/src/mozilla-central/security/nss/lib/pkcs7/certread.c

Source (jump to first uncovered line)
/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

#include "cert.h"
#include "base64.h"
#include "secitem.h"
#include "secder.h"
#include "secasn1.h"
#include "secoid.h"
#include "secerr.h"

SEC_ASN1_MKSUB(SEC_AnyTemplate)
SEC_ASN1_MKSUB(SEC_SetOfAnyTemplate)

typedef struct ContentInfoStr ContentInfo;
typedef struct DegenerateSignedDataStr DegenerateSignedData;

struct ContentInfoStr {
    SECOidTag contentTypeTag; /* local; not part of encoding */
    SECItem contentType;
    union {
        SECItem *data;
        DegenerateSignedData *signedData;
    } content;
};

struct DegenerateSignedDataStr {
    SECItem version;
    SECItem **digestAlgorithms;
    ContentInfo contentInfo;
    SECItem **certificates;
    SECItem **crls;
    SECItem **signerInfos;
};

static const SEC_ASN1Template *
choose_content_template(void *src_or_dest, PRBool encoding);

static const SEC_ASN1TemplateChooserPtr template_chooser = choose_content_template;

static const SEC_ASN1Template ContentInfoTemplate[] = {
    { SEC_ASN1_SEQUENCE,
      0, NULL, sizeof(ContentInfo) },
    { SEC_ASN1_OBJECT_ID,
      offsetof(ContentInfo, contentType) },
    { SEC_ASN1_OPTIONAL | SEC_ASN1_DYNAMIC |
          SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
      offsetof(ContentInfo, content),
      &template_chooser },
    { 0 }
};

static const SEC_ASN1Template DegenerateSignedDataTemplate[] = {
    { SEC_ASN1_SEQUENCE,
      0, NULL, sizeof(DegenerateSignedData) },
    { SEC_ASN1_INTEGER,
      offsetof(DegenerateSignedData, version) },
    { SEC_ASN1_SET_OF | SEC_ASN1_XTRN,
      offsetof(DegenerateSignedData, digestAlgorithms),
      SEC_ASN1_SUB(SEC_AnyTemplate) },
    { SEC_ASN1_INLINE,
      offsetof(DegenerateSignedData, contentInfo),
      ContentInfoTemplate },
    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
          SEC_ASN1_XTRN | 0,
      offsetof(DegenerateSignedData, certificates),
      SEC_ASN1_SUB(SEC_SetOfAnyTemplate) },
    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
          SEC_ASN1_XTRN | 1,
      offsetof(DegenerateSignedData, crls),
      SEC_ASN1_SUB(SEC_SetOfAnyTemplate) },
    { SEC_ASN1_SET_OF | SEC_ASN1_XTRN,
      offsetof(DegenerateSignedData, signerInfos),
      SEC_ASN1_SUB(SEC_AnyTemplate) },
    { 0 }
};

static const SEC_ASN1Template PointerToDegenerateSignedDataTemplate[] = {
    { SEC_ASN1_POINTER, 0, DegenerateSignedDataTemplate }
};

static SECOidTag
GetContentTypeTag(ContentInfo *cinfo)
{
    if (cinfo->contentTypeTag == SEC_OID_UNKNOWN)
        cinfo->contentTypeTag = SECOID_FindOIDTag(&cinfo->contentType);
    return cinfo->contentTypeTag;
}

static const SEC_ASN1Template *
choose_content_template(void *src_or_dest, PRBool encoding)
{
    const SEC_ASN1Template *theTemplate;
    ContentInfo *cinfo;
    SECOidTag kind;

    PORT_Assert(src_or_dest != NULL);
    if (src_or_dest == NULL)
        return NULL;

    cinfo = (ContentInfo *)src_or_dest;
    kind = GetContentTypeTag(cinfo);
    switch (kind) {
        default:
            theTemplate = SEC_ASN1_GET(SEC_PointerToAnyTemplate);
            break;
        case SEC_OID_PKCS7_DATA:
            theTemplate = SEC_ASN1_GET(SEC_PointerToOctetStringTemplate);
            break;
        case SEC_OID_PKCS7_SIGNED_DATA:
            theTemplate = PointerToDegenerateSignedDataTemplate;
            break;
    }
    return theTemplate;
}

static SECStatus
SEC_ReadPKCS7Certs(SECItem *pkcs7Item, CERTImportCertificateFunc f, void *arg)
{
    ContentInfo contentInfo;
    SECStatus rv = SECFailure;
    SECItem **certs;
    int count;
    PLArenaPool *arena;

    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
    if (arena == NULL) {
        return rv;
    }

    PORT_Memset(&contentInfo, 0, sizeof(contentInfo));
    if (SEC_ASN1DecodeItem(arena, &contentInfo, ContentInfoTemplate,
                           pkcs7Item) != SECSuccess) {
        goto done;
    }

    if (GetContentTypeTag(&contentInfo) != SEC_OID_PKCS7_SIGNED_DATA) {
        goto done;
    }

    rv = SECSuccess;

    certs = contentInfo.content.signedData->certificates;
    if (certs) {
        count = 0;

        while (*certs) {
            count++;
            certs++;
        }
        rv = (*f)(arg, contentInfo.content.signedData->certificates, count);
    }

done:
    if (arena) {
        PORT_FreeArena(arena, PR_FALSE);
    }

    return rv;
}

const SEC_ASN1Template SEC_CertSequenceTemplate[] = {
    { SEC_ASN1_SEQUENCE_OF | SEC_ASN1_XTRN, 0, SEC_ASN1_SUB(SEC_AnyTemplate) }
};

static SECStatus
SEC_ReadCertSequence(SECItem *certsItem, CERTImportCertificateFunc f, void *arg)
{
    SECStatus rv = SECFailure;
    SECItem **certs;
    int count;
    SECItem **rawCerts = NULL;
    PLArenaPool *arena;
    ContentInfo contentInfo;

    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
    if (arena == NULL) {
        return rv;
    }

    PORT_Memset(&contentInfo, 0, sizeof(contentInfo));
    if (SEC_ASN1DecodeItem(arena, &contentInfo, ContentInfoTemplate,
                           certsItem) != SECSuccess) {
        goto done;
    }

    if (GetContentTypeTag(&contentInfo) != SEC_OID_NS_TYPE_CERT_SEQUENCE) {
        goto done;
    }

    if (SEC_QuickDERDecodeItem(arena, &rawCerts, SEC_CertSequenceTemplate,
                               contentInfo.content.data) != SECSuccess) {
        goto done;
    }

    rv = SECSuccess;

    certs = rawCerts;
    if (certs) {
        count = 0;

        while (*certs) {
            count++;
            certs++;
        }
        rv = (*f)(arg, rawCerts, count);
    }

done:
    if (arena) {
        PORT_FreeArena(arena, PR_FALSE);
    }

    return rv;
}

CERTCertificate *
CERT_ConvertAndDecodeCertificate(char *certstr)
{
    CERTCertificate *cert;
    SECStatus rv;
    SECItem der;

    rv = ATOB_ConvertAsciiToItem(&der, certstr);
    if (rv != SECSuccess)
        return NULL;

    cert = CERT_NewTempCertificate(CERT_GetDefaultCertDB(),
                                   &der, NULL, PR_FALSE, PR_TRUE);

    PORT_Free(der.data);
    return cert;
}

static const char NS_CERT_HEADER[] = "-----BEGIN CERTIFICATE-----";
static const char NS_CERT_TRAILER[] = "-----END CERTIFICATE-----";
#define NS_CERT_HEADER_LEN ((sizeof NS_CERT_HEADER) - 1)
#define NS_CERT_TRAILER_LEN ((sizeof NS_CERT_TRAILER) - 1)

/*
 * read an old style ascii or binary certificate chain
 */
SECStatus
CERT_DecodeCertPackage(char *certbuf,
                       int certlen,
                       CERTImportCertificateFunc f,
                       void *arg)
{
    unsigned char *cp;
    unsigned char *bincert = NULL;
    char *ascCert = NULL;
    SECStatus rv;

    if (certbuf == NULL) {
        PORT_SetError(SEC_ERROR_INVALID_ARGS);
        return (SECFailure);
    }
    /*
     * Make sure certlen is long enough to handle the longest possible
     * reference in the code below:
     * 0x30 0x84 l1 l2 l3 l4  +
     *                       tag 9 o1 o2 o3 o4 o5 o6 o7 o8 o9
     * where 9 is the longest length of the expected oids we are testing.
     *   6 + 11 = 17. 17 bytes is clearly too small to code any kind of
     *  certificate (a 128 bit ECC certificate contains at least an 8 byte
     * key and a 16 byte signature, plus coding overhead). Typically a cert
     * is much larger. So it's safe to require certlen to be at least 17
     * bytes.
     */
    if (certlen < 17) {
        PORT_SetError(SEC_ERROR_INPUT_LEN);
        return (SECFailure);
    }

    cp = (unsigned char *)certbuf;

    /* is a DER encoded certificate of some type? */
    if ((*cp & 0x1f) == SEC_ASN1_SEQUENCE) {
        SECItem certitem;
        SECItem *pcertitem = &certitem;
        PRUint64 seqLen, seqLenLen;

        cp++;

        if (*cp & 0x80) {
            /* Multibyte length */
            seqLenLen = cp[0] & 0x7f;

            switch (seqLenLen) {
                case 4:
                    seqLen = ((unsigned long)cp[1] << 24) |
                             ((unsigned long)cp[2] << 16) | (cp[3] << 8) | cp[4];
                    break;
                case 3:
                    seqLen = ((unsigned long)cp[1] << 16) | (cp[2] << 8) | cp[3];
                    break;
                case 2:
                    seqLen = (cp[1] << 8) | cp[2];
                    break;
                case 1:
                    seqLen = cp[1];
                    break;
                case 0:
                    /* indefinite length */
                    seqLen = 0;
                    break;
                default:
                    goto notder;
            }
            cp += (seqLenLen + 1);

        } else {
            seqLenLen = 0;
            seqLen = *cp;
            cp++;
        }

        /* check entire length if definite length */
        if (seqLen || seqLenLen) {
            if (certlen != (seqLen + seqLenLen + 2L)) {
                if (certlen > (seqLen + seqLenLen + 2L))
                    PORT_SetError(SEC_ERROR_EXTRA_INPUT);
                else
                    PORT_SetError(SEC_ERROR_INPUT_LEN);
                goto notder;
            }
        }

        /* check the type oid */
        if (cp[0] == SEC_ASN1_OBJECT_ID) {
            SECOidData *oiddata;
            SECItem oiditem;
            /* XXX - assume DER encoding of OID len!! */
            oiditem.len = cp[1];
            /* if we add an oid below that is longer than 9 bytes, then we
             * need to change the certlen check at the top of the function
             * to prevent a buffer overflow
             */
            if (oiditem.len > 9) {
                PORT_SetError(SEC_ERROR_UNRECOGNIZED_OID);
                return (SECFailure);
            }
            oiditem.data = (unsigned char *)&cp[2];
            oiddata = SECOID_FindOID(&oiditem);
            if (oiddata == NULL) {
                return (SECFailure);
            }

            certitem.data = (unsigned char *)certbuf;
            certitem.len = certlen;

            switch (oiddata->offset) {
                case SEC_OID_PKCS7_SIGNED_DATA:
                    /* oid: 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02 */
                    return (SEC_ReadPKCS7Certs(&certitem, f, arg));
                    break;
                case SEC_OID_NS_TYPE_CERT_SEQUENCE:
                    /* oid: 0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x42, 0x02, 0x05 */
                    return (SEC_ReadCertSequence(&certitem, f, arg));
                    break;
                default:
                    break;
            }

        } else {
            /* it had better be a certificate by now!! */
            certitem.data = (unsigned char *)certbuf;
            certitem.len = certlen;

            rv = (*f)(arg, &pcertitem, 1);
            return (rv);
        }
    }

/* now look for a netscape base64 ascii encoded cert */
notder : {
    unsigned char *certbegin = NULL;
    unsigned char *certend = NULL;
    char *pc;
    int cl;

    /* Convert the ASCII data into a nul-terminated string */
    ascCert = (char *)PORT_Alloc(certlen + 1);
    if (!ascCert) {
        rv = SECFailure;
        goto loser;
    }

    PORT_Memcpy(ascCert, certbuf, certlen);
    ascCert[certlen] = '\0';

    pc = PORT_Strchr(ascCert, '\n'); /* find an EOL */
    if (!pc) {                       /* maybe this is a MAC file */
        pc = ascCert;
        while (*pc && NULL != (pc = PORT_Strchr(pc, '\r'))) {
            *pc++ = '\n';
        }
    }

    cp = (unsigned char *)ascCert;
    cl = certlen;

    /* find the beginning marker */
    while (cl > NS_CERT_HEADER_LEN) {
        int found = 0;
        if (!PORT_Strncasecmp((char *)cp, NS_CERT_HEADER,
                              NS_CERT_HEADER_LEN)) {
            cl -= NS_CERT_HEADER_LEN;
            cp += NS_CERT_HEADER_LEN;
            found = 1;
        }

        /* skip to next eol */
        while (cl && (*cp != '\n')) {
            cp++;
            cl--;
        }

        /* skip all blank lines */
        while (cl && (*cp == '\n' || *cp == '\r')) {
            cp++;
            cl--;
        }
        if (cl && found) {
            certbegin = cp;
            break;
        }
    }

    if (certbegin) {
        /* find the ending marker */
        while (cl >= NS_CERT_TRAILER_LEN) {
            if (!PORT_Strncasecmp((char *)cp, NS_CERT_TRAILER,
                                  NS_CERT_TRAILER_LEN)) {
                certend = cp;
                break;
            }

            /* skip to next eol */
            while (cl && (*cp != '\n')) {
                cp++;
                cl--;
            }

            /* skip all blank lines */
            while (cl && (*cp == '\n' || *cp == '\r')) {
                cp++;
                cl--;
            }
        }
    }

    if (certbegin && certend) {
        unsigned int binLen;

        *certend = 0;
        /* convert to binary */
        bincert = ATOB_AsciiToData((char *)certbegin, &binLen);
        if (!bincert) {
            rv = SECFailure;
            goto loser;
        }

        /* now recurse to decode the binary */
        rv = CERT_DecodeCertPackage((char *)bincert, binLen, f, arg);

    } else {
        PORT_SetError(SEC_ERROR_BAD_DER);
        rv = SECFailure;
    }
}

loser:

    if (bincert) {
        PORT_Free(bincert);
    }

    if (ascCert) {
        PORT_Free(ascCert);
    }

    return (rv);
}

typedef struct {
    PLArenaPool *arena;
    SECItem cert;
} collect_args;

static SECStatus
collect_certs(void *arg, SECItem **certs, int numcerts)
{
    SECStatus rv;
    collect_args *collectArgs;

    collectArgs = (collect_args *)arg;

    rv = SECITEM_CopyItem(collectArgs->arena, &collectArgs->cert, *certs);

    return (rv);
}

/*
 * read an old style ascii or binary certificate
 */
CERTCertificate *
CERT_DecodeCertFromPackage(char *certbuf, int certlen)
{
    collect_args collectArgs;
    SECStatus rv;
    CERTCertificate *cert = NULL;

    collectArgs.arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);

    rv = CERT_DecodeCertPackage(certbuf, certlen, collect_certs,
                                (void *)&collectArgs);
    if (rv == SECSuccess) {
        cert = CERT_NewTempCertificate(CERT_GetDefaultCertDB(),
                                       &collectArgs.cert, NULL,
                                       PR_FALSE, PR_TRUE);
    }

    PORT_FreeArena(collectArgs.arena, PR_FALSE);

    return (cert);
}

Coverage Report

Created: 2018-09-25 14:53

Line	Count	Source (jump to first uncovered line)
1		/* This Source Code Form is subject to the terms of the Mozilla Public
2		* License, v. 2.0. If a copy of the MPL was not distributed with this
3		* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
4
5		#include "cert.h"
6		#include "base64.h"
7		#include "secitem.h"
8		#include "secder.h"
9		#include "secasn1.h"
10		#include "secoid.h"
11		#include "secerr.h"
12
13		SEC_ASN1_MKSUB(SEC_AnyTemplate)
14		SEC_ASN1_MKSUB(SEC_SetOfAnyTemplate)
15
16		typedef struct ContentInfoStr ContentInfo;
17		typedef struct DegenerateSignedDataStr DegenerateSignedData;
18
19		struct ContentInfoStr {
20		SECOidTag contentTypeTag; /* local; not part of encoding */
21		SECItem contentType;
22		union {
23		SECItem *data;
24		DegenerateSignedData *signedData;
25		} content;
26		};
27
28		struct DegenerateSignedDataStr {
29		SECItem version;
30		SECItem **digestAlgorithms;
31		ContentInfo contentInfo;
32		SECItem **certificates;
33		SECItem **crls;
34		SECItem **signerInfos;
35		};
36
37		static const SEC_ASN1Template *
38		choose_content_template(void *src_or_dest, PRBool encoding);
39
40		static const SEC_ASN1TemplateChooserPtr template_chooser = choose_content_template;
41
42		static const SEC_ASN1Template ContentInfoTemplate[] = {
43		{ SEC_ASN1_SEQUENCE,
44		0, NULL, sizeof(ContentInfo) },
45		{ SEC_ASN1_OBJECT_ID,
46		offsetof(ContentInfo, contentType) },
47		{ SEC_ASN1_OPTIONAL \| SEC_ASN1_DYNAMIC \|
48		SEC_ASN1_EXPLICIT \| SEC_ASN1_CONSTRUCTED \| SEC_ASN1_CONTEXT_SPECIFIC \| 0,
49		offsetof(ContentInfo, content),
50		&template_chooser },
51		{ 0 }
52		};
53
54		static const SEC_ASN1Template DegenerateSignedDataTemplate[] = {
55		{ SEC_ASN1_SEQUENCE,
56		0, NULL, sizeof(DegenerateSignedData) },
57		{ SEC_ASN1_INTEGER,
58		offsetof(DegenerateSignedData, version) },
59		{ SEC_ASN1_SET_OF \| SEC_ASN1_XTRN,
60		offsetof(DegenerateSignedData, digestAlgorithms),
61		SEC_ASN1_SUB(SEC_AnyTemplate) },
62		{ SEC_ASN1_INLINE,
63		offsetof(DegenerateSignedData, contentInfo),
64		ContentInfoTemplate },
65		{ SEC_ASN1_OPTIONAL \| SEC_ASN1_CONSTRUCTED \| SEC_ASN1_CONTEXT_SPECIFIC \|
66		SEC_ASN1_XTRN \| 0,
67		offsetof(DegenerateSignedData, certificates),
68		SEC_ASN1_SUB(SEC_SetOfAnyTemplate) },
69		{ SEC_ASN1_OPTIONAL \| SEC_ASN1_CONSTRUCTED \| SEC_ASN1_CONTEXT_SPECIFIC \|
70		SEC_ASN1_XTRN \| 1,
71		offsetof(DegenerateSignedData, crls),
72		SEC_ASN1_SUB(SEC_SetOfAnyTemplate) },
73		{ SEC_ASN1_SET_OF \| SEC_ASN1_XTRN,
74		offsetof(DegenerateSignedData, signerInfos),
75		SEC_ASN1_SUB(SEC_AnyTemplate) },
76		{ 0 }
77		};
78
79		static const SEC_ASN1Template PointerToDegenerateSignedDataTemplate[] = {
80		{ SEC_ASN1_POINTER, 0, DegenerateSignedDataTemplate }
81		};
82
83		static SECOidTag
84		GetContentTypeTag(ContentInfo *cinfo)
85	0	{
86	0	if (cinfo->contentTypeTag == SEC_OID_UNKNOWN)
87	0	cinfo->contentTypeTag = SECOID_FindOIDTag(&cinfo->contentType);
88	0	return cinfo->contentTypeTag;
89	0	}
90
91		static const SEC_ASN1Template *
92		choose_content_template(void *src_or_dest, PRBool encoding)
93	0	{
94	0	const SEC_ASN1Template *theTemplate;
95	0	ContentInfo *cinfo;
96	0	SECOidTag kind;
97	0
98	0	PORT_Assert(src_or_dest != NULL);
99	0	if (src_or_dest == NULL)
100	0	return NULL;
101	0
102	0	cinfo = (ContentInfo *)src_or_dest;
103	0	kind = GetContentTypeTag(cinfo);
104	0	switch (kind) {
105	0	default:
106	0	theTemplate = SEC_ASN1_GET(SEC_PointerToAnyTemplate);
107	0	break;
108	0	case SEC_OID_PKCS7_DATA:
109	0	theTemplate = SEC_ASN1_GET(SEC_PointerToOctetStringTemplate);
110	0	break;
111	0	case SEC_OID_PKCS7_SIGNED_DATA:
112	0	theTemplate = PointerToDegenerateSignedDataTemplate;
113	0	break;
114	0	}
115	0	return theTemplate;
116	0	}
117
118		static SECStatus
119		SEC_ReadPKCS7Certs(SECItem pkcs7Item, CERTImportCertificateFunc f, void arg)
120	0	{
121	0	ContentInfo contentInfo;
122	0	SECStatus rv = SECFailure;
123	0	SECItem **certs;
124	0	int count;
125	0	PLArenaPool *arena;
126	0
127	0	arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
128	0	if (arena == NULL) {
129	0	return rv;
130	0	}
131	0
132	0	PORT_Memset(&contentInfo, 0, sizeof(contentInfo));
133	0	if (SEC_ASN1DecodeItem(arena, &contentInfo, ContentInfoTemplate,
134	0	pkcs7Item) != SECSuccess) {
135	0	goto done;
136	0	}
137	0
138	0	if (GetContentTypeTag(&contentInfo) != SEC_OID_PKCS7_SIGNED_DATA) {
139	0	goto done;
140	0	}
141	0
142	0	rv = SECSuccess;
143	0
144	0	certs = contentInfo.content.signedData->certificates;
145	0	if (certs) {
146	0	count = 0;
147	0
148	0	while (*certs) {
149	0	count++;
150	0	certs++;
151	0	}
152	0	rv = (*f)(arg, contentInfo.content.signedData->certificates, count);
153	0	}
154	0
155	0	done:
156	0	if (arena) {
157	0	PORT_FreeArena(arena, PR_FALSE);
158	0	}
159	0
160	0	return rv;
161	0	}
162
163		const SEC_ASN1Template SEC_CertSequenceTemplate[] = {
164		{ SEC_ASN1_SEQUENCE_OF \| SEC_ASN1_XTRN, 0, SEC_ASN1_SUB(SEC_AnyTemplate) }
165		};
166
167		static SECStatus
168		SEC_ReadCertSequence(SECItem certsItem, CERTImportCertificateFunc f, void arg)
169	0	{
170	0	SECStatus rv = SECFailure;
171	0	SECItem **certs;
172	0	int count;
173	0	SECItem **rawCerts = NULL;
174	0	PLArenaPool *arena;
175	0	ContentInfo contentInfo;
176	0
177	0	arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
178	0	if (arena == NULL) {
179	0	return rv;
180	0	}
181	0
182	0	PORT_Memset(&contentInfo, 0, sizeof(contentInfo));
183	0	if (SEC_ASN1DecodeItem(arena, &contentInfo, ContentInfoTemplate,
184	0	certsItem) != SECSuccess) {
185	0	goto done;
186	0	}
187	0
188	0	if (GetContentTypeTag(&contentInfo) != SEC_OID_NS_TYPE_CERT_SEQUENCE) {
189	0	goto done;
190	0	}
191	0
192	0	if (SEC_QuickDERDecodeItem(arena, &rawCerts, SEC_CertSequenceTemplate,
193	0	contentInfo.content.data) != SECSuccess) {
194	0	goto done;
195	0	}
196	0
197	0	rv = SECSuccess;
198	0
199	0	certs = rawCerts;
200	0	if (certs) {
201	0	count = 0;
202	0
203	0	while (*certs) {
204	0	count++;
205	0	certs++;
206	0	}
207	0	rv = (*f)(arg, rawCerts, count);
208	0	}
209	0
210	0	done:
211	0	if (arena) {
212	0	PORT_FreeArena(arena, PR_FALSE);
213	0	}
214	0
215	0	return rv;
216	0	}
217
218		CERTCertificate *
219		CERT_ConvertAndDecodeCertificate(char *certstr)
220	0	{
221	0	CERTCertificate *cert;
222	0	SECStatus rv;
223	0	SECItem der;
224	0
225	0	rv = ATOB_ConvertAsciiToItem(&der, certstr);
226	0	if (rv != SECSuccess)
227	0	return NULL;
228	0
229	0	cert = CERT_NewTempCertificate(CERT_GetDefaultCertDB(),
230	0	&der, NULL, PR_FALSE, PR_TRUE);
231	0
232	0	PORT_Free(der.data);
233	0	return cert;
234	0	}
235
236		static const char NS_CERT_HEADER[] = "-----BEGIN CERTIFICATE-----";
237		static const char NS_CERT_TRAILER[] = "-----END CERTIFICATE-----";
238	0	#define NS_CERT_HEADER_LEN ((sizeof NS_CERT_HEADER) - 1)
239	0	#define NS_CERT_TRAILER_LEN ((sizeof NS_CERT_TRAILER) - 1)
240
241		/*
242		* read an old style ascii or binary certificate chain
243		*/
244		SECStatus
245		CERT_DecodeCertPackage(char *certbuf,
246		int certlen,
247		CERTImportCertificateFunc f,
248		void *arg)
249	0	{
250	0	unsigned char *cp;
251	0	unsigned char *bincert = NULL;
252	0	char *ascCert = NULL;
253	0	SECStatus rv;
254	0
255	0	if (certbuf == NULL) {
256	0	PORT_SetError(SEC_ERROR_INVALID_ARGS);
257	0	return (SECFailure);
258	0	}
259	0	/*
260	0	* Make sure certlen is long enough to handle the longest possible
261	0	* reference in the code below:
262	0	* 0x30 0x84 l1 l2 l3 l4 +
263	0	* tag 9 o1 o2 o3 o4 o5 o6 o7 o8 o9
264	0	* where 9 is the longest length of the expected oids we are testing.
265	0	* 6 + 11 = 17. 17 bytes is clearly too small to code any kind of
266	0	* certificate (a 128 bit ECC certificate contains at least an 8 byte
267	0	* key and a 16 byte signature, plus coding overhead). Typically a cert
268	0	* is much larger. So it's safe to require certlen to be at least 17
269	0	* bytes.
270	0	*/
271	0	if (certlen < 17) {
272	0	PORT_SetError(SEC_ERROR_INPUT_LEN);
273	0	return (SECFailure);
274	0	}
275	0
276	0	cp = (unsigned char *)certbuf;
277	0
278	0	/* is a DER encoded certificate of some type? */
279	0	if ((*cp & 0x1f) == SEC_ASN1_SEQUENCE) {
280	0	SECItem certitem;
281	0	SECItem *pcertitem = &certitem;
282	0	PRUint64 seqLen, seqLenLen;
283	0
284	0	cp++;
285	0
286	0	if (*cp & 0x80) {
287	0	/* Multibyte length */
288	0	seqLenLen = cp[0] & 0x7f;
289	0
290	0	switch (seqLenLen) {
291	0	case 4:
292	0	seqLen = ((unsigned long)cp[1] << 24) \|
293	0	((unsigned long)cp[2] << 16) \| (cp[3] << 8) \| cp[4];
294	0	break;
295	0	case 3:
296	0	seqLen = ((unsigned long)cp[1] << 16) \| (cp[2] << 8) \| cp[3];
297	0	break;
298	0	case 2:
299	0	seqLen = (cp[1] << 8) \| cp[2];
300	0	break;
301	0	case 1:
302	0	seqLen = cp[1];
303	0	break;
304	0	case 0:
305	0	/* indefinite length */
306	0	seqLen = 0;
307	0	break;
308	0	default:
309	0	goto notder;
310	0	}
311	0	cp += (seqLenLen + 1);
312	0
313	0	} else {
314	0	seqLenLen = 0;
315	0	seqLen = *cp;
316	0	cp++;
317	0	}
318	0
319	0	/* check entire length if definite length */
320	0	if (seqLen \|\| seqLenLen) {
321	0	if (certlen != (seqLen + seqLenLen + 2L)) {
322	0	if (certlen > (seqLen + seqLenLen + 2L))
323	0	PORT_SetError(SEC_ERROR_EXTRA_INPUT);
324	0	else
325	0	PORT_SetError(SEC_ERROR_INPUT_LEN);
326	0	goto notder;
327	0	}
328	0	}
329	0
330	0	/* check the type oid */
331	0	if (cp[0] == SEC_ASN1_OBJECT_ID) {
332	0	SECOidData *oiddata;
333	0	SECItem oiditem;
334	0	/* XXX - assume DER encoding of OID len!! */
335	0	oiditem.len = cp[1];
336	0	/* if we add an oid below that is longer than 9 bytes, then we
337	0	* need to change the certlen check at the top of the function
338	0	* to prevent a buffer overflow
339	0	*/
340	0	if (oiditem.len > 9) {
341	0	PORT_SetError(SEC_ERROR_UNRECOGNIZED_OID);
342	0	return (SECFailure);
343	0	}
344	0	oiditem.data = (unsigned char *)&cp[2];
345	0	oiddata = SECOID_FindOID(&oiditem);
346	0	if (oiddata == NULL) {
347	0	return (SECFailure);
348	0	}
349	0
350	0	certitem.data = (unsigned char *)certbuf;
351	0	certitem.len = certlen;
352	0
353	0	switch (oiddata->offset) {
354	0	case SEC_OID_PKCS7_SIGNED_DATA:
355	0	/* oid: 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02 */
356	0	return (SEC_ReadPKCS7Certs(&certitem, f, arg));
357	0	break;
358	0	case SEC_OID_NS_TYPE_CERT_SEQUENCE:
359	0	/* oid: 0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x42, 0x02, 0x05 */
360	0	return (SEC_ReadCertSequence(&certitem, f, arg));
361	0	break;
362	0	default:
363	0	break;
364	0	}
365	0
366	0	} else {
367	0	/* it had better be a certificate by now!! */
368	0	certitem.data = (unsigned char *)certbuf;
369	0	certitem.len = certlen;
370	0
371	0	rv = (*f)(arg, &pcertitem, 1);
372	0	return (rv);
373	0	}
374	0	}
375	0
376	0	/* now look for a netscape base64 ascii encoded cert */
377	0	notder : {
378	0	unsigned char *certbegin = NULL;
379	0	unsigned char *certend = NULL;
380	0	char *pc;
381	0	int cl;
382	0
383	0	/* Convert the ASCII data into a nul-terminated string */
384	0	ascCert = (char *)PORT_Alloc(certlen + 1);
385	0	if (!ascCert) {
386	0	rv = SECFailure;
387	0	goto loser;
388	0	}
389	0
390	0	PORT_Memcpy(ascCert, certbuf, certlen);
391	0	ascCert[certlen] = '\0';
392	0
393	0	pc = PORT_Strchr(ascCert, '\n'); /* find an EOL */
394	0	if (!pc) { /* maybe this is a MAC file */
395	0	pc = ascCert;
396	0	while (*pc && NULL != (pc = PORT_Strchr(pc, '\r'))) {
397	0	*pc++ = '\n';
398	0	}
399	0	}
400	0
401	0	cp = (unsigned char *)ascCert;
402	0	cl = certlen;
403	0
404	0	/* find the beginning marker */
405	0	while (cl > NS_CERT_HEADER_LEN) {
406	0	int found = 0;
407	0	if (!PORT_Strncasecmp((char *)cp, NS_CERT_HEADER,
408	0	NS_CERT_HEADER_LEN)) {
409	0	cl -= NS_CERT_HEADER_LEN;
410	0	cp += NS_CERT_HEADER_LEN;
411	0	found = 1;
412	0	}
413	0
414	0	/* skip to next eol */
415	0	while (cl && (*cp != '\n')) {
416	0	cp++;
417	0	cl--;
418	0	}
419	0
420	0	/* skip all blank lines */
421	0	while (cl && (cp == '\n' \|\| cp == '\r')) {
422	0	cp++;
423	0	cl--;
424	0	}
425	0	if (cl && found) {
426	0	certbegin = cp;
427	0	break;
428	0	}
429	0	}
430	0
431	0	if (certbegin) {
432	0	/* find the ending marker */
433	0	while (cl >= NS_CERT_TRAILER_LEN) {
434	0	if (!PORT_Strncasecmp((char *)cp, NS_CERT_TRAILER,
435	0	NS_CERT_TRAILER_LEN)) {
436	0	certend = cp;
437	0	break;
438	0	}
439	0
440	0	/* skip to next eol */
441	0	while (cl && (*cp != '\n')) {
442	0	cp++;
443	0	cl--;
444	0	}
445	0
446	0	/* skip all blank lines */
447	0	while (cl && (cp == '\n' \|\| cp == '\r')) {
448	0	cp++;
449	0	cl--;
450	0	}
451	0	}
452	0	}
453	0
454	0	if (certbegin && certend) {
455	0	unsigned int binLen;
456	0
457	0	*certend = 0;
458	0	/* convert to binary */
459	0	bincert = ATOB_AsciiToData((char *)certbegin, &binLen);
460	0	if (!bincert) {
461	0	rv = SECFailure;
462	0	goto loser;
463	0	}
464	0
465	0	/* now recurse to decode the binary */
466	0	rv = CERT_DecodeCertPackage((char *)bincert, binLen, f, arg);
467	0
468	0	} else {
469	0	PORT_SetError(SEC_ERROR_BAD_DER);
470	0	rv = SECFailure;
471	0	}
472	0	}
473	0
474	0	loser:
475	0
476	0	if (bincert) {
477	0	PORT_Free(bincert);
478	0	}
479	0
480	0	if (ascCert) {
481	0	PORT_Free(ascCert);
482	0	}
483	0
484	0	return (rv);
485	0	}
486
487		typedef struct {
488		PLArenaPool *arena;
489		SECItem cert;
490		} collect_args;
491
492		static SECStatus
493		collect_certs(void arg, SECItem *certs, int numcerts)
494	0	{
495	0	SECStatus rv;
496	0	collect_args *collectArgs;
497	0
498	0	collectArgs = (collect_args *)arg;
499	0
500	0	rv = SECITEM_CopyItem(collectArgs->arena, &collectArgs->cert, *certs);
501	0
502	0	return (rv);
503	0	}
504
505		/*
506		* read an old style ascii or binary certificate
507		*/
508		CERTCertificate *
509		CERT_DecodeCertFromPackage(char *certbuf, int certlen)
510	0	{
511	0	collect_args collectArgs;
512	0	SECStatus rv;
513	0	CERTCertificate *cert = NULL;
514	0
515	0	collectArgs.arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
516	0
517	0	rv = CERT_DecodeCertPackage(certbuf, certlen, collect_certs,
518	0	(void *)&collectArgs);
519	0	if (rv == SECSuccess) {
520	0	cert = CERT_NewTempCertificate(CERT_GetDefaultCertDB(),
521	0	&collectArgs.cert, NULL,
522	0	PR_FALSE, PR_TRUE);
523	0	}
524	0
525	0	PORT_FreeArena(collectArgs.arena, PR_FALSE);
526	0
527	0	return (cert);
528	0	}