Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Initial rewrite of X509 STORE to replicate openssl behavior #8087

Merged
merged 17 commits into from
Oct 23, 2024

Conversation

ColtonWilley
Copy link
Contributor

Description

Rewrite the X509 STORE internals to replicate openssl behavior.

Fixes zd 18689

Testing

Added 9 additional test cases to api.c

Checklist

  • added tests
  • updated/added doxygen
  • updated appropriate READMEs
  • Updated manual and documentation

src/x509_str.c Outdated Show resolved Hide resolved
Copy link
Member

@julek-wolfssl julek-wolfssl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we have tests for inter cert attributes like key usage and path length?

tests/api.c Show resolved Hide resolved
tests/api.c Outdated Show resolved Hide resolved
tests/api.c Outdated Show resolved Hide resolved
wolfssl/ssl.h Outdated Show resolved Hide resolved
src/x509_str.c Outdated Show resolved Hide resolved
src/x509_str.c Outdated Show resolved Hide resolved
src/x509_str.c Show resolved Hide resolved
src/x509_str.c Show resolved Hide resolved
src/x509_str.c Outdated Show resolved Hide resolved
src/x509_str.c Outdated Show resolved Hide resolved
@ColtonWilley
Copy link
Contributor Author

ColtonWilley commented Oct 19, 2024

Retest this please.

@JacobBarthelmeh JacobBarthelmeh dismissed SparkiDev’s stale review October 21, 2024 15:37

Comments were added to the section of code

@ColtonWilley
Copy link
Contributor Author

Do we have tests for inter cert attributes like key usage and path length?

We do for direct usage of the CM, but I dont think anything for X509 STORE.

}
}

return ret == WOLFSSL_SUCCESS ? WOLFSSL_SUCCESS : WOLFSSL_FAILURE;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you confirm you only want to return success or failure and not any other possible return codes? Old logic was >= 0 success else failure.
@douzzer does this need to be WC_NO_ERR_TRACE(WOLFSSL_FAILURE), etc?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Talked with douzzer, he said this should be OK.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ColtonWilley the first half of the question still stands -- do we really want to be masking the true return code here?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes actually I believe we do. I believe openssl only returns 0 or 1, and uses X509_STORE_CTX_get_error for error reporting.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OpenSSL returns -1 on an error, 0 on verification failure, and 1 on verification success. This rework conforms to that API.

src/x509_str.c Outdated Show resolved Hide resolved
src/x509_str.c Outdated Show resolved Hide resolved
src/x509_str.c Show resolved Hide resolved
dgarske
dgarske previously approved these changes Oct 22, 2024
Copy link
Member

@julek-wolfssl julek-wolfssl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Almost there. Last round of comments.

src/x509_str.c Outdated Show resolved Hide resolved
src/x509_str.c Outdated Show resolved Hide resolved
src/x509_str.c Outdated Show resolved Hide resolved
src/x509_str.c Outdated
Comment on lines 1063 to 1069
while (cnt > 0 && i > 0) {
/* The inner X509 is owned by somebody else, NULL out the reference */
obj = wolfSSL_sk_X509_OBJECT_value(objs, i);
if (obj != NULL) {
obj->type = 0;
obj->data.x509 = NULL;
}
cnt--;
i--;
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This could also be a crl so maybe better to use obj->data.ptr. Same effect just showing that we don't want to free anything the WOLFSSL_X509_OBJECT holds.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In the future it would be nice to up ref what gets put into the object list so that we can just call pop_free but that is not necessary on this PR.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great catch on the CRLs. Agreed this whole thing could use a second pass at some point to take a close look at better using refcounts, but I think its large enough as is.

* CA=TRUE */
if (wolfSSL_X509_NAME_cmp(&x509->issuer, &x509->subject) == 0) {
result = X509StoreAddCa(store, x509, WOLFSSL_USER_CA);
#if !defined(WOLFSSL_SIGNER_DER_CERT)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why !WOLFSSL_SIGNER_DER_CERT here?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If !WOLFSSL_SIGNER_DER_CERT, CM internals do not hold onto the full DER buffer of the cert. In this case we need to keep a copy of it ourselves to meet requirements to return the chain. If WOLFSSL_SIGNER_DER_CERT, is defined, no need to keep a separate trusted stack as we can retrieve DER buffer from the underlying CM.

dgarske
dgarske previously approved these changes Oct 23, 2024
@douzzer douzzer dismissed stale reviews from dgarske and JacobBarthelmeh via a17ca40 October 23, 2024 21:31
@douzzer douzzer force-pushed the x509_store_rewrite branch from b02f145 to a17ca40 Compare October 23, 2024 21:31
@douzzer
Copy link
Contributor

douzzer commented Oct 23, 2024

retest this please

@JacobBarthelmeh JacobBarthelmeh merged commit 9af8716 into wolfSSL:master Oct 23, 2024
141 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

7 participants