Extend AIA interface #323

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged

cconlon merged 1 commit into wolfSSL:master from padelsbach:aia-updates

Feb 5, 2026

examples/certs/aia/multi-aia-cert.pem

-Original file line number
+Diff line change
@@ -0,0 +1,23 @@
+    -----BEGIN CERTIFICATE-----
+    MIIDwTCCAqmgAwIBAgIUEcNoHSMtIkVhW/MmkmUEsVoJVQEwDQYJKoZIhvcNAQEL
+    BQAwITEfMB0GA1UEAwwWd29sZnNzbC1haWEtbXVsdGktdGVzdDAeFw0yNjAxMjcw
+    MTUwNDRaFw0yNzAxMjcwMTUwNDRaMCExHzAdBgNVBAMMFndvbGZzc2wtYWlhLW11
+    bHRpLXRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCpVdogPQ2I
+    /nErbxSaNGoYhkwoj1qt+Be1/qWnvZzJ0EBOG4EdioMRIkJzP6W3HoAhkGBrueXf
+    riN07M3XLocRfE+9C1+jZQxBGRxysns9z7K+i0pBtPN/AXV2RCSz13FFyVyLhLks
+YAL9By36X9R0wsL+Nd4EAQ4ouf0GglmTmtb5rHf2GIno4xFg9tpWosiUTytwgDC
+    K9lQEQnTnPG6E43N2bszqBc4roOPrYDnd7raNTqcv9yTHM8zwffGJuCogE/Fbr2R
+    yVubLW28n5/O1Pb47hHuPJv6oHMZgct2SV5OB/mwVgI0eoFMSQZ35o6BpHD0C497
+    L2IcoMi8A9rFAgMBAAGjgfAwge0wDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAoQw
+    gbAGCCsGAQUFBwEBBIGjMIGgMCIGCCsGAQUFBzABhhZodHRwOi8vMTI3LjAuMC4x
+    OjIyMjIxMCIGCCsGAQUFBzABhhZodHRwOi8vMTI3LjAuMC4xOjIyMjIyMCkGCCsG
+    AQUFBzAChh1odHRwOi8vd3d3LndvbGZzc2wuY29tL2NhLnBlbTArBggrBgEFBQcw
+    AoYfaHR0cHM6Ly93d3cud29sZnNzbC5jb20vY2EyLnBlbTAdBgNVHQ4EFgQU1GNm
+    eP/LXQk0tFaTeWoNHyLhLZkwDQYJKoZIhvcNAQELBQADggEBACwuXdKYI2Q/Vhd7
+    TJFvKdp7BuUopQGEQ+4vR+FoesYXc9MHjZJfMqEffv1MArTeY46At/zvcTeszagi
+    io+jjGBLOutsAf9WK3PnKMIkGGfro6btZ8QFyKiZ6unMMlqe6cGqrCrNKp8jLP3k
+    CKZltR5c+MIPhpjoOhNDMOcPMwZBGQJWubwOb4uOu3wv7UWJk/ovKP9WJCUn6wLH
+    soDs+MHMICkxOvDfPf+F4URVqTbzE8IvSMv38z4cAqsyEfWxr32Dg34S/NmeePFV
+sSDpksvyITGsxjnQulSuUFSmldumQ6GnA4ZUXvCNdJ0zbD/Iib9ud6K05VdWYZP
+    uyCRkjY=
+    -----END CERTIFICATE-----

examples/certs/aia/overflow-aia-cert.pem

-Original file line number
+Diff line change
@@ -0,0 +1,26 @@
+    -----BEGIN CERTIFICATE-----
+    MIIEcDCCA1igAwIBAgIUN5kIU1GLRP5bRKctP271p7IGFVowDQYJKoZIhvcNAQEL
+    BQAwJDEiMCAGA1UEAwwZd29sZnNzbC1haWEtb3ZlcmZsb3ctdGVzdDAeFw0yNjAx
+    MjcwMTU1NTBaFw0yNzAxMjcwMTU1NTBaMCQxIjAgBgNVBAMMGXdvbGZzc2wtYWlh
+    LW92ZXJmbG93LXRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDS
+    eHeAzVuCe44SU8bcyIWLwkA2AABw/ctSBWKAFEd7DYHduRr3diblHERU1Fv5JzYx
+    JnZquj1IO/qsnSFJYDc9sQmYea89iW8KNPVXKDzdbzhpiQLZL7Yq71ICxxqVLfRr
+lyAj0+Syncrp96olSpMJochVnQ6PqLcc/Gq7CMtrKn5KAN7Mn3+LdAQYU8JjRa
+    zqEJ8fmkBKbS5watzgnkP2o5jWSpWzpDOxTdw85hju4H9m5Gmun3XVO9dEAN/dqK
+    vklkzgQGvAMMQMIcgOzw0HxAuvsSNtjgEpIlOir0M7YiC0pYqtMO+thSCmVCvsDR
+    /nG/iqe6YBSXh6oszGwTAgMBAAGjggGYMIIBlDAMBgNVHRMEBTADAQH/MAsGA1Ud
+    DwQEAwIChDCCAVYGCCsGAQUFBwEBBIIBSDCCAUQwIgYIKwYBBQUHMAGGFmh0dHA6
+    Ly8xMjcuMC4wLjE6MjIyMjAwIgYIKwYBBQUHMAGGFmh0dHA6Ly8xMjcuMC4wLjE6
+    MjIyMjEwIgYIKwYBBQUHMAGGFmh0dHA6Ly8xMjcuMC4wLjE6MjIyMjIwIgYIKwYB
+    BQUHMAGGFmh0dHA6Ly8xMjcuMC4wLjE6MjIyMjMwIgYIKwYBBQUHMAGGFmh0dHA6
+    Ly8xMjcuMC4wLjE6MjIyMjQwIgYIKwYBBQUHMAGGFmh0dHA6Ly8xMjcuMC4wLjE6
+    MjIyMjUwIgYIKwYBBQUHMAGGFmh0dHA6Ly8xMjcuMC4wLjE6MjIyMjYwIgYIKwYB
+    BQUHMAGGFmh0dHA6Ly8xMjcuMC4wLjE6MjIyMjcwIgYIKwYBBQUHMAGGFmh0dHA6
+    Ly8xMjcuMC4wLjE6MjIyMjgwHQYDVR0OBBYEFJt6TNgqMFBebotXaauIYPpUJi1S
+    MA0GCSqGSIb3DQEBCwUAA4IBAQA5noHB343sKQqVmmLds0gC/k1UhVA5iftAGmes
+    uRdNOOCdo2i739DmRAXggetgtatcjDfjxkrvq0Qi+geozZra6uX9FT/hgfw6kDpU
+    HKzJFy4E0G0HTM8mtJi+aGDZL3Lts+h272eahkT1jVKGAPFugqfz7fKRsMce6eCE
+    UD5cvtQXX16fGhBxxmUCZPnxMKcj2oNl7RliHphK6ofXuNbKjqjVQfxsTUXSQDyS
+    ApH5w6iUnAvC5l19qYrBcCVOB6CNJ2CdmvFI//Ox8Jc56HRYYDIdVp2Q3FFA5Z4s
+    gTLvlumVgihAekD+0zVF9q+AJ4TSbE3cqsQgHF/+p84KxWid
+    -----END CERTIFICATE-----

native/com_wolfssl_WolfSSLCertificate.c

-Original file line number
+Diff line change
@@ Expand Up @@
         return idx;
     }
+    #if !defined(WOLFCRYPT_ONLY) && !defined(NO_CERTS) && \
+        (defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL) || \
+         defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)) && \
+        ((LIBWOLFSSL_VERSION_HEX > 0x05008004) || \
+         defined(WOLFSSL_PR9728_PATCH_APPLIED))
+    static jobjectArray stackStringToArray(JNIEnv* jenv, jclass jcl,
+        WOLF_STACK_OF(WOLFSSL_STRING)* sk)
+    {
+        jobjectArray ret = NULL;
+        jclass stringClass = NULL;
+        int count;
+        int i;
+        if (jenv == NULL || sk == NULL) {
+            return NULL;
+        }
+        count = wolfSSL_sk_WOLFSSL_STRING_num(sk);
+        if (count <= 0) {
+            wolfSSL_X509_email_free(sk);
+            return NULL;
+        }
+        stringClass = (*jenv)->FindClass(jenv, "java/lang/String");
+        if (stringClass == NULL) {
+            wolfSSL_X509_email_free(sk);
+            return NULL;
+        }
+        ret = (*jenv)->NewObjectArray(jenv, count, stringClass, NULL);
+        if (ret == NULL) {
+            (*jenv)->DeleteLocalRef(jenv, stringClass);
+            wolfSSL_X509_email_free(sk);
+            return NULL;
+        }
+        for (i = 0; i < count; i++) {
+            const char* str = wolfSSL_sk_WOLFSSL_STRING_value(sk, i);
+            jstring jstr = (*jenv)->NewStringUTF(jenv, (str != NULL) ? str : "");
+            if (jstr == NULL) {
+                (*jenv)->DeleteLocalRef(jenv, ret);
+                (*jenv)->DeleteLocalRef(jenv, stringClass);
+                wolfSSL_X509_email_free(sk);
+                (*jenv)->ThrowNew(jenv, jcl,
+                    "Failed to create String in native AIA getter");
+                return NULL;
+            }
+            (*jenv)->SetObjectArrayElement(jenv, ret, i, jstr);
+            (*jenv)->DeleteLocalRef(jenv, jstr);
+            if ((*jenv)->ExceptionOccurred(jenv)) {
+                (*jenv)->ExceptionDescribe(jenv);
+                (*jenv)->ExceptionClear(jenv);
+                (*jenv)->DeleteLocalRef(jenv, ret);
+                (*jenv)->DeleteLocalRef(jenv, stringClass);
+                wolfSSL_X509_email_free(sk);
+                (*jenv)->ThrowNew(jenv, jcl,
+                    "Failed to set String[] element in native AIA getter");
+                return NULL;
+            }
+        }
+        (*jenv)->DeleteLocalRef(jenv, stringClass);
+        wolfSSL_X509_email_free(sk);
+        return ret;
+    }
+    #endif
     JNIEXPORT jobjectArray JNICALL Java_com_wolfssl_WolfSSLCertificate_X509_1get_1extended_1key_1usage
       (JNIEnv* jenv, jclass jcl, jlong x509Ptr)
     {
@@ Expand Down Expand Up @@
         return ret;
     }
+    JNIEXPORT jobjectArray JNICALL
+    Java_com_wolfssl_WolfSSLCertificate_X509_1get1_1ocsp
+      (JNIEnv* jenv, jclass jcl, jlong x509Ptr)
+    {
+        /* AIA API extensions were added after wolfSSL 5.8.4 in PR 9728. Version
+         * check must be greater than 5.8.4 or patch from PR 9728 must be applied
+         * and WOLFSSL_PR9728_PATCH_APPLIED defined when compiling this wrapper. */
+    #if !defined(WOLFCRYPT_ONLY) && !defined(NO_CERTS) && \
+        (defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL) || \
+         defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)) && \
+        ((LIBWOLFSSL_VERSION_HEX > 0x05008004) || \
+         defined(WOLFSSL_PR9728_PATCH_APPLIED))
+        WOLFSSL_X509* x509 = (WOLFSSL_X509*)(uintptr_t)x509Ptr;
+        WOLF_STACK_OF(WOLFSSL_STRING)* sk = NULL;
+        if (jenv == NULL || x509 == NULL) {
+            return NULL;
+        }
+        sk = wolfSSL_X509_get1_ocsp(x509);
+        return stackStringToArray(jenv, jcl, sk);
+    #else
+        (void)jenv;
+        (void)jcl;
+        (void)x509Ptr;
+        return NULL;
+    #endif
+    }
+    JNIEXPORT jint JNICALL
+    Java_com_wolfssl_WolfSSLCertificate_X509_1get_1aia_1overflow
+      (JNIEnv* jenv, jclass jcl, jlong x509Ptr)
+    {
+    #if !defined(WOLFCRYPT_ONLY) && !defined(NO_CERTS) && \
+        (defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL) || \
+         defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)) && \
+        ((LIBWOLFSSL_VERSION_HEX > 0x05008004) || \
+         defined(WOLFSSL_PR9728_PATCH_APPLIED))
+        WOLFSSL_X509* x509 = (WOLFSSL_X509*)(uintptr_t)x509Ptr;
+        (void)jcl;
+        if (jenv == NULL || x509 == NULL) {
+            return 0;
+        }
+        return (jint)wolfSSL_X509_get_aia_overflow(x509);
+    #else
+        (void)jenv;
+        (void)jcl;
+        (void)x509Ptr;
+        return (jint)NOT_COMPILED_IN;
+    #endif
+    }
+    JNIEXPORT jobjectArray JNICALL
+    Java_com_wolfssl_WolfSSLCertificate_X509_1get1_1ca_1issuers
+      (JNIEnv* jenv, jclass jcl, jlong x509Ptr)
+    {
+    #if !defined(WOLFCRYPT_ONLY) && !defined(NO_CERTS) && \
+        (defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL) || \
+         defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)) && \
+        defined(WOLFSSL_ASN_CA_ISSUER) && \
+        ((LIBWOLFSSL_VERSION_HEX > 0x05008004) || \
+         defined(WOLFSSL_PR9728_PATCH_APPLIED))
+        WOLFSSL_X509* x509 = (WOLFSSL_X509*)(uintptr_t)x509Ptr;
+        WOLF_STACK_OF(WOLFSSL_STRING)* sk = NULL;
+        if (jenv == NULL || x509 == NULL) {
+            return NULL;
+        }
+        sk = wolfSSL_X509_get1_ca_issuers(x509);
+        return stackStringToArray(jenv, jcl, sk);
+    #else
+        (void)jenv;
+        (void)jcl;
+        (void)x509Ptr;
+        return NULL;
+    #endif
+    }
     JNIEXPORT jbyteArray JNICALL Java_com_wolfssl_WolfSSLCertificate_X509_1get_1extension
       (JNIEnv* jenv, jclass jcl, jlong x509Ptr, jstring oidIn)
     {
@@ Expand Down Expand Up @@
         return 0;
     #endif
     }

native/com_wolfssl_WolfSSLCertificate.h

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

src/java/com/wolfssl/WolfSSLCertificate.java

-Original file line number
+Diff line change
@@ Expand Up / @@ -103,6 +103,9 @@ public class WolfSSLCertificate implements Serializable { @@
         static native int X509_verify(long x509, byte[] pubKey, int pubKeySz);
         static native boolean[] X509_get_key_usage(long x509);
         static native String[] X509_get_extended_key_usage(long x509);
+        static native String[] X509_get1_ocsp(long x509);
+        static native int X509_get_aia_overflow(long x509);
+        static native String[] X509_get1_ca_issuers(long x509);
         static native byte[] X509_get_extension(long x509, String oid);
         static native int X509_is_extension_set(long x509, String oid);
         static native String X509_get_next_altname(long x509);
@@ Expand Down Expand Up @@
             }
         }
+        /**
+         * Get OCSP responder URIs from the certificate Authority Information
+         * Access (AIA) extension.
+         *
+         * @return Array of OCSP responder URIs, or null if not present.
+         *
+         * @throws IllegalStateException if WolfSSLCertificate has been freed
+         */
+        public String[] getOcspUris() throws IllegalStateException {
+            confirmObjectIsActive();
+            synchronized (x509Lock) {
+                WolfSSLDebug.log(getClass(), WolfSSLDebug.Component.JNI,
+                    WolfSSLDebug.INFO, this.x509Ptr,
+                    () -> "entering getOcspUris()");
+                return X509_get1_ocsp(this.x509Ptr);
+            }
+        }
+        /**
+         * Check if AIA parsing overflowed the internal URI list.
+         *
+         * @return 1 if AIA parsing overflowed, 0 if not, or
+         *         WolfSSL.NOT_COMPILED_IN if not available.
+         *
+         * @throws IllegalStateException if WolfSSLCertificate has been freed
+         */
+        public int getAiaOverflow() throws IllegalStateException {
+            confirmObjectIsActive();
+            synchronized (x509Lock) {
+                WolfSSLDebug.log(getClass(), WolfSSLDebug.Component.JNI,
+                    WolfSSLDebug.INFO, this.x509Ptr,
+                    () -> "entering getAiaOverflow()");
+                return X509_get_aia_overflow(this.x509Ptr);
+            }
+        }
+        /**
+         * Get CA Issuer URIs from the certificate Authority Information Access
+         * (AIA) extension.
+         *
+         * @return Array of CA Issuer URIs, or null if not present.
+         *
+         * @throws IllegalStateException if WolfSSLCertificate has been freed
+         */
+        public String[] getCaIssuerUris() throws IllegalStateException {
+            confirmObjectIsActive();
+            synchronized (x509Lock) {
+                WolfSSLDebug.log(getClass(), WolfSSLDebug.Component.JNI,
+                    WolfSSLDebug.INFO, this.x509Ptr,
+                    () -> "entering getCaIssuerUris()");
+                return X509_get1_ca_issuers(this.x509Ptr);
+            }
+        }
         /**
          * Get DER encoded extension value from a specified OID
          *
@@ Expand Down Expand Up / @@ -2246,4 +2312,3 @@ protected void finalize() throws Throwable @@
             super.finalize();
         }
     }

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Extend AIA interface #323

Uh oh!

Diff view

Diff view

There are no files selected for viewing

Uh oh!

Uh oh!

Uh oh!