TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 860b51642d94b41097e245ea0ed5c119a35ed194 / . / library / x509_crl.c
blob: 2c90582a1b666dc06e209e7557bb9236290873bc [file] [log] [blame]
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]1/*
Manuel Pégourié-Gonnard1c082f32014-06-12 22:34:55 +0200[diff] [blame]2 * X.509 Certidicate Revocation List (CRL) parsing
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]3 *
Manuel Pégourié-Gonnarda658a402015-01-23 09:45:19 +0000[diff] [blame]4 * Copyright (C) 2006-2014, ARM Limited, All Rights Reserved
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]5 *
Manuel Pégourié-Gonnard860b5162015-01-28 17:12:07 +0000[diff] [blame^]6 * This file is part of mbed TLS (https://polarssl.org)
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]7 *
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
12 *
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17 *
18 * You should have received a copy of the GNU General Public License along
19 * with this program; if not, write to the Free Software Foundation, Inc.,
20 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
21 */
22/*
23 * The ITU-T X.509 standard defines a certificate format for PKI.
24 *
Manuel Pégourié-Gonnard1c082f32014-06-12 22:34:55 +0200[diff] [blame]25 * http://www.ietf.org/rfc/rfc5280.txt (Certificates and CRLs)
26 * http://www.ietf.org/rfc/rfc3279.txt (Alg IDs for CRLs)
27 * http://www.ietf.org/rfc/rfc2986.txt (CSRs, aka PKCS#10)
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]28 *
29 * http://www.itu.int/ITU-T/studygroups/com17/languages/X.680-0207.pdf
30 * http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf
31 */
32
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]33#if !defined(POLARSSL_CONFIG_FILE)
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]34#include "polarssl/config.h"
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]35#else
36#include POLARSSL_CONFIG_FILE
37#endif
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]38
39#if defined(POLARSSL_X509_CRL_PARSE_C)
40
41#include "polarssl/x509_crl.h"
42#include "polarssl/oid.h"
43#if defined(POLARSSL_PEM_PARSE_C)
44#include "polarssl/pem.h"
45#endif
46
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]47#if defined(POLARSSL_PLATFORM_C)
48#include "polarssl/platform.h"
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]49#else
50#define polarssl_malloc malloc
51#define polarssl_free free
52#endif
53
54#include <string.h>
55#include <stdlib.h>
Paul Bakkerfa6a6202013-10-28 18:48:30 +0100[diff] [blame]56#if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
57
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]58#include <windows.h>
59#else
60#include <time.h>
61#endif
62
Paul Bakkerfa6a6202013-10-28 18:48:30 +0100[diff] [blame]63#if defined(POLARSSL_FS_IO) || defined(EFIX64) || defined(EFI32)
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]64#include <stdio.h>
65#endif
66
Paul Bakker34617722014-06-13 17:20:13 +0200[diff] [blame]67/* Implementation that should never be optimized out by the compiler */
68static void polarssl_zeroize( void *v, size_t n ) {
69 volatile unsigned char *p = v; while( n-- ) *p++ = 0;
70}
71
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]72/*
73 * Version ::= INTEGER { v1(0), v2(1) }
74 */
75static int x509_crl_get_version( unsigned char **p,
76 const unsigned char *end,
77 int *ver )
78{
79 int ret;
80
81 if( ( ret = asn1_get_int( p, end, ver ) ) != 0 )
82 {
83 if( ret == POLARSSL_ERR_ASN1_UNEXPECTED_TAG )
84 {
85 *ver = 0;
86 return( 0 );
87 }
88
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]89 return( POLARSSL_ERR_X509_INVALID_VERSION + ret );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]90 }
91
92 return( 0 );
93}
94
95/*
96 * X.509 CRL v2 extensions (no extensions parsed yet.)
97 */
98static int x509_get_crl_ext( unsigned char **p,
99 const unsigned char *end,
100 x509_buf *ext )
101{
102 int ret;
103 size_t len = 0;
104
105 /* Get explicit tag */
106 if( ( ret = x509_get_ext( p, end, ext, 0) ) != 0 )
107 {
108 if( ret == POLARSSL_ERR_ASN1_UNEXPECTED_TAG )
109 return( 0 );
110
111 return( ret );
112 }
113
114 while( *p < end )
115 {
116 if( ( ret = asn1_get_tag( p, end, &len,
117 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]118 return( POLARSSL_ERR_X509_INVALID_EXTENSIONS + ret );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]119
120 *p += len;
121 }
122
123 if( *p != end )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]124 return( POLARSSL_ERR_X509_INVALID_EXTENSIONS +
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]125 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
126
127 return( 0 );
128}
129
130/*
131 * X.509 CRL v2 entry extensions (no extensions parsed yet.)
132 */
133static int x509_get_crl_entry_ext( unsigned char **p,
134 const unsigned char *end,
135 x509_buf *ext )
136{
137 int ret;
138 size_t len = 0;
139
140 /* OPTIONAL */
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]141 if( end <= *p )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]142 return( 0 );
143
144 ext->tag = **p;
145 ext->p = *p;
146
147 /*
148 * Get CRL-entry extension sequence header
149 * crlEntryExtensions Extensions OPTIONAL -- if present, MUST be v2
150 */
151 if( ( ret = asn1_get_tag( p, end, &ext->len,
152 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
153 {
154 if( ret == POLARSSL_ERR_ASN1_UNEXPECTED_TAG )
155 {
156 ext->p = NULL;
157 return( 0 );
158 }
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]159 return( POLARSSL_ERR_X509_INVALID_EXTENSIONS + ret );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]160 }
161
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]162 end = *p + ext->len;
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]163
164 if( end != *p + ext->len )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]165 return( POLARSSL_ERR_X509_INVALID_EXTENSIONS +
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]166 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
167
168 while( *p < end )
169 {
170 if( ( ret = asn1_get_tag( p, end, &len,
171 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]172 return( POLARSSL_ERR_X509_INVALID_EXTENSIONS + ret );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]173
174 *p += len;
175 }
176
177 if( *p != end )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]178 return( POLARSSL_ERR_X509_INVALID_EXTENSIONS +
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]179 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
180
181 return( 0 );
182}
183
184/*
185 * X.509 CRL Entries
186 */
187static int x509_get_entries( unsigned char **p,
188 const unsigned char *end,
189 x509_crl_entry *entry )
190{
191 int ret;
192 size_t entry_len;
193 x509_crl_entry *cur_entry = entry;
194
195 if( *p == end )
196 return( 0 );
197
198 if( ( ret = asn1_get_tag( p, end, &entry_len,
199 ASN1_SEQUENCE | ASN1_CONSTRUCTED ) ) != 0 )
200 {
201 if( ret == POLARSSL_ERR_ASN1_UNEXPECTED_TAG )
202 return( 0 );
203
204 return( ret );
205 }
206
207 end = *p + entry_len;
208
209 while( *p < end )
210 {
211 size_t len2;
212 const unsigned char *end2;
213
214 if( ( ret = asn1_get_tag( p, end, &len2,
215 ASN1_SEQUENCE | ASN1_CONSTRUCTED ) ) != 0 )
216 {
217 return( ret );
218 }
219
220 cur_entry->raw.tag = **p;
221 cur_entry->raw.p = *p;
222 cur_entry->raw.len = len2;
223 end2 = *p + len2;
224
225 if( ( ret = x509_get_serial( p, end2, &cur_entry->serial ) ) != 0 )
226 return( ret );
227
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200[diff] [blame]228 if( ( ret = x509_get_time( p, end2,
229 &cur_entry->revocation_date ) ) != 0 )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]230 return( ret );
231
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200[diff] [blame]232 if( ( ret = x509_get_crl_entry_ext( p, end2,
233 &cur_entry->entry_ext ) ) != 0 )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]234 return( ret );
235
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]236 if( *p < end )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]237 {
238 cur_entry->next = polarssl_malloc( sizeof( x509_crl_entry ) );
239
240 if( cur_entry->next == NULL )
241 return( POLARSSL_ERR_X509_MALLOC_FAILED );
242
Manuel Pégourié-Gonnarde5b0fc12014-11-12 22:27:42 +0100[diff] [blame]243 memset( cur_entry->next, 0, sizeof( x509_crl_entry ) );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]244 cur_entry = cur_entry->next;
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]245 }
246 }
247
248 return( 0 );
249}
250
251/*
Manuel Pégourié-Gonnard426d4ae2014-11-19 16:58:28 +0100[diff] [blame]252 * Parse one CRLs in DER format and append it to the chained list
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]253 */
Manuel Pégourié-Gonnard426d4ae2014-11-19 16:58:28 +0100[diff] [blame]254int x509_crl_parse_der( x509_crl *chain,
255 const unsigned char *buf, size_t buflen )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]256{
257 int ret;
258 size_t len;
259 unsigned char *p, *end;
Manuel Pégourié-Gonnarddddbb1d2014-06-05 17:02:24 +0200[diff] [blame]260 x509_buf sig_params1, sig_params2;
Manuel Pégourié-Gonnard426d4ae2014-11-19 16:58:28 +0100[diff] [blame]261 x509_crl *crl = chain;
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]262
263 /*
264 * Check for valid input
265 */
266 if( crl == NULL || buf == NULL )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]267 return( POLARSSL_ERR_X509_BAD_INPUT_DATA );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]268
Manuel Pégourié-Gonnard426d4ae2014-11-19 16:58:28 +0100[diff] [blame]269 memset( &sig_params1, 0, sizeof( x509_buf ) );
270 memset( &sig_params2, 0, sizeof( x509_buf ) );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]271
272 /*
273 * Add new CRL on the end of the chain if needed.
274 */
Manuel Pégourié-Gonnard426d4ae2014-11-19 16:58:28 +0100[diff] [blame]275 while( crl->version != 0 && crl->next != NULL )
276 crl = crl->next;
277
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]278 if( crl->version != 0 && crl->next == NULL )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]279 {
280 crl->next = (x509_crl *) polarssl_malloc( sizeof( x509_crl ) );
281
282 if( crl->next == NULL )
283 {
284 x509_crl_free( crl );
285 return( POLARSSL_ERR_X509_MALLOC_FAILED );
286 }
287
Manuel Pégourié-Gonnarde5b0fc12014-11-12 22:27:42 +0100[diff] [blame]288 x509_crl_init( crl->next );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]289 crl = crl->next;
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]290 }
291
Manuel Pégourié-Gonnard426d4ae2014-11-19 16:58:28 +0100[diff] [blame]292 /*
293 * Copy raw DER-encoded CRL
294 */
295 if( ( p = polarssl_malloc( buflen ) ) == NULL )
296 return( POLARSSL_ERR_X509_MALLOC_FAILED );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]297
Manuel Pégourié-Gonnard426d4ae2014-11-19 16:58:28 +0100[diff] [blame]298 memcpy( p, buf, buflen );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]299
300 crl->raw.p = p;
Manuel Pégourié-Gonnard426d4ae2014-11-19 16:58:28 +0100[diff] [blame]301 crl->raw.len = buflen;
302
303 end = p + buflen;
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]304
305 /*
306 * CertificateList ::= SEQUENCE {
307 * tbsCertList TBSCertList,
308 * signatureAlgorithm AlgorithmIdentifier,
309 * signatureValue BIT STRING }
310 */
311 if( ( ret = asn1_get_tag( &p, end, &len,
312 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
313 {
314 x509_crl_free( crl );
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]315 return( POLARSSL_ERR_X509_INVALID_FORMAT );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]316 }
317
318 if( len != (size_t) ( end - p ) )
319 {
320 x509_crl_free( crl );
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]321 return( POLARSSL_ERR_X509_INVALID_FORMAT +
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]322 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
323 }
324
325 /*
326 * TBSCertList ::= SEQUENCE {
327 */
328 crl->tbs.p = p;
329
330 if( ( ret = asn1_get_tag( &p, end, &len,
331 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
332 {
333 x509_crl_free( crl );
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]334 return( POLARSSL_ERR_X509_INVALID_FORMAT + ret );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]335 }
336
337 end = p + len;
338 crl->tbs.len = end - crl->tbs.p;
339
340 /*
341 * Version ::= INTEGER OPTIONAL { v1(0), v2(1) }
342 * -- if present, MUST be v2
343 *
344 * signature AlgorithmIdentifier
345 */
346 if( ( ret = x509_crl_get_version( &p, end, &crl->version ) ) != 0 ||
Manuel Pégourié-Gonnarddddbb1d2014-06-05 17:02:24 +0200[diff] [blame]347 ( ret = x509_get_alg( &p, end, &crl->sig_oid1, &sig_params1 ) ) != 0 )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]348 {
349 x509_crl_free( crl );
350 return( ret );
351 }
352
353 crl->version++;
354
355 if( crl->version > 2 )
356 {
357 x509_crl_free( crl );
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]358 return( POLARSSL_ERR_X509_UNKNOWN_VERSION );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]359 }
360
Manuel Pégourié-Gonnarddddbb1d2014-06-05 17:02:24 +0200[diff] [blame]361 if( ( ret = x509_get_sig_alg( &crl->sig_oid1, &sig_params1,
Manuel Pégourié-Gonnardf75f2f72014-06-05 15:14:28 +0200[diff] [blame]362 &crl->sig_md, &crl->sig_pk,
363 &crl->sig_opts ) ) != 0 )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]364 {
365 x509_crl_free( crl );
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]366 return( POLARSSL_ERR_X509_UNKNOWN_SIG_ALG );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]367 }
368
369 /*
370 * issuer Name
371 */
372 crl->issuer_raw.p = p;
373
374 if( ( ret = asn1_get_tag( &p, end, &len,
375 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
376 {
377 x509_crl_free( crl );
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]378 return( POLARSSL_ERR_X509_INVALID_FORMAT + ret );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]379 }
380
381 if( ( ret = x509_get_name( &p, p + len, &crl->issuer ) ) != 0 )
382 {
383 x509_crl_free( crl );
384 return( ret );
385 }
386
387 crl->issuer_raw.len = p - crl->issuer_raw.p;
388
389 /*
390 * thisUpdate Time
391 * nextUpdate Time OPTIONAL
392 */
393 if( ( ret = x509_get_time( &p, end, &crl->this_update ) ) != 0 )
394 {
395 x509_crl_free( crl );
396 return( ret );
397 }
398
399 if( ( ret = x509_get_time( &p, end, &crl->next_update ) ) != 0 )
400 {
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]401 if( ret != ( POLARSSL_ERR_X509_INVALID_DATE +
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]402 POLARSSL_ERR_ASN1_UNEXPECTED_TAG ) &&
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]403 ret != ( POLARSSL_ERR_X509_INVALID_DATE +
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]404 POLARSSL_ERR_ASN1_OUT_OF_DATA ) )
405 {
406 x509_crl_free( crl );
407 return( ret );
408 }
409 }
410
411 /*
412 * revokedCertificates SEQUENCE OF SEQUENCE {
413 * userCertificate CertificateSerialNumber,
414 * revocationDate Time,
415 * crlEntryExtensions Extensions OPTIONAL
416 * -- if present, MUST be v2
417 * } OPTIONAL
418 */
419 if( ( ret = x509_get_entries( &p, end, &crl->entry ) ) != 0 )
420 {
421 x509_crl_free( crl );
422 return( ret );
423 }
424
425 /*
426 * crlExtensions EXPLICIT Extensions OPTIONAL
427 * -- if present, MUST be v2
428 */
429 if( crl->version == 2 )
430 {
431 ret = x509_get_crl_ext( &p, end, &crl->crl_ext );
432
433 if( ret != 0 )
434 {
435 x509_crl_free( crl );
436 return( ret );
437 }
438 }
439
440 if( p != end )
441 {
442 x509_crl_free( crl );
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]443 return( POLARSSL_ERR_X509_INVALID_FORMAT +
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]444 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
445 }
446
447 end = crl->raw.p + crl->raw.len;
448
449 /*
450 * signatureAlgorithm AlgorithmIdentifier,
451 * signatureValue BIT STRING
452 */
Manuel Pégourié-Gonnarddddbb1d2014-06-05 17:02:24 +0200[diff] [blame]453 if( ( ret = x509_get_alg( &p, end, &crl->sig_oid2, &sig_params2 ) ) != 0 )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]454 {
455 x509_crl_free( crl );
456 return( ret );
457 }
458
459 if( crl->sig_oid1.len != crl->sig_oid2.len ||
Manuel Pégourié-Gonnarddddbb1d2014-06-05 17:02:24 +0200[diff] [blame]460 memcmp( crl->sig_oid1.p, crl->sig_oid2.p, crl->sig_oid1.len ) != 0 ||
461 sig_params1.len != sig_params2.len ||
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]462 memcmp( sig_params1.p, sig_params2.p, sig_params1.len ) != 0 )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]463 {
464 x509_crl_free( crl );
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]465 return( POLARSSL_ERR_X509_SIG_MISMATCH );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]466 }
467
468 if( ( ret = x509_get_sig( &p, end, &crl->sig ) ) != 0 )
469 {
470 x509_crl_free( crl );
471 return( ret );
472 }
473
474 if( p != end )
475 {
476 x509_crl_free( crl );
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]477 return( POLARSSL_ERR_X509_INVALID_FORMAT +
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]478 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
479 }
480
Manuel Pégourié-Gonnard426d4ae2014-11-19 16:58:28 +0100[diff] [blame]481 return( 0 );
482}
483
484/*
485 * Parse one or more CRLs and add them to the chained list
486 */
487int x509_crl_parse( x509_crl *chain, const unsigned char *buf, size_t buflen )
488{
Manuel Pégourié-Gonnard6ed2d922014-11-19 19:05:03 +0100[diff] [blame]489#if defined(POLARSSL_PEM_PARSE_C)
Manuel Pégourié-Gonnard426d4ae2014-11-19 16:58:28 +0100[diff] [blame]490 int ret;
Manuel Pégourié-Gonnard6ed2d922014-11-19 19:05:03 +0100[diff] [blame]491 size_t use_len;
492 pem_context pem;
493 int is_pem = 0;
Manuel Pégourié-Gonnard426d4ae2014-11-19 16:58:28 +0100[diff] [blame]494
495 if( chain == NULL || buf == NULL )
496 return( POLARSSL_ERR_X509_BAD_INPUT_DATA );
497
Manuel Pégourié-Gonnard6ed2d922014-11-19 19:05:03 +0100[diff] [blame]498 do
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]499 {
Manuel Pégourié-Gonnard6ed2d922014-11-19 19:05:03 +0100[diff] [blame]500 pem_init( &pem );
501 ret = pem_read_buffer( &pem,
502 "-----BEGIN X509 CRL-----",
503 "-----END X509 CRL-----",
504 buf, NULL, 0, &use_len );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]505
Manuel Pégourié-Gonnard6ed2d922014-11-19 19:05:03 +0100[diff] [blame]506 if( ret == 0 )
507 {
508 /*
509 * Was PEM encoded
510 */
511 is_pem = 1;
512
513 buflen -= use_len;
514 buf += use_len;
515
516 if( ( ret = x509_crl_parse_der( chain,
517 pem.buf, pem.buflen ) ) != 0 )
518 {
519 return( ret );
520 }
521
522 pem_free( &pem );
523 }
524 else if( ret != POLARSSL_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
525 {
526 pem_free( &pem );
Manuel Pégourié-Gonnard426d4ae2014-11-19 16:58:28 +0100[diff] [blame]527 return( ret );
Manuel Pégourié-Gonnard6ed2d922014-11-19 19:05:03 +0100[diff] [blame]528 }
529 }
530 while( is_pem && buflen > 0 );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]531
Manuel Pégourié-Gonnard6ed2d922014-11-19 19:05:03 +0100[diff] [blame]532 if( is_pem )
533 return( 0 );
Manuel Pégourié-Gonnard426d4ae2014-11-19 16:58:28 +0100[diff] [blame]534 else
535#endif /* POLARSSL_PEM_PARSE_C */
Manuel Pégourié-Gonnard6ed2d922014-11-19 19:05:03 +0100[diff] [blame]536 return( x509_crl_parse_der( chain, buf, buflen ) );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]537}
538
539#if defined(POLARSSL_FS_IO)
540/*
541 * Load one or more CRLs and add them to the chained list
542 */
Paul Bakkerddf26b42013-09-18 13:46:23 +0200[diff] [blame]543int x509_crl_parse_file( x509_crl *chain, const char *path )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]544{
545 int ret;
546 size_t n;
547 unsigned char *buf;
548
Manuel Pégourié-Gonnard9439f932014-11-21 09:49:43 +0100[diff] [blame]549 if( ( ret = pk_load_file( path, &buf, &n ) ) != 0 )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]550 return( ret );
551
Paul Bakkerddf26b42013-09-18 13:46:23 +0200[diff] [blame]552 ret = x509_crl_parse( chain, buf, n );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]553
Paul Bakker34617722014-06-13 17:20:13 +0200[diff] [blame]554 polarssl_zeroize( buf, n + 1 );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]555 polarssl_free( buf );
556
557 return( ret );
558}
559#endif /* POLARSSL_FS_IO */
560
Paul Bakker6edcd412013-10-29 15:22:54 +0100[diff] [blame]561#if defined(_MSC_VER) && !defined snprintf && !defined(EFIX64) && \
562 !defined(EFI32)
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]563#include <stdarg.h>
564
565#if !defined vsnprintf
566#define vsnprintf _vsnprintf
567#endif // vsnprintf
568
569/*
570 * Windows _snprintf and _vsnprintf are not compatible to linux versions.
571 * Result value is not size of buffer needed, but -1 if no fit is possible.
572 *
573 * This fuction tries to 'fix' this by at least suggesting enlarging the
574 * size by 20.
575 */
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]576static int compat_snprintf( char *str, size_t size, const char *format, ... )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]577{
578 va_list ap;
579 int res = -1;
580
581 va_start( ap, format );
582
583 res = vsnprintf( str, size, format, ap );
584
585 va_end( ap );
586
587 // No quick fix possible
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]588 if( res < 0 )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]589 return( (int) size + 20 );
590
Paul Bakkerd8bb8262014-06-17 14:06:49 +0200[diff] [blame]591 return( res );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]592}
593
594#define snprintf compat_snprintf
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]595#endif /* _MSC_VER && !snprintf && !EFIX64 && !EFI32 */
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]596
597#define POLARSSL_ERR_DEBUG_BUF_TOO_SMALL -2
598
Paul Bakkerd8bb8262014-06-17 14:06:49 +0200[diff] [blame]599#define SAFE_SNPRINTF() \
600{ \
601 if( ret == -1 ) \
602 return( -1 ); \
603 \
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]604 if( (unsigned int) ret > n ) { \
Paul Bakkerd8bb8262014-06-17 14:06:49 +0200[diff] [blame]605 p[n - 1] = '\0'; \
606 return( POLARSSL_ERR_DEBUG_BUF_TOO_SMALL ); \
607 } \
608 \
609 n -= (unsigned int) ret; \
610 p += (unsigned int) ret; \
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]611}
612
613/*
614 * Return an informational string about the certificate.
615 */
616#define BEFORE_COLON 14
617#define BC "14"
618/*
619 * Return an informational string about the CRL.
620 */
Paul Bakkerddf26b42013-09-18 13:46:23 +0200[diff] [blame]621int x509_crl_info( char *buf, size_t size, const char *prefix,
622 const x509_crl *crl )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]623{
624 int ret;
625 size_t n;
626 char *p;
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]627 const x509_crl_entry *entry;
628
629 p = buf;
630 n = size;
631
632 ret = snprintf( p, n, "%sCRL version : %d",
633 prefix, crl->version );
634 SAFE_SNPRINTF();
635
636 ret = snprintf( p, n, "\n%sissuer name : ", prefix );
637 SAFE_SNPRINTF();
Paul Bakker86d0c192013-09-18 11:11:02 +0200[diff] [blame]638 ret = x509_dn_gets( p, n, &crl->issuer );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]639 SAFE_SNPRINTF();
640
641 ret = snprintf( p, n, "\n%sthis update : " \
642 "%04d-%02d-%02d %02d:%02d:%02d", prefix,
643 crl->this_update.year, crl->this_update.mon,
644 crl->this_update.day, crl->this_update.hour,
645 crl->this_update.min, crl->this_update.sec );
646 SAFE_SNPRINTF();
647
648 ret = snprintf( p, n, "\n%snext update : " \
649 "%04d-%02d-%02d %02d:%02d:%02d", prefix,
650 crl->next_update.year, crl->next_update.mon,
651 crl->next_update.day, crl->next_update.hour,
652 crl->next_update.min, crl->next_update.sec );
653 SAFE_SNPRINTF();
654
655 entry = &crl->entry;
656
657 ret = snprintf( p, n, "\n%sRevoked certificates:",
658 prefix );
659 SAFE_SNPRINTF();
660
661 while( entry != NULL && entry->raw.len != 0 )
662 {
663 ret = snprintf( p, n, "\n%sserial number: ",
664 prefix );
665 SAFE_SNPRINTF();
666
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]667 ret = x509_serial_gets( p, n, &entry->serial );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]668 SAFE_SNPRINTF();
669
670 ret = snprintf( p, n, " revocation date: " \
671 "%04d-%02d-%02d %02d:%02d:%02d",
672 entry->revocation_date.year, entry->revocation_date.mon,
673 entry->revocation_date.day, entry->revocation_date.hour,
674 entry->revocation_date.min, entry->revocation_date.sec );
675 SAFE_SNPRINTF();
676
677 entry = entry->next;
678 }
679
680 ret = snprintf( p, n, "\n%ssigned using : ", prefix );
681 SAFE_SNPRINTF();
682
Manuel Pégourié-Gonnard91136032014-06-05 15:41:39 +0200[diff] [blame]683 ret = x509_sig_alg_gets( p, n, &crl->sig_oid1, crl->sig_pk, crl->sig_md,
Manuel Pégourié-Gonnardbf696d02014-06-05 17:07:30 +0200[diff] [blame]684 crl->sig_opts );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]685 SAFE_SNPRINTF();
686
687 ret = snprintf( p, n, "\n" );
688 SAFE_SNPRINTF();
689
690 return( (int) ( size - n ) );
691}
692
693/*
Paul Bakker369d2eb2013-09-18 11:58:25 +0200[diff] [blame]694 * Initialize a CRL chain
695 */
696void x509_crl_init( x509_crl *crl )
697{
698 memset( crl, 0, sizeof(x509_crl) );
699}
700
701/*
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]702 * Unallocate all CRL data
703 */
704void x509_crl_free( x509_crl *crl )
705{
706 x509_crl *crl_cur = crl;
707 x509_crl *crl_prv;
708 x509_name *name_cur;
709 x509_name *name_prv;
710 x509_crl_entry *entry_cur;
711 x509_crl_entry *entry_prv;
712
713 if( crl == NULL )
714 return;
715
716 do
717 {
Manuel Pégourié-Gonnardd1539b12014-06-06 16:42:37 +0200[diff] [blame]718#if defined(POLARSSL_X509_RSASSA_PSS_SUPPORT)
Manuel Pégourié-Gonnardf75f2f72014-06-05 15:14:28 +0200[diff] [blame]719 polarssl_free( crl_cur->sig_opts );
720#endif
721
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]722 name_cur = crl_cur->issuer.next;
723 while( name_cur != NULL )
724 {
725 name_prv = name_cur;
726 name_cur = name_cur->next;
Paul Bakker34617722014-06-13 17:20:13 +0200[diff] [blame]727 polarssl_zeroize( name_prv, sizeof( x509_name ) );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]728 polarssl_free( name_prv );
729 }
730
731 entry_cur = crl_cur->entry.next;
732 while( entry_cur != NULL )
733 {
734 entry_prv = entry_cur;
735 entry_cur = entry_cur->next;
Paul Bakker34617722014-06-13 17:20:13 +0200[diff] [blame]736 polarssl_zeroize( entry_prv, sizeof( x509_crl_entry ) );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]737 polarssl_free( entry_prv );
738 }
739
740 if( crl_cur->raw.p != NULL )
741 {
Paul Bakker34617722014-06-13 17:20:13 +0200[diff] [blame]742 polarssl_zeroize( crl_cur->raw.p, crl_cur->raw.len );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]743 polarssl_free( crl_cur->raw.p );
744 }
745
746 crl_cur = crl_cur->next;
747 }
748 while( crl_cur != NULL );
749
750 crl_cur = crl;
751 do
752 {
753 crl_prv = crl_cur;
754 crl_cur = crl_cur->next;
755
Paul Bakker34617722014-06-13 17:20:13 +0200[diff] [blame]756 polarssl_zeroize( crl_prv, sizeof( x509_crl ) );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]757 if( crl_prv != crl )
758 polarssl_free( crl_prv );
759 }
760 while( crl_cur != NULL );
761}
762
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]763#endif /* POLARSSL_X509_CRL_PARSE_C */