TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 00ab47026bde24fca88362dab620c6ff835606ac / . / library / x509_crl.c
blob: b957e37657f5efcb60e35324f5672e2e372e7c3f [file] [log] [blame]
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]1/*
Manuel Pégourié-Gonnard1c082f32014-06-12 22:34:55 +0200[diff] [blame]2 * X.509 Certidicate Revocation List (CRL) parsing
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]3 *
Manuel Pégourié-Gonnarda658a402015-01-23 09:45:19 +0000[diff] [blame]4 * Copyright (C) 2006-2014, ARM Limited, All Rights Reserved
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]5 *
Manuel Pégourié-Gonnard860b5162015-01-28 17:12:07 +0000[diff] [blame]6 * This file is part of mbed TLS (https://polarssl.org)
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]7 *
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
12 *
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17 *
18 * You should have received a copy of the GNU General Public License along
19 * with this program; if not, write to the Free Software Foundation, Inc.,
20 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
21 */
22/*
23 * The ITU-T X.509 standard defines a certificate format for PKI.
24 *
Manuel Pégourié-Gonnard1c082f32014-06-12 22:34:55 +0200[diff] [blame]25 * http://www.ietf.org/rfc/rfc5280.txt (Certificates and CRLs)
26 * http://www.ietf.org/rfc/rfc3279.txt (Alg IDs for CRLs)
27 * http://www.ietf.org/rfc/rfc2986.txt (CSRs, aka PKCS#10)
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]28 *
29 * http://www.itu.int/ITU-T/studygroups/com17/languages/X.680-0207.pdf
30 * http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf
31 */
32
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]33#if !defined(POLARSSL_CONFIG_FILE)
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]34#include "polarssl/config.h"
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]35#else
36#include POLARSSL_CONFIG_FILE
37#endif
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]38
39#if defined(POLARSSL_X509_CRL_PARSE_C)
40
41#include "polarssl/x509_crl.h"
42#include "polarssl/oid.h"
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame^]43
44#include <string.h>
45
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]46#if defined(POLARSSL_PEM_PARSE_C)
47#include "polarssl/pem.h"
48#endif
49
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]50#if defined(POLARSSL_PLATFORM_C)
51#include "polarssl/platform.h"
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]52#else
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame^]53#include <stdlib.h>
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]54#define polarssl_malloc malloc
55#define polarssl_free free
56#endif
57
Paul Bakkerfa6a6202013-10-28 18:48:30 +0100[diff] [blame]58#if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]59#include <windows.h>
60#else
61#include <time.h>
62#endif
63
Paul Bakkerfa6a6202013-10-28 18:48:30 +0100[diff] [blame]64#if defined(POLARSSL_FS_IO) || defined(EFIX64) || defined(EFI32)
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]65#include <stdio.h>
66#endif
67
Paul Bakker34617722014-06-13 17:20:13 +0200[diff] [blame]68/* Implementation that should never be optimized out by the compiler */
69static void polarssl_zeroize( void *v, size_t n ) {
70 volatile unsigned char *p = v; while( n-- ) *p++ = 0;
71}
72
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]73/*
74 * Version ::= INTEGER { v1(0), v2(1) }
75 */
76static int x509_crl_get_version( unsigned char **p,
77 const unsigned char *end,
78 int *ver )
79{
80 int ret;
81
82 if( ( ret = asn1_get_int( p, end, ver ) ) != 0 )
83 {
84 if( ret == POLARSSL_ERR_ASN1_UNEXPECTED_TAG )
85 {
86 *ver = 0;
87 return( 0 );
88 }
89
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]90 return( POLARSSL_ERR_X509_INVALID_VERSION + ret );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]91 }
92
93 return( 0 );
94}
95
96/*
97 * X.509 CRL v2 extensions (no extensions parsed yet.)
98 */
99static int x509_get_crl_ext( unsigned char **p,
100 const unsigned char *end,
101 x509_buf *ext )
102{
103 int ret;
104 size_t len = 0;
105
106 /* Get explicit tag */
107 if( ( ret = x509_get_ext( p, end, ext, 0) ) != 0 )
108 {
109 if( ret == POLARSSL_ERR_ASN1_UNEXPECTED_TAG )
110 return( 0 );
111
112 return( ret );
113 }
114
115 while( *p < end )
116 {
117 if( ( ret = asn1_get_tag( p, end, &len,
118 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]119 return( POLARSSL_ERR_X509_INVALID_EXTENSIONS + ret );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]120
121 *p += len;
122 }
123
124 if( *p != end )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]125 return( POLARSSL_ERR_X509_INVALID_EXTENSIONS +
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]126 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
127
128 return( 0 );
129}
130
131/*
132 * X.509 CRL v2 entry extensions (no extensions parsed yet.)
133 */
134static int x509_get_crl_entry_ext( unsigned char **p,
135 const unsigned char *end,
136 x509_buf *ext )
137{
138 int ret;
139 size_t len = 0;
140
141 /* OPTIONAL */
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]142 if( end <= *p )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]143 return( 0 );
144
145 ext->tag = **p;
146 ext->p = *p;
147
148 /*
149 * Get CRL-entry extension sequence header
150 * crlEntryExtensions Extensions OPTIONAL -- if present, MUST be v2
151 */
152 if( ( ret = asn1_get_tag( p, end, &ext->len,
153 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
154 {
155 if( ret == POLARSSL_ERR_ASN1_UNEXPECTED_TAG )
156 {
157 ext->p = NULL;
158 return( 0 );
159 }
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]160 return( POLARSSL_ERR_X509_INVALID_EXTENSIONS + ret );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]161 }
162
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]163 end = *p + ext->len;
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]164
165 if( end != *p + ext->len )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]166 return( POLARSSL_ERR_X509_INVALID_EXTENSIONS +
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]167 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
168
169 while( *p < end )
170 {
171 if( ( ret = asn1_get_tag( p, end, &len,
172 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]173 return( POLARSSL_ERR_X509_INVALID_EXTENSIONS + ret );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]174
175 *p += len;
176 }
177
178 if( *p != end )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]179 return( POLARSSL_ERR_X509_INVALID_EXTENSIONS +
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]180 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
181
182 return( 0 );
183}
184
185/*
186 * X.509 CRL Entries
187 */
188static int x509_get_entries( unsigned char **p,
189 const unsigned char *end,
190 x509_crl_entry *entry )
191{
192 int ret;
193 size_t entry_len;
194 x509_crl_entry *cur_entry = entry;
195
196 if( *p == end )
197 return( 0 );
198
199 if( ( ret = asn1_get_tag( p, end, &entry_len,
200 ASN1_SEQUENCE | ASN1_CONSTRUCTED ) ) != 0 )
201 {
202 if( ret == POLARSSL_ERR_ASN1_UNEXPECTED_TAG )
203 return( 0 );
204
205 return( ret );
206 }
207
208 end = *p + entry_len;
209
210 while( *p < end )
211 {
212 size_t len2;
213 const unsigned char *end2;
214
215 if( ( ret = asn1_get_tag( p, end, &len2,
216 ASN1_SEQUENCE | ASN1_CONSTRUCTED ) ) != 0 )
217 {
218 return( ret );
219 }
220
221 cur_entry->raw.tag = **p;
222 cur_entry->raw.p = *p;
223 cur_entry->raw.len = len2;
224 end2 = *p + len2;
225
226 if( ( ret = x509_get_serial( p, end2, &cur_entry->serial ) ) != 0 )
227 return( ret );
228
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200[diff] [blame]229 if( ( ret = x509_get_time( p, end2,
230 &cur_entry->revocation_date ) ) != 0 )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]231 return( ret );
232
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200[diff] [blame]233 if( ( ret = x509_get_crl_entry_ext( p, end2,
234 &cur_entry->entry_ext ) ) != 0 )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]235 return( ret );
236
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]237 if( *p < end )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]238 {
239 cur_entry->next = polarssl_malloc( sizeof( x509_crl_entry ) );
240
241 if( cur_entry->next == NULL )
242 return( POLARSSL_ERR_X509_MALLOC_FAILED );
243
Manuel Pégourié-Gonnarde5b0fc12014-11-12 22:27:42 +0100[diff] [blame]244 memset( cur_entry->next, 0, sizeof( x509_crl_entry ) );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]245 cur_entry = cur_entry->next;
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]246 }
247 }
248
249 return( 0 );
250}
251
252/*
Manuel Pégourié-Gonnard426d4ae2014-11-19 16:58:28 +0100[diff] [blame]253 * Parse one CRLs in DER format and append it to the chained list
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]254 */
Manuel Pégourié-Gonnard426d4ae2014-11-19 16:58:28 +0100[diff] [blame]255int x509_crl_parse_der( x509_crl *chain,
256 const unsigned char *buf, size_t buflen )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]257{
258 int ret;
259 size_t len;
260 unsigned char *p, *end;
Manuel Pégourié-Gonnarddddbb1d2014-06-05 17:02:24 +0200[diff] [blame]261 x509_buf sig_params1, sig_params2;
Manuel Pégourié-Gonnard426d4ae2014-11-19 16:58:28 +0100[diff] [blame]262 x509_crl *crl = chain;
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]263
264 /*
265 * Check for valid input
266 */
267 if( crl == NULL || buf == NULL )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]268 return( POLARSSL_ERR_X509_BAD_INPUT_DATA );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]269
Manuel Pégourié-Gonnard426d4ae2014-11-19 16:58:28 +0100[diff] [blame]270 memset( &sig_params1, 0, sizeof( x509_buf ) );
271 memset( &sig_params2, 0, sizeof( x509_buf ) );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]272
273 /*
274 * Add new CRL on the end of the chain if needed.
275 */
Manuel Pégourié-Gonnard426d4ae2014-11-19 16:58:28 +0100[diff] [blame]276 while( crl->version != 0 && crl->next != NULL )
277 crl = crl->next;
278
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]279 if( crl->version != 0 && crl->next == NULL )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]280 {
281 crl->next = (x509_crl *) polarssl_malloc( sizeof( x509_crl ) );
282
283 if( crl->next == NULL )
284 {
285 x509_crl_free( crl );
286 return( POLARSSL_ERR_X509_MALLOC_FAILED );
287 }
288
Manuel Pégourié-Gonnarde5b0fc12014-11-12 22:27:42 +0100[diff] [blame]289 x509_crl_init( crl->next );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]290 crl = crl->next;
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]291 }
292
Manuel Pégourié-Gonnard426d4ae2014-11-19 16:58:28 +0100[diff] [blame]293 /*
294 * Copy raw DER-encoded CRL
295 */
296 if( ( p = polarssl_malloc( buflen ) ) == NULL )
297 return( POLARSSL_ERR_X509_MALLOC_FAILED );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]298
Manuel Pégourié-Gonnard426d4ae2014-11-19 16:58:28 +0100[diff] [blame]299 memcpy( p, buf, buflen );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]300
301 crl->raw.p = p;
Manuel Pégourié-Gonnard426d4ae2014-11-19 16:58:28 +0100[diff] [blame]302 crl->raw.len = buflen;
303
304 end = p + buflen;
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]305
306 /*
307 * CertificateList ::= SEQUENCE {
308 * tbsCertList TBSCertList,
309 * signatureAlgorithm AlgorithmIdentifier,
310 * signatureValue BIT STRING }
311 */
312 if( ( ret = asn1_get_tag( &p, end, &len,
313 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
314 {
315 x509_crl_free( crl );
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]316 return( POLARSSL_ERR_X509_INVALID_FORMAT );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]317 }
318
319 if( len != (size_t) ( end - p ) )
320 {
321 x509_crl_free( crl );
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]322 return( POLARSSL_ERR_X509_INVALID_FORMAT +
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]323 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
324 }
325
326 /*
327 * TBSCertList ::= SEQUENCE {
328 */
329 crl->tbs.p = p;
330
331 if( ( ret = asn1_get_tag( &p, end, &len,
332 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
333 {
334 x509_crl_free( crl );
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]335 return( POLARSSL_ERR_X509_INVALID_FORMAT + ret );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]336 }
337
338 end = p + len;
339 crl->tbs.len = end - crl->tbs.p;
340
341 /*
342 * Version ::= INTEGER OPTIONAL { v1(0), v2(1) }
343 * -- if present, MUST be v2
344 *
345 * signature AlgorithmIdentifier
346 */
347 if( ( ret = x509_crl_get_version( &p, end, &crl->version ) ) != 0 ||
Manuel Pégourié-Gonnarddddbb1d2014-06-05 17:02:24 +0200[diff] [blame]348 ( ret = x509_get_alg( &p, end, &crl->sig_oid1, &sig_params1 ) ) != 0 )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]349 {
350 x509_crl_free( crl );
351 return( ret );
352 }
353
354 crl->version++;
355
356 if( crl->version > 2 )
357 {
358 x509_crl_free( crl );
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]359 return( POLARSSL_ERR_X509_UNKNOWN_VERSION );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]360 }
361
Manuel Pégourié-Gonnarddddbb1d2014-06-05 17:02:24 +0200[diff] [blame]362 if( ( ret = x509_get_sig_alg( &crl->sig_oid1, &sig_params1,
Manuel Pégourié-Gonnardf75f2f72014-06-05 15:14:28 +0200[diff] [blame]363 &crl->sig_md, &crl->sig_pk,
364 &crl->sig_opts ) ) != 0 )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]365 {
366 x509_crl_free( crl );
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]367 return( POLARSSL_ERR_X509_UNKNOWN_SIG_ALG );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]368 }
369
370 /*
371 * issuer Name
372 */
373 crl->issuer_raw.p = p;
374
375 if( ( ret = asn1_get_tag( &p, end, &len,
376 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
377 {
378 x509_crl_free( crl );
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]379 return( POLARSSL_ERR_X509_INVALID_FORMAT + ret );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]380 }
381
382 if( ( ret = x509_get_name( &p, p + len, &crl->issuer ) ) != 0 )
383 {
384 x509_crl_free( crl );
385 return( ret );
386 }
387
388 crl->issuer_raw.len = p - crl->issuer_raw.p;
389
390 /*
391 * thisUpdate Time
392 * nextUpdate Time OPTIONAL
393 */
394 if( ( ret = x509_get_time( &p, end, &crl->this_update ) ) != 0 )
395 {
396 x509_crl_free( crl );
397 return( ret );
398 }
399
400 if( ( ret = x509_get_time( &p, end, &crl->next_update ) ) != 0 )
401 {
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]402 if( ret != ( POLARSSL_ERR_X509_INVALID_DATE +
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]403 POLARSSL_ERR_ASN1_UNEXPECTED_TAG ) &&
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]404 ret != ( POLARSSL_ERR_X509_INVALID_DATE +
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]405 POLARSSL_ERR_ASN1_OUT_OF_DATA ) )
406 {
407 x509_crl_free( crl );
408 return( ret );
409 }
410 }
411
412 /*
413 * revokedCertificates SEQUENCE OF SEQUENCE {
414 * userCertificate CertificateSerialNumber,
415 * revocationDate Time,
416 * crlEntryExtensions Extensions OPTIONAL
417 * -- if present, MUST be v2
418 * } OPTIONAL
419 */
420 if( ( ret = x509_get_entries( &p, end, &crl->entry ) ) != 0 )
421 {
422 x509_crl_free( crl );
423 return( ret );
424 }
425
426 /*
427 * crlExtensions EXPLICIT Extensions OPTIONAL
428 * -- if present, MUST be v2
429 */
430 if( crl->version == 2 )
431 {
432 ret = x509_get_crl_ext( &p, end, &crl->crl_ext );
433
434 if( ret != 0 )
435 {
436 x509_crl_free( crl );
437 return( ret );
438 }
439 }
440
441 if( p != end )
442 {
443 x509_crl_free( crl );
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]444 return( POLARSSL_ERR_X509_INVALID_FORMAT +
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]445 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
446 }
447
448 end = crl->raw.p + crl->raw.len;
449
450 /*
451 * signatureAlgorithm AlgorithmIdentifier,
452 * signatureValue BIT STRING
453 */
Manuel Pégourié-Gonnarddddbb1d2014-06-05 17:02:24 +0200[diff] [blame]454 if( ( ret = x509_get_alg( &p, end, &crl->sig_oid2, &sig_params2 ) ) != 0 )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]455 {
456 x509_crl_free( crl );
457 return( ret );
458 }
459
460 if( crl->sig_oid1.len != crl->sig_oid2.len ||
Manuel Pégourié-Gonnarddddbb1d2014-06-05 17:02:24 +0200[diff] [blame]461 memcmp( crl->sig_oid1.p, crl->sig_oid2.p, crl->sig_oid1.len ) != 0 ||
462 sig_params1.len != sig_params2.len ||
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]463 memcmp( sig_params1.p, sig_params2.p, sig_params1.len ) != 0 )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]464 {
465 x509_crl_free( crl );
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]466 return( POLARSSL_ERR_X509_SIG_MISMATCH );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]467 }
468
469 if( ( ret = x509_get_sig( &p, end, &crl->sig ) ) != 0 )
470 {
471 x509_crl_free( crl );
472 return( ret );
473 }
474
475 if( p != end )
476 {
477 x509_crl_free( crl );
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]478 return( POLARSSL_ERR_X509_INVALID_FORMAT +
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]479 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
480 }
481
Manuel Pégourié-Gonnard426d4ae2014-11-19 16:58:28 +0100[diff] [blame]482 return( 0 );
483}
484
485/*
486 * Parse one or more CRLs and add them to the chained list
487 */
488int x509_crl_parse( x509_crl *chain, const unsigned char *buf, size_t buflen )
489{
Manuel Pégourié-Gonnard6ed2d922014-11-19 19:05:03 +0100[diff] [blame]490#if defined(POLARSSL_PEM_PARSE_C)
Manuel Pégourié-Gonnard426d4ae2014-11-19 16:58:28 +0100[diff] [blame]491 int ret;
Manuel Pégourié-Gonnard6ed2d922014-11-19 19:05:03 +0100[diff] [blame]492 size_t use_len;
493 pem_context pem;
494 int is_pem = 0;
Manuel Pégourié-Gonnard426d4ae2014-11-19 16:58:28 +0100[diff] [blame]495
496 if( chain == NULL || buf == NULL )
497 return( POLARSSL_ERR_X509_BAD_INPUT_DATA );
498
Manuel Pégourié-Gonnard6ed2d922014-11-19 19:05:03 +0100[diff] [blame]499 do
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]500 {
Manuel Pégourié-Gonnard6ed2d922014-11-19 19:05:03 +0100[diff] [blame]501 pem_init( &pem );
502 ret = pem_read_buffer( &pem,
503 "-----BEGIN X509 CRL-----",
504 "-----END X509 CRL-----",
505 buf, NULL, 0, &use_len );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]506
Manuel Pégourié-Gonnard6ed2d922014-11-19 19:05:03 +0100[diff] [blame]507 if( ret == 0 )
508 {
509 /*
510 * Was PEM encoded
511 */
512 is_pem = 1;
513
514 buflen -= use_len;
515 buf += use_len;
516
517 if( ( ret = x509_crl_parse_der( chain,
518 pem.buf, pem.buflen ) ) != 0 )
519 {
520 return( ret );
521 }
522
523 pem_free( &pem );
524 }
525 else if( ret != POLARSSL_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
526 {
527 pem_free( &pem );
Manuel Pégourié-Gonnard426d4ae2014-11-19 16:58:28 +0100[diff] [blame]528 return( ret );
Manuel Pégourié-Gonnard6ed2d922014-11-19 19:05:03 +0100[diff] [blame]529 }
530 }
531 while( is_pem && buflen > 0 );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]532
Manuel Pégourié-Gonnard6ed2d922014-11-19 19:05:03 +0100[diff] [blame]533 if( is_pem )
534 return( 0 );
Manuel Pégourié-Gonnard426d4ae2014-11-19 16:58:28 +0100[diff] [blame]535 else
536#endif /* POLARSSL_PEM_PARSE_C */
Manuel Pégourié-Gonnard6ed2d922014-11-19 19:05:03 +0100[diff] [blame]537 return( x509_crl_parse_der( chain, buf, buflen ) );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]538}
539
540#if defined(POLARSSL_FS_IO)
541/*
542 * Load one or more CRLs and add them to the chained list
543 */
Paul Bakkerddf26b42013-09-18 13:46:23 +0200[diff] [blame]544int x509_crl_parse_file( x509_crl *chain, const char *path )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]545{
546 int ret;
547 size_t n;
548 unsigned char *buf;
549
Manuel Pégourié-Gonnard9439f932014-11-21 09:49:43 +0100[diff] [blame]550 if( ( ret = pk_load_file( path, &buf, &n ) ) != 0 )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]551 return( ret );
552
Paul Bakkerddf26b42013-09-18 13:46:23 +0200[diff] [blame]553 ret = x509_crl_parse( chain, buf, n );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]554
Paul Bakker34617722014-06-13 17:20:13 +0200[diff] [blame]555 polarssl_zeroize( buf, n + 1 );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]556 polarssl_free( buf );
557
558 return( ret );
559}
560#endif /* POLARSSL_FS_IO */
561
Paul Bakker6edcd412013-10-29 15:22:54 +0100[diff] [blame]562#if defined(_MSC_VER) && !defined snprintf && !defined(EFIX64) && \
563 !defined(EFI32)
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]564#include <stdarg.h>
565
566#if !defined vsnprintf
567#define vsnprintf _vsnprintf
568#endif // vsnprintf
569
570/*
571 * Windows _snprintf and _vsnprintf are not compatible to linux versions.
572 * Result value is not size of buffer needed, but -1 if no fit is possible.
573 *
574 * This fuction tries to 'fix' this by at least suggesting enlarging the
575 * size by 20.
576 */
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]577static int compat_snprintf( char *str, size_t size, const char *format, ... )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]578{
579 va_list ap;
580 int res = -1;
581
582 va_start( ap, format );
583
584 res = vsnprintf( str, size, format, ap );
585
586 va_end( ap );
587
588 // No quick fix possible
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]589 if( res < 0 )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]590 return( (int) size + 20 );
591
Paul Bakkerd8bb8262014-06-17 14:06:49 +0200[diff] [blame]592 return( res );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]593}
594
595#define snprintf compat_snprintf
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]596#endif /* _MSC_VER && !snprintf && !EFIX64 && !EFI32 */
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]597
598#define POLARSSL_ERR_DEBUG_BUF_TOO_SMALL -2
599
Paul Bakkerd8bb8262014-06-17 14:06:49 +0200[diff] [blame]600#define SAFE_SNPRINTF() \
601{ \
602 if( ret == -1 ) \
603 return( -1 ); \
604 \
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]605 if( (unsigned int) ret > n ) { \
Paul Bakkerd8bb8262014-06-17 14:06:49 +0200[diff] [blame]606 p[n - 1] = '\0'; \
607 return( POLARSSL_ERR_DEBUG_BUF_TOO_SMALL ); \
608 } \
609 \
610 n -= (unsigned int) ret; \
611 p += (unsigned int) ret; \
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]612}
613
614/*
615 * Return an informational string about the certificate.
616 */
617#define BEFORE_COLON 14
618#define BC "14"
619/*
620 * Return an informational string about the CRL.
621 */
Paul Bakkerddf26b42013-09-18 13:46:23 +0200[diff] [blame]622int x509_crl_info( char *buf, size_t size, const char *prefix,
623 const x509_crl *crl )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]624{
625 int ret;
626 size_t n;
627 char *p;
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]628 const x509_crl_entry *entry;
629
630 p = buf;
631 n = size;
632
633 ret = snprintf( p, n, "%sCRL version : %d",
634 prefix, crl->version );
635 SAFE_SNPRINTF();
636
637 ret = snprintf( p, n, "\n%sissuer name : ", prefix );
638 SAFE_SNPRINTF();
Paul Bakker86d0c192013-09-18 11:11:02 +0200[diff] [blame]639 ret = x509_dn_gets( p, n, &crl->issuer );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]640 SAFE_SNPRINTF();
641
642 ret = snprintf( p, n, "\n%sthis update : " \
643 "%04d-%02d-%02d %02d:%02d:%02d", prefix,
644 crl->this_update.year, crl->this_update.mon,
645 crl->this_update.day, crl->this_update.hour,
646 crl->this_update.min, crl->this_update.sec );
647 SAFE_SNPRINTF();
648
649 ret = snprintf( p, n, "\n%snext update : " \
650 "%04d-%02d-%02d %02d:%02d:%02d", prefix,
651 crl->next_update.year, crl->next_update.mon,
652 crl->next_update.day, crl->next_update.hour,
653 crl->next_update.min, crl->next_update.sec );
654 SAFE_SNPRINTF();
655
656 entry = &crl->entry;
657
658 ret = snprintf( p, n, "\n%sRevoked certificates:",
659 prefix );
660 SAFE_SNPRINTF();
661
662 while( entry != NULL && entry->raw.len != 0 )
663 {
664 ret = snprintf( p, n, "\n%sserial number: ",
665 prefix );
666 SAFE_SNPRINTF();
667
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]668 ret = x509_serial_gets( p, n, &entry->serial );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]669 SAFE_SNPRINTF();
670
671 ret = snprintf( p, n, " revocation date: " \
672 "%04d-%02d-%02d %02d:%02d:%02d",
673 entry->revocation_date.year, entry->revocation_date.mon,
674 entry->revocation_date.day, entry->revocation_date.hour,
675 entry->revocation_date.min, entry->revocation_date.sec );
676 SAFE_SNPRINTF();
677
678 entry = entry->next;
679 }
680
681 ret = snprintf( p, n, "\n%ssigned using : ", prefix );
682 SAFE_SNPRINTF();
683
Manuel Pégourié-Gonnard91136032014-06-05 15:41:39 +0200[diff] [blame]684 ret = x509_sig_alg_gets( p, n, &crl->sig_oid1, crl->sig_pk, crl->sig_md,
Manuel Pégourié-Gonnardbf696d02014-06-05 17:07:30 +0200[diff] [blame]685 crl->sig_opts );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]686 SAFE_SNPRINTF();
687
688 ret = snprintf( p, n, "\n" );
689 SAFE_SNPRINTF();
690
691 return( (int) ( size - n ) );
692}
693
694/*
Paul Bakker369d2eb2013-09-18 11:58:25 +0200[diff] [blame]695 * Initialize a CRL chain
696 */
697void x509_crl_init( x509_crl *crl )
698{
699 memset( crl, 0, sizeof(x509_crl) );
700}
701
702/*
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]703 * Unallocate all CRL data
704 */
705void x509_crl_free( x509_crl *crl )
706{
707 x509_crl *crl_cur = crl;
708 x509_crl *crl_prv;
709 x509_name *name_cur;
710 x509_name *name_prv;
711 x509_crl_entry *entry_cur;
712 x509_crl_entry *entry_prv;
713
714 if( crl == NULL )
715 return;
716
717 do
718 {
Manuel Pégourié-Gonnardd1539b12014-06-06 16:42:37 +0200[diff] [blame]719#if defined(POLARSSL_X509_RSASSA_PSS_SUPPORT)
Manuel Pégourié-Gonnardf75f2f72014-06-05 15:14:28 +0200[diff] [blame]720 polarssl_free( crl_cur->sig_opts );
721#endif
722
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]723 name_cur = crl_cur->issuer.next;
724 while( name_cur != NULL )
725 {
726 name_prv = name_cur;
727 name_cur = name_cur->next;
Paul Bakker34617722014-06-13 17:20:13 +0200[diff] [blame]728 polarssl_zeroize( name_prv, sizeof( x509_name ) );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]729 polarssl_free( name_prv );
730 }
731
732 entry_cur = crl_cur->entry.next;
733 while( entry_cur != NULL )
734 {
735 entry_prv = entry_cur;
736 entry_cur = entry_cur->next;
Paul Bakker34617722014-06-13 17:20:13 +0200[diff] [blame]737 polarssl_zeroize( entry_prv, sizeof( x509_crl_entry ) );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]738 polarssl_free( entry_prv );
739 }
740
741 if( crl_cur->raw.p != NULL )
742 {
Paul Bakker34617722014-06-13 17:20:13 +0200[diff] [blame]743 polarssl_zeroize( crl_cur->raw.p, crl_cur->raw.len );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]744 polarssl_free( crl_cur->raw.p );
745 }
746
747 crl_cur = crl_cur->next;
748 }
749 while( crl_cur != NULL );
750
751 crl_cur = crl;
752 do
753 {
754 crl_prv = crl_cur;
755 crl_cur = crl_cur->next;
756
Paul Bakker34617722014-06-13 17:20:13 +0200[diff] [blame]757 polarssl_zeroize( crl_prv, sizeof( x509_crl ) );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]758 if( crl_prv != crl )
759 polarssl_free( crl_prv );
760 }
761 while( crl_cur != NULL );
762}
763
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]764#endif /* POLARSSL_X509_CRL_PARSE_C */