Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1 | /* |
| 2 | * X.509 certificate and private key decoding |
| 3 | * |
Paul Bakker | efc3029 | 2011-11-10 14:43:23 +0000 | [diff] [blame] | 4 | * Copyright (C) 2006-2011, Brainspark B.V. |
Paul Bakker | b96f154 | 2010-07-18 20:36:00 +0000 | [diff] [blame] | 5 | * |
| 6 | * This file is part of PolarSSL (http://www.polarssl.org) |
Paul Bakker | 84f12b7 | 2010-07-18 10:13:04 +0000 | [diff] [blame] | 7 | * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org> |
Paul Bakker | b96f154 | 2010-07-18 20:36:00 +0000 | [diff] [blame] | 8 | * |
Paul Bakker | 77b385e | 2009-07-28 17:23:11 +0000 | [diff] [blame] | 9 | * All rights reserved. |
Paul Bakker | e0ccd0a | 2009-01-04 16:27:10 +0000 | [diff] [blame] | 10 | * |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 11 | * This program is free software; you can redistribute it and/or modify |
| 12 | * it under the terms of the GNU General Public License as published by |
| 13 | * the Free Software Foundation; either version 2 of the License, or |
| 14 | * (at your option) any later version. |
| 15 | * |
| 16 | * This program is distributed in the hope that it will be useful, |
| 17 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
| 18 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| 19 | * GNU General Public License for more details. |
| 20 | * |
| 21 | * You should have received a copy of the GNU General Public License along |
| 22 | * with this program; if not, write to the Free Software Foundation, Inc., |
| 23 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. |
| 24 | */ |
| 25 | /* |
| 26 | * The ITU-T X.509 standard defines a certificat format for PKI. |
| 27 | * |
| 28 | * http://www.ietf.org/rfc/rfc2459.txt |
| 29 | * http://www.ietf.org/rfc/rfc3279.txt |
| 30 | * |
| 31 | * ftp://ftp.rsasecurity.com/pub/pkcs/ascii/pkcs-1v2.asc |
| 32 | * |
| 33 | * http://www.itu.int/ITU-T/studygroups/com17/languages/X.680-0207.pdf |
| 34 | * http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf |
| 35 | */ |
| 36 | |
Paul Bakker | 40e4694 | 2009-01-03 21:51:57 +0000 | [diff] [blame] | 37 | #include "polarssl/config.h" |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 38 | |
Paul Bakker | 40e4694 | 2009-01-03 21:51:57 +0000 | [diff] [blame] | 39 | #if defined(POLARSSL_X509_PARSE_C) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 40 | |
Paul Bakker | 40e4694 | 2009-01-03 21:51:57 +0000 | [diff] [blame] | 41 | #include "polarssl/x509.h" |
Paul Bakker | efc3029 | 2011-11-10 14:43:23 +0000 | [diff] [blame] | 42 | #include "polarssl/asn1.h" |
Paul Bakker | 96743fc | 2011-02-12 14:30:57 +0000 | [diff] [blame] | 43 | #include "polarssl/pem.h" |
Paul Bakker | 40e4694 | 2009-01-03 21:51:57 +0000 | [diff] [blame] | 44 | #include "polarssl/des.h" |
Paul Bakker | f6bff2a | 2013-03-11 16:05:32 +0100 | [diff] [blame^] | 45 | #if defined(POLARSSL_MD2_C) |
Paul Bakker | 40e4694 | 2009-01-03 21:51:57 +0000 | [diff] [blame] | 46 | #include "polarssl/md2.h" |
Paul Bakker | f6bff2a | 2013-03-11 16:05:32 +0100 | [diff] [blame^] | 47 | #endif |
| 48 | #if defined(POLARSSL_MD4_C) |
Paul Bakker | 40e4694 | 2009-01-03 21:51:57 +0000 | [diff] [blame] | 49 | #include "polarssl/md4.h" |
Paul Bakker | f6bff2a | 2013-03-11 16:05:32 +0100 | [diff] [blame^] | 50 | #endif |
| 51 | #if defined(POLARSSL_MD5_C) |
Paul Bakker | 40e4694 | 2009-01-03 21:51:57 +0000 | [diff] [blame] | 52 | #include "polarssl/md5.h" |
Paul Bakker | f6bff2a | 2013-03-11 16:05:32 +0100 | [diff] [blame^] | 53 | #endif |
| 54 | #if defined(POLARSSL_SHA1_C) |
Paul Bakker | 40e4694 | 2009-01-03 21:51:57 +0000 | [diff] [blame] | 55 | #include "polarssl/sha1.h" |
Paul Bakker | f6bff2a | 2013-03-11 16:05:32 +0100 | [diff] [blame^] | 56 | #endif |
| 57 | #if defined(POLARSSL_SHA2_C) |
Paul Bakker | 026c03b | 2009-03-28 17:53:03 +0000 | [diff] [blame] | 58 | #include "polarssl/sha2.h" |
Paul Bakker | f6bff2a | 2013-03-11 16:05:32 +0100 | [diff] [blame^] | 59 | #endif |
| 60 | #if defined(POLARSSL_SHA4_C) |
Paul Bakker | 026c03b | 2009-03-28 17:53:03 +0000 | [diff] [blame] | 61 | #include "polarssl/sha4.h" |
Paul Bakker | f6bff2a | 2013-03-11 16:05:32 +0100 | [diff] [blame^] | 62 | #endif |
Paul Bakker | 1b57b06 | 2011-01-06 15:48:19 +0000 | [diff] [blame] | 63 | #include "polarssl/dhm.h" |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 64 | |
| 65 | #include <string.h> |
| 66 | #include <stdlib.h> |
Paul Bakker | 4f229e5 | 2011-12-04 22:11:35 +0000 | [diff] [blame] | 67 | #if defined(_WIN32) |
Paul Bakker | cce9d77 | 2011-11-18 14:26:47 +0000 | [diff] [blame] | 68 | #include <windows.h> |
| 69 | #else |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 70 | #include <time.h> |
Paul Bakker | cce9d77 | 2011-11-18 14:26:47 +0000 | [diff] [blame] | 71 | #endif |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 72 | |
Paul Bakker | 335db3f | 2011-04-25 15:28:35 +0000 | [diff] [blame] | 73 | #if defined(POLARSSL_FS_IO) |
| 74 | #include <stdio.h> |
| 75 | #endif |
| 76 | |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 77 | /* |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 78 | * Version ::= INTEGER { v1(0), v2(1), v3(2) } |
| 79 | */ |
| 80 | static int x509_get_version( unsigned char **p, |
Paul Bakker | ff60ee6 | 2010-03-16 21:09:09 +0000 | [diff] [blame] | 81 | const unsigned char *end, |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 82 | int *ver ) |
| 83 | { |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 84 | int ret; |
| 85 | size_t len; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 86 | |
| 87 | if( ( ret = asn1_get_tag( p, end, &len, |
| 88 | ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 0 ) ) != 0 ) |
| 89 | { |
Paul Bakker | 40e4694 | 2009-01-03 21:51:57 +0000 | [diff] [blame] | 90 | if( ret == POLARSSL_ERR_ASN1_UNEXPECTED_TAG ) |
Paul Bakker | 2a1c5f5 | 2011-10-19 14:15:17 +0000 | [diff] [blame] | 91 | { |
| 92 | *ver = 0; |
| 93 | return( 0 ); |
| 94 | } |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 95 | |
| 96 | return( ret ); |
| 97 | } |
| 98 | |
| 99 | end = *p + len; |
| 100 | |
| 101 | if( ( ret = asn1_get_int( p, end, ver ) ) != 0 ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 102 | return( POLARSSL_ERR_X509_CERT_INVALID_VERSION + ret ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 103 | |
| 104 | if( *p != end ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 105 | return( POLARSSL_ERR_X509_CERT_INVALID_VERSION + |
Paul Bakker | 40e4694 | 2009-01-03 21:51:57 +0000 | [diff] [blame] | 106 | POLARSSL_ERR_ASN1_LENGTH_MISMATCH ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 107 | |
| 108 | return( 0 ); |
| 109 | } |
| 110 | |
| 111 | /* |
Paul Bakker | fae618f | 2011-10-12 11:53:52 +0000 | [diff] [blame] | 112 | * Version ::= INTEGER { v1(0), v2(1) } |
Paul Bakker | 3329d1f | 2011-10-12 09:55:01 +0000 | [diff] [blame] | 113 | */ |
| 114 | static int x509_crl_get_version( unsigned char **p, |
| 115 | const unsigned char *end, |
| 116 | int *ver ) |
| 117 | { |
| 118 | int ret; |
| 119 | |
| 120 | if( ( ret = asn1_get_int( p, end, ver ) ) != 0 ) |
| 121 | { |
| 122 | if( ret == POLARSSL_ERR_ASN1_UNEXPECTED_TAG ) |
Paul Bakker | 2a1c5f5 | 2011-10-19 14:15:17 +0000 | [diff] [blame] | 123 | { |
| 124 | *ver = 0; |
| 125 | return( 0 ); |
| 126 | } |
Paul Bakker | 3329d1f | 2011-10-12 09:55:01 +0000 | [diff] [blame] | 127 | |
| 128 | return( POLARSSL_ERR_X509_CERT_INVALID_VERSION + ret ); |
| 129 | } |
| 130 | |
| 131 | return( 0 ); |
| 132 | } |
| 133 | |
| 134 | /* |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 135 | * CertificateSerialNumber ::= INTEGER |
| 136 | */ |
| 137 | static int x509_get_serial( unsigned char **p, |
Paul Bakker | ff60ee6 | 2010-03-16 21:09:09 +0000 | [diff] [blame] | 138 | const unsigned char *end, |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 139 | x509_buf *serial ) |
| 140 | { |
| 141 | int ret; |
| 142 | |
| 143 | if( ( end - *p ) < 1 ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 144 | return( POLARSSL_ERR_X509_CERT_INVALID_SERIAL + |
Paul Bakker | 40e4694 | 2009-01-03 21:51:57 +0000 | [diff] [blame] | 145 | POLARSSL_ERR_ASN1_OUT_OF_DATA ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 146 | |
| 147 | if( **p != ( ASN1_CONTEXT_SPECIFIC | ASN1_PRIMITIVE | 2 ) && |
| 148 | **p != ASN1_INTEGER ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 149 | return( POLARSSL_ERR_X509_CERT_INVALID_SERIAL + |
Paul Bakker | 40e4694 | 2009-01-03 21:51:57 +0000 | [diff] [blame] | 150 | POLARSSL_ERR_ASN1_UNEXPECTED_TAG ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 151 | |
| 152 | serial->tag = *(*p)++; |
| 153 | |
| 154 | if( ( ret = asn1_get_len( p, end, &serial->len ) ) != 0 ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 155 | return( POLARSSL_ERR_X509_CERT_INVALID_SERIAL + ret ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 156 | |
| 157 | serial->p = *p; |
| 158 | *p += serial->len; |
| 159 | |
| 160 | return( 0 ); |
| 161 | } |
| 162 | |
| 163 | /* |
| 164 | * AlgorithmIdentifier ::= SEQUENCE { |
| 165 | * algorithm OBJECT IDENTIFIER, |
| 166 | * parameters ANY DEFINED BY algorithm OPTIONAL } |
| 167 | */ |
| 168 | static int x509_get_alg( unsigned char **p, |
Paul Bakker | ff60ee6 | 2010-03-16 21:09:09 +0000 | [diff] [blame] | 169 | const unsigned char *end, |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 170 | x509_buf *alg ) |
| 171 | { |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 172 | int ret; |
| 173 | size_t len; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 174 | |
| 175 | if( ( ret = asn1_get_tag( p, end, &len, |
| 176 | ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 177 | return( POLARSSL_ERR_X509_CERT_INVALID_ALG + ret ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 178 | |
| 179 | end = *p + len; |
| 180 | alg->tag = **p; |
| 181 | |
| 182 | if( ( ret = asn1_get_tag( p, end, &alg->len, ASN1_OID ) ) != 0 ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 183 | return( POLARSSL_ERR_X509_CERT_INVALID_ALG + ret ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 184 | |
| 185 | alg->p = *p; |
| 186 | *p += alg->len; |
| 187 | |
| 188 | if( *p == end ) |
| 189 | return( 0 ); |
| 190 | |
| 191 | /* |
| 192 | * assume the algorithm parameters must be NULL |
| 193 | */ |
| 194 | if( ( ret = asn1_get_tag( p, end, &len, ASN1_NULL ) ) != 0 ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 195 | return( POLARSSL_ERR_X509_CERT_INVALID_ALG + ret ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 196 | |
| 197 | if( *p != end ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 198 | return( POLARSSL_ERR_X509_CERT_INVALID_ALG + |
Paul Bakker | 40e4694 | 2009-01-03 21:51:57 +0000 | [diff] [blame] | 199 | POLARSSL_ERR_ASN1_LENGTH_MISMATCH ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 200 | |
| 201 | return( 0 ); |
| 202 | } |
| 203 | |
| 204 | /* |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 205 | * AttributeTypeAndValue ::= SEQUENCE { |
| 206 | * type AttributeType, |
| 207 | * value AttributeValue } |
| 208 | * |
| 209 | * AttributeType ::= OBJECT IDENTIFIER |
| 210 | * |
| 211 | * AttributeValue ::= ANY DEFINED BY AttributeType |
| 212 | */ |
Paul Bakker | 400ff6f | 2011-02-20 10:40:16 +0000 | [diff] [blame] | 213 | static int x509_get_attr_type_value( unsigned char **p, |
| 214 | const unsigned char *end, |
| 215 | x509_name *cur ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 216 | { |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 217 | int ret; |
| 218 | size_t len; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 219 | x509_buf *oid; |
| 220 | x509_buf *val; |
| 221 | |
| 222 | if( ( ret = asn1_get_tag( p, end, &len, |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 223 | ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 224 | return( POLARSSL_ERR_X509_CERT_INVALID_NAME + ret ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 225 | |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 226 | oid = &cur->oid; |
| 227 | oid->tag = **p; |
| 228 | |
| 229 | if( ( ret = asn1_get_tag( p, end, &oid->len, ASN1_OID ) ) != 0 ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 230 | return( POLARSSL_ERR_X509_CERT_INVALID_NAME + ret ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 231 | |
| 232 | oid->p = *p; |
| 233 | *p += oid->len; |
| 234 | |
| 235 | if( ( end - *p ) < 1 ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 236 | return( POLARSSL_ERR_X509_CERT_INVALID_NAME + |
Paul Bakker | 40e4694 | 2009-01-03 21:51:57 +0000 | [diff] [blame] | 237 | POLARSSL_ERR_ASN1_OUT_OF_DATA ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 238 | |
| 239 | if( **p != ASN1_BMP_STRING && **p != ASN1_UTF8_STRING && |
| 240 | **p != ASN1_T61_STRING && **p != ASN1_PRINTABLE_STRING && |
| 241 | **p != ASN1_IA5_STRING && **p != ASN1_UNIVERSAL_STRING ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 242 | return( POLARSSL_ERR_X509_CERT_INVALID_NAME + |
Paul Bakker | 40e4694 | 2009-01-03 21:51:57 +0000 | [diff] [blame] | 243 | POLARSSL_ERR_ASN1_UNEXPECTED_TAG ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 244 | |
| 245 | val = &cur->val; |
| 246 | val->tag = *(*p)++; |
| 247 | |
| 248 | if( ( ret = asn1_get_len( p, end, &val->len ) ) != 0 ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 249 | return( POLARSSL_ERR_X509_CERT_INVALID_NAME + ret ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 250 | |
| 251 | val->p = *p; |
| 252 | *p += val->len; |
| 253 | |
| 254 | cur->next = NULL; |
| 255 | |
Paul Bakker | 400ff6f | 2011-02-20 10:40:16 +0000 | [diff] [blame] | 256 | return( 0 ); |
| 257 | } |
| 258 | |
| 259 | /* |
| 260 | * RelativeDistinguishedName ::= |
| 261 | * SET OF AttributeTypeAndValue |
| 262 | * |
| 263 | * AttributeTypeAndValue ::= SEQUENCE { |
| 264 | * type AttributeType, |
| 265 | * value AttributeValue } |
| 266 | * |
| 267 | * AttributeType ::= OBJECT IDENTIFIER |
| 268 | * |
| 269 | * AttributeValue ::= ANY DEFINED BY AttributeType |
| 270 | */ |
| 271 | static int x509_get_name( unsigned char **p, |
| 272 | const unsigned char *end, |
| 273 | x509_name *cur ) |
| 274 | { |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 275 | int ret; |
| 276 | size_t len; |
Paul Bakker | 400ff6f | 2011-02-20 10:40:16 +0000 | [diff] [blame] | 277 | const unsigned char *end2; |
| 278 | x509_name *use; |
| 279 | |
| 280 | if( ( ret = asn1_get_tag( p, end, &len, |
| 281 | ASN1_CONSTRUCTED | ASN1_SET ) ) != 0 ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 282 | return( POLARSSL_ERR_X509_CERT_INVALID_NAME + ret ); |
Paul Bakker | 400ff6f | 2011-02-20 10:40:16 +0000 | [diff] [blame] | 283 | |
| 284 | end2 = end; |
| 285 | end = *p + len; |
| 286 | use = cur; |
| 287 | |
| 288 | do |
| 289 | { |
| 290 | if( ( ret = x509_get_attr_type_value( p, end, use ) ) != 0 ) |
| 291 | return( ret ); |
| 292 | |
| 293 | if( *p != end ) |
| 294 | { |
| 295 | use->next = (x509_name *) malloc( |
| 296 | sizeof( x509_name ) ); |
| 297 | |
| 298 | if( use->next == NULL ) |
Paul Bakker | 732e1a8 | 2011-12-11 16:35:09 +0000 | [diff] [blame] | 299 | return( POLARSSL_ERR_X509_MALLOC_FAILED ); |
Paul Bakker | 400ff6f | 2011-02-20 10:40:16 +0000 | [diff] [blame] | 300 | |
| 301 | memset( use->next, 0, sizeof( x509_name ) ); |
| 302 | |
| 303 | use = use->next; |
| 304 | } |
| 305 | } |
| 306 | while( *p != end ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 307 | |
| 308 | /* |
| 309 | * recurse until end of SEQUENCE is reached |
| 310 | */ |
| 311 | if( *p == end2 ) |
| 312 | return( 0 ); |
| 313 | |
| 314 | cur->next = (x509_name *) malloc( |
| 315 | sizeof( x509_name ) ); |
| 316 | |
| 317 | if( cur->next == NULL ) |
Paul Bakker | 732e1a8 | 2011-12-11 16:35:09 +0000 | [diff] [blame] | 318 | return( POLARSSL_ERR_X509_MALLOC_FAILED ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 319 | |
Paul Bakker | 0715668 | 2012-05-30 07:33:30 +0000 | [diff] [blame] | 320 | memset( cur->next, 0, sizeof( x509_name ) ); |
| 321 | |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 322 | return( x509_get_name( p, end2, cur->next ) ); |
| 323 | } |
| 324 | |
| 325 | /* |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 326 | * Time ::= CHOICE { |
| 327 | * utcTime UTCTime, |
| 328 | * generalTime GeneralizedTime } |
| 329 | */ |
Paul Bakker | 9120018 | 2010-02-18 21:26:15 +0000 | [diff] [blame] | 330 | static int x509_get_time( unsigned char **p, |
Paul Bakker | ff60ee6 | 2010-03-16 21:09:09 +0000 | [diff] [blame] | 331 | const unsigned char *end, |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 332 | x509_time *time ) |
| 333 | { |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 334 | int ret; |
| 335 | size_t len; |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 336 | char date[64]; |
Paul Bakker | 9120018 | 2010-02-18 21:26:15 +0000 | [diff] [blame] | 337 | unsigned char tag; |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 338 | |
Paul Bakker | 9120018 | 2010-02-18 21:26:15 +0000 | [diff] [blame] | 339 | if( ( end - *p ) < 1 ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 340 | return( POLARSSL_ERR_X509_CERT_INVALID_DATE + |
| 341 | POLARSSL_ERR_ASN1_OUT_OF_DATA ); |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 342 | |
Paul Bakker | 9120018 | 2010-02-18 21:26:15 +0000 | [diff] [blame] | 343 | tag = **p; |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 344 | |
Paul Bakker | 9120018 | 2010-02-18 21:26:15 +0000 | [diff] [blame] | 345 | if ( tag == ASN1_UTC_TIME ) |
| 346 | { |
| 347 | (*p)++; |
| 348 | ret = asn1_get_len( p, end, &len ); |
| 349 | |
| 350 | if( ret != 0 ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 351 | return( POLARSSL_ERR_X509_CERT_INVALID_DATE + ret ); |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 352 | |
Paul Bakker | 9120018 | 2010-02-18 21:26:15 +0000 | [diff] [blame] | 353 | memset( date, 0, sizeof( date ) ); |
Paul Bakker | 27fdf46 | 2011-06-09 13:55:13 +0000 | [diff] [blame] | 354 | memcpy( date, *p, ( len < sizeof( date ) - 1 ) ? |
| 355 | len : sizeof( date ) - 1 ); |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 356 | |
Paul Bakker | 9120018 | 2010-02-18 21:26:15 +0000 | [diff] [blame] | 357 | if( sscanf( date, "%2d%2d%2d%2d%2d%2d", |
| 358 | &time->year, &time->mon, &time->day, |
| 359 | &time->hour, &time->min, &time->sec ) < 5 ) |
| 360 | return( POLARSSL_ERR_X509_CERT_INVALID_DATE ); |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 361 | |
Paul Bakker | 400ff6f | 2011-02-20 10:40:16 +0000 | [diff] [blame] | 362 | time->year += 100 * ( time->year < 50 ); |
Paul Bakker | 9120018 | 2010-02-18 21:26:15 +0000 | [diff] [blame] | 363 | time->year += 1900; |
| 364 | |
| 365 | *p += len; |
| 366 | |
| 367 | return( 0 ); |
| 368 | } |
| 369 | else if ( tag == ASN1_GENERALIZED_TIME ) |
| 370 | { |
| 371 | (*p)++; |
| 372 | ret = asn1_get_len( p, end, &len ); |
| 373 | |
| 374 | if( ret != 0 ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 375 | return( POLARSSL_ERR_X509_CERT_INVALID_DATE + ret ); |
Paul Bakker | 9120018 | 2010-02-18 21:26:15 +0000 | [diff] [blame] | 376 | |
| 377 | memset( date, 0, sizeof( date ) ); |
Paul Bakker | 27fdf46 | 2011-06-09 13:55:13 +0000 | [diff] [blame] | 378 | memcpy( date, *p, ( len < sizeof( date ) - 1 ) ? |
| 379 | len : sizeof( date ) - 1 ); |
Paul Bakker | 9120018 | 2010-02-18 21:26:15 +0000 | [diff] [blame] | 380 | |
| 381 | if( sscanf( date, "%4d%2d%2d%2d%2d%2d", |
| 382 | &time->year, &time->mon, &time->day, |
| 383 | &time->hour, &time->min, &time->sec ) < 5 ) |
| 384 | return( POLARSSL_ERR_X509_CERT_INVALID_DATE ); |
| 385 | |
| 386 | *p += len; |
| 387 | |
| 388 | return( 0 ); |
| 389 | } |
| 390 | else |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 391 | return( POLARSSL_ERR_X509_CERT_INVALID_DATE + POLARSSL_ERR_ASN1_UNEXPECTED_TAG ); |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 392 | } |
| 393 | |
| 394 | |
| 395 | /* |
| 396 | * Validity ::= SEQUENCE { |
| 397 | * notBefore Time, |
| 398 | * notAfter Time } |
| 399 | */ |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 400 | static int x509_get_dates( unsigned char **p, |
Paul Bakker | ff60ee6 | 2010-03-16 21:09:09 +0000 | [diff] [blame] | 401 | const unsigned char *end, |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 402 | x509_time *from, |
| 403 | x509_time *to ) |
| 404 | { |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 405 | int ret; |
| 406 | size_t len; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 407 | |
| 408 | if( ( ret = asn1_get_tag( p, end, &len, |
| 409 | ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 410 | return( POLARSSL_ERR_X509_CERT_INVALID_DATE + ret ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 411 | |
| 412 | end = *p + len; |
| 413 | |
Paul Bakker | 9120018 | 2010-02-18 21:26:15 +0000 | [diff] [blame] | 414 | if( ( ret = x509_get_time( p, end, from ) ) != 0 ) |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 415 | return( ret ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 416 | |
Paul Bakker | 9120018 | 2010-02-18 21:26:15 +0000 | [diff] [blame] | 417 | if( ( ret = x509_get_time( p, end, to ) ) != 0 ) |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 418 | return( ret ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 419 | |
| 420 | if( *p != end ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 421 | return( POLARSSL_ERR_X509_CERT_INVALID_DATE + |
Paul Bakker | 40e4694 | 2009-01-03 21:51:57 +0000 | [diff] [blame] | 422 | POLARSSL_ERR_ASN1_LENGTH_MISMATCH ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 423 | |
| 424 | return( 0 ); |
| 425 | } |
| 426 | |
| 427 | /* |
| 428 | * SubjectPublicKeyInfo ::= SEQUENCE { |
| 429 | * algorithm AlgorithmIdentifier, |
| 430 | * subjectPublicKey BIT STRING } |
| 431 | */ |
| 432 | static int x509_get_pubkey( unsigned char **p, |
Paul Bakker | ff60ee6 | 2010-03-16 21:09:09 +0000 | [diff] [blame] | 433 | const unsigned char *end, |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 434 | x509_buf *pk_alg_oid, |
| 435 | mpi *N, mpi *E ) |
| 436 | { |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 437 | int ret, can_handle; |
| 438 | size_t len; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 439 | unsigned char *end2; |
| 440 | |
| 441 | if( ( ret = x509_get_alg( p, end, pk_alg_oid ) ) != 0 ) |
| 442 | return( ret ); |
| 443 | |
| 444 | /* |
| 445 | * only RSA public keys handled at this time |
| 446 | */ |
Paul Bakker | 400ff6f | 2011-02-20 10:40:16 +0000 | [diff] [blame] | 447 | can_handle = 0; |
| 448 | |
| 449 | if( pk_alg_oid->len == 9 && |
| 450 | memcmp( pk_alg_oid->p, OID_PKCS1_RSA, 9 ) == 0 ) |
| 451 | can_handle = 1; |
| 452 | |
| 453 | if( pk_alg_oid->len == 9 && |
| 454 | memcmp( pk_alg_oid->p, OID_PKCS1, 8 ) == 0 ) |
| 455 | { |
| 456 | if( pk_alg_oid->p[8] >= 2 && pk_alg_oid->p[8] <= 5 ) |
| 457 | can_handle = 1; |
| 458 | |
| 459 | if ( pk_alg_oid->p[8] >= 11 && pk_alg_oid->p[8] <= 14 ) |
| 460 | can_handle = 1; |
| 461 | } |
| 462 | |
| 463 | if( pk_alg_oid->len == 5 && |
| 464 | memcmp( pk_alg_oid->p, OID_RSA_SHA_OBS, 5 ) == 0 ) |
| 465 | can_handle = 1; |
| 466 | |
| 467 | if( can_handle == 0 ) |
Paul Bakker | ed56b22 | 2011-07-13 11:26:43 +0000 | [diff] [blame] | 468 | return( POLARSSL_ERR_X509_UNKNOWN_PK_ALG ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 469 | |
| 470 | if( ( ret = asn1_get_tag( p, end, &len, ASN1_BIT_STRING ) ) != 0 ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 471 | return( POLARSSL_ERR_X509_CERT_INVALID_PUBKEY + ret ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 472 | |
| 473 | if( ( end - *p ) < 1 ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 474 | return( POLARSSL_ERR_X509_CERT_INVALID_PUBKEY + |
Paul Bakker | 40e4694 | 2009-01-03 21:51:57 +0000 | [diff] [blame] | 475 | POLARSSL_ERR_ASN1_OUT_OF_DATA ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 476 | |
| 477 | end2 = *p + len; |
| 478 | |
| 479 | if( *(*p)++ != 0 ) |
Paul Bakker | 40e4694 | 2009-01-03 21:51:57 +0000 | [diff] [blame] | 480 | return( POLARSSL_ERR_X509_CERT_INVALID_PUBKEY ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 481 | |
| 482 | /* |
| 483 | * RSAPublicKey ::= SEQUENCE { |
| 484 | * modulus INTEGER, -- n |
| 485 | * publicExponent INTEGER -- e |
| 486 | * } |
| 487 | */ |
| 488 | if( ( ret = asn1_get_tag( p, end2, &len, |
| 489 | ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 490 | return( POLARSSL_ERR_X509_CERT_INVALID_PUBKEY + ret ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 491 | |
| 492 | if( *p + len != end2 ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 493 | return( POLARSSL_ERR_X509_CERT_INVALID_PUBKEY + |
Paul Bakker | 40e4694 | 2009-01-03 21:51:57 +0000 | [diff] [blame] | 494 | POLARSSL_ERR_ASN1_LENGTH_MISMATCH ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 495 | |
| 496 | if( ( ret = asn1_get_mpi( p, end2, N ) ) != 0 || |
| 497 | ( ret = asn1_get_mpi( p, end2, E ) ) != 0 ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 498 | return( POLARSSL_ERR_X509_CERT_INVALID_PUBKEY + ret ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 499 | |
| 500 | if( *p != end ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 501 | return( POLARSSL_ERR_X509_CERT_INVALID_PUBKEY + |
Paul Bakker | 40e4694 | 2009-01-03 21:51:57 +0000 | [diff] [blame] | 502 | POLARSSL_ERR_ASN1_LENGTH_MISMATCH ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 503 | |
| 504 | return( 0 ); |
| 505 | } |
| 506 | |
| 507 | static int x509_get_sig( unsigned char **p, |
Paul Bakker | ff60ee6 | 2010-03-16 21:09:09 +0000 | [diff] [blame] | 508 | const unsigned char *end, |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 509 | x509_buf *sig ) |
| 510 | { |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 511 | int ret; |
| 512 | size_t len; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 513 | |
| 514 | sig->tag = **p; |
| 515 | |
| 516 | if( ( ret = asn1_get_tag( p, end, &len, ASN1_BIT_STRING ) ) != 0 ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 517 | return( POLARSSL_ERR_X509_CERT_INVALID_SIGNATURE + ret ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 518 | |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 519 | |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 520 | if( --len < 1 || *(*p)++ != 0 ) |
Paul Bakker | 40e4694 | 2009-01-03 21:51:57 +0000 | [diff] [blame] | 521 | return( POLARSSL_ERR_X509_CERT_INVALID_SIGNATURE ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 522 | |
| 523 | sig->len = len; |
| 524 | sig->p = *p; |
| 525 | |
| 526 | *p += len; |
| 527 | |
| 528 | return( 0 ); |
| 529 | } |
| 530 | |
| 531 | /* |
| 532 | * X.509 v2/v3 unique identifier (not parsed) |
| 533 | */ |
| 534 | static int x509_get_uid( unsigned char **p, |
Paul Bakker | ff60ee6 | 2010-03-16 21:09:09 +0000 | [diff] [blame] | 535 | const unsigned char *end, |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 536 | x509_buf *uid, int n ) |
| 537 | { |
| 538 | int ret; |
| 539 | |
| 540 | if( *p == end ) |
| 541 | return( 0 ); |
| 542 | |
| 543 | uid->tag = **p; |
| 544 | |
| 545 | if( ( ret = asn1_get_tag( p, end, &uid->len, |
| 546 | ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | n ) ) != 0 ) |
| 547 | { |
Paul Bakker | 40e4694 | 2009-01-03 21:51:57 +0000 | [diff] [blame] | 548 | if( ret == POLARSSL_ERR_ASN1_UNEXPECTED_TAG ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 549 | return( 0 ); |
| 550 | |
| 551 | return( ret ); |
| 552 | } |
| 553 | |
| 554 | uid->p = *p; |
| 555 | *p += uid->len; |
| 556 | |
| 557 | return( 0 ); |
| 558 | } |
| 559 | |
| 560 | /* |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 561 | * X.509 Extensions (No parsing of extensions, pointer should |
| 562 | * be either manually updated or extensions should be parsed! |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 563 | */ |
| 564 | static int x509_get_ext( unsigned char **p, |
Paul Bakker | ff60ee6 | 2010-03-16 21:09:09 +0000 | [diff] [blame] | 565 | const unsigned char *end, |
Paul Bakker | fbc09f3 | 2011-10-12 09:56:41 +0000 | [diff] [blame] | 566 | x509_buf *ext, int tag ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 567 | { |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 568 | int ret; |
| 569 | size_t len; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 570 | |
| 571 | if( *p == end ) |
| 572 | return( 0 ); |
| 573 | |
| 574 | ext->tag = **p; |
Paul Bakker | ff60ee6 | 2010-03-16 21:09:09 +0000 | [diff] [blame] | 575 | |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 576 | if( ( ret = asn1_get_tag( p, end, &ext->len, |
Paul Bakker | fbc09f3 | 2011-10-12 09:56:41 +0000 | [diff] [blame] | 577 | ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | tag ) ) != 0 ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 578 | return( ret ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 579 | |
| 580 | ext->p = *p; |
| 581 | end = *p + ext->len; |
| 582 | |
| 583 | /* |
| 584 | * Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension |
| 585 | * |
| 586 | * Extension ::= SEQUENCE { |
| 587 | * extnID OBJECT IDENTIFIER, |
| 588 | * critical BOOLEAN DEFAULT FALSE, |
| 589 | * extnValue OCTET STRING } |
| 590 | */ |
| 591 | if( ( ret = asn1_get_tag( p, end, &len, |
| 592 | ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 593 | return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + ret ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 594 | |
| 595 | if( end != *p + len ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 596 | return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + |
Paul Bakker | 40e4694 | 2009-01-03 21:51:57 +0000 | [diff] [blame] | 597 | POLARSSL_ERR_ASN1_LENGTH_MISMATCH ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 598 | |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 599 | return( 0 ); |
| 600 | } |
| 601 | |
| 602 | /* |
| 603 | * X.509 CRL v2 extensions (no extensions parsed yet.) |
| 604 | */ |
| 605 | static int x509_get_crl_ext( unsigned char **p, |
Paul Bakker | ff60ee6 | 2010-03-16 21:09:09 +0000 | [diff] [blame] | 606 | const unsigned char *end, |
| 607 | x509_buf *ext ) |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 608 | { |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 609 | int ret; |
Paul Bakker | fbc09f3 | 2011-10-12 09:56:41 +0000 | [diff] [blame] | 610 | size_t len = 0; |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 611 | |
Paul Bakker | fbc09f3 | 2011-10-12 09:56:41 +0000 | [diff] [blame] | 612 | /* Get explicit tag */ |
| 613 | if( ( ret = x509_get_ext( p, end, ext, 0) ) != 0 ) |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 614 | { |
| 615 | if( ret == POLARSSL_ERR_ASN1_UNEXPECTED_TAG ) |
| 616 | return( 0 ); |
| 617 | |
| 618 | return( ret ); |
| 619 | } |
| 620 | |
| 621 | while( *p < end ) |
| 622 | { |
| 623 | if( ( ret = asn1_get_tag( p, end, &len, |
| 624 | ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 625 | return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + ret ); |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 626 | |
| 627 | *p += len; |
| 628 | } |
| 629 | |
| 630 | if( *p != end ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 631 | return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 632 | POLARSSL_ERR_ASN1_LENGTH_MISMATCH ); |
| 633 | |
| 634 | return( 0 ); |
| 635 | } |
| 636 | |
Paul Bakker | b5a11ab | 2011-10-12 09:58:41 +0000 | [diff] [blame] | 637 | /* |
| 638 | * X.509 CRL v2 entry extensions (no extensions parsed yet.) |
| 639 | */ |
| 640 | static int x509_get_crl_entry_ext( unsigned char **p, |
| 641 | const unsigned char *end, |
| 642 | x509_buf *ext ) |
| 643 | { |
| 644 | int ret; |
| 645 | size_t len = 0; |
| 646 | |
| 647 | /* OPTIONAL */ |
| 648 | if (end <= *p) |
| 649 | return( 0 ); |
| 650 | |
| 651 | ext->tag = **p; |
| 652 | ext->p = *p; |
| 653 | |
| 654 | /* |
| 655 | * Get CRL-entry extension sequence header |
| 656 | * crlEntryExtensions Extensions OPTIONAL -- if present, MUST be v2 |
| 657 | */ |
| 658 | if( ( ret = asn1_get_tag( p, end, &ext->len, |
| 659 | ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 ) |
| 660 | { |
| 661 | if( ret == POLARSSL_ERR_ASN1_UNEXPECTED_TAG ) |
| 662 | { |
| 663 | ext->p = NULL; |
| 664 | return( 0 ); |
| 665 | } |
| 666 | return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + ret ); |
| 667 | } |
| 668 | |
| 669 | end = *p + ext->len; |
| 670 | |
| 671 | if( end != *p + ext->len ) |
| 672 | return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + |
| 673 | POLARSSL_ERR_ASN1_LENGTH_MISMATCH ); |
| 674 | |
| 675 | while( *p < end ) |
| 676 | { |
| 677 | if( ( ret = asn1_get_tag( p, end, &len, |
| 678 | ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 ) |
| 679 | return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + ret ); |
| 680 | |
| 681 | *p += len; |
| 682 | } |
| 683 | |
| 684 | if( *p != end ) |
| 685 | return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + |
| 686 | POLARSSL_ERR_ASN1_LENGTH_MISMATCH ); |
| 687 | |
| 688 | return( 0 ); |
| 689 | } |
| 690 | |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 691 | static int x509_get_basic_constraints( unsigned char **p, |
| 692 | const unsigned char *end, |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 693 | int *ca_istrue, |
| 694 | int *max_pathlen ) |
| 695 | { |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 696 | int ret; |
| 697 | size_t len; |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 698 | |
| 699 | /* |
| 700 | * BasicConstraints ::= SEQUENCE { |
| 701 | * cA BOOLEAN DEFAULT FALSE, |
| 702 | * pathLenConstraint INTEGER (0..MAX) OPTIONAL } |
| 703 | */ |
Paul Bakker | 3cccddb | 2011-01-16 21:46:31 +0000 | [diff] [blame] | 704 | *ca_istrue = 0; /* DEFAULT FALSE */ |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 705 | *max_pathlen = 0; /* endless */ |
| 706 | |
| 707 | if( ( ret = asn1_get_tag( p, end, &len, |
| 708 | ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 709 | return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + ret ); |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 710 | |
| 711 | if( *p == end ) |
| 712 | return 0; |
| 713 | |
Paul Bakker | 3cccddb | 2011-01-16 21:46:31 +0000 | [diff] [blame] | 714 | if( ( ret = asn1_get_bool( p, end, ca_istrue ) ) != 0 ) |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 715 | { |
| 716 | if( ret == POLARSSL_ERR_ASN1_UNEXPECTED_TAG ) |
Paul Bakker | 3cccddb | 2011-01-16 21:46:31 +0000 | [diff] [blame] | 717 | ret = asn1_get_int( p, end, ca_istrue ); |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 718 | |
| 719 | if( ret != 0 ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 720 | return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + ret ); |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 721 | |
Paul Bakker | 3cccddb | 2011-01-16 21:46:31 +0000 | [diff] [blame] | 722 | if( *ca_istrue != 0 ) |
| 723 | *ca_istrue = 1; |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 724 | } |
| 725 | |
| 726 | if( *p == end ) |
| 727 | return 0; |
| 728 | |
| 729 | if( ( ret = asn1_get_int( p, end, max_pathlen ) ) != 0 ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 730 | return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + ret ); |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 731 | |
| 732 | if( *p != end ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 733 | return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 734 | POLARSSL_ERR_ASN1_LENGTH_MISMATCH ); |
| 735 | |
| 736 | (*max_pathlen)++; |
| 737 | |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 738 | return 0; |
| 739 | } |
| 740 | |
| 741 | static int x509_get_ns_cert_type( unsigned char **p, |
| 742 | const unsigned char *end, |
| 743 | unsigned char *ns_cert_type) |
| 744 | { |
| 745 | int ret; |
Paul Bakker | d61e7d9 | 2011-01-18 16:17:47 +0000 | [diff] [blame] | 746 | x509_bitstring bs = { 0, 0, NULL }; |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 747 | |
| 748 | if( ( ret = asn1_get_bitstring( p, end, &bs ) ) != 0 ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 749 | return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + ret ); |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 750 | |
| 751 | if( bs.len != 1 ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 752 | return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 753 | POLARSSL_ERR_ASN1_INVALID_LENGTH ); |
| 754 | |
| 755 | /* Get actual bitstring */ |
| 756 | *ns_cert_type = *bs.p; |
| 757 | return 0; |
| 758 | } |
| 759 | |
| 760 | static int x509_get_key_usage( unsigned char **p, |
| 761 | const unsigned char *end, |
| 762 | unsigned char *key_usage) |
| 763 | { |
| 764 | int ret; |
Paul Bakker | d61e7d9 | 2011-01-18 16:17:47 +0000 | [diff] [blame] | 765 | x509_bitstring bs = { 0, 0, NULL }; |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 766 | |
| 767 | if( ( ret = asn1_get_bitstring( p, end, &bs ) ) != 0 ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 768 | return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + ret ); |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 769 | |
Paul Bakker | cebdf17 | 2011-11-11 15:01:31 +0000 | [diff] [blame] | 770 | if( bs.len > 1 ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 771 | return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 772 | POLARSSL_ERR_ASN1_INVALID_LENGTH ); |
| 773 | |
| 774 | /* Get actual bitstring */ |
| 775 | *key_usage = *bs.p; |
| 776 | return 0; |
| 777 | } |
| 778 | |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 779 | /* |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 780 | * ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId |
| 781 | * |
| 782 | * KeyPurposeId ::= OBJECT IDENTIFIER |
| 783 | */ |
| 784 | static int x509_get_ext_key_usage( unsigned char **p, |
| 785 | const unsigned char *end, |
| 786 | x509_sequence *ext_key_usage) |
| 787 | { |
| 788 | int ret; |
| 789 | |
| 790 | if( ( ret = asn1_get_sequence_of( p, end, ext_key_usage, ASN1_OID ) ) != 0 ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 791 | return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + ret ); |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 792 | |
| 793 | /* Sequence length must be >= 1 */ |
| 794 | if( ext_key_usage->buf.p == NULL ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 795 | return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 796 | POLARSSL_ERR_ASN1_INVALID_LENGTH ); |
| 797 | |
| 798 | return 0; |
| 799 | } |
| 800 | |
| 801 | /* |
| 802 | * X.509 v3 extensions |
| 803 | * |
| 804 | * TODO: Perform all of the basic constraints tests required by the RFC |
| 805 | * TODO: Set values for undetected extensions to a sane default? |
| 806 | * |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 807 | */ |
| 808 | static int x509_get_crt_ext( unsigned char **p, |
Paul Bakker | ff60ee6 | 2010-03-16 21:09:09 +0000 | [diff] [blame] | 809 | const unsigned char *end, |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 810 | x509_cert *crt ) |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 811 | { |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 812 | int ret; |
| 813 | size_t len; |
Paul Bakker | c6ce838 | 2009-07-27 21:34:45 +0000 | [diff] [blame] | 814 | unsigned char *end_ext_data, *end_ext_octet; |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 815 | |
Paul Bakker | fbc09f3 | 2011-10-12 09:56:41 +0000 | [diff] [blame] | 816 | if( ( ret = x509_get_ext( p, end, &crt->v3_ext, 3 ) ) != 0 ) |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 817 | { |
| 818 | if( ret == POLARSSL_ERR_ASN1_UNEXPECTED_TAG ) |
| 819 | return( 0 ); |
| 820 | |
| 821 | return( ret ); |
| 822 | } |
| 823 | |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 824 | while( *p < end ) |
| 825 | { |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 826 | /* |
| 827 | * Extension ::= SEQUENCE { |
| 828 | * extnID OBJECT IDENTIFIER, |
| 829 | * critical BOOLEAN DEFAULT FALSE, |
| 830 | * extnValue OCTET STRING } |
| 831 | */ |
| 832 | x509_buf extn_oid = {0, 0, NULL}; |
| 833 | int is_critical = 0; /* DEFAULT FALSE */ |
| 834 | |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 835 | if( ( ret = asn1_get_tag( p, end, &len, |
| 836 | ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 837 | return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + ret ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 838 | |
Paul Bakker | c6ce838 | 2009-07-27 21:34:45 +0000 | [diff] [blame] | 839 | end_ext_data = *p + len; |
| 840 | |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 841 | /* Get extension ID */ |
| 842 | extn_oid.tag = **p; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 843 | |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 844 | if( ( ret = asn1_get_tag( p, end, &extn_oid.len, ASN1_OID ) ) != 0 ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 845 | return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + ret ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 846 | |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 847 | extn_oid.p = *p; |
| 848 | *p += extn_oid.len; |
| 849 | |
| 850 | if( ( end - *p ) < 1 ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 851 | return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 852 | POLARSSL_ERR_ASN1_OUT_OF_DATA ); |
| 853 | |
| 854 | /* Get optional critical */ |
Paul Bakker | c6ce838 | 2009-07-27 21:34:45 +0000 | [diff] [blame] | 855 | if( ( ret = asn1_get_bool( p, end_ext_data, &is_critical ) ) != 0 && |
Paul Bakker | 40e4694 | 2009-01-03 21:51:57 +0000 | [diff] [blame] | 856 | ( ret != POLARSSL_ERR_ASN1_UNEXPECTED_TAG ) ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 857 | return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + ret ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 858 | |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 859 | /* Data should be octet string type */ |
Paul Bakker | c6ce838 | 2009-07-27 21:34:45 +0000 | [diff] [blame] | 860 | if( ( ret = asn1_get_tag( p, end_ext_data, &len, |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 861 | ASN1_OCTET_STRING ) ) != 0 ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 862 | return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + ret ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 863 | |
Paul Bakker | c6ce838 | 2009-07-27 21:34:45 +0000 | [diff] [blame] | 864 | end_ext_octet = *p + len; |
Paul Bakker | ff60ee6 | 2010-03-16 21:09:09 +0000 | [diff] [blame] | 865 | |
Paul Bakker | c6ce838 | 2009-07-27 21:34:45 +0000 | [diff] [blame] | 866 | if( end_ext_octet != end_ext_data ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 867 | return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + |
Paul Bakker | c6ce838 | 2009-07-27 21:34:45 +0000 | [diff] [blame] | 868 | POLARSSL_ERR_ASN1_LENGTH_MISMATCH ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 869 | |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 870 | /* |
| 871 | * Detect supported extensions |
| 872 | */ |
| 873 | if( ( OID_SIZE( OID_BASIC_CONSTRAINTS ) == extn_oid.len ) && |
| 874 | memcmp( extn_oid.p, OID_BASIC_CONSTRAINTS, extn_oid.len ) == 0 ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 875 | { |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 876 | /* Parse basic constraints */ |
| 877 | if( ( ret = x509_get_basic_constraints( p, end_ext_octet, |
Paul Bakker | 3cccddb | 2011-01-16 21:46:31 +0000 | [diff] [blame] | 878 | &crt->ca_istrue, &crt->max_pathlen ) ) != 0 ) |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 879 | return ( ret ); |
| 880 | crt->ext_types |= EXT_BASIC_CONSTRAINTS; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 881 | } |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 882 | else if( ( OID_SIZE( OID_NS_CERT_TYPE ) == extn_oid.len ) && |
| 883 | memcmp( extn_oid.p, OID_NS_CERT_TYPE, extn_oid.len ) == 0 ) |
| 884 | { |
| 885 | /* Parse netscape certificate type */ |
| 886 | if( ( ret = x509_get_ns_cert_type( p, end_ext_octet, |
| 887 | &crt->ns_cert_type ) ) != 0 ) |
| 888 | return ( ret ); |
| 889 | crt->ext_types |= EXT_NS_CERT_TYPE; |
| 890 | } |
| 891 | else if( ( OID_SIZE( OID_KEY_USAGE ) == extn_oid.len ) && |
| 892 | memcmp( extn_oid.p, OID_KEY_USAGE, extn_oid.len ) == 0 ) |
| 893 | { |
| 894 | /* Parse key usage */ |
| 895 | if( ( ret = x509_get_key_usage( p, end_ext_octet, |
| 896 | &crt->key_usage ) ) != 0 ) |
| 897 | return ( ret ); |
| 898 | crt->ext_types |= EXT_KEY_USAGE; |
| 899 | } |
| 900 | else if( ( OID_SIZE( OID_EXTENDED_KEY_USAGE ) == extn_oid.len ) && |
| 901 | memcmp( extn_oid.p, OID_EXTENDED_KEY_USAGE, extn_oid.len ) == 0 ) |
| 902 | { |
| 903 | /* Parse extended key usage */ |
| 904 | if( ( ret = x509_get_ext_key_usage( p, end_ext_octet, |
| 905 | &crt->ext_key_usage ) ) != 0 ) |
| 906 | return ( ret ); |
| 907 | crt->ext_types |= EXT_EXTENDED_KEY_USAGE; |
| 908 | } |
| 909 | else |
| 910 | { |
| 911 | /* No parser found, skip extension */ |
| 912 | *p = end_ext_octet; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 913 | |
Paul Bakker | 5c721f9 | 2011-07-27 16:51:09 +0000 | [diff] [blame] | 914 | #if !defined(POLARSSL_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION) |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 915 | if( is_critical ) |
| 916 | { |
| 917 | /* Data is marked as critical: fail */ |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 918 | return ( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 919 | POLARSSL_ERR_ASN1_UNEXPECTED_TAG ); |
| 920 | } |
Paul Bakker | 5c721f9 | 2011-07-27 16:51:09 +0000 | [diff] [blame] | 921 | #endif |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 922 | } |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 923 | } |
| 924 | |
| 925 | if( *p != end ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 926 | return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + |
Paul Bakker | 40e4694 | 2009-01-03 21:51:57 +0000 | [diff] [blame] | 927 | POLARSSL_ERR_ASN1_LENGTH_MISMATCH ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 928 | |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 929 | return( 0 ); |
| 930 | } |
| 931 | |
| 932 | /* |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 933 | * X.509 CRL Entries |
| 934 | */ |
| 935 | static int x509_get_entries( unsigned char **p, |
Paul Bakker | ff60ee6 | 2010-03-16 21:09:09 +0000 | [diff] [blame] | 936 | const unsigned char *end, |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 937 | x509_crl_entry *entry ) |
| 938 | { |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 939 | int ret; |
| 940 | size_t entry_len; |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 941 | x509_crl_entry *cur_entry = entry; |
| 942 | |
| 943 | if( *p == end ) |
| 944 | return( 0 ); |
| 945 | |
Paul Bakker | 9be1937 | 2009-07-27 20:21:53 +0000 | [diff] [blame] | 946 | if( ( ret = asn1_get_tag( p, end, &entry_len, |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 947 | ASN1_SEQUENCE | ASN1_CONSTRUCTED ) ) != 0 ) |
| 948 | { |
| 949 | if( ret == POLARSSL_ERR_ASN1_UNEXPECTED_TAG ) |
| 950 | return( 0 ); |
| 951 | |
| 952 | return( ret ); |
| 953 | } |
| 954 | |
Paul Bakker | 9be1937 | 2009-07-27 20:21:53 +0000 | [diff] [blame] | 955 | end = *p + entry_len; |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 956 | |
| 957 | while( *p < end ) |
| 958 | { |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 959 | size_t len2; |
Paul Bakker | b5a11ab | 2011-10-12 09:58:41 +0000 | [diff] [blame] | 960 | const unsigned char *end2; |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 961 | |
| 962 | if( ( ret = asn1_get_tag( p, end, &len2, |
| 963 | ASN1_SEQUENCE | ASN1_CONSTRUCTED ) ) != 0 ) |
| 964 | { |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 965 | return( ret ); |
| 966 | } |
| 967 | |
Paul Bakker | 9be1937 | 2009-07-27 20:21:53 +0000 | [diff] [blame] | 968 | cur_entry->raw.tag = **p; |
| 969 | cur_entry->raw.p = *p; |
| 970 | cur_entry->raw.len = len2; |
Paul Bakker | b5a11ab | 2011-10-12 09:58:41 +0000 | [diff] [blame] | 971 | end2 = *p + len2; |
Paul Bakker | 9be1937 | 2009-07-27 20:21:53 +0000 | [diff] [blame] | 972 | |
Paul Bakker | b5a11ab | 2011-10-12 09:58:41 +0000 | [diff] [blame] | 973 | if( ( ret = x509_get_serial( p, end2, &cur_entry->serial ) ) != 0 ) |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 974 | return( ret ); |
| 975 | |
Paul Bakker | b5a11ab | 2011-10-12 09:58:41 +0000 | [diff] [blame] | 976 | if( ( ret = x509_get_time( p, end2, &cur_entry->revocation_date ) ) != 0 ) |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 977 | return( ret ); |
| 978 | |
Paul Bakker | b5a11ab | 2011-10-12 09:58:41 +0000 | [diff] [blame] | 979 | if( ( ret = x509_get_crl_entry_ext( p, end2, &cur_entry->entry_ext ) ) != 0 ) |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 980 | return( ret ); |
| 981 | |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 982 | if ( *p < end ) |
| 983 | { |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 984 | cur_entry->next = malloc( sizeof( x509_crl_entry ) ); |
Paul Bakker | e2e36d3 | 2012-01-23 09:56:51 +0000 | [diff] [blame] | 985 | |
| 986 | if( cur_entry->next == NULL ) |
| 987 | return( POLARSSL_ERR_X509_MALLOC_FAILED ); |
| 988 | |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 989 | cur_entry = cur_entry->next; |
| 990 | memset( cur_entry, 0, sizeof( x509_crl_entry ) ); |
| 991 | } |
| 992 | } |
| 993 | |
| 994 | return( 0 ); |
| 995 | } |
| 996 | |
Paul Bakker | 27d6616 | 2010-03-17 06:56:01 +0000 | [diff] [blame] | 997 | static int x509_get_sig_alg( const x509_buf *sig_oid, int *sig_alg ) |
| 998 | { |
| 999 | if( sig_oid->len == 9 && |
| 1000 | memcmp( sig_oid->p, OID_PKCS1, 8 ) == 0 ) |
| 1001 | { |
| 1002 | if( sig_oid->p[8] >= 2 && sig_oid->p[8] <= 5 ) |
| 1003 | { |
| 1004 | *sig_alg = sig_oid->p[8]; |
| 1005 | return( 0 ); |
| 1006 | } |
| 1007 | |
| 1008 | if ( sig_oid->p[8] >= 11 && sig_oid->p[8] <= 14 ) |
| 1009 | { |
| 1010 | *sig_alg = sig_oid->p[8]; |
| 1011 | return( 0 ); |
| 1012 | } |
| 1013 | |
| 1014 | return( POLARSSL_ERR_X509_CERT_UNKNOWN_SIG_ALG ); |
| 1015 | } |
Paul Bakker | 400ff6f | 2011-02-20 10:40:16 +0000 | [diff] [blame] | 1016 | if( sig_oid->len == 5 && |
| 1017 | memcmp( sig_oid->p, OID_RSA_SHA_OBS, 5 ) == 0 ) |
| 1018 | { |
| 1019 | *sig_alg = SIG_RSA_SHA1; |
| 1020 | return( 0 ); |
| 1021 | } |
Paul Bakker | 27d6616 | 2010-03-17 06:56:01 +0000 | [diff] [blame] | 1022 | |
| 1023 | return( POLARSSL_ERR_X509_CERT_UNKNOWN_SIG_ALG ); |
| 1024 | } |
| 1025 | |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1026 | /* |
Paul Bakker | 6c0ceb3 | 2011-12-04 12:24:18 +0000 | [diff] [blame] | 1027 | * Parse and fill a single X.509 certificate in DER format |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1028 | */ |
Paul Bakker | 6c0ceb3 | 2011-12-04 12:24:18 +0000 | [diff] [blame] | 1029 | int x509parse_crt_der( x509_cert *crt, const unsigned char *buf, size_t buflen ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1030 | { |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 1031 | int ret; |
Paul Bakker | 5690efc | 2011-05-26 13:16:06 +0000 | [diff] [blame] | 1032 | size_t len; |
Paul Bakker | 47f6261 | 2013-01-14 16:40:55 +0100 | [diff] [blame] | 1033 | unsigned char *p, *end, *crt_end; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1034 | |
Paul Bakker | 320a4b5 | 2009-03-28 18:52:39 +0000 | [diff] [blame] | 1035 | /* |
| 1036 | * Check for valid input |
| 1037 | */ |
| 1038 | if( crt == NULL || buf == NULL ) |
Paul Bakker | 732e1a8 | 2011-12-11 16:35:09 +0000 | [diff] [blame] | 1039 | return( POLARSSL_ERR_X509_INVALID_INPUT ); |
Paul Bakker | 320a4b5 | 2009-03-28 18:52:39 +0000 | [diff] [blame] | 1040 | |
Paul Bakker | 96743fc | 2011-02-12 14:30:57 +0000 | [diff] [blame] | 1041 | p = (unsigned char *) malloc( len = buflen ); |
| 1042 | |
| 1043 | if( p == NULL ) |
Paul Bakker | 732e1a8 | 2011-12-11 16:35:09 +0000 | [diff] [blame] | 1044 | return( POLARSSL_ERR_X509_MALLOC_FAILED ); |
Paul Bakker | 96743fc | 2011-02-12 14:30:57 +0000 | [diff] [blame] | 1045 | |
| 1046 | memcpy( p, buf, buflen ); |
| 1047 | |
| 1048 | buflen = 0; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1049 | |
| 1050 | crt->raw.p = p; |
| 1051 | crt->raw.len = len; |
| 1052 | end = p + len; |
| 1053 | |
| 1054 | /* |
| 1055 | * Certificate ::= SEQUENCE { |
| 1056 | * tbsCertificate TBSCertificate, |
| 1057 | * signatureAlgorithm AlgorithmIdentifier, |
| 1058 | * signatureValue BIT STRING } |
| 1059 | */ |
| 1060 | if( ( ret = asn1_get_tag( &p, end, &len, |
| 1061 | ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 ) |
| 1062 | { |
Paul Bakker | 7d06ad2 | 2009-05-02 15:53:56 +0000 | [diff] [blame] | 1063 | x509_free( crt ); |
Paul Bakker | 40e4694 | 2009-01-03 21:51:57 +0000 | [diff] [blame] | 1064 | return( POLARSSL_ERR_X509_CERT_INVALID_FORMAT ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1065 | } |
| 1066 | |
Paul Bakker | 47f6261 | 2013-01-14 16:40:55 +0100 | [diff] [blame] | 1067 | if( len > (size_t) ( end - p ) ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1068 | { |
Paul Bakker | 7d06ad2 | 2009-05-02 15:53:56 +0000 | [diff] [blame] | 1069 | x509_free( crt ); |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 1070 | return( POLARSSL_ERR_X509_CERT_INVALID_FORMAT + |
Paul Bakker | 40e4694 | 2009-01-03 21:51:57 +0000 | [diff] [blame] | 1071 | POLARSSL_ERR_ASN1_LENGTH_MISMATCH ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1072 | } |
Paul Bakker | 47f6261 | 2013-01-14 16:40:55 +0100 | [diff] [blame] | 1073 | crt_end = p + len; |
| 1074 | |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1075 | /* |
| 1076 | * TBSCertificate ::= SEQUENCE { |
| 1077 | */ |
| 1078 | crt->tbs.p = p; |
| 1079 | |
| 1080 | if( ( ret = asn1_get_tag( &p, end, &len, |
| 1081 | ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 ) |
| 1082 | { |
Paul Bakker | 7d06ad2 | 2009-05-02 15:53:56 +0000 | [diff] [blame] | 1083 | x509_free( crt ); |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 1084 | return( POLARSSL_ERR_X509_CERT_INVALID_FORMAT + ret ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1085 | } |
| 1086 | |
| 1087 | end = p + len; |
| 1088 | crt->tbs.len = end - crt->tbs.p; |
| 1089 | |
| 1090 | /* |
| 1091 | * Version ::= INTEGER { v1(0), v2(1), v3(2) } |
| 1092 | * |
| 1093 | * CertificateSerialNumber ::= INTEGER |
| 1094 | * |
| 1095 | * signature AlgorithmIdentifier |
| 1096 | */ |
| 1097 | if( ( ret = x509_get_version( &p, end, &crt->version ) ) != 0 || |
| 1098 | ( ret = x509_get_serial( &p, end, &crt->serial ) ) != 0 || |
| 1099 | ( ret = x509_get_alg( &p, end, &crt->sig_oid1 ) ) != 0 ) |
| 1100 | { |
Paul Bakker | 7d06ad2 | 2009-05-02 15:53:56 +0000 | [diff] [blame] | 1101 | x509_free( crt ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1102 | return( ret ); |
| 1103 | } |
| 1104 | |
| 1105 | crt->version++; |
| 1106 | |
| 1107 | if( crt->version > 3 ) |
| 1108 | { |
Paul Bakker | 7d06ad2 | 2009-05-02 15:53:56 +0000 | [diff] [blame] | 1109 | x509_free( crt ); |
Paul Bakker | 40e4694 | 2009-01-03 21:51:57 +0000 | [diff] [blame] | 1110 | return( POLARSSL_ERR_X509_CERT_UNKNOWN_VERSION ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1111 | } |
| 1112 | |
Paul Bakker | 27d6616 | 2010-03-17 06:56:01 +0000 | [diff] [blame] | 1113 | if( ( ret = x509_get_sig_alg( &crt->sig_oid1, &crt->sig_alg ) ) != 0 ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1114 | { |
Paul Bakker | 7d06ad2 | 2009-05-02 15:53:56 +0000 | [diff] [blame] | 1115 | x509_free( crt ); |
Paul Bakker | 27d6616 | 2010-03-17 06:56:01 +0000 | [diff] [blame] | 1116 | return( ret ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1117 | } |
| 1118 | |
| 1119 | /* |
| 1120 | * issuer Name |
| 1121 | */ |
| 1122 | crt->issuer_raw.p = p; |
| 1123 | |
| 1124 | if( ( ret = asn1_get_tag( &p, end, &len, |
| 1125 | ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 ) |
| 1126 | { |
Paul Bakker | 7d06ad2 | 2009-05-02 15:53:56 +0000 | [diff] [blame] | 1127 | x509_free( crt ); |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 1128 | return( POLARSSL_ERR_X509_CERT_INVALID_FORMAT + ret ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1129 | } |
| 1130 | |
| 1131 | if( ( ret = x509_get_name( &p, p + len, &crt->issuer ) ) != 0 ) |
| 1132 | { |
Paul Bakker | 7d06ad2 | 2009-05-02 15:53:56 +0000 | [diff] [blame] | 1133 | x509_free( crt ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1134 | return( ret ); |
| 1135 | } |
| 1136 | |
| 1137 | crt->issuer_raw.len = p - crt->issuer_raw.p; |
| 1138 | |
| 1139 | /* |
| 1140 | * Validity ::= SEQUENCE { |
| 1141 | * notBefore Time, |
| 1142 | * notAfter Time } |
| 1143 | * |
| 1144 | */ |
| 1145 | if( ( ret = x509_get_dates( &p, end, &crt->valid_from, |
| 1146 | &crt->valid_to ) ) != 0 ) |
| 1147 | { |
Paul Bakker | 7d06ad2 | 2009-05-02 15:53:56 +0000 | [diff] [blame] | 1148 | x509_free( crt ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1149 | return( ret ); |
| 1150 | } |
| 1151 | |
| 1152 | /* |
| 1153 | * subject Name |
| 1154 | */ |
| 1155 | crt->subject_raw.p = p; |
| 1156 | |
| 1157 | if( ( ret = asn1_get_tag( &p, end, &len, |
| 1158 | ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 ) |
| 1159 | { |
Paul Bakker | 7d06ad2 | 2009-05-02 15:53:56 +0000 | [diff] [blame] | 1160 | x509_free( crt ); |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 1161 | return( POLARSSL_ERR_X509_CERT_INVALID_FORMAT + ret ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1162 | } |
| 1163 | |
| 1164 | if( ( ret = x509_get_name( &p, p + len, &crt->subject ) ) != 0 ) |
| 1165 | { |
Paul Bakker | 7d06ad2 | 2009-05-02 15:53:56 +0000 | [diff] [blame] | 1166 | x509_free( crt ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1167 | return( ret ); |
| 1168 | } |
| 1169 | |
| 1170 | crt->subject_raw.len = p - crt->subject_raw.p; |
| 1171 | |
| 1172 | /* |
| 1173 | * SubjectPublicKeyInfo ::= SEQUENCE |
| 1174 | * algorithm AlgorithmIdentifier, |
| 1175 | * subjectPublicKey BIT STRING } |
| 1176 | */ |
| 1177 | if( ( ret = asn1_get_tag( &p, end, &len, |
| 1178 | ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 ) |
| 1179 | { |
Paul Bakker | 7d06ad2 | 2009-05-02 15:53:56 +0000 | [diff] [blame] | 1180 | x509_free( crt ); |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 1181 | return( POLARSSL_ERR_X509_CERT_INVALID_FORMAT + ret ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1182 | } |
| 1183 | |
| 1184 | if( ( ret = x509_get_pubkey( &p, p + len, &crt->pk_oid, |
| 1185 | &crt->rsa.N, &crt->rsa.E ) ) != 0 ) |
| 1186 | { |
Paul Bakker | 7d06ad2 | 2009-05-02 15:53:56 +0000 | [diff] [blame] | 1187 | x509_free( crt ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1188 | return( ret ); |
| 1189 | } |
| 1190 | |
| 1191 | if( ( ret = rsa_check_pubkey( &crt->rsa ) ) != 0 ) |
| 1192 | { |
Paul Bakker | 7d06ad2 | 2009-05-02 15:53:56 +0000 | [diff] [blame] | 1193 | x509_free( crt ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1194 | return( ret ); |
| 1195 | } |
| 1196 | |
| 1197 | crt->rsa.len = mpi_size( &crt->rsa.N ); |
| 1198 | |
| 1199 | /* |
| 1200 | * issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL, |
| 1201 | * -- If present, version shall be v2 or v3 |
| 1202 | * subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL, |
| 1203 | * -- If present, version shall be v2 or v3 |
| 1204 | * extensions [3] EXPLICIT Extensions OPTIONAL |
| 1205 | * -- If present, version shall be v3 |
| 1206 | */ |
| 1207 | if( crt->version == 2 || crt->version == 3 ) |
| 1208 | { |
| 1209 | ret = x509_get_uid( &p, end, &crt->issuer_id, 1 ); |
| 1210 | if( ret != 0 ) |
| 1211 | { |
Paul Bakker | 7d06ad2 | 2009-05-02 15:53:56 +0000 | [diff] [blame] | 1212 | x509_free( crt ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1213 | return( ret ); |
| 1214 | } |
| 1215 | } |
| 1216 | |
| 1217 | if( crt->version == 2 || crt->version == 3 ) |
| 1218 | { |
| 1219 | ret = x509_get_uid( &p, end, &crt->subject_id, 2 ); |
| 1220 | if( ret != 0 ) |
| 1221 | { |
Paul Bakker | 7d06ad2 | 2009-05-02 15:53:56 +0000 | [diff] [blame] | 1222 | x509_free( crt ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1223 | return( ret ); |
| 1224 | } |
| 1225 | } |
| 1226 | |
| 1227 | if( crt->version == 3 ) |
| 1228 | { |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 1229 | ret = x509_get_crt_ext( &p, end, crt); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1230 | if( ret != 0 ) |
| 1231 | { |
Paul Bakker | 7d06ad2 | 2009-05-02 15:53:56 +0000 | [diff] [blame] | 1232 | x509_free( crt ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1233 | return( ret ); |
| 1234 | } |
| 1235 | } |
| 1236 | |
| 1237 | if( p != end ) |
| 1238 | { |
Paul Bakker | 7d06ad2 | 2009-05-02 15:53:56 +0000 | [diff] [blame] | 1239 | x509_free( crt ); |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 1240 | return( POLARSSL_ERR_X509_CERT_INVALID_FORMAT + |
Paul Bakker | 40e4694 | 2009-01-03 21:51:57 +0000 | [diff] [blame] | 1241 | POLARSSL_ERR_ASN1_LENGTH_MISMATCH ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1242 | } |
| 1243 | |
Paul Bakker | 47f6261 | 2013-01-14 16:40:55 +0100 | [diff] [blame] | 1244 | end = crt_end; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1245 | |
| 1246 | /* |
| 1247 | * signatureAlgorithm AlgorithmIdentifier, |
| 1248 | * signatureValue BIT STRING |
| 1249 | */ |
| 1250 | if( ( ret = x509_get_alg( &p, end, &crt->sig_oid2 ) ) != 0 ) |
| 1251 | { |
Paul Bakker | 7d06ad2 | 2009-05-02 15:53:56 +0000 | [diff] [blame] | 1252 | x509_free( crt ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1253 | return( ret ); |
| 1254 | } |
| 1255 | |
Paul Bakker | 7261cba | 2013-01-16 12:39:54 +0100 | [diff] [blame] | 1256 | if( crt->sig_oid1.len != crt->sig_oid2.len || |
| 1257 | memcmp( crt->sig_oid1.p, crt->sig_oid2.p, crt->sig_oid1.len ) != 0 ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1258 | { |
Paul Bakker | 7d06ad2 | 2009-05-02 15:53:56 +0000 | [diff] [blame] | 1259 | x509_free( crt ); |
Paul Bakker | 40e4694 | 2009-01-03 21:51:57 +0000 | [diff] [blame] | 1260 | return( POLARSSL_ERR_X509_CERT_SIG_MISMATCH ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1261 | } |
| 1262 | |
| 1263 | if( ( ret = x509_get_sig( &p, end, &crt->sig ) ) != 0 ) |
| 1264 | { |
Paul Bakker | 7d06ad2 | 2009-05-02 15:53:56 +0000 | [diff] [blame] | 1265 | x509_free( crt ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1266 | return( ret ); |
| 1267 | } |
| 1268 | |
| 1269 | if( p != end ) |
| 1270 | { |
Paul Bakker | 7d06ad2 | 2009-05-02 15:53:56 +0000 | [diff] [blame] | 1271 | x509_free( crt ); |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 1272 | return( POLARSSL_ERR_X509_CERT_INVALID_FORMAT + |
Paul Bakker | 40e4694 | 2009-01-03 21:51:57 +0000 | [diff] [blame] | 1273 | POLARSSL_ERR_ASN1_LENGTH_MISMATCH ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1274 | } |
| 1275 | |
Paul Bakker | 6c0ceb3 | 2011-12-04 12:24:18 +0000 | [diff] [blame] | 1276 | return( 0 ); |
| 1277 | } |
| 1278 | |
| 1279 | /* |
| 1280 | * Parse one or more PEM certificates from a buffer and add them to the chained list |
| 1281 | */ |
Paul Bakker | 732e1a8 | 2011-12-11 16:35:09 +0000 | [diff] [blame] | 1282 | int x509parse_crt( x509_cert *chain, const unsigned char *buf, size_t buflen ) |
Paul Bakker | 6c0ceb3 | 2011-12-04 12:24:18 +0000 | [diff] [blame] | 1283 | { |
Paul Bakker | 732e1a8 | 2011-12-11 16:35:09 +0000 | [diff] [blame] | 1284 | int ret, success = 0, first_error = 0, total_failed = 0; |
Paul Bakker | 6c0ceb3 | 2011-12-04 12:24:18 +0000 | [diff] [blame] | 1285 | x509_cert *crt, *prev = NULL; |
| 1286 | int buf_format = X509_FORMAT_DER; |
| 1287 | |
| 1288 | crt = chain; |
| 1289 | |
| 1290 | /* |
| 1291 | * Check for valid input |
| 1292 | */ |
| 1293 | if( crt == NULL || buf == NULL ) |
Paul Bakker | 732e1a8 | 2011-12-11 16:35:09 +0000 | [diff] [blame] | 1294 | return( POLARSSL_ERR_X509_INVALID_INPUT ); |
Paul Bakker | 6c0ceb3 | 2011-12-04 12:24:18 +0000 | [diff] [blame] | 1295 | |
| 1296 | while( crt->version != 0 && crt->next != NULL ) |
| 1297 | { |
| 1298 | prev = crt; |
| 1299 | crt = crt->next; |
| 1300 | } |
| 1301 | |
| 1302 | /* |
| 1303 | * Add new certificate on the end of the chain if needed. |
| 1304 | */ |
| 1305 | if ( crt->version != 0 && crt->next == NULL) |
Paul Bakker | 320a4b5 | 2009-03-28 18:52:39 +0000 | [diff] [blame] | 1306 | { |
| 1307 | crt->next = (x509_cert *) malloc( sizeof( x509_cert ) ); |
| 1308 | |
Paul Bakker | 7d06ad2 | 2009-05-02 15:53:56 +0000 | [diff] [blame] | 1309 | if( crt->next == NULL ) |
Paul Bakker | 732e1a8 | 2011-12-11 16:35:09 +0000 | [diff] [blame] | 1310 | return( POLARSSL_ERR_X509_MALLOC_FAILED ); |
Paul Bakker | 320a4b5 | 2009-03-28 18:52:39 +0000 | [diff] [blame] | 1311 | |
Paul Bakker | 6c0ceb3 | 2011-12-04 12:24:18 +0000 | [diff] [blame] | 1312 | prev = crt; |
Paul Bakker | 7d06ad2 | 2009-05-02 15:53:56 +0000 | [diff] [blame] | 1313 | crt = crt->next; |
| 1314 | memset( crt, 0, sizeof( x509_cert ) ); |
Paul Bakker | 320a4b5 | 2009-03-28 18:52:39 +0000 | [diff] [blame] | 1315 | } |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1316 | |
Paul Bakker | 6c0ceb3 | 2011-12-04 12:24:18 +0000 | [diff] [blame] | 1317 | /* |
| 1318 | * Determine buffer content. Buffer contains either one DER certificate or |
| 1319 | * one or more PEM certificates. |
| 1320 | */ |
| 1321 | #if defined(POLARSSL_PEM_C) |
| 1322 | if( strstr( (char *) buf, "-----BEGIN CERTIFICATE-----" ) != NULL ) |
| 1323 | buf_format = X509_FORMAT_PEM; |
| 1324 | #endif |
| 1325 | |
| 1326 | if( buf_format == X509_FORMAT_DER ) |
| 1327 | return x509parse_crt_der( crt, buf, buflen ); |
| 1328 | |
| 1329 | #if defined(POLARSSL_PEM_C) |
| 1330 | if( buf_format == X509_FORMAT_PEM ) |
| 1331 | { |
| 1332 | pem_context pem; |
| 1333 | |
| 1334 | while( buflen > 0 ) |
| 1335 | { |
| 1336 | size_t use_len; |
| 1337 | pem_init( &pem ); |
| 1338 | |
| 1339 | ret = pem_read_buffer( &pem, |
| 1340 | "-----BEGIN CERTIFICATE-----", |
| 1341 | "-----END CERTIFICATE-----", |
| 1342 | buf, NULL, 0, &use_len ); |
| 1343 | |
| 1344 | if( ret == 0 ) |
| 1345 | { |
| 1346 | /* |
| 1347 | * Was PEM encoded |
| 1348 | */ |
| 1349 | buflen -= use_len; |
| 1350 | buf += use_len; |
| 1351 | } |
| 1352 | else if( ret != POLARSSL_ERR_PEM_NO_HEADER_PRESENT ) |
| 1353 | { |
| 1354 | pem_free( &pem ); |
| 1355 | |
| 1356 | if( first_error == 0 ) |
| 1357 | first_error = ret; |
| 1358 | |
| 1359 | continue; |
| 1360 | } |
| 1361 | else |
| 1362 | break; |
| 1363 | |
| 1364 | ret = x509parse_crt_der( crt, pem.buf, pem.buflen ); |
| 1365 | |
| 1366 | pem_free( &pem ); |
| 1367 | |
| 1368 | if( ret != 0 ) |
| 1369 | { |
| 1370 | /* |
Paul Bakker | 732e1a8 | 2011-12-11 16:35:09 +0000 | [diff] [blame] | 1371 | * quit parsing on a memory error |
Paul Bakker | 6c0ceb3 | 2011-12-04 12:24:18 +0000 | [diff] [blame] | 1372 | */ |
Paul Bakker | 732e1a8 | 2011-12-11 16:35:09 +0000 | [diff] [blame] | 1373 | if( ret == POLARSSL_ERR_X509_MALLOC_FAILED ) |
Paul Bakker | 6c0ceb3 | 2011-12-04 12:24:18 +0000 | [diff] [blame] | 1374 | { |
| 1375 | if( prev ) |
| 1376 | prev->next = NULL; |
| 1377 | |
| 1378 | if( crt != chain ) |
| 1379 | free( crt ); |
| 1380 | |
| 1381 | return( ret ); |
| 1382 | } |
| 1383 | |
| 1384 | if( first_error == 0 ) |
| 1385 | first_error = ret; |
Paul Bakker | 732e1a8 | 2011-12-11 16:35:09 +0000 | [diff] [blame] | 1386 | |
| 1387 | total_failed++; |
Paul Bakker | 6c0ceb3 | 2011-12-04 12:24:18 +0000 | [diff] [blame] | 1388 | |
| 1389 | memset( crt, 0, sizeof( x509_cert ) ); |
| 1390 | continue; |
| 1391 | } |
| 1392 | |
| 1393 | success = 1; |
| 1394 | |
| 1395 | /* |
| 1396 | * Add new certificate to the list |
| 1397 | */ |
| 1398 | crt->next = (x509_cert *) malloc( sizeof( x509_cert ) ); |
| 1399 | |
| 1400 | if( crt->next == NULL ) |
Paul Bakker | 732e1a8 | 2011-12-11 16:35:09 +0000 | [diff] [blame] | 1401 | return( POLARSSL_ERR_X509_MALLOC_FAILED ); |
Paul Bakker | 6c0ceb3 | 2011-12-04 12:24:18 +0000 | [diff] [blame] | 1402 | |
| 1403 | prev = crt; |
| 1404 | crt = crt->next; |
| 1405 | memset( crt, 0, sizeof( x509_cert ) ); |
| 1406 | } |
| 1407 | } |
| 1408 | #endif |
| 1409 | |
| 1410 | if( crt->version == 0 ) |
| 1411 | { |
| 1412 | if( prev ) |
| 1413 | prev->next = NULL; |
| 1414 | |
| 1415 | if( crt != chain ) |
| 1416 | free( crt ); |
| 1417 | } |
| 1418 | |
| 1419 | if( success ) |
Paul Bakker | 732e1a8 | 2011-12-11 16:35:09 +0000 | [diff] [blame] | 1420 | return( total_failed ); |
Paul Bakker | 6c0ceb3 | 2011-12-04 12:24:18 +0000 | [diff] [blame] | 1421 | else if( first_error ) |
| 1422 | return( first_error ); |
| 1423 | else |
| 1424 | return( POLARSSL_ERR_X509_CERT_UNKNOWN_FORMAT ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1425 | } |
| 1426 | |
| 1427 | /* |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1428 | * Parse one or more CRLs and add them to the chained list |
| 1429 | */ |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 1430 | int x509parse_crl( x509_crl *chain, const unsigned char *buf, size_t buflen ) |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1431 | { |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 1432 | int ret; |
Paul Bakker | 5690efc | 2011-05-26 13:16:06 +0000 | [diff] [blame] | 1433 | size_t len; |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1434 | unsigned char *p, *end; |
| 1435 | x509_crl *crl; |
Paul Bakker | 96743fc | 2011-02-12 14:30:57 +0000 | [diff] [blame] | 1436 | #if defined(POLARSSL_PEM_C) |
Paul Bakker | 5690efc | 2011-05-26 13:16:06 +0000 | [diff] [blame] | 1437 | size_t use_len; |
Paul Bakker | 96743fc | 2011-02-12 14:30:57 +0000 | [diff] [blame] | 1438 | pem_context pem; |
| 1439 | #endif |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1440 | |
| 1441 | crl = chain; |
| 1442 | |
| 1443 | /* |
| 1444 | * Check for valid input |
| 1445 | */ |
| 1446 | if( crl == NULL || buf == NULL ) |
Paul Bakker | 732e1a8 | 2011-12-11 16:35:09 +0000 | [diff] [blame] | 1447 | return( POLARSSL_ERR_X509_INVALID_INPUT ); |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1448 | |
| 1449 | while( crl->version != 0 && crl->next != NULL ) |
| 1450 | crl = crl->next; |
| 1451 | |
| 1452 | /* |
| 1453 | * Add new CRL on the end of the chain if needed. |
| 1454 | */ |
| 1455 | if ( crl->version != 0 && crl->next == NULL) |
| 1456 | { |
| 1457 | crl->next = (x509_crl *) malloc( sizeof( x509_crl ) ); |
| 1458 | |
Paul Bakker | 7d06ad2 | 2009-05-02 15:53:56 +0000 | [diff] [blame] | 1459 | if( crl->next == NULL ) |
| 1460 | { |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1461 | x509_crl_free( crl ); |
Paul Bakker | 732e1a8 | 2011-12-11 16:35:09 +0000 | [diff] [blame] | 1462 | return( POLARSSL_ERR_X509_MALLOC_FAILED ); |
Paul Bakker | 7d06ad2 | 2009-05-02 15:53:56 +0000 | [diff] [blame] | 1463 | } |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1464 | |
Paul Bakker | 7d06ad2 | 2009-05-02 15:53:56 +0000 | [diff] [blame] | 1465 | crl = crl->next; |
| 1466 | memset( crl, 0, sizeof( x509_crl ) ); |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1467 | } |
| 1468 | |
Paul Bakker | 96743fc | 2011-02-12 14:30:57 +0000 | [diff] [blame] | 1469 | #if defined(POLARSSL_PEM_C) |
| 1470 | pem_init( &pem ); |
| 1471 | ret = pem_read_buffer( &pem, |
| 1472 | "-----BEGIN X509 CRL-----", |
| 1473 | "-----END X509 CRL-----", |
| 1474 | buf, NULL, 0, &use_len ); |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1475 | |
Paul Bakker | 96743fc | 2011-02-12 14:30:57 +0000 | [diff] [blame] | 1476 | if( ret == 0 ) |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1477 | { |
Paul Bakker | 96743fc | 2011-02-12 14:30:57 +0000 | [diff] [blame] | 1478 | /* |
| 1479 | * Was PEM encoded |
| 1480 | */ |
| 1481 | buflen -= use_len; |
| 1482 | buf += use_len; |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1483 | |
| 1484 | /* |
Paul Bakker | 96743fc | 2011-02-12 14:30:57 +0000 | [diff] [blame] | 1485 | * Steal PEM buffer |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1486 | */ |
Paul Bakker | 96743fc | 2011-02-12 14:30:57 +0000 | [diff] [blame] | 1487 | p = pem.buf; |
| 1488 | pem.buf = NULL; |
| 1489 | len = pem.buflen; |
| 1490 | pem_free( &pem ); |
| 1491 | } |
| 1492 | else if( ret != POLARSSL_ERR_PEM_NO_HEADER_PRESENT ) |
| 1493 | { |
| 1494 | pem_free( &pem ); |
| 1495 | return( ret ); |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1496 | } |
| 1497 | else |
| 1498 | { |
| 1499 | /* |
| 1500 | * nope, copy the raw DER data |
| 1501 | */ |
| 1502 | p = (unsigned char *) malloc( len = buflen ); |
| 1503 | |
| 1504 | if( p == NULL ) |
Paul Bakker | 732e1a8 | 2011-12-11 16:35:09 +0000 | [diff] [blame] | 1505 | return( POLARSSL_ERR_X509_MALLOC_FAILED ); |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1506 | |
| 1507 | memcpy( p, buf, buflen ); |
| 1508 | |
| 1509 | buflen = 0; |
| 1510 | } |
Paul Bakker | 96743fc | 2011-02-12 14:30:57 +0000 | [diff] [blame] | 1511 | #else |
| 1512 | p = (unsigned char *) malloc( len = buflen ); |
| 1513 | |
| 1514 | if( p == NULL ) |
Paul Bakker | 732e1a8 | 2011-12-11 16:35:09 +0000 | [diff] [blame] | 1515 | return( POLARSSL_ERR_X509_MALLOC_FAILED ); |
Paul Bakker | 96743fc | 2011-02-12 14:30:57 +0000 | [diff] [blame] | 1516 | |
| 1517 | memcpy( p, buf, buflen ); |
| 1518 | |
| 1519 | buflen = 0; |
| 1520 | #endif |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1521 | |
| 1522 | crl->raw.p = p; |
| 1523 | crl->raw.len = len; |
| 1524 | end = p + len; |
| 1525 | |
| 1526 | /* |
| 1527 | * CertificateList ::= SEQUENCE { |
| 1528 | * tbsCertList TBSCertList, |
| 1529 | * signatureAlgorithm AlgorithmIdentifier, |
| 1530 | * signatureValue BIT STRING } |
| 1531 | */ |
| 1532 | if( ( ret = asn1_get_tag( &p, end, &len, |
| 1533 | ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 ) |
| 1534 | { |
| 1535 | x509_crl_free( crl ); |
| 1536 | return( POLARSSL_ERR_X509_CERT_INVALID_FORMAT ); |
| 1537 | } |
| 1538 | |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 1539 | if( len != (size_t) ( end - p ) ) |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1540 | { |
| 1541 | x509_crl_free( crl ); |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 1542 | return( POLARSSL_ERR_X509_CERT_INVALID_FORMAT + |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1543 | POLARSSL_ERR_ASN1_LENGTH_MISMATCH ); |
| 1544 | } |
| 1545 | |
| 1546 | /* |
| 1547 | * TBSCertList ::= SEQUENCE { |
| 1548 | */ |
| 1549 | crl->tbs.p = p; |
| 1550 | |
| 1551 | if( ( ret = asn1_get_tag( &p, end, &len, |
| 1552 | ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 ) |
| 1553 | { |
| 1554 | x509_crl_free( crl ); |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 1555 | return( POLARSSL_ERR_X509_CERT_INVALID_FORMAT + ret ); |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1556 | } |
| 1557 | |
| 1558 | end = p + len; |
| 1559 | crl->tbs.len = end - crl->tbs.p; |
| 1560 | |
| 1561 | /* |
| 1562 | * Version ::= INTEGER OPTIONAL { v1(0), v2(1) } |
| 1563 | * -- if present, MUST be v2 |
| 1564 | * |
| 1565 | * signature AlgorithmIdentifier |
| 1566 | */ |
Paul Bakker | 3329d1f | 2011-10-12 09:55:01 +0000 | [diff] [blame] | 1567 | if( ( ret = x509_crl_get_version( &p, end, &crl->version ) ) != 0 || |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1568 | ( ret = x509_get_alg( &p, end, &crl->sig_oid1 ) ) != 0 ) |
| 1569 | { |
| 1570 | x509_crl_free( crl ); |
| 1571 | return( ret ); |
| 1572 | } |
| 1573 | |
| 1574 | crl->version++; |
| 1575 | |
| 1576 | if( crl->version > 2 ) |
| 1577 | { |
| 1578 | x509_crl_free( crl ); |
| 1579 | return( POLARSSL_ERR_X509_CERT_UNKNOWN_VERSION ); |
| 1580 | } |
| 1581 | |
Paul Bakker | 27d6616 | 2010-03-17 06:56:01 +0000 | [diff] [blame] | 1582 | if( ( ret = x509_get_sig_alg( &crl->sig_oid1, &crl->sig_alg ) ) != 0 ) |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1583 | { |
| 1584 | x509_crl_free( crl ); |
| 1585 | return( POLARSSL_ERR_X509_CERT_UNKNOWN_SIG_ALG ); |
| 1586 | } |
| 1587 | |
| 1588 | /* |
| 1589 | * issuer Name |
| 1590 | */ |
| 1591 | crl->issuer_raw.p = p; |
| 1592 | |
| 1593 | if( ( ret = asn1_get_tag( &p, end, &len, |
| 1594 | ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 ) |
| 1595 | { |
| 1596 | x509_crl_free( crl ); |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 1597 | return( POLARSSL_ERR_X509_CERT_INVALID_FORMAT + ret ); |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1598 | } |
| 1599 | |
| 1600 | if( ( ret = x509_get_name( &p, p + len, &crl->issuer ) ) != 0 ) |
| 1601 | { |
| 1602 | x509_crl_free( crl ); |
| 1603 | return( ret ); |
| 1604 | } |
| 1605 | |
| 1606 | crl->issuer_raw.len = p - crl->issuer_raw.p; |
| 1607 | |
| 1608 | /* |
| 1609 | * thisUpdate Time |
| 1610 | * nextUpdate Time OPTIONAL |
| 1611 | */ |
Paul Bakker | 9120018 | 2010-02-18 21:26:15 +0000 | [diff] [blame] | 1612 | if( ( ret = x509_get_time( &p, end, &crl->this_update ) ) != 0 ) |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1613 | { |
| 1614 | x509_crl_free( crl ); |
| 1615 | return( ret ); |
| 1616 | } |
| 1617 | |
Paul Bakker | 9120018 | 2010-02-18 21:26:15 +0000 | [diff] [blame] | 1618 | if( ( ret = x509_get_time( &p, end, &crl->next_update ) ) != 0 ) |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1619 | { |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 1620 | if ( ret != ( POLARSSL_ERR_X509_CERT_INVALID_DATE + |
Paul Bakker | 9be1937 | 2009-07-27 20:21:53 +0000 | [diff] [blame] | 1621 | POLARSSL_ERR_ASN1_UNEXPECTED_TAG ) && |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 1622 | ret != ( POLARSSL_ERR_X509_CERT_INVALID_DATE + |
Paul Bakker | 9be1937 | 2009-07-27 20:21:53 +0000 | [diff] [blame] | 1623 | POLARSSL_ERR_ASN1_OUT_OF_DATA ) ) |
Paul Bakker | 635f4b4 | 2009-07-20 20:34:41 +0000 | [diff] [blame] | 1624 | { |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1625 | x509_crl_free( crl ); |
| 1626 | return( ret ); |
| 1627 | } |
| 1628 | } |
| 1629 | |
| 1630 | /* |
| 1631 | * revokedCertificates SEQUENCE OF SEQUENCE { |
| 1632 | * userCertificate CertificateSerialNumber, |
| 1633 | * revocationDate Time, |
| 1634 | * crlEntryExtensions Extensions OPTIONAL |
| 1635 | * -- if present, MUST be v2 |
| 1636 | * } OPTIONAL |
| 1637 | */ |
| 1638 | if( ( ret = x509_get_entries( &p, end, &crl->entry ) ) != 0 ) |
| 1639 | { |
| 1640 | x509_crl_free( crl ); |
| 1641 | return( ret ); |
| 1642 | } |
| 1643 | |
| 1644 | /* |
| 1645 | * crlExtensions EXPLICIT Extensions OPTIONAL |
| 1646 | * -- if present, MUST be v2 |
| 1647 | */ |
| 1648 | if( crl->version == 2 ) |
| 1649 | { |
| 1650 | ret = x509_get_crl_ext( &p, end, &crl->crl_ext ); |
| 1651 | |
| 1652 | if( ret != 0 ) |
| 1653 | { |
| 1654 | x509_crl_free( crl ); |
| 1655 | return( ret ); |
| 1656 | } |
| 1657 | } |
| 1658 | |
| 1659 | if( p != end ) |
| 1660 | { |
| 1661 | x509_crl_free( crl ); |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 1662 | return( POLARSSL_ERR_X509_CERT_INVALID_FORMAT + |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1663 | POLARSSL_ERR_ASN1_LENGTH_MISMATCH ); |
| 1664 | } |
| 1665 | |
| 1666 | end = crl->raw.p + crl->raw.len; |
| 1667 | |
| 1668 | /* |
| 1669 | * signatureAlgorithm AlgorithmIdentifier, |
| 1670 | * signatureValue BIT STRING |
| 1671 | */ |
| 1672 | if( ( ret = x509_get_alg( &p, end, &crl->sig_oid2 ) ) != 0 ) |
| 1673 | { |
| 1674 | x509_crl_free( crl ); |
| 1675 | return( ret ); |
| 1676 | } |
| 1677 | |
Paul Bakker | 7261cba | 2013-01-16 12:39:54 +0100 | [diff] [blame] | 1678 | if( crl->sig_oid1.len != crl->sig_oid2.len || |
| 1679 | memcmp( crl->sig_oid1.p, crl->sig_oid2.p, crl->sig_oid1.len ) != 0 ) |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1680 | { |
| 1681 | x509_crl_free( crl ); |
| 1682 | return( POLARSSL_ERR_X509_CERT_SIG_MISMATCH ); |
| 1683 | } |
| 1684 | |
| 1685 | if( ( ret = x509_get_sig( &p, end, &crl->sig ) ) != 0 ) |
| 1686 | { |
| 1687 | x509_crl_free( crl ); |
| 1688 | return( ret ); |
| 1689 | } |
| 1690 | |
| 1691 | if( p != end ) |
| 1692 | { |
| 1693 | x509_crl_free( crl ); |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 1694 | return( POLARSSL_ERR_X509_CERT_INVALID_FORMAT + |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1695 | POLARSSL_ERR_ASN1_LENGTH_MISMATCH ); |
| 1696 | } |
| 1697 | |
| 1698 | if( buflen > 0 ) |
| 1699 | { |
| 1700 | crl->next = (x509_crl *) malloc( sizeof( x509_crl ) ); |
| 1701 | |
Paul Bakker | 7d06ad2 | 2009-05-02 15:53:56 +0000 | [diff] [blame] | 1702 | if( crl->next == NULL ) |
| 1703 | { |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1704 | x509_crl_free( crl ); |
Paul Bakker | 732e1a8 | 2011-12-11 16:35:09 +0000 | [diff] [blame] | 1705 | return( POLARSSL_ERR_X509_MALLOC_FAILED ); |
Paul Bakker | 7d06ad2 | 2009-05-02 15:53:56 +0000 | [diff] [blame] | 1706 | } |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1707 | |
Paul Bakker | 7d06ad2 | 2009-05-02 15:53:56 +0000 | [diff] [blame] | 1708 | crl = crl->next; |
| 1709 | memset( crl, 0, sizeof( x509_crl ) ); |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1710 | |
| 1711 | return( x509parse_crl( crl, buf, buflen ) ); |
| 1712 | } |
| 1713 | |
| 1714 | return( 0 ); |
| 1715 | } |
| 1716 | |
Paul Bakker | 335db3f | 2011-04-25 15:28:35 +0000 | [diff] [blame] | 1717 | #if defined(POLARSSL_FS_IO) |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1718 | /* |
Paul Bakker | 2b245eb | 2009-04-19 18:44:26 +0000 | [diff] [blame] | 1719 | * Load all data from a file into a given buffer. |
| 1720 | */ |
Paul Bakker | ff60ee6 | 2010-03-16 21:09:09 +0000 | [diff] [blame] | 1721 | int load_file( const char *path, unsigned char **buf, size_t *n ) |
Paul Bakker | 2b245eb | 2009-04-19 18:44:26 +0000 | [diff] [blame] | 1722 | { |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1723 | FILE *f; |
Paul Bakker | 2b245eb | 2009-04-19 18:44:26 +0000 | [diff] [blame] | 1724 | |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1725 | if( ( f = fopen( path, "rb" ) ) == NULL ) |
Paul Bakker | 732e1a8 | 2011-12-11 16:35:09 +0000 | [diff] [blame] | 1726 | return( POLARSSL_ERR_X509_FILE_IO_ERROR ); |
Paul Bakker | 2b245eb | 2009-04-19 18:44:26 +0000 | [diff] [blame] | 1727 | |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1728 | fseek( f, 0, SEEK_END ); |
| 1729 | *n = (size_t) ftell( f ); |
| 1730 | fseek( f, 0, SEEK_SET ); |
Paul Bakker | 2b245eb | 2009-04-19 18:44:26 +0000 | [diff] [blame] | 1731 | |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1732 | if( ( *buf = (unsigned char *) malloc( *n + 1 ) ) == NULL ) |
Paul Bakker | 732e1a8 | 2011-12-11 16:35:09 +0000 | [diff] [blame] | 1733 | return( POLARSSL_ERR_X509_MALLOC_FAILED ); |
Paul Bakker | 2b245eb | 2009-04-19 18:44:26 +0000 | [diff] [blame] | 1734 | |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1735 | if( fread( *buf, 1, *n, f ) != *n ) |
| 1736 | { |
| 1737 | fclose( f ); |
| 1738 | free( *buf ); |
Paul Bakker | 732e1a8 | 2011-12-11 16:35:09 +0000 | [diff] [blame] | 1739 | return( POLARSSL_ERR_X509_FILE_IO_ERROR ); |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1740 | } |
Paul Bakker | 2b245eb | 2009-04-19 18:44:26 +0000 | [diff] [blame] | 1741 | |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1742 | fclose( f ); |
Paul Bakker | 2b245eb | 2009-04-19 18:44:26 +0000 | [diff] [blame] | 1743 | |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1744 | (*buf)[*n] = '\0'; |
Paul Bakker | 2b245eb | 2009-04-19 18:44:26 +0000 | [diff] [blame] | 1745 | |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1746 | return( 0 ); |
Paul Bakker | 2b245eb | 2009-04-19 18:44:26 +0000 | [diff] [blame] | 1747 | } |
| 1748 | |
| 1749 | /* |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1750 | * Load one or more certificates and add them to the chained list |
| 1751 | */ |
Paul Bakker | 732e1a8 | 2011-12-11 16:35:09 +0000 | [diff] [blame] | 1752 | int x509parse_crtfile( x509_cert *chain, const char *path ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1753 | { |
| 1754 | int ret; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1755 | size_t n; |
| 1756 | unsigned char *buf; |
| 1757 | |
Paul Bakker | 732e1a8 | 2011-12-11 16:35:09 +0000 | [diff] [blame] | 1758 | if ( (ret = load_file( path, &buf, &n ) ) != 0 ) |
| 1759 | return( ret ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1760 | |
Paul Bakker | 732e1a8 | 2011-12-11 16:35:09 +0000 | [diff] [blame] | 1761 | ret = x509parse_crt( chain, buf, n ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1762 | |
| 1763 | memset( buf, 0, n + 1 ); |
| 1764 | free( buf ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1765 | |
| 1766 | return( ret ); |
| 1767 | } |
| 1768 | |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1769 | /* |
| 1770 | * Load one or more CRLs and add them to the chained list |
| 1771 | */ |
Paul Bakker | ff60ee6 | 2010-03-16 21:09:09 +0000 | [diff] [blame] | 1772 | int x509parse_crlfile( x509_crl *chain, const char *path ) |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1773 | { |
| 1774 | int ret; |
| 1775 | size_t n; |
| 1776 | unsigned char *buf; |
| 1777 | |
Paul Bakker | 732e1a8 | 2011-12-11 16:35:09 +0000 | [diff] [blame] | 1778 | if ( (ret = load_file( path, &buf, &n ) ) != 0 ) |
| 1779 | return( ret ); |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1780 | |
Paul Bakker | 27fdf46 | 2011-06-09 13:55:13 +0000 | [diff] [blame] | 1781 | ret = x509parse_crl( chain, buf, n ); |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1782 | |
| 1783 | memset( buf, 0, n + 1 ); |
| 1784 | free( buf ); |
| 1785 | |
| 1786 | return( ret ); |
| 1787 | } |
| 1788 | |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1789 | /* |
Paul Bakker | 335db3f | 2011-04-25 15:28:35 +0000 | [diff] [blame] | 1790 | * Load and parse a private RSA key |
| 1791 | */ |
| 1792 | int x509parse_keyfile( rsa_context *rsa, const char *path, const char *pwd ) |
| 1793 | { |
| 1794 | int ret; |
| 1795 | size_t n; |
| 1796 | unsigned char *buf; |
| 1797 | |
Paul Bakker | 732e1a8 | 2011-12-11 16:35:09 +0000 | [diff] [blame] | 1798 | if ( (ret = load_file( path, &buf, &n ) ) != 0 ) |
| 1799 | return( ret ); |
Paul Bakker | 335db3f | 2011-04-25 15:28:35 +0000 | [diff] [blame] | 1800 | |
| 1801 | if( pwd == NULL ) |
Paul Bakker | 27fdf46 | 2011-06-09 13:55:13 +0000 | [diff] [blame] | 1802 | ret = x509parse_key( rsa, buf, n, NULL, 0 ); |
Paul Bakker | 335db3f | 2011-04-25 15:28:35 +0000 | [diff] [blame] | 1803 | else |
Paul Bakker | 27fdf46 | 2011-06-09 13:55:13 +0000 | [diff] [blame] | 1804 | ret = x509parse_key( rsa, buf, n, |
Paul Bakker | 335db3f | 2011-04-25 15:28:35 +0000 | [diff] [blame] | 1805 | (unsigned char *) pwd, strlen( pwd ) ); |
| 1806 | |
| 1807 | memset( buf, 0, n + 1 ); |
| 1808 | free( buf ); |
| 1809 | |
| 1810 | return( ret ); |
| 1811 | } |
| 1812 | |
| 1813 | /* |
| 1814 | * Load and parse a public RSA key |
| 1815 | */ |
| 1816 | int x509parse_public_keyfile( rsa_context *rsa, const char *path ) |
| 1817 | { |
| 1818 | int ret; |
| 1819 | size_t n; |
| 1820 | unsigned char *buf; |
| 1821 | |
Paul Bakker | 732e1a8 | 2011-12-11 16:35:09 +0000 | [diff] [blame] | 1822 | if ( (ret = load_file( path, &buf, &n ) ) != 0 ) |
| 1823 | return( ret ); |
Paul Bakker | 335db3f | 2011-04-25 15:28:35 +0000 | [diff] [blame] | 1824 | |
Paul Bakker | 27fdf46 | 2011-06-09 13:55:13 +0000 | [diff] [blame] | 1825 | ret = x509parse_public_key( rsa, buf, n ); |
Paul Bakker | 335db3f | 2011-04-25 15:28:35 +0000 | [diff] [blame] | 1826 | |
| 1827 | memset( buf, 0, n + 1 ); |
| 1828 | free( buf ); |
| 1829 | |
| 1830 | return( ret ); |
| 1831 | } |
| 1832 | #endif /* POLARSSL_FS_IO */ |
| 1833 | |
| 1834 | /* |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1835 | * Parse a private RSA key |
| 1836 | */ |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 1837 | int x509parse_key( rsa_context *rsa, const unsigned char *key, size_t keylen, |
| 1838 | const unsigned char *pwd, size_t pwdlen ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1839 | { |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 1840 | int ret; |
| 1841 | size_t len; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1842 | unsigned char *p, *end; |
Paul Bakker | ed56b22 | 2011-07-13 11:26:43 +0000 | [diff] [blame] | 1843 | unsigned char *p_alt; |
| 1844 | x509_buf pk_alg_oid; |
| 1845 | |
Paul Bakker | 96743fc | 2011-02-12 14:30:57 +0000 | [diff] [blame] | 1846 | #if defined(POLARSSL_PEM_C) |
| 1847 | pem_context pem; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1848 | |
Paul Bakker | 96743fc | 2011-02-12 14:30:57 +0000 | [diff] [blame] | 1849 | pem_init( &pem ); |
| 1850 | ret = pem_read_buffer( &pem, |
| 1851 | "-----BEGIN RSA PRIVATE KEY-----", |
| 1852 | "-----END RSA PRIVATE KEY-----", |
| 1853 | key, pwd, pwdlen, &len ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1854 | |
Paul Bakker | ed56b22 | 2011-07-13 11:26:43 +0000 | [diff] [blame] | 1855 | if( ret == POLARSSL_ERR_PEM_NO_HEADER_PRESENT ) |
| 1856 | { |
| 1857 | ret = pem_read_buffer( &pem, |
| 1858 | "-----BEGIN PRIVATE KEY-----", |
| 1859 | "-----END PRIVATE KEY-----", |
| 1860 | key, pwd, pwdlen, &len ); |
| 1861 | } |
| 1862 | |
Paul Bakker | 96743fc | 2011-02-12 14:30:57 +0000 | [diff] [blame] | 1863 | if( ret == 0 ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1864 | { |
Paul Bakker | 96743fc | 2011-02-12 14:30:57 +0000 | [diff] [blame] | 1865 | /* |
| 1866 | * Was PEM encoded |
| 1867 | */ |
| 1868 | keylen = pem.buflen; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1869 | } |
Paul Bakker | 96743fc | 2011-02-12 14:30:57 +0000 | [diff] [blame] | 1870 | else if( ret != POLARSSL_ERR_PEM_NO_HEADER_PRESENT ) |
Paul Bakker | ff60ee6 | 2010-03-16 21:09:09 +0000 | [diff] [blame] | 1871 | { |
Paul Bakker | 96743fc | 2011-02-12 14:30:57 +0000 | [diff] [blame] | 1872 | pem_free( &pem ); |
| 1873 | return( ret ); |
Paul Bakker | ff60ee6 | 2010-03-16 21:09:09 +0000 | [diff] [blame] | 1874 | } |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1875 | |
Paul Bakker | 96743fc | 2011-02-12 14:30:57 +0000 | [diff] [blame] | 1876 | p = ( ret == 0 ) ? pem.buf : (unsigned char *) key; |
| 1877 | #else |
Paul Bakker | 5690efc | 2011-05-26 13:16:06 +0000 | [diff] [blame] | 1878 | ((void) pwd); |
| 1879 | ((void) pwdlen); |
Paul Bakker | 96743fc | 2011-02-12 14:30:57 +0000 | [diff] [blame] | 1880 | p = (unsigned char *) key; |
| 1881 | #endif |
| 1882 | end = p + keylen; |
| 1883 | |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1884 | /* |
Paul Bakker | ed56b22 | 2011-07-13 11:26:43 +0000 | [diff] [blame] | 1885 | * Note: Depending on the type of private key file one can expect either a |
| 1886 | * PrivatKeyInfo object (PKCS#8) or a RSAPrivateKey (PKCS#1) directly. |
| 1887 | * |
| 1888 | * PrivateKeyInfo ::= SEQUENCE { |
Paul Bakker | 5c721f9 | 2011-07-27 16:51:09 +0000 | [diff] [blame] | 1889 | * version Version, |
Paul Bakker | ed56b22 | 2011-07-13 11:26:43 +0000 | [diff] [blame] | 1890 | * algorithm AlgorithmIdentifier, |
| 1891 | * PrivateKey BIT STRING |
| 1892 | * } |
| 1893 | * |
| 1894 | * AlgorithmIdentifier ::= SEQUENCE { |
| 1895 | * algorithm OBJECT IDENTIFIER, |
| 1896 | * parameters ANY DEFINED BY algorithm OPTIONAL |
| 1897 | * } |
| 1898 | * |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1899 | * RSAPrivateKey ::= SEQUENCE { |
| 1900 | * version Version, |
| 1901 | * modulus INTEGER, -- n |
| 1902 | * publicExponent INTEGER, -- e |
| 1903 | * privateExponent INTEGER, -- d |
| 1904 | * prime1 INTEGER, -- p |
| 1905 | * prime2 INTEGER, -- q |
| 1906 | * exponent1 INTEGER, -- d mod (p-1) |
| 1907 | * exponent2 INTEGER, -- d mod (q-1) |
| 1908 | * coefficient INTEGER, -- (inverse of q) mod p |
| 1909 | * otherPrimeInfos OtherPrimeInfos OPTIONAL |
| 1910 | * } |
| 1911 | */ |
| 1912 | if( ( ret = asn1_get_tag( &p, end, &len, |
| 1913 | ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 ) |
| 1914 | { |
Paul Bakker | 96743fc | 2011-02-12 14:30:57 +0000 | [diff] [blame] | 1915 | #if defined(POLARSSL_PEM_C) |
| 1916 | pem_free( &pem ); |
| 1917 | #endif |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1918 | rsa_free( rsa ); |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 1919 | return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT + ret ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1920 | } |
| 1921 | |
| 1922 | end = p + len; |
| 1923 | |
| 1924 | if( ( ret = asn1_get_int( &p, end, &rsa->ver ) ) != 0 ) |
| 1925 | { |
Paul Bakker | 96743fc | 2011-02-12 14:30:57 +0000 | [diff] [blame] | 1926 | #if defined(POLARSSL_PEM_C) |
| 1927 | pem_free( &pem ); |
| 1928 | #endif |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1929 | rsa_free( rsa ); |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 1930 | return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT + ret ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1931 | } |
| 1932 | |
| 1933 | if( rsa->ver != 0 ) |
| 1934 | { |
Paul Bakker | 96743fc | 2011-02-12 14:30:57 +0000 | [diff] [blame] | 1935 | #if defined(POLARSSL_PEM_C) |
| 1936 | pem_free( &pem ); |
| 1937 | #endif |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1938 | rsa_free( rsa ); |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 1939 | return( POLARSSL_ERR_X509_KEY_INVALID_VERSION + ret ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1940 | } |
| 1941 | |
Paul Bakker | ed56b22 | 2011-07-13 11:26:43 +0000 | [diff] [blame] | 1942 | p_alt = p; |
| 1943 | |
| 1944 | if( ( ret = x509_get_alg( &p_alt, end, &pk_alg_oid ) ) != 0 ) |
| 1945 | { |
| 1946 | // Assume that we have the PKCS#1 format if wrong |
| 1947 | // tag was encountered |
| 1948 | // |
| 1949 | if( ret != POLARSSL_ERR_X509_CERT_INVALID_ALG + |
| 1950 | POLARSSL_ERR_ASN1_UNEXPECTED_TAG ) |
| 1951 | { |
| 1952 | #if defined(POLARSSL_PEM_C) |
| 1953 | pem_free( &pem ); |
| 1954 | #endif |
| 1955 | rsa_free( rsa ); |
| 1956 | return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT ); |
| 1957 | } |
| 1958 | } |
| 1959 | else |
| 1960 | { |
| 1961 | int can_handle; |
| 1962 | |
| 1963 | /* |
| 1964 | * only RSA keys handled at this time |
| 1965 | */ |
| 1966 | can_handle = 0; |
| 1967 | |
| 1968 | if( pk_alg_oid.len == 9 && |
| 1969 | memcmp( pk_alg_oid.p, OID_PKCS1_RSA, 9 ) == 0 ) |
| 1970 | can_handle = 1; |
| 1971 | |
| 1972 | if( pk_alg_oid.len == 9 && |
| 1973 | memcmp( pk_alg_oid.p, OID_PKCS1, 8 ) == 0 ) |
| 1974 | { |
| 1975 | if( pk_alg_oid.p[8] >= 2 && pk_alg_oid.p[8] <= 5 ) |
| 1976 | can_handle = 1; |
| 1977 | |
| 1978 | if ( pk_alg_oid.p[8] >= 11 && pk_alg_oid.p[8] <= 14 ) |
| 1979 | can_handle = 1; |
| 1980 | } |
| 1981 | |
| 1982 | if( pk_alg_oid.len == 5 && |
| 1983 | memcmp( pk_alg_oid.p, OID_RSA_SHA_OBS, 5 ) == 0 ) |
| 1984 | can_handle = 1; |
| 1985 | |
| 1986 | if( can_handle == 0 ) |
| 1987 | return( POLARSSL_ERR_X509_UNKNOWN_PK_ALG ); |
| 1988 | |
| 1989 | /* |
| 1990 | * Parse the PKCS#8 format |
| 1991 | */ |
| 1992 | |
| 1993 | p = p_alt; |
| 1994 | if( ( ret = asn1_get_tag( &p, end, &len, ASN1_OCTET_STRING ) ) != 0 ) |
| 1995 | { |
| 1996 | #if defined(POLARSSL_PEM_C) |
| 1997 | pem_free( &pem ); |
| 1998 | #endif |
| 1999 | rsa_free( rsa ); |
| 2000 | return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT + ret ); |
| 2001 | } |
| 2002 | |
| 2003 | if( ( end - p ) < 1 ) |
| 2004 | { |
| 2005 | #if defined(POLARSSL_PEM_C) |
| 2006 | pem_free( &pem ); |
| 2007 | #endif |
| 2008 | rsa_free( rsa ); |
| 2009 | return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT + |
| 2010 | POLARSSL_ERR_ASN1_OUT_OF_DATA ); |
| 2011 | } |
| 2012 | |
| 2013 | end = p + len; |
| 2014 | |
| 2015 | if( ( ret = asn1_get_tag( &p, end, &len, |
| 2016 | ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 ) |
| 2017 | { |
| 2018 | #if defined(POLARSSL_PEM_C) |
| 2019 | pem_free( &pem ); |
| 2020 | #endif |
| 2021 | rsa_free( rsa ); |
| 2022 | return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT + ret ); |
| 2023 | } |
| 2024 | |
| 2025 | end = p + len; |
| 2026 | |
| 2027 | if( ( ret = asn1_get_int( &p, end, &rsa->ver ) ) != 0 ) |
| 2028 | { |
| 2029 | #if defined(POLARSSL_PEM_C) |
| 2030 | pem_free( &pem ); |
| 2031 | #endif |
| 2032 | rsa_free( rsa ); |
| 2033 | return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT + ret ); |
| 2034 | } |
| 2035 | |
| 2036 | if( rsa->ver != 0 ) |
| 2037 | { |
| 2038 | #if defined(POLARSSL_PEM_C) |
| 2039 | pem_free( &pem ); |
| 2040 | #endif |
| 2041 | rsa_free( rsa ); |
| 2042 | return( POLARSSL_ERR_X509_KEY_INVALID_VERSION + ret ); |
| 2043 | } |
| 2044 | } |
| 2045 | |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2046 | if( ( ret = asn1_get_mpi( &p, end, &rsa->N ) ) != 0 || |
| 2047 | ( ret = asn1_get_mpi( &p, end, &rsa->E ) ) != 0 || |
| 2048 | ( ret = asn1_get_mpi( &p, end, &rsa->D ) ) != 0 || |
| 2049 | ( ret = asn1_get_mpi( &p, end, &rsa->P ) ) != 0 || |
| 2050 | ( ret = asn1_get_mpi( &p, end, &rsa->Q ) ) != 0 || |
| 2051 | ( ret = asn1_get_mpi( &p, end, &rsa->DP ) ) != 0 || |
| 2052 | ( ret = asn1_get_mpi( &p, end, &rsa->DQ ) ) != 0 || |
| 2053 | ( ret = asn1_get_mpi( &p, end, &rsa->QP ) ) != 0 ) |
| 2054 | { |
Paul Bakker | 96743fc | 2011-02-12 14:30:57 +0000 | [diff] [blame] | 2055 | #if defined(POLARSSL_PEM_C) |
| 2056 | pem_free( &pem ); |
| 2057 | #endif |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2058 | rsa_free( rsa ); |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 2059 | return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT + ret ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2060 | } |
| 2061 | |
| 2062 | rsa->len = mpi_size( &rsa->N ); |
| 2063 | |
| 2064 | if( p != end ) |
| 2065 | { |
Paul Bakker | 96743fc | 2011-02-12 14:30:57 +0000 | [diff] [blame] | 2066 | #if defined(POLARSSL_PEM_C) |
| 2067 | pem_free( &pem ); |
| 2068 | #endif |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2069 | rsa_free( rsa ); |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 2070 | return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT + |
Paul Bakker | 40e4694 | 2009-01-03 21:51:57 +0000 | [diff] [blame] | 2071 | POLARSSL_ERR_ASN1_LENGTH_MISMATCH ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2072 | } |
| 2073 | |
| 2074 | if( ( ret = rsa_check_privkey( rsa ) ) != 0 ) |
| 2075 | { |
Paul Bakker | 96743fc | 2011-02-12 14:30:57 +0000 | [diff] [blame] | 2076 | #if defined(POLARSSL_PEM_C) |
| 2077 | pem_free( &pem ); |
| 2078 | #endif |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2079 | rsa_free( rsa ); |
| 2080 | return( ret ); |
| 2081 | } |
| 2082 | |
Paul Bakker | 96743fc | 2011-02-12 14:30:57 +0000 | [diff] [blame] | 2083 | #if defined(POLARSSL_PEM_C) |
| 2084 | pem_free( &pem ); |
| 2085 | #endif |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2086 | |
| 2087 | return( 0 ); |
| 2088 | } |
| 2089 | |
| 2090 | /* |
Paul Bakker | 53019ae | 2011-03-25 13:58:48 +0000 | [diff] [blame] | 2091 | * Parse a public RSA key |
| 2092 | */ |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 2093 | int x509parse_public_key( rsa_context *rsa, const unsigned char *key, size_t keylen ) |
Paul Bakker | 53019ae | 2011-03-25 13:58:48 +0000 | [diff] [blame] | 2094 | { |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 2095 | int ret; |
| 2096 | size_t len; |
Paul Bakker | 53019ae | 2011-03-25 13:58:48 +0000 | [diff] [blame] | 2097 | unsigned char *p, *end; |
| 2098 | x509_buf alg_oid; |
| 2099 | #if defined(POLARSSL_PEM_C) |
| 2100 | pem_context pem; |
| 2101 | |
| 2102 | pem_init( &pem ); |
| 2103 | ret = pem_read_buffer( &pem, |
| 2104 | "-----BEGIN PUBLIC KEY-----", |
| 2105 | "-----END PUBLIC KEY-----", |
| 2106 | key, NULL, 0, &len ); |
| 2107 | |
| 2108 | if( ret == 0 ) |
| 2109 | { |
| 2110 | /* |
| 2111 | * Was PEM encoded |
| 2112 | */ |
| 2113 | keylen = pem.buflen; |
| 2114 | } |
| 2115 | else if( ret != POLARSSL_ERR_PEM_NO_HEADER_PRESENT ) |
| 2116 | { |
| 2117 | pem_free( &pem ); |
| 2118 | return( ret ); |
| 2119 | } |
| 2120 | |
| 2121 | p = ( ret == 0 ) ? pem.buf : (unsigned char *) key; |
| 2122 | #else |
| 2123 | p = (unsigned char *) key; |
| 2124 | #endif |
| 2125 | end = p + keylen; |
| 2126 | |
| 2127 | /* |
| 2128 | * PublicKeyInfo ::= SEQUENCE { |
| 2129 | * algorithm AlgorithmIdentifier, |
| 2130 | * PublicKey BIT STRING |
| 2131 | * } |
| 2132 | * |
| 2133 | * AlgorithmIdentifier ::= SEQUENCE { |
| 2134 | * algorithm OBJECT IDENTIFIER, |
| 2135 | * parameters ANY DEFINED BY algorithm OPTIONAL |
| 2136 | * } |
| 2137 | * |
| 2138 | * RSAPublicKey ::= SEQUENCE { |
| 2139 | * modulus INTEGER, -- n |
| 2140 | * publicExponent INTEGER -- e |
| 2141 | * } |
| 2142 | */ |
| 2143 | |
| 2144 | if( ( ret = asn1_get_tag( &p, end, &len, |
| 2145 | ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 ) |
| 2146 | { |
| 2147 | #if defined(POLARSSL_PEM_C) |
| 2148 | pem_free( &pem ); |
| 2149 | #endif |
| 2150 | rsa_free( rsa ); |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 2151 | return( POLARSSL_ERR_X509_CERT_INVALID_FORMAT + ret ); |
Paul Bakker | 53019ae | 2011-03-25 13:58:48 +0000 | [diff] [blame] | 2152 | } |
| 2153 | |
| 2154 | if( ( ret = x509_get_pubkey( &p, end, &alg_oid, &rsa->N, &rsa->E ) ) != 0 ) |
| 2155 | { |
| 2156 | #if defined(POLARSSL_PEM_C) |
| 2157 | pem_free( &pem ); |
| 2158 | #endif |
| 2159 | rsa_free( rsa ); |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 2160 | return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT + ret ); |
Paul Bakker | 53019ae | 2011-03-25 13:58:48 +0000 | [diff] [blame] | 2161 | } |
| 2162 | |
| 2163 | if( ( ret = rsa_check_pubkey( rsa ) ) != 0 ) |
| 2164 | { |
| 2165 | #if defined(POLARSSL_PEM_C) |
| 2166 | pem_free( &pem ); |
| 2167 | #endif |
| 2168 | rsa_free( rsa ); |
| 2169 | return( ret ); |
| 2170 | } |
| 2171 | |
| 2172 | rsa->len = mpi_size( &rsa->N ); |
| 2173 | |
| 2174 | #if defined(POLARSSL_PEM_C) |
| 2175 | pem_free( &pem ); |
| 2176 | #endif |
| 2177 | |
| 2178 | return( 0 ); |
| 2179 | } |
| 2180 | |
Paul Bakker | eaa89f8 | 2011-04-04 21:36:15 +0000 | [diff] [blame] | 2181 | #if defined(POLARSSL_DHM_C) |
Paul Bakker | 53019ae | 2011-03-25 13:58:48 +0000 | [diff] [blame] | 2182 | /* |
Paul Bakker | 1b57b06 | 2011-01-06 15:48:19 +0000 | [diff] [blame] | 2183 | * Parse DHM parameters |
| 2184 | */ |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 2185 | int x509parse_dhm( dhm_context *dhm, const unsigned char *dhmin, size_t dhminlen ) |
Paul Bakker | 1b57b06 | 2011-01-06 15:48:19 +0000 | [diff] [blame] | 2186 | { |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 2187 | int ret; |
| 2188 | size_t len; |
Paul Bakker | 1b57b06 | 2011-01-06 15:48:19 +0000 | [diff] [blame] | 2189 | unsigned char *p, *end; |
Paul Bakker | 96743fc | 2011-02-12 14:30:57 +0000 | [diff] [blame] | 2190 | #if defined(POLARSSL_PEM_C) |
| 2191 | pem_context pem; |
Paul Bakker | 1b57b06 | 2011-01-06 15:48:19 +0000 | [diff] [blame] | 2192 | |
Paul Bakker | 96743fc | 2011-02-12 14:30:57 +0000 | [diff] [blame] | 2193 | pem_init( &pem ); |
Paul Bakker | 1b57b06 | 2011-01-06 15:48:19 +0000 | [diff] [blame] | 2194 | |
Paul Bakker | 96743fc | 2011-02-12 14:30:57 +0000 | [diff] [blame] | 2195 | ret = pem_read_buffer( &pem, |
| 2196 | "-----BEGIN DH PARAMETERS-----", |
| 2197 | "-----END DH PARAMETERS-----", |
| 2198 | dhmin, NULL, 0, &dhminlen ); |
| 2199 | |
| 2200 | if( ret == 0 ) |
Paul Bakker | 1b57b06 | 2011-01-06 15:48:19 +0000 | [diff] [blame] | 2201 | { |
Paul Bakker | 96743fc | 2011-02-12 14:30:57 +0000 | [diff] [blame] | 2202 | /* |
| 2203 | * Was PEM encoded |
| 2204 | */ |
| 2205 | dhminlen = pem.buflen; |
Paul Bakker | 1b57b06 | 2011-01-06 15:48:19 +0000 | [diff] [blame] | 2206 | } |
Paul Bakker | 96743fc | 2011-02-12 14:30:57 +0000 | [diff] [blame] | 2207 | else if( ret != POLARSSL_ERR_PEM_NO_HEADER_PRESENT ) |
Paul Bakker | 1b57b06 | 2011-01-06 15:48:19 +0000 | [diff] [blame] | 2208 | { |
Paul Bakker | 96743fc | 2011-02-12 14:30:57 +0000 | [diff] [blame] | 2209 | pem_free( &pem ); |
| 2210 | return( ret ); |
Paul Bakker | 1b57b06 | 2011-01-06 15:48:19 +0000 | [diff] [blame] | 2211 | } |
| 2212 | |
Paul Bakker | 96743fc | 2011-02-12 14:30:57 +0000 | [diff] [blame] | 2213 | p = ( ret == 0 ) ? pem.buf : (unsigned char *) dhmin; |
| 2214 | #else |
| 2215 | p = (unsigned char *) dhmin; |
| 2216 | #endif |
| 2217 | end = p + dhminlen; |
| 2218 | |
Paul Bakker | 1b57b06 | 2011-01-06 15:48:19 +0000 | [diff] [blame] | 2219 | memset( dhm, 0, sizeof( dhm_context ) ); |
| 2220 | |
Paul Bakker | 1b57b06 | 2011-01-06 15:48:19 +0000 | [diff] [blame] | 2221 | /* |
| 2222 | * DHParams ::= SEQUENCE { |
| 2223 | * prime INTEGER, -- P |
| 2224 | * generator INTEGER, -- g |
| 2225 | * } |
| 2226 | */ |
| 2227 | if( ( ret = asn1_get_tag( &p, end, &len, |
| 2228 | ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 ) |
| 2229 | { |
Paul Bakker | 96743fc | 2011-02-12 14:30:57 +0000 | [diff] [blame] | 2230 | #if defined(POLARSSL_PEM_C) |
| 2231 | pem_free( &pem ); |
| 2232 | #endif |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 2233 | return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT + ret ); |
Paul Bakker | 1b57b06 | 2011-01-06 15:48:19 +0000 | [diff] [blame] | 2234 | } |
| 2235 | |
| 2236 | end = p + len; |
| 2237 | |
| 2238 | if( ( ret = asn1_get_mpi( &p, end, &dhm->P ) ) != 0 || |
| 2239 | ( ret = asn1_get_mpi( &p, end, &dhm->G ) ) != 0 ) |
| 2240 | { |
Paul Bakker | 96743fc | 2011-02-12 14:30:57 +0000 | [diff] [blame] | 2241 | #if defined(POLARSSL_PEM_C) |
| 2242 | pem_free( &pem ); |
| 2243 | #endif |
Paul Bakker | 1b57b06 | 2011-01-06 15:48:19 +0000 | [diff] [blame] | 2244 | dhm_free( dhm ); |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 2245 | return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT + ret ); |
Paul Bakker | 1b57b06 | 2011-01-06 15:48:19 +0000 | [diff] [blame] | 2246 | } |
| 2247 | |
| 2248 | if( p != end ) |
| 2249 | { |
Paul Bakker | 96743fc | 2011-02-12 14:30:57 +0000 | [diff] [blame] | 2250 | #if defined(POLARSSL_PEM_C) |
| 2251 | pem_free( &pem ); |
| 2252 | #endif |
Paul Bakker | 1b57b06 | 2011-01-06 15:48:19 +0000 | [diff] [blame] | 2253 | dhm_free( dhm ); |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 2254 | return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT + |
Paul Bakker | 1b57b06 | 2011-01-06 15:48:19 +0000 | [diff] [blame] | 2255 | POLARSSL_ERR_ASN1_LENGTH_MISMATCH ); |
| 2256 | } |
| 2257 | |
Paul Bakker | 96743fc | 2011-02-12 14:30:57 +0000 | [diff] [blame] | 2258 | #if defined(POLARSSL_PEM_C) |
| 2259 | pem_free( &pem ); |
| 2260 | #endif |
Paul Bakker | 1b57b06 | 2011-01-06 15:48:19 +0000 | [diff] [blame] | 2261 | |
| 2262 | return( 0 ); |
| 2263 | } |
| 2264 | |
Paul Bakker | 335db3f | 2011-04-25 15:28:35 +0000 | [diff] [blame] | 2265 | #if defined(POLARSSL_FS_IO) |
Paul Bakker | 1b57b06 | 2011-01-06 15:48:19 +0000 | [diff] [blame] | 2266 | /* |
| 2267 | * Load and parse a private RSA key |
| 2268 | */ |
| 2269 | int x509parse_dhmfile( dhm_context *dhm, const char *path ) |
| 2270 | { |
| 2271 | int ret; |
| 2272 | size_t n; |
| 2273 | unsigned char *buf; |
| 2274 | |
Paul Bakker | 732e1a8 | 2011-12-11 16:35:09 +0000 | [diff] [blame] | 2275 | if ( ( ret = load_file( path, &buf, &n ) ) != 0 ) |
| 2276 | return( ret ); |
Paul Bakker | 1b57b06 | 2011-01-06 15:48:19 +0000 | [diff] [blame] | 2277 | |
Paul Bakker | 27fdf46 | 2011-06-09 13:55:13 +0000 | [diff] [blame] | 2278 | ret = x509parse_dhm( dhm, buf, n ); |
Paul Bakker | 1b57b06 | 2011-01-06 15:48:19 +0000 | [diff] [blame] | 2279 | |
| 2280 | memset( buf, 0, n + 1 ); |
| 2281 | free( buf ); |
| 2282 | |
| 2283 | return( ret ); |
| 2284 | } |
Paul Bakker | 335db3f | 2011-04-25 15:28:35 +0000 | [diff] [blame] | 2285 | #endif /* POLARSSL_FS_IO */ |
Paul Bakker | eaa89f8 | 2011-04-04 21:36:15 +0000 | [diff] [blame] | 2286 | #endif /* POLARSSL_DHM_C */ |
Paul Bakker | 1b57b06 | 2011-01-06 15:48:19 +0000 | [diff] [blame] | 2287 | |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2288 | #if defined _MSC_VER && !defined snprintf |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 2289 | #include <stdarg.h> |
| 2290 | |
| 2291 | #if !defined vsnprintf |
| 2292 | #define vsnprintf _vsnprintf |
| 2293 | #endif // vsnprintf |
| 2294 | |
| 2295 | /* |
| 2296 | * Windows _snprintf and _vsnprintf are not compatible to linux versions. |
| 2297 | * Result value is not size of buffer needed, but -1 if no fit is possible. |
| 2298 | * |
| 2299 | * This fuction tries to 'fix' this by at least suggesting enlarging the |
| 2300 | * size by 20. |
| 2301 | */ |
| 2302 | int compat_snprintf(char *str, size_t size, const char *format, ...) |
| 2303 | { |
| 2304 | va_list ap; |
| 2305 | int res = -1; |
| 2306 | |
| 2307 | va_start( ap, format ); |
| 2308 | |
| 2309 | res = vsnprintf( str, size, format, ap ); |
| 2310 | |
| 2311 | va_end( ap ); |
| 2312 | |
| 2313 | // No quick fix possible |
| 2314 | if ( res < 0 ) |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 2315 | return( (int) size + 20 ); |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 2316 | |
| 2317 | return res; |
| 2318 | } |
| 2319 | |
| 2320 | #define snprintf compat_snprintf |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2321 | #endif |
| 2322 | |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 2323 | #define POLARSSL_ERR_DEBUG_BUF_TOO_SMALL -2 |
| 2324 | |
| 2325 | #define SAFE_SNPRINTF() \ |
| 2326 | { \ |
| 2327 | if( ret == -1 ) \ |
| 2328 | return( -1 ); \ |
| 2329 | \ |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 2330 | if ( (unsigned int) ret > n ) { \ |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 2331 | p[n - 1] = '\0'; \ |
| 2332 | return POLARSSL_ERR_DEBUG_BUF_TOO_SMALL;\ |
| 2333 | } \ |
| 2334 | \ |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 2335 | n -= (unsigned int) ret; \ |
| 2336 | p += (unsigned int) ret; \ |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 2337 | } |
| 2338 | |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2339 | /* |
| 2340 | * Store the name in printable form into buf; no more |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 2341 | * than size characters will be written |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2342 | */ |
Paul Bakker | ff60ee6 | 2010-03-16 21:09:09 +0000 | [diff] [blame] | 2343 | int x509parse_dn_gets( char *buf, size_t size, const x509_name *dn ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2344 | { |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 2345 | int ret; |
| 2346 | size_t i, n; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2347 | unsigned char c; |
Paul Bakker | ff60ee6 | 2010-03-16 21:09:09 +0000 | [diff] [blame] | 2348 | const x509_name *name; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2349 | char s[128], *p; |
| 2350 | |
| 2351 | memset( s, 0, sizeof( s ) ); |
| 2352 | |
| 2353 | name = dn; |
| 2354 | p = buf; |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 2355 | n = size; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2356 | |
| 2357 | while( name != NULL ) |
| 2358 | { |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 2359 | if( name != dn ) |
| 2360 | { |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 2361 | ret = snprintf( p, n, ", " ); |
| 2362 | SAFE_SNPRINTF(); |
| 2363 | } |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2364 | |
Paul Bakker | 7261cba | 2013-01-16 12:39:54 +0100 | [diff] [blame] | 2365 | if( name->oid.len == 3 && |
| 2366 | memcmp( name->oid.p, OID_X520, 2 ) == 0 ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2367 | { |
| 2368 | switch( name->oid.p[2] ) |
| 2369 | { |
| 2370 | case X520_COMMON_NAME: |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 2371 | ret = snprintf( p, n, "CN=" ); break; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2372 | |
| 2373 | case X520_COUNTRY: |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 2374 | ret = snprintf( p, n, "C=" ); break; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2375 | |
| 2376 | case X520_LOCALITY: |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 2377 | ret = snprintf( p, n, "L=" ); break; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2378 | |
| 2379 | case X520_STATE: |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 2380 | ret = snprintf( p, n, "ST=" ); break; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2381 | |
| 2382 | case X520_ORGANIZATION: |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 2383 | ret = snprintf( p, n, "O=" ); break; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2384 | |
| 2385 | case X520_ORG_UNIT: |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 2386 | ret = snprintf( p, n, "OU=" ); break; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2387 | |
| 2388 | default: |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 2389 | ret = snprintf( p, n, "0x%02X=", |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2390 | name->oid.p[2] ); |
| 2391 | break; |
| 2392 | } |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 2393 | SAFE_SNPRINTF(); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2394 | } |
Paul Bakker | 7261cba | 2013-01-16 12:39:54 +0100 | [diff] [blame] | 2395 | else if( name->oid.len == 9 && |
| 2396 | memcmp( name->oid.p, OID_PKCS9, 8 ) == 0 ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2397 | { |
| 2398 | switch( name->oid.p[8] ) |
| 2399 | { |
| 2400 | case PKCS9_EMAIL: |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 2401 | ret = snprintf( p, n, "emailAddress=" ); break; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2402 | |
| 2403 | default: |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 2404 | ret = snprintf( p, n, "0x%02X=", |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2405 | name->oid.p[8] ); |
| 2406 | break; |
| 2407 | } |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 2408 | SAFE_SNPRINTF(); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2409 | } |
| 2410 | else |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 2411 | { |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 2412 | ret = snprintf( p, n, "\?\?=" ); |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 2413 | SAFE_SNPRINTF(); |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 2414 | } |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2415 | |
| 2416 | for( i = 0; i < name->val.len; i++ ) |
| 2417 | { |
Paul Bakker | 27fdf46 | 2011-06-09 13:55:13 +0000 | [diff] [blame] | 2418 | if( i >= sizeof( s ) - 1 ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2419 | break; |
| 2420 | |
| 2421 | c = name->val.p[i]; |
| 2422 | if( c < 32 || c == 127 || ( c > 128 && c < 160 ) ) |
| 2423 | s[i] = '?'; |
| 2424 | else s[i] = c; |
| 2425 | } |
| 2426 | s[i] = '\0'; |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 2427 | ret = snprintf( p, n, "%s", s ); |
| 2428 | SAFE_SNPRINTF(); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2429 | name = name->next; |
| 2430 | } |
| 2431 | |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 2432 | return( (int) ( size - n ) ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2433 | } |
| 2434 | |
| 2435 | /* |
Paul Bakker | dd47699 | 2011-01-16 21:34:59 +0000 | [diff] [blame] | 2436 | * Store the serial in printable form into buf; no more |
| 2437 | * than size characters will be written |
| 2438 | */ |
| 2439 | int x509parse_serial_gets( char *buf, size_t size, const x509_buf *serial ) |
| 2440 | { |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 2441 | int ret; |
| 2442 | size_t i, n, nr; |
Paul Bakker | dd47699 | 2011-01-16 21:34:59 +0000 | [diff] [blame] | 2443 | char *p; |
| 2444 | |
| 2445 | p = buf; |
| 2446 | n = size; |
| 2447 | |
| 2448 | nr = ( serial->len <= 32 ) |
Paul Bakker | 03c7c25 | 2011-11-25 12:37:37 +0000 | [diff] [blame] | 2449 | ? serial->len : 28; |
Paul Bakker | dd47699 | 2011-01-16 21:34:59 +0000 | [diff] [blame] | 2450 | |
| 2451 | for( i = 0; i < nr; i++ ) |
| 2452 | { |
Paul Bakker | 9304880 | 2011-12-05 14:38:06 +0000 | [diff] [blame] | 2453 | if( i == 0 && nr > 1 && serial->p[i] == 0x0 ) |
Paul Bakker | c8ffbe7 | 2011-12-05 14:22:49 +0000 | [diff] [blame] | 2454 | continue; |
| 2455 | |
Paul Bakker | dd47699 | 2011-01-16 21:34:59 +0000 | [diff] [blame] | 2456 | ret = snprintf( p, n, "%02X%s", |
| 2457 | serial->p[i], ( i < nr - 1 ) ? ":" : "" ); |
| 2458 | SAFE_SNPRINTF(); |
| 2459 | } |
| 2460 | |
Paul Bakker | 03c7c25 | 2011-11-25 12:37:37 +0000 | [diff] [blame] | 2461 | if( nr != serial->len ) |
| 2462 | { |
| 2463 | ret = snprintf( p, n, "...." ); |
| 2464 | SAFE_SNPRINTF(); |
| 2465 | } |
| 2466 | |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 2467 | return( (int) ( size - n ) ); |
Paul Bakker | dd47699 | 2011-01-16 21:34:59 +0000 | [diff] [blame] | 2468 | } |
| 2469 | |
| 2470 | /* |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 2471 | * Return an informational string about the certificate. |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2472 | */ |
Paul Bakker | ff60ee6 | 2010-03-16 21:09:09 +0000 | [diff] [blame] | 2473 | int x509parse_cert_info( char *buf, size_t size, const char *prefix, |
| 2474 | const x509_cert *crt ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2475 | { |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 2476 | int ret; |
| 2477 | size_t n; |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 2478 | char *p; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2479 | |
| 2480 | p = buf; |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 2481 | n = size; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2482 | |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 2483 | ret = snprintf( p, n, "%scert. version : %d\n", |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2484 | prefix, crt->version ); |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 2485 | SAFE_SNPRINTF(); |
| 2486 | ret = snprintf( p, n, "%sserial number : ", |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2487 | prefix ); |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 2488 | SAFE_SNPRINTF(); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2489 | |
Paul Bakker | dd47699 | 2011-01-16 21:34:59 +0000 | [diff] [blame] | 2490 | ret = x509parse_serial_gets( p, n, &crt->serial); |
| 2491 | SAFE_SNPRINTF(); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2492 | |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 2493 | ret = snprintf( p, n, "\n%sissuer name : ", prefix ); |
| 2494 | SAFE_SNPRINTF(); |
| 2495 | ret = x509parse_dn_gets( p, n, &crt->issuer ); |
| 2496 | SAFE_SNPRINTF(); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2497 | |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 2498 | ret = snprintf( p, n, "\n%ssubject name : ", prefix ); |
| 2499 | SAFE_SNPRINTF(); |
| 2500 | ret = x509parse_dn_gets( p, n, &crt->subject ); |
| 2501 | SAFE_SNPRINTF(); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2502 | |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 2503 | ret = snprintf( p, n, "\n%sissued on : " \ |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2504 | "%04d-%02d-%02d %02d:%02d:%02d", prefix, |
| 2505 | crt->valid_from.year, crt->valid_from.mon, |
| 2506 | crt->valid_from.day, crt->valid_from.hour, |
| 2507 | crt->valid_from.min, crt->valid_from.sec ); |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 2508 | SAFE_SNPRINTF(); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2509 | |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 2510 | ret = snprintf( p, n, "\n%sexpires on : " \ |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2511 | "%04d-%02d-%02d %02d:%02d:%02d", prefix, |
| 2512 | crt->valid_to.year, crt->valid_to.mon, |
| 2513 | crt->valid_to.day, crt->valid_to.hour, |
| 2514 | crt->valid_to.min, crt->valid_to.sec ); |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 2515 | SAFE_SNPRINTF(); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2516 | |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 2517 | ret = snprintf( p, n, "\n%ssigned using : RSA+", prefix ); |
| 2518 | SAFE_SNPRINTF(); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2519 | |
Paul Bakker | 27d6616 | 2010-03-17 06:56:01 +0000 | [diff] [blame] | 2520 | switch( crt->sig_alg ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2521 | { |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 2522 | case SIG_RSA_MD2 : ret = snprintf( p, n, "MD2" ); break; |
| 2523 | case SIG_RSA_MD4 : ret = snprintf( p, n, "MD4" ); break; |
| 2524 | case SIG_RSA_MD5 : ret = snprintf( p, n, "MD5" ); break; |
| 2525 | case SIG_RSA_SHA1 : ret = snprintf( p, n, "SHA1" ); break; |
| 2526 | case SIG_RSA_SHA224 : ret = snprintf( p, n, "SHA224" ); break; |
| 2527 | case SIG_RSA_SHA256 : ret = snprintf( p, n, "SHA256" ); break; |
| 2528 | case SIG_RSA_SHA384 : ret = snprintf( p, n, "SHA384" ); break; |
| 2529 | case SIG_RSA_SHA512 : ret = snprintf( p, n, "SHA512" ); break; |
| 2530 | default: ret = snprintf( p, n, "???" ); break; |
| 2531 | } |
| 2532 | SAFE_SNPRINTF(); |
| 2533 | |
| 2534 | ret = snprintf( p, n, "\n%sRSA key size : %d bits\n", prefix, |
Paul Bakker | f4f6968 | 2011-04-24 16:08:12 +0000 | [diff] [blame] | 2535 | (int) crt->rsa.N.n * (int) sizeof( unsigned long ) * 8 ); |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 2536 | SAFE_SNPRINTF(); |
| 2537 | |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 2538 | return( (int) ( size - n ) ); |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 2539 | } |
| 2540 | |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 2541 | /* Compare a given OID string with an OID x509_buf * */ |
| 2542 | #define OID_CMP(oid_str, oid_buf) \ |
| 2543 | ( ( OID_SIZE(oid_str) == (oid_buf)->len ) && \ |
| 2544 | memcmp( (oid_str), (oid_buf)->p, (oid_buf)->len) == 0) |
| 2545 | |
| 2546 | /* |
| 2547 | * Return an informational string describing the given OID |
| 2548 | */ |
| 2549 | const char *x509_oid_get_description( x509_buf *oid ) |
| 2550 | { |
| 2551 | if ( oid == NULL ) |
| 2552 | return ( NULL ); |
| 2553 | |
| 2554 | else if( OID_CMP( OID_SERVER_AUTH, oid ) ) |
| 2555 | return( STRING_SERVER_AUTH ); |
| 2556 | |
| 2557 | else if( OID_CMP( OID_CLIENT_AUTH, oid ) ) |
| 2558 | return( STRING_CLIENT_AUTH ); |
| 2559 | |
| 2560 | else if( OID_CMP( OID_CODE_SIGNING, oid ) ) |
| 2561 | return( STRING_CODE_SIGNING ); |
| 2562 | |
| 2563 | else if( OID_CMP( OID_EMAIL_PROTECTION, oid ) ) |
| 2564 | return( STRING_EMAIL_PROTECTION ); |
| 2565 | |
| 2566 | else if( OID_CMP( OID_TIME_STAMPING, oid ) ) |
| 2567 | return( STRING_TIME_STAMPING ); |
| 2568 | |
| 2569 | else if( OID_CMP( OID_OCSP_SIGNING, oid ) ) |
| 2570 | return( STRING_OCSP_SIGNING ); |
| 2571 | |
| 2572 | return( NULL ); |
| 2573 | } |
| 2574 | |
| 2575 | /* Return the x.y.z.... style numeric string for the given OID */ |
| 2576 | int x509_oid_get_numeric_string( char *buf, size_t size, x509_buf *oid ) |
| 2577 | { |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 2578 | int ret; |
| 2579 | size_t i, n; |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 2580 | unsigned int value; |
| 2581 | char *p; |
| 2582 | |
| 2583 | p = buf; |
| 2584 | n = size; |
| 2585 | |
| 2586 | /* First byte contains first two dots */ |
| 2587 | if( oid->len > 0 ) |
| 2588 | { |
| 2589 | ret = snprintf( p, n, "%d.%d", oid->p[0]/40, oid->p[0]%40 ); |
| 2590 | SAFE_SNPRINTF(); |
| 2591 | } |
| 2592 | |
| 2593 | /* TODO: value can overflow in value. */ |
| 2594 | value = 0; |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 2595 | for( i = 1; i < oid->len; i++ ) |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 2596 | { |
| 2597 | value <<= 7; |
| 2598 | value += oid->p[i] & 0x7F; |
| 2599 | |
| 2600 | if( !( oid->p[i] & 0x80 ) ) |
| 2601 | { |
| 2602 | /* Last byte */ |
| 2603 | ret = snprintf( p, n, ".%d", value ); |
| 2604 | SAFE_SNPRINTF(); |
| 2605 | value = 0; |
| 2606 | } |
| 2607 | } |
| 2608 | |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 2609 | return( (int) ( size - n ) ); |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 2610 | } |
| 2611 | |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 2612 | /* |
| 2613 | * Return an informational string about the CRL. |
| 2614 | */ |
Paul Bakker | ff60ee6 | 2010-03-16 21:09:09 +0000 | [diff] [blame] | 2615 | int x509parse_crl_info( char *buf, size_t size, const char *prefix, |
| 2616 | const x509_crl *crl ) |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 2617 | { |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 2618 | int ret; |
Paul Bakker | c8ffbe7 | 2011-12-05 14:22:49 +0000 | [diff] [blame] | 2619 | size_t n; |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 2620 | char *p; |
Paul Bakker | ff60ee6 | 2010-03-16 21:09:09 +0000 | [diff] [blame] | 2621 | const x509_crl_entry *entry; |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 2622 | |
| 2623 | p = buf; |
| 2624 | n = size; |
| 2625 | |
| 2626 | ret = snprintf( p, n, "%sCRL version : %d", |
| 2627 | prefix, crl->version ); |
| 2628 | SAFE_SNPRINTF(); |
| 2629 | |
| 2630 | ret = snprintf( p, n, "\n%sissuer name : ", prefix ); |
| 2631 | SAFE_SNPRINTF(); |
| 2632 | ret = x509parse_dn_gets( p, n, &crl->issuer ); |
| 2633 | SAFE_SNPRINTF(); |
| 2634 | |
| 2635 | ret = snprintf( p, n, "\n%sthis update : " \ |
| 2636 | "%04d-%02d-%02d %02d:%02d:%02d", prefix, |
| 2637 | crl->this_update.year, crl->this_update.mon, |
| 2638 | crl->this_update.day, crl->this_update.hour, |
| 2639 | crl->this_update.min, crl->this_update.sec ); |
| 2640 | SAFE_SNPRINTF(); |
| 2641 | |
| 2642 | ret = snprintf( p, n, "\n%snext update : " \ |
| 2643 | "%04d-%02d-%02d %02d:%02d:%02d", prefix, |
| 2644 | crl->next_update.year, crl->next_update.mon, |
| 2645 | crl->next_update.day, crl->next_update.hour, |
| 2646 | crl->next_update.min, crl->next_update.sec ); |
| 2647 | SAFE_SNPRINTF(); |
| 2648 | |
| 2649 | entry = &crl->entry; |
| 2650 | |
| 2651 | ret = snprintf( p, n, "\n%sRevoked certificates:", |
| 2652 | prefix ); |
| 2653 | SAFE_SNPRINTF(); |
| 2654 | |
Paul Bakker | 9be1937 | 2009-07-27 20:21:53 +0000 | [diff] [blame] | 2655 | while( entry != NULL && entry->raw.len != 0 ) |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 2656 | { |
| 2657 | ret = snprintf( p, n, "\n%sserial number: ", |
| 2658 | prefix ); |
| 2659 | SAFE_SNPRINTF(); |
| 2660 | |
Paul Bakker | c8ffbe7 | 2011-12-05 14:22:49 +0000 | [diff] [blame] | 2661 | ret = x509parse_serial_gets( p, n, &entry->serial); |
| 2662 | SAFE_SNPRINTF(); |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 2663 | |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 2664 | ret = snprintf( p, n, " revocation date: " \ |
| 2665 | "%04d-%02d-%02d %02d:%02d:%02d", |
| 2666 | entry->revocation_date.year, entry->revocation_date.mon, |
| 2667 | entry->revocation_date.day, entry->revocation_date.hour, |
| 2668 | entry->revocation_date.min, entry->revocation_date.sec ); |
Paul Bakker | c8ffbe7 | 2011-12-05 14:22:49 +0000 | [diff] [blame] | 2669 | SAFE_SNPRINTF(); |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 2670 | |
| 2671 | entry = entry->next; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2672 | } |
| 2673 | |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 2674 | ret = snprintf( p, n, "\n%ssigned using : RSA+", prefix ); |
| 2675 | SAFE_SNPRINTF(); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2676 | |
Paul Bakker | 27d6616 | 2010-03-17 06:56:01 +0000 | [diff] [blame] | 2677 | switch( crl->sig_alg ) |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 2678 | { |
| 2679 | case SIG_RSA_MD2 : ret = snprintf( p, n, "MD2" ); break; |
| 2680 | case SIG_RSA_MD4 : ret = snprintf( p, n, "MD4" ); break; |
| 2681 | case SIG_RSA_MD5 : ret = snprintf( p, n, "MD5" ); break; |
| 2682 | case SIG_RSA_SHA1 : ret = snprintf( p, n, "SHA1" ); break; |
| 2683 | case SIG_RSA_SHA224 : ret = snprintf( p, n, "SHA224" ); break; |
| 2684 | case SIG_RSA_SHA256 : ret = snprintf( p, n, "SHA256" ); break; |
| 2685 | case SIG_RSA_SHA384 : ret = snprintf( p, n, "SHA384" ); break; |
| 2686 | case SIG_RSA_SHA512 : ret = snprintf( p, n, "SHA512" ); break; |
| 2687 | default: ret = snprintf( p, n, "???" ); break; |
| 2688 | } |
| 2689 | SAFE_SNPRINTF(); |
| 2690 | |
Paul Bakker | 1e27bb2 | 2009-07-19 20:25:25 +0000 | [diff] [blame] | 2691 | ret = snprintf( p, n, "\n" ); |
| 2692 | SAFE_SNPRINTF(); |
| 2693 | |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 2694 | return( (int) ( size - n ) ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2695 | } |
| 2696 | |
| 2697 | /* |
Paul Bakker | 40ea7de | 2009-05-03 10:18:48 +0000 | [diff] [blame] | 2698 | * Return 0 if the x509_time is still valid, or 1 otherwise. |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2699 | */ |
Paul Bakker | ff60ee6 | 2010-03-16 21:09:09 +0000 | [diff] [blame] | 2700 | int x509parse_time_expired( const x509_time *to ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2701 | { |
Paul Bakker | cce9d77 | 2011-11-18 14:26:47 +0000 | [diff] [blame] | 2702 | int year, mon, day; |
| 2703 | int hour, min, sec; |
| 2704 | |
| 2705 | #if defined(_WIN32) |
| 2706 | SYSTEMTIME st; |
| 2707 | |
| 2708 | GetLocalTime(&st); |
| 2709 | |
| 2710 | year = st.wYear; |
| 2711 | mon = st.wMonth; |
| 2712 | day = st.wDay; |
| 2713 | hour = st.wHour; |
| 2714 | min = st.wMinute; |
| 2715 | sec = st.wSecond; |
| 2716 | #else |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2717 | struct tm *lt; |
| 2718 | time_t tt; |
| 2719 | |
| 2720 | tt = time( NULL ); |
| 2721 | lt = localtime( &tt ); |
| 2722 | |
Paul Bakker | cce9d77 | 2011-11-18 14:26:47 +0000 | [diff] [blame] | 2723 | year = lt->tm_year + 1900; |
| 2724 | mon = lt->tm_mon + 1; |
| 2725 | day = lt->tm_mday; |
| 2726 | hour = lt->tm_hour; |
| 2727 | min = lt->tm_min; |
| 2728 | sec = lt->tm_sec; |
| 2729 | #endif |
| 2730 | |
| 2731 | if( year > to->year ) |
Paul Bakker | 40ea7de | 2009-05-03 10:18:48 +0000 | [diff] [blame] | 2732 | return( 1 ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2733 | |
Paul Bakker | cce9d77 | 2011-11-18 14:26:47 +0000 | [diff] [blame] | 2734 | if( year == to->year && |
| 2735 | mon > to->mon ) |
Paul Bakker | 40ea7de | 2009-05-03 10:18:48 +0000 | [diff] [blame] | 2736 | return( 1 ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2737 | |
Paul Bakker | cce9d77 | 2011-11-18 14:26:47 +0000 | [diff] [blame] | 2738 | if( year == to->year && |
| 2739 | mon == to->mon && |
| 2740 | day > to->day ) |
Paul Bakker | 40ea7de | 2009-05-03 10:18:48 +0000 | [diff] [blame] | 2741 | return( 1 ); |
| 2742 | |
Paul Bakker | cce9d77 | 2011-11-18 14:26:47 +0000 | [diff] [blame] | 2743 | if( year == to->year && |
| 2744 | mon == to->mon && |
| 2745 | day == to->day && |
| 2746 | hour > to->hour ) |
Paul Bakker | b619499 | 2011-01-16 21:40:22 +0000 | [diff] [blame] | 2747 | return( 1 ); |
| 2748 | |
Paul Bakker | cce9d77 | 2011-11-18 14:26:47 +0000 | [diff] [blame] | 2749 | if( year == to->year && |
| 2750 | mon == to->mon && |
| 2751 | day == to->day && |
| 2752 | hour == to->hour && |
| 2753 | min > to->min ) |
Paul Bakker | b619499 | 2011-01-16 21:40:22 +0000 | [diff] [blame] | 2754 | return( 1 ); |
| 2755 | |
Paul Bakker | cce9d77 | 2011-11-18 14:26:47 +0000 | [diff] [blame] | 2756 | if( year == to->year && |
| 2757 | mon == to->mon && |
| 2758 | day == to->day && |
| 2759 | hour == to->hour && |
| 2760 | min == to->min && |
| 2761 | sec > to->sec ) |
Paul Bakker | b619499 | 2011-01-16 21:40:22 +0000 | [diff] [blame] | 2762 | return( 1 ); |
| 2763 | |
Paul Bakker | 40ea7de | 2009-05-03 10:18:48 +0000 | [diff] [blame] | 2764 | return( 0 ); |
| 2765 | } |
| 2766 | |
| 2767 | /* |
| 2768 | * Return 1 if the certificate is revoked, or 0 otherwise. |
| 2769 | */ |
Paul Bakker | ff60ee6 | 2010-03-16 21:09:09 +0000 | [diff] [blame] | 2770 | int x509parse_revoked( const x509_cert *crt, const x509_crl *crl ) |
Paul Bakker | 40ea7de | 2009-05-03 10:18:48 +0000 | [diff] [blame] | 2771 | { |
Paul Bakker | ff60ee6 | 2010-03-16 21:09:09 +0000 | [diff] [blame] | 2772 | const x509_crl_entry *cur = &crl->entry; |
Paul Bakker | 40ea7de | 2009-05-03 10:18:48 +0000 | [diff] [blame] | 2773 | |
| 2774 | while( cur != NULL && cur->serial.len != 0 ) |
| 2775 | { |
Paul Bakker | a056efc | 2011-01-16 21:38:35 +0000 | [diff] [blame] | 2776 | if( crt->serial.len == cur->serial.len && |
| 2777 | memcmp( crt->serial.p, cur->serial.p, crt->serial.len ) == 0 ) |
Paul Bakker | 40ea7de | 2009-05-03 10:18:48 +0000 | [diff] [blame] | 2778 | { |
| 2779 | if( x509parse_time_expired( &cur->revocation_date ) ) |
| 2780 | return( 1 ); |
| 2781 | } |
| 2782 | |
| 2783 | cur = cur->next; |
| 2784 | } |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2785 | |
| 2786 | return( 0 ); |
| 2787 | } |
| 2788 | |
Paul Bakker | de4d2ea | 2009-10-03 19:58:52 +0000 | [diff] [blame] | 2789 | /* |
| 2790 | * Wrapper for x509 hashes. |
Paul Bakker | de4d2ea | 2009-10-03 19:58:52 +0000 | [diff] [blame] | 2791 | */ |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 2792 | static void x509_hash( const unsigned char *in, size_t len, int alg, |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2793 | unsigned char *out ) |
| 2794 | { |
| 2795 | switch( alg ) |
| 2796 | { |
Paul Bakker | 40e4694 | 2009-01-03 21:51:57 +0000 | [diff] [blame] | 2797 | #if defined(POLARSSL_MD2_C) |
Paul Bakker | 4593aea | 2009-02-09 22:32:35 +0000 | [diff] [blame] | 2798 | case SIG_RSA_MD2 : md2( in, len, out ); break; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2799 | #endif |
Paul Bakker | 40e4694 | 2009-01-03 21:51:57 +0000 | [diff] [blame] | 2800 | #if defined(POLARSSL_MD4_C) |
Paul Bakker | 4593aea | 2009-02-09 22:32:35 +0000 | [diff] [blame] | 2801 | case SIG_RSA_MD4 : md4( in, len, out ); break; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2802 | #endif |
Paul Bakker | de4d2ea | 2009-10-03 19:58:52 +0000 | [diff] [blame] | 2803 | #if defined(POLARSSL_MD5_C) |
Paul Bakker | 4593aea | 2009-02-09 22:32:35 +0000 | [diff] [blame] | 2804 | case SIG_RSA_MD5 : md5( in, len, out ); break; |
Paul Bakker | de4d2ea | 2009-10-03 19:58:52 +0000 | [diff] [blame] | 2805 | #endif |
| 2806 | #if defined(POLARSSL_SHA1_C) |
Paul Bakker | 4593aea | 2009-02-09 22:32:35 +0000 | [diff] [blame] | 2807 | case SIG_RSA_SHA1 : sha1( in, len, out ); break; |
Paul Bakker | de4d2ea | 2009-10-03 19:58:52 +0000 | [diff] [blame] | 2808 | #endif |
Paul Bakker | 4593aea | 2009-02-09 22:32:35 +0000 | [diff] [blame] | 2809 | #if defined(POLARSSL_SHA2_C) |
| 2810 | case SIG_RSA_SHA224 : sha2( in, len, out, 1 ); break; |
| 2811 | case SIG_RSA_SHA256 : sha2( in, len, out, 0 ); break; |
| 2812 | #endif |
Paul Bakker | fe1aea7 | 2009-10-03 20:09:14 +0000 | [diff] [blame] | 2813 | #if defined(POLARSSL_SHA4_C) |
Paul Bakker | 4593aea | 2009-02-09 22:32:35 +0000 | [diff] [blame] | 2814 | case SIG_RSA_SHA384 : sha4( in, len, out, 1 ); break; |
| 2815 | case SIG_RSA_SHA512 : sha4( in, len, out, 0 ); break; |
| 2816 | #endif |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2817 | default: |
Paul Bakker | de4d2ea | 2009-10-03 19:58:52 +0000 | [diff] [blame] | 2818 | memset( out, '\xFF', 64 ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2819 | break; |
| 2820 | } |
| 2821 | } |
| 2822 | |
| 2823 | /* |
Paul Bakker | 76fd75a | 2011-01-16 21:12:10 +0000 | [diff] [blame] | 2824 | * Check that the given certificate is valid accoring to the CRL. |
| 2825 | */ |
| 2826 | static int x509parse_verifycrl(x509_cert *crt, x509_cert *ca, |
| 2827 | x509_crl *crl_list) |
| 2828 | { |
| 2829 | int flags = 0; |
| 2830 | int hash_id; |
| 2831 | unsigned char hash[64]; |
| 2832 | |
| 2833 | /* |
| 2834 | * TODO: What happens if no CRL is present? |
| 2835 | * Suggestion: Revocation state should be unknown if no CRL is present. |
| 2836 | * For backwards compatibility this is not yet implemented. |
| 2837 | */ |
| 2838 | |
| 2839 | while( ca != NULL && crl_list != NULL && crl_list->version != 0 ) |
| 2840 | { |
| 2841 | if( crl_list->issuer_raw.len != ca->subject_raw.len || |
| 2842 | memcmp( crl_list->issuer_raw.p, ca->subject_raw.p, |
| 2843 | crl_list->issuer_raw.len ) != 0 ) |
| 2844 | { |
| 2845 | crl_list = crl_list->next; |
| 2846 | continue; |
| 2847 | } |
| 2848 | |
| 2849 | /* |
| 2850 | * Check if CRL is correctly signed by the trusted CA |
| 2851 | */ |
| 2852 | hash_id = crl_list->sig_alg; |
| 2853 | |
| 2854 | x509_hash( crl_list->tbs.p, crl_list->tbs.len, hash_id, hash ); |
| 2855 | |
| 2856 | if( !rsa_pkcs1_verify( &ca->rsa, RSA_PUBLIC, hash_id, |
| 2857 | 0, hash, crl_list->sig.p ) == 0 ) |
| 2858 | { |
| 2859 | /* |
| 2860 | * CRL is not trusted |
| 2861 | */ |
| 2862 | flags |= BADCRL_NOT_TRUSTED; |
| 2863 | break; |
| 2864 | } |
| 2865 | |
| 2866 | /* |
| 2867 | * Check for validity of CRL (Do not drop out) |
| 2868 | */ |
| 2869 | if( x509parse_time_expired( &crl_list->next_update ) ) |
| 2870 | flags |= BADCRL_EXPIRED; |
| 2871 | |
| 2872 | /* |
| 2873 | * Check if certificate is revoked |
| 2874 | */ |
| 2875 | if( x509parse_revoked(crt, crl_list) ) |
| 2876 | { |
| 2877 | flags |= BADCERT_REVOKED; |
| 2878 | break; |
| 2879 | } |
| 2880 | |
| 2881 | crl_list = crl_list->next; |
| 2882 | } |
| 2883 | return flags; |
| 2884 | } |
| 2885 | |
| 2886 | /* |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2887 | * Verify the certificate validity |
| 2888 | */ |
| 2889 | int x509parse_verify( x509_cert *crt, |
| 2890 | x509_cert *trust_ca, |
Paul Bakker | 40ea7de | 2009-05-03 10:18:48 +0000 | [diff] [blame] | 2891 | x509_crl *ca_crl, |
Paul Bakker | b63b0af | 2011-01-13 17:54:59 +0000 | [diff] [blame] | 2892 | const char *cn, int *flags, |
| 2893 | int (*f_vrfy)(void *, x509_cert *, int, int), |
| 2894 | void *p_vrfy ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2895 | { |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 2896 | size_t cn_len; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2897 | int hash_id; |
| 2898 | int pathlen; |
Paul Bakker | 76fd75a | 2011-01-16 21:12:10 +0000 | [diff] [blame] | 2899 | x509_cert *parent; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2900 | x509_name *name; |
Paul Bakker | 4593aea | 2009-02-09 22:32:35 +0000 | [diff] [blame] | 2901 | unsigned char hash[64]; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2902 | |
Paul Bakker | 40ea7de | 2009-05-03 10:18:48 +0000 | [diff] [blame] | 2903 | *flags = 0; |
| 2904 | |
| 2905 | if( x509parse_time_expired( &crt->valid_to ) ) |
| 2906 | *flags = BADCERT_EXPIRED; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2907 | |
| 2908 | if( cn != NULL ) |
| 2909 | { |
| 2910 | name = &crt->subject; |
| 2911 | cn_len = strlen( cn ); |
| 2912 | |
| 2913 | while( name != NULL ) |
| 2914 | { |
Paul Bakker | 7261cba | 2013-01-16 12:39:54 +0100 | [diff] [blame] | 2915 | if( name->oid.len == 3 && |
| 2916 | memcmp( name->oid.p, OID_CN, 3 ) == 0 && |
| 2917 | name->val.len == cn_len && |
| 2918 | memcmp( name->val.p, cn, cn_len ) == 0 ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2919 | break; |
| 2920 | |
| 2921 | name = name->next; |
| 2922 | } |
| 2923 | |
| 2924 | if( name == NULL ) |
| 2925 | *flags |= BADCERT_CN_MISMATCH; |
| 2926 | } |
| 2927 | |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2928 | /* |
| 2929 | * Iterate upwards in the given cert chain, |
| 2930 | * ignoring any upper cert with CA != TRUE. |
| 2931 | */ |
Paul Bakker | 76fd75a | 2011-01-16 21:12:10 +0000 | [diff] [blame] | 2932 | parent = crt->next; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2933 | |
| 2934 | pathlen = 1; |
| 2935 | |
Paul Bakker | 76fd75a | 2011-01-16 21:12:10 +0000 | [diff] [blame] | 2936 | while( parent != NULL && parent->version != 0 ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2937 | { |
Paul Bakker | 76fd75a | 2011-01-16 21:12:10 +0000 | [diff] [blame] | 2938 | if( parent->ca_istrue == 0 || |
| 2939 | crt->issuer_raw.len != parent->subject_raw.len || |
| 2940 | memcmp( crt->issuer_raw.p, parent->subject_raw.p, |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2941 | crt->issuer_raw.len ) != 0 ) |
| 2942 | { |
Paul Bakker | 76fd75a | 2011-01-16 21:12:10 +0000 | [diff] [blame] | 2943 | parent = parent->next; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2944 | continue; |
| 2945 | } |
| 2946 | |
Paul Bakker | 27d6616 | 2010-03-17 06:56:01 +0000 | [diff] [blame] | 2947 | hash_id = crt->sig_alg; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2948 | |
| 2949 | x509_hash( crt->tbs.p, crt->tbs.len, hash_id, hash ); |
| 2950 | |
Paul Bakker | 76fd75a | 2011-01-16 21:12:10 +0000 | [diff] [blame] | 2951 | if( rsa_pkcs1_verify( &parent->rsa, RSA_PUBLIC, hash_id, 0, hash, |
| 2952 | crt->sig.p ) != 0 ) |
| 2953 | *flags |= BADCERT_NOT_TRUSTED; |
| 2954 | |
| 2955 | /* Check trusted CA's CRL for the given crt */ |
| 2956 | *flags |= x509parse_verifycrl(crt, parent, ca_crl); |
Paul Bakker | b63b0af | 2011-01-13 17:54:59 +0000 | [diff] [blame] | 2957 | |
| 2958 | /* crt is verified to be a child of the parent cur, call verify callback */ |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 2959 | if( NULL != f_vrfy ) |
| 2960 | { |
Paul Bakker | 76fd75a | 2011-01-16 21:12:10 +0000 | [diff] [blame] | 2961 | if( f_vrfy( p_vrfy, crt, pathlen - 1, ( *flags == 0 ) ) != 0 ) |
Paul Bakker | b63b0af | 2011-01-13 17:54:59 +0000 | [diff] [blame] | 2962 | return( POLARSSL_ERR_X509_CERT_VERIFY_FAILED ); |
Paul Bakker | 76fd75a | 2011-01-16 21:12:10 +0000 | [diff] [blame] | 2963 | else |
| 2964 | *flags = 0; |
Paul Bakker | b63b0af | 2011-01-13 17:54:59 +0000 | [diff] [blame] | 2965 | } |
Paul Bakker | 76fd75a | 2011-01-16 21:12:10 +0000 | [diff] [blame] | 2966 | else if( *flags != 0 ) |
| 2967 | return( POLARSSL_ERR_X509_CERT_VERIFY_FAILED ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2968 | |
| 2969 | pathlen++; |
| 2970 | |
Paul Bakker | 76fd75a | 2011-01-16 21:12:10 +0000 | [diff] [blame] | 2971 | crt = parent; |
| 2972 | parent = crt->next; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2973 | } |
| 2974 | |
| 2975 | /* |
Paul Bakker | 76fd75a | 2011-01-16 21:12:10 +0000 | [diff] [blame] | 2976 | * Attempt to validate topmost cert with our CA chain. |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2977 | */ |
Paul Bakker | 76fd75a | 2011-01-16 21:12:10 +0000 | [diff] [blame] | 2978 | *flags |= BADCERT_NOT_TRUSTED; |
| 2979 | |
Paul Bakker | 7c6d4a4 | 2009-03-28 20:35:47 +0000 | [diff] [blame] | 2980 | while( trust_ca != NULL && trust_ca->version != 0 ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2981 | { |
| 2982 | if( crt->issuer_raw.len != trust_ca->subject_raw.len || |
| 2983 | memcmp( crt->issuer_raw.p, trust_ca->subject_raw.p, |
| 2984 | crt->issuer_raw.len ) != 0 ) |
| 2985 | { |
| 2986 | trust_ca = trust_ca->next; |
| 2987 | continue; |
| 2988 | } |
| 2989 | |
| 2990 | if( trust_ca->max_pathlen > 0 && |
| 2991 | trust_ca->max_pathlen < pathlen ) |
| 2992 | break; |
| 2993 | |
Paul Bakker | 27d6616 | 2010-03-17 06:56:01 +0000 | [diff] [blame] | 2994 | hash_id = crt->sig_alg; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2995 | |
| 2996 | x509_hash( crt->tbs.p, crt->tbs.len, hash_id, hash ); |
| 2997 | |
| 2998 | if( rsa_pkcs1_verify( &trust_ca->rsa, RSA_PUBLIC, hash_id, |
| 2999 | 0, hash, crt->sig.p ) == 0 ) |
| 3000 | { |
| 3001 | /* |
| 3002 | * cert. is signed by a trusted CA |
| 3003 | */ |
| 3004 | *flags &= ~BADCERT_NOT_TRUSTED; |
| 3005 | break; |
| 3006 | } |
| 3007 | |
| 3008 | trust_ca = trust_ca->next; |
| 3009 | } |
| 3010 | |
Paul Bakker | 76fd75a | 2011-01-16 21:12:10 +0000 | [diff] [blame] | 3011 | /* Check trusted CA's CRL for the given crt */ |
| 3012 | *flags |= x509parse_verifycrl( crt, trust_ca, ca_crl ); |
Paul Bakker | b63b0af | 2011-01-13 17:54:59 +0000 | [diff] [blame] | 3013 | |
| 3014 | /* Verification succeeded, call callback on top cert */ |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 3015 | if( NULL != f_vrfy ) |
| 3016 | { |
Paul Bakker | 76fd75a | 2011-01-16 21:12:10 +0000 | [diff] [blame] | 3017 | if( f_vrfy(p_vrfy, crt, pathlen-1, ( *flags == 0 ) ) != 0 ) |
Paul Bakker | b63b0af | 2011-01-13 17:54:59 +0000 | [diff] [blame] | 3018 | return( POLARSSL_ERR_X509_CERT_VERIFY_FAILED ); |
Paul Bakker | 76fd75a | 2011-01-16 21:12:10 +0000 | [diff] [blame] | 3019 | else |
| 3020 | *flags = 0; |
Paul Bakker | b63b0af | 2011-01-13 17:54:59 +0000 | [diff] [blame] | 3021 | } |
Paul Bakker | 76fd75a | 2011-01-16 21:12:10 +0000 | [diff] [blame] | 3022 | else if( *flags != 0 ) |
| 3023 | return( POLARSSL_ERR_X509_CERT_VERIFY_FAILED ); |
Paul Bakker | b63b0af | 2011-01-13 17:54:59 +0000 | [diff] [blame] | 3024 | |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3025 | return( 0 ); |
| 3026 | } |
| 3027 | |
| 3028 | /* |
| 3029 | * Unallocate all certificate data |
| 3030 | */ |
| 3031 | void x509_free( x509_cert *crt ) |
| 3032 | { |
| 3033 | x509_cert *cert_cur = crt; |
| 3034 | x509_cert *cert_prv; |
| 3035 | x509_name *name_cur; |
| 3036 | x509_name *name_prv; |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 3037 | x509_sequence *seq_cur; |
| 3038 | x509_sequence *seq_prv; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3039 | |
| 3040 | if( crt == NULL ) |
| 3041 | return; |
| 3042 | |
| 3043 | do |
| 3044 | { |
| 3045 | rsa_free( &cert_cur->rsa ); |
| 3046 | |
| 3047 | name_cur = cert_cur->issuer.next; |
| 3048 | while( name_cur != NULL ) |
| 3049 | { |
| 3050 | name_prv = name_cur; |
| 3051 | name_cur = name_cur->next; |
| 3052 | memset( name_prv, 0, sizeof( x509_name ) ); |
| 3053 | free( name_prv ); |
| 3054 | } |
| 3055 | |
| 3056 | name_cur = cert_cur->subject.next; |
| 3057 | while( name_cur != NULL ) |
| 3058 | { |
| 3059 | name_prv = name_cur; |
| 3060 | name_cur = name_cur->next; |
| 3061 | memset( name_prv, 0, sizeof( x509_name ) ); |
| 3062 | free( name_prv ); |
| 3063 | } |
| 3064 | |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 3065 | seq_cur = cert_cur->ext_key_usage.next; |
| 3066 | while( seq_cur != NULL ) |
| 3067 | { |
| 3068 | seq_prv = seq_cur; |
| 3069 | seq_cur = seq_cur->next; |
| 3070 | memset( seq_prv, 0, sizeof( x509_sequence ) ); |
| 3071 | free( seq_prv ); |
| 3072 | } |
| 3073 | |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3074 | if( cert_cur->raw.p != NULL ) |
| 3075 | { |
| 3076 | memset( cert_cur->raw.p, 0, cert_cur->raw.len ); |
| 3077 | free( cert_cur->raw.p ); |
| 3078 | } |
| 3079 | |
| 3080 | cert_cur = cert_cur->next; |
| 3081 | } |
| 3082 | while( cert_cur != NULL ); |
| 3083 | |
| 3084 | cert_cur = crt; |
| 3085 | do |
| 3086 | { |
| 3087 | cert_prv = cert_cur; |
| 3088 | cert_cur = cert_cur->next; |
| 3089 | |
| 3090 | memset( cert_prv, 0, sizeof( x509_cert ) ); |
| 3091 | if( cert_prv != crt ) |
| 3092 | free( cert_prv ); |
| 3093 | } |
| 3094 | while( cert_cur != NULL ); |
| 3095 | } |
| 3096 | |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 3097 | /* |
| 3098 | * Unallocate all CRL data |
| 3099 | */ |
| 3100 | void x509_crl_free( x509_crl *crl ) |
| 3101 | { |
| 3102 | x509_crl *crl_cur = crl; |
| 3103 | x509_crl *crl_prv; |
| 3104 | x509_name *name_cur; |
| 3105 | x509_name *name_prv; |
| 3106 | x509_crl_entry *entry_cur; |
| 3107 | x509_crl_entry *entry_prv; |
| 3108 | |
| 3109 | if( crl == NULL ) |
| 3110 | return; |
| 3111 | |
| 3112 | do |
| 3113 | { |
| 3114 | name_cur = crl_cur->issuer.next; |
| 3115 | while( name_cur != NULL ) |
| 3116 | { |
| 3117 | name_prv = name_cur; |
| 3118 | name_cur = name_cur->next; |
| 3119 | memset( name_prv, 0, sizeof( x509_name ) ); |
| 3120 | free( name_prv ); |
| 3121 | } |
| 3122 | |
| 3123 | entry_cur = crl_cur->entry.next; |
| 3124 | while( entry_cur != NULL ) |
| 3125 | { |
| 3126 | entry_prv = entry_cur; |
| 3127 | entry_cur = entry_cur->next; |
| 3128 | memset( entry_prv, 0, sizeof( x509_crl_entry ) ); |
| 3129 | free( entry_prv ); |
| 3130 | } |
| 3131 | |
| 3132 | if( crl_cur->raw.p != NULL ) |
| 3133 | { |
| 3134 | memset( crl_cur->raw.p, 0, crl_cur->raw.len ); |
| 3135 | free( crl_cur->raw.p ); |
| 3136 | } |
| 3137 | |
| 3138 | crl_cur = crl_cur->next; |
| 3139 | } |
| 3140 | while( crl_cur != NULL ); |
| 3141 | |
| 3142 | crl_cur = crl; |
| 3143 | do |
| 3144 | { |
| 3145 | crl_prv = crl_cur; |
| 3146 | crl_cur = crl_cur->next; |
| 3147 | |
| 3148 | memset( crl_prv, 0, sizeof( x509_crl ) ); |
| 3149 | if( crl_prv != crl ) |
| 3150 | free( crl_prv ); |
| 3151 | } |
| 3152 | while( crl_cur != NULL ); |
| 3153 | } |
| 3154 | |
Paul Bakker | 40e4694 | 2009-01-03 21:51:57 +0000 | [diff] [blame] | 3155 | #if defined(POLARSSL_SELF_TEST) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3156 | |
Paul Bakker | 40e4694 | 2009-01-03 21:51:57 +0000 | [diff] [blame] | 3157 | #include "polarssl/certs.h" |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3158 | |
| 3159 | /* |
| 3160 | * Checkup routine |
| 3161 | */ |
| 3162 | int x509_self_test( int verbose ) |
| 3163 | { |
Paul Bakker | 5690efc | 2011-05-26 13:16:06 +0000 | [diff] [blame] | 3164 | #if defined(POLARSSL_CERTS_C) && defined(POLARSSL_MD5_C) |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 3165 | int ret; |
| 3166 | int flags; |
| 3167 | size_t i, j; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3168 | x509_cert cacert; |
| 3169 | x509_cert clicert; |
| 3170 | rsa_context rsa; |
Paul Bakker | 5690efc | 2011-05-26 13:16:06 +0000 | [diff] [blame] | 3171 | #if defined(POLARSSL_DHM_C) |
Paul Bakker | 1b57b06 | 2011-01-06 15:48:19 +0000 | [diff] [blame] | 3172 | dhm_context dhm; |
Paul Bakker | 5690efc | 2011-05-26 13:16:06 +0000 | [diff] [blame] | 3173 | #endif |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3174 | |
| 3175 | if( verbose != 0 ) |
| 3176 | printf( " X.509 certificate load: " ); |
| 3177 | |
| 3178 | memset( &clicert, 0, sizeof( x509_cert ) ); |
| 3179 | |
| 3180 | ret = x509parse_crt( &clicert, (unsigned char *) test_cli_crt, |
Paul Bakker | 732e1a8 | 2011-12-11 16:35:09 +0000 | [diff] [blame] | 3181 | strlen( test_cli_crt ) ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3182 | if( ret != 0 ) |
| 3183 | { |
| 3184 | if( verbose != 0 ) |
| 3185 | printf( "failed\n" ); |
| 3186 | |
| 3187 | return( ret ); |
| 3188 | } |
| 3189 | |
| 3190 | memset( &cacert, 0, sizeof( x509_cert ) ); |
| 3191 | |
| 3192 | ret = x509parse_crt( &cacert, (unsigned char *) test_ca_crt, |
Paul Bakker | 732e1a8 | 2011-12-11 16:35:09 +0000 | [diff] [blame] | 3193 | strlen( test_ca_crt ) ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3194 | if( ret != 0 ) |
| 3195 | { |
| 3196 | if( verbose != 0 ) |
| 3197 | printf( "failed\n" ); |
| 3198 | |
| 3199 | return( ret ); |
| 3200 | } |
| 3201 | |
| 3202 | if( verbose != 0 ) |
| 3203 | printf( "passed\n X.509 private key load: " ); |
| 3204 | |
| 3205 | i = strlen( test_ca_key ); |
| 3206 | j = strlen( test_ca_pwd ); |
| 3207 | |
Paul Bakker | 66b78b2 | 2011-03-25 14:22:50 +0000 | [diff] [blame] | 3208 | rsa_init( &rsa, RSA_PKCS_V15, 0 ); |
| 3209 | |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3210 | if( ( ret = x509parse_key( &rsa, |
| 3211 | (unsigned char *) test_ca_key, i, |
| 3212 | (unsigned char *) test_ca_pwd, j ) ) != 0 ) |
| 3213 | { |
| 3214 | if( verbose != 0 ) |
| 3215 | printf( "failed\n" ); |
| 3216 | |
| 3217 | return( ret ); |
| 3218 | } |
| 3219 | |
| 3220 | if( verbose != 0 ) |
| 3221 | printf( "passed\n X.509 signature verify: "); |
| 3222 | |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 3223 | ret = x509parse_verify( &clicert, &cacert, NULL, "PolarSSL Client 2", &flags, NULL, NULL ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3224 | if( ret != 0 ) |
| 3225 | { |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 3226 | printf("%02x", flags); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3227 | if( verbose != 0 ) |
| 3228 | printf( "failed\n" ); |
| 3229 | |
| 3230 | return( ret ); |
| 3231 | } |
| 3232 | |
Paul Bakker | 5690efc | 2011-05-26 13:16:06 +0000 | [diff] [blame] | 3233 | #if defined(POLARSSL_DHM_C) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3234 | if( verbose != 0 ) |
Paul Bakker | 1b57b06 | 2011-01-06 15:48:19 +0000 | [diff] [blame] | 3235 | printf( "passed\n X.509 DHM parameter load: " ); |
| 3236 | |
| 3237 | i = strlen( test_dhm_params ); |
| 3238 | j = strlen( test_ca_pwd ); |
| 3239 | |
| 3240 | if( ( ret = x509parse_dhm( &dhm, (unsigned char *) test_dhm_params, i ) ) != 0 ) |
| 3241 | { |
| 3242 | if( verbose != 0 ) |
| 3243 | printf( "failed\n" ); |
| 3244 | |
| 3245 | return( ret ); |
| 3246 | } |
| 3247 | |
| 3248 | if( verbose != 0 ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3249 | printf( "passed\n\n" ); |
Paul Bakker | 5690efc | 2011-05-26 13:16:06 +0000 | [diff] [blame] | 3250 | #endif |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3251 | |
| 3252 | x509_free( &cacert ); |
| 3253 | x509_free( &clicert ); |
| 3254 | rsa_free( &rsa ); |
Paul Bakker | 5690efc | 2011-05-26 13:16:06 +0000 | [diff] [blame] | 3255 | #if defined(POLARSSL_DHM_C) |
Paul Bakker | 1b57b06 | 2011-01-06 15:48:19 +0000 | [diff] [blame] | 3256 | dhm_free( &dhm ); |
Paul Bakker | 5690efc | 2011-05-26 13:16:06 +0000 | [diff] [blame] | 3257 | #endif |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3258 | |
| 3259 | return( 0 ); |
Paul Bakker | de4d2ea | 2009-10-03 19:58:52 +0000 | [diff] [blame] | 3260 | #else |
| 3261 | ((void) verbose); |
| 3262 | return( POLARSSL_ERR_X509_FEATURE_UNAVAILABLE ); |
| 3263 | #endif |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3264 | } |
| 3265 | |
| 3266 | #endif |
| 3267 | |
| 3268 | #endif |