TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-crypto / d9fd87be3368ad9a393e571cdee1c0b41b55736e / . / library / x509.c
blob: 7928eea842acd7b92e1f60a92698c7e61c8a6b79 [file] [log] [blame]
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]1/*
2 * X.509 certificate and private key decoding
3 *
4 * Copyright (C) 2006-2013, Brainspark B.V.
5 *
6 * This file is part of PolarSSL (http://www.polarssl.org)
7 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
8 *
9 * All rights reserved.
10 *
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25/*
26 * The ITU-T X.509 standard defines a certificate format for PKI.
27 *
28 * http://www.ietf.org/rfc/rfc3279.txt
29 * http://www.ietf.org/rfc/rfc3280.txt
30 *
31 * ftp://ftp.rsasecurity.com/pub/pkcs/ascii/pkcs-1v2.asc
32 *
33 * http://www.itu.int/ITU-T/studygroups/com17/languages/X.680-0207.pdf
34 * http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf
35 */
36
37#include "polarssl/config.h"
38
39#if defined(POLARSSL_X509_USE_C)
40
41#include "polarssl/x509.h"
42#include "polarssl/asn1.h"
43#include "polarssl/oid.h"
44#if defined(POLARSSL_PEM_PARSE_C)
45#include "polarssl/pem.h"
46#endif
47
48#if defined(POLARSSL_MEMORY_C)
49#include "polarssl/memory.h"
50#else
51#define polarssl_malloc malloc
52#define polarssl_free free
53#endif
54
55#include <string.h>
56#include <stdlib.h>
Paul Bakkerfa6a6202013-10-28 18:48:30 +0100[diff] [blame]57#if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]58#include <windows.h>
59#else
60#include <time.h>
61#endif
62
Paul Bakkerfa6a6202013-10-28 18:48:30 +0100[diff] [blame]63#if defined(EFIX64) || defined(EFI32)
64#include <stdio.h>
65#endif
66
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]67#if defined(POLARSSL_FS_IO)
68#include <stdio.h>
69#if !defined(_WIN32)
70#include <sys/types.h>
71#include <sys/stat.h>
72#include <dirent.h>
73#endif
74#endif
75
76/*
77 * CertificateSerialNumber ::= INTEGER
78 */
79int x509_get_serial( unsigned char **p, const unsigned char *end,
80 x509_buf *serial )
81{
82 int ret;
83
84 if( ( end - *p ) < 1 )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]85 return( POLARSSL_ERR_X509_INVALID_SERIAL +
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]86 POLARSSL_ERR_ASN1_OUT_OF_DATA );
87
88 if( **p != ( ASN1_CONTEXT_SPECIFIC | ASN1_PRIMITIVE | 2 ) &&
89 **p != ASN1_INTEGER )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]90 return( POLARSSL_ERR_X509_INVALID_SERIAL +
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]91 POLARSSL_ERR_ASN1_UNEXPECTED_TAG );
92
93 serial->tag = *(*p)++;
94
95 if( ( ret = asn1_get_len( p, end, &serial->len ) ) != 0 )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]96 return( POLARSSL_ERR_X509_INVALID_SERIAL + ret );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]97
98 serial->p = *p;
99 *p += serial->len;
100
101 return( 0 );
102}
103
104/* Get an algorithm identifier without parameters (eg for signatures)
105 *
106 * AlgorithmIdentifier ::= SEQUENCE {
107 * algorithm OBJECT IDENTIFIER,
108 * parameters ANY DEFINED BY algorithm OPTIONAL }
109 */
110int x509_get_alg_null( unsigned char **p, const unsigned char *end,
111 x509_buf *alg )
112{
113 int ret;
114
115 if( ( ret = asn1_get_alg_null( p, end, alg ) ) != 0 )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]116 return( POLARSSL_ERR_X509_INVALID_ALG + ret );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]117
118 return( 0 );
119}
120
121/*
Manuel Pégourié-Gonnardb1d4eb12014-01-22 10:12:57 +0100[diff] [blame]122 * Parse an algorithm identifier with (optional) paramaters
123 */
124int x509_get_alg( unsigned char **p, const unsigned char *end,
125 x509_buf *alg, x509_buf *params )
126{
127 int ret;
128
129 if( ( ret = asn1_get_alg( p, end, alg, params ) ) != 0 )
130 return( POLARSSL_ERR_X509_INVALID_ALG + ret );
131
132 return( 0 );
133}
134
135/*
Manuel Pégourié-Gonnardd9fd87b2014-01-23 16:24:44 +0100[diff] [blame^]136 * RSASSA-PSS-params ::= SEQUENCE {
137 * hashAlgorithm [0] HashAlgorithm DEFAULT sha1Identifier,
138 * maskGenAlgorithm [1] MaskGenAlgorithm DEFAULT mgf1SHA1Identifier,
139 * saltLength [2] INTEGER DEFAULT 20,
140 * trailerField [3] INTEGER DEFAULT 1 }
141 * -- Note that the tags in this Sequence are explicit.
142 */
143int x509_get_rsassa_pss_params( const x509_buf *params,
144 md_type_t *md_alg,
145 int *salt_len,
146 int *trailer_field )
147{
148 int ret;
149 unsigned char *p;
150 const unsigned char *end;
151 size_t len;
152 x509_buf alg_id;
153
154 /* First set everything to defaults */
155 *md_alg = POLARSSL_MD_SHA1;
156 *salt_len = 20;
157 *trailer_field = 1;
158
159 /* Make sure params is a SEQUENCE and setup bounds */
160 if( params->tag != ( ASN1_CONSTRUCTED | ASN1_SEQUENCE ) )
161 return( POLARSSL_ERR_X509_INVALID_ALG +
162 POLARSSL_ERR_ASN1_UNEXPECTED_TAG );
163
164 p = (unsigned char *) params->p;
165 end = p + params->len;
166
167 if( p == end )
168 return( 0 );
169
170 if( ( ret = asn1_get_tag( &p, end, &len,
171 ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 0 ) ) == 0 )
172 {
173 /* HashAlgorithm ::= AlgorithmIdentifier (without parameters) */
174 // TODO: WIP
175 }
176 else if( ret != POLARSSL_ERR_ASN1_UNEXPECTED_TAG )
177 return( POLARSSL_ERR_X509_INVALID_ALG + ret );
178
179 if( ( ret = asn1_get_tag( &p, end, &len,
180 ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 1 ) ) == 0 )
181 {
182 /* MaskGenAlgorithm ::= AlgorithmIdentifier */
183 // TODO: WIP
184 }
185 else if( ret != POLARSSL_ERR_ASN1_UNEXPECTED_TAG )
186 return( POLARSSL_ERR_X509_INVALID_ALG + ret );
187
188 if( p == end )
189 return( 0 );
190
191 if( ( ret = asn1_get_tag( &p, end, &len,
192 ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 2 ) ) == 0 )
193 {
194 /* salt_len */
195 if( ( ret = asn1_get_int( &p, p + len, salt_len ) ) != 0 )
196 return( POLARSSL_ERR_X509_INVALID_ALG + ret );
197 }
198 else if( ret != POLARSSL_ERR_ASN1_UNEXPECTED_TAG )
199 return( POLARSSL_ERR_X509_INVALID_ALG + ret );
200
201 if( p == end )
202 return( 0 );
203
204 if( ( ret = asn1_get_tag( &p, end, &len,
205 ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 3 ) ) == 0 )
206 {
207 /* trailer_field */
208 if( ( ret = asn1_get_int( &p, p + len, trailer_field ) ) != 0 )
209 return( POLARSSL_ERR_X509_INVALID_ALG + ret );
210 }
211 else if( ret != POLARSSL_ERR_ASN1_UNEXPECTED_TAG )
212 return( POLARSSL_ERR_X509_INVALID_ALG + ret );
213
214 if( p != end )
215 return( POLARSSL_ERR_X509_INVALID_ALG +
216 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
217
218 return( 0 );
219}
220
221/*
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]222 * AttributeTypeAndValue ::= SEQUENCE {
223 * type AttributeType,
224 * value AttributeValue }
225 *
226 * AttributeType ::= OBJECT IDENTIFIER
227 *
228 * AttributeValue ::= ANY DEFINED BY AttributeType
229 */
230static int x509_get_attr_type_value( unsigned char **p,
231 const unsigned char *end,
232 x509_name *cur )
233{
234 int ret;
235 size_t len;
236 x509_buf *oid;
237 x509_buf *val;
238
239 if( ( ret = asn1_get_tag( p, end, &len,
240 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]241 return( POLARSSL_ERR_X509_INVALID_NAME + ret );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]242
243 if( ( end - *p ) < 1 )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]244 return( POLARSSL_ERR_X509_INVALID_NAME +
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]245 POLARSSL_ERR_ASN1_OUT_OF_DATA );
246
247 oid = &cur->oid;
248 oid->tag = **p;
249
250 if( ( ret = asn1_get_tag( p, end, &oid->len, ASN1_OID ) ) != 0 )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]251 return( POLARSSL_ERR_X509_INVALID_NAME + ret );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]252
253 oid->p = *p;
254 *p += oid->len;
255
256 if( ( end - *p ) < 1 )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]257 return( POLARSSL_ERR_X509_INVALID_NAME +
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]258 POLARSSL_ERR_ASN1_OUT_OF_DATA );
259
260 if( **p != ASN1_BMP_STRING && **p != ASN1_UTF8_STRING &&
261 **p != ASN1_T61_STRING && **p != ASN1_PRINTABLE_STRING &&
262 **p != ASN1_IA5_STRING && **p != ASN1_UNIVERSAL_STRING )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]263 return( POLARSSL_ERR_X509_INVALID_NAME +
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]264 POLARSSL_ERR_ASN1_UNEXPECTED_TAG );
265
266 val = &cur->val;
267 val->tag = *(*p)++;
268
269 if( ( ret = asn1_get_len( p, end, &val->len ) ) != 0 )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]270 return( POLARSSL_ERR_X509_INVALID_NAME + ret );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]271
272 val->p = *p;
273 *p += val->len;
274
275 cur->next = NULL;
276
277 return( 0 );
278}
279
280/*
281 * RelativeDistinguishedName ::=
282 * SET OF AttributeTypeAndValue
283 *
284 * AttributeTypeAndValue ::= SEQUENCE {
285 * type AttributeType,
286 * value AttributeValue }
287 *
288 * AttributeType ::= OBJECT IDENTIFIER
289 *
290 * AttributeValue ::= ANY DEFINED BY AttributeType
291 */
292int x509_get_name( unsigned char **p, const unsigned char *end,
293 x509_name *cur )
294{
295 int ret;
296 size_t len;
297 const unsigned char *end2;
298 x509_name *use;
299
300 if( ( ret = asn1_get_tag( p, end, &len,
301 ASN1_CONSTRUCTED | ASN1_SET ) ) != 0 )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]302 return( POLARSSL_ERR_X509_INVALID_NAME + ret );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]303
304 end2 = end;
305 end = *p + len;
306 use = cur;
307
308 do
309 {
310 if( ( ret = x509_get_attr_type_value( p, end, use ) ) != 0 )
311 return( ret );
312
313 if( *p != end )
314 {
315 use->next = (x509_name *) polarssl_malloc(
316 sizeof( x509_name ) );
317
318 if( use->next == NULL )
319 return( POLARSSL_ERR_X509_MALLOC_FAILED );
320
321 memset( use->next, 0, sizeof( x509_name ) );
322
323 use = use->next;
324 }
325 }
326 while( *p != end );
327
328 /*
329 * recurse until end of SEQUENCE is reached
330 */
331 if( *p == end2 )
332 return( 0 );
333
334 cur->next = (x509_name *) polarssl_malloc(
335 sizeof( x509_name ) );
336
337 if( cur->next == NULL )
338 return( POLARSSL_ERR_X509_MALLOC_FAILED );
339
340 memset( cur->next, 0, sizeof( x509_name ) );
341
342 return( x509_get_name( p, end2, cur->next ) );
343}
344
345/*
346 * Time ::= CHOICE {
347 * utcTime UTCTime,
348 * generalTime GeneralizedTime }
349 */
350int x509_get_time( unsigned char **p, const unsigned char *end,
351 x509_time *time )
352{
353 int ret;
354 size_t len;
355 char date[64];
356 unsigned char tag;
357
358 if( ( end - *p ) < 1 )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]359 return( POLARSSL_ERR_X509_INVALID_DATE +
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]360 POLARSSL_ERR_ASN1_OUT_OF_DATA );
361
362 tag = **p;
363
364 if ( tag == ASN1_UTC_TIME )
365 {
366 (*p)++;
367 ret = asn1_get_len( p, end, &len );
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]368
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]369 if( ret != 0 )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]370 return( POLARSSL_ERR_X509_INVALID_DATE + ret );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]371
372 memset( date, 0, sizeof( date ) );
373 memcpy( date, *p, ( len < sizeof( date ) - 1 ) ?
374 len : sizeof( date ) - 1 );
375
376 if( sscanf( date, "%2d%2d%2d%2d%2d%2d",
377 &time->year, &time->mon, &time->day,
378 &time->hour, &time->min, &time->sec ) < 5 )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]379 return( POLARSSL_ERR_X509_INVALID_DATE );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]380
381 time->year += 100 * ( time->year < 50 );
382 time->year += 1900;
383
384 *p += len;
385
386 return( 0 );
387 }
388 else if ( tag == ASN1_GENERALIZED_TIME )
389 {
390 (*p)++;
391 ret = asn1_get_len( p, end, &len );
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]392
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]393 if( ret != 0 )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]394 return( POLARSSL_ERR_X509_INVALID_DATE + ret );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]395
396 memset( date, 0, sizeof( date ) );
397 memcpy( date, *p, ( len < sizeof( date ) - 1 ) ?
398 len : sizeof( date ) - 1 );
399
400 if( sscanf( date, "%4d%2d%2d%2d%2d%2d",
401 &time->year, &time->mon, &time->day,
402 &time->hour, &time->min, &time->sec ) < 5 )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]403 return( POLARSSL_ERR_X509_INVALID_DATE );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]404
405 *p += len;
406
407 return( 0 );
408 }
409 else
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]410 return( POLARSSL_ERR_X509_INVALID_DATE +
411 POLARSSL_ERR_ASN1_UNEXPECTED_TAG );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]412}
413
414int x509_get_sig( unsigned char **p, const unsigned char *end, x509_buf *sig )
415{
416 int ret;
417 size_t len;
418
419 if( ( end - *p ) < 1 )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]420 return( POLARSSL_ERR_X509_INVALID_SIGNATURE +
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]421 POLARSSL_ERR_ASN1_OUT_OF_DATA );
422
423 sig->tag = **p;
424
425 if( ( ret = asn1_get_bitstring_null( p, end, &len ) ) != 0 )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]426 return( POLARSSL_ERR_X509_INVALID_SIGNATURE + ret );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]427
428 sig->len = len;
429 sig->p = *p;
430
431 *p += len;
432
433 return( 0 );
434}
435
436int x509_get_sig_alg( const x509_buf *sig_oid, md_type_t *md_alg,
437 pk_type_t *pk_alg )
438{
439 int ret = oid_get_sig_alg( sig_oid, md_alg, pk_alg );
440
441 if( ret != 0 )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]442 return( POLARSSL_ERR_X509_UNKNOWN_SIG_ALG + ret );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]443
444 return( 0 );
445}
446
447/*
448 * X.509 Extensions (No parsing of extensions, pointer should
449 * be either manually updated or extensions should be parsed!
450 */
451int x509_get_ext( unsigned char **p, const unsigned char *end,
452 x509_buf *ext, int tag )
453{
454 int ret;
455 size_t len;
456
457 if( *p == end )
458 return( 0 );
459
460 ext->tag = **p;
461
462 if( ( ret = asn1_get_tag( p, end, &ext->len,
463 ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | tag ) ) != 0 )
464 return( ret );
465
466 ext->p = *p;
467 end = *p + ext->len;
468
469 /*
470 * Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
471 *
472 * Extension ::= SEQUENCE {
473 * extnID OBJECT IDENTIFIER,
474 * critical BOOLEAN DEFAULT FALSE,
475 * extnValue OCTET STRING }
476 */
477 if( ( ret = asn1_get_tag( p, end, &len,
478 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]479 return( POLARSSL_ERR_X509_INVALID_EXTENSIONS + ret );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]480
481 if( end != *p + len )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]482 return( POLARSSL_ERR_X509_INVALID_EXTENSIONS +
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]483 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
484
485 return( 0 );
486}
487
488#if defined(POLARSSL_FS_IO)
489/*
490 * Load all data from a file into a given buffer.
491 */
492int x509_load_file( const char *path, unsigned char **buf, size_t *n )
493{
494 FILE *f;
495 long size;
496
497 if( ( f = fopen( path, "rb" ) ) == NULL )
498 return( POLARSSL_ERR_X509_FILE_IO_ERROR );
499
500 fseek( f, 0, SEEK_END );
501 if( ( size = ftell( f ) ) == -1 )
502 {
503 fclose( f );
504 return( POLARSSL_ERR_X509_FILE_IO_ERROR );
505 }
506 fseek( f, 0, SEEK_SET );
507
508 *n = (size_t) size;
509
510 if( *n + 1 == 0 ||
511 ( *buf = (unsigned char *) polarssl_malloc( *n + 1 ) ) == NULL )
512 {
513 fclose( f );
514 return( POLARSSL_ERR_X509_MALLOC_FAILED );
515 }
516
517 if( fread( *buf, 1, *n, f ) != *n )
518 {
519 fclose( f );
520 polarssl_free( *buf );
521 return( POLARSSL_ERR_X509_FILE_IO_ERROR );
522 }
523
524 fclose( f );
525
526 (*buf)[*n] = '\0';
527
528 return( 0 );
529}
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]530#endif /* POLARSSL_FS_IO */
531
Paul Bakker6edcd412013-10-29 15:22:54 +0100[diff] [blame]532#if defined(_MSC_VER) && !defined snprintf && !defined(EFIX64) && \
533 !defined(EFI32)
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]534#include <stdarg.h>
535
536#if !defined vsnprintf
537#define vsnprintf _vsnprintf
538#endif // vsnprintf
539
540/*
541 * Windows _snprintf and _vsnprintf are not compatible to linux versions.
542 * Result value is not size of buffer needed, but -1 if no fit is possible.
543 *
544 * This fuction tries to 'fix' this by at least suggesting enlarging the
545 * size by 20.
546 */
547static int compat_snprintf(char *str, size_t size, const char *format, ...)
548{
549 va_list ap;
550 int res = -1;
551
552 va_start( ap, format );
553
554 res = vsnprintf( str, size, format, ap );
555
556 va_end( ap );
557
558 // No quick fix possible
559 if ( res < 0 )
560 return( (int) size + 20 );
561
562 return res;
563}
564
565#define snprintf compat_snprintf
566#endif
567
568#define POLARSSL_ERR_DEBUG_BUF_TOO_SMALL -2
569
570#define SAFE_SNPRINTF() \
571{ \
572 if( ret == -1 ) \
573 return( -1 ); \
574 \
575 if ( (unsigned int) ret > n ) { \
576 p[n - 1] = '\0'; \
577 return POLARSSL_ERR_DEBUG_BUF_TOO_SMALL;\
578 } \
579 \
580 n -= (unsigned int) ret; \
581 p += (unsigned int) ret; \
582}
583
584/*
585 * Store the name in printable form into buf; no more
586 * than size characters will be written
587 */
Paul Bakker86d0c192013-09-18 11:11:02 +0200[diff] [blame]588int x509_dn_gets( char *buf, size_t size, const x509_name *dn )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]589{
590 int ret;
591 size_t i, n;
592 unsigned char c;
593 const x509_name *name;
594 const char *short_name = NULL;
595 char s[128], *p;
596
597 memset( s, 0, sizeof( s ) );
598
599 name = dn;
600 p = buf;
601 n = size;
602
603 while( name != NULL )
604 {
605 if( !name->oid.p )
606 {
607 name = name->next;
608 continue;
609 }
610
611 if( name != dn )
612 {
613 ret = snprintf( p, n, ", " );
614 SAFE_SNPRINTF();
615 }
616
617 ret = oid_get_attr_short_name( &name->oid, &short_name );
618
619 if( ret == 0 )
620 ret = snprintf( p, n, "%s=", short_name );
621 else
622 ret = snprintf( p, n, "\?\?=" );
623 SAFE_SNPRINTF();
624
625 for( i = 0; i < name->val.len; i++ )
626 {
627 if( i >= sizeof( s ) - 1 )
628 break;
629
630 c = name->val.p[i];
631 if( c < 32 || c == 127 || ( c > 128 && c < 160 ) )
632 s[i] = '?';
633 else s[i] = c;
634 }
635 s[i] = '\0';
636 ret = snprintf( p, n, "%s", s );
637 SAFE_SNPRINTF();
638 name = name->next;
639 }
640
641 return( (int) ( size - n ) );
642}
643
644/*
645 * Store the serial in printable form into buf; no more
646 * than size characters will be written
647 */
Paul Bakker86d0c192013-09-18 11:11:02 +0200[diff] [blame]648int x509_serial_gets( char *buf, size_t size, const x509_buf *serial )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]649{
650 int ret;
651 size_t i, n, nr;
652 char *p;
653
654 p = buf;
655 n = size;
656
657 nr = ( serial->len <= 32 )
658 ? serial->len : 28;
659
660 for( i = 0; i < nr; i++ )
661 {
662 if( i == 0 && nr > 1 && serial->p[i] == 0x0 )
663 continue;
664
665 ret = snprintf( p, n, "%02X%s",
666 serial->p[i], ( i < nr - 1 ) ? ":" : "" );
667 SAFE_SNPRINTF();
668 }
669
670 if( nr != serial->len )
671 {
672 ret = snprintf( p, n, "...." );
673 SAFE_SNPRINTF();
674 }
675
676 return( (int) ( size - n ) );
677}
678
679/*
680 * Helper for writing "RSA key size", "EC key size", etc
681 */
682int x509_key_size_helper( char *buf, size_t size, const char *name )
683{
684 char *p = buf;
685 size_t n = size;
686 int ret;
687
688 if( strlen( name ) + sizeof( " key size" ) > size )
689 return POLARSSL_ERR_DEBUG_BUF_TOO_SMALL;
690
691 ret = snprintf( p, n, "%s key size", name );
692 SAFE_SNPRINTF();
693
694 return( 0 );
695}
696
697/*
698 * Return an informational string describing the given OID
699 */
700const char *x509_oid_get_description( x509_buf *oid )
701{
702 const char *desc = NULL;
703 int ret;
704
705 ret = oid_get_extended_key_usage( oid, &desc );
706
707 if( ret != 0 )
708 return( NULL );
709
710 return( desc );
711}
712
713/* Return the x.y.z.... style numeric string for the given OID */
714int x509_oid_get_numeric_string( char *buf, size_t size, x509_buf *oid )
715{
716 return oid_get_numeric_string( buf, size, oid );
717}
718
719/*
720 * Return 0 if the x509_time is still valid, or 1 otherwise.
721 */
722#if defined(POLARSSL_HAVE_TIME)
Paul Bakker86d0c192013-09-18 11:11:02 +0200[diff] [blame]723int x509_time_expired( const x509_time *to )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]724{
725 int year, mon, day;
726 int hour, min, sec;
727
Paul Bakkerfa6a6202013-10-28 18:48:30 +0100[diff] [blame]728#if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]729 SYSTEMTIME st;
730
731 GetLocalTime(&st);
732
733 year = st.wYear;
734 mon = st.wMonth;
735 day = st.wDay;
736 hour = st.wHour;
737 min = st.wMinute;
738 sec = st.wSecond;
739#else
740 struct tm *lt;
741 time_t tt;
742
743 tt = time( NULL );
744 lt = localtime( &tt );
745
746 year = lt->tm_year + 1900;
747 mon = lt->tm_mon + 1;
748 day = lt->tm_mday;
749 hour = lt->tm_hour;
750 min = lt->tm_min;
751 sec = lt->tm_sec;
752#endif
753
754 if( year > to->year )
755 return( 1 );
756
757 if( year == to->year &&
758 mon > to->mon )
759 return( 1 );
760
761 if( year == to->year &&
762 mon == to->mon &&
763 day > to->day )
764 return( 1 );
765
766 if( year == to->year &&
767 mon == to->mon &&
768 day == to->day &&
769 hour > to->hour )
770 return( 1 );
771
772 if( year == to->year &&
773 mon == to->mon &&
774 day == to->day &&
775 hour == to->hour &&
776 min > to->min )
777 return( 1 );
778
779 if( year == to->year &&
780 mon == to->mon &&
781 day == to->day &&
782 hour == to->hour &&
783 min == to->min &&
784 sec > to->sec )
785 return( 1 );
786
787 return( 0 );
788}
789#else /* POLARSSL_HAVE_TIME */
Paul Bakker86d0c192013-09-18 11:11:02 +0200[diff] [blame]790int x509_time_expired( const x509_time *to )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]791{
792 ((void) to);
793 return( 0 );
794}
795#endif /* POLARSSL_HAVE_TIME */
796
Paul Bakkere9e6ae32013-09-16 22:53:25 +0200[diff] [blame]797#if defined(POLARSSL_SELF_TEST)
798
799#include "polarssl/x509_crt.h"
800#include "polarssl/certs.h"
801
802/*
803 * Checkup routine
804 */
805int x509_self_test( int verbose )
806{
807#if defined(POLARSSL_CERTS_C) && defined(POLARSSL_MD5_C)
808 int ret;
809 int flags;
Paul Bakkerc559c7a2013-09-18 14:13:26 +0200[diff] [blame]810 x509_crt cacert;
811 x509_crt clicert;
Paul Bakkere9e6ae32013-09-16 22:53:25 +0200[diff] [blame]812
813 if( verbose != 0 )
814 printf( " X.509 certificate load: " );
815
Paul Bakkerb6b09562013-09-18 14:17:41 +0200[diff] [blame]816 x509_crt_init( &clicert );
Paul Bakkere9e6ae32013-09-16 22:53:25 +0200[diff] [blame]817
Paul Bakkerddf26b42013-09-18 13:46:23 +0200[diff] [blame]818 ret = x509_crt_parse( &clicert, (const unsigned char *) test_cli_crt,
819 strlen( test_cli_crt ) );
Paul Bakkere9e6ae32013-09-16 22:53:25 +0200[diff] [blame]820 if( ret != 0 )
821 {
822 if( verbose != 0 )
823 printf( "failed\n" );
824
825 return( ret );
826 }
827
Paul Bakkerb6b09562013-09-18 14:17:41 +0200[diff] [blame]828 x509_crt_init( &cacert );
Paul Bakkere9e6ae32013-09-16 22:53:25 +0200[diff] [blame]829
Paul Bakkerddf26b42013-09-18 13:46:23 +0200[diff] [blame]830 ret = x509_crt_parse( &cacert, (const unsigned char *) test_ca_crt,
831 strlen( test_ca_crt ) );
Paul Bakkere9e6ae32013-09-16 22:53:25 +0200[diff] [blame]832 if( ret != 0 )
833 {
834 if( verbose != 0 )
835 printf( "failed\n" );
836
837 return( ret );
838 }
839
840 if( verbose != 0 )
841 printf( "passed\n X.509 signature verify: ");
842
Paul Bakkerddf26b42013-09-18 13:46:23 +0200[diff] [blame]843 ret = x509_crt_verify( &clicert, &cacert, NULL, NULL, &flags, NULL, NULL );
Paul Bakkere9e6ae32013-09-16 22:53:25 +0200[diff] [blame]844 if( ret != 0 )
845 {
846 if( verbose != 0 )
847 printf( "failed\n" );
848
849 printf("ret = %d, &flags = %04x\n", ret, flags);
850
851 return( ret );
852 }
853
854 if( verbose != 0 )
855 printf( "passed\n\n");
856
857 x509_crt_free( &cacert );
858 x509_crt_free( &clicert );
859
860 return( 0 );
861#else
862 ((void) verbose);
863 return( POLARSSL_ERR_X509_FEATURE_UNAVAILABLE );
864#endif
865}
866
867#endif
868
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]869#endif /* POLARSSL_X509_USE_C */