Blame - library/x509.c - mirror/mbed-tls - TrustedFirmware Git Browser

blob: e671fabff093b6ad66517c75d7826eb6f703d9f0 [file] [log] [blame]

Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1	/*
Manuel Pégourié-Gonnard	1c082f3	2014-06-12 22:34:55 +0200	[diff] [blame]	2	* X.509 common functions for parsing and verification
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	3	*
Manuel Pégourié-Gonnard	a658a40	2015-01-23 09:45:19 +0000	[diff] [blame]	4	* Copyright (C) 2006-2014, ARM Limited, All Rights Reserved
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	5	*
Manuel Pégourié-Gonnard	fe44643	2015-03-06 13:17:10 +0000	[diff] [blame]	6	* This file is part of mbed TLS (https://tls.mbed.org)
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	7	*
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	8	* This program is free software; you can redistribute it and/or modify
				9	* it under the terms of the GNU General Public License as published by
				10	* the Free Software Foundation; either version 2 of the License, or
				11	* (at your option) any later version.
				12	*
				13	* This program is distributed in the hope that it will be useful,
				14	* but WITHOUT ANY WARRANTY; without even the implied warranty of
				15	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
				16	* GNU General Public License for more details.
				17	*
				18	* You should have received a copy of the GNU General Public License along
				19	* with this program; if not, write to the Free Software Foundation, Inc.,
				20	* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
				21	*/
				22	/*
				23	* The ITU-T X.509 standard defines a certificate format for PKI.
				24	*
Manuel Pégourié-Gonnard	1c082f3	2014-06-12 22:34:55 +0200	[diff] [blame]	25	* http://www.ietf.org/rfc/rfc5280.txt (Certificates and CRLs)
				26	* http://www.ietf.org/rfc/rfc3279.txt (Alg IDs for CRLs)
				27	* http://www.ietf.org/rfc/rfc2986.txt (CSRs, aka PKCS#10)
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	28	*
				29	* http://www.itu.int/ITU-T/studygroups/com17/languages/X.680-0207.pdf
				30	* http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf
				31	*/
				32
Manuel Pégourié-Gonnard	cef4ad2	2014-04-29 12:39:06 +0200	[diff] [blame]	33	#if !defined(POLARSSL_CONFIG_FILE)
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	34	#include "polarssl/config.h"
Manuel Pégourié-Gonnard	cef4ad2	2014-04-29 12:39:06 +0200	[diff] [blame]	35	#else
				36	#include POLARSSL_CONFIG_FILE
				37	#endif
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	38
				39	#if defined(POLARSSL_X509_USE_C)
				40
				41	#include "polarssl/x509.h"
				42	#include "polarssl/asn1.h"
				43	#include "polarssl/oid.h"
Rich Evans	00ab470	2015-02-06 13:43:58 +0000	[diff] [blame]	44
Rich Evans	36796df	2015-02-12 18:27:14 +0000	[diff] [blame]	45	#include <stdio.h>
Rich Evans	00ab470	2015-02-06 13:43:58 +0000	[diff] [blame]	46	#include <string.h>
				47
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	48	#if defined(POLARSSL_PEM_PARSE_C)
				49	#include "polarssl/pem.h"
				50	#endif
				51
Paul Bakker	7dc4c44	2014-02-01 22:50:26 +0100	[diff] [blame]	52	#if defined(POLARSSL_PLATFORM_C)
				53	#include "polarssl/platform.h"
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	54	#else
Rich Evans	00ab470	2015-02-06 13:43:58 +0000	[diff] [blame]	55	#include <stdio.h>
				56	#include <stdlib.h>
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	57	#define polarssl_free free
Rich Evans	fac657f	2015-01-30 11:00:01 +0000	[diff] [blame]	58	#define polarssl_malloc malloc
				59	#define polarssl_printf printf
				60	#define polarssl_snprintf snprintf
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	61	#endif
				62
Paul Bakker	fa6a620	2013-10-28 18:48:30 +0100	[diff] [blame]	63	#if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	64	#include <windows.h>
				65	#else
				66	#include <time.h>
				67	#endif
				68
				69	#if defined(POLARSSL_FS_IO)
Rich Evans	36796df	2015-02-12 18:27:14 +0000	[diff] [blame]	70	#include <stdio.h>
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	71	#if !defined(_WIN32)
				72	#include <sys/types.h>
				73	#include <sys/stat.h>
				74	#include <dirent.h>
				75	#endif
				76	#endif
				77
Rich Evans	7d5a55a	2015-02-13 11:48:02 +0000	[diff] [blame]	78	#define CHECK(code) if( ( ret = code ) != 0 ){ return( ret ); }
Andres AG	0da3e44	2016-09-23 13:16:02 +0100	[diff] [blame]	79	#define CHECK_RANGE(min, max, val) if( val < min \|\| val > max ){ return( ret ); }
Rich Evans	7d5a55a	2015-02-13 11:48:02 +0000	[diff] [blame]	80
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	81	/*
				82	* CertificateSerialNumber ::= INTEGER
				83	*/
				84	int x509_get_serial( unsigned char *p, const unsigned char end,
				85	x509_buf *serial )
				86	{
				87	int ret;
				88
				89	if( ( end - *p ) < 1 )
Paul Bakker	5187656	2013-09-17 14:36:05 +0200	[diff] [blame]	90	return( POLARSSL_ERR_X509_INVALID_SERIAL +
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	91	POLARSSL_ERR_ASN1_OUT_OF_DATA );
				92
				93	if( **p != ( ASN1_CONTEXT_SPECIFIC \| ASN1_PRIMITIVE \| 2 ) &&
				94	**p != ASN1_INTEGER )
Paul Bakker	5187656	2013-09-17 14:36:05 +0200	[diff] [blame]	95	return( POLARSSL_ERR_X509_INVALID_SERIAL +
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	96	POLARSSL_ERR_ASN1_UNEXPECTED_TAG );
				97
				98	serial->tag = (p)++;
				99
				100	if( ( ret = asn1_get_len( p, end, &serial->len ) ) != 0 )
Paul Bakker	5187656	2013-09-17 14:36:05 +0200	[diff] [blame]	101	return( POLARSSL_ERR_X509_INVALID_SERIAL + ret );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	102
				103	serial->p = *p;
				104	*p += serial->len;
				105
				106	return( 0 );
				107	}
				108
				109	/* Get an algorithm identifier without parameters (eg for signatures)
				110	*
				111	* AlgorithmIdentifier ::= SEQUENCE {
				112	* algorithm OBJECT IDENTIFIER,
				113	* parameters ANY DEFINED BY algorithm OPTIONAL }
				114	*/
				115	int x509_get_alg_null( unsigned char *p, const unsigned char end,
				116	x509_buf *alg )
				117	{
				118	int ret;
				119
				120	if( ( ret = asn1_get_alg_null( p, end, alg ) ) != 0 )
Paul Bakker	5187656	2013-09-17 14:36:05 +0200	[diff] [blame]	121	return( POLARSSL_ERR_X509_INVALID_ALG + ret );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	122
				123	return( 0 );
				124	}
				125
				126	/*
Manuel Pégourié-Gonnard	59a75d5	2014-01-22 10:12:57 +0100	[diff] [blame]	127	* Parse an algorithm identifier with (optional) paramaters
				128	*/
				129	int x509_get_alg( unsigned char *p, const unsigned char end,
				130	x509_buf alg, x509_buf params )
				131	{
				132	int ret;
				133
				134	if( ( ret = asn1_get_alg( p, end, alg, params ) ) != 0 )
				135	return( POLARSSL_ERR_X509_INVALID_ALG + ret );
				136
				137	return( 0 );
				138	}
				139
Manuel Pégourié-Gonnard	d1539b1	2014-06-06 16:42:37 +0200	[diff] [blame]	140	#if defined(POLARSSL_X509_RSASSA_PSS_SUPPORT)
Manuel Pégourié-Gonnard	59a75d5	2014-01-22 10:12:57 +0100	[diff] [blame]	141	/*
Manuel Pégourié-Gonnard	e76b750	2014-01-23 19:15:29 +0100	[diff] [blame]	142	* HashAlgorithm ::= AlgorithmIdentifier
				143	*
				144	* AlgorithmIdentifier ::= SEQUENCE {
				145	* algorithm OBJECT IDENTIFIER,
				146	* parameters ANY DEFINED BY algorithm OPTIONAL }
				147	*
				148	* For HashAlgorithm, parameters MUST be NULL or absent.
				149	*/
				150	static int x509_get_hash_alg( const x509_buf alg, md_type_t md_alg )
				151	{
				152	int ret;
				153	unsigned char *p;
				154	const unsigned char *end;
				155	x509_buf md_oid;
				156	size_t len;
				157
				158	/* Make sure we got a SEQUENCE and setup bounds */
				159	if( alg->tag != ( ASN1_CONSTRUCTED \| ASN1_SEQUENCE ) )
				160	return( POLARSSL_ERR_X509_INVALID_ALG +
				161	POLARSSL_ERR_ASN1_UNEXPECTED_TAG );
				162
				163	p = (unsigned char *) alg->p;
				164	end = p + alg->len;
				165
				166	if( p >= end )
				167	return( POLARSSL_ERR_X509_INVALID_ALG +
				168	POLARSSL_ERR_ASN1_OUT_OF_DATA );
				169
				170	/* Parse md_oid */
				171	md_oid.tag = *p;
				172
				173	if( ( ret = asn1_get_tag( &p, end, &md_oid.len, ASN1_OID ) ) != 0 )
				174	return( POLARSSL_ERR_X509_INVALID_ALG + ret );
				175
				176	md_oid.p = p;
				177	p += md_oid.len;
				178
				179	/* Get md_alg from md_oid */
				180	if( ( ret = oid_get_md_alg( &md_oid, md_alg ) ) != 0 )
				181	return( POLARSSL_ERR_X509_INVALID_ALG + ret );
				182
				183	/* Make sure params is absent of NULL */
				184	if( p == end )
				185	return( 0 );
				186
Manuel Pégourié-Gonnard	9c9cf5b	2014-01-24 14:15:20 +0100	[diff] [blame]	187	if( ( ret = asn1_get_tag( &p, end, &len, ASN1_NULL ) ) != 0 \|\| len != 0 )
Manuel Pégourié-Gonnard	e76b750	2014-01-23 19:15:29 +0100	[diff] [blame]	188	return( POLARSSL_ERR_X509_INVALID_ALG + ret );
				189
				190	if( p != end )
				191	return( POLARSSL_ERR_X509_INVALID_ALG +
				192	POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
				193
				194	return( 0 );
				195	}
				196
				197	/*
Manuel Pégourié-Gonnard	f346bab	2014-01-23 16:24:44 +0100	[diff] [blame]	198	* RSASSA-PSS-params ::= SEQUENCE {
				199	* hashAlgorithm [0] HashAlgorithm DEFAULT sha1Identifier,
				200	* maskGenAlgorithm [1] MaskGenAlgorithm DEFAULT mgf1SHA1Identifier,
				201	* saltLength [2] INTEGER DEFAULT 20,
				202	* trailerField [3] INTEGER DEFAULT 1 }
				203	* -- Note that the tags in this Sequence are explicit.
Manuel Pégourié-Gonnard	78117d5	2014-05-31 17:08:16 +0200	[diff] [blame]	204	*
				205	* RFC 4055 (which defines use of RSASSA-PSS in PKIX) states that the value
				206	* of trailerField MUST be 1, and PKCS#1 v2.2 doesn't even define any other
				207	* option. Enfore this at parsing time.
Manuel Pégourié-Gonnard	f346bab	2014-01-23 16:24:44 +0100	[diff] [blame]	208	*/
				209	int x509_get_rsassa_pss_params( const x509_buf *params,
Manuel Pégourié-Gonnard	e76b750	2014-01-23 19:15:29 +0100	[diff] [blame]	210	md_type_t md_alg, md_type_t mgf_md,
Manuel Pégourié-Gonnard	78117d5	2014-05-31 17:08:16 +0200	[diff] [blame]	211	int *salt_len )
Manuel Pégourié-Gonnard	f346bab	2014-01-23 16:24:44 +0100	[diff] [blame]	212	{
				213	int ret;
				214	unsigned char *p;
Manuel Pégourié-Gonnard	9c9cf5b	2014-01-24 14:15:20 +0100	[diff] [blame]	215	const unsigned char end, end2;
Manuel Pégourié-Gonnard	f346bab	2014-01-23 16:24:44 +0100	[diff] [blame]	216	size_t len;
Manuel Pégourié-Gonnard	e76b750	2014-01-23 19:15:29 +0100	[diff] [blame]	217	x509_buf alg_id, alg_params;
Manuel Pégourié-Gonnard	f346bab	2014-01-23 16:24:44 +0100	[diff] [blame]	218
				219	/* First set everything to defaults */
				220	*md_alg = POLARSSL_MD_SHA1;
Manuel Pégourié-Gonnard	e76b750	2014-01-23 19:15:29 +0100	[diff] [blame]	221	*mgf_md = POLARSSL_MD_SHA1;
Manuel Pégourié-Gonnard	f346bab	2014-01-23 16:24:44 +0100	[diff] [blame]	222	*salt_len = 20;
Manuel Pégourié-Gonnard	f346bab	2014-01-23 16:24:44 +0100	[diff] [blame]	223
				224	/* Make sure params is a SEQUENCE and setup bounds */
				225	if( params->tag != ( ASN1_CONSTRUCTED \| ASN1_SEQUENCE ) )
				226	return( POLARSSL_ERR_X509_INVALID_ALG +
				227	POLARSSL_ERR_ASN1_UNEXPECTED_TAG );
				228
				229	p = (unsigned char *) params->p;
				230	end = p + params->len;
				231
				232	if( p == end )
				233	return( 0 );
				234
Manuel Pégourié-Gonnard	9c9cf5b	2014-01-24 14:15:20 +0100	[diff] [blame]	235	/*
				236	* HashAlgorithm
				237	*/
Manuel Pégourié-Gonnard	f346bab	2014-01-23 16:24:44 +0100	[diff] [blame]	238	if( ( ret = asn1_get_tag( &p, end, &len,
				239	ASN1_CONTEXT_SPECIFIC \| ASN1_CONSTRUCTED \| 0 ) ) == 0 )
				240	{
Manuel Pégourié-Gonnard	9c9cf5b	2014-01-24 14:15:20 +0100	[diff] [blame]	241	end2 = p + len;
				242
Manuel Pégourié-Gonnard	e76b750	2014-01-23 19:15:29 +0100	[diff] [blame]	243	/* HashAlgorithm ::= AlgorithmIdentifier (without parameters) */
Manuel Pégourié-Gonnard	9c9cf5b	2014-01-24 14:15:20 +0100	[diff] [blame]	244	if( ( ret = x509_get_alg_null( &p, end2, &alg_id ) ) != 0 )
Manuel Pégourié-Gonnard	e76b750	2014-01-23 19:15:29 +0100	[diff] [blame]	245	return( ret );
				246
				247	if( ( ret = oid_get_md_alg( &alg_id, md_alg ) ) != 0 )
				248	return( POLARSSL_ERR_X509_INVALID_ALG + ret );
Manuel Pégourié-Gonnard	9c9cf5b	2014-01-24 14:15:20 +0100	[diff] [blame]	249
				250	if( p != end2 )
				251	return( POLARSSL_ERR_X509_INVALID_ALG +
				252	POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
Manuel Pégourié-Gonnard	f346bab	2014-01-23 16:24:44 +0100	[diff] [blame]	253	}
				254	else if( ret != POLARSSL_ERR_ASN1_UNEXPECTED_TAG )
				255	return( POLARSSL_ERR_X509_INVALID_ALG + ret );
				256
Manuel Pégourié-Gonnard	9c9cf5b	2014-01-24 14:15:20 +0100	[diff] [blame]	257	if( p == end )
				258	return( 0 );
				259
				260	/*
				261	* MaskGenAlgorithm
				262	*/
Manuel Pégourié-Gonnard	f346bab	2014-01-23 16:24:44 +0100	[diff] [blame]	263	if( ( ret = asn1_get_tag( &p, end, &len,
				264	ASN1_CONTEXT_SPECIFIC \| ASN1_CONSTRUCTED \| 1 ) ) == 0 )
				265	{
Manuel Pégourié-Gonnard	9c9cf5b	2014-01-24 14:15:20 +0100	[diff] [blame]	266	end2 = p + len;
				267
Manuel Pégourié-Gonnard	e76b750	2014-01-23 19:15:29 +0100	[diff] [blame]	268	/* MaskGenAlgorithm ::= AlgorithmIdentifier (params = HashAlgorithm) */
Manuel Pégourié-Gonnard	9c9cf5b	2014-01-24 14:15:20 +0100	[diff] [blame]	269	if( ( ret = x509_get_alg( &p, end2, &alg_id, &alg_params ) ) != 0 )
Manuel Pégourié-Gonnard	e76b750	2014-01-23 19:15:29 +0100	[diff] [blame]	270	return( ret );
				271
				272	/* Only MFG1 is recognised for now */
				273	if( ! OID_CMP( OID_MGF1, &alg_id ) )
				274	return( POLARSSL_ERR_X509_FEATURE_UNAVAILABLE +
				275	POLARSSL_ERR_OID_NOT_FOUND );
				276
				277	/* Parse HashAlgorithm */
				278	if( ( ret = x509_get_hash_alg( &alg_params, mgf_md ) ) != 0 )
				279	return( ret );
Manuel Pégourié-Gonnard	9c9cf5b	2014-01-24 14:15:20 +0100	[diff] [blame]	280
				281	if( p != end2 )
				282	return( POLARSSL_ERR_X509_INVALID_ALG +
				283	POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
Manuel Pégourié-Gonnard	f346bab	2014-01-23 16:24:44 +0100	[diff] [blame]	284	}
				285	else if( ret != POLARSSL_ERR_ASN1_UNEXPECTED_TAG )
				286	return( POLARSSL_ERR_X509_INVALID_ALG + ret );
				287
				288	if( p == end )
				289	return( 0 );
				290
Manuel Pégourié-Gonnard	9c9cf5b	2014-01-24 14:15:20 +0100	[diff] [blame]	291	/*
				292	* salt_len
				293	*/
Manuel Pégourié-Gonnard	f346bab	2014-01-23 16:24:44 +0100	[diff] [blame]	294	if( ( ret = asn1_get_tag( &p, end, &len,
				295	ASN1_CONTEXT_SPECIFIC \| ASN1_CONSTRUCTED \| 2 ) ) == 0 )
				296	{
Manuel Pégourié-Gonnard	9c9cf5b	2014-01-24 14:15:20 +0100	[diff] [blame]	297	end2 = p + len;
				298
				299	if( ( ret = asn1_get_int( &p, end2, salt_len ) ) != 0 )
Manuel Pégourié-Gonnard	f346bab	2014-01-23 16:24:44 +0100	[diff] [blame]	300	return( POLARSSL_ERR_X509_INVALID_ALG + ret );
Manuel Pégourié-Gonnard	9c9cf5b	2014-01-24 14:15:20 +0100	[diff] [blame]	301
				302	if( p != end2 )
				303	return( POLARSSL_ERR_X509_INVALID_ALG +
				304	POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
Manuel Pégourié-Gonnard	f346bab	2014-01-23 16:24:44 +0100	[diff] [blame]	305	}
				306	else if( ret != POLARSSL_ERR_ASN1_UNEXPECTED_TAG )
				307	return( POLARSSL_ERR_X509_INVALID_ALG + ret );
				308
				309	if( p == end )
				310	return( 0 );
				311
Manuel Pégourié-Gonnard	9c9cf5b	2014-01-24 14:15:20 +0100	[diff] [blame]	312	/*
Manuel Pégourié-Gonnard	78117d5	2014-05-31 17:08:16 +0200	[diff] [blame]	313	* trailer_field (if present, must be 1)
Manuel Pégourié-Gonnard	9c9cf5b	2014-01-24 14:15:20 +0100	[diff] [blame]	314	*/
Manuel Pégourié-Gonnard	f346bab	2014-01-23 16:24:44 +0100	[diff] [blame]	315	if( ( ret = asn1_get_tag( &p, end, &len,
				316	ASN1_CONTEXT_SPECIFIC \| ASN1_CONSTRUCTED \| 3 ) ) == 0 )
				317	{
Manuel Pégourié-Gonnard	78117d5	2014-05-31 17:08:16 +0200	[diff] [blame]	318	int trailer_field;
				319
Manuel Pégourié-Gonnard	9c9cf5b	2014-01-24 14:15:20 +0100	[diff] [blame]	320	end2 = p + len;
				321
Manuel Pégourié-Gonnard	78117d5	2014-05-31 17:08:16 +0200	[diff] [blame]	322	if( ( ret = asn1_get_int( &p, end2, &trailer_field ) ) != 0 )
Manuel Pégourié-Gonnard	f346bab	2014-01-23 16:24:44 +0100	[diff] [blame]	323	return( POLARSSL_ERR_X509_INVALID_ALG + ret );
Manuel Pégourié-Gonnard	9c9cf5b	2014-01-24 14:15:20 +0100	[diff] [blame]	324
				325	if( p != end2 )
				326	return( POLARSSL_ERR_X509_INVALID_ALG +
				327	POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
Manuel Pégourié-Gonnard	78117d5	2014-05-31 17:08:16 +0200	[diff] [blame]	328
				329	if( trailer_field != 1 )
				330	return( POLARSSL_ERR_X509_INVALID_ALG );
Manuel Pégourié-Gonnard	f346bab	2014-01-23 16:24:44 +0100	[diff] [blame]	331	}
				332	else if( ret != POLARSSL_ERR_ASN1_UNEXPECTED_TAG )
				333	return( POLARSSL_ERR_X509_INVALID_ALG + ret );
				334
				335	if( p != end )
				336	return( POLARSSL_ERR_X509_INVALID_ALG +
				337	POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
				338
				339	return( 0 );
				340	}
Manuel Pégourié-Gonnard	d1539b1	2014-06-06 16:42:37 +0200	[diff] [blame]	341	#endif /* POLARSSL_X509_RSASSA_PSS_SUPPORT */
Manuel Pégourié-Gonnard	f346bab	2014-01-23 16:24:44 +0100	[diff] [blame]	342
				343	/*
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	344	* AttributeTypeAndValue ::= SEQUENCE {
				345	* type AttributeType,
				346	* value AttributeValue }
				347	*
				348	* AttributeType ::= OBJECT IDENTIFIER
				349	*
				350	* AttributeValue ::= ANY DEFINED BY AttributeType
				351	*/
				352	static int x509_get_attr_type_value( unsigned char **p,
				353	const unsigned char *end,
				354	x509_name *cur )
				355	{
				356	int ret;
				357	size_t len;
				358	x509_buf *oid;
				359	x509_buf *val;
				360
				361	if( ( ret = asn1_get_tag( p, end, &len,
				362	ASN1_CONSTRUCTED \| ASN1_SEQUENCE ) ) != 0 )
Paul Bakker	5187656	2013-09-17 14:36:05 +0200	[diff] [blame]	363	return( POLARSSL_ERR_X509_INVALID_NAME + ret );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	364
				365	if( ( end - *p ) < 1 )
Paul Bakker	5187656	2013-09-17 14:36:05 +0200	[diff] [blame]	366	return( POLARSSL_ERR_X509_INVALID_NAME +
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	367	POLARSSL_ERR_ASN1_OUT_OF_DATA );
				368
				369	oid = &cur->oid;
				370	oid->tag = **p;
				371
				372	if( ( ret = asn1_get_tag( p, end, &oid->len, ASN1_OID ) ) != 0 )
Paul Bakker	5187656	2013-09-17 14:36:05 +0200	[diff] [blame]	373	return( POLARSSL_ERR_X509_INVALID_NAME + ret );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	374
				375	oid->p = *p;
				376	*p += oid->len;
				377
				378	if( ( end - *p ) < 1 )
Paul Bakker	5187656	2013-09-17 14:36:05 +0200	[diff] [blame]	379	return( POLARSSL_ERR_X509_INVALID_NAME +
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	380	POLARSSL_ERR_ASN1_OUT_OF_DATA );
				381
				382	if( p != ASN1_BMP_STRING && p != ASN1_UTF8_STRING &&
				383	p != ASN1_T61_STRING && p != ASN1_PRINTABLE_STRING &&
Manuel Pégourié-Gonnard	dd5dbca	2015-03-27 13:03:09 +0100	[diff] [blame]	384	p != ASN1_IA5_STRING && p != ASN1_UNIVERSAL_STRING &&
				385	**p != ASN1_BIT_STRING )
Paul Bakker	5187656	2013-09-17 14:36:05 +0200	[diff] [blame]	386	return( POLARSSL_ERR_X509_INVALID_NAME +
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	387	POLARSSL_ERR_ASN1_UNEXPECTED_TAG );
				388
				389	val = &cur->val;
				390	val->tag = (p)++;
				391
				392	if( ( ret = asn1_get_len( p, end, &val->len ) ) != 0 )
Paul Bakker	5187656	2013-09-17 14:36:05 +0200	[diff] [blame]	393	return( POLARSSL_ERR_X509_INVALID_NAME + ret );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	394
				395	val->p = *p;
				396	*p += val->len;
				397
				398	cur->next = NULL;
				399
				400	return( 0 );
				401	}
				402
				403	/*
Manuel Pégourié-Gonnard	555fbf8	2015-02-04 17:11:55 +0000	[diff] [blame]	404	* Name ::= CHOICE { -- only one possibility for now --
				405	* rdnSequence RDNSequence }
				406	*
				407	* RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
				408	*
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	409	* RelativeDistinguishedName ::=
				410	* SET OF AttributeTypeAndValue
				411	*
				412	* AttributeTypeAndValue ::= SEQUENCE {
				413	* type AttributeType,
				414	* value AttributeValue }
				415	*
				416	* AttributeType ::= OBJECT IDENTIFIER
				417	*
				418	* AttributeValue ::= ANY DEFINED BY AttributeType
Manuel Pégourié-Gonnard	5d86185	2014-10-17 12:41:41 +0200	[diff] [blame]	419	*
Manuel Pégourié-Gonnard	555fbf8	2015-02-04 17:11:55 +0000	[diff] [blame]	420	* The data structure is optimized for the common case where each RDN has only
				421	* one element, which is represented as a list of AttributeTypeAndValue.
				422	* For the general case we still use a flat list, but we mark elements of the
				423	* same set so that they are "merged" together in the functions that consume
				424	* this list, eg x509_dn_gets().
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	425	*/
				426	int x509_get_name( unsigned char *p, const unsigned char end,
				427	x509_name *cur )
				428	{
				429	int ret;
Manuel Pégourié-Gonnard	5d86185	2014-10-17 12:41:41 +0200	[diff] [blame]	430	size_t set_len;
				431	const unsigned char *end_set;
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	432
Manuel Pégourié-Gonnard	d681443	2014-11-12 01:25:31 +0100	[diff] [blame]	433	/* don't use recursion, we'd risk stack overflow if not optimized */
				434	while( 1 )
				435	{
				436	/*
Manuel Pégourié-Gonnard	555fbf8	2015-02-04 17:11:55 +0000	[diff] [blame]	437	* parse SET
Manuel Pégourié-Gonnard	d681443	2014-11-12 01:25:31 +0100	[diff] [blame]	438	*/
				439	if( ( ret = asn1_get_tag( p, end, &set_len,
				440	ASN1_CONSTRUCTED \| ASN1_SET ) ) != 0 )
				441	return( POLARSSL_ERR_X509_INVALID_NAME + ret );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	442
Manuel Pégourié-Gonnard	d681443	2014-11-12 01:25:31 +0100	[diff] [blame]	443	end_set = *p + set_len;
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	444
Manuel Pégourié-Gonnard	555fbf8	2015-02-04 17:11:55 +0000	[diff] [blame]	445	while( 1 )
				446	{
				447	if( ( ret = x509_get_attr_type_value( p, end_set, cur ) ) != 0 )
				448	return( ret );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	449
Manuel Pégourié-Gonnard	555fbf8	2015-02-04 17:11:55 +0000	[diff] [blame]	450	if( *p == end_set )
				451	break;
				452
Nicholas Wilson	d0fa5cc	2015-05-11 10:39:49 +0100	[diff] [blame]	453	/* Mark this item as being not the only one in a set */
Manuel Pégourié-Gonnard	555fbf8	2015-02-04 17:11:55 +0000	[diff] [blame]	454	cur->next_merged = 1;
				455
Mansour Moufid	c531b4a	2015-02-15 17:35:38 -0500	[diff] [blame]	456	cur->next = polarssl_malloc( sizeof( x509_name ) );
Manuel Pégourié-Gonnard	555fbf8	2015-02-04 17:11:55 +0000	[diff] [blame]	457
				458	if( cur->next == NULL )
				459	return( POLARSSL_ERR_X509_MALLOC_FAILED );
				460
				461	memset( cur->next, 0, sizeof( x509_name ) );
				462
				463	cur = cur->next;
				464	}
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	465
Manuel Pégourié-Gonnard	d681443	2014-11-12 01:25:31 +0100	[diff] [blame]	466	/*
				467	* continue until end of SEQUENCE is reached
				468	*/
				469	if( *p == end )
				470	return( 0 );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	471
Mansour Moufid	c531b4a	2015-02-15 17:35:38 -0500	[diff] [blame]	472	cur->next = polarssl_malloc( sizeof( x509_name ) );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	473
Manuel Pégourié-Gonnard	d681443	2014-11-12 01:25:31 +0100	[diff] [blame]	474	if( cur->next == NULL )
				475	return( POLARSSL_ERR_X509_MALLOC_FAILED );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	476
Manuel Pégourié-Gonnard	d681443	2014-11-12 01:25:31 +0100	[diff] [blame]	477	memset( cur->next, 0, sizeof( x509_name ) );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	478
Manuel Pégourié-Gonnard	d681443	2014-11-12 01:25:31 +0100	[diff] [blame]	479	cur = cur->next;
				480	}
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	481	}
				482
Rich Evans	7d5a55a	2015-02-13 11:48:02 +0000	[diff] [blame]	483	static int x509_parse_int(unsigned char *p, unsigned n, int res){
				484	*res = 0;
				485	for( ; n > 0; --n ){
				486	if( ( p < '0') \|\| ( p > '9' ) ) return POLARSSL_ERR_X509_INVALID_DATE;
				487	res = 10;
				488	res += ((*p)++ - '0');
				489	}
				490	return 0;
				491	}
				492
Andres AG	0da3e44	2016-09-23 13:16:02 +0100	[diff] [blame]	493	static int x509_date_is_valid(const x509_time *time)
				494	{
				495	int ret = POLARSSL_ERR_X509_INVALID_DATE;
				496
				497	CHECK_RANGE( 0, 9999, time->year );
				498	CHECK_RANGE( 0, 23, time->hour );
				499	CHECK_RANGE( 0, 59, time->min );
				500	CHECK_RANGE( 0, 59, time->sec );
				501
				502	switch( time->mon )
				503	{
				504	case 1: case 3: case 5: case 7: case 8: case 10: case 12:
				505	CHECK_RANGE( 1, 31, time->day );
				506	break;
				507	case 4: case 6: case 9: case 11:
				508	CHECK_RANGE( 1, 30, time->day );
				509	break;
				510	case 2:
				511	CHECK_RANGE( 1, 28 + (time->year % 4 == 0), time->day );
				512	break;
				513	default:
				514	return( ret );
				515	}
				516
				517	return( 0 );
				518	}
				519
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	520	/*
Janos Follath	17da9dd	2016-09-19 09:35:18 +0100	[diff] [blame]	521	* Parse an ASN1_UTC_TIME (yearlen=2) or ASN1_GENERALIZED_TIME (yearlen=4) field.
				522	*/
				523	static int x509_parse_time( unsigned char *p, size_t len, unsigned int yearlen, x509_time time )
				524	{
				525	int ret;
				526
				527	/*
				528	* minimum length is 10 or 12 depending on yearlen
				529	*/
				530	if ( len < yearlen + 8 )
				531	return POLARSSL_ERR_X509_INVALID_DATE;
				532	len -= yearlen + 8;
				533
				534	/*
				535	* parse year, month, day, hour, minute
				536	*/
				537	CHECK( x509_parse_int( p, yearlen, &time->year ) );
				538	if ( 2 == yearlen )
				539	{
				540	if ( time->year < 50 )
				541	time->year += 100;
				542
				543	time->year += 1900;
				544	}
				545
				546	CHECK( x509_parse_int( p, 2, &time->mon ) );
				547	CHECK( x509_parse_int( p, 2, &time->day ) );
				548	CHECK( x509_parse_int( p, 2, &time->hour ) );
				549	CHECK( x509_parse_int( p, 2, &time->min ) );
				550
				551	/*
				552	* parse seconds if present
				553	*/
				554	if ( len >= 2 && p >= '0' && p <= '9' )
				555	{
				556	CHECK( x509_parse_int( p, 2, &time->sec ) );
				557	len -= 2;
				558	}
				559	else
				560	{
				561	#if defined(POLARSSL_X509_ALLOW_RELAXED_DATE)
				562	/*
				563	* if relaxed mode, allow seconds to be absent
				564	*/
				565	time->sec = 0;
				566	#else
				567	return POLARSSL_ERR_X509_INVALID_DATE;
				568	#endif
				569	}
				570
				571	/*
				572	* parse trailing 'Z' if present
				573	*/
				574	if ( 1 == len && 'Z' == **p )
				575	{
				576	(*p)++;
				577	return 0;
				578	}
				579	#if defined(POLARSSL_X509_ALLOW_RELAXED_DATE)
				580	/*
				581	* if relaxed mode, allow timezone to be present
				582	*/
				583	else if ( 5 == len && ( '+' == p \|\| '-' == p ) )
				584	{
				585	int tz; /* throwaway timezone */
				586
				587	(*p)++;
				588	CHECK( x509_parse_int( p, 4, &tz ) );
				589
				590	return 0;
				591	}
				592	#endif
				593	/*
				594	* okay if no trailing 'Z' or timezone specified
				595	*/
				596	else if ( 0 == len )
				597	return 0;
				598	else
				599	return POLARSSL_ERR_X509_INVALID_DATE;
				600	}
				601
				602	/*
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	603	* Time ::= CHOICE {
				604	* utcTime UTCTime,
				605	* generalTime GeneralizedTime }
				606	*/
				607	int x509_get_time( unsigned char *p, const unsigned char end,
				608	x509_time *time )
				609	{
				610	int ret;
				611	size_t len;
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	612	unsigned char tag;
				613
				614	if( ( end - *p ) < 1 )
Paul Bakker	5187656	2013-09-17 14:36:05 +0200	[diff] [blame]	615	return( POLARSSL_ERR_X509_INVALID_DATE +
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	616	POLARSSL_ERR_ASN1_OUT_OF_DATA );
				617
				618	tag = **p;
				619
Paul Bakker	66d5d07	2014-06-17 16:39:18 +0200	[diff] [blame]	620	if( tag == ASN1_UTC_TIME )
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	621	{
				622	(*p)++;
				623	ret = asn1_get_len( p, end, &len );
Paul Bakker	5187656	2013-09-17 14:36:05 +0200	[diff] [blame]	624
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	625	if( ret != 0 )
Paul Bakker	5187656	2013-09-17 14:36:05 +0200	[diff] [blame]	626	return( POLARSSL_ERR_X509_INVALID_DATE + ret );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	627
Janos Follath	17da9dd	2016-09-19 09:35:18 +0100	[diff] [blame]	628	return x509_parse_time( p, len, 2, time );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	629	}
Paul Bakker	66d5d07	2014-06-17 16:39:18 +0200	[diff] [blame]	630	else if( tag == ASN1_GENERALIZED_TIME )
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	631	{
				632	(*p)++;
				633	ret = asn1_get_len( p, end, &len );
Paul Bakker	5187656	2013-09-17 14:36:05 +0200	[diff] [blame]	634
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	635	if( ret != 0 )
Paul Bakker	5187656	2013-09-17 14:36:05 +0200	[diff] [blame]	636	return( POLARSSL_ERR_X509_INVALID_DATE + ret );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	637
Janos Follath	17da9dd	2016-09-19 09:35:18 +0100	[diff] [blame]	638	return x509_parse_time( p, len, 4, time );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	639	}
				640	else
Paul Bakker	5187656	2013-09-17 14:36:05 +0200	[diff] [blame]	641	return( POLARSSL_ERR_X509_INVALID_DATE +
				642	POLARSSL_ERR_ASN1_UNEXPECTED_TAG );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	643	}
				644
				645	int x509_get_sig( unsigned char *p, const unsigned char end, x509_buf *sig )
				646	{
				647	int ret;
				648	size_t len;
Andres AG	67ae0b9	2016-09-19 16:58:45 +0100	[diff] [blame]	649	int tag_type;
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	650
				651	if( ( end - *p ) < 1 )
Paul Bakker	5187656	2013-09-17 14:36:05 +0200	[diff] [blame]	652	return( POLARSSL_ERR_X509_INVALID_SIGNATURE +
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	653	POLARSSL_ERR_ASN1_OUT_OF_DATA );
				654
Andres AG	67ae0b9	2016-09-19 16:58:45 +0100	[diff] [blame]	655	tag_type = **p;
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	656
				657	if( ( ret = asn1_get_bitstring_null( p, end, &len ) ) != 0 )
Paul Bakker	5187656	2013-09-17 14:36:05 +0200	[diff] [blame]	658	return( POLARSSL_ERR_X509_INVALID_SIGNATURE + ret );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	659
Andres AG	67ae0b9	2016-09-19 16:58:45 +0100	[diff] [blame]	660	sig->tag = tag_type;
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	661	sig->len = len;
				662	sig->p = *p;
				663
				664	*p += len;
				665
				666	return( 0 );
				667	}
				668
Manuel Pégourié-Gonnard	cf975a3	2014-01-24 19:28:43 +0100	[diff] [blame]	669	/*
				670	* Get signature algorithm from alg OID and optional parameters
				671	*/
				672	int x509_get_sig_alg( const x509_buf sig_oid, const x509_buf sig_params,
Manuel Pégourié-Gonnard	f75f2f7	2014-06-05 15:14:28 +0200	[diff] [blame]	673	md_type_t md_alg, pk_type_t pk_alg,
				674	void **sig_opts )
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	675	{
Manuel Pégourié-Gonnard	cf975a3	2014-01-24 19:28:43 +0100	[diff] [blame]	676	int ret;
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	677
Manuel Pégourié-Gonnard	f75f2f7	2014-06-05 15:14:28 +0200	[diff] [blame]	678	if( *sig_opts != NULL )
				679	return( POLARSSL_ERR_X509_BAD_INPUT_DATA );
				680
Manuel Pégourié-Gonnard	cf975a3	2014-01-24 19:28:43 +0100	[diff] [blame]	681	if( ( ret = oid_get_sig_alg( sig_oid, md_alg, pk_alg ) ) != 0 )
Paul Bakker	5187656	2013-09-17 14:36:05 +0200	[diff] [blame]	682	return( POLARSSL_ERR_X509_UNKNOWN_SIG_ALG + ret );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	683
Manuel Pégourié-Gonnard	d1539b1	2014-06-06 16:42:37 +0200	[diff] [blame]	684	#if defined(POLARSSL_X509_RSASSA_PSS_SUPPORT)
Manuel Pégourié-Gonnard	cf975a3	2014-01-24 19:28:43 +0100	[diff] [blame]	685	if( *pk_alg == POLARSSL_PK_RSASSA_PSS )
				686	{
Manuel Pégourié-Gonnard	f75f2f7	2014-06-05 15:14:28 +0200	[diff] [blame]	687	pk_rsassa_pss_options *pss_opts;
Manuel Pégourié-Gonnard	cf975a3	2014-01-24 19:28:43 +0100	[diff] [blame]	688
Manuel Pégourié-Gonnard	f75f2f7	2014-06-05 15:14:28 +0200	[diff] [blame]	689	pss_opts = polarssl_malloc( sizeof( pk_rsassa_pss_options ) );
				690	if( pss_opts == NULL )
				691	return( POLARSSL_ERR_X509_MALLOC_FAILED );
				692
Manuel Pégourié-Gonnard	cf975a3	2014-01-24 19:28:43 +0100	[diff] [blame]	693	ret = x509_get_rsassa_pss_params( sig_params,
Manuel Pégourié-Gonnard	f75f2f7	2014-06-05 15:14:28 +0200	[diff] [blame]	694	md_alg,
				695	&pss_opts->mgf1_hash_id,
				696	&pss_opts->expected_salt_len );
Manuel Pégourié-Gonnard	cf975a3	2014-01-24 19:28:43 +0100	[diff] [blame]	697	if( ret != 0 )
Manuel Pégourié-Gonnard	f75f2f7	2014-06-05 15:14:28 +0200	[diff] [blame]	698	{
				699	polarssl_free( pss_opts );
Manuel Pégourié-Gonnard	cf975a3	2014-01-24 19:28:43 +0100	[diff] [blame]	700	return( ret );
Manuel Pégourié-Gonnard	f75f2f7	2014-06-05 15:14:28 +0200	[diff] [blame]	701	}
Manuel Pégourié-Gonnard	cf975a3	2014-01-24 19:28:43 +0100	[diff] [blame]	702
Manuel Pégourié-Gonnard	f75f2f7	2014-06-05 15:14:28 +0200	[diff] [blame]	703	sig_opts = (void ) pss_opts;
Manuel Pégourié-Gonnard	cf975a3	2014-01-24 19:28:43 +0100	[diff] [blame]	704	}
				705	else
Paul Bakker	db20c10	2014-06-17 14:34:44 +0200	[diff] [blame]	706	#endif /* POLARSSL_X509_RSASSA_PSS_SUPPORT */
Manuel Pégourié-Gonnard	cf975a3	2014-01-24 19:28:43 +0100	[diff] [blame]	707	{
				708	/* Make sure parameters are absent or NULL */
				709	if( ( sig_params->tag != ASN1_NULL && sig_params->tag != 0 ) \|\|
				710	sig_params->len != 0 )
				711	return( POLARSSL_ERR_X509_INVALID_ALG );
				712	}
				713
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	714	return( 0 );
				715	}
				716
				717	/*
				718	* X.509 Extensions (No parsing of extensions, pointer should
				719	* be either manually updated or extensions should be parsed!
				720	*/
				721	int x509_get_ext( unsigned char *p, const unsigned char end,
				722	x509_buf *ext, int tag )
				723	{
				724	int ret;
				725	size_t len;
				726
				727	if( *p == end )
				728	return( 0 );
				729
				730	ext->tag = **p;
				731
				732	if( ( ret = asn1_get_tag( p, end, &ext->len,
				733	ASN1_CONTEXT_SPECIFIC \| ASN1_CONSTRUCTED \| tag ) ) != 0 )
				734	return( ret );
				735
				736	ext->p = *p;
				737	end = *p + ext->len;
				738
				739	/*
				740	* Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
				741	*
				742	* Extension ::= SEQUENCE {
				743	* extnID OBJECT IDENTIFIER,
				744	* critical BOOLEAN DEFAULT FALSE,
				745	* extnValue OCTET STRING }
				746	*/
				747	if( ( ret = asn1_get_tag( p, end, &len,
				748	ASN1_CONSTRUCTED \| ASN1_SEQUENCE ) ) != 0 )
Paul Bakker	5187656	2013-09-17 14:36:05 +0200	[diff] [blame]	749	return( POLARSSL_ERR_X509_INVALID_EXTENSIONS + ret );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	750
				751	if( end != *p + len )
Paul Bakker	5187656	2013-09-17 14:36:05 +0200	[diff] [blame]	752	return( POLARSSL_ERR_X509_INVALID_EXTENSIONS +
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	753	POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
				754
				755	return( 0 );
				756	}
				757
Paul Bakker	6edcd41	2013-10-29 15:22:54 +0100	[diff] [blame]	758	#if defined(_MSC_VER) && !defined snprintf && !defined(EFIX64) && \
				759	!defined(EFI32)
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	760	#include <stdarg.h>
				761
				762	#if !defined vsnprintf
				763	#define vsnprintf _vsnprintf
				764	#endif // vsnprintf
				765
				766	/*
				767	* Windows _snprintf and _vsnprintf are not compatible to linux versions.
				768	* Result value is not size of buffer needed, but -1 if no fit is possible.
				769	*
				770	* This fuction tries to 'fix' this by at least suggesting enlarging the
				771	* size by 20.
				772	*/
Paul Bakker	66d5d07	2014-06-17 16:39:18 +0200	[diff] [blame]	773	static int compat_snprintf( char str, size_t size, const char format, ... )
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	774	{
				775	va_list ap;
				776	int res = -1;
				777
				778	va_start( ap, format );
				779
				780	res = vsnprintf( str, size, format, ap );
				781
				782	va_end( ap );
				783
				784	// No quick fix possible
Paul Bakker	66d5d07	2014-06-17 16:39:18 +0200	[diff] [blame]	785	if( res < 0 )
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	786	return( (int) size + 20 );
				787
Paul Bakker	d8bb826	2014-06-17 14:06:49 +0200	[diff] [blame]	788	return( res );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	789	}
				790
				791	#define snprintf compat_snprintf
Paul Bakker	9af723c	2014-05-01 13:03:14 +0200	[diff] [blame]	792	#endif /* _MSC_VER && !snprintf && !EFIX64 && !EFI32 */
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	793
				794	#define POLARSSL_ERR_DEBUG_BUF_TOO_SMALL -2
				795
Paul Bakker	d8bb826	2014-06-17 14:06:49 +0200	[diff] [blame]	796	#define SAFE_SNPRINTF() \
				797	{ \
				798	if( ret == -1 ) \
				799	return( -1 ); \
				800	\
Paul Bakker	66d5d07	2014-06-17 16:39:18 +0200	[diff] [blame]	801	if( (unsigned int) ret > n ) { \
Paul Bakker	d8bb826	2014-06-17 14:06:49 +0200	[diff] [blame]	802	p[n - 1] = '\0'; \
				803	return( POLARSSL_ERR_DEBUG_BUF_TOO_SMALL ); \
				804	} \
				805	\
				806	n -= (unsigned int) ret; \
				807	p += (unsigned int) ret; \
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	808	}
				809
				810	/*
				811	* Store the name in printable form into buf; no more
				812	* than size characters will be written
				813	*/
Paul Bakker	86d0c19	2013-09-18 11:11:02 +0200	[diff] [blame]	814	int x509_dn_gets( char buf, size_t size, const x509_name dn )
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	815	{
				816	int ret;
				817	size_t i, n;
Manuel Pégourié-Gonnard	555fbf8	2015-02-04 17:11:55 +0000	[diff] [blame]	818	unsigned char c, merge = 0;
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	819	const x509_name *name;
				820	const char *short_name = NULL;
Paul Bakker	8dcb2d7	2014-08-08 12:22:30 +0200	[diff] [blame]	821	char s[X509_MAX_DN_NAME_SIZE], *p;
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	822
				823	memset( s, 0, sizeof( s ) );
				824
				825	name = dn;
				826	p = buf;
				827	n = size;
				828
				829	while( name != NULL )
				830	{
				831	if( !name->oid.p )
				832	{
				833	name = name->next;
				834	continue;
				835	}
				836
				837	if( name != dn )
				838	{
Rich Evans	fac657f	2015-01-30 11:00:01 +0000	[diff] [blame]	839	ret = polarssl_snprintf( p, n, merge ? " + " : ", " );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	840	SAFE_SNPRINTF();
				841	}
				842
				843	ret = oid_get_attr_short_name( &name->oid, &short_name );
				844
				845	if( ret == 0 )
Rich Evans	fac657f	2015-01-30 11:00:01 +0000	[diff] [blame]	846	ret = polarssl_snprintf( p, n, "%s=", short_name );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	847	else
Rich Evans	fac657f	2015-01-30 11:00:01 +0000	[diff] [blame]	848	ret = polarssl_snprintf( p, n, "\?\?=" );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	849	SAFE_SNPRINTF();
				850
				851	for( i = 0; i < name->val.len; i++ )
				852	{
				853	if( i >= sizeof( s ) - 1 )
				854	break;
				855
				856	c = name->val.p[i];
				857	if( c < 32 \|\| c == 127 \|\| ( c > 128 && c < 160 ) )
				858	s[i] = '?';
				859	else s[i] = c;
				860	}
				861	s[i] = '\0';
Rich Evans	fac657f	2015-01-30 11:00:01 +0000	[diff] [blame]	862	ret = polarssl_snprintf( p, n, "%s", s );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	863	SAFE_SNPRINTF();
Manuel Pégourié-Gonnard	555fbf8	2015-02-04 17:11:55 +0000	[diff] [blame]	864
				865	merge = name->next_merged;
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	866	name = name->next;
				867	}
				868
				869	return( (int) ( size - n ) );
				870	}
				871
				872	/*
				873	* Store the serial in printable form into buf; no more
				874	* than size characters will be written
				875	*/
Paul Bakker	86d0c19	2013-09-18 11:11:02 +0200	[diff] [blame]	876	int x509_serial_gets( char buf, size_t size, const x509_buf serial )
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	877	{
				878	int ret;
				879	size_t i, n, nr;
				880	char *p;
				881
				882	p = buf;
				883	n = size;
				884
				885	nr = ( serial->len <= 32 )
				886	? serial->len : 28;
				887
				888	for( i = 0; i < nr; i++ )
				889	{
				890	if( i == 0 && nr > 1 && serial->p[i] == 0x0 )
				891	continue;
				892
Rich Evans	fac657f	2015-01-30 11:00:01 +0000	[diff] [blame]	893	ret = polarssl_snprintf( p, n, "%02X%s",
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	894	serial->p[i], ( i < nr - 1 ) ? ":" : "" );
				895	SAFE_SNPRINTF();
				896	}
				897
				898	if( nr != serial->len )
				899	{
Rich Evans	fac657f	2015-01-30 11:00:01 +0000	[diff] [blame]	900	ret = polarssl_snprintf( p, n, "...." );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	901	SAFE_SNPRINTF();
				902	}
				903
				904	return( (int) ( size - n ) );
				905	}
				906
				907	/*
Manuel Pégourié-Gonnard	9113603	2014-06-05 15:41:39 +0200	[diff] [blame]	908	* Helper for writing signature algorithms
Manuel Pégourié-Gonnard	cac31ee	2014-01-25 11:50:59 +0100	[diff] [blame]	909	*/
				910	int x509_sig_alg_gets( char buf, size_t size, const x509_buf sig_oid,
Manuel Pégourié-Gonnard	9113603	2014-06-05 15:41:39 +0200	[diff] [blame]	911	pk_type_t pk_alg, md_type_t md_alg,
				912	const void *sig_opts )
Manuel Pégourié-Gonnard	cac31ee	2014-01-25 11:50:59 +0100	[diff] [blame]	913	{
				914	int ret;
				915	char *p = buf;
				916	size_t n = size;
				917	const char *desc = NULL;
				918
				919	ret = oid_get_sig_alg_desc( sig_oid, &desc );
				920	if( ret != 0 )
Rich Evans	fac657f	2015-01-30 11:00:01 +0000	[diff] [blame]	921	ret = polarssl_snprintf( p, n, "???" );
Manuel Pégourié-Gonnard	cac31ee	2014-01-25 11:50:59 +0100	[diff] [blame]	922	else
Rich Evans	fac657f	2015-01-30 11:00:01 +0000	[diff] [blame]	923	ret = polarssl_snprintf( p, n, "%s", desc );
Manuel Pégourié-Gonnard	cac31ee	2014-01-25 11:50:59 +0100	[diff] [blame]	924	SAFE_SNPRINTF();
				925
Manuel Pégourié-Gonnard	d1539b1	2014-06-06 16:42:37 +0200	[diff] [blame]	926	#if defined(POLARSSL_X509_RSASSA_PSS_SUPPORT)
Manuel Pégourié-Gonnard	cac31ee	2014-01-25 11:50:59 +0100	[diff] [blame]	927	if( pk_alg == POLARSSL_PK_RSASSA_PSS )
				928	{
Manuel Pégourié-Gonnard	9113603	2014-06-05 15:41:39 +0200	[diff] [blame]	929	const pk_rsassa_pss_options *pss_opts;
Manuel Pégourié-Gonnard	cac31ee	2014-01-25 11:50:59 +0100	[diff] [blame]	930	const md_info_t md_info, mgf_md_info;
Manuel Pégourié-Gonnard	cac31ee	2014-01-25 11:50:59 +0100	[diff] [blame]	931
Manuel Pégourié-Gonnard	9113603	2014-06-05 15:41:39 +0200	[diff] [blame]	932	pss_opts = (const pk_rsassa_pss_options *) sig_opts;
Manuel Pégourié-Gonnard	cac31ee	2014-01-25 11:50:59 +0100	[diff] [blame]	933
				934	md_info = md_info_from_type( md_alg );
Manuel Pégourié-Gonnard	9113603	2014-06-05 15:41:39 +0200	[diff] [blame]	935	mgf_md_info = md_info_from_type( pss_opts->mgf1_hash_id );
Manuel Pégourié-Gonnard	cac31ee	2014-01-25 11:50:59 +0100	[diff] [blame]	936
Rich Evans	fac657f	2015-01-30 11:00:01 +0000	[diff] [blame]	937	ret = polarssl_snprintf( p, n, " (%s, MGF1-%s, 0x%02X)",
Manuel Pégourié-Gonnard	cac31ee	2014-01-25 11:50:59 +0100	[diff] [blame]	938	md_info ? md_info->name : "???",
				939	mgf_md_info ? mgf_md_info->name : "???",
Manuel Pégourié-Gonnard	9113603	2014-06-05 15:41:39 +0200	[diff] [blame]	940	pss_opts->expected_salt_len );
Manuel Pégourié-Gonnard	cac31ee	2014-01-25 11:50:59 +0100	[diff] [blame]	941	SAFE_SNPRINTF();
				942	}
				943	#else
				944	((void) pk_alg);
Manuel Pégourié-Gonnard	9113603	2014-06-05 15:41:39 +0200	[diff] [blame]	945	((void) md_alg);
				946	((void) sig_opts);
Manuel Pégourié-Gonnard	d1539b1	2014-06-06 16:42:37 +0200	[diff] [blame]	947	#endif /* POLARSSL_X509_RSASSA_PSS_SUPPORT */
Manuel Pégourié-Gonnard	cac31ee	2014-01-25 11:50:59 +0100	[diff] [blame]	948
Sander Niemeijer	ef5087d	2014-08-16 12:45:52 +0200	[diff] [blame]	949	return( (int)( size - n ) );
Manuel Pégourié-Gonnard	cac31ee	2014-01-25 11:50:59 +0100	[diff] [blame]	950	}
				951
				952	/*
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	953	* Helper for writing "RSA key size", "EC key size", etc
				954	*/
				955	int x509_key_size_helper( char buf, size_t size, const char name )
				956	{
				957	char *p = buf;
				958	size_t n = size;
				959	int ret;
				960
				961	if( strlen( name ) + sizeof( " key size" ) > size )
Paul Bakker	d8bb826	2014-06-17 14:06:49 +0200	[diff] [blame]	962	return( POLARSSL_ERR_DEBUG_BUF_TOO_SMALL );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	963
Rich Evans	fac657f	2015-01-30 11:00:01 +0000	[diff] [blame]	964	ret = polarssl_snprintf( p, n, "%s key size", name );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	965	SAFE_SNPRINTF();
				966
				967	return( 0 );
				968	}
				969
				970	/*
				971	* Return an informational string describing the given OID
				972	*/
Manuel Pégourié-Gonnard	c70581c	2015-03-23 13:58:27 +0100	[diff] [blame]	973	#if ! defined(POLARSSL_DEPRECATED_REMOVED)
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	974	const char x509_oid_get_description( x509_buf oid )
				975	{
				976	const char *desc = NULL;
				977	int ret;
				978
				979	ret = oid_get_extended_key_usage( oid, &desc );
				980
				981	if( ret != 0 )
				982	return( NULL );
				983
				984	return( desc );
				985	}
Manuel Pégourié-Gonnard	c70581c	2015-03-23 13:58:27 +0100	[diff] [blame]	986	#endif
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	987
				988	/* Return the x.y.z.... style numeric string for the given OID */
Manuel Pégourié-Gonnard	c70581c	2015-03-23 13:58:27 +0100	[diff] [blame]	989	#if ! defined(POLARSSL_DEPRECATED_REMOVED)
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	990	int x509_oid_get_numeric_string( char buf, size_t size, x509_buf oid )
				991	{
				992	return oid_get_numeric_string( buf, size, oid );
				993	}
Manuel Pégourié-Gonnard	c70581c	2015-03-23 13:58:27 +0100	[diff] [blame]	994	#endif
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	995
				996	/*
				997	* Return 0 if the x509_time is still valid, or 1 otherwise.
				998	*/
				999	#if defined(POLARSSL_HAVE_TIME)
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1000
Manuel Pégourié-Gonnard	6304f78	2014-03-10 12:26:11 +0100	[diff] [blame]	1001	static void x509_get_current_time( x509_time *now )
				1002	{
Paul Bakker	fa6a620	2013-10-28 18:48:30 +0100	[diff] [blame]	1003	#if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1004	SYSTEMTIME st;
				1005
Paul Bakker	66d5d07	2014-06-17 16:39:18 +0200	[diff] [blame]	1006	GetSystemTime( &st );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1007
Manuel Pégourié-Gonnard	6304f78	2014-03-10 12:26:11 +0100	[diff] [blame]	1008	now->year = st.wYear;
				1009	now->mon = st.wMonth;
				1010	now->day = st.wDay;
				1011	now->hour = st.wHour;
				1012	now->min = st.wMinute;
				1013	now->sec = st.wSecond;
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1014	#else
Paul Bakker	5fff23b	2014-03-26 15:34:54 +0100	[diff] [blame]	1015	struct tm lt;
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1016	time_t tt;
				1017
				1018	tt = time( NULL );
Manuel Pégourié-Gonnard	0776a43	2014-04-11 12:25:45 +0200	[diff] [blame]	1019	gmtime_r( &tt, &lt );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1020
Paul Bakker	5fff23b	2014-03-26 15:34:54 +0100	[diff] [blame]	1021	now->year = lt.tm_year + 1900;
				1022	now->mon = lt.tm_mon + 1;
				1023	now->day = lt.tm_mday;
				1024	now->hour = lt.tm_hour;
				1025	now->min = lt.tm_min;
				1026	now->sec = lt.tm_sec;
Paul Bakker	9af723c	2014-05-01 13:03:14 +0200	[diff] [blame]	1027	#endif /* _WIN32 && !EFIX64 && !EFI32 */
Manuel Pégourié-Gonnard	6304f78	2014-03-10 12:26:11 +0100	[diff] [blame]	1028	}
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1029
Manuel Pégourié-Gonnard	6304f78	2014-03-10 12:26:11 +0100	[diff] [blame]	1030	/*
				1031	* Return 0 if before <= after, 1 otherwise
				1032	*/
				1033	static int x509_check_time( const x509_time before, const x509_time after )
				1034	{
				1035	if( before->year > after->year )
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1036	return( 1 );
				1037
Manuel Pégourié-Gonnard	6304f78	2014-03-10 12:26:11 +0100	[diff] [blame]	1038	if( before->year == after->year &&
				1039	before->mon > after->mon )
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1040	return( 1 );
				1041
Manuel Pégourié-Gonnard	6304f78	2014-03-10 12:26:11 +0100	[diff] [blame]	1042	if( before->year == after->year &&
				1043	before->mon == after->mon &&
				1044	before->day > after->day )
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1045	return( 1 );
				1046
Manuel Pégourié-Gonnard	6304f78	2014-03-10 12:26:11 +0100	[diff] [blame]	1047	if( before->year == after->year &&
				1048	before->mon == after->mon &&
				1049	before->day == after->day &&
				1050	before->hour > after->hour )
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1051	return( 1 );
				1052
Manuel Pégourié-Gonnard	6304f78	2014-03-10 12:26:11 +0100	[diff] [blame]	1053	if( before->year == after->year &&
				1054	before->mon == after->mon &&
				1055	before->day == after->day &&
				1056	before->hour == after->hour &&
				1057	before->min > after->min )
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1058	return( 1 );
				1059
Manuel Pégourié-Gonnard	6304f78	2014-03-10 12:26:11 +0100	[diff] [blame]	1060	if( before->year == after->year &&
				1061	before->mon == after->mon &&
				1062	before->day == after->day &&
				1063	before->hour == after->hour &&
				1064	before->min == after->min &&
				1065	before->sec > after->sec )
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1066	return( 1 );
				1067
				1068	return( 0 );
				1069	}
Manuel Pégourié-Gonnard	6304f78	2014-03-10 12:26:11 +0100	[diff] [blame]	1070
				1071	int x509_time_expired( const x509_time *to )
				1072	{
				1073	x509_time now;
				1074
				1075	x509_get_current_time( &now );
				1076
				1077	return( x509_check_time( &now, to ) );
				1078	}
				1079
				1080	int x509_time_future( const x509_time *from )
				1081	{
				1082	x509_time now;
				1083
				1084	x509_get_current_time( &now );
				1085
				1086	return( x509_check_time( from, &now ) );
				1087	}
				1088
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1089	#else /* POLARSSL_HAVE_TIME */
Manuel Pégourié-Gonnard	6304f78	2014-03-10 12:26:11 +0100	[diff] [blame]	1090
Paul Bakker	86d0c19	2013-09-18 11:11:02 +0200	[diff] [blame]	1091	int x509_time_expired( const x509_time *to )
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1092	{
				1093	((void) to);
				1094	return( 0 );
				1095	}
Manuel Pégourié-Gonnard	6304f78	2014-03-10 12:26:11 +0100	[diff] [blame]	1096
				1097	int x509_time_future( const x509_time *from )
				1098	{
				1099	((void) from);
				1100	return( 0 );
				1101	}
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1102	#endif /* POLARSSL_HAVE_TIME */
				1103
Paul Bakker	e9e6ae3	2013-09-16 22:53:25 +0200	[diff] [blame]	1104	#if defined(POLARSSL_SELF_TEST)
				1105
				1106	#include "polarssl/x509_crt.h"
				1107	#include "polarssl/certs.h"
				1108
				1109	/*
				1110	* Checkup routine
				1111	*/
				1112	int x509_self_test( int verbose )
				1113	{
Manuel Pégourié-Gonnard	3d41370	2014-04-29 15:29:41 +0200	[diff] [blame]	1114	#if defined(POLARSSL_CERTS_C) && defined(POLARSSL_SHA1_C)
Paul Bakker	e9e6ae3	2013-09-16 22:53:25 +0200	[diff] [blame]	1115	int ret;
				1116	int flags;
Paul Bakker	c559c7a	2013-09-18 14:13:26 +0200	[diff] [blame]	1117	x509_crt cacert;
				1118	x509_crt clicert;
Paul Bakker	e9e6ae3	2013-09-16 22:53:25 +0200	[diff] [blame]	1119
				1120	if( verbose != 0 )
Paul Bakker	7dc4c44	2014-02-01 22:50:26 +0100	[diff] [blame]	1121	polarssl_printf( " X.509 certificate load: " );
Paul Bakker	e9e6ae3	2013-09-16 22:53:25 +0200	[diff] [blame]	1122
Paul Bakker	b6b0956	2013-09-18 14:17:41 +0200	[diff] [blame]	1123	x509_crt_init( &clicert );
Paul Bakker	e9e6ae3	2013-09-16 22:53:25 +0200	[diff] [blame]	1124
Paul Bakker	ddf26b4	2013-09-18 13:46:23 +0200	[diff] [blame]	1125	ret = x509_crt_parse( &clicert, (const unsigned char *) test_cli_crt,
				1126	strlen( test_cli_crt ) );
Paul Bakker	e9e6ae3	2013-09-16 22:53:25 +0200	[diff] [blame]	1127	if( ret != 0 )
				1128	{
				1129	if( verbose != 0 )
Paul Bakker	7dc4c44	2014-02-01 22:50:26 +0100	[diff] [blame]	1130	polarssl_printf( "failed\n" );
Paul Bakker	e9e6ae3	2013-09-16 22:53:25 +0200	[diff] [blame]	1131
				1132	return( ret );
				1133	}
				1134
Paul Bakker	b6b0956	2013-09-18 14:17:41 +0200	[diff] [blame]	1135	x509_crt_init( &cacert );
Paul Bakker	e9e6ae3	2013-09-16 22:53:25 +0200	[diff] [blame]	1136
Paul Bakker	ddf26b4	2013-09-18 13:46:23 +0200	[diff] [blame]	1137	ret = x509_crt_parse( &cacert, (const unsigned char *) test_ca_crt,
				1138	strlen( test_ca_crt ) );
Paul Bakker	e9e6ae3	2013-09-16 22:53:25 +0200	[diff] [blame]	1139	if( ret != 0 )
				1140	{
				1141	if( verbose != 0 )
Paul Bakker	7dc4c44	2014-02-01 22:50:26 +0100	[diff] [blame]	1142	polarssl_printf( "failed\n" );
Paul Bakker	e9e6ae3	2013-09-16 22:53:25 +0200	[diff] [blame]	1143
				1144	return( ret );
				1145	}
				1146
				1147	if( verbose != 0 )
Paul Bakker	7dc4c44	2014-02-01 22:50:26 +0100	[diff] [blame]	1148	polarssl_printf( "passed\n X.509 signature verify: ");
Paul Bakker	e9e6ae3	2013-09-16 22:53:25 +0200	[diff] [blame]	1149
Paul Bakker	ddf26b4	2013-09-18 13:46:23 +0200	[diff] [blame]	1150	ret = x509_crt_verify( &clicert, &cacert, NULL, NULL, &flags, NULL, NULL );
Paul Bakker	e9e6ae3	2013-09-16 22:53:25 +0200	[diff] [blame]	1151	if( ret != 0 )
				1152	{
				1153	if( verbose != 0 )
Paul Bakker	7dc4c44	2014-02-01 22:50:26 +0100	[diff] [blame]	1154	polarssl_printf( "failed\n" );
Paul Bakker	e9e6ae3	2013-09-16 22:53:25 +0200	[diff] [blame]	1155
Paul Bakker	66d5d07	2014-06-17 16:39:18 +0200	[diff] [blame]	1156	polarssl_printf( "ret = %d, &flags = %04x\n", ret, flags );
Paul Bakker	e9e6ae3	2013-09-16 22:53:25 +0200	[diff] [blame]	1157
				1158	return( ret );
				1159	}
				1160
				1161	if( verbose != 0 )
Paul Bakker	7dc4c44	2014-02-01 22:50:26 +0100	[diff] [blame]	1162	polarssl_printf( "passed\n\n");
Paul Bakker	e9e6ae3	2013-09-16 22:53:25 +0200	[diff] [blame]	1163
				1164	x509_crt_free( &cacert );
				1165	x509_crt_free( &clicert );
				1166
				1167	return( 0 );
				1168	#else
				1169	((void) verbose);
				1170	return( POLARSSL_ERR_X509_FEATURE_UNAVAILABLE );
Paul Bakker	9af723c	2014-05-01 13:03:14 +0200	[diff] [blame]	1171	#endif /* POLARSSL_CERTS_C && POLARSSL_SHA1_C */
Paul Bakker	e9e6ae3	2013-09-16 22:53:25 +0200	[diff] [blame]	1172	}
				1173
Paul Bakker	9af723c	2014-05-01 13:03:14 +0200	[diff] [blame]	1174	#endif /* POLARSSL_SELF_TEST */
Paul Bakker	e9e6ae3	2013-09-16 22:53:25 +0200	[diff] [blame]	1175
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1176	#endif /* POLARSSL_X509_USE_C */