/src/gnutls/lib/x509/common.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * Copyright (C) 2003-2014 Free Software Foundation, Inc. |
3 | | * Copyright (C) 2015-2016 Red Hat, Inc. |
4 | | * |
5 | | * Author: Nikos Mavrogiannopoulos |
6 | | * |
7 | | * This file is part of GnuTLS. |
8 | | * |
9 | | * The GnuTLS is free software; you can redistribute it and/or |
10 | | * modify it under the terms of the GNU Lesser General Public License |
11 | | * as published by the Free Software Foundation; either version 2.1 of |
12 | | * the License, or (at your option) any later version. |
13 | | * |
14 | | * This library is distributed in the hope that it will be useful, but |
15 | | * WITHOUT ANY WARRANTY; without even the implied warranty of |
16 | | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
17 | | * Lesser General Public License for more details. |
18 | | * |
19 | | * You should have received a copy of the GNU Lesser General Public License |
20 | | * along with this program. If not, see <https://www.gnu.org/licenses/> |
21 | | * |
22 | | */ |
23 | | |
24 | | #include "gnutls_int.h" |
25 | | #include <libtasn1.h> |
26 | | #include "datum.h" |
27 | | #include "global.h" |
28 | | #include "errors.h" |
29 | | #include "str.h" |
30 | | #include "x509.h" |
31 | | #include "num.h" |
32 | | #include "x509_b64.h" |
33 | | #include <c-strcase.h> |
34 | | #include "x509_int.h" |
35 | | #include "extras/hex.h" |
36 | | #include "common.h" |
37 | | |
38 | | static int data2hex(const void *data, size_t data_size, gnutls_datum_t *out); |
39 | | |
40 | | #define ENTRY(oid, ldap, asn, etype) \ |
41 | | { oid, sizeof(oid) - 1, ldap, sizeof(ldap) - 1, asn, etype } |
42 | | |
43 | | /* when there is no name description */ |
44 | | #define ENTRY_ND(oid, asn, etype) { oid, sizeof(oid) - 1, NULL, 0, asn, etype } |
45 | | |
46 | | /* This list contains all the OIDs that may be |
47 | | * contained in a rdnSequence and are printable. |
48 | | */ |
49 | | static const struct oid_to_string _oid2str[] = { |
50 | | /* PKIX |
51 | | */ |
52 | | ENTRY("1.3.6.1.5.5.7.9.2", "placeOfBirth", "PKIX1.DirectoryString", |
53 | | ASN1_ETYPE_INVALID), |
54 | | ENTRY("1.3.6.1.5.5.7.9.3", "gender", NULL, ASN1_ETYPE_PRINTABLE_STRING), |
55 | | ENTRY("1.3.6.1.5.5.7.9.4", "countryOfCitizenship", NULL, |
56 | | ASN1_ETYPE_PRINTABLE_STRING), |
57 | | ENTRY("1.3.6.1.5.5.7.9.5", "countryOfResidence", NULL, |
58 | | ASN1_ETYPE_PRINTABLE_STRING), |
59 | | |
60 | | ENTRY("2.5.4.6", "C", NULL, ASN1_ETYPE_PRINTABLE_STRING), |
61 | | ENTRY("2.5.4.9", "street", "PKIX1.DirectoryString", ASN1_ETYPE_INVALID), |
62 | | ENTRY("2.5.4.12", "title", "PKIX1.DirectoryString", ASN1_ETYPE_INVALID), |
63 | | ENTRY("2.5.4.10", "O", "PKIX1.DirectoryString", ASN1_ETYPE_INVALID), |
64 | | ENTRY("2.5.4.11", "OU", "PKIX1.DirectoryString", ASN1_ETYPE_INVALID), |
65 | | ENTRY("2.5.4.3", "CN", "PKIX1.DirectoryString", ASN1_ETYPE_INVALID), |
66 | | ENTRY("2.5.4.7", "L", "PKIX1.DirectoryString", ASN1_ETYPE_INVALID), |
67 | | ENTRY("2.5.4.8", "ST", "PKIX1.DirectoryString", ASN1_ETYPE_INVALID), |
68 | | ENTRY("2.5.4.13", "description", "PKIX1.DirectoryString", |
69 | | ASN1_ETYPE_INVALID), |
70 | | |
71 | | ENTRY("2.5.4.5", "serialNumber", NULL, ASN1_ETYPE_PRINTABLE_STRING), |
72 | | ENTRY("2.5.4.20", "telephoneNumber", NULL, ASN1_ETYPE_PRINTABLE_STRING), |
73 | | ENTRY("2.5.4.4", "surName", "PKIX1.DirectoryString", |
74 | | ASN1_ETYPE_INVALID), |
75 | | ENTRY("2.5.4.43", "initials", "PKIX1.DirectoryString", |
76 | | ASN1_ETYPE_INVALID), |
77 | | ENTRY("2.5.4.44", "generationQualifier", "PKIX1.DirectoryString", |
78 | | ASN1_ETYPE_INVALID), |
79 | | ENTRY("2.5.4.42", "givenName", "PKIX1.DirectoryString", |
80 | | ASN1_ETYPE_INVALID), |
81 | | ENTRY("2.5.4.65", "pseudonym", "PKIX1.DirectoryString", |
82 | | ASN1_ETYPE_INVALID), |
83 | | ENTRY("2.5.4.46", "dnQualifier", NULL, ASN1_ETYPE_PRINTABLE_STRING), |
84 | | ENTRY("2.5.4.17", "postalCode", "PKIX1.DirectoryString", |
85 | | ASN1_ETYPE_INVALID), |
86 | | ENTRY("2.5.4.41", "name", "PKIX1.DirectoryString", ASN1_ETYPE_INVALID), |
87 | | ENTRY("2.5.4.15", "businessCategory", "PKIX1.DirectoryString", |
88 | | ASN1_ETYPE_INVALID), |
89 | | |
90 | | ENTRY("0.9.2342.19200300.100.1.25", "DC", NULL, ASN1_ETYPE_IA5_STRING), |
91 | | ENTRY("0.9.2342.19200300.100.1.1", "UID", "PKIX1.DirectoryString", |
92 | | ASN1_ETYPE_INVALID), |
93 | | ENTRY("1.2.840.113556.1.4.656", "userPrincipalName", |
94 | | "PKIX1.DirectoryString", ASN1_ETYPE_INVALID), |
95 | | |
96 | | /* Extended validation |
97 | | */ |
98 | | ENTRY("1.3.6.1.4.1.311.60.2.1.1", |
99 | | "jurisdictionOfIncorporationLocalityName", |
100 | | "PKIX1.DirectoryString", ASN1_ETYPE_INVALID), |
101 | | ENTRY("1.3.6.1.4.1.311.60.2.1.2", |
102 | | "jurisdictionOfIncorporationStateOrProvinceName", |
103 | | "PKIX1.DirectoryString", ASN1_ETYPE_INVALID), |
104 | | ENTRY("1.3.6.1.4.1.311.60.2.1.3", |
105 | | "jurisdictionOfIncorporationCountryName", NULL, |
106 | | ASN1_ETYPE_PRINTABLE_STRING), |
107 | | |
108 | | /* PKCS #9 |
109 | | */ |
110 | | ENTRY("1.2.840.113549.1.9.1", "EMAIL", NULL, ASN1_ETYPE_IA5_STRING), |
111 | | ENTRY_ND("1.2.840.113549.1.9.7", "PKIX1.pkcs-9-challengePassword", |
112 | | ASN1_ETYPE_INVALID), |
113 | | |
114 | | /* friendly name */ |
115 | | ENTRY_ND("1.2.840.113549.1.9.20", NULL, ASN1_ETYPE_BMP_STRING), |
116 | | /* local key id */ |
117 | | ENTRY_ND("1.2.840.113549.1.9.21", NULL, ASN1_ETYPE_OCTET_STRING), |
118 | | ENTRY_ND("1.2.840.113549.1.9.4", NULL, ASN1_ETYPE_OCTET_STRING), |
119 | | |
120 | | /* rfc3920 section 5.1.1 */ |
121 | | ENTRY("1.3.6.1.5.5.7.8.5", "XmppAddr", NULL, ASN1_ETYPE_UTF8_STRING), |
122 | | |
123 | | /* Russian things: https://cdnimg.rg.ru/pril/66/91/91/23041_pril.pdf */ |
124 | | /* Main state registration number */ |
125 | | ENTRY("1.2.643.100.1", "OGRN", NULL, ASN1_ETYPE_NUMERIC_STRING), |
126 | | /* Individual insurance account number */ |
127 | | ENTRY("1.2.643.100.3", "SNILS", NULL, ASN1_ETYPE_NUMERIC_STRING), |
128 | | /* Main state registration number for individual enterpreneurs */ |
129 | | ENTRY("1.2.643.100.5", "OGRNIP", NULL, ASN1_ETYPE_NUMERIC_STRING), |
130 | | /* VAT identification number */ |
131 | | ENTRY("1.2.643.3.131.1.1", "INN", NULL, ASN1_ETYPE_NUMERIC_STRING), |
132 | | |
133 | | { NULL, 0, NULL, 0, NULL, 0 } |
134 | | }; |
135 | | |
136 | | const struct oid_to_string * |
137 | | _gnutls_oid_get_entry(const struct oid_to_string *ots, const char *oid) |
138 | 0 | { |
139 | 0 | unsigned int i = 0; |
140 | 0 | unsigned len = strlen(oid); |
141 | |
|
142 | 0 | do { |
143 | 0 | if (len == ots[i].oid_size && strcmp(ots[i].oid, oid) == 0) |
144 | 0 | return &ots[i]; |
145 | 0 | i++; |
146 | 0 | } while (ots[i].oid != NULL); |
147 | | |
148 | 0 | return NULL; |
149 | 0 | } |
150 | | |
151 | | const char *_gnutls_oid_get_asn_desc(const char *oid) |
152 | 0 | { |
153 | 0 | const struct oid_to_string *entry = |
154 | 0 | _gnutls_oid_get_entry(_oid2str, oid); |
155 | 0 | return entry ? entry->asn_desc : NULL; |
156 | 0 | } |
157 | | |
158 | | const char *_gnutls_ldap_string_to_oid(const char *str, unsigned str_len) |
159 | 0 | { |
160 | 0 | unsigned int i = 0; |
161 | |
|
162 | 0 | do { |
163 | 0 | if ((_oid2str[i].name_desc != NULL) && |
164 | 0 | (str_len == _oid2str[i].name_desc_size) && |
165 | 0 | (c_strncasecmp(_oid2str[i].name_desc, str, str_len) == 0)) |
166 | 0 | return _oid2str[i].oid; |
167 | 0 | i++; |
168 | 0 | } while (_oid2str[i].oid != NULL); |
169 | | |
170 | 0 | return NULL; |
171 | 0 | } |
172 | | |
173 | | /* Escapes a string following the rules from RFC4514. |
174 | | */ |
175 | | static int str_escape(const gnutls_datum_t *str, gnutls_datum_t *escaped) |
176 | 0 | { |
177 | 0 | unsigned int j, i; |
178 | 0 | uint8_t *buffer = NULL; |
179 | 0 | int ret; |
180 | |
|
181 | 0 | if (str == NULL) |
182 | 0 | return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); |
183 | | |
184 | | /* the string will be at most twice the original */ |
185 | 0 | buffer = gnutls_malloc(str->size * 2 + 2); |
186 | 0 | if (buffer == NULL) |
187 | 0 | return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); |
188 | | |
189 | 0 | for (i = j = 0; i < str->size; i++) { |
190 | 0 | if (str->data[i] == 0) { |
191 | | /* this is handled earlier */ |
192 | 0 | ret = gnutls_assert_val(GNUTLS_E_ASN1_DER_ERROR); |
193 | 0 | goto cleanup; |
194 | 0 | } |
195 | | |
196 | 0 | if (str->data[i] == ',' || str->data[i] == '+' || |
197 | 0 | str->data[i] == '"' || str->data[i] == '\\' || |
198 | 0 | str->data[i] == '<' || str->data[i] == '>' || |
199 | 0 | str->data[i] == ';' || str->data[i] == 0) |
200 | 0 | buffer[j++] = '\\'; |
201 | 0 | else if (i == 0 && str->data[i] == '#') |
202 | 0 | buffer[j++] = '\\'; |
203 | 0 | else if (i == 0 && str->data[i] == ' ') |
204 | 0 | buffer[j++] = '\\'; |
205 | 0 | else if (i == (str->size - 1) && str->data[i] == ' ') |
206 | 0 | buffer[j++] = '\\'; |
207 | |
|
208 | 0 | buffer[j++] = str->data[i]; |
209 | 0 | } |
210 | | |
211 | | /* null terminate the string */ |
212 | 0 | buffer[j] = 0; |
213 | 0 | escaped->data = buffer; |
214 | 0 | escaped->size = j; |
215 | |
|
216 | 0 | return 0; |
217 | 0 | cleanup: |
218 | 0 | gnutls_free(buffer); |
219 | 0 | return ret; |
220 | 0 | } |
221 | | |
222 | | /** |
223 | | * gnutls_x509_dn_oid_known: |
224 | | * @oid: holds an Object Identifier in a null terminated string |
225 | | * |
226 | | * This function will inform about known DN OIDs. This is useful since |
227 | | * functions like gnutls_x509_crt_set_dn_by_oid() use the information |
228 | | * on known OIDs to properly encode their input. Object Identifiers |
229 | | * that are not known are not encoded by these functions, and their |
230 | | * input is stored directly into the ASN.1 structure. In that case of |
231 | | * unknown OIDs, you have the responsibility of DER encoding your |
232 | | * data. |
233 | | * |
234 | | * Returns: 1 on known OIDs and 0 otherwise. |
235 | | **/ |
236 | | int gnutls_x509_dn_oid_known(const char *oid) |
237 | 0 | { |
238 | 0 | return _gnutls_oid_get_entry(_oid2str, oid) != NULL; |
239 | 0 | } |
240 | | |
241 | | /** |
242 | | * gnutls_x509_dn_oid_name: |
243 | | * @oid: holds an Object Identifier in a null terminated string |
244 | | * @flags: 0 or GNUTLS_X509_DN_OID_* |
245 | | * |
246 | | * This function will return the name of a known DN OID. If |
247 | | * %GNUTLS_X509_DN_OID_RETURN_OID is specified this function |
248 | | * will return the given OID if no descriptive name has been |
249 | | * found. |
250 | | * |
251 | | * Returns: A null terminated string or NULL otherwise. |
252 | | * |
253 | | * Since: 3.0 |
254 | | **/ |
255 | | const char *gnutls_x509_dn_oid_name(const char *oid, unsigned int flags) |
256 | 0 | { |
257 | 0 | const struct oid_to_string *entry = |
258 | 0 | _gnutls_oid_get_entry(_oid2str, oid); |
259 | |
|
260 | 0 | if (entry && entry->name_desc) |
261 | 0 | return entry->name_desc; |
262 | 0 | if (flags & GNUTLS_X509_DN_OID_RETURN_OID) |
263 | 0 | return oid; |
264 | 0 | else |
265 | 0 | return NULL; |
266 | 0 | } |
267 | | |
268 | | static int make_printable_string(unsigned etype, const gnutls_datum_t *input, |
269 | | gnutls_datum_t *out) |
270 | 0 | { |
271 | 0 | int printable = 0; |
272 | 0 | int ret; |
273 | | |
274 | | /* empty input strings result to a null string */ |
275 | 0 | if (input->data == NULL || input->size == 0) { |
276 | 0 | out->data = gnutls_calloc(1, 1); |
277 | 0 | if (out->data == NULL) |
278 | 0 | return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); |
279 | 0 | out->size = 0; |
280 | 0 | return 0; |
281 | 0 | } |
282 | | |
283 | 0 | if (etype == ASN1_ETYPE_BMP_STRING) { |
284 | 0 | ret = _gnutls_ucs2_to_utf8(input->data, input->size, out, 1); |
285 | 0 | if (ret < 0) { |
286 | | /* could not convert. Handle it as non-printable */ |
287 | 0 | printable = 0; |
288 | 0 | } else |
289 | 0 | printable = 1; |
290 | 0 | } else if (etype == ASN1_ETYPE_TELETEX_STRING) { |
291 | | /* HACK: if the teletex string contains only ascii |
292 | | * characters then treat it as printable. |
293 | | */ |
294 | 0 | if (_gnutls_str_is_print((char *)input->data, input->size)) { |
295 | 0 | out->data = gnutls_malloc(input->size + 1); |
296 | 0 | if (out->data == NULL) |
297 | 0 | return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); |
298 | | |
299 | 0 | memcpy(out->data, input->data, input->size); |
300 | 0 | out->size = input->size; |
301 | |
|
302 | 0 | out->data[out->size] = 0; |
303 | |
|
304 | 0 | printable = 1; |
305 | 0 | } |
306 | 0 | } else if (etype != |
307 | 0 | ASN1_ETYPE_UNIVERSAL_STRING) /* supported but not printable */ |
308 | 0 | return GNUTLS_E_INVALID_REQUEST; |
309 | | |
310 | 0 | if (printable == 0) { /* need to allocate out */ |
311 | 0 | ret = data2hex(input->data, input->size, out); |
312 | 0 | if (ret < 0) { |
313 | 0 | gnutls_assert(); |
314 | 0 | return ret; |
315 | 0 | } |
316 | 0 | } |
317 | | |
318 | 0 | return 0; |
319 | 0 | } |
320 | | |
321 | | static int decode_complex_string(const struct oid_to_string *oentry, |
322 | | void *value, int value_size, |
323 | | gnutls_datum_t *out) |
324 | 0 | { |
325 | 0 | char str[MAX_STRING_LEN], tmpname[128]; |
326 | 0 | int len = -1, result; |
327 | 0 | asn1_node tmpasn = NULL; |
328 | 0 | char asn1_err[ASN1_MAX_ERROR_DESCRIPTION_SIZE] = ""; |
329 | 0 | unsigned int etype; |
330 | 0 | gnutls_datum_t td = { NULL, 0 }; |
331 | |
|
332 | 0 | if (oentry->asn_desc == NULL) { |
333 | 0 | gnutls_assert(); |
334 | 0 | return GNUTLS_E_INTERNAL_ERROR; |
335 | 0 | } |
336 | | |
337 | 0 | if ((result = asn1_create_element(_gnutls_get_pkix(), oentry->asn_desc, |
338 | 0 | &tmpasn)) != ASN1_SUCCESS) { |
339 | 0 | gnutls_assert(); |
340 | 0 | return _gnutls_asn2err(result); |
341 | 0 | } |
342 | | |
343 | 0 | if ((result = _asn1_strict_der_decode(&tmpasn, value, value_size, |
344 | 0 | asn1_err)) != ASN1_SUCCESS) { |
345 | 0 | gnutls_assert(); |
346 | 0 | _gnutls_debug_log("_asn1_strict_der_decode: %s\n", asn1_err); |
347 | 0 | asn1_delete_structure(&tmpasn); |
348 | 0 | return _gnutls_asn2err(result); |
349 | 0 | } |
350 | | |
351 | | /* Read the type of choice. |
352 | | */ |
353 | 0 | len = sizeof(str) - 1; |
354 | 0 | if ((result = asn1_read_value(tmpasn, "", str, &len)) != |
355 | 0 | ASN1_SUCCESS) { /* CHOICE */ |
356 | 0 | gnutls_assert(); |
357 | 0 | asn1_delete_structure(&tmpasn); |
358 | 0 | return _gnutls_asn2err(result); |
359 | 0 | } |
360 | | |
361 | 0 | str[len] = 0; |
362 | | |
363 | | /* We set the etype on the strings that may need |
364 | | * some conversion to UTF-8. The INVALID flag indicates |
365 | | * no conversion needed */ |
366 | 0 | if (strcmp(str, "teletexString") == 0) |
367 | 0 | etype = ASN1_ETYPE_TELETEX_STRING; |
368 | 0 | else if (strcmp(str, "bmpString") == 0) |
369 | 0 | etype = ASN1_ETYPE_BMP_STRING; |
370 | 0 | else if (strcmp(str, "universalString") == 0) |
371 | 0 | etype = ASN1_ETYPE_UNIVERSAL_STRING; |
372 | 0 | else |
373 | 0 | etype = ASN1_ETYPE_INVALID; |
374 | |
|
375 | 0 | _gnutls_str_cpy(tmpname, sizeof(tmpname), str); |
376 | |
|
377 | 0 | result = _gnutls_x509_read_value(tmpasn, tmpname, &td); |
378 | 0 | asn1_delete_structure(&tmpasn); |
379 | 0 | if (result < 0) |
380 | 0 | return gnutls_assert_val(result); |
381 | | |
382 | 0 | if (etype != ASN1_ETYPE_INVALID) { |
383 | 0 | result = make_printable_string(etype, &td, out); |
384 | |
|
385 | 0 | _gnutls_free_datum(&td); |
386 | |
|
387 | 0 | if (result < 0) |
388 | 0 | return gnutls_assert_val(result); |
389 | 0 | } else { |
390 | 0 | out->data = td.data; |
391 | 0 | out->size = td.size; |
392 | | /* _gnutls_x509_read_value always null terminates */ |
393 | 0 | } |
394 | | |
395 | 0 | assert(out->data != NULL); |
396 | | |
397 | | /* Refuse to deal with strings containing NULs. */ |
398 | 0 | if (strlen((void *)out->data) != (size_t)out->size) { |
399 | 0 | _gnutls_free_datum(out); |
400 | 0 | return gnutls_assert_val(GNUTLS_E_ASN1_EMBEDDED_NULL_IN_STRING); |
401 | 0 | } |
402 | | |
403 | 0 | return 0; |
404 | 0 | } |
405 | | |
406 | | /* This function will convert an attribute value, specified by the OID, |
407 | | * to a string. The result will be a null terminated string. |
408 | | * |
409 | | * res may be null. This will just return the res_size, needed to |
410 | | * hold the string. |
411 | | */ |
412 | | int _gnutls_x509_dn_to_string(const char *oid, void *value, int value_size, |
413 | | gnutls_datum_t *str) |
414 | 0 | { |
415 | 0 | const struct oid_to_string *oentry; |
416 | 0 | int ret; |
417 | 0 | gnutls_datum_t tmp = { NULL, 0 }; |
418 | |
|
419 | 0 | if (value == NULL || value_size <= 0) { |
420 | 0 | gnutls_assert(); |
421 | 0 | return GNUTLS_E_INVALID_REQUEST; |
422 | 0 | } |
423 | | |
424 | 0 | oentry = _gnutls_oid_get_entry(_oid2str, oid); |
425 | 0 | if (oentry == NULL) { /* unknown OID -> hex */ |
426 | 0 | unknown_oid: |
427 | 0 | ret = data2hex(value, value_size, str); |
428 | 0 | if (ret < 0) { |
429 | 0 | gnutls_assert(); |
430 | 0 | return ret; |
431 | 0 | } |
432 | 0 | return 0; |
433 | 0 | } |
434 | | |
435 | 0 | if (oentry->asn_desc != NULL) { /* complex */ |
436 | 0 | ret = decode_complex_string(oentry, value, value_size, &tmp); |
437 | 0 | if (ret < 0) { |
438 | | /* we failed decoding -> handle it as unknown OID */ |
439 | 0 | goto unknown_oid; |
440 | 0 | } |
441 | 0 | } else { |
442 | 0 | ret = _gnutls_x509_decode_string(oentry->etype, value, |
443 | 0 | value_size, &tmp, 0); |
444 | 0 | if (ret < 0) { |
445 | | /* we failed decoding -> handle it as unknown OID */ |
446 | 0 | goto unknown_oid; |
447 | 0 | } |
448 | 0 | } |
449 | | |
450 | 0 | ret = str_escape(&tmp, str); |
451 | 0 | _gnutls_free_datum(&tmp); |
452 | |
|
453 | 0 | if (ret < 0) |
454 | 0 | return gnutls_assert_val(ret); |
455 | | |
456 | 0 | return 0; |
457 | 0 | } |
458 | | |
459 | | /* Converts a data string to an LDAP rfc2253 hex string |
460 | | * something like '#01020304' |
461 | | */ |
462 | | static int data2hex(const void *data, size_t data_size, gnutls_datum_t *out) |
463 | 0 | { |
464 | 0 | gnutls_datum_t tmp, td; |
465 | 0 | int ret; |
466 | 0 | size_t size; |
467 | |
|
468 | 0 | td.size = hex_str_size(data_size) + 1; /* +1 for '#' */ |
469 | 0 | td.data = gnutls_malloc(td.size); |
470 | 0 | if (td.data == NULL) |
471 | 0 | return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); |
472 | | |
473 | 0 | tmp.data = (void *)data; |
474 | 0 | tmp.size = data_size; |
475 | |
|
476 | 0 | td.data[0] = '#'; |
477 | 0 | size = td.size - 1; /* don't include '#' */ |
478 | 0 | ret = gnutls_hex_encode(&tmp, (char *)&td.data[1], &size); |
479 | 0 | if (ret < 0) { |
480 | 0 | gnutls_assert(); |
481 | 0 | gnutls_free(td.data); |
482 | 0 | return GNUTLS_E_SHORT_MEMORY_BUFFER; |
483 | 0 | } |
484 | | |
485 | 0 | td.size--; /* don't include null */ |
486 | |
|
487 | 0 | out->data = td.data; |
488 | 0 | out->size = td.size; |
489 | |
|
490 | 0 | return 0; |
491 | 0 | } |
492 | | |
493 | | gnutls_x509_subject_alt_name_t _gnutls_x509_san_find_type(char *str_type) |
494 | 0 | { |
495 | 0 | if (strcmp(str_type, "dNSName") == 0) |
496 | 0 | return GNUTLS_SAN_DNSNAME; |
497 | 0 | if (strcmp(str_type, "rfc822Name") == 0) |
498 | 0 | return GNUTLS_SAN_RFC822NAME; |
499 | 0 | if (strcmp(str_type, "uniformResourceIdentifier") == 0) |
500 | 0 | return GNUTLS_SAN_URI; |
501 | 0 | if (strcmp(str_type, "iPAddress") == 0) |
502 | 0 | return GNUTLS_SAN_IPADDRESS; |
503 | 0 | if (strcmp(str_type, "otherName") == 0) |
504 | 0 | return GNUTLS_SAN_OTHERNAME; |
505 | 0 | if (strcmp(str_type, "directoryName") == 0) |
506 | 0 | return GNUTLS_SAN_DN; |
507 | 0 | if (strcmp(str_type, "registeredID") == 0) |
508 | 0 | return GNUTLS_SAN_REGISTERED_ID; |
509 | | |
510 | 0 | return (gnutls_x509_subject_alt_name_t)-1; |
511 | 0 | } |
512 | | |
513 | | /* A generic export function. Will export the given ASN.1 encoded data |
514 | | * to PEM or DER raw data. |
515 | | */ |
516 | | int _gnutls_x509_export_int_named(asn1_node asn1_data, const char *name, |
517 | | gnutls_x509_crt_fmt_t format, |
518 | | const char *pem_header, |
519 | | unsigned char *output_data, |
520 | | size_t *output_data_size) |
521 | 0 | { |
522 | 0 | int ret; |
523 | 0 | gnutls_datum_t out = { NULL, 0 }; |
524 | 0 | size_t size; |
525 | |
|
526 | 0 | ret = _gnutls_x509_export_int_named2(asn1_data, name, format, |
527 | 0 | pem_header, &out); |
528 | 0 | if (ret < 0) |
529 | 0 | return gnutls_assert_val(ret); |
530 | | |
531 | 0 | if (format == GNUTLS_X509_FMT_PEM) |
532 | 0 | size = out.size + 1; |
533 | 0 | else |
534 | 0 | size = out.size; |
535 | |
|
536 | 0 | if (*output_data_size < size) { |
537 | 0 | *output_data_size = size; |
538 | 0 | ret = gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER); |
539 | 0 | goto cleanup; |
540 | 0 | } |
541 | | |
542 | 0 | *output_data_size = (size_t)out.size; |
543 | 0 | if (output_data) { |
544 | 0 | if (out.size > 0) { |
545 | 0 | memcpy(output_data, out.data, (size_t)out.size); |
546 | 0 | } |
547 | 0 | if (format == GNUTLS_X509_FMT_PEM) |
548 | 0 | output_data[out.size] = 0; |
549 | 0 | } |
550 | |
|
551 | 0 | ret = 0; |
552 | |
|
553 | 0 | cleanup: |
554 | 0 | gnutls_free(out.data); |
555 | |
|
556 | 0 | return ret; |
557 | 0 | } |
558 | | |
559 | | /* A generic export function. Will export the given ASN.1 encoded data |
560 | | * to PEM or DER raw data. |
561 | | */ |
562 | | int _gnutls_x509_export_int_named2(asn1_node asn1_data, const char *name, |
563 | | gnutls_x509_crt_fmt_t format, |
564 | | const char *pem_header, gnutls_datum_t *out) |
565 | 0 | { |
566 | 0 | int ret; |
567 | |
|
568 | 0 | if (format == GNUTLS_X509_FMT_DER) { |
569 | 0 | ret = _gnutls_x509_der_encode(asn1_data, name, out, 0); |
570 | 0 | if (ret < 0) |
571 | 0 | return gnutls_assert_val(ret); |
572 | 0 | } else { /* PEM */ |
573 | 0 | gnutls_datum_t tmp; |
574 | |
|
575 | 0 | ret = _gnutls_x509_der_encode(asn1_data, name, &tmp, 0); |
576 | 0 | if (ret < 0) |
577 | 0 | return gnutls_assert_val(ret); |
578 | | |
579 | 0 | ret = _gnutls_fbase64_encode(pem_header, tmp.data, tmp.size, |
580 | 0 | out); |
581 | 0 | _gnutls_free_datum(&tmp); |
582 | |
|
583 | 0 | if (ret < 0) |
584 | 0 | return gnutls_assert_val(ret); |
585 | 0 | } |
586 | | |
587 | 0 | return 0; |
588 | 0 | } |
589 | | |
590 | | /* Decodes an octet string. The etype specifies the string type. |
591 | | * The returned string is always null terminated (but null is not |
592 | | * included in size). |
593 | | */ |
594 | | int _gnutls_x509_decode_string(unsigned int etype, const uint8_t *der, |
595 | | size_t der_size, gnutls_datum_t *output, |
596 | | unsigned allow_ber) |
597 | 0 | { |
598 | 0 | long ret; |
599 | 0 | uint8_t *str; |
600 | 0 | unsigned int str_size, len; |
601 | 0 | gnutls_datum_t td; |
602 | 0 | int tag_len, len_len; |
603 | 0 | unsigned char class; |
604 | 0 | unsigned long tag; |
605 | |
|
606 | 0 | output->data = NULL; |
607 | 0 | output->size = 0; |
608 | | |
609 | | /* asn1_decode_simple_{ber,der} don't accept empty string, |
610 | | * check it beforehand. |
611 | | */ |
612 | 0 | ret = asn1_get_tag_der(der, der_size, &class, &tag_len, &tag); |
613 | 0 | if (ret != ASN1_SUCCESS) { |
614 | 0 | gnutls_assert(); |
615 | 0 | ret = _gnutls_asn2err(ret); |
616 | 0 | return ret; |
617 | 0 | } |
618 | | |
619 | 0 | if (allow_ber) |
620 | 0 | ret = asn1_get_length_ber(der + tag_len, der_size - tag_len, |
621 | 0 | &len_len); |
622 | 0 | else |
623 | 0 | ret = asn1_get_length_der(der + tag_len, der_size - tag_len, |
624 | 0 | &len_len); |
625 | 0 | if (ret == 0) { |
626 | 0 | output->data = NULL; |
627 | 0 | output->size = 0; |
628 | 0 | return 0; |
629 | 0 | } |
630 | | |
631 | 0 | if (allow_ber) |
632 | 0 | ret = asn1_decode_simple_ber(etype, der, der_size, &str, |
633 | 0 | &str_size, NULL); |
634 | 0 | else |
635 | 0 | ret = asn1_decode_simple_der(etype, der, der_size, |
636 | 0 | (const uint8_t **)&str, &str_size); |
637 | 0 | if (ret != ASN1_SUCCESS) { |
638 | 0 | gnutls_assert(); |
639 | 0 | ret = _gnutls_asn2err(ret); |
640 | 0 | return ret; |
641 | 0 | } |
642 | | |
643 | 0 | td.size = str_size; |
644 | 0 | td.data = gnutls_malloc(str_size + 1); |
645 | 0 | if (td.data == NULL) |
646 | 0 | return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); |
647 | | |
648 | 0 | if (str_size > 0) |
649 | 0 | memcpy(td.data, str, str_size); |
650 | 0 | td.data[str_size] = 0; |
651 | |
|
652 | 0 | if (allow_ber) |
653 | 0 | free(str); |
654 | |
|
655 | 0 | ret = make_printable_string(etype, &td, output); |
656 | 0 | if (ret == GNUTLS_E_INVALID_REQUEST) { /* unsupported etype */ |
657 | 0 | output->data = td.data; |
658 | 0 | output->size = td.size; |
659 | 0 | ret = 0; |
660 | 0 | } else if (ret <= 0) { |
661 | 0 | _gnutls_free_datum(&td); |
662 | 0 | } |
663 | | |
664 | | /* Refuse to deal with strings containing NULs. */ |
665 | 0 | if (etype != ASN1_ETYPE_OCTET_STRING) { |
666 | 0 | if (output->data) |
667 | 0 | len = strlen((void *)output->data); |
668 | 0 | else |
669 | 0 | len = 0; |
670 | |
|
671 | 0 | if (len != (size_t)output->size) { |
672 | 0 | _gnutls_free_datum(output); |
673 | 0 | ret = gnutls_assert_val( |
674 | 0 | GNUTLS_E_ASN1_EMBEDDED_NULL_IN_STRING); |
675 | 0 | } |
676 | 0 | } |
677 | |
|
678 | 0 | return ret; |
679 | 0 | } |
680 | | |
681 | | /* Reads a value from an ASN1 tree, and puts the output |
682 | | * in an allocated variable in the given datum. |
683 | | * |
684 | | * Note that this function always allocates one plus |
685 | | * the required data size (and places a null byte). |
686 | | */ |
687 | | static int x509_read_value(asn1_node c, const char *root, gnutls_datum_t *ret, |
688 | | unsigned allow_null) |
689 | 0 | { |
690 | 0 | int len = 0, result; |
691 | 0 | uint8_t *tmp = NULL; |
692 | 0 | unsigned int etype; |
693 | |
|
694 | 0 | result = asn1_read_value_type(c, root, NULL, &len, &etype); |
695 | 0 | if (result == 0 && allow_null == 0 && len == 0) { |
696 | | /* don't allow null strings */ |
697 | 0 | return gnutls_assert_val(GNUTLS_E_ASN1_DER_ERROR); |
698 | 0 | } else if (result == 0 && allow_null == 0 && |
699 | 0 | etype == ASN1_ETYPE_OBJECT_ID && len == 1) { |
700 | 0 | return gnutls_assert_val(GNUTLS_E_ASN1_DER_ERROR); |
701 | 0 | } |
702 | | |
703 | 0 | if (result != ASN1_MEM_ERROR) { |
704 | 0 | if (result != ASN1_SUCCESS || allow_null == 0 || len != 0) { |
705 | 0 | result = _gnutls_asn2err(result); |
706 | 0 | return result; |
707 | 0 | } |
708 | 0 | } |
709 | | |
710 | 0 | if (etype == ASN1_ETYPE_BIT_STRING) { |
711 | 0 | len = (len + 7) / 8; |
712 | 0 | } |
713 | |
|
714 | 0 | tmp = gnutls_malloc((size_t)len + 1); |
715 | 0 | if (tmp == NULL) { |
716 | 0 | gnutls_assert(); |
717 | 0 | result = GNUTLS_E_MEMORY_ERROR; |
718 | 0 | goto cleanup; |
719 | 0 | } |
720 | | |
721 | 0 | if (len > 0) { |
722 | 0 | result = asn1_read_value(c, root, tmp, &len); |
723 | 0 | if (result != ASN1_SUCCESS) { |
724 | 0 | gnutls_assert(); |
725 | 0 | result = _gnutls_asn2err(result); |
726 | 0 | goto cleanup; |
727 | 0 | } |
728 | | |
729 | 0 | switch (etype) { |
730 | 0 | case ASN1_ETYPE_BIT_STRING: |
731 | 0 | ret->size = (len + 7) / 8; |
732 | 0 | break; |
733 | 0 | case ASN1_ETYPE_OBJECT_ID: |
734 | 0 | if (len > 0) { |
735 | 0 | ret->size = len - 1; |
736 | 0 | } else { |
737 | 0 | result = gnutls_assert_val( |
738 | 0 | GNUTLS_E_ASN1_DER_ERROR); |
739 | 0 | goto cleanup; |
740 | 0 | } |
741 | 0 | break; |
742 | 0 | default: |
743 | 0 | ret->size = (unsigned)len; |
744 | 0 | break; |
745 | 0 | } |
746 | 0 | } else { |
747 | 0 | ret->size = 0; |
748 | 0 | } |
749 | | |
750 | 0 | tmp[ret->size] = 0; |
751 | 0 | ret->data = tmp; |
752 | |
|
753 | 0 | return 0; |
754 | | |
755 | 0 | cleanup: |
756 | 0 | gnutls_free(tmp); |
757 | 0 | return result; |
758 | 0 | } |
759 | | |
760 | | int _gnutls_x509_read_value(asn1_node c, const char *root, gnutls_datum_t *ret) |
761 | 0 | { |
762 | 0 | return x509_read_value(c, root, ret, 0); |
763 | 0 | } |
764 | | |
765 | | int _gnutls_x509_read_null_value(asn1_node c, const char *root, |
766 | | gnutls_datum_t *ret) |
767 | 0 | { |
768 | 0 | return x509_read_value(c, root, ret, 1); |
769 | 0 | } |
770 | | |
771 | | /* Reads a value from an ASN1 tree, then interprets it as the provided |
772 | | * type of string and returns the output in an allocated variable. |
773 | | * |
774 | | * Note that this function always places a null character |
775 | | * at the end of a readable string value (which is not accounted into size) |
776 | | */ |
777 | | int _gnutls_x509_read_string(asn1_node c, const char *root, gnutls_datum_t *ret, |
778 | | unsigned int etype, unsigned int allow_ber) |
779 | 0 | { |
780 | 0 | int len = 0, result; |
781 | 0 | size_t slen; |
782 | 0 | uint8_t *tmp = NULL; |
783 | 0 | unsigned rtype; |
784 | |
|
785 | 0 | result = asn1_read_value_type(c, root, NULL, &len, &rtype); |
786 | 0 | if (result != ASN1_MEM_ERROR) { |
787 | 0 | gnutls_assert(); |
788 | 0 | result = _gnutls_asn2err(result); |
789 | 0 | return result; |
790 | 0 | } |
791 | | |
792 | 0 | if (rtype == ASN1_ETYPE_BIT_STRING) |
793 | 0 | len /= 8; |
794 | |
|
795 | 0 | tmp = gnutls_malloc((size_t)len + 1); |
796 | 0 | if (tmp == NULL) { |
797 | 0 | gnutls_assert(); |
798 | 0 | result = GNUTLS_E_MEMORY_ERROR; |
799 | 0 | goto cleanup; |
800 | 0 | } |
801 | | |
802 | 0 | result = asn1_read_value(c, root, tmp, &len); |
803 | 0 | if (result != ASN1_SUCCESS) { |
804 | 0 | gnutls_assert(); |
805 | 0 | result = _gnutls_asn2err(result); |
806 | 0 | goto cleanup; |
807 | 0 | } |
808 | | |
809 | 0 | if (rtype == ASN1_ETYPE_BIT_STRING) |
810 | 0 | len /= 8; |
811 | | |
812 | | /* Extract the STRING. |
813 | | */ |
814 | 0 | slen = (size_t)len; |
815 | |
|
816 | 0 | result = _gnutls_x509_decode_string(etype, tmp, slen, ret, allow_ber); |
817 | 0 | if (result < 0) { |
818 | 0 | gnutls_assert(); |
819 | 0 | goto cleanup; |
820 | 0 | } |
821 | 0 | gnutls_free(tmp); |
822 | |
|
823 | 0 | return 0; |
824 | | |
825 | 0 | cleanup: |
826 | 0 | gnutls_free(tmp); |
827 | 0 | return result; |
828 | 0 | } |
829 | | |
830 | | /* The string type should be IA5String, UTF8String etc. Leave |
831 | | * null for octet string */ |
832 | | int _gnutls_x509_encode_string(unsigned int etype, const void *input_data, |
833 | | size_t input_size, gnutls_datum_t *output) |
834 | 0 | { |
835 | 0 | uint8_t tl[ASN1_MAX_TL_SIZE]; |
836 | 0 | unsigned int tl_size; |
837 | 0 | int ret; |
838 | |
|
839 | 0 | tl_size = sizeof(tl); |
840 | 0 | ret = asn1_encode_simple_der(etype, input_data, input_size, tl, |
841 | 0 | &tl_size); |
842 | 0 | if (ret != ASN1_SUCCESS) { |
843 | 0 | gnutls_assert(); |
844 | 0 | ret = _gnutls_asn2err(ret); |
845 | 0 | return ret; |
846 | 0 | } |
847 | | |
848 | 0 | output->data = gnutls_malloc(tl_size + input_size); |
849 | 0 | if (output->data == NULL) |
850 | 0 | return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); |
851 | | |
852 | 0 | memcpy(output->data, tl, tl_size); |
853 | 0 | memcpy(output->data + tl_size, input_data, input_size); |
854 | |
|
855 | 0 | output->size = tl_size + input_size; |
856 | |
|
857 | 0 | return 0; |
858 | 0 | } |
859 | | |
860 | | /* DER Encodes the src asn1_node and stores it to |
861 | | * the given datum. If str is non zero then the data are encoded as |
862 | | * an OCTET STRING. |
863 | | */ |
864 | | int _gnutls_x509_der_encode(asn1_node src, const char *src_name, |
865 | | gnutls_datum_t *res, int str) |
866 | 0 | { |
867 | 0 | int size, result; |
868 | 0 | int asize; |
869 | 0 | uint8_t *data = NULL; |
870 | 0 | asn1_node c2 = NULL; |
871 | |
|
872 | 0 | size = 0; |
873 | 0 | result = asn1_der_coding(src, src_name, NULL, &size, NULL); |
874 | | /* this check explicitly covers the case where size == 0 && result == 0 */ |
875 | 0 | if (result != ASN1_MEM_ERROR) { |
876 | 0 | gnutls_assert(); |
877 | 0 | return _gnutls_asn2err(result); |
878 | 0 | } |
879 | | |
880 | | /* allocate data for the der |
881 | | */ |
882 | | |
883 | 0 | if (str) |
884 | 0 | size += 16; /* for later to include the octet tags */ |
885 | 0 | asize = size; |
886 | |
|
887 | 0 | data = gnutls_malloc((size_t)size); |
888 | 0 | if (data == NULL) { |
889 | 0 | gnutls_assert(); |
890 | 0 | return GNUTLS_E_MEMORY_ERROR; |
891 | 0 | } |
892 | | |
893 | 0 | result = asn1_der_coding(src, src_name, data, &size, NULL); |
894 | 0 | if (result != ASN1_SUCCESS) { |
895 | 0 | gnutls_assert(); |
896 | 0 | result = _gnutls_asn2err(result); |
897 | 0 | goto cleanup; |
898 | 0 | } |
899 | | |
900 | 0 | if (str) { |
901 | 0 | if ((result = asn1_create_element(_gnutls_get_pkix(), |
902 | 0 | "PKIX1.pkcs-7-Data", &c2)) != |
903 | 0 | ASN1_SUCCESS) { |
904 | 0 | gnutls_assert(); |
905 | 0 | result = _gnutls_asn2err(result); |
906 | 0 | goto cleanup; |
907 | 0 | } |
908 | | |
909 | 0 | result = asn1_write_value(c2, "", data, size); |
910 | 0 | if (result != ASN1_SUCCESS) { |
911 | 0 | gnutls_assert(); |
912 | 0 | result = _gnutls_asn2err(result); |
913 | 0 | goto cleanup; |
914 | 0 | } |
915 | | |
916 | 0 | result = asn1_der_coding(c2, "", data, &asize, NULL); |
917 | 0 | if (result != ASN1_SUCCESS) { |
918 | 0 | gnutls_assert(); |
919 | 0 | result = _gnutls_asn2err(result); |
920 | 0 | goto cleanup; |
921 | 0 | } |
922 | | |
923 | 0 | size = asize; |
924 | |
|
925 | 0 | asn1_delete_structure(&c2); |
926 | 0 | } |
927 | | |
928 | 0 | res->data = data; |
929 | 0 | res->size = (unsigned)size; |
930 | 0 | return 0; |
931 | | |
932 | 0 | cleanup: |
933 | 0 | gnutls_free(data); |
934 | 0 | asn1_delete_structure(&c2); |
935 | 0 | return result; |
936 | 0 | } |
937 | | |
938 | | /* DER Encodes the src asn1_node and stores it to |
939 | | * dest in dest_name. Useful to encode something and store it |
940 | | * as OCTET. If str is non null then the data are encoded as |
941 | | * an OCTET STRING. |
942 | | */ |
943 | | int _gnutls_x509_der_encode_and_copy(asn1_node src, const char *src_name, |
944 | | asn1_node dest, const char *dest_name, |
945 | | int str) |
946 | 0 | { |
947 | 0 | int result; |
948 | 0 | gnutls_datum_t encoded = { NULL, 0 }; |
949 | |
|
950 | 0 | result = _gnutls_x509_der_encode(src, src_name, &encoded, str); |
951 | |
|
952 | 0 | if (result < 0) { |
953 | 0 | gnutls_assert(); |
954 | 0 | return result; |
955 | 0 | } |
956 | | |
957 | | /* Write the data. |
958 | | */ |
959 | 0 | result = asn1_write_value(dest, dest_name, encoded.data, |
960 | 0 | (int)encoded.size); |
961 | |
|
962 | 0 | _gnutls_free_datum(&encoded); |
963 | |
|
964 | 0 | if (result != ASN1_SUCCESS) { |
965 | 0 | gnutls_assert(); |
966 | 0 | return _gnutls_asn2err(result); |
967 | 0 | } |
968 | | |
969 | 0 | return 0; |
970 | 0 | } |
971 | | |
972 | | /* Writes the value of the datum in the given asn1_node. |
973 | | */ |
974 | | int _gnutls_x509_write_value(asn1_node c, const char *root, |
975 | | const gnutls_datum_t *data) |
976 | 0 | { |
977 | 0 | int ret; |
978 | | |
979 | | /* Write the data. |
980 | | */ |
981 | 0 | ret = asn1_write_value(c, root, data->data, data->size); |
982 | 0 | if (ret != ASN1_SUCCESS) { |
983 | 0 | gnutls_assert(); |
984 | 0 | return _gnutls_asn2err(ret); |
985 | 0 | } |
986 | | |
987 | 0 | return 0; |
988 | 0 | } |
989 | | |
990 | | /* Writes the value of the datum in the given asn1_node as a string. |
991 | | */ |
992 | | int _gnutls_x509_write_string(asn1_node c, const char *root, |
993 | | const gnutls_datum_t *data, unsigned int etype) |
994 | 0 | { |
995 | 0 | int ret; |
996 | 0 | gnutls_datum_t val = { NULL, 0 }; |
997 | |
|
998 | 0 | ret = _gnutls_x509_encode_string(etype, data->data, data->size, &val); |
999 | 0 | if (ret < 0) |
1000 | 0 | return gnutls_assert_val(ret); |
1001 | | |
1002 | | /* Write the data. |
1003 | | */ |
1004 | 0 | ret = asn1_write_value(c, root, val.data, val.size); |
1005 | 0 | if (ret != ASN1_SUCCESS) { |
1006 | 0 | gnutls_assert(); |
1007 | 0 | ret = _gnutls_asn2err(ret); |
1008 | 0 | goto cleanup; |
1009 | 0 | } |
1010 | | |
1011 | 0 | ret = 0; |
1012 | |
|
1013 | 0 | cleanup: |
1014 | 0 | _gnutls_free_datum(&val); |
1015 | 0 | return ret; |
1016 | 0 | } |
1017 | | |
1018 | | void _asnstr_append_name(char *name, size_t name_size, const char *part1, |
1019 | | const char *part2) |
1020 | 0 | { |
1021 | 0 | if (part1[0] != 0) { |
1022 | 0 | _gnutls_str_cpy(name, name_size, part1); |
1023 | 0 | _gnutls_str_cat(name, name_size, part2); |
1024 | 0 | } else |
1025 | 0 | _gnutls_str_cpy(name, name_size, |
1026 | 0 | part2 + 1 /* remove initial dot */); |
1027 | 0 | } |
1028 | | |
1029 | | /* Encodes and copies the private key parameters into a |
1030 | | * subjectPublicKeyInfo structure. |
1031 | | * |
1032 | | */ |
1033 | | int _gnutls_x509_encode_and_copy_PKI_params(asn1_node dst, const char *dst_name, |
1034 | | const gnutls_pk_params_st *params) |
1035 | 0 | { |
1036 | 0 | const char *oid; |
1037 | 0 | gnutls_datum_t der = { NULL, 0 }; |
1038 | 0 | int result; |
1039 | 0 | char name[128]; |
1040 | |
|
1041 | 0 | oid = gnutls_pk_get_oid(params->algo); |
1042 | 0 | if (oid == NULL) { |
1043 | 0 | gnutls_assert(); |
1044 | 0 | return GNUTLS_E_UNKNOWN_PK_ALGORITHM; |
1045 | 0 | } |
1046 | | |
1047 | | /* write the OID |
1048 | | */ |
1049 | 0 | _asnstr_append_name(name, sizeof(name), dst_name, |
1050 | 0 | ".algorithm.algorithm"); |
1051 | |
|
1052 | 0 | result = asn1_write_value(dst, name, oid, 1); |
1053 | 0 | if (result != ASN1_SUCCESS) { |
1054 | 0 | gnutls_assert(); |
1055 | 0 | return _gnutls_asn2err(result); |
1056 | 0 | } |
1057 | | |
1058 | 0 | result = _gnutls_x509_write_pubkey_params(params, &der); |
1059 | 0 | if (result < 0) { |
1060 | 0 | gnutls_assert(); |
1061 | 0 | return result; |
1062 | 0 | } |
1063 | | |
1064 | 0 | _asnstr_append_name(name, sizeof(name), dst_name, |
1065 | 0 | ".algorithm.parameters"); |
1066 | |
|
1067 | 0 | result = asn1_write_value(dst, name, der.data, der.size); |
1068 | 0 | _gnutls_free_datum(&der); |
1069 | |
|
1070 | 0 | if (result != ASN1_SUCCESS) { |
1071 | 0 | gnutls_assert(); |
1072 | 0 | return _gnutls_asn2err(result); |
1073 | 0 | } |
1074 | | |
1075 | 0 | result = _gnutls_x509_write_pubkey(params, &der); |
1076 | 0 | if (result < 0) { |
1077 | 0 | gnutls_assert(); |
1078 | 0 | return result; |
1079 | 0 | } |
1080 | | |
1081 | | /* Write the DER parameters. (in bits) |
1082 | | */ |
1083 | 0 | _asnstr_append_name(name, sizeof(name), dst_name, ".subjectPublicKey"); |
1084 | 0 | result = asn1_write_value(dst, name, der.data, der.size * 8); |
1085 | 0 | _gnutls_free_datum(&der); |
1086 | |
|
1087 | 0 | if (result != ASN1_SUCCESS) { |
1088 | 0 | gnutls_assert(); |
1089 | 0 | return _gnutls_asn2err(result); |
1090 | 0 | } |
1091 | | |
1092 | 0 | return 0; |
1093 | 0 | } |
1094 | | |
1095 | | /* Encodes and public key parameters into a |
1096 | | * subjectPublicKeyInfo structure and stores it in der. |
1097 | | */ |
1098 | | int _gnutls_x509_encode_PKI_params(gnutls_datum_t *der, |
1099 | | const gnutls_pk_params_st *params) |
1100 | 0 | { |
1101 | 0 | int ret; |
1102 | 0 | asn1_node tmp; |
1103 | |
|
1104 | 0 | ret = asn1_create_element(_gnutls_get_pkix(), "PKIX1.Certificate", |
1105 | 0 | &tmp); |
1106 | 0 | if (ret != ASN1_SUCCESS) { |
1107 | 0 | gnutls_assert(); |
1108 | 0 | return _gnutls_asn2err(ret); |
1109 | 0 | } |
1110 | | |
1111 | 0 | ret = _gnutls_x509_encode_and_copy_PKI_params( |
1112 | 0 | tmp, "tbsCertificate.subjectPublicKeyInfo", params); |
1113 | 0 | if (ret != ASN1_SUCCESS) { |
1114 | 0 | gnutls_assert(); |
1115 | 0 | ret = _gnutls_asn2err(ret); |
1116 | 0 | goto cleanup; |
1117 | 0 | } |
1118 | | |
1119 | 0 | ret = _gnutls_x509_der_encode( |
1120 | 0 | tmp, "tbsCertificate.subjectPublicKeyInfo", der, 0); |
1121 | |
|
1122 | 0 | cleanup: |
1123 | 0 | asn1_delete_structure(&tmp); |
1124 | |
|
1125 | 0 | return ret; |
1126 | 0 | } |
1127 | | |
1128 | | /* Reads and returns the PK algorithm of the given certificate-like |
1129 | | * ASN.1 structure. src_name should be something like "tbsCertificate.subjectPublicKeyInfo". |
1130 | | */ |
1131 | | int _gnutls_x509_get_pk_algorithm(asn1_node src, const char *src_name, |
1132 | | gnutls_ecc_curve_t *curve, unsigned int *bits) |
1133 | 0 | { |
1134 | 0 | int result; |
1135 | 0 | int algo; |
1136 | 0 | char oid[64]; |
1137 | 0 | int len; |
1138 | 0 | gnutls_ecc_curve_t lcurve = GNUTLS_ECC_CURVE_INVALID; |
1139 | 0 | char name[128]; |
1140 | |
|
1141 | 0 | _asnstr_append_name(name, sizeof(name), src_name, |
1142 | 0 | ".algorithm.algorithm"); |
1143 | 0 | len = sizeof(oid); |
1144 | 0 | result = asn1_read_value(src, name, oid, &len); |
1145 | |
|
1146 | 0 | if (result != ASN1_SUCCESS) { |
1147 | 0 | gnutls_assert(); |
1148 | 0 | return _gnutls_asn2err(result); |
1149 | 0 | } |
1150 | | |
1151 | 0 | algo = _gnutls_oid_to_pk_and_curve(oid, &lcurve); |
1152 | 0 | if (algo == GNUTLS_PK_UNKNOWN) { |
1153 | 0 | _gnutls_debug_log("%s: unknown public key algorithm: %s\n", |
1154 | 0 | __func__, oid); |
1155 | 0 | } |
1156 | |
|
1157 | 0 | if (curve) |
1158 | 0 | *curve = lcurve; |
1159 | |
|
1160 | 0 | if (bits == NULL) { |
1161 | 0 | return algo; |
1162 | 0 | } |
1163 | | |
1164 | | /* Now read the parameters' bits |
1165 | | */ |
1166 | 0 | if (lcurve != GNUTLS_ECC_CURVE_INVALID) { /* curve present */ |
1167 | 0 | bits[0] = gnutls_ecc_curve_get_size(lcurve) * 8; |
1168 | 0 | } else { |
1169 | 0 | gnutls_pk_params_st params; |
1170 | 0 | gnutls_pk_params_init(¶ms); |
1171 | |
|
1172 | 0 | result = _gnutls_get_asn_mpis(src, src_name, ¶ms); |
1173 | 0 | if (result < 0) |
1174 | 0 | return gnutls_assert_val(result); |
1175 | | |
1176 | 0 | bits[0] = pubkey_to_bits(¶ms); |
1177 | 0 | gnutls_pk_params_release(¶ms); |
1178 | 0 | } |
1179 | | |
1180 | 0 | return algo; |
1181 | 0 | } |
1182 | | |
1183 | | /* Reads the DER signed data from the certificate and allocates space and |
1184 | | * returns them into signed_data. |
1185 | | */ |
1186 | | int _gnutls_x509_get_signed_data(asn1_node src, const gnutls_datum_t *der, |
1187 | | const char *src_name, |
1188 | | gnutls_datum_t *signed_data) |
1189 | 0 | { |
1190 | 0 | int start, end, result; |
1191 | |
|
1192 | 0 | if (der == NULL || der->size == 0) { |
1193 | 0 | return _gnutls_x509_der_encode(src, src_name, signed_data, 0); |
1194 | 0 | } |
1195 | | |
1196 | | /* Get the signed data |
1197 | | */ |
1198 | 0 | result = asn1_der_decoding_startEnd(src, der->data, der->size, src_name, |
1199 | 0 | &start, &end); |
1200 | 0 | if (result != ASN1_SUCCESS) { |
1201 | 0 | result = _gnutls_asn2err(result); |
1202 | 0 | gnutls_assert(); |
1203 | 0 | goto cleanup; |
1204 | 0 | } |
1205 | | |
1206 | 0 | result = _gnutls_set_datum(signed_data, &der->data[start], |
1207 | 0 | end - start + 1); |
1208 | |
|
1209 | 0 | if (result < 0) { |
1210 | 0 | gnutls_assert(); |
1211 | 0 | goto cleanup; |
1212 | 0 | } |
1213 | | |
1214 | 0 | result = 0; |
1215 | |
|
1216 | 0 | cleanup: |
1217 | 0 | return result; |
1218 | 0 | } |
1219 | | |
1220 | | /*- |
1221 | | * gnutls_x509_get_signature_algorithm: |
1222 | | * @src: should contain an asn1_node structure |
1223 | | * @src_name: the description of the signature field |
1224 | | * |
1225 | | * This function will return a value of the #gnutls_sign_algorithm_t |
1226 | | * enumeration that is the signature algorithm that has been used to |
1227 | | * sign this certificate. |
1228 | | * |
1229 | | * Returns: a #gnutls_sign_algorithm_t value, or a negative error code on |
1230 | | * error. |
1231 | | -*/ |
1232 | | int _gnutls_x509_get_signature_algorithm(asn1_node src, const char *src_name) |
1233 | 0 | { |
1234 | 0 | int result; |
1235 | 0 | char name[128]; |
1236 | 0 | gnutls_datum_t sa = { NULL, 0 }; |
1237 | |
|
1238 | 0 | _gnutls_str_cpy(name, sizeof(name), src_name); |
1239 | 0 | _gnutls_str_cat(name, sizeof(name), ".algorithm"); |
1240 | | |
1241 | | /* Read the signature algorithm */ |
1242 | 0 | result = _gnutls_x509_read_value(src, name, &sa); |
1243 | |
|
1244 | 0 | if (result < 0) { |
1245 | 0 | gnutls_assert(); |
1246 | 0 | return result; |
1247 | 0 | } |
1248 | | |
1249 | | /* Read the signature parameters. Unless the algorithm is |
1250 | | * RSA-PSS, parameters are not read. They will be read from |
1251 | | * the issuer's certificate if needed. |
1252 | | */ |
1253 | 0 | if (sa.data && strcmp((char *)sa.data, PK_PKIX1_RSA_PSS_OID) == 0) { |
1254 | 0 | gnutls_datum_t der = { NULL, 0 }; |
1255 | 0 | gnutls_x509_spki_st params; |
1256 | |
|
1257 | 0 | _gnutls_str_cpy(name, sizeof(name), src_name); |
1258 | 0 | _gnutls_str_cat(name, sizeof(name), ".parameters"); |
1259 | |
|
1260 | 0 | result = _gnutls_x509_read_value(src, name, &der); |
1261 | 0 | if (result < 0) { |
1262 | 0 | _gnutls_free_datum(&sa); |
1263 | 0 | return gnutls_assert_val(result); |
1264 | 0 | } |
1265 | | |
1266 | 0 | result = _gnutls_x509_read_rsa_pss_params(der.data, der.size, |
1267 | 0 | ¶ms); |
1268 | 0 | _gnutls_free_datum(&der); |
1269 | |
|
1270 | 0 | if (result == 0) |
1271 | 0 | result = gnutls_pk_to_sign(params.pk, |
1272 | 0 | params.rsa_pss_dig); |
1273 | 0 | } else if (sa.data) { |
1274 | 0 | result = gnutls_oid_to_sign((char *)sa.data); |
1275 | 0 | } else { |
1276 | 0 | result = GNUTLS_E_UNKNOWN_ALGORITHM; |
1277 | 0 | } |
1278 | | |
1279 | 0 | _gnutls_free_datum(&sa); |
1280 | |
|
1281 | 0 | if (result == GNUTLS_SIGN_UNKNOWN) |
1282 | 0 | result = GNUTLS_E_UNKNOWN_ALGORITHM; |
1283 | |
|
1284 | 0 | return result; |
1285 | 0 | } |
1286 | | |
1287 | | /* Reads the DER signature from the certificate and allocates space and |
1288 | | * returns them into signed_data. |
1289 | | */ |
1290 | | int _gnutls_x509_get_signature(asn1_node src, const char *src_name, |
1291 | | gnutls_datum_t *signature) |
1292 | 0 | { |
1293 | 0 | int result, len; |
1294 | 0 | int bits; |
1295 | |
|
1296 | 0 | signature->data = NULL; |
1297 | 0 | signature->size = 0; |
1298 | | |
1299 | | /* Read the signature |
1300 | | */ |
1301 | 0 | len = 0; |
1302 | 0 | result = asn1_read_value(src, src_name, NULL, &len); |
1303 | |
|
1304 | 0 | if (result != ASN1_MEM_ERROR) { |
1305 | 0 | result = _gnutls_asn2err(result); |
1306 | 0 | gnutls_assert(); |
1307 | 0 | goto cleanup; |
1308 | 0 | } |
1309 | | |
1310 | 0 | bits = len; |
1311 | 0 | if (bits % 8 != 0 || bits < 8) { |
1312 | 0 | gnutls_assert(); |
1313 | 0 | result = GNUTLS_E_CERTIFICATE_ERROR; |
1314 | 0 | goto cleanup; |
1315 | 0 | } |
1316 | | |
1317 | 0 | len = bits / 8; |
1318 | |
|
1319 | 0 | signature->data = gnutls_malloc(len); |
1320 | 0 | if (signature->data == NULL) { |
1321 | 0 | gnutls_assert(); |
1322 | 0 | result = GNUTLS_E_MEMORY_ERROR; |
1323 | 0 | return result; |
1324 | 0 | } |
1325 | | |
1326 | | /* read the bit string of the signature |
1327 | | */ |
1328 | 0 | bits = len; |
1329 | 0 | result = asn1_read_value(src, src_name, signature->data, &bits); |
1330 | |
|
1331 | 0 | if (result != ASN1_SUCCESS) { |
1332 | 0 | result = _gnutls_asn2err(result); |
1333 | 0 | gnutls_assert(); |
1334 | 0 | goto cleanup; |
1335 | 0 | } |
1336 | | |
1337 | 0 | signature->size = len; |
1338 | |
|
1339 | 0 | return 0; |
1340 | | |
1341 | 0 | cleanup: |
1342 | 0 | gnutls_free(signature->data); |
1343 | 0 | return result; |
1344 | 0 | } |
1345 | | |
1346 | | /* ASN.1 PrintableString rules */ |
1347 | | static int is_printable(char p) |
1348 | 0 | { |
1349 | 0 | if ((p >= 'a' && p <= 'z') || (p >= 'A' && p <= 'Z') || |
1350 | 0 | (p >= '0' && p <= '9') || p == ' ' || p == '(' || p == ')' || |
1351 | 0 | p == '+' || p == ',' || p == '-' || p == '.' || p == '/' || |
1352 | 0 | p == ':' || p == '=' || p == '?') |
1353 | 0 | return 1; |
1354 | | |
1355 | 0 | return 0; |
1356 | 0 | } |
1357 | | |
1358 | | static int write_complex_string(asn1_node asn_struct, const char *where, |
1359 | | const struct oid_to_string *oentry, |
1360 | | const uint8_t *data, size_t data_size) |
1361 | 0 | { |
1362 | 0 | char tmp[128]; |
1363 | 0 | asn1_node c2; |
1364 | 0 | int result; |
1365 | 0 | const char *string_type; |
1366 | 0 | unsigned int i; |
1367 | |
|
1368 | 0 | result = asn1_create_element(_gnutls_get_pkix(), oentry->asn_desc, &c2); |
1369 | 0 | if (result != ASN1_SUCCESS) { |
1370 | 0 | gnutls_assert(); |
1371 | 0 | return _gnutls_asn2err(result); |
1372 | 0 | } |
1373 | | |
1374 | 0 | tmp[0] = 0; |
1375 | |
|
1376 | 0 | string_type = "printableString"; |
1377 | | |
1378 | | /* Check if the data is ASN.1 printable, and use |
1379 | | * the UTF8 string type if not. |
1380 | | */ |
1381 | 0 | for (i = 0; i < data_size; i++) { |
1382 | 0 | if (!is_printable(data[i])) { |
1383 | 0 | string_type = "utf8String"; |
1384 | 0 | break; |
1385 | 0 | } |
1386 | 0 | } |
1387 | | |
1388 | | /* if the type is a CHOICE then write the |
1389 | | * type we'll use. |
1390 | | */ |
1391 | 0 | result = asn1_write_value(c2, "", string_type, 1); |
1392 | 0 | if (result != ASN1_SUCCESS) { |
1393 | 0 | gnutls_assert(); |
1394 | 0 | result = _gnutls_asn2err(result); |
1395 | 0 | goto error; |
1396 | 0 | } |
1397 | | |
1398 | 0 | _gnutls_str_cpy(tmp, sizeof(tmp), string_type); |
1399 | |
|
1400 | 0 | result = asn1_write_value(c2, tmp, data, data_size); |
1401 | 0 | if (result != ASN1_SUCCESS) { |
1402 | 0 | gnutls_assert(); |
1403 | 0 | result = _gnutls_asn2err(result); |
1404 | 0 | goto error; |
1405 | 0 | } |
1406 | | |
1407 | 0 | result = _gnutls_x509_der_encode_and_copy(c2, "", asn_struct, where, 0); |
1408 | 0 | if (result < 0) { |
1409 | 0 | gnutls_assert(); |
1410 | 0 | goto error; |
1411 | 0 | } |
1412 | | |
1413 | 0 | result = 0; |
1414 | |
|
1415 | 0 | error: |
1416 | 0 | asn1_delete_structure(&c2); |
1417 | 0 | return result; |
1418 | 0 | } |
1419 | | |
1420 | | /* This will encode and write the AttributeTypeAndValue field. |
1421 | | * 'multi' must be (0) if writing an AttributeTypeAndValue, and 1 if Attribute. |
1422 | | * In all cases only one value is written. |
1423 | | */ |
1424 | | int _gnutls_x509_encode_and_write_attribute(const char *given_oid, |
1425 | | asn1_node asn1_struct, |
1426 | | const char *where, |
1427 | | const void *_data, int data_size, |
1428 | | int multi) |
1429 | 0 | { |
1430 | 0 | const uint8_t *data = _data; |
1431 | 0 | char tmp[128]; |
1432 | 0 | int result; |
1433 | 0 | const struct oid_to_string *oentry; |
1434 | |
|
1435 | 0 | oentry = _gnutls_oid_get_entry(_oid2str, given_oid); |
1436 | 0 | if (oentry == NULL) { |
1437 | 0 | gnutls_assert(); |
1438 | 0 | _gnutls_debug_log("Cannot find OID: %s\n", given_oid); |
1439 | 0 | return GNUTLS_E_X509_UNSUPPORTED_OID; |
1440 | 0 | } |
1441 | | |
1442 | | /* write the data (value) |
1443 | | */ |
1444 | | |
1445 | 0 | _gnutls_str_cpy(tmp, sizeof(tmp), where); |
1446 | 0 | _gnutls_str_cat(tmp, sizeof(tmp), ".value"); |
1447 | |
|
1448 | 0 | if (multi != |
1449 | 0 | 0) { /* if not writing an AttributeTypeAndValue, but an Attribute */ |
1450 | 0 | _gnutls_str_cat(tmp, sizeof(tmp), "s"); /* values */ |
1451 | |
|
1452 | 0 | result = asn1_write_value(asn1_struct, tmp, "NEW", 1); |
1453 | 0 | if (result != ASN1_SUCCESS) { |
1454 | 0 | gnutls_assert(); |
1455 | 0 | result = _gnutls_asn2err(result); |
1456 | 0 | goto error; |
1457 | 0 | } |
1458 | | |
1459 | 0 | _gnutls_str_cat(tmp, sizeof(tmp), ".?LAST"); |
1460 | 0 | } |
1461 | | |
1462 | 0 | if (oentry->asn_desc != NULL) { /* write a complex string API */ |
1463 | 0 | result = write_complex_string(asn1_struct, tmp, oentry, data, |
1464 | 0 | data_size); |
1465 | 0 | if (result < 0) |
1466 | 0 | return gnutls_assert_val(result); |
1467 | 0 | } else { /* write a simple string */ |
1468 | |
|
1469 | 0 | gnutls_datum_t td; |
1470 | |
|
1471 | 0 | td.data = (void *)data; |
1472 | 0 | td.size = data_size; |
1473 | 0 | result = _gnutls_x509_write_string(asn1_struct, tmp, &td, |
1474 | 0 | oentry->etype); |
1475 | 0 | if (result < 0) { |
1476 | 0 | gnutls_assert(); |
1477 | 0 | goto error; |
1478 | 0 | } |
1479 | 0 | } |
1480 | | |
1481 | | /* write the type |
1482 | | */ |
1483 | 0 | _gnutls_str_cpy(tmp, sizeof(tmp), where); |
1484 | 0 | _gnutls_str_cat(tmp, sizeof(tmp), ".type"); |
1485 | |
|
1486 | 0 | result = asn1_write_value(asn1_struct, tmp, given_oid, 1); |
1487 | 0 | if (result != ASN1_SUCCESS) { |
1488 | 0 | gnutls_assert(); |
1489 | 0 | result = _gnutls_asn2err(result); |
1490 | 0 | goto error; |
1491 | 0 | } |
1492 | | |
1493 | 0 | result = 0; |
1494 | |
|
1495 | 0 | error: |
1496 | 0 | return result; |
1497 | 0 | } |
1498 | | |
1499 | | /* copies a datum to a buffer. If it doesn't fit it returns |
1500 | | * GNUTLS_E_SHORT_MEMORY_BUFFER. It always deinitializes the datum |
1501 | | * after the copy. |
1502 | | * |
1503 | | * The buffer will always be null terminated. |
1504 | | */ |
1505 | | int _gnutls_strdatum_to_buf(gnutls_datum_t *d, void *buf, size_t *buf_size) |
1506 | 0 | { |
1507 | 0 | int ret; |
1508 | 0 | uint8_t *_buf = buf; |
1509 | |
|
1510 | 0 | if (buf == NULL || *buf_size < d->size + 1) { |
1511 | 0 | *buf_size = d->size + 1; |
1512 | 0 | ret = gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER); |
1513 | 0 | goto cleanup; |
1514 | 0 | } |
1515 | 0 | memcpy(buf, d->data, d->size); |
1516 | 0 | _buf[d->size] = 0; |
1517 | |
|
1518 | 0 | *buf_size = d->size; |
1519 | 0 | ret = 0; |
1520 | |
|
1521 | 0 | cleanup: |
1522 | 0 | _gnutls_free_datum(d); |
1523 | |
|
1524 | 0 | return ret; |
1525 | 0 | } |
1526 | | |
1527 | | int _gnutls_x509_get_raw_field2(asn1_node c2, const gnutls_datum_t *raw, |
1528 | | const char *whom, gnutls_datum_t *dn) |
1529 | 0 | { |
1530 | 0 | int result, len1; |
1531 | 0 | int start1, end1; |
1532 | 0 | result = asn1_der_decoding_startEnd(c2, raw->data, raw->size, whom, |
1533 | 0 | &start1, &end1); |
1534 | |
|
1535 | 0 | if (result != ASN1_SUCCESS) { |
1536 | 0 | gnutls_assert(); |
1537 | 0 | result = _gnutls_asn2err(result); |
1538 | 0 | goto cleanup; |
1539 | 0 | } |
1540 | | |
1541 | 0 | len1 = end1 - start1 + 1; |
1542 | |
|
1543 | 0 | dn->data = &raw->data[start1]; |
1544 | 0 | dn->size = len1; |
1545 | 0 | result = 0; |
1546 | |
|
1547 | 0 | cleanup: |
1548 | 0 | return result; |
1549 | 0 | } |
1550 | | |
1551 | | int _gnutls_copy_string(const gnutls_datum_t *str, uint8_t *out, |
1552 | | size_t *out_size) |
1553 | 0 | { |
1554 | 0 | unsigned size_to_check; |
1555 | |
|
1556 | 0 | size_to_check = str->size + 1; |
1557 | |
|
1558 | 0 | if ((unsigned)size_to_check > *out_size) { |
1559 | 0 | gnutls_assert(); |
1560 | 0 | (*out_size) = size_to_check; |
1561 | 0 | return GNUTLS_E_SHORT_MEMORY_BUFFER; |
1562 | 0 | } |
1563 | | |
1564 | 0 | if (out != NULL && str->data != NULL) { |
1565 | 0 | memcpy(out, str->data, str->size); |
1566 | 0 | out[str->size] = 0; |
1567 | 0 | } else if (out != NULL) { |
1568 | 0 | out[0] = 0; |
1569 | 0 | } |
1570 | 0 | *out_size = str->size; |
1571 | |
|
1572 | 0 | return 0; |
1573 | 0 | } |
1574 | | |
1575 | | int _gnutls_copy_data(const gnutls_datum_t *str, uint8_t *out, size_t *out_size) |
1576 | 0 | { |
1577 | 0 | if ((unsigned)str->size > *out_size) { |
1578 | 0 | gnutls_assert(); |
1579 | 0 | (*out_size) = str->size; |
1580 | 0 | return GNUTLS_E_SHORT_MEMORY_BUFFER; |
1581 | 0 | } |
1582 | | |
1583 | 0 | if (out != NULL && str->data != NULL) { |
1584 | 0 | memcpy(out, str->data, str->size); |
1585 | 0 | } |
1586 | 0 | *out_size = str->size; |
1587 | |
|
1588 | 0 | return 0; |
1589 | 0 | } |
1590 | | |
1591 | | /* Converts an X.509 certificate to subjectPublicKeyInfo */ |
1592 | | int x509_crt_to_raw_pubkey(gnutls_x509_crt_t crt, gnutls_datum_t *rpubkey) |
1593 | 0 | { |
1594 | 0 | gnutls_pubkey_t pubkey = NULL; |
1595 | 0 | int ret; |
1596 | |
|
1597 | 0 | ret = gnutls_pubkey_init(&pubkey); |
1598 | 0 | if (ret < 0) |
1599 | 0 | return gnutls_assert_val(ret); |
1600 | | |
1601 | 0 | ret = gnutls_pubkey_import_x509(pubkey, crt, 0); |
1602 | 0 | if (ret < 0) { |
1603 | 0 | gnutls_assert(); |
1604 | 0 | goto cleanup; |
1605 | 0 | } |
1606 | | |
1607 | 0 | ret = gnutls_pubkey_export2(pubkey, GNUTLS_X509_FMT_DER, rpubkey); |
1608 | 0 | if (ret < 0) { |
1609 | 0 | gnutls_assert(); |
1610 | 0 | goto cleanup; |
1611 | 0 | } |
1612 | | |
1613 | 0 | ret = 0; |
1614 | |
|
1615 | 0 | cleanup: |
1616 | 0 | gnutls_pubkey_deinit(pubkey); |
1617 | 0 | return ret; |
1618 | 0 | } |
1619 | | |
1620 | | /* Converts an X.509 certificate to subjectPublicKeyInfo */ |
1621 | | int _gnutls_x509_raw_crt_to_raw_pubkey(const gnutls_datum_t *cert, |
1622 | | gnutls_datum_t *rpubkey) |
1623 | 0 | { |
1624 | 0 | gnutls_x509_crt_t crt = NULL; |
1625 | 0 | int ret; |
1626 | |
|
1627 | 0 | ret = gnutls_x509_crt_init(&crt); |
1628 | 0 | if (ret < 0) |
1629 | 0 | return gnutls_assert_val(ret); |
1630 | | |
1631 | 0 | ret = gnutls_x509_crt_import(crt, cert, GNUTLS_X509_FMT_DER); |
1632 | 0 | if (ret < 0) { |
1633 | 0 | gnutls_assert(); |
1634 | 0 | goto cleanup; |
1635 | 0 | } |
1636 | | |
1637 | 0 | ret = x509_crt_to_raw_pubkey(crt, rpubkey); |
1638 | 0 | cleanup: |
1639 | 0 | gnutls_x509_crt_deinit(crt); |
1640 | |
|
1641 | 0 | return ret; |
1642 | 0 | } |
1643 | | |
1644 | | unsigned _gnutls_check_valid_key_id(const gnutls_datum_t *key_id, |
1645 | | gnutls_x509_crt_t cert, time_t now, |
1646 | | unsigned *has_ski) |
1647 | 0 | { |
1648 | 0 | uint8_t id[MAX_KEY_ID_SIZE]; |
1649 | 0 | size_t id_size; |
1650 | 0 | unsigned result = 0; |
1651 | |
|
1652 | 0 | if (has_ski) |
1653 | 0 | *has_ski = 0; |
1654 | |
|
1655 | 0 | if (now > gnutls_x509_crt_get_expiration_time(cert) || |
1656 | 0 | now < gnutls_x509_crt_get_activation_time(cert)) { |
1657 | | /* don't bother, certificate is not yet activated or expired */ |
1658 | 0 | gnutls_assert(); |
1659 | 0 | goto out; |
1660 | 0 | } |
1661 | | |
1662 | 0 | id_size = sizeof(id); |
1663 | 0 | if (gnutls_x509_crt_get_subject_key_id(cert, id, &id_size, NULL) < 0) { |
1664 | 0 | gnutls_assert(); |
1665 | 0 | goto out; |
1666 | 0 | } |
1667 | | |
1668 | 0 | if (has_ski) |
1669 | 0 | *has_ski = 1; |
1670 | |
|
1671 | 0 | if (id_size == key_id->size && !memcmp(id, key_id->data, id_size)) |
1672 | 0 | result = 1; |
1673 | |
|
1674 | 0 | out: |
1675 | 0 | return result; |
1676 | 0 | } |
1677 | | |
1678 | | /* Sort a certificate list in place with subject, issuer order. @clist_size must |
1679 | | * be equal to or less than %DEFAULT_MAX_VERIFY_DEPTH. |
1680 | | * |
1681 | | * Returns the index in clist where the initial contiguous segment ends. If the |
1682 | | * chain contains multiple segments separated by gaps (e.g., missing issuers), |
1683 | | * the caller shall call this function multiple times. |
1684 | | * |
1685 | | * For example, suppose we want the following certificate chain as a result of |
1686 | | * sorting: |
1687 | | * |
1688 | | * A -> (B) -> C -> D -> E -> (F) -> G -> H -> I |
1689 | | * |
1690 | | * from the input [A, C, E, D, G, I, H] (B and F are missing). |
1691 | | * |
1692 | | * On the first call of this function: |
1693 | | * |
1694 | | * _gnutls_sort_clist(clist, clist_size) |
1695 | | * |
1696 | | * it returns 1, meaning that the first segment only contains A. The content of |
1697 | | * @clist will remain the same [A, C, E, D, G, I, H]. |
1698 | | * |
1699 | | * Then the caller will call this function again, starting from the second |
1700 | | * element: |
1701 | | * |
1702 | | * _gnutls_sort_clist(&clist[1], clist_size - 1) |
1703 | | * |
1704 | | * This time it returns 3, meaning that the first segment contains [C, D, E]. |
1705 | | * The content of @clist will be [A, C, D, E, G, I, H]. |
1706 | | * |
1707 | | * Finally, after calling the function on the remaining elements: |
1708 | | * |
1709 | | * _gnutls_sort_clist(&clist[1 + 3], clist_size - (1 + 3)) |
1710 | | * |
1711 | | * It will return 3, meaning that the first segment contains [G, H, I]. At this |
1712 | | * point, sorting of @clist is complete. |
1713 | | */ |
1714 | | unsigned int _gnutls_sort_clist(gnutls_x509_crt_t *clist, |
1715 | | unsigned int clist_size) |
1716 | 0 | { |
1717 | 0 | int prev; |
1718 | 0 | unsigned int i, j, k; |
1719 | 0 | int issuer[DEFAULT_MAX_VERIFY_DEPTH]; /* contain the index of the issuers */ |
1720 | 0 | bool insorted[DEFAULT_MAX_VERIFY_DEPTH]; /* non zero if clist[i] used in sorted list */ |
1721 | 0 | gnutls_x509_crt_t sorted[DEFAULT_MAX_VERIFY_DEPTH]; |
1722 | | |
1723 | | /* Limit the number of certificates in the chain, to avoid DoS |
1724 | | * because of the O(n^2) sorting below. FIXME: Switch to a |
1725 | | * topological sort algorithm which should be linear to the |
1726 | | * number of certificates and subject-issuer relationships. |
1727 | | */ |
1728 | 0 | if (clist_size > DEFAULT_MAX_VERIFY_DEPTH) { |
1729 | 0 | _gnutls_debug_log("too many certificates; skipping sorting\n"); |
1730 | 0 | return 1; |
1731 | 0 | } |
1732 | | |
1733 | 0 | for (i = 0; i < DEFAULT_MAX_VERIFY_DEPTH; i++) { |
1734 | 0 | issuer[i] = -1; |
1735 | 0 | insorted[i] = 0; |
1736 | 0 | } |
1737 | | |
1738 | | /* Find the issuer of each certificate and store it |
1739 | | * in issuer array. O(n^2) so consider that before |
1740 | | * increasing DEFAULT_MAX_VERIFY_DEPTH. |
1741 | | */ |
1742 | 0 | for (i = 0; i < clist_size; i++) { |
1743 | | /* Self-signed certificate found in the chain; skip it |
1744 | | * as it should only appear in the trusted set. |
1745 | | */ |
1746 | 0 | if (gnutls_x509_crt_check_issuer(clist[i], clist[i])) { |
1747 | 0 | _gnutls_cert_log("self-signed cert found", clist[i]); |
1748 | 0 | continue; |
1749 | 0 | } |
1750 | | |
1751 | 0 | for (j = 1; j < clist_size; j++) { |
1752 | 0 | if (i == j) |
1753 | 0 | continue; |
1754 | | |
1755 | 0 | if (gnutls_x509_crt_check_issuer(clist[i], clist[j])) { |
1756 | 0 | issuer[i] = j; |
1757 | 0 | break; |
1758 | 0 | } |
1759 | 0 | } |
1760 | 0 | } |
1761 | |
|
1762 | 0 | sorted[0] = clist[0]; |
1763 | 0 | insorted[0] = 1; |
1764 | |
|
1765 | 0 | prev = 0; |
1766 | 0 | for (i = 1; i < clist_size; i++) { |
1767 | 0 | prev = issuer[prev]; |
1768 | 0 | if (prev < 0) { /* no issuer */ |
1769 | 0 | break; |
1770 | 0 | } |
1771 | | |
1772 | 0 | if (insorted[prev]) { /* loop detected */ |
1773 | 0 | break; |
1774 | 0 | } |
1775 | | |
1776 | 0 | sorted[i] = clist[prev]; |
1777 | 0 | insorted[prev] = 1; |
1778 | 0 | } |
1779 | | |
1780 | | /* append the remaining certs */ |
1781 | 0 | for (j = 1, k = i; j < clist_size; j++) { |
1782 | 0 | if (!insorted[j]) { |
1783 | 0 | sorted[k++] = clist[j]; |
1784 | 0 | } |
1785 | 0 | } |
1786 | | |
1787 | | /* write out the sorted list */ |
1788 | 0 | assert(k == clist_size); |
1789 | 0 | for (j = 0; j < clist_size; j++) { |
1790 | 0 | clist[j] = sorted[j]; |
1791 | 0 | } |
1792 | |
|
1793 | 0 | return i; |
1794 | 0 | } |
1795 | | |
1796 | | int _gnutls_check_if_sorted(gnutls_x509_crt_t *crt, int nr) |
1797 | 0 | { |
1798 | 0 | int i, ret; |
1799 | | |
1800 | | /* check if the X.509 list is ordered */ |
1801 | 0 | if (nr > 1) { |
1802 | 0 | for (i = 0; i < nr; i++) { |
1803 | 0 | if (i > 0) { |
1804 | 0 | if (!_gnutls_x509_compare_raw_dn( |
1805 | 0 | &crt[i]->raw_dn, |
1806 | 0 | &crt[i - 1]->raw_issuer_dn)) { |
1807 | 0 | ret = gnutls_assert_val( |
1808 | 0 | GNUTLS_E_CERTIFICATE_LIST_UNSORTED); |
1809 | 0 | goto cleanup; |
1810 | 0 | } |
1811 | 0 | } |
1812 | 0 | } |
1813 | 0 | } |
1814 | 0 | ret = 0; |
1815 | |
|
1816 | 0 | cleanup: |
1817 | 0 | return ret; |
1818 | 0 | } |
1819 | | |
1820 | | /** |
1821 | | * gnutls_gost_paramset_get_name: |
1822 | | * @param: is a GOST 28147 param set |
1823 | | * |
1824 | | * Convert a #gnutls_gost_paramset_t value to a string. |
1825 | | * |
1826 | | * Returns: a string that contains the name of the specified GOST param set, |
1827 | | * or %NULL. |
1828 | | * |
1829 | | * Since: 3.6.3 |
1830 | | **/ |
1831 | | const char *gnutls_gost_paramset_get_name(gnutls_gost_paramset_t param) |
1832 | 0 | { |
1833 | 0 | switch (param) { |
1834 | 0 | case GNUTLS_GOST_PARAMSET_TC26_Z: |
1835 | 0 | return "TC26-Z"; |
1836 | 0 | case GNUTLS_GOST_PARAMSET_CP_A: |
1837 | 0 | return "CryptoPro-A"; |
1838 | 0 | case GNUTLS_GOST_PARAMSET_CP_B: |
1839 | 0 | return "CryptoPro-B"; |
1840 | 0 | case GNUTLS_GOST_PARAMSET_CP_C: |
1841 | 0 | return "CryptoPro-C"; |
1842 | 0 | case GNUTLS_GOST_PARAMSET_CP_D: |
1843 | 0 | return "CryptoPro-D"; |
1844 | 0 | default: |
1845 | 0 | gnutls_assert(); |
1846 | 0 | return "Unknown"; |
1847 | 0 | } |
1848 | 0 | } |
1849 | | |
1850 | | /** |
1851 | | * gnutls_gost_paramset_get_oid: |
1852 | | * @param: is a GOST 28147 param set |
1853 | | * |
1854 | | * Convert a #gnutls_gost_paramset_t value to its object identifier. |
1855 | | * |
1856 | | * Returns: a string that contains the object identifier of the specified GOST |
1857 | | * param set, or %NULL. |
1858 | | * |
1859 | | * Since: 3.6.3 |
1860 | | **/ |
1861 | | const char *gnutls_gost_paramset_get_oid(gnutls_gost_paramset_t param) |
1862 | 0 | { |
1863 | 0 | switch (param) { |
1864 | 0 | case GNUTLS_GOST_PARAMSET_TC26_Z: |
1865 | 0 | return GOST28147_89_TC26Z_OID; |
1866 | 0 | case GNUTLS_GOST_PARAMSET_CP_A: |
1867 | 0 | return GOST28147_89_CPA_OID; |
1868 | 0 | case GNUTLS_GOST_PARAMSET_CP_B: |
1869 | 0 | return GOST28147_89_CPB_OID; |
1870 | 0 | case GNUTLS_GOST_PARAMSET_CP_C: |
1871 | 0 | return GOST28147_89_CPC_OID; |
1872 | 0 | case GNUTLS_GOST_PARAMSET_CP_D: |
1873 | 0 | return GOST28147_89_CPD_OID; |
1874 | 0 | default: |
1875 | 0 | gnutls_assert(); |
1876 | 0 | return NULL; |
1877 | 0 | } |
1878 | 0 | } |
1879 | | |
1880 | | /** |
1881 | | * gnutls_oid_to_gost_paramset: |
1882 | | * @oid: is an object identifier |
1883 | | * |
1884 | | * Converts a textual object identifier to a #gnutls_gost_paramset_t value. |
1885 | | * |
1886 | | * Returns: a #gnutls_gost_paramset_get_oid of the specified GOST 28147 |
1887 | | * param st, or %GNUTLS_GOST_PARAMSET_UNKNOWN on failure. |
1888 | | * |
1889 | | * Since: 3.6.3 |
1890 | | **/ |
1891 | | gnutls_gost_paramset_t gnutls_oid_to_gost_paramset(const char *oid) |
1892 | 0 | { |
1893 | 0 | if (!strcmp(oid, GOST28147_89_TC26Z_OID)) |
1894 | 0 | return GNUTLS_GOST_PARAMSET_TC26_Z; |
1895 | 0 | else if (!strcmp(oid, GOST28147_89_CPA_OID)) |
1896 | 0 | return GNUTLS_GOST_PARAMSET_CP_A; |
1897 | 0 | else if (!strcmp(oid, GOST28147_89_CPB_OID)) |
1898 | 0 | return GNUTLS_GOST_PARAMSET_CP_B; |
1899 | 0 | else if (!strcmp(oid, GOST28147_89_CPC_OID)) |
1900 | 0 | return GNUTLS_GOST_PARAMSET_CP_C; |
1901 | 0 | else if (!strcmp(oid, GOST28147_89_CPD_OID)) |
1902 | 0 | return GNUTLS_GOST_PARAMSET_CP_D; |
1903 | 0 | else |
1904 | 0 | return gnutls_assert_val(GNUTLS_GOST_PARAMSET_UNKNOWN); |
1905 | 0 | } |
1906 | | |
1907 | | int _gnutls_x509_get_version(asn1_node root, const char *name) |
1908 | 0 | { |
1909 | 0 | uint8_t version[8]; |
1910 | 0 | int len, result; |
1911 | |
|
1912 | 0 | len = sizeof(version); |
1913 | 0 | result = asn1_read_value(root, name, version, &len); |
1914 | 0 | if (result != ASN1_SUCCESS) { |
1915 | 0 | if (result == ASN1_ELEMENT_NOT_FOUND) |
1916 | 0 | return 1; /* the DEFAULT version */ |
1917 | 0 | gnutls_assert(); |
1918 | 0 | return _gnutls_asn2err(result); |
1919 | 0 | } |
1920 | | |
1921 | 0 | if (len != 1 || version[0] >= 0x80) |
1922 | 0 | return gnutls_assert_val(GNUTLS_E_ASN1_DER_ERROR); |
1923 | | |
1924 | 0 | return (int)version[0] + 1; |
1925 | 0 | } |