/src/nss/lib/pkcs7/certread.c

Source (jump to first uncovered line)
/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

#include "cert.h"
#include "base64.h"
#include "secitem.h"
#include "secder.h"
#include "secasn1.h"
#include "secoid.h"
#include "secerr.h"

SEC_ASN1_MKSUB(SEC_AnyTemplate)
SEC_ASN1_MKSUB(SEC_SetOfAnyTemplate)

typedef struct ContentInfoStr ContentInfo;
typedef struct DegenerateSignedDataStr DegenerateSignedData;

struct ContentInfoStr {
    SECOidTag contentTypeTag; /* local; not part of encoding */
    SECItem contentType;
    union {
        SECItem *data;
        DegenerateSignedData *signedData;
    } content;
};

struct DegenerateSignedDataStr {
    SECItem version;
    SECItem **digestAlgorithms;
    ContentInfo contentInfo;
    SECItem **certificates;
    SECItem **crls;
    SECItem **signerInfos;
};

static const SEC_ASN1Template *
choose_content_template(void *src_or_dest, PRBool encoding);

static const SEC_ASN1TemplateChooserPtr template_chooser = choose_content_template;

static const SEC_ASN1Template ContentInfoTemplate[] = {
    { SEC_ASN1_SEQUENCE,
      0, NULL, sizeof(ContentInfo) },
    { SEC_ASN1_OBJECT_ID,
      offsetof(ContentInfo, contentType) },
    { SEC_ASN1_OPTIONAL | SEC_ASN1_DYNAMIC |
          SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
      offsetof(ContentInfo, content),
      &template_chooser },
    { 0 }
};

static const SEC_ASN1Template DegenerateSignedDataTemplate[] = {
    { SEC_ASN1_SEQUENCE,
      0, NULL, sizeof(DegenerateSignedData) },
    { SEC_ASN1_INTEGER,
      offsetof(DegenerateSignedData, version) },
    { SEC_ASN1_SET_OF | SEC_ASN1_XTRN,
      offsetof(DegenerateSignedData, digestAlgorithms),
      SEC_ASN1_SUB(SEC_AnyTemplate) },
    { SEC_ASN1_INLINE,
      offsetof(DegenerateSignedData, contentInfo),
      ContentInfoTemplate },
    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
          SEC_ASN1_XTRN | 0,
      offsetof(DegenerateSignedData, certificates),
      SEC_ASN1_SUB(SEC_SetOfAnyTemplate) },
    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
          SEC_ASN1_XTRN | 1,
      offsetof(DegenerateSignedData, crls),
      SEC_ASN1_SUB(SEC_SetOfAnyTemplate) },
    { SEC_ASN1_SET_OF | SEC_ASN1_XTRN,
      offsetof(DegenerateSignedData, signerInfos),
      SEC_ASN1_SUB(SEC_AnyTemplate) },
    { 0 }
};

static const SEC_ASN1Template PointerToDegenerateSignedDataTemplate[] = {
    { SEC_ASN1_POINTER, 0, DegenerateSignedDataTemplate }
};

static SECOidTag
GetContentTypeTag(ContentInfo *cinfo)
{
    if (cinfo->contentTypeTag == SEC_OID_UNKNOWN)
        cinfo->contentTypeTag = SECOID_FindOIDTag(&cinfo->contentType);
    return cinfo->contentTypeTag;
}

static const SEC_ASN1Template *
choose_content_template(void *src_or_dest, PRBool encoding)
{
    const SEC_ASN1Template *theTemplate;
    ContentInfo *cinfo;
    SECOidTag kind;

    PORT_Assert(src_or_dest != NULL);
    if (src_or_dest == NULL)
        return NULL;

    cinfo = (ContentInfo *)src_or_dest;
    kind = GetContentTypeTag(cinfo);
    switch (kind) {
        default:
            theTemplate = SEC_ASN1_GET(SEC_PointerToAnyTemplate);
            break;
        case SEC_OID_PKCS7_DATA:
            theTemplate = SEC_ASN1_GET(SEC_PointerToOctetStringTemplate);
            break;
        case SEC_OID_PKCS7_SIGNED_DATA:
            theTemplate = PointerToDegenerateSignedDataTemplate;
            break;
    }
    return theTemplate;
}

static SECStatus
SEC_ReadPKCS7Certs(SECItem *pkcs7Item, CERTImportCertificateFunc f, void *arg)
{
    ContentInfo contentInfo;
    SECStatus rv = SECFailure;
    SECItem **certs;
    int count;
    PLArenaPool *arena;

    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
    if (arena == NULL) {
        return rv;
    }

    PORT_Memset(&contentInfo, 0, sizeof(contentInfo));
    if (SEC_ASN1DecodeItem(arena, &contentInfo, ContentInfoTemplate,
                           pkcs7Item) != SECSuccess) {
        goto done;
    }

    if (GetContentTypeTag(&contentInfo) != SEC_OID_PKCS7_SIGNED_DATA) {
        goto done;
    }

    if (contentInfo.content.signedData == NULL) {
        PORT_SetError(SEC_ERROR_BAD_DER);
        goto done;
    }

    rv = SECSuccess;

    certs = contentInfo.content.signedData->certificates;
    if (certs) {
        count = 0;

        while (*certs) {
            count++;
            certs++;
        }
        rv = (*f)(arg, contentInfo.content.signedData->certificates, count);
    }

done:
    if (arena) {
        PORT_FreeArena(arena, PR_FALSE);
    }

    return rv;
}

const SEC_ASN1Template SEC_CertSequenceTemplate[] = {
    { SEC_ASN1_SEQUENCE_OF | SEC_ASN1_XTRN, 0, SEC_ASN1_SUB(SEC_AnyTemplate) }
};

static SECStatus
SEC_ReadCertSequence(SECItem *certsItem, CERTImportCertificateFunc f, void *arg)
{
    SECStatus rv = SECFailure;
    SECItem **certs;
    int count;
    SECItem **rawCerts = NULL;
    PLArenaPool *arena;
    ContentInfo contentInfo;

    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
    if (arena == NULL) {
        return rv;
    }

    PORT_Memset(&contentInfo, 0, sizeof(contentInfo));
    if (SEC_ASN1DecodeItem(arena, &contentInfo, ContentInfoTemplate,
                           certsItem) != SECSuccess) {
        goto done;
    }

    if (GetContentTypeTag(&contentInfo) != SEC_OID_NS_TYPE_CERT_SEQUENCE) {
        goto done;
    }

    if (SEC_QuickDERDecodeItem(arena, &rawCerts, SEC_CertSequenceTemplate,
                               contentInfo.content.data) != SECSuccess) {
        goto done;
    }

    rv = SECSuccess;

    certs = rawCerts;
    if (certs) {
        count = 0;

        while (*certs) {
            count++;
            certs++;
        }
        rv = (*f)(arg, rawCerts, count);
    }

done:
    if (arena) {
        PORT_FreeArena(arena, PR_FALSE);
    }

    return rv;
}

CERTCertificate *
CERT_ConvertAndDecodeCertificate(char *certstr)
{
    CERTCertificate *cert;
    SECStatus rv;
    SECItem der;

    rv = ATOB_ConvertAsciiToItem(&der, certstr);
    if (rv != SECSuccess)
        return NULL;

    cert = CERT_NewTempCertificate(CERT_GetDefaultCertDB(),
                                   &der, NULL, PR_FALSE, PR_TRUE);

    PORT_Free(der.data);
    return cert;
}

static const char NS_CERT_HEADER[] = "-----BEGIN CERTIFICATE-----";
static const char NS_CERT_TRAILER[] = "-----END CERTIFICATE-----";
#define NS_CERT_HEADER_LEN ((sizeof NS_CERT_HEADER) - 1)
#define NS_CERT_TRAILER_LEN ((sizeof NS_CERT_TRAILER) - 1)

/*
 * read an old style ascii or binary certificate chain
 */
SECStatus
CERT_DecodeCertPackage(char *certbuf,
                       int certlen,
                       CERTImportCertificateFunc f,
                       void *arg)
{
    unsigned char *cp;
    unsigned char *bincert = NULL;
    char *ascCert = NULL;
    SECStatus rv;

    if (certbuf == NULL) {
        PORT_SetError(SEC_ERROR_INVALID_ARGS);
        return (SECFailure);
    }
    /*
     * Make sure certlen is long enough to handle the longest possible
     * reference in the code below:
     * 0x30 0x84 l1 l2 l3 l4  +
     *                       tag 9 o1 o2 o3 o4 o5 o6 o7 o8 o9
     * where 9 is the longest length of the expected oids we are testing.
     *   6 + 11 = 17. 17 bytes is clearly too small to code any kind of
     *  certificate (a 128 bit ECC certificate contains at least an 8 byte
     * key and a 16 byte signature, plus coding overhead). Typically a cert
     * is much larger. So it's safe to require certlen to be at least 17
     * bytes.
     */
    if (certlen < 17) {
        PORT_SetError(SEC_ERROR_INPUT_LEN);
        return (SECFailure);
    }

    cp = (unsigned char *)certbuf;

    /* is a DER encoded certificate of some type? */
    if ((*cp & 0x1f) == SEC_ASN1_SEQUENCE) {
        SECItem certitem;
        SECItem *pcertitem = &certitem;
        PRUint64 seqLen, seqLenLen;

        cp++;

        if (*cp & 0x80) {
            /* Multibyte length */
            seqLenLen = cp[0] & 0x7f;

            switch (seqLenLen) {
                case 4:
                    seqLen = ((unsigned long)cp[1] << 24) |
                             ((unsigned long)cp[2] << 16) | (cp[3] << 8) | cp[4];
                    break;
                case 3:
                    seqLen = ((unsigned long)cp[1] << 16) | (cp[2] << 8) | cp[3];
                    break;
                case 2:
                    seqLen = (cp[1] << 8) | cp[2];
                    break;
                case 1:
                    seqLen = cp[1];
                    break;
                case 0:
                    /* indefinite length */
                    seqLen = 0;
                    break;
                default:
                    goto notder;
            }
            cp += (seqLenLen + 1);

        } else {
            seqLenLen = 0;
            seqLen = *cp;
            cp++;
        }

        /* check entire length if definite length */
        if (seqLen || seqLenLen) {
            if (certlen != (seqLen + seqLenLen + 2L)) {
                if (certlen > (seqLen + seqLenLen + 2L))
                    PORT_SetError(SEC_ERROR_EXTRA_INPUT);
                else
                    PORT_SetError(SEC_ERROR_INPUT_LEN);
                goto notder;
            }
        }

        /* check the type oid */
        if (cp[0] == SEC_ASN1_OBJECT_ID) {
            SECOidData *oiddata;
            SECItem oiditem;
            /* XXX - assume DER encoding of OID len!! */
            oiditem.len = cp[1];
            /* if we add an oid below that is longer than 9 bytes, then we
             * need to change the certlen check at the top of the function
             * to prevent a buffer overflow
             */
            if (oiditem.len > 9) {
                PORT_SetError(SEC_ERROR_UNRECOGNIZED_OID);
                return (SECFailure);
            }
            oiditem.data = (unsigned char *)&cp[2];
            oiddata = SECOID_FindOID(&oiditem);
            if (oiddata == NULL) {
                return (SECFailure);
            }

            certitem.data = (unsigned char *)certbuf;
            certitem.len = certlen;

            switch (oiddata->offset) {
                case SEC_OID_PKCS7_SIGNED_DATA:
                    /* oid: 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02 */
                    return (SEC_ReadPKCS7Certs(&certitem, f, arg));
                    break;
                case SEC_OID_NS_TYPE_CERT_SEQUENCE:
                    /* oid: 0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x42, 0x02, 0x05 */
                    return (SEC_ReadCertSequence(&certitem, f, arg));
                    break;
                default:
                    break;
            }

        } else {
            /* it had better be a certificate by now!! */
            certitem.data = (unsigned char *)certbuf;
            certitem.len = certlen;

            rv = (*f)(arg, &pcertitem, 1);
            return (rv);
        }
    }

/* now look for a netscape base64 ascii encoded cert */
notder : {
    unsigned char *certbegin = NULL;
    unsigned char *certend = NULL;
    char *pc;
    int cl;

    /* Convert the ASCII data into a nul-terminated string */
    ascCert = (char *)PORT_Alloc(certlen + 1);
    if (!ascCert) {
        rv = SECFailure;
        goto loser;
    }

    PORT_Memcpy(ascCert, certbuf, certlen);
    ascCert[certlen] = '\0';

    pc = PORT_Strchr(ascCert, '\n'); /* find an EOL */
    if (!pc) {                       /* maybe this is a MAC file */
        pc = ascCert;
        while (*pc && NULL != (pc = PORT_Strchr(pc, '\r'))) {
            *pc++ = '\n';
        }
    }

    cp = (unsigned char *)ascCert;
    cl = certlen;

    /* find the beginning marker */
    while (cl > NS_CERT_HEADER_LEN) {
        int found = 0;
        if (!PORT_Strncasecmp((char *)cp, NS_CERT_HEADER,
                              NS_CERT_HEADER_LEN)) {
            cl -= NS_CERT_HEADER_LEN;
            cp += NS_CERT_HEADER_LEN;
            found = 1;
        }

        /* skip to next eol */
        while (cl && (*cp != '\n')) {
            cp++;
            cl--;
        }

        /* skip all blank lines */
        while (cl && (*cp == '\n' || *cp == '\r')) {
            cp++;
            cl--;
        }
        if (cl && found) {
            certbegin = cp;
            break;
        }
    }

    if (certbegin) {
        /* find the ending marker */
        while (cl >= NS_CERT_TRAILER_LEN) {
            if (!PORT_Strncasecmp((char *)cp, NS_CERT_TRAILER,
                                  NS_CERT_TRAILER_LEN)) {
                certend = cp;
                break;
            }

            /* skip to next eol */
            while (cl && (*cp != '\n')) {
                cp++;
                cl--;
            }

            /* skip all blank lines */
            while (cl && (*cp == '\n' || *cp == '\r')) {
                cp++;
                cl--;
            }
        }
    }

    if (certbegin && certend) {
        unsigned int binLen;

        *certend = 0;
        /* convert to binary */
        bincert = ATOB_AsciiToData((char *)certbegin, &binLen);
        if (!bincert) {
            rv = SECFailure;
            goto loser;
        }

        /* now recurse to decode the binary */
        rv = CERT_DecodeCertPackage((char *)bincert, binLen, f, arg);

    } else {
        PORT_SetError(SEC_ERROR_BAD_DER);
        rv = SECFailure;
    }
}

loser:

    if (bincert) {
        PORT_Free(bincert);
    }

    if (ascCert) {
        PORT_Free(ascCert);
    }

    return (rv);
}

typedef struct {
    PLArenaPool *arena;
    SECItem cert;
} collect_args;

static SECStatus
collect_certs(void *arg, SECItem **certs, int numcerts)
{
    collect_args *collectArgs = (collect_args *)arg;
    if (!collectArgs || !collectArgs->arena) {
        PORT_SetError(SEC_ERROR_INVALID_ARGS);
        return SECFailure;
    }
    if (numcerts < 1 || !certs || !*certs) {
        PORT_SetError(SEC_ERROR_BAD_DER);
        return SECFailure;
    }
    return SECITEM_CopyItem(collectArgs->arena, &collectArgs->cert, *certs);
}

/*
 * read an old style ascii or binary certificate
 */
CERTCertificate *
CERT_DecodeCertFromPackage(char *certbuf, int certlen)
{
    collect_args collectArgs;
    SECStatus rv;
    CERTCertificate *cert = NULL;

    collectArgs.arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);

    rv = CERT_DecodeCertPackage(certbuf, certlen, collect_certs,
                                (void *)&collectArgs);
    if (rv == SECSuccess) {
        cert = CERT_NewTempCertificate(CERT_GetDefaultCertDB(),
                                       &collectArgs.cert, NULL,
                                       PR_FALSE, PR_TRUE);
    }

    PORT_FreeArena(collectArgs.arena, PR_FALSE);

    return (cert);
}

Coverage Report

Created: 2024-05-20 06:23

Line	Count	Source (jump to first uncovered line)
1		/* This Source Code Form is subject to the terms of the Mozilla Public
2		* License, v. 2.0. If a copy of the MPL was not distributed with this
3		* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
4
5		#include "cert.h"
6		#include "base64.h"
7		#include "secitem.h"
8		#include "secder.h"
9		#include "secasn1.h"
10		#include "secoid.h"
11		#include "secerr.h"
12
13		SEC_ASN1_MKSUB(SEC_AnyTemplate)
14		SEC_ASN1_MKSUB(SEC_SetOfAnyTemplate)
15
16		typedef struct ContentInfoStr ContentInfo;
17		typedef struct DegenerateSignedDataStr DegenerateSignedData;
18
19		struct ContentInfoStr {
20		SECOidTag contentTypeTag; /* local; not part of encoding */
21		SECItem contentType;
22		union {
23		SECItem *data;
24		DegenerateSignedData *signedData;
25		} content;
26		};
27
28		struct DegenerateSignedDataStr {
29		SECItem version;
30		SECItem **digestAlgorithms;
31		ContentInfo contentInfo;
32		SECItem **certificates;
33		SECItem **crls;
34		SECItem **signerInfos;
35		};
36
37		static const SEC_ASN1Template *
38		choose_content_template(void *src_or_dest, PRBool encoding);
39
40		static const SEC_ASN1TemplateChooserPtr template_chooser = choose_content_template;
41
42		static const SEC_ASN1Template ContentInfoTemplate[] = {
43		{ SEC_ASN1_SEQUENCE,
44		0, NULL, sizeof(ContentInfo) },
45		{ SEC_ASN1_OBJECT_ID,
46		offsetof(ContentInfo, contentType) },
47		{ SEC_ASN1_OPTIONAL \| SEC_ASN1_DYNAMIC \|
48		SEC_ASN1_EXPLICIT \| SEC_ASN1_CONSTRUCTED \| SEC_ASN1_CONTEXT_SPECIFIC \| 0,
49		offsetof(ContentInfo, content),
50		&template_chooser },
51		{ 0 }
52		};
53
54		static const SEC_ASN1Template DegenerateSignedDataTemplate[] = {
55		{ SEC_ASN1_SEQUENCE,
56		0, NULL, sizeof(DegenerateSignedData) },
57		{ SEC_ASN1_INTEGER,
58		offsetof(DegenerateSignedData, version) },
59		{ SEC_ASN1_SET_OF \| SEC_ASN1_XTRN,
60		offsetof(DegenerateSignedData, digestAlgorithms),
61		SEC_ASN1_SUB(SEC_AnyTemplate) },
62		{ SEC_ASN1_INLINE,
63		offsetof(DegenerateSignedData, contentInfo),
64		ContentInfoTemplate },
65		{ SEC_ASN1_OPTIONAL \| SEC_ASN1_CONSTRUCTED \| SEC_ASN1_CONTEXT_SPECIFIC \|
66		SEC_ASN1_XTRN \| 0,
67		offsetof(DegenerateSignedData, certificates),
68		SEC_ASN1_SUB(SEC_SetOfAnyTemplate) },
69		{ SEC_ASN1_OPTIONAL \| SEC_ASN1_CONSTRUCTED \| SEC_ASN1_CONTEXT_SPECIFIC \|
70		SEC_ASN1_XTRN \| 1,
71		offsetof(DegenerateSignedData, crls),
72		SEC_ASN1_SUB(SEC_SetOfAnyTemplate) },
73		{ SEC_ASN1_SET_OF \| SEC_ASN1_XTRN,
74		offsetof(DegenerateSignedData, signerInfos),
75		SEC_ASN1_SUB(SEC_AnyTemplate) },
76		{ 0 }
77		};
78
79		static const SEC_ASN1Template PointerToDegenerateSignedDataTemplate[] = {
80		{ SEC_ASN1_POINTER, 0, DegenerateSignedDataTemplate }
81		};
82
83		static SECOidTag
84		GetContentTypeTag(ContentInfo *cinfo)
85	0	{
86	0	if (cinfo->contentTypeTag == SEC_OID_UNKNOWN)
87	0	cinfo->contentTypeTag = SECOID_FindOIDTag(&cinfo->contentType);
88	0	return cinfo->contentTypeTag;
89	0	}
90
91		static const SEC_ASN1Template *
92		choose_content_template(void *src_or_dest, PRBool encoding)
93	0	{
94	0	const SEC_ASN1Template *theTemplate;
95	0	ContentInfo *cinfo;
96	0	SECOidTag kind;
97
98	0	PORT_Assert(src_or_dest != NULL);
99	0	if (src_or_dest == NULL)
100	0	return NULL;
101
102	0	cinfo = (ContentInfo *)src_or_dest;
103	0	kind = GetContentTypeTag(cinfo);
104	0	switch (kind) {
105	0	default:
106	0	theTemplate = SEC_ASN1_GET(SEC_PointerToAnyTemplate);
107	0	break;
108	0	case SEC_OID_PKCS7_DATA:
109	0	theTemplate = SEC_ASN1_GET(SEC_PointerToOctetStringTemplate);
110	0	break;
111	0	case SEC_OID_PKCS7_SIGNED_DATA:
112	0	theTemplate = PointerToDegenerateSignedDataTemplate;
113	0	break;
114	0	}
115	0	return theTemplate;
116	0	}
117
118		static SECStatus
119		SEC_ReadPKCS7Certs(SECItem pkcs7Item, CERTImportCertificateFunc f, void arg)
120	0	{
121	0	ContentInfo contentInfo;
122	0	SECStatus rv = SECFailure;
123	0	SECItem **certs;
124	0	int count;
125	0	PLArenaPool *arena;
126
127	0	arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
128	0	if (arena == NULL) {
129	0	return rv;
130	0	}
131
132	0	PORT_Memset(&contentInfo, 0, sizeof(contentInfo));
133	0	if (SEC_ASN1DecodeItem(arena, &contentInfo, ContentInfoTemplate,
134	0	pkcs7Item) != SECSuccess) {
135	0	goto done;
136	0	}
137
138	0	if (GetContentTypeTag(&contentInfo) != SEC_OID_PKCS7_SIGNED_DATA) {
139	0	goto done;
140	0	}
141
142	0	if (contentInfo.content.signedData == NULL) {
143	0	PORT_SetError(SEC_ERROR_BAD_DER);
144	0	goto done;
145	0	}
146
147	0	rv = SECSuccess;
148
149	0	certs = contentInfo.content.signedData->certificates;
150	0	if (certs) {
151	0	count = 0;
152
153	0	while (*certs) {
154	0	count++;
155	0	certs++;
156	0	}
157	0	rv = (*f)(arg, contentInfo.content.signedData->certificates, count);
158	0	}
159
160	0	done:
161	0	if (arena) {
162	0	PORT_FreeArena(arena, PR_FALSE);
163	0	}
164
165	0	return rv;
166	0	}
167
168		const SEC_ASN1Template SEC_CertSequenceTemplate[] = {
169		{ SEC_ASN1_SEQUENCE_OF \| SEC_ASN1_XTRN, 0, SEC_ASN1_SUB(SEC_AnyTemplate) }
170		};
171
172		static SECStatus
173		SEC_ReadCertSequence(SECItem certsItem, CERTImportCertificateFunc f, void arg)
174	0	{
175	0	SECStatus rv = SECFailure;
176	0	SECItem **certs;
177	0	int count;
178	0	SECItem **rawCerts = NULL;
179	0	PLArenaPool *arena;
180	0	ContentInfo contentInfo;
181
182	0	arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
183	0	if (arena == NULL) {
184	0	return rv;
185	0	}
186
187	0	PORT_Memset(&contentInfo, 0, sizeof(contentInfo));
188	0	if (SEC_ASN1DecodeItem(arena, &contentInfo, ContentInfoTemplate,
189	0	certsItem) != SECSuccess) {
190	0	goto done;
191	0	}
192
193	0	if (GetContentTypeTag(&contentInfo) != SEC_OID_NS_TYPE_CERT_SEQUENCE) {
194	0	goto done;
195	0	}
196
197	0	if (SEC_QuickDERDecodeItem(arena, &rawCerts, SEC_CertSequenceTemplate,
198	0	contentInfo.content.data) != SECSuccess) {
199	0	goto done;
200	0	}
201
202	0	rv = SECSuccess;
203
204	0	certs = rawCerts;
205	0	if (certs) {
206	0	count = 0;
207
208	0	while (*certs) {
209	0	count++;
210	0	certs++;
211	0	}
212	0	rv = (*f)(arg, rawCerts, count);
213	0	}
214
215	0	done:
216	0	if (arena) {
217	0	PORT_FreeArena(arena, PR_FALSE);
218	0	}
219
220	0	return rv;
221	0	}
222
223		CERTCertificate *
224		CERT_ConvertAndDecodeCertificate(char *certstr)
225	0	{
226	0	CERTCertificate *cert;
227	0	SECStatus rv;
228	0	SECItem der;
229
230	0	rv = ATOB_ConvertAsciiToItem(&der, certstr);
231	0	if (rv != SECSuccess)
232	0	return NULL;
233
234	0	cert = CERT_NewTempCertificate(CERT_GetDefaultCertDB(),
235	0	&der, NULL, PR_FALSE, PR_TRUE);
236
237	0	PORT_Free(der.data);
238	0	return cert;
239	0	}
240
241		static const char NS_CERT_HEADER[] = "-----BEGIN CERTIFICATE-----";
242		static const char NS_CERT_TRAILER[] = "-----END CERTIFICATE-----";
243	0	#define NS_CERT_HEADER_LEN ((sizeof NS_CERT_HEADER) - 1)
244	0	#define NS_CERT_TRAILER_LEN ((sizeof NS_CERT_TRAILER) - 1)
245
246		/*
247		* read an old style ascii or binary certificate chain
248		*/
249		SECStatus
250		CERT_DecodeCertPackage(char *certbuf,
251		int certlen,
252		CERTImportCertificateFunc f,
253		void *arg)
254	0	{
255	0	unsigned char *cp;
256	0	unsigned char *bincert = NULL;
257	0	char *ascCert = NULL;
258	0	SECStatus rv;
259
260	0	if (certbuf == NULL) {
261	0	PORT_SetError(SEC_ERROR_INVALID_ARGS);
262	0	return (SECFailure);
263	0	}
264		/*
265		* Make sure certlen is long enough to handle the longest possible
266		* reference in the code below:
267		* 0x30 0x84 l1 l2 l3 l4 +
268		* tag 9 o1 o2 o3 o4 o5 o6 o7 o8 o9
269		* where 9 is the longest length of the expected oids we are testing.
270		* 6 + 11 = 17. 17 bytes is clearly too small to code any kind of
271		* certificate (a 128 bit ECC certificate contains at least an 8 byte
272		* key and a 16 byte signature, plus coding overhead). Typically a cert
273		* is much larger. So it's safe to require certlen to be at least 17
274		* bytes.
275		*/
276	0	if (certlen < 17) {
277	0	PORT_SetError(SEC_ERROR_INPUT_LEN);
278	0	return (SECFailure);
279	0	}
280
281	0	cp = (unsigned char *)certbuf;
282
283		/* is a DER encoded certificate of some type? */
284	0	if ((*cp & 0x1f) == SEC_ASN1_SEQUENCE) {
285	0	SECItem certitem;
286	0	SECItem *pcertitem = &certitem;
287	0	PRUint64 seqLen, seqLenLen;
288
289	0	cp++;
290
291	0	if (*cp & 0x80) {
292		/* Multibyte length */
293	0	seqLenLen = cp[0] & 0x7f;
294
295	0	switch (seqLenLen) {
296	0	case 4:
297	0	seqLen = ((unsigned long)cp[1] << 24) \|
298	0	((unsigned long)cp[2] << 16) \| (cp[3] << 8) \| cp[4];
299	0	break;
300	0	case 3:
301	0	seqLen = ((unsigned long)cp[1] << 16) \| (cp[2] << 8) \| cp[3];
302	0	break;
303	0	case 2:
304	0	seqLen = (cp[1] << 8) \| cp[2];
305	0	break;
306	0	case 1:
307	0	seqLen = cp[1];
308	0	break;
309	0	case 0:
310		/* indefinite length */
311	0	seqLen = 0;
312	0	break;
313	0	default:
314	0	goto notder;
315	0	}
316	0	cp += (seqLenLen + 1);
317
318	0	} else {
319	0	seqLenLen = 0;
320	0	seqLen = *cp;
321	0	cp++;
322	0	}
323
324		/* check entire length if definite length */
325	0	if (seqLen \|\| seqLenLen) {
326	0	if (certlen != (seqLen + seqLenLen + 2L)) {
327	0	if (certlen > (seqLen + seqLenLen + 2L))
328	0	PORT_SetError(SEC_ERROR_EXTRA_INPUT);
329	0	else
330	0	PORT_SetError(SEC_ERROR_INPUT_LEN);
331	0	goto notder;
332	0	}
333	0	}
334
335		/* check the type oid */
336	0	if (cp[0] == SEC_ASN1_OBJECT_ID) {
337	0	SECOidData *oiddata;
338	0	SECItem oiditem;
339		/* XXX - assume DER encoding of OID len!! */
340	0	oiditem.len = cp[1];
341		/* if we add an oid below that is longer than 9 bytes, then we
342		* need to change the certlen check at the top of the function
343		* to prevent a buffer overflow
344		*/
345	0	if (oiditem.len > 9) {
346	0	PORT_SetError(SEC_ERROR_UNRECOGNIZED_OID);
347	0	return (SECFailure);
348	0	}
349	0	oiditem.data = (unsigned char *)&cp[2];
350	0	oiddata = SECOID_FindOID(&oiditem);
351	0	if (oiddata == NULL) {
352	0	return (SECFailure);
353	0	}
354
355	0	certitem.data = (unsigned char *)certbuf;
356	0	certitem.len = certlen;
357
358	0	switch (oiddata->offset) {
359	0	case SEC_OID_PKCS7_SIGNED_DATA:
360		/* oid: 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02 */
361	0	return (SEC_ReadPKCS7Certs(&certitem, f, arg));
362	0	break;
363	0	case SEC_OID_NS_TYPE_CERT_SEQUENCE:
364		/* oid: 0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x42, 0x02, 0x05 */
365	0	return (SEC_ReadCertSequence(&certitem, f, arg));
366	0	break;
367	0	default:
368	0	break;
369	0	}
370
371	0	} else {
372		/* it had better be a certificate by now!! */
373	0	certitem.data = (unsigned char *)certbuf;
374	0	certitem.len = certlen;
375
376	0	rv = (*f)(arg, &pcertitem, 1);
377	0	return (rv);
378	0	}
379	0	}
380
381		/* now look for a netscape base64 ascii encoded cert */
382	0	notder : {
383	0	unsigned char *certbegin = NULL;
384	0	unsigned char *certend = NULL;
385	0	char *pc;
386	0	int cl;
387
388		/* Convert the ASCII data into a nul-terminated string */
389	0	ascCert = (char *)PORT_Alloc(certlen + 1);
390	0	if (!ascCert) {
391	0	rv = SECFailure;
392	0	goto loser;
393	0	}
394
395	0	PORT_Memcpy(ascCert, certbuf, certlen);
396	0	ascCert[certlen] = '\0';
397
398	0	pc = PORT_Strchr(ascCert, '\n'); /* find an EOL */
399	0	if (!pc) { /* maybe this is a MAC file */
400	0	pc = ascCert;
401	0	while (*pc && NULL != (pc = PORT_Strchr(pc, '\r'))) {
402	0	*pc++ = '\n';
403	0	}
404	0	}
405
406	0	cp = (unsigned char *)ascCert;
407	0	cl = certlen;
408
409		/* find the beginning marker */
410	0	while (cl > NS_CERT_HEADER_LEN) {
411	0	int found = 0;
412	0	if (!PORT_Strncasecmp((char *)cp, NS_CERT_HEADER,
413	0	NS_CERT_HEADER_LEN)) {
414	0	cl -= NS_CERT_HEADER_LEN;
415	0	cp += NS_CERT_HEADER_LEN;
416	0	found = 1;
417	0	}
418
419		/* skip to next eol */
420	0	while (cl && (*cp != '\n')) {
421	0	cp++;
422	0	cl--;
423	0	}
424
425		/* skip all blank lines */
426	0	while (cl && (cp == '\n' \|\| cp == '\r')) {
427	0	cp++;
428	0	cl--;
429	0	}
430	0	if (cl && found) {
431	0	certbegin = cp;
432	0	break;
433	0	}
434	0	}
435
436	0	if (certbegin) {
437		/* find the ending marker */
438	0	while (cl >= NS_CERT_TRAILER_LEN) {
439	0	if (!PORT_Strncasecmp((char *)cp, NS_CERT_TRAILER,
440	0	NS_CERT_TRAILER_LEN)) {
441	0	certend = cp;
442	0	break;
443	0	}
444
445		/* skip to next eol */
446	0	while (cl && (*cp != '\n')) {
447	0	cp++;
448	0	cl--;
449	0	}
450
451		/* skip all blank lines */
452	0	while (cl && (cp == '\n' \|\| cp == '\r')) {
453	0	cp++;
454	0	cl--;
455	0	}
456	0	}
457	0	}
458
459	0	if (certbegin && certend) {
460	0	unsigned int binLen;
461
462	0	*certend = 0;
463		/* convert to binary */
464	0	bincert = ATOB_AsciiToData((char *)certbegin, &binLen);
465	0	if (!bincert) {
466	0	rv = SECFailure;
467	0	goto loser;
468	0	}
469
470		/* now recurse to decode the binary */
471	0	rv = CERT_DecodeCertPackage((char *)bincert, binLen, f, arg);
472
473	0	} else {
474	0	PORT_SetError(SEC_ERROR_BAD_DER);
475	0	rv = SECFailure;
476	0	}
477	0	}
478
479	0	loser:
480
481	0	if (bincert) {
482	0	PORT_Free(bincert);
483	0	}
484
485	0	if (ascCert) {
486	0	PORT_Free(ascCert);
487	0	}
488
489	0	return (rv);
490	0	}
491
492		typedef struct {
493		PLArenaPool *arena;
494		SECItem cert;
495		} collect_args;
496
497		static SECStatus
498		collect_certs(void arg, SECItem *certs, int numcerts)
499	0	{
500	0	collect_args collectArgs = (collect_args )arg;
501	0	if (!collectArgs \|\| !collectArgs->arena) {
502	0	PORT_SetError(SEC_ERROR_INVALID_ARGS);
503	0	return SECFailure;
504	0	}
505	0	if (numcerts < 1 \|\| !certs \|\| !*certs) {
506	0	PORT_SetError(SEC_ERROR_BAD_DER);
507	0	return SECFailure;
508	0	}
509	0	return SECITEM_CopyItem(collectArgs->arena, &collectArgs->cert, *certs);
510	0	}
511
512		/*
513		* read an old style ascii or binary certificate
514		*/
515		CERTCertificate *
516		CERT_DecodeCertFromPackage(char *certbuf, int certlen)
517	0	{
518	0	collect_args collectArgs;
519	0	SECStatus rv;
520	0	CERTCertificate *cert = NULL;
521
522	0	collectArgs.arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
523
524	0	rv = CERT_DecodeCertPackage(certbuf, certlen, collect_certs,
525	0	(void *)&collectArgs);
526	0	if (rv == SECSuccess) {
527	0	cert = CERT_NewTempCertificate(CERT_GetDefaultCertDB(),
528	0	&collectArgs.cert, NULL,
529	0	PR_FALSE, PR_TRUE);
530	0	}
531
532	0	PORT_FreeArena(collectArgs.arena, PR_FALSE);
533
534	0	return (cert);
535	0	}