Merge remote-tracking branch 'upstream/master' into testing-fixes

Author: JeremiahM37

CLAUDE.md

@@ -9,7 +9,7 @@
 - All tests should pass without problems
 
 # Code Style
-- Keep lines under 80 characters maximum length
+- Maximum line length is 80 characters. Only break/wrap lines that would exceed 80 characters
 - MUST only use multi-line comments, no "//" style ones
 - MUST remove all trailing white space
 - Use 4 spaces for one tab, no hard tabs

examples/certs/test/crl-decode.der

@@ -0,0 +1,12 @@
+-----BEGIN X509 CRL-----
+MIIB1jCBvwIBATANBgkqhkiG9w0BAQsFADB9MQswCQYDVQQGEwJVUzEQMA4GA1UE
+CAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjEVMBMGA1UECgwMd29sZlNTTCBJ
+bmMuMRkwFwYDVQQLDBBEZXZlbG9wbWVudCBUZXN0MRgwFgYDVQQDDA93b2xmU1NM
+IFRlc3QgQ0EXDTI2MDIxOTAwMzYyMloXDTM2MDIxNzAwMzYyMlqgDjAMMAoGA1Ud
+FAQDAgEBMA0GCSqGSIb3DQEBCwUAA4IBAQCvwOGtRd31ztiKj6SPIe3Oo0bW0MC+
+bBqd5oCpupUR9qEdV391PNT2F/h6P61asKJbj5ItPoFAKjOKmCFm6UvJp24ypxmr
+n3pbvjFH+ki77+3fyzvZmkbyQC5vrdb8X9dEvwk3/z98x9QB47d2zVyQLMG9ZEHT
+uTQXL9liz8V1q2BHy3V8/wwsPJhZTm3sViayixQA80YOtp1+7K08GnOhvAr78Vqd
+CvN4lY3GUkzgjt6n4gFSrsahIAyGb7hZ9opSQBAO/SMg1P6J85bYshTWSiD6aLCY
+uUxLGPkJSEKdqQph/vAr4JifZQIaIHY9oP4HmDHw8ChFlvz571YHyDLV
+-----END X509 CRL-----

examples/certs/test/crl-decode.pem

@@ -148,6 +148,62 @@ rm intermediate/ca-int-ecc-cert.pem.bak
 rm intermediate/server-int-cert.pem.bak
 rm intermediate/server-int-ecc-cert.pem.bak
 
+# Generate test CRL (PEM and DER) for WolfSSLCRL decode testing.
+# Creates a self-signed CA, revokes a dummy serial, produces CRL in
+# both PEM and DER formats under test/.
+printf "\nGenerating test CRL for CRL decode testing...\n"
+TMP_DIR="$(mktemp -d)"
+
+# CA key + self-signed cert
+openssl genrsa -out "${TMP_DIR}/crl-test-ca-key.pem" 2048 2>/dev/null
+openssl req -x509 -new -nodes \
+  -key "${TMP_DIR}/crl-test-ca-key.pem" \
+  -sha256 -days 3650 \
+  -subj "/C=US/ST=Montana/L=Bozeman/O=wolfSSL Inc./OU=Development Test/CN=wolfSSL Test CA" \
+  -out "${TMP_DIR}/crl-test-ca-cert.pem" 2>/dev/null
+
+# CRL index / database files required by openssl ca
+touch "${TMP_DIR}/index.txt"
+echo "01" > "${TMP_DIR}/crlnumber"
+
+cat > "${TMP_DIR}/openssl-ca.cnf" <<EOF
+[ ca ]
+default_ca = CA_default
+
+[ CA_default ]
+database       = ${TMP_DIR}/index.txt
+crlnumber      = ${TMP_DIR}/crlnumber
+default_md     = sha256
+default_crl_days = 3650
+
+[ crl_ext ]
+authorityKeyIdentifier = keyid:always
+EOF
+
+# Generate CRL with empty revocation list. Decode tests only need to parse
+# the CRL structure (issuer, signature, dates, etc.), not iterate entries.
+openssl ca -gencrl \
+  -keyfile "${TMP_DIR}/crl-test-ca-key.pem" \
+  -cert "${TMP_DIR}/crl-test-ca-cert.pem" \
+  -config "${TMP_DIR}/openssl-ca.cnf" \
+  -out test/crl-decode.pem 2>/dev/null
+if [ $? -ne 0 ]; then
+    printf "Failed to generate test/crl-decode.pem\n"
+    rm -rf "${TMP_DIR}"
+    exit 1
+fi
+
+# Convert PEM CRL to DER
+openssl crl -in test/crl-decode.pem -outform DER \
+  -out test/crl-decode.der 2>/dev/null
+if [ $? -ne 0 ]; then
+    printf "Failed to generate test/crl-decode.der\n"
+    rm -rf "${TMP_DIR}"
+    exit 1
+fi
+rm -rf "${TMP_DIR}"
+printf "Generated test/crl-decode.pem and test/crl-decode.der\n"
+
 # Generate SAN test certificates for WolfSSLAltName testing
 printf "\nGenerating SAN test certificates...\n"
 SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"

examples/certs/update-certs.sh

@@ -26,6 +26,8 @@
     #include <wolfssl/options.h>
 #endif
 #include <wolfssl/wolfcrypt/rsa.h>
+#include <wolfssl/wolfcrypt/hash.h>
+#include <wolfssl/wolfcrypt/error-crypt.h>
 
 #include "com_wolfssl_WolfCryptRSA.h"
 
@@ -214,6 +216,189 @@ JNIEXPORT jint JNICALL Java_com_wolfssl_WolfCryptRSA_doEnc
     return ret;
 }
 
+JNIEXPORT jint JNICALL Java_com_wolfssl_WolfCryptRSA_doPssSign
+  (JNIEnv* jenv, jobject jcl, jobject in, jlong inSz, jobject out, jintArray outSz, jint hash, jint mgf, jobject keyDer, jlong keySz)
+{
+#ifdef WC_RSA_PSS
+    int     ret;
+    WC_RNG  rng;
+    RsaKey  myKey;
+    int     rngInit = 0;
+    int     keyInit = 0;
+    unsigned int idx = 0;
+    unsigned int tmpOut;
+    unsigned char* inBuf = NULL;
+    unsigned char* outBuf = NULL;
+    unsigned char* keyBuf = NULL;
+    enum wc_HashType hashType;
+    (void)jcl;
+
+    if ((inSz  < 0) || (keySz < 0)) {
+        return -1;
+    }
+
+    inBuf = (*jenv)->GetDirectBufferAddress(jenv, in);
+    if (inBuf == NULL) {
+        printf("problem getting in buffer address\n");
+        return -1;
+    }
+
+    outBuf = (*jenv)->GetDirectBufferAddress(jenv, out);
+    if (outBuf == NULL) {
+        printf("problem getting out buffer address\n");
+        return -1;
+    }
+
+    keyBuf = (*jenv)->GetDirectBufferAddress(jenv, keyDer);
+    if (keyBuf == NULL) {
+        printf("problem getting key buffer address\n");
+        return -1;
+    }
+
+    hashType = wc_OidGetHash(hash);
+    if (hashType == WC_HASH_TYPE_NONE) {
+        printf("doPssSign: unsupported hash OID %d\n", hash);
+        return -1;
+    }
+
+    /* get output buffer size */
+    (*jenv)->GetIntArrayRegion(jenv, outSz, 0, 1, (jint*)&tmpOut);
+
+    ret = wc_InitRng(&rng);
+    if (ret != 0) {
+        printf("wc_InitRng failed, ret = %d\n", ret);
+        return ret;
+    }
+    rngInit = 1;
+
+    ret = wc_InitRsaKey(&myKey, NULL);
+    if (ret != 0) {
+        printf("wc_InitRsaKey failed, ret = %d\n", ret);
+        wc_FreeRng(&rng);
+        return ret;
+    }
+    keyInit = 1;
+
+    ret = wc_RsaPrivateKeyDecode(keyBuf, &idx, &myKey, (unsigned int)keySz);
+    if (ret == 0) {
+
+        ret = wc_RsaPSS_Sign(inBuf, (unsigned int)inSz, outBuf, tmpOut,
+            hashType, mgf, &myKey, &rng);
+        if (ret > 0) {
+            tmpOut = ret;
+            (*jenv)->SetIntArrayRegion(jenv, outSz, 0, 1, (jint*)&tmpOut);
+            ret = 0;
+        }
+    } else {
+        printf("wc_RsaPrivateKeyDecode failed, ret = %d\n", ret);
+    }
+
+    if (keyInit) {
+        wc_FreeRsaKey(&myKey);
+    }
+    if (rngInit) {
+        wc_FreeRng(&rng);
+    }
+
+    return ret;
+#else
+    (void)jenv;
+    (void)jcl;
+    (void)in;
+    (void)inSz;
+    (void)out;
+    (void)outSz;
+    (void)hash;
+    (void)mgf;
+    (void)keyDer;
+    (void)keySz;
+    return (jint)NOT_COMPILED_IN;
+#endif /* WC_RSA_PSS */
+}
+
+JNIEXPORT jint JNICALL Java_com_wolfssl_WolfCryptRSA_doPssVerify
+  (JNIEnv* jenv, jobject jcl, jobject sig, jlong sigSz, jobject out, jlong outSz, jint hash, jint mgf, jobject keyDer, jlong keySz)
+{
+#ifdef WC_RSA_PSS
+    int     ret;
+    RsaKey  myKey;
+    unsigned int idx = 0;
+    unsigned char* sigBuf = NULL;
+    unsigned char* outBuf = NULL;
+    unsigned char* keyBuf = NULL;
+    enum wc_HashType hashType;
+    (void)jcl;
+
+    if ((sigSz < 0) || (keySz < 0) || (outSz < 0)) {
+        return -1;
+    }
+
+    sigBuf = (*jenv)->GetDirectBufferAddress(jenv, sig);
+    if (sigBuf == NULL) {
+        printf("problem getting sig buffer address\n");
+        return -1;
+    }
+
+    outBuf = (*jenv)->GetDirectBufferAddress(jenv, out);
+    if (outBuf == NULL) {
+        printf("problem getting out buffer address\n");
+        return -1;
+    }
+
+    keyBuf = (*jenv)->GetDirectBufferAddress(jenv, keyDer);
+    if (keyBuf == NULL) {
+        printf("problem getting key buffer address\n");
+        return -1;
+    }
+
+    hashType = wc_OidGetHash(hash);
+    if (hashType == WC_HASH_TYPE_NONE) {
+        printf("doPssVerify: unsupported hash OID %d\n", hash);
+        return -1;
+    }
+
+    ret = wc_InitRsaKey(&myKey, NULL);
+    if (ret != 0) {
+        printf("wc_InitRsaKey failed, ret = %d\n", ret);
+        return ret;
+    }
+
+    /* Try private key decode first (sign check receives the server private),
+     * fall back to public key decode (verify receives the peer public) */
+    ret = wc_RsaPrivateKeyDecode(keyBuf, &idx, &myKey, (unsigned int)keySz);
+    if (ret != 0) {
+        idx = 0;
+        ret = wc_RsaPublicKeyDecode(keyBuf, &idx, &myKey, (unsigned int)keySz);
+    }
+
+    if (ret == 0) {
+        ret = wc_RsaPSS_Verify(sigBuf, (unsigned int)sigSz, outBuf,
+            (unsigned int)outSz, hashType, mgf, &myKey);
+        if (ret < 0) {
+            printf("wc_RsaPSS_Verify failed, ret = %d\n", ret);
+        }
+    } else {
+        printf("RSA key decode failed, ret = %d\n", ret);
+    }
+
+    wc_FreeRsaKey(&myKey);
+
+    return ret;
+#else
+    (void)jenv;
+    (void)jcl;
+    (void)sig;
+    (void)sigSz;
+    (void)out;
+    (void)outSz;
+    (void)hash;
+    (void)mgf;
+    (void)keyDer;
+    (void)keySz;
+    return (jint)NOT_COMPILED_IN;
+#endif /* WC_RSA_PSS */
+}
+
 JNIEXPORT jint JNICALL Java_com_wolfssl_WolfCryptRSA_doDec
   (JNIEnv* jenv, jobject jcl, jobject in, jlong inSz, jobject out,
    jlong outSz, jobject keyDer, jlong keySz)