Add cert/CRL capabilities: skid, akid, dist point, netscape

Author: padelsbach

examples/certs/test/crl-dp-cert.pem

@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDbTCCAlWgAwIBAgIUZqjaWzuAIDjJjqQW/x9Lyn5H2McwDQYJKoZIhvcNAQEL
+BQAwOjEUMBIGA1UEAwwLVGVzdCBDUkwgRFAxFTATBgNVBAoMDHdvbGZTU0wgVGVz
+dDELMAkGA1UEBhMCVVMwHhcNMjYwMjA5MTgxMTQzWhcNMjcwMjA5MTgxMTQzWjA6
+MRQwEgYDVQQDDAtUZXN0IENSTCBEUDEVMBMGA1UECgwMd29sZlNTTCBUZXN0MQsw
+CQYDVQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALP/1lo5
+T10/LJAck3ImKvrinzS1oubA/YP/w2NTJLzlZQtbvNPW4WhY2LcuUWOSv/VmMSpq
+J/mEqEn8P9CfIgtRo0z39+HJJ3aE3ClioH6fTpj284nHZnJdYQFy/9+T4DTLcuiJ
+VILqRotqH06JRU4mhR2hqiw7YHI76BlPJAB9pVwGbit6BKWbF5vJRy440AYNCWjs
+t/NEhrKnCJugaPqvyhH9ByWI8/wPeyFNXUpuEiZVg+rSYwPr0w4kVBRUVWnDxEam
+WKEEPSM1CdY2LJGDT6Qjm6WyVQbWppu1mz6Dg+nvw+h125PyW4Cyim6HAFj3IJcI
+6YcDC2lGep7PNmECAwEAAaNrMGkwCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwMAYD
+VR0fBCkwJzAloCOgIYYfaHR0cDovL2NybC5leGFtcGxlLmNvbS90ZXN0LmNybDAd
+BgNVHQ4EFgQUXEABbBfseiUjqacQWYMRluxQV+kwDQYJKoZIhvcNAQELBQADggEB
+AF21pa2SQXeqmDtYLvhwNWpwpt814nRfejAzlLBLpJB8nf1NE89a53U7ELbZMPNj
+tQC/ADNoNGFQmSaPNytXtHNslPM17kSWN+6/JFhKGcWHXgPPM4E5VOZ94H1BK4fh
+PMCfMMh+826Y+RK/nsi4NnlmeJy5/QdRgbDfGY4ZZECssHSIbKPP7pgxH/YzDUd/
+HIzf5vXeiUG7PXXJhzA38k1HRhuyxOYnsrLMYw/FsDOl/knhH9dF8f+XFVHuFfQv
+GH9cm+btX0gM1EaBi1huQcYYNRp2BSa2qSjIeDRg5Bs4i5BENh7wVtZDheGD0SpE
+3jhznnX5L4CwmLzlfQkARuU=
+-----END CERTIFICATE-----

examples/certs/update-certs.sh

@@ -98,6 +98,37 @@ if [ $? -ne 0 ]; then
 fi
 printf "Generated ca-keyPkcs8.der\n"
 
+# Generate CRL Distribution Points test cert
+printf "Generating test/crl-dp-cert.pem\n"
+mkdir -p test
+TMP_DIR="$(mktemp -d)"
+cat > "${TMP_DIR}/openssl.cnf" <<EOF
+[ req ]
+distinguished_name = dn
+x509_extensions = v3_req
+prompt = no
+
+[ dn ]
+CN = Test CRL DP
+O = wolfSSL Test
+C = US
+
+[ v3_req ]
+basicConstraints = CA:FALSE
+keyUsage = digitalSignature
+crlDistributionPoints = URI:http://crl.example.com/test.crl
+EOF
+
+openssl req -new -newkey rsa:2048 -nodes -x509 -days 365 \
+  -keyout "${TMP_DIR}/crl-dp-key.pem" -out test/crl-dp-cert.pem \
+  -config "${TMP_DIR}/openssl.cnf" >/dev/null 2>&1
+if [ $? -ne 0 ]; then
+    printf "Failed to generate test/crl-dp-cert.pem\n"
+    rm -rf "${TMP_DIR}"
+    exit 1
+fi
+rm -rf "${TMP_DIR}"
+
 # Remove text info from intermediate certs, causes issues on Android (WRONG TAG)
 printf "Removing text info from intermediate certs\n"
 sed -i.bak -n '/-----BEGIN CERTIFICATE-----/,$p' ca-cert.pem
@@ -131,4 +162,3 @@ else
 fi
 
 printf "\nFinished successfully\n"
-

native/com_wolfssl_WolfSSL.c

@@ -21,6 +21,7 @@
 
 #include <stdio.h>
 #include <stdint.h>
+#include <stdlib.h>
 #ifdef WOLFSSL_USER_SETTINGS
     #include <wolfssl/wolfcrypt/settings.h>
 #else
@@ -74,6 +75,135 @@ jmethodID g_verifyCallbackMethodId = NULL;
 static jobject g_fipsCbIfaceObj;
 #endif
 
+typedef struct WolfSSLJniObjMap {
+    WOLFSSL* ssl;
+    void* obj;
+    struct WolfSSLJniObjMap* next;
+} WolfSSLJniObjMap;
+
+static WolfSSLJniObjMap* g_jniObjMap = NULL;
+static wolfSSL_Mutex g_jniObjMapLock;
+static int g_jniObjMapLockInit = 0;
+
+static void wolfSSL_jni_objmap_cleanup(void)
+{
+    WolfSSLJniObjMap* cur;
+    WolfSSLJniObjMap* next;
+
+    if (!g_jniObjMapLockInit) {
+        g_jniObjMap = NULL;
+        return;
+    }
+
+    if (wc_LockMutex(&g_jniObjMapLock) == 0) {
+        cur = g_jniObjMap;
+        g_jniObjMap = NULL;
+        wc_UnLockMutex(&g_jniObjMapLock);
+    }
+    else {
+        cur = g_jniObjMap;
+        g_jniObjMap = NULL;
+    }
+
+    while (cur != NULL) {
+        next = cur->next;
+        free(cur);
+        cur = next;
+    }
+
+    wc_FreeMutex(&g_jniObjMapLock);
+    g_jniObjMapLockInit = 0;
+}
+
+int wolfSSL_jni_set_jobject(WOLFSSL* ssl, void* objPtr)
+{
+#ifdef WOLFSSL_JNI
+    return wolfSSL_set_jobject(ssl, objPtr);
+#else
+    WolfSSLJniObjMap* cur;
+    WolfSSLJniObjMap* prev = NULL;
+    WolfSSLJniObjMap* node;
+
+    if (ssl == NULL) {
+        return BAD_FUNC_ARG;
+    }
+    if (!g_jniObjMapLockInit) {
+        return SSL_FAILURE;
+    }
+    if (wc_LockMutex(&g_jniObjMapLock) != 0) {
+        return SSL_FAILURE;
+    }
+
+    cur = g_jniObjMap;
+    while (cur != NULL && cur->ssl != ssl) {
+        prev = cur;
+        cur = cur->next;
+    }
+
+    if (objPtr == NULL) {
+        if (cur != NULL) {
+            if (prev != NULL) {
+                prev->next = cur->next;
+            }
+            else {
+                g_jniObjMap = cur->next;
+            }
+            free(cur);
+        }
+        wc_UnLockMutex(&g_jniObjMapLock);
+        return SSL_SUCCESS;
+    }
+
+    if (cur != NULL) {
+        cur->obj = objPtr;
+        wc_UnLockMutex(&g_jniObjMapLock);
+        return SSL_SUCCESS;
+    }
+
+    node = (WolfSSLJniObjMap*)malloc(sizeof(WolfSSLJniObjMap));
+    if (node == NULL) {
+        wc_UnLockMutex(&g_jniObjMapLock);
+        return MEMORY_E;
+    }
+    node->ssl = ssl;
+    node->obj = objPtr;
+    node->next = g_jniObjMap;
+    g_jniObjMap = node;
+
+    wc_UnLockMutex(&g_jniObjMapLock);
+    return SSL_SUCCESS;
+#endif
+}
+
+void* wolfSSL_jni_get_jobject(WOLFSSL* ssl)
+{
+#ifdef WOLFSSL_JNI
+    return wolfSSL_get_jobject(ssl);
+#else
+    WolfSSLJniObjMap* cur;
+    void* obj = NULL;
+
+    if (ssl == NULL || !g_jniObjMapLockInit) {
+        return NULL;
+    }
+    if (wc_LockMutex(&g_jniObjMapLock) != 0) {
+        return NULL;
+    }
+
+    cur = g_jniObjMap;
+    while (cur != NULL) {
+        if (cur->ssl == ssl) {
+            obj = cur->obj;
+            break;
+        }
+        cur = cur->next;
+    }
+
+    wc_UnLockMutex(&g_jniObjMapLock);
+    return obj;
+#endif
+}
+
 /* custom native fn prototypes */
 void NativeLoggingCallback(const int logLevel, const char *const logMessage);
 
@@ -89,6 +219,10 @@ JNIEXPORT jint JNICALL JNI_OnLoad(JavaVM* vm, void* reserved)
 
     /* store JavaVM */
     g_vm = vm;
+    if (wc_InitMutex(&g_jniObjMapLock) != 0) {
+        return JNI_ERR;
+    }
+    g_jniObjMapLockInit = 1;
 
     /* get JNIEnv from JavaVM */
     if ((*vm)->GetEnv(vm, (void**)&env, JNI_VERSION_1_6) != JNI_OK) {
@@ -235,6 +369,7 @@ JNIEXPORT void JNICALL JNI_OnUnload(JavaVM* vm, void* reserved)
     g_bufferArrayMethodId = NULL;
     g_bufferSetPositionMethodId = NULL;
     g_verifyCallbackMethodId = NULL;
+    wolfSSL_jni_objmap_cleanup();
 }
 
 /**
@@ -545,6 +680,58 @@ JNIEXPORT jint JNICALL Java_com_wolfssl_WolfSSL_getNID_1dnQualifier
     return NID_dnQualifier;
 }
 
+JNIEXPORT jint JNICALL Java_com_wolfssl_WolfSSL_getNID_1subject_1key_1identifier
+  (JNIEnv* jenv, jclass jcl)
+{
+    (void)jenv;
+    (void)jcl;
+
+#ifdef WOLFSSL_CERT_EXT
+    return NID_subject_key_identifier;
+#else
+    return 0;
+#endif
+}
+
+JNIEXPORT jint JNICALL Java_com_wolfssl_WolfSSL_getNID_1authority_1key_1identifier
+  (JNIEnv* jenv, jclass jcl)
+{
+    (void)jenv;
+    (void)jcl;
+
+#ifdef WOLFSSL_CERT_EXT
+    return NID_authority_key_identifier;
+#else
+    return 0;
+#endif
+}
+
+JNIEXPORT jint JNICALL Java_com_wolfssl_WolfSSL_getNID_1crl_1distribution_1points
+  (JNIEnv* jenv, jclass jcl)
+{
+    (void)jenv;
+    (void)jcl;
+
+#ifdef WOLFSSL_CERT_EXT
+    return NID_crl_distribution_points;
+#else
+    return 0;
+#endif
+}
+
+JNIEXPORT jint JNICALL Java_com_wolfssl_WolfSSL_getNID_1netscape_1cert_1type
+  (JNIEnv* jenv, jclass jcl)
+{
+    (void)jenv;
+    (void)jcl;
+
+#ifndef IGNORE_NETSCAPE_CERT_TYPE
+    return NID_netscape_cert_type;
+#else
+    return 0;
+#endif
+}
+
 /* functions to return BulkCipherAlgorithm enum values from ./wolfssl/ssl.h  */
 JNIEXPORT jint JNICALL Java_com_wolfssl_WolfSSL_getBulkCipherAlgorithmEnumNULL
   (JNIEnv* jenv, jclass jcl)