/src/gnutls/lib/x509/common.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * Copyright (C) 2003-2014 Free Software Foundation, Inc. |
3 | | * Copyright (C) 2015-2016 Red Hat, Inc. |
4 | | * |
5 | | * Author: Nikos Mavrogiannopoulos |
6 | | * |
7 | | * This file is part of GnuTLS. |
8 | | * |
9 | | * The GnuTLS is free software; you can redistribute it and/or |
10 | | * modify it under the terms of the GNU Lesser General Public License |
11 | | * as published by the Free Software Foundation; either version 2.1 of |
12 | | * the License, or (at your option) any later version. |
13 | | * |
14 | | * This library is distributed in the hope that it will be useful, but |
15 | | * WITHOUT ANY WARRANTY; without even the implied warranty of |
16 | | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
17 | | * Lesser General Public License for more details. |
18 | | * |
19 | | * You should have received a copy of the GNU Lesser General Public License |
20 | | * along with this program. If not, see <https://www.gnu.org/licenses/> |
21 | | * |
22 | | */ |
23 | | |
24 | | #include "gnutls_int.h" |
25 | | #include <libtasn1.h> |
26 | | #include <datum.h> |
27 | | #include <global.h> |
28 | | #include "errors.h" |
29 | | #include <str.h> |
30 | | #include <x509.h> |
31 | | #include <num.h> |
32 | | #include <x509_b64.h> |
33 | | #include <c-strcase.h> |
34 | | #include "x509_int.h" |
35 | | #include "extras/hex.h" |
36 | | #include <common.h> |
37 | | |
38 | | static int data2hex(const void *data, size_t data_size, gnutls_datum_t * out); |
39 | | |
40 | | #define ENTRY(oid, ldap, asn, etype) {oid, sizeof(oid)-1, ldap, sizeof(ldap)-1, asn, etype} |
41 | | |
42 | | /* when there is no name description */ |
43 | | #define ENTRY_ND(oid, asn, etype) {oid, sizeof(oid)-1, NULL, 0, asn, etype} |
44 | | |
45 | | /* This list contains all the OIDs that may be |
46 | | * contained in a rdnSequence and are printable. |
47 | | */ |
48 | | static const struct oid_to_string _oid2str[] = { |
49 | | /* PKIX |
50 | | */ |
51 | | ENTRY("1.3.6.1.5.5.7.9.2", "placeOfBirth", "PKIX1.DirectoryString", |
52 | | ASN1_ETYPE_INVALID), |
53 | | ENTRY("1.3.6.1.5.5.7.9.3", "gender", NULL, ASN1_ETYPE_PRINTABLE_STRING), |
54 | | ENTRY("1.3.6.1.5.5.7.9.4", "countryOfCitizenship", NULL, |
55 | | ASN1_ETYPE_PRINTABLE_STRING), |
56 | | ENTRY("1.3.6.1.5.5.7.9.5", "countryOfResidence", NULL, |
57 | | ASN1_ETYPE_PRINTABLE_STRING), |
58 | | |
59 | | ENTRY("2.5.4.6", "C", NULL, ASN1_ETYPE_PRINTABLE_STRING), |
60 | | ENTRY("2.5.4.9", "street", "PKIX1.DirectoryString", ASN1_ETYPE_INVALID), |
61 | | ENTRY("2.5.4.12", "title", "PKIX1.DirectoryString", ASN1_ETYPE_INVALID), |
62 | | ENTRY("2.5.4.10", "O", "PKIX1.DirectoryString", ASN1_ETYPE_INVALID), |
63 | | ENTRY("2.5.4.11", "OU", "PKIX1.DirectoryString", ASN1_ETYPE_INVALID), |
64 | | ENTRY("2.5.4.3", "CN", "PKIX1.DirectoryString", ASN1_ETYPE_INVALID), |
65 | | ENTRY("2.5.4.7", "L", "PKIX1.DirectoryString", ASN1_ETYPE_INVALID), |
66 | | ENTRY("2.5.4.8", "ST", "PKIX1.DirectoryString", ASN1_ETYPE_INVALID), |
67 | | ENTRY("2.5.4.13", "description", "PKIX1.DirectoryString", |
68 | | ASN1_ETYPE_INVALID), |
69 | | |
70 | | ENTRY("2.5.4.5", "serialNumber", NULL, ASN1_ETYPE_PRINTABLE_STRING), |
71 | | ENTRY("2.5.4.20", "telephoneNumber", NULL, ASN1_ETYPE_PRINTABLE_STRING), |
72 | | ENTRY("2.5.4.4", "surName", "PKIX1.DirectoryString", |
73 | | ASN1_ETYPE_INVALID), |
74 | | ENTRY("2.5.4.43", "initials", "PKIX1.DirectoryString", |
75 | | ASN1_ETYPE_INVALID), |
76 | | ENTRY("2.5.4.44", "generationQualifier", "PKIX1.DirectoryString", |
77 | | ASN1_ETYPE_INVALID), |
78 | | ENTRY("2.5.4.42", "givenName", "PKIX1.DirectoryString", |
79 | | ASN1_ETYPE_INVALID), |
80 | | ENTRY("2.5.4.65", "pseudonym", "PKIX1.DirectoryString", |
81 | | ASN1_ETYPE_INVALID), |
82 | | ENTRY("2.5.4.46", "dnQualifier", NULL, ASN1_ETYPE_PRINTABLE_STRING), |
83 | | ENTRY("2.5.4.17", "postalCode", "PKIX1.DirectoryString", |
84 | | ASN1_ETYPE_INVALID), |
85 | | ENTRY("2.5.4.41", "name", "PKIX1.DirectoryString", ASN1_ETYPE_INVALID), |
86 | | ENTRY("2.5.4.15", "businessCategory", "PKIX1.DirectoryString", |
87 | | ASN1_ETYPE_INVALID), |
88 | | |
89 | | ENTRY("0.9.2342.19200300.100.1.25", "DC", NULL, ASN1_ETYPE_IA5_STRING), |
90 | | ENTRY("0.9.2342.19200300.100.1.1", "UID", "PKIX1.DirectoryString", |
91 | | ASN1_ETYPE_INVALID), |
92 | | ENTRY("1.2.840.113556.1.4.656", "userPrincipalName", |
93 | | "PKIX1.DirectoryString", |
94 | | ASN1_ETYPE_INVALID), |
95 | | |
96 | | /* Extended validation |
97 | | */ |
98 | | ENTRY("1.3.6.1.4.1.311.60.2.1.1", |
99 | | "jurisdictionOfIncorporationLocalityName", |
100 | | "PKIX1.DirectoryString", ASN1_ETYPE_INVALID), |
101 | | ENTRY("1.3.6.1.4.1.311.60.2.1.2", |
102 | | "jurisdictionOfIncorporationStateOrProvinceName", |
103 | | "PKIX1.DirectoryString", ASN1_ETYPE_INVALID), |
104 | | ENTRY("1.3.6.1.4.1.311.60.2.1.3", |
105 | | "jurisdictionOfIncorporationCountryName", |
106 | | NULL, ASN1_ETYPE_PRINTABLE_STRING), |
107 | | |
108 | | /* PKCS #9 |
109 | | */ |
110 | | ENTRY("1.2.840.113549.1.9.1", "EMAIL", NULL, ASN1_ETYPE_IA5_STRING), |
111 | | ENTRY_ND("1.2.840.113549.1.9.7", "PKIX1.pkcs-9-challengePassword", |
112 | | ASN1_ETYPE_INVALID), |
113 | | |
114 | | /* friendly name */ |
115 | | ENTRY_ND("1.2.840.113549.1.9.20", NULL, ASN1_ETYPE_BMP_STRING), |
116 | | /* local key id */ |
117 | | ENTRY_ND("1.2.840.113549.1.9.21", NULL, ASN1_ETYPE_OCTET_STRING), |
118 | | ENTRY_ND("1.2.840.113549.1.9.4", NULL, ASN1_ETYPE_OCTET_STRING), |
119 | | |
120 | | /* rfc3920 section 5.1.1 */ |
121 | | ENTRY("1.3.6.1.5.5.7.8.5", "XmppAddr", NULL, ASN1_ETYPE_UTF8_STRING), |
122 | | |
123 | | /* Russian things: https://cdnimg.rg.ru/pril/66/91/91/23041_pril.pdf */ |
124 | | /* Main state registration number */ |
125 | | ENTRY("1.2.643.100.1", "OGRN", NULL, ASN1_ETYPE_NUMERIC_STRING), |
126 | | /* Individual insurance account number */ |
127 | | ENTRY("1.2.643.100.3", "SNILS", NULL, ASN1_ETYPE_NUMERIC_STRING), |
128 | | /* Main state registration number for individual enterpreneurs */ |
129 | | ENTRY("1.2.643.100.5", "OGRNIP", NULL, ASN1_ETYPE_NUMERIC_STRING), |
130 | | /* VAT identification number */ |
131 | | ENTRY("1.2.643.3.131.1.1", "INN", NULL, ASN1_ETYPE_NUMERIC_STRING), |
132 | | |
133 | | {NULL, 0, NULL, 0, NULL, 0} |
134 | | }; |
135 | | |
136 | | const struct oid_to_string *_gnutls_oid_get_entry(const struct oid_to_string |
137 | | *ots, const char *oid) |
138 | 0 | { |
139 | 0 | unsigned int i = 0; |
140 | 0 | unsigned len = strlen(oid); |
141 | |
|
142 | 0 | do { |
143 | 0 | if (len == ots[i].oid_size && strcmp(ots[i].oid, oid) == 0) |
144 | 0 | return &ots[i]; |
145 | 0 | i++; |
146 | 0 | } |
147 | 0 | while (ots[i].oid != NULL); |
148 | | |
149 | 0 | return NULL; |
150 | 0 | } |
151 | | |
152 | | const char *_gnutls_oid_get_asn_desc(const char *oid) |
153 | 0 | { |
154 | 0 | const struct oid_to_string *entry = |
155 | 0 | _gnutls_oid_get_entry(_oid2str, oid); |
156 | 0 | return entry ? entry->asn_desc : NULL; |
157 | 0 | } |
158 | | |
159 | | const char *_gnutls_ldap_string_to_oid(const char *str, unsigned str_len) |
160 | 0 | { |
161 | 0 | unsigned int i = 0; |
162 | |
|
163 | 0 | do { |
164 | 0 | if ((_oid2str[i].name_desc != NULL) && |
165 | 0 | (str_len == _oid2str[i].name_desc_size) && |
166 | 0 | (c_strncasecmp(_oid2str[i].name_desc, str, str_len) == 0)) |
167 | 0 | return _oid2str[i].oid; |
168 | 0 | i++; |
169 | 0 | } |
170 | 0 | while (_oid2str[i].oid != NULL); |
171 | | |
172 | 0 | return NULL; |
173 | 0 | } |
174 | | |
175 | | /* Escapes a string following the rules from RFC4514. |
176 | | */ |
177 | | static int str_escape(const gnutls_datum_t * str, gnutls_datum_t * escaped) |
178 | 0 | { |
179 | 0 | unsigned int j, i; |
180 | 0 | uint8_t *buffer = NULL; |
181 | 0 | int ret; |
182 | |
|
183 | 0 | if (str == NULL) |
184 | 0 | return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); |
185 | | |
186 | | /* the string will be at most twice the original */ |
187 | 0 | buffer = gnutls_malloc(str->size * 2 + 2); |
188 | 0 | if (buffer == NULL) |
189 | 0 | return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); |
190 | | |
191 | 0 | for (i = j = 0; i < str->size; i++) { |
192 | 0 | if (str->data[i] == 0) { |
193 | | /* this is handled earlier */ |
194 | 0 | ret = gnutls_assert_val(GNUTLS_E_ASN1_DER_ERROR); |
195 | 0 | goto cleanup; |
196 | 0 | } |
197 | | |
198 | 0 | if (str->data[i] == ',' || str->data[i] == '+' |
199 | 0 | || str->data[i] == '"' || str->data[i] == '\\' |
200 | 0 | || str->data[i] == '<' || str->data[i] == '>' |
201 | 0 | || str->data[i] == ';' || str->data[i] == 0) |
202 | 0 | buffer[j++] = '\\'; |
203 | 0 | else if (i == 0 && str->data[i] == '#') |
204 | 0 | buffer[j++] = '\\'; |
205 | 0 | else if (i == 0 && str->data[i] == ' ') |
206 | 0 | buffer[j++] = '\\'; |
207 | 0 | else if (i == (str->size - 1) && str->data[i] == ' ') |
208 | 0 | buffer[j++] = '\\'; |
209 | |
|
210 | 0 | buffer[j++] = str->data[i]; |
211 | 0 | } |
212 | | |
213 | | /* null terminate the string */ |
214 | 0 | buffer[j] = 0; |
215 | 0 | escaped->data = buffer; |
216 | 0 | escaped->size = j; |
217 | |
|
218 | 0 | return 0; |
219 | 0 | cleanup: |
220 | 0 | gnutls_free(buffer); |
221 | 0 | return ret; |
222 | 0 | } |
223 | | |
224 | | /** |
225 | | * gnutls_x509_dn_oid_known: |
226 | | * @oid: holds an Object Identifier in a null terminated string |
227 | | * |
228 | | * This function will inform about known DN OIDs. This is useful since |
229 | | * functions like gnutls_x509_crt_set_dn_by_oid() use the information |
230 | | * on known OIDs to properly encode their input. Object Identifiers |
231 | | * that are not known are not encoded by these functions, and their |
232 | | * input is stored directly into the ASN.1 structure. In that case of |
233 | | * unknown OIDs, you have the responsibility of DER encoding your |
234 | | * data. |
235 | | * |
236 | | * Returns: 1 on known OIDs and 0 otherwise. |
237 | | **/ |
238 | | int gnutls_x509_dn_oid_known(const char *oid) |
239 | 0 | { |
240 | 0 | return _gnutls_oid_get_entry(_oid2str, oid) != NULL; |
241 | 0 | } |
242 | | |
243 | | /** |
244 | | * gnutls_x509_dn_oid_name: |
245 | | * @oid: holds an Object Identifier in a null terminated string |
246 | | * @flags: 0 or GNUTLS_X509_DN_OID_* |
247 | | * |
248 | | * This function will return the name of a known DN OID. If |
249 | | * %GNUTLS_X509_DN_OID_RETURN_OID is specified this function |
250 | | * will return the given OID if no descriptive name has been |
251 | | * found. |
252 | | * |
253 | | * Returns: A null terminated string or NULL otherwise. |
254 | | * |
255 | | * Since: 3.0 |
256 | | **/ |
257 | | const char *gnutls_x509_dn_oid_name(const char *oid, unsigned int flags) |
258 | 0 | { |
259 | 0 | const struct oid_to_string *entry = |
260 | 0 | _gnutls_oid_get_entry(_oid2str, oid); |
261 | |
|
262 | 0 | if (entry && entry->name_desc) |
263 | 0 | return entry->name_desc; |
264 | 0 | if (flags & GNUTLS_X509_DN_OID_RETURN_OID) |
265 | 0 | return oid; |
266 | 0 | else |
267 | 0 | return NULL; |
268 | 0 | } |
269 | | |
270 | | static int |
271 | | make_printable_string(unsigned etype, const gnutls_datum_t * input, |
272 | | gnutls_datum_t * out) |
273 | 0 | { |
274 | 0 | int printable = 0; |
275 | 0 | int ret; |
276 | | |
277 | | /* empty input strings result to a null string */ |
278 | 0 | if (input->data == NULL || input->size == 0) { |
279 | 0 | out->data = gnutls_calloc(1, 1); |
280 | 0 | if (out->data == NULL) |
281 | 0 | return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); |
282 | 0 | out->size = 0; |
283 | 0 | return 0; |
284 | 0 | } |
285 | | |
286 | 0 | if (etype == ASN1_ETYPE_BMP_STRING) { |
287 | 0 | ret = _gnutls_ucs2_to_utf8(input->data, input->size, out, 1); |
288 | 0 | if (ret < 0) { |
289 | | /* could not convert. Handle it as non-printable */ |
290 | 0 | printable = 0; |
291 | 0 | } else |
292 | 0 | printable = 1; |
293 | 0 | } else if (etype == ASN1_ETYPE_TELETEX_STRING) { |
294 | | /* HACK: if the teletex string contains only ascii |
295 | | * characters then treat it as printable. |
296 | | */ |
297 | 0 | if (_gnutls_str_is_print((char *)input->data, input->size)) { |
298 | 0 | out->data = gnutls_malloc(input->size + 1); |
299 | 0 | if (out->data == NULL) |
300 | 0 | return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); |
301 | | |
302 | 0 | memcpy(out->data, input->data, input->size); |
303 | 0 | out->size = input->size; |
304 | |
|
305 | 0 | out->data[out->size] = 0; |
306 | |
|
307 | 0 | printable = 1; |
308 | 0 | } |
309 | 0 | } else if (etype != ASN1_ETYPE_UNIVERSAL_STRING) /* supported but not printable */ |
310 | 0 | return GNUTLS_E_INVALID_REQUEST; |
311 | | |
312 | 0 | if (printable == 0) { /* need to allocate out */ |
313 | 0 | ret = data2hex(input->data, input->size, out); |
314 | 0 | if (ret < 0) { |
315 | 0 | gnutls_assert(); |
316 | 0 | return ret; |
317 | 0 | } |
318 | 0 | } |
319 | | |
320 | 0 | return 0; |
321 | 0 | } |
322 | | |
323 | | static int |
324 | | decode_complex_string(const struct oid_to_string *oentry, void *value, |
325 | | int value_size, gnutls_datum_t * out) |
326 | 0 | { |
327 | 0 | char str[MAX_STRING_LEN], tmpname[128]; |
328 | 0 | int len = -1, result; |
329 | 0 | asn1_node tmpasn = NULL; |
330 | 0 | char asn1_err[ASN1_MAX_ERROR_DESCRIPTION_SIZE] = ""; |
331 | 0 | unsigned int etype; |
332 | 0 | gnutls_datum_t td = { NULL, 0 }; |
333 | |
|
334 | 0 | if (oentry->asn_desc == NULL) { |
335 | 0 | gnutls_assert(); |
336 | 0 | return GNUTLS_E_INTERNAL_ERROR; |
337 | 0 | } |
338 | | |
339 | 0 | if ((result = |
340 | 0 | asn1_create_element(_gnutls_get_pkix(), oentry->asn_desc, |
341 | 0 | &tmpasn)) != ASN1_SUCCESS) { |
342 | 0 | gnutls_assert(); |
343 | 0 | return _gnutls_asn2err(result); |
344 | 0 | } |
345 | | |
346 | 0 | if ((result = |
347 | 0 | _asn1_strict_der_decode(&tmpasn, value, value_size, |
348 | 0 | asn1_err)) != ASN1_SUCCESS) { |
349 | 0 | gnutls_assert(); |
350 | 0 | _gnutls_debug_log("_asn1_strict_der_decode: %s\n", asn1_err); |
351 | 0 | asn1_delete_structure(&tmpasn); |
352 | 0 | return _gnutls_asn2err(result); |
353 | 0 | } |
354 | | |
355 | | /* Read the type of choice. |
356 | | */ |
357 | 0 | len = sizeof(str) - 1; |
358 | 0 | if ((result = asn1_read_value(tmpasn, "", str, &len)) != ASN1_SUCCESS) { /* CHOICE */ |
359 | 0 | gnutls_assert(); |
360 | 0 | asn1_delete_structure(&tmpasn); |
361 | 0 | return _gnutls_asn2err(result); |
362 | 0 | } |
363 | | |
364 | 0 | str[len] = 0; |
365 | | |
366 | | /* We set the etype on the strings that may need |
367 | | * some conversion to UTF-8. The INVALID flag indicates |
368 | | * no conversion needed */ |
369 | 0 | if (strcmp(str, "teletexString") == 0) |
370 | 0 | etype = ASN1_ETYPE_TELETEX_STRING; |
371 | 0 | else if (strcmp(str, "bmpString") == 0) |
372 | 0 | etype = ASN1_ETYPE_BMP_STRING; |
373 | 0 | else if (strcmp(str, "universalString") == 0) |
374 | 0 | etype = ASN1_ETYPE_UNIVERSAL_STRING; |
375 | 0 | else |
376 | 0 | etype = ASN1_ETYPE_INVALID; |
377 | |
|
378 | 0 | _gnutls_str_cpy(tmpname, sizeof(tmpname), str); |
379 | |
|
380 | 0 | result = _gnutls_x509_read_value(tmpasn, tmpname, &td); |
381 | 0 | asn1_delete_structure(&tmpasn); |
382 | 0 | if (result < 0) |
383 | 0 | return gnutls_assert_val(result); |
384 | | |
385 | 0 | if (etype != ASN1_ETYPE_INVALID) { |
386 | 0 | result = make_printable_string(etype, &td, out); |
387 | |
|
388 | 0 | _gnutls_free_datum(&td); |
389 | |
|
390 | 0 | if (result < 0) |
391 | 0 | return gnutls_assert_val(result); |
392 | 0 | } else { |
393 | 0 | out->data = td.data; |
394 | 0 | out->size = td.size; |
395 | | /* _gnutls_x509_read_value always null terminates */ |
396 | 0 | } |
397 | | |
398 | 0 | assert(out->data != NULL); |
399 | | |
400 | | /* Refuse to deal with strings containing NULs. */ |
401 | 0 | if (strlen((void *)out->data) != (size_t)out->size) { |
402 | 0 | _gnutls_free_datum(out); |
403 | 0 | return gnutls_assert_val(GNUTLS_E_ASN1_EMBEDDED_NULL_IN_STRING); |
404 | 0 | } |
405 | | |
406 | 0 | return 0; |
407 | 0 | } |
408 | | |
409 | | /* This function will convert an attribute value, specified by the OID, |
410 | | * to a string. The result will be a null terminated string. |
411 | | * |
412 | | * res may be null. This will just return the res_size, needed to |
413 | | * hold the string. |
414 | | */ |
415 | | int |
416 | | _gnutls_x509_dn_to_string(const char *oid, void *value, |
417 | | int value_size, gnutls_datum_t * str) |
418 | 0 | { |
419 | 0 | const struct oid_to_string *oentry; |
420 | 0 | int ret; |
421 | 0 | gnutls_datum_t tmp = { NULL, 0 }; |
422 | |
|
423 | 0 | if (value == NULL || value_size <= 0) { |
424 | 0 | gnutls_assert(); |
425 | 0 | return GNUTLS_E_INVALID_REQUEST; |
426 | 0 | } |
427 | | |
428 | 0 | oentry = _gnutls_oid_get_entry(_oid2str, oid); |
429 | 0 | if (oentry == NULL) { /* unknown OID -> hex */ |
430 | 0 | unknown_oid: |
431 | 0 | ret = data2hex(value, value_size, str); |
432 | 0 | if (ret < 0) { |
433 | 0 | gnutls_assert(); |
434 | 0 | return ret; |
435 | 0 | } |
436 | 0 | return 0; |
437 | 0 | } |
438 | | |
439 | 0 | if (oentry->asn_desc != NULL) { /* complex */ |
440 | 0 | ret = decode_complex_string(oentry, value, value_size, &tmp); |
441 | 0 | if (ret < 0) { |
442 | | /* we failed decoding -> handle it as unknown OID */ |
443 | 0 | goto unknown_oid; |
444 | 0 | } |
445 | 0 | } else { |
446 | 0 | ret = |
447 | 0 | _gnutls_x509_decode_string(oentry->etype, value, |
448 | 0 | value_size, &tmp, 0); |
449 | 0 | if (ret < 0) { |
450 | | /* we failed decoding -> handle it as unknown OID */ |
451 | 0 | goto unknown_oid; |
452 | 0 | } |
453 | 0 | } |
454 | | |
455 | 0 | ret = str_escape(&tmp, str); |
456 | 0 | _gnutls_free_datum(&tmp); |
457 | |
|
458 | 0 | if (ret < 0) |
459 | 0 | return gnutls_assert_val(ret); |
460 | | |
461 | 0 | return 0; |
462 | 0 | } |
463 | | |
464 | | /* Converts a data string to an LDAP rfc2253 hex string |
465 | | * something like '#01020304' |
466 | | */ |
467 | | static int data2hex(const void *data, size_t data_size, gnutls_datum_t * out) |
468 | 0 | { |
469 | 0 | gnutls_datum_t tmp, td; |
470 | 0 | int ret; |
471 | 0 | size_t size; |
472 | |
|
473 | 0 | td.size = hex_str_size(data_size) + 1; /* +1 for '#' */ |
474 | 0 | td.data = gnutls_malloc(td.size); |
475 | 0 | if (td.data == NULL) |
476 | 0 | return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); |
477 | | |
478 | 0 | tmp.data = (void *)data; |
479 | 0 | tmp.size = data_size; |
480 | |
|
481 | 0 | td.data[0] = '#'; |
482 | 0 | size = td.size - 1; /* don't include '#' */ |
483 | 0 | ret = gnutls_hex_encode(&tmp, (char *)&td.data[1], &size); |
484 | 0 | if (ret < 0) { |
485 | 0 | gnutls_assert(); |
486 | 0 | gnutls_free(td.data); |
487 | 0 | return GNUTLS_E_SHORT_MEMORY_BUFFER; |
488 | 0 | } |
489 | | |
490 | 0 | td.size--; /* don't include null */ |
491 | |
|
492 | 0 | out->data = td.data; |
493 | 0 | out->size = td.size; |
494 | |
|
495 | 0 | return 0; |
496 | 0 | } |
497 | | |
498 | | gnutls_x509_subject_alt_name_t _gnutls_x509_san_find_type(char *str_type) |
499 | 0 | { |
500 | 0 | if (strcmp(str_type, "dNSName") == 0) |
501 | 0 | return GNUTLS_SAN_DNSNAME; |
502 | 0 | if (strcmp(str_type, "rfc822Name") == 0) |
503 | 0 | return GNUTLS_SAN_RFC822NAME; |
504 | 0 | if (strcmp(str_type, "uniformResourceIdentifier") == 0) |
505 | 0 | return GNUTLS_SAN_URI; |
506 | 0 | if (strcmp(str_type, "iPAddress") == 0) |
507 | 0 | return GNUTLS_SAN_IPADDRESS; |
508 | 0 | if (strcmp(str_type, "otherName") == 0) |
509 | 0 | return GNUTLS_SAN_OTHERNAME; |
510 | 0 | if (strcmp(str_type, "directoryName") == 0) |
511 | 0 | return GNUTLS_SAN_DN; |
512 | 0 | if (strcmp(str_type, "registeredID") == 0) |
513 | 0 | return GNUTLS_SAN_REGISTERED_ID; |
514 | | |
515 | 0 | return (gnutls_x509_subject_alt_name_t) - 1; |
516 | 0 | } |
517 | | |
518 | | /* A generic export function. Will export the given ASN.1 encoded data |
519 | | * to PEM or DER raw data. |
520 | | */ |
521 | | int |
522 | | _gnutls_x509_export_int_named(asn1_node asn1_data, const char *name, |
523 | | gnutls_x509_crt_fmt_t format, |
524 | | const char *pem_header, |
525 | | unsigned char *output_data, |
526 | | size_t *output_data_size) |
527 | 0 | { |
528 | 0 | int ret; |
529 | 0 | gnutls_datum_t out = { NULL, 0 }; |
530 | 0 | size_t size; |
531 | |
|
532 | 0 | ret = _gnutls_x509_export_int_named2(asn1_data, name, |
533 | 0 | format, pem_header, &out); |
534 | 0 | if (ret < 0) |
535 | 0 | return gnutls_assert_val(ret); |
536 | | |
537 | 0 | if (format == GNUTLS_X509_FMT_PEM) |
538 | 0 | size = out.size + 1; |
539 | 0 | else |
540 | 0 | size = out.size; |
541 | |
|
542 | 0 | if (*output_data_size < size) { |
543 | 0 | *output_data_size = size; |
544 | 0 | ret = gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER); |
545 | 0 | goto cleanup; |
546 | 0 | } |
547 | | |
548 | 0 | *output_data_size = (size_t)out.size; |
549 | 0 | if (output_data) { |
550 | 0 | if (out.size > 0) { |
551 | 0 | memcpy(output_data, out.data, (size_t)out.size); |
552 | 0 | } |
553 | 0 | if (format == GNUTLS_X509_FMT_PEM) |
554 | 0 | output_data[out.size] = 0; |
555 | 0 | } |
556 | |
|
557 | 0 | ret = 0; |
558 | |
|
559 | 0 | cleanup: |
560 | 0 | gnutls_free(out.data); |
561 | |
|
562 | 0 | return ret; |
563 | 0 | } |
564 | | |
565 | | /* A generic export function. Will export the given ASN.1 encoded data |
566 | | * to PEM or DER raw data. |
567 | | */ |
568 | | int |
569 | | _gnutls_x509_export_int_named2(asn1_node asn1_data, const char *name, |
570 | | gnutls_x509_crt_fmt_t format, |
571 | | const char *pem_header, gnutls_datum_t * out) |
572 | 0 | { |
573 | 0 | int ret; |
574 | |
|
575 | 0 | if (format == GNUTLS_X509_FMT_DER) { |
576 | 0 | ret = _gnutls_x509_der_encode(asn1_data, name, out, 0); |
577 | 0 | if (ret < 0) |
578 | 0 | return gnutls_assert_val(ret); |
579 | 0 | } else { /* PEM */ |
580 | 0 | gnutls_datum_t tmp; |
581 | |
|
582 | 0 | ret = _gnutls_x509_der_encode(asn1_data, name, &tmp, 0); |
583 | 0 | if (ret < 0) |
584 | 0 | return gnutls_assert_val(ret); |
585 | | |
586 | 0 | ret = |
587 | 0 | _gnutls_fbase64_encode(pem_header, tmp.data, tmp.size, out); |
588 | 0 | _gnutls_free_datum(&tmp); |
589 | |
|
590 | 0 | if (ret < 0) |
591 | 0 | return gnutls_assert_val(ret); |
592 | 0 | } |
593 | | |
594 | 0 | return 0; |
595 | 0 | } |
596 | | |
597 | | /* Decodes an octet string. The etype specifies the string type. |
598 | | * The returned string is always null terminated (but null is not |
599 | | * included in size). |
600 | | */ |
601 | | int |
602 | | _gnutls_x509_decode_string(unsigned int etype, |
603 | | const uint8_t * der, size_t der_size, |
604 | | gnutls_datum_t * output, unsigned allow_ber) |
605 | 0 | { |
606 | 0 | int ret; |
607 | 0 | uint8_t *str; |
608 | 0 | unsigned int str_size, len; |
609 | 0 | gnutls_datum_t td; |
610 | |
|
611 | 0 | output->data = NULL; |
612 | 0 | output->size = 0; |
613 | |
|
614 | 0 | if (allow_ber) |
615 | 0 | ret = |
616 | 0 | asn1_decode_simple_ber(etype, der, der_size, &str, |
617 | 0 | &str_size, NULL); |
618 | 0 | else |
619 | 0 | ret = |
620 | 0 | asn1_decode_simple_der(etype, der, der_size, |
621 | 0 | (const uint8_t **)&str, &str_size); |
622 | 0 | if (ret != ASN1_SUCCESS) { |
623 | 0 | gnutls_assert(); |
624 | 0 | ret = _gnutls_asn2err(ret); |
625 | 0 | return ret; |
626 | 0 | } |
627 | | |
628 | 0 | td.size = str_size; |
629 | 0 | td.data = gnutls_malloc(str_size + 1); |
630 | 0 | if (td.data == NULL) |
631 | 0 | return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); |
632 | | |
633 | 0 | if (str_size > 0) |
634 | 0 | memcpy(td.data, str, str_size); |
635 | 0 | td.data[str_size] = 0; |
636 | |
|
637 | 0 | if (allow_ber) |
638 | 0 | free(str); |
639 | |
|
640 | 0 | ret = make_printable_string(etype, &td, output); |
641 | 0 | if (ret == GNUTLS_E_INVALID_REQUEST) { /* unsupported etype */ |
642 | 0 | output->data = td.data; |
643 | 0 | output->size = td.size; |
644 | 0 | ret = 0; |
645 | 0 | } else if (ret <= 0) { |
646 | 0 | _gnutls_free_datum(&td); |
647 | 0 | } |
648 | | |
649 | | /* Refuse to deal with strings containing NULs. */ |
650 | 0 | if (etype != ASN1_ETYPE_OCTET_STRING) { |
651 | 0 | if (output->data) |
652 | 0 | len = strlen((void *)output->data); |
653 | 0 | else |
654 | 0 | len = 0; |
655 | |
|
656 | 0 | if (len != (size_t)output->size) { |
657 | 0 | _gnutls_free_datum(output); |
658 | 0 | ret = |
659 | 0 | gnutls_assert_val |
660 | 0 | (GNUTLS_E_ASN1_EMBEDDED_NULL_IN_STRING); |
661 | 0 | } |
662 | 0 | } |
663 | |
|
664 | 0 | return ret; |
665 | 0 | } |
666 | | |
667 | | /* Reads a value from an ASN1 tree, and puts the output |
668 | | * in an allocated variable in the given datum. |
669 | | * |
670 | | * Note that this function always allocates one plus |
671 | | * the required data size (and places a null byte). |
672 | | */ |
673 | | static int |
674 | | x509_read_value(asn1_node c, const char *root, |
675 | | gnutls_datum_t * ret, unsigned allow_null) |
676 | 0 | { |
677 | 0 | int len = 0, result; |
678 | 0 | uint8_t *tmp = NULL; |
679 | 0 | unsigned int etype; |
680 | |
|
681 | 0 | result = asn1_read_value_type(c, root, NULL, &len, &etype); |
682 | 0 | if (result == 0 && allow_null == 0 && len == 0) { |
683 | | /* don't allow null strings */ |
684 | 0 | return gnutls_assert_val(GNUTLS_E_ASN1_DER_ERROR); |
685 | 0 | } else if (result == 0 && allow_null == 0 |
686 | 0 | && etype == ASN1_ETYPE_OBJECT_ID && len == 1) { |
687 | 0 | return gnutls_assert_val(GNUTLS_E_ASN1_DER_ERROR); |
688 | 0 | } |
689 | | |
690 | 0 | if (result != ASN1_MEM_ERROR) { |
691 | 0 | if (result != ASN1_SUCCESS || allow_null == 0 || len != 0) { |
692 | 0 | result = _gnutls_asn2err(result); |
693 | 0 | return result; |
694 | 0 | } |
695 | 0 | } |
696 | | |
697 | 0 | if (etype == ASN1_ETYPE_BIT_STRING) { |
698 | 0 | len = (len + 7) / 8; |
699 | 0 | } |
700 | |
|
701 | 0 | tmp = gnutls_malloc((size_t)len + 1); |
702 | 0 | if (tmp == NULL) { |
703 | 0 | gnutls_assert(); |
704 | 0 | result = GNUTLS_E_MEMORY_ERROR; |
705 | 0 | goto cleanup; |
706 | 0 | } |
707 | | |
708 | 0 | if (len > 0) { |
709 | 0 | result = asn1_read_value(c, root, tmp, &len); |
710 | 0 | if (result != ASN1_SUCCESS) { |
711 | 0 | gnutls_assert(); |
712 | 0 | result = _gnutls_asn2err(result); |
713 | 0 | goto cleanup; |
714 | 0 | } |
715 | | |
716 | 0 | switch (etype) { |
717 | 0 | case ASN1_ETYPE_BIT_STRING: |
718 | 0 | ret->size = (len + 7) / 8; |
719 | 0 | break; |
720 | 0 | case ASN1_ETYPE_OBJECT_ID: |
721 | 0 | if (len > 0) { |
722 | 0 | ret->size = len - 1; |
723 | 0 | } else { |
724 | 0 | result = |
725 | 0 | gnutls_assert_val(GNUTLS_E_ASN1_DER_ERROR); |
726 | 0 | goto cleanup; |
727 | 0 | } |
728 | 0 | break; |
729 | 0 | default: |
730 | 0 | ret->size = (unsigned)len; |
731 | 0 | break; |
732 | 0 | } |
733 | 0 | } else { |
734 | 0 | ret->size = 0; |
735 | 0 | } |
736 | | |
737 | 0 | tmp[ret->size] = 0; |
738 | 0 | ret->data = tmp; |
739 | |
|
740 | 0 | return 0; |
741 | | |
742 | 0 | cleanup: |
743 | 0 | gnutls_free(tmp); |
744 | 0 | return result; |
745 | 0 | } |
746 | | |
747 | | int _gnutls_x509_read_value(asn1_node c, const char *root, gnutls_datum_t * ret) |
748 | 0 | { |
749 | 0 | return x509_read_value(c, root, ret, 0); |
750 | 0 | } |
751 | | |
752 | | int |
753 | | _gnutls_x509_read_null_value(asn1_node c, const char *root, |
754 | | gnutls_datum_t * ret) |
755 | 0 | { |
756 | 0 | return x509_read_value(c, root, ret, 1); |
757 | 0 | } |
758 | | |
759 | | /* Reads a value from an ASN1 tree, then interprets it as the provided |
760 | | * type of string and returns the output in an allocated variable. |
761 | | * |
762 | | * Note that this function always places a null character |
763 | | * at the end of a readable string value (which is not accounted into size) |
764 | | */ |
765 | | int |
766 | | _gnutls_x509_read_string(asn1_node c, const char *root, |
767 | | gnutls_datum_t * ret, unsigned int etype, |
768 | | unsigned int allow_ber) |
769 | 0 | { |
770 | 0 | int len = 0, result; |
771 | 0 | size_t slen; |
772 | 0 | uint8_t *tmp = NULL; |
773 | 0 | unsigned rtype; |
774 | |
|
775 | 0 | result = asn1_read_value_type(c, root, NULL, &len, &rtype); |
776 | 0 | if (result != ASN1_MEM_ERROR) { |
777 | 0 | gnutls_assert(); |
778 | 0 | result = _gnutls_asn2err(result); |
779 | 0 | return result; |
780 | 0 | } |
781 | | |
782 | 0 | if (rtype == ASN1_ETYPE_BIT_STRING) |
783 | 0 | len /= 8; |
784 | |
|
785 | 0 | tmp = gnutls_malloc((size_t)len + 1); |
786 | 0 | if (tmp == NULL) { |
787 | 0 | gnutls_assert(); |
788 | 0 | result = GNUTLS_E_MEMORY_ERROR; |
789 | 0 | goto cleanup; |
790 | 0 | } |
791 | | |
792 | 0 | result = asn1_read_value(c, root, tmp, &len); |
793 | 0 | if (result != ASN1_SUCCESS) { |
794 | 0 | gnutls_assert(); |
795 | 0 | result = _gnutls_asn2err(result); |
796 | 0 | goto cleanup; |
797 | 0 | } |
798 | | |
799 | 0 | if (rtype == ASN1_ETYPE_BIT_STRING) |
800 | 0 | len /= 8; |
801 | | |
802 | | /* Extract the STRING. |
803 | | */ |
804 | 0 | slen = (size_t)len; |
805 | |
|
806 | 0 | result = _gnutls_x509_decode_string(etype, tmp, slen, ret, allow_ber); |
807 | 0 | if (result < 0) { |
808 | 0 | gnutls_assert(); |
809 | 0 | goto cleanup; |
810 | 0 | } |
811 | 0 | gnutls_free(tmp); |
812 | |
|
813 | 0 | return 0; |
814 | | |
815 | 0 | cleanup: |
816 | 0 | gnutls_free(tmp); |
817 | 0 | return result; |
818 | 0 | } |
819 | | |
820 | | /* The string type should be IA5String, UTF8String etc. Leave |
821 | | * null for octet string */ |
822 | | int _gnutls_x509_encode_string(unsigned int etype, |
823 | | const void *input_data, size_t input_size, |
824 | | gnutls_datum_t * output) |
825 | 0 | { |
826 | 0 | uint8_t tl[ASN1_MAX_TL_SIZE]; |
827 | 0 | unsigned int tl_size; |
828 | 0 | int ret; |
829 | |
|
830 | 0 | tl_size = sizeof(tl); |
831 | 0 | ret = |
832 | 0 | asn1_encode_simple_der(etype, input_data, input_size, tl, &tl_size); |
833 | 0 | if (ret != ASN1_SUCCESS) { |
834 | 0 | gnutls_assert(); |
835 | 0 | ret = _gnutls_asn2err(ret); |
836 | 0 | return ret; |
837 | 0 | } |
838 | | |
839 | 0 | output->data = gnutls_malloc(tl_size + input_size); |
840 | 0 | if (output->data == NULL) |
841 | 0 | return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); |
842 | | |
843 | 0 | memcpy(output->data, tl, tl_size); |
844 | 0 | memcpy(output->data + tl_size, input_data, input_size); |
845 | |
|
846 | 0 | output->size = tl_size + input_size; |
847 | |
|
848 | 0 | return 0; |
849 | 0 | } |
850 | | |
851 | | /* DER Encodes the src asn1_node and stores it to |
852 | | * the given datum. If str is non zero then the data are encoded as |
853 | | * an OCTET STRING. |
854 | | */ |
855 | | int |
856 | | _gnutls_x509_der_encode(asn1_node src, const char *src_name, |
857 | | gnutls_datum_t * res, int str) |
858 | 0 | { |
859 | 0 | int size, result; |
860 | 0 | int asize; |
861 | 0 | uint8_t *data = NULL; |
862 | 0 | asn1_node c2 = NULL; |
863 | |
|
864 | 0 | size = 0; |
865 | 0 | result = asn1_der_coding(src, src_name, NULL, &size, NULL); |
866 | | /* this check explicitly covers the case where size == 0 && result == 0 */ |
867 | 0 | if (result != ASN1_MEM_ERROR) { |
868 | 0 | gnutls_assert(); |
869 | 0 | return _gnutls_asn2err(result); |
870 | 0 | } |
871 | | |
872 | | /* allocate data for the der |
873 | | */ |
874 | | |
875 | 0 | if (str) |
876 | 0 | size += 16; /* for later to include the octet tags */ |
877 | 0 | asize = size; |
878 | |
|
879 | 0 | data = gnutls_malloc((size_t)size); |
880 | 0 | if (data == NULL) { |
881 | 0 | gnutls_assert(); |
882 | 0 | return GNUTLS_E_MEMORY_ERROR; |
883 | 0 | } |
884 | | |
885 | 0 | result = asn1_der_coding(src, src_name, data, &size, NULL); |
886 | 0 | if (result != ASN1_SUCCESS) { |
887 | 0 | gnutls_assert(); |
888 | 0 | result = _gnutls_asn2err(result); |
889 | 0 | goto cleanup; |
890 | 0 | } |
891 | | |
892 | 0 | if (str) { |
893 | 0 | if ((result = asn1_create_element |
894 | 0 | (_gnutls_get_pkix(), "PKIX1.pkcs-7-Data", |
895 | 0 | &c2)) != ASN1_SUCCESS) { |
896 | 0 | gnutls_assert(); |
897 | 0 | result = _gnutls_asn2err(result); |
898 | 0 | goto cleanup; |
899 | 0 | } |
900 | | |
901 | 0 | result = asn1_write_value(c2, "", data, size); |
902 | 0 | if (result != ASN1_SUCCESS) { |
903 | 0 | gnutls_assert(); |
904 | 0 | result = _gnutls_asn2err(result); |
905 | 0 | goto cleanup; |
906 | 0 | } |
907 | | |
908 | 0 | result = asn1_der_coding(c2, "", data, &asize, NULL); |
909 | 0 | if (result != ASN1_SUCCESS) { |
910 | 0 | gnutls_assert(); |
911 | 0 | result = _gnutls_asn2err(result); |
912 | 0 | goto cleanup; |
913 | 0 | } |
914 | | |
915 | 0 | size = asize; |
916 | |
|
917 | 0 | asn1_delete_structure(&c2); |
918 | 0 | } |
919 | | |
920 | 0 | res->data = data; |
921 | 0 | res->size = (unsigned)size; |
922 | 0 | return 0; |
923 | | |
924 | 0 | cleanup: |
925 | 0 | gnutls_free(data); |
926 | 0 | asn1_delete_structure(&c2); |
927 | 0 | return result; |
928 | |
|
929 | 0 | } |
930 | | |
931 | | /* DER Encodes the src asn1_node and stores it to |
932 | | * dest in dest_name. Useful to encode something and store it |
933 | | * as OCTET. If str is non null then the data are encoded as |
934 | | * an OCTET STRING. |
935 | | */ |
936 | | int |
937 | | _gnutls_x509_der_encode_and_copy(asn1_node src, const char *src_name, |
938 | | asn1_node dest, const char *dest_name, int str) |
939 | 0 | { |
940 | 0 | int result; |
941 | 0 | gnutls_datum_t encoded = { NULL, 0 }; |
942 | |
|
943 | 0 | result = _gnutls_x509_der_encode(src, src_name, &encoded, str); |
944 | |
|
945 | 0 | if (result < 0) { |
946 | 0 | gnutls_assert(); |
947 | 0 | return result; |
948 | 0 | } |
949 | | |
950 | | /* Write the data. |
951 | | */ |
952 | 0 | result = |
953 | 0 | asn1_write_value(dest, dest_name, encoded.data, (int)encoded.size); |
954 | |
|
955 | 0 | _gnutls_free_datum(&encoded); |
956 | |
|
957 | 0 | if (result != ASN1_SUCCESS) { |
958 | 0 | gnutls_assert(); |
959 | 0 | return _gnutls_asn2err(result); |
960 | 0 | } |
961 | | |
962 | 0 | return 0; |
963 | 0 | } |
964 | | |
965 | | /* Writes the value of the datum in the given asn1_node. |
966 | | */ |
967 | | int |
968 | | _gnutls_x509_write_value(asn1_node c, const char *root, |
969 | | const gnutls_datum_t * data) |
970 | 0 | { |
971 | 0 | int ret; |
972 | | |
973 | | /* Write the data. |
974 | | */ |
975 | 0 | ret = asn1_write_value(c, root, data->data, data->size); |
976 | 0 | if (ret != ASN1_SUCCESS) { |
977 | 0 | gnutls_assert(); |
978 | 0 | return _gnutls_asn2err(ret); |
979 | 0 | } |
980 | | |
981 | 0 | return 0; |
982 | 0 | } |
983 | | |
984 | | /* Writes the value of the datum in the given asn1_node as a string. |
985 | | */ |
986 | | int |
987 | | _gnutls_x509_write_string(asn1_node c, const char *root, |
988 | | const gnutls_datum_t * data, unsigned int etype) |
989 | 0 | { |
990 | 0 | int ret; |
991 | 0 | gnutls_datum_t val = { NULL, 0 }; |
992 | |
|
993 | 0 | ret = _gnutls_x509_encode_string(etype, data->data, data->size, &val); |
994 | 0 | if (ret < 0) |
995 | 0 | return gnutls_assert_val(ret); |
996 | | |
997 | | /* Write the data. |
998 | | */ |
999 | 0 | ret = asn1_write_value(c, root, val.data, val.size); |
1000 | 0 | if (ret != ASN1_SUCCESS) { |
1001 | 0 | gnutls_assert(); |
1002 | 0 | ret = _gnutls_asn2err(ret); |
1003 | 0 | goto cleanup; |
1004 | 0 | } |
1005 | | |
1006 | 0 | ret = 0; |
1007 | |
|
1008 | 0 | cleanup: |
1009 | 0 | _gnutls_free_datum(&val); |
1010 | 0 | return ret; |
1011 | 0 | } |
1012 | | |
1013 | | void |
1014 | | _asnstr_append_name(char *name, size_t name_size, const char *part1, |
1015 | | const char *part2) |
1016 | 0 | { |
1017 | 0 | if (part1[0] != 0) { |
1018 | 0 | _gnutls_str_cpy(name, name_size, part1); |
1019 | 0 | _gnutls_str_cat(name, name_size, part2); |
1020 | 0 | } else |
1021 | 0 | _gnutls_str_cpy(name, name_size, |
1022 | 0 | part2 + 1 /* remove initial dot */ ); |
1023 | 0 | } |
1024 | | |
1025 | | /* Encodes and copies the private key parameters into a |
1026 | | * subjectPublicKeyInfo structure. |
1027 | | * |
1028 | | */ |
1029 | | int |
1030 | | _gnutls_x509_encode_and_copy_PKI_params(asn1_node dst, |
1031 | | const char *dst_name, |
1032 | | const gnutls_pk_params_st * params) |
1033 | 0 | { |
1034 | 0 | const char *oid; |
1035 | 0 | gnutls_datum_t der = { NULL, 0 }; |
1036 | 0 | int result; |
1037 | 0 | char name[128]; |
1038 | |
|
1039 | 0 | oid = gnutls_pk_get_oid(params->algo); |
1040 | 0 | if (oid == NULL) { |
1041 | 0 | gnutls_assert(); |
1042 | 0 | return GNUTLS_E_UNKNOWN_PK_ALGORITHM; |
1043 | 0 | } |
1044 | | |
1045 | | /* write the OID |
1046 | | */ |
1047 | 0 | _asnstr_append_name(name, sizeof(name), dst_name, |
1048 | 0 | ".algorithm.algorithm"); |
1049 | |
|
1050 | 0 | result = asn1_write_value(dst, name, oid, 1); |
1051 | 0 | if (result != ASN1_SUCCESS) { |
1052 | 0 | gnutls_assert(); |
1053 | 0 | return _gnutls_asn2err(result); |
1054 | 0 | } |
1055 | | |
1056 | 0 | result = _gnutls_x509_write_pubkey_params(params, &der); |
1057 | 0 | if (result < 0) { |
1058 | 0 | gnutls_assert(); |
1059 | 0 | return result; |
1060 | 0 | } |
1061 | | |
1062 | 0 | _asnstr_append_name(name, sizeof(name), dst_name, |
1063 | 0 | ".algorithm.parameters"); |
1064 | |
|
1065 | 0 | result = asn1_write_value(dst, name, der.data, der.size); |
1066 | 0 | _gnutls_free_datum(&der); |
1067 | |
|
1068 | 0 | if (result != ASN1_SUCCESS) { |
1069 | 0 | gnutls_assert(); |
1070 | 0 | return _gnutls_asn2err(result); |
1071 | 0 | } |
1072 | | |
1073 | 0 | result = _gnutls_x509_write_pubkey(params, &der); |
1074 | 0 | if (result < 0) { |
1075 | 0 | gnutls_assert(); |
1076 | 0 | return result; |
1077 | 0 | } |
1078 | | |
1079 | | /* Write the DER parameters. (in bits) |
1080 | | */ |
1081 | 0 | _asnstr_append_name(name, sizeof(name), dst_name, ".subjectPublicKey"); |
1082 | 0 | result = asn1_write_value(dst, name, der.data, der.size * 8); |
1083 | 0 | _gnutls_free_datum(&der); |
1084 | |
|
1085 | 0 | if (result != ASN1_SUCCESS) { |
1086 | 0 | gnutls_assert(); |
1087 | 0 | return _gnutls_asn2err(result); |
1088 | 0 | } |
1089 | | |
1090 | 0 | return 0; |
1091 | 0 | } |
1092 | | |
1093 | | /* Encodes and public key parameters into a |
1094 | | * subjectPublicKeyInfo structure and stores it in der. |
1095 | | */ |
1096 | | int |
1097 | | _gnutls_x509_encode_PKI_params(gnutls_datum_t * der, |
1098 | | const gnutls_pk_params_st * params) |
1099 | 0 | { |
1100 | 0 | int ret; |
1101 | 0 | asn1_node tmp; |
1102 | |
|
1103 | 0 | ret = asn1_create_element(_gnutls_get_pkix(), |
1104 | 0 | "PKIX1.Certificate", &tmp); |
1105 | 0 | if (ret != ASN1_SUCCESS) { |
1106 | 0 | gnutls_assert(); |
1107 | 0 | return _gnutls_asn2err(ret); |
1108 | 0 | } |
1109 | | |
1110 | 0 | ret = _gnutls_x509_encode_and_copy_PKI_params(tmp, |
1111 | 0 | "tbsCertificate.subjectPublicKeyInfo", |
1112 | 0 | params); |
1113 | 0 | if (ret != ASN1_SUCCESS) { |
1114 | 0 | gnutls_assert(); |
1115 | 0 | ret = _gnutls_asn2err(ret); |
1116 | 0 | goto cleanup; |
1117 | 0 | } |
1118 | | |
1119 | 0 | ret = |
1120 | 0 | _gnutls_x509_der_encode(tmp, |
1121 | 0 | "tbsCertificate.subjectPublicKeyInfo", |
1122 | 0 | der, 0); |
1123 | |
|
1124 | 0 | cleanup: |
1125 | 0 | asn1_delete_structure(&tmp); |
1126 | |
|
1127 | 0 | return ret; |
1128 | 0 | } |
1129 | | |
1130 | | /* Reads and returns the PK algorithm of the given certificate-like |
1131 | | * ASN.1 structure. src_name should be something like "tbsCertificate.subjectPublicKeyInfo". |
1132 | | */ |
1133 | | int |
1134 | | _gnutls_x509_get_pk_algorithm(asn1_node src, const char *src_name, |
1135 | | gnutls_ecc_curve_t * curve, unsigned int *bits) |
1136 | 0 | { |
1137 | 0 | int result; |
1138 | 0 | int algo; |
1139 | 0 | char oid[64]; |
1140 | 0 | int len; |
1141 | 0 | gnutls_ecc_curve_t lcurve = GNUTLS_ECC_CURVE_INVALID; |
1142 | 0 | char name[128]; |
1143 | |
|
1144 | 0 | _asnstr_append_name(name, sizeof(name), src_name, |
1145 | 0 | ".algorithm.algorithm"); |
1146 | 0 | len = sizeof(oid); |
1147 | 0 | result = asn1_read_value(src, name, oid, &len); |
1148 | |
|
1149 | 0 | if (result != ASN1_SUCCESS) { |
1150 | 0 | gnutls_assert(); |
1151 | 0 | return _gnutls_asn2err(result); |
1152 | 0 | } |
1153 | | |
1154 | 0 | algo = _gnutls_oid_to_pk_and_curve(oid, &lcurve); |
1155 | 0 | if (algo == GNUTLS_PK_UNKNOWN) { |
1156 | 0 | _gnutls_debug_log |
1157 | 0 | ("%s: unknown public key algorithm: %s\n", __func__, oid); |
1158 | 0 | } |
1159 | |
|
1160 | 0 | if (curve) |
1161 | 0 | *curve = lcurve; |
1162 | |
|
1163 | 0 | if (bits == NULL) { |
1164 | 0 | return algo; |
1165 | 0 | } |
1166 | | |
1167 | | /* Now read the parameters' bits |
1168 | | */ |
1169 | 0 | if (lcurve != GNUTLS_ECC_CURVE_INVALID) { /* curve present */ |
1170 | 0 | bits[0] = gnutls_ecc_curve_get_size(lcurve) * 8; |
1171 | 0 | } else { |
1172 | 0 | gnutls_pk_params_st params; |
1173 | 0 | gnutls_pk_params_init(¶ms); |
1174 | |
|
1175 | 0 | result = _gnutls_get_asn_mpis(src, src_name, ¶ms); |
1176 | 0 | if (result < 0) |
1177 | 0 | return gnutls_assert_val(result); |
1178 | | |
1179 | 0 | bits[0] = pubkey_to_bits(¶ms); |
1180 | 0 | gnutls_pk_params_release(¶ms); |
1181 | 0 | } |
1182 | | |
1183 | 0 | return algo; |
1184 | 0 | } |
1185 | | |
1186 | | /* Reads the DER signed data from the certificate and allocates space and |
1187 | | * returns them into signed_data. |
1188 | | */ |
1189 | | int |
1190 | | _gnutls_x509_get_signed_data(asn1_node src, const gnutls_datum_t * der, |
1191 | | const char *src_name, gnutls_datum_t * signed_data) |
1192 | 0 | { |
1193 | 0 | int start, end, result; |
1194 | |
|
1195 | 0 | if (der == NULL || der->size == 0) { |
1196 | 0 | return _gnutls_x509_der_encode(src, src_name, signed_data, 0); |
1197 | 0 | } |
1198 | | |
1199 | | /* Get the signed data |
1200 | | */ |
1201 | 0 | result = asn1_der_decoding_startEnd(src, der->data, der->size, |
1202 | 0 | src_name, &start, &end); |
1203 | 0 | if (result != ASN1_SUCCESS) { |
1204 | 0 | result = _gnutls_asn2err(result); |
1205 | 0 | gnutls_assert(); |
1206 | 0 | goto cleanup; |
1207 | 0 | } |
1208 | | |
1209 | 0 | result = |
1210 | 0 | _gnutls_set_datum(signed_data, &der->data[start], end - start + 1); |
1211 | |
|
1212 | 0 | if (result < 0) { |
1213 | 0 | gnutls_assert(); |
1214 | 0 | goto cleanup; |
1215 | 0 | } |
1216 | | |
1217 | 0 | result = 0; |
1218 | |
|
1219 | 0 | cleanup: |
1220 | 0 | return result; |
1221 | 0 | } |
1222 | | |
1223 | | /*- |
1224 | | * gnutls_x509_get_signature_algorithm: |
1225 | | * @src: should contain an asn1_node structure |
1226 | | * @src_name: the description of the signature field |
1227 | | * |
1228 | | * This function will return a value of the #gnutls_sign_algorithm_t |
1229 | | * enumeration that is the signature algorithm that has been used to |
1230 | | * sign this certificate. |
1231 | | * |
1232 | | * Returns: a #gnutls_sign_algorithm_t value, or a negative error code on |
1233 | | * error. |
1234 | | -*/ |
1235 | | int _gnutls_x509_get_signature_algorithm(asn1_node src, const char *src_name) |
1236 | 0 | { |
1237 | 0 | int result; |
1238 | 0 | char name[128]; |
1239 | 0 | gnutls_datum_t sa = { NULL, 0 }; |
1240 | |
|
1241 | 0 | _gnutls_str_cpy(name, sizeof(name), src_name); |
1242 | 0 | _gnutls_str_cat(name, sizeof(name), ".algorithm"); |
1243 | | |
1244 | | /* Read the signature algorithm */ |
1245 | 0 | result = _gnutls_x509_read_value(src, name, &sa); |
1246 | |
|
1247 | 0 | if (result < 0) { |
1248 | 0 | gnutls_assert(); |
1249 | 0 | return result; |
1250 | 0 | } |
1251 | | |
1252 | | /* Read the signature parameters. Unless the algorithm is |
1253 | | * RSA-PSS, parameters are not read. They will be read from |
1254 | | * the issuer's certificate if needed. |
1255 | | */ |
1256 | 0 | if (sa.data && strcmp((char *)sa.data, PK_PKIX1_RSA_PSS_OID) == 0) { |
1257 | 0 | gnutls_datum_t der = { NULL, 0 }; |
1258 | 0 | gnutls_x509_spki_st params; |
1259 | |
|
1260 | 0 | _gnutls_str_cpy(name, sizeof(name), src_name); |
1261 | 0 | _gnutls_str_cat(name, sizeof(name), ".parameters"); |
1262 | |
|
1263 | 0 | result = _gnutls_x509_read_value(src, name, &der); |
1264 | 0 | if (result < 0) { |
1265 | 0 | _gnutls_free_datum(&sa); |
1266 | 0 | return gnutls_assert_val(result); |
1267 | 0 | } |
1268 | | |
1269 | 0 | result = _gnutls_x509_read_rsa_pss_params(der.data, der.size, |
1270 | 0 | ¶ms); |
1271 | 0 | _gnutls_free_datum(&der); |
1272 | |
|
1273 | 0 | if (result == 0) |
1274 | 0 | result = |
1275 | 0 | gnutls_pk_to_sign(params.pk, params.rsa_pss_dig); |
1276 | 0 | } else if (sa.data) { |
1277 | 0 | result = gnutls_oid_to_sign((char *)sa.data); |
1278 | 0 | } else { |
1279 | 0 | result = GNUTLS_E_UNKNOWN_ALGORITHM; |
1280 | 0 | } |
1281 | | |
1282 | 0 | _gnutls_free_datum(&sa); |
1283 | |
|
1284 | 0 | if (result == GNUTLS_SIGN_UNKNOWN) |
1285 | 0 | result = GNUTLS_E_UNKNOWN_ALGORITHM; |
1286 | |
|
1287 | 0 | return result; |
1288 | 0 | } |
1289 | | |
1290 | | /* Reads the DER signature from the certificate and allocates space and |
1291 | | * returns them into signed_data. |
1292 | | */ |
1293 | | int |
1294 | | _gnutls_x509_get_signature(asn1_node src, const char *src_name, |
1295 | | gnutls_datum_t * signature) |
1296 | 0 | { |
1297 | 0 | int result, len; |
1298 | 0 | int bits; |
1299 | |
|
1300 | 0 | signature->data = NULL; |
1301 | 0 | signature->size = 0; |
1302 | | |
1303 | | /* Read the signature |
1304 | | */ |
1305 | 0 | len = 0; |
1306 | 0 | result = asn1_read_value(src, src_name, NULL, &len); |
1307 | |
|
1308 | 0 | if (result != ASN1_MEM_ERROR) { |
1309 | 0 | result = _gnutls_asn2err(result); |
1310 | 0 | gnutls_assert(); |
1311 | 0 | goto cleanup; |
1312 | 0 | } |
1313 | | |
1314 | 0 | bits = len; |
1315 | 0 | if (bits % 8 != 0 || bits < 8) { |
1316 | 0 | gnutls_assert(); |
1317 | 0 | result = GNUTLS_E_CERTIFICATE_ERROR; |
1318 | 0 | goto cleanup; |
1319 | 0 | } |
1320 | | |
1321 | 0 | len = bits / 8; |
1322 | |
|
1323 | 0 | signature->data = gnutls_malloc(len); |
1324 | 0 | if (signature->data == NULL) { |
1325 | 0 | gnutls_assert(); |
1326 | 0 | result = GNUTLS_E_MEMORY_ERROR; |
1327 | 0 | return result; |
1328 | 0 | } |
1329 | | |
1330 | | /* read the bit string of the signature |
1331 | | */ |
1332 | 0 | bits = len; |
1333 | 0 | result = asn1_read_value(src, src_name, signature->data, &bits); |
1334 | |
|
1335 | 0 | if (result != ASN1_SUCCESS) { |
1336 | 0 | result = _gnutls_asn2err(result); |
1337 | 0 | gnutls_assert(); |
1338 | 0 | goto cleanup; |
1339 | 0 | } |
1340 | | |
1341 | 0 | signature->size = len; |
1342 | |
|
1343 | 0 | return 0; |
1344 | | |
1345 | 0 | cleanup: |
1346 | 0 | gnutls_free(signature->data); |
1347 | 0 | return result; |
1348 | 0 | } |
1349 | | |
1350 | | /* ASN.1 PrintableString rules */ |
1351 | | static int is_printable(char p) |
1352 | 0 | { |
1353 | 0 | if ((p >= 'a' && p <= 'z') || (p >= 'A' && p <= 'Z') || |
1354 | 0 | (p >= '0' && p <= '9') || p == ' ' || p == '(' || p == ')' || |
1355 | 0 | p == '+' || p == ',' || p == '-' || p == '.' || p == '/' || |
1356 | 0 | p == ':' || p == '=' || p == '?') |
1357 | 0 | return 1; |
1358 | | |
1359 | 0 | return 0; |
1360 | 0 | } |
1361 | | |
1362 | | static int write_complex_string(asn1_node asn_struct, const char *where, |
1363 | | const struct oid_to_string *oentry, |
1364 | | const uint8_t * data, size_t data_size) |
1365 | 0 | { |
1366 | 0 | char tmp[128]; |
1367 | 0 | asn1_node c2; |
1368 | 0 | int result; |
1369 | 0 | const char *string_type; |
1370 | 0 | unsigned int i; |
1371 | |
|
1372 | 0 | result = asn1_create_element(_gnutls_get_pkix(), oentry->asn_desc, &c2); |
1373 | 0 | if (result != ASN1_SUCCESS) { |
1374 | 0 | gnutls_assert(); |
1375 | 0 | return _gnutls_asn2err(result); |
1376 | 0 | } |
1377 | | |
1378 | 0 | tmp[0] = 0; |
1379 | |
|
1380 | 0 | string_type = "printableString"; |
1381 | | |
1382 | | /* Check if the data is ASN.1 printable, and use |
1383 | | * the UTF8 string type if not. |
1384 | | */ |
1385 | 0 | for (i = 0; i < data_size; i++) { |
1386 | 0 | if (!is_printable(data[i])) { |
1387 | 0 | string_type = "utf8String"; |
1388 | 0 | break; |
1389 | 0 | } |
1390 | 0 | } |
1391 | | |
1392 | | /* if the type is a CHOICE then write the |
1393 | | * type we'll use. |
1394 | | */ |
1395 | 0 | result = asn1_write_value(c2, "", string_type, 1); |
1396 | 0 | if (result != ASN1_SUCCESS) { |
1397 | 0 | gnutls_assert(); |
1398 | 0 | result = _gnutls_asn2err(result); |
1399 | 0 | goto error; |
1400 | 0 | } |
1401 | | |
1402 | 0 | _gnutls_str_cpy(tmp, sizeof(tmp), string_type); |
1403 | |
|
1404 | 0 | result = asn1_write_value(c2, tmp, data, data_size); |
1405 | 0 | if (result != ASN1_SUCCESS) { |
1406 | 0 | gnutls_assert(); |
1407 | 0 | result = _gnutls_asn2err(result); |
1408 | 0 | goto error; |
1409 | 0 | } |
1410 | | |
1411 | 0 | result = _gnutls_x509_der_encode_and_copy(c2, "", asn_struct, where, 0); |
1412 | 0 | if (result < 0) { |
1413 | 0 | gnutls_assert(); |
1414 | 0 | goto error; |
1415 | 0 | } |
1416 | | |
1417 | 0 | result = 0; |
1418 | |
|
1419 | 0 | error: |
1420 | 0 | asn1_delete_structure(&c2); |
1421 | 0 | return result; |
1422 | 0 | } |
1423 | | |
1424 | | /* This will encode and write the AttributeTypeAndValue field. |
1425 | | * 'multi' must be (0) if writing an AttributeTypeAndValue, and 1 if Attribute. |
1426 | | * In all cases only one value is written. |
1427 | | */ |
1428 | | int |
1429 | | _gnutls_x509_encode_and_write_attribute(const char *given_oid, |
1430 | | asn1_node asn1_struct, |
1431 | | const char *where, |
1432 | | const void *_data, |
1433 | | int data_size, int multi) |
1434 | 0 | { |
1435 | 0 | const uint8_t *data = _data; |
1436 | 0 | char tmp[128]; |
1437 | 0 | int result; |
1438 | 0 | const struct oid_to_string *oentry; |
1439 | |
|
1440 | 0 | oentry = _gnutls_oid_get_entry(_oid2str, given_oid); |
1441 | 0 | if (oentry == NULL) { |
1442 | 0 | gnutls_assert(); |
1443 | 0 | _gnutls_debug_log("Cannot find OID: %s\n", given_oid); |
1444 | 0 | return GNUTLS_E_X509_UNSUPPORTED_OID; |
1445 | 0 | } |
1446 | | |
1447 | | /* write the data (value) |
1448 | | */ |
1449 | | |
1450 | 0 | _gnutls_str_cpy(tmp, sizeof(tmp), where); |
1451 | 0 | _gnutls_str_cat(tmp, sizeof(tmp), ".value"); |
1452 | |
|
1453 | 0 | if (multi != 0) { /* if not writing an AttributeTypeAndValue, but an Attribute */ |
1454 | 0 | _gnutls_str_cat(tmp, sizeof(tmp), "s"); /* values */ |
1455 | |
|
1456 | 0 | result = asn1_write_value(asn1_struct, tmp, "NEW", 1); |
1457 | 0 | if (result != ASN1_SUCCESS) { |
1458 | 0 | gnutls_assert(); |
1459 | 0 | result = _gnutls_asn2err(result); |
1460 | 0 | goto error; |
1461 | 0 | } |
1462 | | |
1463 | 0 | _gnutls_str_cat(tmp, sizeof(tmp), ".?LAST"); |
1464 | 0 | } |
1465 | | |
1466 | 0 | if (oentry->asn_desc != NULL) { /* write a complex string API */ |
1467 | 0 | result = |
1468 | 0 | write_complex_string(asn1_struct, tmp, oentry, data, |
1469 | 0 | data_size); |
1470 | 0 | if (result < 0) |
1471 | 0 | return gnutls_assert_val(result); |
1472 | 0 | } else { /* write a simple string */ |
1473 | |
|
1474 | 0 | gnutls_datum_t td; |
1475 | |
|
1476 | 0 | td.data = (void *)data; |
1477 | 0 | td.size = data_size; |
1478 | 0 | result = |
1479 | 0 | _gnutls_x509_write_string(asn1_struct, tmp, &td, |
1480 | 0 | oentry->etype); |
1481 | 0 | if (result < 0) { |
1482 | 0 | gnutls_assert(); |
1483 | 0 | goto error; |
1484 | 0 | } |
1485 | 0 | } |
1486 | | |
1487 | | /* write the type |
1488 | | */ |
1489 | 0 | _gnutls_str_cpy(tmp, sizeof(tmp), where); |
1490 | 0 | _gnutls_str_cat(tmp, sizeof(tmp), ".type"); |
1491 | |
|
1492 | 0 | result = asn1_write_value(asn1_struct, tmp, given_oid, 1); |
1493 | 0 | if (result != ASN1_SUCCESS) { |
1494 | 0 | gnutls_assert(); |
1495 | 0 | result = _gnutls_asn2err(result); |
1496 | 0 | goto error; |
1497 | 0 | } |
1498 | | |
1499 | 0 | result = 0; |
1500 | |
|
1501 | 0 | error: |
1502 | 0 | return result; |
1503 | 0 | } |
1504 | | |
1505 | | /* copies a datum to a buffer. If it doesn't fit it returns |
1506 | | * GNUTLS_E_SHORT_MEMORY_BUFFER. It always deinitializes the datum |
1507 | | * after the copy. |
1508 | | * |
1509 | | * The buffer will always be null terminated. |
1510 | | */ |
1511 | | int _gnutls_strdatum_to_buf(gnutls_datum_t * d, void *buf, size_t *buf_size) |
1512 | 0 | { |
1513 | 0 | int ret; |
1514 | 0 | uint8_t *_buf = buf; |
1515 | |
|
1516 | 0 | if (buf == NULL || *buf_size < d->size + 1) { |
1517 | 0 | *buf_size = d->size + 1; |
1518 | 0 | ret = gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER); |
1519 | 0 | goto cleanup; |
1520 | 0 | } |
1521 | 0 | memcpy(buf, d->data, d->size); |
1522 | 0 | _buf[d->size] = 0; |
1523 | |
|
1524 | 0 | *buf_size = d->size; |
1525 | 0 | ret = 0; |
1526 | |
|
1527 | 0 | cleanup: |
1528 | 0 | _gnutls_free_datum(d); |
1529 | |
|
1530 | 0 | return ret; |
1531 | 0 | } |
1532 | | |
1533 | | int |
1534 | | _gnutls_x509_get_raw_field2(asn1_node c2, const gnutls_datum_t * raw, |
1535 | | const char *whom, gnutls_datum_t * dn) |
1536 | 0 | { |
1537 | 0 | int result, len1; |
1538 | 0 | int start1, end1; |
1539 | 0 | result = |
1540 | 0 | asn1_der_decoding_startEnd(c2, raw->data, raw->size, |
1541 | 0 | whom, &start1, &end1); |
1542 | |
|
1543 | 0 | if (result != ASN1_SUCCESS) { |
1544 | 0 | gnutls_assert(); |
1545 | 0 | result = _gnutls_asn2err(result); |
1546 | 0 | goto cleanup; |
1547 | 0 | } |
1548 | | |
1549 | 0 | len1 = end1 - start1 + 1; |
1550 | |
|
1551 | 0 | dn->data = &raw->data[start1]; |
1552 | 0 | dn->size = len1; |
1553 | 0 | result = 0; |
1554 | |
|
1555 | 0 | cleanup: |
1556 | 0 | return result; |
1557 | 0 | } |
1558 | | |
1559 | | int _gnutls_copy_string(const gnutls_datum_t * str, uint8_t * out, |
1560 | | size_t *out_size) |
1561 | 0 | { |
1562 | 0 | unsigned size_to_check; |
1563 | |
|
1564 | 0 | size_to_check = str->size + 1; |
1565 | |
|
1566 | 0 | if ((unsigned)size_to_check > *out_size) { |
1567 | 0 | gnutls_assert(); |
1568 | 0 | (*out_size) = size_to_check; |
1569 | 0 | return GNUTLS_E_SHORT_MEMORY_BUFFER; |
1570 | 0 | } |
1571 | | |
1572 | 0 | if (out != NULL && str->data != NULL) { |
1573 | 0 | memcpy(out, str->data, str->size); |
1574 | 0 | out[str->size] = 0; |
1575 | 0 | } else if (out != NULL) { |
1576 | 0 | out[0] = 0; |
1577 | 0 | } |
1578 | 0 | *out_size = str->size; |
1579 | |
|
1580 | 0 | return 0; |
1581 | 0 | } |
1582 | | |
1583 | | int _gnutls_copy_data(const gnutls_datum_t * str, uint8_t * out, |
1584 | | size_t *out_size) |
1585 | 0 | { |
1586 | 0 | if ((unsigned)str->size > *out_size) { |
1587 | 0 | gnutls_assert(); |
1588 | 0 | (*out_size) = str->size; |
1589 | 0 | return GNUTLS_E_SHORT_MEMORY_BUFFER; |
1590 | 0 | } |
1591 | | |
1592 | 0 | if (out != NULL && str->data != NULL) { |
1593 | 0 | memcpy(out, str->data, str->size); |
1594 | 0 | } |
1595 | 0 | *out_size = str->size; |
1596 | |
|
1597 | 0 | return 0; |
1598 | 0 | } |
1599 | | |
1600 | | /* Converts an X.509 certificate to subjectPublicKeyInfo */ |
1601 | | int x509_crt_to_raw_pubkey(gnutls_x509_crt_t crt, gnutls_datum_t * rpubkey) |
1602 | 0 | { |
1603 | 0 | gnutls_pubkey_t pubkey = NULL; |
1604 | 0 | int ret; |
1605 | |
|
1606 | 0 | ret = gnutls_pubkey_init(&pubkey); |
1607 | 0 | if (ret < 0) |
1608 | 0 | return gnutls_assert_val(ret); |
1609 | | |
1610 | 0 | ret = gnutls_pubkey_import_x509(pubkey, crt, 0); |
1611 | 0 | if (ret < 0) { |
1612 | 0 | gnutls_assert(); |
1613 | 0 | goto cleanup; |
1614 | 0 | } |
1615 | | |
1616 | 0 | ret = gnutls_pubkey_export2(pubkey, GNUTLS_X509_FMT_DER, rpubkey); |
1617 | 0 | if (ret < 0) { |
1618 | 0 | gnutls_assert(); |
1619 | 0 | goto cleanup; |
1620 | 0 | } |
1621 | | |
1622 | 0 | ret = 0; |
1623 | |
|
1624 | 0 | cleanup: |
1625 | 0 | gnutls_pubkey_deinit(pubkey); |
1626 | 0 | return ret; |
1627 | 0 | } |
1628 | | |
1629 | | /* Converts an X.509 certificate to subjectPublicKeyInfo */ |
1630 | | int _gnutls_x509_raw_crt_to_raw_pubkey(const gnutls_datum_t * cert, |
1631 | | gnutls_datum_t * rpubkey) |
1632 | 0 | { |
1633 | 0 | gnutls_x509_crt_t crt = NULL; |
1634 | 0 | int ret; |
1635 | |
|
1636 | 0 | ret = gnutls_x509_crt_init(&crt); |
1637 | 0 | if (ret < 0) |
1638 | 0 | return gnutls_assert_val(ret); |
1639 | | |
1640 | 0 | ret = gnutls_x509_crt_import(crt, cert, GNUTLS_X509_FMT_DER); |
1641 | 0 | if (ret < 0) { |
1642 | 0 | gnutls_assert(); |
1643 | 0 | goto cleanup; |
1644 | 0 | } |
1645 | | |
1646 | 0 | ret = x509_crt_to_raw_pubkey(crt, rpubkey); |
1647 | 0 | cleanup: |
1648 | 0 | gnutls_x509_crt_deinit(crt); |
1649 | |
|
1650 | 0 | return ret; |
1651 | 0 | } |
1652 | | |
1653 | | unsigned |
1654 | | _gnutls_check_valid_key_id(const gnutls_datum_t * key_id, |
1655 | | gnutls_x509_crt_t cert, time_t now, |
1656 | | unsigned *has_ski) |
1657 | 0 | { |
1658 | 0 | uint8_t id[MAX_KEY_ID_SIZE]; |
1659 | 0 | size_t id_size; |
1660 | 0 | unsigned result = 0; |
1661 | |
|
1662 | 0 | if (has_ski) |
1663 | 0 | *has_ski = 0; |
1664 | |
|
1665 | 0 | if (now > gnutls_x509_crt_get_expiration_time(cert) || |
1666 | 0 | now < gnutls_x509_crt_get_activation_time(cert)) { |
1667 | | /* don't bother, certificate is not yet activated or expired */ |
1668 | 0 | gnutls_assert(); |
1669 | 0 | goto out; |
1670 | 0 | } |
1671 | | |
1672 | 0 | id_size = sizeof(id); |
1673 | 0 | if (gnutls_x509_crt_get_subject_key_id(cert, id, &id_size, NULL) < 0) { |
1674 | 0 | gnutls_assert(); |
1675 | 0 | goto out; |
1676 | 0 | } |
1677 | | |
1678 | 0 | if (has_ski) |
1679 | 0 | *has_ski = 1; |
1680 | |
|
1681 | 0 | if (id_size == key_id->size && !memcmp(id, key_id->data, id_size)) |
1682 | 0 | result = 1; |
1683 | |
|
1684 | 0 | out: |
1685 | 0 | return result; |
1686 | 0 | } |
1687 | | |
1688 | | /* Sort a certificate list in place with subject, issuer order. @clist_size must |
1689 | | * be equal to or less than %DEFAULT_MAX_VERIFY_DEPTH. |
1690 | | * |
1691 | | * Returns the index in clist where the initial contiguous segment ends. If the |
1692 | | * chain contains multiple segments separated by gaps (e.g., missing issuers), |
1693 | | * the caller shall call this function multiple times. |
1694 | | * |
1695 | | * For example, suppose we want the following certificate chain as a result of |
1696 | | * sorting: |
1697 | | * |
1698 | | * A -> (B) -> C -> D -> E -> (F) -> G -> H -> I |
1699 | | * |
1700 | | * from the input [A, C, E, D, G, I, H] (B and F are missing). |
1701 | | * |
1702 | | * On the first call of this function: |
1703 | | * |
1704 | | * _gnutls_sort_clist(clist, clist_size) |
1705 | | * |
1706 | | * it returns 1, meaning that the first segment only contains A. The content of |
1707 | | * @clist will remain the same [A, C, E, D, G, I, H]. |
1708 | | * |
1709 | | * Then the caller will call this function again, starting from the second |
1710 | | * element: |
1711 | | * |
1712 | | * _gnutls_sort_clist(&clist[1], clist_size - 1) |
1713 | | * |
1714 | | * This time it returns 3, meaning that the first segment contains [C, D, E]. |
1715 | | * The content of @clist will be [A, C, D, E, G, I, H]. |
1716 | | * |
1717 | | * Finally, after calling the function on the remaining elements: |
1718 | | * |
1719 | | * _gnutls_sort_clist(&clist[1 + 3], clist_size - (1 + 3)) |
1720 | | * |
1721 | | * It will return 3, meaning that the first segment contains [G, H, I]. At this |
1722 | | * point, sorting of @clist is complete. |
1723 | | */ |
1724 | | unsigned int _gnutls_sort_clist(gnutls_x509_crt_t * clist, |
1725 | | unsigned int clist_size) |
1726 | 0 | { |
1727 | 0 | int prev; |
1728 | 0 | unsigned int i, j, k; |
1729 | 0 | int issuer[DEFAULT_MAX_VERIFY_DEPTH]; /* contain the index of the issuers */ |
1730 | 0 | bool insorted[DEFAULT_MAX_VERIFY_DEPTH]; /* non zero if clist[i] used in sorted list */ |
1731 | 0 | gnutls_x509_crt_t sorted[DEFAULT_MAX_VERIFY_DEPTH]; |
1732 | |
|
1733 | 0 | assert(clist_size <= DEFAULT_MAX_VERIFY_DEPTH); |
1734 | | |
1735 | 0 | for (i = 0; i < DEFAULT_MAX_VERIFY_DEPTH; i++) { |
1736 | 0 | issuer[i] = -1; |
1737 | 0 | insorted[i] = 0; |
1738 | 0 | } |
1739 | | |
1740 | | /* Find the issuer of each certificate and store it |
1741 | | * in issuer array. O(n^2) so consider that before |
1742 | | * increasing DEFAULT_MAX_VERIFY_DEPTH. |
1743 | | */ |
1744 | 0 | for (i = 0; i < clist_size; i++) { |
1745 | | /* Self-signed certificate found in the chain; skip it |
1746 | | * as it should only appear in the trusted set. |
1747 | | */ |
1748 | 0 | if (gnutls_x509_crt_check_issuer(clist[i], clist[i])) { |
1749 | 0 | _gnutls_cert_log("self-signed cert found", clist[i]); |
1750 | 0 | continue; |
1751 | 0 | } |
1752 | | |
1753 | 0 | for (j = 1; j < clist_size; j++) { |
1754 | 0 | if (i == j) |
1755 | 0 | continue; |
1756 | | |
1757 | 0 | if (gnutls_x509_crt_check_issuer(clist[i], clist[j])) { |
1758 | 0 | issuer[i] = j; |
1759 | 0 | break; |
1760 | 0 | } |
1761 | 0 | } |
1762 | 0 | } |
1763 | |
|
1764 | 0 | sorted[0] = clist[0]; |
1765 | 0 | insorted[0] = 1; |
1766 | |
|
1767 | 0 | prev = 0; |
1768 | 0 | for (i = 1; i < clist_size; i++) { |
1769 | 0 | prev = issuer[prev]; |
1770 | 0 | if (prev < 0) { /* no issuer */ |
1771 | 0 | break; |
1772 | 0 | } |
1773 | | |
1774 | 0 | sorted[i] = clist[prev]; |
1775 | 0 | insorted[prev] = 1; |
1776 | 0 | } |
1777 | | |
1778 | | /* append the remaining certs */ |
1779 | 0 | for (j = 1, k = i; j < clist_size; j++) { |
1780 | 0 | if (!insorted[j]) { |
1781 | 0 | sorted[k++] = clist[j]; |
1782 | 0 | } |
1783 | 0 | } |
1784 | | |
1785 | | /* write out the sorted list */ |
1786 | 0 | assert(k == clist_size); |
1787 | 0 | for (j = 0; j < clist_size; j++) { |
1788 | 0 | clist[j] = sorted[j]; |
1789 | 0 | } |
1790 | |
|
1791 | 0 | return i; |
1792 | 0 | } |
1793 | | |
1794 | | int _gnutls_check_if_sorted(gnutls_x509_crt_t * crt, int nr) |
1795 | 0 | { |
1796 | 0 | int i, ret; |
1797 | | |
1798 | | /* check if the X.509 list is ordered */ |
1799 | 0 | if (nr > 1) { |
1800 | 0 | for (i = 0; i < nr; i++) { |
1801 | 0 | if (i > 0) { |
1802 | 0 | if (!_gnutls_x509_compare_raw_dn |
1803 | 0 | (&crt[i]->raw_dn, |
1804 | 0 | &crt[i - 1]->raw_issuer_dn)) { |
1805 | 0 | ret = |
1806 | 0 | gnutls_assert_val |
1807 | 0 | (GNUTLS_E_CERTIFICATE_LIST_UNSORTED); |
1808 | 0 | goto cleanup; |
1809 | 0 | } |
1810 | 0 | } |
1811 | 0 | } |
1812 | 0 | } |
1813 | 0 | ret = 0; |
1814 | |
|
1815 | 0 | cleanup: |
1816 | 0 | return ret; |
1817 | 0 | } |
1818 | | |
1819 | | /** |
1820 | | * gnutls_gost_paramset_get_name: |
1821 | | * @param: is a GOST 28147 param set |
1822 | | * |
1823 | | * Convert a #gnutls_gost_paramset_t value to a string. |
1824 | | * |
1825 | | * Returns: a string that contains the name of the specified GOST param set, |
1826 | | * or %NULL. |
1827 | | * |
1828 | | * Since: 3.6.3 |
1829 | | **/ |
1830 | | const char *gnutls_gost_paramset_get_name(gnutls_gost_paramset_t param) |
1831 | 0 | { |
1832 | 0 | switch (param) { |
1833 | 0 | case GNUTLS_GOST_PARAMSET_TC26_Z: |
1834 | 0 | return "TC26-Z"; |
1835 | 0 | case GNUTLS_GOST_PARAMSET_CP_A: |
1836 | 0 | return "CryptoPro-A"; |
1837 | 0 | case GNUTLS_GOST_PARAMSET_CP_B: |
1838 | 0 | return "CryptoPro-B"; |
1839 | 0 | case GNUTLS_GOST_PARAMSET_CP_C: |
1840 | 0 | return "CryptoPro-C"; |
1841 | 0 | case GNUTLS_GOST_PARAMSET_CP_D: |
1842 | 0 | return "CryptoPro-D"; |
1843 | 0 | default: |
1844 | 0 | gnutls_assert(); |
1845 | 0 | return "Unknown"; |
1846 | 0 | } |
1847 | 0 | } |
1848 | | |
1849 | | /** |
1850 | | * gnutls_gost_paramset_get_oid: |
1851 | | * @param: is a GOST 28147 param set |
1852 | | * |
1853 | | * Convert a #gnutls_gost_paramset_t value to its object identifier. |
1854 | | * |
1855 | | * Returns: a string that contains the object identifier of the specified GOST |
1856 | | * param set, or %NULL. |
1857 | | * |
1858 | | * Since: 3.6.3 |
1859 | | **/ |
1860 | | const char *gnutls_gost_paramset_get_oid(gnutls_gost_paramset_t param) |
1861 | 0 | { |
1862 | 0 | switch (param) { |
1863 | 0 | case GNUTLS_GOST_PARAMSET_TC26_Z: |
1864 | 0 | return GOST28147_89_TC26Z_OID; |
1865 | 0 | case GNUTLS_GOST_PARAMSET_CP_A: |
1866 | 0 | return GOST28147_89_CPA_OID; |
1867 | 0 | case GNUTLS_GOST_PARAMSET_CP_B: |
1868 | 0 | return GOST28147_89_CPB_OID; |
1869 | 0 | case GNUTLS_GOST_PARAMSET_CP_C: |
1870 | 0 | return GOST28147_89_CPC_OID; |
1871 | 0 | case GNUTLS_GOST_PARAMSET_CP_D: |
1872 | 0 | return GOST28147_89_CPD_OID; |
1873 | 0 | default: |
1874 | 0 | gnutls_assert(); |
1875 | 0 | return NULL; |
1876 | 0 | } |
1877 | 0 | } |
1878 | | |
1879 | | /** |
1880 | | * gnutls_oid_to_gost_paramset: |
1881 | | * @oid: is an object identifier |
1882 | | * |
1883 | | * Converts a textual object identifier to a #gnutls_gost_paramset_t value. |
1884 | | * |
1885 | | * Returns: a #gnutls_gost_paramset_get_oid of the specified GOST 28147 |
1886 | | * param st, or %GNUTLS_GOST_PARAMSET_UNKNOWN on failure. |
1887 | | * |
1888 | | * Since: 3.6.3 |
1889 | | **/ |
1890 | | gnutls_gost_paramset_t gnutls_oid_to_gost_paramset(const char *oid) |
1891 | 0 | { |
1892 | 0 | if (!strcmp(oid, GOST28147_89_TC26Z_OID)) |
1893 | 0 | return GNUTLS_GOST_PARAMSET_TC26_Z; |
1894 | 0 | else if (!strcmp(oid, GOST28147_89_CPA_OID)) |
1895 | 0 | return GNUTLS_GOST_PARAMSET_CP_A; |
1896 | 0 | else if (!strcmp(oid, GOST28147_89_CPB_OID)) |
1897 | 0 | return GNUTLS_GOST_PARAMSET_CP_B; |
1898 | 0 | else if (!strcmp(oid, GOST28147_89_CPC_OID)) |
1899 | 0 | return GNUTLS_GOST_PARAMSET_CP_C; |
1900 | 0 | else if (!strcmp(oid, GOST28147_89_CPD_OID)) |
1901 | 0 | return GNUTLS_GOST_PARAMSET_CP_D; |
1902 | 0 | else |
1903 | 0 | return gnutls_assert_val(GNUTLS_GOST_PARAMSET_UNKNOWN); |
1904 | 0 | } |
1905 | | |
1906 | | int _gnutls_x509_get_version(asn1_node root, const char *name) |
1907 | 0 | { |
1908 | 0 | uint8_t version[8]; |
1909 | 0 | int len, result; |
1910 | |
|
1911 | 0 | len = sizeof(version); |
1912 | 0 | result = asn1_read_value(root, name, version, &len); |
1913 | 0 | if (result != ASN1_SUCCESS) { |
1914 | 0 | if (result == ASN1_ELEMENT_NOT_FOUND) |
1915 | 0 | return 1; /* the DEFAULT version */ |
1916 | 0 | gnutls_assert(); |
1917 | 0 | return _gnutls_asn2err(result); |
1918 | 0 | } |
1919 | | |
1920 | 0 | if (len != 1 || version[0] >= 0x80) |
1921 | 0 | return gnutls_assert_val(GNUTLS_E_ASN1_DER_ERROR); |
1922 | | |
1923 | 0 | return (int)version[0] + 1; |
1924 | 0 | } |