/src/gnutls/lib/x509/extensions.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * Copyright (C) 2003-2014 Free Software Foundation, Inc. |
3 | | * |
4 | | * Author: Nikos Mavrogiannopoulos |
5 | | * |
6 | | * This file is part of GnuTLS. |
7 | | * |
8 | | * The GnuTLS is free software; you can redistribute it and/or |
9 | | * modify it under the terms of the GNU Lesser General Public License |
10 | | * as published by the Free Software Foundation; either version 2.1 of |
11 | | * the License, or (at your option) any later version. |
12 | | * |
13 | | * This library is distributed in the hope that it will be useful, but |
14 | | * WITHOUT ANY WARRANTY; without even the implied warranty of |
15 | | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
16 | | * Lesser General Public License for more details. |
17 | | * |
18 | | * You should have received a copy of the GNU Lesser General Public License |
19 | | * along with this program. If not, see <https://www.gnu.org/licenses/> |
20 | | * |
21 | | */ |
22 | | |
23 | | /* Functions that relate to the X.509 extension parsing. |
24 | | */ |
25 | | |
26 | | #include "gnutls_int.h" |
27 | | #include "errors.h" |
28 | | #include <global.h> |
29 | | #include <libtasn1.h> |
30 | | #include <common.h> |
31 | | #include <gnutls/x509-ext.h> |
32 | | #include <gnutls/x509.h> |
33 | | #include <x509_int.h> |
34 | | #include <datum.h> |
35 | | |
36 | | int |
37 | | _gnutls_get_extension(asn1_node asn, const char *root, |
38 | | const char *extension_id, int indx, |
39 | | gnutls_datum_t * ret, unsigned int *_critical) |
40 | 0 | { |
41 | 0 | int k, result, len; |
42 | 0 | char name[MAX_NAME_SIZE], name2[MAX_NAME_SIZE]; |
43 | 0 | char str_critical[10]; |
44 | 0 | int critical = 0; |
45 | 0 | char extnID[MAX_OID_SIZE]; |
46 | 0 | gnutls_datum_t value; |
47 | 0 | int indx_counter = 0; |
48 | |
|
49 | 0 | ret->data = NULL; |
50 | 0 | ret->size = 0; |
51 | |
|
52 | 0 | k = 0; |
53 | 0 | do { |
54 | 0 | k++; |
55 | |
|
56 | 0 | snprintf(name, sizeof(name), "%s.?%d", root, k); |
57 | |
|
58 | 0 | _gnutls_str_cpy(name2, sizeof(name2), name); |
59 | 0 | _gnutls_str_cat(name2, sizeof(name2), ".extnID"); |
60 | |
|
61 | 0 | len = sizeof(extnID) - 1; |
62 | 0 | result = asn1_read_value(asn, name2, extnID, &len); |
63 | |
|
64 | 0 | if (result == ASN1_ELEMENT_NOT_FOUND) { |
65 | 0 | break; |
66 | 0 | } else if (result != ASN1_SUCCESS) { |
67 | 0 | gnutls_assert(); |
68 | 0 | return _gnutls_asn2err(result); |
69 | 0 | } |
70 | | |
71 | | /* Handle Extension |
72 | | */ |
73 | 0 | if (strcmp(extnID, extension_id) == 0 && indx == indx_counter++) { |
74 | | /* extension was found |
75 | | */ |
76 | | |
77 | | /* read the critical status. |
78 | | */ |
79 | 0 | _gnutls_str_cpy(name2, sizeof(name2), name); |
80 | 0 | _gnutls_str_cat(name2, sizeof(name2), ".critical"); |
81 | |
|
82 | 0 | len = sizeof(str_critical); |
83 | 0 | result = |
84 | 0 | asn1_read_value(asn, name2, str_critical, &len); |
85 | |
|
86 | 0 | if (result == ASN1_ELEMENT_NOT_FOUND) { |
87 | 0 | gnutls_assert(); |
88 | 0 | break; |
89 | 0 | } else if (result != ASN1_SUCCESS) { |
90 | 0 | gnutls_assert(); |
91 | 0 | return _gnutls_asn2err(result); |
92 | 0 | } |
93 | | |
94 | 0 | if (str_critical[0] == 'T') |
95 | 0 | critical = 1; |
96 | 0 | else |
97 | 0 | critical = 0; |
98 | | |
99 | | /* read the value. |
100 | | */ |
101 | 0 | _gnutls_str_cpy(name2, sizeof(name2), name); |
102 | 0 | _gnutls_str_cat(name2, sizeof(name2), ".extnValue"); |
103 | |
|
104 | 0 | result = _gnutls_x509_read_value(asn, name2, &value); |
105 | 0 | if (result < 0) { |
106 | 0 | gnutls_assert(); |
107 | 0 | return result; |
108 | 0 | } |
109 | | |
110 | 0 | ret->data = value.data; |
111 | 0 | ret->size = value.size; |
112 | |
|
113 | 0 | if (_critical) |
114 | 0 | *_critical = critical; |
115 | |
|
116 | 0 | return 0; |
117 | 0 | } |
118 | 0 | } |
119 | 0 | while (1); |
120 | | |
121 | 0 | if (result == ASN1_ELEMENT_NOT_FOUND) { |
122 | 0 | return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; |
123 | 0 | } else { |
124 | 0 | gnutls_assert(); |
125 | 0 | return _gnutls_asn2err(result); |
126 | 0 | } |
127 | 0 | } |
128 | | |
129 | | static int |
130 | | get_indx_extension(asn1_node asn, const char *root, |
131 | | int indx, gnutls_datum_t * out) |
132 | 0 | { |
133 | 0 | char name[MAX_NAME_SIZE]; |
134 | 0 | int ret; |
135 | |
|
136 | 0 | out->data = NULL; |
137 | 0 | out->size = 0; |
138 | |
|
139 | 0 | snprintf(name, sizeof(name), "%s.?%d.extnValue", root, indx + 1); |
140 | |
|
141 | 0 | ret = _gnutls_x509_read_value(asn, name, out); |
142 | 0 | if (ret < 0) |
143 | 0 | return gnutls_assert_val(ret); |
144 | | |
145 | 0 | return 0; |
146 | 0 | } |
147 | | |
148 | | int |
149 | | _gnutls_x509_crt_get_extension(gnutls_x509_crt_t cert, |
150 | | const char *extension_id, int indx, |
151 | | gnutls_datum_t * data, unsigned int *critical) |
152 | 0 | { |
153 | 0 | return _gnutls_get_extension(cert->cert, "tbsCertificate.extensions", |
154 | 0 | extension_id, indx, data, critical); |
155 | 0 | } |
156 | | |
157 | | /** |
158 | | * gnutls_x509_crt_get_extension_data2: |
159 | | * @cert: should contain a #gnutls_x509_crt_t type |
160 | | * @indx: Specifies which extension OID to read. Use (0) to get the first one. |
161 | | * @data: will contain the extension DER-encoded data |
162 | | * |
163 | | * This function will return the requested by the index extension data in the |
164 | | * certificate. The extension data will be allocated using |
165 | | * gnutls_malloc(). |
166 | | * |
167 | | * Use gnutls_x509_crt_get_extension_info() to extract the OID. |
168 | | * |
169 | | * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, |
170 | | * otherwise a negative error code is returned. If you have reached the |
171 | | * last extension available %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE |
172 | | * will be returned. |
173 | | **/ |
174 | | int |
175 | | gnutls_x509_crt_get_extension_data2(gnutls_x509_crt_t cert, |
176 | | unsigned indx, gnutls_datum_t * data) |
177 | 0 | { |
178 | 0 | return get_indx_extension(cert->cert, "tbsCertificate.extensions", |
179 | 0 | indx, data); |
180 | 0 | } |
181 | | |
182 | | int |
183 | | _gnutls_x509_crl_get_extension(gnutls_x509_crl_t crl, |
184 | | const char *extension_id, int indx, |
185 | | gnutls_datum_t * data, unsigned int *critical) |
186 | 0 | { |
187 | 0 | return _gnutls_get_extension(crl->crl, "tbsCertList.crlExtensions", |
188 | 0 | extension_id, indx, data, critical); |
189 | 0 | } |
190 | | |
191 | | /** |
192 | | * gnutls_x509_crl_get_extension_data2: |
193 | | * @crl: should contain a #gnutls_x509_crl_t type |
194 | | * @indx: Specifies which extension OID to read. Use (0) to get the first one. |
195 | | * @data: will contain the extension DER-encoded data |
196 | | * |
197 | | * This function will return the requested by the index extension data in the |
198 | | * certificate revocation list. The extension data will be allocated using |
199 | | * gnutls_malloc(). |
200 | | * |
201 | | * Use gnutls_x509_crt_get_extension_info() to extract the OID. |
202 | | * |
203 | | * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, |
204 | | * otherwise a negative error code is returned. If you have reached the |
205 | | * last extension available %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE |
206 | | * will be returned. |
207 | | **/ |
208 | | int |
209 | | gnutls_x509_crl_get_extension_data2(gnutls_x509_crl_t crl, |
210 | | unsigned indx, gnutls_datum_t * data) |
211 | 0 | { |
212 | 0 | return get_indx_extension(crl->crl, "tbsCertList.crlExtensions", |
213 | 0 | indx, data); |
214 | 0 | } |
215 | | |
216 | | /* This function will attempt to return the requested extension OID found in |
217 | | * the given X509v3 certificate. |
218 | | * |
219 | | * If you have passed the last extension, GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will |
220 | | * be returned. |
221 | | */ |
222 | | static int get_extension_oid(asn1_node asn, const char *root, |
223 | | unsigned indx, void *oid, size_t *sizeof_oid) |
224 | 0 | { |
225 | 0 | int k, result, len; |
226 | 0 | char name[MAX_NAME_SIZE], name2[MAX_NAME_SIZE]; |
227 | 0 | char extnID[MAX_OID_SIZE]; |
228 | 0 | unsigned indx_counter = 0; |
229 | |
|
230 | 0 | k = 0; |
231 | 0 | do { |
232 | 0 | k++; |
233 | |
|
234 | 0 | snprintf(name, sizeof(name), "%s.?%d", root, k); |
235 | |
|
236 | 0 | _gnutls_str_cpy(name2, sizeof(name2), name); |
237 | 0 | _gnutls_str_cat(name2, sizeof(name2), ".extnID"); |
238 | |
|
239 | 0 | len = sizeof(extnID) - 1; |
240 | 0 | result = asn1_read_value(asn, name2, extnID, &len); |
241 | |
|
242 | 0 | if (result == ASN1_ELEMENT_NOT_FOUND) { |
243 | 0 | gnutls_assert(); |
244 | 0 | break; |
245 | 0 | } else if (result != ASN1_SUCCESS) { |
246 | 0 | gnutls_assert(); |
247 | 0 | return _gnutls_asn2err(result); |
248 | 0 | } |
249 | | |
250 | | /* Handle Extension |
251 | | */ |
252 | 0 | if (indx == indx_counter++) { |
253 | 0 | len = strlen(extnID) + 1; |
254 | |
|
255 | 0 | if (*sizeof_oid < (unsigned)len) { |
256 | 0 | *sizeof_oid = len; |
257 | 0 | gnutls_assert(); |
258 | 0 | return GNUTLS_E_SHORT_MEMORY_BUFFER; |
259 | 0 | } |
260 | | |
261 | 0 | memcpy(oid, extnID, len); |
262 | 0 | *sizeof_oid = len - 1; |
263 | |
|
264 | 0 | return 0; |
265 | 0 | } |
266 | |
|
267 | 0 | } |
268 | 0 | while (1); |
269 | | |
270 | 0 | if (result == ASN1_ELEMENT_NOT_FOUND) { |
271 | 0 | return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; |
272 | 0 | } else { |
273 | 0 | gnutls_assert(); |
274 | 0 | return _gnutls_asn2err(result); |
275 | 0 | } |
276 | 0 | } |
277 | | |
278 | | /* This function will attempt to return the requested extension OID found in |
279 | | * the given X509v3 certificate. |
280 | | * |
281 | | * If you have passed the last extension, GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will |
282 | | * be returned. |
283 | | */ |
284 | | int |
285 | | _gnutls_x509_crt_get_extension_oid(gnutls_x509_crt_t cert, |
286 | | int indx, void *oid, size_t *sizeof_oid) |
287 | 0 | { |
288 | 0 | return get_extension_oid(cert->cert, "tbsCertificate.extensions", |
289 | 0 | indx, oid, sizeof_oid); |
290 | 0 | } |
291 | | |
292 | | int |
293 | | _gnutls_x509_crl_get_extension_oid(gnutls_x509_crl_t crl, |
294 | | int indx, void *oid, size_t *sizeof_oid) |
295 | 0 | { |
296 | 0 | return get_extension_oid(crl->crl, "tbsCertList.crlExtensions", |
297 | 0 | indx, oid, sizeof_oid); |
298 | 0 | } |
299 | | |
300 | | /* This function will attempt to set the requested extension in |
301 | | * the given X509v3 certificate. |
302 | | * |
303 | | * Critical will be either 0 or 1. |
304 | | */ |
305 | | static int |
306 | | add_extension(asn1_node asn, const char *root, const char *extension_id, |
307 | | const gnutls_datum_t * ext_data, unsigned int critical) |
308 | 0 | { |
309 | 0 | int result; |
310 | 0 | const char *str; |
311 | 0 | char name[MAX_NAME_SIZE]; |
312 | |
|
313 | 0 | snprintf(name, sizeof(name), "%s", root); |
314 | | |
315 | | /* Add a new extension in the list. |
316 | | */ |
317 | 0 | result = asn1_write_value(asn, name, "NEW", 1); |
318 | 0 | if (result != ASN1_SUCCESS) { |
319 | 0 | gnutls_assert(); |
320 | 0 | return _gnutls_asn2err(result); |
321 | 0 | } |
322 | | |
323 | 0 | if (root[0] != 0) |
324 | 0 | snprintf(name, sizeof(name), "%s.?LAST.extnID", root); |
325 | 0 | else |
326 | 0 | snprintf(name, sizeof(name), "?LAST.extnID"); |
327 | |
|
328 | 0 | result = asn1_write_value(asn, name, extension_id, 1); |
329 | 0 | if (result != ASN1_SUCCESS) { |
330 | 0 | gnutls_assert(); |
331 | 0 | return _gnutls_asn2err(result); |
332 | 0 | } |
333 | | |
334 | 0 | if (critical == 0) |
335 | 0 | str = "FALSE"; |
336 | 0 | else |
337 | 0 | str = "TRUE"; |
338 | |
|
339 | 0 | if (root[0] != 0) |
340 | 0 | snprintf(name, sizeof(name), "%s.?LAST.critical", root); |
341 | 0 | else |
342 | 0 | snprintf(name, sizeof(name), "?LAST.critical"); |
343 | |
|
344 | 0 | result = asn1_write_value(asn, name, str, 1); |
345 | 0 | if (result != ASN1_SUCCESS) { |
346 | 0 | gnutls_assert(); |
347 | 0 | return _gnutls_asn2err(result); |
348 | 0 | } |
349 | | |
350 | 0 | if (root[0] != 0) |
351 | 0 | snprintf(name, sizeof(name), "%s.?LAST.extnValue", root); |
352 | 0 | else |
353 | 0 | snprintf(name, sizeof(name), "?LAST.extnValue"); |
354 | |
|
355 | 0 | result = _gnutls_x509_write_value(asn, name, ext_data); |
356 | 0 | if (result < 0) { |
357 | 0 | gnutls_assert(); |
358 | 0 | return result; |
359 | 0 | } |
360 | | |
361 | 0 | return 0; |
362 | 0 | } |
363 | | |
364 | | /* Overwrite the given extension (using the index) |
365 | | * index here starts from one. |
366 | | */ |
367 | | static int |
368 | | overwrite_extension(asn1_node asn, const char *root, unsigned int indx, |
369 | | const gnutls_datum_t * ext_data, unsigned int critical) |
370 | 0 | { |
371 | 0 | char name[MAX_NAME_SIZE], name2[MAX_NAME_SIZE]; |
372 | 0 | const char *str; |
373 | 0 | int result; |
374 | |
|
375 | 0 | if (root[0] != 0) |
376 | 0 | snprintf(name, sizeof(name), "%s.?%u", root, indx); |
377 | 0 | else |
378 | 0 | snprintf(name, sizeof(name), "?%u", indx); |
379 | |
|
380 | 0 | if (critical == 0) |
381 | 0 | str = "FALSE"; |
382 | 0 | else |
383 | 0 | str = "TRUE"; |
384 | |
|
385 | 0 | _gnutls_str_cpy(name2, sizeof(name2), name); |
386 | 0 | _gnutls_str_cat(name2, sizeof(name2), ".critical"); |
387 | |
|
388 | 0 | result = asn1_write_value(asn, name2, str, 1); |
389 | 0 | if (result != ASN1_SUCCESS) { |
390 | 0 | gnutls_assert(); |
391 | 0 | return _gnutls_asn2err(result); |
392 | 0 | } |
393 | | |
394 | 0 | _gnutls_str_cpy(name2, sizeof(name2), name); |
395 | 0 | _gnutls_str_cat(name2, sizeof(name2), ".extnValue"); |
396 | |
|
397 | 0 | result = _gnutls_x509_write_value(asn, name2, ext_data); |
398 | 0 | if (result < 0) { |
399 | 0 | gnutls_assert(); |
400 | 0 | return result; |
401 | 0 | } |
402 | | |
403 | 0 | return 0; |
404 | 0 | } |
405 | | |
406 | | int |
407 | | _gnutls_set_extension(asn1_node asn, const char *root, |
408 | | const char *ext_id, |
409 | | const gnutls_datum_t * ext_data, unsigned int critical) |
410 | 0 | { |
411 | 0 | int result = 0; |
412 | 0 | int k, len; |
413 | 0 | char name[MAX_NAME_SIZE], name2[MAX_NAME_SIZE]; |
414 | 0 | char extnID[MAX_OID_SIZE]; |
415 | | |
416 | | /* Find the index of the given extension. |
417 | | */ |
418 | 0 | k = 0; |
419 | 0 | do { |
420 | 0 | k++; |
421 | |
|
422 | 0 | if (root[0] != 0) |
423 | 0 | snprintf(name, sizeof(name), "%s.?%d", root, k); |
424 | 0 | else |
425 | 0 | snprintf(name, sizeof(name), "?%d", k); |
426 | |
|
427 | 0 | len = sizeof(extnID) - 1; |
428 | 0 | result = asn1_read_value(asn, name, extnID, &len); |
429 | | |
430 | | /* move to next |
431 | | */ |
432 | |
|
433 | 0 | if (result == ASN1_ELEMENT_NOT_FOUND) { |
434 | 0 | break; |
435 | 0 | } |
436 | | |
437 | 0 | do { |
438 | |
|
439 | 0 | _gnutls_str_cpy(name2, sizeof(name2), name); |
440 | 0 | _gnutls_str_cat(name2, sizeof(name2), ".extnID"); |
441 | |
|
442 | 0 | len = sizeof(extnID) - 1; |
443 | 0 | result = asn1_read_value(asn, name2, extnID, &len); |
444 | |
|
445 | 0 | if (result == ASN1_ELEMENT_NOT_FOUND) { |
446 | 0 | gnutls_assert(); |
447 | 0 | break; |
448 | 0 | } else if (result != ASN1_SUCCESS) { |
449 | 0 | gnutls_assert(); |
450 | 0 | return _gnutls_asn2err(result); |
451 | 0 | } |
452 | | |
453 | | /* Handle Extension |
454 | | */ |
455 | 0 | if (strcmp(extnID, ext_id) == 0) { |
456 | | /* extension was found |
457 | | */ |
458 | 0 | return overwrite_extension(asn, root, k, |
459 | 0 | ext_data, critical); |
460 | 0 | } |
461 | |
|
462 | 0 | } |
463 | 0 | while (0); |
464 | 0 | } |
465 | 0 | while (1); |
466 | | |
467 | 0 | if (result == ASN1_ELEMENT_NOT_FOUND) { |
468 | 0 | return add_extension(asn, root, ext_id, ext_data, critical); |
469 | 0 | } else { |
470 | 0 | gnutls_assert(); |
471 | 0 | return _gnutls_asn2err(result); |
472 | 0 | } |
473 | | |
474 | 0 | return 0; |
475 | 0 | } |
476 | | |
477 | | /* This function will attempt to overwrite the requested extension with |
478 | | * the given one. |
479 | | * |
480 | | * Critical will be either 0 or 1. |
481 | | */ |
482 | | int |
483 | | _gnutls_x509_crt_set_extension(gnutls_x509_crt_t cert, |
484 | | const char *ext_id, |
485 | | const gnutls_datum_t * ext_data, |
486 | | unsigned int critical) |
487 | 0 | { |
488 | 0 | MODIFIED(cert); |
489 | 0 | cert->use_extensions = 1; |
490 | |
|
491 | 0 | return _gnutls_set_extension(cert->cert, "tbsCertificate.extensions", |
492 | 0 | ext_id, ext_data, critical); |
493 | 0 | } |
494 | | |
495 | | int |
496 | | _gnutls_x509_crl_set_extension(gnutls_x509_crl_t crl, |
497 | | const char *ext_id, |
498 | | const gnutls_datum_t * ext_data, |
499 | | unsigned int critical) |
500 | 0 | { |
501 | 0 | return _gnutls_set_extension(crl->crl, "tbsCertList.crlExtensions", |
502 | 0 | ext_id, ext_data, critical); |
503 | 0 | } |
504 | | |
505 | | int |
506 | | _gnutls_x509_crq_set_extension(gnutls_x509_crq_t crq, |
507 | | const char *ext_id, |
508 | | const gnutls_datum_t * ext_data, |
509 | | unsigned int critical) |
510 | 0 | { |
511 | 0 | unsigned char *extensions = NULL; |
512 | 0 | size_t extensions_size = 0; |
513 | 0 | gnutls_datum_t der; |
514 | 0 | asn1_node c2; |
515 | 0 | int result; |
516 | |
|
517 | 0 | result = |
518 | 0 | gnutls_x509_crq_get_attribute_by_oid(crq, |
519 | 0 | "1.2.840.113549.1.9.14", |
520 | 0 | 0, NULL, &extensions_size); |
521 | 0 | if (result == GNUTLS_E_SHORT_MEMORY_BUFFER) { |
522 | 0 | extensions = gnutls_malloc(extensions_size); |
523 | 0 | if (extensions == NULL) { |
524 | 0 | gnutls_assert(); |
525 | 0 | return GNUTLS_E_MEMORY_ERROR; |
526 | 0 | } |
527 | | |
528 | 0 | result = gnutls_x509_crq_get_attribute_by_oid(crq, |
529 | 0 | "1.2.840.113549.1.9.14", |
530 | 0 | 0, |
531 | 0 | extensions, |
532 | 0 | &extensions_size); |
533 | 0 | } |
534 | 0 | if (result < 0) { |
535 | 0 | if (result == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { |
536 | 0 | extensions_size = 0; |
537 | 0 | } else { |
538 | 0 | gnutls_assert(); |
539 | 0 | gnutls_free(extensions); |
540 | 0 | return result; |
541 | 0 | } |
542 | 0 | } |
543 | | |
544 | 0 | result = |
545 | 0 | asn1_create_element(_gnutls_get_pkix(), "PKIX1.Extensions", &c2); |
546 | 0 | if (result != ASN1_SUCCESS) { |
547 | 0 | gnutls_assert(); |
548 | 0 | gnutls_free(extensions); |
549 | 0 | return _gnutls_asn2err(result); |
550 | 0 | } |
551 | | |
552 | 0 | if (extensions_size > 0) { |
553 | 0 | result = |
554 | 0 | _asn1_strict_der_decode(&c2, extensions, extensions_size, |
555 | 0 | NULL); |
556 | 0 | gnutls_free(extensions); |
557 | 0 | if (result != ASN1_SUCCESS) { |
558 | 0 | gnutls_assert(); |
559 | 0 | asn1_delete_structure(&c2); |
560 | 0 | return _gnutls_asn2err(result); |
561 | 0 | } |
562 | 0 | } |
563 | | |
564 | 0 | result = _gnutls_set_extension(c2, "", ext_id, ext_data, critical); |
565 | 0 | if (result < 0) { |
566 | 0 | gnutls_assert(); |
567 | 0 | asn1_delete_structure(&c2); |
568 | 0 | return result; |
569 | 0 | } |
570 | | |
571 | 0 | result = _gnutls_x509_der_encode(c2, "", &der, 0); |
572 | |
|
573 | 0 | asn1_delete_structure(&c2); |
574 | |
|
575 | 0 | if (result < 0) { |
576 | 0 | gnutls_assert(); |
577 | 0 | return result; |
578 | 0 | } |
579 | | |
580 | 0 | result = |
581 | 0 | gnutls_x509_crq_set_attribute_by_oid(crq, |
582 | 0 | "1.2.840.113549.1.9.14", |
583 | 0 | der.data, der.size); |
584 | 0 | gnutls_free(der.data); |
585 | 0 | if (result < 0) { |
586 | 0 | gnutls_assert(); |
587 | 0 | return result; |
588 | 0 | } |
589 | | |
590 | 0 | return 0; |
591 | 0 | } |
592 | | |
593 | | /* extract an INTEGER from the DER encoded extension |
594 | | */ |
595 | | int |
596 | | _gnutls_x509_ext_extract_number(uint8_t * number, |
597 | | size_t *_nr_size, |
598 | | uint8_t * extnValue, int extnValueLen) |
599 | 0 | { |
600 | 0 | asn1_node ext = NULL; |
601 | 0 | int result; |
602 | 0 | int nr_size = *_nr_size; |
603 | | |
604 | | /* here it doesn't matter so much that we use CertificateSerialNumber. It is equal |
605 | | * to using INTEGER. |
606 | | */ |
607 | 0 | if ((result = asn1_create_element |
608 | 0 | (_gnutls_get_pkix(), "PKIX1.CertificateSerialNumber", |
609 | 0 | &ext)) != ASN1_SUCCESS) { |
610 | 0 | gnutls_assert(); |
611 | 0 | return _gnutls_asn2err(result); |
612 | 0 | } |
613 | | |
614 | 0 | result = _asn1_strict_der_decode(&ext, extnValue, extnValueLen, NULL); |
615 | 0 | if (result != ASN1_SUCCESS) { |
616 | 0 | gnutls_assert(); |
617 | 0 | asn1_delete_structure(&ext); |
618 | 0 | return _gnutls_asn2err(result); |
619 | 0 | } |
620 | | |
621 | | /* the default value of cA is false. |
622 | | */ |
623 | 0 | result = asn1_read_value(ext, "", number, &nr_size); |
624 | 0 | if (result != ASN1_SUCCESS) |
625 | 0 | result = _gnutls_asn2err(result); |
626 | 0 | else |
627 | 0 | result = 0; |
628 | |
|
629 | 0 | *_nr_size = nr_size; |
630 | |
|
631 | 0 | asn1_delete_structure(&ext); |
632 | |
|
633 | 0 | return result; |
634 | 0 | } |
635 | | |
636 | | /* generate an INTEGER in a DER encoded extension |
637 | | */ |
638 | | int |
639 | | _gnutls_x509_ext_gen_number(const uint8_t * number, size_t nr_size, |
640 | | gnutls_datum_t * der_ext) |
641 | 0 | { |
642 | 0 | asn1_node ext = NULL; |
643 | 0 | int result; |
644 | |
|
645 | 0 | result = |
646 | 0 | asn1_create_element(_gnutls_get_pkix(), |
647 | 0 | "PKIX1.CertificateSerialNumber", &ext); |
648 | 0 | if (result != ASN1_SUCCESS) { |
649 | 0 | gnutls_assert(); |
650 | 0 | return _gnutls_asn2err(result); |
651 | 0 | } |
652 | | |
653 | 0 | result = asn1_write_value(ext, "", number, nr_size); |
654 | 0 | if (result != ASN1_SUCCESS) { |
655 | 0 | gnutls_assert(); |
656 | 0 | asn1_delete_structure(&ext); |
657 | 0 | return _gnutls_asn2err(result); |
658 | 0 | } |
659 | | |
660 | 0 | result = _gnutls_x509_der_encode(ext, "", der_ext, 0); |
661 | |
|
662 | 0 | asn1_delete_structure(&ext); |
663 | |
|
664 | 0 | if (result < 0) { |
665 | 0 | gnutls_assert(); |
666 | 0 | return result; |
667 | 0 | } |
668 | | |
669 | 0 | return 0; |
670 | 0 | } |
671 | | |
672 | | int |
673 | | _gnutls_write_general_name(asn1_node ext, const char *ext_name, |
674 | | gnutls_x509_subject_alt_name_t type, |
675 | | const void *data, unsigned int data_size) |
676 | 0 | { |
677 | 0 | const char *str; |
678 | 0 | int result; |
679 | 0 | char name[128]; |
680 | |
|
681 | 0 | if (data == NULL) { |
682 | 0 | if (data_size == 0) |
683 | 0 | data = (void *)""; |
684 | 0 | else |
685 | 0 | return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); |
686 | 0 | } |
687 | | |
688 | 0 | switch (type) { |
689 | 0 | case GNUTLS_SAN_DNSNAME: |
690 | 0 | str = "dNSName"; |
691 | 0 | break; |
692 | 0 | case GNUTLS_SAN_RFC822NAME: |
693 | 0 | str = "rfc822Name"; |
694 | 0 | break; |
695 | 0 | case GNUTLS_SAN_URI: |
696 | 0 | str = "uniformResourceIdentifier"; |
697 | 0 | break; |
698 | 0 | case GNUTLS_SAN_IPADDRESS: |
699 | 0 | str = "iPAddress"; |
700 | 0 | break; |
701 | 0 | case GNUTLS_SAN_REGISTERED_ID: |
702 | 0 | str = "registeredID"; |
703 | 0 | break; |
704 | 0 | default: |
705 | 0 | gnutls_assert(); |
706 | 0 | return GNUTLS_E_INTERNAL_ERROR; |
707 | 0 | } |
708 | | |
709 | 0 | result = asn1_write_value(ext, ext_name, str, 1); |
710 | 0 | if (result != ASN1_SUCCESS) { |
711 | 0 | gnutls_assert(); |
712 | 0 | return _gnutls_asn2err(result); |
713 | 0 | } |
714 | | |
715 | 0 | snprintf(name, sizeof(name), "%s.%s", ext_name, str); |
716 | |
|
717 | 0 | result = asn1_write_value(ext, name, data, data_size); |
718 | 0 | if (result != ASN1_SUCCESS) { |
719 | 0 | gnutls_assert(); |
720 | 0 | asn1_delete_structure(&ext); |
721 | 0 | return _gnutls_asn2err(result); |
722 | 0 | } |
723 | | |
724 | 0 | return 0; |
725 | 0 | } |
726 | | |
727 | | int |
728 | | _gnutls_write_new_general_name(asn1_node ext, const char *ext_name, |
729 | | gnutls_x509_subject_alt_name_t type, |
730 | | const void *data, unsigned int data_size) |
731 | 0 | { |
732 | 0 | int result; |
733 | 0 | char name[128]; |
734 | |
|
735 | 0 | result = asn1_write_value(ext, ext_name, "NEW", 1); |
736 | 0 | if (result != ASN1_SUCCESS) { |
737 | 0 | gnutls_assert(); |
738 | 0 | return _gnutls_asn2err(result); |
739 | 0 | } |
740 | | |
741 | 0 | if (ext_name[0] == 0) { /* no dot */ |
742 | 0 | _gnutls_str_cpy(name, sizeof(name), "?LAST"); |
743 | 0 | } else { |
744 | 0 | _gnutls_str_cpy(name, sizeof(name), ext_name); |
745 | 0 | _gnutls_str_cat(name, sizeof(name), ".?LAST"); |
746 | 0 | } |
747 | |
|
748 | 0 | result = _gnutls_write_general_name(ext, name, type, data, data_size); |
749 | 0 | if (result < 0) { |
750 | 0 | gnutls_assert(); |
751 | 0 | return result; |
752 | 0 | } |
753 | | |
754 | 0 | return 0; |
755 | 0 | } |
756 | | |
757 | | int |
758 | | _gnutls_write_new_othername(asn1_node ext, const char *ext_name, |
759 | | const char *oid, |
760 | | const void *data, unsigned int data_size) |
761 | 0 | { |
762 | 0 | int result; |
763 | 0 | char name[128]; |
764 | 0 | char name2[128]; |
765 | |
|
766 | 0 | result = asn1_write_value(ext, ext_name, "NEW", 1); |
767 | 0 | if (result != ASN1_SUCCESS) { |
768 | 0 | gnutls_assert(); |
769 | 0 | return _gnutls_asn2err(result); |
770 | 0 | } |
771 | | |
772 | 0 | if (ext_name[0] == 0) { /* no dot */ |
773 | 0 | _gnutls_str_cpy(name, sizeof(name), "?LAST"); |
774 | 0 | } else { |
775 | 0 | _gnutls_str_cpy(name, sizeof(name), ext_name); |
776 | 0 | _gnutls_str_cat(name, sizeof(name), ".?LAST"); |
777 | 0 | } |
778 | |
|
779 | 0 | result = asn1_write_value(ext, name, "otherName", 1); |
780 | 0 | if (result != ASN1_SUCCESS) { |
781 | 0 | gnutls_assert(); |
782 | 0 | return _gnutls_asn2err(result); |
783 | 0 | } |
784 | | |
785 | 0 | snprintf(name2, sizeof(name2), "%s.otherName.type-id", name); |
786 | |
|
787 | 0 | result = asn1_write_value(ext, name2, oid, 1); |
788 | 0 | if (result != ASN1_SUCCESS) { |
789 | 0 | gnutls_assert(); |
790 | 0 | asn1_delete_structure(&ext); |
791 | 0 | return _gnutls_asn2err(result); |
792 | 0 | } |
793 | | |
794 | 0 | snprintf(name2, sizeof(name2), "%s.otherName.value", name); |
795 | |
|
796 | 0 | result = asn1_write_value(ext, name2, data, data_size); |
797 | 0 | if (result != ASN1_SUCCESS) { |
798 | 0 | gnutls_assert(); |
799 | 0 | asn1_delete_structure(&ext); |
800 | 0 | return _gnutls_asn2err(result); |
801 | 0 | } |
802 | | |
803 | 0 | return 0; |
804 | 0 | } |
805 | | |
806 | | /* Convert the given name to GeneralNames in a DER encoded extension. |
807 | | * This is the same as subject alternative name. |
808 | | */ |
809 | | int |
810 | | _gnutls_x509_ext_gen_subject_alt_name(gnutls_x509_subject_alt_name_t |
811 | | type, |
812 | | const char *othername_oid, |
813 | | const void *data, |
814 | | unsigned int data_size, |
815 | | const gnutls_datum_t * prev_der_ext, |
816 | | gnutls_datum_t * der_ext) |
817 | 0 | { |
818 | 0 | int ret; |
819 | 0 | gnutls_subject_alt_names_t sans = NULL; |
820 | 0 | gnutls_datum_t name; |
821 | |
|
822 | 0 | ret = gnutls_subject_alt_names_init(&sans); |
823 | 0 | if (ret < 0) { |
824 | 0 | gnutls_assert(); |
825 | 0 | return ret; |
826 | 0 | } |
827 | | |
828 | 0 | if (prev_der_ext && prev_der_ext->data != NULL && |
829 | 0 | prev_der_ext->size != 0) { |
830 | |
|
831 | 0 | ret = |
832 | 0 | gnutls_x509_ext_import_subject_alt_names(prev_der_ext, sans, |
833 | 0 | 0); |
834 | 0 | if (ret < 0) { |
835 | 0 | gnutls_assert(); |
836 | 0 | goto cleanup; |
837 | 0 | } |
838 | 0 | } |
839 | | |
840 | 0 | name.data = (void *)data; |
841 | 0 | name.size = data_size; |
842 | 0 | ret = gnutls_subject_alt_names_set(sans, type, &name, othername_oid); |
843 | 0 | if (ret < 0) { |
844 | 0 | gnutls_assert(); |
845 | 0 | goto cleanup; |
846 | 0 | } |
847 | | |
848 | 0 | ret = gnutls_x509_ext_export_subject_alt_names(sans, der_ext); |
849 | 0 | if (ret < 0) { |
850 | 0 | gnutls_assert(); |
851 | 0 | goto cleanup; |
852 | 0 | } |
853 | | |
854 | 0 | ret = 0; |
855 | 0 | cleanup: |
856 | 0 | if (sans != NULL) |
857 | 0 | gnutls_subject_alt_names_deinit(sans); |
858 | |
|
859 | 0 | return ret; |
860 | 0 | } |
861 | | |
862 | | /* generate the AuthorityKeyID in a DER encoded extension |
863 | | */ |
864 | | int |
865 | | _gnutls_x509_ext_gen_auth_key_id(const void *id, size_t id_size, |
866 | | gnutls_datum_t * der_ext) |
867 | 0 | { |
868 | 0 | gnutls_x509_aki_t aki; |
869 | 0 | int ret; |
870 | 0 | gnutls_datum_t l_id; |
871 | |
|
872 | 0 | ret = gnutls_x509_aki_init(&aki); |
873 | 0 | if (ret < 0) |
874 | 0 | return gnutls_assert_val(ret); |
875 | | |
876 | 0 | l_id.data = (void *)id; |
877 | 0 | l_id.size = id_size; |
878 | 0 | ret = gnutls_x509_aki_set_id(aki, &l_id); |
879 | 0 | if (ret < 0) { |
880 | 0 | gnutls_assert(); |
881 | 0 | goto cleanup; |
882 | 0 | } |
883 | | |
884 | 0 | ret = gnutls_x509_ext_export_authority_key_id(aki, der_ext); |
885 | 0 | if (ret < 0) { |
886 | 0 | gnutls_assert(); |
887 | 0 | goto cleanup; |
888 | 0 | } |
889 | | |
890 | 0 | ret = 0; |
891 | |
|
892 | 0 | cleanup: |
893 | 0 | gnutls_x509_aki_deinit(aki); |
894 | 0 | return ret; |
895 | 0 | } |