Simon Cooksey
Pinned to some recent date
features/mbedtls/src/x509_crt.c@0:fb7af294d5d9, 2016-11-17 (annotated)
- Committer:
- Simon Cooksey
- Date:
- Thu Nov 17 16:43:53 2016 +0000
- Revision:
- 0:fb7af294d5d9
Initial commit
Who changed what in which revision?
| User | Revision | Line number | New contents of line |
|---|---|---|---|
| Simon Cooksey |
0:fb7af294d5d9 | 1 | /* |
| Simon Cooksey |
0:fb7af294d5d9 | 2 | * X.509 certificate parsing and verification |
| Simon Cooksey |
0:fb7af294d5d9 | 3 | * |
| Simon Cooksey |
0:fb7af294d5d9 | 4 | * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved |
| Simon Cooksey |
0:fb7af294d5d9 | 5 | * SPDX-License-Identifier: Apache-2.0 |
| Simon Cooksey |
0:fb7af294d5d9 | 6 | * |
| Simon Cooksey |
0:fb7af294d5d9 | 7 | * Licensed under the Apache License, Version 2.0 (the "License"); you may |
| Simon Cooksey |
0:fb7af294d5d9 | 8 | * not use this file except in compliance with the License. |
| Simon Cooksey |
0:fb7af294d5d9 | 9 | * You may obtain a copy of the License at |
| Simon Cooksey |
0:fb7af294d5d9 | 10 | * |
| Simon Cooksey |
0:fb7af294d5d9 | 11 | * http://www.apache.org/licenses/LICENSE-2.0 |
| Simon Cooksey |
0:fb7af294d5d9 | 12 | * |
| Simon Cooksey |
0:fb7af294d5d9 | 13 | * Unless required by applicable law or agreed to in writing, software |
| Simon Cooksey |
0:fb7af294d5d9 | 14 | * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT |
| Simon Cooksey |
0:fb7af294d5d9 | 15 | * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| Simon Cooksey |
0:fb7af294d5d9 | 16 | * See the License for the specific language governing permissions and |
| Simon Cooksey |
0:fb7af294d5d9 | 17 | * limitations under the License. |
| Simon Cooksey |
0:fb7af294d5d9 | 18 | * |
| Simon Cooksey |
0:fb7af294d5d9 | 19 | * This file is part of mbed TLS (https://tls.mbed.org) |
| Simon Cooksey |
0:fb7af294d5d9 | 20 | */ |
| Simon Cooksey |
0:fb7af294d5d9 | 21 | /* |
| Simon Cooksey |
0:fb7af294d5d9 | 22 | * The ITU-T X.509 standard defines a certificate format for PKI. |
| Simon Cooksey |
0:fb7af294d5d9 | 23 | * |
| Simon Cooksey |
0:fb7af294d5d9 | 24 | * http://www.ietf.org/rfc/rfc5280.txt (Certificates and CRLs) |
| Simon Cooksey |
0:fb7af294d5d9 | 25 | * http://www.ietf.org/rfc/rfc3279.txt (Alg IDs for CRLs) |
| Simon Cooksey |
0:fb7af294d5d9 | 26 | * http://www.ietf.org/rfc/rfc2986.txt (CSRs, aka PKCS#10) |
| Simon Cooksey |
0:fb7af294d5d9 | 27 | * |
| Simon Cooksey |
0:fb7af294d5d9 | 28 | * http://www.itu.int/ITU-T/studygroups/com17/languages/X.680-0207.pdf |
| Simon Cooksey |
0:fb7af294d5d9 | 29 | * http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf |
| Simon Cooksey |
0:fb7af294d5d9 | 30 | */ |
| Simon Cooksey |
0:fb7af294d5d9 | 31 | |
| Simon Cooksey |
0:fb7af294d5d9 | 32 | #if !defined(MBEDTLS_CONFIG_FILE) |
| Simon Cooksey |
0:fb7af294d5d9 | 33 | #include "mbedtls/config.h" |
| Simon Cooksey |
0:fb7af294d5d9 | 34 | #else |
| Simon Cooksey |
0:fb7af294d5d9 | 35 | #include MBEDTLS_CONFIG_FILE |
| Simon Cooksey |
0:fb7af294d5d9 | 36 | #endif |
| Simon Cooksey |
0:fb7af294d5d9 | 37 | |
| Simon Cooksey |
0:fb7af294d5d9 | 38 | #if defined(MBEDTLS_X509_CRT_PARSE_C) |
| Simon Cooksey |
0:fb7af294d5d9 | 39 | |
| Simon Cooksey |
0:fb7af294d5d9 | 40 | #include "mbedtls/x509_crt.h" |
| Simon Cooksey |
0:fb7af294d5d9 | 41 | #include "mbedtls/oid.h" |
| Simon Cooksey |
0:fb7af294d5d9 | 42 | |
| Simon Cooksey |
0:fb7af294d5d9 | 43 | #include <stdio.h> |
| Simon Cooksey |
0:fb7af294d5d9 | 44 | #include <string.h> |
| Simon Cooksey |
0:fb7af294d5d9 | 45 | |
| Simon Cooksey |
0:fb7af294d5d9 | 46 | #if defined(MBEDTLS_PEM_PARSE_C) |
| Simon Cooksey |
0:fb7af294d5d9 | 47 | #include "mbedtls/pem.h" |
| Simon Cooksey |
0:fb7af294d5d9 | 48 | #endif |
| Simon Cooksey |
0:fb7af294d5d9 | 49 | |
| Simon Cooksey |
0:fb7af294d5d9 | 50 | #if defined(MBEDTLS_PLATFORM_C) |
| Simon Cooksey |
0:fb7af294d5d9 | 51 | #include "mbedtls/platform.h" |
| Simon Cooksey |
0:fb7af294d5d9 | 52 | #else |
| Simon Cooksey |
0:fb7af294d5d9 | 53 | #include <stdlib.h> |
| Simon Cooksey |
0:fb7af294d5d9 | 54 | #define mbedtls_free free |
| Simon Cooksey |
0:fb7af294d5d9 | 55 | #define mbedtls_calloc calloc |
| Simon Cooksey |
0:fb7af294d5d9 | 56 | #define mbedtls_snprintf snprintf |
| Simon Cooksey |
0:fb7af294d5d9 | 57 | #endif |
| Simon Cooksey |
0:fb7af294d5d9 | 58 | |
| Simon Cooksey |
0:fb7af294d5d9 | 59 | #if defined(MBEDTLS_THREADING_C) |
| Simon Cooksey |
0:fb7af294d5d9 | 60 | #include "mbedtls/threading.h" |
| Simon Cooksey |
0:fb7af294d5d9 | 61 | #endif |
| Simon Cooksey |
0:fb7af294d5d9 | 62 | |
| Simon Cooksey |
0:fb7af294d5d9 | 63 | #if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32) |
| Simon Cooksey |
0:fb7af294d5d9 | 64 | #include <windows.h> |
| Simon Cooksey |
0:fb7af294d5d9 | 65 | #else |
| Simon Cooksey |
0:fb7af294d5d9 | 66 | #include <time.h> |
| Simon Cooksey |
0:fb7af294d5d9 | 67 | #endif |
| Simon Cooksey |
0:fb7af294d5d9 | 68 | |
| Simon Cooksey |
0:fb7af294d5d9 | 69 | #if defined(MBEDTLS_FS_IO) |
| Simon Cooksey |
0:fb7af294d5d9 | 70 | #include <stdio.h> |
| Simon Cooksey |
0:fb7af294d5d9 | 71 | #if !defined(_WIN32) || defined(EFIX64) || defined(EFI32) |
| Simon Cooksey |
0:fb7af294d5d9 | 72 | #include <sys/types.h> |
| Simon Cooksey |
0:fb7af294d5d9 | 73 | #include <sys/stat.h> |
| Simon Cooksey |
0:fb7af294d5d9 | 74 | #include <dirent.h> |
| Simon Cooksey |
0:fb7af294d5d9 | 75 | #endif /* !_WIN32 || EFIX64 || EFI32 */ |
| Simon Cooksey |
0:fb7af294d5d9 | 76 | #endif |
| Simon Cooksey |
0:fb7af294d5d9 | 77 | |
| Simon Cooksey |
0:fb7af294d5d9 | 78 | /* Implementation that should never be optimized out by the compiler */ |
| Simon Cooksey |
0:fb7af294d5d9 | 79 | static void mbedtls_zeroize( void *v, size_t n ) { |
| Simon Cooksey |
0:fb7af294d5d9 | 80 | volatile unsigned char *p = v; while( n-- ) *p++ = 0; |
| Simon Cooksey |
0:fb7af294d5d9 | 81 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 82 | |
| Simon Cooksey |
0:fb7af294d5d9 | 83 | /* |
| Simon Cooksey |
0:fb7af294d5d9 | 84 | * Default profile |
| Simon Cooksey |
0:fb7af294d5d9 | 85 | */ |
| Simon Cooksey |
0:fb7af294d5d9 | 86 | const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_default = |
| Simon Cooksey |
0:fb7af294d5d9 | 87 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 88 | /* Hashes from SHA-1 and above */ |
| Simon Cooksey |
0:fb7af294d5d9 | 89 | MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA1 ) | |
| Simon Cooksey |
0:fb7af294d5d9 | 90 | MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_RIPEMD160 ) | |
| Simon Cooksey |
0:fb7af294d5d9 | 91 | MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA224 ) | |
| Simon Cooksey |
0:fb7af294d5d9 | 92 | MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA256 ) | |
| Simon Cooksey |
0:fb7af294d5d9 | 93 | MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA384 ) | |
| Simon Cooksey |
0:fb7af294d5d9 | 94 | MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA512 ), |
| Simon Cooksey |
0:fb7af294d5d9 | 95 | 0xFFFFFFF, /* Any PK alg */ |
| Simon Cooksey |
0:fb7af294d5d9 | 96 | 0xFFFFFFF, /* Any curve */ |
| Simon Cooksey |
0:fb7af294d5d9 | 97 | 2048, |
| Simon Cooksey |
0:fb7af294d5d9 | 98 | }; |
| Simon Cooksey |
0:fb7af294d5d9 | 99 | |
| Simon Cooksey |
0:fb7af294d5d9 | 100 | /* |
| Simon Cooksey |
0:fb7af294d5d9 | 101 | * Next-default profile |
| Simon Cooksey |
0:fb7af294d5d9 | 102 | */ |
| Simon Cooksey |
0:fb7af294d5d9 | 103 | const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_next = |
| Simon Cooksey |
0:fb7af294d5d9 | 104 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 105 | /* Hashes from SHA-256 and above */ |
| Simon Cooksey |
0:fb7af294d5d9 | 106 | MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA256 ) | |
| Simon Cooksey |
0:fb7af294d5d9 | 107 | MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA384 ) | |
| Simon Cooksey |
0:fb7af294d5d9 | 108 | MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA512 ), |
| Simon Cooksey |
0:fb7af294d5d9 | 109 | 0xFFFFFFF, /* Any PK alg */ |
| Simon Cooksey |
0:fb7af294d5d9 | 110 | #if defined(MBEDTLS_ECP_C) |
| Simon Cooksey |
0:fb7af294d5d9 | 111 | /* Curves at or above 128-bit security level */ |
| Simon Cooksey |
0:fb7af294d5d9 | 112 | MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_SECP256R1 ) | |
| Simon Cooksey |
0:fb7af294d5d9 | 113 | MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_SECP384R1 ) | |
| Simon Cooksey |
0:fb7af294d5d9 | 114 | MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_SECP521R1 ) | |
| Simon Cooksey |
0:fb7af294d5d9 | 115 | MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_BP256R1 ) | |
| Simon Cooksey |
0:fb7af294d5d9 | 116 | MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_BP384R1 ) | |
| Simon Cooksey |
0:fb7af294d5d9 | 117 | MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_BP512R1 ) | |
| Simon Cooksey |
0:fb7af294d5d9 | 118 | MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_SECP256K1 ), |
| Simon Cooksey |
0:fb7af294d5d9 | 119 | #else |
| Simon Cooksey |
0:fb7af294d5d9 | 120 | 0, |
| Simon Cooksey |
0:fb7af294d5d9 | 121 | #endif |
| Simon Cooksey |
0:fb7af294d5d9 | 122 | 2048, |
| Simon Cooksey |
0:fb7af294d5d9 | 123 | }; |
| Simon Cooksey |
0:fb7af294d5d9 | 124 | |
| Simon Cooksey |
0:fb7af294d5d9 | 125 | /* |
| Simon Cooksey |
0:fb7af294d5d9 | 126 | * NSA Suite B Profile |
| Simon Cooksey |
0:fb7af294d5d9 | 127 | */ |
| Simon Cooksey |
0:fb7af294d5d9 | 128 | const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_suiteb = |
| Simon Cooksey |
0:fb7af294d5d9 | 129 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 130 | /* Only SHA-256 and 384 */ |
| Simon Cooksey |
0:fb7af294d5d9 | 131 | MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA256 ) | |
| Simon Cooksey |
0:fb7af294d5d9 | 132 | MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA384 ), |
| Simon Cooksey |
0:fb7af294d5d9 | 133 | /* Only ECDSA */ |
| Simon Cooksey |
0:fb7af294d5d9 | 134 | MBEDTLS_X509_ID_FLAG( MBEDTLS_PK_ECDSA ), |
| Simon Cooksey |
0:fb7af294d5d9 | 135 | #if defined(MBEDTLS_ECP_C) |
| Simon Cooksey |
0:fb7af294d5d9 | 136 | /* Only NIST P-256 and P-384 */ |
| Simon Cooksey |
0:fb7af294d5d9 | 137 | MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_SECP256R1 ) | |
| Simon Cooksey |
0:fb7af294d5d9 | 138 | MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_SECP384R1 ), |
| Simon Cooksey |
0:fb7af294d5d9 | 139 | #else |
| Simon Cooksey |
0:fb7af294d5d9 | 140 | 0, |
| Simon Cooksey |
0:fb7af294d5d9 | 141 | #endif |
| Simon Cooksey |
0:fb7af294d5d9 | 142 | 0, |
| Simon Cooksey |
0:fb7af294d5d9 | 143 | }; |
| Simon Cooksey |
0:fb7af294d5d9 | 144 | |
| Simon Cooksey |
0:fb7af294d5d9 | 145 | /* |
| Simon Cooksey |
0:fb7af294d5d9 | 146 | * Check md_alg against profile |
| Simon Cooksey |
0:fb7af294d5d9 | 147 | * Return 0 if md_alg acceptable for this profile, -1 otherwise |
| Simon Cooksey |
0:fb7af294d5d9 | 148 | */ |
| Simon Cooksey |
0:fb7af294d5d9 | 149 | static int x509_profile_check_md_alg( const mbedtls_x509_crt_profile *profile, |
| Simon Cooksey |
0:fb7af294d5d9 | 150 | mbedtls_md_type_t md_alg ) |
| Simon Cooksey |
0:fb7af294d5d9 | 151 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 152 | if( ( profile->allowed_mds & MBEDTLS_X509_ID_FLAG( md_alg ) ) != 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 153 | return( 0 ); |
| Simon Cooksey |
0:fb7af294d5d9 | 154 | |
| Simon Cooksey |
0:fb7af294d5d9 | 155 | return( -1 ); |
| Simon Cooksey |
0:fb7af294d5d9 | 156 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 157 | |
| Simon Cooksey |
0:fb7af294d5d9 | 158 | /* |
| Simon Cooksey |
0:fb7af294d5d9 | 159 | * Check pk_alg against profile |
| Simon Cooksey |
0:fb7af294d5d9 | 160 | * Return 0 if pk_alg acceptable for this profile, -1 otherwise |
| Simon Cooksey |
0:fb7af294d5d9 | 161 | */ |
| Simon Cooksey |
0:fb7af294d5d9 | 162 | static int x509_profile_check_pk_alg( const mbedtls_x509_crt_profile *profile, |
| Simon Cooksey |
0:fb7af294d5d9 | 163 | mbedtls_pk_type_t pk_alg ) |
| Simon Cooksey |
0:fb7af294d5d9 | 164 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 165 | if( ( profile->allowed_pks & MBEDTLS_X509_ID_FLAG( pk_alg ) ) != 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 166 | return( 0 ); |
| Simon Cooksey |
0:fb7af294d5d9 | 167 | |
| Simon Cooksey |
0:fb7af294d5d9 | 168 | return( -1 ); |
| Simon Cooksey |
0:fb7af294d5d9 | 169 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 170 | |
| Simon Cooksey |
0:fb7af294d5d9 | 171 | /* |
| Simon Cooksey |
0:fb7af294d5d9 | 172 | * Check key against profile |
| Simon Cooksey |
0:fb7af294d5d9 | 173 | * Return 0 if pk_alg acceptable for this profile, -1 otherwise |
| Simon Cooksey |
0:fb7af294d5d9 | 174 | */ |
| Simon Cooksey |
0:fb7af294d5d9 | 175 | static int x509_profile_check_key( const mbedtls_x509_crt_profile *profile, |
| Simon Cooksey |
0:fb7af294d5d9 | 176 | mbedtls_pk_type_t pk_alg, |
| Simon Cooksey |
0:fb7af294d5d9 | 177 | const mbedtls_pk_context *pk ) |
| Simon Cooksey |
0:fb7af294d5d9 | 178 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 179 | #if defined(MBEDTLS_RSA_C) |
| Simon Cooksey |
0:fb7af294d5d9 | 180 | if( pk_alg == MBEDTLS_PK_RSA || pk_alg == MBEDTLS_PK_RSASSA_PSS ) |
| Simon Cooksey |
0:fb7af294d5d9 | 181 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 182 | if( mbedtls_pk_get_bitlen( pk ) >= profile->rsa_min_bitlen ) |
| Simon Cooksey |
0:fb7af294d5d9 | 183 | return( 0 ); |
| Simon Cooksey |
0:fb7af294d5d9 | 184 | |
| Simon Cooksey |
0:fb7af294d5d9 | 185 | return( -1 ); |
| Simon Cooksey |
0:fb7af294d5d9 | 186 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 187 | #endif |
| Simon Cooksey |
0:fb7af294d5d9 | 188 | |
| Simon Cooksey |
0:fb7af294d5d9 | 189 | #if defined(MBEDTLS_ECP_C) |
| Simon Cooksey |
0:fb7af294d5d9 | 190 | if( pk_alg == MBEDTLS_PK_ECDSA || |
| Simon Cooksey |
0:fb7af294d5d9 | 191 | pk_alg == MBEDTLS_PK_ECKEY || |
| Simon Cooksey |
0:fb7af294d5d9 | 192 | pk_alg == MBEDTLS_PK_ECKEY_DH ) |
| Simon Cooksey |
0:fb7af294d5d9 | 193 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 194 | mbedtls_ecp_group_id gid = mbedtls_pk_ec( *pk )->grp.id; |
| Simon Cooksey |
0:fb7af294d5d9 | 195 | |
| Simon Cooksey |
0:fb7af294d5d9 | 196 | if( ( profile->allowed_curves & MBEDTLS_X509_ID_FLAG( gid ) ) != 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 197 | return( 0 ); |
| Simon Cooksey |
0:fb7af294d5d9 | 198 | |
| Simon Cooksey |
0:fb7af294d5d9 | 199 | return( -1 ); |
| Simon Cooksey |
0:fb7af294d5d9 | 200 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 201 | #endif |
| Simon Cooksey |
0:fb7af294d5d9 | 202 | |
| Simon Cooksey |
0:fb7af294d5d9 | 203 | return( -1 ); |
| Simon Cooksey |
0:fb7af294d5d9 | 204 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 205 | |
| Simon Cooksey |
0:fb7af294d5d9 | 206 | /* |
| Simon Cooksey |
0:fb7af294d5d9 | 207 | * Version ::= INTEGER { v1(0), v2(1), v3(2) } |
| Simon Cooksey |
0:fb7af294d5d9 | 208 | */ |
| Simon Cooksey |
0:fb7af294d5d9 | 209 | static int x509_get_version( unsigned char **p, |
| Simon Cooksey |
0:fb7af294d5d9 | 210 | const unsigned char *end, |
| Simon Cooksey |
0:fb7af294d5d9 | 211 | int *ver ) |
| Simon Cooksey |
0:fb7af294d5d9 | 212 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 213 | int ret; |
| Simon Cooksey |
0:fb7af294d5d9 | 214 | size_t len; |
| Simon Cooksey |
0:fb7af294d5d9 | 215 | |
| Simon Cooksey |
0:fb7af294d5d9 | 216 | if( ( ret = mbedtls_asn1_get_tag( p, end, &len, |
| Simon Cooksey |
0:fb7af294d5d9 | 217 | MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | 0 ) ) != 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 218 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 219 | if( ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) |
| Simon Cooksey |
0:fb7af294d5d9 | 220 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 221 | *ver = 0; |
| Simon Cooksey |
0:fb7af294d5d9 | 222 | return( 0 ); |
| Simon Cooksey |
0:fb7af294d5d9 | 223 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 224 | |
| Simon Cooksey |
0:fb7af294d5d9 | 225 | return( ret ); |
| Simon Cooksey |
0:fb7af294d5d9 | 226 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 227 | |
| Simon Cooksey |
0:fb7af294d5d9 | 228 | end = *p + len; |
| Simon Cooksey |
0:fb7af294d5d9 | 229 | |
| Simon Cooksey |
0:fb7af294d5d9 | 230 | if( ( ret = mbedtls_asn1_get_int( p, end, ver ) ) != 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 231 | return( MBEDTLS_ERR_X509_INVALID_VERSION + ret ); |
| Simon Cooksey |
0:fb7af294d5d9 | 232 | |
| Simon Cooksey |
0:fb7af294d5d9 | 233 | if( *p != end ) |
| Simon Cooksey |
0:fb7af294d5d9 | 234 | return( MBEDTLS_ERR_X509_INVALID_VERSION + |
| Simon Cooksey |
0:fb7af294d5d9 | 235 | MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ); |
| Simon Cooksey |
0:fb7af294d5d9 | 236 | |
| Simon Cooksey |
0:fb7af294d5d9 | 237 | return( 0 ); |
| Simon Cooksey |
0:fb7af294d5d9 | 238 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 239 | |
| Simon Cooksey |
0:fb7af294d5d9 | 240 | /* |
| Simon Cooksey |
0:fb7af294d5d9 | 241 | * Validity ::= SEQUENCE { |
| Simon Cooksey |
0:fb7af294d5d9 | 242 | * notBefore Time, |
| Simon Cooksey |
0:fb7af294d5d9 | 243 | * notAfter Time } |
| Simon Cooksey |
0:fb7af294d5d9 | 244 | */ |
| Simon Cooksey |
0:fb7af294d5d9 | 245 | static int x509_get_dates( unsigned char **p, |
| Simon Cooksey |
0:fb7af294d5d9 | 246 | const unsigned char *end, |
| Simon Cooksey |
0:fb7af294d5d9 | 247 | mbedtls_x509_time *from, |
| Simon Cooksey |
0:fb7af294d5d9 | 248 | mbedtls_x509_time *to ) |
| Simon Cooksey |
0:fb7af294d5d9 | 249 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 250 | int ret; |
| Simon Cooksey |
0:fb7af294d5d9 | 251 | size_t len; |
| Simon Cooksey |
0:fb7af294d5d9 | 252 | |
| Simon Cooksey |
0:fb7af294d5d9 | 253 | if( ( ret = mbedtls_asn1_get_tag( p, end, &len, |
| Simon Cooksey |
0:fb7af294d5d9 | 254 | MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 255 | return( MBEDTLS_ERR_X509_INVALID_DATE + ret ); |
| Simon Cooksey |
0:fb7af294d5d9 | 256 | |
| Simon Cooksey |
0:fb7af294d5d9 | 257 | end = *p + len; |
| Simon Cooksey |
0:fb7af294d5d9 | 258 | |
| Simon Cooksey |
0:fb7af294d5d9 | 259 | if( ( ret = mbedtls_x509_get_time( p, end, from ) ) != 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 260 | return( ret ); |
| Simon Cooksey |
0:fb7af294d5d9 | 261 | |
| Simon Cooksey |
0:fb7af294d5d9 | 262 | if( ( ret = mbedtls_x509_get_time( p, end, to ) ) != 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 263 | return( ret ); |
| Simon Cooksey |
0:fb7af294d5d9 | 264 | |
| Simon Cooksey |
0:fb7af294d5d9 | 265 | if( *p != end ) |
| Simon Cooksey |
0:fb7af294d5d9 | 266 | return( MBEDTLS_ERR_X509_INVALID_DATE + |
| Simon Cooksey |
0:fb7af294d5d9 | 267 | MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ); |
| Simon Cooksey |
0:fb7af294d5d9 | 268 | |
| Simon Cooksey |
0:fb7af294d5d9 | 269 | return( 0 ); |
| Simon Cooksey |
0:fb7af294d5d9 | 270 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 271 | |
| Simon Cooksey |
0:fb7af294d5d9 | 272 | /* |
| Simon Cooksey |
0:fb7af294d5d9 | 273 | * X.509 v2/v3 unique identifier (not parsed) |
| Simon Cooksey |
0:fb7af294d5d9 | 274 | */ |
| Simon Cooksey |
0:fb7af294d5d9 | 275 | static int x509_get_uid( unsigned char **p, |
| Simon Cooksey |
0:fb7af294d5d9 | 276 | const unsigned char *end, |
| Simon Cooksey |
0:fb7af294d5d9 | 277 | mbedtls_x509_buf *uid, int n ) |
| Simon Cooksey |
0:fb7af294d5d9 | 278 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 279 | int ret; |
| Simon Cooksey |
0:fb7af294d5d9 | 280 | |
| Simon Cooksey |
0:fb7af294d5d9 | 281 | if( *p == end ) |
| Simon Cooksey |
0:fb7af294d5d9 | 282 | return( 0 ); |
| Simon Cooksey |
0:fb7af294d5d9 | 283 | |
| Simon Cooksey |
0:fb7af294d5d9 | 284 | uid->tag = **p; |
| Simon Cooksey |
0:fb7af294d5d9 | 285 | |
| Simon Cooksey |
0:fb7af294d5d9 | 286 | if( ( ret = mbedtls_asn1_get_tag( p, end, &uid->len, |
| Simon Cooksey |
0:fb7af294d5d9 | 287 | MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | n ) ) != 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 288 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 289 | if( ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) |
| Simon Cooksey |
0:fb7af294d5d9 | 290 | return( 0 ); |
| Simon Cooksey |
0:fb7af294d5d9 | 291 | |
| Simon Cooksey |
0:fb7af294d5d9 | 292 | return( ret ); |
| Simon Cooksey |
0:fb7af294d5d9 | 293 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 294 | |
| Simon Cooksey |
0:fb7af294d5d9 | 295 | uid->p = *p; |
| Simon Cooksey |
0:fb7af294d5d9 | 296 | *p += uid->len; |
| Simon Cooksey |
0:fb7af294d5d9 | 297 | |
| Simon Cooksey |
0:fb7af294d5d9 | 298 | return( 0 ); |
| Simon Cooksey |
0:fb7af294d5d9 | 299 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 300 | |
| Simon Cooksey |
0:fb7af294d5d9 | 301 | static int x509_get_basic_constraints( unsigned char **p, |
| Simon Cooksey |
0:fb7af294d5d9 | 302 | const unsigned char *end, |
| Simon Cooksey |
0:fb7af294d5d9 | 303 | int *ca_istrue, |
| Simon Cooksey |
0:fb7af294d5d9 | 304 | int *max_pathlen ) |
| Simon Cooksey |
0:fb7af294d5d9 | 305 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 306 | int ret; |
| Simon Cooksey |
0:fb7af294d5d9 | 307 | size_t len; |
| Simon Cooksey |
0:fb7af294d5d9 | 308 | |
| Simon Cooksey |
0:fb7af294d5d9 | 309 | /* |
| Simon Cooksey |
0:fb7af294d5d9 | 310 | * BasicConstraints ::= SEQUENCE { |
| Simon Cooksey |
0:fb7af294d5d9 | 311 | * cA BOOLEAN DEFAULT FALSE, |
| Simon Cooksey |
0:fb7af294d5d9 | 312 | * pathLenConstraint INTEGER (0..MAX) OPTIONAL } |
| Simon Cooksey |
0:fb7af294d5d9 | 313 | */ |
| Simon Cooksey |
0:fb7af294d5d9 | 314 | *ca_istrue = 0; /* DEFAULT FALSE */ |
| Simon Cooksey |
0:fb7af294d5d9 | 315 | *max_pathlen = 0; /* endless */ |
| Simon Cooksey |
0:fb7af294d5d9 | 316 | |
| Simon Cooksey |
0:fb7af294d5d9 | 317 | if( ( ret = mbedtls_asn1_get_tag( p, end, &len, |
| Simon Cooksey |
0:fb7af294d5d9 | 318 | MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 319 | return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret ); |
| Simon Cooksey |
0:fb7af294d5d9 | 320 | |
| Simon Cooksey |
0:fb7af294d5d9 | 321 | if( *p == end ) |
| Simon Cooksey |
0:fb7af294d5d9 | 322 | return( 0 ); |
| Simon Cooksey |
0:fb7af294d5d9 | 323 | |
| Simon Cooksey |
0:fb7af294d5d9 | 324 | if( ( ret = mbedtls_asn1_get_bool( p, end, ca_istrue ) ) != 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 325 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 326 | if( ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) |
| Simon Cooksey |
0:fb7af294d5d9 | 327 | ret = mbedtls_asn1_get_int( p, end, ca_istrue ); |
| Simon Cooksey |
0:fb7af294d5d9 | 328 | |
| Simon Cooksey |
0:fb7af294d5d9 | 329 | if( ret != 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 330 | return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret ); |
| Simon Cooksey |
0:fb7af294d5d9 | 331 | |
| Simon Cooksey |
0:fb7af294d5d9 | 332 | if( *ca_istrue != 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 333 | *ca_istrue = 1; |
| Simon Cooksey |
0:fb7af294d5d9 | 334 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 335 | |
| Simon Cooksey |
0:fb7af294d5d9 | 336 | if( *p == end ) |
| Simon Cooksey |
0:fb7af294d5d9 | 337 | return( 0 ); |
| Simon Cooksey |
0:fb7af294d5d9 | 338 | |
| Simon Cooksey |
0:fb7af294d5d9 | 339 | if( ( ret = mbedtls_asn1_get_int( p, end, max_pathlen ) ) != 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 340 | return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret ); |
| Simon Cooksey |
0:fb7af294d5d9 | 341 | |
| Simon Cooksey |
0:fb7af294d5d9 | 342 | if( *p != end ) |
| Simon Cooksey |
0:fb7af294d5d9 | 343 | return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + |
| Simon Cooksey |
0:fb7af294d5d9 | 344 | MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ); |
| Simon Cooksey |
0:fb7af294d5d9 | 345 | |
| Simon Cooksey |
0:fb7af294d5d9 | 346 | (*max_pathlen)++; |
| Simon Cooksey |
0:fb7af294d5d9 | 347 | |
| Simon Cooksey |
0:fb7af294d5d9 | 348 | return( 0 ); |
| Simon Cooksey |
0:fb7af294d5d9 | 349 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 350 | |
| Simon Cooksey |
0:fb7af294d5d9 | 351 | static int x509_get_ns_cert_type( unsigned char **p, |
| Simon Cooksey |
0:fb7af294d5d9 | 352 | const unsigned char *end, |
| Simon Cooksey |
0:fb7af294d5d9 | 353 | unsigned char *ns_cert_type) |
| Simon Cooksey |
0:fb7af294d5d9 | 354 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 355 | int ret; |
| Simon Cooksey |
0:fb7af294d5d9 | 356 | mbedtls_x509_bitstring bs = { 0, 0, NULL }; |
| Simon Cooksey |
0:fb7af294d5d9 | 357 | |
| Simon Cooksey |
0:fb7af294d5d9 | 358 | if( ( ret = mbedtls_asn1_get_bitstring( p, end, &bs ) ) != 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 359 | return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret ); |
| Simon Cooksey |
0:fb7af294d5d9 | 360 | |
| Simon Cooksey |
0:fb7af294d5d9 | 361 | if( bs.len != 1 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 362 | return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + |
| Simon Cooksey |
0:fb7af294d5d9 | 363 | MBEDTLS_ERR_ASN1_INVALID_LENGTH ); |
| Simon Cooksey |
0:fb7af294d5d9 | 364 | |
| Simon Cooksey |
0:fb7af294d5d9 | 365 | /* Get actual bitstring */ |
| Simon Cooksey |
0:fb7af294d5d9 | 366 | *ns_cert_type = *bs.p; |
| Simon Cooksey |
0:fb7af294d5d9 | 367 | return( 0 ); |
| Simon Cooksey |
0:fb7af294d5d9 | 368 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 369 | |
| Simon Cooksey |
0:fb7af294d5d9 | 370 | static int x509_get_key_usage( unsigned char **p, |
| Simon Cooksey |
0:fb7af294d5d9 | 371 | const unsigned char *end, |
| Simon Cooksey |
0:fb7af294d5d9 | 372 | unsigned int *key_usage) |
| Simon Cooksey |
0:fb7af294d5d9 | 373 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 374 | int ret; |
| Simon Cooksey |
0:fb7af294d5d9 | 375 | size_t i; |
| Simon Cooksey |
0:fb7af294d5d9 | 376 | mbedtls_x509_bitstring bs = { 0, 0, NULL }; |
| Simon Cooksey |
0:fb7af294d5d9 | 377 | |
| Simon Cooksey |
0:fb7af294d5d9 | 378 | if( ( ret = mbedtls_asn1_get_bitstring( p, end, &bs ) ) != 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 379 | return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret ); |
| Simon Cooksey |
0:fb7af294d5d9 | 380 | |
| Simon Cooksey |
0:fb7af294d5d9 | 381 | if( bs.len < 1 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 382 | return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + |
| Simon Cooksey |
0:fb7af294d5d9 | 383 | MBEDTLS_ERR_ASN1_INVALID_LENGTH ); |
| Simon Cooksey |
0:fb7af294d5d9 | 384 | |
| Simon Cooksey |
0:fb7af294d5d9 | 385 | /* Get actual bitstring */ |
| Simon Cooksey |
0:fb7af294d5d9 | 386 | *key_usage = 0; |
| Simon Cooksey |
0:fb7af294d5d9 | 387 | for( i = 0; i < bs.len && i < sizeof( unsigned int ); i++ ) |
| Simon Cooksey |
0:fb7af294d5d9 | 388 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 389 | *key_usage |= (unsigned int) bs.p[i] << (8*i); |
| Simon Cooksey |
0:fb7af294d5d9 | 390 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 391 | |
| Simon Cooksey |
0:fb7af294d5d9 | 392 | return( 0 ); |
| Simon Cooksey |
0:fb7af294d5d9 | 393 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 394 | |
| Simon Cooksey |
0:fb7af294d5d9 | 395 | /* |
| Simon Cooksey |
0:fb7af294d5d9 | 396 | * ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId |
| Simon Cooksey |
0:fb7af294d5d9 | 397 | * |
| Simon Cooksey |
0:fb7af294d5d9 | 398 | * KeyPurposeId ::= OBJECT IDENTIFIER |
| Simon Cooksey |
0:fb7af294d5d9 | 399 | */ |
| Simon Cooksey |
0:fb7af294d5d9 | 400 | static int x509_get_ext_key_usage( unsigned char **p, |
| Simon Cooksey |
0:fb7af294d5d9 | 401 | const unsigned char *end, |
| Simon Cooksey |
0:fb7af294d5d9 | 402 | mbedtls_x509_sequence *ext_key_usage) |
| Simon Cooksey |
0:fb7af294d5d9 | 403 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 404 | int ret; |
| Simon Cooksey |
0:fb7af294d5d9 | 405 | |
| Simon Cooksey |
0:fb7af294d5d9 | 406 | if( ( ret = mbedtls_asn1_get_sequence_of( p, end, ext_key_usage, MBEDTLS_ASN1_OID ) ) != 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 407 | return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret ); |
| Simon Cooksey |
0:fb7af294d5d9 | 408 | |
| Simon Cooksey |
0:fb7af294d5d9 | 409 | /* Sequence length must be >= 1 */ |
| Simon Cooksey |
0:fb7af294d5d9 | 410 | if( ext_key_usage->buf.p == NULL ) |
| Simon Cooksey |
0:fb7af294d5d9 | 411 | return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + |
| Simon Cooksey |
0:fb7af294d5d9 | 412 | MBEDTLS_ERR_ASN1_INVALID_LENGTH ); |
| Simon Cooksey |
0:fb7af294d5d9 | 413 | |
| Simon Cooksey |
0:fb7af294d5d9 | 414 | return( 0 ); |
| Simon Cooksey |
0:fb7af294d5d9 | 415 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 416 | |
| Simon Cooksey |
0:fb7af294d5d9 | 417 | /* |
| Simon Cooksey |
0:fb7af294d5d9 | 418 | * SubjectAltName ::= GeneralNames |
| Simon Cooksey |
0:fb7af294d5d9 | 419 | * |
| Simon Cooksey |
0:fb7af294d5d9 | 420 | * GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName |
| Simon Cooksey |
0:fb7af294d5d9 | 421 | * |
| Simon Cooksey |
0:fb7af294d5d9 | 422 | * GeneralName ::= CHOICE { |
| Simon Cooksey |
0:fb7af294d5d9 | 423 | * otherName [0] OtherName, |
| Simon Cooksey |
0:fb7af294d5d9 | 424 | * rfc822Name [1] IA5String, |
| Simon Cooksey |
0:fb7af294d5d9 | 425 | * dNSName [2] IA5String, |
| Simon Cooksey |
0:fb7af294d5d9 | 426 | * x400Address [3] ORAddress, |
| Simon Cooksey |
0:fb7af294d5d9 | 427 | * directoryName [4] Name, |
| Simon Cooksey |
0:fb7af294d5d9 | 428 | * ediPartyName [5] EDIPartyName, |
| Simon Cooksey |
0:fb7af294d5d9 | 429 | * uniformResourceIdentifier [6] IA5String, |
| Simon Cooksey |
0:fb7af294d5d9 | 430 | * iPAddress [7] OCTET STRING, |
| Simon Cooksey |
0:fb7af294d5d9 | 431 | * registeredID [8] OBJECT IDENTIFIER } |
| Simon Cooksey |
0:fb7af294d5d9 | 432 | * |
| Simon Cooksey |
0:fb7af294d5d9 | 433 | * OtherName ::= SEQUENCE { |
| Simon Cooksey |
0:fb7af294d5d9 | 434 | * type-id OBJECT IDENTIFIER, |
| Simon Cooksey |
0:fb7af294d5d9 | 435 | * value [0] EXPLICIT ANY DEFINED BY type-id } |
| Simon Cooksey |
0:fb7af294d5d9 | 436 | * |
| Simon Cooksey |
0:fb7af294d5d9 | 437 | * EDIPartyName ::= SEQUENCE { |
| Simon Cooksey |
0:fb7af294d5d9 | 438 | * nameAssigner [0] DirectoryString OPTIONAL, |
| Simon Cooksey |
0:fb7af294d5d9 | 439 | * partyName [1] DirectoryString } |
| Simon Cooksey |
0:fb7af294d5d9 | 440 | * |
| Simon Cooksey |
0:fb7af294d5d9 | 441 | * NOTE: we only parse and use dNSName at this point. |
| Simon Cooksey |
0:fb7af294d5d9 | 442 | */ |
| Simon Cooksey |
0:fb7af294d5d9 | 443 | static int x509_get_subject_alt_name( unsigned char **p, |
| Simon Cooksey |
0:fb7af294d5d9 | 444 | const unsigned char *end, |
| Simon Cooksey |
0:fb7af294d5d9 | 445 | mbedtls_x509_sequence *subject_alt_name ) |
| Simon Cooksey |
0:fb7af294d5d9 | 446 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 447 | int ret; |
| Simon Cooksey |
0:fb7af294d5d9 | 448 | size_t len, tag_len; |
| Simon Cooksey |
0:fb7af294d5d9 | 449 | mbedtls_asn1_buf *buf; |
| Simon Cooksey |
0:fb7af294d5d9 | 450 | unsigned char tag; |
| Simon Cooksey |
0:fb7af294d5d9 | 451 | mbedtls_asn1_sequence *cur = subject_alt_name; |
| Simon Cooksey |
0:fb7af294d5d9 | 452 | |
| Simon Cooksey |
0:fb7af294d5d9 | 453 | /* Get main sequence tag */ |
| Simon Cooksey |
0:fb7af294d5d9 | 454 | if( ( ret = mbedtls_asn1_get_tag( p, end, &len, |
| Simon Cooksey |
0:fb7af294d5d9 | 455 | MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 456 | return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret ); |
| Simon Cooksey |
0:fb7af294d5d9 | 457 | |
| Simon Cooksey |
0:fb7af294d5d9 | 458 | if( *p + len != end ) |
| Simon Cooksey |
0:fb7af294d5d9 | 459 | return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + |
| Simon Cooksey |
0:fb7af294d5d9 | 460 | MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ); |
| Simon Cooksey |
0:fb7af294d5d9 | 461 | |
| Simon Cooksey |
0:fb7af294d5d9 | 462 | while( *p < end ) |
| Simon Cooksey |
0:fb7af294d5d9 | 463 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 464 | if( ( end - *p ) < 1 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 465 | return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + |
| Simon Cooksey |
0:fb7af294d5d9 | 466 | MBEDTLS_ERR_ASN1_OUT_OF_DATA ); |
| Simon Cooksey |
0:fb7af294d5d9 | 467 | |
| Simon Cooksey |
0:fb7af294d5d9 | 468 | tag = **p; |
| Simon Cooksey |
0:fb7af294d5d9 | 469 | (*p)++; |
| Simon Cooksey |
0:fb7af294d5d9 | 470 | if( ( ret = mbedtls_asn1_get_len( p, end, &tag_len ) ) != 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 471 | return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret ); |
| Simon Cooksey |
0:fb7af294d5d9 | 472 | |
| Simon Cooksey |
0:fb7af294d5d9 | 473 | if( ( tag & MBEDTLS_ASN1_CONTEXT_SPECIFIC ) != MBEDTLS_ASN1_CONTEXT_SPECIFIC ) |
| Simon Cooksey |
0:fb7af294d5d9 | 474 | return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + |
| Simon Cooksey |
0:fb7af294d5d9 | 475 | MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ); |
| Simon Cooksey |
0:fb7af294d5d9 | 476 | |
| Simon Cooksey |
0:fb7af294d5d9 | 477 | /* Skip everything but DNS name */ |
| Simon Cooksey |
0:fb7af294d5d9 | 478 | if( tag != ( MBEDTLS_ASN1_CONTEXT_SPECIFIC | 2 ) ) |
| Simon Cooksey |
0:fb7af294d5d9 | 479 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 480 | *p += tag_len; |
| Simon Cooksey |
0:fb7af294d5d9 | 481 | continue; |
| Simon Cooksey |
0:fb7af294d5d9 | 482 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 483 | |
| Simon Cooksey |
0:fb7af294d5d9 | 484 | /* Allocate and assign next pointer */ |
| Simon Cooksey |
0:fb7af294d5d9 | 485 | if( cur->buf.p != NULL ) |
| Simon Cooksey |
0:fb7af294d5d9 | 486 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 487 | if( cur->next != NULL ) |
| Simon Cooksey |
0:fb7af294d5d9 | 488 | return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS ); |
| Simon Cooksey |
0:fb7af294d5d9 | 489 | |
| Simon Cooksey |
0:fb7af294d5d9 | 490 | cur->next = mbedtls_calloc( 1, sizeof( mbedtls_asn1_sequence ) ); |
| Simon Cooksey |
0:fb7af294d5d9 | 491 | |
| Simon Cooksey |
0:fb7af294d5d9 | 492 | if( cur->next == NULL ) |
| Simon Cooksey |
0:fb7af294d5d9 | 493 | return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + |
| Simon Cooksey |
0:fb7af294d5d9 | 494 | MBEDTLS_ERR_ASN1_ALLOC_FAILED ); |
| Simon Cooksey |
0:fb7af294d5d9 | 495 | |
| Simon Cooksey |
0:fb7af294d5d9 | 496 | cur = cur->next; |
| Simon Cooksey |
0:fb7af294d5d9 | 497 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 498 | |
| Simon Cooksey |
0:fb7af294d5d9 | 499 | buf = &(cur->buf); |
| Simon Cooksey |
0:fb7af294d5d9 | 500 | buf->tag = tag; |
| Simon Cooksey |
0:fb7af294d5d9 | 501 | buf->p = *p; |
| Simon Cooksey |
0:fb7af294d5d9 | 502 | buf->len = tag_len; |
| Simon Cooksey |
0:fb7af294d5d9 | 503 | *p += buf->len; |
| Simon Cooksey |
0:fb7af294d5d9 | 504 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 505 | |
| Simon Cooksey |
0:fb7af294d5d9 | 506 | /* Set final sequence entry's next pointer to NULL */ |
| Simon Cooksey |
0:fb7af294d5d9 | 507 | cur->next = NULL; |
| Simon Cooksey |
0:fb7af294d5d9 | 508 | |
| Simon Cooksey |
0:fb7af294d5d9 | 509 | if( *p != end ) |
| Simon Cooksey |
0:fb7af294d5d9 | 510 | return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + |
| Simon Cooksey |
0:fb7af294d5d9 | 511 | MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ); |
| Simon Cooksey |
0:fb7af294d5d9 | 512 | |
| Simon Cooksey |
0:fb7af294d5d9 | 513 | return( 0 ); |
| Simon Cooksey |
0:fb7af294d5d9 | 514 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 515 | |
| Simon Cooksey |
0:fb7af294d5d9 | 516 | /* |
| Simon Cooksey |
0:fb7af294d5d9 | 517 | * X.509 v3 extensions |
| Simon Cooksey |
0:fb7af294d5d9 | 518 | * |
| Simon Cooksey |
0:fb7af294d5d9 | 519 | */ |
| Simon Cooksey |
0:fb7af294d5d9 | 520 | static int x509_get_crt_ext( unsigned char **p, |
| Simon Cooksey |
0:fb7af294d5d9 | 521 | const unsigned char *end, |
| Simon Cooksey |
0:fb7af294d5d9 | 522 | mbedtls_x509_crt *crt ) |
| Simon Cooksey |
0:fb7af294d5d9 | 523 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 524 | int ret; |
| Simon Cooksey |
0:fb7af294d5d9 | 525 | size_t len; |
| Simon Cooksey |
0:fb7af294d5d9 | 526 | unsigned char *end_ext_data, *end_ext_octet; |
| Simon Cooksey |
0:fb7af294d5d9 | 527 | |
| Simon Cooksey |
0:fb7af294d5d9 | 528 | if( ( ret = mbedtls_x509_get_ext( p, end, &crt->v3_ext, 3 ) ) != 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 529 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 530 | if( ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) |
| Simon Cooksey |
0:fb7af294d5d9 | 531 | return( 0 ); |
| Simon Cooksey |
0:fb7af294d5d9 | 532 | |
| Simon Cooksey |
0:fb7af294d5d9 | 533 | return( ret ); |
| Simon Cooksey |
0:fb7af294d5d9 | 534 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 535 | |
| Simon Cooksey |
0:fb7af294d5d9 | 536 | while( *p < end ) |
| Simon Cooksey |
0:fb7af294d5d9 | 537 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 538 | /* |
| Simon Cooksey |
0:fb7af294d5d9 | 539 | * Extension ::= SEQUENCE { |
| Simon Cooksey |
0:fb7af294d5d9 | 540 | * extnID OBJECT IDENTIFIER, |
| Simon Cooksey |
0:fb7af294d5d9 | 541 | * critical BOOLEAN DEFAULT FALSE, |
| Simon Cooksey |
0:fb7af294d5d9 | 542 | * extnValue OCTET STRING } |
| Simon Cooksey |
0:fb7af294d5d9 | 543 | */ |
| Simon Cooksey |
0:fb7af294d5d9 | 544 | mbedtls_x509_buf extn_oid = {0, 0, NULL}; |
| Simon Cooksey |
0:fb7af294d5d9 | 545 | int is_critical = 0; /* DEFAULT FALSE */ |
| Simon Cooksey |
0:fb7af294d5d9 | 546 | int ext_type = 0; |
| Simon Cooksey |
0:fb7af294d5d9 | 547 | |
| Simon Cooksey |
0:fb7af294d5d9 | 548 | if( ( ret = mbedtls_asn1_get_tag( p, end, &len, |
| Simon Cooksey |
0:fb7af294d5d9 | 549 | MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 550 | return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret ); |
| Simon Cooksey |
0:fb7af294d5d9 | 551 | |
| Simon Cooksey |
0:fb7af294d5d9 | 552 | end_ext_data = *p + len; |
| Simon Cooksey |
0:fb7af294d5d9 | 553 | |
| Simon Cooksey |
0:fb7af294d5d9 | 554 | /* Get extension ID */ |
| Simon Cooksey |
0:fb7af294d5d9 | 555 | extn_oid.tag = **p; |
| Simon Cooksey |
0:fb7af294d5d9 | 556 | |
| Simon Cooksey |
0:fb7af294d5d9 | 557 | if( ( ret = mbedtls_asn1_get_tag( p, end, &extn_oid.len, MBEDTLS_ASN1_OID ) ) != 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 558 | return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret ); |
| Simon Cooksey |
0:fb7af294d5d9 | 559 | |
| Simon Cooksey |
0:fb7af294d5d9 | 560 | extn_oid.p = *p; |
| Simon Cooksey |
0:fb7af294d5d9 | 561 | *p += extn_oid.len; |
| Simon Cooksey |
0:fb7af294d5d9 | 562 | |
| Simon Cooksey |
0:fb7af294d5d9 | 563 | if( ( end - *p ) < 1 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 564 | return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + |
| Simon Cooksey |
0:fb7af294d5d9 | 565 | MBEDTLS_ERR_ASN1_OUT_OF_DATA ); |
| Simon Cooksey |
0:fb7af294d5d9 | 566 | |
| Simon Cooksey |
0:fb7af294d5d9 | 567 | /* Get optional critical */ |
| Simon Cooksey |
0:fb7af294d5d9 | 568 | if( ( ret = mbedtls_asn1_get_bool( p, end_ext_data, &is_critical ) ) != 0 && |
| Simon Cooksey |
0:fb7af294d5d9 | 569 | ( ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) ) |
| Simon Cooksey |
0:fb7af294d5d9 | 570 | return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret ); |
| Simon Cooksey |
0:fb7af294d5d9 | 571 | |
| Simon Cooksey |
0:fb7af294d5d9 | 572 | /* Data should be octet string type */ |
| Simon Cooksey |
0:fb7af294d5d9 | 573 | if( ( ret = mbedtls_asn1_get_tag( p, end_ext_data, &len, |
| Simon Cooksey |
0:fb7af294d5d9 | 574 | MBEDTLS_ASN1_OCTET_STRING ) ) != 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 575 | return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret ); |
| Simon Cooksey |
0:fb7af294d5d9 | 576 | |
| Simon Cooksey |
0:fb7af294d5d9 | 577 | end_ext_octet = *p + len; |
| Simon Cooksey |
0:fb7af294d5d9 | 578 | |
| Simon Cooksey |
0:fb7af294d5d9 | 579 | if( end_ext_octet != end_ext_data ) |
| Simon Cooksey |
0:fb7af294d5d9 | 580 | return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + |
| Simon Cooksey |
0:fb7af294d5d9 | 581 | MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ); |
| Simon Cooksey |
0:fb7af294d5d9 | 582 | |
| Simon Cooksey |
0:fb7af294d5d9 | 583 | /* |
| Simon Cooksey |
0:fb7af294d5d9 | 584 | * Detect supported extensions |
| Simon Cooksey |
0:fb7af294d5d9 | 585 | */ |
| Simon Cooksey |
0:fb7af294d5d9 | 586 | ret = mbedtls_oid_get_x509_ext_type( &extn_oid, &ext_type ); |
| Simon Cooksey |
0:fb7af294d5d9 | 587 | |
| Simon Cooksey |
0:fb7af294d5d9 | 588 | if( ret != 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 589 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 590 | /* No parser found, skip extension */ |
| Simon Cooksey |
0:fb7af294d5d9 | 591 | *p = end_ext_octet; |
| Simon Cooksey |
0:fb7af294d5d9 | 592 | |
| Simon Cooksey |
0:fb7af294d5d9 | 593 | #if !defined(MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION) |
| Simon Cooksey |
0:fb7af294d5d9 | 594 | if( is_critical ) |
| Simon Cooksey |
0:fb7af294d5d9 | 595 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 596 | /* Data is marked as critical: fail */ |
| Simon Cooksey |
0:fb7af294d5d9 | 597 | return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + |
| Simon Cooksey |
0:fb7af294d5d9 | 598 | MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ); |
| Simon Cooksey |
0:fb7af294d5d9 | 599 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 600 | #endif |
| Simon Cooksey |
0:fb7af294d5d9 | 601 | continue; |
| Simon Cooksey |
0:fb7af294d5d9 | 602 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 603 | |
| Simon Cooksey |
0:fb7af294d5d9 | 604 | /* Forbid repeated extensions */ |
| Simon Cooksey |
0:fb7af294d5d9 | 605 | if( ( crt->ext_types & ext_type ) != 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 606 | return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS ); |
| Simon Cooksey |
0:fb7af294d5d9 | 607 | |
| Simon Cooksey |
0:fb7af294d5d9 | 608 | crt->ext_types |= ext_type; |
| Simon Cooksey |
0:fb7af294d5d9 | 609 | |
| Simon Cooksey |
0:fb7af294d5d9 | 610 | switch( ext_type ) |
| Simon Cooksey |
0:fb7af294d5d9 | 611 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 612 | case MBEDTLS_X509_EXT_BASIC_CONSTRAINTS: |
| Simon Cooksey |
0:fb7af294d5d9 | 613 | /* Parse basic constraints */ |
| Simon Cooksey |
0:fb7af294d5d9 | 614 | if( ( ret = x509_get_basic_constraints( p, end_ext_octet, |
| Simon Cooksey |
0:fb7af294d5d9 | 615 | &crt->ca_istrue, &crt->max_pathlen ) ) != 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 616 | return( ret ); |
| Simon Cooksey |
0:fb7af294d5d9 | 617 | break; |
| Simon Cooksey |
0:fb7af294d5d9 | 618 | |
| Simon Cooksey |
0:fb7af294d5d9 | 619 | case MBEDTLS_X509_EXT_KEY_USAGE: |
| Simon Cooksey |
0:fb7af294d5d9 | 620 | /* Parse key usage */ |
| Simon Cooksey |
0:fb7af294d5d9 | 621 | if( ( ret = x509_get_key_usage( p, end_ext_octet, |
| Simon Cooksey |
0:fb7af294d5d9 | 622 | &crt->key_usage ) ) != 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 623 | return( ret ); |
| Simon Cooksey |
0:fb7af294d5d9 | 624 | break; |
| Simon Cooksey |
0:fb7af294d5d9 | 625 | |
| Simon Cooksey |
0:fb7af294d5d9 | 626 | case MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE: |
| Simon Cooksey |
0:fb7af294d5d9 | 627 | /* Parse extended key usage */ |
| Simon Cooksey |
0:fb7af294d5d9 | 628 | if( ( ret = x509_get_ext_key_usage( p, end_ext_octet, |
| Simon Cooksey |
0:fb7af294d5d9 | 629 | &crt->ext_key_usage ) ) != 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 630 | return( ret ); |
| Simon Cooksey |
0:fb7af294d5d9 | 631 | break; |
| Simon Cooksey |
0:fb7af294d5d9 | 632 | |
| Simon Cooksey |
0:fb7af294d5d9 | 633 | case MBEDTLS_X509_EXT_SUBJECT_ALT_NAME: |
| Simon Cooksey |
0:fb7af294d5d9 | 634 | /* Parse subject alt name */ |
| Simon Cooksey |
0:fb7af294d5d9 | 635 | if( ( ret = x509_get_subject_alt_name( p, end_ext_octet, |
| Simon Cooksey |
0:fb7af294d5d9 | 636 | &crt->subject_alt_names ) ) != 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 637 | return( ret ); |
| Simon Cooksey |
0:fb7af294d5d9 | 638 | break; |
| Simon Cooksey |
0:fb7af294d5d9 | 639 | |
| Simon Cooksey |
0:fb7af294d5d9 | 640 | case MBEDTLS_X509_EXT_NS_CERT_TYPE: |
| Simon Cooksey |
0:fb7af294d5d9 | 641 | /* Parse netscape certificate type */ |
| Simon Cooksey |
0:fb7af294d5d9 | 642 | if( ( ret = x509_get_ns_cert_type( p, end_ext_octet, |
| Simon Cooksey |
0:fb7af294d5d9 | 643 | &crt->ns_cert_type ) ) != 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 644 | return( ret ); |
| Simon Cooksey |
0:fb7af294d5d9 | 645 | break; |
| Simon Cooksey |
0:fb7af294d5d9 | 646 | |
| Simon Cooksey |
0:fb7af294d5d9 | 647 | default: |
| Simon Cooksey |
0:fb7af294d5d9 | 648 | return( MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE ); |
| Simon Cooksey |
0:fb7af294d5d9 | 649 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 650 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 651 | |
| Simon Cooksey |
0:fb7af294d5d9 | 652 | if( *p != end ) |
| Simon Cooksey |
0:fb7af294d5d9 | 653 | return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + |
| Simon Cooksey |
0:fb7af294d5d9 | 654 | MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ); |
| Simon Cooksey |
0:fb7af294d5d9 | 655 | |
| Simon Cooksey |
0:fb7af294d5d9 | 656 | return( 0 ); |
| Simon Cooksey |
0:fb7af294d5d9 | 657 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 658 | |
| Simon Cooksey |
0:fb7af294d5d9 | 659 | /* |
| Simon Cooksey |
0:fb7af294d5d9 | 660 | * Parse and fill a single X.509 certificate in DER format |
| Simon Cooksey |
0:fb7af294d5d9 | 661 | */ |
| Simon Cooksey |
0:fb7af294d5d9 | 662 | static int x509_crt_parse_der_core( mbedtls_x509_crt *crt, const unsigned char *buf, |
| Simon Cooksey |
0:fb7af294d5d9 | 663 | size_t buflen ) |
| Simon Cooksey |
0:fb7af294d5d9 | 664 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 665 | int ret; |
| Simon Cooksey |
0:fb7af294d5d9 | 666 | size_t len; |
| Simon Cooksey |
0:fb7af294d5d9 | 667 | unsigned char *p, *end, *crt_end; |
| Simon Cooksey |
0:fb7af294d5d9 | 668 | mbedtls_x509_buf sig_params1, sig_params2, sig_oid2; |
| Simon Cooksey |
0:fb7af294d5d9 | 669 | |
| Simon Cooksey |
0:fb7af294d5d9 | 670 | memset( &sig_params1, 0, sizeof( mbedtls_x509_buf ) ); |
| Simon Cooksey |
0:fb7af294d5d9 | 671 | memset( &sig_params2, 0, sizeof( mbedtls_x509_buf ) ); |
| Simon Cooksey |
0:fb7af294d5d9 | 672 | memset( &sig_oid2, 0, sizeof( mbedtls_x509_buf ) ); |
| Simon Cooksey |
0:fb7af294d5d9 | 673 | |
| Simon Cooksey |
0:fb7af294d5d9 | 674 | /* |
| Simon Cooksey |
0:fb7af294d5d9 | 675 | * Check for valid input |
| Simon Cooksey |
0:fb7af294d5d9 | 676 | */ |
| Simon Cooksey |
0:fb7af294d5d9 | 677 | if( crt == NULL || buf == NULL ) |
| Simon Cooksey |
0:fb7af294d5d9 | 678 | return( MBEDTLS_ERR_X509_BAD_INPUT_DATA ); |
| Simon Cooksey |
0:fb7af294d5d9 | 679 | |
| Simon Cooksey |
0:fb7af294d5d9 | 680 | // Use the original buffer until we figure out actual length |
| Simon Cooksey |
0:fb7af294d5d9 | 681 | p = (unsigned char*) buf; |
| Simon Cooksey |
0:fb7af294d5d9 | 682 | len = buflen; |
| Simon Cooksey |
0:fb7af294d5d9 | 683 | end = p + len; |
| Simon Cooksey |
0:fb7af294d5d9 | 684 | |
| Simon Cooksey |
0:fb7af294d5d9 | 685 | /* |
| Simon Cooksey |
0:fb7af294d5d9 | 686 | * Certificate ::= SEQUENCE { |
| Simon Cooksey |
0:fb7af294d5d9 | 687 | * tbsCertificate TBSCertificate, |
| Simon Cooksey |
0:fb7af294d5d9 | 688 | * signatureAlgorithm AlgorithmIdentifier, |
| Simon Cooksey |
0:fb7af294d5d9 | 689 | * signatureValue BIT STRING } |
| Simon Cooksey |
0:fb7af294d5d9 | 690 | */ |
| Simon Cooksey |
0:fb7af294d5d9 | 691 | if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, |
| Simon Cooksey |
0:fb7af294d5d9 | 692 | MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 693 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 694 | mbedtls_x509_crt_free( crt ); |
| Simon Cooksey |
0:fb7af294d5d9 | 695 | return( MBEDTLS_ERR_X509_INVALID_FORMAT ); |
| Simon Cooksey |
0:fb7af294d5d9 | 696 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 697 | |
| Simon Cooksey |
0:fb7af294d5d9 | 698 | if( len > (size_t) ( end - p ) ) |
| Simon Cooksey |
0:fb7af294d5d9 | 699 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 700 | mbedtls_x509_crt_free( crt ); |
| Simon Cooksey |
0:fb7af294d5d9 | 701 | return( MBEDTLS_ERR_X509_INVALID_FORMAT + |
| Simon Cooksey |
0:fb7af294d5d9 | 702 | MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ); |
| Simon Cooksey |
0:fb7af294d5d9 | 703 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 704 | crt_end = p + len; |
| Simon Cooksey |
0:fb7af294d5d9 | 705 | |
| Simon Cooksey |
0:fb7af294d5d9 | 706 | // Create and populate a new buffer for the raw field |
| Simon Cooksey |
0:fb7af294d5d9 | 707 | crt->raw.len = crt_end - buf; |
| Simon Cooksey |
0:fb7af294d5d9 | 708 | crt->raw.p = p = mbedtls_calloc( 1, crt->raw.len ); |
| Simon Cooksey |
0:fb7af294d5d9 | 709 | if( p == NULL ) |
| Simon Cooksey |
0:fb7af294d5d9 | 710 | return( MBEDTLS_ERR_X509_ALLOC_FAILED ); |
| Simon Cooksey |
0:fb7af294d5d9 | 711 | |
| Simon Cooksey |
0:fb7af294d5d9 | 712 | memcpy( p, buf, crt->raw.len ); |
| Simon Cooksey |
0:fb7af294d5d9 | 713 | |
| Simon Cooksey |
0:fb7af294d5d9 | 714 | // Direct pointers to the new buffer |
| Simon Cooksey |
0:fb7af294d5d9 | 715 | p += crt->raw.len - len; |
| Simon Cooksey |
0:fb7af294d5d9 | 716 | end = crt_end = p + len; |
| Simon Cooksey |
0:fb7af294d5d9 | 717 | |
| Simon Cooksey |
0:fb7af294d5d9 | 718 | /* |
| Simon Cooksey |
0:fb7af294d5d9 | 719 | * TBSCertificate ::= SEQUENCE { |
| Simon Cooksey |
0:fb7af294d5d9 | 720 | */ |
| Simon Cooksey |
0:fb7af294d5d9 | 721 | crt->tbs.p = p; |
| Simon Cooksey |
0:fb7af294d5d9 | 722 | |
| Simon Cooksey |
0:fb7af294d5d9 | 723 | if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, |
| Simon Cooksey |
0:fb7af294d5d9 | 724 | MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 725 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 726 | mbedtls_x509_crt_free( crt ); |
| Simon Cooksey |
0:fb7af294d5d9 | 727 | return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret ); |
| Simon Cooksey |
0:fb7af294d5d9 | 728 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 729 | |
| Simon Cooksey |
0:fb7af294d5d9 | 730 | end = p + len; |
| Simon Cooksey |
0:fb7af294d5d9 | 731 | crt->tbs.len = end - crt->tbs.p; |
| Simon Cooksey |
0:fb7af294d5d9 | 732 | |
| Simon Cooksey |
0:fb7af294d5d9 | 733 | /* |
| Simon Cooksey |
0:fb7af294d5d9 | 734 | * Version ::= INTEGER { v1(0), v2(1), v3(2) } |
| Simon Cooksey |
0:fb7af294d5d9 | 735 | * |
| Simon Cooksey |
0:fb7af294d5d9 | 736 | * CertificateSerialNumber ::= INTEGER |
| Simon Cooksey |
0:fb7af294d5d9 | 737 | * |
| Simon Cooksey |
0:fb7af294d5d9 | 738 | * signature AlgorithmIdentifier |
| Simon Cooksey |
0:fb7af294d5d9 | 739 | */ |
| Simon Cooksey |
0:fb7af294d5d9 | 740 | if( ( ret = x509_get_version( &p, end, &crt->version ) ) != 0 || |
| Simon Cooksey |
0:fb7af294d5d9 | 741 | ( ret = mbedtls_x509_get_serial( &p, end, &crt->serial ) ) != 0 || |
| Simon Cooksey |
0:fb7af294d5d9 | 742 | ( ret = mbedtls_x509_get_alg( &p, end, &crt->sig_oid, |
| Simon Cooksey |
0:fb7af294d5d9 | 743 | &sig_params1 ) ) != 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 744 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 745 | mbedtls_x509_crt_free( crt ); |
| Simon Cooksey |
0:fb7af294d5d9 | 746 | return( ret ); |
| Simon Cooksey |
0:fb7af294d5d9 | 747 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 748 | |
| Simon Cooksey |
0:fb7af294d5d9 | 749 | crt->version++; |
| Simon Cooksey |
0:fb7af294d5d9 | 750 | |
| Simon Cooksey |
0:fb7af294d5d9 | 751 | if( crt->version > 3 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 752 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 753 | mbedtls_x509_crt_free( crt ); |
| Simon Cooksey |
0:fb7af294d5d9 | 754 | return( MBEDTLS_ERR_X509_UNKNOWN_VERSION ); |
| Simon Cooksey |
0:fb7af294d5d9 | 755 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 756 | |
| Simon Cooksey |
0:fb7af294d5d9 | 757 | if( ( ret = mbedtls_x509_get_sig_alg( &crt->sig_oid, &sig_params1, |
| Simon Cooksey |
0:fb7af294d5d9 | 758 | &crt->sig_md, &crt->sig_pk, |
| Simon Cooksey |
0:fb7af294d5d9 | 759 | &crt->sig_opts ) ) != 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 760 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 761 | mbedtls_x509_crt_free( crt ); |
| Simon Cooksey |
0:fb7af294d5d9 | 762 | return( ret ); |
| Simon Cooksey |
0:fb7af294d5d9 | 763 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 764 | |
| Simon Cooksey |
0:fb7af294d5d9 | 765 | /* |
| Simon Cooksey |
0:fb7af294d5d9 | 766 | * issuer Name |
| Simon Cooksey |
0:fb7af294d5d9 | 767 | */ |
| Simon Cooksey |
0:fb7af294d5d9 | 768 | crt->issuer_raw.p = p; |
| Simon Cooksey |
0:fb7af294d5d9 | 769 | |
| Simon Cooksey |
0:fb7af294d5d9 | 770 | if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, |
| Simon Cooksey |
0:fb7af294d5d9 | 771 | MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 772 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 773 | mbedtls_x509_crt_free( crt ); |
| Simon Cooksey |
0:fb7af294d5d9 | 774 | return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret ); |
| Simon Cooksey |
0:fb7af294d5d9 | 775 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 776 | |
| Simon Cooksey |
0:fb7af294d5d9 | 777 | if( ( ret = mbedtls_x509_get_name( &p, p + len, &crt->issuer ) ) != 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 778 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 779 | mbedtls_x509_crt_free( crt ); |
| Simon Cooksey |
0:fb7af294d5d9 | 780 | return( ret ); |
| Simon Cooksey |
0:fb7af294d5d9 | 781 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 782 | |
| Simon Cooksey |
0:fb7af294d5d9 | 783 | crt->issuer_raw.len = p - crt->issuer_raw.p; |
| Simon Cooksey |
0:fb7af294d5d9 | 784 | |
| Simon Cooksey |
0:fb7af294d5d9 | 785 | /* |
| Simon Cooksey |
0:fb7af294d5d9 | 786 | * Validity ::= SEQUENCE { |
| Simon Cooksey |
0:fb7af294d5d9 | 787 | * notBefore Time, |
| Simon Cooksey |
0:fb7af294d5d9 | 788 | * notAfter Time } |
| Simon Cooksey |
0:fb7af294d5d9 | 789 | * |
| Simon Cooksey |
0:fb7af294d5d9 | 790 | */ |
| Simon Cooksey |
0:fb7af294d5d9 | 791 | if( ( ret = x509_get_dates( &p, end, &crt->valid_from, |
| Simon Cooksey |
0:fb7af294d5d9 | 792 | &crt->valid_to ) ) != 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 793 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 794 | mbedtls_x509_crt_free( crt ); |
| Simon Cooksey |
0:fb7af294d5d9 | 795 | return( ret ); |
| Simon Cooksey |
0:fb7af294d5d9 | 796 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 797 | |
| Simon Cooksey |
0:fb7af294d5d9 | 798 | /* |
| Simon Cooksey |
0:fb7af294d5d9 | 799 | * subject Name |
| Simon Cooksey |
0:fb7af294d5d9 | 800 | */ |
| Simon Cooksey |
0:fb7af294d5d9 | 801 | crt->subject_raw.p = p; |
| Simon Cooksey |
0:fb7af294d5d9 | 802 | |
| Simon Cooksey |
0:fb7af294d5d9 | 803 | if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, |
| Simon Cooksey |
0:fb7af294d5d9 | 804 | MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 805 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 806 | mbedtls_x509_crt_free( crt ); |
| Simon Cooksey |
0:fb7af294d5d9 | 807 | return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret ); |
| Simon Cooksey |
0:fb7af294d5d9 | 808 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 809 | |
| Simon Cooksey |
0:fb7af294d5d9 | 810 | if( len && ( ret = mbedtls_x509_get_name( &p, p + len, &crt->subject ) ) != 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 811 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 812 | mbedtls_x509_crt_free( crt ); |
| Simon Cooksey |
0:fb7af294d5d9 | 813 | return( ret ); |
| Simon Cooksey |
0:fb7af294d5d9 | 814 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 815 | |
| Simon Cooksey |
0:fb7af294d5d9 | 816 | crt->subject_raw.len = p - crt->subject_raw.p; |
| Simon Cooksey |
0:fb7af294d5d9 | 817 | |
| Simon Cooksey |
0:fb7af294d5d9 | 818 | /* |
| Simon Cooksey |
0:fb7af294d5d9 | 819 | * SubjectPublicKeyInfo |
| Simon Cooksey |
0:fb7af294d5d9 | 820 | */ |
| Simon Cooksey |
0:fb7af294d5d9 | 821 | if( ( ret = mbedtls_pk_parse_subpubkey( &p, end, &crt->pk ) ) != 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 822 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 823 | mbedtls_x509_crt_free( crt ); |
| Simon Cooksey |
0:fb7af294d5d9 | 824 | return( ret ); |
| Simon Cooksey |
0:fb7af294d5d9 | 825 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 826 | |
| Simon Cooksey |
0:fb7af294d5d9 | 827 | /* |
| Simon Cooksey |
0:fb7af294d5d9 | 828 | * issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL, |
| Simon Cooksey |
0:fb7af294d5d9 | 829 | * -- If present, version shall be v2 or v3 |
| Simon Cooksey |
0:fb7af294d5d9 | 830 | * subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL, |
| Simon Cooksey |
0:fb7af294d5d9 | 831 | * -- If present, version shall be v2 or v3 |
| Simon Cooksey |
0:fb7af294d5d9 | 832 | * extensions [3] EXPLICIT Extensions OPTIONAL |
| Simon Cooksey |
0:fb7af294d5d9 | 833 | * -- If present, version shall be v3 |
| Simon Cooksey |
0:fb7af294d5d9 | 834 | */ |
| Simon Cooksey |
0:fb7af294d5d9 | 835 | if( crt->version == 2 || crt->version == 3 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 836 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 837 | ret = x509_get_uid( &p, end, &crt->issuer_id, 1 ); |
| Simon Cooksey |
0:fb7af294d5d9 | 838 | if( ret != 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 839 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 840 | mbedtls_x509_crt_free( crt ); |
| Simon Cooksey |
0:fb7af294d5d9 | 841 | return( ret ); |
| Simon Cooksey |
0:fb7af294d5d9 | 842 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 843 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 844 | |
| Simon Cooksey |
0:fb7af294d5d9 | 845 | if( crt->version == 2 || crt->version == 3 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 846 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 847 | ret = x509_get_uid( &p, end, &crt->subject_id, 2 ); |
| Simon Cooksey |
0:fb7af294d5d9 | 848 | if( ret != 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 849 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 850 | mbedtls_x509_crt_free( crt ); |
| Simon Cooksey |
0:fb7af294d5d9 | 851 | return( ret ); |
| Simon Cooksey |
0:fb7af294d5d9 | 852 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 853 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 854 | |
| Simon Cooksey |
0:fb7af294d5d9 | 855 | #if !defined(MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3) |
| Simon Cooksey |
0:fb7af294d5d9 | 856 | if( crt->version == 3 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 857 | #endif |
| Simon Cooksey |
0:fb7af294d5d9 | 858 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 859 | ret = x509_get_crt_ext( &p, end, crt ); |
| Simon Cooksey |
0:fb7af294d5d9 | 860 | if( ret != 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 861 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 862 | mbedtls_x509_crt_free( crt ); |
| Simon Cooksey |
0:fb7af294d5d9 | 863 | return( ret ); |
| Simon Cooksey |
0:fb7af294d5d9 | 864 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 865 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 866 | |
| Simon Cooksey |
0:fb7af294d5d9 | 867 | if( p != end ) |
| Simon Cooksey |
0:fb7af294d5d9 | 868 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 869 | mbedtls_x509_crt_free( crt ); |
| Simon Cooksey |
0:fb7af294d5d9 | 870 | return( MBEDTLS_ERR_X509_INVALID_FORMAT + |
| Simon Cooksey |
0:fb7af294d5d9 | 871 | MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ); |
| Simon Cooksey |
0:fb7af294d5d9 | 872 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 873 | |
| Simon Cooksey |
0:fb7af294d5d9 | 874 | end = crt_end; |
| Simon Cooksey |
0:fb7af294d5d9 | 875 | |
| Simon Cooksey |
0:fb7af294d5d9 | 876 | /* |
| Simon Cooksey |
0:fb7af294d5d9 | 877 | * } |
| Simon Cooksey |
0:fb7af294d5d9 | 878 | * -- end of TBSCertificate |
| Simon Cooksey |
0:fb7af294d5d9 | 879 | * |
| Simon Cooksey |
0:fb7af294d5d9 | 880 | * signatureAlgorithm AlgorithmIdentifier, |
| Simon Cooksey |
0:fb7af294d5d9 | 881 | * signatureValue BIT STRING |
| Simon Cooksey |
0:fb7af294d5d9 | 882 | */ |
| Simon Cooksey |
0:fb7af294d5d9 | 883 | if( ( ret = mbedtls_x509_get_alg( &p, end, &sig_oid2, &sig_params2 ) ) != 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 884 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 885 | mbedtls_x509_crt_free( crt ); |
| Simon Cooksey |
0:fb7af294d5d9 | 886 | return( ret ); |
| Simon Cooksey |
0:fb7af294d5d9 | 887 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 888 | |
| Simon Cooksey |
0:fb7af294d5d9 | 889 | if( crt->sig_oid.len != sig_oid2.len || |
| Simon Cooksey |
0:fb7af294d5d9 | 890 | memcmp( crt->sig_oid.p, sig_oid2.p, crt->sig_oid.len ) != 0 || |
| Simon Cooksey |
0:fb7af294d5d9 | 891 | sig_params1.len != sig_params2.len || |
| Simon Cooksey |
0:fb7af294d5d9 | 892 | ( sig_params1.len != 0 && |
| Simon Cooksey |
0:fb7af294d5d9 | 893 | memcmp( sig_params1.p, sig_params2.p, sig_params1.len ) != 0 ) ) |
| Simon Cooksey |
0:fb7af294d5d9 | 894 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 895 | mbedtls_x509_crt_free( crt ); |
| Simon Cooksey |
0:fb7af294d5d9 | 896 | return( MBEDTLS_ERR_X509_SIG_MISMATCH ); |
| Simon Cooksey |
0:fb7af294d5d9 | 897 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 898 | |
| Simon Cooksey |
0:fb7af294d5d9 | 899 | if( ( ret = mbedtls_x509_get_sig( &p, end, &crt->sig ) ) != 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 900 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 901 | mbedtls_x509_crt_free( crt ); |
| Simon Cooksey |
0:fb7af294d5d9 | 902 | return( ret ); |
| Simon Cooksey |
0:fb7af294d5d9 | 903 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 904 | |
| Simon Cooksey |
0:fb7af294d5d9 | 905 | if( p != end ) |
| Simon Cooksey |
0:fb7af294d5d9 | 906 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 907 | mbedtls_x509_crt_free( crt ); |
| Simon Cooksey |
0:fb7af294d5d9 | 908 | return( MBEDTLS_ERR_X509_INVALID_FORMAT + |
| Simon Cooksey |
0:fb7af294d5d9 | 909 | MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ); |
| Simon Cooksey |
0:fb7af294d5d9 | 910 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 911 | |
| Simon Cooksey |
0:fb7af294d5d9 | 912 | return( 0 ); |
| Simon Cooksey |
0:fb7af294d5d9 | 913 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 914 | |
| Simon Cooksey |
0:fb7af294d5d9 | 915 | /* |
| Simon Cooksey |
0:fb7af294d5d9 | 916 | * Parse one X.509 certificate in DER format from a buffer and add them to a |
| Simon Cooksey |
0:fb7af294d5d9 | 917 | * chained list |
| Simon Cooksey |
0:fb7af294d5d9 | 918 | */ |
| Simon Cooksey |
0:fb7af294d5d9 | 919 | int mbedtls_x509_crt_parse_der( mbedtls_x509_crt *chain, const unsigned char *buf, |
| Simon Cooksey |
0:fb7af294d5d9 | 920 | size_t buflen ) |
| Simon Cooksey |
0:fb7af294d5d9 | 921 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 922 | int ret; |
| Simon Cooksey |
0:fb7af294d5d9 | 923 | mbedtls_x509_crt *crt = chain, *prev = NULL; |
| Simon Cooksey |
0:fb7af294d5d9 | 924 | |
| Simon Cooksey |
0:fb7af294d5d9 | 925 | /* |
| Simon Cooksey |
0:fb7af294d5d9 | 926 | * Check for valid input |
| Simon Cooksey |
0:fb7af294d5d9 | 927 | */ |
| Simon Cooksey |
0:fb7af294d5d9 | 928 | if( crt == NULL || buf == NULL ) |
| Simon Cooksey |
0:fb7af294d5d9 | 929 | return( MBEDTLS_ERR_X509_BAD_INPUT_DATA ); |
| Simon Cooksey |
0:fb7af294d5d9 | 930 | |
| Simon Cooksey |
0:fb7af294d5d9 | 931 | while( crt->version != 0 && crt->next != NULL ) |
| Simon Cooksey |
0:fb7af294d5d9 | 932 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 933 | prev = crt; |
| Simon Cooksey |
0:fb7af294d5d9 | 934 | crt = crt->next; |
| Simon Cooksey |
0:fb7af294d5d9 | 935 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 936 | |
| Simon Cooksey |
0:fb7af294d5d9 | 937 | /* |
| Simon Cooksey |
0:fb7af294d5d9 | 938 | * Add new certificate on the end of the chain if needed. |
| Simon Cooksey |
0:fb7af294d5d9 | 939 | */ |
| Simon Cooksey |
0:fb7af294d5d9 | 940 | if( crt->version != 0 && crt->next == NULL ) |
| Simon Cooksey |
0:fb7af294d5d9 | 941 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 942 | crt->next = mbedtls_calloc( 1, sizeof( mbedtls_x509_crt ) ); |
| Simon Cooksey |
0:fb7af294d5d9 | 943 | |
| Simon Cooksey |
0:fb7af294d5d9 | 944 | if( crt->next == NULL ) |
| Simon Cooksey |
0:fb7af294d5d9 | 945 | return( MBEDTLS_ERR_X509_ALLOC_FAILED ); |
| Simon Cooksey |
0:fb7af294d5d9 | 946 | |
| Simon Cooksey |
0:fb7af294d5d9 | 947 | prev = crt; |
| Simon Cooksey |
0:fb7af294d5d9 | 948 | mbedtls_x509_crt_init( crt->next ); |
| Simon Cooksey |
0:fb7af294d5d9 | 949 | crt = crt->next; |
| Simon Cooksey |
0:fb7af294d5d9 | 950 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 951 | |
| Simon Cooksey |
0:fb7af294d5d9 | 952 | if( ( ret = x509_crt_parse_der_core( crt, buf, buflen ) ) != 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 953 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 954 | if( prev ) |
| Simon Cooksey |
0:fb7af294d5d9 | 955 | prev->next = NULL; |
| Simon Cooksey |
0:fb7af294d5d9 | 956 | |
| Simon Cooksey |
0:fb7af294d5d9 | 957 | if( crt != chain ) |
| Simon Cooksey |
0:fb7af294d5d9 | 958 | mbedtls_free( crt ); |
| Simon Cooksey |
0:fb7af294d5d9 | 959 | |
| Simon Cooksey |
0:fb7af294d5d9 | 960 | return( ret ); |
| Simon Cooksey |
0:fb7af294d5d9 | 961 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 962 | |
| Simon Cooksey |
0:fb7af294d5d9 | 963 | return( 0 ); |
| Simon Cooksey |
0:fb7af294d5d9 | 964 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 965 | |
| Simon Cooksey |
0:fb7af294d5d9 | 966 | /* |
| Simon Cooksey |
0:fb7af294d5d9 | 967 | * Parse one or more PEM certificates from a buffer and add them to the chained |
| Simon Cooksey |
0:fb7af294d5d9 | 968 | * list |
| Simon Cooksey |
0:fb7af294d5d9 | 969 | */ |
| Simon Cooksey |
0:fb7af294d5d9 | 970 | int mbedtls_x509_crt_parse( mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen ) |
| Simon Cooksey |
0:fb7af294d5d9 | 971 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 972 | int success = 0, first_error = 0, total_failed = 0; |
| Simon Cooksey |
0:fb7af294d5d9 | 973 | #if defined(MBEDTLS_PEM_PARSE_C) |
| Simon Cooksey |
0:fb7af294d5d9 | 974 | int buf_format = MBEDTLS_X509_FORMAT_DER; |
| Simon Cooksey |
0:fb7af294d5d9 | 975 | #endif |
| Simon Cooksey |
0:fb7af294d5d9 | 976 | |
| Simon Cooksey |
0:fb7af294d5d9 | 977 | /* |
| Simon Cooksey |
0:fb7af294d5d9 | 978 | * Check for valid input |
| Simon Cooksey |
0:fb7af294d5d9 | 979 | */ |
| Simon Cooksey |
0:fb7af294d5d9 | 980 | if( chain == NULL || buf == NULL ) |
| Simon Cooksey |
0:fb7af294d5d9 | 981 | return( MBEDTLS_ERR_X509_BAD_INPUT_DATA ); |
| Simon Cooksey |
0:fb7af294d5d9 | 982 | |
| Simon Cooksey |
0:fb7af294d5d9 | 983 | /* |
| Simon Cooksey |
0:fb7af294d5d9 | 984 | * Determine buffer content. Buffer contains either one DER certificate or |
| Simon Cooksey |
0:fb7af294d5d9 | 985 | * one or more PEM certificates. |
| Simon Cooksey |
0:fb7af294d5d9 | 986 | */ |
| Simon Cooksey |
0:fb7af294d5d9 | 987 | #if defined(MBEDTLS_PEM_PARSE_C) |
| Simon Cooksey |
0:fb7af294d5d9 | 988 | if( buflen != 0 && buf[buflen - 1] == '\0' && |
| Simon Cooksey |
0:fb7af294d5d9 | 989 | strstr( (const char *) buf, "-----BEGIN CERTIFICATE-----" ) != NULL ) |
| Simon Cooksey |
0:fb7af294d5d9 | 990 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 991 | buf_format = MBEDTLS_X509_FORMAT_PEM; |
| Simon Cooksey |
0:fb7af294d5d9 | 992 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 993 | |
| Simon Cooksey |
0:fb7af294d5d9 | 994 | if( buf_format == MBEDTLS_X509_FORMAT_DER ) |
| Simon Cooksey |
0:fb7af294d5d9 | 995 | return mbedtls_x509_crt_parse_der( chain, buf, buflen ); |
| Simon Cooksey |
0:fb7af294d5d9 | 996 | #else |
| Simon Cooksey |
0:fb7af294d5d9 | 997 | return mbedtls_x509_crt_parse_der( chain, buf, buflen ); |
| Simon Cooksey |
0:fb7af294d5d9 | 998 | #endif |
| Simon Cooksey |
0:fb7af294d5d9 | 999 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1000 | #if defined(MBEDTLS_PEM_PARSE_C) |
| Simon Cooksey |
0:fb7af294d5d9 | 1001 | if( buf_format == MBEDTLS_X509_FORMAT_PEM ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1002 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 1003 | int ret; |
| Simon Cooksey |
0:fb7af294d5d9 | 1004 | mbedtls_pem_context pem; |
| Simon Cooksey |
0:fb7af294d5d9 | 1005 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1006 | /* 1 rather than 0 since the terminating NULL byte is counted in */ |
| Simon Cooksey |
0:fb7af294d5d9 | 1007 | while( buflen > 1 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1008 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 1009 | size_t use_len; |
| Simon Cooksey |
0:fb7af294d5d9 | 1010 | mbedtls_pem_init( &pem ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1011 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1012 | /* If we get there, we know the string is null-terminated */ |
| Simon Cooksey |
0:fb7af294d5d9 | 1013 | ret = mbedtls_pem_read_buffer( &pem, |
| Simon Cooksey |
0:fb7af294d5d9 | 1014 | "-----BEGIN CERTIFICATE-----", |
| Simon Cooksey |
0:fb7af294d5d9 | 1015 | "-----END CERTIFICATE-----", |
| Simon Cooksey |
0:fb7af294d5d9 | 1016 | buf, NULL, 0, &use_len ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1017 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1018 | if( ret == 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1019 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 1020 | /* |
| Simon Cooksey |
0:fb7af294d5d9 | 1021 | * Was PEM encoded |
| Simon Cooksey |
0:fb7af294d5d9 | 1022 | */ |
| Simon Cooksey |
0:fb7af294d5d9 | 1023 | buflen -= use_len; |
| Simon Cooksey |
0:fb7af294d5d9 | 1024 | buf += use_len; |
| Simon Cooksey |
0:fb7af294d5d9 | 1025 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 1026 | else if( ret == MBEDTLS_ERR_PEM_BAD_INPUT_DATA ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1027 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 1028 | return( ret ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1029 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 1030 | else if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1031 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 1032 | mbedtls_pem_free( &pem ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1033 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1034 | /* |
| Simon Cooksey |
0:fb7af294d5d9 | 1035 | * PEM header and footer were found |
| Simon Cooksey |
0:fb7af294d5d9 | 1036 | */ |
| Simon Cooksey |
0:fb7af294d5d9 | 1037 | buflen -= use_len; |
| Simon Cooksey |
0:fb7af294d5d9 | 1038 | buf += use_len; |
| Simon Cooksey |
0:fb7af294d5d9 | 1039 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1040 | if( first_error == 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1041 | first_error = ret; |
| Simon Cooksey |
0:fb7af294d5d9 | 1042 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1043 | total_failed++; |
| Simon Cooksey |
0:fb7af294d5d9 | 1044 | continue; |
| Simon Cooksey |
0:fb7af294d5d9 | 1045 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 1046 | else |
| Simon Cooksey |
0:fb7af294d5d9 | 1047 | break; |
| Simon Cooksey |
0:fb7af294d5d9 | 1048 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1049 | ret = mbedtls_x509_crt_parse_der( chain, pem.buf, pem.buflen ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1050 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1051 | mbedtls_pem_free( &pem ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1052 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1053 | if( ret != 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1054 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 1055 | /* |
| Simon Cooksey |
0:fb7af294d5d9 | 1056 | * Quit parsing on a memory error |
| Simon Cooksey |
0:fb7af294d5d9 | 1057 | */ |
| Simon Cooksey |
0:fb7af294d5d9 | 1058 | if( ret == MBEDTLS_ERR_X509_ALLOC_FAILED ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1059 | return( ret ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1060 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1061 | if( first_error == 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1062 | first_error = ret; |
| Simon Cooksey |
0:fb7af294d5d9 | 1063 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1064 | total_failed++; |
| Simon Cooksey |
0:fb7af294d5d9 | 1065 | continue; |
| Simon Cooksey |
0:fb7af294d5d9 | 1066 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 1067 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1068 | success = 1; |
| Simon Cooksey |
0:fb7af294d5d9 | 1069 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 1070 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 1071 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1072 | if( success ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1073 | return( total_failed ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1074 | else if( first_error ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1075 | return( first_error ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1076 | else |
| Simon Cooksey |
0:fb7af294d5d9 | 1077 | return( MBEDTLS_ERR_X509_CERT_UNKNOWN_FORMAT ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1078 | #endif /* MBEDTLS_PEM_PARSE_C */ |
| Simon Cooksey |
0:fb7af294d5d9 | 1079 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 1080 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1081 | #if defined(MBEDTLS_FS_IO) |
| Simon Cooksey |
0:fb7af294d5d9 | 1082 | /* |
| Simon Cooksey |
0:fb7af294d5d9 | 1083 | * Load one or more certificates and add them to the chained list |
| Simon Cooksey |
0:fb7af294d5d9 | 1084 | */ |
| Simon Cooksey |
0:fb7af294d5d9 | 1085 | int mbedtls_x509_crt_parse_file( mbedtls_x509_crt *chain, const char *path ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1086 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 1087 | int ret; |
| Simon Cooksey |
0:fb7af294d5d9 | 1088 | size_t n; |
| Simon Cooksey |
0:fb7af294d5d9 | 1089 | unsigned char *buf; |
| Simon Cooksey |
0:fb7af294d5d9 | 1090 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1091 | if( ( ret = mbedtls_pk_load_file( path, &buf, &n ) ) != 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1092 | return( ret ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1093 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1094 | ret = mbedtls_x509_crt_parse( chain, buf, n ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1095 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1096 | mbedtls_zeroize( buf, n ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1097 | mbedtls_free( buf ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1098 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1099 | return( ret ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1100 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 1101 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1102 | int mbedtls_x509_crt_parse_path( mbedtls_x509_crt *chain, const char *path ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1103 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 1104 | int ret = 0; |
| Simon Cooksey |
0:fb7af294d5d9 | 1105 | #if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32) |
| Simon Cooksey |
0:fb7af294d5d9 | 1106 | int w_ret; |
| Simon Cooksey |
0:fb7af294d5d9 | 1107 | WCHAR szDir[MAX_PATH]; |
| Simon Cooksey |
0:fb7af294d5d9 | 1108 | char filename[MAX_PATH]; |
| Simon Cooksey |
0:fb7af294d5d9 | 1109 | char *p; |
| Simon Cooksey |
0:fb7af294d5d9 | 1110 | size_t len = strlen( path ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1111 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1112 | WIN32_FIND_DATAW file_data; |
| Simon Cooksey |
0:fb7af294d5d9 | 1113 | HANDLE hFind; |
| Simon Cooksey |
0:fb7af294d5d9 | 1114 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1115 | if( len > MAX_PATH - 3 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1116 | return( MBEDTLS_ERR_X509_BAD_INPUT_DATA ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1117 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1118 | memset( szDir, 0, sizeof(szDir) ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1119 | memset( filename, 0, MAX_PATH ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1120 | memcpy( filename, path, len ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1121 | filename[len++] = '\\'; |
| Simon Cooksey |
0:fb7af294d5d9 | 1122 | p = filename + len; |
| Simon Cooksey |
0:fb7af294d5d9 | 1123 | filename[len++] = '*'; |
| Simon Cooksey |
0:fb7af294d5d9 | 1124 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1125 | w_ret = MultiByteToWideChar( CP_ACP, 0, filename, len, szDir, |
| Simon Cooksey |
0:fb7af294d5d9 | 1126 | MAX_PATH - 3 ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1127 | if( w_ret == 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1128 | return( MBEDTLS_ERR_X509_BAD_INPUT_DATA ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1129 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1130 | hFind = FindFirstFileW( szDir, &file_data ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1131 | if( hFind == INVALID_HANDLE_VALUE ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1132 | return( MBEDTLS_ERR_X509_FILE_IO_ERROR ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1133 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1134 | len = MAX_PATH - len; |
| Simon Cooksey |
0:fb7af294d5d9 | 1135 | do |
| Simon Cooksey |
0:fb7af294d5d9 | 1136 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 1137 | memset( p, 0, len ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1138 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1139 | if( file_data.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1140 | continue; |
| Simon Cooksey |
0:fb7af294d5d9 | 1141 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1142 | w_ret = WideCharToMultiByte( CP_ACP, 0, file_data.cFileName, |
| Simon Cooksey |
0:fb7af294d5d9 | 1143 | lstrlenW( file_data.cFileName ), |
| Simon Cooksey |
0:fb7af294d5d9 | 1144 | p, (int) len - 1, |
| Simon Cooksey |
0:fb7af294d5d9 | 1145 | NULL, NULL ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1146 | if( w_ret == 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1147 | return( MBEDTLS_ERR_X509_FILE_IO_ERROR ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1148 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1149 | w_ret = mbedtls_x509_crt_parse_file( chain, filename ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1150 | if( w_ret < 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1151 | ret++; |
| Simon Cooksey |
0:fb7af294d5d9 | 1152 | else |
| Simon Cooksey |
0:fb7af294d5d9 | 1153 | ret += w_ret; |
| Simon Cooksey |
0:fb7af294d5d9 | 1154 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 1155 | while( FindNextFileW( hFind, &file_data ) != 0 ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1156 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1157 | if( GetLastError() != ERROR_NO_MORE_FILES ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1158 | ret = MBEDTLS_ERR_X509_FILE_IO_ERROR; |
| Simon Cooksey |
0:fb7af294d5d9 | 1159 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1160 | FindClose( hFind ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1161 | #else /* _WIN32 */ |
| Simon Cooksey |
0:fb7af294d5d9 | 1162 | int t_ret; |
| Simon Cooksey |
0:fb7af294d5d9 | 1163 | int snp_ret; |
| Simon Cooksey |
0:fb7af294d5d9 | 1164 | struct stat sb; |
| Simon Cooksey |
0:fb7af294d5d9 | 1165 | struct dirent *entry; |
| Simon Cooksey |
0:fb7af294d5d9 | 1166 | char entry_name[MBEDTLS_X509_MAX_FILE_PATH_LEN]; |
| Simon Cooksey |
0:fb7af294d5d9 | 1167 | DIR *dir = opendir( path ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1168 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1169 | if( dir == NULL ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1170 | return( MBEDTLS_ERR_X509_FILE_IO_ERROR ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1171 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1172 | #if defined(MBEDTLS_THREADING_PTHREAD) |
| Simon Cooksey |
0:fb7af294d5d9 | 1173 | if( ( ret = mbedtls_mutex_lock( &mbedtls_threading_readdir_mutex ) ) != 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1174 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 1175 | closedir( dir ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1176 | return( ret ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1177 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 1178 | #endif |
| Simon Cooksey |
0:fb7af294d5d9 | 1179 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1180 | while( ( entry = readdir( dir ) ) != NULL ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1181 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 1182 | snp_ret = mbedtls_snprintf( entry_name, sizeof entry_name, |
| Simon Cooksey |
0:fb7af294d5d9 | 1183 | "%s/%s", path, entry->d_name ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1184 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1185 | if( snp_ret < 0 || (size_t)snp_ret >= sizeof entry_name ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1186 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 1187 | ret = MBEDTLS_ERR_X509_BUFFER_TOO_SMALL; |
| Simon Cooksey |
0:fb7af294d5d9 | 1188 | goto cleanup; |
| Simon Cooksey |
0:fb7af294d5d9 | 1189 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 1190 | else if( stat( entry_name, &sb ) == -1 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1191 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 1192 | ret = MBEDTLS_ERR_X509_FILE_IO_ERROR; |
| Simon Cooksey |
0:fb7af294d5d9 | 1193 | goto cleanup; |
| Simon Cooksey |
0:fb7af294d5d9 | 1194 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 1195 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1196 | if( !S_ISREG( sb.st_mode ) ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1197 | continue; |
| Simon Cooksey |
0:fb7af294d5d9 | 1198 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1199 | // Ignore parse errors |
| Simon Cooksey |
0:fb7af294d5d9 | 1200 | // |
| Simon Cooksey |
0:fb7af294d5d9 | 1201 | t_ret = mbedtls_x509_crt_parse_file( chain, entry_name ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1202 | if( t_ret < 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1203 | ret++; |
| Simon Cooksey |
0:fb7af294d5d9 | 1204 | else |
| Simon Cooksey |
0:fb7af294d5d9 | 1205 | ret += t_ret; |
| Simon Cooksey |
0:fb7af294d5d9 | 1206 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 1207 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1208 | cleanup: |
| Simon Cooksey |
0:fb7af294d5d9 | 1209 | closedir( dir ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1210 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1211 | #if defined(MBEDTLS_THREADING_PTHREAD) |
| Simon Cooksey |
0:fb7af294d5d9 | 1212 | if( mbedtls_mutex_unlock( &mbedtls_threading_readdir_mutex ) != 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1213 | ret = MBEDTLS_ERR_THREADING_MUTEX_ERROR; |
| Simon Cooksey |
0:fb7af294d5d9 | 1214 | #endif |
| Simon Cooksey |
0:fb7af294d5d9 | 1215 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1216 | #endif /* _WIN32 */ |
| Simon Cooksey |
0:fb7af294d5d9 | 1217 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1218 | return( ret ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1219 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 1220 | #endif /* MBEDTLS_FS_IO */ |
| Simon Cooksey |
0:fb7af294d5d9 | 1221 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1222 | static int x509_info_subject_alt_name( char **buf, size_t *size, |
| Simon Cooksey |
0:fb7af294d5d9 | 1223 | const mbedtls_x509_sequence *subject_alt_name ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1224 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 1225 | size_t i; |
| Simon Cooksey |
0:fb7af294d5d9 | 1226 | size_t n = *size; |
| Simon Cooksey |
0:fb7af294d5d9 | 1227 | char *p = *buf; |
| Simon Cooksey |
0:fb7af294d5d9 | 1228 | const mbedtls_x509_sequence *cur = subject_alt_name; |
| Simon Cooksey |
0:fb7af294d5d9 | 1229 | const char *sep = ""; |
| Simon Cooksey |
0:fb7af294d5d9 | 1230 | size_t sep_len = 0; |
| Simon Cooksey |
0:fb7af294d5d9 | 1231 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1232 | while( cur != NULL ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1233 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 1234 | if( cur->buf.len + sep_len >= n ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1235 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 1236 | *p = '\0'; |
| Simon Cooksey |
0:fb7af294d5d9 | 1237 | return( MBEDTLS_ERR_X509_BUFFER_TOO_SMALL ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1238 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 1239 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1240 | n -= cur->buf.len + sep_len; |
| Simon Cooksey |
0:fb7af294d5d9 | 1241 | for( i = 0; i < sep_len; i++ ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1242 | *p++ = sep[i]; |
| Simon Cooksey |
0:fb7af294d5d9 | 1243 | for( i = 0; i < cur->buf.len; i++ ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1244 | *p++ = cur->buf.p[i]; |
| Simon Cooksey |
0:fb7af294d5d9 | 1245 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1246 | sep = ", "; |
| Simon Cooksey |
0:fb7af294d5d9 | 1247 | sep_len = 2; |
| Simon Cooksey |
0:fb7af294d5d9 | 1248 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1249 | cur = cur->next; |
| Simon Cooksey |
0:fb7af294d5d9 | 1250 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 1251 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1252 | *p = '\0'; |
| Simon Cooksey |
0:fb7af294d5d9 | 1253 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1254 | *size = n; |
| Simon Cooksey |
0:fb7af294d5d9 | 1255 | *buf = p; |
| Simon Cooksey |
0:fb7af294d5d9 | 1256 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1257 | return( 0 ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1258 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 1259 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1260 | #define PRINT_ITEM(i) \ |
| Simon Cooksey |
0:fb7af294d5d9 | 1261 | { \ |
| Simon Cooksey |
0:fb7af294d5d9 | 1262 | ret = mbedtls_snprintf( p, n, "%s" i, sep ); \ |
| Simon Cooksey |
0:fb7af294d5d9 | 1263 | MBEDTLS_X509_SAFE_SNPRINTF; \ |
| Simon Cooksey |
0:fb7af294d5d9 | 1264 | sep = ", "; \ |
| Simon Cooksey |
0:fb7af294d5d9 | 1265 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 1266 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1267 | #define CERT_TYPE(type,name) \ |
| Simon Cooksey |
0:fb7af294d5d9 | 1268 | if( ns_cert_type & type ) \ |
| Simon Cooksey |
0:fb7af294d5d9 | 1269 | PRINT_ITEM( name ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1270 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1271 | static int x509_info_cert_type( char **buf, size_t *size, |
| Simon Cooksey |
0:fb7af294d5d9 | 1272 | unsigned char ns_cert_type ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1273 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 1274 | int ret; |
| Simon Cooksey |
0:fb7af294d5d9 | 1275 | size_t n = *size; |
| Simon Cooksey |
0:fb7af294d5d9 | 1276 | char *p = *buf; |
| Simon Cooksey |
0:fb7af294d5d9 | 1277 | const char *sep = ""; |
| Simon Cooksey |
0:fb7af294d5d9 | 1278 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1279 | CERT_TYPE( MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT, "SSL Client" ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1280 | CERT_TYPE( MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER, "SSL Server" ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1281 | CERT_TYPE( MBEDTLS_X509_NS_CERT_TYPE_EMAIL, "Email" ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1282 | CERT_TYPE( MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING, "Object Signing" ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1283 | CERT_TYPE( MBEDTLS_X509_NS_CERT_TYPE_RESERVED, "Reserved" ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1284 | CERT_TYPE( MBEDTLS_X509_NS_CERT_TYPE_SSL_CA, "SSL CA" ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1285 | CERT_TYPE( MBEDTLS_X509_NS_CERT_TYPE_EMAIL_CA, "Email CA" ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1286 | CERT_TYPE( MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING_CA, "Object Signing CA" ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1287 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1288 | *size = n; |
| Simon Cooksey |
0:fb7af294d5d9 | 1289 | *buf = p; |
| Simon Cooksey |
0:fb7af294d5d9 | 1290 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1291 | return( 0 ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1292 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 1293 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1294 | #define KEY_USAGE(code,name) \ |
| Simon Cooksey |
0:fb7af294d5d9 | 1295 | if( key_usage & code ) \ |
| Simon Cooksey |
0:fb7af294d5d9 | 1296 | PRINT_ITEM( name ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1297 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1298 | static int x509_info_key_usage( char **buf, size_t *size, |
| Simon Cooksey |
0:fb7af294d5d9 | 1299 | unsigned int key_usage ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1300 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 1301 | int ret; |
| Simon Cooksey |
0:fb7af294d5d9 | 1302 | size_t n = *size; |
| Simon Cooksey |
0:fb7af294d5d9 | 1303 | char *p = *buf; |
| Simon Cooksey |
0:fb7af294d5d9 | 1304 | const char *sep = ""; |
| Simon Cooksey |
0:fb7af294d5d9 | 1305 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1306 | KEY_USAGE( MBEDTLS_X509_KU_DIGITAL_SIGNATURE, "Digital Signature" ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1307 | KEY_USAGE( MBEDTLS_X509_KU_NON_REPUDIATION, "Non Repudiation" ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1308 | KEY_USAGE( MBEDTLS_X509_KU_KEY_ENCIPHERMENT, "Key Encipherment" ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1309 | KEY_USAGE( MBEDTLS_X509_KU_DATA_ENCIPHERMENT, "Data Encipherment" ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1310 | KEY_USAGE( MBEDTLS_X509_KU_KEY_AGREEMENT, "Key Agreement" ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1311 | KEY_USAGE( MBEDTLS_X509_KU_KEY_CERT_SIGN, "Key Cert Sign" ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1312 | KEY_USAGE( MBEDTLS_X509_KU_CRL_SIGN, "CRL Sign" ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1313 | KEY_USAGE( MBEDTLS_X509_KU_ENCIPHER_ONLY, "Encipher Only" ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1314 | KEY_USAGE( MBEDTLS_X509_KU_DECIPHER_ONLY, "Decipher Only" ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1315 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1316 | *size = n; |
| Simon Cooksey |
0:fb7af294d5d9 | 1317 | *buf = p; |
| Simon Cooksey |
0:fb7af294d5d9 | 1318 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1319 | return( 0 ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1320 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 1321 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1322 | static int x509_info_ext_key_usage( char **buf, size_t *size, |
| Simon Cooksey |
0:fb7af294d5d9 | 1323 | const mbedtls_x509_sequence *extended_key_usage ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1324 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 1325 | int ret; |
| Simon Cooksey |
0:fb7af294d5d9 | 1326 | const char *desc; |
| Simon Cooksey |
0:fb7af294d5d9 | 1327 | size_t n = *size; |
| Simon Cooksey |
0:fb7af294d5d9 | 1328 | char *p = *buf; |
| Simon Cooksey |
0:fb7af294d5d9 | 1329 | const mbedtls_x509_sequence *cur = extended_key_usage; |
| Simon Cooksey |
0:fb7af294d5d9 | 1330 | const char *sep = ""; |
| Simon Cooksey |
0:fb7af294d5d9 | 1331 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1332 | while( cur != NULL ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1333 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 1334 | if( mbedtls_oid_get_extended_key_usage( &cur->buf, &desc ) != 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1335 | desc = "???"; |
| Simon Cooksey |
0:fb7af294d5d9 | 1336 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1337 | ret = mbedtls_snprintf( p, n, "%s%s", sep, desc ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1338 | MBEDTLS_X509_SAFE_SNPRINTF; |
| Simon Cooksey |
0:fb7af294d5d9 | 1339 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1340 | sep = ", "; |
| Simon Cooksey |
0:fb7af294d5d9 | 1341 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1342 | cur = cur->next; |
| Simon Cooksey |
0:fb7af294d5d9 | 1343 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 1344 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1345 | *size = n; |
| Simon Cooksey |
0:fb7af294d5d9 | 1346 | *buf = p; |
| Simon Cooksey |
0:fb7af294d5d9 | 1347 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1348 | return( 0 ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1349 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 1350 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1351 | /* |
| Simon Cooksey |
0:fb7af294d5d9 | 1352 | * Return an informational string about the certificate. |
| Simon Cooksey |
0:fb7af294d5d9 | 1353 | */ |
| Simon Cooksey |
0:fb7af294d5d9 | 1354 | #define BEFORE_COLON 18 |
| Simon Cooksey |
0:fb7af294d5d9 | 1355 | #define BC "18" |
| Simon Cooksey |
0:fb7af294d5d9 | 1356 | int mbedtls_x509_crt_info( char *buf, size_t size, const char *prefix, |
| Simon Cooksey |
0:fb7af294d5d9 | 1357 | const mbedtls_x509_crt *crt ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1358 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 1359 | int ret; |
| Simon Cooksey |
0:fb7af294d5d9 | 1360 | size_t n; |
| Simon Cooksey |
0:fb7af294d5d9 | 1361 | char *p; |
| Simon Cooksey |
0:fb7af294d5d9 | 1362 | char key_size_str[BEFORE_COLON]; |
| Simon Cooksey |
0:fb7af294d5d9 | 1363 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1364 | p = buf; |
| Simon Cooksey |
0:fb7af294d5d9 | 1365 | n = size; |
| Simon Cooksey |
0:fb7af294d5d9 | 1366 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1367 | if( NULL == crt ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1368 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 1369 | ret = mbedtls_snprintf( p, n, "\nCertificate is uninitialised!\n" ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1370 | MBEDTLS_X509_SAFE_SNPRINTF; |
| Simon Cooksey |
0:fb7af294d5d9 | 1371 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1372 | return( (int) ( size - n ) ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1373 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 1374 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1375 | ret = mbedtls_snprintf( p, n, "%scert. version : %d\n", |
| Simon Cooksey |
0:fb7af294d5d9 | 1376 | prefix, crt->version ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1377 | MBEDTLS_X509_SAFE_SNPRINTF; |
| Simon Cooksey |
0:fb7af294d5d9 | 1378 | ret = mbedtls_snprintf( p, n, "%sserial number : ", |
| Simon Cooksey |
0:fb7af294d5d9 | 1379 | prefix ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1380 | MBEDTLS_X509_SAFE_SNPRINTF; |
| Simon Cooksey |
0:fb7af294d5d9 | 1381 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1382 | ret = mbedtls_x509_serial_gets( p, n, &crt->serial ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1383 | MBEDTLS_X509_SAFE_SNPRINTF; |
| Simon Cooksey |
0:fb7af294d5d9 | 1384 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1385 | ret = mbedtls_snprintf( p, n, "\n%sissuer name : ", prefix ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1386 | MBEDTLS_X509_SAFE_SNPRINTF; |
| Simon Cooksey |
0:fb7af294d5d9 | 1387 | ret = mbedtls_x509_dn_gets( p, n, &crt->issuer ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1388 | MBEDTLS_X509_SAFE_SNPRINTF; |
| Simon Cooksey |
0:fb7af294d5d9 | 1389 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1390 | ret = mbedtls_snprintf( p, n, "\n%ssubject name : ", prefix ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1391 | MBEDTLS_X509_SAFE_SNPRINTF; |
| Simon Cooksey |
0:fb7af294d5d9 | 1392 | ret = mbedtls_x509_dn_gets( p, n, &crt->subject ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1393 | MBEDTLS_X509_SAFE_SNPRINTF; |
| Simon Cooksey |
0:fb7af294d5d9 | 1394 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1395 | ret = mbedtls_snprintf( p, n, "\n%sissued on : " \ |
| Simon Cooksey |
0:fb7af294d5d9 | 1396 | "%04d-%02d-%02d %02d:%02d:%02d", prefix, |
| Simon Cooksey |
0:fb7af294d5d9 | 1397 | crt->valid_from.year, crt->valid_from.mon, |
| Simon Cooksey |
0:fb7af294d5d9 | 1398 | crt->valid_from.day, crt->valid_from.hour, |
| Simon Cooksey |
0:fb7af294d5d9 | 1399 | crt->valid_from.min, crt->valid_from.sec ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1400 | MBEDTLS_X509_SAFE_SNPRINTF; |
| Simon Cooksey |
0:fb7af294d5d9 | 1401 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1402 | ret = mbedtls_snprintf( p, n, "\n%sexpires on : " \ |
| Simon Cooksey |
0:fb7af294d5d9 | 1403 | "%04d-%02d-%02d %02d:%02d:%02d", prefix, |
| Simon Cooksey |
0:fb7af294d5d9 | 1404 | crt->valid_to.year, crt->valid_to.mon, |
| Simon Cooksey |
0:fb7af294d5d9 | 1405 | crt->valid_to.day, crt->valid_to.hour, |
| Simon Cooksey |
0:fb7af294d5d9 | 1406 | crt->valid_to.min, crt->valid_to.sec ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1407 | MBEDTLS_X509_SAFE_SNPRINTF; |
| Simon Cooksey |
0:fb7af294d5d9 | 1408 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1409 | ret = mbedtls_snprintf( p, n, "\n%ssigned using : ", prefix ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1410 | MBEDTLS_X509_SAFE_SNPRINTF; |
| Simon Cooksey |
0:fb7af294d5d9 | 1411 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1412 | ret = mbedtls_x509_sig_alg_gets( p, n, &crt->sig_oid, crt->sig_pk, |
| Simon Cooksey |
0:fb7af294d5d9 | 1413 | crt->sig_md, crt->sig_opts ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1414 | MBEDTLS_X509_SAFE_SNPRINTF; |
| Simon Cooksey |
0:fb7af294d5d9 | 1415 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1416 | /* Key size */ |
| Simon Cooksey |
0:fb7af294d5d9 | 1417 | if( ( ret = mbedtls_x509_key_size_helper( key_size_str, BEFORE_COLON, |
| Simon Cooksey |
0:fb7af294d5d9 | 1418 | mbedtls_pk_get_name( &crt->pk ) ) ) != 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1419 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 1420 | return( ret ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1421 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 1422 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1423 | ret = mbedtls_snprintf( p, n, "\n%s%-" BC "s: %d bits", prefix, key_size_str, |
| Simon Cooksey |
0:fb7af294d5d9 | 1424 | (int) mbedtls_pk_get_bitlen( &crt->pk ) ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1425 | MBEDTLS_X509_SAFE_SNPRINTF; |
| Simon Cooksey |
0:fb7af294d5d9 | 1426 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1427 | /* |
| Simon Cooksey |
0:fb7af294d5d9 | 1428 | * Optional extensions |
| Simon Cooksey |
0:fb7af294d5d9 | 1429 | */ |
| Simon Cooksey |
0:fb7af294d5d9 | 1430 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1431 | if( crt->ext_types & MBEDTLS_X509_EXT_BASIC_CONSTRAINTS ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1432 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 1433 | ret = mbedtls_snprintf( p, n, "\n%sbasic constraints : CA=%s", prefix, |
| Simon Cooksey |
0:fb7af294d5d9 | 1434 | crt->ca_istrue ? "true" : "false" ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1435 | MBEDTLS_X509_SAFE_SNPRINTF; |
| Simon Cooksey |
0:fb7af294d5d9 | 1436 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1437 | if( crt->max_pathlen > 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1438 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 1439 | ret = mbedtls_snprintf( p, n, ", max_pathlen=%d", crt->max_pathlen - 1 ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1440 | MBEDTLS_X509_SAFE_SNPRINTF; |
| Simon Cooksey |
0:fb7af294d5d9 | 1441 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 1442 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 1443 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1444 | if( crt->ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1445 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 1446 | ret = mbedtls_snprintf( p, n, "\n%ssubject alt name : ", prefix ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1447 | MBEDTLS_X509_SAFE_SNPRINTF; |
| Simon Cooksey |
0:fb7af294d5d9 | 1448 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1449 | if( ( ret = x509_info_subject_alt_name( &p, &n, |
| Simon Cooksey |
0:fb7af294d5d9 | 1450 | &crt->subject_alt_names ) ) != 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1451 | return( ret ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1452 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 1453 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1454 | if( crt->ext_types & MBEDTLS_X509_EXT_NS_CERT_TYPE ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1455 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 1456 | ret = mbedtls_snprintf( p, n, "\n%scert. type : ", prefix ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1457 | MBEDTLS_X509_SAFE_SNPRINTF; |
| Simon Cooksey |
0:fb7af294d5d9 | 1458 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1459 | if( ( ret = x509_info_cert_type( &p, &n, crt->ns_cert_type ) ) != 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1460 | return( ret ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1461 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 1462 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1463 | if( crt->ext_types & MBEDTLS_X509_EXT_KEY_USAGE ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1464 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 1465 | ret = mbedtls_snprintf( p, n, "\n%skey usage : ", prefix ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1466 | MBEDTLS_X509_SAFE_SNPRINTF; |
| Simon Cooksey |
0:fb7af294d5d9 | 1467 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1468 | if( ( ret = x509_info_key_usage( &p, &n, crt->key_usage ) ) != 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1469 | return( ret ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1470 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 1471 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1472 | if( crt->ext_types & MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1473 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 1474 | ret = mbedtls_snprintf( p, n, "\n%sext key usage : ", prefix ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1475 | MBEDTLS_X509_SAFE_SNPRINTF; |
| Simon Cooksey |
0:fb7af294d5d9 | 1476 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1477 | if( ( ret = x509_info_ext_key_usage( &p, &n, |
| Simon Cooksey |
0:fb7af294d5d9 | 1478 | &crt->ext_key_usage ) ) != 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1479 | return( ret ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1480 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 1481 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1482 | ret = mbedtls_snprintf( p, n, "\n" ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1483 | MBEDTLS_X509_SAFE_SNPRINTF; |
| Simon Cooksey |
0:fb7af294d5d9 | 1484 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1485 | return( (int) ( size - n ) ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1486 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 1487 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1488 | struct x509_crt_verify_string { |
| Simon Cooksey |
0:fb7af294d5d9 | 1489 | int code; |
| Simon Cooksey |
0:fb7af294d5d9 | 1490 | const char *string; |
| Simon Cooksey |
0:fb7af294d5d9 | 1491 | }; |
| Simon Cooksey |
0:fb7af294d5d9 | 1492 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1493 | static const struct x509_crt_verify_string x509_crt_verify_strings[] = { |
| Simon Cooksey |
0:fb7af294d5d9 | 1494 | { MBEDTLS_X509_BADCERT_EXPIRED, "The certificate validity has expired" }, |
| Simon Cooksey |
0:fb7af294d5d9 | 1495 | { MBEDTLS_X509_BADCERT_REVOKED, "The certificate has been revoked (is on a CRL)" }, |
| Simon Cooksey |
0:fb7af294d5d9 | 1496 | { MBEDTLS_X509_BADCERT_CN_MISMATCH, "The certificate Common Name (CN) does not match with the expected CN" }, |
| Simon Cooksey |
0:fb7af294d5d9 | 1497 | { MBEDTLS_X509_BADCERT_NOT_TRUSTED, "The certificate is not correctly signed by the trusted CA" }, |
| Simon Cooksey |
0:fb7af294d5d9 | 1498 | { MBEDTLS_X509_BADCRL_NOT_TRUSTED, "The CRL is not correctly signed by the trusted CA" }, |
| Simon Cooksey |
0:fb7af294d5d9 | 1499 | { MBEDTLS_X509_BADCRL_EXPIRED, "The CRL is expired" }, |
| Simon Cooksey |
0:fb7af294d5d9 | 1500 | { MBEDTLS_X509_BADCERT_MISSING, "Certificate was missing" }, |
| Simon Cooksey |
0:fb7af294d5d9 | 1501 | { MBEDTLS_X509_BADCERT_SKIP_VERIFY, "Certificate verification was skipped" }, |
| Simon Cooksey |
0:fb7af294d5d9 | 1502 | { MBEDTLS_X509_BADCERT_OTHER, "Other reason (can be used by verify callback)" }, |
| Simon Cooksey |
0:fb7af294d5d9 | 1503 | { MBEDTLS_X509_BADCERT_FUTURE, "The certificate validity starts in the future" }, |
| Simon Cooksey |
0:fb7af294d5d9 | 1504 | { MBEDTLS_X509_BADCRL_FUTURE, "The CRL is from the future" }, |
| Simon Cooksey |
0:fb7af294d5d9 | 1505 | { MBEDTLS_X509_BADCERT_KEY_USAGE, "Usage does not match the keyUsage extension" }, |
| Simon Cooksey |
0:fb7af294d5d9 | 1506 | { MBEDTLS_X509_BADCERT_EXT_KEY_USAGE, "Usage does not match the extendedKeyUsage extension" }, |
| Simon Cooksey |
0:fb7af294d5d9 | 1507 | { MBEDTLS_X509_BADCERT_NS_CERT_TYPE, "Usage does not match the nsCertType extension" }, |
| Simon Cooksey |
0:fb7af294d5d9 | 1508 | { MBEDTLS_X509_BADCERT_BAD_MD, "The certificate is signed with an unacceptable hash." }, |
| Simon Cooksey |
0:fb7af294d5d9 | 1509 | { MBEDTLS_X509_BADCERT_BAD_PK, "The certificate is signed with an unacceptable PK alg (eg RSA vs ECDSA)." }, |
| Simon Cooksey |
0:fb7af294d5d9 | 1510 | { MBEDTLS_X509_BADCERT_BAD_KEY, "The certificate is signed with an unacceptable key (eg bad curve, RSA too short)." }, |
| Simon Cooksey |
0:fb7af294d5d9 | 1511 | { MBEDTLS_X509_BADCRL_BAD_MD, "The CRL is signed with an unacceptable hash." }, |
| Simon Cooksey |
0:fb7af294d5d9 | 1512 | { MBEDTLS_X509_BADCRL_BAD_PK, "The CRL is signed with an unacceptable PK alg (eg RSA vs ECDSA)." }, |
| Simon Cooksey |
0:fb7af294d5d9 | 1513 | { MBEDTLS_X509_BADCRL_BAD_KEY, "The CRL is signed with an unacceptable key (eg bad curve, RSA too short)." }, |
| Simon Cooksey |
0:fb7af294d5d9 | 1514 | { 0, NULL } |
| Simon Cooksey |
0:fb7af294d5d9 | 1515 | }; |
| Simon Cooksey |
0:fb7af294d5d9 | 1516 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1517 | int mbedtls_x509_crt_verify_info( char *buf, size_t size, const char *prefix, |
| Simon Cooksey |
0:fb7af294d5d9 | 1518 | uint32_t flags ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1519 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 1520 | int ret; |
| Simon Cooksey |
0:fb7af294d5d9 | 1521 | const struct x509_crt_verify_string *cur; |
| Simon Cooksey |
0:fb7af294d5d9 | 1522 | char *p = buf; |
| Simon Cooksey |
0:fb7af294d5d9 | 1523 | size_t n = size; |
| Simon Cooksey |
0:fb7af294d5d9 | 1524 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1525 | for( cur = x509_crt_verify_strings; cur->string != NULL ; cur++ ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1526 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 1527 | if( ( flags & cur->code ) == 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1528 | continue; |
| Simon Cooksey |
0:fb7af294d5d9 | 1529 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1530 | ret = mbedtls_snprintf( p, n, "%s%s\n", prefix, cur->string ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1531 | MBEDTLS_X509_SAFE_SNPRINTF; |
| Simon Cooksey |
0:fb7af294d5d9 | 1532 | flags ^= cur->code; |
| Simon Cooksey |
0:fb7af294d5d9 | 1533 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 1534 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1535 | if( flags != 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1536 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 1537 | ret = mbedtls_snprintf( p, n, "%sUnknown reason " |
| Simon Cooksey |
0:fb7af294d5d9 | 1538 | "(this should not happen)\n", prefix ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1539 | MBEDTLS_X509_SAFE_SNPRINTF; |
| Simon Cooksey |
0:fb7af294d5d9 | 1540 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 1541 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1542 | return( (int) ( size - n ) ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1543 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 1544 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1545 | #if defined(MBEDTLS_X509_CHECK_KEY_USAGE) |
| Simon Cooksey |
0:fb7af294d5d9 | 1546 | int mbedtls_x509_crt_check_key_usage( const mbedtls_x509_crt *crt, |
| Simon Cooksey |
0:fb7af294d5d9 | 1547 | unsigned int usage ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1548 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 1549 | unsigned int usage_must, usage_may; |
| Simon Cooksey |
0:fb7af294d5d9 | 1550 | unsigned int may_mask = MBEDTLS_X509_KU_ENCIPHER_ONLY |
| Simon Cooksey |
0:fb7af294d5d9 | 1551 | | MBEDTLS_X509_KU_DECIPHER_ONLY; |
| Simon Cooksey |
0:fb7af294d5d9 | 1552 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1553 | if( ( crt->ext_types & MBEDTLS_X509_EXT_KEY_USAGE ) == 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1554 | return( 0 ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1555 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1556 | usage_must = usage & ~may_mask; |
| Simon Cooksey |
0:fb7af294d5d9 | 1557 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1558 | if( ( ( crt->key_usage & ~may_mask ) & usage_must ) != usage_must ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1559 | return( MBEDTLS_ERR_X509_BAD_INPUT_DATA ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1560 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1561 | usage_may = usage & may_mask; |
| Simon Cooksey |
0:fb7af294d5d9 | 1562 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1563 | if( ( ( crt->key_usage & may_mask ) | usage_may ) != usage_may ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1564 | return( MBEDTLS_ERR_X509_BAD_INPUT_DATA ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1565 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1566 | return( 0 ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1567 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 1568 | #endif |
| Simon Cooksey |
0:fb7af294d5d9 | 1569 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1570 | #if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE) |
| Simon Cooksey |
0:fb7af294d5d9 | 1571 | int mbedtls_x509_crt_check_extended_key_usage( const mbedtls_x509_crt *crt, |
| Simon Cooksey |
0:fb7af294d5d9 | 1572 | const char *usage_oid, |
| Simon Cooksey |
0:fb7af294d5d9 | 1573 | size_t usage_len ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1574 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 1575 | const mbedtls_x509_sequence *cur; |
| Simon Cooksey |
0:fb7af294d5d9 | 1576 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1577 | /* Extension is not mandatory, absent means no restriction */ |
| Simon Cooksey |
0:fb7af294d5d9 | 1578 | if( ( crt->ext_types & MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE ) == 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1579 | return( 0 ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1580 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1581 | /* |
| Simon Cooksey |
0:fb7af294d5d9 | 1582 | * Look for the requested usage (or wildcard ANY) in our list |
| Simon Cooksey |
0:fb7af294d5d9 | 1583 | */ |
| Simon Cooksey |
0:fb7af294d5d9 | 1584 | for( cur = &crt->ext_key_usage; cur != NULL; cur = cur->next ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1585 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 1586 | const mbedtls_x509_buf *cur_oid = &cur->buf; |
| Simon Cooksey |
0:fb7af294d5d9 | 1587 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1588 | if( cur_oid->len == usage_len && |
| Simon Cooksey |
0:fb7af294d5d9 | 1589 | memcmp( cur_oid->p, usage_oid, usage_len ) == 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1590 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 1591 | return( 0 ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1592 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 1593 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1594 | if( MBEDTLS_OID_CMP( MBEDTLS_OID_ANY_EXTENDED_KEY_USAGE, cur_oid ) == 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1595 | return( 0 ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1596 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 1597 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1598 | return( MBEDTLS_ERR_X509_BAD_INPUT_DATA ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1599 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 1600 | #endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE */ |
| Simon Cooksey |
0:fb7af294d5d9 | 1601 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1602 | #if defined(MBEDTLS_X509_CRL_PARSE_C) |
| Simon Cooksey |
0:fb7af294d5d9 | 1603 | /* |
| Simon Cooksey |
0:fb7af294d5d9 | 1604 | * Return 1 if the certificate is revoked, or 0 otherwise. |
| Simon Cooksey |
0:fb7af294d5d9 | 1605 | */ |
| Simon Cooksey |
0:fb7af294d5d9 | 1606 | int mbedtls_x509_crt_is_revoked( const mbedtls_x509_crt *crt, const mbedtls_x509_crl *crl ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1607 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 1608 | const mbedtls_x509_crl_entry *cur = &crl->entry; |
| Simon Cooksey |
0:fb7af294d5d9 | 1609 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1610 | while( cur != NULL && cur->serial.len != 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1611 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 1612 | if( crt->serial.len == cur->serial.len && |
| Simon Cooksey |
0:fb7af294d5d9 | 1613 | memcmp( crt->serial.p, cur->serial.p, crt->serial.len ) == 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1614 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 1615 | if( mbedtls_x509_time_is_past( &cur->revocation_date ) ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1616 | return( 1 ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1617 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 1618 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1619 | cur = cur->next; |
| Simon Cooksey |
0:fb7af294d5d9 | 1620 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 1621 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1622 | return( 0 ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1623 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 1624 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1625 | /* |
| Simon Cooksey |
0:fb7af294d5d9 | 1626 | * Check that the given certificate is not revoked according to the CRL. |
| Simon Cooksey |
0:fb7af294d5d9 | 1627 | * Skip validation is no CRL for the given CA is present. |
| Simon Cooksey |
0:fb7af294d5d9 | 1628 | */ |
| Simon Cooksey |
0:fb7af294d5d9 | 1629 | static int x509_crt_verifycrl( mbedtls_x509_crt *crt, mbedtls_x509_crt *ca, |
| Simon Cooksey |
0:fb7af294d5d9 | 1630 | mbedtls_x509_crl *crl_list, |
| Simon Cooksey |
0:fb7af294d5d9 | 1631 | const mbedtls_x509_crt_profile *profile ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1632 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 1633 | int flags = 0; |
| Simon Cooksey |
0:fb7af294d5d9 | 1634 | unsigned char hash[MBEDTLS_MD_MAX_SIZE]; |
| Simon Cooksey |
0:fb7af294d5d9 | 1635 | const mbedtls_md_info_t *md_info; |
| Simon Cooksey |
0:fb7af294d5d9 | 1636 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1637 | if( ca == NULL ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1638 | return( flags ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1639 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1640 | while( crl_list != NULL ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1641 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 1642 | if( crl_list->version == 0 || |
| Simon Cooksey |
0:fb7af294d5d9 | 1643 | crl_list->issuer_raw.len != ca->subject_raw.len || |
| Simon Cooksey |
0:fb7af294d5d9 | 1644 | memcmp( crl_list->issuer_raw.p, ca->subject_raw.p, |
| Simon Cooksey |
0:fb7af294d5d9 | 1645 | crl_list->issuer_raw.len ) != 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1646 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 1647 | crl_list = crl_list->next; |
| Simon Cooksey |
0:fb7af294d5d9 | 1648 | continue; |
| Simon Cooksey |
0:fb7af294d5d9 | 1649 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 1650 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1651 | /* |
| Simon Cooksey |
0:fb7af294d5d9 | 1652 | * Check if the CA is configured to sign CRLs |
| Simon Cooksey |
0:fb7af294d5d9 | 1653 | */ |
| Simon Cooksey |
0:fb7af294d5d9 | 1654 | #if defined(MBEDTLS_X509_CHECK_KEY_USAGE) |
| Simon Cooksey |
0:fb7af294d5d9 | 1655 | if( mbedtls_x509_crt_check_key_usage( ca, MBEDTLS_X509_KU_CRL_SIGN ) != 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1656 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 1657 | flags |= MBEDTLS_X509_BADCRL_NOT_TRUSTED; |
| Simon Cooksey |
0:fb7af294d5d9 | 1658 | break; |
| Simon Cooksey |
0:fb7af294d5d9 | 1659 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 1660 | #endif |
| Simon Cooksey |
0:fb7af294d5d9 | 1661 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1662 | /* |
| Simon Cooksey |
0:fb7af294d5d9 | 1663 | * Check if CRL is correctly signed by the trusted CA |
| Simon Cooksey |
0:fb7af294d5d9 | 1664 | */ |
| Simon Cooksey |
0:fb7af294d5d9 | 1665 | if( x509_profile_check_md_alg( profile, crl_list->sig_md ) != 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1666 | flags |= MBEDTLS_X509_BADCRL_BAD_MD; |
| Simon Cooksey |
0:fb7af294d5d9 | 1667 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1668 | if( x509_profile_check_pk_alg( profile, crl_list->sig_pk ) != 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1669 | flags |= MBEDTLS_X509_BADCRL_BAD_PK; |
| Simon Cooksey |
0:fb7af294d5d9 | 1670 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1671 | md_info = mbedtls_md_info_from_type( crl_list->sig_md ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1672 | if( md_info == NULL ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1673 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 1674 | /* |
| Simon Cooksey |
0:fb7af294d5d9 | 1675 | * Cannot check 'unknown' hash |
| Simon Cooksey |
0:fb7af294d5d9 | 1676 | */ |
| Simon Cooksey |
0:fb7af294d5d9 | 1677 | flags |= MBEDTLS_X509_BADCRL_NOT_TRUSTED; |
| Simon Cooksey |
0:fb7af294d5d9 | 1678 | break; |
| Simon Cooksey |
0:fb7af294d5d9 | 1679 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 1680 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1681 | mbedtls_md( md_info, crl_list->tbs.p, crl_list->tbs.len, hash ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1682 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1683 | if( x509_profile_check_key( profile, crl_list->sig_pk, &ca->pk ) != 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1684 | flags |= MBEDTLS_X509_BADCERT_BAD_KEY; |
| Simon Cooksey |
0:fb7af294d5d9 | 1685 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1686 | if( mbedtls_pk_verify_ext( crl_list->sig_pk, crl_list->sig_opts, &ca->pk, |
| Simon Cooksey |
0:fb7af294d5d9 | 1687 | crl_list->sig_md, hash, mbedtls_md_get_size( md_info ), |
| Simon Cooksey |
0:fb7af294d5d9 | 1688 | crl_list->sig.p, crl_list->sig.len ) != 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1689 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 1690 | flags |= MBEDTLS_X509_BADCRL_NOT_TRUSTED; |
| Simon Cooksey |
0:fb7af294d5d9 | 1691 | break; |
| Simon Cooksey |
0:fb7af294d5d9 | 1692 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 1693 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1694 | /* |
| Simon Cooksey |
0:fb7af294d5d9 | 1695 | * Check for validity of CRL (Do not drop out) |
| Simon Cooksey |
0:fb7af294d5d9 | 1696 | */ |
| Simon Cooksey |
0:fb7af294d5d9 | 1697 | if( mbedtls_x509_time_is_past( &crl_list->next_update ) ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1698 | flags |= MBEDTLS_X509_BADCRL_EXPIRED; |
| Simon Cooksey |
0:fb7af294d5d9 | 1699 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1700 | if( mbedtls_x509_time_is_future( &crl_list->this_update ) ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1701 | flags |= MBEDTLS_X509_BADCRL_FUTURE; |
| Simon Cooksey |
0:fb7af294d5d9 | 1702 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1703 | /* |
| Simon Cooksey |
0:fb7af294d5d9 | 1704 | * Check if certificate is revoked |
| Simon Cooksey |
0:fb7af294d5d9 | 1705 | */ |
| Simon Cooksey |
0:fb7af294d5d9 | 1706 | if( mbedtls_x509_crt_is_revoked( crt, crl_list ) ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1707 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 1708 | flags |= MBEDTLS_X509_BADCERT_REVOKED; |
| Simon Cooksey |
0:fb7af294d5d9 | 1709 | break; |
| Simon Cooksey |
0:fb7af294d5d9 | 1710 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 1711 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1712 | crl_list = crl_list->next; |
| Simon Cooksey |
0:fb7af294d5d9 | 1713 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 1714 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1715 | return( flags ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1716 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 1717 | #endif /* MBEDTLS_X509_CRL_PARSE_C */ |
| Simon Cooksey |
0:fb7af294d5d9 | 1718 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1719 | /* |
| Simon Cooksey |
0:fb7af294d5d9 | 1720 | * Like memcmp, but case-insensitive and always returns -1 if different |
| Simon Cooksey |
0:fb7af294d5d9 | 1721 | */ |
| Simon Cooksey |
0:fb7af294d5d9 | 1722 | static int x509_memcasecmp( const void *s1, const void *s2, size_t len ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1723 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 1724 | size_t i; |
| Simon Cooksey |
0:fb7af294d5d9 | 1725 | unsigned char diff; |
| Simon Cooksey |
0:fb7af294d5d9 | 1726 | const unsigned char *n1 = s1, *n2 = s2; |
| Simon Cooksey |
0:fb7af294d5d9 | 1727 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1728 | for( i = 0; i < len; i++ ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1729 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 1730 | diff = n1[i] ^ n2[i]; |
| Simon Cooksey |
0:fb7af294d5d9 | 1731 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1732 | if( diff == 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1733 | continue; |
| Simon Cooksey |
0:fb7af294d5d9 | 1734 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1735 | if( diff == 32 && |
| Simon Cooksey |
0:fb7af294d5d9 | 1736 | ( ( n1[i] >= 'a' && n1[i] <= 'z' ) || |
| Simon Cooksey |
0:fb7af294d5d9 | 1737 | ( n1[i] >= 'A' && n1[i] <= 'Z' ) ) ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1738 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 1739 | continue; |
| Simon Cooksey |
0:fb7af294d5d9 | 1740 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 1741 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1742 | return( -1 ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1743 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 1744 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1745 | return( 0 ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1746 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 1747 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1748 | /* |
| Simon Cooksey |
0:fb7af294d5d9 | 1749 | * Return 0 if name matches wildcard, -1 otherwise |
| Simon Cooksey |
0:fb7af294d5d9 | 1750 | */ |
| Simon Cooksey |
0:fb7af294d5d9 | 1751 | static int x509_check_wildcard( const char *cn, mbedtls_x509_buf *name ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1752 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 1753 | size_t i; |
| Simon Cooksey |
0:fb7af294d5d9 | 1754 | size_t cn_idx = 0, cn_len = strlen( cn ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1755 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1756 | if( name->len < 3 || name->p[0] != '*' || name->p[1] != '.' ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1757 | return( 0 ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1758 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1759 | for( i = 0; i < cn_len; ++i ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1760 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 1761 | if( cn[i] == '.' ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1762 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 1763 | cn_idx = i; |
| Simon Cooksey |
0:fb7af294d5d9 | 1764 | break; |
| Simon Cooksey |
0:fb7af294d5d9 | 1765 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 1766 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 1767 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1768 | if( cn_idx == 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1769 | return( -1 ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1770 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1771 | if( cn_len - cn_idx == name->len - 1 && |
| Simon Cooksey |
0:fb7af294d5d9 | 1772 | x509_memcasecmp( name->p + 1, cn + cn_idx, name->len - 1 ) == 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1773 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 1774 | return( 0 ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1775 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 1776 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1777 | return( -1 ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1778 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 1779 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1780 | /* |
| Simon Cooksey |
0:fb7af294d5d9 | 1781 | * Compare two X.509 strings, case-insensitive, and allowing for some encoding |
| Simon Cooksey |
0:fb7af294d5d9 | 1782 | * variations (but not all). |
| Simon Cooksey |
0:fb7af294d5d9 | 1783 | * |
| Simon Cooksey |
0:fb7af294d5d9 | 1784 | * Return 0 if equal, -1 otherwise. |
| Simon Cooksey |
0:fb7af294d5d9 | 1785 | */ |
| Simon Cooksey |
0:fb7af294d5d9 | 1786 | static int x509_string_cmp( const mbedtls_x509_buf *a, const mbedtls_x509_buf *b ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1787 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 1788 | if( a->tag == b->tag && |
| Simon Cooksey |
0:fb7af294d5d9 | 1789 | a->len == b->len && |
| Simon Cooksey |
0:fb7af294d5d9 | 1790 | memcmp( a->p, b->p, b->len ) == 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1791 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 1792 | return( 0 ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1793 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 1794 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1795 | if( ( a->tag == MBEDTLS_ASN1_UTF8_STRING || a->tag == MBEDTLS_ASN1_PRINTABLE_STRING ) && |
| Simon Cooksey |
0:fb7af294d5d9 | 1796 | ( b->tag == MBEDTLS_ASN1_UTF8_STRING || b->tag == MBEDTLS_ASN1_PRINTABLE_STRING ) && |
| Simon Cooksey |
0:fb7af294d5d9 | 1797 | a->len == b->len && |
| Simon Cooksey |
0:fb7af294d5d9 | 1798 | x509_memcasecmp( a->p, b->p, b->len ) == 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1799 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 1800 | return( 0 ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1801 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 1802 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1803 | return( -1 ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1804 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 1805 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1806 | /* |
| Simon Cooksey |
0:fb7af294d5d9 | 1807 | * Compare two X.509 Names (aka rdnSequence). |
| Simon Cooksey |
0:fb7af294d5d9 | 1808 | * |
| Simon Cooksey |
0:fb7af294d5d9 | 1809 | * See RFC 5280 section 7.1, though we don't implement the whole algorithm: |
| Simon Cooksey |
0:fb7af294d5d9 | 1810 | * we sometimes return unequal when the full algorithm would return equal, |
| Simon Cooksey |
0:fb7af294d5d9 | 1811 | * but never the other way. (In particular, we don't do Unicode normalisation |
| Simon Cooksey |
0:fb7af294d5d9 | 1812 | * or space folding.) |
| Simon Cooksey |
0:fb7af294d5d9 | 1813 | * |
| Simon Cooksey |
0:fb7af294d5d9 | 1814 | * Return 0 if equal, -1 otherwise. |
| Simon Cooksey |
0:fb7af294d5d9 | 1815 | */ |
| Simon Cooksey |
0:fb7af294d5d9 | 1816 | static int x509_name_cmp( const mbedtls_x509_name *a, const mbedtls_x509_name *b ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1817 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 1818 | /* Avoid recursion, it might not be optimised by the compiler */ |
| Simon Cooksey |
0:fb7af294d5d9 | 1819 | while( a != NULL || b != NULL ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1820 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 1821 | if( a == NULL || b == NULL ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1822 | return( -1 ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1823 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1824 | /* type */ |
| Simon Cooksey |
0:fb7af294d5d9 | 1825 | if( a->oid.tag != b->oid.tag || |
| Simon Cooksey |
0:fb7af294d5d9 | 1826 | a->oid.len != b->oid.len || |
| Simon Cooksey |
0:fb7af294d5d9 | 1827 | memcmp( a->oid.p, b->oid.p, b->oid.len ) != 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1828 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 1829 | return( -1 ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1830 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 1831 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1832 | /* value */ |
| Simon Cooksey |
0:fb7af294d5d9 | 1833 | if( x509_string_cmp( &a->val, &b->val ) != 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1834 | return( -1 ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1835 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1836 | /* structure of the list of sets */ |
| Simon Cooksey |
0:fb7af294d5d9 | 1837 | if( a->next_merged != b->next_merged ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1838 | return( -1 ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1839 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1840 | a = a->next; |
| Simon Cooksey |
0:fb7af294d5d9 | 1841 | b = b->next; |
| Simon Cooksey |
0:fb7af294d5d9 | 1842 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 1843 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1844 | /* a == NULL == b */ |
| Simon Cooksey |
0:fb7af294d5d9 | 1845 | return( 0 ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1846 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 1847 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1848 | /* |
| Simon Cooksey |
0:fb7af294d5d9 | 1849 | * Check if 'parent' is a suitable parent (signing CA) for 'child'. |
| Simon Cooksey |
0:fb7af294d5d9 | 1850 | * Return 0 if yes, -1 if not. |
| Simon Cooksey |
0:fb7af294d5d9 | 1851 | * |
| Simon Cooksey |
0:fb7af294d5d9 | 1852 | * top means parent is a locally-trusted certificate |
| Simon Cooksey |
0:fb7af294d5d9 | 1853 | * bottom means child is the end entity cert |
| Simon Cooksey |
0:fb7af294d5d9 | 1854 | */ |
| Simon Cooksey |
0:fb7af294d5d9 | 1855 | static int x509_crt_check_parent( const mbedtls_x509_crt *child, |
| Simon Cooksey |
0:fb7af294d5d9 | 1856 | const mbedtls_x509_crt *parent, |
| Simon Cooksey |
0:fb7af294d5d9 | 1857 | int top, int bottom ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1858 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 1859 | int need_ca_bit; |
| Simon Cooksey |
0:fb7af294d5d9 | 1860 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1861 | /* Parent must be the issuer */ |
| Simon Cooksey |
0:fb7af294d5d9 | 1862 | if( x509_name_cmp( &child->issuer, &parent->subject ) != 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1863 | return( -1 ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1864 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1865 | /* Parent must have the basicConstraints CA bit set as a general rule */ |
| Simon Cooksey |
0:fb7af294d5d9 | 1866 | need_ca_bit = 1; |
| Simon Cooksey |
0:fb7af294d5d9 | 1867 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1868 | /* Exception: v1/v2 certificates that are locally trusted. */ |
| Simon Cooksey |
0:fb7af294d5d9 | 1869 | if( top && parent->version < 3 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1870 | need_ca_bit = 0; |
| Simon Cooksey |
0:fb7af294d5d9 | 1871 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1872 | /* Exception: self-signed end-entity certs that are locally trusted. */ |
| Simon Cooksey |
0:fb7af294d5d9 | 1873 | if( top && bottom && |
| Simon Cooksey |
0:fb7af294d5d9 | 1874 | child->raw.len == parent->raw.len && |
| Simon Cooksey |
0:fb7af294d5d9 | 1875 | memcmp( child->raw.p, parent->raw.p, child->raw.len ) == 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1876 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 1877 | need_ca_bit = 0; |
| Simon Cooksey |
0:fb7af294d5d9 | 1878 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 1879 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1880 | if( need_ca_bit && ! parent->ca_istrue ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1881 | return( -1 ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1882 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1883 | #if defined(MBEDTLS_X509_CHECK_KEY_USAGE) |
| Simon Cooksey |
0:fb7af294d5d9 | 1884 | if( need_ca_bit && |
| Simon Cooksey |
0:fb7af294d5d9 | 1885 | mbedtls_x509_crt_check_key_usage( parent, MBEDTLS_X509_KU_KEY_CERT_SIGN ) != 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1886 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 1887 | return( -1 ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1888 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 1889 | #endif |
| Simon Cooksey |
0:fb7af294d5d9 | 1890 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1891 | return( 0 ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1892 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 1893 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1894 | static int x509_crt_verify_top( |
| Simon Cooksey |
0:fb7af294d5d9 | 1895 | mbedtls_x509_crt *child, mbedtls_x509_crt *trust_ca, |
| Simon Cooksey |
0:fb7af294d5d9 | 1896 | mbedtls_x509_crl *ca_crl, |
| Simon Cooksey |
0:fb7af294d5d9 | 1897 | const mbedtls_x509_crt_profile *profile, |
| Simon Cooksey |
0:fb7af294d5d9 | 1898 | int path_cnt, int self_cnt, uint32_t *flags, |
| Simon Cooksey |
0:fb7af294d5d9 | 1899 | int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), |
| Simon Cooksey |
0:fb7af294d5d9 | 1900 | void *p_vrfy ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1901 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 1902 | int ret; |
| Simon Cooksey |
0:fb7af294d5d9 | 1903 | uint32_t ca_flags = 0; |
| Simon Cooksey |
0:fb7af294d5d9 | 1904 | int check_path_cnt; |
| Simon Cooksey |
0:fb7af294d5d9 | 1905 | unsigned char hash[MBEDTLS_MD_MAX_SIZE]; |
| Simon Cooksey |
0:fb7af294d5d9 | 1906 | const mbedtls_md_info_t *md_info; |
| Simon Cooksey |
0:fb7af294d5d9 | 1907 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1908 | if( mbedtls_x509_time_is_past( &child->valid_to ) ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1909 | *flags |= MBEDTLS_X509_BADCERT_EXPIRED; |
| Simon Cooksey |
0:fb7af294d5d9 | 1910 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1911 | if( mbedtls_x509_time_is_future( &child->valid_from ) ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1912 | *flags |= MBEDTLS_X509_BADCERT_FUTURE; |
| Simon Cooksey |
0:fb7af294d5d9 | 1913 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1914 | if( x509_profile_check_md_alg( profile, child->sig_md ) != 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1915 | *flags |= MBEDTLS_X509_BADCERT_BAD_MD; |
| Simon Cooksey |
0:fb7af294d5d9 | 1916 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1917 | if( x509_profile_check_pk_alg( profile, child->sig_pk ) != 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1918 | *flags |= MBEDTLS_X509_BADCERT_BAD_PK; |
| Simon Cooksey |
0:fb7af294d5d9 | 1919 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1920 | /* |
| Simon Cooksey |
0:fb7af294d5d9 | 1921 | * Child is the top of the chain. Check against the trust_ca list. |
| Simon Cooksey |
0:fb7af294d5d9 | 1922 | */ |
| Simon Cooksey |
0:fb7af294d5d9 | 1923 | *flags |= MBEDTLS_X509_BADCERT_NOT_TRUSTED; |
| Simon Cooksey |
0:fb7af294d5d9 | 1924 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1925 | md_info = mbedtls_md_info_from_type( child->sig_md ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1926 | if( md_info == NULL ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1927 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 1928 | /* |
| Simon Cooksey |
0:fb7af294d5d9 | 1929 | * Cannot check 'unknown', no need to try any CA |
| Simon Cooksey |
0:fb7af294d5d9 | 1930 | */ |
| Simon Cooksey |
0:fb7af294d5d9 | 1931 | trust_ca = NULL; |
| Simon Cooksey |
0:fb7af294d5d9 | 1932 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 1933 | else |
| Simon Cooksey |
0:fb7af294d5d9 | 1934 | mbedtls_md( md_info, child->tbs.p, child->tbs.len, hash ); |
| Simon Cooksey |
0:fb7af294d5d9 | 1935 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1936 | for( /* trust_ca */ ; trust_ca != NULL; trust_ca = trust_ca->next ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1937 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 1938 | if( x509_crt_check_parent( child, trust_ca, 1, path_cnt == 0 ) != 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1939 | continue; |
| Simon Cooksey |
0:fb7af294d5d9 | 1940 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1941 | check_path_cnt = path_cnt + 1; |
| Simon Cooksey |
0:fb7af294d5d9 | 1942 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1943 | /* |
| Simon Cooksey |
0:fb7af294d5d9 | 1944 | * Reduce check_path_cnt to check against if top of the chain is |
| Simon Cooksey |
0:fb7af294d5d9 | 1945 | * the same as the trusted CA |
| Simon Cooksey |
0:fb7af294d5d9 | 1946 | */ |
| Simon Cooksey |
0:fb7af294d5d9 | 1947 | if( child->subject_raw.len == trust_ca->subject_raw.len && |
| Simon Cooksey |
0:fb7af294d5d9 | 1948 | memcmp( child->subject_raw.p, trust_ca->subject_raw.p, |
| Simon Cooksey |
0:fb7af294d5d9 | 1949 | child->issuer_raw.len ) == 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1950 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 1951 | check_path_cnt--; |
| Simon Cooksey |
0:fb7af294d5d9 | 1952 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 1953 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1954 | /* Self signed certificates do not count towards the limit */ |
| Simon Cooksey |
0:fb7af294d5d9 | 1955 | if( trust_ca->max_pathlen > 0 && |
| Simon Cooksey |
0:fb7af294d5d9 | 1956 | trust_ca->max_pathlen < check_path_cnt - self_cnt ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1957 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 1958 | continue; |
| Simon Cooksey |
0:fb7af294d5d9 | 1959 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 1960 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1961 | if( mbedtls_x509_time_is_past( &trust_ca->valid_to ) ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1962 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 1963 | continue; |
| Simon Cooksey |
0:fb7af294d5d9 | 1964 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 1965 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1966 | if( mbedtls_x509_time_is_future( &trust_ca->valid_from ) ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1967 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 1968 | continue; |
| Simon Cooksey |
0:fb7af294d5d9 | 1969 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 1970 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1971 | if( mbedtls_pk_verify_ext( child->sig_pk, child->sig_opts, &trust_ca->pk, |
| Simon Cooksey |
0:fb7af294d5d9 | 1972 | child->sig_md, hash, mbedtls_md_get_size( md_info ), |
| Simon Cooksey |
0:fb7af294d5d9 | 1973 | child->sig.p, child->sig.len ) != 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1974 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 1975 | continue; |
| Simon Cooksey |
0:fb7af294d5d9 | 1976 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 1977 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1978 | /* |
| Simon Cooksey |
0:fb7af294d5d9 | 1979 | * Top of chain is signed by a trusted CA |
| Simon Cooksey |
0:fb7af294d5d9 | 1980 | */ |
| Simon Cooksey |
0:fb7af294d5d9 | 1981 | *flags &= ~MBEDTLS_X509_BADCERT_NOT_TRUSTED; |
| Simon Cooksey |
0:fb7af294d5d9 | 1982 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1983 | if( x509_profile_check_key( profile, child->sig_pk, &trust_ca->pk ) != 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1984 | *flags |= MBEDTLS_X509_BADCERT_BAD_KEY; |
| Simon Cooksey |
0:fb7af294d5d9 | 1985 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1986 | break; |
| Simon Cooksey |
0:fb7af294d5d9 | 1987 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 1988 | |
| Simon Cooksey |
0:fb7af294d5d9 | 1989 | /* |
| Simon Cooksey |
0:fb7af294d5d9 | 1990 | * If top of chain is not the same as the trusted CA send a verify request |
| Simon Cooksey |
0:fb7af294d5d9 | 1991 | * to the callback for any issues with validity and CRL presence for the |
| Simon Cooksey |
0:fb7af294d5d9 | 1992 | * trusted CA certificate. |
| Simon Cooksey |
0:fb7af294d5d9 | 1993 | */ |
| Simon Cooksey |
0:fb7af294d5d9 | 1994 | if( trust_ca != NULL && |
| Simon Cooksey |
0:fb7af294d5d9 | 1995 | ( child->subject_raw.len != trust_ca->subject_raw.len || |
| Simon Cooksey |
0:fb7af294d5d9 | 1996 | memcmp( child->subject_raw.p, trust_ca->subject_raw.p, |
| Simon Cooksey |
0:fb7af294d5d9 | 1997 | child->issuer_raw.len ) != 0 ) ) |
| Simon Cooksey |
0:fb7af294d5d9 | 1998 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 1999 | #if defined(MBEDTLS_X509_CRL_PARSE_C) |
| Simon Cooksey |
0:fb7af294d5d9 | 2000 | /* Check trusted CA's CRL for the chain's top crt */ |
| Simon Cooksey |
0:fb7af294d5d9 | 2001 | *flags |= x509_crt_verifycrl( child, trust_ca, ca_crl, profile ); |
| Simon Cooksey |
0:fb7af294d5d9 | 2002 | #else |
| Simon Cooksey |
0:fb7af294d5d9 | 2003 | ((void) ca_crl); |
| Simon Cooksey |
0:fb7af294d5d9 | 2004 | #endif |
| Simon Cooksey |
0:fb7af294d5d9 | 2005 | |
| Simon Cooksey |
0:fb7af294d5d9 | 2006 | if( NULL != f_vrfy ) |
| Simon Cooksey |
0:fb7af294d5d9 | 2007 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 2008 | if( ( ret = f_vrfy( p_vrfy, trust_ca, path_cnt + 1, |
| Simon Cooksey |
0:fb7af294d5d9 | 2009 | &ca_flags ) ) != 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 2010 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 2011 | return( ret ); |
| Simon Cooksey |
0:fb7af294d5d9 | 2012 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 2013 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 2014 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 2015 | |
| Simon Cooksey |
0:fb7af294d5d9 | 2016 | /* Call callback on top cert */ |
| Simon Cooksey |
0:fb7af294d5d9 | 2017 | if( NULL != f_vrfy ) |
| Simon Cooksey |
0:fb7af294d5d9 | 2018 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 2019 | if( ( ret = f_vrfy( p_vrfy, child, path_cnt, flags ) ) != 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 2020 | return( ret ); |
| Simon Cooksey |
0:fb7af294d5d9 | 2021 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 2022 | |
| Simon Cooksey |
0:fb7af294d5d9 | 2023 | *flags |= ca_flags; |
| Simon Cooksey |
0:fb7af294d5d9 | 2024 | |
| Simon Cooksey |
0:fb7af294d5d9 | 2025 | return( 0 ); |
| Simon Cooksey |
0:fb7af294d5d9 | 2026 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 2027 | |
| Simon Cooksey |
0:fb7af294d5d9 | 2028 | static int x509_crt_verify_child( |
| Simon Cooksey |
0:fb7af294d5d9 | 2029 | mbedtls_x509_crt *child, mbedtls_x509_crt *parent, |
| Simon Cooksey |
0:fb7af294d5d9 | 2030 | mbedtls_x509_crt *trust_ca, mbedtls_x509_crl *ca_crl, |
| Simon Cooksey |
0:fb7af294d5d9 | 2031 | const mbedtls_x509_crt_profile *profile, |
| Simon Cooksey |
0:fb7af294d5d9 | 2032 | int path_cnt, int self_cnt, uint32_t *flags, |
| Simon Cooksey |
0:fb7af294d5d9 | 2033 | int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), |
| Simon Cooksey |
0:fb7af294d5d9 | 2034 | void *p_vrfy ) |
| Simon Cooksey |
0:fb7af294d5d9 | 2035 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 2036 | int ret; |
| Simon Cooksey |
0:fb7af294d5d9 | 2037 | uint32_t parent_flags = 0; |
| Simon Cooksey |
0:fb7af294d5d9 | 2038 | unsigned char hash[MBEDTLS_MD_MAX_SIZE]; |
| Simon Cooksey |
0:fb7af294d5d9 | 2039 | mbedtls_x509_crt *grandparent; |
| Simon Cooksey |
0:fb7af294d5d9 | 2040 | const mbedtls_md_info_t *md_info; |
| Simon Cooksey |
0:fb7af294d5d9 | 2041 | |
| Simon Cooksey |
0:fb7af294d5d9 | 2042 | /* Counting intermediate self signed certificates */ |
| Simon Cooksey |
0:fb7af294d5d9 | 2043 | if( ( path_cnt != 0 ) && x509_name_cmp( &child->issuer, &child->subject ) == 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 2044 | self_cnt++; |
| Simon Cooksey |
0:fb7af294d5d9 | 2045 | |
| Simon Cooksey |
0:fb7af294d5d9 | 2046 | /* path_cnt is 0 for the first intermediate CA */ |
| Simon Cooksey |
0:fb7af294d5d9 | 2047 | if( 1 + path_cnt > MBEDTLS_X509_MAX_INTERMEDIATE_CA ) |
| Simon Cooksey |
0:fb7af294d5d9 | 2048 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 2049 | *flags |= MBEDTLS_X509_BADCERT_NOT_TRUSTED; |
| Simon Cooksey |
0:fb7af294d5d9 | 2050 | return( MBEDTLS_ERR_X509_CERT_VERIFY_FAILED ); |
| Simon Cooksey |
0:fb7af294d5d9 | 2051 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 2052 | |
| Simon Cooksey |
0:fb7af294d5d9 | 2053 | if( mbedtls_x509_time_is_past( &child->valid_to ) ) |
| Simon Cooksey |
0:fb7af294d5d9 | 2054 | *flags |= MBEDTLS_X509_BADCERT_EXPIRED; |
| Simon Cooksey |
0:fb7af294d5d9 | 2055 | |
| Simon Cooksey |
0:fb7af294d5d9 | 2056 | if( mbedtls_x509_time_is_future( &child->valid_from ) ) |
| Simon Cooksey |
0:fb7af294d5d9 | 2057 | *flags |= MBEDTLS_X509_BADCERT_FUTURE; |
| Simon Cooksey |
0:fb7af294d5d9 | 2058 | |
| Simon Cooksey |
0:fb7af294d5d9 | 2059 | if( x509_profile_check_md_alg( profile, child->sig_md ) != 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 2060 | *flags |= MBEDTLS_X509_BADCERT_BAD_MD; |
| Simon Cooksey |
0:fb7af294d5d9 | 2061 | |
| Simon Cooksey |
0:fb7af294d5d9 | 2062 | if( x509_profile_check_pk_alg( profile, child->sig_pk ) != 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 2063 | *flags |= MBEDTLS_X509_BADCERT_BAD_PK; |
| Simon Cooksey |
0:fb7af294d5d9 | 2064 | |
| Simon Cooksey |
0:fb7af294d5d9 | 2065 | md_info = mbedtls_md_info_from_type( child->sig_md ); |
| Simon Cooksey |
0:fb7af294d5d9 | 2066 | if( md_info == NULL ) |
| Simon Cooksey |
0:fb7af294d5d9 | 2067 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 2068 | /* |
| Simon Cooksey |
0:fb7af294d5d9 | 2069 | * Cannot check 'unknown' hash |
| Simon Cooksey |
0:fb7af294d5d9 | 2070 | */ |
| Simon Cooksey |
0:fb7af294d5d9 | 2071 | *flags |= MBEDTLS_X509_BADCERT_NOT_TRUSTED; |
| Simon Cooksey |
0:fb7af294d5d9 | 2072 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 2073 | else |
| Simon Cooksey |
0:fb7af294d5d9 | 2074 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 2075 | mbedtls_md( md_info, child->tbs.p, child->tbs.len, hash ); |
| Simon Cooksey |
0:fb7af294d5d9 | 2076 | |
| Simon Cooksey |
0:fb7af294d5d9 | 2077 | if( x509_profile_check_key( profile, child->sig_pk, &parent->pk ) != 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 2078 | *flags |= MBEDTLS_X509_BADCERT_BAD_KEY; |
| Simon Cooksey |
0:fb7af294d5d9 | 2079 | |
| Simon Cooksey |
0:fb7af294d5d9 | 2080 | if( mbedtls_pk_verify_ext( child->sig_pk, child->sig_opts, &parent->pk, |
| Simon Cooksey |
0:fb7af294d5d9 | 2081 | child->sig_md, hash, mbedtls_md_get_size( md_info ), |
| Simon Cooksey |
0:fb7af294d5d9 | 2082 | child->sig.p, child->sig.len ) != 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 2083 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 2084 | *flags |= MBEDTLS_X509_BADCERT_NOT_TRUSTED; |
| Simon Cooksey |
0:fb7af294d5d9 | 2085 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 2086 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 2087 | |
| Simon Cooksey |
0:fb7af294d5d9 | 2088 | #if defined(MBEDTLS_X509_CRL_PARSE_C) |
| Simon Cooksey |
0:fb7af294d5d9 | 2089 | /* Check trusted CA's CRL for the given crt */ |
| Simon Cooksey |
0:fb7af294d5d9 | 2090 | *flags |= x509_crt_verifycrl(child, parent, ca_crl, profile ); |
| Simon Cooksey |
0:fb7af294d5d9 | 2091 | #endif |
| Simon Cooksey |
0:fb7af294d5d9 | 2092 | |
| Simon Cooksey |
0:fb7af294d5d9 | 2093 | /* Look for a grandparent in trusted CAs */ |
| Simon Cooksey |
0:fb7af294d5d9 | 2094 | for( grandparent = trust_ca; |
| Simon Cooksey |
0:fb7af294d5d9 | 2095 | grandparent != NULL; |
| Simon Cooksey |
0:fb7af294d5d9 | 2096 | grandparent = grandparent->next ) |
| Simon Cooksey |
0:fb7af294d5d9 | 2097 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 2098 | if( x509_crt_check_parent( parent, grandparent, |
| Simon Cooksey |
0:fb7af294d5d9 | 2099 | 0, path_cnt == 0 ) == 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 2100 | break; |
| Simon Cooksey |
0:fb7af294d5d9 | 2101 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 2102 | |
| Simon Cooksey |
0:fb7af294d5d9 | 2103 | if( grandparent != NULL ) |
| Simon Cooksey |
0:fb7af294d5d9 | 2104 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 2105 | ret = x509_crt_verify_top( parent, grandparent, ca_crl, profile, |
| Simon Cooksey |
0:fb7af294d5d9 | 2106 | path_cnt + 1, self_cnt, &parent_flags, f_vrfy, p_vrfy ); |
| Simon Cooksey |
0:fb7af294d5d9 | 2107 | if( ret != 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 2108 | return( ret ); |
| Simon Cooksey |
0:fb7af294d5d9 | 2109 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 2110 | else |
| Simon Cooksey |
0:fb7af294d5d9 | 2111 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 2112 | /* Look for a grandparent upwards the chain */ |
| Simon Cooksey |
0:fb7af294d5d9 | 2113 | for( grandparent = parent->next; |
| Simon Cooksey |
0:fb7af294d5d9 | 2114 | grandparent != NULL; |
| Simon Cooksey |
0:fb7af294d5d9 | 2115 | grandparent = grandparent->next ) |
| Simon Cooksey |
0:fb7af294d5d9 | 2116 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 2117 | /* +2 because the current step is not yet accounted for |
| Simon Cooksey |
0:fb7af294d5d9 | 2118 | * and because max_pathlen is one higher than it should be. |
| Simon Cooksey |
0:fb7af294d5d9 | 2119 | * Also self signed certificates do not count to the limit. */ |
| Simon Cooksey |
0:fb7af294d5d9 | 2120 | if( grandparent->max_pathlen > 0 && |
| Simon Cooksey |
0:fb7af294d5d9 | 2121 | grandparent->max_pathlen < 2 + path_cnt - self_cnt ) |
| Simon Cooksey |
0:fb7af294d5d9 | 2122 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 2123 | continue; |
| Simon Cooksey |
0:fb7af294d5d9 | 2124 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 2125 | |
| Simon Cooksey |
0:fb7af294d5d9 | 2126 | if( x509_crt_check_parent( parent, grandparent, |
| Simon Cooksey |
0:fb7af294d5d9 | 2127 | 0, path_cnt == 0 ) == 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 2128 | break; |
| Simon Cooksey |
0:fb7af294d5d9 | 2129 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 2130 | |
| Simon Cooksey |
0:fb7af294d5d9 | 2131 | /* Is our parent part of the chain or at the top? */ |
| Simon Cooksey |
0:fb7af294d5d9 | 2132 | if( grandparent != NULL ) |
| Simon Cooksey |
0:fb7af294d5d9 | 2133 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 2134 | ret = x509_crt_verify_child( parent, grandparent, trust_ca, ca_crl, |
| Simon Cooksey |
0:fb7af294d5d9 | 2135 | profile, path_cnt + 1, self_cnt, &parent_flags, |
| Simon Cooksey |
0:fb7af294d5d9 | 2136 | f_vrfy, p_vrfy ); |
| Simon Cooksey |
0:fb7af294d5d9 | 2137 | if( ret != 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 2138 | return( ret ); |
| Simon Cooksey |
0:fb7af294d5d9 | 2139 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 2140 | else |
| Simon Cooksey |
0:fb7af294d5d9 | 2141 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 2142 | ret = x509_crt_verify_top( parent, trust_ca, ca_crl, profile, |
| Simon Cooksey |
0:fb7af294d5d9 | 2143 | path_cnt + 1, self_cnt, &parent_flags, |
| Simon Cooksey |
0:fb7af294d5d9 | 2144 | f_vrfy, p_vrfy ); |
| Simon Cooksey |
0:fb7af294d5d9 | 2145 | if( ret != 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 2146 | return( ret ); |
| Simon Cooksey |
0:fb7af294d5d9 | 2147 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 2148 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 2149 | |
| Simon Cooksey |
0:fb7af294d5d9 | 2150 | /* child is verified to be a child of the parent, call verify callback */ |
| Simon Cooksey |
0:fb7af294d5d9 | 2151 | if( NULL != f_vrfy ) |
| Simon Cooksey |
0:fb7af294d5d9 | 2152 | if( ( ret = f_vrfy( p_vrfy, child, path_cnt, flags ) ) != 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 2153 | return( ret ); |
| Simon Cooksey |
0:fb7af294d5d9 | 2154 | |
| Simon Cooksey |
0:fb7af294d5d9 | 2155 | *flags |= parent_flags; |
| Simon Cooksey |
0:fb7af294d5d9 | 2156 | |
| Simon Cooksey |
0:fb7af294d5d9 | 2157 | return( 0 ); |
| Simon Cooksey |
0:fb7af294d5d9 | 2158 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 2159 | |
| Simon Cooksey |
0:fb7af294d5d9 | 2160 | /* |
| Simon Cooksey |
0:fb7af294d5d9 | 2161 | * Verify the certificate validity |
| Simon Cooksey |
0:fb7af294d5d9 | 2162 | */ |
| Simon Cooksey |
0:fb7af294d5d9 | 2163 | int mbedtls_x509_crt_verify( mbedtls_x509_crt *crt, |
| Simon Cooksey |
0:fb7af294d5d9 | 2164 | mbedtls_x509_crt *trust_ca, |
| Simon Cooksey |
0:fb7af294d5d9 | 2165 | mbedtls_x509_crl *ca_crl, |
| Simon Cooksey |
0:fb7af294d5d9 | 2166 | const char *cn, uint32_t *flags, |
| Simon Cooksey |
0:fb7af294d5d9 | 2167 | int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), |
| Simon Cooksey |
0:fb7af294d5d9 | 2168 | void *p_vrfy ) |
| Simon Cooksey |
0:fb7af294d5d9 | 2169 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 2170 | return( mbedtls_x509_crt_verify_with_profile( crt, trust_ca, ca_crl, |
| Simon Cooksey |
0:fb7af294d5d9 | 2171 | &mbedtls_x509_crt_profile_default, cn, flags, f_vrfy, p_vrfy ) ); |
| Simon Cooksey |
0:fb7af294d5d9 | 2172 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 2173 | |
| Simon Cooksey |
0:fb7af294d5d9 | 2174 | |
| Simon Cooksey |
0:fb7af294d5d9 | 2175 | /* |
| Simon Cooksey |
0:fb7af294d5d9 | 2176 | * Verify the certificate validity, with profile |
| Simon Cooksey |
0:fb7af294d5d9 | 2177 | */ |
| Simon Cooksey |
0:fb7af294d5d9 | 2178 | int mbedtls_x509_crt_verify_with_profile( mbedtls_x509_crt *crt, |
| Simon Cooksey |
0:fb7af294d5d9 | 2179 | mbedtls_x509_crt *trust_ca, |
| Simon Cooksey |
0:fb7af294d5d9 | 2180 | mbedtls_x509_crl *ca_crl, |
| Simon Cooksey |
0:fb7af294d5d9 | 2181 | const mbedtls_x509_crt_profile *profile, |
| Simon Cooksey |
0:fb7af294d5d9 | 2182 | const char *cn, uint32_t *flags, |
| Simon Cooksey |
0:fb7af294d5d9 | 2183 | int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), |
| Simon Cooksey |
0:fb7af294d5d9 | 2184 | void *p_vrfy ) |
| Simon Cooksey |
0:fb7af294d5d9 | 2185 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 2186 | size_t cn_len; |
| Simon Cooksey |
0:fb7af294d5d9 | 2187 | int ret; |
| Simon Cooksey |
0:fb7af294d5d9 | 2188 | int pathlen = 0, selfsigned = 0; |
| Simon Cooksey |
0:fb7af294d5d9 | 2189 | mbedtls_x509_crt *parent; |
| Simon Cooksey |
0:fb7af294d5d9 | 2190 | mbedtls_x509_name *name; |
| Simon Cooksey |
0:fb7af294d5d9 | 2191 | mbedtls_x509_sequence *cur = NULL; |
| Simon Cooksey |
0:fb7af294d5d9 | 2192 | mbedtls_pk_type_t pk_type; |
| Simon Cooksey |
0:fb7af294d5d9 | 2193 | |
| Simon Cooksey |
0:fb7af294d5d9 | 2194 | if( profile == NULL ) |
| Simon Cooksey |
0:fb7af294d5d9 | 2195 | return( MBEDTLS_ERR_X509_BAD_INPUT_DATA ); |
| Simon Cooksey |
0:fb7af294d5d9 | 2196 | |
| Simon Cooksey |
0:fb7af294d5d9 | 2197 | *flags = 0; |
| Simon Cooksey |
0:fb7af294d5d9 | 2198 | |
| Simon Cooksey |
0:fb7af294d5d9 | 2199 | if( cn != NULL ) |
| Simon Cooksey |
0:fb7af294d5d9 | 2200 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 2201 | name = &crt->subject; |
| Simon Cooksey |
0:fb7af294d5d9 | 2202 | cn_len = strlen( cn ); |
| Simon Cooksey |
0:fb7af294d5d9 | 2203 | |
| Simon Cooksey |
0:fb7af294d5d9 | 2204 | if( crt->ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME ) |
| Simon Cooksey |
0:fb7af294d5d9 | 2205 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 2206 | cur = &crt->subject_alt_names; |
| Simon Cooksey |
0:fb7af294d5d9 | 2207 | |
| Simon Cooksey |
0:fb7af294d5d9 | 2208 | while( cur != NULL ) |
| Simon Cooksey |
0:fb7af294d5d9 | 2209 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 2210 | if( cur->buf.len == cn_len && |
| Simon Cooksey |
0:fb7af294d5d9 | 2211 | x509_memcasecmp( cn, cur->buf.p, cn_len ) == 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 2212 | break; |
| Simon Cooksey |
0:fb7af294d5d9 | 2213 | |
| Simon Cooksey |
0:fb7af294d5d9 | 2214 | if( cur->buf.len > 2 && |
| Simon Cooksey |
0:fb7af294d5d9 | 2215 | memcmp( cur->buf.p, "*.", 2 ) == 0 && |
| Simon Cooksey |
0:fb7af294d5d9 | 2216 | x509_check_wildcard( cn, &cur->buf ) == 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 2217 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 2218 | break; |
| Simon Cooksey |
0:fb7af294d5d9 | 2219 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 2220 | |
| Simon Cooksey |
0:fb7af294d5d9 | 2221 | cur = cur->next; |
| Simon Cooksey |
0:fb7af294d5d9 | 2222 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 2223 | |
| Simon Cooksey |
0:fb7af294d5d9 | 2224 | if( cur == NULL ) |
| Simon Cooksey |
0:fb7af294d5d9 | 2225 | *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH; |
| Simon Cooksey |
0:fb7af294d5d9 | 2226 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 2227 | else |
| Simon Cooksey |
0:fb7af294d5d9 | 2228 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 2229 | while( name != NULL ) |
| Simon Cooksey |
0:fb7af294d5d9 | 2230 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 2231 | if( MBEDTLS_OID_CMP( MBEDTLS_OID_AT_CN, &name->oid ) == 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 2232 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 2233 | if( name->val.len == cn_len && |
| Simon Cooksey |
0:fb7af294d5d9 | 2234 | x509_memcasecmp( name->val.p, cn, cn_len ) == 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 2235 | break; |
| Simon Cooksey |
0:fb7af294d5d9 | 2236 | |
| Simon Cooksey |
0:fb7af294d5d9 | 2237 | if( name->val.len > 2 && |
| Simon Cooksey |
0:fb7af294d5d9 | 2238 | memcmp( name->val.p, "*.", 2 ) == 0 && |
| Simon Cooksey |
0:fb7af294d5d9 | 2239 | x509_check_wildcard( cn, &name->val ) == 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 2240 | break; |
| Simon Cooksey |
0:fb7af294d5d9 | 2241 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 2242 | |
| Simon Cooksey |
0:fb7af294d5d9 | 2243 | name = name->next; |
| Simon Cooksey |
0:fb7af294d5d9 | 2244 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 2245 | |
| Simon Cooksey |
0:fb7af294d5d9 | 2246 | if( name == NULL ) |
| Simon Cooksey |
0:fb7af294d5d9 | 2247 | *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH; |
| Simon Cooksey |
0:fb7af294d5d9 | 2248 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 2249 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 2250 | |
| Simon Cooksey |
0:fb7af294d5d9 | 2251 | /* Check the type and size of the key */ |
| Simon Cooksey |
0:fb7af294d5d9 | 2252 | pk_type = mbedtls_pk_get_type( &crt->pk ); |
| Simon Cooksey |
0:fb7af294d5d9 | 2253 | |
| Simon Cooksey |
0:fb7af294d5d9 | 2254 | if( x509_profile_check_pk_alg( profile, pk_type ) != 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 2255 | *flags |= MBEDTLS_X509_BADCERT_BAD_PK; |
| Simon Cooksey |
0:fb7af294d5d9 | 2256 | |
| Simon Cooksey |
0:fb7af294d5d9 | 2257 | if( x509_profile_check_key( profile, pk_type, &crt->pk ) != 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 2258 | *flags |= MBEDTLS_X509_BADCERT_BAD_KEY; |
| Simon Cooksey |
0:fb7af294d5d9 | 2259 | |
| Simon Cooksey |
0:fb7af294d5d9 | 2260 | /* Look for a parent in trusted CAs */ |
| Simon Cooksey |
0:fb7af294d5d9 | 2261 | for( parent = trust_ca; parent != NULL; parent = parent->next ) |
| Simon Cooksey |
0:fb7af294d5d9 | 2262 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 2263 | if( x509_crt_check_parent( crt, parent, 0, pathlen == 0 ) == 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 2264 | break; |
| Simon Cooksey |
0:fb7af294d5d9 | 2265 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 2266 | |
| Simon Cooksey |
0:fb7af294d5d9 | 2267 | if( parent != NULL ) |
| Simon Cooksey |
0:fb7af294d5d9 | 2268 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 2269 | ret = x509_crt_verify_top( crt, parent, ca_crl, profile, |
| Simon Cooksey |
0:fb7af294d5d9 | 2270 | pathlen, selfsigned, flags, f_vrfy, p_vrfy ); |
| Simon Cooksey |
0:fb7af294d5d9 | 2271 | if( ret != 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 2272 | return( ret ); |
| Simon Cooksey |
0:fb7af294d5d9 | 2273 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 2274 | else |
| Simon Cooksey |
0:fb7af294d5d9 | 2275 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 2276 | /* Look for a parent upwards the chain */ |
| Simon Cooksey |
0:fb7af294d5d9 | 2277 | for( parent = crt->next; parent != NULL; parent = parent->next ) |
| Simon Cooksey |
0:fb7af294d5d9 | 2278 | if( x509_crt_check_parent( crt, parent, 0, pathlen == 0 ) == 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 2279 | break; |
| Simon Cooksey |
0:fb7af294d5d9 | 2280 | |
| Simon Cooksey |
0:fb7af294d5d9 | 2281 | /* Are we part of the chain or at the top? */ |
| Simon Cooksey |
0:fb7af294d5d9 | 2282 | if( parent != NULL ) |
| Simon Cooksey |
0:fb7af294d5d9 | 2283 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 2284 | ret = x509_crt_verify_child( crt, parent, trust_ca, ca_crl, profile, |
| Simon Cooksey |
0:fb7af294d5d9 | 2285 | pathlen, selfsigned, flags, f_vrfy, p_vrfy ); |
| Simon Cooksey |
0:fb7af294d5d9 | 2286 | if( ret != 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 2287 | return( ret ); |
| Simon Cooksey |
0:fb7af294d5d9 | 2288 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 2289 | else |
| Simon Cooksey |
0:fb7af294d5d9 | 2290 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 2291 | ret = x509_crt_verify_top( crt, trust_ca, ca_crl, profile, |
| Simon Cooksey |
0:fb7af294d5d9 | 2292 | pathlen, selfsigned, flags, f_vrfy, p_vrfy ); |
| Simon Cooksey |
0:fb7af294d5d9 | 2293 | if( ret != 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 2294 | return( ret ); |
| Simon Cooksey |
0:fb7af294d5d9 | 2295 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 2296 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 2297 | |
| Simon Cooksey |
0:fb7af294d5d9 | 2298 | if( *flags != 0 ) |
| Simon Cooksey |
0:fb7af294d5d9 | 2299 | return( MBEDTLS_ERR_X509_CERT_VERIFY_FAILED ); |
| Simon Cooksey |
0:fb7af294d5d9 | 2300 | |
| Simon Cooksey |
0:fb7af294d5d9 | 2301 | return( 0 ); |
| Simon Cooksey |
0:fb7af294d5d9 | 2302 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 2303 | |
| Simon Cooksey |
0:fb7af294d5d9 | 2304 | /* |
| Simon Cooksey |
0:fb7af294d5d9 | 2305 | * Initialize a certificate chain |
| Simon Cooksey |
0:fb7af294d5d9 | 2306 | */ |
| Simon Cooksey |
0:fb7af294d5d9 | 2307 | void mbedtls_x509_crt_init( mbedtls_x509_crt *crt ) |
| Simon Cooksey |
0:fb7af294d5d9 | 2308 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 2309 | memset( crt, 0, sizeof(mbedtls_x509_crt) ); |
| Simon Cooksey |
0:fb7af294d5d9 | 2310 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 2311 | |
| Simon Cooksey |
0:fb7af294d5d9 | 2312 | /* |
| Simon Cooksey |
0:fb7af294d5d9 | 2313 | * Unallocate all certificate data |
| Simon Cooksey |
0:fb7af294d5d9 | 2314 | */ |
| Simon Cooksey |
0:fb7af294d5d9 | 2315 | void mbedtls_x509_crt_free( mbedtls_x509_crt *crt ) |
| Simon Cooksey |
0:fb7af294d5d9 | 2316 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 2317 | mbedtls_x509_crt *cert_cur = crt; |
| Simon Cooksey |
0:fb7af294d5d9 | 2318 | mbedtls_x509_crt *cert_prv; |
| Simon Cooksey |
0:fb7af294d5d9 | 2319 | mbedtls_x509_name *name_cur; |
| Simon Cooksey |
0:fb7af294d5d9 | 2320 | mbedtls_x509_name *name_prv; |
| Simon Cooksey |
0:fb7af294d5d9 | 2321 | mbedtls_x509_sequence *seq_cur; |
| Simon Cooksey |
0:fb7af294d5d9 | 2322 | mbedtls_x509_sequence *seq_prv; |
| Simon Cooksey |
0:fb7af294d5d9 | 2323 | |
| Simon Cooksey |
0:fb7af294d5d9 | 2324 | if( crt == NULL ) |
| Simon Cooksey |
0:fb7af294d5d9 | 2325 | return; |
| Simon Cooksey |
0:fb7af294d5d9 | 2326 | |
| Simon Cooksey |
0:fb7af294d5d9 | 2327 | do |
| Simon Cooksey |
0:fb7af294d5d9 | 2328 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 2329 | mbedtls_pk_free( &cert_cur->pk ); |
| Simon Cooksey |
0:fb7af294d5d9 | 2330 | |
| Simon Cooksey |
0:fb7af294d5d9 | 2331 | #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) |
| Simon Cooksey |
0:fb7af294d5d9 | 2332 | mbedtls_free( cert_cur->sig_opts ); |
| Simon Cooksey |
0:fb7af294d5d9 | 2333 | #endif |
| Simon Cooksey |
0:fb7af294d5d9 | 2334 | |
| Simon Cooksey |
0:fb7af294d5d9 | 2335 | name_cur = cert_cur->issuer.next; |
| Simon Cooksey |
0:fb7af294d5d9 | 2336 | while( name_cur != NULL ) |
| Simon Cooksey |
0:fb7af294d5d9 | 2337 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 2338 | name_prv = name_cur; |
| Simon Cooksey |
0:fb7af294d5d9 | 2339 | name_cur = name_cur->next; |
| Simon Cooksey |
0:fb7af294d5d9 | 2340 | mbedtls_zeroize( name_prv, sizeof( mbedtls_x509_name ) ); |
| Simon Cooksey |
0:fb7af294d5d9 | 2341 | mbedtls_free( name_prv ); |
| Simon Cooksey |
0:fb7af294d5d9 | 2342 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 2343 | |
| Simon Cooksey |
0:fb7af294d5d9 | 2344 | name_cur = cert_cur->subject.next; |
| Simon Cooksey |
0:fb7af294d5d9 | 2345 | while( name_cur != NULL ) |
| Simon Cooksey |
0:fb7af294d5d9 | 2346 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 2347 | name_prv = name_cur; |
| Simon Cooksey |
0:fb7af294d5d9 | 2348 | name_cur = name_cur->next; |
| Simon Cooksey |
0:fb7af294d5d9 | 2349 | mbedtls_zeroize( name_prv, sizeof( mbedtls_x509_name ) ); |
| Simon Cooksey |
0:fb7af294d5d9 | 2350 | mbedtls_free( name_prv ); |
| Simon Cooksey |
0:fb7af294d5d9 | 2351 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 2352 | |
| Simon Cooksey |
0:fb7af294d5d9 | 2353 | seq_cur = cert_cur->ext_key_usage.next; |
| Simon Cooksey |
0:fb7af294d5d9 | 2354 | while( seq_cur != NULL ) |
| Simon Cooksey |
0:fb7af294d5d9 | 2355 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 2356 | seq_prv = seq_cur; |
| Simon Cooksey |
0:fb7af294d5d9 | 2357 | seq_cur = seq_cur->next; |
| Simon Cooksey |
0:fb7af294d5d9 | 2358 | mbedtls_zeroize( seq_prv, sizeof( mbedtls_x509_sequence ) ); |
| Simon Cooksey |
0:fb7af294d5d9 | 2359 | mbedtls_free( seq_prv ); |
| Simon Cooksey |
0:fb7af294d5d9 | 2360 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 2361 | |
| Simon Cooksey |
0:fb7af294d5d9 | 2362 | seq_cur = cert_cur->subject_alt_names.next; |
| Simon Cooksey |
0:fb7af294d5d9 | 2363 | while( seq_cur != NULL ) |
| Simon Cooksey |
0:fb7af294d5d9 | 2364 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 2365 | seq_prv = seq_cur; |
| Simon Cooksey |
0:fb7af294d5d9 | 2366 | seq_cur = seq_cur->next; |
| Simon Cooksey |
0:fb7af294d5d9 | 2367 | mbedtls_zeroize( seq_prv, sizeof( mbedtls_x509_sequence ) ); |
| Simon Cooksey |
0:fb7af294d5d9 | 2368 | mbedtls_free( seq_prv ); |
| Simon Cooksey |
0:fb7af294d5d9 | 2369 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 2370 | |
| Simon Cooksey |
0:fb7af294d5d9 | 2371 | if( cert_cur->raw.p != NULL ) |
| Simon Cooksey |
0:fb7af294d5d9 | 2372 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 2373 | mbedtls_zeroize( cert_cur->raw.p, cert_cur->raw.len ); |
| Simon Cooksey |
0:fb7af294d5d9 | 2374 | mbedtls_free( cert_cur->raw.p ); |
| Simon Cooksey |
0:fb7af294d5d9 | 2375 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 2376 | |
| Simon Cooksey |
0:fb7af294d5d9 | 2377 | cert_cur = cert_cur->next; |
| Simon Cooksey |
0:fb7af294d5d9 | 2378 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 2379 | while( cert_cur != NULL ); |
| Simon Cooksey |
0:fb7af294d5d9 | 2380 | |
| Simon Cooksey |
0:fb7af294d5d9 | 2381 | cert_cur = crt; |
| Simon Cooksey |
0:fb7af294d5d9 | 2382 | do |
| Simon Cooksey |
0:fb7af294d5d9 | 2383 | { |
| Simon Cooksey |
0:fb7af294d5d9 | 2384 | cert_prv = cert_cur; |
| Simon Cooksey |
0:fb7af294d5d9 | 2385 | cert_cur = cert_cur->next; |
| Simon Cooksey |
0:fb7af294d5d9 | 2386 | |
| Simon Cooksey |
0:fb7af294d5d9 | 2387 | mbedtls_zeroize( cert_prv, sizeof( mbedtls_x509_crt ) ); |
| Simon Cooksey |
0:fb7af294d5d9 | 2388 | if( cert_prv != crt ) |
| Simon Cooksey |
0:fb7af294d5d9 | 2389 | mbedtls_free( cert_prv ); |
| Simon Cooksey |
0:fb7af294d5d9 | 2390 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 2391 | while( cert_cur != NULL ); |
| Simon Cooksey |
0:fb7af294d5d9 | 2392 | } |
| Simon Cooksey |
0:fb7af294d5d9 | 2393 | |
| Simon Cooksey |
0:fb7af294d5d9 | 2394 | #endif /* MBEDTLS_X509_CRT_PARSE_C */ |