/src/gnutls/lib/x509/common.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * Copyright (C) 2003-2014 Free Software Foundation, Inc. |
3 | | * Copyright (C) 2015-2016 Red Hat, Inc. |
4 | | * |
5 | | * Author: Nikos Mavrogiannopoulos |
6 | | * |
7 | | * This file is part of GnuTLS. |
8 | | * |
9 | | * The GnuTLS is free software; you can redistribute it and/or |
10 | | * modify it under the terms of the GNU Lesser General Public License |
11 | | * as published by the Free Software Foundation; either version 2.1 of |
12 | | * the License, or (at your option) any later version. |
13 | | * |
14 | | * This library is distributed in the hope that it will be useful, but |
15 | | * WITHOUT ANY WARRANTY; without even the implied warranty of |
16 | | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
17 | | * Lesser General Public License for more details. |
18 | | * |
19 | | * You should have received a copy of the GNU Lesser General Public License |
20 | | * along with this program. If not, see <https://www.gnu.org/licenses/> |
21 | | * |
22 | | */ |
23 | | |
24 | | #include "gnutls_int.h" |
25 | | #include <libtasn1.h> |
26 | | #include "datum.h" |
27 | | #include "global.h" |
28 | | #include "errors.h" |
29 | | #include "str.h" |
30 | | #include "x509.h" |
31 | | #include "num.h" |
32 | | #include "x509_b64.h" |
33 | | #include <c-strcase.h> |
34 | | #include "x509_int.h" |
35 | | #include "extras/hex.h" |
36 | | #include "common.h" |
37 | | |
38 | | static int data2hex(const void *data, size_t data_size, gnutls_datum_t *out); |
39 | | |
40 | | #define ENTRY(oid, ldap, asn, etype) \ |
41 | | { \ |
42 | | oid, sizeof(oid) - 1, ldap, sizeof(ldap) - 1, asn, etype \ |
43 | | } |
44 | | |
45 | | /* when there is no name description */ |
46 | | #define ENTRY_ND(oid, asn, etype) \ |
47 | | { \ |
48 | | oid, sizeof(oid) - 1, NULL, 0, asn, etype \ |
49 | | } |
50 | | |
51 | | /* This list contains all the OIDs that may be |
52 | | * contained in a rdnSequence and are printable. |
53 | | */ |
54 | | static const struct oid_to_string _oid2str[] = { |
55 | | /* PKIX |
56 | | */ |
57 | | ENTRY("1.3.6.1.5.5.7.9.2", "placeOfBirth", "PKIX1.DirectoryString", |
58 | | ASN1_ETYPE_INVALID), |
59 | | ENTRY("1.3.6.1.5.5.7.9.3", "gender", NULL, ASN1_ETYPE_PRINTABLE_STRING), |
60 | | ENTRY("1.3.6.1.5.5.7.9.4", "countryOfCitizenship", NULL, |
61 | | ASN1_ETYPE_PRINTABLE_STRING), |
62 | | ENTRY("1.3.6.1.5.5.7.9.5", "countryOfResidence", NULL, |
63 | | ASN1_ETYPE_PRINTABLE_STRING), |
64 | | |
65 | | ENTRY("2.5.4.6", "C", NULL, ASN1_ETYPE_PRINTABLE_STRING), |
66 | | ENTRY("2.5.4.9", "street", "PKIX1.DirectoryString", ASN1_ETYPE_INVALID), |
67 | | ENTRY("2.5.4.12", "title", "PKIX1.DirectoryString", ASN1_ETYPE_INVALID), |
68 | | ENTRY("2.5.4.10", "O", "PKIX1.DirectoryString", ASN1_ETYPE_INVALID), |
69 | | ENTRY("2.5.4.11", "OU", "PKIX1.DirectoryString", ASN1_ETYPE_INVALID), |
70 | | ENTRY("2.5.4.3", "CN", "PKIX1.DirectoryString", ASN1_ETYPE_INVALID), |
71 | | ENTRY("2.5.4.7", "L", "PKIX1.DirectoryString", ASN1_ETYPE_INVALID), |
72 | | ENTRY("2.5.4.8", "ST", "PKIX1.DirectoryString", ASN1_ETYPE_INVALID), |
73 | | ENTRY("2.5.4.13", "description", "PKIX1.DirectoryString", |
74 | | ASN1_ETYPE_INVALID), |
75 | | |
76 | | ENTRY("2.5.4.5", "serialNumber", NULL, ASN1_ETYPE_PRINTABLE_STRING), |
77 | | ENTRY("2.5.4.20", "telephoneNumber", NULL, ASN1_ETYPE_PRINTABLE_STRING), |
78 | | ENTRY("2.5.4.4", "surName", "PKIX1.DirectoryString", |
79 | | ASN1_ETYPE_INVALID), |
80 | | ENTRY("2.5.4.43", "initials", "PKIX1.DirectoryString", |
81 | | ASN1_ETYPE_INVALID), |
82 | | ENTRY("2.5.4.44", "generationQualifier", "PKIX1.DirectoryString", |
83 | | ASN1_ETYPE_INVALID), |
84 | | ENTRY("2.5.4.42", "givenName", "PKIX1.DirectoryString", |
85 | | ASN1_ETYPE_INVALID), |
86 | | ENTRY("2.5.4.65", "pseudonym", "PKIX1.DirectoryString", |
87 | | ASN1_ETYPE_INVALID), |
88 | | ENTRY("2.5.4.46", "dnQualifier", NULL, ASN1_ETYPE_PRINTABLE_STRING), |
89 | | ENTRY("2.5.4.17", "postalCode", "PKIX1.DirectoryString", |
90 | | ASN1_ETYPE_INVALID), |
91 | | ENTRY("2.5.4.41", "name", "PKIX1.DirectoryString", ASN1_ETYPE_INVALID), |
92 | | ENTRY("2.5.4.15", "businessCategory", "PKIX1.DirectoryString", |
93 | | ASN1_ETYPE_INVALID), |
94 | | |
95 | | ENTRY("0.9.2342.19200300.100.1.25", "DC", NULL, ASN1_ETYPE_IA5_STRING), |
96 | | ENTRY("0.9.2342.19200300.100.1.1", "UID", "PKIX1.DirectoryString", |
97 | | ASN1_ETYPE_INVALID), |
98 | | ENTRY("1.2.840.113556.1.4.656", "userPrincipalName", |
99 | | "PKIX1.DirectoryString", ASN1_ETYPE_INVALID), |
100 | | |
101 | | /* Extended validation |
102 | | */ |
103 | | ENTRY("1.3.6.1.4.1.311.60.2.1.1", |
104 | | "jurisdictionOfIncorporationLocalityName", |
105 | | "PKIX1.DirectoryString", ASN1_ETYPE_INVALID), |
106 | | ENTRY("1.3.6.1.4.1.311.60.2.1.2", |
107 | | "jurisdictionOfIncorporationStateOrProvinceName", |
108 | | "PKIX1.DirectoryString", ASN1_ETYPE_INVALID), |
109 | | ENTRY("1.3.6.1.4.1.311.60.2.1.3", |
110 | | "jurisdictionOfIncorporationCountryName", NULL, |
111 | | ASN1_ETYPE_PRINTABLE_STRING), |
112 | | |
113 | | /* PKCS #9 |
114 | | */ |
115 | | ENTRY("1.2.840.113549.1.9.1", "EMAIL", NULL, ASN1_ETYPE_IA5_STRING), |
116 | | ENTRY_ND("1.2.840.113549.1.9.7", "PKIX1.pkcs-9-challengePassword", |
117 | | ASN1_ETYPE_INVALID), |
118 | | |
119 | | /* friendly name */ |
120 | | ENTRY_ND("1.2.840.113549.1.9.20", NULL, ASN1_ETYPE_BMP_STRING), |
121 | | /* local key id */ |
122 | | ENTRY_ND("1.2.840.113549.1.9.21", NULL, ASN1_ETYPE_OCTET_STRING), |
123 | | ENTRY_ND("1.2.840.113549.1.9.4", NULL, ASN1_ETYPE_OCTET_STRING), |
124 | | |
125 | | /* rfc3920 section 5.1.1 */ |
126 | | ENTRY("1.3.6.1.5.5.7.8.5", "XmppAddr", NULL, ASN1_ETYPE_UTF8_STRING), |
127 | | |
128 | | /* Russian things: https://cdnimg.rg.ru/pril/66/91/91/23041_pril.pdf */ |
129 | | /* Main state registration number */ |
130 | | ENTRY("1.2.643.100.1", "OGRN", NULL, ASN1_ETYPE_NUMERIC_STRING), |
131 | | /* Individual insurance account number */ |
132 | | ENTRY("1.2.643.100.3", "SNILS", NULL, ASN1_ETYPE_NUMERIC_STRING), |
133 | | /* Main state registration number for individual enterpreneurs */ |
134 | | ENTRY("1.2.643.100.5", "OGRNIP", NULL, ASN1_ETYPE_NUMERIC_STRING), |
135 | | /* VAT identification number */ |
136 | | ENTRY("1.2.643.3.131.1.1", "INN", NULL, ASN1_ETYPE_NUMERIC_STRING), |
137 | | |
138 | | { NULL, 0, NULL, 0, NULL, 0 } |
139 | | }; |
140 | | |
141 | | const struct oid_to_string * |
142 | | _gnutls_oid_get_entry(const struct oid_to_string *ots, const char *oid) |
143 | 0 | { |
144 | 0 | unsigned int i = 0; |
145 | 0 | unsigned len = strlen(oid); |
146 | |
|
147 | 0 | do { |
148 | 0 | if (len == ots[i].oid_size && strcmp(ots[i].oid, oid) == 0) |
149 | 0 | return &ots[i]; |
150 | 0 | i++; |
151 | 0 | } while (ots[i].oid != NULL); |
152 | | |
153 | 0 | return NULL; |
154 | 0 | } |
155 | | |
156 | | const char *_gnutls_oid_get_asn_desc(const char *oid) |
157 | 0 | { |
158 | 0 | const struct oid_to_string *entry = |
159 | 0 | _gnutls_oid_get_entry(_oid2str, oid); |
160 | 0 | return entry ? entry->asn_desc : NULL; |
161 | 0 | } |
162 | | |
163 | | const char *_gnutls_ldap_string_to_oid(const char *str, unsigned str_len) |
164 | 0 | { |
165 | 0 | unsigned int i = 0; |
166 | |
|
167 | 0 | do { |
168 | 0 | if ((_oid2str[i].name_desc != NULL) && |
169 | 0 | (str_len == _oid2str[i].name_desc_size) && |
170 | 0 | (c_strncasecmp(_oid2str[i].name_desc, str, str_len) == 0)) |
171 | 0 | return _oid2str[i].oid; |
172 | 0 | i++; |
173 | 0 | } while (_oid2str[i].oid != NULL); |
174 | | |
175 | 0 | return NULL; |
176 | 0 | } |
177 | | |
178 | | /* Escapes a string following the rules from RFC4514. |
179 | | */ |
180 | | static int str_escape(const gnutls_datum_t *str, gnutls_datum_t *escaped) |
181 | 0 | { |
182 | 0 | unsigned int j, i; |
183 | 0 | uint8_t *buffer = NULL; |
184 | 0 | int ret; |
185 | |
|
186 | 0 | if (str == NULL) |
187 | 0 | return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); |
188 | | |
189 | | /* the string will be at most twice the original */ |
190 | 0 | buffer = gnutls_malloc(str->size * 2 + 2); |
191 | 0 | if (buffer == NULL) |
192 | 0 | return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); |
193 | | |
194 | 0 | for (i = j = 0; i < str->size; i++) { |
195 | 0 | if (str->data[i] == 0) { |
196 | | /* this is handled earlier */ |
197 | 0 | ret = gnutls_assert_val(GNUTLS_E_ASN1_DER_ERROR); |
198 | 0 | goto cleanup; |
199 | 0 | } |
200 | | |
201 | 0 | if (str->data[i] == ',' || str->data[i] == '+' || |
202 | 0 | str->data[i] == '"' || str->data[i] == '\\' || |
203 | 0 | str->data[i] == '<' || str->data[i] == '>' || |
204 | 0 | str->data[i] == ';' || str->data[i] == 0) |
205 | 0 | buffer[j++] = '\\'; |
206 | 0 | else if (i == 0 && str->data[i] == '#') |
207 | 0 | buffer[j++] = '\\'; |
208 | 0 | else if (i == 0 && str->data[i] == ' ') |
209 | 0 | buffer[j++] = '\\'; |
210 | 0 | else if (i == (str->size - 1) && str->data[i] == ' ') |
211 | 0 | buffer[j++] = '\\'; |
212 | |
|
213 | 0 | buffer[j++] = str->data[i]; |
214 | 0 | } |
215 | | |
216 | | /* null terminate the string */ |
217 | 0 | buffer[j] = 0; |
218 | 0 | escaped->data = buffer; |
219 | 0 | escaped->size = j; |
220 | |
|
221 | 0 | return 0; |
222 | 0 | cleanup: |
223 | 0 | gnutls_free(buffer); |
224 | 0 | return ret; |
225 | 0 | } |
226 | | |
227 | | /** |
228 | | * gnutls_x509_dn_oid_known: |
229 | | * @oid: holds an Object Identifier in a null terminated string |
230 | | * |
231 | | * This function will inform about known DN OIDs. This is useful since |
232 | | * functions like gnutls_x509_crt_set_dn_by_oid() use the information |
233 | | * on known OIDs to properly encode their input. Object Identifiers |
234 | | * that are not known are not encoded by these functions, and their |
235 | | * input is stored directly into the ASN.1 structure. In that case of |
236 | | * unknown OIDs, you have the responsibility of DER encoding your |
237 | | * data. |
238 | | * |
239 | | * Returns: 1 on known OIDs and 0 otherwise. |
240 | | **/ |
241 | | int gnutls_x509_dn_oid_known(const char *oid) |
242 | 0 | { |
243 | 0 | return _gnutls_oid_get_entry(_oid2str, oid) != NULL; |
244 | 0 | } |
245 | | |
246 | | /** |
247 | | * gnutls_x509_dn_oid_name: |
248 | | * @oid: holds an Object Identifier in a null terminated string |
249 | | * @flags: 0 or GNUTLS_X509_DN_OID_* |
250 | | * |
251 | | * This function will return the name of a known DN OID. If |
252 | | * %GNUTLS_X509_DN_OID_RETURN_OID is specified this function |
253 | | * will return the given OID if no descriptive name has been |
254 | | * found. |
255 | | * |
256 | | * Returns: A null terminated string or NULL otherwise. |
257 | | * |
258 | | * Since: 3.0 |
259 | | **/ |
260 | | const char *gnutls_x509_dn_oid_name(const char *oid, unsigned int flags) |
261 | 0 | { |
262 | 0 | const struct oid_to_string *entry = |
263 | 0 | _gnutls_oid_get_entry(_oid2str, oid); |
264 | |
|
265 | 0 | if (entry && entry->name_desc) |
266 | 0 | return entry->name_desc; |
267 | 0 | if (flags & GNUTLS_X509_DN_OID_RETURN_OID) |
268 | 0 | return oid; |
269 | 0 | else |
270 | 0 | return NULL; |
271 | 0 | } |
272 | | |
273 | | static int make_printable_string(unsigned etype, const gnutls_datum_t *input, |
274 | | gnutls_datum_t *out) |
275 | 0 | { |
276 | 0 | int printable = 0; |
277 | 0 | int ret; |
278 | | |
279 | | /* empty input strings result to a null string */ |
280 | 0 | if (input->data == NULL || input->size == 0) { |
281 | 0 | out->data = gnutls_calloc(1, 1); |
282 | 0 | if (out->data == NULL) |
283 | 0 | return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); |
284 | 0 | out->size = 0; |
285 | 0 | return 0; |
286 | 0 | } |
287 | | |
288 | 0 | if (etype == ASN1_ETYPE_BMP_STRING) { |
289 | 0 | ret = _gnutls_ucs2_to_utf8(input->data, input->size, out, 1); |
290 | 0 | if (ret < 0) { |
291 | | /* could not convert. Handle it as non-printable */ |
292 | 0 | printable = 0; |
293 | 0 | } else |
294 | 0 | printable = 1; |
295 | 0 | } else if (etype == ASN1_ETYPE_TELETEX_STRING) { |
296 | | /* HACK: if the teletex string contains only ascii |
297 | | * characters then treat it as printable. |
298 | | */ |
299 | 0 | if (_gnutls_str_is_print((char *)input->data, input->size)) { |
300 | 0 | out->data = gnutls_malloc(input->size + 1); |
301 | 0 | if (out->data == NULL) |
302 | 0 | return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); |
303 | | |
304 | 0 | memcpy(out->data, input->data, input->size); |
305 | 0 | out->size = input->size; |
306 | |
|
307 | 0 | out->data[out->size] = 0; |
308 | |
|
309 | 0 | printable = 1; |
310 | 0 | } |
311 | 0 | } else if (etype != |
312 | 0 | ASN1_ETYPE_UNIVERSAL_STRING) /* supported but not printable */ |
313 | 0 | return GNUTLS_E_INVALID_REQUEST; |
314 | | |
315 | 0 | if (printable == 0) { /* need to allocate out */ |
316 | 0 | ret = data2hex(input->data, input->size, out); |
317 | 0 | if (ret < 0) { |
318 | 0 | gnutls_assert(); |
319 | 0 | return ret; |
320 | 0 | } |
321 | 0 | } |
322 | | |
323 | 0 | return 0; |
324 | 0 | } |
325 | | |
326 | | static int decode_complex_string(const struct oid_to_string *oentry, |
327 | | void *value, int value_size, |
328 | | gnutls_datum_t *out) |
329 | 0 | { |
330 | 0 | char str[MAX_STRING_LEN], tmpname[128]; |
331 | 0 | int len = -1, result; |
332 | 0 | asn1_node tmpasn = NULL; |
333 | 0 | char asn1_err[ASN1_MAX_ERROR_DESCRIPTION_SIZE] = ""; |
334 | 0 | unsigned int etype; |
335 | 0 | gnutls_datum_t td = { NULL, 0 }; |
336 | |
|
337 | 0 | if (oentry->asn_desc == NULL) { |
338 | 0 | gnutls_assert(); |
339 | 0 | return GNUTLS_E_INTERNAL_ERROR; |
340 | 0 | } |
341 | | |
342 | 0 | if ((result = asn1_create_element(_gnutls_get_pkix(), oentry->asn_desc, |
343 | 0 | &tmpasn)) != ASN1_SUCCESS) { |
344 | 0 | gnutls_assert(); |
345 | 0 | return _gnutls_asn2err(result); |
346 | 0 | } |
347 | | |
348 | 0 | if ((result = _asn1_strict_der_decode(&tmpasn, value, value_size, |
349 | 0 | asn1_err)) != ASN1_SUCCESS) { |
350 | 0 | gnutls_assert(); |
351 | 0 | _gnutls_debug_log("_asn1_strict_der_decode: %s\n", asn1_err); |
352 | 0 | asn1_delete_structure(&tmpasn); |
353 | 0 | return _gnutls_asn2err(result); |
354 | 0 | } |
355 | | |
356 | | /* Read the type of choice. |
357 | | */ |
358 | 0 | len = sizeof(str) - 1; |
359 | 0 | if ((result = asn1_read_value(tmpasn, "", str, &len)) != |
360 | 0 | ASN1_SUCCESS) { /* CHOICE */ |
361 | 0 | gnutls_assert(); |
362 | 0 | asn1_delete_structure(&tmpasn); |
363 | 0 | return _gnutls_asn2err(result); |
364 | 0 | } |
365 | | |
366 | 0 | str[len] = 0; |
367 | | |
368 | | /* We set the etype on the strings that may need |
369 | | * some conversion to UTF-8. The INVALID flag indicates |
370 | | * no conversion needed */ |
371 | 0 | if (strcmp(str, "teletexString") == 0) |
372 | 0 | etype = ASN1_ETYPE_TELETEX_STRING; |
373 | 0 | else if (strcmp(str, "bmpString") == 0) |
374 | 0 | etype = ASN1_ETYPE_BMP_STRING; |
375 | 0 | else if (strcmp(str, "universalString") == 0) |
376 | 0 | etype = ASN1_ETYPE_UNIVERSAL_STRING; |
377 | 0 | else |
378 | 0 | etype = ASN1_ETYPE_INVALID; |
379 | |
|
380 | 0 | _gnutls_str_cpy(tmpname, sizeof(tmpname), str); |
381 | |
|
382 | 0 | result = _gnutls_x509_read_value(tmpasn, tmpname, &td); |
383 | 0 | asn1_delete_structure(&tmpasn); |
384 | 0 | if (result < 0) |
385 | 0 | return gnutls_assert_val(result); |
386 | | |
387 | 0 | if (etype != ASN1_ETYPE_INVALID) { |
388 | 0 | result = make_printable_string(etype, &td, out); |
389 | |
|
390 | 0 | _gnutls_free_datum(&td); |
391 | |
|
392 | 0 | if (result < 0) |
393 | 0 | return gnutls_assert_val(result); |
394 | 0 | } else { |
395 | 0 | out->data = td.data; |
396 | 0 | out->size = td.size; |
397 | | /* _gnutls_x509_read_value always null terminates */ |
398 | 0 | } |
399 | | |
400 | 0 | assert(out->data != NULL); |
401 | | |
402 | | /* Refuse to deal with strings containing NULs. */ |
403 | 0 | if (strlen((void *)out->data) != (size_t)out->size) { |
404 | 0 | _gnutls_free_datum(out); |
405 | 0 | return gnutls_assert_val(GNUTLS_E_ASN1_EMBEDDED_NULL_IN_STRING); |
406 | 0 | } |
407 | | |
408 | 0 | return 0; |
409 | 0 | } |
410 | | |
411 | | /* This function will convert an attribute value, specified by the OID, |
412 | | * to a string. The result will be a null terminated string. |
413 | | * |
414 | | * res may be null. This will just return the res_size, needed to |
415 | | * hold the string. |
416 | | */ |
417 | | int _gnutls_x509_dn_to_string(const char *oid, void *value, int value_size, |
418 | | gnutls_datum_t *str) |
419 | 0 | { |
420 | 0 | const struct oid_to_string *oentry; |
421 | 0 | int ret; |
422 | 0 | gnutls_datum_t tmp = { NULL, 0 }; |
423 | |
|
424 | 0 | if (value == NULL || value_size <= 0) { |
425 | 0 | gnutls_assert(); |
426 | 0 | return GNUTLS_E_INVALID_REQUEST; |
427 | 0 | } |
428 | | |
429 | 0 | oentry = _gnutls_oid_get_entry(_oid2str, oid); |
430 | 0 | if (oentry == NULL) { /* unknown OID -> hex */ |
431 | 0 | unknown_oid: |
432 | 0 | ret = data2hex(value, value_size, str); |
433 | 0 | if (ret < 0) { |
434 | 0 | gnutls_assert(); |
435 | 0 | return ret; |
436 | 0 | } |
437 | 0 | return 0; |
438 | 0 | } |
439 | | |
440 | 0 | if (oentry->asn_desc != NULL) { /* complex */ |
441 | 0 | ret = decode_complex_string(oentry, value, value_size, &tmp); |
442 | 0 | if (ret < 0) { |
443 | | /* we failed decoding -> handle it as unknown OID */ |
444 | 0 | goto unknown_oid; |
445 | 0 | } |
446 | 0 | } else { |
447 | 0 | ret = _gnutls_x509_decode_string(oentry->etype, value, |
448 | 0 | value_size, &tmp, 0); |
449 | 0 | if (ret < 0) { |
450 | | /* we failed decoding -> handle it as unknown OID */ |
451 | 0 | goto unknown_oid; |
452 | 0 | } |
453 | 0 | } |
454 | | |
455 | 0 | ret = str_escape(&tmp, str); |
456 | 0 | _gnutls_free_datum(&tmp); |
457 | |
|
458 | 0 | if (ret < 0) |
459 | 0 | return gnutls_assert_val(ret); |
460 | | |
461 | 0 | return 0; |
462 | 0 | } |
463 | | |
464 | | /* Converts a data string to an LDAP rfc2253 hex string |
465 | | * something like '#01020304' |
466 | | */ |
467 | | static int data2hex(const void *data, size_t data_size, gnutls_datum_t *out) |
468 | 0 | { |
469 | 0 | gnutls_datum_t tmp, td; |
470 | 0 | int ret; |
471 | 0 | size_t size; |
472 | |
|
473 | 0 | td.size = hex_str_size(data_size) + 1; /* +1 for '#' */ |
474 | 0 | td.data = gnutls_malloc(td.size); |
475 | 0 | if (td.data == NULL) |
476 | 0 | return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); |
477 | | |
478 | 0 | tmp.data = (void *)data; |
479 | 0 | tmp.size = data_size; |
480 | |
|
481 | 0 | td.data[0] = '#'; |
482 | 0 | size = td.size - 1; /* don't include '#' */ |
483 | 0 | ret = gnutls_hex_encode(&tmp, (char *)&td.data[1], &size); |
484 | 0 | if (ret < 0) { |
485 | 0 | gnutls_assert(); |
486 | 0 | gnutls_free(td.data); |
487 | 0 | return GNUTLS_E_SHORT_MEMORY_BUFFER; |
488 | 0 | } |
489 | | |
490 | 0 | td.size--; /* don't include null */ |
491 | |
|
492 | 0 | out->data = td.data; |
493 | 0 | out->size = td.size; |
494 | |
|
495 | 0 | return 0; |
496 | 0 | } |
497 | | |
498 | | gnutls_x509_subject_alt_name_t _gnutls_x509_san_find_type(char *str_type) |
499 | 0 | { |
500 | 0 | if (strcmp(str_type, "dNSName") == 0) |
501 | 0 | return GNUTLS_SAN_DNSNAME; |
502 | 0 | if (strcmp(str_type, "rfc822Name") == 0) |
503 | 0 | return GNUTLS_SAN_RFC822NAME; |
504 | 0 | if (strcmp(str_type, "uniformResourceIdentifier") == 0) |
505 | 0 | return GNUTLS_SAN_URI; |
506 | 0 | if (strcmp(str_type, "iPAddress") == 0) |
507 | 0 | return GNUTLS_SAN_IPADDRESS; |
508 | 0 | if (strcmp(str_type, "otherName") == 0) |
509 | 0 | return GNUTLS_SAN_OTHERNAME; |
510 | 0 | if (strcmp(str_type, "directoryName") == 0) |
511 | 0 | return GNUTLS_SAN_DN; |
512 | 0 | if (strcmp(str_type, "registeredID") == 0) |
513 | 0 | return GNUTLS_SAN_REGISTERED_ID; |
514 | | |
515 | 0 | return (gnutls_x509_subject_alt_name_t)-1; |
516 | 0 | } |
517 | | |
518 | | /* A generic export function. Will export the given ASN.1 encoded data |
519 | | * to PEM or DER raw data. |
520 | | */ |
521 | | int _gnutls_x509_export_int_named(asn1_node asn1_data, const char *name, |
522 | | gnutls_x509_crt_fmt_t format, |
523 | | const char *pem_header, |
524 | | unsigned char *output_data, |
525 | | size_t *output_data_size) |
526 | 0 | { |
527 | 0 | int ret; |
528 | 0 | gnutls_datum_t out = { NULL, 0 }; |
529 | 0 | size_t size; |
530 | |
|
531 | 0 | ret = _gnutls_x509_export_int_named2(asn1_data, name, format, |
532 | 0 | pem_header, &out); |
533 | 0 | if (ret < 0) |
534 | 0 | return gnutls_assert_val(ret); |
535 | | |
536 | 0 | if (format == GNUTLS_X509_FMT_PEM) |
537 | 0 | size = out.size + 1; |
538 | 0 | else |
539 | 0 | size = out.size; |
540 | |
|
541 | 0 | if (*output_data_size < size) { |
542 | 0 | *output_data_size = size; |
543 | 0 | ret = gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER); |
544 | 0 | goto cleanup; |
545 | 0 | } |
546 | | |
547 | 0 | *output_data_size = (size_t)out.size; |
548 | 0 | if (output_data) { |
549 | 0 | if (out.size > 0) { |
550 | 0 | memcpy(output_data, out.data, (size_t)out.size); |
551 | 0 | } |
552 | 0 | if (format == GNUTLS_X509_FMT_PEM) |
553 | 0 | output_data[out.size] = 0; |
554 | 0 | } |
555 | |
|
556 | 0 | ret = 0; |
557 | |
|
558 | 0 | cleanup: |
559 | 0 | gnutls_free(out.data); |
560 | |
|
561 | 0 | return ret; |
562 | 0 | } |
563 | | |
564 | | /* A generic export function. Will export the given ASN.1 encoded data |
565 | | * to PEM or DER raw data. |
566 | | */ |
567 | | int _gnutls_x509_export_int_named2(asn1_node asn1_data, const char *name, |
568 | | gnutls_x509_crt_fmt_t format, |
569 | | const char *pem_header, gnutls_datum_t *out) |
570 | 0 | { |
571 | 0 | int ret; |
572 | |
|
573 | 0 | if (format == GNUTLS_X509_FMT_DER) { |
574 | 0 | ret = _gnutls_x509_der_encode(asn1_data, name, out, 0); |
575 | 0 | if (ret < 0) |
576 | 0 | return gnutls_assert_val(ret); |
577 | 0 | } else { /* PEM */ |
578 | 0 | gnutls_datum_t tmp; |
579 | |
|
580 | 0 | ret = _gnutls_x509_der_encode(asn1_data, name, &tmp, 0); |
581 | 0 | if (ret < 0) |
582 | 0 | return gnutls_assert_val(ret); |
583 | | |
584 | 0 | ret = _gnutls_fbase64_encode(pem_header, tmp.data, tmp.size, |
585 | 0 | out); |
586 | 0 | _gnutls_free_datum(&tmp); |
587 | |
|
588 | 0 | if (ret < 0) |
589 | 0 | return gnutls_assert_val(ret); |
590 | 0 | } |
591 | | |
592 | 0 | return 0; |
593 | 0 | } |
594 | | |
595 | | /* Decodes an octet string. The etype specifies the string type. |
596 | | * The returned string is always null terminated (but null is not |
597 | | * included in size). |
598 | | */ |
599 | | int _gnutls_x509_decode_string(unsigned int etype, const uint8_t *der, |
600 | | size_t der_size, gnutls_datum_t *output, |
601 | | unsigned allow_ber) |
602 | 0 | { |
603 | 0 | int ret; |
604 | 0 | uint8_t *str; |
605 | 0 | unsigned int str_size, len; |
606 | 0 | gnutls_datum_t td; |
607 | |
|
608 | 0 | output->data = NULL; |
609 | 0 | output->size = 0; |
610 | |
|
611 | 0 | if (allow_ber) |
612 | 0 | ret = asn1_decode_simple_ber(etype, der, der_size, &str, |
613 | 0 | &str_size, NULL); |
614 | 0 | else |
615 | 0 | ret = asn1_decode_simple_der(etype, der, der_size, |
616 | 0 | (const uint8_t **)&str, &str_size); |
617 | 0 | if (ret != ASN1_SUCCESS) { |
618 | 0 | gnutls_assert(); |
619 | 0 | ret = _gnutls_asn2err(ret); |
620 | 0 | return ret; |
621 | 0 | } |
622 | | |
623 | 0 | td.size = str_size; |
624 | 0 | td.data = gnutls_malloc(str_size + 1); |
625 | 0 | if (td.data == NULL) |
626 | 0 | return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); |
627 | | |
628 | 0 | if (str_size > 0) |
629 | 0 | memcpy(td.data, str, str_size); |
630 | 0 | td.data[str_size] = 0; |
631 | |
|
632 | 0 | if (allow_ber) |
633 | 0 | free(str); |
634 | |
|
635 | 0 | ret = make_printable_string(etype, &td, output); |
636 | 0 | if (ret == GNUTLS_E_INVALID_REQUEST) { /* unsupported etype */ |
637 | 0 | output->data = td.data; |
638 | 0 | output->size = td.size; |
639 | 0 | ret = 0; |
640 | 0 | } else if (ret <= 0) { |
641 | 0 | _gnutls_free_datum(&td); |
642 | 0 | } |
643 | | |
644 | | /* Refuse to deal with strings containing NULs. */ |
645 | 0 | if (etype != ASN1_ETYPE_OCTET_STRING) { |
646 | 0 | if (output->data) |
647 | 0 | len = strlen((void *)output->data); |
648 | 0 | else |
649 | 0 | len = 0; |
650 | |
|
651 | 0 | if (len != (size_t)output->size) { |
652 | 0 | _gnutls_free_datum(output); |
653 | 0 | ret = gnutls_assert_val( |
654 | 0 | GNUTLS_E_ASN1_EMBEDDED_NULL_IN_STRING); |
655 | 0 | } |
656 | 0 | } |
657 | |
|
658 | 0 | return ret; |
659 | 0 | } |
660 | | |
661 | | /* Reads a value from an ASN1 tree, and puts the output |
662 | | * in an allocated variable in the given datum. |
663 | | * |
664 | | * Note that this function always allocates one plus |
665 | | * the required data size (and places a null byte). |
666 | | */ |
667 | | static int x509_read_value(asn1_node c, const char *root, gnutls_datum_t *ret, |
668 | | unsigned allow_null) |
669 | 0 | { |
670 | 0 | int len = 0, result; |
671 | 0 | uint8_t *tmp = NULL; |
672 | 0 | unsigned int etype; |
673 | |
|
674 | 0 | result = asn1_read_value_type(c, root, NULL, &len, &etype); |
675 | 0 | if (result == 0 && allow_null == 0 && len == 0) { |
676 | | /* don't allow null strings */ |
677 | 0 | return gnutls_assert_val(GNUTLS_E_ASN1_DER_ERROR); |
678 | 0 | } else if (result == 0 && allow_null == 0 && |
679 | 0 | etype == ASN1_ETYPE_OBJECT_ID && len == 1) { |
680 | 0 | return gnutls_assert_val(GNUTLS_E_ASN1_DER_ERROR); |
681 | 0 | } |
682 | | |
683 | 0 | if (result != ASN1_MEM_ERROR) { |
684 | 0 | if (result != ASN1_SUCCESS || allow_null == 0 || len != 0) { |
685 | 0 | result = _gnutls_asn2err(result); |
686 | 0 | return result; |
687 | 0 | } |
688 | 0 | } |
689 | | |
690 | 0 | if (etype == ASN1_ETYPE_BIT_STRING) { |
691 | 0 | len = (len + 7) / 8; |
692 | 0 | } |
693 | |
|
694 | 0 | tmp = gnutls_malloc((size_t)len + 1); |
695 | 0 | if (tmp == NULL) { |
696 | 0 | gnutls_assert(); |
697 | 0 | result = GNUTLS_E_MEMORY_ERROR; |
698 | 0 | goto cleanup; |
699 | 0 | } |
700 | | |
701 | 0 | if (len > 0) { |
702 | 0 | result = asn1_read_value(c, root, tmp, &len); |
703 | 0 | if (result != ASN1_SUCCESS) { |
704 | 0 | gnutls_assert(); |
705 | 0 | result = _gnutls_asn2err(result); |
706 | 0 | goto cleanup; |
707 | 0 | } |
708 | | |
709 | 0 | switch (etype) { |
710 | 0 | case ASN1_ETYPE_BIT_STRING: |
711 | 0 | ret->size = (len + 7) / 8; |
712 | 0 | break; |
713 | 0 | case ASN1_ETYPE_OBJECT_ID: |
714 | 0 | if (len > 0) { |
715 | 0 | ret->size = len - 1; |
716 | 0 | } else { |
717 | 0 | result = gnutls_assert_val( |
718 | 0 | GNUTLS_E_ASN1_DER_ERROR); |
719 | 0 | goto cleanup; |
720 | 0 | } |
721 | 0 | break; |
722 | 0 | default: |
723 | 0 | ret->size = (unsigned)len; |
724 | 0 | break; |
725 | 0 | } |
726 | 0 | } else { |
727 | 0 | ret->size = 0; |
728 | 0 | } |
729 | | |
730 | 0 | tmp[ret->size] = 0; |
731 | 0 | ret->data = tmp; |
732 | |
|
733 | 0 | return 0; |
734 | | |
735 | 0 | cleanup: |
736 | 0 | gnutls_free(tmp); |
737 | 0 | return result; |
738 | 0 | } |
739 | | |
740 | | int _gnutls_x509_read_value(asn1_node c, const char *root, gnutls_datum_t *ret) |
741 | 0 | { |
742 | 0 | return x509_read_value(c, root, ret, 0); |
743 | 0 | } |
744 | | |
745 | | int _gnutls_x509_read_null_value(asn1_node c, const char *root, |
746 | | gnutls_datum_t *ret) |
747 | 0 | { |
748 | 0 | return x509_read_value(c, root, ret, 1); |
749 | 0 | } |
750 | | |
751 | | /* Reads a value from an ASN1 tree, then interprets it as the provided |
752 | | * type of string and returns the output in an allocated variable. |
753 | | * |
754 | | * Note that this function always places a null character |
755 | | * at the end of a readable string value (which is not accounted into size) |
756 | | */ |
757 | | int _gnutls_x509_read_string(asn1_node c, const char *root, gnutls_datum_t *ret, |
758 | | unsigned int etype, unsigned int allow_ber) |
759 | 0 | { |
760 | 0 | int len = 0, result; |
761 | 0 | size_t slen; |
762 | 0 | uint8_t *tmp = NULL; |
763 | 0 | unsigned rtype; |
764 | |
|
765 | 0 | result = asn1_read_value_type(c, root, NULL, &len, &rtype); |
766 | 0 | if (result != ASN1_MEM_ERROR) { |
767 | 0 | gnutls_assert(); |
768 | 0 | result = _gnutls_asn2err(result); |
769 | 0 | return result; |
770 | 0 | } |
771 | | |
772 | 0 | if (rtype == ASN1_ETYPE_BIT_STRING) |
773 | 0 | len /= 8; |
774 | |
|
775 | 0 | tmp = gnutls_malloc((size_t)len + 1); |
776 | 0 | if (tmp == NULL) { |
777 | 0 | gnutls_assert(); |
778 | 0 | result = GNUTLS_E_MEMORY_ERROR; |
779 | 0 | goto cleanup; |
780 | 0 | } |
781 | | |
782 | 0 | result = asn1_read_value(c, root, tmp, &len); |
783 | 0 | if (result != ASN1_SUCCESS) { |
784 | 0 | gnutls_assert(); |
785 | 0 | result = _gnutls_asn2err(result); |
786 | 0 | goto cleanup; |
787 | 0 | } |
788 | | |
789 | 0 | if (rtype == ASN1_ETYPE_BIT_STRING) |
790 | 0 | len /= 8; |
791 | | |
792 | | /* Extract the STRING. |
793 | | */ |
794 | 0 | slen = (size_t)len; |
795 | |
|
796 | 0 | result = _gnutls_x509_decode_string(etype, tmp, slen, ret, allow_ber); |
797 | 0 | if (result < 0) { |
798 | 0 | gnutls_assert(); |
799 | 0 | goto cleanup; |
800 | 0 | } |
801 | 0 | gnutls_free(tmp); |
802 | |
|
803 | 0 | return 0; |
804 | | |
805 | 0 | cleanup: |
806 | 0 | gnutls_free(tmp); |
807 | 0 | return result; |
808 | 0 | } |
809 | | |
810 | | /* The string type should be IA5String, UTF8String etc. Leave |
811 | | * null for octet string */ |
812 | | int _gnutls_x509_encode_string(unsigned int etype, const void *input_data, |
813 | | size_t input_size, gnutls_datum_t *output) |
814 | 0 | { |
815 | 0 | uint8_t tl[ASN1_MAX_TL_SIZE]; |
816 | 0 | unsigned int tl_size; |
817 | 0 | int ret; |
818 | |
|
819 | 0 | tl_size = sizeof(tl); |
820 | 0 | ret = asn1_encode_simple_der(etype, input_data, input_size, tl, |
821 | 0 | &tl_size); |
822 | 0 | if (ret != ASN1_SUCCESS) { |
823 | 0 | gnutls_assert(); |
824 | 0 | ret = _gnutls_asn2err(ret); |
825 | 0 | return ret; |
826 | 0 | } |
827 | | |
828 | 0 | output->data = gnutls_malloc(tl_size + input_size); |
829 | 0 | if (output->data == NULL) |
830 | 0 | return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); |
831 | | |
832 | 0 | memcpy(output->data, tl, tl_size); |
833 | 0 | memcpy(output->data + tl_size, input_data, input_size); |
834 | |
|
835 | 0 | output->size = tl_size + input_size; |
836 | |
|
837 | 0 | return 0; |
838 | 0 | } |
839 | | |
840 | | /* DER Encodes the src asn1_node and stores it to |
841 | | * the given datum. If str is non zero then the data are encoded as |
842 | | * an OCTET STRING. |
843 | | */ |
844 | | int _gnutls_x509_der_encode(asn1_node src, const char *src_name, |
845 | | gnutls_datum_t *res, int str) |
846 | 0 | { |
847 | 0 | int size, result; |
848 | 0 | int asize; |
849 | 0 | uint8_t *data = NULL; |
850 | 0 | asn1_node c2 = NULL; |
851 | |
|
852 | 0 | size = 0; |
853 | 0 | result = asn1_der_coding(src, src_name, NULL, &size, NULL); |
854 | | /* this check explicitly covers the case where size == 0 && result == 0 */ |
855 | 0 | if (result != ASN1_MEM_ERROR) { |
856 | 0 | gnutls_assert(); |
857 | 0 | return _gnutls_asn2err(result); |
858 | 0 | } |
859 | | |
860 | | /* allocate data for the der |
861 | | */ |
862 | | |
863 | 0 | if (str) |
864 | 0 | size += 16; /* for later to include the octet tags */ |
865 | 0 | asize = size; |
866 | |
|
867 | 0 | data = gnutls_malloc((size_t)size); |
868 | 0 | if (data == NULL) { |
869 | 0 | gnutls_assert(); |
870 | 0 | return GNUTLS_E_MEMORY_ERROR; |
871 | 0 | } |
872 | | |
873 | 0 | result = asn1_der_coding(src, src_name, data, &size, NULL); |
874 | 0 | if (result != ASN1_SUCCESS) { |
875 | 0 | gnutls_assert(); |
876 | 0 | result = _gnutls_asn2err(result); |
877 | 0 | goto cleanup; |
878 | 0 | } |
879 | | |
880 | 0 | if (str) { |
881 | 0 | if ((result = asn1_create_element(_gnutls_get_pkix(), |
882 | 0 | "PKIX1.pkcs-7-Data", &c2)) != |
883 | 0 | ASN1_SUCCESS) { |
884 | 0 | gnutls_assert(); |
885 | 0 | result = _gnutls_asn2err(result); |
886 | 0 | goto cleanup; |
887 | 0 | } |
888 | | |
889 | 0 | result = asn1_write_value(c2, "", data, size); |
890 | 0 | if (result != ASN1_SUCCESS) { |
891 | 0 | gnutls_assert(); |
892 | 0 | result = _gnutls_asn2err(result); |
893 | 0 | goto cleanup; |
894 | 0 | } |
895 | | |
896 | 0 | result = asn1_der_coding(c2, "", data, &asize, NULL); |
897 | 0 | if (result != ASN1_SUCCESS) { |
898 | 0 | gnutls_assert(); |
899 | 0 | result = _gnutls_asn2err(result); |
900 | 0 | goto cleanup; |
901 | 0 | } |
902 | | |
903 | 0 | size = asize; |
904 | |
|
905 | 0 | asn1_delete_structure(&c2); |
906 | 0 | } |
907 | | |
908 | 0 | res->data = data; |
909 | 0 | res->size = (unsigned)size; |
910 | 0 | return 0; |
911 | | |
912 | 0 | cleanup: |
913 | 0 | gnutls_free(data); |
914 | 0 | asn1_delete_structure(&c2); |
915 | 0 | return result; |
916 | 0 | } |
917 | | |
918 | | /* DER Encodes the src asn1_node and stores it to |
919 | | * dest in dest_name. Useful to encode something and store it |
920 | | * as OCTET. If str is non null then the data are encoded as |
921 | | * an OCTET STRING. |
922 | | */ |
923 | | int _gnutls_x509_der_encode_and_copy(asn1_node src, const char *src_name, |
924 | | asn1_node dest, const char *dest_name, |
925 | | int str) |
926 | 0 | { |
927 | 0 | int result; |
928 | 0 | gnutls_datum_t encoded = { NULL, 0 }; |
929 | |
|
930 | 0 | result = _gnutls_x509_der_encode(src, src_name, &encoded, str); |
931 | |
|
932 | 0 | if (result < 0) { |
933 | 0 | gnutls_assert(); |
934 | 0 | return result; |
935 | 0 | } |
936 | | |
937 | | /* Write the data. |
938 | | */ |
939 | 0 | result = asn1_write_value(dest, dest_name, encoded.data, |
940 | 0 | (int)encoded.size); |
941 | |
|
942 | 0 | _gnutls_free_datum(&encoded); |
943 | |
|
944 | 0 | if (result != ASN1_SUCCESS) { |
945 | 0 | gnutls_assert(); |
946 | 0 | return _gnutls_asn2err(result); |
947 | 0 | } |
948 | | |
949 | 0 | return 0; |
950 | 0 | } |
951 | | |
952 | | /* Writes the value of the datum in the given asn1_node. |
953 | | */ |
954 | | int _gnutls_x509_write_value(asn1_node c, const char *root, |
955 | | const gnutls_datum_t *data) |
956 | 0 | { |
957 | 0 | int ret; |
958 | | |
959 | | /* Write the data. |
960 | | */ |
961 | 0 | ret = asn1_write_value(c, root, data->data, data->size); |
962 | 0 | if (ret != ASN1_SUCCESS) { |
963 | 0 | gnutls_assert(); |
964 | 0 | return _gnutls_asn2err(ret); |
965 | 0 | } |
966 | | |
967 | 0 | return 0; |
968 | 0 | } |
969 | | |
970 | | /* Writes the value of the datum in the given asn1_node as a string. |
971 | | */ |
972 | | int _gnutls_x509_write_string(asn1_node c, const char *root, |
973 | | const gnutls_datum_t *data, unsigned int etype) |
974 | 0 | { |
975 | 0 | int ret; |
976 | 0 | gnutls_datum_t val = { NULL, 0 }; |
977 | |
|
978 | 0 | ret = _gnutls_x509_encode_string(etype, data->data, data->size, &val); |
979 | 0 | if (ret < 0) |
980 | 0 | return gnutls_assert_val(ret); |
981 | | |
982 | | /* Write the data. |
983 | | */ |
984 | 0 | ret = asn1_write_value(c, root, val.data, val.size); |
985 | 0 | if (ret != ASN1_SUCCESS) { |
986 | 0 | gnutls_assert(); |
987 | 0 | ret = _gnutls_asn2err(ret); |
988 | 0 | goto cleanup; |
989 | 0 | } |
990 | | |
991 | 0 | ret = 0; |
992 | |
|
993 | 0 | cleanup: |
994 | 0 | _gnutls_free_datum(&val); |
995 | 0 | return ret; |
996 | 0 | } |
997 | | |
998 | | void _asnstr_append_name(char *name, size_t name_size, const char *part1, |
999 | | const char *part2) |
1000 | 0 | { |
1001 | 0 | if (part1[0] != 0) { |
1002 | 0 | _gnutls_str_cpy(name, name_size, part1); |
1003 | 0 | _gnutls_str_cat(name, name_size, part2); |
1004 | 0 | } else |
1005 | 0 | _gnutls_str_cpy(name, name_size, |
1006 | 0 | part2 + 1 /* remove initial dot */); |
1007 | 0 | } |
1008 | | |
1009 | | /* Encodes and copies the private key parameters into a |
1010 | | * subjectPublicKeyInfo structure. |
1011 | | * |
1012 | | */ |
1013 | | int _gnutls_x509_encode_and_copy_PKI_params(asn1_node dst, const char *dst_name, |
1014 | | const gnutls_pk_params_st *params) |
1015 | 0 | { |
1016 | 0 | const char *oid; |
1017 | 0 | gnutls_datum_t der = { NULL, 0 }; |
1018 | 0 | int result; |
1019 | 0 | char name[128]; |
1020 | |
|
1021 | 0 | oid = gnutls_pk_get_oid(params->algo); |
1022 | 0 | if (oid == NULL) { |
1023 | 0 | gnutls_assert(); |
1024 | 0 | return GNUTLS_E_UNKNOWN_PK_ALGORITHM; |
1025 | 0 | } |
1026 | | |
1027 | | /* write the OID |
1028 | | */ |
1029 | 0 | _asnstr_append_name(name, sizeof(name), dst_name, |
1030 | 0 | ".algorithm.algorithm"); |
1031 | |
|
1032 | 0 | result = asn1_write_value(dst, name, oid, 1); |
1033 | 0 | if (result != ASN1_SUCCESS) { |
1034 | 0 | gnutls_assert(); |
1035 | 0 | return _gnutls_asn2err(result); |
1036 | 0 | } |
1037 | | |
1038 | 0 | result = _gnutls_x509_write_pubkey_params(params, &der); |
1039 | 0 | if (result < 0) { |
1040 | 0 | gnutls_assert(); |
1041 | 0 | return result; |
1042 | 0 | } |
1043 | | |
1044 | 0 | _asnstr_append_name(name, sizeof(name), dst_name, |
1045 | 0 | ".algorithm.parameters"); |
1046 | |
|
1047 | 0 | result = asn1_write_value(dst, name, der.data, der.size); |
1048 | 0 | _gnutls_free_datum(&der); |
1049 | |
|
1050 | 0 | if (result != ASN1_SUCCESS) { |
1051 | 0 | gnutls_assert(); |
1052 | 0 | return _gnutls_asn2err(result); |
1053 | 0 | } |
1054 | | |
1055 | 0 | result = _gnutls_x509_write_pubkey(params, &der); |
1056 | 0 | if (result < 0) { |
1057 | 0 | gnutls_assert(); |
1058 | 0 | return result; |
1059 | 0 | } |
1060 | | |
1061 | | /* Write the DER parameters. (in bits) |
1062 | | */ |
1063 | 0 | _asnstr_append_name(name, sizeof(name), dst_name, ".subjectPublicKey"); |
1064 | 0 | result = asn1_write_value(dst, name, der.data, der.size * 8); |
1065 | 0 | _gnutls_free_datum(&der); |
1066 | |
|
1067 | 0 | if (result != ASN1_SUCCESS) { |
1068 | 0 | gnutls_assert(); |
1069 | 0 | return _gnutls_asn2err(result); |
1070 | 0 | } |
1071 | | |
1072 | 0 | return 0; |
1073 | 0 | } |
1074 | | |
1075 | | /* Encodes and public key parameters into a |
1076 | | * subjectPublicKeyInfo structure and stores it in der. |
1077 | | */ |
1078 | | int _gnutls_x509_encode_PKI_params(gnutls_datum_t *der, |
1079 | | const gnutls_pk_params_st *params) |
1080 | 0 | { |
1081 | 0 | int ret; |
1082 | 0 | asn1_node tmp; |
1083 | |
|
1084 | 0 | ret = asn1_create_element(_gnutls_get_pkix(), "PKIX1.Certificate", |
1085 | 0 | &tmp); |
1086 | 0 | if (ret != ASN1_SUCCESS) { |
1087 | 0 | gnutls_assert(); |
1088 | 0 | return _gnutls_asn2err(ret); |
1089 | 0 | } |
1090 | | |
1091 | 0 | ret = _gnutls_x509_encode_and_copy_PKI_params( |
1092 | 0 | tmp, "tbsCertificate.subjectPublicKeyInfo", params); |
1093 | 0 | if (ret != ASN1_SUCCESS) { |
1094 | 0 | gnutls_assert(); |
1095 | 0 | ret = _gnutls_asn2err(ret); |
1096 | 0 | goto cleanup; |
1097 | 0 | } |
1098 | | |
1099 | 0 | ret = _gnutls_x509_der_encode( |
1100 | 0 | tmp, "tbsCertificate.subjectPublicKeyInfo", der, 0); |
1101 | |
|
1102 | 0 | cleanup: |
1103 | 0 | asn1_delete_structure(&tmp); |
1104 | |
|
1105 | 0 | return ret; |
1106 | 0 | } |
1107 | | |
1108 | | /* Reads and returns the PK algorithm of the given certificate-like |
1109 | | * ASN.1 structure. src_name should be something like "tbsCertificate.subjectPublicKeyInfo". |
1110 | | */ |
1111 | | int _gnutls_x509_get_pk_algorithm(asn1_node src, const char *src_name, |
1112 | | gnutls_ecc_curve_t *curve, unsigned int *bits) |
1113 | 0 | { |
1114 | 0 | int result; |
1115 | 0 | int algo; |
1116 | 0 | char oid[64]; |
1117 | 0 | int len; |
1118 | 0 | gnutls_ecc_curve_t lcurve = GNUTLS_ECC_CURVE_INVALID; |
1119 | 0 | char name[128]; |
1120 | |
|
1121 | 0 | _asnstr_append_name(name, sizeof(name), src_name, |
1122 | 0 | ".algorithm.algorithm"); |
1123 | 0 | len = sizeof(oid); |
1124 | 0 | result = asn1_read_value(src, name, oid, &len); |
1125 | |
|
1126 | 0 | if (result != ASN1_SUCCESS) { |
1127 | 0 | gnutls_assert(); |
1128 | 0 | return _gnutls_asn2err(result); |
1129 | 0 | } |
1130 | | |
1131 | 0 | algo = _gnutls_oid_to_pk_and_curve(oid, &lcurve); |
1132 | 0 | if (algo == GNUTLS_PK_UNKNOWN) { |
1133 | 0 | _gnutls_debug_log("%s: unknown public key algorithm: %s\n", |
1134 | 0 | __func__, oid); |
1135 | 0 | } |
1136 | |
|
1137 | 0 | if (curve) |
1138 | 0 | *curve = lcurve; |
1139 | |
|
1140 | 0 | if (bits == NULL) { |
1141 | 0 | return algo; |
1142 | 0 | } |
1143 | | |
1144 | | /* Now read the parameters' bits |
1145 | | */ |
1146 | 0 | if (lcurve != GNUTLS_ECC_CURVE_INVALID) { /* curve present */ |
1147 | 0 | bits[0] = gnutls_ecc_curve_get_size(lcurve) * 8; |
1148 | 0 | } else { |
1149 | 0 | gnutls_pk_params_st params; |
1150 | 0 | gnutls_pk_params_init(¶ms); |
1151 | |
|
1152 | 0 | result = _gnutls_get_asn_mpis(src, src_name, ¶ms); |
1153 | 0 | if (result < 0) |
1154 | 0 | return gnutls_assert_val(result); |
1155 | | |
1156 | 0 | bits[0] = pubkey_to_bits(¶ms); |
1157 | 0 | gnutls_pk_params_release(¶ms); |
1158 | 0 | } |
1159 | | |
1160 | 0 | return algo; |
1161 | 0 | } |
1162 | | |
1163 | | /* Reads the DER signed data from the certificate and allocates space and |
1164 | | * returns them into signed_data. |
1165 | | */ |
1166 | | int _gnutls_x509_get_signed_data(asn1_node src, const gnutls_datum_t *der, |
1167 | | const char *src_name, |
1168 | | gnutls_datum_t *signed_data) |
1169 | 0 | { |
1170 | 0 | int start, end, result; |
1171 | |
|
1172 | 0 | if (der == NULL || der->size == 0) { |
1173 | 0 | return _gnutls_x509_der_encode(src, src_name, signed_data, 0); |
1174 | 0 | } |
1175 | | |
1176 | | /* Get the signed data |
1177 | | */ |
1178 | 0 | result = asn1_der_decoding_startEnd(src, der->data, der->size, src_name, |
1179 | 0 | &start, &end); |
1180 | 0 | if (result != ASN1_SUCCESS) { |
1181 | 0 | result = _gnutls_asn2err(result); |
1182 | 0 | gnutls_assert(); |
1183 | 0 | goto cleanup; |
1184 | 0 | } |
1185 | | |
1186 | 0 | result = _gnutls_set_datum(signed_data, &der->data[start], |
1187 | 0 | end - start + 1); |
1188 | |
|
1189 | 0 | if (result < 0) { |
1190 | 0 | gnutls_assert(); |
1191 | 0 | goto cleanup; |
1192 | 0 | } |
1193 | | |
1194 | 0 | result = 0; |
1195 | |
|
1196 | 0 | cleanup: |
1197 | 0 | return result; |
1198 | 0 | } |
1199 | | |
1200 | | /*- |
1201 | | * gnutls_x509_get_signature_algorithm: |
1202 | | * @src: should contain an asn1_node structure |
1203 | | * @src_name: the description of the signature field |
1204 | | * |
1205 | | * This function will return a value of the #gnutls_sign_algorithm_t |
1206 | | * enumeration that is the signature algorithm that has been used to |
1207 | | * sign this certificate. |
1208 | | * |
1209 | | * Returns: a #gnutls_sign_algorithm_t value, or a negative error code on |
1210 | | * error. |
1211 | | -*/ |
1212 | | int _gnutls_x509_get_signature_algorithm(asn1_node src, const char *src_name) |
1213 | 0 | { |
1214 | 0 | int result; |
1215 | 0 | char name[128]; |
1216 | 0 | gnutls_datum_t sa = { NULL, 0 }; |
1217 | |
|
1218 | 0 | _gnutls_str_cpy(name, sizeof(name), src_name); |
1219 | 0 | _gnutls_str_cat(name, sizeof(name), ".algorithm"); |
1220 | | |
1221 | | /* Read the signature algorithm */ |
1222 | 0 | result = _gnutls_x509_read_value(src, name, &sa); |
1223 | |
|
1224 | 0 | if (result < 0) { |
1225 | 0 | gnutls_assert(); |
1226 | 0 | return result; |
1227 | 0 | } |
1228 | | |
1229 | | /* Read the signature parameters. Unless the algorithm is |
1230 | | * RSA-PSS, parameters are not read. They will be read from |
1231 | | * the issuer's certificate if needed. |
1232 | | */ |
1233 | 0 | if (sa.data && strcmp((char *)sa.data, PK_PKIX1_RSA_PSS_OID) == 0) { |
1234 | 0 | gnutls_datum_t der = { NULL, 0 }; |
1235 | 0 | gnutls_x509_spki_st params; |
1236 | |
|
1237 | 0 | _gnutls_str_cpy(name, sizeof(name), src_name); |
1238 | 0 | _gnutls_str_cat(name, sizeof(name), ".parameters"); |
1239 | |
|
1240 | 0 | result = _gnutls_x509_read_value(src, name, &der); |
1241 | 0 | if (result < 0) { |
1242 | 0 | _gnutls_free_datum(&sa); |
1243 | 0 | return gnutls_assert_val(result); |
1244 | 0 | } |
1245 | | |
1246 | 0 | result = _gnutls_x509_read_rsa_pss_params(der.data, der.size, |
1247 | 0 | ¶ms); |
1248 | 0 | _gnutls_free_datum(&der); |
1249 | |
|
1250 | 0 | if (result == 0) |
1251 | 0 | result = gnutls_pk_to_sign(params.pk, |
1252 | 0 | params.rsa_pss_dig); |
1253 | 0 | } else if (sa.data) { |
1254 | 0 | result = gnutls_oid_to_sign((char *)sa.data); |
1255 | 0 | } else { |
1256 | 0 | result = GNUTLS_E_UNKNOWN_ALGORITHM; |
1257 | 0 | } |
1258 | | |
1259 | 0 | _gnutls_free_datum(&sa); |
1260 | |
|
1261 | 0 | if (result == GNUTLS_SIGN_UNKNOWN) |
1262 | 0 | result = GNUTLS_E_UNKNOWN_ALGORITHM; |
1263 | |
|
1264 | 0 | return result; |
1265 | 0 | } |
1266 | | |
1267 | | /* Reads the DER signature from the certificate and allocates space and |
1268 | | * returns them into signed_data. |
1269 | | */ |
1270 | | int _gnutls_x509_get_signature(asn1_node src, const char *src_name, |
1271 | | gnutls_datum_t *signature) |
1272 | 0 | { |
1273 | 0 | int result, len; |
1274 | 0 | int bits; |
1275 | |
|
1276 | 0 | signature->data = NULL; |
1277 | 0 | signature->size = 0; |
1278 | | |
1279 | | /* Read the signature |
1280 | | */ |
1281 | 0 | len = 0; |
1282 | 0 | result = asn1_read_value(src, src_name, NULL, &len); |
1283 | |
|
1284 | 0 | if (result != ASN1_MEM_ERROR) { |
1285 | 0 | result = _gnutls_asn2err(result); |
1286 | 0 | gnutls_assert(); |
1287 | 0 | goto cleanup; |
1288 | 0 | } |
1289 | | |
1290 | 0 | bits = len; |
1291 | 0 | if (bits % 8 != 0 || bits < 8) { |
1292 | 0 | gnutls_assert(); |
1293 | 0 | result = GNUTLS_E_CERTIFICATE_ERROR; |
1294 | 0 | goto cleanup; |
1295 | 0 | } |
1296 | | |
1297 | 0 | len = bits / 8; |
1298 | |
|
1299 | 0 | signature->data = gnutls_malloc(len); |
1300 | 0 | if (signature->data == NULL) { |
1301 | 0 | gnutls_assert(); |
1302 | 0 | result = GNUTLS_E_MEMORY_ERROR; |
1303 | 0 | return result; |
1304 | 0 | } |
1305 | | |
1306 | | /* read the bit string of the signature |
1307 | | */ |
1308 | 0 | bits = len; |
1309 | 0 | result = asn1_read_value(src, src_name, signature->data, &bits); |
1310 | |
|
1311 | 0 | if (result != ASN1_SUCCESS) { |
1312 | 0 | result = _gnutls_asn2err(result); |
1313 | 0 | gnutls_assert(); |
1314 | 0 | goto cleanup; |
1315 | 0 | } |
1316 | | |
1317 | 0 | signature->size = len; |
1318 | |
|
1319 | 0 | return 0; |
1320 | | |
1321 | 0 | cleanup: |
1322 | 0 | gnutls_free(signature->data); |
1323 | 0 | return result; |
1324 | 0 | } |
1325 | | |
1326 | | /* ASN.1 PrintableString rules */ |
1327 | | static int is_printable(char p) |
1328 | 0 | { |
1329 | 0 | if ((p >= 'a' && p <= 'z') || (p >= 'A' && p <= 'Z') || |
1330 | 0 | (p >= '0' && p <= '9') || p == ' ' || p == '(' || p == ')' || |
1331 | 0 | p == '+' || p == ',' || p == '-' || p == '.' || p == '/' || |
1332 | 0 | p == ':' || p == '=' || p == '?') |
1333 | 0 | return 1; |
1334 | | |
1335 | 0 | return 0; |
1336 | 0 | } |
1337 | | |
1338 | | static int write_complex_string(asn1_node asn_struct, const char *where, |
1339 | | const struct oid_to_string *oentry, |
1340 | | const uint8_t *data, size_t data_size) |
1341 | 0 | { |
1342 | 0 | char tmp[128]; |
1343 | 0 | asn1_node c2; |
1344 | 0 | int result; |
1345 | 0 | const char *string_type; |
1346 | 0 | unsigned int i; |
1347 | |
|
1348 | 0 | result = asn1_create_element(_gnutls_get_pkix(), oentry->asn_desc, &c2); |
1349 | 0 | if (result != ASN1_SUCCESS) { |
1350 | 0 | gnutls_assert(); |
1351 | 0 | return _gnutls_asn2err(result); |
1352 | 0 | } |
1353 | | |
1354 | 0 | tmp[0] = 0; |
1355 | |
|
1356 | 0 | string_type = "printableString"; |
1357 | | |
1358 | | /* Check if the data is ASN.1 printable, and use |
1359 | | * the UTF8 string type if not. |
1360 | | */ |
1361 | 0 | for (i = 0; i < data_size; i++) { |
1362 | 0 | if (!is_printable(data[i])) { |
1363 | 0 | string_type = "utf8String"; |
1364 | 0 | break; |
1365 | 0 | } |
1366 | 0 | } |
1367 | | |
1368 | | /* if the type is a CHOICE then write the |
1369 | | * type we'll use. |
1370 | | */ |
1371 | 0 | result = asn1_write_value(c2, "", string_type, 1); |
1372 | 0 | if (result != ASN1_SUCCESS) { |
1373 | 0 | gnutls_assert(); |
1374 | 0 | result = _gnutls_asn2err(result); |
1375 | 0 | goto error; |
1376 | 0 | } |
1377 | | |
1378 | 0 | _gnutls_str_cpy(tmp, sizeof(tmp), string_type); |
1379 | |
|
1380 | 0 | result = asn1_write_value(c2, tmp, data, data_size); |
1381 | 0 | if (result != ASN1_SUCCESS) { |
1382 | 0 | gnutls_assert(); |
1383 | 0 | result = _gnutls_asn2err(result); |
1384 | 0 | goto error; |
1385 | 0 | } |
1386 | | |
1387 | 0 | result = _gnutls_x509_der_encode_and_copy(c2, "", asn_struct, where, 0); |
1388 | 0 | if (result < 0) { |
1389 | 0 | gnutls_assert(); |
1390 | 0 | goto error; |
1391 | 0 | } |
1392 | | |
1393 | 0 | result = 0; |
1394 | |
|
1395 | 0 | error: |
1396 | 0 | asn1_delete_structure(&c2); |
1397 | 0 | return result; |
1398 | 0 | } |
1399 | | |
1400 | | /* This will encode and write the AttributeTypeAndValue field. |
1401 | | * 'multi' must be (0) if writing an AttributeTypeAndValue, and 1 if Attribute. |
1402 | | * In all cases only one value is written. |
1403 | | */ |
1404 | | int _gnutls_x509_encode_and_write_attribute(const char *given_oid, |
1405 | | asn1_node asn1_struct, |
1406 | | const char *where, |
1407 | | const void *_data, int data_size, |
1408 | | int multi) |
1409 | 0 | { |
1410 | 0 | const uint8_t *data = _data; |
1411 | 0 | char tmp[128]; |
1412 | 0 | int result; |
1413 | 0 | const struct oid_to_string *oentry; |
1414 | |
|
1415 | 0 | oentry = _gnutls_oid_get_entry(_oid2str, given_oid); |
1416 | 0 | if (oentry == NULL) { |
1417 | 0 | gnutls_assert(); |
1418 | 0 | _gnutls_debug_log("Cannot find OID: %s\n", given_oid); |
1419 | 0 | return GNUTLS_E_X509_UNSUPPORTED_OID; |
1420 | 0 | } |
1421 | | |
1422 | | /* write the data (value) |
1423 | | */ |
1424 | | |
1425 | 0 | _gnutls_str_cpy(tmp, sizeof(tmp), where); |
1426 | 0 | _gnutls_str_cat(tmp, sizeof(tmp), ".value"); |
1427 | |
|
1428 | 0 | if (multi != |
1429 | 0 | 0) { /* if not writing an AttributeTypeAndValue, but an Attribute */ |
1430 | 0 | _gnutls_str_cat(tmp, sizeof(tmp), "s"); /* values */ |
1431 | |
|
1432 | 0 | result = asn1_write_value(asn1_struct, tmp, "NEW", 1); |
1433 | 0 | if (result != ASN1_SUCCESS) { |
1434 | 0 | gnutls_assert(); |
1435 | 0 | result = _gnutls_asn2err(result); |
1436 | 0 | goto error; |
1437 | 0 | } |
1438 | | |
1439 | 0 | _gnutls_str_cat(tmp, sizeof(tmp), ".?LAST"); |
1440 | 0 | } |
1441 | | |
1442 | 0 | if (oentry->asn_desc != NULL) { /* write a complex string API */ |
1443 | 0 | result = write_complex_string(asn1_struct, tmp, oentry, data, |
1444 | 0 | data_size); |
1445 | 0 | if (result < 0) |
1446 | 0 | return gnutls_assert_val(result); |
1447 | 0 | } else { /* write a simple string */ |
1448 | |
|
1449 | 0 | gnutls_datum_t td; |
1450 | |
|
1451 | 0 | td.data = (void *)data; |
1452 | 0 | td.size = data_size; |
1453 | 0 | result = _gnutls_x509_write_string(asn1_struct, tmp, &td, |
1454 | 0 | oentry->etype); |
1455 | 0 | if (result < 0) { |
1456 | 0 | gnutls_assert(); |
1457 | 0 | goto error; |
1458 | 0 | } |
1459 | 0 | } |
1460 | | |
1461 | | /* write the type |
1462 | | */ |
1463 | 0 | _gnutls_str_cpy(tmp, sizeof(tmp), where); |
1464 | 0 | _gnutls_str_cat(tmp, sizeof(tmp), ".type"); |
1465 | |
|
1466 | 0 | result = asn1_write_value(asn1_struct, tmp, given_oid, 1); |
1467 | 0 | if (result != ASN1_SUCCESS) { |
1468 | 0 | gnutls_assert(); |
1469 | 0 | result = _gnutls_asn2err(result); |
1470 | 0 | goto error; |
1471 | 0 | } |
1472 | | |
1473 | 0 | result = 0; |
1474 | |
|
1475 | 0 | error: |
1476 | 0 | return result; |
1477 | 0 | } |
1478 | | |
1479 | | /* copies a datum to a buffer. If it doesn't fit it returns |
1480 | | * GNUTLS_E_SHORT_MEMORY_BUFFER. It always deinitializes the datum |
1481 | | * after the copy. |
1482 | | * |
1483 | | * The buffer will always be null terminated. |
1484 | | */ |
1485 | | int _gnutls_strdatum_to_buf(gnutls_datum_t *d, void *buf, size_t *buf_size) |
1486 | 0 | { |
1487 | 0 | int ret; |
1488 | 0 | uint8_t *_buf = buf; |
1489 | |
|
1490 | 0 | if (buf == NULL || *buf_size < d->size + 1) { |
1491 | 0 | *buf_size = d->size + 1; |
1492 | 0 | ret = gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER); |
1493 | 0 | goto cleanup; |
1494 | 0 | } |
1495 | 0 | memcpy(buf, d->data, d->size); |
1496 | 0 | _buf[d->size] = 0; |
1497 | |
|
1498 | 0 | *buf_size = d->size; |
1499 | 0 | ret = 0; |
1500 | |
|
1501 | 0 | cleanup: |
1502 | 0 | _gnutls_free_datum(d); |
1503 | |
|
1504 | 0 | return ret; |
1505 | 0 | } |
1506 | | |
1507 | | int _gnutls_x509_get_raw_field2(asn1_node c2, const gnutls_datum_t *raw, |
1508 | | const char *whom, gnutls_datum_t *dn) |
1509 | 0 | { |
1510 | 0 | int result, len1; |
1511 | 0 | int start1, end1; |
1512 | 0 | result = asn1_der_decoding_startEnd(c2, raw->data, raw->size, whom, |
1513 | 0 | &start1, &end1); |
1514 | |
|
1515 | 0 | if (result != ASN1_SUCCESS) { |
1516 | 0 | gnutls_assert(); |
1517 | 0 | result = _gnutls_asn2err(result); |
1518 | 0 | goto cleanup; |
1519 | 0 | } |
1520 | | |
1521 | 0 | len1 = end1 - start1 + 1; |
1522 | |
|
1523 | 0 | dn->data = &raw->data[start1]; |
1524 | 0 | dn->size = len1; |
1525 | 0 | result = 0; |
1526 | |
|
1527 | 0 | cleanup: |
1528 | 0 | return result; |
1529 | 0 | } |
1530 | | |
1531 | | int _gnutls_copy_string(const gnutls_datum_t *str, uint8_t *out, |
1532 | | size_t *out_size) |
1533 | 0 | { |
1534 | 0 | unsigned size_to_check; |
1535 | |
|
1536 | 0 | size_to_check = str->size + 1; |
1537 | |
|
1538 | 0 | if ((unsigned)size_to_check > *out_size) { |
1539 | 0 | gnutls_assert(); |
1540 | 0 | (*out_size) = size_to_check; |
1541 | 0 | return GNUTLS_E_SHORT_MEMORY_BUFFER; |
1542 | 0 | } |
1543 | | |
1544 | 0 | if (out != NULL && str->data != NULL) { |
1545 | 0 | memcpy(out, str->data, str->size); |
1546 | 0 | out[str->size] = 0; |
1547 | 0 | } else if (out != NULL) { |
1548 | 0 | out[0] = 0; |
1549 | 0 | } |
1550 | 0 | *out_size = str->size; |
1551 | |
|
1552 | 0 | return 0; |
1553 | 0 | } |
1554 | | |
1555 | | int _gnutls_copy_data(const gnutls_datum_t *str, uint8_t *out, size_t *out_size) |
1556 | 0 | { |
1557 | 0 | if ((unsigned)str->size > *out_size) { |
1558 | 0 | gnutls_assert(); |
1559 | 0 | (*out_size) = str->size; |
1560 | 0 | return GNUTLS_E_SHORT_MEMORY_BUFFER; |
1561 | 0 | } |
1562 | | |
1563 | 0 | if (out != NULL && str->data != NULL) { |
1564 | 0 | memcpy(out, str->data, str->size); |
1565 | 0 | } |
1566 | 0 | *out_size = str->size; |
1567 | |
|
1568 | 0 | return 0; |
1569 | 0 | } |
1570 | | |
1571 | | /* Converts an X.509 certificate to subjectPublicKeyInfo */ |
1572 | | int x509_crt_to_raw_pubkey(gnutls_x509_crt_t crt, gnutls_datum_t *rpubkey) |
1573 | 0 | { |
1574 | 0 | gnutls_pubkey_t pubkey = NULL; |
1575 | 0 | int ret; |
1576 | |
|
1577 | 0 | ret = gnutls_pubkey_init(&pubkey); |
1578 | 0 | if (ret < 0) |
1579 | 0 | return gnutls_assert_val(ret); |
1580 | | |
1581 | 0 | ret = gnutls_pubkey_import_x509(pubkey, crt, 0); |
1582 | 0 | if (ret < 0) { |
1583 | 0 | gnutls_assert(); |
1584 | 0 | goto cleanup; |
1585 | 0 | } |
1586 | | |
1587 | 0 | ret = gnutls_pubkey_export2(pubkey, GNUTLS_X509_FMT_DER, rpubkey); |
1588 | 0 | if (ret < 0) { |
1589 | 0 | gnutls_assert(); |
1590 | 0 | goto cleanup; |
1591 | 0 | } |
1592 | | |
1593 | 0 | ret = 0; |
1594 | |
|
1595 | 0 | cleanup: |
1596 | 0 | gnutls_pubkey_deinit(pubkey); |
1597 | 0 | return ret; |
1598 | 0 | } |
1599 | | |
1600 | | /* Converts an X.509 certificate to subjectPublicKeyInfo */ |
1601 | | int _gnutls_x509_raw_crt_to_raw_pubkey(const gnutls_datum_t *cert, |
1602 | | gnutls_datum_t *rpubkey) |
1603 | 0 | { |
1604 | 0 | gnutls_x509_crt_t crt = NULL; |
1605 | 0 | int ret; |
1606 | |
|
1607 | 0 | ret = gnutls_x509_crt_init(&crt); |
1608 | 0 | if (ret < 0) |
1609 | 0 | return gnutls_assert_val(ret); |
1610 | | |
1611 | 0 | ret = gnutls_x509_crt_import(crt, cert, GNUTLS_X509_FMT_DER); |
1612 | 0 | if (ret < 0) { |
1613 | 0 | gnutls_assert(); |
1614 | 0 | goto cleanup; |
1615 | 0 | } |
1616 | | |
1617 | 0 | ret = x509_crt_to_raw_pubkey(crt, rpubkey); |
1618 | 0 | cleanup: |
1619 | 0 | gnutls_x509_crt_deinit(crt); |
1620 | |
|
1621 | 0 | return ret; |
1622 | 0 | } |
1623 | | |
1624 | | unsigned _gnutls_check_valid_key_id(const gnutls_datum_t *key_id, |
1625 | | gnutls_x509_crt_t cert, time_t now, |
1626 | | unsigned *has_ski) |
1627 | 0 | { |
1628 | 0 | uint8_t id[MAX_KEY_ID_SIZE]; |
1629 | 0 | size_t id_size; |
1630 | 0 | unsigned result = 0; |
1631 | |
|
1632 | 0 | if (has_ski) |
1633 | 0 | *has_ski = 0; |
1634 | |
|
1635 | 0 | if (now > gnutls_x509_crt_get_expiration_time(cert) || |
1636 | 0 | now < gnutls_x509_crt_get_activation_time(cert)) { |
1637 | | /* don't bother, certificate is not yet activated or expired */ |
1638 | 0 | gnutls_assert(); |
1639 | 0 | goto out; |
1640 | 0 | } |
1641 | | |
1642 | 0 | id_size = sizeof(id); |
1643 | 0 | if (gnutls_x509_crt_get_subject_key_id(cert, id, &id_size, NULL) < 0) { |
1644 | 0 | gnutls_assert(); |
1645 | 0 | goto out; |
1646 | 0 | } |
1647 | | |
1648 | 0 | if (has_ski) |
1649 | 0 | *has_ski = 1; |
1650 | |
|
1651 | 0 | if (id_size == key_id->size && !memcmp(id, key_id->data, id_size)) |
1652 | 0 | result = 1; |
1653 | |
|
1654 | 0 | out: |
1655 | 0 | return result; |
1656 | 0 | } |
1657 | | |
1658 | | /* Sort a certificate list in place with subject, issuer order. @clist_size must |
1659 | | * be equal to or less than %DEFAULT_MAX_VERIFY_DEPTH. |
1660 | | * |
1661 | | * Returns the index in clist where the initial contiguous segment ends. If the |
1662 | | * chain contains multiple segments separated by gaps (e.g., missing issuers), |
1663 | | * the caller shall call this function multiple times. |
1664 | | * |
1665 | | * For example, suppose we want the following certificate chain as a result of |
1666 | | * sorting: |
1667 | | * |
1668 | | * A -> (B) -> C -> D -> E -> (F) -> G -> H -> I |
1669 | | * |
1670 | | * from the input [A, C, E, D, G, I, H] (B and F are missing). |
1671 | | * |
1672 | | * On the first call of this function: |
1673 | | * |
1674 | | * _gnutls_sort_clist(clist, clist_size) |
1675 | | * |
1676 | | * it returns 1, meaning that the first segment only contains A. The content of |
1677 | | * @clist will remain the same [A, C, E, D, G, I, H]. |
1678 | | * |
1679 | | * Then the caller will call this function again, starting from the second |
1680 | | * element: |
1681 | | * |
1682 | | * _gnutls_sort_clist(&clist[1], clist_size - 1) |
1683 | | * |
1684 | | * This time it returns 3, meaning that the first segment contains [C, D, E]. |
1685 | | * The content of @clist will be [A, C, D, E, G, I, H]. |
1686 | | * |
1687 | | * Finally, after calling the function on the remaining elements: |
1688 | | * |
1689 | | * _gnutls_sort_clist(&clist[1 + 3], clist_size - (1 + 3)) |
1690 | | * |
1691 | | * It will return 3, meaning that the first segment contains [G, H, I]. At this |
1692 | | * point, sorting of @clist is complete. |
1693 | | */ |
1694 | | unsigned int _gnutls_sort_clist(gnutls_x509_crt_t *clist, |
1695 | | unsigned int clist_size) |
1696 | 0 | { |
1697 | 0 | int prev; |
1698 | 0 | unsigned int i, j, k; |
1699 | 0 | int issuer[DEFAULT_MAX_VERIFY_DEPTH]; /* contain the index of the issuers */ |
1700 | 0 | bool insorted[DEFAULT_MAX_VERIFY_DEPTH]; /* non zero if clist[i] used in sorted list */ |
1701 | 0 | gnutls_x509_crt_t sorted[DEFAULT_MAX_VERIFY_DEPTH]; |
1702 | |
|
1703 | 0 | assert(clist_size <= DEFAULT_MAX_VERIFY_DEPTH); |
1704 | | |
1705 | 0 | for (i = 0; i < DEFAULT_MAX_VERIFY_DEPTH; i++) { |
1706 | 0 | issuer[i] = -1; |
1707 | 0 | insorted[i] = 0; |
1708 | 0 | } |
1709 | | |
1710 | | /* Find the issuer of each certificate and store it |
1711 | | * in issuer array. O(n^2) so consider that before |
1712 | | * increasing DEFAULT_MAX_VERIFY_DEPTH. |
1713 | | */ |
1714 | 0 | for (i = 0; i < clist_size; i++) { |
1715 | | /* Self-signed certificate found in the chain; skip it |
1716 | | * as it should only appear in the trusted set. |
1717 | | */ |
1718 | 0 | if (gnutls_x509_crt_check_issuer(clist[i], clist[i])) { |
1719 | 0 | _gnutls_cert_log("self-signed cert found", clist[i]); |
1720 | 0 | continue; |
1721 | 0 | } |
1722 | | |
1723 | 0 | for (j = 1; j < clist_size; j++) { |
1724 | 0 | if (i == j) |
1725 | 0 | continue; |
1726 | | |
1727 | 0 | if (gnutls_x509_crt_check_issuer(clist[i], clist[j])) { |
1728 | 0 | issuer[i] = j; |
1729 | 0 | break; |
1730 | 0 | } |
1731 | 0 | } |
1732 | 0 | } |
1733 | |
|
1734 | 0 | sorted[0] = clist[0]; |
1735 | 0 | insorted[0] = 1; |
1736 | |
|
1737 | 0 | prev = 0; |
1738 | 0 | for (i = 1; i < clist_size; i++) { |
1739 | 0 | prev = issuer[prev]; |
1740 | 0 | if (prev < 0) { /* no issuer */ |
1741 | 0 | break; |
1742 | 0 | } |
1743 | | |
1744 | 0 | if (insorted[prev]) { /* loop detected */ |
1745 | 0 | break; |
1746 | 0 | } |
1747 | | |
1748 | 0 | sorted[i] = clist[prev]; |
1749 | 0 | insorted[prev] = 1; |
1750 | 0 | } |
1751 | | |
1752 | | /* append the remaining certs */ |
1753 | 0 | for (j = 1, k = i; j < clist_size; j++) { |
1754 | 0 | if (!insorted[j]) { |
1755 | 0 | sorted[k++] = clist[j]; |
1756 | 0 | } |
1757 | 0 | } |
1758 | | |
1759 | | /* write out the sorted list */ |
1760 | 0 | assert(k == clist_size); |
1761 | 0 | for (j = 0; j < clist_size; j++) { |
1762 | 0 | clist[j] = sorted[j]; |
1763 | 0 | } |
1764 | |
|
1765 | 0 | return i; |
1766 | 0 | } |
1767 | | |
1768 | | int _gnutls_check_if_sorted(gnutls_x509_crt_t *crt, int nr) |
1769 | 0 | { |
1770 | 0 | int i, ret; |
1771 | | |
1772 | | /* check if the X.509 list is ordered */ |
1773 | 0 | if (nr > 1) { |
1774 | 0 | for (i = 0; i < nr; i++) { |
1775 | 0 | if (i > 0) { |
1776 | 0 | if (!_gnutls_x509_compare_raw_dn( |
1777 | 0 | &crt[i]->raw_dn, |
1778 | 0 | &crt[i - 1]->raw_issuer_dn)) { |
1779 | 0 | ret = gnutls_assert_val( |
1780 | 0 | GNUTLS_E_CERTIFICATE_LIST_UNSORTED); |
1781 | 0 | goto cleanup; |
1782 | 0 | } |
1783 | 0 | } |
1784 | 0 | } |
1785 | 0 | } |
1786 | 0 | ret = 0; |
1787 | |
|
1788 | 0 | cleanup: |
1789 | 0 | return ret; |
1790 | 0 | } |
1791 | | |
1792 | | /** |
1793 | | * gnutls_gost_paramset_get_name: |
1794 | | * @param: is a GOST 28147 param set |
1795 | | * |
1796 | | * Convert a #gnutls_gost_paramset_t value to a string. |
1797 | | * |
1798 | | * Returns: a string that contains the name of the specified GOST param set, |
1799 | | * or %NULL. |
1800 | | * |
1801 | | * Since: 3.6.3 |
1802 | | **/ |
1803 | | const char *gnutls_gost_paramset_get_name(gnutls_gost_paramset_t param) |
1804 | 0 | { |
1805 | 0 | switch (param) { |
1806 | 0 | case GNUTLS_GOST_PARAMSET_TC26_Z: |
1807 | 0 | return "TC26-Z"; |
1808 | 0 | case GNUTLS_GOST_PARAMSET_CP_A: |
1809 | 0 | return "CryptoPro-A"; |
1810 | 0 | case GNUTLS_GOST_PARAMSET_CP_B: |
1811 | 0 | return "CryptoPro-B"; |
1812 | 0 | case GNUTLS_GOST_PARAMSET_CP_C: |
1813 | 0 | return "CryptoPro-C"; |
1814 | 0 | case GNUTLS_GOST_PARAMSET_CP_D: |
1815 | 0 | return "CryptoPro-D"; |
1816 | 0 | default: |
1817 | 0 | gnutls_assert(); |
1818 | 0 | return "Unknown"; |
1819 | 0 | } |
1820 | 0 | } |
1821 | | |
1822 | | /** |
1823 | | * gnutls_gost_paramset_get_oid: |
1824 | | * @param: is a GOST 28147 param set |
1825 | | * |
1826 | | * Convert a #gnutls_gost_paramset_t value to its object identifier. |
1827 | | * |
1828 | | * Returns: a string that contains the object identifier of the specified GOST |
1829 | | * param set, or %NULL. |
1830 | | * |
1831 | | * Since: 3.6.3 |
1832 | | **/ |
1833 | | const char *gnutls_gost_paramset_get_oid(gnutls_gost_paramset_t param) |
1834 | 0 | { |
1835 | 0 | switch (param) { |
1836 | 0 | case GNUTLS_GOST_PARAMSET_TC26_Z: |
1837 | 0 | return GOST28147_89_TC26Z_OID; |
1838 | 0 | case GNUTLS_GOST_PARAMSET_CP_A: |
1839 | 0 | return GOST28147_89_CPA_OID; |
1840 | 0 | case GNUTLS_GOST_PARAMSET_CP_B: |
1841 | 0 | return GOST28147_89_CPB_OID; |
1842 | 0 | case GNUTLS_GOST_PARAMSET_CP_C: |
1843 | 0 | return GOST28147_89_CPC_OID; |
1844 | 0 | case GNUTLS_GOST_PARAMSET_CP_D: |
1845 | 0 | return GOST28147_89_CPD_OID; |
1846 | 0 | default: |
1847 | 0 | gnutls_assert(); |
1848 | 0 | return NULL; |
1849 | 0 | } |
1850 | 0 | } |
1851 | | |
1852 | | /** |
1853 | | * gnutls_oid_to_gost_paramset: |
1854 | | * @oid: is an object identifier |
1855 | | * |
1856 | | * Converts a textual object identifier to a #gnutls_gost_paramset_t value. |
1857 | | * |
1858 | | * Returns: a #gnutls_gost_paramset_get_oid of the specified GOST 28147 |
1859 | | * param st, or %GNUTLS_GOST_PARAMSET_UNKNOWN on failure. |
1860 | | * |
1861 | | * Since: 3.6.3 |
1862 | | **/ |
1863 | | gnutls_gost_paramset_t gnutls_oid_to_gost_paramset(const char *oid) |
1864 | 0 | { |
1865 | 0 | if (!strcmp(oid, GOST28147_89_TC26Z_OID)) |
1866 | 0 | return GNUTLS_GOST_PARAMSET_TC26_Z; |
1867 | 0 | else if (!strcmp(oid, GOST28147_89_CPA_OID)) |
1868 | 0 | return GNUTLS_GOST_PARAMSET_CP_A; |
1869 | 0 | else if (!strcmp(oid, GOST28147_89_CPB_OID)) |
1870 | 0 | return GNUTLS_GOST_PARAMSET_CP_B; |
1871 | 0 | else if (!strcmp(oid, GOST28147_89_CPC_OID)) |
1872 | 0 | return GNUTLS_GOST_PARAMSET_CP_C; |
1873 | 0 | else if (!strcmp(oid, GOST28147_89_CPD_OID)) |
1874 | 0 | return GNUTLS_GOST_PARAMSET_CP_D; |
1875 | 0 | else |
1876 | 0 | return gnutls_assert_val(GNUTLS_GOST_PARAMSET_UNKNOWN); |
1877 | 0 | } |
1878 | | |
1879 | | int _gnutls_x509_get_version(asn1_node root, const char *name) |
1880 | 0 | { |
1881 | 0 | uint8_t version[8]; |
1882 | 0 | int len, result; |
1883 | |
|
1884 | 0 | len = sizeof(version); |
1885 | 0 | result = asn1_read_value(root, name, version, &len); |
1886 | 0 | if (result != ASN1_SUCCESS) { |
1887 | 0 | if (result == ASN1_ELEMENT_NOT_FOUND) |
1888 | 0 | return 1; /* the DEFAULT version */ |
1889 | 0 | gnutls_assert(); |
1890 | 0 | return _gnutls_asn2err(result); |
1891 | 0 | } |
1892 | | |
1893 | 0 | if (len != 1 || version[0] >= 0x80) |
1894 | 0 | return gnutls_assert_val(GNUTLS_E_ASN1_DER_ERROR); |
1895 | | |
1896 | 0 | return (int)version[0] + 1; |
1897 | 0 | } |