Merge pull request #323 from padelsbach/aia-updates

Extend AIA interface

Author: cconlon

examples/certs/aia/multi-aia-cert.pem

@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIDwTCCAqmgAwIBAgIUEcNoHSMtIkVhW/MmkmUEsVoJVQEwDQYJKoZIhvcNAQEL
+BQAwITEfMB0GA1UEAwwWd29sZnNzbC1haWEtbXVsdGktdGVzdDAeFw0yNjAxMjcw
+MTUwNDRaFw0yNzAxMjcwMTUwNDRaMCExHzAdBgNVBAMMFndvbGZzc2wtYWlhLW11
+bHRpLXRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCpVdogPQ2I
+/nErbxSaNGoYhkwoj1qt+Be1/qWnvZzJ0EBOG4EdioMRIkJzP6W3HoAhkGBrueXf
+riN07M3XLocRfE+9C1+jZQxBGRxysns9z7K+i0pBtPN/AXV2RCSz13FFyVyLhLks
+2YAL9By36X9R0wsL+Nd4EAQ4ouf0GglmTmtb5rHf2GIno4xFg9tpWosiUTytwgDC
+K9lQEQnTnPG6E43N2bszqBc4roOPrYDnd7raNTqcv9yTHM8zwffGJuCogE/Fbr2R
+yVubLW28n5/O1Pb47hHuPJv6oHMZgct2SV5OB/mwVgI0eoFMSQZ35o6BpHD0C497
+L2IcoMi8A9rFAgMBAAGjgfAwge0wDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAoQw
+gbAGCCsGAQUFBwEBBIGjMIGgMCIGCCsGAQUFBzABhhZodHRwOi8vMTI3LjAuMC4x
+OjIyMjIxMCIGCCsGAQUFBzABhhZodHRwOi8vMTI3LjAuMC4xOjIyMjIyMCkGCCsG
+AQUFBzAChh1odHRwOi8vd3d3LndvbGZzc2wuY29tL2NhLnBlbTArBggrBgEFBQcw
+AoYfaHR0cHM6Ly93d3cud29sZnNzbC5jb20vY2EyLnBlbTAdBgNVHQ4EFgQU1GNm
+eP/LXQk0tFaTeWoNHyLhLZkwDQYJKoZIhvcNAQELBQADggEBACwuXdKYI2Q/Vhd7
+TJFvKdp7BuUopQGEQ+4vR+FoesYXc9MHjZJfMqEffv1MArTeY46At/zvcTeszagi
+io+jjGBLOutsAf9WK3PnKMIkGGfro6btZ8QFyKiZ6unMMlqe6cGqrCrNKp8jLP3k
+CKZltR5c+MIPhpjoOhNDMOcPMwZBGQJWubwOb4uOu3wv7UWJk/ovKP9WJCUn6wLH
+soDs+MHMICkxOvDfPf+F4URVqTbzE8IvSMv38z4cAqsyEfWxr32Dg34S/NmeePFV
+7sSDpksvyITGsxjnQulSuUFSmldumQ6GnA4ZUXvCNdJ0zbD/Iib9ud6K05VdWYZP
+uyCRkjY=
+-----END CERTIFICATE-----

examples/certs/aia/overflow-aia-cert.pem

@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----
+MIIEcDCCA1igAwIBAgIUN5kIU1GLRP5bRKctP271p7IGFVowDQYJKoZIhvcNAQEL
+BQAwJDEiMCAGA1UEAwwZd29sZnNzbC1haWEtb3ZlcmZsb3ctdGVzdDAeFw0yNjAx
+MjcwMTU1NTBaFw0yNzAxMjcwMTU1NTBaMCQxIjAgBgNVBAMMGXdvbGZzc2wtYWlh
+LW92ZXJmbG93LXRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDS
+eHeAzVuCe44SU8bcyIWLwkA2AABw/ctSBWKAFEd7DYHduRr3diblHERU1Fv5JzYx
+JnZquj1IO/qsnSFJYDc9sQmYea89iW8KNPVXKDzdbzhpiQLZL7Yq71ICxxqVLfRr
+91lyAj0+Syncrp96olSpMJochVnQ6PqLcc/Gq7CMtrKn5KAN7Mn3+LdAQYU8JjRa
+zqEJ8fmkBKbS5watzgnkP2o5jWSpWzpDOxTdw85hju4H9m5Gmun3XVO9dEAN/dqK
+vklkzgQGvAMMQMIcgOzw0HxAuvsSNtjgEpIlOir0M7YiC0pYqtMO+thSCmVCvsDR
+/nG/iqe6YBSXh6oszGwTAgMBAAGjggGYMIIBlDAMBgNVHRMEBTADAQH/MAsGA1Ud
+DwQEAwIChDCCAVYGCCsGAQUFBwEBBIIBSDCCAUQwIgYIKwYBBQUHMAGGFmh0dHA6
+Ly8xMjcuMC4wLjE6MjIyMjAwIgYIKwYBBQUHMAGGFmh0dHA6Ly8xMjcuMC4wLjE6
+MjIyMjEwIgYIKwYBBQUHMAGGFmh0dHA6Ly8xMjcuMC4wLjE6MjIyMjIwIgYIKwYB
+BQUHMAGGFmh0dHA6Ly8xMjcuMC4wLjE6MjIyMjMwIgYIKwYBBQUHMAGGFmh0dHA6
+Ly8xMjcuMC4wLjE6MjIyMjQwIgYIKwYBBQUHMAGGFmh0dHA6Ly8xMjcuMC4wLjE6
+MjIyMjUwIgYIKwYBBQUHMAGGFmh0dHA6Ly8xMjcuMC4wLjE6MjIyMjYwIgYIKwYB
+BQUHMAGGFmh0dHA6Ly8xMjcuMC4wLjE6MjIyMjcwIgYIKwYBBQUHMAGGFmh0dHA6
+Ly8xMjcuMC4wLjE6MjIyMjgwHQYDVR0OBBYEFJt6TNgqMFBebotXaauIYPpUJi1S
+MA0GCSqGSIb3DQEBCwUAA4IBAQA5noHB343sKQqVmmLds0gC/k1UhVA5iftAGmes
+uRdNOOCdo2i739DmRAXggetgtatcjDfjxkrvq0Qi+geozZra6uX9FT/hgfw6kDpU
+HKzJFy4E0G0HTM8mtJi+aGDZL3Lts+h272eahkT1jVKGAPFugqfz7fKRsMce6eCE
+UD5cvtQXX16fGhBxxmUCZPnxMKcj2oNl7RliHphK6ofXuNbKjqjVQfxsTUXSQDyS
+ApH5w6iUnAvC5l19qYrBcCVOB6CNJ2CdmvFI//Ox8Jc56HRYYDIdVp2Q3FFA5Z4s
+gTLvlumVgihAekD+0zVF9q+AJ4TSbE3cqsQgHF/+p84KxWid
+-----END CERTIFICATE-----

native/com_wolfssl_WolfSSLCertificate.c

@@ -1736,6 +1736,75 @@ static int addEkuOid(JNIEnv* jenv, jobjectArray ret, int idx,
     return idx;
 }
 
+#if !defined(WOLFCRYPT_ONLY) && !defined(NO_CERTS) && \
+    (defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL) || \
+     defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)) && \
+    ((LIBWOLFSSL_VERSION_HEX > 0x05008004) || \
+     defined(WOLFSSL_PR9728_PATCH_APPLIED))
+
+static jobjectArray stackStringToArray(JNIEnv* jenv, jclass jcl,
+    WOLF_STACK_OF(WOLFSSL_STRING)* sk)
+{
+    jobjectArray ret = NULL;
+    jclass stringClass = NULL;
+    int count;
+    int i;
+
+    if (jenv == NULL || sk == NULL) {
+        return NULL;
+    }
+
+    count = wolfSSL_sk_WOLFSSL_STRING_num(sk);
+    if (count <= 0) {
+        wolfSSL_X509_email_free(sk);
+        return NULL;
+    }
+
+    stringClass = (*jenv)->FindClass(jenv, "java/lang/String");
+    if (stringClass == NULL) {
+        wolfSSL_X509_email_free(sk);
+        return NULL;
+    }
+
+    ret = (*jenv)->NewObjectArray(jenv, count, stringClass, NULL);
+    if (ret == NULL) {
+        (*jenv)->DeleteLocalRef(jenv, stringClass);
+        wolfSSL_X509_email_free(sk);
+        return NULL;
+    }
+
+    for (i = 0; i < count; i++) {
+        const char* str = wolfSSL_sk_WOLFSSL_STRING_value(sk, i);
+        jstring jstr = (*jenv)->NewStringUTF(jenv, (str != NULL) ? str : "");
+        if (jstr == NULL) {
+            (*jenv)->DeleteLocalRef(jenv, ret);
+            (*jenv)->DeleteLocalRef(jenv, stringClass);
+            wolfSSL_X509_email_free(sk);
+            (*jenv)->ThrowNew(jenv, jcl,
+                "Failed to create String in native AIA getter");
+            return NULL;
+        }
+
+        (*jenv)->SetObjectArrayElement(jenv, ret, i, jstr);
+        (*jenv)->DeleteLocalRef(jenv, jstr);
+        if ((*jenv)->ExceptionOccurred(jenv)) {
+            (*jenv)->ExceptionDescribe(jenv);
+            (*jenv)->ExceptionClear(jenv);
+            (*jenv)->DeleteLocalRef(jenv, ret);
+            (*jenv)->DeleteLocalRef(jenv, stringClass);
+            wolfSSL_X509_email_free(sk);
+            (*jenv)->ThrowNew(jenv, jcl,
+                "Failed to set String[] element in native AIA getter");
+            return NULL;
+        }
+    }
+
+    (*jenv)->DeleteLocalRef(jenv, stringClass);
+    wolfSSL_X509_email_free(sk);
+    return ret;
+}
+#endif
+
 JNIEXPORT jobjectArray JNICALL Java_com_wolfssl_WolfSSLCertificate_X509_1get_1extended_1key_1usage
   (JNIEnv* jenv, jclass jcl, jlong x509Ptr)
 {
@@ -1800,6 +1869,87 @@ JNIEXPORT jobjectArray JNICALL Java_com_wolfssl_WolfSSLCertificate_X509_1get_1ex
     return ret;
 }
 
+JNIEXPORT jobjectArray JNICALL
+Java_com_wolfssl_WolfSSLCertificate_X509_1get1_1ocsp
+  (JNIEnv* jenv, jclass jcl, jlong x509Ptr)
+{
+    /* AIA API extensions were added after wolfSSL 5.8.4 in PR 9728. Version
+     * check must be greater than 5.8.4 or patch from PR 9728 must be applied
+     * and WOLFSSL_PR9728_PATCH_APPLIED defined when compiling this wrapper. */
+#if !defined(WOLFCRYPT_ONLY) && !defined(NO_CERTS) && \
+    (defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL) || \
+     defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)) && \
+    ((LIBWOLFSSL_VERSION_HEX > 0x05008004) || \
+     defined(WOLFSSL_PR9728_PATCH_APPLIED))
+    WOLFSSL_X509* x509 = (WOLFSSL_X509*)(uintptr_t)x509Ptr;
+    WOLF_STACK_OF(WOLFSSL_STRING)* sk = NULL;
+
+    if (jenv == NULL || x509 == NULL) {
+        return NULL;
+    }
+
+    sk = wolfSSL_X509_get1_ocsp(x509);
+    return stackStringToArray(jenv, jcl, sk);
+#else
+    (void)jenv;
+    (void)jcl;
+    (void)x509Ptr;
+    return NULL;
+#endif
+}
+
+JNIEXPORT jint JNICALL
+Java_com_wolfssl_WolfSSLCertificate_X509_1get_1aia_1overflow
+  (JNIEnv* jenv, jclass jcl, jlong x509Ptr)
+{
+#if !defined(WOLFCRYPT_ONLY) && !defined(NO_CERTS) && \
+    (defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL) || \
+     defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)) && \
+    ((LIBWOLFSSL_VERSION_HEX > 0x05008004) || \
+     defined(WOLFSSL_PR9728_PATCH_APPLIED))
+    WOLFSSL_X509* x509 = (WOLFSSL_X509*)(uintptr_t)x509Ptr;
+    (void)jcl;
+
+    if (jenv == NULL || x509 == NULL) {
+        return 0;
+    }
+
+    return (jint)wolfSSL_X509_get_aia_overflow(x509);
+#else
+    (void)jenv;
+    (void)jcl;
+    (void)x509Ptr;
+    return (jint)NOT_COMPILED_IN;
+#endif
+}
+
+JNIEXPORT jobjectArray JNICALL
+Java_com_wolfssl_WolfSSLCertificate_X509_1get1_1ca_1issuers
+  (JNIEnv* jenv, jclass jcl, jlong x509Ptr)
+{
+#if !defined(WOLFCRYPT_ONLY) && !defined(NO_CERTS) && \
+    (defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL) || \
+     defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)) && \
+    defined(WOLFSSL_ASN_CA_ISSUER) && \
+    ((LIBWOLFSSL_VERSION_HEX > 0x05008004) || \
+     defined(WOLFSSL_PR9728_PATCH_APPLIED))
+    WOLFSSL_X509* x509 = (WOLFSSL_X509*)(uintptr_t)x509Ptr;
+    WOLF_STACK_OF(WOLFSSL_STRING)* sk = NULL;
+
+    if (jenv == NULL || x509 == NULL) {
+        return NULL;
+    }
+
+    sk = wolfSSL_X509_get1_ca_issuers(x509);
+    return stackStringToArray(jenv, jcl, sk);
+#else
+    (void)jenv;
+    (void)jcl;
+    (void)x509Ptr;
+    return NULL;
+#endif
+}
+
 JNIEXPORT jbyteArray JNICALL Java_com_wolfssl_WolfSSLCertificate_X509_1get_1extension
   (JNIEnv* jenv, jclass jcl, jlong x509Ptr, jstring oidIn)
 {
@@ -2385,4 +2535,3 @@ JNIEXPORT jlong JNICALL Java_com_wolfssl_WolfSSLCertificate_X509_1get_1ext_1d2i_
     return 0;
 #endif
 }
-

native/com_wolfssl_WolfSSLCertificate.h

@@ -103,6 +103,9 @@ public class WolfSSLCertificate implements Serializable {
     static native int X509_verify(long x509, byte[] pubKey, int pubKeySz);
     static native boolean[] X509_get_key_usage(long x509);
     static native String[] X509_get_extended_key_usage(long x509);
+    static native String[] X509_get1_ocsp(long x509);
+    static native int X509_get_aia_overflow(long x509);
+    static native String[] X509_get1_ca_issuers(long x509);
     static native byte[] X509_get_extension(long x509, String oid);
     static native int X509_is_extension_set(long x509, String oid);
     static native String X509_get_next_altname(long x509);
@@ -1631,6 +1634,69 @@ public String[] getExtendedKeyUsage() throws IllegalStateException {
         }
     }
 
+    /**
+     * Get OCSP responder URIs from the certificate Authority Information
+     * Access (AIA) extension.
+     *
+     * @return Array of OCSP responder URIs, or null if not present.
+     *
+     * @throws IllegalStateException if WolfSSLCertificate has been freed
+     */
+    public String[] getOcspUris() throws IllegalStateException {
+
+        confirmObjectIsActive();
+
+        synchronized (x509Lock) {
+            WolfSSLDebug.log(getClass(), WolfSSLDebug.Component.JNI,
+                WolfSSLDebug.INFO, this.x509Ptr,
+                () -> "entering getOcspUris()");
+
+            return X509_get1_ocsp(this.x509Ptr);
+        }
+    }
+
+    /**
+     * Check if AIA parsing overflowed the internal URI list.
+     *
+     * @return 1 if AIA parsing overflowed, 0 if not, or
+     *         WolfSSL.NOT_COMPILED_IN if not available.
+     *
+     * @throws IllegalStateException if WolfSSLCertificate has been freed
+     */
+    public int getAiaOverflow() throws IllegalStateException {
+
+        confirmObjectIsActive();
+
+        synchronized (x509Lock) {
+            WolfSSLDebug.log(getClass(), WolfSSLDebug.Component.JNI,
+                WolfSSLDebug.INFO, this.x509Ptr,
+                () -> "entering getAiaOverflow()");
+
+            return X509_get_aia_overflow(this.x509Ptr);
+        }
+    }
+
+    /**
+     * Get CA Issuer URIs from the certificate Authority Information Access
+     * (AIA) extension.
+     *
+     * @return Array of CA Issuer URIs, or null if not present.
+     *
+     * @throws IllegalStateException if WolfSSLCertificate has been freed
+     */
+    public String[] getCaIssuerUris() throws IllegalStateException {
+
+        confirmObjectIsActive();
+
+        synchronized (x509Lock) {
+            WolfSSLDebug.log(getClass(), WolfSSLDebug.Component.JNI,
+                WolfSSLDebug.INFO, this.x509Ptr,
+                () -> "entering getCaIssuerUris()");
+
+            return X509_get1_ca_issuers(this.x509Ptr);
+        }
+    }
+
     /**
      * Get DER encoded extension value from a specified OID
      *
@@ -2246,4 +2312,3 @@ protected void finalize() throws Throwable
         super.finalize();
     }
 }
-