Coverage Report

Created: 2025-03-06 06:58

/src/gnutls/lib/x509/common.c
Line
Count
Source (jump to first uncovered line)
1
/*
2
 * Copyright (C) 2003-2014 Free Software Foundation, Inc.
3
 * Copyright (C) 2015-2016 Red Hat, Inc.
4
 *
5
 * Author: Nikos Mavrogiannopoulos
6
 *
7
 * This file is part of GnuTLS.
8
 *
9
 * The GnuTLS is free software; you can redistribute it and/or
10
 * modify it under the terms of the GNU Lesser General Public License
11
 * as published by the Free Software Foundation; either version 2.1 of
12
 * the License, or (at your option) any later version.
13
 *
14
 * This library is distributed in the hope that it will be useful, but
15
 * WITHOUT ANY WARRANTY; without even the implied warranty of
16
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
17
 * Lesser General Public License for more details.
18
 *
19
 * You should have received a copy of the GNU Lesser General Public License
20
 * along with this program.  If not, see <https://www.gnu.org/licenses/>
21
 *
22
 */
23
24
#include "gnutls_int.h"
25
#include <libtasn1.h>
26
#include "datum.h"
27
#include "global.h"
28
#include "errors.h"
29
#include "str.h"
30
#include "x509.h"
31
#include "num.h"
32
#include "x509_b64.h"
33
#include <c-strcase.h>
34
#include "x509_int.h"
35
#include "extras/hex.h"
36
#include "common.h"
37
38
static int data2hex(const void *data, size_t data_size, gnutls_datum_t *out);
39
40
#define ENTRY(oid, ldap, asn, etype) \
41
  { oid, sizeof(oid) - 1, ldap, sizeof(ldap) - 1, asn, etype }
42
43
/* when there is no name description */
44
#define ENTRY_ND(oid, asn, etype) { oid, sizeof(oid) - 1, NULL, 0, asn, etype }
45
46
/* This list contains all the OIDs that may be
47
 * contained in a rdnSequence and are printable.
48
 */
49
static const struct oid_to_string _oid2str[] = {
50
  /* PKIX
51
   */
52
  ENTRY("1.3.6.1.5.5.7.9.2", "placeOfBirth", "PKIX1.DirectoryString",
53
        ASN1_ETYPE_INVALID),
54
  ENTRY("1.3.6.1.5.5.7.9.3", "gender", NULL, ASN1_ETYPE_PRINTABLE_STRING),
55
  ENTRY("1.3.6.1.5.5.7.9.4", "countryOfCitizenship", NULL,
56
        ASN1_ETYPE_PRINTABLE_STRING),
57
  ENTRY("1.3.6.1.5.5.7.9.5", "countryOfResidence", NULL,
58
        ASN1_ETYPE_PRINTABLE_STRING),
59
60
  ENTRY("2.5.4.6", "C", NULL, ASN1_ETYPE_PRINTABLE_STRING),
61
  ENTRY("2.5.4.9", "street", "PKIX1.DirectoryString", ASN1_ETYPE_INVALID),
62
  ENTRY("2.5.4.12", "title", "PKIX1.DirectoryString", ASN1_ETYPE_INVALID),
63
  ENTRY("2.5.4.10", "O", "PKIX1.DirectoryString", ASN1_ETYPE_INVALID),
64
  ENTRY("2.5.4.11", "OU", "PKIX1.DirectoryString", ASN1_ETYPE_INVALID),
65
  ENTRY("2.5.4.3", "CN", "PKIX1.DirectoryString", ASN1_ETYPE_INVALID),
66
  ENTRY("2.5.4.7", "L", "PKIX1.DirectoryString", ASN1_ETYPE_INVALID),
67
  ENTRY("2.5.4.8", "ST", "PKIX1.DirectoryString", ASN1_ETYPE_INVALID),
68
  ENTRY("2.5.4.13", "description", "PKIX1.DirectoryString",
69
        ASN1_ETYPE_INVALID),
70
71
  ENTRY("2.5.4.5", "serialNumber", NULL, ASN1_ETYPE_PRINTABLE_STRING),
72
  ENTRY("2.5.4.20", "telephoneNumber", NULL, ASN1_ETYPE_PRINTABLE_STRING),
73
  ENTRY("2.5.4.4", "surName", "PKIX1.DirectoryString",
74
        ASN1_ETYPE_INVALID),
75
  ENTRY("2.5.4.43", "initials", "PKIX1.DirectoryString",
76
        ASN1_ETYPE_INVALID),
77
  ENTRY("2.5.4.44", "generationQualifier", "PKIX1.DirectoryString",
78
        ASN1_ETYPE_INVALID),
79
  ENTRY("2.5.4.42", "givenName", "PKIX1.DirectoryString",
80
        ASN1_ETYPE_INVALID),
81
  ENTRY("2.5.4.65", "pseudonym", "PKIX1.DirectoryString",
82
        ASN1_ETYPE_INVALID),
83
  ENTRY("2.5.4.46", "dnQualifier", NULL, ASN1_ETYPE_PRINTABLE_STRING),
84
  ENTRY("2.5.4.17", "postalCode", "PKIX1.DirectoryString",
85
        ASN1_ETYPE_INVALID),
86
  ENTRY("2.5.4.41", "name", "PKIX1.DirectoryString", ASN1_ETYPE_INVALID),
87
  ENTRY("2.5.4.15", "businessCategory", "PKIX1.DirectoryString",
88
        ASN1_ETYPE_INVALID),
89
90
  ENTRY("0.9.2342.19200300.100.1.25", "DC", NULL, ASN1_ETYPE_IA5_STRING),
91
  ENTRY("0.9.2342.19200300.100.1.1", "UID", "PKIX1.DirectoryString",
92
        ASN1_ETYPE_INVALID),
93
  ENTRY("1.2.840.113556.1.4.656", "userPrincipalName",
94
        "PKIX1.DirectoryString", ASN1_ETYPE_INVALID),
95
96
  /* Extended validation
97
   */
98
  ENTRY("1.3.6.1.4.1.311.60.2.1.1",
99
        "jurisdictionOfIncorporationLocalityName",
100
        "PKIX1.DirectoryString", ASN1_ETYPE_INVALID),
101
  ENTRY("1.3.6.1.4.1.311.60.2.1.2",
102
        "jurisdictionOfIncorporationStateOrProvinceName",
103
        "PKIX1.DirectoryString", ASN1_ETYPE_INVALID),
104
  ENTRY("1.3.6.1.4.1.311.60.2.1.3",
105
        "jurisdictionOfIncorporationCountryName", NULL,
106
        ASN1_ETYPE_PRINTABLE_STRING),
107
108
  /* PKCS #9
109
   */
110
  ENTRY("1.2.840.113549.1.9.1", "EMAIL", NULL, ASN1_ETYPE_IA5_STRING),
111
  ENTRY_ND("1.2.840.113549.1.9.7", "PKIX1.pkcs-9-challengePassword",
112
     ASN1_ETYPE_INVALID),
113
114
  /* friendly name */
115
  ENTRY_ND("1.2.840.113549.1.9.20", NULL, ASN1_ETYPE_BMP_STRING),
116
  /* local key id */
117
  ENTRY_ND("1.2.840.113549.1.9.21", NULL, ASN1_ETYPE_OCTET_STRING),
118
  ENTRY_ND("1.2.840.113549.1.9.4", NULL, ASN1_ETYPE_OCTET_STRING),
119
120
  /* rfc3920 section 5.1.1 */
121
  ENTRY("1.3.6.1.5.5.7.8.5", "XmppAddr", NULL, ASN1_ETYPE_UTF8_STRING),
122
123
  /* Russian things: https://cdnimg.rg.ru/pril/66/91/91/23041_pril.pdf */
124
  /* Main state registration number */
125
  ENTRY("1.2.643.100.1", "OGRN", NULL, ASN1_ETYPE_NUMERIC_STRING),
126
  /* Individual insurance account number */
127
  ENTRY("1.2.643.100.3", "SNILS", NULL, ASN1_ETYPE_NUMERIC_STRING),
128
  /* Main state registration number for individual enterpreneurs */
129
  ENTRY("1.2.643.100.5", "OGRNIP", NULL, ASN1_ETYPE_NUMERIC_STRING),
130
  /* VAT identification number */
131
  ENTRY("1.2.643.3.131.1.1", "INN", NULL, ASN1_ETYPE_NUMERIC_STRING),
132
133
  { NULL, 0, NULL, 0, NULL, 0 }
134
};
135
136
const struct oid_to_string *
137
_gnutls_oid_get_entry(const struct oid_to_string *ots, const char *oid)
138
0
{
139
0
  unsigned int i = 0;
140
0
  unsigned len = strlen(oid);
141
142
0
  do {
143
0
    if (len == ots[i].oid_size && strcmp(ots[i].oid, oid) == 0)
144
0
      return &ots[i];
145
0
    i++;
146
0
  } while (ots[i].oid != NULL);
147
148
0
  return NULL;
149
0
}
150
151
const char *_gnutls_oid_get_asn_desc(const char *oid)
152
0
{
153
0
  const struct oid_to_string *entry =
154
0
    _gnutls_oid_get_entry(_oid2str, oid);
155
0
  return entry ? entry->asn_desc : NULL;
156
0
}
157
158
const char *_gnutls_ldap_string_to_oid(const char *str, unsigned str_len)
159
0
{
160
0
  unsigned int i = 0;
161
162
0
  do {
163
0
    if ((_oid2str[i].name_desc != NULL) &&
164
0
        (str_len == _oid2str[i].name_desc_size) &&
165
0
        (c_strncasecmp(_oid2str[i].name_desc, str, str_len) == 0))
166
0
      return _oid2str[i].oid;
167
0
    i++;
168
0
  } while (_oid2str[i].oid != NULL);
169
170
0
  return NULL;
171
0
}
172
173
/* Escapes a string following the rules from RFC4514.
174
 */
175
static int str_escape(const gnutls_datum_t *str, gnutls_datum_t *escaped)
176
0
{
177
0
  unsigned int j, i;
178
0
  uint8_t *buffer = NULL;
179
0
  int ret;
180
181
0
  if (str == NULL)
182
0
    return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
183
184
  /* the string will be at most twice the original */
185
0
  buffer = gnutls_malloc(str->size * 2 + 2);
186
0
  if (buffer == NULL)
187
0
    return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
188
189
0
  for (i = j = 0; i < str->size; i++) {
190
0
    if (str->data[i] == 0) {
191
      /* this is handled earlier */
192
0
      ret = gnutls_assert_val(GNUTLS_E_ASN1_DER_ERROR);
193
0
      goto cleanup;
194
0
    }
195
196
0
    if (str->data[i] == ',' || str->data[i] == '+' ||
197
0
        str->data[i] == '"' || str->data[i] == '\\' ||
198
0
        str->data[i] == '<' || str->data[i] == '>' ||
199
0
        str->data[i] == ';' || str->data[i] == 0)
200
0
      buffer[j++] = '\\';
201
0
    else if (i == 0 && str->data[i] == '#')
202
0
      buffer[j++] = '\\';
203
0
    else if (i == 0 && str->data[i] == ' ')
204
0
      buffer[j++] = '\\';
205
0
    else if (i == (str->size - 1) && str->data[i] == ' ')
206
0
      buffer[j++] = '\\';
207
208
0
    buffer[j++] = str->data[i];
209
0
  }
210
211
  /* null terminate the string */
212
0
  buffer[j] = 0;
213
0
  escaped->data = buffer;
214
0
  escaped->size = j;
215
216
0
  return 0;
217
0
cleanup:
218
0
  gnutls_free(buffer);
219
0
  return ret;
220
0
}
221
222
/**
223
 * gnutls_x509_dn_oid_known:
224
 * @oid: holds an Object Identifier in a null terminated string
225
 *
226
 * This function will inform about known DN OIDs. This is useful since
227
 * functions like gnutls_x509_crt_set_dn_by_oid() use the information
228
 * on known OIDs to properly encode their input. Object Identifiers
229
 * that are not known are not encoded by these functions, and their
230
 * input is stored directly into the ASN.1 structure. In that case of
231
 * unknown OIDs, you have the responsibility of DER encoding your
232
 * data.
233
 *
234
 * Returns: 1 on known OIDs and 0 otherwise.
235
 **/
236
int gnutls_x509_dn_oid_known(const char *oid)
237
0
{
238
0
  return _gnutls_oid_get_entry(_oid2str, oid) != NULL;
239
0
}
240
241
/**
242
 * gnutls_x509_dn_oid_name:
243
 * @oid: holds an Object Identifier in a null terminated string
244
 * @flags: 0 or GNUTLS_X509_DN_OID_*
245
 *
246
 * This function will return the name of a known DN OID. If
247
 * %GNUTLS_X509_DN_OID_RETURN_OID is specified this function
248
 * will return the given OID if no descriptive name has been
249
 * found.
250
 *
251
 * Returns: A null terminated string or NULL otherwise.
252
 *
253
 * Since: 3.0
254
 **/
255
const char *gnutls_x509_dn_oid_name(const char *oid, unsigned int flags)
256
0
{
257
0
  const struct oid_to_string *entry =
258
0
    _gnutls_oid_get_entry(_oid2str, oid);
259
260
0
  if (entry && entry->name_desc)
261
0
    return entry->name_desc;
262
0
  if (flags & GNUTLS_X509_DN_OID_RETURN_OID)
263
0
    return oid;
264
0
  else
265
0
    return NULL;
266
0
}
267
268
static int make_printable_string(unsigned etype, const gnutls_datum_t *input,
269
         gnutls_datum_t *out)
270
0
{
271
0
  int printable = 0;
272
0
  int ret;
273
274
  /* empty input strings result to a null string */
275
0
  if (input->data == NULL || input->size == 0) {
276
0
    out->data = gnutls_calloc(1, 1);
277
0
    if (out->data == NULL)
278
0
      return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
279
0
    out->size = 0;
280
0
    return 0;
281
0
  }
282
283
0
  if (etype == ASN1_ETYPE_BMP_STRING) {
284
0
    ret = _gnutls_ucs2_to_utf8(input->data, input->size, out, 1);
285
0
    if (ret < 0) {
286
      /* could not convert. Handle it as non-printable */
287
0
      printable = 0;
288
0
    } else
289
0
      printable = 1;
290
0
  } else if (etype == ASN1_ETYPE_TELETEX_STRING) {
291
    /* HACK: if the teletex string contains only ascii
292
     * characters then treat it as printable.
293
     */
294
0
    if (_gnutls_str_is_print((char *)input->data, input->size)) {
295
0
      out->data = gnutls_malloc(input->size + 1);
296
0
      if (out->data == NULL)
297
0
        return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
298
299
0
      memcpy(out->data, input->data, input->size);
300
0
      out->size = input->size;
301
302
0
      out->data[out->size] = 0;
303
304
0
      printable = 1;
305
0
    }
306
0
  } else if (etype !=
307
0
       ASN1_ETYPE_UNIVERSAL_STRING) /* supported but not printable */
308
0
    return GNUTLS_E_INVALID_REQUEST;
309
310
0
  if (printable == 0) { /* need to allocate out */
311
0
    ret = data2hex(input->data, input->size, out);
312
0
    if (ret < 0) {
313
0
      gnutls_assert();
314
0
      return ret;
315
0
    }
316
0
  }
317
318
0
  return 0;
319
0
}
320
321
static int decode_complex_string(const struct oid_to_string *oentry,
322
         void *value, int value_size,
323
         gnutls_datum_t *out)
324
0
{
325
0
  char str[MAX_STRING_LEN], tmpname[128];
326
0
  int len = -1, result;
327
0
  asn1_node tmpasn = NULL;
328
0
  char asn1_err[ASN1_MAX_ERROR_DESCRIPTION_SIZE] = "";
329
0
  unsigned int etype;
330
0
  gnutls_datum_t td = { NULL, 0 };
331
332
0
  if (oentry->asn_desc == NULL) {
333
0
    gnutls_assert();
334
0
    return GNUTLS_E_INTERNAL_ERROR;
335
0
  }
336
337
0
  if ((result = asn1_create_element(_gnutls_get_pkix(), oentry->asn_desc,
338
0
            &tmpasn)) != ASN1_SUCCESS) {
339
0
    gnutls_assert();
340
0
    return _gnutls_asn2err(result);
341
0
  }
342
343
0
  if ((result = _asn1_strict_der_decode(&tmpasn, value, value_size,
344
0
                asn1_err)) != ASN1_SUCCESS) {
345
0
    gnutls_assert();
346
0
    _gnutls_debug_log("_asn1_strict_der_decode: %s\n", asn1_err);
347
0
    asn1_delete_structure(&tmpasn);
348
0
    return _gnutls_asn2err(result);
349
0
  }
350
351
  /* Read the type of choice.
352
   */
353
0
  len = sizeof(str) - 1;
354
0
  if ((result = asn1_read_value(tmpasn, "", str, &len)) !=
355
0
      ASN1_SUCCESS) { /* CHOICE */
356
0
    gnutls_assert();
357
0
    asn1_delete_structure(&tmpasn);
358
0
    return _gnutls_asn2err(result);
359
0
  }
360
361
0
  str[len] = 0;
362
363
  /* We set the etype on the strings that may need
364
   * some conversion to UTF-8. The INVALID flag indicates
365
   * no conversion needed */
366
0
  if (strcmp(str, "teletexString") == 0)
367
0
    etype = ASN1_ETYPE_TELETEX_STRING;
368
0
  else if (strcmp(str, "bmpString") == 0)
369
0
    etype = ASN1_ETYPE_BMP_STRING;
370
0
  else if (strcmp(str, "universalString") == 0)
371
0
    etype = ASN1_ETYPE_UNIVERSAL_STRING;
372
0
  else
373
0
    etype = ASN1_ETYPE_INVALID;
374
375
0
  _gnutls_str_cpy(tmpname, sizeof(tmpname), str);
376
377
0
  result = _gnutls_x509_read_value(tmpasn, tmpname, &td);
378
0
  asn1_delete_structure(&tmpasn);
379
0
  if (result < 0)
380
0
    return gnutls_assert_val(result);
381
382
0
  if (etype != ASN1_ETYPE_INVALID) {
383
0
    result = make_printable_string(etype, &td, out);
384
385
0
    _gnutls_free_datum(&td);
386
387
0
    if (result < 0)
388
0
      return gnutls_assert_val(result);
389
0
  } else {
390
0
    out->data = td.data;
391
0
    out->size = td.size;
392
    /* _gnutls_x509_read_value always null terminates */
393
0
  }
394
395
0
  assert(out->data != NULL);
396
397
  /* Refuse to deal with strings containing NULs. */
398
0
  if (strlen((void *)out->data) != (size_t)out->size) {
399
0
    _gnutls_free_datum(out);
400
0
    return gnutls_assert_val(GNUTLS_E_ASN1_EMBEDDED_NULL_IN_STRING);
401
0
  }
402
403
0
  return 0;
404
0
}
405
406
/* This function will convert an attribute value, specified by the OID,
407
 * to a string. The result will be a null terminated string.
408
 *
409
 * res may be null. This will just return the res_size, needed to
410
 * hold the string.
411
 */
412
int _gnutls_x509_dn_to_string(const char *oid, void *value, int value_size,
413
            gnutls_datum_t *str)
414
0
{
415
0
  const struct oid_to_string *oentry;
416
0
  int ret;
417
0
  gnutls_datum_t tmp = { NULL, 0 };
418
419
0
  if (value == NULL || value_size <= 0) {
420
0
    gnutls_assert();
421
0
    return GNUTLS_E_INVALID_REQUEST;
422
0
  }
423
424
0
  oentry = _gnutls_oid_get_entry(_oid2str, oid);
425
0
  if (oentry == NULL) { /* unknown OID -> hex */
426
0
  unknown_oid:
427
0
    ret = data2hex(value, value_size, str);
428
0
    if (ret < 0) {
429
0
      gnutls_assert();
430
0
      return ret;
431
0
    }
432
0
    return 0;
433
0
  }
434
435
0
  if (oentry->asn_desc != NULL) { /* complex */
436
0
    ret = decode_complex_string(oentry, value, value_size, &tmp);
437
0
    if (ret < 0) {
438
      /* we failed decoding -> handle it as unknown OID */
439
0
      goto unknown_oid;
440
0
    }
441
0
  } else {
442
0
    ret = _gnutls_x509_decode_string(oentry->etype, value,
443
0
             value_size, &tmp, 0);
444
0
    if (ret < 0) {
445
      /* we failed decoding -> handle it as unknown OID */
446
0
      goto unknown_oid;
447
0
    }
448
0
  }
449
450
0
  ret = str_escape(&tmp, str);
451
0
  _gnutls_free_datum(&tmp);
452
453
0
  if (ret < 0)
454
0
    return gnutls_assert_val(ret);
455
456
0
  return 0;
457
0
}
458
459
/* Converts a data string to an LDAP rfc2253 hex string
460
 * something like '#01020304'
461
 */
462
static int data2hex(const void *data, size_t data_size, gnutls_datum_t *out)
463
0
{
464
0
  gnutls_datum_t tmp, td;
465
0
  int ret;
466
0
  size_t size;
467
468
0
  td.size = hex_str_size(data_size) + 1; /* +1 for '#' */
469
0
  td.data = gnutls_malloc(td.size);
470
0
  if (td.data == NULL)
471
0
    return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
472
473
0
  tmp.data = (void *)data;
474
0
  tmp.size = data_size;
475
476
0
  td.data[0] = '#';
477
0
  size = td.size - 1; /* don't include '#' */
478
0
  ret = gnutls_hex_encode(&tmp, (char *)&td.data[1], &size);
479
0
  if (ret < 0) {
480
0
    gnutls_assert();
481
0
    gnutls_free(td.data);
482
0
    return GNUTLS_E_SHORT_MEMORY_BUFFER;
483
0
  }
484
485
0
  td.size--; /* don't include null */
486
487
0
  out->data = td.data;
488
0
  out->size = td.size;
489
490
0
  return 0;
491
0
}
492
493
gnutls_x509_subject_alt_name_t _gnutls_x509_san_find_type(char *str_type)
494
0
{
495
0
  if (strcmp(str_type, "dNSName") == 0)
496
0
    return GNUTLS_SAN_DNSNAME;
497
0
  if (strcmp(str_type, "rfc822Name") == 0)
498
0
    return GNUTLS_SAN_RFC822NAME;
499
0
  if (strcmp(str_type, "uniformResourceIdentifier") == 0)
500
0
    return GNUTLS_SAN_URI;
501
0
  if (strcmp(str_type, "iPAddress") == 0)
502
0
    return GNUTLS_SAN_IPADDRESS;
503
0
  if (strcmp(str_type, "otherName") == 0)
504
0
    return GNUTLS_SAN_OTHERNAME;
505
0
  if (strcmp(str_type, "directoryName") == 0)
506
0
    return GNUTLS_SAN_DN;
507
0
  if (strcmp(str_type, "registeredID") == 0)
508
0
    return GNUTLS_SAN_REGISTERED_ID;
509
510
0
  return (gnutls_x509_subject_alt_name_t)-1;
511
0
}
512
513
/* A generic export function. Will export the given ASN.1 encoded data
514
 * to PEM or DER raw data.
515
 */
516
int _gnutls_x509_export_int_named(asn1_node asn1_data, const char *name,
517
          gnutls_x509_crt_fmt_t format,
518
          const char *pem_header,
519
          unsigned char *output_data,
520
          size_t *output_data_size)
521
0
{
522
0
  int ret;
523
0
  gnutls_datum_t out = { NULL, 0 };
524
0
  size_t size;
525
526
0
  ret = _gnutls_x509_export_int_named2(asn1_data, name, format,
527
0
               pem_header, &out);
528
0
  if (ret < 0)
529
0
    return gnutls_assert_val(ret);
530
531
0
  if (format == GNUTLS_X509_FMT_PEM)
532
0
    size = out.size + 1;
533
0
  else
534
0
    size = out.size;
535
536
0
  if (*output_data_size < size) {
537
0
    *output_data_size = size;
538
0
    ret = gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER);
539
0
    goto cleanup;
540
0
  }
541
542
0
  *output_data_size = (size_t)out.size;
543
0
  if (output_data) {
544
0
    if (out.size > 0) {
545
0
      memcpy(output_data, out.data, (size_t)out.size);
546
0
    }
547
0
    if (format == GNUTLS_X509_FMT_PEM)
548
0
      output_data[out.size] = 0;
549
0
  }
550
551
0
  ret = 0;
552
553
0
cleanup:
554
0
  gnutls_free(out.data);
555
556
0
  return ret;
557
0
}
558
559
/* A generic export function. Will export the given ASN.1 encoded data
560
 * to PEM or DER raw data.
561
 */
562
int _gnutls_x509_export_int_named2(asn1_node asn1_data, const char *name,
563
           gnutls_x509_crt_fmt_t format,
564
           const char *pem_header, gnutls_datum_t *out)
565
0
{
566
0
  int ret;
567
568
0
  if (format == GNUTLS_X509_FMT_DER) {
569
0
    ret = _gnutls_x509_der_encode(asn1_data, name, out, 0);
570
0
    if (ret < 0)
571
0
      return gnutls_assert_val(ret);
572
0
  } else { /* PEM */
573
0
    gnutls_datum_t tmp;
574
575
0
    ret = _gnutls_x509_der_encode(asn1_data, name, &tmp, 0);
576
0
    if (ret < 0)
577
0
      return gnutls_assert_val(ret);
578
579
0
    ret = _gnutls_fbase64_encode(pem_header, tmp.data, tmp.size,
580
0
               out);
581
0
    _gnutls_free_datum(&tmp);
582
583
0
    if (ret < 0)
584
0
      return gnutls_assert_val(ret);
585
0
  }
586
587
0
  return 0;
588
0
}
589
590
/* Decodes an octet string. The etype specifies the string type.
591
 * The returned string is always null terminated (but null is not
592
 * included in size).
593
 */
594
int _gnutls_x509_decode_string(unsigned int etype, const uint8_t *der,
595
             size_t der_size, gnutls_datum_t *output,
596
             unsigned allow_ber)
597
0
{
598
0
  long ret;
599
0
  uint8_t *str;
600
0
  unsigned int str_size, len;
601
0
  gnutls_datum_t td;
602
0
  int tag_len, len_len;
603
0
  unsigned char class;
604
0
  unsigned long tag;
605
606
0
  output->data = NULL;
607
0
  output->size = 0;
608
609
  /* asn1_decode_simple_{ber,der} don't accept empty string,
610
   * check it beforehand.
611
   */
612
0
  ret = asn1_get_tag_der(der, der_size, &class, &tag_len, &tag);
613
0
  if (ret != ASN1_SUCCESS) {
614
0
    gnutls_assert();
615
0
    ret = _gnutls_asn2err(ret);
616
0
    return ret;
617
0
  }
618
619
0
  if (allow_ber)
620
0
    ret = asn1_get_length_ber(der + tag_len, der_size - tag_len,
621
0
            &len_len);
622
0
  else
623
0
    ret = asn1_get_length_der(der + tag_len, der_size - tag_len,
624
0
            &len_len);
625
0
  if (ret == 0) {
626
0
    output->data = NULL;
627
0
    output->size = 0;
628
0
    return 0;
629
0
  }
630
631
0
  if (allow_ber)
632
0
    ret = asn1_decode_simple_ber(etype, der, der_size, &str,
633
0
               &str_size, NULL);
634
0
  else
635
0
    ret = asn1_decode_simple_der(etype, der, der_size,
636
0
               (const uint8_t **)&str, &str_size);
637
0
  if (ret != ASN1_SUCCESS) {
638
0
    gnutls_assert();
639
0
    ret = _gnutls_asn2err(ret);
640
0
    return ret;
641
0
  }
642
643
0
  td.size = str_size;
644
0
  td.data = gnutls_malloc(str_size + 1);
645
0
  if (td.data == NULL)
646
0
    return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
647
648
0
  if (str_size > 0)
649
0
    memcpy(td.data, str, str_size);
650
0
  td.data[str_size] = 0;
651
652
0
  if (allow_ber)
653
0
    free(str);
654
655
0
  ret = make_printable_string(etype, &td, output);
656
0
  if (ret == GNUTLS_E_INVALID_REQUEST) { /* unsupported etype */
657
0
    output->data = td.data;
658
0
    output->size = td.size;
659
0
    ret = 0;
660
0
  } else if (ret <= 0) {
661
0
    _gnutls_free_datum(&td);
662
0
  }
663
664
  /* Refuse to deal with strings containing NULs. */
665
0
  if (etype != ASN1_ETYPE_OCTET_STRING) {
666
0
    if (output->data)
667
0
      len = strlen((void *)output->data);
668
0
    else
669
0
      len = 0;
670
671
0
    if (len != (size_t)output->size) {
672
0
      _gnutls_free_datum(output);
673
0
      ret = gnutls_assert_val(
674
0
        GNUTLS_E_ASN1_EMBEDDED_NULL_IN_STRING);
675
0
    }
676
0
  }
677
678
0
  return ret;
679
0
}
680
681
/* Reads a value from an ASN1 tree, and puts the output
682
 * in an allocated variable in the given datum.
683
 *
684
 * Note that this function always allocates one plus
685
 * the required data size (and places a null byte).
686
 */
687
static int x509_read_value(asn1_node c, const char *root, gnutls_datum_t *ret,
688
         unsigned allow_null)
689
0
{
690
0
  int len = 0, result;
691
0
  uint8_t *tmp = NULL;
692
0
  unsigned int etype;
693
694
0
  result = asn1_read_value_type(c, root, NULL, &len, &etype);
695
0
  if (result == 0 && allow_null == 0 && len == 0) {
696
    /* don't allow null strings */
697
0
    return gnutls_assert_val(GNUTLS_E_ASN1_DER_ERROR);
698
0
  } else if (result == 0 && allow_null == 0 &&
699
0
       etype == ASN1_ETYPE_OBJECT_ID && len == 1) {
700
0
    return gnutls_assert_val(GNUTLS_E_ASN1_DER_ERROR);
701
0
  }
702
703
0
  if (result != ASN1_MEM_ERROR) {
704
0
    if (result != ASN1_SUCCESS || allow_null == 0 || len != 0) {
705
0
      result = _gnutls_asn2err(result);
706
0
      return result;
707
0
    }
708
0
  }
709
710
0
  if (etype == ASN1_ETYPE_BIT_STRING) {
711
0
    len = (len + 7) / 8;
712
0
  }
713
714
0
  tmp = gnutls_malloc((size_t)len + 1);
715
0
  if (tmp == NULL) {
716
0
    gnutls_assert();
717
0
    result = GNUTLS_E_MEMORY_ERROR;
718
0
    goto cleanup;
719
0
  }
720
721
0
  if (len > 0) {
722
0
    result = asn1_read_value(c, root, tmp, &len);
723
0
    if (result != ASN1_SUCCESS) {
724
0
      gnutls_assert();
725
0
      result = _gnutls_asn2err(result);
726
0
      goto cleanup;
727
0
    }
728
729
0
    switch (etype) {
730
0
    case ASN1_ETYPE_BIT_STRING:
731
0
      ret->size = (len + 7) / 8;
732
0
      break;
733
0
    case ASN1_ETYPE_OBJECT_ID:
734
0
      if (len > 0) {
735
0
        ret->size = len - 1;
736
0
      } else {
737
0
        result = gnutls_assert_val(
738
0
          GNUTLS_E_ASN1_DER_ERROR);
739
0
        goto cleanup;
740
0
      }
741
0
      break;
742
0
    default:
743
0
      ret->size = (unsigned)len;
744
0
      break;
745
0
    }
746
0
  } else {
747
0
    ret->size = 0;
748
0
  }
749
750
0
  tmp[ret->size] = 0;
751
0
  ret->data = tmp;
752
753
0
  return 0;
754
755
0
cleanup:
756
0
  gnutls_free(tmp);
757
0
  return result;
758
0
}
759
760
int _gnutls_x509_read_value(asn1_node c, const char *root, gnutls_datum_t *ret)
761
0
{
762
0
  return x509_read_value(c, root, ret, 0);
763
0
}
764
765
int _gnutls_x509_read_null_value(asn1_node c, const char *root,
766
         gnutls_datum_t *ret)
767
0
{
768
0
  return x509_read_value(c, root, ret, 1);
769
0
}
770
771
/* Reads a value from an ASN1 tree, then interprets it as the provided
772
 * type of string and returns the output in an allocated variable.
773
 *
774
 * Note that this function always places a null character
775
 * at the end of a readable string value (which is not accounted into size)
776
 */
777
int _gnutls_x509_read_string(asn1_node c, const char *root, gnutls_datum_t *ret,
778
           unsigned int etype, unsigned int allow_ber)
779
0
{
780
0
  int len = 0, result;
781
0
  size_t slen;
782
0
  uint8_t *tmp = NULL;
783
0
  unsigned rtype;
784
785
0
  result = asn1_read_value_type(c, root, NULL, &len, &rtype);
786
0
  if (result != ASN1_MEM_ERROR) {
787
0
    gnutls_assert();
788
0
    result = _gnutls_asn2err(result);
789
0
    return result;
790
0
  }
791
792
0
  if (rtype == ASN1_ETYPE_BIT_STRING)
793
0
    len /= 8;
794
795
0
  tmp = gnutls_malloc((size_t)len + 1);
796
0
  if (tmp == NULL) {
797
0
    gnutls_assert();
798
0
    result = GNUTLS_E_MEMORY_ERROR;
799
0
    goto cleanup;
800
0
  }
801
802
0
  result = asn1_read_value(c, root, tmp, &len);
803
0
  if (result != ASN1_SUCCESS) {
804
0
    gnutls_assert();
805
0
    result = _gnutls_asn2err(result);
806
0
    goto cleanup;
807
0
  }
808
809
0
  if (rtype == ASN1_ETYPE_BIT_STRING)
810
0
    len /= 8;
811
812
  /* Extract the STRING.
813
   */
814
0
  slen = (size_t)len;
815
816
0
  result = _gnutls_x509_decode_string(etype, tmp, slen, ret, allow_ber);
817
0
  if (result < 0) {
818
0
    gnutls_assert();
819
0
    goto cleanup;
820
0
  }
821
0
  gnutls_free(tmp);
822
823
0
  return 0;
824
825
0
cleanup:
826
0
  gnutls_free(tmp);
827
0
  return result;
828
0
}
829
830
/* The string type should be IA5String, UTF8String etc. Leave
831
 * null for octet string */
832
int _gnutls_x509_encode_string(unsigned int etype, const void *input_data,
833
             size_t input_size, gnutls_datum_t *output)
834
0
{
835
0
  uint8_t tl[ASN1_MAX_TL_SIZE];
836
0
  unsigned int tl_size;
837
0
  int ret;
838
839
0
  tl_size = sizeof(tl);
840
0
  ret = asn1_encode_simple_der(etype, input_data, input_size, tl,
841
0
             &tl_size);
842
0
  if (ret != ASN1_SUCCESS) {
843
0
    gnutls_assert();
844
0
    ret = _gnutls_asn2err(ret);
845
0
    return ret;
846
0
  }
847
848
0
  output->data = gnutls_malloc(tl_size + input_size);
849
0
  if (output->data == NULL)
850
0
    return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
851
852
0
  memcpy(output->data, tl, tl_size);
853
0
  memcpy(output->data + tl_size, input_data, input_size);
854
855
0
  output->size = tl_size + input_size;
856
857
0
  return 0;
858
0
}
859
860
/* DER Encodes the src asn1_node and stores it to
861
 * the given datum. If str is non zero then the data are encoded as
862
 * an OCTET STRING.
863
 */
864
int _gnutls_x509_der_encode(asn1_node src, const char *src_name,
865
          gnutls_datum_t *res, int str)
866
0
{
867
0
  int size, result;
868
0
  int asize;
869
0
  uint8_t *data = NULL;
870
0
  asn1_node c2 = NULL;
871
872
0
  size = 0;
873
0
  result = asn1_der_coding(src, src_name, NULL, &size, NULL);
874
  /* this check explicitly covers the case where size == 0 && result == 0 */
875
0
  if (result != ASN1_MEM_ERROR) {
876
0
    gnutls_assert();
877
0
    return _gnutls_asn2err(result);
878
0
  }
879
880
  /* allocate data for the der
881
   */
882
883
0
  if (str)
884
0
    size += 16; /* for later to include the octet tags */
885
0
  asize = size;
886
887
0
  data = gnutls_malloc((size_t)size);
888
0
  if (data == NULL) {
889
0
    gnutls_assert();
890
0
    return GNUTLS_E_MEMORY_ERROR;
891
0
  }
892
893
0
  result = asn1_der_coding(src, src_name, data, &size, NULL);
894
0
  if (result != ASN1_SUCCESS) {
895
0
    gnutls_assert();
896
0
    result = _gnutls_asn2err(result);
897
0
    goto cleanup;
898
0
  }
899
900
0
  if (str) {
901
0
    if ((result = asn1_create_element(_gnutls_get_pkix(),
902
0
              "PKIX1.pkcs-7-Data", &c2)) !=
903
0
        ASN1_SUCCESS) {
904
0
      gnutls_assert();
905
0
      result = _gnutls_asn2err(result);
906
0
      goto cleanup;
907
0
    }
908
909
0
    result = asn1_write_value(c2, "", data, size);
910
0
    if (result != ASN1_SUCCESS) {
911
0
      gnutls_assert();
912
0
      result = _gnutls_asn2err(result);
913
0
      goto cleanup;
914
0
    }
915
916
0
    result = asn1_der_coding(c2, "", data, &asize, NULL);
917
0
    if (result != ASN1_SUCCESS) {
918
0
      gnutls_assert();
919
0
      result = _gnutls_asn2err(result);
920
0
      goto cleanup;
921
0
    }
922
923
0
    size = asize;
924
925
0
    asn1_delete_structure(&c2);
926
0
  }
927
928
0
  res->data = data;
929
0
  res->size = (unsigned)size;
930
0
  return 0;
931
932
0
cleanup:
933
0
  gnutls_free(data);
934
0
  asn1_delete_structure(&c2);
935
0
  return result;
936
0
}
937
938
/* DER Encodes the src asn1_node and stores it to
939
 * dest in dest_name. Useful to encode something and store it
940
 * as OCTET. If str is non null then the data are encoded as
941
 * an OCTET STRING.
942
 */
943
int _gnutls_x509_der_encode_and_copy(asn1_node src, const char *src_name,
944
             asn1_node dest, const char *dest_name,
945
             int str)
946
0
{
947
0
  int result;
948
0
  gnutls_datum_t encoded = { NULL, 0 };
949
950
0
  result = _gnutls_x509_der_encode(src, src_name, &encoded, str);
951
952
0
  if (result < 0) {
953
0
    gnutls_assert();
954
0
    return result;
955
0
  }
956
957
  /* Write the data.
958
   */
959
0
  result = asn1_write_value(dest, dest_name, encoded.data,
960
0
          (int)encoded.size);
961
962
0
  _gnutls_free_datum(&encoded);
963
964
0
  if (result != ASN1_SUCCESS) {
965
0
    gnutls_assert();
966
0
    return _gnutls_asn2err(result);
967
0
  }
968
969
0
  return 0;
970
0
}
971
972
/* Writes the value of the datum in the given asn1_node.
973
 */
974
int _gnutls_x509_write_value(asn1_node c, const char *root,
975
           const gnutls_datum_t *data)
976
0
{
977
0
  int ret;
978
979
  /* Write the data.
980
   */
981
0
  ret = asn1_write_value(c, root, data->data, data->size);
982
0
  if (ret != ASN1_SUCCESS) {
983
0
    gnutls_assert();
984
0
    return _gnutls_asn2err(ret);
985
0
  }
986
987
0
  return 0;
988
0
}
989
990
/* Writes the value of the datum in the given asn1_node as a string.
991
 */
992
int _gnutls_x509_write_string(asn1_node c, const char *root,
993
            const gnutls_datum_t *data, unsigned int etype)
994
0
{
995
0
  int ret;
996
0
  gnutls_datum_t val = { NULL, 0 };
997
998
0
  ret = _gnutls_x509_encode_string(etype, data->data, data->size, &val);
999
0
  if (ret < 0)
1000
0
    return gnutls_assert_val(ret);
1001
1002
  /* Write the data.
1003
   */
1004
0
  ret = asn1_write_value(c, root, val.data, val.size);
1005
0
  if (ret != ASN1_SUCCESS) {
1006
0
    gnutls_assert();
1007
0
    ret = _gnutls_asn2err(ret);
1008
0
    goto cleanup;
1009
0
  }
1010
1011
0
  ret = 0;
1012
1013
0
cleanup:
1014
0
  _gnutls_free_datum(&val);
1015
0
  return ret;
1016
0
}
1017
1018
void _asnstr_append_name(char *name, size_t name_size, const char *part1,
1019
       const char *part2)
1020
0
{
1021
0
  if (part1[0] != 0) {
1022
0
    _gnutls_str_cpy(name, name_size, part1);
1023
0
    _gnutls_str_cat(name, name_size, part2);
1024
0
  } else
1025
0
    _gnutls_str_cpy(name, name_size,
1026
0
        part2 + 1 /* remove initial dot */);
1027
0
}
1028
1029
/* Encodes and copies the private key parameters into a
1030
 * subjectPublicKeyInfo structure.
1031
 *
1032
 */
1033
int _gnutls_x509_encode_and_copy_PKI_params(asn1_node dst, const char *dst_name,
1034
              const gnutls_pk_params_st *params)
1035
0
{
1036
0
  const char *oid;
1037
0
  gnutls_datum_t der = { NULL, 0 };
1038
0
  int result;
1039
0
  char name[128];
1040
1041
0
  oid = gnutls_pk_get_oid(params->algo);
1042
0
  if (oid == NULL) {
1043
0
    gnutls_assert();
1044
0
    return GNUTLS_E_UNKNOWN_PK_ALGORITHM;
1045
0
  }
1046
1047
  /* write the OID
1048
   */
1049
0
  _asnstr_append_name(name, sizeof(name), dst_name,
1050
0
          ".algorithm.algorithm");
1051
1052
0
  result = asn1_write_value(dst, name, oid, 1);
1053
0
  if (result != ASN1_SUCCESS) {
1054
0
    gnutls_assert();
1055
0
    return _gnutls_asn2err(result);
1056
0
  }
1057
1058
0
  result = _gnutls_x509_write_pubkey_params(params, &der);
1059
0
  if (result < 0) {
1060
0
    gnutls_assert();
1061
0
    return result;
1062
0
  }
1063
1064
0
  _asnstr_append_name(name, sizeof(name), dst_name,
1065
0
          ".algorithm.parameters");
1066
1067
0
  result = asn1_write_value(dst, name, der.data, der.size);
1068
0
  _gnutls_free_datum(&der);
1069
1070
0
  if (result != ASN1_SUCCESS) {
1071
0
    gnutls_assert();
1072
0
    return _gnutls_asn2err(result);
1073
0
  }
1074
1075
0
  result = _gnutls_x509_write_pubkey(params, &der);
1076
0
  if (result < 0) {
1077
0
    gnutls_assert();
1078
0
    return result;
1079
0
  }
1080
1081
  /* Write the DER parameters. (in bits)
1082
   */
1083
0
  _asnstr_append_name(name, sizeof(name), dst_name, ".subjectPublicKey");
1084
0
  result = asn1_write_value(dst, name, der.data, der.size * 8);
1085
0
  _gnutls_free_datum(&der);
1086
1087
0
  if (result != ASN1_SUCCESS) {
1088
0
    gnutls_assert();
1089
0
    return _gnutls_asn2err(result);
1090
0
  }
1091
1092
0
  return 0;
1093
0
}
1094
1095
/* Encodes and public key parameters into a
1096
 * subjectPublicKeyInfo structure and stores it in der.
1097
 */
1098
int _gnutls_x509_encode_PKI_params(gnutls_datum_t *der,
1099
           const gnutls_pk_params_st *params)
1100
0
{
1101
0
  int ret;
1102
0
  asn1_node tmp;
1103
1104
0
  ret = asn1_create_element(_gnutls_get_pkix(), "PKIX1.Certificate",
1105
0
          &tmp);
1106
0
  if (ret != ASN1_SUCCESS) {
1107
0
    gnutls_assert();
1108
0
    return _gnutls_asn2err(ret);
1109
0
  }
1110
1111
0
  ret = _gnutls_x509_encode_and_copy_PKI_params(
1112
0
    tmp, "tbsCertificate.subjectPublicKeyInfo", params);
1113
0
  if (ret != ASN1_SUCCESS) {
1114
0
    gnutls_assert();
1115
0
    ret = _gnutls_asn2err(ret);
1116
0
    goto cleanup;
1117
0
  }
1118
1119
0
  ret = _gnutls_x509_der_encode(
1120
0
    tmp, "tbsCertificate.subjectPublicKeyInfo", der, 0);
1121
1122
0
cleanup:
1123
0
  asn1_delete_structure(&tmp);
1124
1125
0
  return ret;
1126
0
}
1127
1128
/* Reads and returns the PK algorithm of the given certificate-like
1129
 * ASN.1 structure. src_name should be something like "tbsCertificate.subjectPublicKeyInfo".
1130
 */
1131
int _gnutls_x509_get_pk_algorithm(asn1_node src, const char *src_name,
1132
          gnutls_ecc_curve_t *curve, unsigned int *bits)
1133
0
{
1134
0
  int result;
1135
0
  int algo;
1136
0
  char oid[64];
1137
0
  int len;
1138
0
  gnutls_ecc_curve_t lcurve = GNUTLS_ECC_CURVE_INVALID;
1139
0
  char name[128];
1140
1141
0
  _asnstr_append_name(name, sizeof(name), src_name,
1142
0
          ".algorithm.algorithm");
1143
0
  len = sizeof(oid);
1144
0
  result = asn1_read_value(src, name, oid, &len);
1145
1146
0
  if (result != ASN1_SUCCESS) {
1147
0
    gnutls_assert();
1148
0
    return _gnutls_asn2err(result);
1149
0
  }
1150
1151
0
  algo = _gnutls_oid_to_pk_and_curve(oid, &lcurve);
1152
0
  if (algo == GNUTLS_PK_UNKNOWN) {
1153
0
    _gnutls_debug_log("%s: unknown public key algorithm: %s\n",
1154
0
          __func__, oid);
1155
0
  }
1156
1157
0
  if (curve)
1158
0
    *curve = lcurve;
1159
1160
0
  if (bits == NULL) {
1161
0
    return algo;
1162
0
  }
1163
1164
  /* Now read the parameters' bits
1165
   */
1166
0
  if (lcurve != GNUTLS_ECC_CURVE_INVALID) { /* curve present */
1167
0
    bits[0] = gnutls_ecc_curve_get_size(lcurve) * 8;
1168
0
  } else {
1169
0
    gnutls_pk_params_st params;
1170
0
    gnutls_pk_params_init(&params);
1171
1172
0
    result = _gnutls_get_asn_mpis(src, src_name, &params);
1173
0
    if (result < 0)
1174
0
      return gnutls_assert_val(result);
1175
1176
0
    bits[0] = pubkey_to_bits(&params);
1177
0
    gnutls_pk_params_release(&params);
1178
0
  }
1179
1180
0
  return algo;
1181
0
}
1182
1183
/* Reads the DER signed data from the certificate and allocates space and
1184
 * returns them into signed_data.
1185
 */
1186
int _gnutls_x509_get_signed_data(asn1_node src, const gnutls_datum_t *der,
1187
         const char *src_name,
1188
         gnutls_datum_t *signed_data)
1189
0
{
1190
0
  int start, end, result;
1191
1192
0
  if (der == NULL || der->size == 0) {
1193
0
    return _gnutls_x509_der_encode(src, src_name, signed_data, 0);
1194
0
  }
1195
1196
  /* Get the signed data
1197
   */
1198
0
  result = asn1_der_decoding_startEnd(src, der->data, der->size, src_name,
1199
0
              &start, &end);
1200
0
  if (result != ASN1_SUCCESS) {
1201
0
    result = _gnutls_asn2err(result);
1202
0
    gnutls_assert();
1203
0
    goto cleanup;
1204
0
  }
1205
1206
0
  result = _gnutls_set_datum(signed_data, &der->data[start],
1207
0
           end - start + 1);
1208
1209
0
  if (result < 0) {
1210
0
    gnutls_assert();
1211
0
    goto cleanup;
1212
0
  }
1213
1214
0
  result = 0;
1215
1216
0
cleanup:
1217
0
  return result;
1218
0
}
1219
1220
/*-
1221
 * gnutls_x509_get_signature_algorithm:
1222
 * @src: should contain an asn1_node structure
1223
 * @src_name: the description of the signature field
1224
 *
1225
 * This function will return a value of the #gnutls_sign_algorithm_t
1226
 * enumeration that is the signature algorithm that has been used to
1227
 * sign this certificate.
1228
 *
1229
 * Returns: a #gnutls_sign_algorithm_t value, or a negative error code on
1230
 *   error.
1231
 -*/
1232
int _gnutls_x509_get_signature_algorithm(asn1_node src, const char *src_name)
1233
0
{
1234
0
  int result;
1235
0
  char name[128];
1236
0
  gnutls_datum_t sa = { NULL, 0 };
1237
1238
0
  _gnutls_str_cpy(name, sizeof(name), src_name);
1239
0
  _gnutls_str_cat(name, sizeof(name), ".algorithm");
1240
1241
  /* Read the signature algorithm */
1242
0
  result = _gnutls_x509_read_value(src, name, &sa);
1243
1244
0
  if (result < 0) {
1245
0
    gnutls_assert();
1246
0
    return result;
1247
0
  }
1248
1249
  /* Read the signature parameters. Unless the algorithm is
1250
   * RSA-PSS, parameters are not read. They will be read from
1251
   * the issuer's certificate if needed.
1252
   */
1253
0
  if (sa.data && strcmp((char *)sa.data, PK_PKIX1_RSA_PSS_OID) == 0) {
1254
0
    gnutls_datum_t der = { NULL, 0 };
1255
0
    gnutls_x509_spki_st params;
1256
1257
0
    _gnutls_str_cpy(name, sizeof(name), src_name);
1258
0
    _gnutls_str_cat(name, sizeof(name), ".parameters");
1259
1260
0
    result = _gnutls_x509_read_value(src, name, &der);
1261
0
    if (result < 0) {
1262
0
      _gnutls_free_datum(&sa);
1263
0
      return gnutls_assert_val(result);
1264
0
    }
1265
1266
0
    result = _gnutls_x509_read_rsa_pss_params(der.data, der.size,
1267
0
                &params);
1268
0
    _gnutls_free_datum(&der);
1269
1270
0
    if (result == 0)
1271
0
      result = gnutls_pk_to_sign(params.pk,
1272
0
               params.rsa_pss_dig);
1273
0
  } else if (sa.data) {
1274
0
    result = gnutls_oid_to_sign((char *)sa.data);
1275
0
  } else {
1276
0
    result = GNUTLS_E_UNKNOWN_ALGORITHM;
1277
0
  }
1278
1279
0
  _gnutls_free_datum(&sa);
1280
1281
0
  if (result == GNUTLS_SIGN_UNKNOWN)
1282
0
    result = GNUTLS_E_UNKNOWN_ALGORITHM;
1283
1284
0
  return result;
1285
0
}
1286
1287
/* Reads the DER signature from the certificate and allocates space and
1288
 * returns them into signed_data.
1289
 */
1290
int _gnutls_x509_get_signature(asn1_node src, const char *src_name,
1291
             gnutls_datum_t *signature)
1292
0
{
1293
0
  int result, len;
1294
0
  int bits;
1295
1296
0
  signature->data = NULL;
1297
0
  signature->size = 0;
1298
1299
  /* Read the signature
1300
   */
1301
0
  len = 0;
1302
0
  result = asn1_read_value(src, src_name, NULL, &len);
1303
1304
0
  if (result != ASN1_MEM_ERROR) {
1305
0
    result = _gnutls_asn2err(result);
1306
0
    gnutls_assert();
1307
0
    goto cleanup;
1308
0
  }
1309
1310
0
  bits = len;
1311
0
  if (bits % 8 != 0 || bits < 8) {
1312
0
    gnutls_assert();
1313
0
    result = GNUTLS_E_CERTIFICATE_ERROR;
1314
0
    goto cleanup;
1315
0
  }
1316
1317
0
  len = bits / 8;
1318
1319
0
  signature->data = gnutls_malloc(len);
1320
0
  if (signature->data == NULL) {
1321
0
    gnutls_assert();
1322
0
    result = GNUTLS_E_MEMORY_ERROR;
1323
0
    return result;
1324
0
  }
1325
1326
  /* read the bit string of the signature
1327
   */
1328
0
  bits = len;
1329
0
  result = asn1_read_value(src, src_name, signature->data, &bits);
1330
1331
0
  if (result != ASN1_SUCCESS) {
1332
0
    result = _gnutls_asn2err(result);
1333
0
    gnutls_assert();
1334
0
    goto cleanup;
1335
0
  }
1336
1337
0
  signature->size = len;
1338
1339
0
  return 0;
1340
1341
0
cleanup:
1342
0
  gnutls_free(signature->data);
1343
0
  return result;
1344
0
}
1345
1346
/* ASN.1 PrintableString rules */
1347
static int is_printable(char p)
1348
0
{
1349
0
  if ((p >= 'a' && p <= 'z') || (p >= 'A' && p <= 'Z') ||
1350
0
      (p >= '0' && p <= '9') || p == ' ' || p == '(' || p == ')' ||
1351
0
      p == '+' || p == ',' || p == '-' || p == '.' || p == '/' ||
1352
0
      p == ':' || p == '=' || p == '?')
1353
0
    return 1;
1354
1355
0
  return 0;
1356
0
}
1357
1358
static int write_complex_string(asn1_node asn_struct, const char *where,
1359
        const struct oid_to_string *oentry,
1360
        const uint8_t *data, size_t data_size)
1361
0
{
1362
0
  char tmp[128];
1363
0
  asn1_node c2;
1364
0
  int result;
1365
0
  const char *string_type;
1366
0
  unsigned int i;
1367
1368
0
  result = asn1_create_element(_gnutls_get_pkix(), oentry->asn_desc, &c2);
1369
0
  if (result != ASN1_SUCCESS) {
1370
0
    gnutls_assert();
1371
0
    return _gnutls_asn2err(result);
1372
0
  }
1373
1374
0
  tmp[0] = 0;
1375
1376
0
  string_type = "printableString";
1377
1378
  /* Check if the data is ASN.1 printable, and use
1379
   * the UTF8 string type if not.
1380
   */
1381
0
  for (i = 0; i < data_size; i++) {
1382
0
    if (!is_printable(data[i])) {
1383
0
      string_type = "utf8String";
1384
0
      break;
1385
0
    }
1386
0
  }
1387
1388
  /* if the type is a CHOICE then write the
1389
   * type we'll use.
1390
   */
1391
0
  result = asn1_write_value(c2, "", string_type, 1);
1392
0
  if (result != ASN1_SUCCESS) {
1393
0
    gnutls_assert();
1394
0
    result = _gnutls_asn2err(result);
1395
0
    goto error;
1396
0
  }
1397
1398
0
  _gnutls_str_cpy(tmp, sizeof(tmp), string_type);
1399
1400
0
  result = asn1_write_value(c2, tmp, data, data_size);
1401
0
  if (result != ASN1_SUCCESS) {
1402
0
    gnutls_assert();
1403
0
    result = _gnutls_asn2err(result);
1404
0
    goto error;
1405
0
  }
1406
1407
0
  result = _gnutls_x509_der_encode_and_copy(c2, "", asn_struct, where, 0);
1408
0
  if (result < 0) {
1409
0
    gnutls_assert();
1410
0
    goto error;
1411
0
  }
1412
1413
0
  result = 0;
1414
1415
0
error:
1416
0
  asn1_delete_structure(&c2);
1417
0
  return result;
1418
0
}
1419
1420
/* This will encode and write the AttributeTypeAndValue field.
1421
 * 'multi' must be (0) if writing an AttributeTypeAndValue, and 1 if Attribute.
1422
 * In all cases only one value is written.
1423
 */
1424
int _gnutls_x509_encode_and_write_attribute(const char *given_oid,
1425
              asn1_node asn1_struct,
1426
              const char *where,
1427
              const void *_data, int data_size,
1428
              int multi)
1429
0
{
1430
0
  const uint8_t *data = _data;
1431
0
  char tmp[128];
1432
0
  int result;
1433
0
  const struct oid_to_string *oentry;
1434
1435
0
  oentry = _gnutls_oid_get_entry(_oid2str, given_oid);
1436
0
  if (oentry == NULL) {
1437
0
    gnutls_assert();
1438
0
    _gnutls_debug_log("Cannot find OID: %s\n", given_oid);
1439
0
    return GNUTLS_E_X509_UNSUPPORTED_OID;
1440
0
  }
1441
1442
  /* write the data (value)
1443
   */
1444
1445
0
  _gnutls_str_cpy(tmp, sizeof(tmp), where);
1446
0
  _gnutls_str_cat(tmp, sizeof(tmp), ".value");
1447
1448
0
  if (multi !=
1449
0
      0) { /* if not writing an AttributeTypeAndValue, but an Attribute */
1450
0
    _gnutls_str_cat(tmp, sizeof(tmp), "s"); /* values */
1451
1452
0
    result = asn1_write_value(asn1_struct, tmp, "NEW", 1);
1453
0
    if (result != ASN1_SUCCESS) {
1454
0
      gnutls_assert();
1455
0
      result = _gnutls_asn2err(result);
1456
0
      goto error;
1457
0
    }
1458
1459
0
    _gnutls_str_cat(tmp, sizeof(tmp), ".?LAST");
1460
0
  }
1461
1462
0
  if (oentry->asn_desc != NULL) { /* write a complex string API */
1463
0
    result = write_complex_string(asn1_struct, tmp, oentry, data,
1464
0
                data_size);
1465
0
    if (result < 0)
1466
0
      return gnutls_assert_val(result);
1467
0
  } else { /* write a simple string */
1468
1469
0
    gnutls_datum_t td;
1470
1471
0
    td.data = (void *)data;
1472
0
    td.size = data_size;
1473
0
    result = _gnutls_x509_write_string(asn1_struct, tmp, &td,
1474
0
               oentry->etype);
1475
0
    if (result < 0) {
1476
0
      gnutls_assert();
1477
0
      goto error;
1478
0
    }
1479
0
  }
1480
1481
  /* write the type
1482
   */
1483
0
  _gnutls_str_cpy(tmp, sizeof(tmp), where);
1484
0
  _gnutls_str_cat(tmp, sizeof(tmp), ".type");
1485
1486
0
  result = asn1_write_value(asn1_struct, tmp, given_oid, 1);
1487
0
  if (result != ASN1_SUCCESS) {
1488
0
    gnutls_assert();
1489
0
    result = _gnutls_asn2err(result);
1490
0
    goto error;
1491
0
  }
1492
1493
0
  result = 0;
1494
1495
0
error:
1496
0
  return result;
1497
0
}
1498
1499
/* copies a datum to a buffer. If it doesn't fit it returns
1500
 * GNUTLS_E_SHORT_MEMORY_BUFFER. It always deinitializes the datum
1501
 * after the copy.
1502
 *
1503
 * The buffer will always be null terminated.
1504
 */
1505
int _gnutls_strdatum_to_buf(gnutls_datum_t *d, void *buf, size_t *buf_size)
1506
0
{
1507
0
  int ret;
1508
0
  uint8_t *_buf = buf;
1509
1510
0
  if (buf == NULL || *buf_size < d->size + 1) {
1511
0
    *buf_size = d->size + 1;
1512
0
    ret = gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER);
1513
0
    goto cleanup;
1514
0
  }
1515
0
  memcpy(buf, d->data, d->size);
1516
0
  _buf[d->size] = 0;
1517
1518
0
  *buf_size = d->size;
1519
0
  ret = 0;
1520
1521
0
cleanup:
1522
0
  _gnutls_free_datum(d);
1523
1524
0
  return ret;
1525
0
}
1526
1527
int _gnutls_x509_get_raw_field2(asn1_node c2, const gnutls_datum_t *raw,
1528
        const char *whom, gnutls_datum_t *dn)
1529
0
{
1530
0
  int result, len1;
1531
0
  int start1, end1;
1532
0
  result = asn1_der_decoding_startEnd(c2, raw->data, raw->size, whom,
1533
0
              &start1, &end1);
1534
1535
0
  if (result != ASN1_SUCCESS) {
1536
0
    gnutls_assert();
1537
0
    result = _gnutls_asn2err(result);
1538
0
    goto cleanup;
1539
0
  }
1540
1541
0
  len1 = end1 - start1 + 1;
1542
1543
0
  dn->data = &raw->data[start1];
1544
0
  dn->size = len1;
1545
0
  result = 0;
1546
1547
0
cleanup:
1548
0
  return result;
1549
0
}
1550
1551
int _gnutls_copy_string(const gnutls_datum_t *str, uint8_t *out,
1552
      size_t *out_size)
1553
0
{
1554
0
  unsigned size_to_check;
1555
1556
0
  size_to_check = str->size + 1;
1557
1558
0
  if ((unsigned)size_to_check > *out_size) {
1559
0
    gnutls_assert();
1560
0
    (*out_size) = size_to_check;
1561
0
    return GNUTLS_E_SHORT_MEMORY_BUFFER;
1562
0
  }
1563
1564
0
  if (out != NULL && str->data != NULL) {
1565
0
    memcpy(out, str->data, str->size);
1566
0
    out[str->size] = 0;
1567
0
  } else if (out != NULL) {
1568
0
    out[0] = 0;
1569
0
  }
1570
0
  *out_size = str->size;
1571
1572
0
  return 0;
1573
0
}
1574
1575
int _gnutls_copy_data(const gnutls_datum_t *str, uint8_t *out, size_t *out_size)
1576
0
{
1577
0
  if ((unsigned)str->size > *out_size) {
1578
0
    gnutls_assert();
1579
0
    (*out_size) = str->size;
1580
0
    return GNUTLS_E_SHORT_MEMORY_BUFFER;
1581
0
  }
1582
1583
0
  if (out != NULL && str->data != NULL) {
1584
0
    memcpy(out, str->data, str->size);
1585
0
  }
1586
0
  *out_size = str->size;
1587
1588
0
  return 0;
1589
0
}
1590
1591
/* Converts an X.509 certificate to subjectPublicKeyInfo */
1592
int x509_crt_to_raw_pubkey(gnutls_x509_crt_t crt, gnutls_datum_t *rpubkey)
1593
0
{
1594
0
  gnutls_pubkey_t pubkey = NULL;
1595
0
  int ret;
1596
1597
0
  ret = gnutls_pubkey_init(&pubkey);
1598
0
  if (ret < 0)
1599
0
    return gnutls_assert_val(ret);
1600
1601
0
  ret = gnutls_pubkey_import_x509(pubkey, crt, 0);
1602
0
  if (ret < 0) {
1603
0
    gnutls_assert();
1604
0
    goto cleanup;
1605
0
  }
1606
1607
0
  ret = gnutls_pubkey_export2(pubkey, GNUTLS_X509_FMT_DER, rpubkey);
1608
0
  if (ret < 0) {
1609
0
    gnutls_assert();
1610
0
    goto cleanup;
1611
0
  }
1612
1613
0
  ret = 0;
1614
1615
0
cleanup:
1616
0
  gnutls_pubkey_deinit(pubkey);
1617
0
  return ret;
1618
0
}
1619
1620
/* Converts an X.509 certificate to subjectPublicKeyInfo */
1621
int _gnutls_x509_raw_crt_to_raw_pubkey(const gnutls_datum_t *cert,
1622
               gnutls_datum_t *rpubkey)
1623
0
{
1624
0
  gnutls_x509_crt_t crt = NULL;
1625
0
  int ret;
1626
1627
0
  ret = gnutls_x509_crt_init(&crt);
1628
0
  if (ret < 0)
1629
0
    return gnutls_assert_val(ret);
1630
1631
0
  ret = gnutls_x509_crt_import(crt, cert, GNUTLS_X509_FMT_DER);
1632
0
  if (ret < 0) {
1633
0
    gnutls_assert();
1634
0
    goto cleanup;
1635
0
  }
1636
1637
0
  ret = x509_crt_to_raw_pubkey(crt, rpubkey);
1638
0
cleanup:
1639
0
  gnutls_x509_crt_deinit(crt);
1640
1641
0
  return ret;
1642
0
}
1643
1644
unsigned _gnutls_check_valid_key_id(const gnutls_datum_t *key_id,
1645
            gnutls_x509_crt_t cert, time_t now,
1646
            unsigned *has_ski)
1647
0
{
1648
0
  uint8_t id[MAX_KEY_ID_SIZE];
1649
0
  size_t id_size;
1650
0
  unsigned result = 0;
1651
1652
0
  if (has_ski)
1653
0
    *has_ski = 0;
1654
1655
0
  if (now > gnutls_x509_crt_get_expiration_time(cert) ||
1656
0
      now < gnutls_x509_crt_get_activation_time(cert)) {
1657
    /* don't bother, certificate is not yet activated or expired */
1658
0
    gnutls_assert();
1659
0
    goto out;
1660
0
  }
1661
1662
0
  id_size = sizeof(id);
1663
0
  if (gnutls_x509_crt_get_subject_key_id(cert, id, &id_size, NULL) < 0) {
1664
0
    gnutls_assert();
1665
0
    goto out;
1666
0
  }
1667
1668
0
  if (has_ski)
1669
0
    *has_ski = 1;
1670
1671
0
  if (id_size == key_id->size && !memcmp(id, key_id->data, id_size))
1672
0
    result = 1;
1673
1674
0
out:
1675
0
  return result;
1676
0
}
1677
1678
/* Sort a certificate list in place with subject, issuer order. @clist_size must
1679
 * be equal to or less than %DEFAULT_MAX_VERIFY_DEPTH.
1680
 *
1681
 * Returns the index in clist where the initial contiguous segment ends. If the
1682
 * chain contains multiple segments separated by gaps (e.g., missing issuers),
1683
 * the caller shall call this function multiple times.
1684
 *
1685
 * For example, suppose we want the following certificate chain as a result of
1686
 * sorting:
1687
 *
1688
 *   A -> (B) -> C -> D -> E -> (F) -> G -> H -> I
1689
 *
1690
 * from the input [A, C, E, D, G, I, H] (B and F are missing).
1691
 *
1692
 * On the first call of this function:
1693
 *
1694
 *   _gnutls_sort_clist(clist, clist_size)
1695
 *
1696
 * it returns 1, meaning that the first segment only contains A.  The content of
1697
 * @clist will remain the same [A, C, E, D, G, I, H].
1698
 *
1699
 * Then the caller will call this function again, starting from the second
1700
 * element:
1701
 *
1702
 *   _gnutls_sort_clist(&clist[1], clist_size - 1)
1703
 *
1704
 * This time it returns 3, meaning that the first segment contains [C, D, E].
1705
 * The content of @clist will be [A, C, D, E, G, I, H].
1706
 *
1707
 * Finally, after calling the function on the remaining elements:
1708
 *
1709
 *   _gnutls_sort_clist(&clist[1 + 3], clist_size - (1 + 3))
1710
 *
1711
 * It will return 3, meaning that the first segment contains [G, H, I].  At this
1712
 * point, sorting of @clist is complete.
1713
 */
1714
unsigned int _gnutls_sort_clist(gnutls_x509_crt_t *clist,
1715
        unsigned int clist_size)
1716
0
{
1717
0
  int prev;
1718
0
  unsigned int i, j, k;
1719
0
  int issuer[DEFAULT_MAX_VERIFY_DEPTH]; /* contain the index of the issuers */
1720
0
  bool insorted[DEFAULT_MAX_VERIFY_DEPTH]; /* non zero if clist[i] used in sorted list */
1721
0
  gnutls_x509_crt_t sorted[DEFAULT_MAX_VERIFY_DEPTH];
1722
1723
  /* Limit the number of certificates in the chain, to avoid DoS
1724
   * because of the O(n^2) sorting below.  FIXME: Switch to a
1725
   * topological sort algorithm which should be linear to the
1726
   * number of certificates and subject-issuer relationships.
1727
   */
1728
0
  if (clist_size > DEFAULT_MAX_VERIFY_DEPTH) {
1729
0
    _gnutls_debug_log("too many certificates; skipping sorting\n");
1730
0
    return 1;
1731
0
  }
1732
1733
0
  for (i = 0; i < DEFAULT_MAX_VERIFY_DEPTH; i++) {
1734
0
    issuer[i] = -1;
1735
0
    insorted[i] = 0;
1736
0
  }
1737
1738
  /* Find the issuer of each certificate and store it
1739
   * in issuer array. O(n^2) so consider that before
1740
   * increasing DEFAULT_MAX_VERIFY_DEPTH.
1741
   */
1742
0
  for (i = 0; i < clist_size; i++) {
1743
    /* Self-signed certificate found in the chain; skip it
1744
     * as it should only appear in the trusted set.
1745
     */
1746
0
    if (gnutls_x509_crt_check_issuer(clist[i], clist[i])) {
1747
0
      _gnutls_cert_log("self-signed cert found", clist[i]);
1748
0
      continue;
1749
0
    }
1750
1751
0
    for (j = 1; j < clist_size; j++) {
1752
0
      if (i == j)
1753
0
        continue;
1754
1755
0
      if (gnutls_x509_crt_check_issuer(clist[i], clist[j])) {
1756
0
        issuer[i] = j;
1757
0
        break;
1758
0
      }
1759
0
    }
1760
0
  }
1761
1762
0
  sorted[0] = clist[0];
1763
0
  insorted[0] = 1;
1764
1765
0
  prev = 0;
1766
0
  for (i = 1; i < clist_size; i++) {
1767
0
    prev = issuer[prev];
1768
0
    if (prev < 0) { /* no issuer */
1769
0
      break;
1770
0
    }
1771
1772
0
    if (insorted[prev]) { /* loop detected */
1773
0
      break;
1774
0
    }
1775
1776
0
    sorted[i] = clist[prev];
1777
0
    insorted[prev] = 1;
1778
0
  }
1779
1780
  /* append the remaining certs */
1781
0
  for (j = 1, k = i; j < clist_size; j++) {
1782
0
    if (!insorted[j]) {
1783
0
      sorted[k++] = clist[j];
1784
0
    }
1785
0
  }
1786
1787
  /* write out the sorted list */
1788
0
  assert(k == clist_size);
1789
0
  for (j = 0; j < clist_size; j++) {
1790
0
    clist[j] = sorted[j];
1791
0
  }
1792
1793
0
  return i;
1794
0
}
1795
1796
int _gnutls_check_if_sorted(gnutls_x509_crt_t *crt, int nr)
1797
0
{
1798
0
  int i, ret;
1799
1800
  /* check if the X.509 list is ordered */
1801
0
  if (nr > 1) {
1802
0
    for (i = 0; i < nr; i++) {
1803
0
      if (i > 0) {
1804
0
        if (!_gnutls_x509_compare_raw_dn(
1805
0
              &crt[i]->raw_dn,
1806
0
              &crt[i - 1]->raw_issuer_dn)) {
1807
0
          ret = gnutls_assert_val(
1808
0
            GNUTLS_E_CERTIFICATE_LIST_UNSORTED);
1809
0
          goto cleanup;
1810
0
        }
1811
0
      }
1812
0
    }
1813
0
  }
1814
0
  ret = 0;
1815
1816
0
cleanup:
1817
0
  return ret;
1818
0
}
1819
1820
/**
1821
 * gnutls_gost_paramset_get_name:
1822
 * @param: is a GOST 28147 param set
1823
 *
1824
 * Convert a #gnutls_gost_paramset_t value to a string.
1825
 *
1826
 * Returns: a string that contains the name of the specified GOST param set,
1827
 *   or %NULL.
1828
 *
1829
 * Since: 3.6.3
1830
 **/
1831
const char *gnutls_gost_paramset_get_name(gnutls_gost_paramset_t param)
1832
0
{
1833
0
  switch (param) {
1834
0
  case GNUTLS_GOST_PARAMSET_TC26_Z:
1835
0
    return "TC26-Z";
1836
0
  case GNUTLS_GOST_PARAMSET_CP_A:
1837
0
    return "CryptoPro-A";
1838
0
  case GNUTLS_GOST_PARAMSET_CP_B:
1839
0
    return "CryptoPro-B";
1840
0
  case GNUTLS_GOST_PARAMSET_CP_C:
1841
0
    return "CryptoPro-C";
1842
0
  case GNUTLS_GOST_PARAMSET_CP_D:
1843
0
    return "CryptoPro-D";
1844
0
  default:
1845
0
    gnutls_assert();
1846
0
    return "Unknown";
1847
0
  }
1848
0
}
1849
1850
/**
1851
 * gnutls_gost_paramset_get_oid:
1852
 * @param: is a GOST 28147 param set
1853
 *
1854
 * Convert a #gnutls_gost_paramset_t value to its object identifier.
1855
 *
1856
 * Returns: a string that contains the object identifier of the specified GOST
1857
 *   param set, or %NULL.
1858
 *
1859
 * Since: 3.6.3
1860
 **/
1861
const char *gnutls_gost_paramset_get_oid(gnutls_gost_paramset_t param)
1862
0
{
1863
0
  switch (param) {
1864
0
  case GNUTLS_GOST_PARAMSET_TC26_Z:
1865
0
    return GOST28147_89_TC26Z_OID;
1866
0
  case GNUTLS_GOST_PARAMSET_CP_A:
1867
0
    return GOST28147_89_CPA_OID;
1868
0
  case GNUTLS_GOST_PARAMSET_CP_B:
1869
0
    return GOST28147_89_CPB_OID;
1870
0
  case GNUTLS_GOST_PARAMSET_CP_C:
1871
0
    return GOST28147_89_CPC_OID;
1872
0
  case GNUTLS_GOST_PARAMSET_CP_D:
1873
0
    return GOST28147_89_CPD_OID;
1874
0
  default:
1875
0
    gnutls_assert();
1876
0
    return NULL;
1877
0
  }
1878
0
}
1879
1880
/**
1881
 * gnutls_oid_to_gost_paramset:
1882
 * @oid: is an object identifier
1883
 *
1884
 * Converts a textual object identifier to a #gnutls_gost_paramset_t value.
1885
 *
1886
 * Returns: a #gnutls_gost_paramset_get_oid of the specified GOST 28147
1887
 *   param st, or %GNUTLS_GOST_PARAMSET_UNKNOWN on failure.
1888
 *
1889
 * Since: 3.6.3
1890
 **/
1891
gnutls_gost_paramset_t gnutls_oid_to_gost_paramset(const char *oid)
1892
0
{
1893
0
  if (!strcmp(oid, GOST28147_89_TC26Z_OID))
1894
0
    return GNUTLS_GOST_PARAMSET_TC26_Z;
1895
0
  else if (!strcmp(oid, GOST28147_89_CPA_OID))
1896
0
    return GNUTLS_GOST_PARAMSET_CP_A;
1897
0
  else if (!strcmp(oid, GOST28147_89_CPB_OID))
1898
0
    return GNUTLS_GOST_PARAMSET_CP_B;
1899
0
  else if (!strcmp(oid, GOST28147_89_CPC_OID))
1900
0
    return GNUTLS_GOST_PARAMSET_CP_C;
1901
0
  else if (!strcmp(oid, GOST28147_89_CPD_OID))
1902
0
    return GNUTLS_GOST_PARAMSET_CP_D;
1903
0
  else
1904
0
    return gnutls_assert_val(GNUTLS_GOST_PARAMSET_UNKNOWN);
1905
0
}
1906
1907
int _gnutls_x509_get_version(asn1_node root, const char *name)
1908
0
{
1909
0
  uint8_t version[8];
1910
0
  int len, result;
1911
1912
0
  len = sizeof(version);
1913
0
  result = asn1_read_value(root, name, version, &len);
1914
0
  if (result != ASN1_SUCCESS) {
1915
0
    if (result == ASN1_ELEMENT_NOT_FOUND)
1916
0
      return 1; /* the DEFAULT version */
1917
0
    gnutls_assert();
1918
0
    return _gnutls_asn2err(result);
1919
0
  }
1920
1921
0
  if (len != 1 || version[0] >= 0x80)
1922
0
    return gnutls_assert_val(GNUTLS_E_ASN1_DER_ERROR);
1923
1924
0
  return (int)version[0] + 1;
1925
0
}