Skip to content

Add cert/CRL capabilities: skid, akid, dist point, netscape #317

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
cconlon merged 1 commit into from
Feb 18, 2026
Merged

Add cert/CRL capabilities: skid, akid, dist point, netscape #317

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
21 changes: 21 additions & 0 deletions examples/certs/test/crl-dp-cert.pem
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
-----BEGIN CERTIFICATE-----
MIIDbTCCAlWgAwIBAgIUZqjaWzuAIDjJjqQW/x9Lyn5H2McwDQYJKoZIhvcNAQEL
BQAwOjEUMBIGA1UEAwwLVGVzdCBDUkwgRFAxFTATBgNVBAoMDHdvbGZTU0wgVGVz
dDELMAkGA1UEBhMCVVMwHhcNMjYwMjA5MTgxMTQzWhcNMjcwMjA5MTgxMTQzWjA6
MRQwEgYDVQQDDAtUZXN0IENSTCBEUDEVMBMGA1UECgwMd29sZlNTTCBUZXN0MQsw
CQYDVQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALP/1lo5
T10/LJAck3ImKvrinzS1oubA/YP/w2NTJLzlZQtbvNPW4WhY2LcuUWOSv/VmMSpq
J/mEqEn8P9CfIgtRo0z39+HJJ3aE3ClioH6fTpj284nHZnJdYQFy/9+T4DTLcuiJ
VILqRotqH06JRU4mhR2hqiw7YHI76BlPJAB9pVwGbit6BKWbF5vJRy440AYNCWjs
t/NEhrKnCJugaPqvyhH9ByWI8/wPeyFNXUpuEiZVg+rSYwPr0w4kVBRUVWnDxEam
WKEEPSM1CdY2LJGDT6Qjm6WyVQbWppu1mz6Dg+nvw+h125PyW4Cyim6HAFj3IJcI
6YcDC2lGep7PNmECAwEAAaNrMGkwCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwMAYD
VR0fBCkwJzAloCOgIYYfaHR0cDovL2NybC5leGFtcGxlLmNvbS90ZXN0LmNybDAd
BgNVHQ4EFgQUXEABbBfseiUjqacQWYMRluxQV+kwDQYJKoZIhvcNAQELBQADggEB
AF21pa2SQXeqmDtYLvhwNWpwpt814nRfejAzlLBLpJB8nf1NE89a53U7ELbZMPNj
tQC/ADNoNGFQmSaPNytXtHNslPM17kSWN+6/JFhKGcWHXgPPM4E5VOZ94H1BK4fh
PMCfMMh+826Y+RK/nsi4NnlmeJy5/QdRgbDfGY4ZZECssHSIbKPP7pgxH/YzDUd/
HIzf5vXeiUG7PXXJhzA38k1HRhuyxOYnsrLMYw/FsDOl/knhH9dF8f+XFVHuFfQv
GH9cm+btX0gM1EaBi1huQcYYNRp2BSa2qSjIeDRg5Bs4i5BENh7wVtZDheGD0SpE
3jhznnX5L4CwmLzlfQkARuU=
-----END CERTIFICATE-----
32 changes: 31 additions & 1 deletion examples/certs/update-certs.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -98,6 +98,37 @@ if [ $? -ne 0 ]; then
fi
printf "Generated ca-keyPkcs8.der\n"

# Generate CRL Distribution Points test cert
printf "Generating test/crl-dp-cert.pem\n"
mkdir -p test
TMP_DIR="$(mktemp -d)"
cat > "${TMP_DIR}/openssl.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = v3_req
prompt = no

[ dn ]
CN = Test CRL DP
O = wolfSSL Test
C = US

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
crlDistributionPoints = URI:http://crl.example.com/test.crl
EOF

openssl req -new -newkey rsa:2048 -nodes -x509 -days 365 \
-keyout "${TMP_DIR}/crl-dp-key.pem" -out test/crl-dp-cert.pem \
-config "${TMP_DIR}/openssl.cnf" >/dev/null 2>&1
if [ $? -ne 0 ]; then
printf "Failed to generate test/crl-dp-cert.pem\n"
rm -rf "${TMP_DIR}"
exit 1
fi
rm -rf "${TMP_DIR}"

# Remove text info from intermediate certs, causes issues on Android (WRONG TAG)
printf "Removing text info from intermediate certs\n"
sed -i.bak -n '/-----BEGIN CERTIFICATE-----/,$p' ca-cert.pem
Expand Down Expand Up @@ -131,4 +162,3 @@ else
fi

printf "\nFinished successfully\n"

52 changes: 52 additions & 0 deletions native/com_wolfssl_WolfSSL.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -545,6 +545,58 @@ JNIEXPORT jint JNICALL Java_com_wolfssl_WolfSSL_getNID_1dnQualifier
return NID_dnQualifier;
}

JNIEXPORT jint JNICALL Java_com_wolfssl_WolfSSL_getNID_1subject_1key_1identifier
(JNIEnv* jenv, jclass jcl)
{
(void)jenv;
(void)jcl;

#ifdef WOLFSSL_CERT_EXT
return NID_subject_key_identifier;
#else
return 0;
#endif
}

JNIEXPORT jint JNICALL Java_com_wolfssl_WolfSSL_getNID_1authority_1key_1identifier
(JNIEnv* jenv, jclass jcl)
{
(void)jenv;
(void)jcl;

#ifdef WOLFSSL_CERT_EXT
return NID_authority_key_identifier;
#else
return 0;
#endif
}

JNIEXPORT jint JNICALL Java_com_wolfssl_WolfSSL_getNID_1crl_1distribution_1points
(JNIEnv* jenv, jclass jcl)
{
(void)jenv;
(void)jcl;

#ifdef WOLFSSL_CERT_EXT
return NID_crl_distribution_points;
#else
return 0;
#endif
}

JNIEXPORT jint JNICALL Java_com_wolfssl_WolfSSL_getNID_1netscape_1cert_1type
(JNIEnv* jenv, jclass jcl)
{
(void)jenv;
(void)jcl;

#ifndef IGNORE_NETSCAPE_CERT_TYPE
return NID_netscape_cert_type;
#else
return 0;
#endif
}

/* functions to return BulkCipherAlgorithm enum values from ./wolfssl/ssl.h */
JNIEXPORT jint JNICALL Java_com_wolfssl_WolfSSL_getBulkCipherAlgorithmEnumNULL
(JNIEnv* jenv, jclass jcl)
Expand Down
46 changes: 46 additions & 0 deletions native/com_wolfssl_WolfSSL.h
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

10 changes: 7 additions & 3 deletions native/com_wolfssl_WolfSSLCRL.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -156,7 +156,7 @@ JNIEXPORT jint JNICALL Java_com_wolfssl_WolfSSLCRL_X509_1CRL_1set_1lastUpdate
}
else {
/* Extract length from bytes 32-35 (assuming native byte order) */
timeLen = *((int*)(timeBuf + CTC_DATE_SIZE));
XMEMCPY(&timeLen, timeBuf + CTC_DATE_SIZE, sizeof(timeLen));
if (timeLen <= 0 || timeLen > CTC_DATE_SIZE) {
ret = 0;
}
Expand Down Expand Up @@ -212,7 +212,7 @@ JNIEXPORT jint JNICALL Java_com_wolfssl_WolfSSLCRL_X509_1CRL_1set_1nextUpdate
}
else {
/* Extract length from bytes 32-35 (assuming native byte order) */
timeLen = *((int*)(timeBuf + CTC_DATE_SIZE));
XMEMCPY(&timeLen, timeBuf + CTC_DATE_SIZE, sizeof(timeLen));
if (timeLen <= 0 || timeLen > CTC_DATE_SIZE) {
ret = 0;
}
Expand Down Expand Up @@ -254,6 +254,8 @@ JNIEXPORT jint JNICALL Java_com_wolfssl_WolfSSLCRL_X509_1CRL_1add_1revoked
int serialSz = 0;
int ret = WOLFSSL_SUCCESS;
(void)jcl;

/* Note: date is not currently used until WOLFSSL_X509_REVOKED adds it. */
(void)revDate;
(void)dateFmt;

Expand Down Expand Up @@ -284,7 +286,9 @@ JNIEXPORT jint JNICALL Java_com_wolfssl_WolfSSLCRL_X509_1CRL_1add_1revoked

(*jenv)->ReleaseByteArrayElements(jenv, serial, (jbyte*)serialBuf,
JNI_ABORT);
wolfSSL_ASN1_INTEGER_free(serialInt);
if (serialInt != NULL) {
wolfSSL_ASN1_INTEGER_free(serialInt);
}

return ret;
#else
Expand Down
Loading
Loading