diff --git a/IDE/Android/app/src/main/cpp/CMakeLists.txt b/IDE/Android/app/src/main/cpp/CMakeLists.txt index f22d92c0..4202591f 100644 --- a/IDE/Android/app/src/main/cpp/CMakeLists.txt +++ b/IDE/Android/app/src/main/cpp/CMakeLists.txt @@ -255,8 +255,14 @@ aux_source_directory(${wolfssl_DIR}/src TLS_SOURCES) list(REMOVE_ITEM TLS_SOURCES ${wolfssl_DIR}/src/bio.c) list(REMOVE_ITEM TLS_SOURCES ${wolfssl_DIR}/src/conf.c) list(REMOVE_ITEM TLS_SOURCES ${wolfssl_DIR}/src/pk.c) +list(REMOVE_ITEM TLS_SOURCES ${wolfssl_DIR}/src/pk_ec.c) +list(REMOVE_ITEM TLS_SOURCES ${wolfssl_DIR}/src/pk_rsa.c) list(REMOVE_ITEM TLS_SOURCES ${wolfssl_DIR}/src/ssl_bn.c) +list(REMOVE_ITEM TLS_SOURCES ${wolfssl_DIR}/src/ssl_api_cert.c) +list(REMOVE_ITEM TLS_SOURCES ${wolfssl_DIR}/src/ssl_api_crl_ocsp.c) +list(REMOVE_ITEM TLS_SOURCES ${wolfssl_DIR}/src/ssl_api_pk.c) list(REMOVE_ITEM TLS_SOURCES ${wolfssl_DIR}/src/ssl_asn1.c) +list(REMOVE_ITEM TLS_SOURCES ${wolfssl_DIR}/src/ssl_ech.c) list(REMOVE_ITEM TLS_SOURCES ${wolfssl_DIR}/src/ssl_certman.c) list(REMOVE_ITEM TLS_SOURCES ${wolfssl_DIR}/src/ssl_crypto.c) list(REMOVE_ITEM TLS_SOURCES ${wolfssl_DIR}/src/ssl_load.c) @@ -271,6 +277,7 @@ if ("${WOLFSSL_PKG_TYPE}" MATCHES "normal") # Add crypto sources to CRYPTO_SOURCES, remove files that are included inline by other files aux_source_directory(${wolfssl_DIR}/wolfcrypt/src CRYPTO_SOURCES) list(REMOVE_ITEM CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/evp.c) + list(REMOVE_ITEM CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/evp_pk.c) list(REMOVE_ITEM CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/misc.c) elseif("${WOLFSSL_PKG_TYPE}" MATCHES "fipsready") diff --git a/jni/jni_wolfssl_x509_store_ctx.c b/jni/jni_wolfssl_x509_store_ctx.c index fd21b5bc..7f3d9ba1 100644 --- a/jni/jni_wolfssl_x509_store_ctx.c +++ b/jni/jni_wolfssl_x509_store_ctx.c 
@@ -447,6 +447,16 @@ JNIEXPORT jobjectArray JNICALL Java_com_wolfssl_wolfcrypt_WolfSSLX509StoreCtx_wo return NULL; } + /* When USE_CHECK_TIME is set (custom verification date), clear + * NO_CHECK_TIME from ctx->param so X509StoreVerifyCertDate() + * validates cert dates against check_time. NO_CHECK_TIME is still set on + * store->param so X509StoreAddCa() can still accept expired certs + * into the store. */ + if (ctx->param != NULL && + (ctx->param->flags & WOLFSSL_USE_CHECK_TIME) != 0) { + ctx->param->flags &= (unsigned long)(~WOLFSSL_NO_CHECK_TIME); + } + /* Set max path length if specified. * Depth = max intermediates + 1 for root CA. * Check for overflow when adding 1 to maxPathLength. */ diff --git a/src/main/java/com/wolfssl/provider/jce/WolfCryptPKIXCertPathBuilder.java b/src/main/java/com/wolfssl/provider/jce/WolfCryptPKIXCertPathBuilder.java index 27fcb833..17d317f0 100644 --- a/src/main/java/com/wolfssl/provider/jce/WolfCryptPKIXCertPathBuilder.java +++ b/src/main/java/com/wolfssl/provider/jce/WolfCryptPKIXCertPathBuilder.java @@ -59,7 +59,6 @@ import com.wolfssl.wolfcrypt.Fips; import com.wolfssl.wolfcrypt.WolfCrypt; -import com.wolfssl.wolfcrypt.WolfSSLCertManager; import com.wolfssl.wolfcrypt.WolfSSLX509StoreCtx; import com.wolfssl.wolfcrypt.WolfCryptException; 
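Review bot: The new block writes `ctx->param->flags` directly, which is only safe if `ctx->param` is a separate object from `store->param`. The added comment says NO_CHECK_TIME stays set on the store, but nothing visible in the hunk establishes that. If the two could alias in any supported wolfSSL version, clearing the bit here would also change how the store treats expired certificates on later additions, so I would state the assumption, e.g. `/* ctx->param is allocated per-ctx and never aliases store->param */`. The flag macros and the struct field are also used without a visible feature guard, while the Java tests gate on `isStoreCheckTimeSupported()`; please confirm this code is only compiled when check_time support exists. The enclosing function starts and ends outside the hunk.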
@@ -524,77 +523,6 @@ private TrustAnchor findPathTrustAnchor(List path, return anchor; } - /** - * Validate the built certificate path. - * - * @param path the certificate path to validate - * @param params the PKIX builder parameters - * @param anchor the trust anchor - * - * @throws CertPathBuilderException if validation fails - */ - private void validatePath(List path, - PKIXBuilderParameters params, TrustAnchor anchor) - throws CertPathBuilderException { - - WolfSSLCertManager cm = null; - - log("validating built path (" + path.size() + " certificates)"); - - if (path == null || anchor == null) { - throw new CertPathBuilderException( - "Path or TrustAnchor is null"); - } - - try { - cm = new WolfSSLCertManager(); - - /* Load trust anchor as CA */ - X509Certificate anchorCert = anchor.getTrustedCert(); - if (anchorCert != null) { - cm.CertManagerLoadCA(anchorCert); - log("loaded trust anchor: " + - anchorCert.getSubjectX500Principal().getName()); - } - - /* Verify certificates from top (closest to anchor) to target */ - for (int i = path.size() - 1; i >= 0; i--) { - X509Certificate cert = path.get(i); - - try { - cm.CertManagerVerify(cert); - log("verified: " + - cert.getSubjectX500Principal().getName()); - - } catch (WolfCryptException e) { - throw new CertPathBuilderException( - "Certificate verification failed: " + - cert.getSubjectX500Principal().getName(), e); - } - - /* Load verified cert as CA for next verification */ - if (i > 0 && cert.getBasicConstraints() >= 0) { - try { - cm.CertManagerLoadCA(cert); - - } catch (WolfCryptException e) { - /* continue */ - log("Warning: failed to load verified cert as CA"); - } - } - } - - } catch (WolfCryptException e) { - throw new CertPathBuilderException( - "Failed to create or use WolfSSLCertManager", e); - - } finally { - if (cm != null) { - cm.free(); - } - } - } - /** * Helper class to hold chain building result with trust anchor. */ 
diff --git a/src/test/java/com/wolfssl/provider/jce/test/WolfCryptPKIXCertPathBuilderTest.java b/src/test/java/com/wolfssl/provider/jce/test/WolfCryptPKIXCertPathBuilderTest.java index 4a240086..65fce67c 100644 --- a/src/test/java/com/wolfssl/provider/jce/test/WolfCryptPKIXCertPathBuilderTest.java +++ b/src/test/java/com/wolfssl/provider/jce/test/WolfCryptPKIXCertPathBuilderTest.java 
@@ -3450,6 +3450,52 @@ private X509Certificate loadCertFromPEM(String pem) return (X509Certificate) cf.generateCertificate(bis); } + /** + * Helper to create PKIXBuilderParameters for expired cert tests. + * + * Loads expired test certificates (valid May 2014 - April 2016) + * and sets up trust anchors, CertStore, and target selector. + * + * @param dateMillis custom validation date in epoch millis, + * or -1 to use current system time + * + * @return configured PKIXBuilderParameters + */ + private PKIXBuilderParameters createExpiredCertParams(long dateMillis) + throws CertificateException, InvalidAlgorithmParameterException, + NoSuchAlgorithmException { + + X509Certificate rootCert = + loadCertFromPEM(EXPIRED_ROOT_PEM); + X509Certificate intermediateCert = + loadCertFromPEM(EXPIRED_INTERMEDIATE_PEM); + X509Certificate userCert = + loadCertFromPEM(EXPIRED_USER_PEM); + + Set anchors = new HashSet<>(); + anchors.add(new TrustAnchor(rootCert, null)); + + Collection certs = new ArrayList<>(); + certs.add(userCert); + certs.add(intermediateCert); + CertStore certStore = CertStore.getInstance("Collection", + new CollectionCertStoreParameters(certs)); + + X509CertSelector selector = new X509CertSelector(); + selector.setCertificate(userCert); + + PKIXBuilderParameters params = + new PKIXBuilderParameters(anchors, selector); + params.setRevocationEnabled(false); + params.addCertStore(certStore); + + if (dateMillis >= 0) { + params.setDate(new Date(dateMillis)); + } + + return params; + } + /** * Test building a cert path with expired certificates using * a custom validation date set via PKIXBuilderParameters.setDate(). 
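Review bot: The Javadoc of createExpiredCertParams says `-1` selects the current system time, but the guard `if (dateMillis >= 0)` treats every negative value that way. Instants before 1970 therefore cannot be requested, and a mistyped negative timestamp silently falls back to the system clock. I would document the parameter as `any negative value to use current system time`, or take a nullable `Date` instead of a sentinel. The Javadoc also has no `@throws` tags for the three declared exceptions (CertificateException, InvalidAlgorithmParameterException, NoSuchAlgorithmException).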
@@ -3473,47 +3519,34 @@ public void testExpiredCertsWithCustomValidationDate() "this wolfSSL version", WolfSSLX509StoreCtx.isStoreCheckTimeSupported()); - /* Load expired test certificates */ - X509Certificate rootCert = loadCertFromPEM(EXPIRED_ROOT_PEM); + /* Load certs separately for result assertions below */ + X509Certificate rootCert = + loadCertFromPEM(EXPIRED_ROOT_PEM); X509Certificate intermediateCert = loadCertFromPEM(EXPIRED_INTERMEDIATE_PEM); - X509Certificate userCert = loadCertFromPEM(EXPIRED_USER_PEM); - - /* Set up trust anchors with the expired root */ - Set anchors = new HashSet<>(); - anchors.add(new TrustAnchor(rootCert, null)); - - /* Set up CertStore with intermediate and target certs */ - Collection certs = new ArrayList<>(); - certs.add(userCert); - certs.add(intermediateCert); - CertStore certStore = CertStore.getInstance("Collection", - new CollectionCertStoreParameters(certs)); + X509Certificate userCert = + loadCertFromPEM(EXPIRED_USER_PEM); - /* Create target selector for user cert */ - X509CertSelector selector = new X509CertSelector(); - selector.setCertificate(userCert); - - /* Create PKIXBuilderParameters with custom validation date. - * Date is March 15, 2015 (within cert validity period 2014-2016). - * Epoch time 1426399200000L = Sun Mar 15 2015 06:00:00 GMT */ + /* Date is March 15, 2015 (within cert validity 2014-2016). 
+ * Epoch time 1426399200000L = Sun Mar 15 2015 06:00:00 */ PKIXBuilderParameters params = - new PKIXBuilderParameters(anchors, selector); - params.setRevocationEnabled(false); - params.addCertStore(certStore); - params.setDate(new Date(1426399200000L)); + createExpiredCertParams(1426399200000L); /* Build cert path - should succeed with custom date */ - CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX", provider); + CertPathBuilder cpb = + CertPathBuilder.getInstance("PKIX", provider); CertPathBuilderResult result = cpb.build(params); /* Verify result */ - assertNotNull("CertPathBuilderResult should not be null", result); - PKIXCertPathBuilderResult pResult = (PKIXCertPathBuilderResult) result; + assertNotNull( + "CertPathBuilderResult should not be null", result); + PKIXCertPathBuilderResult pResult = + (PKIXCertPathBuilderResult) result; /* Verify trust anchor is the root cert */ assertEquals("Trust anchor should be the root cert", - rootCert, pResult.getTrustAnchor().getTrustedCert()); + rootCert, + pResult.getTrustAnchor().getTrustedCert()); /* Verify path contains user and intermediate certs * (root/trust anchor is not included in the path) */ 
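Review bot: The rewritten date comment drops the `GMT` that the removed line carried, so `Sun Mar 15 2015 06:00:00` no longer says which zone it refers to; I would keep `* Epoch time 1426399200000L = Sun Mar 15 2015 06:00:00 GMT */`. The two new date comments in the following hunk have the same omission. In that hunk 1489561200000L works out to 07:00:00 GMT on Wed Mar 15 2017, not 06:00:00, so that line should read `* Epoch time 1489561200000L = Wed Mar 15 2017 07:00:00 GMT */`. This does not change the test outcome, because all three instants are well clear of the validity boundaries.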
@@ -3525,60 +3558,118 @@ public void testExpiredCertsWithCustomValidationDate() /* Verify path order: user -> intermediate */ assertEquals("First cert in path should be user cert", userCert, path.getCertificates().get(0)); - assertEquals("Second cert in path should be intermediate cert", + assertEquals( + "Second cert in path should be intermediate cert", intermediateCert, path.getCertificates().get(1)); } /** - * Test that expired certs fail validation when no custom date - * is set (using current system time). + * Test that setDate() with a date after cert expiry still fails. * - * This test verifies that wolfJCE properly rejects expired certificates - * when validating against the current system time. + * Uses expired certificates (valid 2014-2016) and sets a validation + * date of March 15, 2017 (after the certificates expired). This + * verifies that setDate() properly validates against the custom date. */ @Test - public void testExpiredCertsFailWithoutCustomDate() + public void testExpiredCertsFailWithDateAfterExpiry() throws CertificateException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, NoSuchProviderException { - /* Load expired test certificates */ - X509Certificate rootCert = loadCertFromPEM(EXPIRED_ROOT_PEM); - X509Certificate intermediateCert = - loadCertFromPEM(EXPIRED_INTERMEDIATE_PEM); - X509Certificate userCert = loadCertFromPEM(EXPIRED_USER_PEM); + Assume.assumeTrue("X509_STORE check_time support not available in " + + "this wolfSSL version", + WolfSSLX509StoreCtx.isStoreCheckTimeSupported()); - /* Set up trust anchors with the expired root */ - Set anchors = new HashSet<>(); - anchors.add(new TrustAnchor(rootCert, null)); + /* Date is March 15, 2017 (certs expired April 30, 2016). 
+ * Epoch time 1489561200000L = Wed Mar 15 2017 06:00:00 */ + PKIXBuilderParameters params = createExpiredCertParams(1489561200000L); - /* Set up CertStore with intermediate and target certs */ - Collection certs = new ArrayList<>(); - certs.add(userCert); - certs.add(intermediateCert); - CertStore certStore = CertStore.getInstance("Collection", - new CollectionCertStoreParameters(certs)); + /* Build cert path, should fail because custom date after cert expiry */ + CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX", provider); + try { + cpb.build(params); + fail("Expected CertPathBuilderException when custom " + + "date is after cert expiry"); + } catch (CertPathBuilderException e) { + /* Expected, date is after cert validity */ + assertNotNull("Exception message should not be null", + e.getMessage()); + assertTrue("Exception should indicate cert expired, got: " + + e.getMessage(), e.getMessage().contains("expired")); + } + } - /* Create target selector for user cert */ - X509CertSelector selector = new X509CertSelector(); - selector.setCertificate(userCert); + /** + * Test that setDate() with a date before cert validity still fails. + * + * Uses expired certificates (valid May 1, 2014 - April 30, 2016) + * and sets a validation date of January 1, 2014 (before notBefore). + * This verifies that setDate() also checks the notBefore boundary. + */ + @Test + public void testExpiredCertsFailWithDateBeforeValidity() + throws CertificateException, InvalidAlgorithmParameterException, + NoSuchAlgorithmException, NoSuchProviderException { - /* Create PKIXBuilderParameters WITHOUT custom date. - * This will use current system time for validation. */ + Assume.assumeTrue( + "X509_STORE check_time support not available in " + + "this wolfSSL version", + WolfSSLX509StoreCtx.isStoreCheckTimeSupported()); + + /* Date is January 1, 2014 (certs valid from May 1, 2014). 
+ * Epoch time 1388534400000L = Wed Jan 01 2014 00:00:00 */ PKIXBuilderParameters params = - new PKIXBuilderParameters(anchors, selector); - params.setRevocationEnabled(false); - params.addCertStore(certStore); - /* Note: NOT calling params.setDate() - uses current time */ + createExpiredCertParams(1388534400000L); + + /* Build cert path - should FAIL because custom date is + * before cert notBefore */ + CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX", provider); + try { + cpb.build(params); + fail("Expected CertPathBuilderException when custom " + + "date is before cert notBefore"); + } catch (CertPathBuilderException e) { + /* Expected, date is before cert validity */ + assertNotNull("Exception message should not be null", + e.getMessage()); + assertTrue("Exception should indicate cert not yet valid" + + ", got: " + e.getMessage(), + e.getMessage().contains("not yet valid")); + } + } + + /** + * Test that expired certs fail validation when no custom date + * is set (using current system time). + * + * This test verifies that wolfJCE properly rejects expired certificates + * when validating against the current system time. + */ + @Test + public void testExpiredCertsFailWithoutCustomDate() + throws CertificateException, InvalidAlgorithmParameterException, + NoSuchAlgorithmException, NoSuchProviderException { + + /* No custom date (-1), uses current system time */ + PKIXBuilderParameters params = createExpiredCertParams(-1); /* Build cert path - should FAIL because certs are expired */ CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX", provider); try { cpb.build(params); - fail("Expected CertPathBuilderException for expired certificates"); + fail("Expected CertPathBuilderException for " + + "expired certificates"); } catch (CertPathBuilderException e) { - /* Expected - certificates are expired */ - assertTrue("Exception message should indicate certificate issue", - e.getMessage() != null); + /* Expected, certificates are expired. 
May fail + * during store addition ("Failed to add certificate") + * or during verification ("expired"), depending on + * wolfSSL version and configuration. */ + assertNotNull("Exception message should not be null", + e.getMessage()); + assertTrue("Exception should indicate cert date issue" + + ", got: " + e.getMessage(), + e.getMessage().contains("expired") || + e.getMessage().contains( + "Failed to add certificate")); } } }
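Review bot: The catch blocks in the three negative tests assert on substrings of the exception message (`"expired"`, `"not yet valid"`, `"Failed to add certificate"`), which ties them to wording that presumably comes from the provider or the native layer. In testExpiredCertsFailWithoutCustomDate the `"Failed to add certificate"` alternative accepts any store-addition failure, so the test can still pass if the date check itself regresses and the add fails for an unrelated reason. I would hoist the expected fragments into named constants in the test class with a comment saying which component emits each one. Where the build is known to reach verification, I would also narrow the no-custom-date assertion to the date-specific message.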