Blame - library/x509_crt.c - mirror/mbed-tls - TrustedFirmware Git Browser

blob: c6fbf6bf1a7490d59052dd93a3e8e73490ea5789 [file] [log] [blame]

Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1	/*
				2	* X.509 certificate and private key decoding
				3	*
Paul Bakker	7dc4c44	2014-02-01 22:50:26 +0100	[diff] [blame]	4	* Copyright (C) 2006-2014, Brainspark B.V.
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	5	*
				6	* This file is part of PolarSSL (http://www.polarssl.org)
				7	* Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
				8	*
				9	* All rights reserved.
				10	*
				11	* This program is free software; you can redistribute it and/or modify
				12	* it under the terms of the GNU General Public License as published by
				13	* the Free Software Foundation; either version 2 of the License, or
				14	* (at your option) any later version.
				15	*
				16	* This program is distributed in the hope that it will be useful,
				17	* but WITHOUT ANY WARRANTY; without even the implied warranty of
				18	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
				19	* GNU General Public License for more details.
				20	*
				21	* You should have received a copy of the GNU General Public License along
				22	* with this program; if not, write to the Free Software Foundation, Inc.,
				23	* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
				24	*/
				25	/*
				26	* The ITU-T X.509 standard defines a certificate format for PKI.
				27	*
				28	* http://www.ietf.org/rfc/rfc3279.txt
				29	* http://www.ietf.org/rfc/rfc3280.txt
				30	*
				31	* ftp://ftp.rsasecurity.com/pub/pkcs/ascii/pkcs-1v2.asc
				32	*
				33	* http://www.itu.int/ITU-T/studygroups/com17/languages/X.680-0207.pdf
				34	* http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf
				35	*/
				36
				37	#include "polarssl/config.h"
				38
				39	#if defined(POLARSSL_X509_CRT_PARSE_C)
				40
				41	#include "polarssl/x509_crt.h"
				42	#include "polarssl/oid.h"
				43	#if defined(POLARSSL_PEM_PARSE_C)
				44	#include "polarssl/pem.h"
				45	#endif
				46
Paul Bakker	7dc4c44	2014-02-01 22:50:26 +0100	[diff] [blame]	47	#if defined(POLARSSL_PLATFORM_C)
				48	#include "polarssl/platform.h"
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	49	#else
				50	#define polarssl_malloc malloc
				51	#define polarssl_free free
				52	#endif
				53
Manuel Pégourié-Gonnard	5ad68e4	2013-11-28 17:11:54 +0100	[diff] [blame]	54	#if defined(POLARSSL_THREADING_C)
				55	#include "polarssl/threading.h"
				56	#endif
				57
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	58	#include <string.h>
				59	#include <stdlib.h>
Paul Bakker	fa6a620	2013-10-28 18:48:30 +0100	[diff] [blame]	60	#if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	61	#include <windows.h>
				62	#else
				63	#include <time.h>
				64	#endif
				65
Paul Bakker	fa6a620	2013-10-28 18:48:30 +0100	[diff] [blame]	66	#if defined(EFIX64) \|\| defined(EFI32)
				67	#include <stdio.h>
				68	#endif
				69
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	70	#if defined(POLARSSL_FS_IO)
				71	#include <stdio.h>
				72	#if !defined(_WIN32)
				73	#include <sys/types.h>
				74	#include <sys/stat.h>
				75	#include <dirent.h>
				76	#endif
				77	#endif
				78
				79	/*
				80	* Version ::= INTEGER { v1(0), v2(1), v3(2) }
				81	*/
				82	static int x509_get_version( unsigned char **p,
				83	const unsigned char *end,
				84	int *ver )
				85	{
				86	int ret;
				87	size_t len;
				88
				89	if( ( ret = asn1_get_tag( p, end, &len,
				90	ASN1_CONTEXT_SPECIFIC \| ASN1_CONSTRUCTED \| 0 ) ) != 0 )
				91	{
				92	if( ret == POLARSSL_ERR_ASN1_UNEXPECTED_TAG )
				93	{
				94	*ver = 0;
				95	return( 0 );
				96	}
				97
				98	return( ret );
				99	}
				100
				101	end = *p + len;
				102
				103	if( ( ret = asn1_get_int( p, end, ver ) ) != 0 )
Paul Bakker	5187656	2013-09-17 14:36:05 +0200	[diff] [blame]	104	return( POLARSSL_ERR_X509_INVALID_VERSION + ret );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	105
				106	if( *p != end )
Paul Bakker	5187656	2013-09-17 14:36:05 +0200	[diff] [blame]	107	return( POLARSSL_ERR_X509_INVALID_VERSION +
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	108	POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
				109
				110	return( 0 );
				111	}
				112
				113	/*
				114	* Validity ::= SEQUENCE {
				115	* notBefore Time,
				116	* notAfter Time }
				117	*/
				118	static int x509_get_dates( unsigned char **p,
				119	const unsigned char *end,
				120	x509_time *from,
				121	x509_time *to )
				122	{
				123	int ret;
				124	size_t len;
				125
				126	if( ( ret = asn1_get_tag( p, end, &len,
				127	ASN1_CONSTRUCTED \| ASN1_SEQUENCE ) ) != 0 )
Paul Bakker	5187656	2013-09-17 14:36:05 +0200	[diff] [blame]	128	return( POLARSSL_ERR_X509_INVALID_DATE + ret );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	129
				130	end = *p + len;
				131
				132	if( ( ret = x509_get_time( p, end, from ) ) != 0 )
				133	return( ret );
				134
				135	if( ( ret = x509_get_time( p, end, to ) ) != 0 )
				136	return( ret );
				137
				138	if( *p != end )
Paul Bakker	5187656	2013-09-17 14:36:05 +0200	[diff] [blame]	139	return( POLARSSL_ERR_X509_INVALID_DATE +
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	140	POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
				141
				142	return( 0 );
				143	}
				144
				145	/*
				146	* X.509 v2/v3 unique identifier (not parsed)
				147	*/
				148	static int x509_get_uid( unsigned char **p,
				149	const unsigned char *end,
				150	x509_buf *uid, int n )
				151	{
				152	int ret;
				153
				154	if( *p == end )
				155	return( 0 );
				156
				157	uid->tag = **p;
				158
				159	if( ( ret = asn1_get_tag( p, end, &uid->len,
				160	ASN1_CONTEXT_SPECIFIC \| ASN1_CONSTRUCTED \| n ) ) != 0 )
				161	{
				162	if( ret == POLARSSL_ERR_ASN1_UNEXPECTED_TAG )
				163	return( 0 );
				164
				165	return( ret );
				166	}
				167
				168	uid->p = *p;
				169	*p += uid->len;
				170
				171	return( 0 );
				172	}
				173
				174	static int x509_get_basic_constraints( unsigned char **p,
				175	const unsigned char *end,
				176	int *ca_istrue,
				177	int *max_pathlen )
				178	{
				179	int ret;
				180	size_t len;
				181
				182	/*
				183	* BasicConstraints ::= SEQUENCE {
				184	* cA BOOLEAN DEFAULT FALSE,
				185	* pathLenConstraint INTEGER (0..MAX) OPTIONAL }
				186	*/
				187	ca_istrue = 0; / DEFAULT FALSE */
				188	max_pathlen = 0; / endless */
				189
				190	if( ( ret = asn1_get_tag( p, end, &len,
				191	ASN1_CONSTRUCTED \| ASN1_SEQUENCE ) ) != 0 )
Paul Bakker	5187656	2013-09-17 14:36:05 +0200	[diff] [blame]	192	return( POLARSSL_ERR_X509_INVALID_EXTENSIONS + ret );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	193
				194	if( *p == end )
				195	return 0;
				196
				197	if( ( ret = asn1_get_bool( p, end, ca_istrue ) ) != 0 )
				198	{
				199	if( ret == POLARSSL_ERR_ASN1_UNEXPECTED_TAG )
				200	ret = asn1_get_int( p, end, ca_istrue );
				201
				202	if( ret != 0 )
Paul Bakker	5187656	2013-09-17 14:36:05 +0200	[diff] [blame]	203	return( POLARSSL_ERR_X509_INVALID_EXTENSIONS + ret );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	204
				205	if( *ca_istrue != 0 )
				206	*ca_istrue = 1;
				207	}
				208
				209	if( *p == end )
				210	return 0;
				211
				212	if( ( ret = asn1_get_int( p, end, max_pathlen ) ) != 0 )
Paul Bakker	5187656	2013-09-17 14:36:05 +0200	[diff] [blame]	213	return( POLARSSL_ERR_X509_INVALID_EXTENSIONS + ret );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	214
				215	if( *p != end )
Paul Bakker	5187656	2013-09-17 14:36:05 +0200	[diff] [blame]	216	return( POLARSSL_ERR_X509_INVALID_EXTENSIONS +
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	217	POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
				218
				219	(*max_pathlen)++;
				220
				221	return 0;
				222	}
				223
				224	static int x509_get_ns_cert_type( unsigned char **p,
				225	const unsigned char *end,
				226	unsigned char *ns_cert_type)
				227	{
				228	int ret;
				229	x509_bitstring bs = { 0, 0, NULL };
				230
				231	if( ( ret = asn1_get_bitstring( p, end, &bs ) ) != 0 )
Paul Bakker	5187656	2013-09-17 14:36:05 +0200	[diff] [blame]	232	return( POLARSSL_ERR_X509_INVALID_EXTENSIONS + ret );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	233
				234	if( bs.len != 1 )
Paul Bakker	5187656	2013-09-17 14:36:05 +0200	[diff] [blame]	235	return( POLARSSL_ERR_X509_INVALID_EXTENSIONS +
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	236	POLARSSL_ERR_ASN1_INVALID_LENGTH );
				237
				238	/* Get actual bitstring */
				239	ns_cert_type = bs.p;
				240	return 0;
				241	}
				242
				243	static int x509_get_key_usage( unsigned char **p,
				244	const unsigned char *end,
				245	unsigned char *key_usage)
				246	{
				247	int ret;
				248	x509_bitstring bs = { 0, 0, NULL };
				249
				250	if( ( ret = asn1_get_bitstring( p, end, &bs ) ) != 0 )
Paul Bakker	5187656	2013-09-17 14:36:05 +0200	[diff] [blame]	251	return( POLARSSL_ERR_X509_INVALID_EXTENSIONS + ret );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	252
				253	if( bs.len < 1 )
Paul Bakker	5187656	2013-09-17 14:36:05 +0200	[diff] [blame]	254	return( POLARSSL_ERR_X509_INVALID_EXTENSIONS +
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	255	POLARSSL_ERR_ASN1_INVALID_LENGTH );
				256
				257	/* Get actual bitstring */
				258	key_usage = bs.p;
				259	return 0;
				260	}
				261
				262	/*
				263	* ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
				264	*
				265	* KeyPurposeId ::= OBJECT IDENTIFIER
				266	*/
				267	static int x509_get_ext_key_usage( unsigned char **p,
				268	const unsigned char *end,
				269	x509_sequence *ext_key_usage)
				270	{
				271	int ret;
				272
				273	if( ( ret = asn1_get_sequence_of( p, end, ext_key_usage, ASN1_OID ) ) != 0 )
Paul Bakker	5187656	2013-09-17 14:36:05 +0200	[diff] [blame]	274	return( POLARSSL_ERR_X509_INVALID_EXTENSIONS + ret );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	275
				276	/* Sequence length must be >= 1 */
				277	if( ext_key_usage->buf.p == NULL )
Paul Bakker	5187656	2013-09-17 14:36:05 +0200	[diff] [blame]	278	return( POLARSSL_ERR_X509_INVALID_EXTENSIONS +
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	279	POLARSSL_ERR_ASN1_INVALID_LENGTH );
				280
				281	return 0;
				282	}
				283
				284	/*
				285	* SubjectAltName ::= GeneralNames
				286	*
				287	* GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
				288	*
				289	* GeneralName ::= CHOICE {
				290	* otherName [0] OtherName,
				291	* rfc822Name [1] IA5String,
				292	* dNSName [2] IA5String,
				293	* x400Address [3] ORAddress,
				294	* directoryName [4] Name,
				295	* ediPartyName [5] EDIPartyName,
				296	* uniformResourceIdentifier [6] IA5String,
				297	* iPAddress [7] OCTET STRING,
				298	* registeredID [8] OBJECT IDENTIFIER }
				299	*
				300	* OtherName ::= SEQUENCE {
				301	* type-id OBJECT IDENTIFIER,
				302	* value [0] EXPLICIT ANY DEFINED BY type-id }
				303	*
				304	* EDIPartyName ::= SEQUENCE {
				305	* nameAssigner [0] DirectoryString OPTIONAL,
				306	* partyName [1] DirectoryString }
				307	*
				308	* NOTE: PolarSSL only parses and uses dNSName at this point.
				309	*/
				310	static int x509_get_subject_alt_name( unsigned char **p,
				311	const unsigned char *end,
				312	x509_sequence *subject_alt_name )
				313	{
				314	int ret;
				315	size_t len, tag_len;
				316	asn1_buf *buf;
				317	unsigned char tag;
				318	asn1_sequence *cur = subject_alt_name;
				319
				320	/* Get main sequence tag */
				321	if( ( ret = asn1_get_tag( p, end, &len,
				322	ASN1_CONSTRUCTED \| ASN1_SEQUENCE ) ) != 0 )
Paul Bakker	5187656	2013-09-17 14:36:05 +0200	[diff] [blame]	323	return( POLARSSL_ERR_X509_INVALID_EXTENSIONS + ret );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	324
				325	if( *p + len != end )
Paul Bakker	5187656	2013-09-17 14:36:05 +0200	[diff] [blame]	326	return( POLARSSL_ERR_X509_INVALID_EXTENSIONS +
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	327	POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
				328
				329	while( *p < end )
				330	{
				331	if( ( end - *p ) < 1 )
Paul Bakker	5187656	2013-09-17 14:36:05 +0200	[diff] [blame]	332	return( POLARSSL_ERR_X509_INVALID_EXTENSIONS +
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	333	POLARSSL_ERR_ASN1_OUT_OF_DATA );
				334
				335	tag = **p;
				336	(*p)++;
				337	if( ( ret = asn1_get_len( p, end, &tag_len ) ) != 0 )
Paul Bakker	5187656	2013-09-17 14:36:05 +0200	[diff] [blame]	338	return( POLARSSL_ERR_X509_INVALID_EXTENSIONS + ret );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	339
				340	if( ( tag & ASN1_CONTEXT_SPECIFIC ) != ASN1_CONTEXT_SPECIFIC )
Paul Bakker	5187656	2013-09-17 14:36:05 +0200	[diff] [blame]	341	return( POLARSSL_ERR_X509_INVALID_EXTENSIONS +
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	342	POLARSSL_ERR_ASN1_UNEXPECTED_TAG );
				343
Manuel Pégourié-Gonnard	bce2b30	2014-04-01 13:43:28 +0200	[diff] [blame]	344	/* Skip everything but DNS name */
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	345	if( tag != ( ASN1_CONTEXT_SPECIFIC \| 2 ) )
				346	{
				347	*p += tag_len;
				348	continue;
				349	}
				350
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	351	/* Allocate and assign next pointer */
Manuel Pégourié-Gonnard	bce2b30	2014-04-01 13:43:28 +0200	[diff] [blame]	352	if( cur->buf.p != NULL )
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	353	{
				354	cur->next = (asn1_sequence *) polarssl_malloc(
				355	sizeof( asn1_sequence ) );
				356
				357	if( cur->next == NULL )
Paul Bakker	5187656	2013-09-17 14:36:05 +0200	[diff] [blame]	358	return( POLARSSL_ERR_X509_INVALID_EXTENSIONS +
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	359	POLARSSL_ERR_ASN1_MALLOC_FAILED );
				360
				361	memset( cur->next, 0, sizeof( asn1_sequence ) );
				362	cur = cur->next;
				363	}
Manuel Pégourié-Gonnard	bce2b30	2014-04-01 13:43:28 +0200	[diff] [blame]	364
				365	buf = &(cur->buf);
				366	buf->tag = tag;
				367	buf->p = *p;
				368	buf->len = tag_len;
				369	*p += buf->len;
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	370	}
				371
				372	/* Set final sequence entry's next pointer to NULL */
				373	cur->next = NULL;
				374
				375	if( *p != end )
Paul Bakker	5187656	2013-09-17 14:36:05 +0200	[diff] [blame]	376	return( POLARSSL_ERR_X509_INVALID_EXTENSIONS +
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	377	POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
				378
				379	return( 0 );
				380	}
				381
				382	/*
				383	* X.509 v3 extensions
				384	*
				385	* TODO: Perform all of the basic constraints tests required by the RFC
				386	* TODO: Set values for undetected extensions to a sane default?
				387	*
				388	*/
				389	static int x509_get_crt_ext( unsigned char **p,
				390	const unsigned char *end,
Paul Bakker	c559c7a	2013-09-18 14:13:26 +0200	[diff] [blame]	391	x509_crt *crt )
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	392	{
				393	int ret;
				394	size_t len;
				395	unsigned char end_ext_data, end_ext_octet;
				396
				397	if( ( ret = x509_get_ext( p, end, &crt->v3_ext, 3 ) ) != 0 )
				398	{
				399	if( ret == POLARSSL_ERR_ASN1_UNEXPECTED_TAG )
				400	return( 0 );
				401
				402	return( ret );
				403	}
				404
				405	while( *p < end )
				406	{
				407	/*
				408	* Extension ::= SEQUENCE {
				409	* extnID OBJECT IDENTIFIER,
				410	* critical BOOLEAN DEFAULT FALSE,
				411	* extnValue OCTET STRING }
				412	*/
				413	x509_buf extn_oid = {0, 0, NULL};
				414	int is_critical = 0; /* DEFAULT FALSE */
				415	int ext_type = 0;
				416
				417	if( ( ret = asn1_get_tag( p, end, &len,
				418	ASN1_CONSTRUCTED \| ASN1_SEQUENCE ) ) != 0 )
Paul Bakker	5187656	2013-09-17 14:36:05 +0200	[diff] [blame]	419	return( POLARSSL_ERR_X509_INVALID_EXTENSIONS + ret );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	420
				421	end_ext_data = *p + len;
				422
				423	/* Get extension ID */
				424	extn_oid.tag = **p;
				425
				426	if( ( ret = asn1_get_tag( p, end, &extn_oid.len, ASN1_OID ) ) != 0 )
Paul Bakker	5187656	2013-09-17 14:36:05 +0200	[diff] [blame]	427	return( POLARSSL_ERR_X509_INVALID_EXTENSIONS + ret );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	428
				429	extn_oid.p = *p;
				430	*p += extn_oid.len;
				431
				432	if( ( end - *p ) < 1 )
Paul Bakker	5187656	2013-09-17 14:36:05 +0200	[diff] [blame]	433	return( POLARSSL_ERR_X509_INVALID_EXTENSIONS +
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	434	POLARSSL_ERR_ASN1_OUT_OF_DATA );
				435
				436	/* Get optional critical */
				437	if( ( ret = asn1_get_bool( p, end_ext_data, &is_critical ) ) != 0 &&
				438	( ret != POLARSSL_ERR_ASN1_UNEXPECTED_TAG ) )
Paul Bakker	5187656	2013-09-17 14:36:05 +0200	[diff] [blame]	439	return( POLARSSL_ERR_X509_INVALID_EXTENSIONS + ret );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	440
				441	/* Data should be octet string type */
				442	if( ( ret = asn1_get_tag( p, end_ext_data, &len,
				443	ASN1_OCTET_STRING ) ) != 0 )
Paul Bakker	5187656	2013-09-17 14:36:05 +0200	[diff] [blame]	444	return( POLARSSL_ERR_X509_INVALID_EXTENSIONS + ret );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	445
				446	end_ext_octet = *p + len;
				447
				448	if( end_ext_octet != end_ext_data )
Paul Bakker	5187656	2013-09-17 14:36:05 +0200	[diff] [blame]	449	return( POLARSSL_ERR_X509_INVALID_EXTENSIONS +
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	450	POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
				451
				452	/*
				453	* Detect supported extensions
				454	*/
				455	ret = oid_get_x509_ext_type( &extn_oid, &ext_type );
				456
				457	if( ret != 0 )
				458	{
				459	/* No parser found, skip extension */
				460	*p = end_ext_octet;
				461
				462	#if !defined(POLARSSL_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION)
				463	if( is_critical )
				464	{
				465	/* Data is marked as critical: fail */
Paul Bakker	5187656	2013-09-17 14:36:05 +0200	[diff] [blame]	466	return ( POLARSSL_ERR_X509_INVALID_EXTENSIONS +
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	467	POLARSSL_ERR_ASN1_UNEXPECTED_TAG );
				468	}
				469	#endif
				470	continue;
				471	}
				472
				473	crt->ext_types \|= ext_type;
				474
				475	switch( ext_type )
				476	{
				477	case EXT_BASIC_CONSTRAINTS:
				478	/* Parse basic constraints */
				479	if( ( ret = x509_get_basic_constraints( p, end_ext_octet,
				480	&crt->ca_istrue, &crt->max_pathlen ) ) != 0 )
				481	return ( ret );
				482	break;
				483
				484	case EXT_KEY_USAGE:
				485	/* Parse key usage */
				486	if( ( ret = x509_get_key_usage( p, end_ext_octet,
				487	&crt->key_usage ) ) != 0 )
				488	return ( ret );
				489	break;
				490
				491	case EXT_EXTENDED_KEY_USAGE:
				492	/* Parse extended key usage */
				493	if( ( ret = x509_get_ext_key_usage( p, end_ext_octet,
				494	&crt->ext_key_usage ) ) != 0 )
				495	return ( ret );
				496	break;
				497
				498	case EXT_SUBJECT_ALT_NAME:
				499	/* Parse subject alt name */
				500	if( ( ret = x509_get_subject_alt_name( p, end_ext_octet,
				501	&crt->subject_alt_names ) ) != 0 )
				502	return ( ret );
				503	break;
				504
				505	case EXT_NS_CERT_TYPE:
				506	/* Parse netscape certificate type */
				507	if( ( ret = x509_get_ns_cert_type( p, end_ext_octet,
				508	&crt->ns_cert_type ) ) != 0 )
				509	return ( ret );
				510	break;
				511
				512	default:
				513	return( POLARSSL_ERR_X509_FEATURE_UNAVAILABLE );
				514	}
				515	}
				516
				517	if( *p != end )
Paul Bakker	5187656	2013-09-17 14:36:05 +0200	[diff] [blame]	518	return( POLARSSL_ERR_X509_INVALID_EXTENSIONS +
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	519	POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
				520
				521	return( 0 );
				522	}
				523
				524	/*
				525	* Parse and fill a single X.509 certificate in DER format
				526	*/
Paul Bakker	c559c7a	2013-09-18 14:13:26 +0200	[diff] [blame]	527	static int x509_crt_parse_der_core( x509_crt crt, const unsigned char buf,
Paul Bakker	ddf26b4	2013-09-18 13:46:23 +0200	[diff] [blame]	528	size_t buflen )
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	529	{
				530	int ret;
				531	size_t len;
				532	unsigned char p, end, *crt_end;
				533
				534	/*
				535	* Check for valid input
				536	*/
				537	if( crt == NULL \|\| buf == NULL )
Paul Bakker	5187656	2013-09-17 14:36:05 +0200	[diff] [blame]	538	return( POLARSSL_ERR_X509_BAD_INPUT_DATA );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	539
				540	p = (unsigned char *) polarssl_malloc( len = buflen );
				541
				542	if( p == NULL )
				543	return( POLARSSL_ERR_X509_MALLOC_FAILED );
				544
				545	memcpy( p, buf, buflen );
				546
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	547	crt->raw.p = p;
				548	crt->raw.len = len;
				549	end = p + len;
				550
				551	/*
				552	* Certificate ::= SEQUENCE {
				553	* tbsCertificate TBSCertificate,
				554	* signatureAlgorithm AlgorithmIdentifier,
				555	* signatureValue BIT STRING }
				556	*/
				557	if( ( ret = asn1_get_tag( &p, end, &len,
				558	ASN1_CONSTRUCTED \| ASN1_SEQUENCE ) ) != 0 )
				559	{
				560	x509_crt_free( crt );
Paul Bakker	5187656	2013-09-17 14:36:05 +0200	[diff] [blame]	561	return( POLARSSL_ERR_X509_INVALID_FORMAT );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	562	}
				563
				564	if( len > (size_t) ( end - p ) )
				565	{
				566	x509_crt_free( crt );
Paul Bakker	5187656	2013-09-17 14:36:05 +0200	[diff] [blame]	567	return( POLARSSL_ERR_X509_INVALID_FORMAT +
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	568	POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
				569	}
				570	crt_end = p + len;
				571
				572	/*
				573	* TBSCertificate ::= SEQUENCE {
				574	*/
				575	crt->tbs.p = p;
				576
				577	if( ( ret = asn1_get_tag( &p, end, &len,
				578	ASN1_CONSTRUCTED \| ASN1_SEQUENCE ) ) != 0 )
				579	{
				580	x509_crt_free( crt );
Paul Bakker	5187656	2013-09-17 14:36:05 +0200	[diff] [blame]	581	return( POLARSSL_ERR_X509_INVALID_FORMAT + ret );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	582	}
				583
				584	end = p + len;
				585	crt->tbs.len = end - crt->tbs.p;
				586
				587	/*
				588	* Version ::= INTEGER { v1(0), v2(1), v3(2) }
				589	*
				590	* CertificateSerialNumber ::= INTEGER
				591	*
				592	* signature AlgorithmIdentifier
				593	*/
				594	if( ( ret = x509_get_version( &p, end, &crt->version ) ) != 0 \|\|
				595	( ret = x509_get_serial( &p, end, &crt->serial ) ) != 0 \|\|
Manuel Pégourié-Gonnard	c909308	2014-02-12 09:39:59 +0100	[diff] [blame]	596	( ret = x509_get_alg_null( &p, end, &crt->sig_oid1 ) ) != 0 )
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	597	{
				598	x509_crt_free( crt );
				599	return( ret );
				600	}
				601
				602	crt->version++;
				603
				604	if( crt->version > 3 )
				605	{
				606	x509_crt_free( crt );
Paul Bakker	5187656	2013-09-17 14:36:05 +0200	[diff] [blame]	607	return( POLARSSL_ERR_X509_UNKNOWN_VERSION );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	608	}
				609
Manuel Pégourié-Gonnard	c909308	2014-02-12 09:39:59 +0100	[diff] [blame]	610	if( ( ret = x509_get_sig_alg( &crt->sig_oid1, &crt->sig_md,
				611	&crt->sig_pk ) ) != 0 )
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	612	{
				613	x509_crt_free( crt );
				614	return( ret );
				615	}
				616
				617	/*
				618	* issuer Name
				619	*/
				620	crt->issuer_raw.p = p;
				621
				622	if( ( ret = asn1_get_tag( &p, end, &len,
				623	ASN1_CONSTRUCTED \| ASN1_SEQUENCE ) ) != 0 )
				624	{
				625	x509_crt_free( crt );
Paul Bakker	5187656	2013-09-17 14:36:05 +0200	[diff] [blame]	626	return( POLARSSL_ERR_X509_INVALID_FORMAT + ret );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	627	}
				628
				629	if( ( ret = x509_get_name( &p, p + len, &crt->issuer ) ) != 0 )
				630	{
				631	x509_crt_free( crt );
				632	return( ret );
				633	}
				634
				635	crt->issuer_raw.len = p - crt->issuer_raw.p;
				636
				637	/*
				638	* Validity ::= SEQUENCE {
				639	* notBefore Time,
				640	* notAfter Time }
				641	*
				642	*/
				643	if( ( ret = x509_get_dates( &p, end, &crt->valid_from,
				644	&crt->valid_to ) ) != 0 )
				645	{
				646	x509_crt_free( crt );
				647	return( ret );
				648	}
				649
				650	/*
				651	* subject Name
				652	*/
				653	crt->subject_raw.p = p;
				654
				655	if( ( ret = asn1_get_tag( &p, end, &len,
				656	ASN1_CONSTRUCTED \| ASN1_SEQUENCE ) ) != 0 )
				657	{
				658	x509_crt_free( crt );
Paul Bakker	5187656	2013-09-17 14:36:05 +0200	[diff] [blame]	659	return( POLARSSL_ERR_X509_INVALID_FORMAT + ret );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	660	}
				661
				662	if( len && ( ret = x509_get_name( &p, p + len, &crt->subject ) ) != 0 )
				663	{
				664	x509_crt_free( crt );
				665	return( ret );
				666	}
				667
				668	crt->subject_raw.len = p - crt->subject_raw.p;
				669
				670	/*
				671	* SubjectPublicKeyInfo
				672	*/
Paul Bakker	da77115	2013-09-16 22:45:03 +0200	[diff] [blame]	673	if( ( ret = pk_parse_subpubkey( &p, end, &crt->pk ) ) != 0 )
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	674	{
				675	x509_crt_free( crt );
				676	return( ret );
				677	}
				678
				679	/*
				680	* issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
				681	* -- If present, version shall be v2 or v3
				682	* subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
				683	* -- If present, version shall be v2 or v3
				684	* extensions [3] EXPLICIT Extensions OPTIONAL
				685	* -- If present, version shall be v3
				686	*/
				687	if( crt->version == 2 \|\| crt->version == 3 )
				688	{
				689	ret = x509_get_uid( &p, end, &crt->issuer_id, 1 );
				690	if( ret != 0 )
				691	{
				692	x509_crt_free( crt );
				693	return( ret );
				694	}
				695	}
				696
				697	if( crt->version == 2 \|\| crt->version == 3 )
				698	{
				699	ret = x509_get_uid( &p, end, &crt->subject_id, 2 );
				700	if( ret != 0 )
				701	{
				702	x509_crt_free( crt );
				703	return( ret );
				704	}
				705	}
				706
Paul Bakker	c27c4e2	2013-09-23 15:01:36 +0200	[diff] [blame]	707	#if !defined(POLARSSL_X509_ALLOW_EXTENSIONS_NON_V3)
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	708	if( crt->version == 3 )
				709	{
Paul Bakker	c27c4e2	2013-09-23 15:01:36 +0200	[diff] [blame]	710	#endif
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	711	ret = x509_get_crt_ext( &p, end, crt);
				712	if( ret != 0 )
				713	{
				714	x509_crt_free( crt );
				715	return( ret );
				716	}
Paul Bakker	c27c4e2	2013-09-23 15:01:36 +0200	[diff] [blame]	717	#if !defined(POLARSSL_X509_ALLOW_EXTENSIONS_NON_V3)
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	718	}
Paul Bakker	c27c4e2	2013-09-23 15:01:36 +0200	[diff] [blame]	719	#endif
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	720
				721	if( p != end )
				722	{
				723	x509_crt_free( crt );
Paul Bakker	5187656	2013-09-17 14:36:05 +0200	[diff] [blame]	724	return( POLARSSL_ERR_X509_INVALID_FORMAT +
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	725	POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
				726	}
				727
				728	end = crt_end;
				729
				730	/*
				731	* }
				732	* -- end of TBSCertificate
				733	*
				734	* signatureAlgorithm AlgorithmIdentifier,
				735	* signatureValue BIT STRING
				736	*/
Manuel Pégourié-Gonnard	c909308	2014-02-12 09:39:59 +0100	[diff] [blame]	737	if( ( ret = x509_get_alg_null( &p, end, &crt->sig_oid2 ) ) != 0 )
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	738	{
				739	x509_crt_free( crt );
				740	return( ret );
				741	}
				742
				743	if( crt->sig_oid1.len != crt->sig_oid2.len \|\|
Manuel Pégourié-Gonnard	c909308	2014-02-12 09:39:59 +0100	[diff] [blame]	744	memcmp( crt->sig_oid1.p, crt->sig_oid2.p, crt->sig_oid1.len ) != 0 )
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	745	{
				746	x509_crt_free( crt );
Paul Bakker	5187656	2013-09-17 14:36:05 +0200	[diff] [blame]	747	return( POLARSSL_ERR_X509_SIG_MISMATCH );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	748	}
				749
				750	if( ( ret = x509_get_sig( &p, end, &crt->sig ) ) != 0 )
				751	{
				752	x509_crt_free( crt );
				753	return( ret );
				754	}
				755
				756	if( p != end )
				757	{
				758	x509_crt_free( crt );
Paul Bakker	5187656	2013-09-17 14:36:05 +0200	[diff] [blame]	759	return( POLARSSL_ERR_X509_INVALID_FORMAT +
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	760	POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
				761	}
				762
				763	return( 0 );
				764	}
				765
				766	/*
				767	* Parse one X.509 certificate in DER format from a buffer and add them to a
				768	* chained list
				769	*/
Paul Bakker	c559c7a	2013-09-18 14:13:26 +0200	[diff] [blame]	770	int x509_crt_parse_der( x509_crt chain, const unsigned char buf,
Paul Bakker	ddf26b4	2013-09-18 13:46:23 +0200	[diff] [blame]	771	size_t buflen )
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	772	{
				773	int ret;
Paul Bakker	c559c7a	2013-09-18 14:13:26 +0200	[diff] [blame]	774	x509_crt crt = chain, prev = NULL;
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	775
				776	/*
				777	* Check for valid input
				778	*/
				779	if( crt == NULL \|\| buf == NULL )
Paul Bakker	5187656	2013-09-17 14:36:05 +0200	[diff] [blame]	780	return( POLARSSL_ERR_X509_BAD_INPUT_DATA );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	781
				782	while( crt->version != 0 && crt->next != NULL )
				783	{
				784	prev = crt;
				785	crt = crt->next;
				786	}
				787
				788	/*
				789	* Add new certificate on the end of the chain if needed.
				790	*/
				791	if ( crt->version != 0 && crt->next == NULL)
				792	{
Paul Bakker	c559c7a	2013-09-18 14:13:26 +0200	[diff] [blame]	793	crt->next = (x509_crt *) polarssl_malloc( sizeof( x509_crt ) );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	794
				795	if( crt->next == NULL )
				796	return( POLARSSL_ERR_X509_MALLOC_FAILED );
				797
				798	prev = crt;
				799	crt = crt->next;
Paul Bakker	369d2eb	2013-09-18 11:58:25 +0200	[diff] [blame]	800	x509_crt_init( crt );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	801	}
				802
Paul Bakker	ddf26b4	2013-09-18 13:46:23 +0200	[diff] [blame]	803	if( ( ret = x509_crt_parse_der_core( crt, buf, buflen ) ) != 0 )
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	804	{
				805	if( prev )
				806	prev->next = NULL;
				807
				808	if( crt != chain )
				809	polarssl_free( crt );
				810
				811	return( ret );
				812	}
				813
				814	return( 0 );
				815	}
				816
				817	/*
				818	* Parse one or more PEM certificates from a buffer and add them to the chained list
				819	*/
Paul Bakker	c559c7a	2013-09-18 14:13:26 +0200	[diff] [blame]	820	int x509_crt_parse( x509_crt chain, const unsigned char buf, size_t buflen )
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	821	{
				822	int success = 0, first_error = 0, total_failed = 0;
				823	int buf_format = X509_FORMAT_DER;
				824
				825	/*
				826	* Check for valid input
				827	*/
				828	if( chain == NULL \|\| buf == NULL )
Paul Bakker	5187656	2013-09-17 14:36:05 +0200	[diff] [blame]	829	return( POLARSSL_ERR_X509_BAD_INPUT_DATA );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	830
				831	/*
				832	* Determine buffer content. Buffer contains either one DER certificate or
				833	* one or more PEM certificates.
				834	*/
				835	#if defined(POLARSSL_PEM_PARSE_C)
				836	if( strstr( (const char *) buf, "-----BEGIN CERTIFICATE-----" ) != NULL )
				837	buf_format = X509_FORMAT_PEM;
				838	#endif
				839
				840	if( buf_format == X509_FORMAT_DER )
Paul Bakker	ddf26b4	2013-09-18 13:46:23 +0200	[diff] [blame]	841	return x509_crt_parse_der( chain, buf, buflen );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	842
				843	#if defined(POLARSSL_PEM_PARSE_C)
				844	if( buf_format == X509_FORMAT_PEM )
				845	{
				846	int ret;
				847	pem_context pem;
				848
				849	while( buflen > 0 )
				850	{
				851	size_t use_len;
				852	pem_init( &pem );
				853
				854	ret = pem_read_buffer( &pem,
				855	"-----BEGIN CERTIFICATE-----",
				856	"-----END CERTIFICATE-----",
				857	buf, NULL, 0, &use_len );
				858
				859	if( ret == 0 )
				860	{
				861	/*
				862	* Was PEM encoded
				863	*/
				864	buflen -= use_len;
				865	buf += use_len;
				866	}
				867	else if( ret == POLARSSL_ERR_PEM_BAD_INPUT_DATA )
				868	{
				869	return( ret );
				870	}
				871	else if( ret != POLARSSL_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
				872	{
				873	pem_free( &pem );
				874
				875	/*
				876	* PEM header and footer were found
				877	*/
				878	buflen -= use_len;
				879	buf += use_len;
				880
				881	if( first_error == 0 )
				882	first_error = ret;
				883
				884	continue;
				885	}
				886	else
				887	break;
				888
Paul Bakker	ddf26b4	2013-09-18 13:46:23 +0200	[diff] [blame]	889	ret = x509_crt_parse_der( chain, pem.buf, pem.buflen );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	890
				891	pem_free( &pem );
				892
				893	if( ret != 0 )
				894	{
				895	/*
				896	* Quit parsing on a memory error
				897	*/
				898	if( ret == POLARSSL_ERR_X509_MALLOC_FAILED )
				899	return( ret );
				900
				901	if( first_error == 0 )
				902	first_error = ret;
				903
				904	total_failed++;
				905	continue;
				906	}
				907
				908	success = 1;
				909	}
				910	}
				911	#endif
				912
				913	if( success )
				914	return( total_failed );
				915	else if( first_error )
				916	return( first_error );
				917	else
				918	return( POLARSSL_ERR_X509_CERT_UNKNOWN_FORMAT );
				919	}
				920
				921	#if defined(POLARSSL_FS_IO)
				922	/*
				923	* Load one or more certificates and add them to the chained list
				924	*/
Paul Bakker	c559c7a	2013-09-18 14:13:26 +0200	[diff] [blame]	925	int x509_crt_parse_file( x509_crt chain, const char path )
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	926	{
				927	int ret;
				928	size_t n;
				929	unsigned char *buf;
				930
				931	if ( ( ret = x509_load_file( path, &buf, &n ) ) != 0 )
				932	return( ret );
				933
Paul Bakker	ddf26b4	2013-09-18 13:46:23 +0200	[diff] [blame]	934	ret = x509_crt_parse( chain, buf, n );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	935
				936	memset( buf, 0, n + 1 );
				937	polarssl_free( buf );
				938
				939	return( ret );
				940	}
				941
Manuel Pégourié-Gonnard	6df0957	2014-02-12 09:29:05 +0100	[diff] [blame]	942	#if defined(POLARSSL_THREADING_PTHREAD)
Manuel Pégourié-Gonnard	5ad68e4	2013-11-28 17:11:54 +0100	[diff] [blame]	943	static threading_mutex_t readdir_mutex = PTHREAD_MUTEX_INITIALIZER;
				944	#endif
				945
Paul Bakker	c559c7a	2013-09-18 14:13:26 +0200	[diff] [blame]	946	int x509_crt_parse_path( x509_crt chain, const char path )
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	947	{
				948	int ret = 0;
Paul Bakker	fa6a620	2013-10-28 18:48:30 +0100	[diff] [blame]	949	#if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	950	int w_ret;
				951	WCHAR szDir[MAX_PATH];
				952	char filename[MAX_PATH];
				953	char *p;
Paul Bakker	b9cfaa0	2013-10-11 18:58:55 +0200	[diff] [blame]	954	int len = (int) strlen( path );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	955
				956	WIN32_FIND_DATAW file_data;
				957	HANDLE hFind;
				958
				959	if( len > MAX_PATH - 3 )
Paul Bakker	3cf63ed	2013-09-23 15:10:16 +0200	[diff] [blame]	960	return( POLARSSL_ERR_X509_BAD_INPUT_DATA );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	961
				962	memset( szDir, 0, sizeof(szDir) );
				963	memset( filename, 0, MAX_PATH );
				964	memcpy( filename, path, len );
				965	filename[len++] = '\\';
				966	p = filename + len;
				967	filename[len++] = '*';
				968
Paul Bakker	1a56fc9	2013-12-19 13:51:24 +0100	[diff] [blame]	969	w_ret = MultiByteToWideChar( CP_ACP, 0, filename, len, szDir, MAX_PATH - 3 );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	970
				971	hFind = FindFirstFileW( szDir, &file_data );
Paul Bakker	4aa40d4	2013-10-11 10:49:24 +0200	[diff] [blame]	972	if (hFind == INVALID_HANDLE_VALUE)
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	973	return( POLARSSL_ERR_X509_FILE_IO_ERROR );
				974
				975	len = MAX_PATH - len;
				976	do
				977	{
				978	memset( p, 0, len );
				979
				980	if( file_data.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY )
				981	continue;
				982
				983	w_ret = WideCharToMultiByte( CP_ACP, 0, file_data.cFileName,
				984	lstrlenW(file_data.cFileName),
				985	p, len - 1,
				986	NULL, NULL );
				987
Paul Bakker	ddf26b4	2013-09-18 13:46:23 +0200	[diff] [blame]	988	w_ret = x509_crt_parse_file( chain, filename );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	989	if( w_ret < 0 )
				990	ret++;
				991	else
				992	ret += w_ret;
				993	}
				994	while( FindNextFileW( hFind, &file_data ) != 0 );
				995
Paul Bakker	4aa40d4	2013-10-11 10:49:24 +0200	[diff] [blame]	996	if (GetLastError() != ERROR_NO_MORE_FILES)
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	997	ret = POLARSSL_ERR_X509_FILE_IO_ERROR;
				998
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	999	FindClose( hFind );
Paul Bakker	be089b0	2013-10-14 15:51:50 +0200	[diff] [blame]	1000	#else /* _WIN32 */
Manuel Pégourié-Gonnard	964bf9b	2013-11-26 16:47:11 +0100	[diff] [blame]	1001	int t_ret;
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1002	struct stat sb;
Manuel Pégourié-Gonnard	964bf9b	2013-11-26 16:47:11 +0100	[diff] [blame]	1003	struct dirent *entry;
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1004	char entry_name[255];
				1005	DIR *dir = opendir( path );
				1006
				1007	if( dir == NULL)
				1008	return( POLARSSL_ERR_X509_FILE_IO_ERROR );
				1009
Manuel Pégourié-Gonnard	6df0957	2014-02-12 09:29:05 +0100	[diff] [blame]	1010	#if defined(POLARSSL_THREADING_PTHREAD)
Manuel Pégourié-Gonnard	5ad68e4	2013-11-28 17:11:54 +0100	[diff] [blame]	1011	if( ( ret = polarssl_mutex_lock( &readdir_mutex ) ) != 0 )
				1012	return( ret );
				1013	#endif
				1014
Manuel Pégourié-Gonnard	964bf9b	2013-11-26 16:47:11 +0100	[diff] [blame]	1015	while( ( entry = readdir( dir ) ) != NULL )
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1016	{
Manuel Pégourié-Gonnard	964bf9b	2013-11-26 16:47:11 +0100	[diff] [blame]	1017	snprintf( entry_name, sizeof entry_name, "%s/%s", path, entry->d_name );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1018
Manuel Pégourié-Gonnard	964bf9b	2013-11-26 16:47:11 +0100	[diff] [blame]	1019	if( stat( entry_name, &sb ) == -1 )
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1020	{
				1021	closedir( dir );
Manuel Pégourié-Gonnard	5ad68e4	2013-11-28 17:11:54 +0100	[diff] [blame]	1022	ret = POLARSSL_ERR_X509_FILE_IO_ERROR;
				1023	goto cleanup;
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1024	}
				1025
				1026	if( !S_ISREG( sb.st_mode ) )
				1027	continue;
				1028
				1029	// Ignore parse errors
				1030	//
Paul Bakker	ddf26b4	2013-09-18 13:46:23 +0200	[diff] [blame]	1031	t_ret = x509_crt_parse_file( chain, entry_name );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1032	if( t_ret < 0 )
				1033	ret++;
				1034	else
				1035	ret += t_ret;
				1036	}
				1037	closedir( dir );
Manuel Pégourié-Gonnard	5ad68e4	2013-11-28 17:11:54 +0100	[diff] [blame]	1038
				1039	cleanup:
Manuel Pégourié-Gonnard	6df0957	2014-02-12 09:29:05 +0100	[diff] [blame]	1040	#if defined(POLARSSL_THREADING_PTHREAD)
Manuel Pégourié-Gonnard	5ad68e4	2013-11-28 17:11:54 +0100	[diff] [blame]	1041	if( polarssl_mutex_unlock( &readdir_mutex ) != 0 )
				1042	ret = POLARSSL_ERR_THREADING_MUTEX_ERROR;
				1043	#endif
				1044
Paul Bakker	be089b0	2013-10-14 15:51:50 +0200	[diff] [blame]	1045	#endif /* _WIN32 */
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1046
				1047	return( ret );
				1048	}
				1049	#endif /* POLARSSL_FS_IO */
				1050
Paul Bakker	6edcd41	2013-10-29 15:22:54 +0100	[diff] [blame]	1051	#if defined(_MSC_VER) && !defined snprintf && !defined(EFIX64) && \
				1052	!defined(EFI32)
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1053	#include <stdarg.h>
				1054
				1055	#if !defined vsnprintf
				1056	#define vsnprintf _vsnprintf
				1057	#endif // vsnprintf
				1058
				1059	/*
				1060	* Windows _snprintf and _vsnprintf are not compatible to linux versions.
				1061	* Result value is not size of buffer needed, but -1 if no fit is possible.
				1062	*
				1063	* This fuction tries to 'fix' this by at least suggesting enlarging the
				1064	* size by 20.
				1065	*/
				1066	static int compat_snprintf(char str, size_t size, const char format, ...)
				1067	{
				1068	va_list ap;
				1069	int res = -1;
				1070
				1071	va_start( ap, format );
				1072
				1073	res = vsnprintf( str, size, format, ap );
				1074
				1075	va_end( ap );
				1076
				1077	// No quick fix possible
				1078	if ( res < 0 )
				1079	return( (int) size + 20 );
				1080
				1081	return res;
				1082	}
				1083
				1084	#define snprintf compat_snprintf
				1085	#endif
				1086
				1087	#define POLARSSL_ERR_DEBUG_BUF_TOO_SMALL -2
				1088
				1089	#define SAFE_SNPRINTF() \
				1090	{ \
				1091	if( ret == -1 ) \
				1092	return( -1 ); \
				1093	\
				1094	if ( (unsigned int) ret > n ) { \
				1095	p[n - 1] = '\0'; \
				1096	return POLARSSL_ERR_DEBUG_BUF_TOO_SMALL;\
				1097	} \
				1098	\
				1099	n -= (unsigned int) ret; \
				1100	p += (unsigned int) ret; \
				1101	}
				1102
Manuel Pégourié-Gonnard	bce2b30	2014-04-01 13:43:28 +0200	[diff] [blame]	1103	static int x509_info_subject_alt_name( char *buf, size_t size,
				1104	const x509_sequence *subject_alt_name )
				1105	{
				1106	size_t i;
				1107	size_t n = *size;
				1108	char p = buf;
				1109	const x509_sequence *cur = subject_alt_name;
Manuel Pégourié-Gonnard	7b30cfc	2014-04-01 18:00:07 +0200	[diff] [blame^]	1110	const char *sep = "";
				1111	size_t sep_len = 0;
Manuel Pégourié-Gonnard	bce2b30	2014-04-01 13:43:28 +0200	[diff] [blame]	1112
				1113	while( cur != NULL )
				1114	{
Manuel Pégourié-Gonnard	7b30cfc	2014-04-01 18:00:07 +0200	[diff] [blame^]	1115	if( cur->buf.len + sep_len >= n )
Manuel Pégourié-Gonnard	bce2b30	2014-04-01 13:43:28 +0200	[diff] [blame]	1116	{
				1117	*p = '\0';
				1118	return( POLARSSL_ERR_DEBUG_BUF_TOO_SMALL );
				1119	}
				1120
Manuel Pégourié-Gonnard	7b30cfc	2014-04-01 18:00:07 +0200	[diff] [blame^]	1121	n -= cur->buf.len + sep_len;
				1122	for( i = 0; i < sep_len; i++ )
				1123	*p++ = sep[i];
Manuel Pégourié-Gonnard	bce2b30	2014-04-01 13:43:28 +0200	[diff] [blame]	1124	for( i = 0; i < cur->buf.len; i++ )
				1125	*p++ = cur->buf.p[i];
				1126
Manuel Pégourié-Gonnard	7b30cfc	2014-04-01 18:00:07 +0200	[diff] [blame^]	1127	sep = ", ";
				1128	sep_len = 2;
				1129
Manuel Pégourié-Gonnard	bce2b30	2014-04-01 13:43:28 +0200	[diff] [blame]	1130	cur = cur->next;
				1131	}
				1132
				1133	*p = '\0';
				1134
				1135	*size = n;
				1136	*buf = p;
				1137
				1138	return( 0 );
				1139	}
				1140
Manuel Pégourié-Gonnard	919f8f5	2014-04-01 13:01:11 +0200	[diff] [blame]	1141	static int x509_info_cert_type( char *buf, size_t size,
				1142	unsigned char ns_cert_type )
				1143	{
				1144	int ret;
				1145	size_t n = *size;
				1146	char p = buf;
Manuel Pégourié-Gonnard	7b30cfc	2014-04-01 18:00:07 +0200	[diff] [blame^]	1147	const char *sep = "";
Manuel Pégourié-Gonnard	919f8f5	2014-04-01 13:01:11 +0200	[diff] [blame]	1148
				1149	if( ns_cert_type & NS_CERT_TYPE_SSL_CLIENT )
				1150	{
Manuel Pégourié-Gonnard	7b30cfc	2014-04-01 18:00:07 +0200	[diff] [blame^]	1151	ret = snprintf( p, n, "%sSSL Client", sep );
Manuel Pégourié-Gonnard	919f8f5	2014-04-01 13:01:11 +0200	[diff] [blame]	1152	SAFE_SNPRINTF();
Manuel Pégourié-Gonnard	7b30cfc	2014-04-01 18:00:07 +0200	[diff] [blame^]	1153	sep = ", ";
Manuel Pégourié-Gonnard	919f8f5	2014-04-01 13:01:11 +0200	[diff] [blame]	1154	}
				1155	if( ns_cert_type & NS_CERT_TYPE_SSL_SERVER )
				1156	{
Manuel Pégourié-Gonnard	7b30cfc	2014-04-01 18:00:07 +0200	[diff] [blame^]	1157	ret = snprintf( p, n, "%sSSL Server", sep );
Manuel Pégourié-Gonnard	919f8f5	2014-04-01 13:01:11 +0200	[diff] [blame]	1158	SAFE_SNPRINTF();
Manuel Pégourié-Gonnard	7b30cfc	2014-04-01 18:00:07 +0200	[diff] [blame^]	1159	sep = ", ";
Manuel Pégourié-Gonnard	919f8f5	2014-04-01 13:01:11 +0200	[diff] [blame]	1160	}
				1161	if( ns_cert_type & NS_CERT_TYPE_EMAIL )
				1162	{
Manuel Pégourié-Gonnard	7b30cfc	2014-04-01 18:00:07 +0200	[diff] [blame^]	1163	ret = snprintf( p, n, "%sEmail", sep );
Manuel Pégourié-Gonnard	919f8f5	2014-04-01 13:01:11 +0200	[diff] [blame]	1164	SAFE_SNPRINTF();
Manuel Pégourié-Gonnard	7b30cfc	2014-04-01 18:00:07 +0200	[diff] [blame^]	1165	sep = ", ";
Manuel Pégourié-Gonnard	919f8f5	2014-04-01 13:01:11 +0200	[diff] [blame]	1166	}
				1167	if( ns_cert_type & NS_CERT_TYPE_OBJECT_SIGNING )
				1168	{
Manuel Pégourié-Gonnard	7b30cfc	2014-04-01 18:00:07 +0200	[diff] [blame^]	1169	ret = snprintf( p, n, "%sObject Signing", sep );
Manuel Pégourié-Gonnard	919f8f5	2014-04-01 13:01:11 +0200	[diff] [blame]	1170	SAFE_SNPRINTF();
Manuel Pégourié-Gonnard	7b30cfc	2014-04-01 18:00:07 +0200	[diff] [blame^]	1171	sep = ", ";
Manuel Pégourié-Gonnard	919f8f5	2014-04-01 13:01:11 +0200	[diff] [blame]	1172	}
				1173	if( ns_cert_type & NS_CERT_TYPE_RESERVED )
				1174	{
Manuel Pégourié-Gonnard	7b30cfc	2014-04-01 18:00:07 +0200	[diff] [blame^]	1175	ret = snprintf( p, n, "%sReserved", sep );
Manuel Pégourié-Gonnard	919f8f5	2014-04-01 13:01:11 +0200	[diff] [blame]	1176	SAFE_SNPRINTF();
Manuel Pégourié-Gonnard	7b30cfc	2014-04-01 18:00:07 +0200	[diff] [blame^]	1177	sep = ", ";
Manuel Pégourié-Gonnard	919f8f5	2014-04-01 13:01:11 +0200	[diff] [blame]	1178	}
				1179	if( ns_cert_type & NS_CERT_TYPE_SSL_CA )
				1180	{
Manuel Pégourié-Gonnard	7b30cfc	2014-04-01 18:00:07 +0200	[diff] [blame^]	1181	ret = snprintf( p, n, "%sSSL CA", sep );
Manuel Pégourié-Gonnard	919f8f5	2014-04-01 13:01:11 +0200	[diff] [blame]	1182	SAFE_SNPRINTF();
Manuel Pégourié-Gonnard	7b30cfc	2014-04-01 18:00:07 +0200	[diff] [blame^]	1183	sep = ", ";
Manuel Pégourié-Gonnard	919f8f5	2014-04-01 13:01:11 +0200	[diff] [blame]	1184	}
				1185	if( ns_cert_type & NS_CERT_TYPE_EMAIL_CA )
				1186	{
Manuel Pégourié-Gonnard	7b30cfc	2014-04-01 18:00:07 +0200	[diff] [blame^]	1187	ret = snprintf( p, n, "%sEmail CA", sep );
Manuel Pégourié-Gonnard	919f8f5	2014-04-01 13:01:11 +0200	[diff] [blame]	1188	SAFE_SNPRINTF();
Manuel Pégourié-Gonnard	7b30cfc	2014-04-01 18:00:07 +0200	[diff] [blame^]	1189	sep = ", ";
Manuel Pégourié-Gonnard	919f8f5	2014-04-01 13:01:11 +0200	[diff] [blame]	1190	}
				1191	if( ns_cert_type & NS_CERT_TYPE_OBJECT_SIGNING_CA )
				1192	{
Manuel Pégourié-Gonnard	7b30cfc	2014-04-01 18:00:07 +0200	[diff] [blame^]	1193	ret = snprintf( p, n, "%sObject Signing CA", sep );
Manuel Pégourié-Gonnard	919f8f5	2014-04-01 13:01:11 +0200	[diff] [blame]	1194	SAFE_SNPRINTF();
Manuel Pégourié-Gonnard	7b30cfc	2014-04-01 18:00:07 +0200	[diff] [blame^]	1195	sep = ", ";
Manuel Pégourié-Gonnard	919f8f5	2014-04-01 13:01:11 +0200	[diff] [blame]	1196	}
				1197
				1198	*size = n;
				1199	*buf = p;
				1200
				1201	return( 0 );
				1202	}
				1203
Manuel Pégourié-Gonnard	65c2ddc	2014-04-01 14:12:11 +0200	[diff] [blame]	1204	static int x509_info_key_usage( char *buf, size_t size,
				1205	unsigned char key_usage )
				1206	{
				1207	int ret;
				1208	size_t n = *size;
				1209	char p = buf;
Manuel Pégourié-Gonnard	7b30cfc	2014-04-01 18:00:07 +0200	[diff] [blame^]	1210	const char *sep = "";
Manuel Pégourié-Gonnard	65c2ddc	2014-04-01 14:12:11 +0200	[diff] [blame]	1211
				1212	if( key_usage & KU_DIGITAL_SIGNATURE )
				1213	{
Manuel Pégourié-Gonnard	7b30cfc	2014-04-01 18:00:07 +0200	[diff] [blame^]	1214	ret = snprintf( p, n, "%sDigital Signature", sep );
Manuel Pégourié-Gonnard	65c2ddc	2014-04-01 14:12:11 +0200	[diff] [blame]	1215	SAFE_SNPRINTF();
Manuel Pégourié-Gonnard	7b30cfc	2014-04-01 18:00:07 +0200	[diff] [blame^]	1216	sep = ", ";
Manuel Pégourié-Gonnard	65c2ddc	2014-04-01 14:12:11 +0200	[diff] [blame]	1217	}
				1218	if( key_usage & KU_NON_REPUDIATION )
				1219	{
Manuel Pégourié-Gonnard	7b30cfc	2014-04-01 18:00:07 +0200	[diff] [blame^]	1220	ret = snprintf( p, n, "%sNon Repudiation", sep );
Manuel Pégourié-Gonnard	65c2ddc	2014-04-01 14:12:11 +0200	[diff] [blame]	1221	SAFE_SNPRINTF();
Manuel Pégourié-Gonnard	7b30cfc	2014-04-01 18:00:07 +0200	[diff] [blame^]	1222	sep = ", ";
Manuel Pégourié-Gonnard	65c2ddc	2014-04-01 14:12:11 +0200	[diff] [blame]	1223	}
				1224	if( key_usage & KU_KEY_ENCIPHERMENT )
				1225	{
Manuel Pégourié-Gonnard	7b30cfc	2014-04-01 18:00:07 +0200	[diff] [blame^]	1226	ret = snprintf( p, n, "%sKey Encipherment", sep );
Manuel Pégourié-Gonnard	65c2ddc	2014-04-01 14:12:11 +0200	[diff] [blame]	1227	SAFE_SNPRINTF();
Manuel Pégourié-Gonnard	7b30cfc	2014-04-01 18:00:07 +0200	[diff] [blame^]	1228	sep = ", ";
Manuel Pégourié-Gonnard	65c2ddc	2014-04-01 14:12:11 +0200	[diff] [blame]	1229	}
				1230	if( key_usage & KU_DATA_ENCIPHERMENT )
				1231	{
Manuel Pégourié-Gonnard	7b30cfc	2014-04-01 18:00:07 +0200	[diff] [blame^]	1232	ret = snprintf( p, n, "%sData Encipherment", sep );
Manuel Pégourié-Gonnard	65c2ddc	2014-04-01 14:12:11 +0200	[diff] [blame]	1233	SAFE_SNPRINTF();
Manuel Pégourié-Gonnard	7b30cfc	2014-04-01 18:00:07 +0200	[diff] [blame^]	1234	sep = ", ";
Manuel Pégourié-Gonnard	65c2ddc	2014-04-01 14:12:11 +0200	[diff] [blame]	1235	}
				1236	if( key_usage & KU_KEY_AGREEMENT )
				1237	{
Manuel Pégourié-Gonnard	7b30cfc	2014-04-01 18:00:07 +0200	[diff] [blame^]	1238	ret = snprintf( p, n, "%sKey Agreement", sep );
Manuel Pégourié-Gonnard	65c2ddc	2014-04-01 14:12:11 +0200	[diff] [blame]	1239	SAFE_SNPRINTF();
Manuel Pégourié-Gonnard	7b30cfc	2014-04-01 18:00:07 +0200	[diff] [blame^]	1240	sep = ", ";
Manuel Pégourié-Gonnard	65c2ddc	2014-04-01 14:12:11 +0200	[diff] [blame]	1241	}
				1242	if( key_usage & KU_KEY_CERT_SIGN )
				1243	{
Manuel Pégourié-Gonnard	7b30cfc	2014-04-01 18:00:07 +0200	[diff] [blame^]	1244	ret = snprintf( p, n, "%sKey Cert Sign", sep );
Manuel Pégourié-Gonnard	65c2ddc	2014-04-01 14:12:11 +0200	[diff] [blame]	1245	SAFE_SNPRINTF();
Manuel Pégourié-Gonnard	7b30cfc	2014-04-01 18:00:07 +0200	[diff] [blame^]	1246	sep = ", ";
Manuel Pégourié-Gonnard	65c2ddc	2014-04-01 14:12:11 +0200	[diff] [blame]	1247	}
				1248	if( key_usage & KU_CRL_SIGN )
				1249	{
Manuel Pégourié-Gonnard	7b30cfc	2014-04-01 18:00:07 +0200	[diff] [blame^]	1250	ret = snprintf( p, n, "%sCRL Sign", sep );
Manuel Pégourié-Gonnard	65c2ddc	2014-04-01 14:12:11 +0200	[diff] [blame]	1251	SAFE_SNPRINTF();
Manuel Pégourié-Gonnard	7b30cfc	2014-04-01 18:00:07 +0200	[diff] [blame^]	1252	sep = ", ";
Manuel Pégourié-Gonnard	65c2ddc	2014-04-01 14:12:11 +0200	[diff] [blame]	1253	}
				1254
				1255	*size = n;
				1256	*buf = p;
				1257
				1258	return( 0 );
				1259	}
				1260
Manuel Pégourié-Gonnard	f6f4ab4	2014-04-01 17:32:44 +0200	[diff] [blame]	1261	static int x509_info_ext_key_usage( char *buf, size_t size,
				1262	const x509_sequence *extended_key_usage )
				1263	{
				1264	int ret;
				1265	const char *desc;
				1266	size_t n = *size;
				1267	char p = buf;
				1268	const x509_sequence *cur = extended_key_usage;
Manuel Pégourié-Gonnard	7b30cfc	2014-04-01 18:00:07 +0200	[diff] [blame^]	1269	const char *sep = "";
Manuel Pégourié-Gonnard	f6f4ab4	2014-04-01 17:32:44 +0200	[diff] [blame]	1270
				1271	while( cur != NULL )
				1272	{
				1273	if( oid_get_extended_key_usage( &cur->buf, &desc ) != 0 )
				1274	desc = "???";
				1275
Manuel Pégourié-Gonnard	7b30cfc	2014-04-01 18:00:07 +0200	[diff] [blame^]	1276	ret = snprintf( p, n, "%s%s", sep, desc );
Manuel Pégourié-Gonnard	f6f4ab4	2014-04-01 17:32:44 +0200	[diff] [blame]	1277	SAFE_SNPRINTF();
				1278
Manuel Pégourié-Gonnard	7b30cfc	2014-04-01 18:00:07 +0200	[diff] [blame^]	1279	sep = ", ";
				1280
Manuel Pégourié-Gonnard	f6f4ab4	2014-04-01 17:32:44 +0200	[diff] [blame]	1281	cur = cur->next;
				1282	}
				1283
				1284	*size = n;
				1285	*buf = p;
				1286
				1287	return( 0 );
				1288	}
				1289
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1290	/*
				1291	* Return an informational string about the certificate.
				1292	*/
Manuel Pégourié-Gonnard	b28487d	2014-04-01 12:19:09 +0200	[diff] [blame]	1293	#define BEFORE_COLON 18
				1294	#define BC "18"
Paul Bakker	ddf26b4	2013-09-18 13:46:23 +0200	[diff] [blame]	1295	int x509_crt_info( char buf, size_t size, const char prefix,
Paul Bakker	c559c7a	2013-09-18 14:13:26 +0200	[diff] [blame]	1296	const x509_crt *crt )
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1297	{
				1298	int ret;
				1299	size_t n;
				1300	char *p;
Manuel Pégourié-Gonnard	c909308	2014-02-12 09:39:59 +0100	[diff] [blame]	1301	const char *desc = NULL;
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1302	char key_size_str[BEFORE_COLON];
				1303
				1304	p = buf;
				1305	n = size;
				1306
Manuel Pégourié-Gonnard	b28487d	2014-04-01 12:19:09 +0200	[diff] [blame]	1307	ret = snprintf( p, n, "%scert. version : %d\n",
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1308	prefix, crt->version );
				1309	SAFE_SNPRINTF();
Manuel Pégourié-Gonnard	b28487d	2014-04-01 12:19:09 +0200	[diff] [blame]	1310	ret = snprintf( p, n, "%sserial number : ",
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1311	prefix );
				1312	SAFE_SNPRINTF();
				1313
Paul Bakker	86d0c19	2013-09-18 11:11:02 +0200	[diff] [blame]	1314	ret = x509_serial_gets( p, n, &crt->serial);
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1315	SAFE_SNPRINTF();
				1316
Manuel Pégourié-Gonnard	b28487d	2014-04-01 12:19:09 +0200	[diff] [blame]	1317	ret = snprintf( p, n, "\n%sissuer name : ", prefix );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1318	SAFE_SNPRINTF();
Paul Bakker	86d0c19	2013-09-18 11:11:02 +0200	[diff] [blame]	1319	ret = x509_dn_gets( p, n, &crt->issuer );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1320	SAFE_SNPRINTF();
				1321
Manuel Pégourié-Gonnard	b28487d	2014-04-01 12:19:09 +0200	[diff] [blame]	1322	ret = snprintf( p, n, "\n%ssubject name : ", prefix );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1323	SAFE_SNPRINTF();
Paul Bakker	86d0c19	2013-09-18 11:11:02 +0200	[diff] [blame]	1324	ret = x509_dn_gets( p, n, &crt->subject );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1325	SAFE_SNPRINTF();
				1326
Manuel Pégourié-Gonnard	b28487d	2014-04-01 12:19:09 +0200	[diff] [blame]	1327	ret = snprintf( p, n, "\n%sissued on : " \
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1328	"%04d-%02d-%02d %02d:%02d:%02d", prefix,
				1329	crt->valid_from.year, crt->valid_from.mon,
				1330	crt->valid_from.day, crt->valid_from.hour,
				1331	crt->valid_from.min, crt->valid_from.sec );
				1332	SAFE_SNPRINTF();
				1333
Manuel Pégourié-Gonnard	b28487d	2014-04-01 12:19:09 +0200	[diff] [blame]	1334	ret = snprintf( p, n, "\n%sexpires on : " \
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1335	"%04d-%02d-%02d %02d:%02d:%02d", prefix,
				1336	crt->valid_to.year, crt->valid_to.mon,
				1337	crt->valid_to.day, crt->valid_to.hour,
				1338	crt->valid_to.min, crt->valid_to.sec );
				1339	SAFE_SNPRINTF();
				1340
Manuel Pégourié-Gonnard	b28487d	2014-04-01 12:19:09 +0200	[diff] [blame]	1341	ret = snprintf( p, n, "\n%ssigned using : ", prefix );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1342	SAFE_SNPRINTF();
				1343
Manuel Pégourié-Gonnard	c909308	2014-02-12 09:39:59 +0100	[diff] [blame]	1344	ret = oid_get_sig_alg_desc( &crt->sig_oid1, &desc );
				1345	if( ret != 0 )
				1346	ret = snprintf( p, n, "???" );
				1347	else
				1348	ret = snprintf( p, n, "%s", desc );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1349	SAFE_SNPRINTF();
				1350
Manuel Pégourié-Gonnard	b28487d	2014-04-01 12:19:09 +0200	[diff] [blame]	1351	/* Key size */
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1352	if( ( ret = x509_key_size_helper( key_size_str, BEFORE_COLON,
				1353	pk_get_name( &crt->pk ) ) ) != 0 )
				1354	{
				1355	return( ret );
				1356	}
				1357
Manuel Pégourié-Gonnard	b28487d	2014-04-01 12:19:09 +0200	[diff] [blame]	1358	ret = snprintf( p, n, "\n%s%-" BC "s: %d bits", prefix, key_size_str,
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1359	(int) pk_get_size( &crt->pk ) );
				1360	SAFE_SNPRINTF();
				1361
Manuel Pégourié-Gonnard	b28487d	2014-04-01 12:19:09 +0200	[diff] [blame]	1362	/*
				1363	* Optional extensions
				1364	*/
				1365
				1366	if( crt->ext_types & EXT_BASIC_CONSTRAINTS )
				1367	{
				1368	ret = snprintf( p, n, "\n%sbasic constraints : CA=%s", prefix,
				1369	crt->ca_istrue ? "true" : "false" );
				1370	SAFE_SNPRINTF();
				1371
				1372	if( crt->max_pathlen > 0 )
				1373	{
				1374	ret = snprintf( p, n, ", max_pathlen=%d", crt->max_pathlen - 1 );
				1375	SAFE_SNPRINTF();
				1376	}
				1377	}
				1378
				1379	if( crt->ext_types & EXT_SUBJECT_ALT_NAME )
				1380	{
Manuel Pégourié-Gonnard	7b30cfc	2014-04-01 18:00:07 +0200	[diff] [blame^]	1381	ret = snprintf( p, n, "\n%ssubject alt name : ", prefix );
Manuel Pégourié-Gonnard	b28487d	2014-04-01 12:19:09 +0200	[diff] [blame]	1382	SAFE_SNPRINTF();
Manuel Pégourié-Gonnard	bce2b30	2014-04-01 13:43:28 +0200	[diff] [blame]	1383
				1384	if( ( ret = x509_info_subject_alt_name( &p, &n,
				1385	&crt->subject_alt_names ) ) != 0 )
				1386	return( ret );
Manuel Pégourié-Gonnard	b28487d	2014-04-01 12:19:09 +0200	[diff] [blame]	1387	}
				1388
				1389	if( crt->ext_types & EXT_NS_CERT_TYPE )
				1390	{
Manuel Pégourié-Gonnard	7b30cfc	2014-04-01 18:00:07 +0200	[diff] [blame^]	1391	ret = snprintf( p, n, "\n%scert. type : ", prefix );
Manuel Pégourié-Gonnard	b28487d	2014-04-01 12:19:09 +0200	[diff] [blame]	1392	SAFE_SNPRINTF();
Manuel Pégourié-Gonnard	919f8f5	2014-04-01 13:01:11 +0200	[diff] [blame]	1393
				1394	if( ( ret = x509_info_cert_type( &p, &n, crt->ns_cert_type ) ) != 0 )
				1395	return( ret );
Manuel Pégourié-Gonnard	b28487d	2014-04-01 12:19:09 +0200	[diff] [blame]	1396	}
				1397
				1398	if( crt->ext_types & EXT_KEY_USAGE )
				1399	{
Manuel Pégourié-Gonnard	7b30cfc	2014-04-01 18:00:07 +0200	[diff] [blame^]	1400	ret = snprintf( p, n, "\n%skey usage : ", prefix );
Manuel Pégourié-Gonnard	b28487d	2014-04-01 12:19:09 +0200	[diff] [blame]	1401	SAFE_SNPRINTF();
Manuel Pégourié-Gonnard	65c2ddc	2014-04-01 14:12:11 +0200	[diff] [blame]	1402
				1403	if( ( ret = x509_info_key_usage( &p, &n, crt->key_usage ) ) != 0 )
				1404	return( ret );
Manuel Pégourié-Gonnard	b28487d	2014-04-01 12:19:09 +0200	[diff] [blame]	1405	}
				1406
				1407	if( crt->ext_types & EXT_EXTENDED_KEY_USAGE )
				1408	{
Manuel Pégourié-Gonnard	7b30cfc	2014-04-01 18:00:07 +0200	[diff] [blame^]	1409	ret = snprintf( p, n, "\n%sext key usage : ", prefix );
Manuel Pégourié-Gonnard	b28487d	2014-04-01 12:19:09 +0200	[diff] [blame]	1410	SAFE_SNPRINTF();
Manuel Pégourié-Gonnard	f6f4ab4	2014-04-01 17:32:44 +0200	[diff] [blame]	1411
				1412	if( ( ret = x509_info_ext_key_usage( &p, &n,
				1413	&crt->ext_key_usage ) ) != 0 )
				1414	return( ret );
Manuel Pégourié-Gonnard	b28487d	2014-04-01 12:19:09 +0200	[diff] [blame]	1415	}
				1416
				1417	ret = snprintf( p, n, "\n" );
				1418	SAFE_SNPRINTF();
				1419
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1420	return( (int) ( size - n ) );
				1421	}
				1422
				1423	#if defined(POLARSSL_X509_CRL_PARSE_C)
				1424	/*
				1425	* Return 1 if the certificate is revoked, or 0 otherwise.
				1426	*/
Paul Bakker	c559c7a	2013-09-18 14:13:26 +0200	[diff] [blame]	1427	int x509_crt_revoked( const x509_crt crt, const x509_crl crl )
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1428	{
				1429	const x509_crl_entry *cur = &crl->entry;
				1430
				1431	while( cur != NULL && cur->serial.len != 0 )
				1432	{
				1433	if( crt->serial.len == cur->serial.len &&
				1434	memcmp( crt->serial.p, cur->serial.p, crt->serial.len ) == 0 )
				1435	{
Paul Bakker	86d0c19	2013-09-18 11:11:02 +0200	[diff] [blame]	1436	if( x509_time_expired( &cur->revocation_date ) )
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1437	return( 1 );
				1438	}
				1439
				1440	cur = cur->next;
				1441	}
				1442
				1443	return( 0 );
				1444	}
				1445
				1446	/*
Paul Bakker	60b1d10	2013-10-29 10:02:51 +0100	[diff] [blame]	1447	* Check that the given certificate is valid according to the CRL.
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1448	*/
Paul Bakker	c559c7a	2013-09-18 14:13:26 +0200	[diff] [blame]	1449	static int x509_crt_verifycrl( x509_crt crt, x509_crt ca,
Paul Bakker	ddf26b4	2013-09-18 13:46:23 +0200	[diff] [blame]	1450	x509_crl *crl_list)
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1451	{
				1452	int flags = 0;
				1453	unsigned char hash[POLARSSL_MD_MAX_SIZE];
				1454	const md_info_t *md_info;
				1455
				1456	if( ca == NULL )
				1457	return( flags );
				1458
				1459	/*
				1460	* TODO: What happens if no CRL is present?
				1461	* Suggestion: Revocation state should be unknown if no CRL is present.
				1462	* For backwards compatibility this is not yet implemented.
				1463	*/
				1464
				1465	while( crl_list != NULL )
				1466	{
				1467	if( crl_list->version == 0 \|\|
				1468	crl_list->issuer_raw.len != ca->subject_raw.len \|\|
				1469	memcmp( crl_list->issuer_raw.p, ca->subject_raw.p,
				1470	crl_list->issuer_raw.len ) != 0 )
				1471	{
				1472	crl_list = crl_list->next;
				1473	continue;
				1474	}
				1475
				1476	/*
				1477	* Check if CRL is correctly signed by the trusted CA
				1478	*/
				1479	md_info = md_info_from_type( crl_list->sig_md );
				1480	if( md_info == NULL )
				1481	{
				1482	/*
				1483	* Cannot check 'unknown' hash
				1484	*/
				1485	flags \|= BADCRL_NOT_TRUSTED;
				1486	break;
				1487	}
				1488
				1489	md( md_info, crl_list->tbs.p, crl_list->tbs.len, hash );
				1490
				1491	if( pk_can_do( &ca->pk, crl_list->sig_pk ) == 0 \|\|
				1492	pk_verify( &ca->pk, crl_list->sig_md, hash, md_info->size,
				1493	crl_list->sig.p, crl_list->sig.len ) != 0 )
				1494	{
				1495	flags \|= BADCRL_NOT_TRUSTED;
				1496	break;
				1497	}
				1498
				1499	/*
				1500	* Check for validity of CRL (Do not drop out)
				1501	*/
Paul Bakker	86d0c19	2013-09-18 11:11:02 +0200	[diff] [blame]	1502	if( x509_time_expired( &crl_list->next_update ) )
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1503	flags \|= BADCRL_EXPIRED;
				1504
Manuel Pégourié-Gonnard	9533765	2014-03-10 13:15:18 +0100	[diff] [blame]	1505	if( x509_time_future( &crl_list->this_update ) )
				1506	flags \|= BADCRL_FUTURE;
				1507
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1508	/*
				1509	* Check if certificate is revoked
				1510	*/
Paul Bakker	ddf26b4	2013-09-18 13:46:23 +0200	[diff] [blame]	1511	if( x509_crt_revoked(crt, crl_list) )
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1512	{
				1513	flags \|= BADCERT_REVOKED;
				1514	break;
				1515	}
				1516
				1517	crl_list = crl_list->next;
				1518	}
				1519	return flags;
				1520	}
				1521	#endif /* POLARSSL_X509_CRL_PARSE_C */
				1522
				1523	// Equal == 0, inequal == 1
				1524	static int x509_name_cmp( const void s1, const void s2, size_t len )
				1525	{
				1526	size_t i;
				1527	unsigned char diff;
				1528	const unsigned char n1 = s1, n2 = s2;
				1529
				1530	for( i = 0; i < len; i++ )
				1531	{
				1532	diff = n1[i] ^ n2[i];
				1533
Paul Bakker	f2b4d86	2013-11-20 17:23:53 +0100	[diff] [blame]	1534	if( diff == 0 )
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1535	continue;
				1536
Paul Bakker	f2b4d86	2013-11-20 17:23:53 +0100	[diff] [blame]	1537	if( diff == 32 &&
				1538	( ( n1[i] >= 'a' && n1[i] <= 'z' ) \|\|
				1539	( n1[i] >= 'A' && n1[i] <= 'Z' ) ) )
				1540	{
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1541	continue;
Paul Bakker	f2b4d86	2013-11-20 17:23:53 +0100	[diff] [blame]	1542	}
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1543
				1544	return( 1 );
				1545	}
				1546
				1547	return( 0 );
				1548	}
				1549
				1550	static int x509_wildcard_verify( const char cn, x509_buf name )
				1551	{
				1552	size_t i;
				1553	size_t cn_idx = 0;
				1554
				1555	if( name->len < 3 \|\| name->p[0] != '*' \|\| name->p[1] != '.' )
				1556	return( 0 );
				1557
				1558	for( i = 0; i < strlen( cn ); ++i )
				1559	{
				1560	if( cn[i] == '.' )
				1561	{
				1562	cn_idx = i;
				1563	break;
				1564	}
				1565	}
				1566
				1567	if( cn_idx == 0 )
				1568	return( 0 );
				1569
				1570	if( strlen( cn ) - cn_idx == name->len - 1 &&
				1571	x509_name_cmp( name->p + 1, cn + cn_idx, name->len - 1 ) == 0 )
				1572	{
				1573	return( 1 );
				1574	}
				1575
				1576	return( 0 );
				1577	}
				1578
Paul Bakker	ddf26b4	2013-09-18 13:46:23 +0200	[diff] [blame]	1579	static int x509_crt_verify_top(
Paul Bakker	c559c7a	2013-09-18 14:13:26 +0200	[diff] [blame]	1580	x509_crt child, x509_crt trust_ca,
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1581	x509_crl ca_crl, int path_cnt, int flags,
Paul Bakker	c559c7a	2013-09-18 14:13:26 +0200	[diff] [blame]	1582	int (f_vrfy)(void , x509_crt , int, int ),
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1583	void *p_vrfy )
				1584	{
				1585	int ret;
				1586	int ca_flags = 0, check_path_cnt = path_cnt + 1;
				1587	unsigned char hash[POLARSSL_MD_MAX_SIZE];
				1588	const md_info_t *md_info;
				1589
Paul Bakker	86d0c19	2013-09-18 11:11:02 +0200	[diff] [blame]	1590	if( x509_time_expired( &child->valid_to ) )
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1591	*flags \|= BADCERT_EXPIRED;
				1592
Manuel Pégourié-Gonnard	9533765	2014-03-10 13:15:18 +0100	[diff] [blame]	1593	if( x509_time_future( &child->valid_from ) )
				1594	*flags \|= BADCERT_FUTURE;
				1595
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1596	/*
				1597	* Child is the top of the chain. Check against the trust_ca list.
				1598	*/
				1599	*flags \|= BADCERT_NOT_TRUSTED;
				1600
				1601	md_info = md_info_from_type( child->sig_md );
				1602	if( md_info == NULL )
				1603	{
				1604	/*
				1605	* Cannot check 'unknown', no need to try any CA
				1606	*/
				1607	trust_ca = NULL;
				1608	}
				1609	else
				1610	md( md_info, child->tbs.p, child->tbs.len, hash );
				1611
				1612	while( trust_ca != NULL )
				1613	{
				1614	if( trust_ca->version == 0 \|\|
				1615	child->issuer_raw.len != trust_ca->subject_raw.len \|\|
				1616	memcmp( child->issuer_raw.p, trust_ca->subject_raw.p,
				1617	child->issuer_raw.len ) != 0 )
				1618	{
				1619	trust_ca = trust_ca->next;
				1620	continue;
				1621	}
				1622
				1623	/*
				1624	* Reduce path_len to check against if top of the chain is
				1625	* the same as the trusted CA
				1626	*/
				1627	if( child->subject_raw.len == trust_ca->subject_raw.len &&
				1628	memcmp( child->subject_raw.p, trust_ca->subject_raw.p,
				1629	child->issuer_raw.len ) == 0 )
				1630	{
				1631	check_path_cnt--;
				1632	}
				1633
				1634	if( trust_ca->max_pathlen > 0 &&
				1635	trust_ca->max_pathlen < check_path_cnt )
				1636	{
				1637	trust_ca = trust_ca->next;
				1638	continue;
				1639	}
				1640
				1641	if( pk_can_do( &trust_ca->pk, child->sig_pk ) == 0 \|\|
				1642	pk_verify( &trust_ca->pk, child->sig_md, hash, md_info->size,
				1643	child->sig.p, child->sig.len ) != 0 )
				1644	{
				1645	trust_ca = trust_ca->next;
				1646	continue;
				1647	}
				1648
				1649	/*
				1650	* Top of chain is signed by a trusted CA
				1651	*/
				1652	*flags &= ~BADCERT_NOT_TRUSTED;
				1653	break;
				1654	}
				1655
				1656	/*
				1657	* If top of chain is not the same as the trusted CA send a verify request
				1658	* to the callback for any issues with validity and CRL presence for the
				1659	* trusted CA certificate.
				1660	*/
				1661	if( trust_ca != NULL &&
				1662	( child->subject_raw.len != trust_ca->subject_raw.len \|\|
				1663	memcmp( child->subject_raw.p, trust_ca->subject_raw.p,
				1664	child->issuer_raw.len ) != 0 ) )
				1665	{
				1666	#if defined(POLARSSL_X509_CRL_PARSE_C)
				1667	/* Check trusted CA's CRL for the chain's top crt */
Paul Bakker	ddf26b4	2013-09-18 13:46:23 +0200	[diff] [blame]	1668	*flags \|= x509_crt_verifycrl( child, trust_ca, ca_crl );
Manuel Pégourié-Gonnard	cbf3ef3	2013-09-23 12:20:02 +0200	[diff] [blame]	1669	#else
				1670	((void) ca_crl);
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1671	#endif
				1672
Paul Bakker	86d0c19	2013-09-18 11:11:02 +0200	[diff] [blame]	1673	if( x509_time_expired( &trust_ca->valid_to ) )
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1674	ca_flags \|= BADCERT_EXPIRED;
				1675
Manuel Pégourié-Gonnard	9533765	2014-03-10 13:15:18 +0100	[diff] [blame]	1676	if( x509_time_future( &trust_ca->valid_from ) )
				1677	ca_flags \|= BADCERT_FUTURE;
				1678
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1679	if( NULL != f_vrfy )
				1680	{
				1681	if( ( ret = f_vrfy( p_vrfy, trust_ca, path_cnt + 1, &ca_flags ) ) != 0 )
				1682	return( ret );
				1683	}
				1684	}
				1685
				1686	/* Call callback on top cert */
				1687	if( NULL != f_vrfy )
				1688	{
				1689	if( ( ret = f_vrfy(p_vrfy, child, path_cnt, flags ) ) != 0 )
				1690	return( ret );
				1691	}
				1692
				1693	*flags \|= ca_flags;
				1694
				1695	return( 0 );
				1696	}
				1697
Paul Bakker	ddf26b4	2013-09-18 13:46:23 +0200	[diff] [blame]	1698	static int x509_crt_verify_child(
Paul Bakker	c559c7a	2013-09-18 14:13:26 +0200	[diff] [blame]	1699	x509_crt child, x509_crt parent, x509_crt *trust_ca,
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1700	x509_crl ca_crl, int path_cnt, int flags,
Paul Bakker	c559c7a	2013-09-18 14:13:26 +0200	[diff] [blame]	1701	int (f_vrfy)(void , x509_crt , int, int ),
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1702	void *p_vrfy )
				1703	{
				1704	int ret;
				1705	int parent_flags = 0;
				1706	unsigned char hash[POLARSSL_MD_MAX_SIZE];
Paul Bakker	c559c7a	2013-09-18 14:13:26 +0200	[diff] [blame]	1707	x509_crt *grandparent;
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1708	const md_info_t *md_info;
				1709
Manuel Pégourié-Gonnard	9533765	2014-03-10 13:15:18 +0100	[diff] [blame]	1710	if( x509_time_future( &child->valid_from ) )
				1711	*flags \|= BADCERT_FUTURE;
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1712
				1713	md_info = md_info_from_type( child->sig_md );
				1714	if( md_info == NULL )
				1715	{
				1716	/*
				1717	* Cannot check 'unknown' hash
				1718	*/
				1719	*flags \|= BADCERT_NOT_TRUSTED;
				1720	}
				1721	else
				1722	{
				1723	md( md_info, child->tbs.p, child->tbs.len, hash );
				1724
				1725	if( pk_can_do( &parent->pk, child->sig_pk ) == 0 \|\|
				1726	pk_verify( &parent->pk, child->sig_md, hash, md_info->size,
				1727	child->sig.p, child->sig.len ) != 0 )
				1728	{
				1729	*flags \|= BADCERT_NOT_TRUSTED;
				1730	}
				1731	}
				1732
				1733	#if defined(POLARSSL_X509_CRL_PARSE_C)
				1734	/* Check trusted CA's CRL for the given crt */
Paul Bakker	ddf26b4	2013-09-18 13:46:23 +0200	[diff] [blame]	1735	*flags \|= x509_crt_verifycrl(child, parent, ca_crl);
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1736	#endif
				1737
				1738	grandparent = parent->next;
				1739
				1740	while( grandparent != NULL )
				1741	{
				1742	if( grandparent->version == 0 \|\|
				1743	grandparent->ca_istrue == 0 \|\|
				1744	parent->issuer_raw.len != grandparent->subject_raw.len \|\|
				1745	memcmp( parent->issuer_raw.p, grandparent->subject_raw.p,
				1746	parent->issuer_raw.len ) != 0 )
				1747	{
				1748	grandparent = grandparent->next;
				1749	continue;
				1750	}
				1751	break;
				1752	}
				1753
				1754	if( grandparent != NULL )
				1755	{
				1756	/*
				1757	* Part of the chain
				1758	*/
Paul Bakker	ddf26b4	2013-09-18 13:46:23 +0200	[diff] [blame]	1759	ret = x509_crt_verify_child( parent, grandparent, trust_ca, ca_crl, path_cnt + 1, &parent_flags, f_vrfy, p_vrfy );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1760	if( ret != 0 )
				1761	return( ret );
				1762	}
				1763	else
				1764	{
Paul Bakker	ddf26b4	2013-09-18 13:46:23 +0200	[diff] [blame]	1765	ret = x509_crt_verify_top( parent, trust_ca, ca_crl, path_cnt + 1, &parent_flags, f_vrfy, p_vrfy );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1766	if( ret != 0 )
				1767	return( ret );
				1768	}
				1769
				1770	/* child is verified to be a child of the parent, call verify callback */
				1771	if( NULL != f_vrfy )
				1772	if( ( ret = f_vrfy( p_vrfy, child, path_cnt, flags ) ) != 0 )
				1773	return( ret );
				1774
				1775	*flags \|= parent_flags;
				1776
				1777	return( 0 );
				1778	}
				1779
				1780	/*
				1781	* Verify the certificate validity
				1782	*/
Paul Bakker	c559c7a	2013-09-18 14:13:26 +0200	[diff] [blame]	1783	int x509_crt_verify( x509_crt *crt,
				1784	x509_crt *trust_ca,
Paul Bakker	ddf26b4	2013-09-18 13:46:23 +0200	[diff] [blame]	1785	x509_crl *ca_crl,
				1786	const char cn, int flags,
Paul Bakker	c559c7a	2013-09-18 14:13:26 +0200	[diff] [blame]	1787	int (f_vrfy)(void , x509_crt , int, int ),
Paul Bakker	ddf26b4	2013-09-18 13:46:23 +0200	[diff] [blame]	1788	void *p_vrfy )
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1789	{
				1790	size_t cn_len;
				1791	int ret;
				1792	int pathlen = 0;
Paul Bakker	c559c7a	2013-09-18 14:13:26 +0200	[diff] [blame]	1793	x509_crt *parent;
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1794	x509_name *name;
				1795	x509_sequence *cur = NULL;
				1796
				1797	*flags = 0;
				1798
				1799	if( cn != NULL )
				1800	{
				1801	name = &crt->subject;
				1802	cn_len = strlen( cn );
				1803
				1804	if( crt->ext_types & EXT_SUBJECT_ALT_NAME )
				1805	{
				1806	cur = &crt->subject_alt_names;
				1807
				1808	while( cur != NULL )
				1809	{
				1810	if( cur->buf.len == cn_len &&
				1811	x509_name_cmp( cn, cur->buf.p, cn_len ) == 0 )
				1812	break;
				1813
				1814	if( cur->buf.len > 2 &&
				1815	memcmp( cur->buf.p, "*.", 2 ) == 0 &&
				1816	x509_wildcard_verify( cn, &cur->buf ) )
				1817	break;
				1818
				1819	cur = cur->next;
				1820	}
				1821
				1822	if( cur == NULL )
				1823	*flags \|= BADCERT_CN_MISMATCH;
				1824	}
				1825	else
				1826	{
				1827	while( name != NULL )
				1828	{
				1829	if( OID_CMP( OID_AT_CN, &name->oid ) )
				1830	{
				1831	if( name->val.len == cn_len &&
				1832	x509_name_cmp( name->val.p, cn, cn_len ) == 0 )
				1833	break;
				1834
				1835	if( name->val.len > 2 &&
				1836	memcmp( name->val.p, "*.", 2 ) == 0 &&
				1837	x509_wildcard_verify( cn, &name->val ) )
				1838	break;
				1839	}
				1840
				1841	name = name->next;
				1842	}
				1843
				1844	if( name == NULL )
				1845	*flags \|= BADCERT_CN_MISMATCH;
				1846	}
				1847	}
				1848
				1849	/*
				1850	* Iterate upwards in the given cert chain, to find our crt parent.
				1851	* Ignore any upper cert with CA != TRUE.
				1852	*/
				1853	parent = crt->next;
				1854
				1855	while( parent != NULL && parent->version != 0 )
				1856	{
				1857	if( parent->ca_istrue == 0 \|\|
				1858	crt->issuer_raw.len != parent->subject_raw.len \|\|
				1859	memcmp( crt->issuer_raw.p, parent->subject_raw.p,
				1860	crt->issuer_raw.len ) != 0 )
				1861	{
				1862	parent = parent->next;
				1863	continue;
				1864	}
				1865	break;
				1866	}
				1867
				1868	if( parent != NULL )
				1869	{
				1870	/*
				1871	* Part of the chain
				1872	*/
Paul Bakker	ddf26b4	2013-09-18 13:46:23 +0200	[diff] [blame]	1873	ret = x509_crt_verify_child( crt, parent, trust_ca, ca_crl, pathlen, flags, f_vrfy, p_vrfy );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1874	if( ret != 0 )
				1875	return( ret );
				1876	}
				1877	else
				1878	{
Paul Bakker	ddf26b4	2013-09-18 13:46:23 +0200	[diff] [blame]	1879	ret = x509_crt_verify_top( crt, trust_ca, ca_crl, pathlen, flags, f_vrfy, p_vrfy );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1880	if( ret != 0 )
				1881	return( ret );
				1882	}
				1883
				1884	if( *flags != 0 )
				1885	return( POLARSSL_ERR_X509_CERT_VERIFY_FAILED );
				1886
				1887	return( 0 );
				1888	}
				1889
				1890	/*
Paul Bakker	369d2eb	2013-09-18 11:58:25 +0200	[diff] [blame]	1891	* Initialize a certificate chain
				1892	*/
Paul Bakker	c559c7a	2013-09-18 14:13:26 +0200	[diff] [blame]	1893	void x509_crt_init( x509_crt *crt )
Paul Bakker	369d2eb	2013-09-18 11:58:25 +0200	[diff] [blame]	1894	{
Paul Bakker	c559c7a	2013-09-18 14:13:26 +0200	[diff] [blame]	1895	memset( crt, 0, sizeof(x509_crt) );
Paul Bakker	369d2eb	2013-09-18 11:58:25 +0200	[diff] [blame]	1896	}
				1897
				1898	/*
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1899	* Unallocate all certificate data
				1900	*/
Paul Bakker	c559c7a	2013-09-18 14:13:26 +0200	[diff] [blame]	1901	void x509_crt_free( x509_crt *crt )
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1902	{
Paul Bakker	c559c7a	2013-09-18 14:13:26 +0200	[diff] [blame]	1903	x509_crt *cert_cur = crt;
				1904	x509_crt *cert_prv;
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1905	x509_name *name_cur;
				1906	x509_name *name_prv;
				1907	x509_sequence *seq_cur;
				1908	x509_sequence *seq_prv;
				1909
				1910	if( crt == NULL )
				1911	return;
				1912
				1913	do
				1914	{
				1915	pk_free( &cert_cur->pk );
				1916
				1917	name_cur = cert_cur->issuer.next;
				1918	while( name_cur != NULL )
				1919	{
				1920	name_prv = name_cur;
				1921	name_cur = name_cur->next;
				1922	memset( name_prv, 0, sizeof( x509_name ) );
				1923	polarssl_free( name_prv );
				1924	}
				1925
				1926	name_cur = cert_cur->subject.next;
				1927	while( name_cur != NULL )
				1928	{
				1929	name_prv = name_cur;
				1930	name_cur = name_cur->next;
				1931	memset( name_prv, 0, sizeof( x509_name ) );
				1932	polarssl_free( name_prv );
				1933	}
				1934
				1935	seq_cur = cert_cur->ext_key_usage.next;
				1936	while( seq_cur != NULL )
				1937	{
				1938	seq_prv = seq_cur;
				1939	seq_cur = seq_cur->next;
				1940	memset( seq_prv, 0, sizeof( x509_sequence ) );
				1941	polarssl_free( seq_prv );
				1942	}
				1943
				1944	seq_cur = cert_cur->subject_alt_names.next;
				1945	while( seq_cur != NULL )
				1946	{
				1947	seq_prv = seq_cur;
				1948	seq_cur = seq_cur->next;
				1949	memset( seq_prv, 0, sizeof( x509_sequence ) );
				1950	polarssl_free( seq_prv );
				1951	}
				1952
				1953	if( cert_cur->raw.p != NULL )
				1954	{
				1955	memset( cert_cur->raw.p, 0, cert_cur->raw.len );
				1956	polarssl_free( cert_cur->raw.p );
				1957	}
				1958
				1959	cert_cur = cert_cur->next;
				1960	}
				1961	while( cert_cur != NULL );
				1962
				1963	cert_cur = crt;
				1964	do
				1965	{
				1966	cert_prv = cert_cur;
				1967	cert_cur = cert_cur->next;
				1968
Paul Bakker	c559c7a	2013-09-18 14:13:26 +0200	[diff] [blame]	1969	memset( cert_prv, 0, sizeof( x509_crt ) );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1970	if( cert_prv != crt )
				1971	polarssl_free( cert_prv );
				1972	}
				1973	while( cert_cur != NULL );
				1974	}
				1975
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1976	#endif