cjson
fuzzing
inputs
test1 test10 test11 test2 test3 test3.bu test3.uf test3.uu test4 test5 test6 test7 test8 test9library_config
cJSONConfig.cmake.in cJSONConfigVersion.cmake.in libcjson.pc.in libcjson_utils.pc.in uninstall.cmaketests
inputs
test1 test1.expected test10 test10.expected test11 test11.expected test2 test2.expected test3 test3.expected test4 test4.expected test5 test5.expected test6 test7 test7.expected test8 test8.expected test9 test9.expectedjson-patch-tests
.editorconfig .gitignore .npmignore README.md cjson-utils-tests.json package.json spec_tests.json tests.jsonunity
auto
colour_prompt.rb colour_reporter.rb generate_config.yml generate_module.rb generate_test_runner.rb parse_output.rb stylize_as_junit.rb test_file_filter.rb type_sanitizer.rb unity_test_summary.py unity_test_summary.rb unity_to_junit.pydocs
ThrowTheSwitchCodingStandard.md UnityAssertionsCheatSheetSuitableforPrintingandPossiblyFraming.pdf UnityAssertionsReference.md UnityConfigurationGuide.md UnityGettingStartedGuide.md UnityHelperScriptsGuide.md license.txtexamples
unity_config.hcurl
.github
scripts
cleancmd.pl cmp-config.pl cmp-pkg-config.sh codespell-ignore.words codespell.sh distfiles.sh pyspelling.words pyspelling.yaml randcurl.pl requirements-docs.txt requirements-proselint.txt requirements.txt shellcheck-ci.sh shellcheck.sh spellcheck.curl trimmarkdownheader.pl typos.sh typos.toml verify-examples.pl verify-synopsis.pl yamlcheck.sh yamlcheck.yamlworkflows
appveyor-status.yml checkdocs.yml checksrc.yml checkurls.yml codeql.yml configure-vs-cmake.yml curl-for-win.yml distcheck.yml fuzz.yml http3-linux.yml label.yml linux-old.yml linux.yml macos.yml non-native.yml windows.ymlCMake
CurlSymbolHiding.cmake CurlTests.c FindBrotli.cmake FindCares.cmake FindGSS.cmake FindGnuTLS.cmake FindLDAP.cmake FindLibbacktrace.cmake FindLibgsasl.cmake FindLibidn2.cmake FindLibpsl.cmake FindLibssh.cmake FindLibssh2.cmake FindLibuv.cmake FindMbedTLS.cmake FindNGHTTP2.cmake FindNGHTTP3.cmake FindNGTCP2.cmake FindNettle.cmake FindQuiche.cmake FindRustls.cmake FindWolfSSL.cmake FindZstd.cmake Macros.cmake OtherTests.cmake PickyWarnings.cmake Utilities.cmake cmake_uninstall.in.cmake curl-config.in.cmake unix-cache.cmake win32-cache.cmakedocs
cmdline-opts
.gitignore CMakeLists.txt MANPAGE.md Makefile.am Makefile.inc _AUTHORS.md _BUGS.md _DESCRIPTION.md _ENVIRONMENT.md _EXITCODES.md _FILES.md _GLOBBING.md _NAME.md _OPTIONS.md _OUTPUT.md _PROGRESS.md _PROTOCOLS.md _PROXYPREFIX.md _SEEALSO.md _SYNOPSIS.md _URL.md _VARIABLES.md _VERSION.md _WWW.md abstract-unix-socket.md alt-svc.md anyauth.md append.md aws-sigv4.md basic.md ca-native.md cacert.md capath.md cert-status.md cert-type.md cert.md ciphers.md compressed-ssh.md compressed.md config.md connect-timeout.md connect-to.md continue-at.md cookie-jar.md cookie.md create-dirs.md create-file-mode.md crlf.md crlfile.md curves.md data-ascii.md data-binary.md data-raw.md data-urlencode.md data.md delegation.md digest.md disable-eprt.md disable-epsv.md disable.md disallow-username-in-url.md dns-interface.md dns-ipv4-addr.md dns-ipv6-addr.md dns-servers.md doh-cert-status.md doh-insecure.md doh-url.md dump-ca-embed.md dump-header.md ech.md egd-file.md engine.md etag-compare.md etag-save.md expect100-timeout.md fail-early.md fail-with-body.md fail.md false-start.md follow.md form-escape.md form-string.md form.md ftp-account.md ftp-alternative-to-user.md ftp-create-dirs.md ftp-method.md ftp-pasv.md ftp-port.md ftp-pret.md ftp-skip-pasv-ip.md ftp-ssl-ccc-mode.md ftp-ssl-ccc.md ftp-ssl-control.md get.md globoff.md happy-eyeballs-timeout-ms.md haproxy-clientip.md haproxy-protocol.md head.md header.md help.md hostpubmd5.md hostpubsha256.md hsts.md http0.9.md http1.0.md http1.1.md http2-prior-knowledge.md http2.md http3-only.md http3.md ignore-content-length.md insecure.md interface.md ip-tos.md ipfs-gateway.md ipv4.md ipv6.md json.md junk-session-cookies.md keepalive-cnt.md keepalive-time.md key-type.md key.md knownhosts.md krb.md libcurl.md limit-rate.md list-only.md local-port.md location-trusted.md location.md login-options.md mail-auth.md mail-from.md mail-rcpt-allowfails.md mail-rcpt.md mainpage.idx manual.md max-filesize.md max-redirs.md max-time.md metalink.md mptcp.md negotiate.md netrc-file.md netrc-optional.md netrc.md next.md no-alpn.md no-buffer.md no-clobber.md no-keepalive.md no-npn.md no-progress-meter.md no-sessionid.md noproxy.md ntlm-wb.md ntlm.md oauth2-bearer.md out-null.md output-dir.md output.md parallel-immediate.md parallel-max-host.md parallel-max.md parallel.md pass.md path-as-is.md pinnedpubkey.md post301.md post302.md post303.md preproxy.md progress-bar.md proto-default.md proto-redir.md proto.md proxy-anyauth.md proxy-basic.md proxy-ca-native.md proxy-cacert.md proxy-capath.md proxy-cert-type.md proxy-cert.md proxy-ciphers.md proxy-crlfile.md proxy-digest.md proxy-header.md proxy-http2.md proxy-insecure.md proxy-key-type.md proxy-key.md proxy-negotiate.md proxy-ntlm.md proxy-pass.md proxy-pinnedpubkey.md proxy-service-name.md proxy-ssl-allow-beast.md proxy-ssl-auto-client-cert.md proxy-tls13-ciphers.md proxy-tlsauthtype.md proxy-tlspassword.md proxy-tlsuser.md proxy-tlsv1.md proxy-user.md proxy.md proxy1.0.md proxytunnel.md pubkey.md quote.md random-file.md range.md rate.md raw.md referer.md remote-header-name.md remote-name-all.md remote-name.md remote-time.md remove-on-error.md request-target.md request.md resolve.md retry-all-errors.md retry-connrefused.md retry-delay.md retry-max-time.md retry.md sasl-authzid.md sasl-ir.md service-name.md show-error.md show-headers.md sigalgs.md silent.md skip-existing.md socks4.md socks4a.md socks5-basic.md socks5-gssapi-nec.md socks5-gssapi-service.md socks5-gssapi.md socks5-hostname.md socks5.md speed-limit.md speed-time.md ssl-allow-beast.md ssl-auto-client-cert.md ssl-no-revoke.md ssl-reqd.md ssl-revoke-best-effort.md ssl-sessions.md ssl.md sslv2.md sslv3.md stderr.md styled-output.md suppress-connect-headers.md tcp-fastopen.md tcp-nodelay.md telnet-option.md tftp-blksize.md tftp-no-options.md time-cond.md tls-earlydata.md tls-max.md tls13-ciphers.md tlsauthtype.md tlspassword.md tlsuser.md tlsv1.0.md tlsv1.1.md tlsv1.2.md tlsv1.3.md tlsv1.md tr-encoding.md trace-ascii.md trace-config.md trace-ids.md trace-time.md trace.md unix-socket.md upload-file.md upload-flags.md url-query.md url.md use-ascii.md user-agent.md user.md variable.md verbose.md version.md vlan-priority.md write-out.md xattr.mdexamples
.checksrc .gitignore 10-at-a-time.c CMakeLists.txt Makefile.am Makefile.example Makefile.inc README.md adddocsref.pl address-scope.c altsvc.c anyauthput.c block_ip.c cacertinmem.c certinfo.c chkspeed.c connect-to.c cookie_interface.c crawler.c debug.c default-scheme.c ephiperfifo.c evhiperfifo.c externalsocket.c fileupload.c ftp-delete.c ftp-wildcard.c ftpget.c ftpgetinfo.c ftpgetresp.c ftpsget.c ftpupload.c ftpuploadfrommem.c ftpuploadresume.c getinfo.c getinmemory.c getredirect.c getreferrer.c ghiper.c headerapi.c hiperfifo.c hsts-preload.c htmltidy.c htmltitle.cpp http-options.c http-post.c http2-download.c http2-pushinmemory.c http2-serverpush.c http2-upload.c http3-present.c http3.c httpcustomheader.c httpput-postfields.c httpput.c https.c imap-append.c imap-authzid.c imap-copy.c imap-create.c imap-delete.c imap-examine.c imap-fetch.c imap-list.c imap-lsub.c imap-multi.c imap-noop.c imap-search.c imap-ssl.c imap-store.c imap-tls.c interface.c ipv6.c keepalive.c localport.c log_failed_transfers.c maxconnects.c multi-app.c multi-debugcallback.c multi-double.c multi-event.c multi-formadd.c multi-legacy.c multi-post.c multi-single.c multi-uv.c netrc.c parseurl.c persistent.c pop3-authzid.c pop3-dele.c pop3-list.c pop3-multi.c pop3-noop.c pop3-retr.c pop3-ssl.c pop3-stat.c pop3-tls.c pop3-top.c pop3-uidl.c post-callback.c postinmemory.c postit2-formadd.c postit2.c progressfunc.c protofeats.c range.c resolve.c rtsp-options.c sendrecv.c sepheaders.c sessioninfo.c sftpget.c sftpuploadresume.c shared-connection-cache.c simple.c simplepost.c simplessl.c smooth-gtk-thread.c smtp-authzid.c smtp-expn.c smtp-mail.c smtp-mime.c smtp-multi.c smtp-ssl.c smtp-tls.c smtp-vrfy.c sslbackend.c synctime.c threaded.c unixsocket.c url2file.c urlapi.c usercertinmem.c version-check.pl websocket-cb.c websocket-updown.c websocket.c xmlstream.cinternals
BUFQ.md BUFREF.md CHECKSRC.md CLIENT-READERS.md CLIENT-WRITERS.md CODE_STYLE.md CONNECTION-FILTERS.md CREDENTIALS.md CURLX.md DYNBUF.md HASH.md LLIST.md MID.md MQTT.md MULTI-EV.md NEW-PROTOCOL.md PEERS.md PORTING.md RATELIMITS.md README.md SCORECARD.md SPLAY.md STRPARSE.md THRDPOOL-AND-QUEUE.md TIME-KEEPING.md TLS-SESSIONS.md UINT_SETS.md WEBSOCKET.mdlibcurl
opts
CMakeLists.txt CURLINFO_ACTIVESOCKET.md CURLINFO_APPCONNECT_TIME.md CURLINFO_APPCONNECT_TIME_T.md CURLINFO_CAINFO.md CURLINFO_CAPATH.md CURLINFO_CERTINFO.md CURLINFO_CONDITION_UNMET.md CURLINFO_CONNECT_TIME.md CURLINFO_CONNECT_TIME_T.md CURLINFO_CONN_ID.md CURLINFO_CONTENT_LENGTH_DOWNLOAD.md CURLINFO_CONTENT_LENGTH_DOWNLOAD_T.md CURLINFO_CONTENT_LENGTH_UPLOAD.md CURLINFO_CONTENT_LENGTH_UPLOAD_T.md CURLINFO_CONTENT_TYPE.md CURLINFO_COOKIELIST.md CURLINFO_EARLYDATA_SENT_T.md CURLINFO_EFFECTIVE_METHOD.md CURLINFO_EFFECTIVE_URL.md CURLINFO_FILETIME.md CURLINFO_FILETIME_T.md CURLINFO_FTP_ENTRY_PATH.md CURLINFO_HEADER_SIZE.md CURLINFO_HTTPAUTH_AVAIL.md CURLINFO_HTTPAUTH_USED.md CURLINFO_HTTP_CONNECTCODE.md CURLINFO_HTTP_VERSION.md CURLINFO_LASTSOCKET.md CURLINFO_LOCAL_IP.md CURLINFO_LOCAL_PORT.md CURLINFO_NAMELOOKUP_TIME.md CURLINFO_NAMELOOKUP_TIME_T.md CURLINFO_NUM_CONNECTS.md CURLINFO_OS_ERRNO.md CURLINFO_POSTTRANSFER_TIME_T.md CURLINFO_PRETRANSFER_TIME.md CURLINFO_PRETRANSFER_TIME_T.md CURLINFO_PRIMARY_IP.md CURLINFO_PRIMARY_PORT.md CURLINFO_PRIVATE.md CURLINFO_PROTOCOL.md CURLINFO_PROXYAUTH_AVAIL.md CURLINFO_PROXYAUTH_USED.md CURLINFO_PROXY_ERROR.md CURLINFO_PROXY_SSL_VERIFYRESULT.md CURLINFO_QUEUE_TIME_T.md CURLINFO_REDIRECT_COUNT.md CURLINFO_REDIRECT_TIME.md CURLINFO_REDIRECT_TIME_T.md CURLINFO_REDIRECT_URL.md CURLINFO_REFERER.md CURLINFO_REQUEST_SIZE.md CURLINFO_RESPONSE_CODE.md CURLINFO_RETRY_AFTER.md CURLINFO_RTSP_CLIENT_CSEQ.md CURLINFO_RTSP_CSEQ_RECV.md CURLINFO_RTSP_SERVER_CSEQ.md CURLINFO_RTSP_SESSION_ID.md CURLINFO_SCHEME.md CURLINFO_SIZE_DELIVERED.md CURLINFO_SIZE_DOWNLOAD.md CURLINFO_SIZE_DOWNLOAD_T.md CURLINFO_SIZE_UPLOAD.md CURLINFO_SIZE_UPLOAD_T.md CURLINFO_SPEED_DOWNLOAD.md CURLINFO_SPEED_DOWNLOAD_T.md CURLINFO_SPEED_UPLOAD.md CURLINFO_SPEED_UPLOAD_T.md CURLINFO_SSL_ENGINES.md CURLINFO_SSL_VERIFYRESULT.md CURLINFO_STARTTRANSFER_TIME.md CURLINFO_STARTTRANSFER_TIME_T.md CURLINFO_TLS_SESSION.md CURLINFO_TLS_SSL_PTR.md CURLINFO_TOTAL_TIME.md CURLINFO_TOTAL_TIME_T.md CURLINFO_USED_PROXY.md CURLINFO_XFER_ID.md CURLMINFO_XFERS_ADDED.md CURLMINFO_XFERS_CURRENT.md CURLMINFO_XFERS_DONE.md CURLMINFO_XFERS_PENDING.md CURLMINFO_XFERS_RUNNING.md CURLMOPT_CHUNK_LENGTH_PENALTY_SIZE.md CURLMOPT_CONTENT_LENGTH_PENALTY_SIZE.md CURLMOPT_MAXCONNECTS.md CURLMOPT_MAX_CONCURRENT_STREAMS.md CURLMOPT_MAX_HOST_CONNECTIONS.md CURLMOPT_MAX_PIPELINE_LENGTH.md CURLMOPT_MAX_TOTAL_CONNECTIONS.md CURLMOPT_NETWORK_CHANGED.md CURLMOPT_NOTIFYDATA.md CURLMOPT_NOTIFYFUNCTION.md CURLMOPT_PIPELINING.md CURLMOPT_PIPELINING_SERVER_BL.md CURLMOPT_PIPELINING_SITE_BL.md CURLMOPT_PUSHDATA.md CURLMOPT_PUSHFUNCTION.md CURLMOPT_QUICK_EXIT.md CURLMOPT_RESOLVE_THREADS_MAX.md CURLMOPT_SOCKETDATA.md CURLMOPT_SOCKETFUNCTION.md CURLMOPT_TIMERDATA.md CURLMOPT_TIMERFUNCTION.md CURLOPT_ABSTRACT_UNIX_SOCKET.md CURLOPT_ACCEPTTIMEOUT_MS.md CURLOPT_ACCEPT_ENCODING.md CURLOPT_ADDRESS_SCOPE.md CURLOPT_ALTSVC.md CURLOPT_ALTSVC_CTRL.md CURLOPT_APPEND.md CURLOPT_AUTOREFERER.md CURLOPT_AWS_SIGV4.md CURLOPT_BUFFERSIZE.md CURLOPT_CAINFO.md CURLOPT_CAINFO_BLOB.md CURLOPT_CAPATH.md CURLOPT_CA_CACHE_TIMEOUT.md CURLOPT_CERTINFO.md CURLOPT_CHUNK_BGN_FUNCTION.md CURLOPT_CHUNK_DATA.md CURLOPT_CHUNK_END_FUNCTION.md CURLOPT_CLOSESOCKETDATA.md CURLOPT_CLOSESOCKETFUNCTION.md CURLOPT_CONNECTTIMEOUT.md CURLOPT_CONNECTTIMEOUT_MS.md CURLOPT_CONNECT_ONLY.md CURLOPT_CONNECT_TO.md CURLOPT_CONV_FROM_NETWORK_FUNCTION.md CURLOPT_CONV_FROM_UTF8_FUNCTION.md CURLOPT_CONV_TO_NETWORK_FUNCTION.md CURLOPT_COOKIE.md CURLOPT_COOKIEFILE.md CURLOPT_COOKIEJAR.md CURLOPT_COOKIELIST.md CURLOPT_COOKIESESSION.md CURLOPT_COPYPOSTFIELDS.md CURLOPT_CRLF.md CURLOPT_CRLFILE.md CURLOPT_CURLU.md CURLOPT_CUSTOMREQUEST.md CURLOPT_DEBUGDATA.md CURLOPT_DEBUGFUNCTION.md CURLOPT_DEFAULT_PROTOCOL.md CURLOPT_DIRLISTONLY.md CURLOPT_DISALLOW_USERNAME_IN_URL.md CURLOPT_DNS_CACHE_TIMEOUT.md CURLOPT_DNS_INTERFACE.md CURLOPT_DNS_LOCAL_IP4.md CURLOPT_DNS_LOCAL_IP6.md CURLOPT_DNS_SERVERS.md CURLOPT_DNS_SHUFFLE_ADDRESSES.md CURLOPT_DNS_USE_GLOBAL_CACHE.md CURLOPT_DOH_SSL_VERIFYHOST.md CURLOPT_DOH_SSL_VERIFYPEER.md CURLOPT_DOH_SSL_VERIFYSTATUS.md CURLOPT_DOH_URL.md CURLOPT_ECH.md CURLOPT_EGDSOCKET.md CURLOPT_ERRORBUFFER.md CURLOPT_EXPECT_100_TIMEOUT_MS.md CURLOPT_FAILONERROR.md CURLOPT_FILETIME.md CURLOPT_FNMATCH_DATA.md CURLOPT_FNMATCH_FUNCTION.md CURLOPT_FOLLOWLOCATION.md CURLOPT_FORBID_REUSE.md CURLOPT_FRESH_CONNECT.md CURLOPT_FTPPORT.md CURLOPT_FTPSSLAUTH.md CURLOPT_FTP_ACCOUNT.md CURLOPT_FTP_ALTERNATIVE_TO_USER.md CURLOPT_FTP_CREATE_MISSING_DIRS.md CURLOPT_FTP_FILEMETHOD.md CURLOPT_FTP_SKIP_PASV_IP.md CURLOPT_FTP_SSL_CCC.md CURLOPT_FTP_USE_EPRT.md CURLOPT_FTP_USE_EPSV.md CURLOPT_FTP_USE_PRET.md CURLOPT_GSSAPI_DELEGATION.md CURLOPT_HAPPY_EYEBALLS_TIMEOUT_MS.md CURLOPT_HAPROXYPROTOCOL.md CURLOPT_HAPROXY_CLIENT_IP.md CURLOPT_HEADER.md CURLOPT_HEADERDATA.md CURLOPT_HEADERFUNCTION.md CURLOPT_HEADEROPT.md CURLOPT_HSTS.md CURLOPT_HSTSREADDATA.md CURLOPT_HSTSREADFUNCTION.md CURLOPT_HSTSWRITEDATA.md CURLOPT_HSTSWRITEFUNCTION.md CURLOPT_HSTS_CTRL.md CURLOPT_HTTP09_ALLOWED.md CURLOPT_HTTP200ALIASES.md CURLOPT_HTTPAUTH.md CURLOPT_HTTPGET.md CURLOPT_HTTPHEADER.md CURLOPT_HTTPPOST.md CURLOPT_HTTPPROXYTUNNEL.md CURLOPT_HTTP_CONTENT_DECODING.md CURLOPT_HTTP_TRANSFER_DECODING.md CURLOPT_HTTP_VERSION.md CURLOPT_IGNORE_CONTENT_LENGTH.md CURLOPT_INFILESIZE.md CURLOPT_INFILESIZE_LARGE.md CURLOPT_INTERFACE.md CURLOPT_INTERLEAVEDATA.md CURLOPT_INTERLEAVEFUNCTION.md CURLOPT_IOCTLDATA.md CURLOPT_IOCTLFUNCTION.md CURLOPT_IPRESOLVE.md CURLOPT_ISSUERCERT.md CURLOPT_ISSUERCERT_BLOB.md CURLOPT_KEEP_SENDING_ON_ERROR.md CURLOPT_KEYPASSWD.md CURLOPT_KRBLEVEL.md CURLOPT_LOCALPORT.md CURLOPT_LOCALPORTRANGE.md CURLOPT_LOGIN_OPTIONS.md CURLOPT_LOW_SPEED_LIMIT.md CURLOPT_LOW_SPEED_TIME.md CURLOPT_MAIL_AUTH.md CURLOPT_MAIL_FROM.md CURLOPT_MAIL_RCPT.md CURLOPT_MAIL_RCPT_ALLOWFAILS.md CURLOPT_MAXAGE_CONN.md CURLOPT_MAXCONNECTS.md CURLOPT_MAXFILESIZE.md CURLOPT_MAXFILESIZE_LARGE.md CURLOPT_MAXLIFETIME_CONN.md CURLOPT_MAXREDIRS.md CURLOPT_MAX_RECV_SPEED_LARGE.md CURLOPT_MAX_SEND_SPEED_LARGE.md CURLOPT_MIMEPOST.md CURLOPT_MIME_OPTIONS.md CURLOPT_NETRC.md CURLOPT_NETRC_FILE.md CURLOPT_NEW_DIRECTORY_PERMS.md CURLOPT_NEW_FILE_PERMS.md CURLOPT_NOBODY.md CURLOPT_NOPROGRESS.md CURLOPT_NOPROXY.md CURLOPT_NOSIGNAL.md CURLOPT_OPENSOCKETDATA.md CURLOPT_OPENSOCKETFUNCTION.md CURLOPT_PASSWORD.md CURLOPT_PATH_AS_IS.md CURLOPT_PINNEDPUBLICKEY.md CURLOPT_PIPEWAIT.md CURLOPT_PORT.md CURLOPT_POST.md CURLOPT_POSTFIELDS.md CURLOPT_POSTFIELDSIZE.md CURLOPT_POSTFIELDSIZE_LARGE.md CURLOPT_POSTQUOTE.md CURLOPT_POSTREDIR.md CURLOPT_PREQUOTE.md CURLOPT_PREREQDATA.md CURLOPT_PREREQFUNCTION.md CURLOPT_PRE_PROXY.md CURLOPT_PRIVATE.md CURLOPT_PROGRESSDATA.md CURLOPT_PROGRESSFUNCTION.md CURLOPT_PROTOCOLS.md CURLOPT_PROTOCOLS_STR.md CURLOPT_PROXY.md CURLOPT_PROXYAUTH.md CURLOPT_PROXYHEADER.md CURLOPT_PROXYPASSWORD.md CURLOPT_PROXYPORT.md CURLOPT_PROXYTYPE.md CURLOPT_PROXYUSERNAME.md CURLOPT_PROXYUSERPWD.md CURLOPT_PROXY_CAINFO.md CURLOPT_PROXY_CAINFO_BLOB.md CURLOPT_PROXY_CAPATH.md CURLOPT_PROXY_CRLFILE.md CURLOPT_PROXY_ISSUERCERT.md CURLOPT_PROXY_ISSUERCERT_BLOB.md CURLOPT_PROXY_KEYPASSWD.md CURLOPT_PROXY_PINNEDPUBLICKEY.md CURLOPT_PROXY_SERVICE_NAME.md CURLOPT_PROXY_SSLCERT.md CURLOPT_PROXY_SSLCERTTYPE.md CURLOPT_PROXY_SSLCERT_BLOB.md CURLOPT_PROXY_SSLKEY.md CURLOPT_PROXY_SSLKEYTYPE.md CURLOPT_PROXY_SSLKEY_BLOB.md CURLOPT_PROXY_SSLVERSION.md CURLOPT_PROXY_SSL_CIPHER_LIST.md CURLOPT_PROXY_SSL_OPTIONS.md CURLOPT_PROXY_SSL_VERIFYHOST.md CURLOPT_PROXY_SSL_VERIFYPEER.md CURLOPT_PROXY_TLS13_CIPHERS.md CURLOPT_PROXY_TLSAUTH_PASSWORD.md CURLOPT_PROXY_TLSAUTH_TYPE.md CURLOPT_PROXY_TLSAUTH_USERNAME.md CURLOPT_PROXY_TRANSFER_MODE.md CURLOPT_PUT.md CURLOPT_QUICK_EXIT.md CURLOPT_QUOTE.md CURLOPT_RANDOM_FILE.md CURLOPT_RANGE.md CURLOPT_READDATA.md CURLOPT_READFUNCTION.md CURLOPT_REDIR_PROTOCOLS.md CURLOPT_REDIR_PROTOCOLS_STR.md CURLOPT_REFERER.md CURLOPT_REQUEST_TARGET.md CURLOPT_RESOLVE.md CURLOPT_RESOLVER_START_DATA.md CURLOPT_RESOLVER_START_FUNCTION.md CURLOPT_RESUME_FROM.md CURLOPT_RESUME_FROM_LARGE.md CURLOPT_RTSP_CLIENT_CSEQ.md CURLOPT_RTSP_REQUEST.md CURLOPT_RTSP_SERVER_CSEQ.md CURLOPT_RTSP_SESSION_ID.md CURLOPT_RTSP_STREAM_URI.md CURLOPT_RTSP_TRANSPORT.md CURLOPT_SASL_AUTHZID.md CURLOPT_SASL_IR.md CURLOPT_SEEKDATA.md CURLOPT_SEEKFUNCTION.md CURLOPT_SERVER_RESPONSE_TIMEOUT.md CURLOPT_SERVER_RESPONSE_TIMEOUT_MS.md CURLOPT_SERVICE_NAME.md CURLOPT_SHARE.md CURLOPT_SOCKOPTDATA.md CURLOPT_SOCKOPTFUNCTION.md CURLOPT_SOCKS5_AUTH.md CURLOPT_SOCKS5_GSSAPI_NEC.md CURLOPT_SOCKS5_GSSAPI_SERVICE.md CURLOPT_SSH_AUTH_TYPES.md CURLOPT_SSH_COMPRESSION.md CURLOPT_SSH_HOSTKEYDATA.md CURLOPT_SSH_HOSTKEYFUNCTION.md CURLOPT_SSH_HOST_PUBLIC_KEY_MD5.md CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256.md CURLOPT_SSH_KEYDATA.md CURLOPT_SSH_KEYFUNCTION.md CURLOPT_SSH_KNOWNHOSTS.md CURLOPT_SSH_PRIVATE_KEYFILE.md CURLOPT_SSH_PUBLIC_KEYFILE.md CURLOPT_SSLCERT.md CURLOPT_SSLCERTTYPE.md CURLOPT_SSLCERT_BLOB.md CURLOPT_SSLENGINE.md CURLOPT_SSLENGINE_DEFAULT.md CURLOPT_SSLKEY.md CURLOPT_SSLKEYTYPE.md CURLOPT_SSLKEY_BLOB.md CURLOPT_SSLVERSION.md CURLOPT_SSL_CIPHER_LIST.md CURLOPT_SSL_CTX_DATA.md CURLOPT_SSL_CTX_FUNCTION.md CURLOPT_SSL_EC_CURVES.md CURLOPT_SSL_ENABLE_ALPN.md CURLOPT_SSL_ENABLE_NPN.md CURLOPT_SSL_FALSESTART.md CURLOPT_SSL_OPTIONS.md CURLOPT_SSL_SESSIONID_CACHE.md CURLOPT_SSL_SIGNATURE_ALGORITHMS.md CURLOPT_SSL_VERIFYHOST.md CURLOPT_SSL_VERIFYPEER.md CURLOPT_SSL_VERIFYSTATUS.md CURLOPT_STDERR.md CURLOPT_STREAM_DEPENDS.md CURLOPT_STREAM_DEPENDS_E.md CURLOPT_STREAM_WEIGHT.md CURLOPT_SUPPRESS_CONNECT_HEADERS.md CURLOPT_TCP_FASTOPEN.md CURLOPT_TCP_KEEPALIVE.md CURLOPT_TCP_KEEPCNT.md CURLOPT_TCP_KEEPIDLE.md CURLOPT_TCP_KEEPINTVL.md CURLOPT_TCP_NODELAY.md CURLOPT_TELNETOPTIONS.md CURLOPT_TFTP_BLKSIZE.md CURLOPT_TFTP_NO_OPTIONS.md CURLOPT_TIMECONDITION.md CURLOPT_TIMEOUT.md CURLOPT_TIMEOUT_MS.md CURLOPT_TIMEVALUE.md CURLOPT_TIMEVALUE_LARGE.md CURLOPT_TLS13_CIPHERS.md CURLOPT_TLSAUTH_PASSWORD.md CURLOPT_TLSAUTH_TYPE.md CURLOPT_TLSAUTH_USERNAME.md CURLOPT_TRAILERDATA.md CURLOPT_TRAILERFUNCTION.md CURLOPT_TRANSFERTEXT.md CURLOPT_TRANSFER_ENCODING.md CURLOPT_UNIX_SOCKET_PATH.md CURLOPT_UNRESTRICTED_AUTH.md CURLOPT_UPKEEP_INTERVAL_MS.md CURLOPT_UPLOAD.md CURLOPT_UPLOAD_BUFFERSIZE.md CURLOPT_UPLOAD_FLAGS.md CURLOPT_URL.md CURLOPT_USERAGENT.md CURLOPT_USERNAME.md CURLOPT_USERPWD.md CURLOPT_USE_SSL.md CURLOPT_VERBOSE.md CURLOPT_WILDCARDMATCH.md CURLOPT_WRITEDATA.md CURLOPT_WRITEFUNCTION.md CURLOPT_WS_OPTIONS.md CURLOPT_XFERINFODATA.md CURLOPT_XFERINFOFUNCTION.md CURLOPT_XOAUTH2_BEARER.md CURLSHOPT_LOCKFUNC.md CURLSHOPT_SHARE.md CURLSHOPT_UNLOCKFUNC.md CURLSHOPT_UNSHARE.md CURLSHOPT_USERDATA.md Makefile.am Makefile.incinclude
curl
Makefile.am curl.h curlver.h easy.h header.h mprintf.h multi.h options.h stdcheaders.h system.h typecheck-gcc.h urlapi.h websockets.hlib
curlx
base64.c base64.h basename.c basename.h dynbuf.c dynbuf.h fopen.c fopen.h inet_ntop.c inet_ntop.h inet_pton.c inet_pton.h multibyte.c multibyte.h nonblock.c nonblock.h snprintf.c snprintf.h strcopy.c strcopy.h strdup.c strdup.h strerr.c strerr.h strparse.c strparse.h timediff.c timediff.h timeval.c timeval.h version_win32.c version_win32.h wait.c wait.h warnless.c warnless.h winapi.c winapi.hvauth
cleartext.c cram.c digest.c digest.h digest_sspi.c gsasl.c krb5_gssapi.c krb5_sspi.c ntlm.c ntlm_sspi.c oauth2.c spnego_gssapi.c spnego_sspi.c vauth.c vauth.hvquic
curl_ngtcp2.c curl_ngtcp2.h curl_quiche.c curl_quiche.h vquic-tls.c vquic-tls.h vquic.c vquic.h vquic_int.hvtls
apple.c apple.h cipher_suite.c cipher_suite.h gtls.c gtls.h hostcheck.c hostcheck.h keylog.c keylog.h mbedtls.c mbedtls.h openssl.c openssl.h rustls.c rustls.h schannel.c schannel.h schannel_int.h schannel_verify.c vtls.c vtls.h vtls_int.h vtls_scache.c vtls_scache.h vtls_spack.c vtls_spack.h wolfssl.c wolfssl.h x509asn1.c x509asn1.hm4
.gitignore curl-amissl.m4 curl-apple-sectrust.m4 curl-compilers.m4 curl-confopts.m4 curl-functions.m4 curl-gnutls.m4 curl-mbedtls.m4 curl-openssl.m4 curl-override.m4 curl-reentrant.m4 curl-rustls.m4 curl-schannel.m4 curl-sysconfig.m4 curl-wolfssl.m4 xc-am-iface.m4 xc-cc-check.m4 xc-lt-iface.m4 xc-val-flgs.m4 zz40-xc-ovr.m4 zz50-xc-ovr.m4projects
OS400
.checksrc README.OS400 ccsidcurl.c ccsidcurl.h config400.default curl.cmd curl.inc.in curlcl.c curlmain.c initscript.sh make-docs.sh make-include.sh make-lib.sh make-src.sh make-tests.sh makefile.sh os400sys.c os400sys.hWindows
tmpl
.gitattributes README.txt curl-all.sln curl.sln curl.vcxproj curl.vcxproj.filters libcurl.sln libcurl.vcxproj libcurl.vcxproj.filtersvms
Makefile.am backup_gnv_curl_src.com build_curl-config_script.com build_gnv_curl.com build_gnv_curl_pcsi_desc.com build_gnv_curl_pcsi_text.com build_gnv_curl_release_notes.com build_libcurl_pc.com build_vms.com clean_gnv_curl.com compare_curl_source.com config_h.com curl_crtl_init.c curl_gnv_build_steps.txt curl_release_note_start.txt curl_startup.com curlmsg.h curlmsg.msg curlmsg.sdl curlmsg_vms.h generate_config_vms_h_curl.com generate_vax_transfer.com gnv_conftest.c_first gnv_curl_configure.sh gnv_libcurl_symbols.opt gnv_link_curl.com macro32_exactcase.patch make_gnv_curl_install.sh make_pcsi_curl_kit_name.com pcsi_gnv_curl_file_list.txt pcsi_product_gnv_curl.com readme report_openssl_version.c setup_gnv_curl_build.com stage_curl_install.com vms_eco_level.hscripts
.checksrc CMakeLists.txt Makefile.am badwords badwords-all badwords.txt cd2cd cd2nroff cdall checksrc-all.pl checksrc.pl cmakelint.sh completion.pl contributors.sh contrithanks.sh coverage.sh delta dmaketgz extract-unit-protos firefox-db2pem.sh installcheck.sh maketgz managen mdlinkcheck mk-ca-bundle.pl mk-unity.pl nroff2cd perlcheck.sh pythonlint.sh randdisable release-notes.pl release-tools.sh schemetable.c singleuse.pl spacecheck.pl top-complexity top-length verify-release wcurlsrc
.checksrc .gitignore CMakeLists.txt Makefile.am Makefile.inc config2setopts.c config2setopts.h curl.rc curlinfo.c mk-file-embed.pl mkhelp.pl slist_wc.c slist_wc.h terminal.c terminal.h tool_cb_dbg.c tool_cb_dbg.h tool_cb_hdr.c tool_cb_hdr.h tool_cb_prg.c tool_cb_prg.h tool_cb_rea.c tool_cb_rea.h tool_cb_see.c tool_cb_see.h tool_cb_soc.c tool_cb_soc.h tool_cb_wrt.c tool_cb_wrt.h tool_cfgable.c tool_cfgable.h tool_dirhie.c tool_dirhie.h tool_doswin.c tool_doswin.h tool_easysrc.c tool_easysrc.h tool_filetime.c tool_filetime.h tool_findfile.c tool_findfile.h tool_formparse.c tool_formparse.h tool_getparam.c tool_getparam.h tool_getpass.c tool_getpass.h tool_help.c tool_help.h tool_helpers.c tool_helpers.h tool_hugehelp.h tool_ipfs.c tool_ipfs.h tool_libinfo.c tool_libinfo.h tool_listhelp.c tool_main.c tool_main.h tool_msgs.c tool_msgs.h tool_operate.c tool_operate.h tool_operhlp.c tool_operhlp.h tool_paramhlp.c tool_paramhlp.h tool_parsecfg.c tool_parsecfg.h tool_progress.c tool_progress.h tool_sdecls.h tool_setopt.c tool_setopt.h tool_setup.h tool_ssls.c tool_ssls.h tool_stderr.c tool_stderr.h tool_urlglob.c tool_urlglob.h tool_util.c tool_util.h tool_version.h tool_vms.c tool_vms.h tool_writeout.c tool_writeout.h tool_writeout_json.c tool_writeout_json.h tool_xattr.c tool_xattr.h var.c var.htests
certs
.gitignore CMakeLists.txt Makefile.am Makefile.inc genserv.pl srp-verifier-conf srp-verifier-db test-ca.cnf test-ca.prm test-client-cert.prm test-client-eku-only.prm test-localhost-san-first.prm test-localhost-san-last.prm test-localhost.nn.prm test-localhost.prm test-localhost0h.prmdata
.gitignore DISABLED Makefile.am data-xml1 data1400.c data1401.c data1402.c data1403.c data1404.c data1405.c data1406.c data1407.c data1420.c data1461.txt data1463.txt data1465.c data1481.c data1705-1.md data1705-2.md data1705-3.md data1705-4.md data1705-stdout.1 data1706-1.md data1706-2.md data1706-3.md data1706-4.md data1706-stdout.txt data320.html test1 test10 test100 test1000 test1001 test1002 test1003 test1004 test1005 test1006 test1007 test1008 test1009 test101 test1010 test1011 test1012 test1013 test1014 test1015 test1016 test1017 test1018 test1019 test102 test1020 test1021 test1022 test1023 test1024 test1025 test1026 test1027 test1028 test1029 test103 test1030 test1031 test1032 test1033 test1034 test1035 test1036 test1037 test1038 test1039 test104 test1040 test1041 test1042 test1043 test1044 test1045 test1046 test1047 test1048 test1049 test105 test1050 test1051 test1052 test1053 test1054 test1055 test1056 test1057 test1058 test1059 test106 test1060 test1061 test1062 test1063 test1064 test1065 test1066 test1067 test1068 test1069 test107 test1070 test1071 test1072 test1073 test1074 test1075 test1076 test1077 test1078 test1079 test108 test1080 test1081 test1082 test1083 test1084 test1085 test1086 test1087 test1088 test1089 test109 test1090 test1091 test1092 test1093 test1094 test1095 test1096 test1097 test1098 test1099 test11 test110 test1100 test1101 test1102 test1103 test1104 test1105 test1106 test1107 test1108 test1109 test111 test1110 test1111 test1112 test1113 test1114 test1115 test1116 test1117 test1118 test1119 test112 test1120 test1121 test1122 test1123 test1124 test1125 test1126 test1127 test1128 test1129 test113 test1130 test1131 test1132 test1133 test1134 test1135 test1136 test1137 test1138 test1139 test114 test1140 test1141 test1142 test1143 test1144 test1145 test1146 test1147 test1148 test1149 test115 test1150 test1151 test1152 test1153 test1154 test1155 test1156 test1157 test1158 test1159 test116 test1160 test1161 test1162 test1163 test1164 test1165 test1166 test1167 test1168 test1169 test117 test1170 test1171 test1172 test1173 test1174 test1175 test1176 test1177 test1178 test1179 test118 test1180 test1181 test1182 test1183 test1184 test1185 test1186 test1187 test1188 test1189 test119 test1190 test1191 test1192 test1193 test1194 test1195 test1196 test1197 test1198 test1199 test12 test120 test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 test1208 test1209 test121 test1210 test1211 test1212 test1213 test1214 test1215 test1216 test1217 test1218 test1219 test122 test1220 test1221 test1222 test1223 test1224 test1225 test1226 test1227 test1228 test1229 test123 test1230 test1231 test1232 test1233 test1234 test1235 test1236 test1237 test1238 test1239 test124 test1240 test1241 test1242 test1243 test1244 test1245 test1246 test1247 test1248 test1249 test125 test1250 test1251 test1252 test1253 test1254 test1255 test1256 test1257 test1258 test1259 test126 test1260 test1261 test1262 test1263 test1264 test1265 test1266 test1267 test1268 test1269 test127 test1270 test1271 test1272 test1273 test1274 test1275 test1276 test1277 test1278 test1279 test128 test1280 test1281 test1282 test1283 test1284 test1285 test1286 test1287 test1288 test1289 test129 test1290 test1291 test1292 test1293 test1294 test1295 test1296 test1297 test1298 test1299 test13 test130 test1300 test1301 test1302 test1303 test1304 test1305 test1306 test1307 test1308 test1309 test131 test1310 test1311 test1312 test1313 test1314 test1315 test1316 test1317 test1318 test1319 test132 test1320 test1321 test1322 test1323 test1324 test1325 test1326 test1327 test1328 test1329 test133 test1330 test1331 test1332 test1333 test1334 test1335 test1336 test1337 test1338 test1339 test134 test1340 test1341 test1342 test1343 test1344 test1345 test1346 test1347 test1348 test1349 test135 test1350 test1351 test1352 test1353 test1354 test1355 test1356 test1357 test1358 test1359 test136 test1360 test1361 test1362 test1363 test1364 test1365 test1366 test1367 test1368 test1369 test137 test1370 test1371 test1372 test1373 test1374 test1375 test1376 test1377 test1378 test1379 test138 test1380 test1381 test1382 test1383 test1384 test1385 test1386 test1387 test1388 test1389 test139 test1390 test1391 test1392 test1393 test1394 test1395 test1396 test1397 test1398 test1399 test14 test140 test1400 test1401 test1402 test1403 test1404 test1405 test1406 test1407 test1408 test1409 test141 test1410 test1411 test1412 test1413 test1414 test1415 test1416 test1417 test1418 test1419 test142 test1420 test1421 test1422 test1423 test1424 test1425 test1426 test1427 test1428 test1429 test143 test1430 test1431 test1432 test1433 test1434 test1435 test1436 test1437 test1438 test1439 test144 test1440 test1441 test1442 test1443 test1444 test1445 test1446 test1447 test1448 test1449 test145 test1450 test1451 test1452 test1453 test1454 test1455 test1456 test1457 test1458 test1459 test146 test1460 test1461 test1462 test1463 test1464 test1465 test1466 test1467 test1468 test1469 test147 test1470 test1471 test1472 test1473 test1474 test1475 test1476 test1477 test1478 test1479 test148 test1480 test1481 test1482 test1483 test1484 test1485 test1486 test1487 test1488 test1489 test149 test1490 test1491 test1492 test1493 test1494 test1495 test1496 test1497 test1498 test1499 test15 test150 test1500 test1501 test1502 test1503 test1504 test1505 test1506 test1507 test1508 test1509 test151 test1510 test1511 test1512 test1513 test1514 test1515 test1516 test1517 test1518 test1519 test152 test1520 test1521 test1522 test1523 test1524 test1525 test1526 test1527 test1528 test1529 test153 test1530 test1531 test1532 test1533 test1534 test1535 test1536 test1537 test1538 test1539 test154 test1540 test1541 test1542 test1543 test1544 test1545 test1546 test1547 test1548 test1549 test155 test1550 test1551 test1552 test1553 test1554 test1555 test1556 test1557 test1558 test1559 test156 test1560 test1561 test1562 test1563 test1564 test1565 test1566 test1567 test1568 test1569 test157 test1570 test1571 test1572 test1573 test1574 test1575 test1576 test1577 test1578 test1579 test158 test1580 test1581 test1582 test1583 test1584 test1585 test1586 test1587 test1588 test1589 test159 test1590 test1591 test1592 test1593 test1594 test1595 test1596 test1597 test1598 test1599 test16 test160 test1600 test1601 test1602 test1603 test1604 test1605 test1606 test1607 test1608 test1609 test161 test1610 test1611 test1612 test1613 test1614 test1615 test1616 test1617 test1618 test1619 test162 test1620 test1621 test1622 test1623 test1624 test1625 test1626 test1627 test1628 test1629 test163 test1630 test1631 test1632 test1633 test1634 test1635 test1636 test1637 test1638 test1639 test164 test1640 test1641 test1642 test1643 test1644 test1645 test165 test1650 test1651 test1652 test1653 test1654 test1655 test1656 test1657 test1658 test1659 test166 test1660 test1661 test1662 test1663 test1664 test1665 test1666 test1667 test1668 test1669 test167 test1670 test1671 test1672 test1673 test1674 test1675 test1676 test168 test1680 test1681 test1682 test1683 test1684 test1685 test169 test17 test170 test1700 test1701 test1702 test1703 test1704 test1705 test1706 test1707 test1708 test1709 test171 test1710 test1711 test1712 test1713 test1714 test1715 test172 test1720 test1721 test173 test174 test175 test176 test177 test178 test179 test18 test180 test1800 test1801 test1802 test181 test182 test183 test184 test1847 test1848 test1849 test185 test1850 test1851 test186 test187 test188 test189 test19 test190 test1900 test1901 test1902 test1903 test1904 test1905 test1906 test1907 test1908 test1909 test191 test1910 test1911 test1912 test1913 test1914 test1915 test1916 test1917 test1918 test1919 test192 test1920 test1921 test193 test1933 test1934 test1935 test1936 test1937 test1938 test1939 test194 test1940 test1941 test1942 test1943 test1944 test1945 test1946 test1947 test1948 test195 test1955 test1956 test1957 test1958 test1959 test196 test1960 test1964 test1965 test1966 test197 test1970 test1971 test1972 test1973 test1974 test1975 test1976 test1977 test1978 test1979 test198 test1980 test1981 test1982 test1983 test1984 test199 test2 test20 test200 test2000 test2001 test2002 test2003 test2004 test2005 test2006 test2007 test2008 test2009 test201 test2010 test2011 test2012 test2013 test2014 test202 test2023 test2024 test2025 test2026 test2027 test2028 test2029 test203 test2030 test2031 test2032 test2033 test2034 test2035 test2037 test2038 test2039 test204 test2040 test2041 test2042 test2043 test2044 test2045 test2046 test2047 test2048 test2049 test205 test2050 test2051 test2052 test2053 test2054 test2055 test2056 test2057 test2058 test2059 test206 test2060 test2061 test2062 test2063 test2064 test2065 test2066 test2067 test2068 test2069 test207 test2070 test2071 test2072 test2073 test2074 test2075 test2076 test2077 test2078 test2079 test208 test2080 test2081 test2082 test2083 test2084 test2085 test2086 test2087 test2088 test2089 test209 test2090 test2091 test2092 test21 test210 test2100 test2101 test2102 test2103 test2104 test211 test212 test213 test214 test215 test216 test217 test218 test219 test22 test220 test2200 test2201 test2202 test2203 test2204 test2205 test2206 test2207 test221 test222 test223 test224 test225 test226 test227 test228 test229 test23 test230 test2300 test2301 test2302 test2303 test2304 test2306 test2307 test2308 test2309 test231 test232 test233 test234 test235 test236 test237 test238 test239 test24 test240 test2400 test2401 test2402 test2403 test2404 test2405 test2406 test2407 test2408 test2409 test241 test2410 test2411 test242 test243 test244 test245 test246 test247 test248 test249 test25 test250 test2500 test2501 test2502 test2503 test2504 test2505 test2506 test251 test252 test253 test254 test255 test256 test257 test258 test259 test26 test260 test2600 test2601 test2602 test2603 test2604 test2605 test261 test262 test263 test264 test265 test266 test267 test268 test269 test27 test270 test2700 test2701 test2702 test2703 test2704 test2705 test2706 test2707 test2708 test2709 test271 test2710 test2711 test2712 test2713 test2714 test2715 test2716 test2717 test2718 test2719 test272 test2720 test2721 test2722 test2723 test273 test274 test275 test276 test277 test278 test279 test28 test280 test281 test282 test283 test284 test285 test286 test287 test288 test289 test29 test290 test291 test292 test293 test294 test295 test296 test297 test298 test299 test3 test30 test300 test3000 test3001 test3002 test3003 test3004 test3005 test3006 test3007 test3008 test3009 test301 test3010 test3011 test3012 test3013 test3014 test3015 test3016 test3017 test3018 test3019 test302 test3020 test3021 test3022 test3023 test3024 test3025 test3026 test3027 test3028 test3029 test303 test3030 test3031 test3032 test3033 test3034 test3035 test3036 test304 test305 test306 test307 test308 test309 test31 test310 test3100 test3101 test3102 test3103 test3104 test3105 test3106 test311 test312 test313 test314 test315 test316 test317 test318 test319 test32 test320 test3200 test3201 test3202 test3203 test3204 test3205 test3206 test3207 test3208 test3209 test321 test3210 test3211 test3212 test3213 test3214 test3215 test3216 test3217 test3218 test3219 test322 test3220 test323 test324 test325 test326 test327 test328 test329 test33 test330 test3300 test3301 test3302 test331 test332 test333 test334 test335 test336 test337 test338 test339 test34 test340 test341 test342 test343 test344 test345 test346 test347 test348 test349 test35 test350 test351 test352 test353 test354 test355 test356 test357 test358 test359 test36 test360 test361 test362 test363 test364 test365 test366 test367 test368 test369 test37 test370 test371 test372 test373 test374 test375 test376 test378 test379 test38 test380 test381 test383 test384 test385 test386 test387 test388 test389 test39 test390 test391 test392 test393 test394 test395 test396 test397 test398 test399 test4 test40 test400 test4000 test4001 test401 test402 test403 test404 test405 test406 test407 test408 test409 test41 test410 test411 test412 test413 test414 test415 test416 test417 test418 test419 test42 test420 test421 test422 test423 test424 test425 test426 test427 test428 test429 test43 test430 test431 test432 test433 test434 test435 test436 test437 test438 test439 test44 test440 test441 test442 test443 test444 test445 test446 test447 test448 test449 test45 test450 test451 test452 test453 test454 test455 test456 test457 test458 test459 test46 test460 test461 test462 test463 test467 test468 test469 test47 test470 test471 test472 test473 test474 test475 test476 test477 test478 test479 test48 test480 test481 test482 test483 test484 test485 test486 test487 test488 test489 test49 test490 test491 test492 test493 test494 test495 test496 test497 test498 test499 test5 test50 test500 test501 test502 test503 test504 test505 test506 test507 test508 test509 test51 test510 test511 test512 test513 test514 test515 test516 test517 test518 test519 test52 test520 test521 test522 test523 test524 test525 test526 test527 test528 test529 test53 test530 test531 test532 test533 test534 test535 test536 test537 test538 test539 test54 test540 test541 test542 test543 test544 test545 test546 test547 test548 test549 test55 test550 test551 test552 test553 test554 test555 test556 test557 test558 test559 test56 test560 test561 test562 test563 test564 test565 test566 test567 test568 test569 test57 test570 test571 test572 test573 test574 test575 test576 test577 test578 test579 test58 test580 test581 test582 test583 test584 test585 test586 test587 test588 test589 test59 test590 test591 test592 test593 test594 test595 test596 test597 test598 test599 test6 test60 test600 test601 test602 test603 test604 test605 test606 test607 test608 test609 test61 test610 test611 test612 test613 test614 test615 test616 test617 test618 test619 test62 test620 test621 test622 test623 test624 test625 test626 test627 test628 test629 test63 test630 test631 test632 test633 test634 test635 test636 test637 test638 test639 test64 test640 test641 test642 test643 test644 test645 test646 test647 test648 test649 test65 test650 test651 test652 test653 test654 test655 test656 test658 test659 test66 test660 test661 test662 test663 test664 test665 test666 test667 test668 test669 test67 test670 test671 test672 test673 test674 test675 test676 test677 test678 test679 test68 test680 test681 test682 test683 test684 test685 test686 test687 test688 test689 test69 test690 test691 test692 test693 test694 test695 test696 test697 test698 test699 test7 test70 test700 test701 test702 test703 test704 test705 test706 test707 test708 test709 test71 test710 test711 test712 test713 test714 test715 test716 test717 test718 test719 test72 test720 test721 test722 test723 test724 test725 test726 test727 test728 test729 test73 test730 test731 test732 test733 test734 test735 test736 test737 test738 test739 test74 test740 test741 test742 test743 test744 test745 test746 test747 test748 test749 test75 test750 test751 test752 test753 test754 test755 test756 test757 test758 test759 test76 test760 test761 test762 test763 test764 test765 test766 test767 test768 test769 test77 test770 test771 test772 test773 test774 test775 test776 test777 test778 test779 test78 test780 test781 test782 test783 test784 test785 test786 test787 test788 test789 test79 test790 test791 test792 test793 test794 test795 test796 test797 test798 test799 test8 test80 test800 test801 test802 test803 test804 test805 test806 test807 test808 test809 test81 test810 test811 test812 test813 test814 test815 test816 test817 test818 test819 test82 test820 test821 test822 test823 test824 test825 test826 test827 test828 test829 test83 test830 test831 test832 test833 test834 test835 test836 test837 test838 test839 test84 test840 test841 test842 test843 test844 test845 test846 test847 test848 test849 test85 test850 test851 test852 test853 test854 test855 test856 test857 test858 test859 test86 test860 test861 test862 test863 test864 test865 test866 test867 test868 test869 test87 test870 test871 test872 test873 test874 test875 test876 test877 test878 test879 test88 test880 test881 test882 test883 test884 test885 test886 test887 test888 test889 test89 test890 test891 test892 test893 test894 test895 test896 test897 test898 test899 test9 test90 test900 test901 test902 test903 test904 test905 test906 test907 test908 test909 test91 test910 test911 test912 test913 test914 test915 test916 test917 test918 test919 test92 test920 test921 test922 test923 test924 test925 test926 test927 test928 test929 test93 test930 test931 test932 test933 test934 test935 test936 test937 test938 test939 test94 test940 test941 test942 test943 test944 test945 test946 test947 test948 test949 test95 test950 test951 test952 test953 test954 test955 test956 test957 test958 test959 test96 test960 test961 test962 test963 test964 test965 test966 test967 test968 test969 test97 test970 test971 test972 test973 test974 test975 test976 test977 test978 test979 test98 test980 test981 test982 test983 test984 test985 test986 test987 test988 test989 test99 test990 test991 test992 test993 test994 test995 test996 test997 test998 test999http
testenv
__init__.py caddy.py certs.py client.py curl.py dante.py dnsd.py env.py httpd.py nghttpx.py ports.py sshd.py vsftpd.py ws_echo_server.pylibtest
.gitignore CMakeLists.txt Makefile.am Makefile.inc cli_ftp_upload.c cli_h2_pausing.c cli_h2_serverpush.c cli_h2_upgrade_extreme.c cli_hx_download.c cli_hx_upload.c cli_tls_session_reuse.c cli_upload_pausing.c cli_ws_data.c cli_ws_pingpong.c first.c first.h lib1156.c lib1301.c lib1308.c lib1485.c lib1500.c lib1501.c lib1502.c lib1506.c lib1507.c lib1508.c lib1509.c lib1510.c lib1511.c lib1512.c lib1513.c lib1514.c lib1515.c lib1517.c lib1518.c lib1520.c lib1522.c lib1523.c lib1525.c lib1526.c lib1527.c lib1528.c lib1529.c lib1530.c lib1531.c lib1532.c lib1533.c lib1534.c lib1535.c lib1536.c lib1537.c lib1538.c lib1540.c lib1541.c lib1542.c lib1545.c lib1549.c lib1550.c lib1551.c lib1552.c lib1553.c lib1554.c lib1555.c lib1556.c lib1557.c lib1558.c lib1559.c lib1560.c lib1564.c lib1565.c lib1567.c lib1568.c lib1569.c lib1571.c lib1576.c lib1582.c lib1587.c lib1588.c lib1589.c lib1591.c lib1592.c lib1593.c lib1594.c lib1597.c lib1598.c lib1599.c lib1662.c lib1900.c lib1901.c lib1902.c lib1903.c lib1905.c lib1906.c lib1907.c lib1908.c lib1910.c lib1911.c lib1912.c lib1913.c lib1915.c lib1916.c lib1918.c lib1919.c lib1920.c lib1921.c lib1933.c lib1934.c lib1935.c lib1936.c lib1937.c lib1938.c lib1939.c lib1940.c lib1945.c lib1947.c lib1948.c lib1955.c lib1956.c lib1957.c lib1958.c lib1959.c lib1960.c lib1964.c lib1965.c lib1970.c lib1971.c lib1972.c lib1973.c lib1974.c lib1975.c lib1977.c lib1978.c lib2023.c lib2032.c lib2082.c lib2301.c lib2302.c lib2304.c lib2306.c lib2308.c lib2309.c lib2402.c lib2404.c lib2405.c lib2502.c lib2504.c lib2505.c lib2506.c lib2700.c lib3010.c lib3025.c lib3026.c lib3027.c lib3033.c lib3034.c lib3100.c lib3101.c lib3102.c lib3103.c lib3104.c lib3105.c lib3207.c lib3208.c lib500.c lib501.c lib502.c lib503.c lib504.c lib505.c lib506.c lib507.c lib508.c lib509.c lib510.c lib511.c lib512.c lib513.c lib514.c lib515.c lib516.c lib517.c lib518.c lib519.c lib520.c lib521.c lib523.c lib524.c lib525.c lib526.c lib530.c lib533.c lib536.c lib537.c lib539.c lib540.c lib541.c lib542.c lib543.c lib544.c lib547.c lib549.c lib552.c lib553.c lib554.c lib555.c lib556.c lib557.c lib558.c lib559.c lib560.c lib562.c lib564.c lib566.c lib567.c lib568.c lib569.c lib570.c lib571.c lib572.c lib573.c lib574.c lib575.c lib576.c lib578.c lib579.c lib582.c lib583.c lib586.c lib589.c lib590.c lib591.c lib597.c lib598.c lib599.c lib643.c lib650.c lib651.c lib652.c lib653.c lib654.c lib655.c lib658.c lib659.c lib661.c lib666.c lib667.c lib668.c lib670.c lib674.c lib676.c lib677.c lib678.c lib694.c lib695.c lib751.c lib753.c lib757.c lib758.c lib766.c memptr.c mk-lib1521.pl test1013.pl test1022.pl test307.pl test610.pl test613.pl testtrace.c testtrace.h testutil.c testutil.h unitcheck.hserver
.checksrc .gitignore CMakeLists.txt Makefile.am Makefile.inc dnsd.c first.c first.h getpart.c mqttd.c resolve.c rtspd.c sockfilt.c socksd.c sws.c tftpd.c util.ctunit
.gitignore CMakeLists.txt Makefile.am Makefile.inc README.md tool1394.c tool1604.c tool1621.c tool1622.c tool1623.c tool1720.cunit
.gitignore CMakeLists.txt Makefile.am Makefile.inc README.md unit1300.c unit1302.c unit1303.c unit1304.c unit1305.c unit1307.c unit1309.c unit1323.c unit1330.c unit1395.c unit1396.c unit1397.c unit1398.c unit1399.c unit1600.c unit1601.c unit1602.c unit1603.c unit1605.c unit1606.c unit1607.c unit1608.c unit1609.c unit1610.c unit1611.c unit1612.c unit1614.c unit1615.c unit1616.c unit1620.c unit1625.c unit1626.c unit1627.c unit1636.c unit1650.c unit1651.c unit1652.c unit1653.c unit1654.c unit1655.c unit1656.c unit1657.c unit1658.c unit1660.c unit1661.c unit1663.c unit1664.c unit1666.c unit1667.c unit1668.c unit1669.c unit1674.c unit1675.c unit1676.c unit1979.c unit1980.c unit2600.c unit2601.c unit2602.c unit2603.c unit2604.c unit2605.c unit3200.c unit3205.c unit3211.c unit3212.c unit3213.c unit3214.c unit3216.c unit3219.c unit3300.c unit3301.c unit3302.cexamples
.env config.ini crypto_test.lua env_test.lua fs_example.lua http_server.lua https_test.lua ini_example.lua json.lua log.lua path_fs_example.lua process_example.lua request_download.lua request_test.lua run_all.lua sqlite_example.lua sqlite_http_template.lua stash_test.lua template_test.lua timer.lua websocket.luainiparser
example
iniexample.c iniwrite.c parse.c twisted-errors.ini twisted-genhuge.py twisted-ofkey.ini twisted-ofval.ini twisted.initest
CMakeLists.txt test_dictionary.c test_iniparser.c unity-config.yml unity_config.hjinjac
libjinjac
src
CMakeLists.txt ast.c ast.h block_statement.c block_statement.h buffer.c buffer.h buildin.c buildin.h common.h convert.c convert.h flex_decl.h jfunction.c jfunction.h jinja_expression.l jinja_expression.y jinjac_parse.c jinjac_parse.h jinjac_stream.c jinjac_stream.h jlist.c jlist.h jobject.c jobject.h parameter.c parameter.h str_obj.c str_obj.h trace.c trace.htest
.gitignore CMakeLists.txt autotest.rb test_01.expected test_01.jinja test_01b.expected test_01b.jinja test_01c.expected test_01c.jinja test_01d.expected test_01d.jinja test_02.expected test_02.jinja test_03.expected test_03.jinja test_04.expected test_04.jinja test_05.expected test_05.jinja test_06.expected test_06.jinja test_07.expected test_07.jinja test_08.expected test_08.jinja test_08b.expected test_08b.jinja test_09.expected test_09.jinja test_10.expected test_10.jinja test_11.expected test_11.jinja test_12.expected test_12.jinja test_13.expected test_13.jinja test_14.expected test_14.jinja test_15.expected test_15.jinja test_16.expected test_16.jinja test_17.expected test_17.jinja test_18.expected test_18.jinja test_18b.expected test_18b.jinja test_18c.expected test_18c.jinja test_19.expected test_19.jinja test_19b.expected test_19b.jinja test_19c.expected test_19c.jinja test_19d.expected test_19d.jinja test_19e.expected test_19e.jinja test_19f.expected test_19f.jinja test_20.expected test_20.jinja test_21.expected test_21.jinja test_22.expected test_22.jinja test_22a.expected test_22a.jinja test_22b.expected test_22b.jinja test_23.expected test_23.jinja test_24.expected test_24.jinjalibev
Changes LICENSE Makefile Makefile.am Makefile.in README Symbols.ev Symbols.event aclocal.m4 autogen.sh compile config.guess config.h config.h.in config.status config.sub configure configure.ac depcomp ev++.h ev.3 ev.c ev.h ev.pod ev_epoll.c ev_kqueue.c ev_poll.c ev_port.c ev_select.c ev_vars.h ev_win32.c ev_wrap.h event.c event.h install-sh libev.m4 libtool ltmain.sh missing mkinstalldirs stamp-h1luajit
doc
bluequad-print.css bluequad.css contact.html ext_buffer.html ext_c_api.html ext_ffi.html ext_ffi_api.html ext_ffi_semantics.html ext_ffi_tutorial.html ext_jit.html ext_profiler.html extensions.html install.html luajit.html running.html
dynasm
dasm_arm.h dasm_arm.lua dasm_arm64.h dasm_arm64.lua dasm_mips.h dasm_mips.lua dasm_mips64.lua dasm_ppc.h dasm_ppc.lua dasm_proto.h dasm_x64.lua dasm_x86.h dasm_x86.lua dynasm.luasrc
host
.gitignore README buildvm.c buildvm.h buildvm_asm.c buildvm_fold.c buildvm_lib.c buildvm_libbc.h buildvm_peobj.c genlibbc.lua genminilua.lua genversion.lua minilua.cjit
.gitignore bc.lua bcsave.lua dis_arm.lua dis_arm64.lua dis_arm64be.lua dis_mips.lua dis_mips64.lua dis_mips64el.lua dis_mips64r6.lua dis_mips64r6el.lua dis_mipsel.lua dis_ppc.lua dis_x64.lua dis_x86.lua dump.lua p.lua v.lua zone.luawolfssl
.github
workflows
ada.yml arduino.yml async-examples.yml async.yml atecc608-sim.yml bind.yml cmake-autoconf.yml cmake.yml codespell.yml coverity-scan-fixes.yml cryptocb-only.yml curl.yml cyrus-sasl.yml disable-pk-algs.yml docker-Espressif.yml docker-OpenWrt.yml emnet-nonblock.yml fil-c.yml freertos-mem-track.yml gencertbuf.yml grpc.yml haproxy.yml hostap-vm.yml intelasm-c-fallback.yml ipmitool.yml jwt-cpp.yml krb5.yml libspdm.yml libssh2.yml libvncserver.yml linuxkm.yml macos-apple-native-cert-validation.yml mbedtls.sh mbedtls.yml membrowse-comment.yml membrowse-onboard.yml membrowse-report.yml memcached.sh memcached.yml mono.yml mosquitto.yml msmtp.yml msys2.yml multi-arch.yml multi-compiler.yml net-snmp.yml nginx.yml no-malloc.yml no-tls.yml nss.sh nss.yml ntp.yml ocsp.yml openldap.yml openssh.yml openssl-ech.yml opensslcoexist.yml openvpn.yml os-check.yml packaging.yml pam-ipmi.yml pq-all.yml pr-commit-check.yml psk.yml puf.yml python.yml rng-tools.yml rust-wrapper.yml se050-sim.yml smallStackSize.yml socat.yml softhsm.yml sssd.yml stm32-sim.yml stsafe-a120-sim.yml stunnel.yml symbol-prefixes.yml threadx.yml tls-anvil.yml trackmemory.yml watcomc.yml win-csharp-test.yml wolfCrypt-Wconversion.yml wolfboot-integration.yml wolfsm.yml xcode.yml zephyr-4.x.yml zephyr.ymlIDE
ARDUINO
Arduino_README_prepend.md README.md include.am keywords.txt library.properties.template wolfssl-arduino.cpp wolfssl-arduino.sh wolfssl.hECLIPSE
Espressif
ESP-IDF
examples
template
CMakeLists.txt Makefile README.md partitions_singleapp_large.csv sdkconfig.defaults sdkconfig.defaults.esp8266wolfssl_benchmark
VisualGDB
wolfssl_benchmark_IDF_v4.4_ESP32.sln wolfssl_benchmark_IDF_v4.4_ESP32.vgdbproj wolfssl_benchmark_IDF_v5_ESP32.sln wolfssl_benchmark_IDF_v5_ESP32.vgdbproj wolfssl_benchmark_IDF_v5_ESP32C3.sln wolfssl_benchmark_IDF_v5_ESP32C3.vgdbproj wolfssl_benchmark_IDF_v5_ESP32S3.sln wolfssl_benchmark_IDF_v5_ESP32S3.vgdbprojwolfssl_client
CMakeLists.txt Makefile README.md README_server_sm.md partitions_singleapp_large.csv sdkconfig.defaults sdkconfig.defaults.esp32c2 sdkconfig.defaults.esp8266 wolfssl_client_ESP8266.vgdbprojwolfssl_server
CMakeLists.txt Makefile README.md README_server_sm.md partitions_singleapp_large.csv sdkconfig.defaults sdkconfig.defaults.esp32c2 sdkconfig.defaults.esp8266 wolfssl_server_ESP8266.vgdbprojwolfssl_test
VisualGDB
wolfssl_test-IDF_v5_ESP32.sln wolfssl_test-IDF_v5_ESP32.vgdbproj wolfssl_test-IDF_v5_ESP32C3.sln wolfssl_test-IDF_v5_ESP32C3.vgdbproj wolfssl_test-IDF_v5_ESP32C6.sln wolfssl_test-IDF_v5_ESP32C6.vgdbproj wolfssl_test_IDF_v5_ESP32S3.sln wolfssl_test_IDF_v5_ESP32S3.vgdbprojGCC-ARM
Makefile Makefile.bench Makefile.client Makefile.common Makefile.server Makefile.static Makefile.test README.md include.am linker.ld linker_fips.ldIAR-EWARM
embOS
SAMV71_XULT
embOS_SAMV71_XULT_user_settings
user_settings.h user_settings_simple_example.h user_settings_verbose_example.hembOS_wolfcrypt_benchmark_SAMV71_XULT
README_wolfcrypt_benchmark wolfcrypt_benchmark.ewd wolfcrypt_benchmark.ewpINTIME-RTOS
Makefile README.md include.am libwolfssl.c libwolfssl.vcxproj user_settings.h wolfExamples.c wolfExamples.h wolfExamples.sln wolfExamples.vcxproj wolfssl-lib.sln wolfssl-lib.vcxprojMQX
Makefile README-jp.md README.md client-tls.c include.am server-tls.c user_config.h user_settings.hMSVS-2019-AZSPHERE
wolfssl_new_azsphere
.gitignore CMakeLists.txt CMakeSettings.json app_manifest.json applibs_versions.h launch.vs.json main.cNETOS
Makefile.wolfcrypt.inc README.md include.am user_settings.h user_settings.h-cert2425 user_settings.h-cert3389 wolfssl_netos_custom.cPlatformIO
examples
wolfssl_benchmark
CMakeLists.txt README.md platformio.ini sdkconfig.defaults wolfssl_benchmark.code-workspaceROWLEY-CROSSWORKS-ARM
Kinetis_FlashPlacement.xml README.md arm_startup.c benchmark_main.c hw.h include.am kinetis_hw.c retarget.c test_main.c user_settings.h wolfssl.hzp wolfssl_ltc.hzpRenesas
e2studio
RA6M3
README.md README_APRA6M_en.md README_APRA6M_jp.md include.amRX72N
EnvisionKit
Simple
README_EN.md README_JP.mdwolfssl_demo
key_data.c key_data.h user_settings.h wolfssl_demo.c wolfssl_demo.h wolfssl_tsip_unit_test.cSTM32Cube
README.md STM32_Benchmarks.md default_conf.ftl include.am main.c wolfssl_example.c wolfssl_example.hWIN
README.txt include.am test.vcxproj user_settings.h user_settings_dtls.h wolfssl-fips.sln wolfssl-fips.vcxprojWIN-SRTP-KDF-140-3
README.txt include.am resource.h test.vcxproj user_settings.h wolfssl-fips.rc wolfssl-fips.sln wolfssl-fips.vcxprojWIN10
README.txt include.am resource.h test.vcxproj user_settings.h wolfssl-fips.rc wolfssl-fips.sln wolfssl-fips.vcxprojXCODE
Benchmark
include.amXilinxSDK
README.md bench.sh combine.sh eclipse_formatter_profile.xml graph.sh include.am user_settings.h wolfssl_example.capple-universal
wolfssl-multiplatform
iotsafe
Makefile README.md ca-cert.c devices.c devices.h include.am main.c memory-tls.c startup.c target.ld user_settings.hmynewt
README.md apps.wolfcrypttest.pkg.yml crypto.wolfssl.pkg.yml crypto.wolfssl.syscfg.yml include.am setup.shcerts
1024
ca-cert.der ca-cert.pem ca-key.der ca-key.pem client-cert.der client-cert.pem client-key.der client-key.pem client-keyPub.der dh1024.der dh1024.pem dsa-pub-1024.pem dsa1024.der dsa1024.pem include.am rsa1024.der server-cert.der server-cert.pem server-key.der server-key.pemcrl
extra-crls
ca-int-cert-revoked.pem claim-root.pem crl_critical_entry.pem crlnum_57oct.pem crlnum_64oct.pem general-server-crl.pem large_crlnum.pem large_crlnum2.pemdilithium
bench_dilithium_level2_key.der bench_dilithium_level3_key.der bench_dilithium_level5_key.der include.amecc
bp256r1-key.der bp256r1-key.pem ca-secp256k1-cert.pem ca-secp256k1-key.pem client-bp256r1-cert.der client-bp256r1-cert.pem client-secp256k1-cert.der client-secp256k1-cert.pem genecc.sh include.am secp256k1-key.der secp256k1-key.pem secp256k1-param.pem secp256k1-privkey.der secp256k1-privkey.pem server-bp256r1-cert.der server-bp256r1-cert.pem server-secp256k1-cert.der server-secp256k1-cert.pem server2-secp256k1-cert.der server2-secp256k1-cert.pem wolfssl.cnf wolfssl_384.cnfed25519
ca-ed25519-key.der ca-ed25519-key.pem ca-ed25519-priv.der ca-ed25519-priv.pem ca-ed25519.der ca-ed25519.pem client-ed25519-key.der client-ed25519-key.pem client-ed25519-priv.der client-ed25519-priv.pem client-ed25519.der client-ed25519.pem eddsa-ed25519.der eddsa-ed25519.pem gen-ed25519-certs.sh gen-ed25519-keys.sh gen-ed25519.sh include.am root-ed25519-key.der root-ed25519-key.pem root-ed25519-priv.der root-ed25519-priv.pem root-ed25519.der root-ed25519.pem server-ed25519-cert.pem server-ed25519-key.der server-ed25519-key.pem server-ed25519-priv.der server-ed25519-priv.pem server-ed25519.der server-ed25519.pemed448
ca-ed448-key.der ca-ed448-key.pem ca-ed448-priv.der ca-ed448-priv.pem ca-ed448.der ca-ed448.pem client-ed448-key.der client-ed448-key.pem client-ed448-priv.der client-ed448-priv.pem client-ed448.der client-ed448.pem gen-ed448-certs.sh gen-ed448-keys.sh include.am root-ed448-key.der root-ed448-key.pem root-ed448-priv.der root-ed448-priv.pem root-ed448.der root-ed448.pem server-ed448-cert.pem server-ed448-key.der server-ed448-key.pem server-ed448-priv.der server-ed448-priv.pem server-ed448.der server-ed448.pemexternal
DigiCertGlobalRootCA.pem README.txt ca-digicert-ev.pem ca-globalsign-root.pem ca-google-root.pem ca_collection.pem include.amintermediate
ca_false_intermediate
gentestcert.sh int_ca.key server.key test_ca.key test_ca.pem test_int_not_cacert.pem test_sign_bynoca_srv.pem wolfssl_base.conf wolfssl_srv.conflms
bc_hss_L2_H5_W8_root.der bc_hss_L3_H5_W4_root.der bc_lms_chain_ca.der bc_lms_chain_leaf.der bc_lms_native_bc_root.der bc_lms_sha256_h10_w8_root.der bc_lms_sha256_h5_w4_root.der include.ammldsa
README.txt include.am mldsa44-cert.der mldsa44-cert.pem mldsa44-key.pem mldsa44_bare-priv.der mldsa44_bare-seed.der mldsa44_oqskeypair.der mldsa44_priv-only.der mldsa44_pub-spki.der mldsa44_seed-only.der mldsa44_seed-priv.der mldsa65-cert.der mldsa65-cert.pem mldsa65-key.pem mldsa65_bare-priv.der mldsa65_bare-seed.der mldsa65_oqskeypair.der mldsa65_priv-only.der mldsa65_pub-spki.der mldsa65_seed-only.der mldsa65_seed-priv.der mldsa87-cert.der mldsa87-cert.pem mldsa87-key.pem mldsa87_bare-priv.der mldsa87_bare-seed.der mldsa87_oqskeypair.der mldsa87_priv-only.der mldsa87_pub-spki.der mldsa87_seed-only.der mldsa87_seed-priv.derocsp
imposter-root-ca-cert.der imposter-root-ca-cert.pem imposter-root-ca-key.der imposter-root-ca-key.pem include.am index-ca-and-intermediate-cas.txt index-ca-and-intermediate-cas.txt.attr index-intermediate1-ca-issued-certs.txt index-intermediate1-ca-issued-certs.txt.attr index-intermediate2-ca-issued-certs.txt index-intermediate2-ca-issued-certs.txt.attr index-intermediate3-ca-issued-certs.txt index-intermediate3-ca-issued-certs.txt.attr intermediate1-ca-cert.der intermediate1-ca-cert.pem intermediate1-ca-key.der intermediate1-ca-key.pem intermediate2-ca-cert.der intermediate2-ca-cert.pem intermediate2-ca-key.der intermediate2-ca-key.pem intermediate3-ca-cert.der intermediate3-ca-cert.pem intermediate3-ca-key.der intermediate3-ca-key.pem ocsp-responder-cert.der ocsp-responder-cert.pem ocsp-responder-key.der ocsp-responder-key.pem openssl.cnf renewcerts-for-test.sh renewcerts.sh root-ca-cert.der root-ca-cert.pem root-ca-crl.pem root-ca-key.der root-ca-key.pem server1-cert.der server1-cert.pem server1-chain-noroot.pem server1-key.der server1-key.pem server2-cert.der server2-cert.pem server2-key.der server2-key.pem server3-cert.der server3-cert.pem server3-key.der server3-key.pem server4-cert.der server4-cert.pem server4-key.der server4-key.pem server5-cert.der server5-cert.pem server5-key.der server5-key.pem test-leaf-response.der test-multi-response.der test-response-nointern.der test-response-rsapss.der test-response.derp521
ca-p521-key.der ca-p521-key.pem ca-p521-priv.der ca-p521-priv.pem ca-p521.der ca-p521.pem client-p521-key.der client-p521-key.pem client-p521-priv.der client-p521-priv.pem client-p521.der client-p521.pem gen-p521-certs.sh gen-p521-keys.sh include.am root-p521-key.der root-p521-key.pem root-p521-priv.der root-p521-priv.pem root-p521.der root-p521.pem server-p521-cert.pem server-p521-key.der server-p521-key.pem server-p521-priv.der server-p521-priv.pem server-p521.der server-p521.pemrpk
client-cert-rpk.der client-ecc-cert-rpk.der include.am server-cert-rpk.der server-ecc-cert-rpk.derrsapss
ca-3072-rsapss-key.der ca-3072-rsapss-key.pem ca-3072-rsapss-priv.der ca-3072-rsapss-priv.pem ca-3072-rsapss.der ca-3072-rsapss.pem ca-rsapss-key.der ca-rsapss-key.pem ca-rsapss-priv.der ca-rsapss-priv.pem ca-rsapss.der ca-rsapss.pem client-3072-rsapss-key.der client-3072-rsapss-key.pem client-3072-rsapss-priv.der client-3072-rsapss-priv.pem client-3072-rsapss.der client-3072-rsapss.pem client-rsapss-key.der client-rsapss-key.pem client-rsapss-priv.der client-rsapss-priv.pem client-rsapss.der client-rsapss.pem gen-rsapss-keys.sh include.am renew-rsapss-certs.sh root-3072-rsapss-key.der root-3072-rsapss-key.pem root-3072-rsapss-priv.der root-3072-rsapss-priv.pem root-3072-rsapss.der root-3072-rsapss.pem root-rsapss-key.der root-rsapss-key.pem root-rsapss-priv.der root-rsapss-priv.pem root-rsapss.der root-rsapss.pem server-3072-rsapss-cert.pem server-3072-rsapss-key.der server-3072-rsapss-key.pem server-3072-rsapss-priv.der server-3072-rsapss-priv.pem server-3072-rsapss.der server-3072-rsapss.pem server-mix-rsapss-cert.pem server-rsapss-cert.pem server-rsapss-key.der server-rsapss-key.pem server-rsapss-priv.der server-rsapss-priv.pem server-rsapss.der server-rsapss.pemslhdsa
bench_slhdsa_sha2_128f_key.der bench_slhdsa_sha2_128s_key.der bench_slhdsa_sha2_192f_key.der bench_slhdsa_sha2_192s_key.der bench_slhdsa_sha2_256f_key.der bench_slhdsa_sha2_256s_key.der bench_slhdsa_shake128f_key.der bench_slhdsa_shake128s_key.der bench_slhdsa_shake192f_key.der bench_slhdsa_shake192s_key.der bench_slhdsa_shake256f_key.der bench_slhdsa_shake256s_key.der client-mldsa44-priv.pem client-mldsa44-sha2.der client-mldsa44-sha2.pem client-mldsa44-shake.der client-mldsa44-shake.pem gen-slhdsa-mldsa-certs.sh include.am root-slhdsa-sha2-128s-priv.der root-slhdsa-sha2-128s-priv.pem root-slhdsa-sha2-128s.der root-slhdsa-sha2-128s.pem root-slhdsa-shake-128s-priv.der root-slhdsa-shake-128s-priv.pem root-slhdsa-shake-128s.der root-slhdsa-shake-128s.pem server-mldsa44-priv.pem server-mldsa44-sha2.der server-mldsa44-sha2.pem server-mldsa44-shake.der server-mldsa44-shake.pemsm2
ca-sm2-key.der ca-sm2-key.pem ca-sm2-priv.der ca-sm2-priv.pem ca-sm2.der ca-sm2.pem client-sm2-key.der client-sm2-key.pem client-sm2-priv.der client-sm2-priv.pem client-sm2.der client-sm2.pem fix_sm2_spki.py gen-sm2-certs.sh gen-sm2-keys.sh include.am root-sm2-key.der root-sm2-key.pem root-sm2-priv.der root-sm2-priv.pem root-sm2.der root-sm2.pem self-sm2-cert.pem self-sm2-key.pem self-sm2-priv.pem server-sm2-cert.der server-sm2-cert.pem server-sm2-key.der server-sm2-key.pem server-sm2-priv.der server-sm2-priv.pem server-sm2.der server-sm2.pemstatickeys
dh-ffdhe2048-params.pem dh-ffdhe2048-pub.der dh-ffdhe2048-pub.pem dh-ffdhe2048.der dh-ffdhe2048.pem ecc-secp256r1.der ecc-secp256r1.pem gen-static.sh include.am x25519-pub.der x25519-pub.pem x25519.der x25519.pemtest
catalog.txt cert-bad-neg-int.der cert-bad-oid.der cert-bad-utf8.der cert-ext-ia.cfg cert-ext-ia.der cert-ext-ia.pem cert-ext-joi.cfg cert-ext-joi.der cert-ext-joi.pem cert-ext-mnc.der cert-ext-multiple.cfg cert-ext-multiple.der cert-ext-multiple.pem cert-ext-nc-combined.der cert-ext-nc-combined.pem cert-ext-nc.cfg cert-ext-nc.der cert-ext-nc.pem cert-ext-ncdns.der cert-ext-ncdns.pem cert-ext-ncip.der cert-ext-ncip.pem cert-ext-ncmixed.der cert-ext-ncmulti.der cert-ext-ncmulti.pem cert-ext-ncrid.der cert-ext-ncrid.pem cert-ext-nct.cfg cert-ext-nct.der cert-ext-nct.pem cert-ext-ndir-exc.cfg cert-ext-ndir-exc.der cert-ext-ndir-exc.pem cert-ext-ndir.cfg cert-ext-ndir.der cert-ext-ndir.pem cert-ext-ns.der cert-over-max-altnames.cfg cert-over-max-altnames.der cert-over-max-altnames.pem cert-over-max-nc.cfg cert-over-max-nc.der cert-over-max-nc.pem client-ecc-cert-ski.hex cn-ip-literal.der cn-ip-wildcard.der crit-cert.pem crit-key.pem dh1024.der dh1024.pem dh512.der dh512.pem digsigku.pem encrypteddata.msg gen-badsig.sh gen-ext-certs.sh gen-testcerts.sh include.am kari-keyid-cms.msg ktri-keyid-cms.msg ossl-trusted-cert.pem server-badaltname.der server-badaltname.pem server-badaltnull.der server-badaltnull.pem server-badcn.der server-badcn.pem server-badcnnull.der server-badcnnull.pem server-cert-ecc-badsig.der server-cert-ecc-badsig.pem server-cert-rsa-badsig.der server-cert-rsa-badsig.pem server-duplicate-policy.pem server-garbage.der server-garbage.pem server-goodalt.der server-goodalt.pem server-goodaltwild.der server-goodaltwild.pem server-goodcn.der server-goodcn.pem server-goodcnwild.der server-goodcnwild.pem server-localhost.der server-localhost.pem smime-test-canon.p7s smime-test-multipart-badsig.p7s smime-test-multipart.p7s smime-test.p7stest-pathlen
assemble-chains.sh chainA-ICA1-key.pem chainA-ICA1-pathlen0.pem chainA-assembled.pem chainA-entity-key.pem chainA-entity.pem chainB-ICA1-key.pem chainB-ICA1-pathlen0.pem chainB-ICA2-key.pem chainB-ICA2-pathlen1.pem chainB-assembled.pem chainB-entity-key.pem chainB-entity.pem chainC-ICA1-key.pem chainC-ICA1-pathlen1.pem chainC-assembled.pem chainC-entity-key.pem chainC-entity.pem chainD-ICA1-key.pem chainD-ICA1-pathlen127.pem chainD-assembled.pem chainD-entity-key.pem chainD-entity.pem chainE-ICA1-key.pem chainE-ICA1-pathlen128.pem chainE-assembled.pem chainE-entity-key.pem chainE-entity.pem chainF-ICA1-key.pem chainF-ICA1-pathlen1.pem chainF-ICA2-key.pem chainF-ICA2-pathlen0.pem chainF-assembled.pem chainF-entity-key.pem chainF-entity.pem chainG-ICA1-key.pem chainG-ICA1-pathlen0.pem chainG-ICA2-key.pem chainG-ICA2-pathlen1.pem chainG-ICA3-key.pem chainG-ICA3-pathlen99.pem chainG-ICA4-key.pem chainG-ICA4-pathlen5.pem chainG-ICA5-key.pem chainG-ICA5-pathlen20.pem chainG-ICA6-key.pem chainG-ICA6-pathlen10.pem chainG-ICA7-key.pem chainG-ICA7-pathlen100.pem chainG-assembled.pem chainG-entity-key.pem chainG-entity.pem chainH-ICA1-key.pem chainH-ICA1-pathlen0.pem chainH-ICA2-key.pem chainH-ICA2-pathlen2.pem chainH-ICA3-key.pem chainH-ICA3-pathlen2.pem chainH-ICA4-key.pem chainH-ICA4-pathlen2.pem chainH-assembled.pem chainH-entity-key.pem chainH-entity.pem chainI-ICA1-key.pem chainI-ICA1-no_pathlen.pem chainI-ICA2-key.pem chainI-ICA2-no_pathlen.pem chainI-ICA3-key.pem chainI-ICA3-pathlen2.pem chainI-assembled.pem chainI-entity-key.pem chainI-entity.pem chainJ-ICA1-key.pem chainJ-ICA1-no_pathlen.pem chainJ-ICA2-key.pem chainJ-ICA2-no_pathlen.pem chainJ-ICA3-key.pem chainJ-ICA3-no_pathlen.pem chainJ-ICA4-key.pem chainJ-ICA4-pathlen2.pem chainJ-assembled.pem chainJ-entity-key.pem chainJ-entity.pem include.am refreshkeys.shtest-serial0
ee_normal.pem ee_serial0.pem generate_certs.sh include.am intermediate_serial0.pem root_serial0.pem root_serial0_key.pem selfsigned_nonca_serial0.pemxmss
bc_xmss_chain_ca.der bc_xmss_chain_leaf.der bc_xmss_sha2_10_256_root.der bc_xmss_sha2_16_256_root.der bc_xmssmt_sha2_20_2_256_root.der bc_xmssmt_sha2_20_4_256_root.der bc_xmssmt_sha2_40_8_256_root.der include.amcmake
Config.cmake.in README.md config.in functions.cmake include.am options.h.in wolfssl-config-version.cmake.in wolfssl-targets.cmake.indebian
changelog.in control.in copyright include.am libwolfssl-dev.install libwolfssl.install rules.indoc
dox_comments
header_files
aes.h arc4.h ascon.h asn.h asn_public.h blake2.h bn.h camellia.h chacha.h chacha20_poly1305.h cmac.h coding.h compress.h cryptocb.h curve25519.h curve448.h des3.h dh.h doxygen_groups.h doxygen_pages.h dsa.h ecc.h eccsi.h ed25519.h ed448.h error-crypt.h evp.h hash.h hmac.h iotsafe.h kdf.h logging.h md2.h md4.h md5.h memory.h ocsp.h pem.h pkcs11.h pkcs7.h poly1305.h psa.h puf.h pwdbased.h quic.h random.h ripemd.h rsa.h sakke.h sha.h sha256.h sha3.h sha512.h signature.h siphash.h srp.h ssl.h tfm.h types.h wc_encrypt.h wc_port.h wc_she.h wc_slhdsa.h wolfio.hheader_files-ja
aes.h arc4.h ascon.h asn.h asn_public.h blake2.h bn.h camellia.h chacha.h chacha20_poly1305.h cmac.h coding.h compress.h cryptocb.h curve25519.h curve448.h des3.h dh.h doxygen_groups.h doxygen_pages.h dsa.h ecc.h eccsi.h ed25519.h ed448.h error-crypt.h evp.h hash.h hmac.h iotsafe.h kdf.h logging.h md2.h md4.h md5.h memory.h ocsp.h pem.h pkcs11.h pkcs7.h poly1305.h psa.h pwdbased.h quic.h random.h ripemd.h rsa.h sakke.h sha.h sha256.h sha3.h sha512.h signature.h siphash.h srp.h ssl.h tfm.h types.h wc_encrypt.h wc_port.h wolfio.h
examples
async
Makefile README.md async_client.c async_server.c async_tls.c async_tls.h include.am user_settings.hconfigs
README.md include.am user_settings_EBSnet.h user_settings_all.h user_settings_arduino.h user_settings_baremetal.h user_settings_ca.h user_settings_curve25519nonblock.h user_settings_dtls13.h user_settings_eccnonblock.h user_settings_espressif.h user_settings_fipsv2.h user_settings_fipsv5.h user_settings_min_ecc.h user_settings_openssl_compat.h user_settings_pkcs7.h user_settings_platformio.h user_settings_pq.h user_settings_rsa_only.h user_settings_stm32.h user_settings_template.h user_settings_tls12.h user_settings_tls13.h user_settings_wolfboot_keytools.h user_settings_wolfssh.h user_settings_wolftpm.hechoclient
echoclient.c echoclient.h echoclient.sln echoclient.vcproj echoclient.vcxproj include.am quitlinuxkm
Kbuild Makefile README.md get_thread_size.c include.am linuxkm-fips-hash-wrapper.sh linuxkm-fips-hash.c linuxkm_memory.c linuxkm_memory.h linuxkm_wc_port.h lkcapi_aes_glue.c lkcapi_dh_glue.c lkcapi_ecdh_glue.c lkcapi_ecdsa_glue.c lkcapi_glue.c lkcapi_rsa_glue.c lkcapi_sha_glue.c module_exports.c.template module_hooks.c pie_redirect_table.c wolfcrypt.lds x86_vector_register_glue.cm4
ax_add_am_macro.m4 ax_am_jobserver.m4 ax_am_macros.m4 ax_append_compile_flags.m4 ax_append_flag.m4 ax_append_link_flags.m4 ax_append_to_file.m4 ax_atomic.m4 ax_bsdkm.m4 ax_check_compile_flag.m4 ax_check_link_flag.m4 ax_compiler_version.m4 ax_count_cpus.m4 ax_create_generic_config.m4 ax_debug.m4 ax_file_escapes.m4 ax_harden_compiler_flags.m4 ax_linuxkm.m4 ax_print_to_file.m4 ax_pthread.m4 ax_require_defined.m4 ax_tls.m4 ax_vcs_checkout.m4 hexversion.m4 lib_socket_nsl.m4 visibility.m4mqx
wolfcrypt_benchmark
ReferencedRSESystems.xml wolfcrypt_benchmark_twrk70f120m_Int_Flash_DDRData_Debug_PnE_U-MultiLink.launch wolfcrypt_benchmark_twrk70f120m_Int_Flash_DDRData_Release_PnE_U-MultiLink.launch wolfcrypt_benchmark_twrk70f120m_Int_Flash_SramData_Debug_JTrace.jlink wolfcrypt_benchmark_twrk70f120m_Int_Flash_SramData_Debug_JTrace.launch wolfcrypt_benchmark_twrk70f120m_Int_Flash_SramData_Debug_PnE_U-MultiLink.launch wolfcrypt_benchmark_twrk70f120m_Int_Flash_SramData_Release_PnE_U-MultiLink.launchwolfcrypt_test
ReferencedRSESystems.xml wolfcrypt_test_twrk70f120m_Int_Flash_DDRData_Debug_PnE_U-MultiLink.launch wolfcrypt_test_twrk70f120m_Int_Flash_DDRData_Release_PnE_U-MultiLink.launch wolfcrypt_test_twrk70f120m_Int_Flash_SramData_Debug_JTrace.jlink wolfcrypt_test_twrk70f120m_Int_Flash_SramData_Debug_JTrace.launch wolfcrypt_test_twrk70f120m_Int_Flash_SramData_Debug_PnE_U-MultiLink.launch wolfcrypt_test_twrk70f120m_Int_Flash_SramData_Release_PnE_U-MultiLink.launchwolfssl_client
ReferencedRSESystems.xml wolfssl_client_twrk70f120m_Int_Flash_DDRData_Debug_PnE_U-MultiLink.launch wolfssl_client_twrk70f120m_Int_Flash_DDRData_Release_PnE_U-MultiLink.launch wolfssl_client_twrk70f120m_Int_Flash_SramData_Debug_JTrace.jlink wolfssl_client_twrk70f120m_Int_Flash_SramData_Debug_JTrace.launch wolfssl_client_twrk70f120m_Int_Flash_SramData_Debug_PnE_U-MultiLink.launch wolfssl_client_twrk70f120m_Int_Flash_SramData_Release_PnE_U-MultiLink.launchscripts
aria-cmake-build-test.sh asn1_oid_sum.pl benchmark.test benchmark_compare.sh cleanup_testfiles.sh crl-gen-openssl.test crl-revoked.test dertoc.pl dtls.test dtlscid.test external.test google.test include.am makedistsmall.sh memtest.sh ocsp-responder-openssl-interop.test ocsp-stapling-with-ca-as-responder.test ocsp-stapling-with-wolfssl-responder.test ocsp-stapling.test ocsp-stapling2.test ocsp-stapling_tls13multi.test ocsp.test openssl.test openssl_srtp.test pem.test ping.test pkcallbacks.test psk.test resume.test rsapss.test sniffer-gen.sh sniffer-ipv6.pcap sniffer-static-rsa.pcap sniffer-testsuite.test sniffer-tls12-keylog.out sniffer-tls12-keylog.pcap sniffer-tls12-keylog.sslkeylog sniffer-tls13-dh-resume.pcap sniffer-tls13-dh.pcap sniffer-tls13-ecc-resume.pcap sniffer-tls13-ecc.pcap sniffer-tls13-hrr.pcap sniffer-tls13-keylog.out sniffer-tls13-keylog.pcap sniffer-tls13-keylog.sslkeylog sniffer-tls13-x25519-resume.pcap sniffer-tls13-x25519.pcap stm32l4-v4_0_1_build.sh tls13.test trusted_peer.test unit.test.in user_settings_asm.shsrc
bio.c conf.c crl.c dtls.c dtls13.c include.am internal.c keys.c ocsp.c pk.c pk_ec.c pk_rsa.c quic.c sniffer.c ssl.c ssl_api_cert.c ssl_api_crl_ocsp.c ssl_api_pk.c ssl_asn1.c ssl_bn.c ssl_certman.c ssl_crypto.c ssl_ech.c ssl_load.c ssl_misc.c ssl_p7p12.c ssl_sess.c ssl_sk.c tls.c tls13.c wolfio.c x509.c x509_str.ctests
api
api.h api_decl.h create_ocsp_test_blobs.py include.am test_aes.c test_aes.h test_arc4.c test_arc4.h test_ascon.c test_ascon.h test_ascon_kats.h test_asn.c test_asn.h test_blake2.c test_blake2.h test_camellia.c test_camellia.h test_certman.c test_certman.h test_chacha.c test_chacha.h test_chacha20_poly1305.c test_chacha20_poly1305.h test_cmac.c test_cmac.h test_curve25519.c test_curve25519.h test_curve448.c test_curve448.h test_des3.c test_des3.h test_dh.c test_dh.h test_digest.h test_dsa.c test_dsa.h test_dtls.c test_dtls.h test_ecc.c test_ecc.h test_ed25519.c test_ed25519.h test_ed448.c test_ed448.h test_evp.c test_evp.h test_evp_cipher.c test_evp_cipher.h test_evp_digest.c test_evp_digest.h test_evp_pkey.c test_evp_pkey.h test_hash.c test_hash.h test_hmac.c test_hmac.h test_md2.c test_md2.h test_md4.c test_md4.h test_md5.c test_md5.h test_mldsa.c test_mldsa.h test_mlkem.c test_mlkem.h test_ocsp.c test_ocsp.h test_ocsp_test_blobs.h test_ossl_asn1.c test_ossl_asn1.h test_ossl_bio.c test_ossl_bio.h test_ossl_bn.c test_ossl_bn.h test_ossl_cipher.c test_ossl_cipher.h test_ossl_dgst.c test_ossl_dgst.h test_ossl_dh.c test_ossl_dh.h test_ossl_dsa.c test_ossl_dsa.h test_ossl_ec.c test_ossl_ec.h test_ossl_ecx.c test_ossl_ecx.h test_ossl_mac.c test_ossl_mac.h test_ossl_obj.c test_ossl_obj.h test_ossl_p7p12.c test_ossl_p7p12.h test_ossl_pem.c test_ossl_pem.h test_ossl_rand.c test_ossl_rand.h test_ossl_rsa.c test_ossl_rsa.h test_ossl_sk.c test_ossl_sk.h test_ossl_x509.c test_ossl_x509.h test_ossl_x509_acert.c test_ossl_x509_acert.h test_ossl_x509_crypto.c test_ossl_x509_crypto.h test_ossl_x509_ext.c test_ossl_x509_ext.h test_ossl_x509_info.c test_ossl_x509_info.h test_ossl_x509_io.c test_ossl_x509_io.h test_ossl_x509_lu.c test_ossl_x509_lu.h test_ossl_x509_name.c test_ossl_x509_name.h test_ossl_x509_pk.c test_ossl_x509_pk.h test_ossl_x509_str.c test_ossl_x509_str.h test_ossl_x509_vp.c test_ossl_x509_vp.h test_pkcs12.c test_pkcs12.h test_pkcs7.c test_pkcs7.h test_poly1305.c test_poly1305.h test_random.c test_random.h test_rc2.c test_rc2.h test_ripemd.c test_ripemd.h test_rsa.c test_rsa.h test_sha.c test_sha.h test_sha256.c test_sha256.h test_sha3.c test_sha3.h test_sha512.c test_sha512.h test_she.c test_she.h test_signature.c test_signature.h test_slhdsa.c test_slhdsa.h test_sm2.c test_sm2.h test_sm3.c test_sm3.h test_sm4.c test_sm4.h test_tls.c test_tls.h test_tls13.c test_tls13.h test_tls_ext.c test_tls_ext.h test_wc_encrypt.c test_wc_encrypt.h test_wolfmath.c test_wolfmath.h test_x509.c test_x509.hwolfcrypt
benchmark
README.md benchmark-VS2022.sln benchmark-VS2022.vcxproj benchmark-VS2022.vcxproj.user benchmark.c benchmark.h benchmark.sln benchmark.vcproj benchmark.vcxproj include.amsrc
port
Espressif
esp_crt_bundle
README.md cacrt_all.pem cacrt_deprecated.pem cacrt_local.pem esp_crt_bundle.c gen_crt_bundle.py pio_install_cryptography.pyRenesas
README.md renesas_common.c renesas_fspsm_aes.c renesas_fspsm_rsa.c renesas_fspsm_sha.c renesas_fspsm_util.c renesas_rx64_hw_sha.c renesas_rx64_hw_util.c renesas_tsip_aes.c renesas_tsip_rsa.c renesas_tsip_sha.c renesas_tsip_util.carm
armv8-32-aes-asm.S armv8-32-aes-asm_c.c armv8-32-chacha-asm.S armv8-32-chacha-asm_c.c armv8-32-curve25519.S armv8-32-curve25519_c.c armv8-32-mlkem-asm.S armv8-32-mlkem-asm_c.c armv8-32-poly1305-asm.S armv8-32-poly1305-asm_c.c armv8-32-sha256-asm.S armv8-32-sha256-asm_c.c armv8-32-sha3-asm.S armv8-32-sha3-asm_c.c armv8-32-sha512-asm.S armv8-32-sha512-asm_c.c armv8-aes-asm.S armv8-aes-asm_c.c armv8-aes.c armv8-chacha-asm.S armv8-chacha-asm_c.c armv8-curve25519.S armv8-curve25519_c.c armv8-mlkem-asm.S armv8-mlkem-asm_c.c armv8-poly1305-asm.S armv8-poly1305-asm_c.c armv8-sha256-asm.S armv8-sha256-asm_c.c armv8-sha256.c armv8-sha3-asm.S armv8-sha3-asm_c.c armv8-sha512-asm.S armv8-sha512-asm_c.c armv8-sha512.c cryptoCell.c cryptoCellHash.c thumb2-aes-asm.S thumb2-aes-asm_c.c thumb2-chacha-asm.S thumb2-chacha-asm_c.c thumb2-curve25519.S thumb2-curve25519_c.c thumb2-mlkem-asm.S thumb2-mlkem-asm_c.c thumb2-poly1305-asm.S thumb2-poly1305-asm_c.c thumb2-sha256-asm.S thumb2-sha256-asm_c.c thumb2-sha3-asm.S thumb2-sha3-asm_c.c thumb2-sha512-asm.S thumb2-sha512-asm_c.ccaam
README.md caam_aes.c caam_doc.pdf caam_driver.c caam_error.c caam_integrity.c caam_qnx.c caam_sha.c wolfcaam_aes.c wolfcaam_cmac.c wolfcaam_ecdsa.c wolfcaam_fsl_nxp.c wolfcaam_hash.c wolfcaam_hmac.c wolfcaam_init.c wolfcaam_qnx.c wolfcaam_rsa.c wolfcaam_seco.c wolfcaam_x25519.cdevcrypto
README.md devcrypto_aes.c devcrypto_ecdsa.c devcrypto_hash.c devcrypto_hmac.c devcrypto_rsa.c devcrypto_x25519.c wc_devcrypto.criscv
riscv-64-aes.c riscv-64-chacha.c riscv-64-poly1305.c riscv-64-sha256.c riscv-64-sha3.c riscv-64-sha512.cwolfssl
openssl
aes.h asn1.h asn1t.h bio.h bn.h buffer.h camellia.h cmac.h cms.h compat_types.h conf.h crypto.h des.h dh.h dsa.h ec.h ec25519.h ec448.h ecdh.h ecdsa.h ed25519.h ed448.h engine.h err.h evp.h fips_rand.h hmac.h include.am kdf.h lhash.h md4.h md5.h modes.h obj_mac.h objects.h ocsp.h opensslconf.h opensslv.h ossl_typ.h pem.h pkcs12.h pkcs7.h rand.h rc4.h ripemd.h rsa.h safestack.h sha.h sha3.h srp.h ssl.h ssl23.h stack.h tls1.h txt_db.h ui.h x509.h x509_vfy.h x509v3.hwolfcrypt
port
Renesas
renesas-fspsm-crypt.h renesas-fspsm-types.h renesas-rx64-hw-crypt.h renesas-tsip-crypt.h renesas_cmn.h renesas_fspsm_internal.h renesas_sync.h renesas_tsip_internal.h renesas_tsip_types.hcaam
caam_driver.h caam_error.h caam_qnx.h wolfcaam.h wolfcaam_aes.h wolfcaam_cmac.h wolfcaam_ecdsa.h wolfcaam_fsl_nxp.h wolfcaam_hash.h wolfcaam_qnx.h wolfcaam_rsa.h wolfcaam_seco.h wolfcaam_sha.h wolfcaam_x25519.hwrapper
Ada
examples
src
aes_verify_main.adb rsa_verify_main.adb sha256_main.adb spark_sockets.adb spark_sockets.ads spark_terminal.adb spark_terminal.ads tls_client.adb tls_client.ads tls_client_main.adb tls_server.adb tls_server.ads tls_server_main.adbtests
src
aes_bindings_tests.adb aes_bindings_tests.ads rsa_verify_bindings_tests.adb rsa_verify_bindings_tests.ads sha256_bindings_tests.adb sha256_bindings_tests.ads tests.adbCSharp
wolfSSL-Example-IOCallbacks
App.config wolfSSL-Example-IOCallbacks.cs wolfSSL-Example-IOCallbacks.csprojwolfSSL-TLS-ServerThreaded
App.config wolfSSL-TLS-ServerThreaded.cs wolfSSL-TLS-ServerThreaded.csprojrust
wolfssl-wolfcrypt
src
aes.rs blake2.rs chacha20_poly1305.rs cmac.rs cmac_mac.rs curve25519.rs dh.rs dilithium.rs ecc.rs ecdsa.rs ed25519.rs ed448.rs fips.rs hkdf.rs hmac.rs hmac_mac.rs kdf.rs lib.rs lms.rs mlkem.rs mlkem_kem.rs pbkdf2_password_hash.rs prf.rs random.rs rsa.rs rsa_pkcs1v15.rs sha.rs sha_digest.rs sys.rstests
test_aes.rs test_blake2.rs test_chacha20_poly1305.rs test_cmac.rs test_cmac_mac.rs test_curve25519.rs test_dh.rs test_dilithium.rs test_ecc.rs test_ecdsa.rs test_ed25519.rs test_ed448.rs test_hkdf.rs test_hmac.rs test_hmac_mac.rs test_kdf.rs test_lms.rs test_mlkem.rs test_mlkem_kem.rs test_pbkdf2_password_hash.rs test_prf.rs test_random.rs test_rsa.rs test_rsa_pkcs1v15.rs test_sha.rs test_sha_digest.rs test_wolfcrypt.rszephyr
samples
wolfssl_benchmark
CMakeLists.txt README install_test.sh prj.conf sample.yaml zephyr_legacy.conf zephyr_v4.1.confwolfssl_test
CMakeLists.txt README install_test.sh prj-no-malloc.conf prj.conf sample.yaml zephyr_legacy.conf zephyr_v4.1.conf
wolfssl/tests/api/test_certman.c
raw
1/* test_certman.c
2 *
3 * Copyright (C) 2006-2026 wolfSSL Inc.
4 *
5 * This file is part of wolfSSL.
6 *
7 * wolfSSL is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 3 of the License, or
10 * (at your option) any later version.
11 *
12 * wolfSSL is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
16 *
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
20 */
21
22#include <tests/unit.h>
23
24#ifdef NO_INLINE
25 #include <wolfssl/wolfcrypt/misc.h>
26#else
27 #define WOLFSSL_MISC_INCLUDED
28 #include <wolfcrypt/src/misc.c>
29#endif
30
31#include <wolfssl/ssl.h>
32#include <wolfssl/ocsp.h>
33#include <tests/api/api.h>
34#include <tests/api/test_certman.h>
35#include <tests/utils.h>
36
37int test_wolfSSL_CertManagerAPI(void)
38{
39 EXPECT_DECLS;
40#ifndef NO_CERTS
41 WOLFSSL_CERT_MANAGER* cm = NULL;
42 unsigned char c = 0;
43
44 ExpectNotNull(cm = wolfSSL_CertManagerNew_ex(NULL));
45
46 wolfSSL_CertManagerFree(NULL);
47 ExpectIntEQ(wolfSSL_CertManager_up_ref(NULL), 0);
48 ExpectIntEQ(wolfSSL_CertManagerUnloadCAs(NULL),
49 WC_NO_ERR_TRACE(BAD_FUNC_ARG));
50#ifdef WOLFSSL_TRUST_PEER_CERT
51 ExpectIntEQ(wolfSSL_CertManagerUnload_trust_peers(NULL),
52 WC_NO_ERR_TRACE(BAD_FUNC_ARG));
53#endif
54
55 ExpectIntEQ(wolfSSL_CertManagerLoadCABuffer_ex(NULL, &c, 1,
56 WOLFSSL_FILETYPE_ASN1, 0, 0), WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR));
57
58#if !defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH)
59 ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(NULL, NULL, -1,
60 WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
61 ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, NULL, -1,
62 WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
63 ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(NULL, &c, -1,
64 WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
65 ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(NULL, NULL, 1,
66 WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
67 ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(NULL, &c, 1,
68 WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
69 ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, NULL, 1,
70 WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
71 ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, &c, -1,
72 WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
73 ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, &c, 1, -1),
74 WC_NO_ERR_TRACE(WOLFSSL_BAD_FILETYPE));
75#endif
76
77#if !defined(NO_FILESYSTEM)
78 {
79 #ifdef WOLFSSL_PEM_TO_DER
80 const char* ca_cert = "./certs/ca-cert.pem";
81 #if !defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH)
82 const char* ca_cert_der = "./certs/ca-cert.der";
83 #endif
84 #else
85 const char* ca_cert = "./certs/ca-cert.der";
86 #endif
87 const char* ca_path = "./certs";
88
89 #if !defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH)
90 ExpectIntEQ(wolfSSL_CertManagerVerify(NULL, NULL, -1),
91 WC_NO_ERR_TRACE(BAD_FUNC_ARG));
92 ExpectIntEQ(wolfSSL_CertManagerVerify(cm, NULL, WOLFSSL_FILETYPE_ASN1),
93 WC_NO_ERR_TRACE(BAD_FUNC_ARG));
94 ExpectIntEQ(wolfSSL_CertManagerVerify(NULL, ca_cert,
95 WOLFSSL_FILETYPE_PEM), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
96 ExpectIntEQ(wolfSSL_CertManagerVerify(cm, ca_cert, -1),
97 WC_NO_ERR_TRACE(WOLFSSL_BAD_FILETYPE));
98#ifdef WOLFSSL_PEM_TO_DER
99 ExpectIntEQ(wolfSSL_CertManagerVerify(cm, ca_cert_der,
100 WOLFSSL_FILETYPE_PEM), WC_NO_ERR_TRACE(ASN_NO_PEM_HEADER));
101#endif
102 ExpectIntEQ(wolfSSL_CertManagerVerify(cm, "no-file",
103 WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(WOLFSSL_BAD_FILE));
104 #endif
105
106 ExpectIntEQ(wolfSSL_CertManagerLoadCA(NULL, NULL, NULL),
107 WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR));
108 ExpectIntEQ(wolfSSL_CertManagerLoadCA(NULL, ca_cert, NULL),
109 WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR));
110 ExpectIntEQ(wolfSSL_CertManagerLoadCA(NULL, NULL, ca_path),
111 WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR));
112 ExpectIntEQ(wolfSSL_CertManagerLoadCA(NULL, ca_cert, ca_path),
113 WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR));
114 }
115#endif
116
117#ifdef OPENSSL_COMPATIBLE_DEFAULTS
118 ExpectIntEQ(wolfSSL_CertManagerEnableCRL(cm, 0), 1);
119#elif !defined(HAVE_CRL)
120 ExpectIntEQ(wolfSSL_CertManagerEnableCRL(cm, 0),
121 WC_NO_ERR_TRACE(NOT_COMPILED_IN));
122#endif
123
124 ExpectIntEQ(wolfSSL_CertManagerDisableCRL(NULL),
125 WC_NO_ERR_TRACE(BAD_FUNC_ARG));
126 ExpectIntEQ(wolfSSL_CertManagerDisableCRL(cm), 1);
127#ifdef HAVE_CRL
128 /* Test APIs when CRL is disabled. */
129#ifdef HAVE_CRL_IO
130 ExpectIntEQ(wolfSSL_CertManagerSetCRL_IOCb(cm, NULL), 1);
131#endif
132 ExpectIntEQ(wolfSSL_CertManagerCheckCRL(cm, server_cert_der_2048,
133 sizeof_server_cert_der_2048), 1);
134 ExpectIntEQ(wolfSSL_CertManagerFreeCRL(cm), 1);
135#endif
136
137 /* OCSP */
138 ExpectIntEQ(wolfSSL_CertManagerEnableOCSP(NULL, 0),
139 WC_NO_ERR_TRACE(BAD_FUNC_ARG));
140 ExpectIntEQ(wolfSSL_CertManagerDisableOCSP(NULL),
141 WC_NO_ERR_TRACE(BAD_FUNC_ARG));
142 ExpectIntEQ(wolfSSL_CertManagerEnableOCSPStapling(NULL),
143 WC_NO_ERR_TRACE(BAD_FUNC_ARG));
144 ExpectIntEQ(wolfSSL_CertManagerDisableOCSPStapling(NULL),
145 WC_NO_ERR_TRACE(BAD_FUNC_ARG));
146 ExpectIntEQ(wolfSSL_CertManagerEnableOCSPMustStaple(NULL),
147 WC_NO_ERR_TRACE(BAD_FUNC_ARG));
148 ExpectIntEQ(wolfSSL_CertManagerDisableOCSPMustStaple(NULL),
149 WC_NO_ERR_TRACE(BAD_FUNC_ARG));
150#if !defined(HAVE_CERTIFICATE_STATUS_REQUEST) && \
151 !defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
152 ExpectIntEQ(wolfSSL_CertManagerDisableOCSPStapling(cm),
153 WC_NO_ERR_TRACE(NOT_COMPILED_IN));
154 ExpectIntEQ(wolfSSL_CertManagerEnableOCSPMustStaple(cm),
155 WC_NO_ERR_TRACE(NOT_COMPILED_IN));
156 ExpectIntEQ(wolfSSL_CertManagerDisableOCSPMustStaple(cm),
157 WC_NO_ERR_TRACE(NOT_COMPILED_IN));
158#endif
159
160#ifdef HAVE_OCSP
161 ExpectIntEQ(wolfSSL_CertManagerCheckOCSP(NULL, NULL, -1),
162 WC_NO_ERR_TRACE(BAD_FUNC_ARG));
163 ExpectIntEQ(wolfSSL_CertManagerCheckOCSP(cm, NULL, -1),
164 WC_NO_ERR_TRACE(BAD_FUNC_ARG));
165 ExpectIntEQ(wolfSSL_CertManagerCheckOCSP(NULL, &c, -1),
166 WC_NO_ERR_TRACE(BAD_FUNC_ARG));
167 ExpectIntEQ(wolfSSL_CertManagerCheckOCSP(NULL, NULL, 1),
168 WC_NO_ERR_TRACE(BAD_FUNC_ARG));
169 ExpectIntEQ(wolfSSL_CertManagerCheckOCSP(NULL, &c, 1),
170 WC_NO_ERR_TRACE(BAD_FUNC_ARG));
171 ExpectIntEQ(wolfSSL_CertManagerCheckOCSP(cm, NULL, 1),
172 WC_NO_ERR_TRACE(BAD_FUNC_ARG));
173 ExpectIntEQ(wolfSSL_CertManagerCheckOCSP(cm, &c, -1),
174 WC_NO_ERR_TRACE(BAD_FUNC_ARG));
175
176 ExpectIntEQ(wolfSSL_CertManagerCheckOCSPResponse(NULL, NULL, 0,
177 NULL, NULL, NULL, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
178 ExpectIntEQ(wolfSSL_CertManagerCheckOCSPResponse(cm, NULL, 1,
179 NULL, NULL, NULL, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
180 ExpectIntEQ(wolfSSL_CertManagerCheckOCSPResponse(NULL, &c, 1,
181 NULL, NULL, NULL, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
182
183 ExpectIntEQ(wolfSSL_CertManagerSetOCSPOverrideURL(NULL, NULL),
184 WC_NO_ERR_TRACE(BAD_FUNC_ARG));
185 ExpectIntEQ(wolfSSL_CertManagerSetOCSPOverrideURL(NULL, ""),
186 WC_NO_ERR_TRACE(BAD_FUNC_ARG));
187 ExpectIntEQ(wolfSSL_CertManagerSetOCSPOverrideURL(cm, NULL), 1);
188
189 ExpectIntEQ(wolfSSL_CertManagerSetOCSP_Cb(NULL, NULL, NULL, NULL),
190 WC_NO_ERR_TRACE(BAD_FUNC_ARG));
191 ExpectIntEQ(wolfSSL_CertManagerSetOCSP_Cb(cm, NULL, NULL, NULL), 1);
192
193 ExpectIntEQ(wolfSSL_CertManagerDisableOCSP(cm), 1);
194 /* Test APIs when OCSP is disabled. */
195 ExpectIntEQ(wolfSSL_CertManagerCheckOCSPResponse(cm, &c, 1,
196 NULL, NULL, NULL, NULL), 1);
197 ExpectIntEQ(wolfSSL_CertManagerCheckOCSP(cm, &c, 1), 1);
198
199#endif
200
201 ExpectIntEQ(wolfSSL_CertManager_up_ref(cm), 1);
202 if (EXPECT_SUCCESS()) {
203 wolfSSL_CertManagerFree(cm);
204 }
205 wolfSSL_CertManagerFree(cm);
206 cm = NULL;
207
208 ExpectNotNull(cm = wolfSSL_CertManagerNew_ex(NULL));
209
210#ifdef HAVE_OCSP
211 ExpectIntEQ(wolfSSL_CertManagerEnableOCSP(cm, WOLFSSL_OCSP_URL_OVERRIDE |
212 WOLFSSL_OCSP_CHECKALL), 1);
213#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) || \
214 defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
215 ExpectIntEQ(wolfSSL_CertManagerEnableOCSPStapling(cm), 1);
216 ExpectIntEQ(wolfSSL_CertManagerEnableOCSPStapling(cm), 1);
217 ExpectIntEQ(wolfSSL_CertManagerDisableOCSPStapling(cm), 1);
218 ExpectIntEQ(wolfSSL_CertManagerEnableOCSPStapling(cm), 1);
219 ExpectIntEQ(wolfSSL_CertManagerEnableOCSPMustStaple(cm), 1);
220 ExpectIntEQ(wolfSSL_CertManagerDisableOCSPMustStaple(cm), 1);
221#endif
222
223 ExpectIntEQ(wolfSSL_CertManagerSetOCSPOverrideURL(cm, ""), 1);
224 ExpectIntEQ(wolfSSL_CertManagerSetOCSPOverrideURL(cm, ""), 1);
225#endif
226
227#ifdef WOLFSSL_TRUST_PEER_CERT
228 ExpectIntEQ(wolfSSL_CertManagerUnload_trust_peers(cm), 1);
229#endif
230 wolfSSL_CertManagerFree(cm);
231#endif
232 return EXPECT_RESULT();
233}
234
235#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && !defined(NO_TLS)
236static int test_cm_load_ca_buffer(const byte* cert_buf, size_t cert_sz,
237 int file_type)
238{
239 int ret;
240 WOLFSSL_CERT_MANAGER* cm;
241
242 cm = wolfSSL_CertManagerNew();
243 if (cm == NULL) {
244 fprintf(stderr, "test_cm_load_ca failed\n");
245 return -1;
246 }
247
248 ret = wolfSSL_CertManagerLoadCABuffer(cm, cert_buf, (sword32)cert_sz,
249 file_type);
250
251 wolfSSL_CertManagerFree(cm);
252
253 return ret;
254}
255
256static int test_cm_load_ca_file(const char* ca_cert_file)
257{
258 int ret = 0;
259 byte* cert_buf = NULL;
260 size_t cert_sz = 0;
261#if defined(WOLFSSL_PEM_TO_DER)
262 DerBuffer* pDer = NULL;
263#endif
264
265 ret = load_file(ca_cert_file, &cert_buf, &cert_sz);
266 if (ret == 0) {
267 /* normal test */
268 ret = test_cm_load_ca_buffer(cert_buf, cert_sz, CERT_FILETYPE);
269
270 if (ret == WOLFSSL_SUCCESS) {
271 /* test including null terminator in length */
272 byte* tmp = (byte*)XREALLOC(cert_buf, cert_sz+1, NULL, DYNAMIC_TYPE_TMP_BUFFER);
273 if (tmp == NULL) {
274 ret = MEMORY_E;
275 }
276 else {
277 cert_buf = tmp;
278 cert_buf[cert_sz] = '\0';
279 ret = test_cm_load_ca_buffer(cert_buf, cert_sz+1,
280 CERT_FILETYPE);
281 }
282
283 }
284
285 #if defined(WOLFSSL_PEM_TO_DER)
286 if (ret == WOLFSSL_SUCCESS) {
287 /* test loading DER */
288 ret = wc_PemToDer(cert_buf, (sword32)cert_sz, CA_TYPE, &pDer,
289 NULL, NULL, NULL);
290 if (ret == 0 && pDer != NULL) {
291 ret = test_cm_load_ca_buffer(pDer->buffer, pDer->length,
292 WOLFSSL_FILETYPE_ASN1);
293
294 wc_FreeDer(&pDer);
295 }
296 }
297 #endif
298
299 }
300 XFREE(cert_buf, NULL, DYNAMIC_TYPE_TMP_BUFFER);
301
302 return ret;
303}
304
305static int test_cm_load_ca_buffer_ex(const byte* cert_buf, size_t cert_sz,
306 int file_type, word32 flags)
307{
308 int ret;
309 WOLFSSL_CERT_MANAGER* cm;
310
311 cm = wolfSSL_CertManagerNew();
312 if (cm == NULL) {
313 fprintf(stderr, "test_cm_load_ca failed\n");
314 return -1;
315 }
316
317 ret = wolfSSL_CertManagerLoadCABuffer_ex(cm, cert_buf, (sword32)cert_sz,
318 file_type, 0, flags);
319
320 wolfSSL_CertManagerFree(cm);
321
322 return ret;
323}
324
325static int test_cm_load_ca_file_ex(const char* ca_cert_file, word32 flags)
326{
327 int ret = 0;
328 byte* cert_buf = NULL;
329 size_t cert_sz = 0;
330#if defined(WOLFSSL_PEM_TO_DER)
331 DerBuffer* pDer = NULL;
332#endif
333
334 ret = load_file(ca_cert_file, &cert_buf, &cert_sz);
335 if (ret == 0) {
336 /* normal test */
337 ret = test_cm_load_ca_buffer_ex(cert_buf, cert_sz,
338 CERT_FILETYPE, flags);
339
340 if (ret == WOLFSSL_SUCCESS) {
341 /* test including null terminator in length */
342 byte* tmp = (byte*)XREALLOC(cert_buf, cert_sz+1, NULL, DYNAMIC_TYPE_TMP_BUFFER);
343 if (tmp == NULL) {
344 ret = MEMORY_E;
345 }
346 else {
347 cert_buf = tmp;
348 cert_buf[cert_sz] = '\0';
349 ret = test_cm_load_ca_buffer_ex(cert_buf, cert_sz+1,
350 CERT_FILETYPE, flags);
351 }
352
353 }
354
355 #if defined(WOLFSSL_PEM_TO_DER)
356 if (ret == WOLFSSL_SUCCESS) {
357 /* test loading DER */
358 ret = wc_PemToDer(cert_buf, (sword32)cert_sz, CA_TYPE, &pDer,
359 NULL, NULL, NULL);
360 if (ret == 0 && pDer != NULL) {
361 ret = test_cm_load_ca_buffer_ex(pDer->buffer, pDer->length,
362 WOLFSSL_FILETYPE_ASN1, flags);
363
364 wc_FreeDer(&pDer);
365 }
366 }
367 #endif
368
369 }
370 XFREE(cert_buf, NULL, DYNAMIC_TYPE_TMP_BUFFER);
371
372 return ret;
373}
374
375#endif /* !NO_FILESYSTEM && !NO_CERTS */
376
377int test_wolfSSL_CertManagerLoadCABuffer(void)
378{
379 EXPECT_DECLS;
380#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && !defined(NO_TLS)
381#if defined(WOLFSSL_PEM_TO_DER)
382 const char* ca_cert = "./certs/ca-cert.pem";
383 const char* ca_expired_cert = "./certs/test/expired/expired-ca.pem";
384#else
385 const char* ca_cert = "./certs/ca-cert.der";
386 const char* ca_expired_cert = "./certs/test/expired/expired-ca.der";
387#endif
388 int ret;
389
390 ExpectIntLE(ret = test_cm_load_ca_file(ca_cert), 1);
391#if defined(NO_WOLFSSL_CLIENT) && defined(NO_WOLFSSL_SERVER)
392 ExpectIntEQ(ret, WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR));
393#elif defined(NO_RSA)
394 ExpectIntEQ(ret, WC_NO_ERR_TRACE(ASN_UNKNOWN_OID_E));
395#else
396 ExpectIntEQ(ret, WOLFSSL_SUCCESS);
397#endif
398
399 ExpectIntLE(ret = test_cm_load_ca_file(ca_expired_cert), 1);
400#if defined(NO_WOLFSSL_CLIENT) && defined(NO_WOLFSSL_SERVER)
401 ExpectIntEQ(ret, WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR));
402#elif defined(NO_RSA)
403 ExpectIntEQ(ret, WC_NO_ERR_TRACE(ASN_UNKNOWN_OID_E));
404#elif !(WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS && \
405 WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY) && !defined(NO_ASN_TIME)
406 ExpectIntEQ(ret, WC_NO_ERR_TRACE(ASN_AFTER_DATE_E));
407#else
408 ExpectIntEQ(ret, WOLFSSL_SUCCESS);
409#endif
410#endif
411 return EXPECT_RESULT();
412}
413
414int test_wolfSSL_CertManagerLoadCABuffer_ex(void)
415{
416 EXPECT_DECLS;
417#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && !defined(NO_TLS)
418#if defined(WOLFSSL_PEM_TO_DER)
419 const char* ca_cert = "./certs/ca-cert.pem";
420 const char* ca_expired_cert = "./certs/test/expired/expired-ca.pem";
421#else
422 const char* ca_cert = "./certs/ca-cert.der";
423 const char* ca_expired_cert = "./certs/test/expired/expired-ca.der";
424#endif
425 int ret;
426
427 ExpectIntLE(ret = test_cm_load_ca_file_ex(ca_cert, WOLFSSL_LOAD_FLAG_NONE),
428 1);
429#if defined(NO_WOLFSSL_CLIENT) && defined(NO_WOLFSSL_SERVER)
430 ExpectIntEQ(ret, WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR));
431#elif defined(NO_RSA)
432 ExpectIntEQ(ret, WC_NO_ERR_TRACE(ASN_UNKNOWN_OID_E));
433#else
434 ExpectIntEQ(ret, WOLFSSL_SUCCESS);
435#endif
436
437 ExpectIntLE(ret = test_cm_load_ca_file_ex(ca_expired_cert,
438 WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY), 1);
439#if defined(NO_WOLFSSL_CLIENT) && defined(NO_WOLFSSL_SERVER)
440 ExpectIntEQ(ret, WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR));
441#elif defined(NO_RSA)
442 ExpectIntEQ(ret, WC_NO_ERR_TRACE(ASN_UNKNOWN_OID_E));
443#elif !(WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS && \
444 WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY) && !defined(NO_ASN_TIME) && \
445 defined(WOLFSSL_TRUST_PEER_CERT) && defined(OPENSSL_COMPATIBLE_DEFAULTS)
446 ExpectIntEQ(ret, WC_NO_ERR_TRACE(ASN_AFTER_DATE_E));
447#else
448 ExpectIntEQ(ret, WOLFSSL_SUCCESS);
449#endif
450
451#endif
452
453 return EXPECT_RESULT();
454}
455
456int test_wolfSSL_CertManagerLoadCABufferType(void)
457{
458 EXPECT_DECLS;
459#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && !defined(NO_TLS) && \
460 !defined(NO_RSA) && !defined(NO_SHA256) && \
461 !defined(WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION)
462#if defined(WOLFSSL_PEM_TO_DER)
463 const char* ca_cert = "./certs/ca-cert.pem";
464 const char* int1_cert = "./certs/intermediate/ca-int-cert.pem";
465 const char* int2_cert = "./certs/intermediate/ca-int2-cert.pem";
466 const char* client_cert = "./certs/intermediate/client-int-cert.pem";
467#else
468 const char* ca_cert = "./certs/ca-cert.der";
469 const char* int1_cert = "./certs/intermediate/ca-int-cert.der";
470 const char* int2_cert = "./certs/intermediate/ca-int2-cert.der";
471 const char* client_cert = "./certs/intermediate/client-int-cert.der";
472#endif
473 byte* ca_cert_buf = NULL;
474 byte* int1_cert_buf = NULL;
475 byte* int2_cert_buf = NULL;
476 byte* client_cert_buf = NULL;
477 size_t ca_cert_sz = 0;
478 size_t int1_cert_sz = 0;
479 size_t int2_cert_sz = 0;
480 size_t client_cert_sz = 0;
481 WOLFSSL_CERT_MANAGER* cm = NULL;
482
483 ExpectNotNull(cm = wolfSSL_CertManagerNew());
484 ExpectIntEQ(load_file(ca_cert, &ca_cert_buf, &ca_cert_sz), 0);
485 ExpectIntEQ(load_file(int1_cert, &int1_cert_buf, &int1_cert_sz), 0);
486 ExpectIntEQ(load_file(int2_cert, &int2_cert_buf, &int2_cert_sz), 0);
487 ExpectIntEQ(load_file(client_cert, &client_cert_buf, &client_cert_sz), 0);
488
489 ExpectIntNE(wolfSSL_CertManagerLoadCABufferType(cm, ca_cert_buf,
490 (sword32)ca_cert_sz, CERT_FILETYPE, 0,
491 WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS, 0), WOLFSSL_SUCCESS);
492 ExpectIntNE(wolfSSL_CertManagerLoadCABufferType(cm, ca_cert_buf,
493 (sword32)ca_cert_sz, CERT_FILETYPE, 0,
494 WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS, 5), WOLFSSL_SUCCESS);
495
496 ExpectIntEQ(wolfSSL_CertManagerLoadCABufferType(cm, ca_cert_buf,
497 (sword32)ca_cert_sz, CERT_FILETYPE, 0,
498 WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS, WOLFSSL_USER_CA),
499 WOLFSSL_SUCCESS);
500#if (!defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH)) || \
501 defined(OPENSSL_EXTRA)
502 ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, int1_cert_buf,
503 int1_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS);
504#endif
505 ExpectIntEQ(wolfSSL_CertManagerLoadCABufferType(cm, int1_cert_buf,
506 (sword32)int1_cert_sz, CERT_FILETYPE, 0,
507 WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS, WOLFSSL_USER_INTER),
508 WOLFSSL_SUCCESS);
509#if (!defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH)) || \
510 defined(OPENSSL_EXTRA)
511 ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, int2_cert_buf,
512 int2_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS);
513#endif
514 ExpectIntEQ(wolfSSL_CertManagerLoadCABufferType(cm, int2_cert_buf,
515 (sword32)int2_cert_sz, CERT_FILETYPE, 0,
516 WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS, WOLFSSL_USER_INTER),
517 WOLFSSL_SUCCESS);
518#if (!defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH)) || \
519 defined(OPENSSL_EXTRA)
520 ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, client_cert_buf,
521 client_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS);
522#endif
523 ExpectIntEQ(wolfSSL_CertManagerLoadCABufferType(cm, client_cert_buf,
524 (sword32)client_cert_sz, CERT_FILETYPE, 0,
525 WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS, WOLFSSL_USER_INTER),
526 WOLFSSL_SUCCESS);
527
528 ExpectIntEQ(wolfSSL_CertManagerUnloadTypeCerts(cm, WOLFSSL_USER_INTER),
529 WOLFSSL_SUCCESS);
530
531 /* Intermediate certs have been unloaded, but CA cert is still
532 loaded. Expect first level intermediate to verify, rest to fail. */
533#if (!defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH)) || \
534 defined(OPENSSL_EXTRA)
535 ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, int1_cert_buf,
536 int1_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS);
537 ExpectIntNE(wolfSSL_CertManagerVerifyBuffer(cm, int2_cert_buf,
538 int2_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS);
539 ExpectIntNE(wolfSSL_CertManagerVerifyBuffer(cm, client_cert_buf,
540 client_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS);
541#endif
542
543 ExpectIntEQ(wolfSSL_CertManagerLoadCABufferType(cm, int1_cert_buf,
544 (sword32)int1_cert_sz, CERT_FILETYPE, 0,
545 WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS, WOLFSSL_TEMP_CA),
546 WOLFSSL_SUCCESS);
547#if (!defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH)) || \
548 defined(OPENSSL_EXTRA)
549 ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, int2_cert_buf,
550 int2_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS);
551#endif
552 ExpectIntEQ(wolfSSL_CertManagerLoadCABufferType(cm, int2_cert_buf,
553 (sword32)int2_cert_sz, CERT_FILETYPE, 0,
554 WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS, WOLFSSL_CHAIN_CA),
555 WOLFSSL_SUCCESS);
556#if (!defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH)) || \
557 defined(OPENSSL_EXTRA)
558 ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, client_cert_buf,
559 client_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS);
560#endif
561 ExpectIntEQ(wolfSSL_CertManagerLoadCABufferType(cm, client_cert_buf,
562 (sword32)client_cert_sz, CERT_FILETYPE, 0,
563 WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS, WOLFSSL_USER_INTER),
564 WOLFSSL_SUCCESS);
565
566 ExpectIntEQ(wolfSSL_CertManagerUnloadTypeCerts(cm, WOLFSSL_USER_INTER),
567 WOLFSSL_SUCCESS);
568#if (!defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH)) || \
569 defined(OPENSSL_EXTRA)
570 ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, int1_cert_buf,
571 int1_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS);
572 ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, int2_cert_buf,
573 int2_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS);
574 ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, client_cert_buf,
575 client_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS);
576#endif
577
578 ExpectIntEQ(wolfSSL_CertManagerUnloadTypeCerts(cm, WOLFSSL_CHAIN_CA),
579 WOLFSSL_SUCCESS);
580#if (!defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH)) || \
581 defined(OPENSSL_EXTRA)
582 ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, int1_cert_buf,
583 int1_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS);
584 ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, int2_cert_buf,
585 int2_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS);
586 ExpectIntNE(wolfSSL_CertManagerVerifyBuffer(cm, client_cert_buf,
587 client_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS);
588#endif
589
590 ExpectIntEQ(wolfSSL_CertManagerUnloadTypeCerts(cm, WOLFSSL_TEMP_CA),
591 WOLFSSL_SUCCESS);
592#if (!defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH)) || \
593 defined(OPENSSL_EXTRA)
594 ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, int1_cert_buf,
595 int1_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS);
596 ExpectIntNE(wolfSSL_CertManagerVerifyBuffer(cm, int2_cert_buf,
597 int2_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS);
598 ExpectIntNE(wolfSSL_CertManagerVerifyBuffer(cm, client_cert_buf,
599 client_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS);
600#endif
601
602 ExpectIntEQ(wolfSSL_CertManagerUnloadTypeCerts(cm, WOLFSSL_USER_CA),
603 WOLFSSL_SUCCESS);
604#if (!defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH)) || \
605 defined(OPENSSL_EXTRA)
606 ExpectIntNE(wolfSSL_CertManagerVerifyBuffer(cm, int1_cert_buf,
607 int1_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS);
608 ExpectIntNE(wolfSSL_CertManagerVerifyBuffer(cm, int2_cert_buf,
609 int2_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS);
610 ExpectIntNE(wolfSSL_CertManagerVerifyBuffer(cm, client_cert_buf,
611 client_cert_sz, CERT_FILETYPE), WOLFSSL_SUCCESS);
612#endif
613
614 if (cm)
615 wolfSSL_CertManagerFree(cm);
616 if (ca_cert_buf)
617 XFREE(ca_cert_buf, NULL, DYNAMIC_TYPE_TMP_BUFFER);
618 if (int1_cert_buf)
619 XFREE(int1_cert_buf, NULL, DYNAMIC_TYPE_TMP_BUFFER);
620 if (int2_cert_buf)
621 XFREE(int2_cert_buf, NULL, DYNAMIC_TYPE_TMP_BUFFER);
622 if (client_cert_buf)
623 XFREE(client_cert_buf, NULL, DYNAMIC_TYPE_TMP_BUFFER);
624#endif
625
626 return EXPECT_RESULT();
627}
628
629int test_wolfSSL_CertManagerGetCerts(void)
630{
631 EXPECT_DECLS;
632#if defined(OPENSSL_ALL) && !defined(NO_CERTS) && \
633 !defined(NO_FILESYSTEM) && !defined(NO_RSA) && \
634 defined(WOLFSSL_SIGNER_DER_CERT)
635 WOLFSSL_CERT_MANAGER* cm = NULL;
636 WOLFSSL_STACK* sk = NULL;
637 X509* x509 = NULL;
638 X509* cert1 = NULL;
639 FILE* file1 = NULL;
640#ifdef DEBUG_WOLFSSL_VERBOSE
641 WOLFSSL_BIO* bio = NULL;
642#endif
643 int i = 0;
644 int ret = 0;
645 const byte* der = NULL;
646 int derSz = 0;
647
648 ExpectNotNull(file1 = fopen("./certs/ca-cert.pem", "rb"));
649
650 ExpectNotNull(cert1 = wolfSSL_PEM_read_X509(file1, NULL, NULL, NULL));
651 if (file1 != NULL) {
652 fclose(file1);
653 }
654
655 ExpectNull(sk = wolfSSL_CertManagerGetCerts(NULL));
656 ExpectNotNull(cm = wolfSSL_CertManagerNew_ex(NULL));
657 ExpectNull(sk = wolfSSL_CertManagerGetCerts(cm));
658
659 ExpectNotNull(der = wolfSSL_X509_get_der(cert1, &derSz));
660#if defined(OPENSSL_ALL) || defined(WOLFSSL_QT)
661 /* Check that ASN_SELF_SIGNED_E is returned for a self-signed cert for QT
662 * and full OpenSSL compatibility */
663 ExpectIntEQ(ret = wolfSSL_CertManagerVerifyBuffer(cm, der, derSz,
664 WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(ASN_SELF_SIGNED_E));
665#else
666 ExpectIntEQ(ret = wolfSSL_CertManagerVerifyBuffer(cm, der, derSz,
667 WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(ASN_NO_SIGNER_E));
668#endif
669
670 ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_CertManagerLoadCA(cm,
671 "./certs/ca-cert.pem", NULL));
672
673 ExpectNotNull(sk = wolfSSL_CertManagerGetCerts(cm));
674
675 for (i = 0; EXPECT_SUCCESS() && i < sk_X509_num(sk); i++) {
676 ExpectNotNull(x509 = sk_X509_value(sk, i));
677 ExpectIntEQ(0, wolfSSL_X509_cmp(x509, cert1));
678
679#ifdef DEBUG_WOLFSSL_VERBOSE
680 bio = BIO_new(wolfSSL_BIO_s_file());
681 if (bio != NULL) {
682 BIO_set_fp(bio, stderr, BIO_NOCLOSE);
683 X509_print(bio, x509);
684 BIO_free(bio);
685 }
686#endif /* DEBUG_WOLFSSL_VERBOSE */
687 }
688 wolfSSL_X509_free(cert1);
689 sk_X509_pop_free(sk, NULL);
690 wolfSSL_CertManagerFree(cm);
691#endif /* defined(OPENSSL_ALL) && !defined(NO_CERTS) && \
692 !defined(NO_FILESYSTEM) && !defined(NO_RSA) && \
693 defined(WOLFSSL_SIGNER_DER_CERT) */
694
695 return EXPECT_RESULT();
696}
697
698int test_wolfSSL_CertManagerSetVerify(void)
699{
700 EXPECT_DECLS;
701#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && !defined(NO_TLS) && \
702 !defined(NO_WOLFSSL_CM_VERIFY) && !defined(NO_RSA) && \
703 (!defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH))
704 WOLFSSL_CERT_MANAGER* cm = NULL;
705 int tmp = myVerifyAction;
706#ifdef WOLFSSL_PEM_TO_DER
707 const char* ca_cert = "./certs/ca-cert.pem";
708 const char* expiredCert = "./certs/test/expired/expired-cert.pem";
709#else
710 const char* ca_cert = "./certs/ca-cert.der";
711 const char* expiredCert = "./certs/test/expired/expired-cert.der";
712#endif
713
714 wolfSSL_CertManagerSetVerify(NULL, NULL);
715 wolfSSL_CertManagerSetVerify(NULL, myVerify);
716
717 ExpectNotNull(cm = wolfSSL_CertManagerNew());
718
719 wolfSSL_CertManagerSetVerify(cm, myVerify);
720
721#if defined(NO_WOLFSSL_CLIENT) && defined(NO_WOLFSSL_SERVER)
722 ExpectIntEQ(wolfSSL_CertManagerLoadCA(cm, ca_cert, NULL), -1);
723#else
724 ExpectIntEQ(wolfSSL_CertManagerLoadCA(cm, ca_cert, NULL),
725 WOLFSSL_SUCCESS);
726#endif
727 /* Use the test CB that always accepts certs */
728 myVerifyAction = VERIFY_OVERRIDE_ERROR;
729
730 ExpectIntEQ(wolfSSL_CertManagerVerify(cm, expiredCert,
731 CERT_FILETYPE), WOLFSSL_SUCCESS);
732
733#ifdef WOLFSSL_ALWAYS_VERIFY_CB
734 {
735 const char* verifyCert = "./certs/server-cert.der";
736 /* Use the test CB that always fails certs */
737 myVerifyAction = VERIFY_FORCE_FAIL;
738
739 ExpectIntEQ(wolfSSL_CertManagerVerify(cm, verifyCert,
740 WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(VERIFY_CERT_ERROR));
741 }
742#endif
743
744 wolfSSL_CertManagerFree(cm);
745 myVerifyAction = tmp;
746#endif
747
748 return EXPECT_RESULT();
749}
750
751int test_wolfSSL_CertManagerNameConstraint(void)
752{
753 EXPECT_DECLS;
754#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && \
755 !defined(NO_WOLFSSL_CM_VERIFY) && !defined(NO_RSA) && \
756 defined(OPENSSL_EXTRA) && defined(WOLFSSL_CERT_GEN) && \
757 defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_ALT_NAMES) && \
758 !defined(NO_SHA256)
759 WOLFSSL_CERT_MANAGER* cm = NULL;
760 WOLFSSL_EVP_PKEY *priv = NULL;
761 WOLFSSL_X509_NAME* name = NULL;
762 const char* ca_cert = "./certs/test/cert-ext-nc.der";
763 const char* server_cert = "./certs/test/server-goodcn.pem";
764 int i = 0;
765 static const byte extNameConsOid[] = {85, 29, 30};
766
767 RsaKey key;
768 WC_RNG rng;
769 byte *der = NULL;
770 int derSz = 0;
771 word32 idx = 0;
772 byte *pt;
773 WOLFSSL_X509 *x509 = NULL;
774 WOLFSSL_X509 *ca = NULL;
775
776 wc_InitRng(&rng);
777
778 /* load in CA private key for signing */
779 ExpectIntEQ(wc_InitRsaKey_ex(&key, HEAP_HINT, testDevId), 0);
780 ExpectIntEQ(wc_RsaPrivateKeyDecode(server_key_der_2048, &idx, &key,
781 sizeof_server_key_der_2048), 0);
782
783 /* get ca certificate then alter it */
784 ExpectNotNull(der =
785 (byte*)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER));
786 ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(ca_cert,
787 WOLFSSL_FILETYPE_ASN1));
788 ExpectNotNull(pt = (byte*)wolfSSL_X509_get_tbs(x509, &derSz));
789 if (EXPECT_SUCCESS() && (der != NULL)) {
790 XMEMCPY(der, pt, (size_t)derSz);
791
792 /* find the name constraint extension and alter it */
793 pt = der;
794 for (i = 0; i < derSz - 3; i++) {
795 if (XMEMCMP(pt, extNameConsOid, 3) == 0) {
796 pt += 3;
797 break;
798 }
799 pt++;
800 }
801 ExpectIntNE(i, derSz - 3); /* did not find OID if this case is hit */
802
803 /* go to the length value and set it to 0 */
804 while (i < derSz && *pt != 0x81) {
805 pt++;
806 i++;
807 }
808 ExpectIntNE(i, derSz); /* did not place to alter */
809 pt++;
810 *pt = 0x00;
811 }
812
813 /* resign the altered certificate */
814 ExpectIntGT((derSz = wc_SignCert(derSz, CTC_SHA256wRSA, der,
815 FOURK_BUF, &key, NULL, &rng)), 0);
816
817 ExpectNotNull(cm = wolfSSL_CertManagerNew());
818 ExpectIntEQ(wolfSSL_CertManagerLoadCABuffer(cm, der, derSz,
819 WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(ASN_PARSE_E));
820 wolfSSL_CertManagerFree(cm);
821
822 XFREE(der, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
823 wolfSSL_X509_free(x509);
824 wc_FreeRsaKey(&key);
825 wc_FreeRng(&rng);
826
827 /* add email alt name to satisfy constraint */
828 pt = (byte*)server_key_der_2048;
829 ExpectNotNull(priv = wolfSSL_d2i_PrivateKey(EVP_PKEY_RSA, NULL,
830 (const unsigned char**)&pt, sizeof_server_key_der_2048));
831
832 ExpectNotNull(cm = wolfSSL_CertManagerNew());
833 ExpectNotNull(ca = wolfSSL_X509_load_certificate_file(ca_cert,
834 WOLFSSL_FILETYPE_ASN1));
835
836 ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(ca, &derSz)));
837 DEBUG_WRITE_DER(der, derSz, "ca.der");
838
839 ExpectIntEQ(wolfSSL_CertManagerLoadCABuffer(cm, der, derSz,
840 WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
841
842 /* Good cert test with proper alt email name */
843 ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert,
844 WOLFSSL_FILETYPE_PEM));
845 ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca));
846 ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS);
847 name = NULL;
848
849 ExpectNotNull(name = X509_NAME_new());
850 ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8,
851 (byte*)"US", 2, -1, 0), SSL_SUCCESS);
852 ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8,
853 (byte*)"wolfssl.com", 11, -1, 0), SSL_SUCCESS);
854 ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "emailAddress", MBSTRING_UTF8,
855 (byte*)"support@info.wolfssl.com", 24, -1, 0), SSL_SUCCESS);
856 ExpectIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS);
857 X509_NAME_free(name);
858 name = NULL;
859
860 wolfSSL_X509_add_altname(x509, "wolfssl@info.wolfssl.com", ASN_RFC822_TYPE);
861
862 ExpectIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0);
863 DEBUG_WRITE_CERT_X509(x509, "good-cert.pem");
864
865 ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz)));
866 ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz,
867 WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
868 wolfSSL_X509_free(x509);
869 x509 = NULL;
870
871
872 /* Cert with bad alt name list */
873 ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert,
874 WOLFSSL_FILETYPE_PEM));
875 ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca));
876 ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS);
877 name = NULL;
878
879 ExpectNotNull(name = X509_NAME_new());
880 ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8,
881 (byte*)"US", 2, -1, 0), SSL_SUCCESS);
882 ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8,
883 (byte*)"wolfssl.com", 11, -1, 0), SSL_SUCCESS);
884 ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "emailAddress", MBSTRING_UTF8,
885 (byte*)"support@info.wolfssl.com", 24, -1, 0), SSL_SUCCESS);
886 ExpectIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS);
887 X509_NAME_free(name);
888
889 wolfSSL_X509_add_altname(x509, "wolfssl@info.com", ASN_RFC822_TYPE);
890 wolfSSL_X509_add_altname(x509, "wolfssl@info.wolfssl.com", ASN_RFC822_TYPE);
891
892 ExpectIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0);
893 DEBUG_WRITE_CERT_X509(x509, "bad-cert.pem");
894
895 ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz)));
896 ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz,
897 WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(ASN_NAME_INVALID_E));
898
899 wolfSSL_CertManagerFree(cm);
900 wolfSSL_X509_free(x509);
901 wolfSSL_X509_free(ca);
902 wolfSSL_EVP_PKEY_free(priv);
903#endif
904
905 return EXPECT_RESULT();
906}
907
908int test_wolfSSL_CertManagerNameConstraint2(void)
909{
910 EXPECT_DECLS;
911#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && \
912 !defined(NO_WOLFSSL_CM_VERIFY) && !defined(NO_RSA) && \
913 defined(OPENSSL_EXTRA) && defined(WOLFSSL_CERT_GEN) && \
914 defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_ALT_NAMES)
915 const char* ca_cert = "./certs/test/cert-ext-ndir.der";
916 const char* ca_cert2 = "./certs/test/cert-ext-ndir-exc.der";
917 const char* server_cert = "./certs/server-cert.pem";
918 WOLFSSL_CERT_MANAGER* cm = NULL;
919 WOLFSSL_X509 *x509 = NULL;
920 WOLFSSL_X509 *ca = NULL;
921
922 const unsigned char *der = NULL;
923 const unsigned char *pt;
924 WOLFSSL_EVP_PKEY *priv = NULL;
925 WOLFSSL_X509_NAME* name = NULL;
926 int derSz = 0;
927
928 /* C=US*/
929 char altName[] = {
930 0x30, 0x0D, 0x31, 0x0B, 0x30, 0x09,
931 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53
932 };
933
934 /* C=ID */
935 char altNameFail[] = {
936 0x30, 0x0D, 0x31, 0x0B, 0x30, 0x09,
937 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x49, 0x44
938 };
939
940 /* C=US ST=California*/
941 char altNameExc[] = {
942 0x30, 0x22,
943 0x31, 0x0B,
944 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53,
945 0x31, 0x13,
946 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0C, 0x0A,
947 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61
948 };
949 /* load in CA private key for signing */
950 pt = ca_key_der_2048;
951 ExpectNotNull(priv = wolfSSL_d2i_PrivateKey(EVP_PKEY_RSA, NULL, &pt,
952 sizeof_ca_key_der_2048));
953
954 ExpectNotNull(cm = wolfSSL_CertManagerNew());
955 ExpectNotNull(ca = wolfSSL_X509_load_certificate_file(ca_cert,
956 WOLFSSL_FILETYPE_ASN1));
957 ExpectNotNull((der = wolfSSL_X509_get_der(ca, &derSz)));
958 ExpectIntEQ(wolfSSL_CertManagerLoadCABuffer(cm, der, derSz,
959 WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
960
961 ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert,
962 WOLFSSL_FILETYPE_PEM));
963 ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca));
964 ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS);
965#if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_256)
966 wolfSSL_X509_sign(x509, priv, EVP_sha3_256());
967#else
968 wolfSSL_X509_sign(x509, priv, EVP_sha256());
969#endif
970 ExpectNotNull((der = wolfSSL_X509_get_der(x509, &derSz)));
971 ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz,
972 WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
973
974 /* Test no name case. */
975 ExpectIntEQ(wolfSSL_X509_add_altname_ex(x509, NULL, 0, ASN_DIR_TYPE),
976 WOLFSSL_SUCCESS);
977 ExpectIntEQ(wolfSSL_X509_add_altname(x509, "", ASN_DIR_TYPE),
978 WOLFSSL_SUCCESS);
979 /* IP not supported unless WOLFSSL_IP_ALT_NAME is enabled. */
980#ifdef WOLFSSL_IP_ALT_NAME
981 ExpectIntEQ(wolfSSL_X509_add_altname(x509, "127.0.0.1", ASN_IP_TYPE),
982 WOLFSSL_SUCCESS);
983#else
984 ExpectIntEQ(wolfSSL_X509_add_altname(x509, "127.0.0.1", ASN_IP_TYPE),
985 WOLFSSL_FAILURE);
986#endif
987
988 /* add in matching DIR alt name and resign */
989 wolfSSL_X509_add_altname_ex(x509, altName, sizeof(altName), ASN_DIR_TYPE);
990#if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_256)
991 wolfSSL_X509_sign(x509, priv, EVP_sha3_256());
992#else
993 wolfSSL_X509_sign(x509, priv, EVP_sha256());
994#endif
995
996 ExpectNotNull((der = wolfSSL_X509_get_der(x509, &derSz)));
997 ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz,
998 WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
999 wolfSSL_X509_free(x509);
1000 x509 = NULL;
1001
1002 /* check verify fail */
1003 ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert,
1004 WOLFSSL_FILETYPE_PEM));
1005 ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca));
1006 ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS);
1007
1008 /* add in miss matching DIR alt name and resign */
1009 wolfSSL_X509_add_altname_ex(x509, altNameFail, sizeof(altNameFail),
1010 ASN_DIR_TYPE);
1011
1012#if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_256)
1013 wolfSSL_X509_sign(x509, priv, EVP_sha3_256());
1014#else
1015 wolfSSL_X509_sign(x509, priv, EVP_sha256());
1016#endif
1017 ExpectNotNull((der = wolfSSL_X509_get_der(x509, &derSz)));
1018#ifndef WOLFSSL_NO_ASN_STRICT
1019 ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz,
1020 WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(ASN_NAME_INVALID_E));
1021#else
1022 ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz,
1023 WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
1024#endif
1025
1026 /* check that it still fails if one bad altname and one good altname is in
1027 * the certificate */
1028 wolfSSL_X509_free(x509);
1029 x509 = NULL;
1030 ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert,
1031 WOLFSSL_FILETYPE_PEM));
1032 ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca));
1033 ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS);
1034 wolfSSL_X509_add_altname_ex(x509, altName, sizeof(altName), ASN_DIR_TYPE);
1035 wolfSSL_X509_add_altname_ex(x509, altNameFail, sizeof(altNameFail),
1036 ASN_DIR_TYPE);
1037
1038#if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_256)
1039 wolfSSL_X509_sign(x509, priv, EVP_sha3_256());
1040#else
1041 wolfSSL_X509_sign(x509, priv, EVP_sha256());
1042#endif
1043 ExpectNotNull((der = wolfSSL_X509_get_der(x509, &derSz)));
1044#ifndef WOLFSSL_NO_ASN_STRICT
1045 ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz,
1046 WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(ASN_NAME_INVALID_E));
1047#else
1048 ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz,
1049 WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
1050#endif
1051
1052 /* check it fails with switching position of bad altname */
1053 wolfSSL_X509_free(x509);
1054 x509 = NULL;
1055 ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert,
1056 WOLFSSL_FILETYPE_PEM));
1057 ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca));
1058 ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS);
1059 wolfSSL_X509_add_altname_ex(x509, altNameFail, sizeof(altNameFail),
1060 ASN_DIR_TYPE);
1061 wolfSSL_X509_add_altname_ex(x509, altName, sizeof(altName), ASN_DIR_TYPE);
1062
1063#if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_256)
1064 wolfSSL_X509_sign(x509, priv, EVP_sha3_256());
1065#else
1066 wolfSSL_X509_sign(x509, priv, EVP_sha256());
1067#endif
1068 ExpectNotNull((der = wolfSSL_X509_get_der(x509, &derSz)));
1069#ifndef WOLFSSL_NO_ASN_STRICT
1070 ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz,
1071 WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(ASN_NAME_INVALID_E));
1072#else
1073 ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz,
1074 WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
1075#endif
1076 wolfSSL_CertManagerFree(cm);
1077
1078 wolfSSL_X509_free(x509);
1079 x509 = NULL;
1080 wolfSSL_X509_free(ca);
1081 ca = NULL;
1082
1083 /* now test with excluded name constraint */
1084 ExpectNotNull(cm = wolfSSL_CertManagerNew());
1085 ExpectNotNull(ca = wolfSSL_X509_load_certificate_file(ca_cert2,
1086 WOLFSSL_FILETYPE_ASN1));
1087 ExpectNotNull((der = wolfSSL_X509_get_der(ca, &derSz)));
1088 ExpectIntEQ(wolfSSL_CertManagerLoadCABuffer(cm, der, derSz,
1089 WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
1090
1091 ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert,
1092 WOLFSSL_FILETYPE_PEM));
1093 wolfSSL_X509_add_altname_ex(x509, altNameExc, sizeof(altNameExc),
1094 ASN_DIR_TYPE);
1095 ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca));
1096 ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS);
1097
1098#if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_256)
1099 wolfSSL_X509_sign(x509, priv, EVP_sha3_256());
1100#else
1101 wolfSSL_X509_sign(x509, priv, EVP_sha256());
1102#endif
1103 ExpectNotNull((der = wolfSSL_X509_get_der(x509, &derSz)));
1104#ifndef WOLFSSL_NO_ASN_STRICT
1105 ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz,
1106 WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(ASN_NAME_INVALID_E));
1107#else
1108 ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz,
1109 WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
1110#endif
1111 wolfSSL_CertManagerFree(cm);
1112 wolfSSL_X509_free(x509);
1113 wolfSSL_X509_free(ca);
1114 wolfSSL_EVP_PKEY_free(priv);
1115#endif
1116
1117 return EXPECT_RESULT();
1118}
1119
1120int test_wolfSSL_CertManagerNameConstraint3(void)
1121{
1122 EXPECT_DECLS;
1123#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && \
1124 !defined(NO_WOLFSSL_CM_VERIFY) && !defined(NO_RSA) && \
1125 defined(OPENSSL_EXTRA) && defined(WOLFSSL_CERT_GEN) && \
1126 defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_ALT_NAMES) && \
1127 !defined(NO_SHA256)
1128 WOLFSSL_CERT_MANAGER* cm = NULL;
1129 WOLFSSL_EVP_PKEY *priv = NULL;
1130 WOLFSSL_X509_NAME* name = NULL;
1131 const char* ca_cert = "./certs/test/cert-ext-mnc.der";
1132 const char* server_cert = "./certs/test/server-goodcn.pem";
1133
1134 byte *der = NULL;
1135 int derSz = 0;
1136 byte *pt;
1137 WOLFSSL_X509 *x509 = NULL;
1138 WOLFSSL_X509 *ca = NULL;
1139
1140 pt = (byte*)server_key_der_2048;
1141 ExpectNotNull(priv = wolfSSL_d2i_PrivateKey(EVP_PKEY_RSA, NULL,
1142 (const unsigned char**)&pt, sizeof_server_key_der_2048));
1143
1144 ExpectNotNull(cm = wolfSSL_CertManagerNew());
1145 ExpectNotNull(ca = wolfSSL_X509_load_certificate_file(ca_cert,
1146 WOLFSSL_FILETYPE_ASN1));
1147 ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(ca, &derSz)));
1148 DEBUG_WRITE_DER(der, derSz, "ca.der");
1149
1150 ExpectIntEQ(wolfSSL_CertManagerLoadCABuffer(cm, der, derSz,
1151 WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
1152
1153 /* check satisfying .wolfssl.com constraint passes */
1154 ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert,
1155 WOLFSSL_FILETYPE_PEM));
1156 ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca));
1157 ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS);
1158 name = NULL;
1159
1160 ExpectNotNull(name = X509_NAME_new());
1161 ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8,
1162 (byte*)"US", 2, -1, 0), SSL_SUCCESS);
1163 ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8,
1164 (byte*)"wolfssl.com", 11, -1, 0), SSL_SUCCESS);
1165 ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "emailAddress", MBSTRING_UTF8,
1166 (byte*)"support@info.wolfssl.com", 24, -1, 0), SSL_SUCCESS);
1167 ExpectIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS);
1168 X509_NAME_free(name);
1169 name = NULL;
1170
1171 wolfSSL_X509_add_altname(x509, "wolfssl@info.wolfssl.com", ASN_RFC822_TYPE);
1172
1173 ExpectIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0);
1174 DEBUG_WRITE_CERT_X509(x509, "good-1st-constraint-cert.pem");
1175
1176 ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz)));
1177 ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz,
1178 WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
1179 wolfSSL_X509_free(x509);
1180 x509 = NULL;
1181
1182 /* check satisfying .random.com constraint passes */
1183 ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert,
1184 WOLFSSL_FILETYPE_PEM));
1185 ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca));
1186 ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS);
1187 name = NULL;
1188
1189 ExpectNotNull(name = X509_NAME_new());
1190 ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8,
1191 (byte*)"US", 2, -1, 0), SSL_SUCCESS);
1192 ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8,
1193 (byte*)"wolfssl.com", 11, -1, 0), SSL_SUCCESS);
1194 ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "emailAddress", MBSTRING_UTF8,
1195 (byte*)"support@info.example.com", 24, -1, 0), SSL_SUCCESS);
1196 ExpectIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS);
1197 X509_NAME_free(name);
1198 name = NULL;
1199
1200 wolfSSL_X509_add_altname(x509, "wolfssl@info.example.com", ASN_RFC822_TYPE);
1201
1202 ExpectIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0);
1203 DEBUG_WRITE_CERT_X509(x509, "good-2nd-constraint-cert.pem");
1204
1205 ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz)));
1206 ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz,
1207 WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
1208 wolfSSL_X509_free(x509);
1209 x509 = NULL;
1210
1211 /* check fail case when neither constraint is matched */
1212 ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert,
1213 WOLFSSL_FILETYPE_PEM));
1214 ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca));
1215 ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS);
1216 name = NULL;
1217
1218 ExpectNotNull(name = X509_NAME_new());
1219 ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8,
1220 (byte*)"US", 2, -1, 0), SSL_SUCCESS);
1221 ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8,
1222 (byte*)"wolfssl.com", 11, -1, 0), SSL_SUCCESS);
1223 ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "emailAddress", MBSTRING_UTF8,
1224 (byte*)"support@info.com", 16, -1, 0), SSL_SUCCESS);
1225 ExpectIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS);
1226 X509_NAME_free(name);
1227
1228 wolfSSL_X509_add_altname(x509, "wolfssl@info.com", ASN_RFC822_TYPE);
1229
1230 ExpectIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0);
1231 DEBUG_WRITE_CERT_X509(x509, "bad-cert.pem");
1232
1233 ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz)));
1234 ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz,
1235 WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(ASN_NAME_INVALID_E));
1236
1237 wolfSSL_CertManagerFree(cm);
1238 wolfSSL_X509_free(x509);
1239 wolfSSL_X509_free(ca);
1240 wolfSSL_EVP_PKEY_free(priv);
1241#endif
1242
1243 return EXPECT_RESULT();
1244}
1245
1246int test_wolfSSL_CertManagerNameConstraint4(void)
1247{
1248 EXPECT_DECLS;
1249#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && \
1250 !defined(NO_WOLFSSL_CM_VERIFY) && !defined(NO_RSA) && \
1251 defined(OPENSSL_EXTRA) && defined(WOLFSSL_CERT_GEN) && \
1252 defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_ALT_NAMES) && \
1253 !defined(NO_SHA256)
1254 WOLFSSL_CERT_MANAGER* cm = NULL;
1255 WOLFSSL_EVP_PKEY *priv = NULL;
1256 WOLFSSL_X509_NAME* name = NULL;
1257 const char* ca_cert = "./certs/test/cert-ext-ncdns.der";
1258 const char* server_cert = "./certs/test/server-goodcn.pem";
1259
1260 byte *der = NULL;
1261 int derSz;
1262 byte *pt;
1263 WOLFSSL_X509 *x509 = NULL;
1264 WOLFSSL_X509 *ca = NULL;
1265
1266 pt = (byte*)server_key_der_2048;
1267 ExpectNotNull(priv = wolfSSL_d2i_PrivateKey(EVP_PKEY_RSA, NULL,
1268 (const unsigned char**)&pt, sizeof_server_key_der_2048));
1269
1270 ExpectNotNull(cm = wolfSSL_CertManagerNew());
1271 ExpectNotNull(ca = wolfSSL_X509_load_certificate_file(ca_cert,
1272 WOLFSSL_FILETYPE_ASN1));
1273 ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(ca, &derSz)));
1274 DEBUG_WRITE_DER(der, derSz, "ca.der");
1275
1276 ExpectIntEQ(wolfSSL_CertManagerLoadCABuffer(cm, der, derSz,
1277 WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
1278
1279 /* check satisfying wolfssl.com constraint passes */
1280 ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert,
1281 WOLFSSL_FILETYPE_PEM));
1282 ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca));
1283 ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS);
1284 name = NULL;
1285
1286 ExpectNotNull(name = X509_NAME_new());
1287 ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8,
1288 (byte*)"US", 2, -1, 0), SSL_SUCCESS);
1289 ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8,
1290 (byte*)"wolfssl.com", 11, -1, 0), SSL_SUCCESS);
1291 ExpectIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS);
1292 X509_NAME_free(name);
1293 name = NULL;
1294
1295 wolfSSL_X509_add_altname(x509, "www.wolfssl.com", ASN_DNS_TYPE);
1296 ExpectIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0);
1297 DEBUG_WRITE_CERT_X509(x509, "good-1st-constraint-cert.pem");
1298
1299 ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz)));
1300 ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz,
1301 WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
1302 wolfSSL_X509_free(x509);
1303 x509 = NULL;
1304
1305 /* check satisfying example.com constraint passes */
1306 ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert,
1307 WOLFSSL_FILETYPE_PEM));
1308 ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca));
1309 ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS);
1310 name = NULL;
1311
1312 ExpectNotNull(name = X509_NAME_new());
1313 ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8,
1314 (byte*)"US", 2, -1, 0), SSL_SUCCESS);
1315 ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8,
1316 (byte*)"example.com", 11, -1, 0), SSL_SUCCESS);
1317 ExpectIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS);
1318 X509_NAME_free(name);
1319 name = NULL;
1320
1321 wolfSSL_X509_add_altname(x509, "www.example.com", ASN_DNS_TYPE);
1322 ExpectIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0);
1323 DEBUG_WRITE_CERT_X509(x509, "good-2nd-constraint-cert.pem");
1324
1325 ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz)));
1326 ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz,
1327 WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
1328 wolfSSL_X509_free(x509);
1329 x509 = NULL;
1330
1331 /* check satisfying wolfssl.com constraint passes with list of DNS's */
1332 ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert,
1333 WOLFSSL_FILETYPE_PEM));
1334 ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca));
1335 ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS);
1336 name = NULL;
1337
1338 ExpectNotNull(name = X509_NAME_new());
1339 ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8,
1340 (byte*)"US", 2, -1, 0), SSL_SUCCESS);
1341 ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8,
1342 (byte*)"wolfssl.com", 11, -1, 0), SSL_SUCCESS);
1343 ExpectIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS);
1344 X509_NAME_free(name);
1345 name = NULL;
1346
1347 wolfSSL_X509_add_altname(x509, "www.wolfssl.com", ASN_DNS_TYPE);
1348 wolfSSL_X509_add_altname(x509, "www.info.wolfssl.com", ASN_DNS_TYPE);
1349 wolfSSL_X509_add_altname(x509, "extra.wolfssl.com", ASN_DNS_TYPE);
1350 ExpectIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0);
1351 DEBUG_WRITE_CERT_X509(x509, "good-multiple-constraint-cert.pem");
1352
1353 ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz)));
1354 ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz,
1355 WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
1356 wolfSSL_X509_free(x509);
1357 x509 = NULL;
1358
1359 /* check fail when one DNS in the list is bad */
1360 ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert,
1361 WOLFSSL_FILETYPE_PEM));
1362 ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca));
1363 ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS);
1364 name = NULL;
1365
1366 ExpectNotNull(name = X509_NAME_new());
1367 ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8,
1368 (byte*)"US", 2, -1, 0), SSL_SUCCESS);
1369 ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8,
1370 (byte*)"wolfssl.com", 11, -1, 0), SSL_SUCCESS);
1371 ExpectIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS);
1372 X509_NAME_free(name);
1373 name = NULL;
1374
1375 wolfSSL_X509_add_altname(x509, "www.wolfssl.com", ASN_DNS_TYPE);
1376 wolfSSL_X509_add_altname(x509, "www.nomatch.com", ASN_DNS_TYPE);
1377 wolfSSL_X509_add_altname(x509, "www.info.wolfssl.com", ASN_DNS_TYPE);
1378 ExpectIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0);
1379 DEBUG_WRITE_CERT_X509(x509, "bad-multiple-constraint-cert.pem");
1380
1381 ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz)));
1382 ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz,
1383 WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(ASN_NAME_INVALID_E));
1384 wolfSSL_X509_free(x509);
1385 x509 = NULL;
1386
1387 /* check fail case when neither constraint is matched */
1388 ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert,
1389 WOLFSSL_FILETYPE_PEM));
1390 ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca));
1391 ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS);
1392 name = NULL;
1393
1394 ExpectNotNull(name = X509_NAME_new());
1395 ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8,
1396 (byte*)"US", 2, -1, 0), SSL_SUCCESS);
1397 ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8,
1398 (byte*)"common", 6, -1, 0), SSL_SUCCESS);
1399 ExpectIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS);
1400 X509_NAME_free(name);
1401
1402 wolfSSL_X509_add_altname(x509, "www.random.com", ASN_DNS_TYPE);
1403 ExpectIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0);
1404 DEBUG_WRITE_CERT_X509(x509, "bad-cert.pem");
1405
1406 ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz)));
1407 ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz,
1408 WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(ASN_NAME_INVALID_E));
1409
1410 wolfSSL_CertManagerFree(cm);
1411 wolfSSL_X509_free(x509);
1412 wolfSSL_X509_free(ca);
1413 wolfSSL_EVP_PKEY_free(priv);
1414#endif
1415
1416 return EXPECT_RESULT();
1417}
1418
1419int test_wolfSSL_CertManagerNameConstraint5(void)
1420{
1421 EXPECT_DECLS;
1422#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && \
1423 !defined(NO_WOLFSSL_CM_VERIFY) && !defined(NO_RSA) && \
1424 defined(OPENSSL_EXTRA) && defined(WOLFSSL_CERT_GEN) && \
1425 defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_ALT_NAMES) && \
1426 !defined(NO_SHA256)
1427 WOLFSSL_CERT_MANAGER* cm = NULL;
1428 WOLFSSL_EVP_PKEY *priv = NULL;
1429 WOLFSSL_X509_NAME* name = NULL;
1430 const char* ca_cert = "./certs/test/cert-ext-ncmixed.der";
1431 const char* server_cert = "./certs/test/server-goodcn.pem";
1432
1433 byte *der = NULL;
1434 int derSz;
1435 byte *pt;
1436 WOLFSSL_X509 *x509 = NULL;
1437 WOLFSSL_X509 *ca = NULL;
1438
1439 pt = (byte*)server_key_der_2048;
1440 ExpectNotNull(priv = wolfSSL_d2i_PrivateKey(EVP_PKEY_RSA, NULL,
1441 (const unsigned char**)&pt, sizeof_server_key_der_2048));
1442
1443 ExpectNotNull(cm = wolfSSL_CertManagerNew());
1444 ExpectNotNull(ca = wolfSSL_X509_load_certificate_file(ca_cert,
1445 WOLFSSL_FILETYPE_ASN1));
1446 ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(ca, &derSz)));
1447 DEBUG_WRITE_DER(der, derSz, "ca.der");
1448
1449 ExpectIntEQ(wolfSSL_CertManagerLoadCABuffer(cm, der, derSz,
1450 WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
1451
1452 /* check satisfying wolfssl.com constraint passes */
1453 ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert,
1454 WOLFSSL_FILETYPE_PEM));
1455 ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca));
1456 ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS);
1457 name = NULL;
1458
1459 ExpectNotNull(name = X509_NAME_new());
1460 ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8,
1461 (byte*)"US", 2, -1, 0), SSL_SUCCESS);
1462 ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8,
1463 (byte*)"example", 7, -1, 0), SSL_SUCCESS);
1464 ExpectIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS);
1465 X509_NAME_free(name);
1466 name = NULL;
1467
1468 wolfSSL_X509_add_altname(x509, "good.example", ASN_DNS_TYPE);
1469 wolfSSL_X509_add_altname(x509, "facts@into.wolfssl.com", ASN_RFC822_TYPE);
1470 ExpectIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0);
1471 DEBUG_WRITE_CERT_X509(x509, "good-cert.pem");
1472
1473 ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz)));
1474 ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz,
1475 WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
1476 wolfSSL_X509_free(x509);
1477 x509 = NULL;
1478
1479 /* fail with DNS check because of common name */
1480 ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert,
1481 WOLFSSL_FILETYPE_PEM));
1482 ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca));
1483 ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS);
1484 name = NULL;
1485
1486 ExpectNotNull(name = X509_NAME_new());
1487 ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8,
1488 (byte*)"US", 2, -1, 0), SSL_SUCCESS);
1489 ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8,
1490 (byte*)"wolfssl.com", 11, -1, 0), SSL_SUCCESS);
1491 ExpectIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS);
1492 X509_NAME_free(name);
1493 name = NULL;
1494
1495 wolfSSL_X509_add_altname(x509, "example", ASN_DNS_TYPE);
1496 wolfSSL_X509_add_altname(x509, "facts@wolfssl.com", ASN_RFC822_TYPE);
1497 ExpectIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0);
1498 DEBUG_WRITE_CERT_X509(x509, "bad-cn-cert.pem");
1499
1500 ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz)));
1501 ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz,
1502 WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(ASN_NAME_INVALID_E));
1503 wolfSSL_X509_free(x509);
1504 x509 = NULL;
1505
1506 /* fail on permitted DNS name constraint */
1507 ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert,
1508 WOLFSSL_FILETYPE_PEM));
1509 ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca));
1510 ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS);
1511 name = NULL;
1512
1513 ExpectNotNull(name = X509_NAME_new());
1514 ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8,
1515 (byte*)"US", 2, -1, 0), SSL_SUCCESS);
1516 ExpectIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS);
1517 X509_NAME_free(name);
1518 name = NULL;
1519
1520 wolfSSL_X509_add_altname(x509, "www.example", ASN_DNS_TYPE);
1521 wolfSSL_X509_add_altname(x509, "www.wolfssl", ASN_DNS_TYPE);
1522 wolfSSL_X509_add_altname(x509, "info@wolfssl.com", ASN_RFC822_TYPE);
1523 ExpectIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0);
1524 DEBUG_WRITE_CERT_X509(x509, "bad-1st-constraint-cert.pem");
1525
1526 ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz)));
1527 ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz,
1528 WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(ASN_NAME_INVALID_E));
1529 wolfSSL_X509_free(x509);
1530 x509 = NULL;
1531
1532 /* fail on permitted email name constraint */
1533 ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert,
1534 WOLFSSL_FILETYPE_PEM));
1535 ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca));
1536 ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS);
1537 name = NULL;
1538
1539 ExpectNotNull(name = X509_NAME_new());
1540 ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8,
1541 (byte*)"US", 2, -1, 0), SSL_SUCCESS);
1542 ExpectIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS);
1543 X509_NAME_free(name);
1544 name = NULL;
1545
1546 wolfSSL_X509_add_altname(x509, "example", ASN_DNS_TYPE);
1547 wolfSSL_X509_add_altname(x509, "info@wolfssl.com", ASN_RFC822_TYPE);
1548 wolfSSL_X509_add_altname(x509, "info@example.com", ASN_RFC822_TYPE);
1549 ExpectIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0);
1550 DEBUG_WRITE_CERT_X509(x509, "bad-2nd-constraint-cert.pem");
1551
1552 ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz)));
1553 ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz,
1554 WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(ASN_NAME_INVALID_E));
1555 wolfSSL_X509_free(x509);
1556 x509 = NULL;
1557
1558 /* success with empty email name */
1559 ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert,
1560 WOLFSSL_FILETYPE_PEM));
1561 ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca));
1562 ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS);
1563 name = NULL;
1564
1565 ExpectNotNull(name = X509_NAME_new());
1566 ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8,
1567 (byte*)"US", 2, -1, 0), SSL_SUCCESS);
1568 ExpectIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS);
1569 X509_NAME_free(name);
1570
1571 wolfSSL_X509_add_altname(x509, "example", ASN_DNS_TYPE);
1572 ExpectIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0);
1573 DEBUG_WRITE_CERT_X509(x509, "good-missing-constraint-cert.pem");
1574
1575 ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz)));
1576 ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz,
1577 WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
1578 wolfSSL_X509_free(x509);
1579
1580 wolfSSL_CertManagerFree(cm);
1581 wolfSSL_X509_free(ca);
1582 wolfSSL_EVP_PKEY_free(priv);
1583#endif
1584 return EXPECT_RESULT();
1585}
1586
1587int test_wolfSSL_CertManagerNameConstraint_DNS_CN(void)
1588{
1589 EXPECT_DECLS;
1590#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && \
1591 !defined(NO_WOLFSSL_CM_VERIFY) && !defined(NO_RSA) && \
1592 defined(OPENSSL_EXTRA) && defined(WOLFSSL_CERT_GEN) && \
1593 defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_ALT_NAMES) && \
1594 !defined(NO_SHA256)
1595 /* Test that DNS name constraints are enforced against the Subject CN
1596 * when no SAN extension is present. The CA cert (cert-ext-ncdns.der)
1597 * permits only DNS:wolfssl.com and DNS:example.com. A leaf cert with
1598 * CN=evil.attacker.com and no SAN should be REJECTED. */
1599 WOLFSSL_CERT_MANAGER* cm = NULL;
1600 WOLFSSL_EVP_PKEY *priv = NULL;
1601 WOLFSSL_X509_NAME* name = NULL;
1602 const char* ca_cert = "./certs/test/cert-ext-ncdns.der";
1603 const char* server_cert = "./certs/test/server-goodcn.pem";
1604
1605 byte *der = NULL;
1606 int derSz;
1607 byte *pt;
1608 WOLFSSL_X509 *x509 = NULL;
1609 WOLFSSL_X509 *ca = NULL;
1610
1611 pt = (byte*)server_key_der_2048;
1612 ExpectNotNull(priv = wolfSSL_d2i_PrivateKey(EVP_PKEY_RSA, NULL,
1613 (const unsigned char**)&pt, sizeof_server_key_der_2048));
1614
1615 ExpectNotNull(cm = wolfSSL_CertManagerNew());
1616 ExpectNotNull(ca = wolfSSL_X509_load_certificate_file(ca_cert,
1617 WOLFSSL_FILETYPE_ASN1));
1618 ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(ca, &derSz)));
1619 ExpectIntEQ(wolfSSL_CertManagerLoadCABuffer(cm, der, derSz,
1620 WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
1621
1622 /* Sanity check: cert with SAN=evil.attacker.com is correctly rejected */
1623 ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert,
1624 WOLFSSL_FILETYPE_PEM));
1625 ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca));
1626 ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS);
1627 name = NULL;
1628
1629 ExpectNotNull(name = X509_NAME_new());
1630 ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8,
1631 (byte*)"US", 2, -1, 0), SSL_SUCCESS);
1632 ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8,
1633 (byte*)"evil.attacker.com", 17, -1, 0),
1634 SSL_SUCCESS);
1635 ExpectIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS);
1636 X509_NAME_free(name);
1637 name = NULL;
1638
1639 ExpectIntEQ(wolfSSL_X509_add_altname(x509, "evil.attacker.com",
1640 ASN_DNS_TYPE), WOLFSSL_SUCCESS);
1641 ExpectIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0);
1642 ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz)));
1643 ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz,
1644 WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(ASN_NAME_INVALID_E));
1645 wolfSSL_X509_free(x509);
1646 x509 = NULL;
1647
1648 /* NOW the actual vulnerability test: cert with CN=evil.attacker.com
1649 * but NO SAN. The DNS name constraint should still reject this, since
1650 * wolfSSL's hostname verification falls back to CN when no SAN exists. */
1651 ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert,
1652 WOLFSSL_FILETYPE_PEM));
1653 ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca));
1654 ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS);
1655 name = NULL;
1656
1657 ExpectNotNull(name = X509_NAME_new());
1658 ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8,
1659 (byte*)"US", 2, -1, 0), SSL_SUCCESS);
1660 ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8,
1661 (byte*)"evil.attacker.com", 17, -1, 0),
1662 SSL_SUCCESS);
1663 ExpectIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS);
1664 X509_NAME_free(name);
1665 name = NULL;
1666
1667 /* Do NOT add any SAN this is the bypass vector */
1668 ExpectIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0);
1669 ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz)));
1670 /* Should be ASN_NAME_INVALID_E because CN violates the constraint */
1671 ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz,
1672 WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(ASN_NAME_INVALID_E));
1673 wolfSSL_X509_free(x509);
1674 x509 = NULL;
1675
1676 /* Positive test: CN matches a permitted name (wolfssl.com) and no SAN is
1677 * present. The CN fallback should accept this cert. */
1678 ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert,
1679 WOLFSSL_FILETYPE_PEM));
1680 ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca));
1681 ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS);
1682 name = NULL;
1683
1684 ExpectNotNull(name = X509_NAME_new());
1685 ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8,
1686 (byte*)"US", 2, -1, 0), SSL_SUCCESS);
1687 ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8,
1688 (byte*)"wolfssl.com", 11, -1, 0),
1689 SSL_SUCCESS);
1690 ExpectIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS);
1691 X509_NAME_free(name);
1692 name = NULL;
1693
1694 /* No SAN added; CN=wolfssl.com matches the permitted DNS constraint. */
1695 ExpectIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0);
1696 ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz)));
1697 ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz,
1698 WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
1699
1700 wolfSSL_CertManagerFree(cm);
1701 wolfSSL_X509_free(x509);
1702 wolfSSL_X509_free(ca);
1703 wolfSSL_EVP_PKEY_free(priv);
1704#endif
1705 return EXPECT_RESULT();
1706}
1707
1708int test_wolfSSL_CertManagerNameConstraint_IP_SAN(void)
1709{
1710 EXPECT_DECLS;
1711#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && \
1712 !defined(NO_WOLFSSL_CM_VERIFY) && !defined(NO_RSA) && \
1713 defined(OPENSSL_EXTRA) && defined(WOLFSSL_CERT_GEN) && \
1714 defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_ALT_NAMES) && \
1715 !defined(NO_SHA256) && !defined(IGNORE_NAME_CONSTRAINTS)
1716 /* Regression test for iPAddress name-constraint enforcement.
1717 *
1718 * The CA at cert-ext-ncip.der declares a permittedSubtrees iPAddress
1719 * constraint of 192.168.1.0/255.255.255.0. A leaf with an iPAddress
1720 * SAN outside that subnet must be rejected. Prior to the fix, default
1721 * builds (without WOLFSSL_IP_ALT_NAME) silently skipped iPAddress SANs
1722 * during parsing, so the constraint loop saw no IP entries and the
1723 * leaf was accepted.
1724 *
1725 * The bypass only existed when WOLFSSL_IP_ALT_NAME was undefined (the
1726 * default). To exercise the regression target, this test must run in a
1727 * configuration without --enable-ip-alt-name and without
1728 * --enable-opensslall (which implies WOLFSSL_IP_ALT_NAME via
1729 * settings.h). With WOLFSSL_IP_ALT_NAME defined the same assertions
1730 * still hold, but the negative case there is enforcement of an
1731 * already-working path rather than the regression itself.
1732 *
1733 * Scope: this test exercises the permittedSubtrees code path. The
1734 * excludedSubtrees path uses the same parsing plumbing
1735 * (DecodeGeneralName -> SetDNSEntry into cert->altNames) and the same
1736 * ConfirmNameConstraints walk; the TALOS bug was strictly about
1737 * iPAddress entries being absent from cert->altNames, so once that is
1738 * fixed both directions are restored. The pre-existing
1739 * test_wolfSSL_NAME_CONSTRAINTS_excluded test exercises the excluded
1740 * direction more broadly. */
1741 WOLFSSL_CERT_MANAGER* cm = NULL;
1742 WOLFSSL_EVP_PKEY *priv = NULL;
1743 WOLFSSL_X509_NAME* name = NULL;
1744 const char* ca_cert = "./certs/test/cert-ext-ncip.der";
1745 const char* server_cert = "./certs/test/server-goodcn.pem";
1746 /* Raw IPv4 bytes for SAN values (not dotted-quad strings). */
1747 static const byte ip_inside[] = { 192, 168, 1, 10 }; /* permitted */
1748 static const byte ip_outside[] = { 10, 0, 0, 1 }; /* violates */
1749
1750 byte *der = NULL;
1751 int derSz;
1752 byte *pt;
1753 WOLFSSL_X509 *x509 = NULL;
1754 WOLFSSL_X509 *ca = NULL;
1755
1756 pt = (byte*)server_key_der_2048;
1757 ExpectNotNull(priv = wolfSSL_d2i_PrivateKey(EVP_PKEY_RSA, NULL,
1758 (const unsigned char**)&pt, sizeof_server_key_der_2048));
1759
1760 ExpectNotNull(cm = wolfSSL_CertManagerNew());
1761 ExpectNotNull(ca = wolfSSL_X509_load_certificate_file(ca_cert,
1762 WOLFSSL_FILETYPE_ASN1));
1763 ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(ca, &derSz)));
1764 ExpectIntEQ(wolfSSL_CertManagerLoadCABuffer(cm, der, derSz,
1765 WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
1766
1767 /* Negative case: leaf with IP SAN outside permitted subnet. Must be
1768 * rejected with ASN_NAME_INVALID_E. */
1769 ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert,
1770 WOLFSSL_FILETYPE_PEM));
1771 ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca));
1772 ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS);
1773 name = NULL;
1774
1775 /* Use add_altname_ex with raw IP bytes so the test runs in default
1776 * builds where add_altname (string form) requires WOLFSSL_IP_ALT_NAME. */
1777 ExpectIntEQ(wolfSSL_X509_add_altname_ex(x509, (const char*)ip_outside,
1778 sizeof(ip_outside), ASN_IP_TYPE), WOLFSSL_SUCCESS);
1779 ExpectIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0);
1780 ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz)));
1781 ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz,
1782 WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(ASN_NAME_INVALID_E));
1783 wolfSSL_X509_free(x509);
1784 x509 = NULL;
1785
1786 /* Positive case: leaf with IP SAN inside the permitted subnet must be
1787 * accepted. Confirms the fix does not over-reject. */
1788 ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert,
1789 WOLFSSL_FILETYPE_PEM));
1790 ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca));
1791 ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS);
1792 name = NULL;
1793
1794 ExpectIntEQ(wolfSSL_X509_add_altname_ex(x509, (const char*)ip_inside,
1795 sizeof(ip_inside), ASN_IP_TYPE), WOLFSSL_SUCCESS);
1796 ExpectIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0);
1797 ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz)));
1798 ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz,
1799 WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
1800
1801 wolfSSL_CertManagerFree(cm);
1802 wolfSSL_X509_free(x509);
1803 wolfSSL_X509_free(ca);
1804 wolfSSL_EVP_PKEY_free(priv);
1805#endif
1806 return EXPECT_RESULT();
1807}
1808
1809int test_wolfSSL_CertManagerNameConstraint_RID_SAN(void)
1810{
1811 EXPECT_DECLS;
1812#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && \
1813 !defined(NO_WOLFSSL_CM_VERIFY) && !defined(NO_RSA) && \
1814 defined(OPENSSL_EXTRA) && defined(WOLFSSL_CERT_GEN) && \
1815 defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_ALT_NAMES) && \
1816 !defined(NO_SHA256) && !defined(IGNORE_NAME_CONSTRAINTS)
1817 /* Regression test for registeredID name-constraint enforcement.
1818 *
1819 * The CA at cert-ext-ncrid.der declares a permittedSubtrees
1820 * registeredID constraint of OID 1.2.3.4.5. A leaf with a
1821 * registeredID SAN outside that permitted set must be rejected.
1822 *
1823 * Pre-fix, three independent failures hid the registeredID type from
1824 * enforcement in all build configurations:
1825 * 1. ConfirmNameConstraints' nameTypes[] array did not include
1826 * ASN_RID_TYPE, so the constraint loop never considered
1827 * registeredID entries.
1828 * 2. DecodeSubtree's accepted-tag set excluded
1829 * ASN_CONTEXT_SPECIFIC|ASN_RID_TYPE, so registeredID subtrees
1830 * in the CA's nameConstraints were dropped during parsing and
1831 * never reached signer->permittedNames/excludedNames.
1832 * 3. DecodeGeneralName gated registeredID SAN parsing on
1833 * WOLFSSL_RID_ALT_NAME; without that define cert->altNames had
1834 * no ASN_RID_TYPE entries.
1835 * The bug was unconditional - WOLFSSL_RID_ALT_NAME alone did not
1836 * fix it because layers 1 and 2 still discarded the data. */
1837 WOLFSSL_CERT_MANAGER* cm = NULL;
1838 WOLFSSL_EVP_PKEY *priv = NULL;
1839 WOLFSSL_X509_NAME* name = NULL;
1840 const char* ca_cert = "./certs/test/cert-ext-ncrid.der";
1841 const char* server_cert = "./certs/test/server-goodcn.pem";
1842 /* DER-encoded OID body bytes (no tag/length, since registeredID is
1843 * IMPLICIT [8] OBJECT IDENTIFIER inside a SAN). The first arc encodes
1844 * 40*X + Y in one byte for X<=2,Y<=39, then each subsequent arc is
1845 * base-128 with continuation bits. For values <128 the encoding is a
1846 * single byte. */
1847 static const byte rid_inside[] = { 0x2A, 0x03, 0x04, 0x05 }; /* 1.2.3.4.5 - permitted */
1848 static const byte rid_outside[] = { 0x2A, 0x03, 0x04, 0x63 }; /* 1.2.3.4.99 - violates */
1849
1850 byte *der = NULL;
1851 int derSz;
1852 byte *pt;
1853 WOLFSSL_X509 *x509 = NULL;
1854 WOLFSSL_X509 *ca = NULL;
1855
1856 pt = (byte*)server_key_der_2048;
1857 ExpectNotNull(priv = wolfSSL_d2i_PrivateKey(EVP_PKEY_RSA, NULL,
1858 (const unsigned char**)&pt, sizeof_server_key_der_2048));
1859
1860 ExpectNotNull(cm = wolfSSL_CertManagerNew());
1861 ExpectNotNull(ca = wolfSSL_X509_load_certificate_file(ca_cert,
1862 WOLFSSL_FILETYPE_ASN1));
1863 ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(ca, &derSz)));
1864 ExpectIntEQ(wolfSSL_CertManagerLoadCABuffer(cm, der, derSz,
1865 WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
1866
1867 /* Negative case: leaf with a registeredID SAN outside the permitted
1868 * OID set. Must be rejected with ASN_NAME_INVALID_E. */
1869 ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert,
1870 WOLFSSL_FILETYPE_PEM));
1871 ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca));
1872 ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS);
1873 name = NULL;
1874
1875 ExpectIntEQ(wolfSSL_X509_add_altname_ex(x509, (const char*)rid_outside,
1876 sizeof(rid_outside), ASN_RID_TYPE), WOLFSSL_SUCCESS);
1877 ExpectIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0);
1878 ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz)));
1879 ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz,
1880 WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(ASN_NAME_INVALID_E));
1881 wolfSSL_X509_free(x509);
1882 x509 = NULL;
1883
1884 /* Positive case: leaf with a registeredID SAN matching the permitted
1885 * OID exactly must be accepted. */
1886 ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert,
1887 WOLFSSL_FILETYPE_PEM));
1888 ExpectNotNull(name = wolfSSL_X509_get_subject_name(ca));
1889 ExpectIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS);
1890 name = NULL;
1891
1892 ExpectIntEQ(wolfSSL_X509_add_altname_ex(x509, (const char*)rid_inside,
1893 sizeof(rid_inside), ASN_RID_TYPE), WOLFSSL_SUCCESS);
1894 ExpectIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0);
1895 ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz)));
1896 ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz,
1897 WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
1898
1899 wolfSSL_CertManagerFree(cm);
1900 wolfSSL_X509_free(x509);
1901 wolfSSL_X509_free(ca);
1902 wolfSSL_EVP_PKEY_free(priv);
1903#endif
1904 return EXPECT_RESULT();
1905}
1906
1907int test_wolfSSL_X509_get_ext_d2i_RID_SAN(void)
1908{
1909 EXPECT_DECLS;
1910#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && !defined(NO_RSA) && \
1911 defined(OPENSSL_EXTRA) && defined(WOLFSSL_CERT_GEN) && \
1912 defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_ALT_NAMES) && \
1913 !defined(NO_SHA256)
1914 /* Regression test: a cert with a registeredID SAN must be exposable
1915 * through the OPENSSL_EXTRA SAN APIs even when WOLFSSL_RID_ALT_NAME
1916 * is undefined.
1917 *
1918 * The registeredID name-constraint fix adds registeredID entries to
1919 * altNames unconditionally so name constraints can be enforced. The
1920 * OPENSSL_EXTRA helpers DNS_to_GENERAL_NAME (used by
1921 * wolfSSL_X509_get_ext) and the ALT_NAMES_OID arm of
1922 * wolfSSL_X509_get_ext_d2i previously gated registeredID handling on
1923 * WOLFSSL_RID_ALT_NAME, which is NOT auto-enabled by
1924 * --enable-opensslextra. Without the fix, any cert with a
1925 * registeredID SAN would cause those getters to return NULL or
1926 * produce a malformed GENERAL_NAME (type==GEN_RID but
1927 * d.dNSName-as-IA5STRING in the union). */
1928 WOLFSSL_EVP_PKEY *priv = NULL;
1929 const char* server_cert = "./certs/test/server-goodcn.pem";
1930 static const byte rid_oid[] = { 0x2A, 0x03, 0x04, 0x05 };
1931 byte *pt;
1932 byte *der = NULL;
1933 int derSz;
1934 WOLFSSL_X509 *leaf = NULL;
1935 WOLFSSL_X509 *parsed = NULL;
1936 WOLFSSL_STACK *altNames = NULL;
1937 WOLFSSL_X509_EXTENSION *ext = NULL;
1938 WOLFSSL_GENERAL_NAME *gn = NULL;
1939 int found = 0;
1940 int i;
1941 int loc;
1942
1943 pt = (byte*)server_key_der_2048;
1944 ExpectNotNull(priv = wolfSSL_d2i_PrivateKey(EVP_PKEY_RSA, NULL,
1945 (const unsigned char**)&pt, sizeof_server_key_der_2048));
1946
1947 /* Build and sign a leaf with a registeredID SAN. */
1948 ExpectNotNull(leaf = wolfSSL_X509_load_certificate_file(server_cert,
1949 WOLFSSL_FILETYPE_PEM));
1950 ExpectIntEQ(wolfSSL_X509_add_altname_ex(leaf, (const char*)rid_oid,
1951 sizeof(rid_oid), ASN_RID_TYPE), WOLFSSL_SUCCESS);
1952 ExpectIntGT(wolfSSL_X509_sign(leaf, priv, EVP_sha256()), 0);
1953 ExpectNotNull((der = (byte*)wolfSSL_X509_get_der(leaf, &derSz)));
1954
1955 /* Re-parse the signed leaf so altNames are populated through
1956 * DecodeGeneralName (the path the fix touches). */
1957 ExpectNotNull(parsed = wolfSSL_X509_load_certificate_buffer(der, derSz,
1958 WOLFSSL_FILETYPE_ASN1));
1959
1960 /* wolfSSL_X509_get_ext_d2i for SAN must return a non-NULL stack
1961 * containing a registeredID GENERAL_NAME with the union populated
1962 * via d.registeredID (not d.dNSName). */
1963 ExpectNotNull(altNames = (WOLFSSL_STACK*)wolfSSL_X509_get_ext_d2i(parsed,
1964 NID_subject_alt_name, NULL, NULL));
1965 if (altNames != NULL) {
1966 for (i = 0; i < wolfSSL_sk_num(altNames); i++) {
1967 gn = (WOLFSSL_GENERAL_NAME*)wolfSSL_sk_value(altNames, i);
1968 if (gn != NULL && gn->type == ASN_RID_TYPE) {
1969 /* The union must hold a real ASN1_OBJECT, not the
1970 * default IA5 string the bypass path would produce.
1971 * Verify the encoded OID bytes match what we put on
1972 * the leaf so a future mis-encoding (wrong tag, off-by
1973 * -one length, swapped fields) is caught. */
1974 ExpectNotNull(gn->d.registeredID);
1975 if (gn->d.registeredID != NULL) {
1976 /* DER-wrapped: ASN_OBJECT_ID + length-byte + body */
1977 word32 expectedSz = 1 + 1 + sizeof(rid_oid);
1978 ExpectIntEQ(gn->d.registeredID->objSz, expectedSz);
1979 ExpectNotNull(gn->d.registeredID->obj);
1980 if (gn->d.registeredID->obj != NULL &&
1981 gn->d.registeredID->objSz == expectedSz) {
1982 ExpectIntEQ(gn->d.registeredID->obj[0], ASN_OBJECT_ID);
1983 ExpectIntEQ(gn->d.registeredID->obj[1],
1984 (byte)sizeof(rid_oid));
1985 ExpectIntEQ(XMEMCMP(gn->d.registeredID->obj + 2,
1986 rid_oid, sizeof(rid_oid)), 0);
1987 }
1988 }
1989 found = 1;
1990 break;
1991 }
1992 }
1993 }
1994 ExpectIntEQ(found, 1);
1995
1996 if (altNames != NULL) {
1997 wolfSSL_sk_pop_free(altNames,
1998 (void (*)(void*))wolfSSL_GENERAL_NAME_free);
1999 }
2000
2001 /* Also exercise wolfSSL_X509_get_ext, which routes through
2002 * DNS_to_GENERAL_NAME. Pre-fix that helper would return WOLFSSL_FAILURE
2003 * for any RID entry in default builds, causing X509_get_ext to return
2004 * NULL even though the SAN extension is present. */
2005 loc = wolfSSL_X509_get_ext_by_NID(parsed, NID_subject_alt_name, -1);
2006 ExpectIntGE(loc, 0);
2007 if (loc >= 0) {
2008 ExpectNotNull(ext = wolfSSL_X509_get_ext(parsed, loc));
2009 }
2010
2011 wolfSSL_X509_free(parsed);
2012 wolfSSL_X509_free(leaf);
2013 wolfSSL_EVP_PKEY_free(priv);
2014#endif
2015 return EXPECT_RESULT();
2016}
2017
2018int test_wolfSSL_X509_check_host_IP_only_SAN_CN_fallback(void)
2019{
2020 EXPECT_DECLS;
2021#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && !defined(NO_RSA) && \
2022 defined(OPENSSL_EXTRA) && defined(WOLFSSL_CERT_GEN) && \
2023 defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_ALT_NAMES) && \
2024 !defined(NO_SHA256)
2025 /* Companion regression test for the CheckForAltNames CN-fallback
2026 * preservation introduced alongside the iPAddress name-constraint
2027 * enforcement fix.
2028 *
2029 * Once iPAddress SAN entries are unconditionally added to altNames
2030 * (so name constraints can be enforced), a leaf that presents only
2031 * iPAddress SANs would suppress CN fallback in CheckForAltNames in
2032 * default builds, where the iPAddress matching path is compiled out.
2033 * That would silently break TLS hostname verification for callers
2034 * that previously relied on the CN fallback. The fix in
2035 * src/internal.c treats iPAddress entries as absent for the
2036 * *checkCN decision when WOLFSSL_IP_ALT_NAME is undefined.
2037 *
2038 * This test pins both directions:
2039 * - default build (no WOLFSSL_IP_ALT_NAME): IP-only-SAN cert with a
2040 * matching CN must succeed via CN fallback.
2041 * - WOLFSSL_IP_ALT_NAME defined: the same cert must fail because
2042 * the SAN presence suppresses CN fallback (RFC 6125 compliant).
2043 * Independently, a cert with a non-matching DNS SAN must always fail
2044 * regardless of build flags, since DNS SAN presence unambiguously
2045 * suppresses CN fallback. */
2046 WOLFSSL_EVP_PKEY *priv = NULL;
2047 WOLFSSL_X509_NAME* name = NULL;
2048 const char* server_cert = "./certs/test/server-goodcn.pem";
2049 const char hostName[] = "cnhost.local";
2050 static const byte ip_san[] = { 10, 0, 0, 1 };
2051 byte *pt;
2052 WOLFSSL_X509 *leafIp = NULL;
2053 WOLFSSL_X509 *leafDns = NULL;
2054
2055 pt = (byte*)server_key_der_2048;
2056 ExpectNotNull(priv = wolfSSL_d2i_PrivateKey(EVP_PKEY_RSA, NULL,
2057 (const unsigned char**)&pt, sizeof_server_key_der_2048));
2058
2059 /* Leaf with CN matching hostName and only an iPAddress SAN. */
2060 ExpectNotNull(leafIp = wolfSSL_X509_load_certificate_file(server_cert,
2061 WOLFSSL_FILETYPE_PEM));
2062 ExpectNotNull(name = X509_NAME_new());
2063 ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8,
2064 (byte*)hostName, (int)XSTRLEN(hostName), -1, 0), SSL_SUCCESS);
2065 ExpectIntEQ(wolfSSL_X509_set_subject_name(leafIp, name), WOLFSSL_SUCCESS);
2066 X509_NAME_free(name);
2067 name = NULL;
2068 ExpectIntEQ(wolfSSL_X509_add_altname_ex(leafIp, (const char*)ip_san,
2069 sizeof(ip_san), ASN_IP_TYPE), WOLFSSL_SUCCESS);
2070 ExpectIntGT(wolfSSL_X509_sign(leafIp, priv, EVP_sha256()), 0);
2071
2072#ifndef WOLFSSL_IP_ALT_NAME
2073 /* Default build: iPAddress entries are present in altNames for
2074 * constraint enforcement but treated as absent for *checkCN, so the
2075 * lookup falls back to the Subject CN, which matches. */
2076 ExpectIntEQ(wolfSSL_X509_check_host(leafIp, hostName, XSTRLEN(hostName),
2077 0, NULL), WOLFSSL_SUCCESS);
2078#else
2079 /* IP_ALT_NAME build: SAN presence suppresses CN fallback per RFC 6125.
2080 * The hostName ("cnhost.local") cannot match the iPAddress entry, so
2081 * the check must fail. */
2082 ExpectIntEQ(wolfSSL_X509_check_host(leafIp, hostName, XSTRLEN(hostName),
2083 0, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE));
2084#endif
2085
2086 /* Leaf with CN matching hostName but a non-matching DNS SAN. CN
2087 * fallback must be suppressed in every build (DNS SAN unambiguously
2088 * counts toward *checkCN), so the check must fail. This pins the
2089 * other side of the boundary so a future change that broadly skips
2090 * altNames in *checkCN does not silently regress. */
2091 ExpectNotNull(leafDns = wolfSSL_X509_load_certificate_file(server_cert,
2092 WOLFSSL_FILETYPE_PEM));
2093 ExpectNotNull(name = X509_NAME_new());
2094 ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8,
2095 (byte*)hostName, (int)XSTRLEN(hostName), -1, 0), SSL_SUCCESS);
2096 ExpectIntEQ(wolfSSL_X509_set_subject_name(leafDns, name), WOLFSSL_SUCCESS);
2097 X509_NAME_free(name);
2098 name = NULL;
2099 ExpectIntEQ(wolfSSL_X509_add_altname(leafDns, "other.example",
2100 ASN_DNS_TYPE), WOLFSSL_SUCCESS);
2101 ExpectIntGT(wolfSSL_X509_sign(leafDns, priv, EVP_sha256()), 0);
2102 ExpectIntEQ(wolfSSL_X509_check_host(leafDns, hostName, XSTRLEN(hostName),
2103 0, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE));
2104
2105 wolfSSL_X509_free(leafIp);
2106 wolfSSL_X509_free(leafDns);
2107 wolfSSL_EVP_PKEY_free(priv);
2108#endif
2109 return EXPECT_RESULT();
2110}
2111
2112int test_wolfSSL_CertManagerCRL(void)
2113{
2114 EXPECT_DECLS;
2115#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && defined(HAVE_CRL) && \
2116 !defined(NO_RSA)
2117 const char* ca_cert = "./certs/ca-cert.pem";
2118 const char* crl1 = "./certs/crl/crl.pem";
2119 const char* crl2 = "./certs/crl/crl2.pem";
2120#ifdef WC_RSA_PSS
2121 const char* crl_rsapss = "./certs/crl/crl_rsapss.pem";
2122 const char* ca_rsapss = "./certs/rsapss/ca-rsapss.pem";
2123#endif
2124 /* ./certs/crl/crl.der */
2125 const unsigned char crl_buff[] = {
2126 0x30, 0x82, 0x02, 0x04, 0x30, 0x81, 0xED, 0x02,
2127 0x01, 0x01, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86,
2128 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05,
2129 0x00, 0x30, 0x81, 0x94, 0x31, 0x0B, 0x30, 0x09,
2130 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55,
2131 0x53, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55,
2132 0x04, 0x08, 0x0C, 0x07, 0x4D, 0x6F, 0x6E, 0x74,
2133 0x61, 0x6E, 0x61, 0x31, 0x10, 0x30, 0x0E, 0x06,
2134 0x03, 0x55, 0x04, 0x07, 0x0C, 0x07, 0x42, 0x6F,
2135 0x7A, 0x65, 0x6D, 0x61, 0x6E, 0x31, 0x11, 0x30,
2136 0x0F, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x0C, 0x08,
2137 0x53, 0x61, 0x77, 0x74, 0x6F, 0x6F, 0x74, 0x68,
2138 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04,
2139 0x0B, 0x0C, 0x0A, 0x43, 0x6F, 0x6E, 0x73, 0x75,
2140 0x6C, 0x74, 0x69, 0x6E, 0x67, 0x31, 0x18, 0x30,
2141 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x0F,
2142 0x77, 0x77, 0x77, 0x2E, 0x77, 0x6F, 0x6C, 0x66,
2143 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x31,
2144 0x1F, 0x30, 0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48,
2145 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01, 0x16, 0x10,
2146 0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77, 0x6F, 0x6C,
2147 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D,
2148 0x17, 0x0D, 0x32, 0x34, 0x30, 0x31, 0x30, 0x39,
2149 0x30, 0x30, 0x33, 0x34, 0x33, 0x30, 0x5A, 0x17,
2150 0x0D, 0x32, 0x36, 0x31, 0x30, 0x30, 0x35, 0x30,
2151 0x30, 0x33, 0x34, 0x33, 0x30, 0x5A, 0x30, 0x14,
2152 0x30, 0x12, 0x02, 0x01, 0x02, 0x17, 0x0D, 0x32,
2153 0x34, 0x30, 0x31, 0x30, 0x39, 0x30, 0x30, 0x33,
2154 0x34, 0x33, 0x30, 0x5A, 0xA0, 0x0E, 0x30, 0x0C,
2155 0x30, 0x0A, 0x06, 0x03, 0x55, 0x1D, 0x14, 0x04,
2156 0x03, 0x02, 0x01, 0x02, 0x30, 0x0D, 0x06, 0x09,
2157 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01,
2158 0x0B, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00,
2159 0xB3, 0x6F, 0xED, 0x72, 0xD2, 0x73, 0x6A, 0x77,
2160 0xBF, 0x3A, 0x55, 0xBC, 0x54, 0x18, 0x6A, 0x71,
2161 0xBC, 0x6A, 0xCC, 0xCD, 0x5D, 0x90, 0xF5, 0x64,
2162 0x8D, 0x1B, 0xF0, 0xE0, 0x48, 0x7B, 0xF2, 0x7B,
2163 0x06, 0x86, 0x53, 0x63, 0x9B, 0xD8, 0x24, 0x15,
2164 0x10, 0xB1, 0x19, 0x96, 0x9B, 0xD2, 0x75, 0xA8,
2165 0x25, 0xA2, 0x35, 0xA9, 0x14, 0xD6, 0xD5, 0x5E,
2166 0x53, 0xE3, 0x34, 0x9D, 0xF2, 0x8B, 0x07, 0x19,
2167 0x9B, 0x1F, 0xF1, 0x02, 0x0F, 0x04, 0x46, 0xE8,
2168 0xB8, 0xB6, 0xF2, 0x8D, 0xC7, 0xC0, 0x15, 0x3E,
2169 0x3E, 0x8E, 0x96, 0x73, 0x15, 0x1E, 0x62, 0xF6,
2170 0x4E, 0x2A, 0xF7, 0xAA, 0xA0, 0x91, 0x80, 0x12,
2171 0x7F, 0x81, 0x0C, 0x65, 0xCC, 0x38, 0xBE, 0x58,
2172 0x6C, 0x14, 0xA5, 0x21, 0xA1, 0x8D, 0xF7, 0x8A,
2173 0xB9, 0x24, 0xF4, 0x2D, 0xCA, 0xC0, 0x67, 0x43,
2174 0x0B, 0xC8, 0x1C, 0xB4, 0x7D, 0x12, 0x7F, 0xA2,
2175 0x1B, 0x19, 0x0E, 0x94, 0xCF, 0x7B, 0x9F, 0x75,
2176 0xA0, 0x08, 0x9A, 0x67, 0x3F, 0x87, 0x89, 0x3E,
2177 0xF8, 0x58, 0xA5, 0x8A, 0x1B, 0x2D, 0xDA, 0x9B,
2178 0xD0, 0x1B, 0x18, 0x92, 0xC3, 0xD2, 0x6A, 0xD7,
2179 0x1C, 0xFC, 0x45, 0x69, 0x77, 0xC3, 0x57, 0x65,
2180 0x75, 0x99, 0x9E, 0x47, 0x2A, 0x20, 0x25, 0xEF,
2181 0x90, 0xF2, 0x5F, 0x3B, 0x7D, 0x9C, 0x7D, 0x00,
2182 0xEA, 0x92, 0x54, 0xEB, 0x0B, 0xE7, 0x17, 0xAF,
2183 0x24, 0x1A, 0xF9, 0x7C, 0x83, 0x50, 0x68, 0x1D,
2184 0xDC, 0x5B, 0x60, 0x12, 0xA7, 0x52, 0x78, 0xD9,
2185 0xA9, 0xB0, 0x1F, 0x59, 0x48, 0x36, 0xC7, 0xA6,
2186 0x97, 0x34, 0xC7, 0x87, 0x3F, 0xAE, 0xFD, 0xA9,
2187 0x56, 0x5D, 0x48, 0xCC, 0x89, 0x7A, 0x79, 0x60,
2188 0x8F, 0x9B, 0x2B, 0x63, 0x3C, 0xB3, 0x04, 0x1D,
2189 0x5F, 0xF7, 0x20, 0xD2, 0xFD, 0xF2, 0x51, 0xB1,
2190 0x96, 0x93, 0x13, 0x5B, 0xAB, 0x74, 0x82, 0x8B
2191 };
2192
2193 WOLFSSL_CERT_MANAGER* cm = NULL;
2194
2195 ExpectNotNull(cm = wolfSSL_CertManagerNew());
2196
2197 ExpectIntEQ(wolfSSL_CertManagerEnableCRL(NULL, 0),
2198 WC_NO_ERR_TRACE(BAD_FUNC_ARG));
2199 ExpectIntEQ(wolfSSL_CertManagerEnableCRL(cm, WOLFSSL_CRL_CHECKALL), 1);
2200 ExpectIntEQ(wolfSSL_CertManagerEnableCRL(cm, WOLFSSL_CRL_CHECK), 1);
2201 ExpectIntEQ(wolfSSL_CertManagerEnableCRL(cm,
2202 WOLFSSL_CRL_CHECK | WOLFSSL_CRL_CHECKALL), 1);
2203 ExpectIntEQ(wolfSSL_CertManagerEnableCRL(cm, 16), 1);
2204 ExpectIntEQ(wolfSSL_CertManagerEnableCRL(cm, WOLFSSL_CRL_CHECKALL), 1);
2205
2206 ExpectIntEQ(wolfSSL_CertManagerCheckCRL(NULL, NULL, -1),
2207 WC_NO_ERR_TRACE(BAD_FUNC_ARG));
2208 ExpectIntEQ(wolfSSL_CertManagerCheckCRL(cm, NULL, -1),
2209 WC_NO_ERR_TRACE(BAD_FUNC_ARG));
2210 ExpectIntEQ(wolfSSL_CertManagerCheckCRL(NULL, server_cert_der_2048, -1),
2211 WC_NO_ERR_TRACE(BAD_FUNC_ARG));
2212 ExpectIntEQ(wolfSSL_CertManagerCheckCRL(NULL, NULL, 1),
2213 WC_NO_ERR_TRACE(BAD_FUNC_ARG));
2214 ExpectIntEQ(wolfSSL_CertManagerCheckCRL(NULL, server_cert_der_2048, 1),
2215 WC_NO_ERR_TRACE(BAD_FUNC_ARG));
2216 ExpectIntEQ(wolfSSL_CertManagerCheckCRL(cm, NULL, 1),
2217 WC_NO_ERR_TRACE(BAD_FUNC_ARG));
2218 ExpectIntEQ(wolfSSL_CertManagerCheckCRL(cm, server_cert_der_2048, -1),
2219 WC_NO_ERR_TRACE(BAD_FUNC_ARG));
2220 ExpectIntEQ(wolfSSL_CertManagerCheckCRL(cm, server_cert_der_2048,
2221 sizeof_server_cert_der_2048), WC_NO_ERR_TRACE(ASN_NO_SIGNER_E));
2222
2223 ExpectIntEQ(wolfSSL_CertManagerSetCRL_Cb(NULL, NULL),
2224 WC_NO_ERR_TRACE(BAD_FUNC_ARG));
2225 ExpectIntEQ(wolfSSL_CertManagerSetCRL_Cb(cm, NULL), 1);
2226#ifdef HAVE_CRL_IO
2227 ExpectIntEQ(wolfSSL_CertManagerSetCRL_IOCb(NULL, NULL),
2228 WC_NO_ERR_TRACE(BAD_FUNC_ARG));
2229 ExpectIntEQ(wolfSSL_CertManagerSetCRL_IOCb(cm, NULL), 1);
2230#endif
2231
2232#ifndef NO_FILESYSTEM
2233 ExpectIntEQ(wolfSSL_CertManagerLoadCRL(NULL, NULL, WOLFSSL_FILETYPE_ASN1,
2234 0), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
2235 ExpectIntEQ(wolfSSL_CertManagerLoadCRL(cm, NULL, WOLFSSL_FILETYPE_ASN1,
2236 0), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
2237 /* -1 seen as !WOLFSSL_FILETYPE_PEM */
2238 ExpectIntEQ(wolfSSL_CertManagerLoadCRL(cm, "./certs/crl", -1, 0), 1);
2239
2240 ExpectIntEQ(wolfSSL_CertManagerLoadCRLFile(NULL, NULL,
2241 WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
2242 ExpectIntEQ(wolfSSL_CertManagerLoadCRLFile(cm, NULL, WOLFSSL_FILETYPE_ASN1),
2243 WC_NO_ERR_TRACE(BAD_FUNC_ARG));
2244 /* -1 seen as !WOLFSSL_FILETYPE_PEM */
2245 ExpectIntEQ(wolfSSL_CertManagerLoadCRLFile(cm, "./certs/crl/crl.pem", -1),
2246 WC_NO_ERR_TRACE(ASN_PARSE_E));
2247#endif
2248
2249 ExpectIntEQ(wolfSSL_CertManagerLoadCRLBuffer(NULL, NULL, -1,
2250 WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
2251 ExpectIntEQ(wolfSSL_CertManagerLoadCRLBuffer(cm, NULL, -1,
2252 WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
2253 ExpectIntEQ(wolfSSL_CertManagerLoadCRLBuffer(NULL, crl_buff, -1,
2254 WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
2255 ExpectIntEQ(wolfSSL_CertManagerLoadCRLBuffer(NULL, NULL, 1,
2256 WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
2257 ExpectIntEQ(wolfSSL_CertManagerLoadCRLBuffer(NULL, crl_buff, 1,
2258 WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
2259 ExpectIntEQ(wolfSSL_CertManagerLoadCRLBuffer(cm, NULL, 1,
2260 WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
2261 ExpectIntEQ(wolfSSL_CertManagerLoadCRLBuffer(cm, crl_buff, -1,
2262 WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
2263
2264 ExpectIntEQ(wolfSSL_CertManagerFreeCRL(NULL),
2265 WC_NO_ERR_TRACE(BAD_FUNC_ARG));
2266 DoExpectIntEQ(wolfSSL_CertManagerFreeCRL(cm), 1);
2267
2268 ExpectIntEQ(WOLFSSL_SUCCESS,
2269 wolfSSL_CertManagerLoadCA(cm, ca_cert, NULL));
2270 ExpectIntEQ(WOLFSSL_SUCCESS,
2271 wolfSSL_CertManagerLoadCRL(cm, crl1, WOLFSSL_FILETYPE_PEM, 0));
2272 ExpectIntEQ(WOLFSSL_SUCCESS,
2273 wolfSSL_CertManagerLoadCRL(cm, crl2, WOLFSSL_FILETYPE_PEM, 0));
2274 wolfSSL_CertManagerFreeCRL(cm);
2275
2276#ifndef WOLFSSL_CRL_ALLOW_MISSING_CDP
2277 ExpectIntEQ(WOLFSSL_SUCCESS,
2278 wolfSSL_CertManagerLoadCRL(cm, crl1, WOLFSSL_FILETYPE_PEM, 0));
2279 ExpectIntEQ(WOLFSSL_SUCCESS,
2280 wolfSSL_CertManagerLoadCA(cm, ca_cert, NULL));
2281 ExpectIntEQ(wolfSSL_CertManagerCheckCRL(cm, server_cert_der_2048,
2282 sizeof_server_cert_der_2048), WC_NO_ERR_TRACE(CRL_MISSING));
2283 ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, server_cert_der_2048,
2284 sizeof_server_cert_der_2048, WOLFSSL_FILETYPE_ASN1),
2285 WC_NO_ERR_TRACE(CRL_MISSING));
2286#endif /* !WOLFSSL_CRL_ALLOW_MISSING_CDP */
2287
2288 ExpectIntEQ(wolfSSL_CertManagerLoadCRLBuffer(cm, crl_buff, sizeof(crl_buff),
2289 WOLFSSL_FILETYPE_ASN1), 1);
2290
2291#if !defined(NO_FILESYSTEM) && defined(WC_RSA_PSS)
2292 /* loading should fail without the CA set */
2293 ExpectIntEQ(wolfSSL_CertManagerLoadCRLFile(cm, crl_rsapss,
2294 WOLFSSL_FILETYPE_PEM), WC_NO_ERR_TRACE(ASN_CRL_NO_SIGNER_E));
2295
2296 /* now successfully load the RSA-PSS crl once loading in it's CA */
2297 ExpectIntEQ(WOLFSSL_SUCCESS,
2298 wolfSSL_CertManagerLoadCA(cm, ca_rsapss, NULL));
2299 ExpectIntEQ(wolfSSL_CertManagerLoadCRLFile(cm, crl_rsapss,
2300 WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS);
2301#endif
2302
2303 wolfSSL_CertManagerFree(cm);
2304#endif
2305
2306 return EXPECT_RESULT();
2307}
2308
2309int test_wolfSSL_CRL_reason_extensions_cleanup(void)
2310{
2311 EXPECT_DECLS;
2312#if defined(HAVE_CRL) && defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \
2313 defined(WOLFSSL_PEM_TO_DER) && !defined(NO_FILESYSTEM) && \
2314 !defined(NO_STDIO_FILESYSTEM) && !defined(NO_RSA)
2315 WOLFSSL_CERT_MANAGER* cm = NULL;
2316 const char* crlReasonFile = "./certs/crl/crl_reason.pem";
2317
2318 ExpectNotNull(cm = wolfSSL_CertManagerNew());
2319 if (cm != NULL) {
2320 ExpectIntEQ(wolfSSL_CertManagerEnableCRL(cm, WOLFSSL_CRL_CHECKALL),
2321 WOLFSSL_SUCCESS);
2322 ExpectIntEQ(wolfSSL_CertManagerLoadCABuffer(cm, ca_cert_der_2048,
2323 sizeof_ca_cert_der_2048, WOLFSSL_FILETYPE_ASN1),
2324 WOLFSSL_SUCCESS);
2325 /* Exercises ParseCRL/GetRevoked path that allocates entry extensions;
2326 * cleanup runs via FreeDecodedCRL in BufferLoadCRL. */
2327 ExpectIntEQ(wolfSSL_CertManagerLoadCRLFile(cm, crlReasonFile,
2328 WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS);
2329 wolfSSL_CertManagerFree(cm);
2330 }
2331#endif
2332 return EXPECT_RESULT();
2333}
2334
2335int test_wolfSSL_CRL_static_revoked_list(void)
2336{
2337 EXPECT_DECLS;
2338#if defined(CRL_STATIC_REVOKED_LIST) && defined(HAVE_CRL) && \
2339 !defined(NO_RSA) && !defined(NO_CERTS)
2340 /* CRL signed by certs/ca-cert.pem that revokes serials 05, 02, 01 in that
2341 * (unsorted) wire order. The unsorted order exposes a binary search bug in
2342 * FindRevokedSerial when CRL_STATIC_REVOKED_LIST is enabled: the revoked
2343 * cert array is never sorted after parsing, so binary search misses entries
2344 * that are out of order.
2345 *
2346 * Generated with Python cryptography library:
2347 * builder.add_revoked_certificate(serial=5)
2348 * builder.add_revoked_certificate(serial=2)
2349 * builder.add_revoked_certificate(serial=1)
2350 * crl = builder.sign(ca_key, hashes.SHA256())
2351 */
2352 static const unsigned char crl_multi_revoked[] = {
2353 0x30, 0x82, 0x02, 0x1D, 0x30, 0x82, 0x01, 0x05,
2354 0x02, 0x01, 0x01, 0x30, 0x0D, 0x06, 0x09, 0x2A,
2355 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B,
2356 0x05, 0x00, 0x30, 0x81, 0x94, 0x31, 0x0B, 0x30,
2357 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02,
2358 0x55, 0x53, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03,
2359 0x55, 0x04, 0x08, 0x0C, 0x07, 0x4D, 0x6F, 0x6E,
2360 0x74, 0x61, 0x6E, 0x61, 0x31, 0x10, 0x30, 0x0E,
2361 0x06, 0x03, 0x55, 0x04, 0x07, 0x0C, 0x07, 0x42,
2362 0x6F, 0x7A, 0x65, 0x6D, 0x61, 0x6E, 0x31, 0x11,
2363 0x30, 0x0F, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x0C,
2364 0x08, 0x53, 0x61, 0x77, 0x74, 0x6F, 0x6F, 0x74,
2365 0x68, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55,
2366 0x04, 0x0B, 0x0C, 0x0A, 0x43, 0x6F, 0x6E, 0x73,
2367 0x75, 0x6C, 0x74, 0x69, 0x6E, 0x67, 0x31, 0x18,
2368 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C,
2369 0x0F, 0x77, 0x77, 0x77, 0x2E, 0x77, 0x6F, 0x6C,
2370 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D,
2371 0x31, 0x1F, 0x30, 0x1D, 0x06, 0x09, 0x2A, 0x86,
2372 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01, 0x16,
2373 0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77, 0x6F,
2374 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F,
2375 0x6D, 0x17, 0x0D, 0x32, 0x36, 0x30, 0x31, 0x30,
2376 0x31, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5A,
2377 0x17, 0x0D, 0x33, 0x36, 0x30, 0x31, 0x30, 0x31,
2378 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5A, 0x30,
2379 0x3C, 0x30, 0x12, 0x02, 0x01, 0x05, 0x17, 0x0D,
2380 0x32, 0x33, 0x30, 0x31, 0x30, 0x31, 0x30, 0x30,
2381 0x30, 0x30, 0x30, 0x30, 0x5A, 0x30, 0x12, 0x02,
2382 0x01, 0x02, 0x17, 0x0D, 0x32, 0x33, 0x30, 0x32,
2383 0x30, 0x31, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30,
2384 0x5A, 0x30, 0x12, 0x02, 0x01, 0x01, 0x17, 0x0D,
2385 0x32, 0x33, 0x30, 0x33, 0x30, 0x31, 0x30, 0x30,
2386 0x30, 0x30, 0x30, 0x30, 0x5A, 0x30, 0x0D, 0x06,
2387 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01,
2388 0x01, 0x0B, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01,
2389 0x00, 0x15, 0x9F, 0xC1, 0x9E, 0x17, 0xB3, 0x5A,
2390 0xF1, 0x48, 0xA5, 0x87, 0x2A, 0x84, 0xD1, 0x93,
2391 0x8D, 0x19, 0x24, 0xCB, 0xC5, 0x32, 0x56, 0x10,
2392 0x6C, 0x4D, 0xF5, 0xD1, 0x9A, 0xC0, 0x1A, 0x8B,
2393 0x1C, 0x84, 0x6B, 0x4B, 0x20, 0xA7, 0xA4, 0x2C,
2394 0x11, 0x5C, 0x23, 0xBD, 0x0C, 0xB1, 0x33, 0xBE,
2395 0x38, 0x1B, 0xCB, 0xDB, 0x8E, 0xD4, 0x0F, 0x62,
2396 0x0D, 0xB5, 0x18, 0x21, 0x28, 0x0B, 0x77, 0xB9,
2397 0xB4, 0xA8, 0xE9, 0xA0, 0x25, 0x00, 0x83, 0xED,
2398 0x64, 0x49, 0x8E, 0x52, 0xD9, 0x8D, 0xAF, 0xC2,
2399 0x16, 0x3E, 0xD3, 0x93, 0x09, 0xB9, 0x18, 0xBB,
2400 0x6C, 0x41, 0xDF, 0x59, 0x59, 0x53, 0x8C, 0x64,
2401 0x8B, 0xD1, 0x9D, 0xBB, 0x92, 0x8F, 0xB2, 0x26,
2402 0x27, 0x78, 0x41, 0xFB, 0xF8, 0xB1, 0x2F, 0x8F,
2403 0xA1, 0x85, 0xB6, 0xC7, 0x8E, 0x42, 0x72, 0xEF,
2404 0xF4, 0x3F, 0xC4, 0xAF, 0x40, 0x95, 0xCA, 0x94,
2405 0xE5, 0x88, 0x89, 0x18, 0x32, 0x54, 0xC3, 0xC4,
2406 0xBE, 0x7E, 0x48, 0x1B, 0x3D, 0xB3, 0x6C, 0x11,
2407 0x54, 0x6F, 0x9E, 0xFE, 0x09, 0x5B, 0x72, 0x3F,
2408 0xD7, 0xA0, 0x02, 0xFF, 0x43, 0x01, 0xFE, 0x23,
2409 0xF8, 0x72, 0xCD, 0xA9, 0x76, 0x36, 0x31, 0x78,
2410 0x21, 0xCB, 0x0E, 0xC2, 0x25, 0x8D, 0x0B, 0x4C,
2411 0x2C, 0xAA, 0x6A, 0x80, 0x6E, 0xE2, 0x1E, 0xAC,
2412 0x70, 0x5D, 0x4A, 0xAA, 0x56, 0x17, 0xF0, 0x2D,
2413 0xA2, 0x2A, 0x4E, 0x2B, 0xC8, 0xC9, 0x87, 0x8E,
2414 0x07, 0xEB, 0xD8, 0x36, 0x42, 0x39, 0xA0, 0xA4,
2415 0xF6, 0x34, 0xC2, 0x5F, 0xE1, 0x21, 0x07, 0x50,
2416 0x4B, 0x37, 0x15, 0x7D, 0xF9, 0x18, 0x54, 0x13,
2417 0xC0, 0x1D, 0x0A, 0x27, 0x3A, 0x63, 0xD2, 0xC3,
2418 0xD5, 0x57, 0x5E, 0x67, 0x56, 0x65, 0x9E, 0x2E,
2419 0x4D, 0xB4, 0x96, 0x54, 0x7A, 0x3D, 0xFD, 0xF9,
2420 0xCF, 0xCD, 0x10, 0x65, 0x05, 0x97, 0x53, 0x72,
2421 0x12
2422 };
2423 WOLFSSL_CERT_MANAGER* cm = NULL;
2424
2425 /* Set up CertManager with the CA and CRL checking enabled */
2426 ExpectNotNull(cm = wolfSSL_CertManagerNew());
2427 ExpectIntEQ(wolfSSL_CertManagerLoadCA(cm, "./certs/ca-cert.pem", NULL),
2428 WOLFSSL_SUCCESS);
2429 ExpectIntEQ(wolfSSL_CertManagerEnableCRL(cm, WOLFSSL_CRL_CHECKALL),
2430 WOLFSSL_SUCCESS);
2431
2432 /* Load the CRL that revokes serials {05, 02, 01} in unsorted wire order */
2433 ExpectIntEQ(wolfSSL_CertManagerLoadCRLBuffer(cm, crl_multi_revoked,
2434 sizeof(crl_multi_revoked), WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
2435
2436 /* server-cert.pem has serial 01, which is in the CRL but at the last
2437 * position in the unsorted array. Binary search on unsorted data misses
2438 * it, so this assertion fails before the bug fix. */
2439 ExpectIntEQ(wolfSSL_CertManagerCheckCRL(cm, server_cert_der_2048,
2440 sizeof_server_cert_der_2048), WC_NO_ERR_TRACE(CRL_CERT_REVOKED));
2441
2442 wolfSSL_CertManagerFree(cm);
2443#endif
2444 return EXPECT_RESULT();
2445}
2446
2447int test_wolfSSL_CRL_duplicate_extensions(void)
2448{
2449 EXPECT_DECLS;
2450#if defined(WOLFSSL_ASN_TEMPLATE) && !defined(NO_CERTS) && \
2451 defined(HAVE_CRL) && !defined(NO_RSA) && \
2452 !defined(WOLFSSL_NO_ASN_STRICT) && \
2453 (defined(WC_ASN_RUNTIME_DATE_CHECK_CONTROL) || defined(NO_ASN_TIME_CHECK))
2454 const unsigned char crl_duplicate_akd[] =
2455 "-----BEGIN X509 CRL-----\n"
2456 "MIICCDCB8QIBATANBgkqhkiG9w0BAQsFADB5MQswCQYDVQQGEwJVUzETMBEGA1UE\n"
2457 "CAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzETMBEGA1UECgwK\n"
2458 "TXkgQ29tcGFueTETMBEGA1UEAwwKTXkgUm9vdCBDQTETMBEGA1UECwwKTXkgUm9v\n"
2459 "dCBDQRcNMjQwOTAxMDAwMDAwWhcNMjUxMjAxMDAwMDAwWqBEMEIwHwYDVR0jBBgw\n"
2460 "FoAU72ng99Ud5pns3G3Q9+K5XGRxgzUwHwYDVR0jBBgwFoAU72ng99Ud5pns3G3Q\n"
2461 "9+K5XGRxgzUwDQYJKoZIhvcNAQELBQADggEBAIFVw4jrS4taSXR/9gPzqGrqFeHr\n"
2462 "IXCnFtHJTLxqa8vUOAqSwqysvNpepVKioMVoGrLjFMjANjWQqTEiMROAnLfJ/+L8\n"
2463 "FHZkV/mZwOKAXMhIC9MrJzifxBICwmvD028qnwQm09EP8z4ICZptD6wPdRTDzduc\n"
2464 "KBuAX+zn8pNrJgyrheRKpPgno9KsbCzK4D/RIt1sTK2M3vVOtY+vpsN70QYUXvQ4\n"
2465 "r2RZac3omlT43x5lddPxIlcouQpwWcVvr/K+Va770MRrjn88PBrJmvsEw/QYVBXp\n"
2466 "Gxv2b78HFDacba80sMIm8ltRdqUCa5qIc6OATsz7izCQXEbkTEeESrcK1MA=\n"
2467 "-----END X509 CRL-----\n";
2468
2469 WOLFSSL_CERT_MANAGER* cm = NULL;
2470 int ret;
2471
2472 (void)wc_AsnSetSkipDateCheck(1);
2473
2474 cm = wolfSSL_CertManagerNew();
2475 ExpectNotNull(cm);
2476
2477 /* Test loading CRL with duplicate extensions */
2478 WOLFSSL_MSG("Testing CRL with duplicate Authority Key Identifier "
2479 "extensions");
2480 ret = wolfSSL_CertManagerLoadCRLBuffer(cm, crl_duplicate_akd,
2481 sizeof(crl_duplicate_akd),
2482 WOLFSSL_FILETYPE_PEM);
2483 ExpectIntEQ(ret, ASN_PARSE_E);
2484
2485 wolfSSL_CertManagerFree(cm);
2486
2487 (void)wc_AsnSetSkipDateCheck(0);
2488#endif
2489 return EXPECT_RESULT();
2490}
2491
2492int test_wolfSSL_CRL_critical_idp(void)
2493{
2494 EXPECT_DECLS;
2495#if !defined(NO_CERTS) && defined(HAVE_CRL) && !defined(NO_RSA)
2496
2497 /* CA cert (CN=claim-root), self-signed, 799 bytes DER */
2498 static const unsigned char ca_cert_idp[] = {
2499 0x30, 0x82, 0x03, 0x1b, 0x30, 0x82, 0x02, 0x03, 0xa0, 0x03, 0x02,
2500 0x01, 0x02, 0x02, 0x14, 0x1e, 0x25, 0xc1, 0x5d, 0x6f, 0x02, 0x21,
2501 0xa0, 0xf0, 0x14, 0x15, 0x9c, 0x3b, 0x4d, 0x1d, 0x73, 0x16, 0x00,
2502 0xe4, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7,
2503 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x15, 0x31, 0x13, 0x30,
2504 0x11, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0a, 0x63, 0x6c, 0x61,
2505 0x69, 0x6d, 0x2d, 0x72, 0x6f, 0x6f, 0x74, 0x30, 0x1e, 0x17, 0x0d,
2506 0x32, 0x36, 0x30, 0x34, 0x31, 0x36, 0x31, 0x31, 0x33, 0x38, 0x35,
2507 0x35, 0x5a, 0x17, 0x0d, 0x33, 0x36, 0x30, 0x34, 0x31, 0x33, 0x31,
2508 0x31, 0x33, 0x38, 0x35, 0x35, 0x5a, 0x30, 0x15, 0x31, 0x13, 0x30,
2509 0x11, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0a, 0x63, 0x6c, 0x61,
2510 0x69, 0x6d, 0x2d, 0x72, 0x6f, 0x6f, 0x74, 0x30, 0x82, 0x01, 0x22,
2511 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01,
2512 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82,
2513 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xba, 0x49, 0x8c, 0xb5,
2514 0x17, 0xc1, 0x01, 0x24, 0x6f, 0x56, 0x1a, 0xa9, 0x3b, 0x03, 0xe2,
2515 0x9f, 0x24, 0xb1, 0x25, 0x98, 0xfb, 0x38, 0x82, 0x78, 0x54, 0xa7,
2516 0x1f, 0x69, 0x87, 0xe4, 0x96, 0x1b, 0x81, 0x18, 0x10, 0xb0, 0xc0,
2517 0x5b, 0x4b, 0xbf, 0xb8, 0x1d, 0xf4, 0xee, 0x75, 0x0f, 0xb5, 0x45,
2518 0x72, 0x70, 0xce, 0x65, 0x84, 0x44, 0x3e, 0x30, 0x78, 0xc4, 0xf3,
2519 0xec, 0xba, 0x96, 0x78, 0xa4, 0x65, 0xfc, 0x62, 0x8d, 0xf5, 0x29,
2520 0xf9, 0x7c, 0x3d, 0x78, 0x6c, 0x1d, 0x4a, 0x4c, 0xc9, 0x15, 0x2d,
2521 0x22, 0x10, 0xea, 0x93, 0x26, 0xb8, 0xa6, 0x17, 0xd3, 0x0e, 0xbc,
2522 0x0c, 0xab, 0x83, 0x63, 0xf6, 0x1c, 0xcc, 0x83, 0x73, 0x29, 0x7e,
2523 0x7f, 0x83, 0x7f, 0xbd, 0x63, 0xaa, 0x8d, 0xfa, 0x78, 0x85, 0xd2,
2524 0x3e, 0x60, 0x95, 0x5a, 0x8d, 0xfa, 0x8f, 0xcd, 0x94, 0x3f, 0x13,
2525 0x28, 0xd9, 0xd0, 0x87, 0x28, 0x17, 0x78, 0xe2, 0x61, 0x8d, 0x79,
2526 0x97, 0x01, 0xa9, 0x7c, 0x84, 0xc0, 0x1c, 0xbe, 0x5f, 0x5d, 0xca,
2527 0x28, 0x6b, 0x5e, 0xdd, 0x83, 0xa5, 0x55, 0x34, 0x11, 0xba, 0xfa,
2528 0x8b, 0x92, 0xa3, 0xde, 0xb6, 0xf3, 0xba, 0xab, 0x7f, 0x1a, 0x67,
2529 0xfd, 0x6f, 0x20, 0x85, 0x4c, 0x77, 0xa7, 0x8e, 0xbe, 0xb8, 0xf8,
2530 0x8f, 0x70, 0xe3, 0x5a, 0xd3, 0x77, 0xc9, 0x9e, 0x10, 0x60, 0xb4,
2531 0xdb, 0x0c, 0xc5, 0x05, 0xe1, 0x1f, 0xbd, 0xe6, 0x79, 0xee, 0x82,
2532 0x3f, 0x51, 0x76, 0xe2, 0x7f, 0x5c, 0x11, 0x6d, 0xd3, 0x21, 0x69,
2533 0xec, 0x05, 0x11, 0x8b, 0xc8, 0x39, 0xb3, 0x2c, 0xa6, 0x83, 0xb4,
2534 0x6f, 0xac, 0x19, 0xd6, 0x6a, 0x65, 0x0d, 0x08, 0x94, 0x58, 0xde,
2535 0x3d, 0xc9, 0x0c, 0x54, 0x03, 0x73, 0x0c, 0x8d, 0x24, 0x09, 0xf3,
2536 0xb1, 0x5d, 0xd2, 0xe3, 0xeb, 0x56, 0xd6, 0x28, 0x66, 0x5b, 0x02,
2537 0x03, 0x01, 0x00, 0x01, 0xa3, 0x63, 0x30, 0x61, 0x30, 0x0f, 0x06,
2538 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05, 0x30, 0x03,
2539 0x01, 0x01, 0xff, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x01,
2540 0x01, 0xff, 0x04, 0x04, 0x03, 0x02, 0x01, 0x06, 0x30, 0x1d, 0x06,
2541 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x52, 0x97, 0x58,
2542 0x47, 0x98, 0xca, 0xf8, 0x99, 0xa0, 0x7e, 0x8e, 0x1c, 0x38, 0x2e,
2543 0xea, 0xbb, 0xea, 0x9b, 0x74, 0x30, 0x30, 0x1f, 0x06, 0x03, 0x55,
2544 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x52, 0x97, 0x58,
2545 0x47, 0x98, 0xca, 0xf8, 0x99, 0xa0, 0x7e, 0x8e, 0x1c, 0x38, 0x2e,
2546 0xea, 0xbb, 0xea, 0x9b, 0x74, 0x30, 0x30, 0x0d, 0x06, 0x09, 0x2a,
2547 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03,
2548 0x82, 0x01, 0x01, 0x00, 0x7d, 0x30, 0xd4, 0x6a, 0x01, 0x89, 0x3b,
2549 0x62, 0xed, 0x16, 0x46, 0x59, 0x0f, 0xf2, 0x3b, 0xb5, 0xde, 0x89,
2550 0x08, 0x17, 0x68, 0xcb, 0x46, 0xdc, 0x39, 0xa6, 0xcb, 0x56, 0xb0,
2551 0x91, 0xeb, 0x03, 0xb2, 0x15, 0xc4, 0x3b, 0x4d, 0x63, 0x55, 0x22,
2552 0x0a, 0x26, 0xe6, 0x64, 0x46, 0xe8, 0x0f, 0xa8, 0xf3, 0xde, 0xe1,
2553 0x43, 0x54, 0xe6, 0xd7, 0x8a, 0xf4, 0x4f, 0xab, 0x56, 0x93, 0x12,
2554 0x71, 0x4b, 0x25, 0x71, 0x0a, 0x31, 0x18, 0x79, 0xee, 0x45, 0xa4,
2555 0xf5, 0x72, 0x67, 0xfa, 0x41, 0xd9, 0x87, 0x97, 0x09, 0xef, 0x55,
2556 0xad, 0x6f, 0x47, 0x1d, 0x5a, 0xb2, 0xe9, 0xf7, 0x22, 0x05, 0x2d,
2557 0x5a, 0x81, 0xa8, 0xe8, 0x53, 0xb0, 0x94, 0xf6, 0x63, 0xff, 0x3f,
2558 0x51, 0x7a, 0x08, 0xac, 0x27, 0x9a, 0x57, 0x11, 0x22, 0xa4, 0x00,
2559 0x84, 0x70, 0x86, 0x76, 0x39, 0x0f, 0x4f, 0x57, 0xcf, 0x8e, 0x94,
2560 0xd2, 0x8e, 0x43, 0xc0, 0xd5, 0x34, 0x7d, 0xf5, 0xa1, 0x45, 0x1e,
2561 0xb7, 0xc8, 0x7e, 0x7c, 0xfe, 0x5d, 0x4d, 0x53, 0x43, 0x25, 0x15,
2562 0x9e, 0x08, 0x01, 0x56, 0xa4, 0xff, 0x79, 0x59, 0x25, 0xc9, 0x23,
2563 0x98, 0xaf, 0x05, 0xaf, 0xc1, 0x0b, 0x29, 0xf1, 0xe2, 0xc4, 0x36,
2564 0x31, 0x91, 0xfa, 0xf2, 0xbb, 0x12, 0xe8, 0x67, 0xf9, 0xc7, 0xa1,
2565 0x5e, 0x8c, 0xed, 0x92, 0x12, 0xa3, 0x2b, 0xe1, 0xc2, 0xe1, 0xa0,
2566 0xb0, 0x0e, 0x12, 0xa7, 0xd0, 0xa2, 0xae, 0xd6, 0xfa, 0x30, 0x21,
2567 0x0f, 0x73, 0xfe, 0x24, 0x21, 0x5f, 0x03, 0x86, 0x69, 0xcd, 0xec,
2568 0x76, 0x18, 0xe1, 0xfd, 0xb6, 0x64, 0x90, 0xa6, 0x06, 0x2e, 0x19,
2569 0x40, 0x93, 0x50, 0x37, 0xe4, 0x90, 0xe3, 0x1f, 0x07, 0xae, 0xfb,
2570 0x89, 0xc3, 0xf6, 0xc4, 0x90, 0xab, 0x40, 0x67, 0x4c, 0x43, 0x2c,
2571 0xa2, 0xb0, 0x3e, 0x61, 0x16, 0x69, 0x8f
2572 };
2573
2574 /* CRL with critical IDP onlyuser=TRUE, revokes serial 0x1000, 480 bytes */
2575 static const unsigned char crl_user_idp[] = {
2576 0x30, 0x82, 0x01, 0xdc, 0x30, 0x81, 0xc5, 0x02, 0x01, 0x01, 0x30,
2577 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
2578 0x0b, 0x05, 0x00, 0x30, 0x15, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03,
2579 0x55, 0x04, 0x03, 0x0c, 0x0a, 0x63, 0x6c, 0x61, 0x69, 0x6d, 0x2d,
2580 0x72, 0x6f, 0x6f, 0x74, 0x17, 0x0d, 0x32, 0x36, 0x30, 0x34, 0x31,
2581 0x36, 0x31, 0x31, 0x33, 0x38, 0x35, 0x35, 0x5a, 0x17, 0x0d, 0x33,
2582 0x36, 0x30, 0x34, 0x31, 0x33, 0x31, 0x31, 0x33, 0x38, 0x35, 0x35,
2583 0x5a, 0x30, 0x15, 0x30, 0x13, 0x02, 0x02, 0x10, 0x00, 0x17, 0x0d,
2584 0x32, 0x36, 0x30, 0x34, 0x31, 0x36, 0x31, 0x31, 0x33, 0x38, 0x35,
2585 0x35, 0x5a, 0xa0, 0x65, 0x30, 0x63, 0x30, 0x1f, 0x06, 0x03, 0x55,
2586 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x52, 0x97, 0x58,
2587 0x47, 0x98, 0xca, 0xf8, 0x99, 0xa0, 0x7e, 0x8e, 0x1c, 0x38, 0x2e,
2588 0xea, 0xbb, 0xea, 0x9b, 0x74, 0x30, 0x30, 0x33, 0x06, 0x03, 0x55,
2589 0x1d, 0x1c, 0x01, 0x01, 0xff, 0x04, 0x29, 0x30, 0x27, 0xa0, 0x22,
2590 0xa0, 0x20, 0x86, 0x1e, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f,
2591 0x63, 0x6c, 0x61, 0x69, 0x6d, 0x2e, 0x74, 0x65, 0x73, 0x74, 0x2f,
2592 0x63, 0x72, 0x6c, 0x2d, 0x75, 0x73, 0x65, 0x72, 0x2e, 0x70, 0x65,
2593 0x6d, 0x81, 0x01, 0xff, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d, 0x14,
2594 0x04, 0x04, 0x02, 0x02, 0x20, 0x00, 0x30, 0x0d, 0x06, 0x09, 0x2a,
2595 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03,
2596 0x82, 0x01, 0x01, 0x00, 0x9b, 0x1a, 0x70, 0xba, 0xf8, 0x38, 0xff,
2597 0xc6, 0x36, 0x59, 0x6e, 0xab, 0x87, 0x74, 0x04, 0xe3, 0x17, 0xb3,
2598 0xdd, 0x62, 0x03, 0x25, 0x9e, 0xff, 0x53, 0xf7, 0xde, 0x48, 0xb0,
2599 0x56, 0x0c, 0x19, 0xea, 0x86, 0x30, 0x21, 0x01, 0x63, 0xd6, 0xd2,
2600 0xef, 0xd1, 0x0e, 0x1d, 0xde, 0xc1, 0x18, 0x33, 0xd2, 0x1b, 0x79,
2601 0x2e, 0xa1, 0xd5, 0x51, 0xcc, 0x31, 0x35, 0x28, 0xa6, 0x6f, 0xc0,
2602 0xcf, 0x78, 0xbf, 0x5d, 0xdd, 0x66, 0x81, 0x71, 0xa3, 0x52, 0xb5,
2603 0x48, 0x81, 0x1a, 0x34, 0xf1, 0x03, 0x37, 0x3a, 0x97, 0x02, 0xd6,
2604 0x56, 0x4a, 0x24, 0xeb, 0x93, 0x47, 0xb6, 0xc3, 0x69, 0xc6, 0x2b,
2605 0xd8, 0xfc, 0xf9, 0x9f, 0x85, 0xab, 0xe2, 0x81, 0x66, 0x8f, 0xcf,
2606 0x7a, 0x81, 0xd7, 0x46, 0xb4, 0x8d, 0x44, 0x05, 0x40, 0xd2, 0x3b,
2607 0x1c, 0xb8, 0x4a, 0x88, 0xb8, 0x65, 0x69, 0x5e, 0x7f, 0x6c, 0x43,
2608 0x1c, 0x4f, 0xbf, 0x48, 0x55, 0x6b, 0xb0, 0xb3, 0x70, 0x49, 0x1a,
2609 0xfa, 0xd1, 0x55, 0xe7, 0xb9, 0x5d, 0x4f, 0x2d, 0x7e, 0xc1, 0xa5,
2610 0x5f, 0x5e, 0x38, 0xef, 0x74, 0xe8, 0x72, 0x89, 0x9c, 0x86, 0x24,
2611 0x65, 0x2d, 0x38, 0x88, 0x53, 0x81, 0x48, 0x8a, 0x7d, 0xc3, 0x0d,
2612 0x87, 0xaf, 0xd3, 0xf7, 0x39, 0xeb, 0xac, 0x36, 0xc2, 0xc9, 0x1f,
2613 0x78, 0xa9, 0x53, 0x1c, 0x4a, 0xa6, 0xba, 0x63, 0xd1, 0xc2, 0x62,
2614 0x81, 0x00, 0x39, 0xb1, 0x1c, 0x1c, 0xad, 0x96, 0x83, 0xf7, 0x99,
2615 0x34, 0xc6, 0x9c, 0x93, 0xbb, 0x6a, 0x7c, 0xf5, 0x18, 0xed, 0xbd,
2616 0x29, 0xe4, 0x29, 0x50, 0x3c, 0xcb, 0x94, 0x72, 0x8f, 0xad, 0x15,
2617 0x91, 0x38, 0x4a, 0xb4, 0xde, 0x98, 0x3e, 0xd6, 0xb2, 0xd1, 0x2a,
2618 0x8c, 0xa2, 0xc9, 0x0f, 0x2f, 0x7c, 0x4a, 0xd6, 0x56, 0x02, 0x9f,
2619 0x6c, 0xda, 0xa9, 0x4c, 0x04, 0x64, 0x7c
2620 };
2621
2622 /* CRL with critical IDP onlyCA=TRUE, empty revocation list, 459 bytes */
2623 static const unsigned char crl_caonly_idp[] = {
2624 0x30, 0x82, 0x01, 0xc7, 0x30, 0x81, 0xb0, 0x02, 0x01, 0x01, 0x30,
2625 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
2626 0x0b, 0x05, 0x00, 0x30, 0x15, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03,
2627 0x55, 0x04, 0x03, 0x0c, 0x0a, 0x63, 0x6c, 0x61, 0x69, 0x6d, 0x2d,
2628 0x72, 0x6f, 0x6f, 0x74, 0x17, 0x0d, 0x32, 0x36, 0x30, 0x34, 0x31,
2629 0x36, 0x31, 0x31, 0x33, 0x38, 0x35, 0x35, 0x5a, 0x17, 0x0d, 0x33,
2630 0x36, 0x30, 0x34, 0x31, 0x33, 0x31, 0x31, 0x33, 0x38, 0x35, 0x35,
2631 0x5a, 0xa0, 0x67, 0x30, 0x65, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d,
2632 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x52, 0x97, 0x58, 0x47,
2633 0x98, 0xca, 0xf8, 0x99, 0xa0, 0x7e, 0x8e, 0x1c, 0x38, 0x2e, 0xea,
2634 0xbb, 0xea, 0x9b, 0x74, 0x30, 0x30, 0x35, 0x06, 0x03, 0x55, 0x1d,
2635 0x1c, 0x01, 0x01, 0xff, 0x04, 0x2b, 0x30, 0x29, 0xa0, 0x24, 0xa0,
2636 0x22, 0x86, 0x20, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x63,
2637 0x6c, 0x61, 0x69, 0x6d, 0x2e, 0x74, 0x65, 0x73, 0x74, 0x2f, 0x63,
2638 0x72, 0x6c, 0x2d, 0x63, 0x61, 0x6f, 0x6e, 0x6c, 0x79, 0x2e, 0x70,
2639 0x65, 0x6d, 0x82, 0x01, 0xff, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d,
2640 0x14, 0x04, 0x04, 0x02, 0x02, 0x20, 0x01, 0x30, 0x0d, 0x06, 0x09,
2641 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00,
2642 0x03, 0x82, 0x01, 0x01, 0x00, 0x9d, 0x6e, 0x0d, 0x93, 0x89, 0xab,
2643 0x6e, 0x74, 0x52, 0x2c, 0xe6, 0x89, 0xcb, 0x72, 0x49, 0x90, 0x0d,
2644 0x91, 0x80, 0xb5, 0xca, 0x7b, 0x95, 0x0d, 0xa8, 0x05, 0x31, 0x04,
2645 0x50, 0xb8, 0xf3, 0xce, 0x9c, 0xbb, 0x05, 0x38, 0x0a, 0x64, 0x1a,
2646 0x61, 0x68, 0xa7, 0xa8, 0xa0, 0x69, 0x2a, 0x79, 0x01, 0x42, 0x67,
2647 0xf5, 0x72, 0xdf, 0x37, 0x5b, 0x42, 0x6d, 0x3c, 0x59, 0x95, 0x09,
2648 0x34, 0xb3, 0xb6, 0x8b, 0x2b, 0xd8, 0xab, 0xb6, 0x8b, 0xff, 0x8e,
2649 0xae, 0xd0, 0xc6, 0x9a, 0xbe, 0x7e, 0x29, 0xbc, 0x4d, 0xfb, 0xe1,
2650 0xac, 0xd8, 0x23, 0x1a, 0xec, 0x0d, 0xa1, 0xa0, 0xf6, 0x52, 0x8e,
2651 0x64, 0xc4, 0x11, 0x0f, 0x7c, 0x5b, 0x9f, 0x65, 0x4f, 0x5a, 0xd6,
2652 0x64, 0xe0, 0x64, 0xf6, 0xac, 0x9d, 0xdc, 0x21, 0x3f, 0xa8, 0x5c,
2653 0xd2, 0xf5, 0x87, 0xec, 0x49, 0x19, 0xff, 0x01, 0x9e, 0x8d, 0x83,
2654 0x08, 0xd2, 0xdc, 0x83, 0xf6, 0x03, 0xc4, 0x6f, 0xf6, 0xa2, 0x13,
2655 0x41, 0xfe, 0x66, 0xcd, 0xeb, 0xe8, 0x0f, 0x28, 0x7d, 0xd2, 0xcd,
2656 0xfa, 0x7a, 0xd7, 0xae, 0x08, 0xa1, 0x31, 0x17, 0x60, 0x59, 0x39,
2657 0x98, 0x85, 0xe1, 0xa4, 0xd2, 0x35, 0x70, 0xb7, 0xff, 0xf3, 0x2f,
2658 0xee, 0x45, 0x9c, 0xbe, 0xcc, 0x18, 0x49, 0x94, 0xe9, 0xf6, 0xd0,
2659 0x45, 0x54, 0x6f, 0xe4, 0xe8, 0x3a, 0x0d, 0x5b, 0x05, 0xe8, 0x02,
2660 0x51, 0x5b, 0x63, 0xb5, 0xf2, 0x47, 0x86, 0x9b, 0xf3, 0x07, 0xc2,
2661 0x49, 0x26, 0xa0, 0x77, 0x94, 0xe7, 0x4f, 0xbc, 0x5f, 0x9f, 0xf9,
2662 0x06, 0x0e, 0xcb, 0x45, 0x9c, 0x02, 0x11, 0xfc, 0xcb, 0x12, 0x7f,
2663 0xba, 0x7d, 0x93, 0x5b, 0x57, 0x6a, 0x15, 0x5e, 0xd2, 0xc1, 0x97,
2664 0xb2, 0xbb, 0x00, 0x2c, 0xdd, 0x41, 0x97, 0x2a, 0xe4, 0x53, 0x40,
2665 0xf8, 0xb5, 0x56, 0xf2, 0x9a, 0x04, 0xe6, 0x89
2666 };
2667
2668 WOLFSSL_CERT_MANAGER* cm = NULL;
2669
2670 ExpectNotNull(cm = wolfSSL_CertManagerNew());
2671
2672 ExpectIntEQ(wolfSSL_CertManagerLoadCABuffer(cm, ca_cert_idp,
2673 sizeof(ca_cert_idp), WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
2674
2675 ExpectIntEQ(wolfSSL_CertManagerEnableCRL(cm, WOLFSSL_CRL_CHECKALL),
2676 WOLFSSL_SUCCESS);
2677
2678 /* User-scope CRL has a critical IDP extension, must be rejected */
2679 ExpectIntNE(wolfSSL_CertManagerLoadCRLBuffer(cm, crl_user_idp,
2680 sizeof(crl_user_idp), WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
2681
2682 /* CA-only CRL also has a critical IDP extension, must be rejected */
2683 ExpectIntNE(wolfSSL_CertManagerLoadCRLBuffer(cm, crl_caonly_idp,
2684 sizeof(crl_caonly_idp), WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
2685
2686 wolfSSL_CertManagerFree(cm);
2687#endif
2688 return EXPECT_RESULT();
2689}
2690
2691int test_wolfSSL_CRL_unknown_critical_ext(void)
2692{
2693 EXPECT_DECLS;
2694#if !defined(NO_CERTS) && defined(HAVE_CRL) && !defined(NO_RSA)
2695
2696 static const unsigned char ca_cert[] = {
2697 0x30, 0x82, 0x03, 0x1b, 0x30, 0x82, 0x02, 0x03, 0xa0, 0x03, 0x02,
2698 0x01, 0x02, 0x02, 0x14, 0x1e, 0x25, 0xc1, 0x5d, 0x6f, 0x02, 0x21,
2699 0xa0, 0xf0, 0x14, 0x15, 0x9c, 0x3b, 0x4d, 0x1d, 0x73, 0x16, 0x00,
2700 0xe4, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7,
2701 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x15, 0x31, 0x13, 0x30,
2702 0x11, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0a, 0x63, 0x6c, 0x61,
2703 0x69, 0x6d, 0x2d, 0x72, 0x6f, 0x6f, 0x74, 0x30, 0x1e, 0x17, 0x0d,
2704 0x32, 0x36, 0x30, 0x34, 0x31, 0x36, 0x31, 0x31, 0x33, 0x38, 0x35,
2705 0x35, 0x5a, 0x17, 0x0d, 0x33, 0x36, 0x30, 0x34, 0x31, 0x33, 0x31,
2706 0x31, 0x33, 0x38, 0x35, 0x35, 0x5a, 0x30, 0x15, 0x31, 0x13, 0x30,
2707 0x11, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0a, 0x63, 0x6c, 0x61,
2708 0x69, 0x6d, 0x2d, 0x72, 0x6f, 0x6f, 0x74, 0x30, 0x82, 0x01, 0x22,
2709 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01,
2710 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82,
2711 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xba, 0x49, 0x8c, 0xb5,
2712 0x17, 0xc1, 0x01, 0x24, 0x6f, 0x56, 0x1a, 0xa9, 0x3b, 0x03, 0xe2,
2713 0x9f, 0x24, 0xb1, 0x25, 0x98, 0xfb, 0x38, 0x82, 0x78, 0x54, 0xa7,
2714 0x1f, 0x69, 0x87, 0xe4, 0x96, 0x1b, 0x81, 0x18, 0x10, 0xb0, 0xc0,
2715 0x5b, 0x4b, 0xbf, 0xb8, 0x1d, 0xf4, 0xee, 0x75, 0x0f, 0xb5, 0x45,
2716 0x72, 0x70, 0xce, 0x65, 0x84, 0x44, 0x3e, 0x30, 0x78, 0xc4, 0xf3,
2717 0xec, 0xba, 0x96, 0x78, 0xa4, 0x65, 0xfc, 0x62, 0x8d, 0xf5, 0x29,
2718 0xf9, 0x7c, 0x3d, 0x78, 0x6c, 0x1d, 0x4a, 0x4c, 0xc9, 0x15, 0x2d,
2719 0x22, 0x10, 0xea, 0x93, 0x26, 0xb8, 0xa6, 0x17, 0xd3, 0x0e, 0xbc,
2720 0x0c, 0xab, 0x83, 0x63, 0xf6, 0x1c, 0xcc, 0x83, 0x73, 0x29, 0x7e,
2721 0x7f, 0x83, 0x7f, 0xbd, 0x63, 0xaa, 0x8d, 0xfa, 0x78, 0x85, 0xd2,
2722 0x3e, 0x60, 0x95, 0x5a, 0x8d, 0xfa, 0x8f, 0xcd, 0x94, 0x3f, 0x13,
2723 0x28, 0xd9, 0xd0, 0x87, 0x28, 0x17, 0x78, 0xe2, 0x61, 0x8d, 0x79,
2724 0x97, 0x01, 0xa9, 0x7c, 0x84, 0xc0, 0x1c, 0xbe, 0x5f, 0x5d, 0xca,
2725 0x28, 0x6b, 0x5e, 0xdd, 0x83, 0xa5, 0x55, 0x34, 0x11, 0xba, 0xfa,
2726 0x8b, 0x92, 0xa3, 0xde, 0xb6, 0xf3, 0xba, 0xab, 0x7f, 0x1a, 0x67,
2727 0xfd, 0x6f, 0x20, 0x85, 0x4c, 0x77, 0xa7, 0x8e, 0xbe, 0xb8, 0xf8,
2728 0x8f, 0x70, 0xe3, 0x5a, 0xd3, 0x77, 0xc9, 0x9e, 0x10, 0x60, 0xb4,
2729 0xdb, 0x0c, 0xc5, 0x05, 0xe1, 0x1f, 0xbd, 0xe6, 0x79, 0xee, 0x82,
2730 0x3f, 0x51, 0x76, 0xe2, 0x7f, 0x5c, 0x11, 0x6d, 0xd3, 0x21, 0x69,
2731 0xec, 0x05, 0x11, 0x8b, 0xc8, 0x39, 0xb3, 0x2c, 0xa6, 0x83, 0xb4,
2732 0x6f, 0xac, 0x19, 0xd6, 0x6a, 0x65, 0x0d, 0x08, 0x94, 0x58, 0xde,
2733 0x3d, 0xc9, 0x0c, 0x54, 0x03, 0x73, 0x0c, 0x8d, 0x24, 0x09, 0xf3,
2734 0xb1, 0x5d, 0xd2, 0xe3, 0xeb, 0x56, 0xd6, 0x28, 0x66, 0x5b, 0x02,
2735 0x03, 0x01, 0x00, 0x01, 0xa3, 0x63, 0x30, 0x61, 0x30, 0x0f, 0x06,
2736 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05, 0x30, 0x03,
2737 0x01, 0x01, 0xff, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x01,
2738 0x01, 0xff, 0x04, 0x04, 0x03, 0x02, 0x01, 0x06, 0x30, 0x1d, 0x06,
2739 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x52, 0x97, 0x58,
2740 0x47, 0x98, 0xca, 0xf8, 0x99, 0xa0, 0x7e, 0x8e, 0x1c, 0x38, 0x2e,
2741 0xea, 0xbb, 0xea, 0x9b, 0x74, 0x30, 0x30, 0x1f, 0x06, 0x03, 0x55,
2742 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x52, 0x97, 0x58,
2743 0x47, 0x98, 0xca, 0xf8, 0x99, 0xa0, 0x7e, 0x8e, 0x1c, 0x38, 0x2e,
2744 0xea, 0xbb, 0xea, 0x9b, 0x74, 0x30, 0x30, 0x0d, 0x06, 0x09, 0x2a,
2745 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03,
2746 0x82, 0x01, 0x01, 0x00, 0x7d, 0x30, 0xd4, 0x6a, 0x01, 0x89, 0x3b,
2747 0x62, 0xed, 0x16, 0x46, 0x59, 0x0f, 0xf2, 0x3b, 0xb5, 0xde, 0x89,
2748 0x08, 0x17, 0x68, 0xcb, 0x46, 0xdc, 0x39, 0xa6, 0xcb, 0x56, 0xb0,
2749 0x91, 0xeb, 0x03, 0xb2, 0x15, 0xc4, 0x3b, 0x4d, 0x63, 0x55, 0x22,
2750 0x0a, 0x26, 0xe6, 0x64, 0x46, 0xe8, 0x0f, 0xa8, 0xf3, 0xde, 0xe1,
2751 0x43, 0x54, 0xe6, 0xd7, 0x8a, 0xf4, 0x4f, 0xab, 0x56, 0x93, 0x12,
2752 0x71, 0x4b, 0x25, 0x71, 0x0a, 0x31, 0x18, 0x79, 0xee, 0x45, 0xa4,
2753 0xf5, 0x72, 0x67, 0xfa, 0x41, 0xd9, 0x87, 0x97, 0x09, 0xef, 0x55,
2754 0xad, 0x6f, 0x47, 0x1d, 0x5a, 0xb2, 0xe9, 0xf7, 0x22, 0x05, 0x2d,
2755 0x5a, 0x81, 0xa8, 0xe8, 0x53, 0xb0, 0x94, 0xf6, 0x63, 0xff, 0x3f,
2756 0x51, 0x7a, 0x08, 0xac, 0x27, 0x9a, 0x57, 0x11, 0x22, 0xa4, 0x00,
2757 0x84, 0x70, 0x86, 0x76, 0x39, 0x0f, 0x4f, 0x57, 0xcf, 0x8e, 0x94,
2758 0xd2, 0x8e, 0x43, 0xc0, 0xd5, 0x34, 0x7d, 0xf5, 0xa1, 0x45, 0x1e,
2759 0xb7, 0xc8, 0x7e, 0x7c, 0xfe, 0x5d, 0x4d, 0x53, 0x43, 0x25, 0x15,
2760 0x9e, 0x08, 0x01, 0x56, 0xa4, 0xff, 0x79, 0x59, 0x25, 0xc9, 0x23,
2761 0x98, 0xaf, 0x05, 0xaf, 0xc1, 0x0b, 0x29, 0xf1, 0xe2, 0xc4, 0x36,
2762 0x31, 0x91, 0xfa, 0xf2, 0xbb, 0x12, 0xe8, 0x67, 0xf9, 0xc7, 0xa1,
2763 0x5e, 0x8c, 0xed, 0x92, 0x12, 0xa3, 0x2b, 0xe1, 0xc2, 0xe1, 0xa0,
2764 0xb0, 0x0e, 0x12, 0xa7, 0xd0, 0xa2, 0xae, 0xd6, 0xfa, 0x30, 0x21,
2765 0x0f, 0x73, 0xfe, 0x24, 0x21, 0x5f, 0x03, 0x86, 0x69, 0xcd, 0xec,
2766 0x76, 0x18, 0xe1, 0xfd, 0xb6, 0x64, 0x90, 0xa6, 0x06, 0x2e, 0x19,
2767 0x40, 0x93, 0x50, 0x37, 0xe4, 0x90, 0xe3, 0x1f, 0x07, 0xae, 0xfb,
2768 0x89, 0xc3, 0xf6, 0xc4, 0x90, 0xab, 0x40, 0x67, 0x4c, 0x43, 0x2c,
2769 0xa2, 0xb0, 0x3e, 0x61, 0x16, 0x69, 0x8f
2770 };
2771
2772 /* CRL with critical obsolete extension OID 2.5.29.1, 422 bytes DER.
2773 * OID 2.5.29.1 is the old X.509v2 Authority Key Identifier, permanently
2774 * superseded by 2.5.29.35. No implementation will ever support it. */
2775 static const unsigned char crl_obsolete_critical[] = {
2776 0x30, 0x82, 0x01, 0xa6, 0x30, 0x81, 0x8f, 0x02, 0x01, 0x01, 0x30,
2777 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
2778 0x0b, 0x05, 0x00, 0x30, 0x15, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03,
2779 0x55, 0x04, 0x03, 0x0c, 0x0a, 0x63, 0x6c, 0x61, 0x69, 0x6d, 0x2d,
2780 0x72, 0x6f, 0x6f, 0x74, 0x17, 0x0d, 0x32, 0x36, 0x30, 0x34, 0x31,
2781 0x36, 0x31, 0x35, 0x32, 0x31, 0x30, 0x37, 0x5a, 0x17, 0x0d, 0x33,
2782 0x36, 0x30, 0x34, 0x31, 0x33, 0x31, 0x35, 0x32, 0x31, 0x30, 0x37,
2783 0x5a, 0xa0, 0x46, 0x30, 0x44, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d,
2784 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x52, 0x97, 0x58, 0x47,
2785 0x98, 0xca, 0xf8, 0x99, 0xa0, 0x7e, 0x8e, 0x1c, 0x38, 0x2e, 0xea,
2786 0xbb, 0xea, 0x9b, 0x74, 0x30, 0x30, 0x14, 0x06, 0x03, 0x55, 0x1d,
2787 0x01, 0x01, 0x01, 0xff, 0x04, 0x0a, 0x0c, 0x08, 0x6f, 0x62, 0x73,
2788 0x6f, 0x6c, 0x65, 0x74, 0x65, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d,
2789 0x14, 0x04, 0x04, 0x02, 0x02, 0x20, 0x02, 0x30, 0x0d, 0x06, 0x09,
2790 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00,
2791 0x03, 0x82, 0x01, 0x01, 0x00, 0x05, 0xf3, 0x8f, 0xdb, 0x7f, 0x75,
2792 0x2c, 0x34, 0x4b, 0x7e, 0x70, 0x17, 0x5e, 0x34, 0xc6, 0xdb, 0xcb,
2793 0x54, 0x33, 0x06, 0x58, 0x6d, 0xae, 0x9c, 0xc8, 0xe3, 0xaf, 0x82,
2794 0xe5, 0xf6, 0x86, 0x42, 0xb3, 0x01, 0x72, 0x1a, 0xca, 0xf9, 0x10,
2795 0x5d, 0x14, 0xe6, 0x84, 0x34, 0x56, 0x55, 0x74, 0xb5, 0x06, 0x64,
2796 0x49, 0x1d, 0xb3, 0xb0, 0x13, 0xff, 0x1c, 0x05, 0x4f, 0x43, 0x29,
2797 0xbc, 0xfe, 0xb5, 0x92, 0x54, 0xf6, 0x9b, 0x81, 0x07, 0x5e, 0x2e,
2798 0x75, 0xd8, 0xfd, 0x9b, 0x5b, 0xc9, 0xd3, 0xc2, 0x15, 0xa7, 0x6e,
2799 0x2f, 0x4b, 0x3a, 0x27, 0x57, 0xef, 0x40, 0x61, 0x8c, 0x11, 0x9d,
2800 0x0a, 0xb1, 0x2b, 0x0e, 0xed, 0x5d, 0xf2, 0xf5, 0x1a, 0xce, 0xdc,
2801 0xd7, 0x75, 0xc6, 0x25, 0x22, 0xe4, 0x70, 0xad, 0x93, 0xff, 0x36,
2802 0xa1, 0xa2, 0xa0, 0xd9, 0x82, 0x23, 0x6e, 0xc8, 0x3a, 0x80, 0x82,
2803 0xbf, 0x12, 0xac, 0xa1, 0xf9, 0x03, 0x9c, 0xb9, 0x20, 0x91, 0x33,
2804 0x80, 0x7b, 0xb7, 0x6e, 0xa5, 0x32, 0x98, 0xd6, 0x2c, 0x5d, 0x9d,
2805 0x3b, 0x64, 0x3b, 0xb4, 0xea, 0x03, 0x2d, 0x65, 0xcf, 0x7f, 0x0f,
2806 0x97, 0xef, 0x5b, 0x17, 0x8c, 0xcf, 0x98, 0x69, 0xba, 0x2d, 0x62,
2807 0xe9, 0x40, 0xe2, 0x3d, 0xbd, 0xd2, 0x0f, 0x4a, 0xf8, 0xb0, 0xa7,
2808 0xdb, 0x80, 0xa3, 0x47, 0x56, 0xe5, 0xe6, 0x6f, 0x93, 0x5c, 0x6f,
2809 0xdd, 0x62, 0x43, 0x28, 0x5c, 0xe5, 0x8f, 0x0e, 0x11, 0xa6, 0x1f,
2810 0x61, 0xaf, 0x39, 0x15, 0x40, 0xf4, 0x6e, 0x79, 0x40, 0xf6, 0x28,
2811 0xf3, 0xd4, 0x30, 0x3b, 0x25, 0xb6, 0xf0, 0x4a, 0x51, 0xc3, 0x18,
2812 0xff, 0xad, 0x4d, 0x6e, 0x10, 0x73, 0x68, 0xfa, 0x54, 0x9e, 0xdc,
2813 0x34, 0x70, 0xe4, 0x5d, 0x9e, 0x7c, 0xfa, 0x59, 0x97, 0xde, 0x35,
2814 0x17, 0xbb, 0xaf, 0xa0, 0x28, 0x78, 0x13, 0xbf
2815 };
2816
2817 WOLFSSL_CERT_MANAGER* cm = NULL;
2818
2819 ExpectNotNull(cm = wolfSSL_CertManagerNew());
2820 ExpectIntEQ(wolfSSL_CertManagerLoadCABuffer(cm, ca_cert,
2821 sizeof(ca_cert), WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
2822 ExpectIntEQ(wolfSSL_CertManagerEnableCRL(cm, WOLFSSL_CRL_CHECKALL),
2823 WOLFSSL_SUCCESS);
2824
2825 ExpectIntNE(wolfSSL_CertManagerLoadCRLBuffer(cm, crl_obsolete_critical,
2826 sizeof(crl_obsolete_critical), WOLFSSL_FILETYPE_ASN1),
2827 WOLFSSL_SUCCESS);
2828
2829 wolfSSL_CertManagerFree(cm);
2830#endif
2831 return EXPECT_RESULT();
2832}
2833
2834int test_wolfSSL_CRL_unknown_critical_entry_ext(void)
2835{
2836 EXPECT_DECLS;
2837#if !defined(NO_CERTS) && defined(HAVE_CRL) && !defined(NO_RSA) && \
2838 !defined(NO_FILESYSTEM)
2839 WOLFSSL_CERT_MANAGER* cm = NULL;
2840
2841 ExpectNotNull(cm = wolfSSL_CertManagerNew());
2842 ExpectIntEQ(wolfSSL_CertManagerLoadCA(cm,
2843 "./certs/crl/extra-crls/claim-root.pem", NULL), WOLFSSL_SUCCESS);
2844 ExpectIntEQ(wolfSSL_CertManagerEnableCRL(cm, WOLFSSL_CRL_CHECKALL),
2845 WOLFSSL_SUCCESS);
2846
2847 /* CRL with a revoked entry that carries a critical unknown extension
2848 * (OID 2.5.29.1, old X.509v2 AKI, permanently superseded).
2849 * Per RFC 5280 Section 5.3, the CRL must not be used. */
2850 ExpectIntNE(wolfSSL_CertManagerLoadCRLFile(cm,
2851 "./certs/crl/extra-crls/crl_critical_entry.pem", WOLFSSL_FILETYPE_PEM),
2852 WOLFSSL_SUCCESS);
2853
2854 wolfSSL_CertManagerFree(cm);
2855#endif
2856 return EXPECT_RESULT();
2857}
2858
2859int test_wolfSSL_CertManagerCheckOCSPResponse(void)
2860{
2861 EXPECT_DECLS;
2862#if defined(HAVE_OCSP) && !defined(NO_RSA) && !defined(NO_SHA)
2863/* Need one of these for wolfSSL_OCSP_REQUEST_new. */
2864#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || \
2865 defined(WOLFSSL_HAPROXY) || defined(WOLFSSL_APACHE_HTTPD) || \
2866 defined(HAVE_LIGHTY)
2867 WOLFSSL_CERT_MANAGER* cm = NULL;
2868 /* Raw OCSP response bytes captured using the following setup:
2869 * - Run responder with
2870 * openssl ocsp -port 9999 -ndays 9999
2871 * -index certs/ocsp/index-intermediate1-ca-issued-certs.txt
2872 * -rsigner certs/ocsp/ocsp-responder-cert.pem
2873 * -rkey certs/ocsp/ocsp-responder-key.pem
2874 * -CA certs/ocsp/intermediate1-ca-cert.pem
2875 * - Run client with
2876 * openssl ocsp -host 127.0.0.1:9999 -respout resp.out
2877 * -issuer certs/ocsp/intermediate1-ca-cert.pem
2878 * -cert certs/ocsp/server1-cert.pem
2879 * -CAfile certs/ocsp/root-ca-cert.pem -noverify
2880 * - Select the response packet in Wireshark, and export it using
2881 * "File->Export Packet Dissection->As "C" Arrays". Select "Selected
2882 * packets only". After importing into the editor, remove the initial
2883 * ~148 bytes of header, ending with the Content-Length and the \r\n\r\n.
2884 */
2885 static const byte response[] = {
2886 0x30, 0x82, 0x07, 0x40, /* ....0..@ */
2887 0x0a, 0x01, 0x00, 0xa0, 0x82, 0x07, 0x39, 0x30, /* ......90 */
2888 0x82, 0x07, 0x35, 0x06, 0x09, 0x2b, 0x06, 0x01, /* ..5..+.. */
2889 0x05, 0x05, 0x07, 0x30, 0x01, 0x01, 0x04, 0x82, /* ...0.... */
2890 0x07, 0x26, 0x30, 0x82, 0x07, 0x22, 0x30, 0x82, /* .&0.."0. */
2891 0x01, 0x40, 0xa1, 0x81, 0xa1, 0x30, 0x81, 0x9e, /* .@...0.. */
2892 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, /* 1.0...U. */
2893 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, /* ...US1.0 */
2894 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, /* ...U.... */
2895 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, /* Washingt */
2896 0x6f, 0x6e, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, /* on1.0... */
2897 0x55, 0x04, 0x07, 0x0c, 0x07, 0x53, 0x65, 0x61, /* U....Sea */
2898 0x74, 0x74, 0x6c, 0x65, 0x31, 0x10, 0x30, 0x0e, /* ttle1.0. */
2899 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x07, 0x77, /* ..U....w */
2900 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x31, 0x14, /* olfSSL1. */
2901 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, /* 0...U... */
2902 0x0b, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, /* .Enginee */
2903 0x72, 0x69, 0x6e, 0x67, 0x31, 0x1f, 0x30, 0x1d, /* ring1.0. */
2904 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x16, 0x77, /* ..U....w */
2905 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x20, 0x4f, /* olfSSL O */
2906 0x43, 0x53, 0x50, 0x20, 0x52, 0x65, 0x73, 0x70, /* CSP Resp */
2907 0x6f, 0x6e, 0x64, 0x65, 0x72, 0x31, 0x1f, 0x30, /* onder1.0 */
2908 0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, /* ...*.H.. */
2909 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6e, /* ......in */
2910 0x66, 0x6f, 0x40, 0x77, 0x6f, 0x6c, 0x66, 0x73, /* fo@wolfs */
2911 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, 0x18, 0x0f, /* sl.com.. */
2912 0x32, 0x30, 0x32, 0x34, 0x31, 0x32, 0x32, 0x30, /* 20241220 */
2913 0x31, 0x37, 0x30, 0x37, 0x30, 0x34, 0x5a, 0x30, /* 170704Z0 */
2914 0x64, 0x30, 0x62, 0x30, 0x3a, 0x30, 0x09, 0x06, /* d0b0:0.. */
2915 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, 0x00, /* .+...... */
2916 0x04, 0x14, 0x71, 0x4d, 0x82, 0x23, 0x40, 0x59, /* ..qM.#@Y */
2917 0xc0, 0x96, 0xa1, 0x37, 0x43, 0xfa, 0x31, 0xdb, /* ...7C.1. */
2918 0xba, 0xb1, 0x43, 0x18, 0xda, 0x04, 0x04, 0x14, /* ..C..... */
2919 0x83, 0xc6, 0x3a, 0x89, 0x2c, 0x81, 0xf4, 0x02, /* ..:.,... */
2920 0xd7, 0x9d, 0x4c, 0xe2, 0x2a, 0xc0, 0x71, 0x82, /* ..L.*.q. */
2921 0x64, 0x44, 0xda, 0x0e, 0x02, 0x01, 0x05, 0x80, /* dD...... */
2922 0x00, 0x18, 0x0f, 0x32, 0x30, 0x32, 0x34, 0x31, /* ...20241 */
2923 0x32, 0x32, 0x30, 0x31, 0x37, 0x30, 0x37, 0x30, /* 22017070 */
2924 0x34, 0x5a, 0xa0, 0x11, 0x18, 0x0f, 0x32, 0x30, /* 4Z....20 */
2925 0x35, 0x32, 0x30, 0x35, 0x30, 0x36, 0x31, 0x37, /* 52050617 */
2926 0x30, 0x37, 0x30, 0x34, 0x5a, 0xa1, 0x23, 0x30, /* 0704Z.#0 */
2927 0x21, 0x30, 0x1f, 0x06, 0x09, 0x2b, 0x06, 0x01, /* !0...+.. */
2928 0x05, 0x05, 0x07, 0x30, 0x01, 0x02, 0x04, 0x12, /* ...0.... */
2929 0x04, 0x10, 0x12, 0x7c, 0x27, 0xbd, 0x22, 0x28, /* ...|'."( */
2930 0x5e, 0x62, 0x81, 0xed, 0x6d, 0x2c, 0x2d, 0x59, /* ^b..m,-Y */
2931 0x42, 0xd7, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, /* B.0...*. */
2932 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, /* H....... */
2933 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x6c, 0xce, /* ......l. */
2934 0xa8, 0xe8, 0xfe, 0xaf, 0x33, 0xe2, 0xce, 0x4e, /* ....3..N */
2935 0x63, 0x8d, 0x61, 0x16, 0x0f, 0x70, 0xb2, 0x0c, /* c.a..p.. */
2936 0x9a, 0xe3, 0x01, 0xd5, 0xca, 0xe5, 0x9b, 0x70, /* .......p */
2937 0x81, 0x6f, 0x94, 0x09, 0xe8, 0x88, 0x98, 0x1a, /* .o...... */
2938 0x67, 0xa0, 0xc2, 0xe7, 0x8f, 0x9b, 0x5f, 0x13, /* g....._. */
2939 0x17, 0x8d, 0x93, 0x8c, 0x31, 0x61, 0x7d, 0x72, /* ....1a}r */
2940 0x34, 0xbd, 0x21, 0x48, 0xca, 0xb2, 0xc9, 0xae, /* 4.!H.... */
2941 0x28, 0x5f, 0x97, 0x19, 0xcb, 0xdf, 0xed, 0xd4, /* (_...... */
2942 0x6e, 0x89, 0x30, 0x89, 0x11, 0xd1, 0x05, 0x08, /* n.0..... */
2943 0x81, 0xe9, 0xa7, 0xba, 0xf7, 0x16, 0x0c, 0xbe, /* ........ */
2944 0x48, 0x2e, 0xc0, 0x05, 0xac, 0x90, 0xc2, 0x35, /* H......5 */
2945 0xce, 0x6c, 0x94, 0x5d, 0x2b, 0xad, 0x4f, 0x19, /* .l.]+.O. */
2946 0xea, 0x7b, 0xd9, 0x4f, 0x49, 0x20, 0x8d, 0x98, /* .{.OI .. */
2947 0xa9, 0xe4, 0x53, 0x6d, 0xca, 0x34, 0xdb, 0x4a, /* ..Sm.4.J */
2948 0x28, 0xb3, 0x33, 0xfb, 0xfd, 0xcc, 0x4b, 0xfa, /* (.3...K. */
2949 0xdb, 0x70, 0xe1, 0x96, 0xc8, 0xd4, 0xf1, 0x85, /* .p...... */
2950 0x99, 0xaf, 0x06, 0xeb, 0xfd, 0x96, 0x21, 0x86, /* ......!. */
2951 0x81, 0xee, 0xcf, 0xd2, 0xf4, 0x83, 0xc9, 0x1d, /* ........ */
2952 0x8f, 0x42, 0xd1, 0xc1, 0xbc, 0x50, 0x0a, 0xfb, /* .B...P.. */
2953 0x95, 0x39, 0x4c, 0x36, 0xa8, 0xfe, 0x2b, 0x8e, /* .9L6..+. */
2954 0xc5, 0xb5, 0xe0, 0xab, 0xdb, 0xc0, 0xbf, 0x1d, /* ........ */
2955 0x35, 0x4d, 0xc0, 0x52, 0xfb, 0x08, 0x04, 0x4c, /* 5M.R...L */
2956 0x98, 0xf0, 0xb5, 0x5b, 0xff, 0x99, 0x74, 0xce, /* ...[..t. */
2957 0xb7, 0xc9, 0xe3, 0xe5, 0x70, 0x2e, 0xd3, 0x1d, /* ....p... */
2958 0x46, 0x38, 0xf9, 0x51, 0x17, 0x73, 0xd1, 0x08, /* F8.Q.s.. */
2959 0x8d, 0x3d, 0x12, 0x47, 0xd0, 0x66, 0x77, 0xaf, /* .=.G.fw. */
2960 0xfd, 0x4c, 0x75, 0x1f, 0xe9, 0x6c, 0xf4, 0x5a, /* .Lu..l.Z */
2961 0xde, 0xec, 0x37, 0xc7, 0xc4, 0x0a, 0xbe, 0x91, /* ..7..... */
2962 0xbc, 0x05, 0x08, 0x86, 0x47, 0x30, 0x2a, 0xc6, /* ....G0*. */
2963 0x85, 0x4b, 0x55, 0x6c, 0xef, 0xdf, 0x2d, 0x5a, /* .KUl..-Z */
2964 0xf7, 0x5b, 0xb5, 0xba, 0xed, 0x38, 0xb0, 0xcb, /* .[...8.. */
2965 0xeb, 0x7e, 0x84, 0x3a, 0x69, 0x2c, 0xa0, 0x82, /* .~.:i,.. */
2966 0x04, 0xc6, 0x30, 0x82, 0x04, 0xc2, 0x30, 0x82, /* ..0...0. */
2967 0x04, 0xbe, 0x30, 0x82, 0x03, 0xa6, 0xa0, 0x03, /* ..0..... */
2968 0x02, 0x01, 0x02, 0x02, 0x01, 0x04, 0x30, 0x0d, /* ......0. */
2969 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, /* ..*.H... */
2970 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x81, 0x97, /* .....0.. */
2971 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, /* 1.0...U. */
2972 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, /* ...US1.0 */
2973 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, /* ...U.... */
2974 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, /* Washingt */
2975 0x6f, 0x6e, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, /* on1.0... */
2976 0x55, 0x04, 0x07, 0x0c, 0x07, 0x53, 0x65, 0x61, /* U....Sea */
2977 0x74, 0x74, 0x6c, 0x65, 0x31, 0x10, 0x30, 0x0e, /* ttle1.0. */
2978 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x07, 0x77, /* ..U....w */
2979 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x31, 0x14, /* olfSSL1. */
2980 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, /* 0...U... */
2981 0x0b, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, /* .Enginee */
2982 0x72, 0x69, 0x6e, 0x67, 0x31, 0x18, 0x30, 0x16, /* ring1.0. */
2983 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f, 0x77, /* ..U....w */
2984 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x20, 0x72, /* olfSSL r */
2985 0x6f, 0x6f, 0x74, 0x20, 0x43, 0x41, 0x31, 0x1f, /* oot CA1. */
2986 0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, /* 0...*.H. */
2987 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, /* .......i */
2988 0x6e, 0x66, 0x6f, 0x40, 0x77, 0x6f, 0x6c, 0x66, /* nfo@wolf */
2989 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, 0x30, /* ssl.com0 */
2990 0x1e, 0x17, 0x0d, 0x32, 0x34, 0x31, 0x32, 0x31, /* ...24121 */
2991 0x38, 0x32, 0x31, 0x32, 0x35, 0x33, 0x31, 0x5a, /* 8212531Z */
2992 0x17, 0x0d, 0x32, 0x37, 0x30, 0x39, 0x31, 0x34, /* ..270914 */
2993 0x32, 0x31, 0x32, 0x35, 0x33, 0x31, 0x5a, 0x30, /* 212531Z0 */
2994 0x81, 0x9e, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, /* ..1.0... */
2995 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, /* U....US1 */
2996 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, /* .0...U.. */
2997 0x0c, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, /* ..Washin */
2998 0x67, 0x74, 0x6f, 0x6e, 0x31, 0x10, 0x30, 0x0e, /* gton1.0. */
2999 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x07, 0x53, /* ..U....S */
3000 0x65, 0x61, 0x74, 0x74, 0x6c, 0x65, 0x31, 0x10, /* eattle1. */
3001 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, /* 0...U... */
3002 0x07, 0x77, 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, /* .wolfSSL */
3003 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, /* 1.0...U. */
3004 0x0b, 0x0c, 0x0b, 0x45, 0x6e, 0x67, 0x69, 0x6e, /* ...Engin */
3005 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x31, 0x1f, /* eering1. */
3006 0x30, 0x1d, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, /* 0...U... */
3007 0x16, 0x77, 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, /* .wolfSSL */
3008 0x20, 0x4f, 0x43, 0x53, 0x50, 0x20, 0x52, 0x65, /* OCSP Re */
3009 0x73, 0x70, 0x6f, 0x6e, 0x64, 0x65, 0x72, 0x31, /* sponder1 */
3010 0x1f, 0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48, /* .0...*.H */
3011 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, /* ........ */
3012 0x69, 0x6e, 0x66, 0x6f, 0x40, 0x77, 0x6f, 0x6c, /* info@wol */
3013 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, /* fssl.com */
3014 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, /* 0.."0... */
3015 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, /* *.H..... */
3016 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, /* ........ */
3017 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, /* 0....... */
3018 0x00, 0xb8, 0xba, 0x23, 0xb4, 0xf6, 0xc3, 0x7b, /* ...#...{ */
3019 0x14, 0xc3, 0xa4, 0xf5, 0x1d, 0x61, 0xa1, 0xf5, /* .....a.. */
3020 0x1e, 0x63, 0xb9, 0x85, 0x23, 0x34, 0x50, 0x6d, /* .c..#4Pm */
3021 0xf8, 0x7c, 0xa2, 0x8a, 0x04, 0x8b, 0xd5, 0x75, /* .|.....u */
3022 0x5c, 0x2d, 0xf7, 0x63, 0x88, 0xd1, 0x07, 0x7a, /* \-.c...z */
3023 0xea, 0x0b, 0x45, 0x35, 0x2b, 0xeb, 0x1f, 0xb1, /* ..E5+... */
3024 0x22, 0xb4, 0x94, 0x41, 0x38, 0xe2, 0x9d, 0x74, /* "..A8..t */
3025 0xd6, 0x8b, 0x30, 0x22, 0x10, 0x51, 0xc5, 0xdb, /* ..0".Q.. */
3026 0xca, 0x3f, 0x46, 0x2b, 0xfe, 0xe5, 0x5a, 0x3f, /* .?F+..Z? */
3027 0x41, 0x74, 0x67, 0x75, 0x95, 0xa9, 0x94, 0xd5, /* Atgu.... */
3028 0xc3, 0xee, 0x42, 0xf8, 0x8d, 0xeb, 0x92, 0x95, /* ..B..... */
3029 0xe1, 0xd9, 0x65, 0xb7, 0x43, 0xc4, 0x18, 0xde, /* ..e.C... */
3030 0x16, 0x80, 0x90, 0xce, 0x24, 0x35, 0x21, 0xc4, /* ....$5!. */
3031 0x55, 0xac, 0x5a, 0x51, 0xe0, 0x2e, 0x2d, 0xb3, /* U.ZQ..-. */
3032 0x0a, 0x5a, 0x4f, 0x4a, 0x73, 0x31, 0x50, 0xee, /* .ZOJs1P. */
3033 0x4a, 0x16, 0xbd, 0x39, 0x8b, 0xad, 0x05, 0x48, /* J..9...H */
3034 0x87, 0xb1, 0x99, 0xe2, 0x10, 0xa7, 0x06, 0x72, /* .......r */
3035 0x67, 0xca, 0x5c, 0xd1, 0x97, 0xbd, 0xc8, 0xf1, /* g.\..... */
3036 0x76, 0xf8, 0xe0, 0x4a, 0xec, 0xbc, 0x93, 0xf4, /* v..J.... */
3037 0x66, 0x4c, 0x28, 0x71, 0xd1, 0xd8, 0x66, 0x03, /* fL(q..f. */
3038 0xb4, 0x90, 0x30, 0xbb, 0x17, 0xb0, 0xfe, 0x97, /* ..0..... */
3039 0xf5, 0x1e, 0xe8, 0xc7, 0x5d, 0x9b, 0x8b, 0x11, /* ....]... */
3040 0x19, 0x12, 0x3c, 0xab, 0x82, 0x71, 0x78, 0xff, /* ..<..qx. */
3041 0xae, 0x3f, 0x32, 0xb2, 0x08, 0x71, 0xb2, 0x1b, /* .?2..q.. */
3042 0x8c, 0x27, 0xac, 0x11, 0xb8, 0xd8, 0x43, 0x49, /* .'....CI */
3043 0xcf, 0xb0, 0x70, 0xb1, 0xf0, 0x8c, 0xae, 0xda, /* ..p..... */
3044 0x24, 0x87, 0x17, 0x3b, 0xd8, 0x04, 0x65, 0x6c, /* $..;..el */
3045 0x00, 0x76, 0x50, 0xef, 0x15, 0x08, 0xd7, 0xb4, /* .vP..... */
3046 0x73, 0x68, 0x26, 0x14, 0x87, 0x95, 0xc3, 0x5f, /* sh&...._ */
3047 0x6e, 0x61, 0xb8, 0x87, 0x84, 0xfa, 0x80, 0x1a, /* na...... */
3048 0x0a, 0x8b, 0x98, 0xf3, 0xe3, 0xff, 0x4e, 0x44, /* ......ND */
3049 0x1c, 0x65, 0x74, 0x7c, 0x71, 0x54, 0x65, 0xe5, /* .et|qTe. */
3050 0x39, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, /* 9....... */
3051 0x01, 0x0a, 0x30, 0x82, 0x01, 0x06, 0x30, 0x09, /* ..0...0. */
3052 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x02, 0x30, /* ..U....0 */
3053 0x00, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, /* .0...U.. */
3054 0x04, 0x16, 0x04, 0x14, 0x32, 0x67, 0xe1, 0xb1, /* ....2g.. */
3055 0x79, 0xd2, 0x81, 0xfc, 0x9f, 0x23, 0x0c, 0x70, /* y....#.p */
3056 0x40, 0x50, 0xb5, 0x46, 0x56, 0xb8, 0x30, 0x36, /* @P.FV.06 */
3057 0x30, 0x81, 0xc4, 0x06, 0x03, 0x55, 0x1d, 0x23, /* 0....U.# */
3058 0x04, 0x81, 0xbc, 0x30, 0x81, 0xb9, 0x80, 0x14, /* ...0.... */
3059 0x73, 0xb0, 0x1c, 0xa4, 0x2f, 0x82, 0xcb, 0xcf, /* s.../... */
3060 0x47, 0xa5, 0x38, 0xd7, 0xb0, 0x04, 0x82, 0x3a, /* G.8....: */
3061 0x7e, 0x72, 0x15, 0x21, 0xa1, 0x81, 0x9d, 0xa4, /* ~r.!.... */
3062 0x81, 0x9a, 0x30, 0x81, 0x97, 0x31, 0x0b, 0x30, /* ..0..1.0 */
3063 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, /* ...U.... */
3064 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, /* US1.0... */
3065 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x57, 0x61, 0x73, /* U....Was */
3066 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31, /* hington1 */
3067 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, /* .0...U.. */
3068 0x0c, 0x07, 0x53, 0x65, 0x61, 0x74, 0x74, 0x6c, /* ..Seattl */
3069 0x65, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, /* e1.0...U */
3070 0x04, 0x0a, 0x0c, 0x07, 0x77, 0x6f, 0x6c, 0x66, /* ....wolf */
3071 0x53, 0x53, 0x4c, 0x31, 0x14, 0x30, 0x12, 0x06, /* SSL1.0.. */
3072 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x0b, 0x45, 0x6e, /* .U....En */
3073 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, /* gineerin */
3074 0x67, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, /* g1.0...U */
3075 0x04, 0x03, 0x0c, 0x0f, 0x77, 0x6f, 0x6c, 0x66, /* ....wolf */
3076 0x53, 0x53, 0x4c, 0x20, 0x72, 0x6f, 0x6f, 0x74, /* SSL root */
3077 0x20, 0x43, 0x41, 0x31, 0x1f, 0x30, 0x1d, 0x06, /* CA1.0.. */
3078 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, /* .*.H.... */
3079 0x09, 0x01, 0x16, 0x10, 0x69, 0x6e, 0x66, 0x6f, /* ....info */
3080 0x40, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, /* @wolfssl */
3081 0x2e, 0x63, 0x6f, 0x6d, 0x82, 0x01, 0x63, 0x30, /* .com..c0 */
3082 0x13, 0x06, 0x03, 0x55, 0x1d, 0x25, 0x04, 0x0c, /* ...U.%.. */
3083 0x30, 0x0a, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, /* 0...+... */
3084 0x05, 0x07, 0x03, 0x09, 0x30, 0x0d, 0x06, 0x09, /* ....0... */
3085 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, /* *.H..... */
3086 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, /* ........ */
3087 0x4d, 0xa2, 0xd8, 0x55, 0xe0, 0x2b, 0xf4, 0xad, /* M..U.+.. */
3088 0x65, 0xe2, 0x92, 0x35, 0xcb, 0x60, 0xa0, 0xa2, /* e..5.`.. */
3089 0x6b, 0xa6, 0x88, 0xc1, 0x86, 0x58, 0x57, 0x37, /* k....XW7 */
3090 0xbd, 0x2e, 0x28, 0x6e, 0x1c, 0x56, 0x2a, 0x35, /* ..(n.V*5 */
3091 0xde, 0xff, 0x3e, 0x8e, 0x3d, 0x47, 0x21, 0x1a, /* ..>.=G!. */
3092 0xe9, 0xd3, 0xc6, 0xb4, 0xe2, 0xcb, 0x3e, 0xc6, /* ......>. */
3093 0xaf, 0x9b, 0xef, 0x23, 0x88, 0x56, 0x95, 0x73, /* ...#.V.s */
3094 0x2e, 0xb3, 0xed, 0xc5, 0x11, 0x4b, 0x69, 0xf7, /* .....Ki. */
3095 0x13, 0x3a, 0x05, 0xe1, 0xaf, 0xba, 0xc9, 0x59, /* .:.....Y */
3096 0xfd, 0xe2, 0xa0, 0x81, 0xa0, 0x4c, 0x0c, 0x2c, /* .....L., */
3097 0xcb, 0x57, 0xad, 0x96, 0x3a, 0x8c, 0x32, 0xa6, /* .W..:.2. */
3098 0x4a, 0xf8, 0x72, 0xb8, 0xec, 0xb3, 0x26, 0x69, /* J.r...&i */
3099 0xd6, 0x6a, 0x4c, 0x4c, 0x78, 0x18, 0x3c, 0xca, /* .jLLx.<. */
3100 0x19, 0xf1, 0xb5, 0x8e, 0x23, 0x81, 0x5b, 0x27, /* ....#.[' */
3101 0x90, 0xe0, 0x5c, 0x2b, 0x17, 0x4d, 0x78, 0x99, /* ..\+.Mx. */
3102 0x6b, 0x25, 0xbd, 0x2f, 0xae, 0x1b, 0xaa, 0xce, /* k%./.... */
3103 0x84, 0xb9, 0x44, 0x21, 0x46, 0xc0, 0x34, 0x6b, /* ..D!F.4k */
3104 0x5b, 0xb9, 0x1b, 0xca, 0x5c, 0x60, 0xf1, 0xef, /* [...\`.. */
3105 0xe6, 0x66, 0xbc, 0x84, 0x63, 0x56, 0x50, 0x7d, /* .f..cVP} */
3106 0xbb, 0x2c, 0x2f, 0x7b, 0x47, 0xb4, 0xfd, 0x58, /* .,/{G..X */
3107 0x77, 0x87, 0xee, 0x27, 0x20, 0x96, 0x72, 0x8e, /* w..' .r. */
3108 0x4c, 0x7e, 0x4f, 0x93, 0xeb, 0x5f, 0x8f, 0x9c, /* L~O.._.. */
3109 0x1e, 0x59, 0x7a, 0x96, 0xaa, 0x53, 0x77, 0x22, /* .Yz..Sw" */
3110 0x41, 0xd8, 0xd3, 0xf9, 0x89, 0x8f, 0xe8, 0x9d, /* A....... */
3111 0x65, 0xbd, 0x0c, 0x71, 0x3c, 0xbb, 0xa3, 0x07, /* e..q<... */
3112 0xbf, 0xfb, 0xa8, 0xd1, 0x18, 0x0a, 0xb4, 0xc4, /* ........ */
3113 0xf7, 0x83, 0xb3, 0x86, 0x2b, 0xf0, 0x5b, 0x05, /* ....+.[. */
3114 0x28, 0xc1, 0x01, 0x31, 0x73, 0x5c, 0x2b, 0xbd, /* (..1s\+. */
3115 0x60, 0x97, 0xa3, 0x36, 0x82, 0x96, 0xd7, 0x83, /* `..6.... */
3116 0xdf, 0x75, 0xee, 0x29, 0x42, 0x97, 0x86, 0x41, /* .u.)B..A */
3117 0x55, 0xb9, 0x70, 0x87, 0xd5, 0x02, 0x85, 0x13, /* U.p..... */
3118 0x41, 0xf8, 0x25, 0x05, 0xab, 0x6a, 0xaa, 0x57 /* A.%..j.W */
3119 };
3120 OcspEntry entry[1];
3121 CertStatus status[1];
3122 OcspRequest* request = NULL;
3123#ifndef NO_FILESYSTEM
3124 const char* ca_cert = "./certs/ca-cert.pem";
3125#endif
3126
3127 byte serial[] = {0x05};
3128 byte issuerHash[] = {
3129 0x71, 0x4d, 0x82, 0x23, 0x40, 0x59, 0xc0, 0x96,
3130 0xa1, 0x37, 0x43, 0xfa, 0x31, 0xdb, 0xba, 0xb1,
3131 0x43, 0x18, 0xda, 0x04
3132 };
3133 byte issuerKeyHash[] = {
3134 0x83, 0xc6, 0x3a, 0x89, 0x2c, 0x81, 0xf4, 0x02,
3135 0xd7, 0x9d, 0x4c, 0xe2, 0x2a, 0xc0, 0x71, 0x82,
3136 0x64, 0x44, 0xda, 0x0e
3137 };
3138
3139
3140 XMEMSET(entry, 0, sizeof(OcspEntry));
3141 XMEMSET(status, 0, sizeof(CertStatus));
3142
3143 ExpectNotNull(request = wolfSSL_OCSP_REQUEST_new());
3144 ExpectNotNull(request->serial = (byte*)XMALLOC(sizeof(serial), NULL,
3145 DYNAMIC_TYPE_OCSP_REQUEST));
3146
3147 if ((request != NULL) && (request->serial != NULL)) {
3148 request->serialSz = sizeof(serial);
3149 XMEMCPY(request->serial, serial, sizeof(serial));
3150 XMEMCPY(request->issuerHash, issuerHash, sizeof(issuerHash));
3151 XMEMCPY(request->issuerKeyHash, issuerKeyHash, sizeof(issuerKeyHash));
3152 }
3153
3154 ExpectNotNull(cm = wolfSSL_CertManagerNew_ex(NULL));
3155 ExpectIntEQ(wolfSSL_CertManagerEnableOCSP(cm, 0), WOLFSSL_SUCCESS);
3156 ExpectIntEQ(wolfSSL_CertManagerLoadCA(cm,
3157 "./certs/ocsp/intermediate1-ca-cert.pem", NULL), WOLFSSL_SUCCESS);
3158
3159 /* Response should be valid. */
3160 ExpectIntEQ(wolfSSL_CertManagerCheckOCSPResponse(cm, (byte *)response,
3161 sizeof(response), NULL, status, entry, request), WOLFSSL_SUCCESS);
3162
3163 /* Flip a byte in the request serial number, response should be invalid
3164 * now. */
3165 if ((request != NULL) && (request->serial != NULL))
3166 request->serial[0] ^= request->serial[0];
3167 ExpectIntNE(wolfSSL_CertManagerCheckOCSPResponse(cm, (byte *)response,
3168 sizeof(response), NULL, status, entry, request), WOLFSSL_SUCCESS);
3169
3170#ifndef NO_FILESYSTEM
3171 ExpectIntEQ(wolfSSL_CertManagerCheckOCSP(cm, server_cert_der_2048,
3172 sizeof(server_cert_der_2048)), WC_NO_ERR_TRACE(ASN_NO_SIGNER_E));
3173 ExpectIntEQ(WOLFSSL_SUCCESS,
3174 wolfSSL_CertManagerLoadCA(cm, ca_cert, NULL));
3175 ExpectIntEQ(wolfSSL_CertManagerCheckOCSP(cm, server_cert_der_2048,
3176 sizeof(server_cert_der_2048)), 1);
3177#endif
3178
3179 wolfSSL_OCSP_REQUEST_free(request);
3180 wolfSSL_CertManagerFree(cm);
3181#endif /* OPENSSL_ALL || WOLFSSL_NGINX || WOLFSSL_HAPROXY ||
3182 * WOLFSSL_APACHE_HTTPD || HAVE_LIGHTY */
3183#endif /* HAVE_OCSP */
3184 return EXPECT_RESULT();
3185}
3186
3187#ifdef HAVE_CERT_CHAIN_VALIDATION
3188#ifndef WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION
3189#ifdef WOLFSSL_PEM_TO_DER
3190#ifndef NO_SHA256
3191static int load_ca_into_cm(WOLFSSL_CERT_MANAGER* cm, char* certA)
3192{
3193 int ret;
3194
3195 if ((ret = wolfSSL_CertManagerLoadCA(cm, certA, 0)) != WOLFSSL_SUCCESS) {
3196 fprintf(stderr, "loading cert %s failed\n", certA);
3197 fprintf(stderr, "Error: (%d): %s\n", ret,
3198 wolfSSL_ERR_reason_error_string((word32)ret));
3199 return -1;
3200 }
3201
3202 return 0;
3203}
3204
3205static int verify_cert_with_cm(WOLFSSL_CERT_MANAGER* cm, char* certA)
3206{
3207 int ret;
3208 if ((ret = wolfSSL_CertManagerVerify(cm, certA, CERT_FILETYPE))
3209 != WOLFSSL_SUCCESS) {
3210 fprintf(stderr, "could not verify the cert: %s\n", certA);
3211 fprintf(stderr, "Error: (%d): %s\n", ret,
3212 wolfSSL_ERR_reason_error_string((word32)ret));
3213 return -1;
3214 }
3215 else {
3216 fprintf(stderr, "successfully verified: %s\n", certA);
3217 }
3218
3219 return 0;
3220}
3221#define LOAD_ONE_CA(a, b, c, d) \
3222 do { \
3223 (a) = load_ca_into_cm(c, d); \
3224 if ((a) != 0) \
3225 return (b); \
3226 else \
3227 (b)--; \
3228 } while(0)
3229
3230#define VERIFY_ONE_CERT(a, b, c, d) \
3231 do { \
3232 (a) = verify_cert_with_cm(c, d);\
3233 if ((a) != 0) \
3234 return (b); \
3235 else \
3236 (b)--; \
3237 } while(0)
3238
3239static int test_chainG(WOLFSSL_CERT_MANAGER* cm)
3240{
3241 int ret;
3242 int i = -1;
3243 /* Chain G is a valid chain per RFC 5280 section 4.2.1.9 */
3244 char chainGArr[9][50] = {"certs/ca-cert.pem",
3245 "certs/test-pathlen/chainG-ICA7-pathlen100.pem",
3246 "certs/test-pathlen/chainG-ICA6-pathlen10.pem",
3247 "certs/test-pathlen/chainG-ICA5-pathlen20.pem",
3248 "certs/test-pathlen/chainG-ICA4-pathlen5.pem",
3249 "certs/test-pathlen/chainG-ICA3-pathlen99.pem",
3250 "certs/test-pathlen/chainG-ICA2-pathlen1.pem",
3251 "certs/test-pathlen/chainG-ICA1-pathlen0.pem",
3252 "certs/test-pathlen/chainG-entity.pem"};
3253
3254 LOAD_ONE_CA(ret, i, cm, chainGArr[0]); /* if failure, i = -1 here */
3255 LOAD_ONE_CA(ret, i, cm, chainGArr[1]); /* if failure, i = -2 here */
3256 LOAD_ONE_CA(ret, i, cm, chainGArr[2]); /* if failure, i = -3 here */
3257 LOAD_ONE_CA(ret, i, cm, chainGArr[3]); /* if failure, i = -4 here */
3258 LOAD_ONE_CA(ret, i, cm, chainGArr[4]); /* if failure, i = -5 here */
3259 LOAD_ONE_CA(ret, i, cm, chainGArr[5]); /* if failure, i = -6 here */
3260 LOAD_ONE_CA(ret, i, cm, chainGArr[6]); /* if failure, i = -7 here */
3261 LOAD_ONE_CA(ret, i, cm, chainGArr[7]); /* if failure, i = -8 here */
3262 VERIFY_ONE_CERT(ret, i, cm, chainGArr[1]); /* if failure, i = -9 here */
3263 VERIFY_ONE_CERT(ret, i, cm, chainGArr[2]); /* if failure, i = -10 here */
3264 VERIFY_ONE_CERT(ret, i, cm, chainGArr[3]); /* if failure, i = -11 here */
3265 VERIFY_ONE_CERT(ret, i, cm, chainGArr[4]); /* if failure, i = -12 here */
3266 VERIFY_ONE_CERT(ret, i, cm, chainGArr[5]); /* if failure, i = -13 here */
3267 VERIFY_ONE_CERT(ret, i, cm, chainGArr[6]); /* if failure, i = -14 here */
3268 VERIFY_ONE_CERT(ret, i, cm, chainGArr[7]); /* if failure, i = -15 here */
3269 VERIFY_ONE_CERT(ret, i, cm, chainGArr[8]); /* if failure, i = -16 here */
3270
3271 /* test validating the entity twice, should have no effect on pathLen since
3272 * entity/leaf cert */
3273 VERIFY_ONE_CERT(ret, i, cm, chainGArr[8]); /* if failure, i = -17 here */
3274
3275 return ret;
3276}
3277
3278static int test_chainH(WOLFSSL_CERT_MANAGER* cm)
3279{
3280 int ret;
3281 int i = -1;
3282 /* Chain H is NOT a valid chain per RFC5280 section 4.2.1.9:
3283 * ICA4-pathlen of 2 signing ICA3-pathlen of 2 (reduce max path len to 2)
3284 * ICA3-pathlen of 2 signing ICA2-pathlen of 2 (reduce max path len to 1)
3285 * ICA2-pathlen of 2 signing ICA1-pathlen of 0 (reduce max path len to 0)
3286 * ICA1-pathlen of 0 signing entity (pathlen is already 0, ERROR)
3287 * Test should successfully verify ICA4, ICA3, ICA2 and then fail on ICA1
3288 */
3289 char chainHArr[6][50] = {"certs/ca-cert.pem",
3290 "certs/test-pathlen/chainH-ICA4-pathlen2.pem",
3291 "certs/test-pathlen/chainH-ICA3-pathlen2.pem",
3292 "certs/test-pathlen/chainH-ICA2-pathlen2.pem",
3293 "certs/test-pathlen/chainH-ICA1-pathlen0.pem",
3294 "certs/test-pathlen/chainH-entity.pem"};
3295
3296 LOAD_ONE_CA(ret, i, cm, chainHArr[0]); /* if failure, i = -1 here */
3297 LOAD_ONE_CA(ret, i, cm, chainHArr[1]); /* if failure, i = -2 here */
3298 LOAD_ONE_CA(ret, i, cm, chainHArr[2]); /* if failure, i = -3 here */
3299 LOAD_ONE_CA(ret, i, cm, chainHArr[3]); /* if failure, i = -4 here */
3300 LOAD_ONE_CA(ret, i, cm, chainHArr[4]); /* if failure, i = -5 here */
3301 VERIFY_ONE_CERT(ret, i, cm, chainHArr[1]); /* if failure, i = -6 here */
3302 VERIFY_ONE_CERT(ret, i, cm, chainHArr[2]); /* if failure, i = -7 here */
3303 VERIFY_ONE_CERT(ret, i, cm, chainHArr[3]); /* if failure, i = -8 here */
3304 VERIFY_ONE_CERT(ret, i, cm, chainHArr[4]); /* if failure, i = -9 here */
3305 VERIFY_ONE_CERT(ret, i, cm, chainHArr[5]); /* if failure, i = -10 here */
3306
3307 return ret;
3308}
3309
3310static int test_chainI(WOLFSSL_CERT_MANAGER* cm)
3311{
3312 int ret;
3313 int i = -1;
3314 /* Chain I is a valid chain per RFC5280 section 4.2.1.9:
3315 * ICA3-pathlen of 2 signing ICA2 without a pathlen (reduce maxPathLen to 2)
3316 * ICA2-no_pathlen signing ICA1-no_pathlen (reduce maxPathLen to 1)
3317 * ICA1-no_pathlen signing entity (reduce maxPathLen to 0)
3318 * Test should successfully verify ICA4, ICA3, ICA2 and then fail on ICA1
3319 */
3320 char chainIArr[5][50] = {"certs/ca-cert.pem",
3321 "certs/test-pathlen/chainI-ICA3-pathlen2.pem",
3322 "certs/test-pathlen/chainI-ICA2-no_pathlen.pem",
3323 "certs/test-pathlen/chainI-ICA1-no_pathlen.pem",
3324 "certs/test-pathlen/chainI-entity.pem"};
3325
3326 LOAD_ONE_CA(ret, i, cm, chainIArr[0]); /* if failure, i = -1 here */
3327 LOAD_ONE_CA(ret, i, cm, chainIArr[1]); /* if failure, i = -2 here */
3328 LOAD_ONE_CA(ret, i, cm, chainIArr[2]); /* if failure, i = -3 here */
3329 LOAD_ONE_CA(ret, i, cm, chainIArr[3]); /* if failure, i = -4 here */
3330 VERIFY_ONE_CERT(ret, i, cm, chainIArr[1]); /* if failure, i = -5 here */
3331 VERIFY_ONE_CERT(ret, i, cm, chainIArr[2]); /* if failure, i = -6 here */
3332 VERIFY_ONE_CERT(ret, i, cm, chainIArr[3]); /* if failure, i = -7 here */
3333 VERIFY_ONE_CERT(ret, i, cm, chainIArr[4]); /* if failure, i = -8 here */
3334
3335 return ret;
3336}
3337
3338static int test_chainJ(WOLFSSL_CERT_MANAGER* cm)
3339{
3340 int ret;
3341 int i = -1;
3342 /* Chain J is NOT a valid chain per RFC5280 section 4.2.1.9:
3343 * ICA4-pathlen of 2 signing ICA3 without a pathlen (reduce maxPathLen to 2)
3344 * ICA3-pathlen of 2 signing ICA2 without a pathlen (reduce maxPathLen to 1)
3345 * ICA2-no_pathlen signing ICA1-no_pathlen (reduce maxPathLen to 0)
3346 * ICA1-no_pathlen signing entity (ERROR, pathlen zero and non-leaf cert)
3347 */
3348 char chainJArr[6][50] = {"certs/ca-cert.pem",
3349 "certs/test-pathlen/chainJ-ICA4-pathlen2.pem",
3350 "certs/test-pathlen/chainJ-ICA3-no_pathlen.pem",
3351 "certs/test-pathlen/chainJ-ICA2-no_pathlen.pem",
3352 "certs/test-pathlen/chainJ-ICA1-no_pathlen.pem",
3353 "certs/test-pathlen/chainJ-entity.pem"};
3354
3355 LOAD_ONE_CA(ret, i, cm, chainJArr[0]); /* if failure, i = -1 here */
3356 LOAD_ONE_CA(ret, i, cm, chainJArr[1]); /* if failure, i = -2 here */
3357 LOAD_ONE_CA(ret, i, cm, chainJArr[2]); /* if failure, i = -3 here */
3358 LOAD_ONE_CA(ret, i, cm, chainJArr[3]); /* if failure, i = -4 here */
3359 LOAD_ONE_CA(ret, i, cm, chainJArr[4]); /* if failure, i = -5 here */
3360 VERIFY_ONE_CERT(ret, i, cm, chainJArr[1]); /* if failure, i = -6 here */
3361 VERIFY_ONE_CERT(ret, i, cm, chainJArr[2]); /* if failure, i = -7 here */
3362 VERIFY_ONE_CERT(ret, i, cm, chainJArr[3]); /* if failure, i = -8 here */
3363 VERIFY_ONE_CERT(ret, i, cm, chainJArr[4]); /* if failure, i = -9 here */
3364 VERIFY_ONE_CERT(ret, i, cm, chainJArr[5]); /* if failure, i = -10 here */
3365
3366 return ret;
3367}
3368#endif
3369#endif
3370#endif
3371#endif
3372
3373int test_various_pathlen_chains(void)
3374{
3375 EXPECT_DECLS;
3376#if defined(WOLFSSL_PEM_TO_DER) && defined(HAVE_CERT_CHAIN_VALIDATION) && \
3377 !defined(WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION)
3378#ifndef NO_SHA256
3379 WOLFSSL_CERT_MANAGER* cm = NULL;
3380
3381 /* Test chain G (large chain with varying pathLens) */
3382 ExpectNotNull(cm = wolfSSL_CertManagerNew());
3383#if defined(NO_WOLFSSL_CLIENT) && defined(NO_WOLFSSL_SERVER)
3384 ExpectIntEQ(test_chainG(cm), -1);
3385#else
3386 ExpectIntEQ(test_chainG(cm), 0);
3387#endif /* NO_WOLFSSL_CLIENT && NO_WOLFSSL_SERVER */
3388 ExpectIntEQ(wolfSSL_CertManagerUnloadCAs(cm), WOLFSSL_SUCCESS);
3389 wolfSSL_CertManagerFree(cm);
3390 /* end test chain G */
3391
3392 /* Test chain H (5 chain with same pathLens) */
3393 ExpectNotNull(cm = wolfSSL_CertManagerNew());
3394 ExpectIntLT(test_chainH(cm), 0);
3395 ExpectIntEQ(wolfSSL_CertManagerUnloadCAs(cm), WOLFSSL_SUCCESS);
3396 wolfSSL_CertManagerFree(cm);
3397
3398 ExpectNotNull(cm = wolfSSL_CertManagerNew());
3399 ExpectIntEQ(wolfSSL_CertManagerUnloadCAs(cm), WOLFSSL_SUCCESS);
3400 wolfSSL_CertManagerFree(cm);
3401 /* end test chain H */
3402
3403 /* Test chain I (only first ICA has pathLen set and it's set to 2,
3404 * followed by 2 ICA's, should pass) */
3405 ExpectNotNull(cm = wolfSSL_CertManagerNew());
3406#if defined(NO_WOLFSSL_CLIENT) && defined(NO_WOLFSSL_SERVER)
3407 ExpectIntEQ(test_chainI(cm), -1);
3408#else
3409 ExpectIntEQ(test_chainI(cm), 0);
3410#endif /* NO_WOLFSSL_CLIENT && NO_WOLFSSL_SERVER */
3411 ExpectIntEQ(wolfSSL_CertManagerUnloadCAs(cm), WOLFSSL_SUCCESS);
3412 wolfSSL_CertManagerFree(cm);
3413 cm = NULL;
3414
3415 ExpectNotNull(cm = wolfSSL_CertManagerNew());
3416 ExpectIntEQ(wolfSSL_CertManagerUnloadCAs(cm), WOLFSSL_SUCCESS);
3417 wolfSSL_CertManagerFree(cm);
3418 cm = NULL;
3419
3420 /* Test chain J (Again only first ICA has pathLen set and it's set to 2,
3421 * this time followed by 3 ICA's, should fail */
3422 ExpectNotNull(cm = wolfSSL_CertManagerNew());
3423 ExpectIntLT(test_chainJ(cm), 0);
3424 ExpectIntEQ(wolfSSL_CertManagerUnloadCAs(cm), WOLFSSL_SUCCESS);
3425 wolfSSL_CertManagerFree(cm);
3426 cm = NULL;
3427
3428 ExpectNotNull(cm = wolfSSL_CertManagerNew());
3429 ExpectIntEQ(wolfSSL_CertManagerUnloadCAs(cm), WOLFSSL_SUCCESS);
3430 wolfSSL_CertManagerFree(cm);
3431#endif
3432#endif
3433 return EXPECT_RESULT();
3434}
3435
3436/* Verify that certificates signed with MD5 (md5WithRSAEncryption) are
3437 * rejected during chain verification. MD5 must not be acceptable as a
3438 * certificate signature hash, even when MD5 is compiled in (e.g. for TLS
3439 * 1.0 PRF or HMAC uses). Trust anchors are exempt from this check because
3440 * ParseCertRelative skips ConfirmSignature for CA_TYPE. */
3441int test_wolfSSL_CertManagerRejectMD5Cert(void)
3442{
3443 EXPECT_DECLS;
3444#if !defined(NO_CERTS) && !defined(NO_RSA) && !defined(NO_MD5) && \
3445 !defined(WOLFSSL_ALLOW_MD5_CERT_SIGS) && defined(WOLFSSL_CERT_GEN) && \
3446 !defined(NO_WOLFSSL_CM_VERIFY) && !defined(NO_ASN_CRYPT) && \
3447 !defined(USE_CERT_BUFFERS_1024)
3448 WOLFSSL_CERT_MANAGER* cm = NULL;
3449 RsaKey caKey;
3450 WC_RNG rng;
3451 Cert leaf;
3452 byte* der = NULL;
3453 int derSz = 0;
3454 word32 idx = 0;
3455 int caKeyInit = 0;
3456 int rngInit = 0;
3457
3458 XMEMSET(&caKey, 0, sizeof(caKey));
3459 XMEMSET(&rng, 0, sizeof(rng));
3460
3461 ExpectIntEQ(wc_InitRng(&rng), 0);
3462 if (EXPECT_SUCCESS()) rngInit = 1;
3463
3464 ExpectIntEQ(wc_InitRsaKey_ex(&caKey, HEAP_HINT, testDevId), 0);
3465 if (EXPECT_SUCCESS()) caKeyInit = 1;
3466 ExpectIntEQ(wc_RsaPrivateKeyDecode(ca_key_der_2048, &idx, &caKey,
3467 sizeof_ca_key_der_2048), 0);
3468
3469 ExpectNotNull(der = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT,
3470 DYNAMIC_TYPE_TMP_BUFFER));
3471 if (der == NULL) {
3472 goto cleanup;
3473 }
3474
3475 /* Build a leaf certificate whose issuer is the built-in 2048-bit
3476 * wolfSSL test CA and sign it with MD5+RSA using the matching CA
3477 * private key. */
3478 ExpectIntEQ(wc_InitCert(&leaf), 0);
3479 leaf.sigType = CTC_MD5wRSA;
3480 leaf.isCA = 0;
3481 XSTRNCPY(leaf.subject.country, "US", CTC_NAME_SIZE);
3482 XSTRNCPY(leaf.subject.state, "MT", CTC_NAME_SIZE);
3483 XSTRNCPY(leaf.subject.locality, "Bozeman", CTC_NAME_SIZE);
3484 XSTRNCPY(leaf.subject.org, "wolfSSL", CTC_NAME_SIZE);
3485 XSTRNCPY(leaf.subject.unit, "Test", CTC_NAME_SIZE);
3486 XSTRNCPY(leaf.subject.commonName, "md5-leaf", CTC_NAME_SIZE);
3487 XSTRNCPY(leaf.subject.email, "info@wolfssl.com", CTC_NAME_SIZE);
3488
3489 ExpectIntEQ(wc_SetIssuerBuffer(&leaf, ca_cert_der_2048,
3490 sizeof_ca_cert_der_2048), 0);
3491
3492 /* wc_MakeCert needs an RSA public key for the subject; reuse caKey
3493 * for simplicity (we only care about signature-side verification). */
3494 ExpectIntGT((derSz = wc_MakeCert(&leaf, der, FOURK_BUF, &caKey, NULL,
3495 &rng)), 0);
3496 ExpectIntGT((derSz = wc_SignCert(leaf.bodySz, leaf.sigType, der,
3497 FOURK_BUF, &caKey, NULL, &rng)), 0);
3498
3499 /* Load the SHA-256 signed CA cert as a trust anchor and attempt
3500 * to verify the MD5-signed leaf: it must be rejected because
3501 * HashForSignature() now returns HASH_TYPE_E for MD5 in verify mode,
3502 * and wolfSSL_CertManagerVerifyBuffer() returns that error. */
3503 ExpectNotNull(cm = wolfSSL_CertManagerNew());
3504 if (cm != NULL) {
3505 ExpectIntEQ(wolfSSL_CertManagerLoadCABuffer(cm, ca_cert_der_2048,
3506 sizeof_ca_cert_der_2048, WOLFSSL_FILETYPE_ASN1),
3507 WOLFSSL_SUCCESS);
3508
3509 ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz,
3510 WOLFSSL_FILETYPE_ASN1),
3511 WC_NO_ERR_TRACE(HASH_TYPE_E));
3512 }
3513
3514cleanup:
3515 wolfSSL_CertManagerFree(cm);
3516 XFREE(der, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
3517 if (caKeyInit) wc_FreeRsaKey(&caKey);
3518 if (rngInit) wc_FreeRng(&rng);
3519#endif
3520 return EXPECT_RESULT();
3521}