Add support for loading user CA certs from an arbitrary Windows cert store. #7503
Conversation
|
Please do not merge yet, just looking for a review + pipeline tests passing for now. Will merge after customer confirms patch works for them. |
| return NULL; | ||
| } | ||
|
|
||
| int wolfSSL_CTX_load_windows_user_CA_certs(WOLFSSL_CTX* ctx, const char* userStore, |
There was a problem hiding this comment.
Any reason not to integrate this with wolfSSL_CTX_load_system_CA_certs? Is wolfSSL_CTX_load_windows_user_CA_certs a compatibility API? If not I would avoid making it Windows specific in case we wanted to expand its coverage beyond Windows.
There was a problem hiding this comment.
The customer has requested the ability to configure which cert store is loaded at runtime in wolfSSH, which requires arguments to be passed in to wolfSSL. This is not an OpenSSL compatibility API, but it didn't make sense to me to add Windows specific arguments to wolfSSL_CTX_load_system_CA_certs. I am not sure how to avoid adding a Windows specific API while still allowing wolfSSH to configure this at runtime.
There was a problem hiding this comment.
Seems like we could come up with a better name or API that would be easier to extend in the future. @ejohnstown I'd like your input as well on this since it is related to an SSH PR.
There was a problem hiding this comment.
Could there be a generic wolfSSL_CTX_load_CA_cert_store()? There can be a ctx pointer to a struct with OS specific data. For Windows, that would have a flag for user or system. Maybe at some point someone will want certs stored in a LDAP database. Perhaps the existing load function can be rewritten as a specific use case for this function.
Certificates with bad DER encoded ASN.1 added to testing. Fix comment in asn.c.
To support new session ticket nonce longer than MAX_TICKET_NONCE_STATIC_SZ. If `--disable-ticket-nonce-malloc` is explicitly specified, the feature is not enabled even if `--enable-curl` is specified.
…server and session tickets time (uptime in sim < 1000 ms was being made 0).
…is used. Tested support with PSA.
also return -1 on param mismatch.
fix encrypted key use case Update README
The assumption is that the wrong PIDs are getting killed. Better use the current shell's child processes (ie: 'jobs' command) than storing some calculated PID
By default RPK (RFC7250) support is not enabled, but is enabled when --enable-rpk, --enable-all or --enable-dist is used. Makes use of the HAVE_RPK compile time option. Fix clang issue reported in tests/api.c during test suites
1. Modify wolfSSL_CTX_load_static_memory() to use wc_LoadStaticMemory() instead of reimplementing it. 2. Initialize the pointers in wc_LoadStaticMemory() to null. 3. Whitespace changes.
1. Add the function wc_LoadStaticMemory_ex(), which is a generic version of wc_LoadStaticMemory(). 2. Modify wc_LoadStaticMemory() to call wc_LoadStaticMemory_ex() with the bucket lists. 3. Rename the function wolfSSL_load_static_memory() as wc_partition_static_memory(), make it static, move it higher in the file.
1. Add generic function wolfSSL_StaticBufferSz_ex() where one specifies the memory bucket list sizes and distribution. 2. Rewrote wolfSSL_StaticBufferSz() in terms of the new function. 3. Changed the list pointers on wc_LoadStaticMemory_ex() and wc_init_memory_heap() to be pointers to const.
1. Add checks for listSz against WOLFMEM_MAX_BUCKETS. 2. Use WOLFMEM_DEF_BUCKETS for the size when using the default memory descriptions. 3. Whitespace.
1. Make the function wolfSSL_GetMemStats() public.
1. Added some extra parameter checking to wc_LoadStaticMemory_ex(). 2. Added some extra parameter checking to wc_StaticBufferSz_ex(). 3. Rename some parameters and add some logging prints. 4. Some static functions have some parameter checking and they are only calling in one spot, remove it.
1. Add API test for function `wc_LoadStaticMemory_ex()`.
1. Add API for function `wc_UnloadStaticMemory()` which frees the mutex used by the static memory pool. 2. Update the `wc_LoadStaticMemory_ex()` test to free the static memory pool's mutex on each successful test case.
…adStores in bench_xmss_sign_verify(); wolfcrypt/test/test.c: fix for invalidPrintfArgType_sint in xmss_test_verify_only().
…c_Sha3, not struct Sha3.
…3), for compatibility with afalg_hash.h and other ports that don't define a struct wc_Sha3.
…rivate_key_cb to wc_{lms,xmss}_read_private_key_cb and wc_{lms,xmss}_write_private_key_cb.
kareem-wolfssl
force-pushed
the
winUserCerts
branch
from
f7fe469 to
3da4c7e
Compare
|
Looks like my rebase messed up this PR, I will open a new PR, but will keep the current code review feedback in mind. |
Description
Add support for loading user CA certs from an arbitrary Windows cert store.
Testing
Tested on Windows machine.
Checklist