wolfssl icon indicating copy to clipboard operation
wolfssl copied to clipboard
verified publisher icon wolfSSL

Improve wolfSSL_X509_get_ext_d2i compatibility

Open dclaisse opened this issue 1 year ago • 5 comments

Description

  • When dealing with authority key id extension, conform to RFC3280/RFC5280 and populate the keyid field with an ASN1 string containing the key id.
  • When dealing with subject key id extension, return an ASN1 string containing the key id instead of an extension stack, to mimic OpenSSL behavior.
  • This mainly aims to improve compatibility, for instance with this patch one is able to leverage the HAProxy's issuers-chain-path directive, as without it HAProxy is not able to find the relevant intermediate certificate.

Fixes ZD 18785

Testing

How did you test? Tested on our production load balancers, HAProxy is now able to link intermediate certificates.

Checklist

  • [ ] added tests
  • [ ] updated/added doxygen
  • [ ] updated appropriate READMEs
  • [ ] Updated manual and documentation

dclaisse avatar Oct 14 '24 15:10 dclaisse

Can one of the admins verify this patch?

wolfSSL-Bot avatar Oct 14 '24 15:10 wolfSSL-Bot

OK to test. Contributor agreement approved.

kareem-wolfssl avatar Oct 15 '24 20:10 kareem-wolfssl

Retest this please

dgarske avatar Oct 21 '24 20:10 dgarske

Retest this please. History lost.

dgarske avatar Nov 22 '24 17:11 dgarske

@dclaisse This change is causing a fault in api.c : test_wolfSSL_certs.

374: test_wolfSSL_certs                                  :AddressSanitizer:DEADLYSIGNAL
=================================================================
==48468==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x7f0f4495bb85 bp 0x26c79127700d547e sp 0x7fffefd23510 T0)
==48468==The signal is caused by a READ memory access.
==48468==Hint: this fault was caused by a dereference of a high value address (see register values below).  Dissassemble the provided pc to learn which register was used.
    #0 0x7f0f4495bb85 in wolfSSL_ASN1_OBJECT_free (/tmp/workspace/PRB-generic-config-parser@2/wolfssl/src/.libs/libwolfssl.so.42+0x15bb85)
    #1 0x7f0f449868de in wolfSSL_sk_pop_free (/tmp/workspace/PRB-generic-config-parser@2/wolfssl/src/.libs/libwolfssl.so.42+0x1868de)
    #2 0x55f60b8df357 in test_wolfSSL_certs (/tmp/workspace/PRB-generic-config-parser@2/wolfssl/tests/.libs/unit.test+0x275357)
    #3 0x55f60b968505 in ApiTest (/tmp/workspace/PRB-generic-config-parser@2/wolfssl/tests/.libs/unit.test+0x2fe505)
    #4 0x55f60b71ef49 in unit_test (/tmp/workspace/PRB-generic-config-parser@2/wolfssl/tests/.libs/unit.test+0xb4f49)
    #5 0x7f0f44429d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #6 0x7f0f44429e3f in __libc_start_main_impl ../csu/libc-start.c:392
    #7 0x55f60b71eac4 in _start (/tmp/workspace/PRB-generic-config-parser@2/wolfssl/tests/.libs/unit.test+0xb4ac4)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/tmp/workspace/PRB-generic-config-parser@2/wolfssl/src/.libs/libwolfssl.so.42+0x15bb85) in wolfSSL_ASN1_OBJECT_free
==48468==ABORTING
FAIL scripts/unit.test (exit status: 1)

dgarske avatar Nov 22 '24 18:11 dgarske