TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / refs/heads/mbedtls-1.3 / . / library / x509_crl.c
blob: 96120a97d2e6ef5794232566b39cec2dec848063 [file] [log] [blame]
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]1/*
Manuel Pégourié-Gonnard1c082f32014-06-12 22:34:55 +0200[diff] [blame]2 * X.509 Certidicate Revocation List (CRL) parsing
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]3 *
Manuel Pégourié-Gonnarda658a402015-01-23 09:45:19 +0000[diff] [blame]4 * Copyright (C) 2006-2014, ARM Limited, All Rights Reserved
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]5 *
Manuel Pégourié-Gonnardfe446432015-03-06 13:17:10 +0000[diff] [blame]6 * This file is part of mbed TLS (https://tls.mbed.org)
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]7 *
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
12 *
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17 *
18 * You should have received a copy of the GNU General Public License along
19 * with this program; if not, write to the Free Software Foundation, Inc.,
20 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
21 */
22/*
23 * The ITU-T X.509 standard defines a certificate format for PKI.
24 *
Manuel Pégourié-Gonnard1c082f32014-06-12 22:34:55 +0200[diff] [blame]25 * http://www.ietf.org/rfc/rfc5280.txt (Certificates and CRLs)
26 * http://www.ietf.org/rfc/rfc3279.txt (Alg IDs for CRLs)
27 * http://www.ietf.org/rfc/rfc2986.txt (CSRs, aka PKCS#10)
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]28 *
29 * http://www.itu.int/ITU-T/studygroups/com17/languages/X.680-0207.pdf
30 * http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf
31 */
32
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]33#if !defined(POLARSSL_CONFIG_FILE)
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]34#include "polarssl/config.h"
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]35#else
36#include POLARSSL_CONFIG_FILE
37#endif
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]38
39#if defined(POLARSSL_X509_CRL_PARSE_C)
40
41#include "polarssl/x509_crl.h"
42#include "polarssl/oid.h"
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]43
44#include <string.h>
45
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]46#if defined(POLARSSL_PEM_PARSE_C)
47#include "polarssl/pem.h"
48#endif
49
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]50#if defined(POLARSSL_PLATFORM_C)
51#include "polarssl/platform.h"
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]52#else
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]53#include <stdlib.h>
Manuel Pégourié-Gonnard981732b2015-02-17 15:46:45 +0000[diff] [blame]54#include <stdio.h>
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]55#define polarssl_free free
Rich Evansfac657f2015-01-30 11:00:01 +0000[diff] [blame]56#define polarssl_malloc malloc
57#define polarssl_snprintf snprintf
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]58#endif
59
Paul Bakkerfa6a6202013-10-28 18:48:30 +0100[diff] [blame]60#if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]61#include <windows.h>
62#else
63#include <time.h>
64#endif
65
Paul Bakkerfa6a6202013-10-28 18:48:30 +0100[diff] [blame]66#if defined(POLARSSL_FS_IO) || defined(EFIX64) || defined(EFI32)
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]67#include <stdio.h>
68#endif
69
Paul Bakker34617722014-06-13 17:20:13 +0200[diff] [blame]70/* Implementation that should never be optimized out by the compiler */
71static void polarssl_zeroize( void *v, size_t n ) {
72 volatile unsigned char *p = v; while( n-- ) *p++ = 0;
73}
74
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]75/*
76 * Version ::= INTEGER { v1(0), v2(1) }
77 */
78static int x509_crl_get_version( unsigned char **p,
79 const unsigned char *end,
80 int *ver )
81{
82 int ret;
83
84 if( ( ret = asn1_get_int( p, end, ver ) ) != 0 )
85 {
86 if( ret == POLARSSL_ERR_ASN1_UNEXPECTED_TAG )
87 {
88 *ver = 0;
89 return( 0 );
90 }
91
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]92 return( POLARSSL_ERR_X509_INVALID_VERSION + ret );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]93 }
94
95 return( 0 );
96}
97
98/*
99 * X.509 CRL v2 extensions (no extensions parsed yet.)
100 */
101static int x509_get_crl_ext( unsigned char **p,
102 const unsigned char *end,
103 x509_buf *ext )
104{
105 int ret;
106 size_t len = 0;
107
108 /* Get explicit tag */
109 if( ( ret = x509_get_ext( p, end, ext, 0) ) != 0 )
110 {
111 if( ret == POLARSSL_ERR_ASN1_UNEXPECTED_TAG )
112 return( 0 );
113
114 return( ret );
115 }
116
117 while( *p < end )
118 {
119 if( ( ret = asn1_get_tag( p, end, &len,
120 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]121 return( POLARSSL_ERR_X509_INVALID_EXTENSIONS + ret );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]122
123 *p += len;
124 }
125
126 if( *p != end )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]127 return( POLARSSL_ERR_X509_INVALID_EXTENSIONS +
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]128 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
129
130 return( 0 );
131}
132
133/*
134 * X.509 CRL v2 entry extensions (no extensions parsed yet.)
135 */
136static int x509_get_crl_entry_ext( unsigned char **p,
137 const unsigned char *end,
138 x509_buf *ext )
139{
140 int ret;
141 size_t len = 0;
142
143 /* OPTIONAL */
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]144 if( end <= *p )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]145 return( 0 );
146
147 ext->tag = **p;
148 ext->p = *p;
149
150 /*
151 * Get CRL-entry extension sequence header
152 * crlEntryExtensions Extensions OPTIONAL -- if present, MUST be v2
153 */
154 if( ( ret = asn1_get_tag( p, end, &ext->len,
155 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
156 {
157 if( ret == POLARSSL_ERR_ASN1_UNEXPECTED_TAG )
158 {
159 ext->p = NULL;
160 return( 0 );
161 }
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]162 return( POLARSSL_ERR_X509_INVALID_EXTENSIONS + ret );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]163 }
164
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]165 end = *p + ext->len;
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]166
167 if( end != *p + ext->len )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]168 return( POLARSSL_ERR_X509_INVALID_EXTENSIONS +
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]169 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
170
171 while( *p < end )
172 {
173 if( ( ret = asn1_get_tag( p, end, &len,
174 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]175 return( POLARSSL_ERR_X509_INVALID_EXTENSIONS + ret );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]176
177 *p += len;
178 }
179
180 if( *p != end )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]181 return( POLARSSL_ERR_X509_INVALID_EXTENSIONS +
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]182 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
183
184 return( 0 );
185}
186
187/*
188 * X.509 CRL Entries
189 */
190static int x509_get_entries( unsigned char **p,
191 const unsigned char *end,
192 x509_crl_entry *entry )
193{
194 int ret;
195 size_t entry_len;
196 x509_crl_entry *cur_entry = entry;
197
198 if( *p == end )
199 return( 0 );
200
201 if( ( ret = asn1_get_tag( p, end, &entry_len,
202 ASN1_SEQUENCE | ASN1_CONSTRUCTED ) ) != 0 )
203 {
204 if( ret == POLARSSL_ERR_ASN1_UNEXPECTED_TAG )
205 return( 0 );
206
207 return( ret );
208 }
209
210 end = *p + entry_len;
211
212 while( *p < end )
213 {
214 size_t len2;
215 const unsigned char *end2;
216
217 if( ( ret = asn1_get_tag( p, end, &len2,
218 ASN1_SEQUENCE | ASN1_CONSTRUCTED ) ) != 0 )
219 {
220 return( ret );
221 }
222
223 cur_entry->raw.tag = **p;
224 cur_entry->raw.p = *p;
225 cur_entry->raw.len = len2;
226 end2 = *p + len2;
227
228 if( ( ret = x509_get_serial( p, end2, &cur_entry->serial ) ) != 0 )
229 return( ret );
230
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200[diff] [blame]231 if( ( ret = x509_get_time( p, end2,
232 &cur_entry->revocation_date ) ) != 0 )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]233 return( ret );
234
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200[diff] [blame]235 if( ( ret = x509_get_crl_entry_ext( p, end2,
236 &cur_entry->entry_ext ) ) != 0 )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]237 return( ret );
238
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]239 if( *p < end )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]240 {
241 cur_entry->next = polarssl_malloc( sizeof( x509_crl_entry ) );
242
243 if( cur_entry->next == NULL )
244 return( POLARSSL_ERR_X509_MALLOC_FAILED );
245
Manuel Pégourié-Gonnarde5b0fc12014-11-12 22:27:42 +0100[diff] [blame]246 memset( cur_entry->next, 0, sizeof( x509_crl_entry ) );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]247 cur_entry = cur_entry->next;
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]248 }
249 }
250
251 return( 0 );
252}
253
254/*
Manuel Pégourié-Gonnard426d4ae2014-11-19 16:58:28 +0100[diff] [blame]255 * Parse one CRLs in DER format and append it to the chained list
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]256 */
Manuel Pégourié-Gonnard426d4ae2014-11-19 16:58:28 +0100[diff] [blame]257int x509_crl_parse_der( x509_crl *chain,
258 const unsigned char *buf, size_t buflen )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]259{
260 int ret;
261 size_t len;
262 unsigned char *p, *end;
Manuel Pégourié-Gonnarddddbb1d2014-06-05 17:02:24 +0200[diff] [blame]263 x509_buf sig_params1, sig_params2;
Manuel Pégourié-Gonnard426d4ae2014-11-19 16:58:28 +0100[diff] [blame]264 x509_crl *crl = chain;
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]265
266 /*
267 * Check for valid input
268 */
269 if( crl == NULL || buf == NULL )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]270 return( POLARSSL_ERR_X509_BAD_INPUT_DATA );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]271
Manuel Pégourié-Gonnard426d4ae2014-11-19 16:58:28 +0100[diff] [blame]272 memset( &sig_params1, 0, sizeof( x509_buf ) );
273 memset( &sig_params2, 0, sizeof( x509_buf ) );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]274
275 /*
276 * Add new CRL on the end of the chain if needed.
277 */
Manuel Pégourié-Gonnard426d4ae2014-11-19 16:58:28 +0100[diff] [blame]278 while( crl->version != 0 && crl->next != NULL )
279 crl = crl->next;
280
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]281 if( crl->version != 0 && crl->next == NULL )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]282 {
Mansour Moufidc531b4a2015-02-15 17:35:38 -0500[diff] [blame]283 crl->next = polarssl_malloc( sizeof( x509_crl ) );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]284
285 if( crl->next == NULL )
286 {
287 x509_crl_free( crl );
288 return( POLARSSL_ERR_X509_MALLOC_FAILED );
289 }
290
Manuel Pégourié-Gonnarde5b0fc12014-11-12 22:27:42 +0100[diff] [blame]291 x509_crl_init( crl->next );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]292 crl = crl->next;
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]293 }
294
Manuel Pégourié-Gonnard426d4ae2014-11-19 16:58:28 +0100[diff] [blame]295 /*
296 * Copy raw DER-encoded CRL
297 */
298 if( ( p = polarssl_malloc( buflen ) ) == NULL )
299 return( POLARSSL_ERR_X509_MALLOC_FAILED );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]300
Manuel Pégourié-Gonnard426d4ae2014-11-19 16:58:28 +0100[diff] [blame]301 memcpy( p, buf, buflen );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]302
303 crl->raw.p = p;
Manuel Pégourié-Gonnard426d4ae2014-11-19 16:58:28 +0100[diff] [blame]304 crl->raw.len = buflen;
305
306 end = p + buflen;
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]307
308 /*
309 * CertificateList ::= SEQUENCE {
310 * tbsCertList TBSCertList,
311 * signatureAlgorithm AlgorithmIdentifier,
312 * signatureValue BIT STRING }
313 */
314 if( ( ret = asn1_get_tag( &p, end, &len,
315 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
316 {
317 x509_crl_free( crl );
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]318 return( POLARSSL_ERR_X509_INVALID_FORMAT );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]319 }
320
321 if( len != (size_t) ( end - p ) )
322 {
323 x509_crl_free( crl );
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]324 return( POLARSSL_ERR_X509_INVALID_FORMAT +
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]325 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
326 }
327
328 /*
329 * TBSCertList ::= SEQUENCE {
330 */
331 crl->tbs.p = p;
332
333 if( ( ret = asn1_get_tag( &p, end, &len,
334 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
335 {
336 x509_crl_free( crl );
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]337 return( POLARSSL_ERR_X509_INVALID_FORMAT + ret );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]338 }
339
340 end = p + len;
341 crl->tbs.len = end - crl->tbs.p;
342
343 /*
344 * Version ::= INTEGER OPTIONAL { v1(0), v2(1) }
345 * -- if present, MUST be v2
346 *
347 * signature AlgorithmIdentifier
348 */
349 if( ( ret = x509_crl_get_version( &p, end, &crl->version ) ) != 0 ||
Manuel Pégourié-Gonnarddddbb1d2014-06-05 17:02:24 +0200[diff] [blame]350 ( ret = x509_get_alg( &p, end, &crl->sig_oid1, &sig_params1 ) ) != 0 )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]351 {
352 x509_crl_free( crl );
353 return( ret );
354 }
355
Andres AG26124be2017-03-01 15:14:30 +0000[diff] [blame]356 if( crl->version < 0 || crl->version > 1 )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]357 {
358 x509_crl_free( crl );
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]359 return( POLARSSL_ERR_X509_UNKNOWN_VERSION );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]360 }
361
Andres AG26124be2017-03-01 15:14:30 +0000[diff] [blame]362 crl->version++;
363
Manuel Pégourié-Gonnarddddbb1d2014-06-05 17:02:24 +0200[diff] [blame]364 if( ( ret = x509_get_sig_alg( &crl->sig_oid1, &sig_params1,
Manuel Pégourié-Gonnardf75f2f72014-06-05 15:14:28 +0200[diff] [blame]365 &crl->sig_md, &crl->sig_pk,
366 &crl->sig_opts ) ) != 0 )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]367 {
368 x509_crl_free( crl );
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]369 return( POLARSSL_ERR_X509_UNKNOWN_SIG_ALG );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]370 }
371
372 /*
373 * issuer Name
374 */
375 crl->issuer_raw.p = p;
376
377 if( ( ret = asn1_get_tag( &p, end, &len,
378 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
379 {
380 x509_crl_free( crl );
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]381 return( POLARSSL_ERR_X509_INVALID_FORMAT + ret );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]382 }
383
384 if( ( ret = x509_get_name( &p, p + len, &crl->issuer ) ) != 0 )
385 {
386 x509_crl_free( crl );
387 return( ret );
388 }
389
390 crl->issuer_raw.len = p - crl->issuer_raw.p;
391
392 /*
393 * thisUpdate Time
394 * nextUpdate Time OPTIONAL
395 */
396 if( ( ret = x509_get_time( &p, end, &crl->this_update ) ) != 0 )
397 {
398 x509_crl_free( crl );
399 return( ret );
400 }
401
402 if( ( ret = x509_get_time( &p, end, &crl->next_update ) ) != 0 )
403 {
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]404 if( ret != ( POLARSSL_ERR_X509_INVALID_DATE +
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]405 POLARSSL_ERR_ASN1_UNEXPECTED_TAG ) &&
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]406 ret != ( POLARSSL_ERR_X509_INVALID_DATE +
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]407 POLARSSL_ERR_ASN1_OUT_OF_DATA ) )
408 {
409 x509_crl_free( crl );
410 return( ret );
411 }
412 }
413
414 /*
415 * revokedCertificates SEQUENCE OF SEQUENCE {
416 * userCertificate CertificateSerialNumber,
417 * revocationDate Time,
418 * crlEntryExtensions Extensions OPTIONAL
419 * -- if present, MUST be v2
420 * } OPTIONAL
421 */
422 if( ( ret = x509_get_entries( &p, end, &crl->entry ) ) != 0 )
423 {
424 x509_crl_free( crl );
425 return( ret );
426 }
427
428 /*
429 * crlExtensions EXPLICIT Extensions OPTIONAL
430 * -- if present, MUST be v2
431 */
432 if( crl->version == 2 )
433 {
434 ret = x509_get_crl_ext( &p, end, &crl->crl_ext );
435
436 if( ret != 0 )
437 {
438 x509_crl_free( crl );
439 return( ret );
440 }
441 }
442
443 if( p != end )
444 {
445 x509_crl_free( crl );
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]446 return( POLARSSL_ERR_X509_INVALID_FORMAT +
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]447 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
448 }
449
450 end = crl->raw.p + crl->raw.len;
451
452 /*
453 * signatureAlgorithm AlgorithmIdentifier,
454 * signatureValue BIT STRING
455 */
Manuel Pégourié-Gonnarddddbb1d2014-06-05 17:02:24 +0200[diff] [blame]456 if( ( ret = x509_get_alg( &p, end, &crl->sig_oid2, &sig_params2 ) ) != 0 )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]457 {
458 x509_crl_free( crl );
459 return( ret );
460 }
461
462 if( crl->sig_oid1.len != crl->sig_oid2.len ||
Manuel Pégourié-Gonnarddddbb1d2014-06-05 17:02:24 +0200[diff] [blame]463 memcmp( crl->sig_oid1.p, crl->sig_oid2.p, crl->sig_oid1.len ) != 0 ||
464 sig_params1.len != sig_params2.len ||
Manuel Pégourié-Gonnard159c5242015-04-30 11:15:22 +0200[diff] [blame]465 ( sig_params1.len != 0 &&
466 memcmp( sig_params1.p, sig_params2.p, sig_params1.len ) != 0 ) )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]467 {
468 x509_crl_free( crl );
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]469 return( POLARSSL_ERR_X509_SIG_MISMATCH );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]470 }
471
472 if( ( ret = x509_get_sig( &p, end, &crl->sig ) ) != 0 )
473 {
474 x509_crl_free( crl );
475 return( ret );
476 }
477
478 if( p != end )
479 {
480 x509_crl_free( crl );
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]481 return( POLARSSL_ERR_X509_INVALID_FORMAT +
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]482 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
483 }
484
Manuel Pégourié-Gonnard426d4ae2014-11-19 16:58:28 +0100[diff] [blame]485 return( 0 );
486}
487
488/*
489 * Parse one or more CRLs and add them to the chained list
490 */
491int x509_crl_parse( x509_crl *chain, const unsigned char *buf, size_t buflen )
492{
Manuel Pégourié-Gonnard6ed2d922014-11-19 19:05:03 +0100[diff] [blame]493#if defined(POLARSSL_PEM_PARSE_C)
Manuel Pégourié-Gonnard426d4ae2014-11-19 16:58:28 +0100[diff] [blame]494 int ret;
Manuel Pégourié-Gonnard6ed2d922014-11-19 19:05:03 +0100[diff] [blame]495 size_t use_len;
496 pem_context pem;
497 int is_pem = 0;
Manuel Pégourié-Gonnard426d4ae2014-11-19 16:58:28 +0100[diff] [blame]498
499 if( chain == NULL || buf == NULL )
500 return( POLARSSL_ERR_X509_BAD_INPUT_DATA );
501
Manuel Pégourié-Gonnard6ed2d922014-11-19 19:05:03 +0100[diff] [blame]502 do
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]503 {
Manuel Pégourié-Gonnard6ed2d922014-11-19 19:05:03 +0100[diff] [blame]504 pem_init( &pem );
505 ret = pem_read_buffer( &pem,
506 "-----BEGIN X509 CRL-----",
507 "-----END X509 CRL-----",
508 buf, NULL, 0, &use_len );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]509
Manuel Pégourié-Gonnard6ed2d922014-11-19 19:05:03 +0100[diff] [blame]510 if( ret == 0 )
511 {
512 /*
513 * Was PEM encoded
514 */
515 is_pem = 1;
516
517 buflen -= use_len;
518 buf += use_len;
519
520 if( ( ret = x509_crl_parse_der( chain,
521 pem.buf, pem.buflen ) ) != 0 )
522 {
Andres AG03af0e02017-01-23 14:58:27 +0000[diff] [blame]523 pem_free( &pem );
Manuel Pégourié-Gonnard6ed2d922014-11-19 19:05:03 +0100[diff] [blame]524 return( ret );
525 }
Manuel Pégourié-Gonnard6ed2d922014-11-19 19:05:03 +0100[diff] [blame]526 }
Andres AGe5671012016-12-08 17:08:44 +0000[diff] [blame]527 else if( is_pem )
Manuel Pégourié-Gonnard6ed2d922014-11-19 19:05:03 +0100[diff] [blame]528 {
529 pem_free( &pem );
Manuel Pégourié-Gonnard426d4ae2014-11-19 16:58:28 +0100[diff] [blame]530 return( ret );
Manuel Pégourié-Gonnard6ed2d922014-11-19 19:05:03 +0100[diff] [blame]531 }
Andres AG03af0e02017-01-23 14:58:27 +0000[diff] [blame]532
533 pem_free( &pem );
Manuel Pégourié-Gonnard6ed2d922014-11-19 19:05:03 +0100[diff] [blame]534 }
535 while( is_pem && buflen > 0 );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]536
Manuel Pégourié-Gonnard6ed2d922014-11-19 19:05:03 +0100[diff] [blame]537 if( is_pem )
538 return( 0 );
Manuel Pégourié-Gonnard426d4ae2014-11-19 16:58:28 +0100[diff] [blame]539 else
540#endif /* POLARSSL_PEM_PARSE_C */
Manuel Pégourié-Gonnard6ed2d922014-11-19 19:05:03 +0100[diff] [blame]541 return( x509_crl_parse_der( chain, buf, buflen ) );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]542}
543
544#if defined(POLARSSL_FS_IO)
545/*
546 * Load one or more CRLs and add them to the chained list
547 */
Paul Bakkerddf26b42013-09-18 13:46:23 +0200[diff] [blame]548int x509_crl_parse_file( x509_crl *chain, const char *path )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]549{
550 int ret;
551 size_t n;
552 unsigned char *buf;
553
Manuel Pégourié-Gonnard9439f932014-11-21 09:49:43 +0100[diff] [blame]554 if( ( ret = pk_load_file( path, &buf, &n ) ) != 0 )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]555 return( ret );
556
Paul Bakkerddf26b42013-09-18 13:46:23 +0200[diff] [blame]557 ret = x509_crl_parse( chain, buf, n );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]558
Paul Bakker34617722014-06-13 17:20:13 +0200[diff] [blame]559 polarssl_zeroize( buf, n + 1 );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]560 polarssl_free( buf );
561
562 return( ret );
563}
564#endif /* POLARSSL_FS_IO */
565
Paul Bakker6edcd412013-10-29 15:22:54 +0100[diff] [blame]566#if defined(_MSC_VER) && !defined snprintf && !defined(EFIX64) && \
567 !defined(EFI32)
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]568#include <stdarg.h>
569
570#if !defined vsnprintf
571#define vsnprintf _vsnprintf
572#endif // vsnprintf
573
574/*
575 * Windows _snprintf and _vsnprintf are not compatible to linux versions.
576 * Result value is not size of buffer needed, but -1 if no fit is possible.
577 *
578 * This fuction tries to 'fix' this by at least suggesting enlarging the
579 * size by 20.
580 */
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]581static int compat_snprintf( char *str, size_t size, const char *format, ... )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]582{
583 va_list ap;
584 int res = -1;
585
586 va_start( ap, format );
587
588 res = vsnprintf( str, size, format, ap );
589
590 va_end( ap );
591
592 // No quick fix possible
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]593 if( res < 0 )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]594 return( (int) size + 20 );
595
Paul Bakkerd8bb8262014-06-17 14:06:49 +0200[diff] [blame]596 return( res );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]597}
598
599#define snprintf compat_snprintf
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]600#endif /* _MSC_VER && !snprintf && !EFIX64 && !EFI32 */
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]601
602#define POLARSSL_ERR_DEBUG_BUF_TOO_SMALL -2
603
Paul Bakkerd8bb8262014-06-17 14:06:49 +0200[diff] [blame]604#define SAFE_SNPRINTF() \
605{ \
606 if( ret == -1 ) \
607 return( -1 ); \
608 \
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]609 if( (unsigned int) ret > n ) { \
Paul Bakkerd8bb8262014-06-17 14:06:49 +0200[diff] [blame]610 p[n - 1] = '\0'; \
611 return( POLARSSL_ERR_DEBUG_BUF_TOO_SMALL ); \
612 } \
613 \
614 n -= (unsigned int) ret; \
615 p += (unsigned int) ret; \
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]616}
617
618/*
619 * Return an informational string about the certificate.
620 */
621#define BEFORE_COLON 14
622#define BC "14"
623/*
624 * Return an informational string about the CRL.
625 */
Paul Bakkerddf26b42013-09-18 13:46:23 +0200[diff] [blame]626int x509_crl_info( char *buf, size_t size, const char *prefix,
627 const x509_crl *crl )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]628{
629 int ret;
630 size_t n;
631 char *p;
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]632 const x509_crl_entry *entry;
633
634 p = buf;
635 n = size;
636
Rich Evansfac657f2015-01-30 11:00:01 +0000[diff] [blame]637 ret = polarssl_snprintf( p, n, "%sCRL version : %d",
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]638 prefix, crl->version );
639 SAFE_SNPRINTF();
640
Rich Evansfac657f2015-01-30 11:00:01 +0000[diff] [blame]641 ret = polarssl_snprintf( p, n, "\n%sissuer name : ", prefix );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]642 SAFE_SNPRINTF();
Paul Bakker86d0c192013-09-18 11:11:02 +0200[diff] [blame]643 ret = x509_dn_gets( p, n, &crl->issuer );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]644 SAFE_SNPRINTF();
645
Rich Evansfac657f2015-01-30 11:00:01 +0000[diff] [blame]646 ret = polarssl_snprintf( p, n, "\n%sthis update : " \
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]647 "%04d-%02d-%02d %02d:%02d:%02d", prefix,
648 crl->this_update.year, crl->this_update.mon,
649 crl->this_update.day, crl->this_update.hour,
650 crl->this_update.min, crl->this_update.sec );
651 SAFE_SNPRINTF();
652
Rich Evansfac657f2015-01-30 11:00:01 +0000[diff] [blame]653 ret = polarssl_snprintf( p, n, "\n%snext update : " \
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]654 "%04d-%02d-%02d %02d:%02d:%02d", prefix,
655 crl->next_update.year, crl->next_update.mon,
656 crl->next_update.day, crl->next_update.hour,
657 crl->next_update.min, crl->next_update.sec );
658 SAFE_SNPRINTF();
659
660 entry = &crl->entry;
661
Rich Evansfac657f2015-01-30 11:00:01 +0000[diff] [blame]662 ret = polarssl_snprintf( p, n, "\n%sRevoked certificates:",
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]663 prefix );
664 SAFE_SNPRINTF();
665
666 while( entry != NULL && entry->raw.len != 0 )
667 {
Rich Evansfac657f2015-01-30 11:00:01 +0000[diff] [blame]668 ret = polarssl_snprintf( p, n, "\n%sserial number: ",
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]669 prefix );
670 SAFE_SNPRINTF();
671
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]672 ret = x509_serial_gets( p, n, &entry->serial );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]673 SAFE_SNPRINTF();
674
Rich Evansfac657f2015-01-30 11:00:01 +0000[diff] [blame]675 ret = polarssl_snprintf( p, n, " revocation date: " \
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]676 "%04d-%02d-%02d %02d:%02d:%02d",
677 entry->revocation_date.year, entry->revocation_date.mon,
678 entry->revocation_date.day, entry->revocation_date.hour,
679 entry->revocation_date.min, entry->revocation_date.sec );
680 SAFE_SNPRINTF();
681
682 entry = entry->next;
683 }
684
Rich Evansfac657f2015-01-30 11:00:01 +0000[diff] [blame]685 ret = polarssl_snprintf( p, n, "\n%ssigned using : ", prefix );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]686 SAFE_SNPRINTF();
687
Manuel Pégourié-Gonnard91136032014-06-05 15:41:39 +0200[diff] [blame]688 ret = x509_sig_alg_gets( p, n, &crl->sig_oid1, crl->sig_pk, crl->sig_md,
Manuel Pégourié-Gonnardbf696d02014-06-05 17:07:30 +0200[diff] [blame]689 crl->sig_opts );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]690 SAFE_SNPRINTF();
691
Rich Evansfac657f2015-01-30 11:00:01 +0000[diff] [blame]692 ret = polarssl_snprintf( p, n, "\n" );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]693 SAFE_SNPRINTF();
694
695 return( (int) ( size - n ) );
696}
697
698/*
Paul Bakker369d2eb2013-09-18 11:58:25 +0200[diff] [blame]699 * Initialize a CRL chain
700 */
701void x509_crl_init( x509_crl *crl )
702{
703 memset( crl, 0, sizeof(x509_crl) );
704}
705
706/*
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]707 * Unallocate all CRL data
708 */
709void x509_crl_free( x509_crl *crl )
710{
711 x509_crl *crl_cur = crl;
712 x509_crl *crl_prv;
713 x509_name *name_cur;
714 x509_name *name_prv;
715 x509_crl_entry *entry_cur;
716 x509_crl_entry *entry_prv;
717
718 if( crl == NULL )
719 return;
720
721 do
722 {
Manuel Pégourié-Gonnardd1539b12014-06-06 16:42:37 +0200[diff] [blame]723#if defined(POLARSSL_X509_RSASSA_PSS_SUPPORT)
Manuel Pégourié-Gonnardf75f2f72014-06-05 15:14:28 +0200[diff] [blame]724 polarssl_free( crl_cur->sig_opts );
725#endif
726
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]727 name_cur = crl_cur->issuer.next;
728 while( name_cur != NULL )
729 {
730 name_prv = name_cur;
731 name_cur = name_cur->next;
Paul Bakker34617722014-06-13 17:20:13 +0200[diff] [blame]732 polarssl_zeroize( name_prv, sizeof( x509_name ) );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]733 polarssl_free( name_prv );
734 }
735
736 entry_cur = crl_cur->entry.next;
737 while( entry_cur != NULL )
738 {
739 entry_prv = entry_cur;
740 entry_cur = entry_cur->next;
Paul Bakker34617722014-06-13 17:20:13 +0200[diff] [blame]741 polarssl_zeroize( entry_prv, sizeof( x509_crl_entry ) );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]742 polarssl_free( entry_prv );
743 }
744
745 if( crl_cur->raw.p != NULL )
746 {
Paul Bakker34617722014-06-13 17:20:13 +0200[diff] [blame]747 polarssl_zeroize( crl_cur->raw.p, crl_cur->raw.len );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]748 polarssl_free( crl_cur->raw.p );
749 }
750
751 crl_cur = crl_cur->next;
752 }
753 while( crl_cur != NULL );
754
755 crl_cur = crl;
756 do
757 {
758 crl_prv = crl_cur;
759 crl_cur = crl_cur->next;
760
Paul Bakker34617722014-06-13 17:20:13 +0200[diff] [blame]761 polarssl_zeroize( crl_prv, sizeof( x509_crl ) );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]762 if( crl_prv != crl )
763 polarssl_free( crl_prv );
764 }
765 while( crl_cur != NULL );
766}
767
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]768#endif /* POLARSSL_X509_CRL_PARSE_C */