/src/nss/lib/certdb/certv3.c

Source (jump to first uncovered line)
/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

/*
 * Code for dealing with X509.V3 extensions.
 */

#include "cert.h"
#include "secitem.h"
#include "secoid.h"
#include "secder.h"
#include "secasn1.h"
#include "certxutl.h"
#include "secerr.h"

SECStatus
CERT_FindCertExtensionByOID(CERTCertificate *cert, SECItem *oid, SECItem *value)
{
    return (cert_FindExtensionByOID(cert->extensions, oid, value));
}

SECStatus
CERT_FindCertExtension(const CERTCertificate *cert, int tag, SECItem *value)
{
    return (cert_FindExtension(cert->extensions, tag, value));
}

static void
SetExts(void *object, CERTCertExtension **exts)
{
    CERTCertificate *cert = (CERTCertificate *)object;

    cert->extensions = exts;
    DER_SetUInteger(cert->arena, &(cert->version), SEC_CERTIFICATE_VERSION_3);
}

void *
CERT_StartCertExtensions(CERTCertificate *cert)
{
    return (cert_StartExtensions((void *)cert, cert->arena, SetExts));
}

/*
 * get the value of the Netscape Certificate Type Extension
 */
SECStatus
CERT_FindNSCertTypeExtension(CERTCertificate *cert, SECItem *retItem)
{

    return (CERT_FindBitStringExtension(
        cert->extensions, SEC_OID_NS_CERT_EXT_CERT_TYPE, retItem));
}

/*
 * get the value of a string type extension
 */
char *
CERT_FindNSStringExtension(CERTCertificate *cert, int oidtag)
{
    SECItem wrapperItem, tmpItem = { siBuffer, 0 };
    SECStatus rv;
    PLArenaPool *arena = NULL;
    char *retstring = NULL;

    wrapperItem.data = NULL;
    tmpItem.data = NULL;

    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);

    if (!arena) {
        goto loser;
    }

    rv = cert_FindExtension(cert->extensions, oidtag, &wrapperItem);
    if (rv != SECSuccess) {
        goto loser;
    }

    rv = SEC_QuickDERDecodeItem(
        arena, &tmpItem, SEC_ASN1_GET(SEC_IA5StringTemplate), &wrapperItem);

    if (rv != SECSuccess) {
        goto loser;
    }

    retstring = (char *)PORT_Alloc(tmpItem.len + 1);
    if (retstring == NULL) {
        goto loser;
    }

    PORT_Memcpy(retstring, tmpItem.data, tmpItem.len);
    retstring[tmpItem.len] = '\0';

loser:
    if (arena) {
        PORT_FreeArena(arena, PR_FALSE);
    }

    if (wrapperItem.data) {
        PORT_Free(wrapperItem.data);
    }

    return (retstring);
}

/*
 * get the value of the X.509 v3 Key Usage Extension
 */
SECStatus
CERT_FindKeyUsageExtension(CERTCertificate *cert, SECItem *retItem)
{

    return (CERT_FindBitStringExtension(cert->extensions,
                                        SEC_OID_X509_KEY_USAGE, retItem));
}

/*
 * get the value of the X.509 v3 Key Usage Extension
 */
SECStatus
CERT_FindSubjectKeyIDExtension(CERTCertificate *cert, SECItem *retItem)
{

    SECStatus rv;
    SECItem encodedValue = { siBuffer, NULL, 0 };
    SECItem decodedValue = { siBuffer, NULL, 0 };

    rv = cert_FindExtension(cert->extensions, SEC_OID_X509_SUBJECT_KEY_ID,
                            &encodedValue);
    if (rv == SECSuccess) {
        PORTCheapArenaPool tmpArena;
        PORT_InitCheapArena(&tmpArena, DER_DEFAULT_CHUNKSIZE);
        rv = SEC_QuickDERDecodeItem(&tmpArena.arena, &decodedValue,
                                    SEC_ASN1_GET(SEC_OctetStringTemplate),
                                    &encodedValue);
        if (rv == SECSuccess) {
            rv = SECITEM_CopyItem(NULL, retItem, &decodedValue);
        }
        PORT_DestroyCheapArena(&tmpArena);
    }
    SECITEM_FreeItem(&encodedValue, PR_FALSE);
    return rv;
}

SECStatus
CERT_FindBasicConstraintExten(CERTCertificate *cert,
                              CERTBasicConstraints *value)
{
    SECItem encodedExtenValue;
    SECStatus rv;

    encodedExtenValue.data = NULL;
    encodedExtenValue.len = 0;

    rv = cert_FindExtension(cert->extensions, SEC_OID_X509_BASIC_CONSTRAINTS,
                            &encodedExtenValue);
    if (rv != SECSuccess) {
        return (rv);
    }

    rv = CERT_DecodeBasicConstraintValue(value, &encodedExtenValue);

    /* free the raw extension data */
    PORT_Free(encodedExtenValue.data);
    encodedExtenValue.data = NULL;

    return (rv);
}

CERTAuthKeyID *
CERT_FindAuthKeyIDExten(PLArenaPool *arena, CERTCertificate *cert)
{
    SECItem encodedExtenValue;
    SECStatus rv;
    CERTAuthKeyID *ret;

    encodedExtenValue.data = NULL;
    encodedExtenValue.len = 0;

    rv = cert_FindExtension(cert->extensions, SEC_OID_X509_AUTH_KEY_ID,
                            &encodedExtenValue);
    if (rv != SECSuccess) {
        return (NULL);
    }

    ret = CERT_DecodeAuthKeyID(arena, &encodedExtenValue);

    PORT_Free(encodedExtenValue.data);
    encodedExtenValue.data = NULL;

    return (ret);
}

SECStatus
CERT_CheckCertUsage(CERTCertificate *cert, unsigned char usage)
{
    SECItem keyUsage;
    SECStatus rv;

    /* There is no extension, v1 or v2 certificate */
    if (cert->extensions == NULL) {
        return (SECSuccess);
    }

    keyUsage.data = NULL;

    /* This code formerly ignored the Key Usage extension if it was
    ** marked non-critical.  That was wrong.  Since we do understand it,
    ** we are obligated to honor it, whether or not it is critical.
    */
    rv = CERT_FindKeyUsageExtension(cert, &keyUsage);
    if (rv == SECFailure) {
        rv = (PORT_GetError() == SEC_ERROR_EXTENSION_NOT_FOUND) ? SECSuccess
                                                                : SECFailure;
    } else if (!keyUsage.data || !keyUsage.len || !(keyUsage.data[0] & usage)) {
        PORT_SetError(SEC_ERROR_CERT_USAGES_INVALID);
        rv = SECFailure;
    }
    PORT_Free(keyUsage.data);
    return (rv);
}

Coverage Report

Created: 2024-05-20 06:23

Line	Count	Source (jump to first uncovered line)
1		/* This Source Code Form is subject to the terms of the Mozilla Public
2		* License, v. 2.0. If a copy of the MPL was not distributed with this
3		* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
4
5		/*
6		* Code for dealing with X509.V3 extensions.
7		*/
8
9		#include "cert.h"
10		#include "secitem.h"
11		#include "secoid.h"
12		#include "secder.h"
13		#include "secasn1.h"
14		#include "certxutl.h"
15		#include "secerr.h"
16
17		SECStatus
18		CERT_FindCertExtensionByOID(CERTCertificate cert, SECItem oid, SECItem *value)
19	0	{
20	0	return (cert_FindExtensionByOID(cert->extensions, oid, value));
21	0	}
22
23		SECStatus
24		CERT_FindCertExtension(const CERTCertificate cert, int tag, SECItem value)
25	28	{
26	28	return (cert_FindExtension(cert->extensions, tag, value));
27	28	}
28
29		static void
30		SetExts(void object, CERTCertExtension *exts)
31	0	{
32	0	CERTCertificate cert = (CERTCertificate )object;
33
34	0	cert->extensions = exts;
35	0	DER_SetUInteger(cert->arena, &(cert->version), SEC_CERTIFICATE_VERSION_3);
36	0	}
37
38		void *
39		CERT_StartCertExtensions(CERTCertificate *cert)
40	0	{
41	0	return (cert_StartExtensions((void *)cert, cert->arena, SetExts));
42	0	}
43
44		/*
45		* get the value of the Netscape Certificate Type Extension
46		*/
47		SECStatus
48		CERT_FindNSCertTypeExtension(CERTCertificate cert, SECItem retItem)
49	8	{
50
51	8	return (CERT_FindBitStringExtension(
52	8	cert->extensions, SEC_OID_NS_CERT_EXT_CERT_TYPE, retItem));
53	8	}
54
55		/*
56		* get the value of a string type extension
57		*/
58		char *
59		CERT_FindNSStringExtension(CERTCertificate *cert, int oidtag)
60	0	{
61	0	SECItem wrapperItem, tmpItem = { siBuffer, 0 };
62	0	SECStatus rv;
63	0	PLArenaPool *arena = NULL;
64	0	char *retstring = NULL;
65
66	0	wrapperItem.data = NULL;
67	0	tmpItem.data = NULL;
68
69	0	arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
70
71	0	if (!arena) {
72	0	goto loser;
73	0	}
74
75	0	rv = cert_FindExtension(cert->extensions, oidtag, &wrapperItem);
76	0	if (rv != SECSuccess) {
77	0	goto loser;
78	0	}
79
80	0	rv = SEC_QuickDERDecodeItem(
81	0	arena, &tmpItem, SEC_ASN1_GET(SEC_IA5StringTemplate), &wrapperItem);
82
83	0	if (rv != SECSuccess) {
84	0	goto loser;
85	0	}
86
87	0	retstring = (char *)PORT_Alloc(tmpItem.len + 1);
88	0	if (retstring == NULL) {
89	0	goto loser;
90	0	}
91
92	0	PORT_Memcpy(retstring, tmpItem.data, tmpItem.len);
93	0	retstring[tmpItem.len] = '\0';
94
95	0	loser:
96	0	if (arena) {
97	0	PORT_FreeArena(arena, PR_FALSE);
98	0	}
99
100	0	if (wrapperItem.data) {
101	0	PORT_Free(wrapperItem.data);
102	0	}
103
104	0	return (retstring);
105	0	}
106
107		/*
108		* get the value of the X.509 v3 Key Usage Extension
109		*/
110		SECStatus
111		CERT_FindKeyUsageExtension(CERTCertificate cert, SECItem retItem)
112	8	{
113
114	8	return (CERT_FindBitStringExtension(cert->extensions,
115	8	SEC_OID_X509_KEY_USAGE, retItem));
116	8	}
117
118		/*
119		* get the value of the X.509 v3 Key Usage Extension
120		*/
121		SECStatus
122		CERT_FindSubjectKeyIDExtension(CERTCertificate cert, SECItem retItem)
123	10	{
124
125	10	SECStatus rv;
126	10	SECItem encodedValue = { siBuffer, NULL, 0 };
127	10	SECItem decodedValue = { siBuffer, NULL, 0 };
128
129	10	rv = cert_FindExtension(cert->extensions, SEC_OID_X509_SUBJECT_KEY_ID,
130	10	&encodedValue);
131	10	if (rv == SECSuccess) {
132	4	PORTCheapArenaPool tmpArena;
133	4	PORT_InitCheapArena(&tmpArena, DER_DEFAULT_CHUNKSIZE);
134	4	rv = SEC_QuickDERDecodeItem(&tmpArena.arena, &decodedValue,
135	4	SEC_ASN1_GET(SEC_OctetStringTemplate),
136	4	&encodedValue);
137	4	if (rv == SECSuccess) {
138	4	rv = SECITEM_CopyItem(NULL, retItem, &decodedValue);
139	4	}
140	4	PORT_DestroyCheapArena(&tmpArena);
141	4	}
142	10	SECITEM_FreeItem(&encodedValue, PR_FALSE);
143	10	return rv;
144	10	}
145
146		SECStatus
147		CERT_FindBasicConstraintExten(CERTCertificate *cert,
148		CERTBasicConstraints *value)
149	16	{
150	16	SECItem encodedExtenValue;
151	16	SECStatus rv;
152
153	16	encodedExtenValue.data = NULL;
154	16	encodedExtenValue.len = 0;
155
156	16	rv = cert_FindExtension(cert->extensions, SEC_OID_X509_BASIC_CONSTRAINTS,
157	16	&encodedExtenValue);
158	16	if (rv != SECSuccess) {
159	8	return (rv);
160	8	}
161
162	8	rv = CERT_DecodeBasicConstraintValue(value, &encodedExtenValue);
163
164		/* free the raw extension data */
165	8	PORT_Free(encodedExtenValue.data);
166	8	encodedExtenValue.data = NULL;
167
168	8	return (rv);
169	16	}
170
171		CERTAuthKeyID *
172		CERT_FindAuthKeyIDExten(PLArenaPool arena, CERTCertificate cert)
173	8	{
174	8	SECItem encodedExtenValue;
175	8	SECStatus rv;
176	8	CERTAuthKeyID *ret;
177
178	8	encodedExtenValue.data = NULL;
179	8	encodedExtenValue.len = 0;
180
181	8	rv = cert_FindExtension(cert->extensions, SEC_OID_X509_AUTH_KEY_ID,
182	8	&encodedExtenValue);
183	8	if (rv != SECSuccess) {
184	6	return (NULL);
185	6	}
186
187	2	ret = CERT_DecodeAuthKeyID(arena, &encodedExtenValue);
188
189	2	PORT_Free(encodedExtenValue.data);
190	2	encodedExtenValue.data = NULL;
191
192	2	return (ret);
193	8	}
194
195		SECStatus
196		CERT_CheckCertUsage(CERTCertificate *cert, unsigned char usage)
197	0	{
198	0	SECItem keyUsage;
199	0	SECStatus rv;
200
201		/* There is no extension, v1 or v2 certificate */
202	0	if (cert->extensions == NULL) {
203	0	return (SECSuccess);
204	0	}
205
206	0	keyUsage.data = NULL;
207
208		/* This code formerly ignored the Key Usage extension if it was
209		** marked non-critical. That was wrong. Since we do understand it,
210		** we are obligated to honor it, whether or not it is critical.
211		*/
212	0	rv = CERT_FindKeyUsageExtension(cert, &keyUsage);
213	0	if (rv == SECFailure) {
214	0	rv = (PORT_GetError() == SEC_ERROR_EXTENSION_NOT_FOUND) ? SECSuccess
215	0	: SECFailure;
216	0	} else if (!keyUsage.data \|\| !keyUsage.len \|\| !(keyUsage.data[0] & usage)) {
217	0	PORT_SetError(SEC_ERROR_CERT_USAGES_INVALID);
218	0	rv = SECFailure;
219	0	}
220	0	PORT_Free(keyUsage.data);
221	0	return (rv);
222	0	}