
wolfSSL: support both DER and PEM blobs

Message ID 20220429141837.67872-1-juliusz@wolfssl.com
State Accepted

Commit Message

Juliusz Sosinowicz April 29, 2022, 2:18 p.m. UTC
Add support for loading private keys and certificates in both PEM and DER formats with wolfSSL

Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
---
 src/crypto/tls_wolfssl.c | 40 ++++++++++++++++++++++++++++------------
 1 file changed, 28 insertions(+), 12 deletions(-)

Comments

Jouni Malinen May 1, 2022, 4:06 p.m. UTC | #1
On Fri, Apr 29, 2022 at 04:18:38PM +0200, Juliusz Sosinowicz wrote:
> Add support for loading private keys and certificates in both PEM and DER formats with wolfSSL

Thanks, applied.

>  	if (!ok && private_key) {
>  		if (wolfSSL_use_PrivateKey_file(conn->ssl, private_key,
> -						SSL_FILETYPE_PEM) <= 0) {
> +						SSL_FILETYPE_PEM) != SSL_SUCCESS) {
>  			wpa_printf(MSG_INFO,
>  				   "SSL: use private key PEM file failed");
>  			if (wolfSSL_use_PrivateKey_file(conn->ssl, private_key,
> -							SSL_FILETYPE_ASN1) <= 0)
> -			{
> +						SSL_FILETYPE_ASN1) != SSL_SUCCESS) {
>  				wpa_printf(MSG_INFO,
>  					   "SSL: use private key DER file failed");
> -			} else {
> -				ok = 1;
>  			}

Though, I dropped this removal of ok = 1 path to avoid breaking existing
functionality for the first wolfSSL_use_PrivateKey_file(PEM) call.

Patch

diff --git a/src/crypto/tls_wolfssl.c b/src/crypto/tls_wolfssl.c
index ed0b75769d..04e1e0e810 100644
--- a/src/crypto/tls_wolfssl.c
+++ b/src/crypto/tls_wolfssl.c
@@ -454,7 +454,13 @@  static int tls_connection_client_cert(struct tls_connection *conn,
 			    SSL_FILETYPE_ASN1) != SSL_SUCCESS) {
 			wpa_printf(MSG_INFO,
 				   "SSL: use client cert DER blob failed");
-			return -1;
+			if (wolfSSL_use_certificate_chain_buffer_format(
+				conn->ssl, client_cert_blob, blob_len,
+				SSL_FILETYPE_PEM) != SSL_SUCCESS) {
+				wpa_printf(MSG_INFO,
+					   "SSL: use client cert PEM blob failed");
+				return -1;
+			}
 		}
 		wpa_printf(MSG_DEBUG, "SSL: use client cert blob OK");
 		return 0;
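Review bot: The MSG_INFO message at the `"SSL: use client cert DER blob failed"` line now fires on every successful load of a PEM blob, because the PEM attempt only begins after the DER attempt has failed, so a routine fallback is reported as an INFO-level failure. Consider lowering that first-attempt message to MSG_DEBUG and keeping MSG_INFO only for the final failure, or choosing the format from the blob itself (a DER-encoded certificate begins with the ASN.1 SEQUENCE tag 0x30, a PEM one with the `-----BEGIN` marker) so only one parse is attempted and the log names the format that was actually tried. The same pattern applies to the private-key blob hunk (`"SSL: use private DER blob failed"`) and to the CA hunk (`"SSL: failed to load DER CA blob"`). tls_connection_client_cert starts before this hunk and continues past it.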
@@ -516,27 +522,34 @@  static int tls_connection_private_key(void *tls_ctx,
 	if (private_key_blob) {
 		if (wolfSSL_use_PrivateKey_buffer(conn->ssl,
 						  private_key_blob, blob_len,
-						  SSL_FILETYPE_ASN1) <= 0) {
+						  SSL_FILETYPE_ASN1) != SSL_SUCCESS) {
 			wpa_printf(MSG_INFO,
 				   "SSL: use private DER blob failed");
+			if (wolfSSL_use_PrivateKey_buffer(conn->ssl,
+						  private_key_blob, blob_len,
+						  SSL_FILETYPE_PEM) != SSL_SUCCESS) {
+				wpa_printf(MSG_INFO,
+					   "SSL: use private PEM blob failed");
+			}
+			else {
+				ok = 1;
+			}
 		} else {
-			wpa_printf(MSG_DEBUG, "SSL: use private key blob OK");
 			ok = 1;
 		}
+		if (ok)
+			wpa_printf(MSG_DEBUG, "SSL: use private key blob OK");
 	}
 
 	if (!ok && private_key) {
 		if (wolfSSL_use_PrivateKey_file(conn->ssl, private_key,
-						SSL_FILETYPE_PEM) <= 0) {
+						SSL_FILETYPE_PEM) != SSL_SUCCESS) {
 			wpa_printf(MSG_INFO,
 				   "SSL: use private key PEM file failed");
 			if (wolfSSL_use_PrivateKey_file(conn->ssl, private_key,
-							SSL_FILETYPE_ASN1) <= 0)
-			{
+						SSL_FILETYPE_ASN1) != SSL_SUCCESS) {
 				wpa_printf(MSG_INFO,
 					   "SSL: use private key DER file failed");
-			} else {
-				ok = 1;
 			}
 		} else {
 			ok = 1;
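Review bot: The `}` / `else {` split right after the `"SSL: use private PEM blob failed"` message breaks the K&R brace style used everywhere else in this function, including the `} else {` a few lines further down in the same hunk; it should read `} else {` on one line. The continuation lines of the nested wolfSSL_use_PrivateKey_buffer() call are also aligned to the outer call's open parenthesis rather than their own, which makes the two calls read as one. tls_connection_private_key starts before this hunk and its body, including the code that consumes ok, continues past the end of it.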
@@ -1178,10 +1191,13 @@  static int tls_connection_ca_cert(void *tls_ctx, struct tls_connection *conn,
 
 	if (ca_cert_blob) {
 		if (wolfSSL_CTX_load_verify_buffer(ctx, ca_cert_blob, blob_len,
-						   SSL_FILETYPE_ASN1) !=
-		    SSL_SUCCESS) {
-			wpa_printf(MSG_INFO, "SSL: failed to load CA blob");
-			return -1;
+							SSL_FILETYPE_ASN1) != SSL_SUCCESS) {
+			wpa_printf(MSG_INFO, "SSL: failed to load DER CA blob");
+			if (wolfSSL_CTX_load_verify_buffer(ctx, ca_cert_blob, blob_len,
+							SSL_FILETYPE_PEM) != SSL_SUCCESS) {
+				wpa_printf(MSG_INFO, "SSL: failed to load PEM CA blob");
+				return -1;
+			}
 		}
 		wpa_printf(MSG_DEBUG, "SSL: use CA cert blob OK");
 		return 0;
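Review bot: The rewrapped condition line `SSL_FILETYPE_ASN1) != SSL_SUCCESS) {` and the new `if (wolfSSL_CTX_load_verify_buffer(ctx, ca_cert_blob, blob_len,` line run past 80 columns once their tab indentation is counted, undoing the wrapping the removed lines had, while the rest of this file keeps to 80 columns. Keep the original split, `SSL_FILETYPE_ASN1) !=` on one line and `SSL_SUCCESS) {` on the next, and wrap the second call's arguments the same way. tls_connection_ca_cert starts before this hunk.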