TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 8e42ff6bde1f74db7808837c236d9c6ef31df7f1 / . / library / x509_crl.c
blob: 6c9ec597fab3e5a990d7e8d53f2a2dbd13116207 [file] [log] [blame]
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]1/*
2 * X.509 certificate and private key decoding
3 *
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]4 * Copyright (C) 2006-2014, Brainspark B.V.
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]5 *
6 * This file is part of PolarSSL (http://www.polarssl.org)
7 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
8 *
9 * All rights reserved.
10 *
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25/*
26 * The ITU-T X.509 standard defines a certificate format for PKI.
27 *
28 * http://www.ietf.org/rfc/rfc3279.txt
29 * http://www.ietf.org/rfc/rfc3280.txt
30 *
31 * ftp://ftp.rsasecurity.com/pub/pkcs/ascii/pkcs-1v2.asc
32 *
33 * http://www.itu.int/ITU-T/studygroups/com17/languages/X.680-0207.pdf
34 * http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf
35 */
36
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]37#if !defined(POLARSSL_CONFIG_FILE)
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]38#include "polarssl/config.h"
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]39#else
40#include POLARSSL_CONFIG_FILE
41#endif
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]42
43#if defined(POLARSSL_X509_CRL_PARSE_C)
44
45#include "polarssl/x509_crl.h"
46#include "polarssl/oid.h"
47#if defined(POLARSSL_PEM_PARSE_C)
48#include "polarssl/pem.h"
49#endif
50
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]51#if defined(POLARSSL_PLATFORM_C)
52#include "polarssl/platform.h"
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]53#else
54#define polarssl_malloc malloc
55#define polarssl_free free
56#endif
57
58#include <string.h>
59#include <stdlib.h>
Paul Bakkerfa6a6202013-10-28 18:48:30 +0100[diff] [blame]60#if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
61
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]62#include <windows.h>
63#else
64#include <time.h>
65#endif
66
Paul Bakkerfa6a6202013-10-28 18:48:30 +0100[diff] [blame]67#if defined(POLARSSL_FS_IO) || defined(EFIX64) || defined(EFI32)
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]68#include <stdio.h>
69#endif
70
71/*
72 * Version ::= INTEGER { v1(0), v2(1) }
73 */
74static int x509_crl_get_version( unsigned char **p,
75 const unsigned char *end,
76 int *ver )
77{
78 int ret;
79
80 if( ( ret = asn1_get_int( p, end, ver ) ) != 0 )
81 {
82 if( ret == POLARSSL_ERR_ASN1_UNEXPECTED_TAG )
83 {
84 *ver = 0;
85 return( 0 );
86 }
87
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]88 return( POLARSSL_ERR_X509_INVALID_VERSION + ret );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]89 }
90
91 return( 0 );
92}
93
94/*
95 * X.509 CRL v2 extensions (no extensions parsed yet.)
96 */
97static int x509_get_crl_ext( unsigned char **p,
98 const unsigned char *end,
99 x509_buf *ext )
100{
101 int ret;
102 size_t len = 0;
103
104 /* Get explicit tag */
105 if( ( ret = x509_get_ext( p, end, ext, 0) ) != 0 )
106 {
107 if( ret == POLARSSL_ERR_ASN1_UNEXPECTED_TAG )
108 return( 0 );
109
110 return( ret );
111 }
112
113 while( *p < end )
114 {
115 if( ( ret = asn1_get_tag( p, end, &len,
116 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]117 return( POLARSSL_ERR_X509_INVALID_EXTENSIONS + ret );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]118
119 *p += len;
120 }
121
122 if( *p != end )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]123 return( POLARSSL_ERR_X509_INVALID_EXTENSIONS +
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]124 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
125
126 return( 0 );
127}
128
129/*
130 * X.509 CRL v2 entry extensions (no extensions parsed yet.)
131 */
132static int x509_get_crl_entry_ext( unsigned char **p,
133 const unsigned char *end,
134 x509_buf *ext )
135{
136 int ret;
137 size_t len = 0;
138
139 /* OPTIONAL */
140 if (end <= *p)
141 return( 0 );
142
143 ext->tag = **p;
144 ext->p = *p;
145
146 /*
147 * Get CRL-entry extension sequence header
148 * crlEntryExtensions Extensions OPTIONAL -- if present, MUST be v2
149 */
150 if( ( ret = asn1_get_tag( p, end, &ext->len,
151 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
152 {
153 if( ret == POLARSSL_ERR_ASN1_UNEXPECTED_TAG )
154 {
155 ext->p = NULL;
156 return( 0 );
157 }
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]158 return( POLARSSL_ERR_X509_INVALID_EXTENSIONS + ret );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]159 }
160
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]161 end = *p + ext->len;
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]162
163 if( end != *p + ext->len )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]164 return( POLARSSL_ERR_X509_INVALID_EXTENSIONS +
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]165 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
166
167 while( *p < end )
168 {
169 if( ( ret = asn1_get_tag( p, end, &len,
170 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]171 return( POLARSSL_ERR_X509_INVALID_EXTENSIONS + ret );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]172
173 *p += len;
174 }
175
176 if( *p != end )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]177 return( POLARSSL_ERR_X509_INVALID_EXTENSIONS +
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]178 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
179
180 return( 0 );
181}
182
183/*
184 * X.509 CRL Entries
185 */
186static int x509_get_entries( unsigned char **p,
187 const unsigned char *end,
188 x509_crl_entry *entry )
189{
190 int ret;
191 size_t entry_len;
192 x509_crl_entry *cur_entry = entry;
193
194 if( *p == end )
195 return( 0 );
196
197 if( ( ret = asn1_get_tag( p, end, &entry_len,
198 ASN1_SEQUENCE | ASN1_CONSTRUCTED ) ) != 0 )
199 {
200 if( ret == POLARSSL_ERR_ASN1_UNEXPECTED_TAG )
201 return( 0 );
202
203 return( ret );
204 }
205
206 end = *p + entry_len;
207
208 while( *p < end )
209 {
210 size_t len2;
211 const unsigned char *end2;
212
213 if( ( ret = asn1_get_tag( p, end, &len2,
214 ASN1_SEQUENCE | ASN1_CONSTRUCTED ) ) != 0 )
215 {
216 return( ret );
217 }
218
219 cur_entry->raw.tag = **p;
220 cur_entry->raw.p = *p;
221 cur_entry->raw.len = len2;
222 end2 = *p + len2;
223
224 if( ( ret = x509_get_serial( p, end2, &cur_entry->serial ) ) != 0 )
225 return( ret );
226
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200[diff] [blame]227 if( ( ret = x509_get_time( p, end2,
228 &cur_entry->revocation_date ) ) != 0 )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]229 return( ret );
230
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200[diff] [blame]231 if( ( ret = x509_get_crl_entry_ext( p, end2,
232 &cur_entry->entry_ext ) ) != 0 )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]233 return( ret );
234
235 if ( *p < end )
236 {
237 cur_entry->next = polarssl_malloc( sizeof( x509_crl_entry ) );
238
239 if( cur_entry->next == NULL )
240 return( POLARSSL_ERR_X509_MALLOC_FAILED );
241
242 cur_entry = cur_entry->next;
243 memset( cur_entry, 0, sizeof( x509_crl_entry ) );
244 }
245 }
246
247 return( 0 );
248}
249
250/*
251 * Parse one or more CRLs and add them to the chained list
252 */
Paul Bakkerddf26b42013-09-18 13:46:23 +0200[diff] [blame]253int x509_crl_parse( x509_crl *chain, const unsigned char *buf, size_t buflen )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]254{
255 int ret;
256 size_t len;
257 unsigned char *p, *end;
258 x509_crl *crl;
Manuel Pégourié-Gonnard8e42ff62014-01-24 15:56:20 +0100[diff] [blame^]259 x509_buf sig_params;
260
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]261#if defined(POLARSSL_PEM_PARSE_C)
262 size_t use_len;
263 pem_context pem;
264#endif
265
Manuel Pégourié-Gonnard8e42ff62014-01-24 15:56:20 +0100[diff] [blame^]266 memset( &sig_params, 0, sizeof( x509_buf ) );
267
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]268 crl = chain;
269
270 /*
271 * Check for valid input
272 */
273 if( crl == NULL || buf == NULL )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]274 return( POLARSSL_ERR_X509_BAD_INPUT_DATA );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]275
276 while( crl->version != 0 && crl->next != NULL )
277 crl = crl->next;
278
279 /*
280 * Add new CRL on the end of the chain if needed.
281 */
282 if ( crl->version != 0 && crl->next == NULL)
283 {
284 crl->next = (x509_crl *) polarssl_malloc( sizeof( x509_crl ) );
285
286 if( crl->next == NULL )
287 {
288 x509_crl_free( crl );
289 return( POLARSSL_ERR_X509_MALLOC_FAILED );
290 }
291
292 crl = crl->next;
Paul Bakker369d2eb2013-09-18 11:58:25 +0200[diff] [blame]293 x509_crl_init( crl );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]294 }
295
296#if defined(POLARSSL_PEM_PARSE_C)
297 pem_init( &pem );
298 ret = pem_read_buffer( &pem,
299 "-----BEGIN X509 CRL-----",
300 "-----END X509 CRL-----",
301 buf, NULL, 0, &use_len );
302
303 if( ret == 0 )
304 {
305 /*
306 * Was PEM encoded
307 */
308 buflen -= use_len;
309 buf += use_len;
310
311 /*
312 * Steal PEM buffer
313 */
314 p = pem.buf;
315 pem.buf = NULL;
316 len = pem.buflen;
317 pem_free( &pem );
318 }
319 else if( ret != POLARSSL_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
320 {
321 pem_free( &pem );
322 return( ret );
323 }
324 else
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]325#endif /* POLARSSL_PEM_PARSE_C */
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]326 {
327 /*
328 * nope, copy the raw DER data
329 */
330 p = (unsigned char *) polarssl_malloc( len = buflen );
331
332 if( p == NULL )
333 return( POLARSSL_ERR_X509_MALLOC_FAILED );
334
335 memcpy( p, buf, buflen );
336
337 buflen = 0;
338 }
339
340 crl->raw.p = p;
341 crl->raw.len = len;
342 end = p + len;
343
344 /*
345 * CertificateList ::= SEQUENCE {
346 * tbsCertList TBSCertList,
347 * signatureAlgorithm AlgorithmIdentifier,
348 * signatureValue BIT STRING }
349 */
350 if( ( ret = asn1_get_tag( &p, end, &len,
351 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
352 {
353 x509_crl_free( crl );
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]354 return( POLARSSL_ERR_X509_INVALID_FORMAT );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]355 }
356
357 if( len != (size_t) ( end - p ) )
358 {
359 x509_crl_free( crl );
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]360 return( POLARSSL_ERR_X509_INVALID_FORMAT +
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]361 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
362 }
363
364 /*
365 * TBSCertList ::= SEQUENCE {
366 */
367 crl->tbs.p = p;
368
369 if( ( ret = asn1_get_tag( &p, end, &len,
370 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
371 {
372 x509_crl_free( crl );
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]373 return( POLARSSL_ERR_X509_INVALID_FORMAT + ret );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]374 }
375
376 end = p + len;
377 crl->tbs.len = end - crl->tbs.p;
378
379 /*
380 * Version ::= INTEGER OPTIONAL { v1(0), v2(1) }
381 * -- if present, MUST be v2
382 *
383 * signature AlgorithmIdentifier
384 */
385 if( ( ret = x509_crl_get_version( &p, end, &crl->version ) ) != 0 ||
Manuel Pégourié-Gonnard8e42ff62014-01-24 15:56:20 +0100[diff] [blame^]386 ( ret = x509_get_alg( &p, end, &crl->sig_oid1, &sig_params ) ) != 0 )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]387 {
388 x509_crl_free( crl );
389 return( ret );
390 }
391
392 crl->version++;
393
394 if( crl->version > 2 )
395 {
396 x509_crl_free( crl );
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]397 return( POLARSSL_ERR_X509_UNKNOWN_VERSION );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]398 }
399
Manuel Pégourié-Gonnardc9093082014-02-12 09:39:59 +0100[diff] [blame]400 if( ( ret = x509_get_sig_alg( &crl->sig_oid1, &crl->sig_md,
401 &crl->sig_pk ) ) != 0 )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]402 {
403 x509_crl_free( crl );
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]404 return( POLARSSL_ERR_X509_UNKNOWN_SIG_ALG );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]405 }
406
Manuel Pégourié-Gonnard8e42ff62014-01-24 15:56:20 +0100[diff] [blame^]407#if defined(POLARSSL_RSASSA_PSS_CERTIFICATES)
408 if( crl->sig_pk == POLARSSL_PK_RSASSA_PSS )
409 {
410 int salt_len, trailer_field;
411 md_type_t mgf_md;
412
413 /* Make sure params are valid */
414 ret = x509_get_rsassa_pss_params( &sig_params,
415 &crl->sig_md, &mgf_md, &salt_len, &trailer_field );
416 if( ret != 0 )
417 return( ret );
418
419 memcpy( &crl->sig_params, &sig_params, sizeof( x509_buf ) );
420 }
421 else
422#endif
423 {
424 /* Make sure parameters are absent or NULL */
425 if( ( sig_params.tag != ASN1_NULL && sig_params.tag != 0 ) ||
426 sig_params.len != 0 )
427 return( POLARSSL_ERR_X509_INVALID_ALG );
428 }
429
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]430 /*
431 * issuer Name
432 */
433 crl->issuer_raw.p = p;
434
435 if( ( ret = asn1_get_tag( &p, end, &len,
436 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
437 {
438 x509_crl_free( crl );
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]439 return( POLARSSL_ERR_X509_INVALID_FORMAT + ret );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]440 }
441
442 if( ( ret = x509_get_name( &p, p + len, &crl->issuer ) ) != 0 )
443 {
444 x509_crl_free( crl );
445 return( ret );
446 }
447
448 crl->issuer_raw.len = p - crl->issuer_raw.p;
449
450 /*
451 * thisUpdate Time
452 * nextUpdate Time OPTIONAL
453 */
454 if( ( ret = x509_get_time( &p, end, &crl->this_update ) ) != 0 )
455 {
456 x509_crl_free( crl );
457 return( ret );
458 }
459
460 if( ( ret = x509_get_time( &p, end, &crl->next_update ) ) != 0 )
461 {
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]462 if ( ret != ( POLARSSL_ERR_X509_INVALID_DATE +
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]463 POLARSSL_ERR_ASN1_UNEXPECTED_TAG ) &&
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]464 ret != ( POLARSSL_ERR_X509_INVALID_DATE +
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]465 POLARSSL_ERR_ASN1_OUT_OF_DATA ) )
466 {
467 x509_crl_free( crl );
468 return( ret );
469 }
470 }
471
472 /*
473 * revokedCertificates SEQUENCE OF SEQUENCE {
474 * userCertificate CertificateSerialNumber,
475 * revocationDate Time,
476 * crlEntryExtensions Extensions OPTIONAL
477 * -- if present, MUST be v2
478 * } OPTIONAL
479 */
480 if( ( ret = x509_get_entries( &p, end, &crl->entry ) ) != 0 )
481 {
482 x509_crl_free( crl );
483 return( ret );
484 }
485
486 /*
487 * crlExtensions EXPLICIT Extensions OPTIONAL
488 * -- if present, MUST be v2
489 */
490 if( crl->version == 2 )
491 {
492 ret = x509_get_crl_ext( &p, end, &crl->crl_ext );
493
494 if( ret != 0 )
495 {
496 x509_crl_free( crl );
497 return( ret );
498 }
499 }
500
501 if( p != end )
502 {
503 x509_crl_free( crl );
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]504 return( POLARSSL_ERR_X509_INVALID_FORMAT +
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]505 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
506 }
507
508 end = crl->raw.p + crl->raw.len;
509
510 /*
511 * signatureAlgorithm AlgorithmIdentifier,
512 * signatureValue BIT STRING
513 */
Manuel Pégourié-Gonnard8e42ff62014-01-24 15:56:20 +0100[diff] [blame^]514 if( ( ret = x509_get_alg( &p, end, &crl->sig_oid2, &sig_params ) ) != 0 )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]515 {
516 x509_crl_free( crl );
517 return( ret );
518 }
519
520 if( crl->sig_oid1.len != crl->sig_oid2.len ||
Manuel Pégourié-Gonnard8e42ff62014-01-24 15:56:20 +0100[diff] [blame^]521 memcmp( crl->sig_oid1.p, crl->sig_oid2.p, crl->sig_oid1.len ) != 0
522#if defined(POLARSSL_RSASSA_PSS_CERTIFICATES)
523 ||
524 crl->sig_params.len != sig_params.len ||
525 memcmp( crl->sig_params.p, sig_params.p, sig_params.len ) != 0
526#endif
527 )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]528 {
529 x509_crl_free( crl );
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]530 return( POLARSSL_ERR_X509_SIG_MISMATCH );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]531 }
532
533 if( ( ret = x509_get_sig( &p, end, &crl->sig ) ) != 0 )
534 {
535 x509_crl_free( crl );
536 return( ret );
537 }
538
539 if( p != end )
540 {
541 x509_crl_free( crl );
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]542 return( POLARSSL_ERR_X509_INVALID_FORMAT +
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]543 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
544 }
545
546 if( buflen > 0 )
547 {
548 crl->next = (x509_crl *) polarssl_malloc( sizeof( x509_crl ) );
549
550 if( crl->next == NULL )
551 {
552 x509_crl_free( crl );
553 return( POLARSSL_ERR_X509_MALLOC_FAILED );
554 }
555
556 crl = crl->next;
Paul Bakker369d2eb2013-09-18 11:58:25 +0200[diff] [blame]557 x509_crl_init( crl );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]558
Paul Bakkerddf26b42013-09-18 13:46:23 +0200[diff] [blame]559 return( x509_crl_parse( crl, buf, buflen ) );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]560 }
561
562 return( 0 );
563}
564
565#if defined(POLARSSL_FS_IO)
566/*
567 * Load one or more CRLs and add them to the chained list
568 */
Paul Bakkerddf26b42013-09-18 13:46:23 +0200[diff] [blame]569int x509_crl_parse_file( x509_crl *chain, const char *path )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]570{
571 int ret;
572 size_t n;
573 unsigned char *buf;
574
575 if ( ( ret = x509_load_file( path, &buf, &n ) ) != 0 )
576 return( ret );
577
Paul Bakkerddf26b42013-09-18 13:46:23 +0200[diff] [blame]578 ret = x509_crl_parse( chain, buf, n );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]579
580 memset( buf, 0, n + 1 );
581 polarssl_free( buf );
582
583 return( ret );
584}
585#endif /* POLARSSL_FS_IO */
586
Paul Bakker6edcd412013-10-29 15:22:54 +0100[diff] [blame]587#if defined(_MSC_VER) && !defined snprintf && !defined(EFIX64) && \
588 !defined(EFI32)
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]589#include <stdarg.h>
590
591#if !defined vsnprintf
592#define vsnprintf _vsnprintf
593#endif // vsnprintf
594
595/*
596 * Windows _snprintf and _vsnprintf are not compatible to linux versions.
597 * Result value is not size of buffer needed, but -1 if no fit is possible.
598 *
599 * This fuction tries to 'fix' this by at least suggesting enlarging the
600 * size by 20.
601 */
602static int compat_snprintf(char *str, size_t size, const char *format, ...)
603{
604 va_list ap;
605 int res = -1;
606
607 va_start( ap, format );
608
609 res = vsnprintf( str, size, format, ap );
610
611 va_end( ap );
612
613 // No quick fix possible
614 if ( res < 0 )
615 return( (int) size + 20 );
616
617 return res;
618}
619
620#define snprintf compat_snprintf
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]621#endif /* _MSC_VER && !snprintf && !EFIX64 && !EFI32 */
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]622
623#define POLARSSL_ERR_DEBUG_BUF_TOO_SMALL -2
624
625#define SAFE_SNPRINTF() \
626{ \
627 if( ret == -1 ) \
628 return( -1 ); \
629 \
630 if ( (unsigned int) ret > n ) { \
631 p[n - 1] = '\0'; \
632 return POLARSSL_ERR_DEBUG_BUF_TOO_SMALL;\
633 } \
634 \
635 n -= (unsigned int) ret; \
636 p += (unsigned int) ret; \
637}
638
639/*
640 * Return an informational string about the certificate.
641 */
642#define BEFORE_COLON 14
643#define BC "14"
644/*
645 * Return an informational string about the CRL.
646 */
Paul Bakkerddf26b42013-09-18 13:46:23 +0200[diff] [blame]647int x509_crl_info( char *buf, size_t size, const char *prefix,
648 const x509_crl *crl )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]649{
650 int ret;
651 size_t n;
652 char *p;
Manuel Pégourié-Gonnardc9093082014-02-12 09:39:59 +0100[diff] [blame]653 const char *desc;
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]654 const x509_crl_entry *entry;
655
656 p = buf;
657 n = size;
658
659 ret = snprintf( p, n, "%sCRL version : %d",
660 prefix, crl->version );
661 SAFE_SNPRINTF();
662
663 ret = snprintf( p, n, "\n%sissuer name : ", prefix );
664 SAFE_SNPRINTF();
Paul Bakker86d0c192013-09-18 11:11:02 +0200[diff] [blame]665 ret = x509_dn_gets( p, n, &crl->issuer );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]666 SAFE_SNPRINTF();
667
668 ret = snprintf( p, n, "\n%sthis update : " \
669 "%04d-%02d-%02d %02d:%02d:%02d", prefix,
670 crl->this_update.year, crl->this_update.mon,
671 crl->this_update.day, crl->this_update.hour,
672 crl->this_update.min, crl->this_update.sec );
673 SAFE_SNPRINTF();
674
675 ret = snprintf( p, n, "\n%snext update : " \
676 "%04d-%02d-%02d %02d:%02d:%02d", prefix,
677 crl->next_update.year, crl->next_update.mon,
678 crl->next_update.day, crl->next_update.hour,
679 crl->next_update.min, crl->next_update.sec );
680 SAFE_SNPRINTF();
681
682 entry = &crl->entry;
683
684 ret = snprintf( p, n, "\n%sRevoked certificates:",
685 prefix );
686 SAFE_SNPRINTF();
687
688 while( entry != NULL && entry->raw.len != 0 )
689 {
690 ret = snprintf( p, n, "\n%sserial number: ",
691 prefix );
692 SAFE_SNPRINTF();
693
Paul Bakker86d0c192013-09-18 11:11:02 +0200[diff] [blame]694 ret = x509_serial_gets( p, n, &entry->serial);
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]695 SAFE_SNPRINTF();
696
697 ret = snprintf( p, n, " revocation date: " \
698 "%04d-%02d-%02d %02d:%02d:%02d",
699 entry->revocation_date.year, entry->revocation_date.mon,
700 entry->revocation_date.day, entry->revocation_date.hour,
701 entry->revocation_date.min, entry->revocation_date.sec );
702 SAFE_SNPRINTF();
703
704 entry = entry->next;
705 }
706
707 ret = snprintf( p, n, "\n%ssigned using : ", prefix );
708 SAFE_SNPRINTF();
709
Manuel Pégourié-Gonnardc9093082014-02-12 09:39:59 +0100[diff] [blame]710 ret = oid_get_sig_alg_desc( &crl->sig_oid1, &desc );
711 if( ret != 0 )
712 ret = snprintf( p, n, "???" );
713 else
714 ret = snprintf( p, n, "%s", desc );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]715 SAFE_SNPRINTF();
716
Manuel Pégourié-Gonnard8e42ff62014-01-24 15:56:20 +0100[diff] [blame^]717#if defined(POLARSSL_RSASSA_PSS_CERTIFICATES)
718 if( crl->sig_pk == POLARSSL_PK_RSASSA_PSS )
719 {
720 md_type_t md_alg, mgf_md;
721 const md_info_t *md_info, *mgf_md_info;
722 int salt_len, trailer_field;
723
724 if( ( ret = x509_get_rsassa_pss_params( &crl->sig_params,
725 &md_alg, &mgf_md, &salt_len, &trailer_field ) ) != 0 )
726 return( ret );
727
728 md_info = md_info_from_type( md_alg );
729 mgf_md_info = md_info_from_type( mgf_md );
730
731 ret = snprintf( p, n, " (%s, MGF1-%s, 0x%02X, %d)",
732 md_info ? md_info->name : "???",
733 mgf_md_info ? mgf_md_info->name : "???",
734 salt_len, trailer_field );
735 SAFE_SNPRINTF();
736 }
737#endif /* POLARSSL_RSASSA_PSS_CERTIFICATES */
738
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]739 ret = snprintf( p, n, "\n" );
740 SAFE_SNPRINTF();
741
742 return( (int) ( size - n ) );
743}
744
745/*
Paul Bakker369d2eb2013-09-18 11:58:25 +0200[diff] [blame]746 * Initialize a CRL chain
747 */
748void x509_crl_init( x509_crl *crl )
749{
750 memset( crl, 0, sizeof(x509_crl) );
751}
752
753/*
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]754 * Unallocate all CRL data
755 */
756void x509_crl_free( x509_crl *crl )
757{
758 x509_crl *crl_cur = crl;
759 x509_crl *crl_prv;
760 x509_name *name_cur;
761 x509_name *name_prv;
762 x509_crl_entry *entry_cur;
763 x509_crl_entry *entry_prv;
764
765 if( crl == NULL )
766 return;
767
768 do
769 {
770 name_cur = crl_cur->issuer.next;
771 while( name_cur != NULL )
772 {
773 name_prv = name_cur;
774 name_cur = name_cur->next;
775 memset( name_prv, 0, sizeof( x509_name ) );
776 polarssl_free( name_prv );
777 }
778
779 entry_cur = crl_cur->entry.next;
780 while( entry_cur != NULL )
781 {
782 entry_prv = entry_cur;
783 entry_cur = entry_cur->next;
784 memset( entry_prv, 0, sizeof( x509_crl_entry ) );
785 polarssl_free( entry_prv );
786 }
787
788 if( crl_cur->raw.p != NULL )
789 {
790 memset( crl_cur->raw.p, 0, crl_cur->raw.len );
791 polarssl_free( crl_cur->raw.p );
792 }
793
794 crl_cur = crl_cur->next;
795 }
796 while( crl_cur != NULL );
797
798 crl_cur = crl;
799 do
800 {
801 crl_prv = crl_cur;
802 crl_cur = crl_cur->next;
803
804 memset( crl_prv, 0, sizeof( x509_crl ) );
805 if( crl_prv != crl )
806 polarssl_free( crl_prv );
807 }
808 while( crl_cur != NULL );
809}
810
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]811#endif /* POLARSSL_X509_CRL_PARSE_C */