
check Root CA by TSIP before adding it to ca-table
miyazakh committed Oct 23, 2024
1 parent 846ef15 commit ba1cd85
Showing 3 changed files with 45 additions and 26 deletions.
Expand Up @@ -21,15 +21,32 @@

#include <wolfssl/wolfcrypt/wc_port.h>

#define YEAR 2024
#define MON 7

static int tick = 0;

#define YEAR ( \
((__DATE__)[7] - '0') * 1000 + \
((__DATE__)[8] - '0') * 100 + \
((__DATE__)[9] - '0') * 10 + \
((__DATE__)[10] - '0') * 1 \
)

#define MONTH ( \
__DATE__[2] == 'n' ? (__DATE__[1] == 'a' ? 1 : 6) \
: __DATE__[2] == 'b' ? 2 \
: __DATE__[2] == 'r' ? (__DATE__[0] == 'M' ? 3 : 4) \
: __DATE__[2] == 'y' ? 5 \
: __DATE__[2] == 'l' ? 7 \
: __DATE__[2] == 'g' ? 8 \
: __DATE__[2] == 'p' ? 9 \
: __DATE__[2] == 't' ? 10 \
: __DATE__[2] == 'v' ? 11 \
: 12 \
)

time_t time(time_t *t)
{
(void)t;
return ((YEAR-1970)*365+30*MON)*24*60*60 + tick++;
return ((YEAR-1970)*365+30*MONTH)*24*60*60 + tick++;
}

#include <ctype.h>
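Review bot: The new `return ((YEAR-1970)*365+30*MONTH)*24*60*60 + tick++;` on the last line of `time()` evaluates the whole product in `int`, because `YEAR` and `MONTH` expand to `int` arithmetic on `__DATE__` characters, so for a build dated from early 2038 onward the intermediate value passes `INT_MAX` before it is converted to `time_t`, which is signed overflow; widening first, `return ((time_t)(YEAR-1970)*365 + 30*MONTH)*24*60*60 + tick++;`, keeps the arithmetic in `time_t`. The formula also counts no leap days and treats every month as 30 days, so the stub clock sits roughly two weeks off the real build date, which matters if this `time()` presumably feeds certificate validity checks; a comment above the return such as `/* Approximate build-date epoch: no leap days, 30-day months; only year and month of the build are meaningful */` would make that limitation visible to whoever reads a surprising notBefore/notAfter failure. Both macros depend on the fixed `"Mmm dd yyyy"` layout of `__DATE__`, which is what the standard specifies, so the index arithmetic itself is correct as far as the hunk shows.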
Expand Up @@ -65,6 +65,7 @@ extern "C" {
static long tick;
static void timeTick(void *pdata)
{
(void)pdata;
tick++;
}

45 changes: 23 additions & 22 deletions src/ssl.c
Expand Up @@ -5567,6 +5567,29 @@ int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int type, int verify)
row = HashSigner(signer->subjectNameHash);
#endif

#if defined(WOLFSSL_RENESAS_TSIP_TLS) || defined(WOLFSSL_RENESAS_FSPSM_TLS)
/* Verify CA by TSIP so that generated tsip key is going to */
/* be able to be used for peer's cert verification */
/* TSIP is only able to handle USER CA, and only one CA. */
/* Therefore, it doesn't need to call TSIP again if there is already */
/* verified CA. */
if ( ret == 0 && signer != NULL ) {
signer->cm_idx = row;
if (type == WOLFSSL_USER_CA) {
if ((ret = wc_Renesas_cmn_RootCertVerify(cert->source,
cert->maxIdx,
cert->sigCtx.CertAtt.pubkey_n_start,
cert->sigCtx.CertAtt.pubkey_n_len - 1,
cert->sigCtx.CertAtt.pubkey_e_start,
cert->sigCtx.CertAtt.pubkey_e_len - 1,
row/* cm index */))
< 0)
WOLFSSL_MSG("Renesas_RootCertVerify() failed");
else
WOLFSSL_MSG("Renesas_RootCertVerify() succeed or skipped");
}
}
#endif /* TSIP or SCE */

if (ret == 0 && wc_LockMutex(&cm->caLock) == 0) {
signer->next = cm->caTable[row];
Expand All @@ -5580,28 +5603,6 @@ int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int type, int verify)
ret = BAD_MUTEX_E;
}
}
#if defined(WOLFSSL_RENESAS_TSIP_TLS) || defined(WOLFSSL_RENESAS_FSPSM_TLS)
/* Verify CA by TSIP so that generated tsip key is going to be able to */
/* be used for peer's cert verification */
/* TSIP is only able to handle USER CA, and only one CA. */
/* Therefore, it doesn't need to call TSIP again if there is already */
/* verified CA. */
if ( ret == 0 && signer != NULL ) {
signer->cm_idx = row;
if (type == WOLFSSL_USER_CA) {
if ((ret = wc_Renesas_cmn_RootCertVerify(cert->source, cert->maxIdx,
cert->sigCtx.CertAtt.pubkey_n_start,
cert->sigCtx.CertAtt.pubkey_n_len - 1,
cert->sigCtx.CertAtt.pubkey_e_start,
cert->sigCtx.CertAtt.pubkey_e_len - 1,
row/* cm index */))
< 0)
WOLFSSL_MSG("Renesas_RootCertVerify() failed");
else
WOLFSSL_MSG("Renesas_RootCertVerify() succeed or skipped");
}
}
#endif /* TSIP or SCE */

WOLFSSL_MSG("\tFreeing Parsed CA");
FreeDecodedCert(cert);
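Review bot: A root CA rejected by the TSIP check now reaches `if (ret == 0 && wc_LockMutex(&cm->caLock) == 0)` with `ret < 0`, and the `ret = BAD_MUTEX_E;` visible at the top of the second hunk appears to be that condition's else branch, so the caller would be told the mutex failed rather than that TSIP refused the certificate; the lines between the two hunks are collapsed, so confirm which branch that assignment belongs to. Running the check before the signer is linked into `cm->caTable[row]` is the right ordering, since an unverifiable CA must not become a trust anchor, but the failure code should survive it: guarding the lock with a separate `if (ret == 0)` so that `ret = BAD_MUTEX_E` runs only when `wc_LockMutex()` itself fails keeps the two failures distinct, and whether the signer is released on that path also depends on the collapsed lines. The `if`/`else` around the two `WOLFSSL_MSG()` calls is unbraced, which the surrounding code avoids. `AddCA` begins and ends outside the hunk.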
