Merge pull request #8400 from ColtonWilley/add_trusted_cert_pem_parsing

Add support for parsing trusted PEM certs

certs/test/gen-testcerts.sh

@@ -120,6 +120,31 @@ generate_test_cert() {
     check_result $?
 }
 
+generate_test_trusted_cert() {
+    rm "$1".der
+    rm "$1".pem
+
+    echo "step 1 create configuration"
+    build_test_cert_conf "$1" "$2" "$3"
+    check_result $?
+
+    echo "step 2 create csr"
+    openssl req -new -sha256 -out "$1".csr -key ../server-key.pem -config "$1".conf
+    check_result $?
+
+    echo "step 3 check csr"
+    openssl req -text -noout -in "$1".csr -config "$1".conf
+    check_result $?
+
+    echo "step 4 create cert"
+    openssl x509 -req -days 1000 -sha256 \
+                 -in "$1".csr -signkey ../server-key.pem \
+                 -out "$1".pem -extensions req_ext -addtrust serverAuth -trustout -extfile "$1".conf
+    check_result $?
+    rm "$1".conf
+    rm "$1".csr
+}
+
 generate_expired_certs() {
     rm "$1".der
     rm "$1".pem
@@ -200,3 +225,6 @@ generate_test_cert server-garbage localhost garbage
 # Generate Expired Certificates
 generate_expired_certs expired/expired-ca ../ca-key.pem 1
 generate_expired_certs expired/expired-cert ../server-key.pem
+
+
+generate_test_trusted_cert ossl-trusted-cert localhost "" 1

certs/test/include.am

@@ -67,6 +67,7 @@ EXTRA_DIST += \
          certs/test/server-badaltname.pem \
          certs/test/server-localhost.der \
          certs/test/server-localhost.pem \
+         certs/test/ossl-trusted-cert.pem \
          certs/test/ktri-keyid-cms.msg \
          certs/test/smime-test.p7s \
          certs/test/smime-test-canon.p7s \

certs/test/ossl-trusted-cert.pem

@@ -0,0 +1,29 @@
+-----BEGIN TRUSTED CERTIFICATE-----
+MIIE6DCCA9CgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBlDELMAkGA1UEBhMCVVMx
+EDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xETAPBgNVBAoMCFNh
+d3Rvb3RoMRMwEQYDVQQLDApDb25zdWx0aW5nMRgwFgYDVQQDDA93d3cud29sZnNz
+bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjUwMTMw
+MjE0NTQ2WhcNMjcxMDI3MjE0NTQ2WjCBkDELMAkGA1UEBhMCVVMxEDAOBgNVBAgM
+B01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xEDAOBgNVBAoMB3dvbGZTU0wxEDAO
+BgNVBAsMB1N1cHBvcnQxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqG
+SIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBAMCVCOFXQfJxbbfSRUEnAWXGRa7yvCQwuJXOL07W9hyIvHyf+6hn
+f/5cnFF194rKB+c1L4/hvXvAL3yrZKgX/Mpde7rgIeVyLm8uhtiVc9qsG1O5Xz/X
+GQ0lT+FjY1GLC2Q/rUO4pRxcNLOuAKBjxfZ/C1loeHOmjBipAm2vwxkBLrgQ48bM
+QLRpo0YzaYduxLsXpvPo3a1zvHsvIbX9ZlEMvVSz4W1fHLwjc9EJA4kU0hC5ZMMq
+0KGWSrzh1Bpbx6DAwWN4D0Q3MDKWgDIjlaF3uhPSl3PiXSXJag3DOWCktLBpQkIJ
+6dgIvDMgs1gip6rrxOHmYYPF0pbf2dBPrdcCAwEAAaOCAUUwggFBMB0GA1UdDgQW
+BBSzETLJkpiE4sn40DtuA0LKHw6OPDCB1AYDVR0jBIHMMIHJgBQnjmcRdMMmHT/t
+M2OzpNgdMOXo1aGBmqSBlzCBlDELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB01vbnRh
+bmExEDAOBgNVBAcMB0JvemVtYW4xETAPBgNVBAoMCFNhd3Rvb3RoMRMwEQYDVQQL
+DApDb25zdWx0aW5nMRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG
+9w0BCQEWEGluZm9Ad29sZnNzbC5jb22CFACr6s+Ce0259tiQB3+gnZ7kb6T9MAwG
+A1UdEwQFMAMBAf8wHAYDVR0RBBUwE4ILZXhhbXBsZS5jb22HBH8AAAEwHQYDVR0l
+BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA0GCSqGSIb3DQEBCwUAA4IBAQBqX+1+
+o2hLg3bT22ktzzG7y1Xu+7ZymPHCf7c2inTuFQq8epdbQ4RHwlk9/y8T52CM063y
+DJPPzXBYiGFwLo7Eff3pOCxsGRCGZZm5Yj/oCgN2dEywDPoOf6J+PBz589obsYU6
+d2QqcnhghWK6pM+9OdR5idtv4tOpnPEpehMJE14Oxg36nNDobn2rqKgSrvd1xbEh
+SnNwN6ZYwlLHCj+uGEEIFiLfZFisaEqmQlXA1THIUJMMypiwJ9snSXzZN6g+Ssw7
+AG+1kSbrbpnuECTBO4GBoJ7qcnhqPe1fbP/atwb7hh4RiHKXEVVQv96fu6BZ3cHH
+rb8OQ3qAW+juUlxaMAwwCgYIKwYBBQUHAwE=
+-----END TRUSTED CERTIFICATE-----

tests/api.c

@@ -56313,6 +56313,7 @@ static int test_wc_PemToDer(void)
     int ret;
     DerBuffer* pDer = NULL;
     const char* ca_cert = "./certs/server-cert.pem";
+    const char* trusted_cert = "./certs/test/ossl-trusted-cert.pem";
     byte* cert_buf = NULL;
     size_t cert_sz = 0;
     int eccKey = 0;
@@ -56331,6 +56332,18 @@ static int test_wc_PemToDer(void)
         cert_buf = NULL;
     }
 
+    /* Test that -----BEGIN TRUSTED CERTIFICATE----- banner parses OK */
+    ExpectIntEQ(ret = load_file(trusted_cert, &cert_buf, &cert_sz), 0);
+    ExpectIntEQ(ret = wc_PemToDer(cert_buf, (long int)cert_sz, TRUSTED_CERT_TYPE, &pDer, NULL,
+        &info, &eccKey), 0);
+    wc_FreeDer(&pDer);
+    pDer = NULL;
+
+    if (cert_buf != NULL) {
+        free(cert_buf);
+        cert_buf = NULL;
+    }
+
 #ifdef HAVE_ECC
     {
         const char* ecc_private_key = "./certs/ecc-privOnlyKey.pem";

wolfcrypt/src/asn.c

@@ -24777,6 +24777,8 @@ wcchar END_CERT             = "-----END CERTIFICATE-----";
 #endif
 wcchar BEGIN_X509_CRL       = "-----BEGIN X509 CRL-----";
 wcchar END_X509_CRL         = "-----END X509 CRL-----";
+wcchar BEGIN_TRUSTED_CERT   = "-----BEGIN TRUSTED CERTIFICATE-----";
+wcchar END_TRUSTED_CERT     = "-----END TRUSTED CERTIFICATE-----";
 wcchar BEGIN_RSA_PRIV       = "-----BEGIN RSA PRIVATE KEY-----";
 wcchar END_RSA_PRIV         = "-----END RSA PRIVATE KEY-----";
 wcchar BEGIN_RSA_PUB        = "-----BEGIN RSA PUBLIC KEY-----";
@@ -25073,6 +25075,11 @@ int wc_PemGetHeaderFooter(int type, const char** header, const char** footer)
             if (footer) *footer = END_ENC_PRIV_KEY;
             ret = 0;
             break;
+        case TRUSTED_CERT_TYPE:
+            if (header) *header = BEGIN_TRUSTED_CERT;
+            if (footer) *footer = END_TRUSTED_CERT;
+            ret = 0;
+            break;
         default:
             ret = BAD_FUNC_ARG;
             break;

wolfssl/wolfcrypt/asn_public.h

@@ -182,7 +182,8 @@ enum CertType {
     SPHINCS_SMALL_LEVEL5_TYPE,
     ECC_PARAM_TYPE,
     CHAIN_CERT_TYPE,
-    PKCS7_TYPE
+    PKCS7_TYPE,
+    TRUSTED_CERT_TYPE
 };