TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / fac657fd5249f09bc7c69ff728edb9f9b0fd39ee / . / library / x509_crl.c
blob: ce6df6eaed6a2df7370a229b26785b8ef4b4a405 [file] [log] [blame]
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]1/*
Manuel Pégourié-Gonnard1c082f32014-06-12 22:34:55 +0200[diff] [blame]2 * X.509 Certidicate Revocation List (CRL) parsing
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]3 *
Manuel Pégourié-Gonnarda658a402015-01-23 09:45:19 +0000[diff] [blame]4 * Copyright (C) 2006-2014, ARM Limited, All Rights Reserved
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]5 *
Manuel Pégourié-Gonnard860b5162015-01-28 17:12:07 +0000[diff] [blame]6 * This file is part of mbed TLS (https://polarssl.org)
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]7 *
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
12 *
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17 *
18 * You should have received a copy of the GNU General Public License along
19 * with this program; if not, write to the Free Software Foundation, Inc.,
20 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
21 */
22/*
23 * The ITU-T X.509 standard defines a certificate format for PKI.
24 *
Manuel Pégourié-Gonnard1c082f32014-06-12 22:34:55 +0200[diff] [blame]25 * http://www.ietf.org/rfc/rfc5280.txt (Certificates and CRLs)
26 * http://www.ietf.org/rfc/rfc3279.txt (Alg IDs for CRLs)
27 * http://www.ietf.org/rfc/rfc2986.txt (CSRs, aka PKCS#10)
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]28 *
29 * http://www.itu.int/ITU-T/studygroups/com17/languages/X.680-0207.pdf
30 * http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf
31 */
32
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]33#if !defined(POLARSSL_CONFIG_FILE)
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]34#include "polarssl/config.h"
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]35#else
36#include POLARSSL_CONFIG_FILE
37#endif
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]38
39#if defined(POLARSSL_X509_CRL_PARSE_C)
40
41#include "polarssl/x509_crl.h"
42#include "polarssl/oid.h"
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]43
44#include <string.h>
45
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]46#if defined(POLARSSL_PEM_PARSE_C)
47#include "polarssl/pem.h"
48#endif
49
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]50#if defined(POLARSSL_PLATFORM_C)
51#include "polarssl/platform.h"
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]52#else
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]53#include <stdlib.h>
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]54#define polarssl_free free
Rich Evansfac657f2015-01-30 11:00:01 +0000[diff] [blame^]55#define polarssl_malloc malloc
56#define polarssl_snprintf snprintf
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]57#endif
58
Paul Bakkerfa6a6202013-10-28 18:48:30 +0100[diff] [blame]59#if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]60#include <windows.h>
61#else
62#include <time.h>
63#endif
64
Paul Bakkerfa6a6202013-10-28 18:48:30 +0100[diff] [blame]65#if defined(POLARSSL_FS_IO) || defined(EFIX64) || defined(EFI32)
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]66#include <stdio.h>
67#endif
68
Paul Bakker34617722014-06-13 17:20:13 +0200[diff] [blame]69/* Implementation that should never be optimized out by the compiler */
70static void polarssl_zeroize( void *v, size_t n ) {
71 volatile unsigned char *p = v; while( n-- ) *p++ = 0;
72}
73
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]74/*
75 * Version ::= INTEGER { v1(0), v2(1) }
76 */
77static int x509_crl_get_version( unsigned char **p,
78 const unsigned char *end,
79 int *ver )
80{
81 int ret;
82
83 if( ( ret = asn1_get_int( p, end, ver ) ) != 0 )
84 {
85 if( ret == POLARSSL_ERR_ASN1_UNEXPECTED_TAG )
86 {
87 *ver = 0;
88 return( 0 );
89 }
90
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]91 return( POLARSSL_ERR_X509_INVALID_VERSION + ret );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]92 }
93
94 return( 0 );
95}
96
97/*
98 * X.509 CRL v2 extensions (no extensions parsed yet.)
99 */
100static int x509_get_crl_ext( unsigned char **p,
101 const unsigned char *end,
102 x509_buf *ext )
103{
104 int ret;
105 size_t len = 0;
106
107 /* Get explicit tag */
108 if( ( ret = x509_get_ext( p, end, ext, 0) ) != 0 )
109 {
110 if( ret == POLARSSL_ERR_ASN1_UNEXPECTED_TAG )
111 return( 0 );
112
113 return( ret );
114 }
115
116 while( *p < end )
117 {
118 if( ( ret = asn1_get_tag( p, end, &len,
119 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]120 return( POLARSSL_ERR_X509_INVALID_EXTENSIONS + ret );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]121
122 *p += len;
123 }
124
125 if( *p != end )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]126 return( POLARSSL_ERR_X509_INVALID_EXTENSIONS +
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]127 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
128
129 return( 0 );
130}
131
132/*
133 * X.509 CRL v2 entry extensions (no extensions parsed yet.)
134 */
135static int x509_get_crl_entry_ext( unsigned char **p,
136 const unsigned char *end,
137 x509_buf *ext )
138{
139 int ret;
140 size_t len = 0;
141
142 /* OPTIONAL */
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]143 if( end <= *p )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]144 return( 0 );
145
146 ext->tag = **p;
147 ext->p = *p;
148
149 /*
150 * Get CRL-entry extension sequence header
151 * crlEntryExtensions Extensions OPTIONAL -- if present, MUST be v2
152 */
153 if( ( ret = asn1_get_tag( p, end, &ext->len,
154 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
155 {
156 if( ret == POLARSSL_ERR_ASN1_UNEXPECTED_TAG )
157 {
158 ext->p = NULL;
159 return( 0 );
160 }
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]161 return( POLARSSL_ERR_X509_INVALID_EXTENSIONS + ret );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]162 }
163
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]164 end = *p + ext->len;
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]165
166 if( end != *p + ext->len )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]167 return( POLARSSL_ERR_X509_INVALID_EXTENSIONS +
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]168 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
169
170 while( *p < end )
171 {
172 if( ( ret = asn1_get_tag( p, end, &len,
173 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]174 return( POLARSSL_ERR_X509_INVALID_EXTENSIONS + ret );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]175
176 *p += len;
177 }
178
179 if( *p != end )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]180 return( POLARSSL_ERR_X509_INVALID_EXTENSIONS +
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]181 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
182
183 return( 0 );
184}
185
186/*
187 * X.509 CRL Entries
188 */
189static int x509_get_entries( unsigned char **p,
190 const unsigned char *end,
191 x509_crl_entry *entry )
192{
193 int ret;
194 size_t entry_len;
195 x509_crl_entry *cur_entry = entry;
196
197 if( *p == end )
198 return( 0 );
199
200 if( ( ret = asn1_get_tag( p, end, &entry_len,
201 ASN1_SEQUENCE | ASN1_CONSTRUCTED ) ) != 0 )
202 {
203 if( ret == POLARSSL_ERR_ASN1_UNEXPECTED_TAG )
204 return( 0 );
205
206 return( ret );
207 }
208
209 end = *p + entry_len;
210
211 while( *p < end )
212 {
213 size_t len2;
214 const unsigned char *end2;
215
216 if( ( ret = asn1_get_tag( p, end, &len2,
217 ASN1_SEQUENCE | ASN1_CONSTRUCTED ) ) != 0 )
218 {
219 return( ret );
220 }
221
222 cur_entry->raw.tag = **p;
223 cur_entry->raw.p = *p;
224 cur_entry->raw.len = len2;
225 end2 = *p + len2;
226
227 if( ( ret = x509_get_serial( p, end2, &cur_entry->serial ) ) != 0 )
228 return( ret );
229
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200[diff] [blame]230 if( ( ret = x509_get_time( p, end2,
231 &cur_entry->revocation_date ) ) != 0 )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]232 return( ret );
233
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200[diff] [blame]234 if( ( ret = x509_get_crl_entry_ext( p, end2,
235 &cur_entry->entry_ext ) ) != 0 )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]236 return( ret );
237
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]238 if( *p < end )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]239 {
240 cur_entry->next = polarssl_malloc( sizeof( x509_crl_entry ) );
241
242 if( cur_entry->next == NULL )
243 return( POLARSSL_ERR_X509_MALLOC_FAILED );
244
Manuel Pégourié-Gonnarde5b0fc12014-11-12 22:27:42 +0100[diff] [blame]245 memset( cur_entry->next, 0, sizeof( x509_crl_entry ) );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]246 cur_entry = cur_entry->next;
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]247 }
248 }
249
250 return( 0 );
251}
252
253/*
Manuel Pégourié-Gonnard426d4ae2014-11-19 16:58:28 +0100[diff] [blame]254 * Parse one CRLs in DER format and append it to the chained list
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]255 */
Manuel Pégourié-Gonnard426d4ae2014-11-19 16:58:28 +0100[diff] [blame]256int x509_crl_parse_der( x509_crl *chain,
257 const unsigned char *buf, size_t buflen )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]258{
259 int ret;
260 size_t len;
261 unsigned char *p, *end;
Manuel Pégourié-Gonnarddddbb1d2014-06-05 17:02:24 +0200[diff] [blame]262 x509_buf sig_params1, sig_params2;
Manuel Pégourié-Gonnard426d4ae2014-11-19 16:58:28 +0100[diff] [blame]263 x509_crl *crl = chain;
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]264
265 /*
266 * Check for valid input
267 */
268 if( crl == NULL || buf == NULL )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]269 return( POLARSSL_ERR_X509_BAD_INPUT_DATA );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]270
Manuel Pégourié-Gonnard426d4ae2014-11-19 16:58:28 +0100[diff] [blame]271 memset( &sig_params1, 0, sizeof( x509_buf ) );
272 memset( &sig_params2, 0, sizeof( x509_buf ) );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]273
274 /*
275 * Add new CRL on the end of the chain if needed.
276 */
Manuel Pégourié-Gonnard426d4ae2014-11-19 16:58:28 +0100[diff] [blame]277 while( crl->version != 0 && crl->next != NULL )
278 crl = crl->next;
279
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]280 if( crl->version != 0 && crl->next == NULL )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]281 {
282 crl->next = (x509_crl *) polarssl_malloc( sizeof( x509_crl ) );
283
284 if( crl->next == NULL )
285 {
286 x509_crl_free( crl );
287 return( POLARSSL_ERR_X509_MALLOC_FAILED );
288 }
289
Manuel Pégourié-Gonnarde5b0fc12014-11-12 22:27:42 +0100[diff] [blame]290 x509_crl_init( crl->next );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]291 crl = crl->next;
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]292 }
293
Manuel Pégourié-Gonnard426d4ae2014-11-19 16:58:28 +0100[diff] [blame]294 /*
295 * Copy raw DER-encoded CRL
296 */
297 if( ( p = polarssl_malloc( buflen ) ) == NULL )
298 return( POLARSSL_ERR_X509_MALLOC_FAILED );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]299
Manuel Pégourié-Gonnard426d4ae2014-11-19 16:58:28 +0100[diff] [blame]300 memcpy( p, buf, buflen );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]301
302 crl->raw.p = p;
Manuel Pégourié-Gonnard426d4ae2014-11-19 16:58:28 +0100[diff] [blame]303 crl->raw.len = buflen;
304
305 end = p + buflen;
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]306
307 /*
308 * CertificateList ::= SEQUENCE {
309 * tbsCertList TBSCertList,
310 * signatureAlgorithm AlgorithmIdentifier,
311 * signatureValue BIT STRING }
312 */
313 if( ( ret = asn1_get_tag( &p, end, &len,
314 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
315 {
316 x509_crl_free( crl );
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]317 return( POLARSSL_ERR_X509_INVALID_FORMAT );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]318 }
319
320 if( len != (size_t) ( end - p ) )
321 {
322 x509_crl_free( crl );
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]323 return( POLARSSL_ERR_X509_INVALID_FORMAT +
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]324 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
325 }
326
327 /*
328 * TBSCertList ::= SEQUENCE {
329 */
330 crl->tbs.p = p;
331
332 if( ( ret = asn1_get_tag( &p, end, &len,
333 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
334 {
335 x509_crl_free( crl );
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]336 return( POLARSSL_ERR_X509_INVALID_FORMAT + ret );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]337 }
338
339 end = p + len;
340 crl->tbs.len = end - crl->tbs.p;
341
342 /*
343 * Version ::= INTEGER OPTIONAL { v1(0), v2(1) }
344 * -- if present, MUST be v2
345 *
346 * signature AlgorithmIdentifier
347 */
348 if( ( ret = x509_crl_get_version( &p, end, &crl->version ) ) != 0 ||
Manuel Pégourié-Gonnarddddbb1d2014-06-05 17:02:24 +0200[diff] [blame]349 ( ret = x509_get_alg( &p, end, &crl->sig_oid1, &sig_params1 ) ) != 0 )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]350 {
351 x509_crl_free( crl );
352 return( ret );
353 }
354
355 crl->version++;
356
357 if( crl->version > 2 )
358 {
359 x509_crl_free( crl );
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]360 return( POLARSSL_ERR_X509_UNKNOWN_VERSION );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]361 }
362
Manuel Pégourié-Gonnarddddbb1d2014-06-05 17:02:24 +0200[diff] [blame]363 if( ( ret = x509_get_sig_alg( &crl->sig_oid1, &sig_params1,
Manuel Pégourié-Gonnardf75f2f72014-06-05 15:14:28 +0200[diff] [blame]364 &crl->sig_md, &crl->sig_pk,
365 &crl->sig_opts ) ) != 0 )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]366 {
367 x509_crl_free( crl );
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]368 return( POLARSSL_ERR_X509_UNKNOWN_SIG_ALG );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]369 }
370
371 /*
372 * issuer Name
373 */
374 crl->issuer_raw.p = p;
375
376 if( ( ret = asn1_get_tag( &p, end, &len,
377 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
378 {
379 x509_crl_free( crl );
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]380 return( POLARSSL_ERR_X509_INVALID_FORMAT + ret );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]381 }
382
383 if( ( ret = x509_get_name( &p, p + len, &crl->issuer ) ) != 0 )
384 {
385 x509_crl_free( crl );
386 return( ret );
387 }
388
389 crl->issuer_raw.len = p - crl->issuer_raw.p;
390
391 /*
392 * thisUpdate Time
393 * nextUpdate Time OPTIONAL
394 */
395 if( ( ret = x509_get_time( &p, end, &crl->this_update ) ) != 0 )
396 {
397 x509_crl_free( crl );
398 return( ret );
399 }
400
401 if( ( ret = x509_get_time( &p, end, &crl->next_update ) ) != 0 )
402 {
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]403 if( ret != ( POLARSSL_ERR_X509_INVALID_DATE +
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]404 POLARSSL_ERR_ASN1_UNEXPECTED_TAG ) &&
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]405 ret != ( POLARSSL_ERR_X509_INVALID_DATE +
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]406 POLARSSL_ERR_ASN1_OUT_OF_DATA ) )
407 {
408 x509_crl_free( crl );
409 return( ret );
410 }
411 }
412
413 /*
414 * revokedCertificates SEQUENCE OF SEQUENCE {
415 * userCertificate CertificateSerialNumber,
416 * revocationDate Time,
417 * crlEntryExtensions Extensions OPTIONAL
418 * -- if present, MUST be v2
419 * } OPTIONAL
420 */
421 if( ( ret = x509_get_entries( &p, end, &crl->entry ) ) != 0 )
422 {
423 x509_crl_free( crl );
424 return( ret );
425 }
426
427 /*
428 * crlExtensions EXPLICIT Extensions OPTIONAL
429 * -- if present, MUST be v2
430 */
431 if( crl->version == 2 )
432 {
433 ret = x509_get_crl_ext( &p, end, &crl->crl_ext );
434
435 if( ret != 0 )
436 {
437 x509_crl_free( crl );
438 return( ret );
439 }
440 }
441
442 if( p != end )
443 {
444 x509_crl_free( crl );
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]445 return( POLARSSL_ERR_X509_INVALID_FORMAT +
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]446 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
447 }
448
449 end = crl->raw.p + crl->raw.len;
450
451 /*
452 * signatureAlgorithm AlgorithmIdentifier,
453 * signatureValue BIT STRING
454 */
Manuel Pégourié-Gonnarddddbb1d2014-06-05 17:02:24 +0200[diff] [blame]455 if( ( ret = x509_get_alg( &p, end, &crl->sig_oid2, &sig_params2 ) ) != 0 )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]456 {
457 x509_crl_free( crl );
458 return( ret );
459 }
460
461 if( crl->sig_oid1.len != crl->sig_oid2.len ||
Manuel Pégourié-Gonnarddddbb1d2014-06-05 17:02:24 +0200[diff] [blame]462 memcmp( crl->sig_oid1.p, crl->sig_oid2.p, crl->sig_oid1.len ) != 0 ||
463 sig_params1.len != sig_params2.len ||
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]464 memcmp( sig_params1.p, sig_params2.p, sig_params1.len ) != 0 )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]465 {
466 x509_crl_free( crl );
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]467 return( POLARSSL_ERR_X509_SIG_MISMATCH );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]468 }
469
470 if( ( ret = x509_get_sig( &p, end, &crl->sig ) ) != 0 )
471 {
472 x509_crl_free( crl );
473 return( ret );
474 }
475
476 if( p != end )
477 {
478 x509_crl_free( crl );
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]479 return( POLARSSL_ERR_X509_INVALID_FORMAT +
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]480 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
481 }
482
Manuel Pégourié-Gonnard426d4ae2014-11-19 16:58:28 +0100[diff] [blame]483 return( 0 );
484}
485
486/*
487 * Parse one or more CRLs and add them to the chained list
488 */
489int x509_crl_parse( x509_crl *chain, const unsigned char *buf, size_t buflen )
490{
Manuel Pégourié-Gonnard6ed2d922014-11-19 19:05:03 +0100[diff] [blame]491#if defined(POLARSSL_PEM_PARSE_C)
Manuel Pégourié-Gonnard426d4ae2014-11-19 16:58:28 +0100[diff] [blame]492 int ret;
Manuel Pégourié-Gonnard6ed2d922014-11-19 19:05:03 +0100[diff] [blame]493 size_t use_len;
494 pem_context pem;
495 int is_pem = 0;
Manuel Pégourié-Gonnard426d4ae2014-11-19 16:58:28 +0100[diff] [blame]496
497 if( chain == NULL || buf == NULL )
498 return( POLARSSL_ERR_X509_BAD_INPUT_DATA );
499
Manuel Pégourié-Gonnard6ed2d922014-11-19 19:05:03 +0100[diff] [blame]500 do
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]501 {
Manuel Pégourié-Gonnard6ed2d922014-11-19 19:05:03 +0100[diff] [blame]502 pem_init( &pem );
503 ret = pem_read_buffer( &pem,
504 "-----BEGIN X509 CRL-----",
505 "-----END X509 CRL-----",
506 buf, NULL, 0, &use_len );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]507
Manuel Pégourié-Gonnard6ed2d922014-11-19 19:05:03 +0100[diff] [blame]508 if( ret == 0 )
509 {
510 /*
511 * Was PEM encoded
512 */
513 is_pem = 1;
514
515 buflen -= use_len;
516 buf += use_len;
517
518 if( ( ret = x509_crl_parse_der( chain,
519 pem.buf, pem.buflen ) ) != 0 )
520 {
521 return( ret );
522 }
523
524 pem_free( &pem );
525 }
526 else if( ret != POLARSSL_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
527 {
528 pem_free( &pem );
Manuel Pégourié-Gonnard426d4ae2014-11-19 16:58:28 +0100[diff] [blame]529 return( ret );
Manuel Pégourié-Gonnard6ed2d922014-11-19 19:05:03 +0100[diff] [blame]530 }
531 }
532 while( is_pem && buflen > 0 );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]533
Manuel Pégourié-Gonnard6ed2d922014-11-19 19:05:03 +0100[diff] [blame]534 if( is_pem )
535 return( 0 );
Manuel Pégourié-Gonnard426d4ae2014-11-19 16:58:28 +0100[diff] [blame]536 else
537#endif /* POLARSSL_PEM_PARSE_C */
Manuel Pégourié-Gonnard6ed2d922014-11-19 19:05:03 +0100[diff] [blame]538 return( x509_crl_parse_der( chain, buf, buflen ) );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]539}
540
541#if defined(POLARSSL_FS_IO)
542/*
543 * Load one or more CRLs and add them to the chained list
544 */
Paul Bakkerddf26b42013-09-18 13:46:23 +0200[diff] [blame]545int x509_crl_parse_file( x509_crl *chain, const char *path )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]546{
547 int ret;
548 size_t n;
549 unsigned char *buf;
550
Manuel Pégourié-Gonnard9439f932014-11-21 09:49:43 +0100[diff] [blame]551 if( ( ret = pk_load_file( path, &buf, &n ) ) != 0 )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]552 return( ret );
553
Paul Bakkerddf26b42013-09-18 13:46:23 +0200[diff] [blame]554 ret = x509_crl_parse( chain, buf, n );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]555
Paul Bakker34617722014-06-13 17:20:13 +0200[diff] [blame]556 polarssl_zeroize( buf, n + 1 );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]557 polarssl_free( buf );
558
559 return( ret );
560}
561#endif /* POLARSSL_FS_IO */
562
Paul Bakker6edcd412013-10-29 15:22:54 +0100[diff] [blame]563#if defined(_MSC_VER) && !defined snprintf && !defined(EFIX64) && \
564 !defined(EFI32)
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]565#include <stdarg.h>
566
567#if !defined vsnprintf
568#define vsnprintf _vsnprintf
569#endif // vsnprintf
570
571/*
572 * Windows _snprintf and _vsnprintf are not compatible to linux versions.
573 * Result value is not size of buffer needed, but -1 if no fit is possible.
574 *
575 * This fuction tries to 'fix' this by at least suggesting enlarging the
576 * size by 20.
577 */
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]578static int compat_snprintf( char *str, size_t size, const char *format, ... )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]579{
580 va_list ap;
581 int res = -1;
582
583 va_start( ap, format );
584
585 res = vsnprintf( str, size, format, ap );
586
587 va_end( ap );
588
589 // No quick fix possible
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]590 if( res < 0 )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]591 return( (int) size + 20 );
592
Paul Bakkerd8bb8262014-06-17 14:06:49 +0200[diff] [blame]593 return( res );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]594}
595
596#define snprintf compat_snprintf
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]597#endif /* _MSC_VER && !snprintf && !EFIX64 && !EFI32 */
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]598
599#define POLARSSL_ERR_DEBUG_BUF_TOO_SMALL -2
600
Paul Bakkerd8bb8262014-06-17 14:06:49 +0200[diff] [blame]601#define SAFE_SNPRINTF() \
602{ \
603 if( ret == -1 ) \
604 return( -1 ); \
605 \
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]606 if( (unsigned int) ret > n ) { \
Paul Bakkerd8bb8262014-06-17 14:06:49 +0200[diff] [blame]607 p[n - 1] = '\0'; \
608 return( POLARSSL_ERR_DEBUG_BUF_TOO_SMALL ); \
609 } \
610 \
611 n -= (unsigned int) ret; \
612 p += (unsigned int) ret; \
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]613}
614
615/*
616 * Return an informational string about the certificate.
617 */
618#define BEFORE_COLON 14
619#define BC "14"
620/*
621 * Return an informational string about the CRL.
622 */
Paul Bakkerddf26b42013-09-18 13:46:23 +0200[diff] [blame]623int x509_crl_info( char *buf, size_t size, const char *prefix,
624 const x509_crl *crl )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]625{
626 int ret;
627 size_t n;
628 char *p;
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]629 const x509_crl_entry *entry;
630
631 p = buf;
632 n = size;
633
Rich Evansfac657f2015-01-30 11:00:01 +0000[diff] [blame^]634 ret = polarssl_snprintf( p, n, "%sCRL version : %d",
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]635 prefix, crl->version );
636 SAFE_SNPRINTF();
637
Rich Evansfac657f2015-01-30 11:00:01 +0000[diff] [blame^]638 ret = polarssl_snprintf( p, n, "\n%sissuer name : ", prefix );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]639 SAFE_SNPRINTF();
Paul Bakker86d0c192013-09-18 11:11:02 +0200[diff] [blame]640 ret = x509_dn_gets( p, n, &crl->issuer );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]641 SAFE_SNPRINTF();
642
Rich Evansfac657f2015-01-30 11:00:01 +0000[diff] [blame^]643 ret = polarssl_snprintf( p, n, "\n%sthis update : " \
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]644 "%04d-%02d-%02d %02d:%02d:%02d", prefix,
645 crl->this_update.year, crl->this_update.mon,
646 crl->this_update.day, crl->this_update.hour,
647 crl->this_update.min, crl->this_update.sec );
648 SAFE_SNPRINTF();
649
Rich Evansfac657f2015-01-30 11:00:01 +0000[diff] [blame^]650 ret = polarssl_snprintf( p, n, "\n%snext update : " \
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]651 "%04d-%02d-%02d %02d:%02d:%02d", prefix,
652 crl->next_update.year, crl->next_update.mon,
653 crl->next_update.day, crl->next_update.hour,
654 crl->next_update.min, crl->next_update.sec );
655 SAFE_SNPRINTF();
656
657 entry = &crl->entry;
658
Rich Evansfac657f2015-01-30 11:00:01 +0000[diff] [blame^]659 ret = polarssl_snprintf( p, n, "\n%sRevoked certificates:",
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]660 prefix );
661 SAFE_SNPRINTF();
662
663 while( entry != NULL && entry->raw.len != 0 )
664 {
Rich Evansfac657f2015-01-30 11:00:01 +0000[diff] [blame^]665 ret = polarssl_snprintf( p, n, "\n%sserial number: ",
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]666 prefix );
667 SAFE_SNPRINTF();
668
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]669 ret = x509_serial_gets( p, n, &entry->serial );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]670 SAFE_SNPRINTF();
671
Rich Evansfac657f2015-01-30 11:00:01 +0000[diff] [blame^]672 ret = polarssl_snprintf( p, n, " revocation date: " \
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]673 "%04d-%02d-%02d %02d:%02d:%02d",
674 entry->revocation_date.year, entry->revocation_date.mon,
675 entry->revocation_date.day, entry->revocation_date.hour,
676 entry->revocation_date.min, entry->revocation_date.sec );
677 SAFE_SNPRINTF();
678
679 entry = entry->next;
680 }
681
Rich Evansfac657f2015-01-30 11:00:01 +0000[diff] [blame^]682 ret = polarssl_snprintf( p, n, "\n%ssigned using : ", prefix );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]683 SAFE_SNPRINTF();
684
Manuel Pégourié-Gonnard91136032014-06-05 15:41:39 +0200[diff] [blame]685 ret = x509_sig_alg_gets( p, n, &crl->sig_oid1, crl->sig_pk, crl->sig_md,
Manuel Pégourié-Gonnardbf696d02014-06-05 17:07:30 +0200[diff] [blame]686 crl->sig_opts );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]687 SAFE_SNPRINTF();
688
Rich Evansfac657f2015-01-30 11:00:01 +0000[diff] [blame^]689 ret = polarssl_snprintf( p, n, "\n" );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]690 SAFE_SNPRINTF();
691
692 return( (int) ( size - n ) );
693}
694
695/*
Paul Bakker369d2eb2013-09-18 11:58:25 +0200[diff] [blame]696 * Initialize a CRL chain
697 */
698void x509_crl_init( x509_crl *crl )
699{
700 memset( crl, 0, sizeof(x509_crl) );
701}
702
703/*
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]704 * Unallocate all CRL data
705 */
706void x509_crl_free( x509_crl *crl )
707{
708 x509_crl *crl_cur = crl;
709 x509_crl *crl_prv;
710 x509_name *name_cur;
711 x509_name *name_prv;
712 x509_crl_entry *entry_cur;
713 x509_crl_entry *entry_prv;
714
715 if( crl == NULL )
716 return;
717
718 do
719 {
Manuel Pégourié-Gonnardd1539b12014-06-06 16:42:37 +0200[diff] [blame]720#if defined(POLARSSL_X509_RSASSA_PSS_SUPPORT)
Manuel Pégourié-Gonnardf75f2f72014-06-05 15:14:28 +0200[diff] [blame]721 polarssl_free( crl_cur->sig_opts );
722#endif
723
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]724 name_cur = crl_cur->issuer.next;
725 while( name_cur != NULL )
726 {
727 name_prv = name_cur;
728 name_cur = name_cur->next;
Paul Bakker34617722014-06-13 17:20:13 +0200[diff] [blame]729 polarssl_zeroize( name_prv, sizeof( x509_name ) );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]730 polarssl_free( name_prv );
731 }
732
733 entry_cur = crl_cur->entry.next;
734 while( entry_cur != NULL )
735 {
736 entry_prv = entry_cur;
737 entry_cur = entry_cur->next;
Paul Bakker34617722014-06-13 17:20:13 +0200[diff] [blame]738 polarssl_zeroize( entry_prv, sizeof( x509_crl_entry ) );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]739 polarssl_free( entry_prv );
740 }
741
742 if( crl_cur->raw.p != NULL )
743 {
Paul Bakker34617722014-06-13 17:20:13 +0200[diff] [blame]744 polarssl_zeroize( crl_cur->raw.p, crl_cur->raw.len );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]745 polarssl_free( crl_cur->raw.p );
746 }
747
748 crl_cur = crl_cur->next;
749 }
750 while( crl_cur != NULL );
751
752 crl_cur = crl;
753 do
754 {
755 crl_prv = crl_cur;
756 crl_cur = crl_cur->next;
757
Paul Bakker34617722014-06-13 17:20:13 +0200[diff] [blame]758 polarssl_zeroize( crl_prv, sizeof( x509_crl ) );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]759 if( crl_prv != crl )
760 polarssl_free( crl_prv );
761 }
762 while( crl_cur != NULL );
763}
764
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]765#endif /* POLARSSL_X509_CRL_PARSE_C */