

ejohnstownJacobBarthelmeh
authored andcommitted
OCSP Lookups
1. Changed to use the new set of certs. 2. Do an actual cert check and report errors. 3. Do an actual OCSP lookup and report errors.
1 parent 1405eea commit a8fa38d

6 files changed

Lines changed: 87 additions & 11 deletions


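--- a/examples/client/client.c
+++ b/examples/client/client.c
@@ -398,7 +398,7 @@ static int wsUserAuth(byte authType,
 * passed in a public key file, use public key auth */
 if ((XSTRNCMP((char*)authData->username, "hansel",
 authData->usernameSz) == 0) ||
-(XSTRNCMP((char*)authData->username, "john",
+(XSTRNCMP((char*)authData->username, "orange",
 authData->usernameSz) == 0) ||
 pubKeyName != NULL) {
 
@@ -1036,11 +1036,11 @@ THREAD_RETURN WOLFSSH_THREAD client_test(void* args)
 }
 
 #ifdef WOLFSSH_CERTS
-if (XSTRCMP("john", username) == 0) {
-ret = load_der_file("./keys/john-cert.der",
+if (XSTRCMP("orange", username) == 0) {
+ret = load_der_file("../ca/orange-cert.der",
 &userPublicKey, &userPublicKeySz);
 if (ret != 0) err_sys("Couldn't load certificate file.");
-ret = load_der_file("./keys/john-key.der",
+ret = load_der_file("../ca/orange-key.der",
 &userPrivateKey, &userPrivateKeySz);
 if (ret != 0) err_sys("Couldn't load private key file.");
 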
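Review bot: The new comparison at line 401 bounds XSTRNCMP by authData->usernameSz alone, so if usernameSz is the length of the supplied name, a shorter name that is a prefix of "orange" (e.g. "orang") compares equal and takes the certificate path; the "hansel" line above has the same shape, but this hunk re-states the pattern for the new user. This is the client example choosing which auth method to try, so the impact is low, but comparing the length as well is cheap: `(authData->usernameSz == 6 && XSTRNCMP((char*)authData->username, "orange", 6) == 0) ||`. wsUserAuth starts and ends outside the hunk.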

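--- a/examples/echoserver/echoserver.c
+++ b/examples/echoserver/echoserver.c
@@ -1725,7 +1725,7 @@ static int LoadCertBuffer(byte* buf, word32 bufSz, PwMapList* list)
 
 if (PwMapNew(list,
 WOLFSSH_USERAUTH_PUBLICKEY,
-(const byte*)"john", 4, buf, bufSz) == NULL ) {
+(const byte*)"orange", 6, buf, bufSz) == NULL ) {
 return -1;
 }
 
@@ -2061,7 +2061,7 @@ THREAD_RETURN WOLFSSH_THREAD echoserver_test(void* args)
 {
 byte* certBuf = NULL;
 word32 certBufSz = 0;
-const char* filename = "./keys/john-cert.der";
+const char* filename = "../ca/orange-cert.der";
 
 load_file(filename, NULL, &certBufSz);
 
@@ -2099,7 +2099,7 @@ THREAD_RETURN WOLFSSH_THREAD echoserver_test(void* args)
 }
 load_file(caCert, certBuf, &certBufSz);
 ret = wolfSSH_CTX_AddRootCert_buffer(ctx, certBuf, certBufSz,
-WOLFSSH_FORMAT_ASN1);
+WOLFSSH_FORMAT_PEM);
 if (ret != 0) {
 fprintf(stderr, "Couldn't add root cert\n");
 WEXIT(EXIT_FAILURE);
@@ -2306,6 +2306,7 @@ THREAD_RETURN WOLFSSH_THREAD echoserver_test(void* args)
 
 
 #ifndef NO_MAIN_DRIVER
+void wolfSSL_Debugging_ON(void);
 
 int main(int argc, char** argv)
 {
@@ -2319,6 +2320,7 @@ THREAD_RETURN WOLFSSH_THREAD echoserver_test(void* args)
 WSTARTTCP();
 
 #ifdef DEBUG_WOLFSSH
+wolfSSL_Debugging_ON();
 wolfSSH_Debugging_ON();
 #endif
 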
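Review bot: The hand-written prototype `void wolfSSL_Debugging_ON(void);` at new line 2309 duplicates a declaration wolfSSL already exports, and as far as I recall the library declares it as returning int, not void; a mismatched prototype is undefined behaviour at the call site and turns into a conflicting-declaration error the moment a wolfSSL header that declares it is included. Replace the prototype with `#include <wolfssl/wolfcrypt/logging.h>` (or `<wolfssl/ssl.h>`) alongside the file's other includes, which are outside this hunk. Separately, line 2102 now loads the root certificate as WOLFSSH_FORMAT_PEM while caCert's path is set outside the hunk; since the other new paths in this commit are .der files, confirm the file behind caCert is actually PEM, otherwise wolfSSH_CTX_AddRootCert_buffer will fail at startup.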

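--- a/src/certman.c
+++ b/src/certman.c
@@ -38,6 +38,8 @@
 
 #include <wolfssl/ssl.h>
 #include <wolfssl/ocsp.h>
+#include <wolfssl/wolfcrypt/error-crypt.h>
+#include <wolfssl/error-ssl.h>
 
 #include <wolfssh/internal.h>
 #include <wolfssh/certman.h>
@@ -186,8 +188,46 @@ int wolfSSH_CERTMAN_VerifyCert_buffer(WOLFSSH_CERTMAN* cm,
 
 WLOG_ENTER();
 
-ret = wolfSSL_CertManagerVerifyBuffer(cm->cm, cert, certSz,
-WOLFSSL_FILETYPE_ASN1);
+if (ret == WS_SUCCESS) {
+ret = wolfSSL_CertManagerVerifyBuffer(cm->cm, cert, certSz,
+WOLFSSL_FILETYPE_ASN1);
+
+if (ret == WOLFSSL_SUCCESS) {
+ret = WS_SUCCESS;
+}
+else if (ret == ASN_NO_SIGNER_E) {
+WLOG(WS_LOG_CERTMAN, "cert verify: no signer");
+ret = WS_CERT_NO_SIGNER_E;
+}
+else if (ret == ASN_AFTER_DATE_E) {
+WLOG(WS_LOG_CERTMAN, "cert verify: expired");
+ret = WS_CERT_EXPIRED_E;
+}
+else if (ret == ASN_SIG_CONFIRM_E) {
+WLOG(WS_LOG_CERTMAN, "cert verify: bad sig");
+ret = WS_CERT_SIG_CONFIRM_E;
+}
+else {
+WLOG(WS_LOG_CERTMAN, "cert verify: other error (%d)", ret);
+ret = WS_CERT_OTHER_E;
+}
+}
+
+if (ret == WS_SUCCESS) {
+ret = wolfSSL_CertManagerCheckOCSP(cm->cm, (byte*)cert, certSz);
+
+if (ret == WOLFSSL_SUCCESS) {
+ret = WS_SUCCESS;
+}
+else if (ret == OCSP_CERT_REVOKED) {
+WLOG(WS_LOG_CERTMAN, "ocsp lookup: ocsp revoked");
+ret = WS_CERT_REVOKED_E;
+}
+else {
+WLOG(WS_LOG_CERTMAN, "ocsp lookup: other error (%d)", ret);
+ret = WS_CERT_OTHER_E;
+}
+}
 
 WLOG_LEAVE(ret);
 return ret;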
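Review bot: The OCSP step at new lines 216–230 reports success whenever wolfSSL_CertManagerCheckOCSP() does, but as far as I recall that call returns WOLFSSL_SUCCESS without contacting anyone when OCSP has not been enabled on the underlying manager, so nothing in this hunk guarantees a revocation lookup actually happened; whether wolfSSH_CERTMAN_New() (outside this hunk) enables OCSP on cm->cm should be confirmed, and the precondition stated at the top of the function, e.g. `/* Requires OCSP to be enabled on cm->cm; otherwise CheckOCSP is a no-op that reports success. */`. Everything other than revoked collapses into WS_CERT_OTHER_E, which is the right fail-closed default, but a responder that could not be reached is then indistinguishable in the log from a malformed response; I would log it separately: `else if (ret == OCSP_LOOKUP_FAIL) { WLOG(WS_LOG_CERTMAN, "ocsp lookup: responder unreachable"); ret = WS_CERT_OTHER_E; }`. Note also that ret is tested at line 191 before any assignment visible in the hunk; the function head that initialises it (presumably from argument checks) is outside the hunk.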

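--- a/src/internal.c
+++ b/src/internal.c
@@ -384,6 +384,21 @@ const char* GetErrorString(int err)
 case WS_SFTP_BAD_HEADER:
 return "sftp bad header";
 
+case WS_CERT_NO_SIGNER_E:
+return "no signer certificate";
+
+case WS_CERT_EXPIRED_E:
+return "certificate expired";
+
+case WS_CERT_REVOKED_E:
+return "certificate revoked";
+
+case WS_CERT_SIG_CONFIRM_E:
+return "certificate signature fail";
+
+case WS_CERT_OTHER_E:
+return "other certificate error";
+
 default:
 return "Unknown error code";
 }
@@ -4689,6 +4704,13 @@ static int DoUserAuthRequestEccCert(WOLFSSH* ssh, WS_UserAuthData_PublicKey* pk,
 #endif
 }
 
+#ifdef WOLFSSH_CERTS
+if (ret == WS_SUCCESS) {
+ret = wolfSSH_CERTMAN_VerifyCert_buffer(ssh->ctx->certMan,
+pk->publicKey, pk->publicKeySz);
+}
+#endif /* WOLFSSH_CERTS */
+
 if (ret == WS_SUCCESS) {
 ret = wc_ecc_init_ex(key_ptr, ssh->ctx->heap, INVALID_DEVID);
 if (ret == 0) {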
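Review bot: The new chain/OCSP check at lines 4707–4712 is compiled only under WOLFSSH_CERTS, yet the code that follows (wc_ecc_init_ex and, presumably, extraction of the key from pk->publicKey) runs either way, so unless DoUserAuthRequestEccCert is itself wholly inside a WOLFSSH_CERTS region (its head and tail are outside this hunk) a build without that define would accept the certificate's key with no validation at all. If the function can be compiled without WOLFSSH_CERTS, the guard should fail closed, e.g. `#else` / `if (ret == WS_SUCCESS) ret = WS_CERT_OTHER_E;` / `#endif`, ideally with a dedicated "certificates not compiled in" code. Nothing in this hunk ties the verified certificate to the username in the request either; if that binding is intentionally left to the application's userauth callback (the echoserver's PwMapList lookup in this same commit suggests so), a one-line comment here saying `/* Chain and revocation only; binding the cert to the requested user is the userauth callback's job. */` would stop the next reader from assuming the library enforces it.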

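--- a/src/ssh.c
+++ b/src/ssh.c
@@ -1675,8 +1675,15 @@ int wolfSSH_CTX_SetBanner(WOLFSSH_CTX* ctx,
 int wolfSSH_CTX_UsePrivateKey_buffer(WOLFSSH_CTX* ctx,
 const byte* in, word32 inSz, int format)
 {
+int ret = WS_SUCCESS;
+
 WLOG(WS_LOG_DEBUG, "Entering wolfSSH_CTX_UsePrivateKey_buffer()");
-return wolfSSH_ProcessBuffer(ctx, in, inSz, format, BUFTYPE_PRIVKEY);
+
+ret = wolfSSH_ProcessBuffer(ctx, in, inSz, format, BUFTYPE_PRIVKEY);
+
+WLOG(WS_LOG_DEBUG,
+"Leaving wolfSSH_CTX_UsePrivateKey_buffer(), ret = %d", ret);
+return ret;
 }
 
 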

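--- a/wolfssh/error.h
+++ b/wolfssh/error.h
@@ -119,8 +119,13 @@ enum WS_ErrorCodes {
 WS_AGENT_NO_KEY_E = -1078, /* AGENT doesn't have requested key */
 WS_AGENT_CXN_FAIL = -1079, /* Couldn't connect to agent. */
 WS_SFTP_BAD_HEADER = -1080, /* SFTP bad header */
+WS_CERT_NO_SIGNER_E = -1081, /* No signer cert available */
+WS_CERT_EXPIRED_E = -1082, /* Certificate expired */
+WS_CERT_REVOKED_E = -1083, /* User certificate reported revoked */
+WS_CERT_SIG_CONFIRM_E = -1084, /* Root cert sig verify fail */
+WS_CERT_OTHER_E = -1085, /* Other certificate issue */
 
-WS_LAST_E = -1080 /* Update this to indicate last error */
+WS_LAST_E = -1085 /* Update this to indicate last error */
 };
 
 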
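Review bot: The comment on WS_CERT_SIG_CONFIRM_E at new line 125 says "Root cert sig verify fail", but src/certman.c in this commit maps it from ASN_SIG_CONFIRM_E returned while verifying the presented user certificate, so it is that certificate's signature that failed to confirm against its issuer, not the root's. Suggest `WS_CERT_SIG_CONFIRM_E = -1084, /* Certificate signature did not verify */`. WS_CERT_OTHER_E is also the catch-all for every verify or OCSP result certman.c does not name (not-yet-valid certificates, an unreachable responder, and so on); saying so in its comment, e.g. `/* Any other verify or OCSP failure */`, keeps callers from reading it as a narrow condition.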
