TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / b7de86d834c8b3122a18e24627a9307f7a4c2972 / . / library / x509.c
blob: e9dc6808491d4267f328d79ab98edee333138f83 [file] [log] [blame]
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]1/*
2 * X.509 certificate and private key decoding
3 *
4 * Copyright (C) 2006-2013, Brainspark B.V.
5 *
6 * This file is part of PolarSSL (http://www.polarssl.org)
7 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
8 *
9 * All rights reserved.
10 *
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25/*
26 * The ITU-T X.509 standard defines a certificate format for PKI.
27 *
28 * http://www.ietf.org/rfc/rfc3279.txt
29 * http://www.ietf.org/rfc/rfc3280.txt
30 *
31 * ftp://ftp.rsasecurity.com/pub/pkcs/ascii/pkcs-1v2.asc
32 *
33 * http://www.itu.int/ITU-T/studygroups/com17/languages/X.680-0207.pdf
34 * http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf
35 */
36
37#include "polarssl/config.h"
38
39#if defined(POLARSSL_X509_USE_C)
40
41#include "polarssl/x509.h"
42#include "polarssl/asn1.h"
43#include "polarssl/oid.h"
44#if defined(POLARSSL_PEM_PARSE_C)
45#include "polarssl/pem.h"
46#endif
47
48#if defined(POLARSSL_MEMORY_C)
49#include "polarssl/memory.h"
50#else
51#define polarssl_malloc malloc
52#define polarssl_free free
53#endif
54
55#include <string.h>
56#include <stdlib.h>
Paul Bakkerfa6a6202013-10-28 18:48:30 +0100[diff] [blame]57#if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]58#include <windows.h>
59#else
60#include <time.h>
61#endif
62
Paul Bakkerfa6a6202013-10-28 18:48:30 +0100[diff] [blame]63#if defined(EFIX64) || defined(EFI32)
64#include <stdio.h>
65#endif
66
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]67#if defined(POLARSSL_FS_IO)
68#include <stdio.h>
69#if !defined(_WIN32)
70#include <sys/types.h>
71#include <sys/stat.h>
72#include <dirent.h>
73#endif
74#endif
75
76/*
77 * CertificateSerialNumber ::= INTEGER
78 */
79int x509_get_serial( unsigned char **p, const unsigned char *end,
80 x509_buf *serial )
81{
82 int ret;
83
84 if( ( end - *p ) < 1 )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]85 return( POLARSSL_ERR_X509_INVALID_SERIAL +
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]86 POLARSSL_ERR_ASN1_OUT_OF_DATA );
87
88 if( **p != ( ASN1_CONTEXT_SPECIFIC | ASN1_PRIMITIVE | 2 ) &&
89 **p != ASN1_INTEGER )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]90 return( POLARSSL_ERR_X509_INVALID_SERIAL +
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]91 POLARSSL_ERR_ASN1_UNEXPECTED_TAG );
92
93 serial->tag = *(*p)++;
94
95 if( ( ret = asn1_get_len( p, end, &serial->len ) ) != 0 )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]96 return( POLARSSL_ERR_X509_INVALID_SERIAL + ret );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]97
98 serial->p = *p;
99 *p += serial->len;
100
101 return( 0 );
102}
103
104/* Get an algorithm identifier without parameters (eg for signatures)
105 *
106 * AlgorithmIdentifier ::= SEQUENCE {
107 * algorithm OBJECT IDENTIFIER,
108 * parameters ANY DEFINED BY algorithm OPTIONAL }
109 */
110int x509_get_alg_null( unsigned char **p, const unsigned char *end,
111 x509_buf *alg )
112{
113 int ret;
114
115 if( ( ret = asn1_get_alg_null( p, end, alg ) ) != 0 )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]116 return( POLARSSL_ERR_X509_INVALID_ALG + ret );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]117
118 return( 0 );
119}
120
121/*
Manuel Pégourié-Gonnardb1d4eb12014-01-22 10:12:57 +0100[diff] [blame]122 * Parse an algorithm identifier with (optional) paramaters
123 */
124int x509_get_alg( unsigned char **p, const unsigned char *end,
125 x509_buf *alg, x509_buf *params )
126{
127 int ret;
128
129 if( ( ret = asn1_get_alg( p, end, alg, params ) ) != 0 )
130 return( POLARSSL_ERR_X509_INVALID_ALG + ret );
131
132 return( 0 );
133}
134
135/*
Manuel Pégourié-Gonnard3c1e8b52014-01-23 19:15:29 +0100[diff] [blame]136 * HashAlgorithm ::= AlgorithmIdentifier
137 *
138 * AlgorithmIdentifier ::= SEQUENCE {
139 * algorithm OBJECT IDENTIFIER,
140 * parameters ANY DEFINED BY algorithm OPTIONAL }
141 *
142 * For HashAlgorithm, parameters MUST be NULL or absent.
143 */
144static int x509_get_hash_alg( const x509_buf *alg, md_type_t *md_alg )
145{
146 int ret;
147 unsigned char *p;
148 const unsigned char *end;
149 x509_buf md_oid;
150 size_t len;
151
152 /* Make sure we got a SEQUENCE and setup bounds */
153 if( alg->tag != ( ASN1_CONSTRUCTED | ASN1_SEQUENCE ) )
154 return( POLARSSL_ERR_X509_INVALID_ALG +
155 POLARSSL_ERR_ASN1_UNEXPECTED_TAG );
156
157 p = (unsigned char *) alg->p;
158 end = p + alg->len;
159
160 if( p >= end )
161 return( POLARSSL_ERR_X509_INVALID_ALG +
162 POLARSSL_ERR_ASN1_OUT_OF_DATA );
163
164 /* Parse md_oid */
165 md_oid.tag = *p;
166
167 if( ( ret = asn1_get_tag( &p, end, &md_oid.len, ASN1_OID ) ) != 0 )
168 return( POLARSSL_ERR_X509_INVALID_ALG + ret );
169
170 md_oid.p = p;
171 p += md_oid.len;
172
173 /* Get md_alg from md_oid */
174 if( ( ret = oid_get_md_alg( &md_oid, md_alg ) ) != 0 )
175 return( POLARSSL_ERR_X509_INVALID_ALG + ret );
176
177 /* Make sure params is absent of NULL */
178 if( p == end )
179 return( 0 );
180
Manuel Pégourié-Gonnardb7de86d2014-01-24 14:15:20 +0100[diff] [blame^]181 if( ( ret = asn1_get_tag( &p, end, &len, ASN1_NULL ) ) != 0 || len != 0 )
Manuel Pégourié-Gonnard3c1e8b52014-01-23 19:15:29 +0100[diff] [blame]182 return( POLARSSL_ERR_X509_INVALID_ALG + ret );
183
184 if( p != end )
185 return( POLARSSL_ERR_X509_INVALID_ALG +
186 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
187
188 return( 0 );
189}
190
191/*
Manuel Pégourié-Gonnardd9fd87b2014-01-23 16:24:44 +0100[diff] [blame]192 * RSASSA-PSS-params ::= SEQUENCE {
193 * hashAlgorithm [0] HashAlgorithm DEFAULT sha1Identifier,
194 * maskGenAlgorithm [1] MaskGenAlgorithm DEFAULT mgf1SHA1Identifier,
195 * saltLength [2] INTEGER DEFAULT 20,
196 * trailerField [3] INTEGER DEFAULT 1 }
197 * -- Note that the tags in this Sequence are explicit.
198 */
199int x509_get_rsassa_pss_params( const x509_buf *params,
Manuel Pégourié-Gonnard3c1e8b52014-01-23 19:15:29 +0100[diff] [blame]200 md_type_t *md_alg, md_type_t *mgf_md,
201 int *salt_len, int *trailer_field )
Manuel Pégourié-Gonnardd9fd87b2014-01-23 16:24:44 +0100[diff] [blame]202{
203 int ret;
204 unsigned char *p;
Manuel Pégourié-Gonnardb7de86d2014-01-24 14:15:20 +0100[diff] [blame^]205 const unsigned char *end, *end2;
Manuel Pégourié-Gonnardd9fd87b2014-01-23 16:24:44 +0100[diff] [blame]206 size_t len;
Manuel Pégourié-Gonnard3c1e8b52014-01-23 19:15:29 +0100[diff] [blame]207 x509_buf alg_id, alg_params;
Manuel Pégourié-Gonnardd9fd87b2014-01-23 16:24:44 +0100[diff] [blame]208
209 /* First set everything to defaults */
210 *md_alg = POLARSSL_MD_SHA1;
Manuel Pégourié-Gonnard3c1e8b52014-01-23 19:15:29 +0100[diff] [blame]211 *mgf_md = POLARSSL_MD_SHA1;
Manuel Pégourié-Gonnardd9fd87b2014-01-23 16:24:44 +0100[diff] [blame]212 *salt_len = 20;
213 *trailer_field = 1;
214
215 /* Make sure params is a SEQUENCE and setup bounds */
216 if( params->tag != ( ASN1_CONSTRUCTED | ASN1_SEQUENCE ) )
217 return( POLARSSL_ERR_X509_INVALID_ALG +
218 POLARSSL_ERR_ASN1_UNEXPECTED_TAG );
219
220 p = (unsigned char *) params->p;
221 end = p + params->len;
222
223 if( p == end )
224 return( 0 );
225
Manuel Pégourié-Gonnardb7de86d2014-01-24 14:15:20 +0100[diff] [blame^]226 /*
227 * HashAlgorithm
228 */
Manuel Pégourié-Gonnardd9fd87b2014-01-23 16:24:44 +0100[diff] [blame]229 if( ( ret = asn1_get_tag( &p, end, &len,
230 ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 0 ) ) == 0 )
231 {
Manuel Pégourié-Gonnardb7de86d2014-01-24 14:15:20 +0100[diff] [blame^]232 end2 = p + len;
233
Manuel Pégourié-Gonnard3c1e8b52014-01-23 19:15:29 +0100[diff] [blame]234 /* HashAlgorithm ::= AlgorithmIdentifier (without parameters) */
Manuel Pégourié-Gonnardb7de86d2014-01-24 14:15:20 +0100[diff] [blame^]235 if( ( ret = x509_get_alg_null( &p, end2, &alg_id ) ) != 0 )
Manuel Pégourié-Gonnard3c1e8b52014-01-23 19:15:29 +0100[diff] [blame]236 return( ret );
237
238 if( ( ret = oid_get_md_alg( &alg_id, md_alg ) ) != 0 )
239 return( POLARSSL_ERR_X509_INVALID_ALG + ret );
Manuel Pégourié-Gonnardb7de86d2014-01-24 14:15:20 +0100[diff] [blame^]240
241 if( p != end2 )
242 return( POLARSSL_ERR_X509_INVALID_ALG +
243 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
Manuel Pégourié-Gonnardd9fd87b2014-01-23 16:24:44 +0100[diff] [blame]244 }
245 else if( ret != POLARSSL_ERR_ASN1_UNEXPECTED_TAG )
246 return( POLARSSL_ERR_X509_INVALID_ALG + ret );
247
Manuel Pégourié-Gonnardb7de86d2014-01-24 14:15:20 +0100[diff] [blame^]248 if( p == end )
249 return( 0 );
250
251 /*
252 * MaskGenAlgorithm
253 */
Manuel Pégourié-Gonnardd9fd87b2014-01-23 16:24:44 +0100[diff] [blame]254 if( ( ret = asn1_get_tag( &p, end, &len,
255 ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 1 ) ) == 0 )
256 {
Manuel Pégourié-Gonnardb7de86d2014-01-24 14:15:20 +0100[diff] [blame^]257 end2 = p + len;
258
Manuel Pégourié-Gonnard3c1e8b52014-01-23 19:15:29 +0100[diff] [blame]259 /* MaskGenAlgorithm ::= AlgorithmIdentifier (params = HashAlgorithm) */
Manuel Pégourié-Gonnardb7de86d2014-01-24 14:15:20 +0100[diff] [blame^]260 if( ( ret = x509_get_alg( &p, end2, &alg_id, &alg_params ) ) != 0 )
Manuel Pégourié-Gonnard3c1e8b52014-01-23 19:15:29 +0100[diff] [blame]261 return( ret );
262
263 /* Only MFG1 is recognised for now */
264 if( ! OID_CMP( OID_MGF1, &alg_id ) )
265 return( POLARSSL_ERR_X509_FEATURE_UNAVAILABLE +
266 POLARSSL_ERR_OID_NOT_FOUND );
267
268 /* Parse HashAlgorithm */
269 if( ( ret = x509_get_hash_alg( &alg_params, mgf_md ) ) != 0 )
270 return( ret );
Manuel Pégourié-Gonnardb7de86d2014-01-24 14:15:20 +0100[diff] [blame^]271
272 if( p != end2 )
273 return( POLARSSL_ERR_X509_INVALID_ALG +
274 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
Manuel Pégourié-Gonnardd9fd87b2014-01-23 16:24:44 +0100[diff] [blame]275 }
276 else if( ret != POLARSSL_ERR_ASN1_UNEXPECTED_TAG )
277 return( POLARSSL_ERR_X509_INVALID_ALG + ret );
278
279 if( p == end )
280 return( 0 );
281
Manuel Pégourié-Gonnardb7de86d2014-01-24 14:15:20 +0100[diff] [blame^]282 /*
283 * salt_len
284 */
Manuel Pégourié-Gonnardd9fd87b2014-01-23 16:24:44 +0100[diff] [blame]285 if( ( ret = asn1_get_tag( &p, end, &len,
286 ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 2 ) ) == 0 )
287 {
Manuel Pégourié-Gonnardb7de86d2014-01-24 14:15:20 +0100[diff] [blame^]288 end2 = p + len;
289
290 if( ( ret = asn1_get_int( &p, end2, salt_len ) ) != 0 )
Manuel Pégourié-Gonnardd9fd87b2014-01-23 16:24:44 +0100[diff] [blame]291 return( POLARSSL_ERR_X509_INVALID_ALG + ret );
Manuel Pégourié-Gonnardb7de86d2014-01-24 14:15:20 +0100[diff] [blame^]292
293 if( p != end2 )
294 return( POLARSSL_ERR_X509_INVALID_ALG +
295 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
Manuel Pégourié-Gonnardd9fd87b2014-01-23 16:24:44 +0100[diff] [blame]296 }
297 else if( ret != POLARSSL_ERR_ASN1_UNEXPECTED_TAG )
298 return( POLARSSL_ERR_X509_INVALID_ALG + ret );
299
300 if( p == end )
301 return( 0 );
302
Manuel Pégourié-Gonnardb7de86d2014-01-24 14:15:20 +0100[diff] [blame^]303 /*
304 * trailer_field
305 */
Manuel Pégourié-Gonnardd9fd87b2014-01-23 16:24:44 +0100[diff] [blame]306 if( ( ret = asn1_get_tag( &p, end, &len,
307 ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 3 ) ) == 0 )
308 {
Manuel Pégourié-Gonnardb7de86d2014-01-24 14:15:20 +0100[diff] [blame^]309 end2 = p + len;
310
311 if( ( ret = asn1_get_int( &p, end2, trailer_field ) ) != 0 )
Manuel Pégourié-Gonnardd9fd87b2014-01-23 16:24:44 +0100[diff] [blame]312 return( POLARSSL_ERR_X509_INVALID_ALG + ret );
Manuel Pégourié-Gonnardb7de86d2014-01-24 14:15:20 +0100[diff] [blame^]313
314 if( p != end2 )
315 return( POLARSSL_ERR_X509_INVALID_ALG +
316 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
Manuel Pégourié-Gonnardd9fd87b2014-01-23 16:24:44 +0100[diff] [blame]317 }
318 else if( ret != POLARSSL_ERR_ASN1_UNEXPECTED_TAG )
319 return( POLARSSL_ERR_X509_INVALID_ALG + ret );
320
321 if( p != end )
322 return( POLARSSL_ERR_X509_INVALID_ALG +
323 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
324
325 return( 0 );
326}
327
328/*
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]329 * AttributeTypeAndValue ::= SEQUENCE {
330 * type AttributeType,
331 * value AttributeValue }
332 *
333 * AttributeType ::= OBJECT IDENTIFIER
334 *
335 * AttributeValue ::= ANY DEFINED BY AttributeType
336 */
337static int x509_get_attr_type_value( unsigned char **p,
338 const unsigned char *end,
339 x509_name *cur )
340{
341 int ret;
342 size_t len;
343 x509_buf *oid;
344 x509_buf *val;
345
346 if( ( ret = asn1_get_tag( p, end, &len,
347 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]348 return( POLARSSL_ERR_X509_INVALID_NAME + ret );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]349
350 if( ( end - *p ) < 1 )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]351 return( POLARSSL_ERR_X509_INVALID_NAME +
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]352 POLARSSL_ERR_ASN1_OUT_OF_DATA );
353
354 oid = &cur->oid;
355 oid->tag = **p;
356
357 if( ( ret = asn1_get_tag( p, end, &oid->len, ASN1_OID ) ) != 0 )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]358 return( POLARSSL_ERR_X509_INVALID_NAME + ret );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]359
360 oid->p = *p;
361 *p += oid->len;
362
363 if( ( end - *p ) < 1 )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]364 return( POLARSSL_ERR_X509_INVALID_NAME +
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]365 POLARSSL_ERR_ASN1_OUT_OF_DATA );
366
367 if( **p != ASN1_BMP_STRING && **p != ASN1_UTF8_STRING &&
368 **p != ASN1_T61_STRING && **p != ASN1_PRINTABLE_STRING &&
369 **p != ASN1_IA5_STRING && **p != ASN1_UNIVERSAL_STRING )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]370 return( POLARSSL_ERR_X509_INVALID_NAME +
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]371 POLARSSL_ERR_ASN1_UNEXPECTED_TAG );
372
373 val = &cur->val;
374 val->tag = *(*p)++;
375
376 if( ( ret = asn1_get_len( p, end, &val->len ) ) != 0 )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]377 return( POLARSSL_ERR_X509_INVALID_NAME + ret );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]378
379 val->p = *p;
380 *p += val->len;
381
382 cur->next = NULL;
383
384 return( 0 );
385}
386
387/*
388 * RelativeDistinguishedName ::=
389 * SET OF AttributeTypeAndValue
390 *
391 * AttributeTypeAndValue ::= SEQUENCE {
392 * type AttributeType,
393 * value AttributeValue }
394 *
395 * AttributeType ::= OBJECT IDENTIFIER
396 *
397 * AttributeValue ::= ANY DEFINED BY AttributeType
398 */
399int x509_get_name( unsigned char **p, const unsigned char *end,
400 x509_name *cur )
401{
402 int ret;
403 size_t len;
404 const unsigned char *end2;
405 x509_name *use;
406
407 if( ( ret = asn1_get_tag( p, end, &len,
408 ASN1_CONSTRUCTED | ASN1_SET ) ) != 0 )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]409 return( POLARSSL_ERR_X509_INVALID_NAME + ret );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]410
411 end2 = end;
412 end = *p + len;
413 use = cur;
414
415 do
416 {
417 if( ( ret = x509_get_attr_type_value( p, end, use ) ) != 0 )
418 return( ret );
419
420 if( *p != end )
421 {
422 use->next = (x509_name *) polarssl_malloc(
423 sizeof( x509_name ) );
424
425 if( use->next == NULL )
426 return( POLARSSL_ERR_X509_MALLOC_FAILED );
427
428 memset( use->next, 0, sizeof( x509_name ) );
429
430 use = use->next;
431 }
432 }
433 while( *p != end );
434
435 /*
436 * recurse until end of SEQUENCE is reached
437 */
438 if( *p == end2 )
439 return( 0 );
440
441 cur->next = (x509_name *) polarssl_malloc(
442 sizeof( x509_name ) );
443
444 if( cur->next == NULL )
445 return( POLARSSL_ERR_X509_MALLOC_FAILED );
446
447 memset( cur->next, 0, sizeof( x509_name ) );
448
449 return( x509_get_name( p, end2, cur->next ) );
450}
451
452/*
453 * Time ::= CHOICE {
454 * utcTime UTCTime,
455 * generalTime GeneralizedTime }
456 */
457int x509_get_time( unsigned char **p, const unsigned char *end,
458 x509_time *time )
459{
460 int ret;
461 size_t len;
462 char date[64];
463 unsigned char tag;
464
465 if( ( end - *p ) < 1 )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]466 return( POLARSSL_ERR_X509_INVALID_DATE +
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]467 POLARSSL_ERR_ASN1_OUT_OF_DATA );
468
469 tag = **p;
470
471 if ( tag == ASN1_UTC_TIME )
472 {
473 (*p)++;
474 ret = asn1_get_len( p, end, &len );
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]475
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]476 if( ret != 0 )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]477 return( POLARSSL_ERR_X509_INVALID_DATE + ret );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]478
479 memset( date, 0, sizeof( date ) );
480 memcpy( date, *p, ( len < sizeof( date ) - 1 ) ?
481 len : sizeof( date ) - 1 );
482
483 if( sscanf( date, "%2d%2d%2d%2d%2d%2d",
484 &time->year, &time->mon, &time->day,
485 &time->hour, &time->min, &time->sec ) < 5 )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]486 return( POLARSSL_ERR_X509_INVALID_DATE );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]487
488 time->year += 100 * ( time->year < 50 );
489 time->year += 1900;
490
491 *p += len;
492
493 return( 0 );
494 }
495 else if ( tag == ASN1_GENERALIZED_TIME )
496 {
497 (*p)++;
498 ret = asn1_get_len( p, end, &len );
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]499
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]500 if( ret != 0 )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]501 return( POLARSSL_ERR_X509_INVALID_DATE + ret );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]502
503 memset( date, 0, sizeof( date ) );
504 memcpy( date, *p, ( len < sizeof( date ) - 1 ) ?
505 len : sizeof( date ) - 1 );
506
507 if( sscanf( date, "%4d%2d%2d%2d%2d%2d",
508 &time->year, &time->mon, &time->day,
509 &time->hour, &time->min, &time->sec ) < 5 )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]510 return( POLARSSL_ERR_X509_INVALID_DATE );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]511
512 *p += len;
513
514 return( 0 );
515 }
516 else
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]517 return( POLARSSL_ERR_X509_INVALID_DATE +
518 POLARSSL_ERR_ASN1_UNEXPECTED_TAG );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]519}
520
521int x509_get_sig( unsigned char **p, const unsigned char *end, x509_buf *sig )
522{
523 int ret;
524 size_t len;
525
526 if( ( end - *p ) < 1 )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]527 return( POLARSSL_ERR_X509_INVALID_SIGNATURE +
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]528 POLARSSL_ERR_ASN1_OUT_OF_DATA );
529
530 sig->tag = **p;
531
532 if( ( ret = asn1_get_bitstring_null( p, end, &len ) ) != 0 )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]533 return( POLARSSL_ERR_X509_INVALID_SIGNATURE + ret );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]534
535 sig->len = len;
536 sig->p = *p;
537
538 *p += len;
539
540 return( 0 );
541}
542
543int x509_get_sig_alg( const x509_buf *sig_oid, md_type_t *md_alg,
544 pk_type_t *pk_alg )
545{
546 int ret = oid_get_sig_alg( sig_oid, md_alg, pk_alg );
547
548 if( ret != 0 )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]549 return( POLARSSL_ERR_X509_UNKNOWN_SIG_ALG + ret );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]550
551 return( 0 );
552}
553
554/*
555 * X.509 Extensions (No parsing of extensions, pointer should
556 * be either manually updated or extensions should be parsed!
557 */
558int x509_get_ext( unsigned char **p, const unsigned char *end,
559 x509_buf *ext, int tag )
560{
561 int ret;
562 size_t len;
563
564 if( *p == end )
565 return( 0 );
566
567 ext->tag = **p;
568
569 if( ( ret = asn1_get_tag( p, end, &ext->len,
570 ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | tag ) ) != 0 )
571 return( ret );
572
573 ext->p = *p;
574 end = *p + ext->len;
575
576 /*
577 * Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
578 *
579 * Extension ::= SEQUENCE {
580 * extnID OBJECT IDENTIFIER,
581 * critical BOOLEAN DEFAULT FALSE,
582 * extnValue OCTET STRING }
583 */
584 if( ( ret = asn1_get_tag( p, end, &len,
585 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]586 return( POLARSSL_ERR_X509_INVALID_EXTENSIONS + ret );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]587
588 if( end != *p + len )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]589 return( POLARSSL_ERR_X509_INVALID_EXTENSIONS +
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]590 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
591
592 return( 0 );
593}
594
595#if defined(POLARSSL_FS_IO)
596/*
597 * Load all data from a file into a given buffer.
598 */
599int x509_load_file( const char *path, unsigned char **buf, size_t *n )
600{
601 FILE *f;
602 long size;
603
604 if( ( f = fopen( path, "rb" ) ) == NULL )
605 return( POLARSSL_ERR_X509_FILE_IO_ERROR );
606
607 fseek( f, 0, SEEK_END );
608 if( ( size = ftell( f ) ) == -1 )
609 {
610 fclose( f );
611 return( POLARSSL_ERR_X509_FILE_IO_ERROR );
612 }
613 fseek( f, 0, SEEK_SET );
614
615 *n = (size_t) size;
616
617 if( *n + 1 == 0 ||
618 ( *buf = (unsigned char *) polarssl_malloc( *n + 1 ) ) == NULL )
619 {
620 fclose( f );
621 return( POLARSSL_ERR_X509_MALLOC_FAILED );
622 }
623
624 if( fread( *buf, 1, *n, f ) != *n )
625 {
626 fclose( f );
627 polarssl_free( *buf );
628 return( POLARSSL_ERR_X509_FILE_IO_ERROR );
629 }
630
631 fclose( f );
632
633 (*buf)[*n] = '\0';
634
635 return( 0 );
636}
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]637#endif /* POLARSSL_FS_IO */
638
Paul Bakker6edcd412013-10-29 15:22:54 +0100[diff] [blame]639#if defined(_MSC_VER) && !defined snprintf && !defined(EFIX64) && \
640 !defined(EFI32)
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]641#include <stdarg.h>
642
643#if !defined vsnprintf
644#define vsnprintf _vsnprintf
645#endif // vsnprintf
646
647/*
648 * Windows _snprintf and _vsnprintf are not compatible to linux versions.
649 * Result value is not size of buffer needed, but -1 if no fit is possible.
650 *
651 * This fuction tries to 'fix' this by at least suggesting enlarging the
652 * size by 20.
653 */
654static int compat_snprintf(char *str, size_t size, const char *format, ...)
655{
656 va_list ap;
657 int res = -1;
658
659 va_start( ap, format );
660
661 res = vsnprintf( str, size, format, ap );
662
663 va_end( ap );
664
665 // No quick fix possible
666 if ( res < 0 )
667 return( (int) size + 20 );
668
669 return res;
670}
671
672#define snprintf compat_snprintf
673#endif
674
675#define POLARSSL_ERR_DEBUG_BUF_TOO_SMALL -2
676
677#define SAFE_SNPRINTF() \
678{ \
679 if( ret == -1 ) \
680 return( -1 ); \
681 \
682 if ( (unsigned int) ret > n ) { \
683 p[n - 1] = '\0'; \
684 return POLARSSL_ERR_DEBUG_BUF_TOO_SMALL;\
685 } \
686 \
687 n -= (unsigned int) ret; \
688 p += (unsigned int) ret; \
689}
690
691/*
692 * Store the name in printable form into buf; no more
693 * than size characters will be written
694 */
Paul Bakker86d0c192013-09-18 11:11:02 +0200[diff] [blame]695int x509_dn_gets( char *buf, size_t size, const x509_name *dn )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]696{
697 int ret;
698 size_t i, n;
699 unsigned char c;
700 const x509_name *name;
701 const char *short_name = NULL;
702 char s[128], *p;
703
704 memset( s, 0, sizeof( s ) );
705
706 name = dn;
707 p = buf;
708 n = size;
709
710 while( name != NULL )
711 {
712 if( !name->oid.p )
713 {
714 name = name->next;
715 continue;
716 }
717
718 if( name != dn )
719 {
720 ret = snprintf( p, n, ", " );
721 SAFE_SNPRINTF();
722 }
723
724 ret = oid_get_attr_short_name( &name->oid, &short_name );
725
726 if( ret == 0 )
727 ret = snprintf( p, n, "%s=", short_name );
728 else
729 ret = snprintf( p, n, "\?\?=" );
730 SAFE_SNPRINTF();
731
732 for( i = 0; i < name->val.len; i++ )
733 {
734 if( i >= sizeof( s ) - 1 )
735 break;
736
737 c = name->val.p[i];
738 if( c < 32 || c == 127 || ( c > 128 && c < 160 ) )
739 s[i] = '?';
740 else s[i] = c;
741 }
742 s[i] = '\0';
743 ret = snprintf( p, n, "%s", s );
744 SAFE_SNPRINTF();
745 name = name->next;
746 }
747
748 return( (int) ( size - n ) );
749}
750
751/*
752 * Store the serial in printable form into buf; no more
753 * than size characters will be written
754 */
Paul Bakker86d0c192013-09-18 11:11:02 +0200[diff] [blame]755int x509_serial_gets( char *buf, size_t size, const x509_buf *serial )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]756{
757 int ret;
758 size_t i, n, nr;
759 char *p;
760
761 p = buf;
762 n = size;
763
764 nr = ( serial->len <= 32 )
765 ? serial->len : 28;
766
767 for( i = 0; i < nr; i++ )
768 {
769 if( i == 0 && nr > 1 && serial->p[i] == 0x0 )
770 continue;
771
772 ret = snprintf( p, n, "%02X%s",
773 serial->p[i], ( i < nr - 1 ) ? ":" : "" );
774 SAFE_SNPRINTF();
775 }
776
777 if( nr != serial->len )
778 {
779 ret = snprintf( p, n, "...." );
780 SAFE_SNPRINTF();
781 }
782
783 return( (int) ( size - n ) );
784}
785
786/*
787 * Helper for writing "RSA key size", "EC key size", etc
788 */
789int x509_key_size_helper( char *buf, size_t size, const char *name )
790{
791 char *p = buf;
792 size_t n = size;
793 int ret;
794
795 if( strlen( name ) + sizeof( " key size" ) > size )
796 return POLARSSL_ERR_DEBUG_BUF_TOO_SMALL;
797
798 ret = snprintf( p, n, "%s key size", name );
799 SAFE_SNPRINTF();
800
801 return( 0 );
802}
803
804/*
805 * Return an informational string describing the given OID
806 */
807const char *x509_oid_get_description( x509_buf *oid )
808{
809 const char *desc = NULL;
810 int ret;
811
812 ret = oid_get_extended_key_usage( oid, &desc );
813
814 if( ret != 0 )
815 return( NULL );
816
817 return( desc );
818}
819
820/* Return the x.y.z.... style numeric string for the given OID */
821int x509_oid_get_numeric_string( char *buf, size_t size, x509_buf *oid )
822{
823 return oid_get_numeric_string( buf, size, oid );
824}
825
826/*
827 * Return 0 if the x509_time is still valid, or 1 otherwise.
828 */
829#if defined(POLARSSL_HAVE_TIME)
Paul Bakker86d0c192013-09-18 11:11:02 +0200[diff] [blame]830int x509_time_expired( const x509_time *to )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]831{
832 int year, mon, day;
833 int hour, min, sec;
834
Paul Bakkerfa6a6202013-10-28 18:48:30 +0100[diff] [blame]835#if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]836 SYSTEMTIME st;
837
838 GetLocalTime(&st);
839
840 year = st.wYear;
841 mon = st.wMonth;
842 day = st.wDay;
843 hour = st.wHour;
844 min = st.wMinute;
845 sec = st.wSecond;
846#else
847 struct tm *lt;
848 time_t tt;
849
850 tt = time( NULL );
851 lt = localtime( &tt );
852
853 year = lt->tm_year + 1900;
854 mon = lt->tm_mon + 1;
855 day = lt->tm_mday;
856 hour = lt->tm_hour;
857 min = lt->tm_min;
858 sec = lt->tm_sec;
859#endif
860
861 if( year > to->year )
862 return( 1 );
863
864 if( year == to->year &&
865 mon > to->mon )
866 return( 1 );
867
868 if( year == to->year &&
869 mon == to->mon &&
870 day > to->day )
871 return( 1 );
872
873 if( year == to->year &&
874 mon == to->mon &&
875 day == to->day &&
876 hour > to->hour )
877 return( 1 );
878
879 if( year == to->year &&
880 mon == to->mon &&
881 day == to->day &&
882 hour == to->hour &&
883 min > to->min )
884 return( 1 );
885
886 if( year == to->year &&
887 mon == to->mon &&
888 day == to->day &&
889 hour == to->hour &&
890 min == to->min &&
891 sec > to->sec )
892 return( 1 );
893
894 return( 0 );
895}
896#else /* POLARSSL_HAVE_TIME */
Paul Bakker86d0c192013-09-18 11:11:02 +0200[diff] [blame]897int x509_time_expired( const x509_time *to )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]898{
899 ((void) to);
900 return( 0 );
901}
902#endif /* POLARSSL_HAVE_TIME */
903
Paul Bakkere9e6ae32013-09-16 22:53:25 +0200[diff] [blame]904#if defined(POLARSSL_SELF_TEST)
905
906#include "polarssl/x509_crt.h"
907#include "polarssl/certs.h"
908
909/*
910 * Checkup routine
911 */
912int x509_self_test( int verbose )
913{
914#if defined(POLARSSL_CERTS_C) && defined(POLARSSL_MD5_C)
915 int ret;
916 int flags;
Paul Bakkerc559c7a2013-09-18 14:13:26 +0200[diff] [blame]917 x509_crt cacert;
918 x509_crt clicert;
Paul Bakkere9e6ae32013-09-16 22:53:25 +0200[diff] [blame]919
920 if( verbose != 0 )
921 printf( " X.509 certificate load: " );
922
Paul Bakkerb6b09562013-09-18 14:17:41 +0200[diff] [blame]923 x509_crt_init( &clicert );
Paul Bakkere9e6ae32013-09-16 22:53:25 +0200[diff] [blame]924
Paul Bakkerddf26b42013-09-18 13:46:23 +0200[diff] [blame]925 ret = x509_crt_parse( &clicert, (const unsigned char *) test_cli_crt,
926 strlen( test_cli_crt ) );
Paul Bakkere9e6ae32013-09-16 22:53:25 +0200[diff] [blame]927 if( ret != 0 )
928 {
929 if( verbose != 0 )
930 printf( "failed\n" );
931
932 return( ret );
933 }
934
Paul Bakkerb6b09562013-09-18 14:17:41 +0200[diff] [blame]935 x509_crt_init( &cacert );
Paul Bakkere9e6ae32013-09-16 22:53:25 +0200[diff] [blame]936
Paul Bakkerddf26b42013-09-18 13:46:23 +0200[diff] [blame]937 ret = x509_crt_parse( &cacert, (const unsigned char *) test_ca_crt,
938 strlen( test_ca_crt ) );
Paul Bakkere9e6ae32013-09-16 22:53:25 +0200[diff] [blame]939 if( ret != 0 )
940 {
941 if( verbose != 0 )
942 printf( "failed\n" );
943
944 return( ret );
945 }
946
947 if( verbose != 0 )
948 printf( "passed\n X.509 signature verify: ");
949
Paul Bakkerddf26b42013-09-18 13:46:23 +0200[diff] [blame]950 ret = x509_crt_verify( &clicert, &cacert, NULL, NULL, &flags, NULL, NULL );
Paul Bakkere9e6ae32013-09-16 22:53:25 +0200[diff] [blame]951 if( ret != 0 )
952 {
953 if( verbose != 0 )
954 printf( "failed\n" );
955
956 printf("ret = %d, &flags = %04x\n", ret, flags);
957
958 return( ret );
959 }
960
961 if( verbose != 0 )
962 printf( "passed\n\n");
963
964 x509_crt_free( &cacert );
965 x509_crt_free( &clicert );
966
967 return( 0 );
968#else
969 ((void) verbose);
970 return( POLARSSL_ERR_X509_FEATURE_UNAVAILABLE );
971#endif
972}
973
974#endif
975
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]976#endif /* POLARSSL_X509_USE_C */