Doug Anson
mbed TLS library
Dependents: HTTPClient-SSL WS_SERVER
polarssl/x509.c@0:137634ff4186, 2015-06-11 (annotated)
- Committer:
- ansond
- Date:
- Thu Jun 11 03:27:03 2015 +0000
- Revision:
- 0:137634ff4186
initial commit
Who changed what in which revision?
| User | Revision | Line number | New contents of line |
|---|---|---|---|
| ansond | 0:137634ff4186 | 1 | /* |
| ansond | 0:137634ff4186 | 2 | * X.509 common functions for parsing and verification |
| ansond | 0:137634ff4186 | 3 | * |
| ansond | 0:137634ff4186 | 4 | * Copyright (C) 2006-2014, ARM Limited, All Rights Reserved |
| ansond | 0:137634ff4186 | 5 | * |
| ansond | 0:137634ff4186 | 6 | * This file is part of mbed TLS (https://tls.mbed.org) |
| ansond | 0:137634ff4186 | 7 | * |
| ansond | 0:137634ff4186 | 8 | * This program is free software; you can redistribute it and/or modify |
| ansond | 0:137634ff4186 | 9 | * it under the terms of the GNU General Public License as published by |
| ansond | 0:137634ff4186 | 10 | * the Free Software Foundation; either version 2 of the License, or |
| ansond | 0:137634ff4186 | 11 | * (at your option) any later version. |
| ansond | 0:137634ff4186 | 12 | * |
| ansond | 0:137634ff4186 | 13 | * This program is distributed in the hope that it will be useful, |
| ansond | 0:137634ff4186 | 14 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
| ansond | 0:137634ff4186 | 15 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| ansond | 0:137634ff4186 | 16 | * GNU General Public License for more details. |
| ansond | 0:137634ff4186 | 17 | * |
| ansond | 0:137634ff4186 | 18 | * You should have received a copy of the GNU General Public License along |
| ansond | 0:137634ff4186 | 19 | * with this program; if not, write to the Free Software Foundation, Inc., |
| ansond | 0:137634ff4186 | 20 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. |
| ansond | 0:137634ff4186 | 21 | */ |
| ansond | 0:137634ff4186 | 22 | /* |
| ansond | 0:137634ff4186 | 23 | * The ITU-T X.509 standard defines a certificate format for PKI. |
| ansond | 0:137634ff4186 | 24 | * |
| ansond | 0:137634ff4186 | 25 | * http://www.ietf.org/rfc/rfc5280.txt (Certificates and CRLs) |
| ansond | 0:137634ff4186 | 26 | * http://www.ietf.org/rfc/rfc3279.txt (Alg IDs for CRLs) |
| ansond | 0:137634ff4186 | 27 | * http://www.ietf.org/rfc/rfc2986.txt (CSRs, aka PKCS#10) |
| ansond | 0:137634ff4186 | 28 | * |
| ansond | 0:137634ff4186 | 29 | * http://www.itu.int/ITU-T/studygroups/com17/languages/X.680-0207.pdf |
| ansond | 0:137634ff4186 | 30 | * http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf |
| ansond | 0:137634ff4186 | 31 | */ |
| ansond | 0:137634ff4186 | 32 | |
| ansond | 0:137634ff4186 | 33 | #if !defined(POLARSSL_CONFIG_FILE) |
| ansond | 0:137634ff4186 | 34 | #include "polarssl/config.h" |
| ansond | 0:137634ff4186 | 35 | #else |
| ansond | 0:137634ff4186 | 36 | #include POLARSSL_CONFIG_FILE |
| ansond | 0:137634ff4186 | 37 | #endif |
| ansond | 0:137634ff4186 | 38 | |
| ansond | 0:137634ff4186 | 39 | #if defined(POLARSSL_X509_USE_C) |
| ansond | 0:137634ff4186 | 40 | |
| ansond | 0:137634ff4186 | 41 | #include "polarssl/x509.h" |
| ansond | 0:137634ff4186 | 42 | #include "polarssl/asn1.h" |
| ansond | 0:137634ff4186 | 43 | #include "polarssl/oid.h" |
| ansond | 0:137634ff4186 | 44 | |
| ansond | 0:137634ff4186 | 45 | #include <stdio.h> |
| ansond | 0:137634ff4186 | 46 | #include <string.h> |
| ansond | 0:137634ff4186 | 47 | |
| ansond | 0:137634ff4186 | 48 | #if defined(POLARSSL_PEM_PARSE_C) |
| ansond | 0:137634ff4186 | 49 | #include "polarssl/pem.h" |
| ansond | 0:137634ff4186 | 50 | #endif |
| ansond | 0:137634ff4186 | 51 | |
| ansond | 0:137634ff4186 | 52 | #if defined(POLARSSL_PLATFORM_C) |
| ansond | 0:137634ff4186 | 53 | #include "polarssl/platform.h" |
| ansond | 0:137634ff4186 | 54 | #else |
| ansond | 0:137634ff4186 | 55 | #include <stdio.h> |
| ansond | 0:137634ff4186 | 56 | #include <stdlib.h> |
| ansond | 0:137634ff4186 | 57 | #define polarssl_free free |
| ansond | 0:137634ff4186 | 58 | #define polarssl_malloc malloc |
| ansond | 0:137634ff4186 | 59 | #define polarssl_printf printf |
| ansond | 0:137634ff4186 | 60 | #define polarssl_snprintf snprintf |
| ansond | 0:137634ff4186 | 61 | #endif |
| ansond | 0:137634ff4186 | 62 | |
| ansond | 0:137634ff4186 | 63 | #if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32) |
| ansond | 0:137634ff4186 | 64 | #include <windows.h> |
| ansond | 0:137634ff4186 | 65 | #else |
| ansond | 0:137634ff4186 | 66 | #include <time.h> |
| ansond | 0:137634ff4186 | 67 | #endif |
| ansond | 0:137634ff4186 | 68 | |
| ansond | 0:137634ff4186 | 69 | #if defined(POLARSSL_FS_IO) |
| ansond | 0:137634ff4186 | 70 | #include <stdio.h> |
| ansond | 0:137634ff4186 | 71 | #if !defined(_WIN32) |
| ansond | 0:137634ff4186 | 72 | #include <sys/types.h> |
| ansond | 0:137634ff4186 | 73 | #include <sys/stat.h> |
| ansond | 0:137634ff4186 | 74 | #include <dirent.h> |
| ansond | 0:137634ff4186 | 75 | #endif |
| ansond | 0:137634ff4186 | 76 | #endif |
| ansond | 0:137634ff4186 | 77 | |
| ansond | 0:137634ff4186 | 78 | #define CHECK(code) if( ( ret = code ) != 0 ){ return( ret ); } |
| ansond | 0:137634ff4186 | 79 | |
| ansond | 0:137634ff4186 | 80 | /* |
| ansond | 0:137634ff4186 | 81 | * CertificateSerialNumber ::= INTEGER |
| ansond | 0:137634ff4186 | 82 | */ |
| ansond | 0:137634ff4186 | 83 | int x509_get_serial( unsigned char **p, const unsigned char *end, |
| ansond | 0:137634ff4186 | 84 | x509_buf *serial ) |
| ansond | 0:137634ff4186 | 85 | { |
| ansond | 0:137634ff4186 | 86 | int ret; |
| ansond | 0:137634ff4186 | 87 | |
| ansond | 0:137634ff4186 | 88 | if( ( end - *p ) < 1 ) |
| ansond | 0:137634ff4186 | 89 | return( POLARSSL_ERR_X509_INVALID_SERIAL + |
| ansond | 0:137634ff4186 | 90 | POLARSSL_ERR_ASN1_OUT_OF_DATA ); |
| ansond | 0:137634ff4186 | 91 | |
| ansond | 0:137634ff4186 | 92 | if( **p != ( ASN1_CONTEXT_SPECIFIC | ASN1_PRIMITIVE | 2 ) && |
| ansond | 0:137634ff4186 | 93 | **p != ASN1_INTEGER ) |
| ansond | 0:137634ff4186 | 94 | return( POLARSSL_ERR_X509_INVALID_SERIAL + |
| ansond | 0:137634ff4186 | 95 | POLARSSL_ERR_ASN1_UNEXPECTED_TAG ); |
| ansond | 0:137634ff4186 | 96 | |
| ansond | 0:137634ff4186 | 97 | serial->tag = *(*p)++; |
| ansond | 0:137634ff4186 | 98 | |
| ansond | 0:137634ff4186 | 99 | if( ( ret = asn1_get_len( p, end, &serial->len ) ) != 0 ) |
| ansond | 0:137634ff4186 | 100 | return( POLARSSL_ERR_X509_INVALID_SERIAL + ret ); |
| ansond | 0:137634ff4186 | 101 | |
| ansond | 0:137634ff4186 | 102 | serial->p = *p; |
| ansond | 0:137634ff4186 | 103 | *p += serial->len; |
| ansond | 0:137634ff4186 | 104 | |
| ansond | 0:137634ff4186 | 105 | return( 0 ); |
| ansond | 0:137634ff4186 | 106 | } |
| ansond | 0:137634ff4186 | 107 | |
| ansond | 0:137634ff4186 | 108 | /* Get an algorithm identifier without parameters (eg for signatures) |
| ansond | 0:137634ff4186 | 109 | * |
| ansond | 0:137634ff4186 | 110 | * AlgorithmIdentifier ::= SEQUENCE { |
| ansond | 0:137634ff4186 | 111 | * algorithm OBJECT IDENTIFIER, |
| ansond | 0:137634ff4186 | 112 | * parameters ANY DEFINED BY algorithm OPTIONAL } |
| ansond | 0:137634ff4186 | 113 | */ |
| ansond | 0:137634ff4186 | 114 | int x509_get_alg_null( unsigned char **p, const unsigned char *end, |
| ansond | 0:137634ff4186 | 115 | x509_buf *alg ) |
| ansond | 0:137634ff4186 | 116 | { |
| ansond | 0:137634ff4186 | 117 | int ret; |
| ansond | 0:137634ff4186 | 118 | |
| ansond | 0:137634ff4186 | 119 | if( ( ret = asn1_get_alg_null( p, end, alg ) ) != 0 ) |
| ansond | 0:137634ff4186 | 120 | return( POLARSSL_ERR_X509_INVALID_ALG + ret ); |
| ansond | 0:137634ff4186 | 121 | |
| ansond | 0:137634ff4186 | 122 | return( 0 ); |
| ansond | 0:137634ff4186 | 123 | } |
| ansond | 0:137634ff4186 | 124 | |
| ansond | 0:137634ff4186 | 125 | /* |
| ansond | 0:137634ff4186 | 126 | * Parse an algorithm identifier with (optional) paramaters |
| ansond | 0:137634ff4186 | 127 | */ |
| ansond | 0:137634ff4186 | 128 | int x509_get_alg( unsigned char **p, const unsigned char *end, |
| ansond | 0:137634ff4186 | 129 | x509_buf *alg, x509_buf *params ) |
| ansond | 0:137634ff4186 | 130 | { |
| ansond | 0:137634ff4186 | 131 | int ret; |
| ansond | 0:137634ff4186 | 132 | |
| ansond | 0:137634ff4186 | 133 | if( ( ret = asn1_get_alg( p, end, alg, params ) ) != 0 ) |
| ansond | 0:137634ff4186 | 134 | return( POLARSSL_ERR_X509_INVALID_ALG + ret ); |
| ansond | 0:137634ff4186 | 135 | |
| ansond | 0:137634ff4186 | 136 | return( 0 ); |
| ansond | 0:137634ff4186 | 137 | } |
| ansond | 0:137634ff4186 | 138 | |
| ansond | 0:137634ff4186 | 139 | #if defined(POLARSSL_X509_RSASSA_PSS_SUPPORT) |
| ansond | 0:137634ff4186 | 140 | /* |
| ansond | 0:137634ff4186 | 141 | * HashAlgorithm ::= AlgorithmIdentifier |
| ansond | 0:137634ff4186 | 142 | * |
| ansond | 0:137634ff4186 | 143 | * AlgorithmIdentifier ::= SEQUENCE { |
| ansond | 0:137634ff4186 | 144 | * algorithm OBJECT IDENTIFIER, |
| ansond | 0:137634ff4186 | 145 | * parameters ANY DEFINED BY algorithm OPTIONAL } |
| ansond | 0:137634ff4186 | 146 | * |
| ansond | 0:137634ff4186 | 147 | * For HashAlgorithm, parameters MUST be NULL or absent. |
| ansond | 0:137634ff4186 | 148 | */ |
| ansond | 0:137634ff4186 | 149 | static int x509_get_hash_alg( const x509_buf *alg, md_type_t *md_alg ) |
| ansond | 0:137634ff4186 | 150 | { |
| ansond | 0:137634ff4186 | 151 | int ret; |
| ansond | 0:137634ff4186 | 152 | unsigned char *p; |
| ansond | 0:137634ff4186 | 153 | const unsigned char *end; |
| ansond | 0:137634ff4186 | 154 | x509_buf md_oid; |
| ansond | 0:137634ff4186 | 155 | size_t len; |
| ansond | 0:137634ff4186 | 156 | |
| ansond | 0:137634ff4186 | 157 | /* Make sure we got a SEQUENCE and setup bounds */ |
| ansond | 0:137634ff4186 | 158 | if( alg->tag != ( ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) |
| ansond | 0:137634ff4186 | 159 | return( POLARSSL_ERR_X509_INVALID_ALG + |
| ansond | 0:137634ff4186 | 160 | POLARSSL_ERR_ASN1_UNEXPECTED_TAG ); |
| ansond | 0:137634ff4186 | 161 | |
| ansond | 0:137634ff4186 | 162 | p = (unsigned char *) alg->p; |
| ansond | 0:137634ff4186 | 163 | end = p + alg->len; |
| ansond | 0:137634ff4186 | 164 | |
| ansond | 0:137634ff4186 | 165 | if( p >= end ) |
| ansond | 0:137634ff4186 | 166 | return( POLARSSL_ERR_X509_INVALID_ALG + |
| ansond | 0:137634ff4186 | 167 | POLARSSL_ERR_ASN1_OUT_OF_DATA ); |
| ansond | 0:137634ff4186 | 168 | |
| ansond | 0:137634ff4186 | 169 | /* Parse md_oid */ |
| ansond | 0:137634ff4186 | 170 | md_oid.tag = *p; |
| ansond | 0:137634ff4186 | 171 | |
| ansond | 0:137634ff4186 | 172 | if( ( ret = asn1_get_tag( &p, end, &md_oid.len, ASN1_OID ) ) != 0 ) |
| ansond | 0:137634ff4186 | 173 | return( POLARSSL_ERR_X509_INVALID_ALG + ret ); |
| ansond | 0:137634ff4186 | 174 | |
| ansond | 0:137634ff4186 | 175 | md_oid.p = p; |
| ansond | 0:137634ff4186 | 176 | p += md_oid.len; |
| ansond | 0:137634ff4186 | 177 | |
| ansond | 0:137634ff4186 | 178 | /* Get md_alg from md_oid */ |
| ansond | 0:137634ff4186 | 179 | if( ( ret = oid_get_md_alg( &md_oid, md_alg ) ) != 0 ) |
| ansond | 0:137634ff4186 | 180 | return( POLARSSL_ERR_X509_INVALID_ALG + ret ); |
| ansond | 0:137634ff4186 | 181 | |
| ansond | 0:137634ff4186 | 182 | /* Make sure params is absent of NULL */ |
| ansond | 0:137634ff4186 | 183 | if( p == end ) |
| ansond | 0:137634ff4186 | 184 | return( 0 ); |
| ansond | 0:137634ff4186 | 185 | |
| ansond | 0:137634ff4186 | 186 | if( ( ret = asn1_get_tag( &p, end, &len, ASN1_NULL ) ) != 0 || len != 0 ) |
| ansond | 0:137634ff4186 | 187 | return( POLARSSL_ERR_X509_INVALID_ALG + ret ); |
| ansond | 0:137634ff4186 | 188 | |
| ansond | 0:137634ff4186 | 189 | if( p != end ) |
| ansond | 0:137634ff4186 | 190 | return( POLARSSL_ERR_X509_INVALID_ALG + |
| ansond | 0:137634ff4186 | 191 | POLARSSL_ERR_ASN1_LENGTH_MISMATCH ); |
| ansond | 0:137634ff4186 | 192 | |
| ansond | 0:137634ff4186 | 193 | return( 0 ); |
| ansond | 0:137634ff4186 | 194 | } |
| ansond | 0:137634ff4186 | 195 | |
| ansond | 0:137634ff4186 | 196 | /* |
| ansond | 0:137634ff4186 | 197 | * RSASSA-PSS-params ::= SEQUENCE { |
| ansond | 0:137634ff4186 | 198 | * hashAlgorithm [0] HashAlgorithm DEFAULT sha1Identifier, |
| ansond | 0:137634ff4186 | 199 | * maskGenAlgorithm [1] MaskGenAlgorithm DEFAULT mgf1SHA1Identifier, |
| ansond | 0:137634ff4186 | 200 | * saltLength [2] INTEGER DEFAULT 20, |
| ansond | 0:137634ff4186 | 201 | * trailerField [3] INTEGER DEFAULT 1 } |
| ansond | 0:137634ff4186 | 202 | * -- Note that the tags in this Sequence are explicit. |
| ansond | 0:137634ff4186 | 203 | * |
| ansond | 0:137634ff4186 | 204 | * RFC 4055 (which defines use of RSASSA-PSS in PKIX) states that the value |
| ansond | 0:137634ff4186 | 205 | * of trailerField MUST be 1, and PKCS#1 v2.2 doesn't even define any other |
| ansond | 0:137634ff4186 | 206 | * option. Enfore this at parsing time. |
| ansond | 0:137634ff4186 | 207 | */ |
| ansond | 0:137634ff4186 | 208 | int x509_get_rsassa_pss_params( const x509_buf *params, |
| ansond | 0:137634ff4186 | 209 | md_type_t *md_alg, md_type_t *mgf_md, |
| ansond | 0:137634ff4186 | 210 | int *salt_len ) |
| ansond | 0:137634ff4186 | 211 | { |
| ansond | 0:137634ff4186 | 212 | int ret; |
| ansond | 0:137634ff4186 | 213 | unsigned char *p; |
| ansond | 0:137634ff4186 | 214 | const unsigned char *end, *end2; |
| ansond | 0:137634ff4186 | 215 | size_t len; |
| ansond | 0:137634ff4186 | 216 | x509_buf alg_id, alg_params; |
| ansond | 0:137634ff4186 | 217 | |
| ansond | 0:137634ff4186 | 218 | /* First set everything to defaults */ |
| ansond | 0:137634ff4186 | 219 | *md_alg = POLARSSL_MD_SHA1; |
| ansond | 0:137634ff4186 | 220 | *mgf_md = POLARSSL_MD_SHA1; |
| ansond | 0:137634ff4186 | 221 | *salt_len = 20; |
| ansond | 0:137634ff4186 | 222 | |
| ansond | 0:137634ff4186 | 223 | /* Make sure params is a SEQUENCE and setup bounds */ |
| ansond | 0:137634ff4186 | 224 | if( params->tag != ( ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) |
| ansond | 0:137634ff4186 | 225 | return( POLARSSL_ERR_X509_INVALID_ALG + |
| ansond | 0:137634ff4186 | 226 | POLARSSL_ERR_ASN1_UNEXPECTED_TAG ); |
| ansond | 0:137634ff4186 | 227 | |
| ansond | 0:137634ff4186 | 228 | p = (unsigned char *) params->p; |
| ansond | 0:137634ff4186 | 229 | end = p + params->len; |
| ansond | 0:137634ff4186 | 230 | |
| ansond | 0:137634ff4186 | 231 | if( p == end ) |
| ansond | 0:137634ff4186 | 232 | return( 0 ); |
| ansond | 0:137634ff4186 | 233 | |
| ansond | 0:137634ff4186 | 234 | /* |
| ansond | 0:137634ff4186 | 235 | * HashAlgorithm |
| ansond | 0:137634ff4186 | 236 | */ |
| ansond | 0:137634ff4186 | 237 | if( ( ret = asn1_get_tag( &p, end, &len, |
| ansond | 0:137634ff4186 | 238 | ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 0 ) ) == 0 ) |
| ansond | 0:137634ff4186 | 239 | { |
| ansond | 0:137634ff4186 | 240 | end2 = p + len; |
| ansond | 0:137634ff4186 | 241 | |
| ansond | 0:137634ff4186 | 242 | /* HashAlgorithm ::= AlgorithmIdentifier (without parameters) */ |
| ansond | 0:137634ff4186 | 243 | if( ( ret = x509_get_alg_null( &p, end2, &alg_id ) ) != 0 ) |
| ansond | 0:137634ff4186 | 244 | return( ret ); |
| ansond | 0:137634ff4186 | 245 | |
| ansond | 0:137634ff4186 | 246 | if( ( ret = oid_get_md_alg( &alg_id, md_alg ) ) != 0 ) |
| ansond | 0:137634ff4186 | 247 | return( POLARSSL_ERR_X509_INVALID_ALG + ret ); |
| ansond | 0:137634ff4186 | 248 | |
| ansond | 0:137634ff4186 | 249 | if( p != end2 ) |
| ansond | 0:137634ff4186 | 250 | return( POLARSSL_ERR_X509_INVALID_ALG + |
| ansond | 0:137634ff4186 | 251 | POLARSSL_ERR_ASN1_LENGTH_MISMATCH ); |
| ansond | 0:137634ff4186 | 252 | } |
| ansond | 0:137634ff4186 | 253 | else if( ret != POLARSSL_ERR_ASN1_UNEXPECTED_TAG ) |
| ansond | 0:137634ff4186 | 254 | return( POLARSSL_ERR_X509_INVALID_ALG + ret ); |
| ansond | 0:137634ff4186 | 255 | |
| ansond | 0:137634ff4186 | 256 | if( p == end ) |
| ansond | 0:137634ff4186 | 257 | return( 0 ); |
| ansond | 0:137634ff4186 | 258 | |
| ansond | 0:137634ff4186 | 259 | /* |
| ansond | 0:137634ff4186 | 260 | * MaskGenAlgorithm |
| ansond | 0:137634ff4186 | 261 | */ |
| ansond | 0:137634ff4186 | 262 | if( ( ret = asn1_get_tag( &p, end, &len, |
| ansond | 0:137634ff4186 | 263 | ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 1 ) ) == 0 ) |
| ansond | 0:137634ff4186 | 264 | { |
| ansond | 0:137634ff4186 | 265 | end2 = p + len; |
| ansond | 0:137634ff4186 | 266 | |
| ansond | 0:137634ff4186 | 267 | /* MaskGenAlgorithm ::= AlgorithmIdentifier (params = HashAlgorithm) */ |
| ansond | 0:137634ff4186 | 268 | if( ( ret = x509_get_alg( &p, end2, &alg_id, &alg_params ) ) != 0 ) |
| ansond | 0:137634ff4186 | 269 | return( ret ); |
| ansond | 0:137634ff4186 | 270 | |
| ansond | 0:137634ff4186 | 271 | /* Only MFG1 is recognised for now */ |
| ansond | 0:137634ff4186 | 272 | if( ! OID_CMP( OID_MGF1, &alg_id ) ) |
| ansond | 0:137634ff4186 | 273 | return( POLARSSL_ERR_X509_FEATURE_UNAVAILABLE + |
| ansond | 0:137634ff4186 | 274 | POLARSSL_ERR_OID_NOT_FOUND ); |
| ansond | 0:137634ff4186 | 275 | |
| ansond | 0:137634ff4186 | 276 | /* Parse HashAlgorithm */ |
| ansond | 0:137634ff4186 | 277 | if( ( ret = x509_get_hash_alg( &alg_params, mgf_md ) ) != 0 ) |
| ansond | 0:137634ff4186 | 278 | return( ret ); |
| ansond | 0:137634ff4186 | 279 | |
| ansond | 0:137634ff4186 | 280 | if( p != end2 ) |
| ansond | 0:137634ff4186 | 281 | return( POLARSSL_ERR_X509_INVALID_ALG + |
| ansond | 0:137634ff4186 | 282 | POLARSSL_ERR_ASN1_LENGTH_MISMATCH ); |
| ansond | 0:137634ff4186 | 283 | } |
| ansond | 0:137634ff4186 | 284 | else if( ret != POLARSSL_ERR_ASN1_UNEXPECTED_TAG ) |
| ansond | 0:137634ff4186 | 285 | return( POLARSSL_ERR_X509_INVALID_ALG + ret ); |
| ansond | 0:137634ff4186 | 286 | |
| ansond | 0:137634ff4186 | 287 | if( p == end ) |
| ansond | 0:137634ff4186 | 288 | return( 0 ); |
| ansond | 0:137634ff4186 | 289 | |
| ansond | 0:137634ff4186 | 290 | /* |
| ansond | 0:137634ff4186 | 291 | * salt_len |
| ansond | 0:137634ff4186 | 292 | */ |
| ansond | 0:137634ff4186 | 293 | if( ( ret = asn1_get_tag( &p, end, &len, |
| ansond | 0:137634ff4186 | 294 | ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 2 ) ) == 0 ) |
| ansond | 0:137634ff4186 | 295 | { |
| ansond | 0:137634ff4186 | 296 | end2 = p + len; |
| ansond | 0:137634ff4186 | 297 | |
| ansond | 0:137634ff4186 | 298 | if( ( ret = asn1_get_int( &p, end2, salt_len ) ) != 0 ) |
| ansond | 0:137634ff4186 | 299 | return( POLARSSL_ERR_X509_INVALID_ALG + ret ); |
| ansond | 0:137634ff4186 | 300 | |
| ansond | 0:137634ff4186 | 301 | if( p != end2 ) |
| ansond | 0:137634ff4186 | 302 | return( POLARSSL_ERR_X509_INVALID_ALG + |
| ansond | 0:137634ff4186 | 303 | POLARSSL_ERR_ASN1_LENGTH_MISMATCH ); |
| ansond | 0:137634ff4186 | 304 | } |
| ansond | 0:137634ff4186 | 305 | else if( ret != POLARSSL_ERR_ASN1_UNEXPECTED_TAG ) |
| ansond | 0:137634ff4186 | 306 | return( POLARSSL_ERR_X509_INVALID_ALG + ret ); |
| ansond | 0:137634ff4186 | 307 | |
| ansond | 0:137634ff4186 | 308 | if( p == end ) |
| ansond | 0:137634ff4186 | 309 | return( 0 ); |
| ansond | 0:137634ff4186 | 310 | |
| ansond | 0:137634ff4186 | 311 | /* |
| ansond | 0:137634ff4186 | 312 | * trailer_field (if present, must be 1) |
| ansond | 0:137634ff4186 | 313 | */ |
| ansond | 0:137634ff4186 | 314 | if( ( ret = asn1_get_tag( &p, end, &len, |
| ansond | 0:137634ff4186 | 315 | ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 3 ) ) == 0 ) |
| ansond | 0:137634ff4186 | 316 | { |
| ansond | 0:137634ff4186 | 317 | int trailer_field; |
| ansond | 0:137634ff4186 | 318 | |
| ansond | 0:137634ff4186 | 319 | end2 = p + len; |
| ansond | 0:137634ff4186 | 320 | |
| ansond | 0:137634ff4186 | 321 | if( ( ret = asn1_get_int( &p, end2, &trailer_field ) ) != 0 ) |
| ansond | 0:137634ff4186 | 322 | return( POLARSSL_ERR_X509_INVALID_ALG + ret ); |
| ansond | 0:137634ff4186 | 323 | |
| ansond | 0:137634ff4186 | 324 | if( p != end2 ) |
| ansond | 0:137634ff4186 | 325 | return( POLARSSL_ERR_X509_INVALID_ALG + |
| ansond | 0:137634ff4186 | 326 | POLARSSL_ERR_ASN1_LENGTH_MISMATCH ); |
| ansond | 0:137634ff4186 | 327 | |
| ansond | 0:137634ff4186 | 328 | if( trailer_field != 1 ) |
| ansond | 0:137634ff4186 | 329 | return( POLARSSL_ERR_X509_INVALID_ALG ); |
| ansond | 0:137634ff4186 | 330 | } |
| ansond | 0:137634ff4186 | 331 | else if( ret != POLARSSL_ERR_ASN1_UNEXPECTED_TAG ) |
| ansond | 0:137634ff4186 | 332 | return( POLARSSL_ERR_X509_INVALID_ALG + ret ); |
| ansond | 0:137634ff4186 | 333 | |
| ansond | 0:137634ff4186 | 334 | if( p != end ) |
| ansond | 0:137634ff4186 | 335 | return( POLARSSL_ERR_X509_INVALID_ALG + |
| ansond | 0:137634ff4186 | 336 | POLARSSL_ERR_ASN1_LENGTH_MISMATCH ); |
| ansond | 0:137634ff4186 | 337 | |
| ansond | 0:137634ff4186 | 338 | return( 0 ); |
| ansond | 0:137634ff4186 | 339 | } |
| ansond | 0:137634ff4186 | 340 | #endif /* POLARSSL_X509_RSASSA_PSS_SUPPORT */ |
| ansond | 0:137634ff4186 | 341 | |
| ansond | 0:137634ff4186 | 342 | /* |
| ansond | 0:137634ff4186 | 343 | * AttributeTypeAndValue ::= SEQUENCE { |
| ansond | 0:137634ff4186 | 344 | * type AttributeType, |
| ansond | 0:137634ff4186 | 345 | * value AttributeValue } |
| ansond | 0:137634ff4186 | 346 | * |
| ansond | 0:137634ff4186 | 347 | * AttributeType ::= OBJECT IDENTIFIER |
| ansond | 0:137634ff4186 | 348 | * |
| ansond | 0:137634ff4186 | 349 | * AttributeValue ::= ANY DEFINED BY AttributeType |
| ansond | 0:137634ff4186 | 350 | */ |
| ansond | 0:137634ff4186 | 351 | static int x509_get_attr_type_value( unsigned char **p, |
| ansond | 0:137634ff4186 | 352 | const unsigned char *end, |
| ansond | 0:137634ff4186 | 353 | x509_name *cur ) |
| ansond | 0:137634ff4186 | 354 | { |
| ansond | 0:137634ff4186 | 355 | int ret; |
| ansond | 0:137634ff4186 | 356 | size_t len; |
| ansond | 0:137634ff4186 | 357 | x509_buf *oid; |
| ansond | 0:137634ff4186 | 358 | x509_buf *val; |
| ansond | 0:137634ff4186 | 359 | |
| ansond | 0:137634ff4186 | 360 | if( ( ret = asn1_get_tag( p, end, &len, |
| ansond | 0:137634ff4186 | 361 | ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 ) |
| ansond | 0:137634ff4186 | 362 | return( POLARSSL_ERR_X509_INVALID_NAME + ret ); |
| ansond | 0:137634ff4186 | 363 | |
| ansond | 0:137634ff4186 | 364 | if( ( end - *p ) < 1 ) |
| ansond | 0:137634ff4186 | 365 | return( POLARSSL_ERR_X509_INVALID_NAME + |
| ansond | 0:137634ff4186 | 366 | POLARSSL_ERR_ASN1_OUT_OF_DATA ); |
| ansond | 0:137634ff4186 | 367 | |
| ansond | 0:137634ff4186 | 368 | oid = &cur->oid; |
| ansond | 0:137634ff4186 | 369 | oid->tag = **p; |
| ansond | 0:137634ff4186 | 370 | |
| ansond | 0:137634ff4186 | 371 | if( ( ret = asn1_get_tag( p, end, &oid->len, ASN1_OID ) ) != 0 ) |
| ansond | 0:137634ff4186 | 372 | return( POLARSSL_ERR_X509_INVALID_NAME + ret ); |
| ansond | 0:137634ff4186 | 373 | |
| ansond | 0:137634ff4186 | 374 | oid->p = *p; |
| ansond | 0:137634ff4186 | 375 | *p += oid->len; |
| ansond | 0:137634ff4186 | 376 | |
| ansond | 0:137634ff4186 | 377 | if( ( end - *p ) < 1 ) |
| ansond | 0:137634ff4186 | 378 | return( POLARSSL_ERR_X509_INVALID_NAME + |
| ansond | 0:137634ff4186 | 379 | POLARSSL_ERR_ASN1_OUT_OF_DATA ); |
| ansond | 0:137634ff4186 | 380 | |
| ansond | 0:137634ff4186 | 381 | if( **p != ASN1_BMP_STRING && **p != ASN1_UTF8_STRING && |
| ansond | 0:137634ff4186 | 382 | **p != ASN1_T61_STRING && **p != ASN1_PRINTABLE_STRING && |
| ansond | 0:137634ff4186 | 383 | **p != ASN1_IA5_STRING && **p != ASN1_UNIVERSAL_STRING && |
| ansond | 0:137634ff4186 | 384 | **p != ASN1_BIT_STRING ) |
| ansond | 0:137634ff4186 | 385 | return( POLARSSL_ERR_X509_INVALID_NAME + |
| ansond | 0:137634ff4186 | 386 | POLARSSL_ERR_ASN1_UNEXPECTED_TAG ); |
| ansond | 0:137634ff4186 | 387 | |
| ansond | 0:137634ff4186 | 388 | val = &cur->val; |
| ansond | 0:137634ff4186 | 389 | val->tag = *(*p)++; |
| ansond | 0:137634ff4186 | 390 | |
| ansond | 0:137634ff4186 | 391 | if( ( ret = asn1_get_len( p, end, &val->len ) ) != 0 ) |
| ansond | 0:137634ff4186 | 392 | return( POLARSSL_ERR_X509_INVALID_NAME + ret ); |
| ansond | 0:137634ff4186 | 393 | |
| ansond | 0:137634ff4186 | 394 | val->p = *p; |
| ansond | 0:137634ff4186 | 395 | *p += val->len; |
| ansond | 0:137634ff4186 | 396 | |
| ansond | 0:137634ff4186 | 397 | cur->next = NULL; |
| ansond | 0:137634ff4186 | 398 | |
| ansond | 0:137634ff4186 | 399 | return( 0 ); |
| ansond | 0:137634ff4186 | 400 | } |
| ansond | 0:137634ff4186 | 401 | |
| ansond | 0:137634ff4186 | 402 | /* |
| ansond | 0:137634ff4186 | 403 | * Name ::= CHOICE { -- only one possibility for now -- |
| ansond | 0:137634ff4186 | 404 | * rdnSequence RDNSequence } |
| ansond | 0:137634ff4186 | 405 | * |
| ansond | 0:137634ff4186 | 406 | * RDNSequence ::= SEQUENCE OF RelativeDistinguishedName |
| ansond | 0:137634ff4186 | 407 | * |
| ansond | 0:137634ff4186 | 408 | * RelativeDistinguishedName ::= |
| ansond | 0:137634ff4186 | 409 | * SET OF AttributeTypeAndValue |
| ansond | 0:137634ff4186 | 410 | * |
| ansond | 0:137634ff4186 | 411 | * AttributeTypeAndValue ::= SEQUENCE { |
| ansond | 0:137634ff4186 | 412 | * type AttributeType, |
| ansond | 0:137634ff4186 | 413 | * value AttributeValue } |
| ansond | 0:137634ff4186 | 414 | * |
| ansond | 0:137634ff4186 | 415 | * AttributeType ::= OBJECT IDENTIFIER |
| ansond | 0:137634ff4186 | 416 | * |
| ansond | 0:137634ff4186 | 417 | * AttributeValue ::= ANY DEFINED BY AttributeType |
| ansond | 0:137634ff4186 | 418 | * |
| ansond | 0:137634ff4186 | 419 | * The data structure is optimized for the common case where each RDN has only |
| ansond | 0:137634ff4186 | 420 | * one element, which is represented as a list of AttributeTypeAndValue. |
| ansond | 0:137634ff4186 | 421 | * For the general case we still use a flat list, but we mark elements of the |
| ansond | 0:137634ff4186 | 422 | * same set so that they are "merged" together in the functions that consume |
| ansond | 0:137634ff4186 | 423 | * this list, eg x509_dn_gets(). |
| ansond | 0:137634ff4186 | 424 | */ |
| ansond | 0:137634ff4186 | 425 | int x509_get_name( unsigned char **p, const unsigned char *end, |
| ansond | 0:137634ff4186 | 426 | x509_name *cur ) |
| ansond | 0:137634ff4186 | 427 | { |
| ansond | 0:137634ff4186 | 428 | int ret; |
| ansond | 0:137634ff4186 | 429 | size_t set_len; |
| ansond | 0:137634ff4186 | 430 | const unsigned char *end_set; |
| ansond | 0:137634ff4186 | 431 | |
| ansond | 0:137634ff4186 | 432 | /* don't use recursion, we'd risk stack overflow if not optimized */ |
| ansond | 0:137634ff4186 | 433 | while( 1 ) |
| ansond | 0:137634ff4186 | 434 | { |
| ansond | 0:137634ff4186 | 435 | /* |
| ansond | 0:137634ff4186 | 436 | * parse SET |
| ansond | 0:137634ff4186 | 437 | */ |
| ansond | 0:137634ff4186 | 438 | if( ( ret = asn1_get_tag( p, end, &set_len, |
| ansond | 0:137634ff4186 | 439 | ASN1_CONSTRUCTED | ASN1_SET ) ) != 0 ) |
| ansond | 0:137634ff4186 | 440 | return( POLARSSL_ERR_X509_INVALID_NAME + ret ); |
| ansond | 0:137634ff4186 | 441 | |
| ansond | 0:137634ff4186 | 442 | end_set = *p + set_len; |
| ansond | 0:137634ff4186 | 443 | |
| ansond | 0:137634ff4186 | 444 | while( 1 ) |
| ansond | 0:137634ff4186 | 445 | { |
| ansond | 0:137634ff4186 | 446 | if( ( ret = x509_get_attr_type_value( p, end_set, cur ) ) != 0 ) |
| ansond | 0:137634ff4186 | 447 | return( ret ); |
| ansond | 0:137634ff4186 | 448 | |
| ansond | 0:137634ff4186 | 449 | if( *p == end_set ) |
| ansond | 0:137634ff4186 | 450 | break; |
| ansond | 0:137634ff4186 | 451 | |
| ansond | 0:137634ff4186 | 452 | /* Mark this item as being not the only one in a set */ |
| ansond | 0:137634ff4186 | 453 | cur->next_merged = 1; |
| ansond | 0:137634ff4186 | 454 | |
| ansond | 0:137634ff4186 | 455 | cur->next = polarssl_malloc( sizeof( x509_name ) ); |
| ansond | 0:137634ff4186 | 456 | |
| ansond | 0:137634ff4186 | 457 | if( cur->next == NULL ) |
| ansond | 0:137634ff4186 | 458 | return( POLARSSL_ERR_X509_MALLOC_FAILED ); |
| ansond | 0:137634ff4186 | 459 | |
| ansond | 0:137634ff4186 | 460 | memset( cur->next, 0, sizeof( x509_name ) ); |
| ansond | 0:137634ff4186 | 461 | |
| ansond | 0:137634ff4186 | 462 | cur = cur->next; |
| ansond | 0:137634ff4186 | 463 | } |
| ansond | 0:137634ff4186 | 464 | |
| ansond | 0:137634ff4186 | 465 | /* |
| ansond | 0:137634ff4186 | 466 | * continue until end of SEQUENCE is reached |
| ansond | 0:137634ff4186 | 467 | */ |
| ansond | 0:137634ff4186 | 468 | if( *p == end ) |
| ansond | 0:137634ff4186 | 469 | return( 0 ); |
| ansond | 0:137634ff4186 | 470 | |
| ansond | 0:137634ff4186 | 471 | cur->next = polarssl_malloc( sizeof( x509_name ) ); |
| ansond | 0:137634ff4186 | 472 | |
| ansond | 0:137634ff4186 | 473 | if( cur->next == NULL ) |
| ansond | 0:137634ff4186 | 474 | return( POLARSSL_ERR_X509_MALLOC_FAILED ); |
| ansond | 0:137634ff4186 | 475 | |
| ansond | 0:137634ff4186 | 476 | memset( cur->next, 0, sizeof( x509_name ) ); |
| ansond | 0:137634ff4186 | 477 | |
| ansond | 0:137634ff4186 | 478 | cur = cur->next; |
| ansond | 0:137634ff4186 | 479 | } |
| ansond | 0:137634ff4186 | 480 | } |
| ansond | 0:137634ff4186 | 481 | |
| ansond | 0:137634ff4186 | 482 | static int x509_parse_int(unsigned char **p, unsigned n, int *res){ |
| ansond | 0:137634ff4186 | 483 | *res = 0; |
| ansond | 0:137634ff4186 | 484 | for( ; n > 0; --n ){ |
| ansond | 0:137634ff4186 | 485 | if( ( **p < '0') || ( **p > '9' ) ) return POLARSSL_ERR_X509_INVALID_DATE; |
| ansond | 0:137634ff4186 | 486 | *res *= 10; |
| ansond | 0:137634ff4186 | 487 | *res += (*(*p)++ - '0'); |
| ansond | 0:137634ff4186 | 488 | } |
| ansond | 0:137634ff4186 | 489 | return 0; |
| ansond | 0:137634ff4186 | 490 | } |
| ansond | 0:137634ff4186 | 491 | |
| ansond | 0:137634ff4186 | 492 | /* |
| ansond | 0:137634ff4186 | 493 | * Time ::= CHOICE { |
| ansond | 0:137634ff4186 | 494 | * utcTime UTCTime, |
| ansond | 0:137634ff4186 | 495 | * generalTime GeneralizedTime } |
| ansond | 0:137634ff4186 | 496 | */ |
| ansond | 0:137634ff4186 | 497 | int x509_get_time( unsigned char **p, const unsigned char *end, |
| ansond | 0:137634ff4186 | 498 | x509_time *time ) |
| ansond | 0:137634ff4186 | 499 | { |
| ansond | 0:137634ff4186 | 500 | int ret; |
| ansond | 0:137634ff4186 | 501 | size_t len; |
| ansond | 0:137634ff4186 | 502 | unsigned char tag; |
| ansond | 0:137634ff4186 | 503 | |
| ansond | 0:137634ff4186 | 504 | if( ( end - *p ) < 1 ) |
| ansond | 0:137634ff4186 | 505 | return( POLARSSL_ERR_X509_INVALID_DATE + |
| ansond | 0:137634ff4186 | 506 | POLARSSL_ERR_ASN1_OUT_OF_DATA ); |
| ansond | 0:137634ff4186 | 507 | |
| ansond | 0:137634ff4186 | 508 | tag = **p; |
| ansond | 0:137634ff4186 | 509 | |
| ansond | 0:137634ff4186 | 510 | if( tag == ASN1_UTC_TIME ) |
| ansond | 0:137634ff4186 | 511 | { |
| ansond | 0:137634ff4186 | 512 | (*p)++; |
| ansond | 0:137634ff4186 | 513 | ret = asn1_get_len( p, end, &len ); |
| ansond | 0:137634ff4186 | 514 | |
| ansond | 0:137634ff4186 | 515 | if( ret != 0 ) |
| ansond | 0:137634ff4186 | 516 | return( POLARSSL_ERR_X509_INVALID_DATE + ret ); |
| ansond | 0:137634ff4186 | 517 | |
| ansond | 0:137634ff4186 | 518 | CHECK( x509_parse_int( p, 2, &time->year ) ); |
| ansond | 0:137634ff4186 | 519 | CHECK( x509_parse_int( p, 2, &time->mon ) ); |
| ansond | 0:137634ff4186 | 520 | CHECK( x509_parse_int( p, 2, &time->day ) ); |
| ansond | 0:137634ff4186 | 521 | CHECK( x509_parse_int( p, 2, &time->hour ) ); |
| ansond | 0:137634ff4186 | 522 | CHECK( x509_parse_int( p, 2, &time->min ) ); |
| ansond | 0:137634ff4186 | 523 | if( len > 10 ) |
| ansond | 0:137634ff4186 | 524 | CHECK( x509_parse_int( p, 2, &time->sec ) ); |
| ansond | 0:137634ff4186 | 525 | if( len > 12 && *(*p)++ != 'Z' ) |
| ansond | 0:137634ff4186 | 526 | return( POLARSSL_ERR_X509_INVALID_DATE ); |
| ansond | 0:137634ff4186 | 527 | |
| ansond | 0:137634ff4186 | 528 | time->year += 100 * ( time->year < 50 ); |
| ansond | 0:137634ff4186 | 529 | time->year += 1900; |
| ansond | 0:137634ff4186 | 530 | |
| ansond | 0:137634ff4186 | 531 | return( 0 ); |
| ansond | 0:137634ff4186 | 532 | } |
| ansond | 0:137634ff4186 | 533 | else if( tag == ASN1_GENERALIZED_TIME ) |
| ansond | 0:137634ff4186 | 534 | { |
| ansond | 0:137634ff4186 | 535 | (*p)++; |
| ansond | 0:137634ff4186 | 536 | ret = asn1_get_len( p, end, &len ); |
| ansond | 0:137634ff4186 | 537 | |
| ansond | 0:137634ff4186 | 538 | if( ret != 0 ) |
| ansond | 0:137634ff4186 | 539 | return( POLARSSL_ERR_X509_INVALID_DATE + ret ); |
| ansond | 0:137634ff4186 | 540 | |
| ansond | 0:137634ff4186 | 541 | CHECK( x509_parse_int( p, 4, &time->year ) ); |
| ansond | 0:137634ff4186 | 542 | CHECK( x509_parse_int( p, 2, &time->mon ) ); |
| ansond | 0:137634ff4186 | 543 | CHECK( x509_parse_int( p, 2, &time->day ) ); |
| ansond | 0:137634ff4186 | 544 | CHECK( x509_parse_int( p, 2, &time->hour ) ); |
| ansond | 0:137634ff4186 | 545 | CHECK( x509_parse_int( p, 2, &time->min ) ); |
| ansond | 0:137634ff4186 | 546 | if( len > 12 ) |
| ansond | 0:137634ff4186 | 547 | CHECK( x509_parse_int( p, 2, &time->sec ) ); |
| ansond | 0:137634ff4186 | 548 | if( len > 14 && *(*p)++ != 'Z' ) |
| ansond | 0:137634ff4186 | 549 | return( POLARSSL_ERR_X509_INVALID_DATE ); |
| ansond | 0:137634ff4186 | 550 | |
| ansond | 0:137634ff4186 | 551 | return( 0 ); |
| ansond | 0:137634ff4186 | 552 | } |
| ansond | 0:137634ff4186 | 553 | else |
| ansond | 0:137634ff4186 | 554 | return( POLARSSL_ERR_X509_INVALID_DATE + |
| ansond | 0:137634ff4186 | 555 | POLARSSL_ERR_ASN1_UNEXPECTED_TAG ); |
| ansond | 0:137634ff4186 | 556 | } |
| ansond | 0:137634ff4186 | 557 | |
| ansond | 0:137634ff4186 | 558 | int x509_get_sig( unsigned char **p, const unsigned char *end, x509_buf *sig ) |
| ansond | 0:137634ff4186 | 559 | { |
| ansond | 0:137634ff4186 | 560 | int ret; |
| ansond | 0:137634ff4186 | 561 | size_t len; |
| ansond | 0:137634ff4186 | 562 | |
| ansond | 0:137634ff4186 | 563 | if( ( end - *p ) < 1 ) |
| ansond | 0:137634ff4186 | 564 | return( POLARSSL_ERR_X509_INVALID_SIGNATURE + |
| ansond | 0:137634ff4186 | 565 | POLARSSL_ERR_ASN1_OUT_OF_DATA ); |
| ansond | 0:137634ff4186 | 566 | |
| ansond | 0:137634ff4186 | 567 | sig->tag = **p; |
| ansond | 0:137634ff4186 | 568 | |
| ansond | 0:137634ff4186 | 569 | if( ( ret = asn1_get_bitstring_null( p, end, &len ) ) != 0 ) |
| ansond | 0:137634ff4186 | 570 | return( POLARSSL_ERR_X509_INVALID_SIGNATURE + ret ); |
| ansond | 0:137634ff4186 | 571 | |
| ansond | 0:137634ff4186 | 572 | sig->len = len; |
| ansond | 0:137634ff4186 | 573 | sig->p = *p; |
| ansond | 0:137634ff4186 | 574 | |
| ansond | 0:137634ff4186 | 575 | *p += len; |
| ansond | 0:137634ff4186 | 576 | |
| ansond | 0:137634ff4186 | 577 | return( 0 ); |
| ansond | 0:137634ff4186 | 578 | } |
| ansond | 0:137634ff4186 | 579 | |
| ansond | 0:137634ff4186 | 580 | /* |
| ansond | 0:137634ff4186 | 581 | * Get signature algorithm from alg OID and optional parameters |
| ansond | 0:137634ff4186 | 582 | */ |
| ansond | 0:137634ff4186 | 583 | int x509_get_sig_alg( const x509_buf *sig_oid, const x509_buf *sig_params, |
| ansond | 0:137634ff4186 | 584 | md_type_t *md_alg, pk_type_t *pk_alg, |
| ansond | 0:137634ff4186 | 585 | void **sig_opts ) |
| ansond | 0:137634ff4186 | 586 | { |
| ansond | 0:137634ff4186 | 587 | int ret; |
| ansond | 0:137634ff4186 | 588 | |
| ansond | 0:137634ff4186 | 589 | if( *sig_opts != NULL ) |
| ansond | 0:137634ff4186 | 590 | return( POLARSSL_ERR_X509_BAD_INPUT_DATA ); |
| ansond | 0:137634ff4186 | 591 | |
| ansond | 0:137634ff4186 | 592 | if( ( ret = oid_get_sig_alg( sig_oid, md_alg, pk_alg ) ) != 0 ) |
| ansond | 0:137634ff4186 | 593 | return( POLARSSL_ERR_X509_UNKNOWN_SIG_ALG + ret ); |
| ansond | 0:137634ff4186 | 594 | |
| ansond | 0:137634ff4186 | 595 | #if defined(POLARSSL_X509_RSASSA_PSS_SUPPORT) |
| ansond | 0:137634ff4186 | 596 | if( *pk_alg == POLARSSL_PK_RSASSA_PSS ) |
| ansond | 0:137634ff4186 | 597 | { |
| ansond | 0:137634ff4186 | 598 | pk_rsassa_pss_options *pss_opts; |
| ansond | 0:137634ff4186 | 599 | |
| ansond | 0:137634ff4186 | 600 | pss_opts = polarssl_malloc( sizeof( pk_rsassa_pss_options ) ); |
| ansond | 0:137634ff4186 | 601 | if( pss_opts == NULL ) |
| ansond | 0:137634ff4186 | 602 | return( POLARSSL_ERR_X509_MALLOC_FAILED ); |
| ansond | 0:137634ff4186 | 603 | |
| ansond | 0:137634ff4186 | 604 | ret = x509_get_rsassa_pss_params( sig_params, |
| ansond | 0:137634ff4186 | 605 | md_alg, |
| ansond | 0:137634ff4186 | 606 | &pss_opts->mgf1_hash_id, |
| ansond | 0:137634ff4186 | 607 | &pss_opts->expected_salt_len ); |
| ansond | 0:137634ff4186 | 608 | if( ret != 0 ) |
| ansond | 0:137634ff4186 | 609 | { |
| ansond | 0:137634ff4186 | 610 | polarssl_free( pss_opts ); |
| ansond | 0:137634ff4186 | 611 | return( ret ); |
| ansond | 0:137634ff4186 | 612 | } |
| ansond | 0:137634ff4186 | 613 | |
| ansond | 0:137634ff4186 | 614 | *sig_opts = (void *) pss_opts; |
| ansond | 0:137634ff4186 | 615 | } |
| ansond | 0:137634ff4186 | 616 | else |
| ansond | 0:137634ff4186 | 617 | #endif /* POLARSSL_X509_RSASSA_PSS_SUPPORT */ |
| ansond | 0:137634ff4186 | 618 | { |
| ansond | 0:137634ff4186 | 619 | /* Make sure parameters are absent or NULL */ |
| ansond | 0:137634ff4186 | 620 | if( ( sig_params->tag != ASN1_NULL && sig_params->tag != 0 ) || |
| ansond | 0:137634ff4186 | 621 | sig_params->len != 0 ) |
| ansond | 0:137634ff4186 | 622 | return( POLARSSL_ERR_X509_INVALID_ALG ); |
| ansond | 0:137634ff4186 | 623 | } |
| ansond | 0:137634ff4186 | 624 | |
| ansond | 0:137634ff4186 | 625 | return( 0 ); |
| ansond | 0:137634ff4186 | 626 | } |
| ansond | 0:137634ff4186 | 627 | |
| ansond | 0:137634ff4186 | 628 | /* |
| ansond | 0:137634ff4186 | 629 | * X.509 Extensions (No parsing of extensions, pointer should |
| ansond | 0:137634ff4186 | 630 | * be either manually updated or extensions should be parsed! |
| ansond | 0:137634ff4186 | 631 | */ |
| ansond | 0:137634ff4186 | 632 | int x509_get_ext( unsigned char **p, const unsigned char *end, |
| ansond | 0:137634ff4186 | 633 | x509_buf *ext, int tag ) |
| ansond | 0:137634ff4186 | 634 | { |
| ansond | 0:137634ff4186 | 635 | int ret; |
| ansond | 0:137634ff4186 | 636 | size_t len; |
| ansond | 0:137634ff4186 | 637 | |
| ansond | 0:137634ff4186 | 638 | if( *p == end ) |
| ansond | 0:137634ff4186 | 639 | return( 0 ); |
| ansond | 0:137634ff4186 | 640 | |
| ansond | 0:137634ff4186 | 641 | ext->tag = **p; |
| ansond | 0:137634ff4186 | 642 | |
| ansond | 0:137634ff4186 | 643 | if( ( ret = asn1_get_tag( p, end, &ext->len, |
| ansond | 0:137634ff4186 | 644 | ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | tag ) ) != 0 ) |
| ansond | 0:137634ff4186 | 645 | return( ret ); |
| ansond | 0:137634ff4186 | 646 | |
| ansond | 0:137634ff4186 | 647 | ext->p = *p; |
| ansond | 0:137634ff4186 | 648 | end = *p + ext->len; |
| ansond | 0:137634ff4186 | 649 | |
| ansond | 0:137634ff4186 | 650 | /* |
| ansond | 0:137634ff4186 | 651 | * Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension |
| ansond | 0:137634ff4186 | 652 | * |
| ansond | 0:137634ff4186 | 653 | * Extension ::= SEQUENCE { |
| ansond | 0:137634ff4186 | 654 | * extnID OBJECT IDENTIFIER, |
| ansond | 0:137634ff4186 | 655 | * critical BOOLEAN DEFAULT FALSE, |
| ansond | 0:137634ff4186 | 656 | * extnValue OCTET STRING } |
| ansond | 0:137634ff4186 | 657 | */ |
| ansond | 0:137634ff4186 | 658 | if( ( ret = asn1_get_tag( p, end, &len, |
| ansond | 0:137634ff4186 | 659 | ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 ) |
| ansond | 0:137634ff4186 | 660 | return( POLARSSL_ERR_X509_INVALID_EXTENSIONS + ret ); |
| ansond | 0:137634ff4186 | 661 | |
| ansond | 0:137634ff4186 | 662 | if( end != *p + len ) |
| ansond | 0:137634ff4186 | 663 | return( POLARSSL_ERR_X509_INVALID_EXTENSIONS + |
| ansond | 0:137634ff4186 | 664 | POLARSSL_ERR_ASN1_LENGTH_MISMATCH ); |
| ansond | 0:137634ff4186 | 665 | |
| ansond | 0:137634ff4186 | 666 | return( 0 ); |
| ansond | 0:137634ff4186 | 667 | } |
| ansond | 0:137634ff4186 | 668 | |
| ansond | 0:137634ff4186 | 669 | #if defined(_MSC_VER) && !defined snprintf && !defined(EFIX64) && \ |
| ansond | 0:137634ff4186 | 670 | !defined(EFI32) |
| ansond | 0:137634ff4186 | 671 | #include <stdarg.h> |
| ansond | 0:137634ff4186 | 672 | |
| ansond | 0:137634ff4186 | 673 | #if !defined vsnprintf |
| ansond | 0:137634ff4186 | 674 | #define vsnprintf _vsnprintf |
| ansond | 0:137634ff4186 | 675 | #endif // vsnprintf |
| ansond | 0:137634ff4186 | 676 | |
| ansond | 0:137634ff4186 | 677 | /* |
| ansond | 0:137634ff4186 | 678 | * Windows _snprintf and _vsnprintf are not compatible to linux versions. |
| ansond | 0:137634ff4186 | 679 | * Result value is not size of buffer needed, but -1 if no fit is possible. |
| ansond | 0:137634ff4186 | 680 | * |
| ansond | 0:137634ff4186 | 681 | * This fuction tries to 'fix' this by at least suggesting enlarging the |
| ansond | 0:137634ff4186 | 682 | * size by 20. |
| ansond | 0:137634ff4186 | 683 | */ |
| ansond | 0:137634ff4186 | 684 | static int compat_snprintf( char *str, size_t size, const char *format, ... ) |
| ansond | 0:137634ff4186 | 685 | { |
| ansond | 0:137634ff4186 | 686 | va_list ap; |
| ansond | 0:137634ff4186 | 687 | int res = -1; |
| ansond | 0:137634ff4186 | 688 | |
| ansond | 0:137634ff4186 | 689 | va_start( ap, format ); |
| ansond | 0:137634ff4186 | 690 | |
| ansond | 0:137634ff4186 | 691 | res = vsnprintf( str, size, format, ap ); |
| ansond | 0:137634ff4186 | 692 | |
| ansond | 0:137634ff4186 | 693 | va_end( ap ); |
| ansond | 0:137634ff4186 | 694 | |
| ansond | 0:137634ff4186 | 695 | // No quick fix possible |
| ansond | 0:137634ff4186 | 696 | if( res < 0 ) |
| ansond | 0:137634ff4186 | 697 | return( (int) size + 20 ); |
| ansond | 0:137634ff4186 | 698 | |
| ansond | 0:137634ff4186 | 699 | return( res ); |
| ansond | 0:137634ff4186 | 700 | } |
| ansond | 0:137634ff4186 | 701 | |
| ansond | 0:137634ff4186 | 702 | #define snprintf compat_snprintf |
| ansond | 0:137634ff4186 | 703 | #endif /* _MSC_VER && !snprintf && !EFIX64 && !EFI32 */ |
| ansond | 0:137634ff4186 | 704 | |
| ansond | 0:137634ff4186 | 705 | #define POLARSSL_ERR_DEBUG_BUF_TOO_SMALL -2 |
| ansond | 0:137634ff4186 | 706 | |
| ansond | 0:137634ff4186 | 707 | #define SAFE_SNPRINTF() \ |
| ansond | 0:137634ff4186 | 708 | { \ |
| ansond | 0:137634ff4186 | 709 | if( ret == -1 ) \ |
| ansond | 0:137634ff4186 | 710 | return( -1 ); \ |
| ansond | 0:137634ff4186 | 711 | \ |
| ansond | 0:137634ff4186 | 712 | if( (unsigned int) ret > n ) { \ |
| ansond | 0:137634ff4186 | 713 | p[n - 1] = '\0'; \ |
| ansond | 0:137634ff4186 | 714 | return( POLARSSL_ERR_DEBUG_BUF_TOO_SMALL ); \ |
| ansond | 0:137634ff4186 | 715 | } \ |
| ansond | 0:137634ff4186 | 716 | \ |
| ansond | 0:137634ff4186 | 717 | n -= (unsigned int) ret; \ |
| ansond | 0:137634ff4186 | 718 | p += (unsigned int) ret; \ |
| ansond | 0:137634ff4186 | 719 | } |
| ansond | 0:137634ff4186 | 720 | |
| ansond | 0:137634ff4186 | 721 | /* |
| ansond | 0:137634ff4186 | 722 | * Store the name in printable form into buf; no more |
| ansond | 0:137634ff4186 | 723 | * than size characters will be written |
| ansond | 0:137634ff4186 | 724 | */ |
| ansond | 0:137634ff4186 | 725 | int x509_dn_gets( char *buf, size_t size, const x509_name *dn ) |
| ansond | 0:137634ff4186 | 726 | { |
| ansond | 0:137634ff4186 | 727 | int ret; |
| ansond | 0:137634ff4186 | 728 | size_t i, n; |
| ansond | 0:137634ff4186 | 729 | unsigned char c, merge = 0; |
| ansond | 0:137634ff4186 | 730 | const x509_name *name; |
| ansond | 0:137634ff4186 | 731 | const char *short_name = NULL; |
| ansond | 0:137634ff4186 | 732 | char s[X509_MAX_DN_NAME_SIZE], *p; |
| ansond | 0:137634ff4186 | 733 | |
| ansond | 0:137634ff4186 | 734 | memset( s, 0, sizeof( s ) ); |
| ansond | 0:137634ff4186 | 735 | |
| ansond | 0:137634ff4186 | 736 | name = dn; |
| ansond | 0:137634ff4186 | 737 | p = buf; |
| ansond | 0:137634ff4186 | 738 | n = size; |
| ansond | 0:137634ff4186 | 739 | |
| ansond | 0:137634ff4186 | 740 | while( name != NULL ) |
| ansond | 0:137634ff4186 | 741 | { |
| ansond | 0:137634ff4186 | 742 | if( !name->oid.p ) |
| ansond | 0:137634ff4186 | 743 | { |
| ansond | 0:137634ff4186 | 744 | name = name->next; |
| ansond | 0:137634ff4186 | 745 | continue; |
| ansond | 0:137634ff4186 | 746 | } |
| ansond | 0:137634ff4186 | 747 | |
| ansond | 0:137634ff4186 | 748 | if( name != dn ) |
| ansond | 0:137634ff4186 | 749 | { |
| ansond | 0:137634ff4186 | 750 | ret = polarssl_snprintf( p, n, merge ? " + " : ", " ); |
| ansond | 0:137634ff4186 | 751 | SAFE_SNPRINTF(); |
| ansond | 0:137634ff4186 | 752 | } |
| ansond | 0:137634ff4186 | 753 | |
| ansond | 0:137634ff4186 | 754 | ret = oid_get_attr_short_name( &name->oid, &short_name ); |
| ansond | 0:137634ff4186 | 755 | |
| ansond | 0:137634ff4186 | 756 | if( ret == 0 ) |
| ansond | 0:137634ff4186 | 757 | ret = polarssl_snprintf( p, n, "%s=", short_name ); |
| ansond | 0:137634ff4186 | 758 | else |
| ansond | 0:137634ff4186 | 759 | ret = polarssl_snprintf( p, n, "\?\?=" ); |
| ansond | 0:137634ff4186 | 760 | SAFE_SNPRINTF(); |
| ansond | 0:137634ff4186 | 761 | |
| ansond | 0:137634ff4186 | 762 | for( i = 0; i < name->val.len; i++ ) |
| ansond | 0:137634ff4186 | 763 | { |
| ansond | 0:137634ff4186 | 764 | if( i >= sizeof( s ) - 1 ) |
| ansond | 0:137634ff4186 | 765 | break; |
| ansond | 0:137634ff4186 | 766 | |
| ansond | 0:137634ff4186 | 767 | c = name->val.p[i]; |
| ansond | 0:137634ff4186 | 768 | if( c < 32 || c == 127 || ( c > 128 && c < 160 ) ) |
| ansond | 0:137634ff4186 | 769 | s[i] = '?'; |
| ansond | 0:137634ff4186 | 770 | else s[i] = c; |
| ansond | 0:137634ff4186 | 771 | } |
| ansond | 0:137634ff4186 | 772 | s[i] = '\0'; |
| ansond | 0:137634ff4186 | 773 | ret = polarssl_snprintf( p, n, "%s", s ); |
| ansond | 0:137634ff4186 | 774 | SAFE_SNPRINTF(); |
| ansond | 0:137634ff4186 | 775 | |
| ansond | 0:137634ff4186 | 776 | merge = name->next_merged; |
| ansond | 0:137634ff4186 | 777 | name = name->next; |
| ansond | 0:137634ff4186 | 778 | } |
| ansond | 0:137634ff4186 | 779 | |
| ansond | 0:137634ff4186 | 780 | return( (int) ( size - n ) ); |
| ansond | 0:137634ff4186 | 781 | } |
| ansond | 0:137634ff4186 | 782 | |
| ansond | 0:137634ff4186 | 783 | /* |
| ansond | 0:137634ff4186 | 784 | * Store the serial in printable form into buf; no more |
| ansond | 0:137634ff4186 | 785 | * than size characters will be written |
| ansond | 0:137634ff4186 | 786 | */ |
| ansond | 0:137634ff4186 | 787 | int x509_serial_gets( char *buf, size_t size, const x509_buf *serial ) |
| ansond | 0:137634ff4186 | 788 | { |
| ansond | 0:137634ff4186 | 789 | int ret; |
| ansond | 0:137634ff4186 | 790 | size_t i, n, nr; |
| ansond | 0:137634ff4186 | 791 | char *p; |
| ansond | 0:137634ff4186 | 792 | |
| ansond | 0:137634ff4186 | 793 | p = buf; |
| ansond | 0:137634ff4186 | 794 | n = size; |
| ansond | 0:137634ff4186 | 795 | |
| ansond | 0:137634ff4186 | 796 | nr = ( serial->len <= 32 ) |
| ansond | 0:137634ff4186 | 797 | ? serial->len : 28; |
| ansond | 0:137634ff4186 | 798 | |
| ansond | 0:137634ff4186 | 799 | for( i = 0; i < nr; i++ ) |
| ansond | 0:137634ff4186 | 800 | { |
| ansond | 0:137634ff4186 | 801 | if( i == 0 && nr > 1 && serial->p[i] == 0x0 ) |
| ansond | 0:137634ff4186 | 802 | continue; |
| ansond | 0:137634ff4186 | 803 | |
| ansond | 0:137634ff4186 | 804 | ret = polarssl_snprintf( p, n, "%02X%s", |
| ansond | 0:137634ff4186 | 805 | serial->p[i], ( i < nr - 1 ) ? ":" : "" ); |
| ansond | 0:137634ff4186 | 806 | SAFE_SNPRINTF(); |
| ansond | 0:137634ff4186 | 807 | } |
| ansond | 0:137634ff4186 | 808 | |
| ansond | 0:137634ff4186 | 809 | if( nr != serial->len ) |
| ansond | 0:137634ff4186 | 810 | { |
| ansond | 0:137634ff4186 | 811 | ret = polarssl_snprintf( p, n, "...." ); |
| ansond | 0:137634ff4186 | 812 | SAFE_SNPRINTF(); |
| ansond | 0:137634ff4186 | 813 | } |
| ansond | 0:137634ff4186 | 814 | |
| ansond | 0:137634ff4186 | 815 | return( (int) ( size - n ) ); |
| ansond | 0:137634ff4186 | 816 | } |
| ansond | 0:137634ff4186 | 817 | |
| ansond | 0:137634ff4186 | 818 | /* |
| ansond | 0:137634ff4186 | 819 | * Helper for writing signature algorithms |
| ansond | 0:137634ff4186 | 820 | */ |
| ansond | 0:137634ff4186 | 821 | int x509_sig_alg_gets( char *buf, size_t size, const x509_buf *sig_oid, |
| ansond | 0:137634ff4186 | 822 | pk_type_t pk_alg, md_type_t md_alg, |
| ansond | 0:137634ff4186 | 823 | const void *sig_opts ) |
| ansond | 0:137634ff4186 | 824 | { |
| ansond | 0:137634ff4186 | 825 | int ret; |
| ansond | 0:137634ff4186 | 826 | char *p = buf; |
| ansond | 0:137634ff4186 | 827 | size_t n = size; |
| ansond | 0:137634ff4186 | 828 | const char *desc = NULL; |
| ansond | 0:137634ff4186 | 829 | |
| ansond | 0:137634ff4186 | 830 | ret = oid_get_sig_alg_desc( sig_oid, &desc ); |
| ansond | 0:137634ff4186 | 831 | if( ret != 0 ) |
| ansond | 0:137634ff4186 | 832 | ret = polarssl_snprintf( p, n, "???" ); |
| ansond | 0:137634ff4186 | 833 | else |
| ansond | 0:137634ff4186 | 834 | ret = polarssl_snprintf( p, n, "%s", desc ); |
| ansond | 0:137634ff4186 | 835 | SAFE_SNPRINTF(); |
| ansond | 0:137634ff4186 | 836 | |
| ansond | 0:137634ff4186 | 837 | #if defined(POLARSSL_X509_RSASSA_PSS_SUPPORT) |
| ansond | 0:137634ff4186 | 838 | if( pk_alg == POLARSSL_PK_RSASSA_PSS ) |
| ansond | 0:137634ff4186 | 839 | { |
| ansond | 0:137634ff4186 | 840 | const pk_rsassa_pss_options *pss_opts; |
| ansond | 0:137634ff4186 | 841 | const md_info_t *md_info, *mgf_md_info; |
| ansond | 0:137634ff4186 | 842 | |
| ansond | 0:137634ff4186 | 843 | pss_opts = (const pk_rsassa_pss_options *) sig_opts; |
| ansond | 0:137634ff4186 | 844 | |
| ansond | 0:137634ff4186 | 845 | md_info = md_info_from_type( md_alg ); |
| ansond | 0:137634ff4186 | 846 | mgf_md_info = md_info_from_type( pss_opts->mgf1_hash_id ); |
| ansond | 0:137634ff4186 | 847 | |
| ansond | 0:137634ff4186 | 848 | ret = polarssl_snprintf( p, n, " (%s, MGF1-%s, 0x%02X)", |
| ansond | 0:137634ff4186 | 849 | md_info ? md_info->name : "???", |
| ansond | 0:137634ff4186 | 850 | mgf_md_info ? mgf_md_info->name : "???", |
| ansond | 0:137634ff4186 | 851 | pss_opts->expected_salt_len ); |
| ansond | 0:137634ff4186 | 852 | SAFE_SNPRINTF(); |
| ansond | 0:137634ff4186 | 853 | } |
| ansond | 0:137634ff4186 | 854 | #else |
| ansond | 0:137634ff4186 | 855 | ((void) pk_alg); |
| ansond | 0:137634ff4186 | 856 | ((void) md_alg); |
| ansond | 0:137634ff4186 | 857 | ((void) sig_opts); |
| ansond | 0:137634ff4186 | 858 | #endif /* POLARSSL_X509_RSASSA_PSS_SUPPORT */ |
| ansond | 0:137634ff4186 | 859 | |
| ansond | 0:137634ff4186 | 860 | return( (int)( size - n ) ); |
| ansond | 0:137634ff4186 | 861 | } |
| ansond | 0:137634ff4186 | 862 | |
| ansond | 0:137634ff4186 | 863 | /* |
| ansond | 0:137634ff4186 | 864 | * Helper for writing "RSA key size", "EC key size", etc |
| ansond | 0:137634ff4186 | 865 | */ |
| ansond | 0:137634ff4186 | 866 | int x509_key_size_helper( char *buf, size_t size, const char *name ) |
| ansond | 0:137634ff4186 | 867 | { |
| ansond | 0:137634ff4186 | 868 | char *p = buf; |
| ansond | 0:137634ff4186 | 869 | size_t n = size; |
| ansond | 0:137634ff4186 | 870 | int ret; |
| ansond | 0:137634ff4186 | 871 | |
| ansond | 0:137634ff4186 | 872 | if( strlen( name ) + sizeof( " key size" ) > size ) |
| ansond | 0:137634ff4186 | 873 | return( POLARSSL_ERR_DEBUG_BUF_TOO_SMALL ); |
| ansond | 0:137634ff4186 | 874 | |
| ansond | 0:137634ff4186 | 875 | ret = polarssl_snprintf( p, n, "%s key size", name ); |
| ansond | 0:137634ff4186 | 876 | SAFE_SNPRINTF(); |
| ansond | 0:137634ff4186 | 877 | |
| ansond | 0:137634ff4186 | 878 | return( 0 ); |
| ansond | 0:137634ff4186 | 879 | } |
| ansond | 0:137634ff4186 | 880 | |
| ansond | 0:137634ff4186 | 881 | /* |
| ansond | 0:137634ff4186 | 882 | * Return an informational string describing the given OID |
| ansond | 0:137634ff4186 | 883 | */ |
| ansond | 0:137634ff4186 | 884 | #if ! defined(POLARSSL_DEPRECATED_REMOVED) |
| ansond | 0:137634ff4186 | 885 | const char *x509_oid_get_description( x509_buf *oid ) |
| ansond | 0:137634ff4186 | 886 | { |
| ansond | 0:137634ff4186 | 887 | const char *desc = NULL; |
| ansond | 0:137634ff4186 | 888 | int ret; |
| ansond | 0:137634ff4186 | 889 | |
| ansond | 0:137634ff4186 | 890 | ret = oid_get_extended_key_usage( oid, &desc ); |
| ansond | 0:137634ff4186 | 891 | |
| ansond | 0:137634ff4186 | 892 | if( ret != 0 ) |
| ansond | 0:137634ff4186 | 893 | return( NULL ); |
| ansond | 0:137634ff4186 | 894 | |
| ansond | 0:137634ff4186 | 895 | return( desc ); |
| ansond | 0:137634ff4186 | 896 | } |
| ansond | 0:137634ff4186 | 897 | #endif |
| ansond | 0:137634ff4186 | 898 | |
| ansond | 0:137634ff4186 | 899 | /* Return the x.y.z.... style numeric string for the given OID */ |
| ansond | 0:137634ff4186 | 900 | #if ! defined(POLARSSL_DEPRECATED_REMOVED) |
| ansond | 0:137634ff4186 | 901 | int x509_oid_get_numeric_string( char *buf, size_t size, x509_buf *oid ) |
| ansond | 0:137634ff4186 | 902 | { |
| ansond | 0:137634ff4186 | 903 | return oid_get_numeric_string( buf, size, oid ); |
| ansond | 0:137634ff4186 | 904 | } |
| ansond | 0:137634ff4186 | 905 | #endif |
| ansond | 0:137634ff4186 | 906 | |
| ansond | 0:137634ff4186 | 907 | /* |
| ansond | 0:137634ff4186 | 908 | * Return 0 if the x509_time is still valid, or 1 otherwise. |
| ansond | 0:137634ff4186 | 909 | */ |
| ansond | 0:137634ff4186 | 910 | #if defined(POLARSSL_HAVE_TIME) |
| ansond | 0:137634ff4186 | 911 | |
| ansond | 0:137634ff4186 | 912 | static void x509_get_current_time( x509_time *now ) |
| ansond | 0:137634ff4186 | 913 | { |
| ansond | 0:137634ff4186 | 914 | #if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32) |
| ansond | 0:137634ff4186 | 915 | SYSTEMTIME st; |
| ansond | 0:137634ff4186 | 916 | |
| ansond | 0:137634ff4186 | 917 | GetSystemTime( &st ); |
| ansond | 0:137634ff4186 | 918 | |
| ansond | 0:137634ff4186 | 919 | now->year = st.wYear; |
| ansond | 0:137634ff4186 | 920 | now->mon = st.wMonth; |
| ansond | 0:137634ff4186 | 921 | now->day = st.wDay; |
| ansond | 0:137634ff4186 | 922 | now->hour = st.wHour; |
| ansond | 0:137634ff4186 | 923 | now->min = st.wMinute; |
| ansond | 0:137634ff4186 | 924 | now->sec = st.wSecond; |
| ansond | 0:137634ff4186 | 925 | #else |
| ansond | 0:137634ff4186 | 926 | struct tm lt; |
| ansond | 0:137634ff4186 | 927 | time_t tt; |
| ansond | 0:137634ff4186 | 928 | |
| ansond | 0:137634ff4186 | 929 | tt = time( NULL ); |
| ansond | 0:137634ff4186 | 930 | gmtime_r( &tt, < ); |
| ansond | 0:137634ff4186 | 931 | |
| ansond | 0:137634ff4186 | 932 | now->year = lt.tm_year + 1900; |
| ansond | 0:137634ff4186 | 933 | now->mon = lt.tm_mon + 1; |
| ansond | 0:137634ff4186 | 934 | now->day = lt.tm_mday; |
| ansond | 0:137634ff4186 | 935 | now->hour = lt.tm_hour; |
| ansond | 0:137634ff4186 | 936 | now->min = lt.tm_min; |
| ansond | 0:137634ff4186 | 937 | now->sec = lt.tm_sec; |
| ansond | 0:137634ff4186 | 938 | #endif /* _WIN32 && !EFIX64 && !EFI32 */ |
| ansond | 0:137634ff4186 | 939 | } |
| ansond | 0:137634ff4186 | 940 | |
| ansond | 0:137634ff4186 | 941 | /* |
| ansond | 0:137634ff4186 | 942 | * Return 0 if before <= after, 1 otherwise |
| ansond | 0:137634ff4186 | 943 | */ |
| ansond | 0:137634ff4186 | 944 | static int x509_check_time( const x509_time *before, const x509_time *after ) |
| ansond | 0:137634ff4186 | 945 | { |
| ansond | 0:137634ff4186 | 946 | if( before->year > after->year ) |
| ansond | 0:137634ff4186 | 947 | return( 1 ); |
| ansond | 0:137634ff4186 | 948 | |
| ansond | 0:137634ff4186 | 949 | if( before->year == after->year && |
| ansond | 0:137634ff4186 | 950 | before->mon > after->mon ) |
| ansond | 0:137634ff4186 | 951 | return( 1 ); |
| ansond | 0:137634ff4186 | 952 | |
| ansond | 0:137634ff4186 | 953 | if( before->year == after->year && |
| ansond | 0:137634ff4186 | 954 | before->mon == after->mon && |
| ansond | 0:137634ff4186 | 955 | before->day > after->day ) |
| ansond | 0:137634ff4186 | 956 | return( 1 ); |
| ansond | 0:137634ff4186 | 957 | |
| ansond | 0:137634ff4186 | 958 | if( before->year == after->year && |
| ansond | 0:137634ff4186 | 959 | before->mon == after->mon && |
| ansond | 0:137634ff4186 | 960 | before->day == after->day && |
| ansond | 0:137634ff4186 | 961 | before->hour > after->hour ) |
| ansond | 0:137634ff4186 | 962 | return( 1 ); |
| ansond | 0:137634ff4186 | 963 | |
| ansond | 0:137634ff4186 | 964 | if( before->year == after->year && |
| ansond | 0:137634ff4186 | 965 | before->mon == after->mon && |
| ansond | 0:137634ff4186 | 966 | before->day == after->day && |
| ansond | 0:137634ff4186 | 967 | before->hour == after->hour && |
| ansond | 0:137634ff4186 | 968 | before->min > after->min ) |
| ansond | 0:137634ff4186 | 969 | return( 1 ); |
| ansond | 0:137634ff4186 | 970 | |
| ansond | 0:137634ff4186 | 971 | if( before->year == after->year && |
| ansond | 0:137634ff4186 | 972 | before->mon == after->mon && |
| ansond | 0:137634ff4186 | 973 | before->day == after->day && |
| ansond | 0:137634ff4186 | 974 | before->hour == after->hour && |
| ansond | 0:137634ff4186 | 975 | before->min == after->min && |
| ansond | 0:137634ff4186 | 976 | before->sec > after->sec ) |
| ansond | 0:137634ff4186 | 977 | return( 1 ); |
| ansond | 0:137634ff4186 | 978 | |
| ansond | 0:137634ff4186 | 979 | return( 0 ); |
| ansond | 0:137634ff4186 | 980 | } |
| ansond | 0:137634ff4186 | 981 | |
| ansond | 0:137634ff4186 | 982 | int x509_time_expired( const x509_time *to ) |
| ansond | 0:137634ff4186 | 983 | { |
| ansond | 0:137634ff4186 | 984 | x509_time now; |
| ansond | 0:137634ff4186 | 985 | |
| ansond | 0:137634ff4186 | 986 | x509_get_current_time( &now ); |
| ansond | 0:137634ff4186 | 987 | |
| ansond | 0:137634ff4186 | 988 | return( x509_check_time( &now, to ) ); |
| ansond | 0:137634ff4186 | 989 | } |
| ansond | 0:137634ff4186 | 990 | |
| ansond | 0:137634ff4186 | 991 | int x509_time_future( const x509_time *from ) |
| ansond | 0:137634ff4186 | 992 | { |
| ansond | 0:137634ff4186 | 993 | x509_time now; |
| ansond | 0:137634ff4186 | 994 | |
| ansond | 0:137634ff4186 | 995 | x509_get_current_time( &now ); |
| ansond | 0:137634ff4186 | 996 | |
| ansond | 0:137634ff4186 | 997 | return( x509_check_time( from, &now ) ); |
| ansond | 0:137634ff4186 | 998 | } |
| ansond | 0:137634ff4186 | 999 | |
| ansond | 0:137634ff4186 | 1000 | #else /* POLARSSL_HAVE_TIME */ |
| ansond | 0:137634ff4186 | 1001 | |
| ansond | 0:137634ff4186 | 1002 | int x509_time_expired( const x509_time *to ) |
| ansond | 0:137634ff4186 | 1003 | { |
| ansond | 0:137634ff4186 | 1004 | ((void) to); |
| ansond | 0:137634ff4186 | 1005 | return( 0 ); |
| ansond | 0:137634ff4186 | 1006 | } |
| ansond | 0:137634ff4186 | 1007 | |
| ansond | 0:137634ff4186 | 1008 | int x509_time_future( const x509_time *from ) |
| ansond | 0:137634ff4186 | 1009 | { |
| ansond | 0:137634ff4186 | 1010 | ((void) from); |
| ansond | 0:137634ff4186 | 1011 | return( 0 ); |
| ansond | 0:137634ff4186 | 1012 | } |
| ansond | 0:137634ff4186 | 1013 | #endif /* POLARSSL_HAVE_TIME */ |
| ansond | 0:137634ff4186 | 1014 | |
| ansond | 0:137634ff4186 | 1015 | #if defined(POLARSSL_SELF_TEST) |
| ansond | 0:137634ff4186 | 1016 | |
| ansond | 0:137634ff4186 | 1017 | #include "polarssl/x509_crt.h" |
| ansond | 0:137634ff4186 | 1018 | #include "polarssl/certs.h" |
| ansond | 0:137634ff4186 | 1019 | |
| ansond | 0:137634ff4186 | 1020 | /* |
| ansond | 0:137634ff4186 | 1021 | * Checkup routine |
| ansond | 0:137634ff4186 | 1022 | */ |
| ansond | 0:137634ff4186 | 1023 | int x509_self_test( int verbose ) |
| ansond | 0:137634ff4186 | 1024 | { |
| ansond | 0:137634ff4186 | 1025 | #if defined(POLARSSL_CERTS_C) && defined(POLARSSL_SHA1_C) |
| ansond | 0:137634ff4186 | 1026 | int ret; |
| ansond | 0:137634ff4186 | 1027 | int flags; |
| ansond | 0:137634ff4186 | 1028 | x509_crt cacert; |
| ansond | 0:137634ff4186 | 1029 | x509_crt clicert; |
| ansond | 0:137634ff4186 | 1030 | |
| ansond | 0:137634ff4186 | 1031 | if( verbose != 0 ) |
| ansond | 0:137634ff4186 | 1032 | polarssl_printf( " X.509 certificate load: " ); |
| ansond | 0:137634ff4186 | 1033 | |
| ansond | 0:137634ff4186 | 1034 | x509_crt_init( &clicert ); |
| ansond | 0:137634ff4186 | 1035 | |
| ansond | 0:137634ff4186 | 1036 | ret = x509_crt_parse( &clicert, (const unsigned char *) test_cli_crt, |
| ansond | 0:137634ff4186 | 1037 | strlen( test_cli_crt ) ); |
| ansond | 0:137634ff4186 | 1038 | if( ret != 0 ) |
| ansond | 0:137634ff4186 | 1039 | { |
| ansond | 0:137634ff4186 | 1040 | if( verbose != 0 ) |
| ansond | 0:137634ff4186 | 1041 | polarssl_printf( "failed\n" ); |
| ansond | 0:137634ff4186 | 1042 | |
| ansond | 0:137634ff4186 | 1043 | return( ret ); |
| ansond | 0:137634ff4186 | 1044 | } |
| ansond | 0:137634ff4186 | 1045 | |
| ansond | 0:137634ff4186 | 1046 | x509_crt_init( &cacert ); |
| ansond | 0:137634ff4186 | 1047 | |
| ansond | 0:137634ff4186 | 1048 | ret = x509_crt_parse( &cacert, (const unsigned char *) test_ca_crt, |
| ansond | 0:137634ff4186 | 1049 | strlen( test_ca_crt ) ); |
| ansond | 0:137634ff4186 | 1050 | if( ret != 0 ) |
| ansond | 0:137634ff4186 | 1051 | { |
| ansond | 0:137634ff4186 | 1052 | if( verbose != 0 ) |
| ansond | 0:137634ff4186 | 1053 | polarssl_printf( "failed\n" ); |
| ansond | 0:137634ff4186 | 1054 | |
| ansond | 0:137634ff4186 | 1055 | return( ret ); |
| ansond | 0:137634ff4186 | 1056 | } |
| ansond | 0:137634ff4186 | 1057 | |
| ansond | 0:137634ff4186 | 1058 | if( verbose != 0 ) |
| ansond | 0:137634ff4186 | 1059 | polarssl_printf( "passed\n X.509 signature verify: "); |
| ansond | 0:137634ff4186 | 1060 | |
| ansond | 0:137634ff4186 | 1061 | ret = x509_crt_verify( &clicert, &cacert, NULL, NULL, &flags, NULL, NULL ); |
| ansond | 0:137634ff4186 | 1062 | if( ret != 0 ) |
| ansond | 0:137634ff4186 | 1063 | { |
| ansond | 0:137634ff4186 | 1064 | if( verbose != 0 ) |
| ansond | 0:137634ff4186 | 1065 | polarssl_printf( "failed\n" ); |
| ansond | 0:137634ff4186 | 1066 | |
| ansond | 0:137634ff4186 | 1067 | polarssl_printf( "ret = %d, &flags = %04x\n", ret, flags ); |
| ansond | 0:137634ff4186 | 1068 | |
| ansond | 0:137634ff4186 | 1069 | return( ret ); |
| ansond | 0:137634ff4186 | 1070 | } |
| ansond | 0:137634ff4186 | 1071 | |
| ansond | 0:137634ff4186 | 1072 | if( verbose != 0 ) |
| ansond | 0:137634ff4186 | 1073 | polarssl_printf( "passed\n\n"); |
| ansond | 0:137634ff4186 | 1074 | |
| ansond | 0:137634ff4186 | 1075 | x509_crt_free( &cacert ); |
| ansond | 0:137634ff4186 | 1076 | x509_crt_free( &clicert ); |
| ansond | 0:137634ff4186 | 1077 | |
| ansond | 0:137634ff4186 | 1078 | return( 0 ); |
| ansond | 0:137634ff4186 | 1079 | #else |
| ansond | 0:137634ff4186 | 1080 | ((void) verbose); |
| ansond | 0:137634ff4186 | 1081 | return( POLARSSL_ERR_X509_FEATURE_UNAVAILABLE ); |
| ansond | 0:137634ff4186 | 1082 | #endif /* POLARSSL_CERTS_C && POLARSSL_SHA1_C */ |
| ansond | 0:137634ff4186 | 1083 | } |
| ansond | 0:137634ff4186 | 1084 | |
| ansond | 0:137634ff4186 | 1085 | #endif /* POLARSSL_SELF_TEST */ |
| ansond | 0:137634ff4186 | 1086 | |
| ansond | 0:137634ff4186 | 1087 | #endif /* POLARSSL_X509_USE_C */ |
| ansond | 0:137634ff4186 | 1088 |