nexpaq_dev - Preliminary main mbed library for nexpaq developm…

Users » nexpaq » Code » nexpaq_dev

Preliminary main mbed library for nexpaq development

features/mbedtls/src/x509_crt.c@0:6c56fb4bc5f0, 2016-11-04 (annotated)

Committer:: nexpaq
Date:: Fri Nov 04 20:27:58 2016 +0000
Revision:: 0:6c56fb4bc5f0

Moving to library for sharing updates

Who changed what in which revision?

User	Revision	Line number	New contents of line
nexpaq	0:6c56fb4bc5f0	1	/*
nexpaq	0:6c56fb4bc5f0	2	* X.509 certificate parsing and verification
nexpaq	0:6c56fb4bc5f0	3	*
nexpaq	0:6c56fb4bc5f0	4	* Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
nexpaq	0:6c56fb4bc5f0	5	* SPDX-License-Identifier: Apache-2.0
nexpaq	0:6c56fb4bc5f0	6	*
nexpaq	0:6c56fb4bc5f0	7	* Licensed under the Apache License, Version 2.0 (the "License"); you may
nexpaq	0:6c56fb4bc5f0	8	* not use this file except in compliance with the License.
nexpaq	0:6c56fb4bc5f0	9	* You may obtain a copy of the License at
nexpaq	0:6c56fb4bc5f0	10	*
nexpaq	0:6c56fb4bc5f0	11	* http://www.apache.org/licenses/LICENSE-2.0
nexpaq	0:6c56fb4bc5f0	12	*
nexpaq	0:6c56fb4bc5f0	13	* Unless required by applicable law or agreed to in writing, software
nexpaq	0:6c56fb4bc5f0	14	* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
nexpaq	0:6c56fb4bc5f0	15	* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
nexpaq	0:6c56fb4bc5f0	16	* See the License for the specific language governing permissions and
nexpaq	0:6c56fb4bc5f0	17	* limitations under the License.
nexpaq	0:6c56fb4bc5f0	18	*
nexpaq	0:6c56fb4bc5f0	19	* This file is part of mbed TLS (https://tls.mbed.org)
nexpaq	0:6c56fb4bc5f0	20	*/
nexpaq	0:6c56fb4bc5f0	21	/*
nexpaq	0:6c56fb4bc5f0	22	* The ITU-T X.509 standard defines a certificate format for PKI.
nexpaq	0:6c56fb4bc5f0	23	*
nexpaq	0:6c56fb4bc5f0	24	* http://www.ietf.org/rfc/rfc5280.txt (Certificates and CRLs)
nexpaq	0:6c56fb4bc5f0	25	* http://www.ietf.org/rfc/rfc3279.txt (Alg IDs for CRLs)
nexpaq	0:6c56fb4bc5f0	26	* http://www.ietf.org/rfc/rfc2986.txt (CSRs, aka PKCS#10)
nexpaq	0:6c56fb4bc5f0	27	*
nexpaq	0:6c56fb4bc5f0	28	* http://www.itu.int/ITU-T/studygroups/com17/languages/X.680-0207.pdf
nexpaq	0:6c56fb4bc5f0	29	* http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf
nexpaq	0:6c56fb4bc5f0	30	*/
nexpaq	0:6c56fb4bc5f0	31
nexpaq	0:6c56fb4bc5f0	32	#if !defined(MBEDTLS_CONFIG_FILE)
nexpaq	0:6c56fb4bc5f0	33	#include "mbedtls/config.h"
nexpaq	0:6c56fb4bc5f0	34	#else
nexpaq	0:6c56fb4bc5f0	35	#include MBEDTLS_CONFIG_FILE
nexpaq	0:6c56fb4bc5f0	36	#endif
nexpaq	0:6c56fb4bc5f0	37
nexpaq	0:6c56fb4bc5f0	38	#if defined(MBEDTLS_X509_CRT_PARSE_C)
nexpaq	0:6c56fb4bc5f0	39
nexpaq	0:6c56fb4bc5f0	40	#include "mbedtls/x509_crt.h"
nexpaq	0:6c56fb4bc5f0	41	#include "mbedtls/oid.h"
nexpaq	0:6c56fb4bc5f0	42
nexpaq	0:6c56fb4bc5f0	43	#include <stdio.h>
nexpaq	0:6c56fb4bc5f0	44	#include <string.h>
nexpaq	0:6c56fb4bc5f0	45
nexpaq	0:6c56fb4bc5f0	46	#if defined(MBEDTLS_PEM_PARSE_C)
nexpaq	0:6c56fb4bc5f0	47	#include "mbedtls/pem.h"
nexpaq	0:6c56fb4bc5f0	48	#endif
nexpaq	0:6c56fb4bc5f0	49
nexpaq	0:6c56fb4bc5f0	50	#if defined(MBEDTLS_PLATFORM_C)
nexpaq	0:6c56fb4bc5f0	51	#include "mbedtls/platform.h"
nexpaq	0:6c56fb4bc5f0	52	#else
nexpaq	0:6c56fb4bc5f0	53	#include <stdlib.h>
nexpaq	0:6c56fb4bc5f0	54	#define mbedtls_free free
nexpaq	0:6c56fb4bc5f0	55	#define mbedtls_calloc calloc
nexpaq	0:6c56fb4bc5f0	56	#define mbedtls_snprintf snprintf
nexpaq	0:6c56fb4bc5f0	57	#endif
nexpaq	0:6c56fb4bc5f0	58
nexpaq	0:6c56fb4bc5f0	59	#if defined(MBEDTLS_THREADING_C)
nexpaq	0:6c56fb4bc5f0	60	#include "mbedtls/threading.h"
nexpaq	0:6c56fb4bc5f0	61	#endif
nexpaq	0:6c56fb4bc5f0	62
nexpaq	0:6c56fb4bc5f0	63	#if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
nexpaq	0:6c56fb4bc5f0	64	#include <windows.h>
nexpaq	0:6c56fb4bc5f0	65	#else
nexpaq	0:6c56fb4bc5f0	66	#include <time.h>
nexpaq	0:6c56fb4bc5f0	67	#endif
nexpaq	0:6c56fb4bc5f0	68
nexpaq	0:6c56fb4bc5f0	69	#if defined(MBEDTLS_FS_IO)
nexpaq	0:6c56fb4bc5f0	70	#include <stdio.h>
nexpaq	0:6c56fb4bc5f0	71	#if !defined(_WIN32) \|\| defined(EFIX64) \|\| defined(EFI32)
nexpaq	0:6c56fb4bc5f0	72	#include <sys/types.h>
nexpaq	0:6c56fb4bc5f0	73	#include <sys/stat.h>
nexpaq	0:6c56fb4bc5f0	74	#include <dirent.h>
nexpaq	0:6c56fb4bc5f0	75	#endif /* !_WIN32 \|\| EFIX64 \|\| EFI32 */
nexpaq	0:6c56fb4bc5f0	76	#endif
nexpaq	0:6c56fb4bc5f0	77
nexpaq	0:6c56fb4bc5f0	78	/* Implementation that should never be optimized out by the compiler */
nexpaq	0:6c56fb4bc5f0	79	static void mbedtls_zeroize( void *v, size_t n ) {
nexpaq	0:6c56fb4bc5f0	80	volatile unsigned char p = v; while( n-- ) p++ = 0;
nexpaq	0:6c56fb4bc5f0	81	}
nexpaq	0:6c56fb4bc5f0	82
nexpaq	0:6c56fb4bc5f0	83	/*
nexpaq	0:6c56fb4bc5f0	84	* Default profile
nexpaq	0:6c56fb4bc5f0	85	*/
nexpaq	0:6c56fb4bc5f0	86	const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_default =
nexpaq	0:6c56fb4bc5f0	87	{
nexpaq	0:6c56fb4bc5f0	88	/* Hashes from SHA-1 and above */
nexpaq	0:6c56fb4bc5f0	89	MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA1 ) \|
nexpaq	0:6c56fb4bc5f0	90	MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_RIPEMD160 ) \|
nexpaq	0:6c56fb4bc5f0	91	MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA224 ) \|
nexpaq	0:6c56fb4bc5f0	92	MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA256 ) \|
nexpaq	0:6c56fb4bc5f0	93	MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA384 ) \|
nexpaq	0:6c56fb4bc5f0	94	MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA512 ),
nexpaq	0:6c56fb4bc5f0	95	0xFFFFFFF, /* Any PK alg */
nexpaq	0:6c56fb4bc5f0	96	0xFFFFFFF, /* Any curve */
nexpaq	0:6c56fb4bc5f0	97	2048,
nexpaq	0:6c56fb4bc5f0	98	};
nexpaq	0:6c56fb4bc5f0	99
nexpaq	0:6c56fb4bc5f0	100	/*
nexpaq	0:6c56fb4bc5f0	101	* Next-default profile
nexpaq	0:6c56fb4bc5f0	102	*/
nexpaq	0:6c56fb4bc5f0	103	const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_next =
nexpaq	0:6c56fb4bc5f0	104	{
nexpaq	0:6c56fb4bc5f0	105	/* Hashes from SHA-256 and above */
nexpaq	0:6c56fb4bc5f0	106	MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA256 ) \|
nexpaq	0:6c56fb4bc5f0	107	MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA384 ) \|
nexpaq	0:6c56fb4bc5f0	108	MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA512 ),
nexpaq	0:6c56fb4bc5f0	109	0xFFFFFFF, /* Any PK alg */
nexpaq	0:6c56fb4bc5f0	110	#if defined(MBEDTLS_ECP_C)
nexpaq	0:6c56fb4bc5f0	111	/* Curves at or above 128-bit security level */
nexpaq	0:6c56fb4bc5f0	112	MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_SECP256R1 ) \|
nexpaq	0:6c56fb4bc5f0	113	MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_SECP384R1 ) \|
nexpaq	0:6c56fb4bc5f0	114	MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_SECP521R1 ) \|
nexpaq	0:6c56fb4bc5f0	115	MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_BP256R1 ) \|
nexpaq	0:6c56fb4bc5f0	116	MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_BP384R1 ) \|
nexpaq	0:6c56fb4bc5f0	117	MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_BP512R1 ) \|
nexpaq	0:6c56fb4bc5f0	118	MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_SECP256K1 ),
nexpaq	0:6c56fb4bc5f0	119	#else
nexpaq	0:6c56fb4bc5f0	120	0,
nexpaq	0:6c56fb4bc5f0	121	#endif
nexpaq	0:6c56fb4bc5f0	122	2048,
nexpaq	0:6c56fb4bc5f0	123	};
nexpaq	0:6c56fb4bc5f0	124
nexpaq	0:6c56fb4bc5f0	125	/*
nexpaq	0:6c56fb4bc5f0	126	* NSA Suite B Profile
nexpaq	0:6c56fb4bc5f0	127	*/
nexpaq	0:6c56fb4bc5f0	128	const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_suiteb =
nexpaq	0:6c56fb4bc5f0	129	{
nexpaq	0:6c56fb4bc5f0	130	/* Only SHA-256 and 384 */
nexpaq	0:6c56fb4bc5f0	131	MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA256 ) \|
nexpaq	0:6c56fb4bc5f0	132	MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA384 ),
nexpaq	0:6c56fb4bc5f0	133	/* Only ECDSA */
nexpaq	0:6c56fb4bc5f0	134	MBEDTLS_X509_ID_FLAG( MBEDTLS_PK_ECDSA ),
nexpaq	0:6c56fb4bc5f0	135	#if defined(MBEDTLS_ECP_C)
nexpaq	0:6c56fb4bc5f0	136	/* Only NIST P-256 and P-384 */
nexpaq	0:6c56fb4bc5f0	137	MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_SECP256R1 ) \|
nexpaq	0:6c56fb4bc5f0	138	MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_SECP384R1 ),
nexpaq	0:6c56fb4bc5f0	139	#else
nexpaq	0:6c56fb4bc5f0	140	0,
nexpaq	0:6c56fb4bc5f0	141	#endif
nexpaq	0:6c56fb4bc5f0	142	0,
nexpaq	0:6c56fb4bc5f0	143	};
nexpaq	0:6c56fb4bc5f0	144
nexpaq	0:6c56fb4bc5f0	145	/*
nexpaq	0:6c56fb4bc5f0	146	* Check md_alg against profile
nexpaq	0:6c56fb4bc5f0	147	* Return 0 if md_alg acceptable for this profile, -1 otherwise
nexpaq	0:6c56fb4bc5f0	148	*/
nexpaq	0:6c56fb4bc5f0	149	static int x509_profile_check_md_alg( const mbedtls_x509_crt_profile *profile,
nexpaq	0:6c56fb4bc5f0	150	mbedtls_md_type_t md_alg )
nexpaq	0:6c56fb4bc5f0	151	{
nexpaq	0:6c56fb4bc5f0	152	if( ( profile->allowed_mds & MBEDTLS_X509_ID_FLAG( md_alg ) ) != 0 )
nexpaq	0:6c56fb4bc5f0	153	return( 0 );
nexpaq	0:6c56fb4bc5f0	154
nexpaq	0:6c56fb4bc5f0	155	return( -1 );
nexpaq	0:6c56fb4bc5f0	156	}
nexpaq	0:6c56fb4bc5f0	157
nexpaq	0:6c56fb4bc5f0	158	/*
nexpaq	0:6c56fb4bc5f0	159	* Check pk_alg against profile
nexpaq	0:6c56fb4bc5f0	160	* Return 0 if pk_alg acceptable for this profile, -1 otherwise
nexpaq	0:6c56fb4bc5f0	161	*/
nexpaq	0:6c56fb4bc5f0	162	static int x509_profile_check_pk_alg( const mbedtls_x509_crt_profile *profile,
nexpaq	0:6c56fb4bc5f0	163	mbedtls_pk_type_t pk_alg )
nexpaq	0:6c56fb4bc5f0	164	{
nexpaq	0:6c56fb4bc5f0	165	if( ( profile->allowed_pks & MBEDTLS_X509_ID_FLAG( pk_alg ) ) != 0 )
nexpaq	0:6c56fb4bc5f0	166	return( 0 );
nexpaq	0:6c56fb4bc5f0	167
nexpaq	0:6c56fb4bc5f0	168	return( -1 );
nexpaq	0:6c56fb4bc5f0	169	}
nexpaq	0:6c56fb4bc5f0	170
nexpaq	0:6c56fb4bc5f0	171	/*
nexpaq	0:6c56fb4bc5f0	172	* Check key against profile
nexpaq	0:6c56fb4bc5f0	173	* Return 0 if pk_alg acceptable for this profile, -1 otherwise
nexpaq	0:6c56fb4bc5f0	174	*/
nexpaq	0:6c56fb4bc5f0	175	static int x509_profile_check_key( const mbedtls_x509_crt_profile *profile,
nexpaq	0:6c56fb4bc5f0	176	mbedtls_pk_type_t pk_alg,
nexpaq	0:6c56fb4bc5f0	177	const mbedtls_pk_context *pk )
nexpaq	0:6c56fb4bc5f0	178	{
nexpaq	0:6c56fb4bc5f0	179	#if defined(MBEDTLS_RSA_C)
nexpaq	0:6c56fb4bc5f0	180	if( pk_alg == MBEDTLS_PK_RSA \|\| pk_alg == MBEDTLS_PK_RSASSA_PSS )
nexpaq	0:6c56fb4bc5f0	181	{
nexpaq	0:6c56fb4bc5f0	182	if( mbedtls_pk_get_bitlen( pk ) >= profile->rsa_min_bitlen )
nexpaq	0:6c56fb4bc5f0	183	return( 0 );
nexpaq	0:6c56fb4bc5f0	184
nexpaq	0:6c56fb4bc5f0	185	return( -1 );
nexpaq	0:6c56fb4bc5f0	186	}
nexpaq	0:6c56fb4bc5f0	187	#endif
nexpaq	0:6c56fb4bc5f0	188
nexpaq	0:6c56fb4bc5f0	189	#if defined(MBEDTLS_ECP_C)
nexpaq	0:6c56fb4bc5f0	190	if( pk_alg == MBEDTLS_PK_ECDSA \|\|
nexpaq	0:6c56fb4bc5f0	191	pk_alg == MBEDTLS_PK_ECKEY \|\|
nexpaq	0:6c56fb4bc5f0	192	pk_alg == MBEDTLS_PK_ECKEY_DH )
nexpaq	0:6c56fb4bc5f0	193	{
nexpaq	0:6c56fb4bc5f0	194	mbedtls_ecp_group_id gid = mbedtls_pk_ec( *pk )->grp.id;
nexpaq	0:6c56fb4bc5f0	195
nexpaq	0:6c56fb4bc5f0	196	if( ( profile->allowed_curves & MBEDTLS_X509_ID_FLAG( gid ) ) != 0 )
nexpaq	0:6c56fb4bc5f0	197	return( 0 );
nexpaq	0:6c56fb4bc5f0	198
nexpaq	0:6c56fb4bc5f0	199	return( -1 );
nexpaq	0:6c56fb4bc5f0	200	}
nexpaq	0:6c56fb4bc5f0	201	#endif
nexpaq	0:6c56fb4bc5f0	202
nexpaq	0:6c56fb4bc5f0	203	return( -1 );
nexpaq	0:6c56fb4bc5f0	204	}
nexpaq	0:6c56fb4bc5f0	205
nexpaq	0:6c56fb4bc5f0	206	/*
nexpaq	0:6c56fb4bc5f0	207	* Version ::= INTEGER { v1(0), v2(1), v3(2) }
nexpaq	0:6c56fb4bc5f0	208	*/
nexpaq	0:6c56fb4bc5f0	209	static int x509_get_version( unsigned char **p,
nexpaq	0:6c56fb4bc5f0	210	const unsigned char *end,
nexpaq	0:6c56fb4bc5f0	211	int *ver )
nexpaq	0:6c56fb4bc5f0	212	{
nexpaq	0:6c56fb4bc5f0	213	int ret;
nexpaq	0:6c56fb4bc5f0	214	size_t len;
nexpaq	0:6c56fb4bc5f0	215
nexpaq	0:6c56fb4bc5f0	216	if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
nexpaq	0:6c56fb4bc5f0	217	MBEDTLS_ASN1_CONTEXT_SPECIFIC \| MBEDTLS_ASN1_CONSTRUCTED \| 0 ) ) != 0 )
nexpaq	0:6c56fb4bc5f0	218	{
nexpaq	0:6c56fb4bc5f0	219	if( ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
nexpaq	0:6c56fb4bc5f0	220	{
nexpaq	0:6c56fb4bc5f0	221	*ver = 0;
nexpaq	0:6c56fb4bc5f0	222	return( 0 );
nexpaq	0:6c56fb4bc5f0	223	}
nexpaq	0:6c56fb4bc5f0	224
nexpaq	0:6c56fb4bc5f0	225	return( ret );
nexpaq	0:6c56fb4bc5f0	226	}
nexpaq	0:6c56fb4bc5f0	227
nexpaq	0:6c56fb4bc5f0	228	end = *p + len;
nexpaq	0:6c56fb4bc5f0	229
nexpaq	0:6c56fb4bc5f0	230	if( ( ret = mbedtls_asn1_get_int( p, end, ver ) ) != 0 )
nexpaq	0:6c56fb4bc5f0	231	return( MBEDTLS_ERR_X509_INVALID_VERSION + ret );
nexpaq	0:6c56fb4bc5f0	232
nexpaq	0:6c56fb4bc5f0	233	if( *p != end )
nexpaq	0:6c56fb4bc5f0	234	return( MBEDTLS_ERR_X509_INVALID_VERSION +
nexpaq	0:6c56fb4bc5f0	235	MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
nexpaq	0:6c56fb4bc5f0	236
nexpaq	0:6c56fb4bc5f0	237	return( 0 );
nexpaq	0:6c56fb4bc5f0	238	}
nexpaq	0:6c56fb4bc5f0	239
nexpaq	0:6c56fb4bc5f0	240	/*
nexpaq	0:6c56fb4bc5f0	241	* Validity ::= SEQUENCE {
nexpaq	0:6c56fb4bc5f0	242	* notBefore Time,
nexpaq	0:6c56fb4bc5f0	243	* notAfter Time }
nexpaq	0:6c56fb4bc5f0	244	*/
nexpaq	0:6c56fb4bc5f0	245	static int x509_get_dates( unsigned char **p,
nexpaq	0:6c56fb4bc5f0	246	const unsigned char *end,
nexpaq	0:6c56fb4bc5f0	247	mbedtls_x509_time *from,
nexpaq	0:6c56fb4bc5f0	248	mbedtls_x509_time *to )
nexpaq	0:6c56fb4bc5f0	249	{
nexpaq	0:6c56fb4bc5f0	250	int ret;
nexpaq	0:6c56fb4bc5f0	251	size_t len;
nexpaq	0:6c56fb4bc5f0	252
nexpaq	0:6c56fb4bc5f0	253	if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
nexpaq	0:6c56fb4bc5f0	254	MBEDTLS_ASN1_CONSTRUCTED \| MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
nexpaq	0:6c56fb4bc5f0	255	return( MBEDTLS_ERR_X509_INVALID_DATE + ret );
nexpaq	0:6c56fb4bc5f0	256
nexpaq	0:6c56fb4bc5f0	257	end = *p + len;
nexpaq	0:6c56fb4bc5f0	258
nexpaq	0:6c56fb4bc5f0	259	if( ( ret = mbedtls_x509_get_time( p, end, from ) ) != 0 )
nexpaq	0:6c56fb4bc5f0	260	return( ret );
nexpaq	0:6c56fb4bc5f0	261
nexpaq	0:6c56fb4bc5f0	262	if( ( ret = mbedtls_x509_get_time( p, end, to ) ) != 0 )
nexpaq	0:6c56fb4bc5f0	263	return( ret );
nexpaq	0:6c56fb4bc5f0	264
nexpaq	0:6c56fb4bc5f0	265	if( *p != end )
nexpaq	0:6c56fb4bc5f0	266	return( MBEDTLS_ERR_X509_INVALID_DATE +
nexpaq	0:6c56fb4bc5f0	267	MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
nexpaq	0:6c56fb4bc5f0	268
nexpaq	0:6c56fb4bc5f0	269	return( 0 );
nexpaq	0:6c56fb4bc5f0	270	}
nexpaq	0:6c56fb4bc5f0	271
nexpaq	0:6c56fb4bc5f0	272	/*
nexpaq	0:6c56fb4bc5f0	273	* X.509 v2/v3 unique identifier (not parsed)
nexpaq	0:6c56fb4bc5f0	274	*/
nexpaq	0:6c56fb4bc5f0	275	static int x509_get_uid( unsigned char **p,
nexpaq	0:6c56fb4bc5f0	276	const unsigned char *end,
nexpaq	0:6c56fb4bc5f0	277	mbedtls_x509_buf *uid, int n )
nexpaq	0:6c56fb4bc5f0	278	{
nexpaq	0:6c56fb4bc5f0	279	int ret;
nexpaq	0:6c56fb4bc5f0	280
nexpaq	0:6c56fb4bc5f0	281	if( *p == end )
nexpaq	0:6c56fb4bc5f0	282	return( 0 );
nexpaq	0:6c56fb4bc5f0	283
nexpaq	0:6c56fb4bc5f0	284	uid->tag = **p;
nexpaq	0:6c56fb4bc5f0	285
nexpaq	0:6c56fb4bc5f0	286	if( ( ret = mbedtls_asn1_get_tag( p, end, &uid->len,
nexpaq	0:6c56fb4bc5f0	287	MBEDTLS_ASN1_CONTEXT_SPECIFIC \| MBEDTLS_ASN1_CONSTRUCTED \| n ) ) != 0 )
nexpaq	0:6c56fb4bc5f0	288	{
nexpaq	0:6c56fb4bc5f0	289	if( ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
nexpaq	0:6c56fb4bc5f0	290	return( 0 );
nexpaq	0:6c56fb4bc5f0	291
nexpaq	0:6c56fb4bc5f0	292	return( ret );
nexpaq	0:6c56fb4bc5f0	293	}
nexpaq	0:6c56fb4bc5f0	294
nexpaq	0:6c56fb4bc5f0	295	uid->p = *p;
nexpaq	0:6c56fb4bc5f0	296	*p += uid->len;
nexpaq	0:6c56fb4bc5f0	297
nexpaq	0:6c56fb4bc5f0	298	return( 0 );
nexpaq	0:6c56fb4bc5f0	299	}
nexpaq	0:6c56fb4bc5f0	300
nexpaq	0:6c56fb4bc5f0	301	static int x509_get_basic_constraints( unsigned char **p,
nexpaq	0:6c56fb4bc5f0	302	const unsigned char *end,
nexpaq	0:6c56fb4bc5f0	303	int *ca_istrue,
nexpaq	0:6c56fb4bc5f0	304	int *max_pathlen )
nexpaq	0:6c56fb4bc5f0	305	{
nexpaq	0:6c56fb4bc5f0	306	int ret;
nexpaq	0:6c56fb4bc5f0	307	size_t len;
nexpaq	0:6c56fb4bc5f0	308
nexpaq	0:6c56fb4bc5f0	309	/*
nexpaq	0:6c56fb4bc5f0	310	* BasicConstraints ::= SEQUENCE {
nexpaq	0:6c56fb4bc5f0	311	* cA BOOLEAN DEFAULT FALSE,
nexpaq	0:6c56fb4bc5f0	312	* pathLenConstraint INTEGER (0..MAX) OPTIONAL }
nexpaq	0:6c56fb4bc5f0	313	*/
nexpaq	0:6c56fb4bc5f0	314	ca_istrue = 0; / DEFAULT FALSE */
nexpaq	0:6c56fb4bc5f0	315	max_pathlen = 0; / endless */
nexpaq	0:6c56fb4bc5f0	316
nexpaq	0:6c56fb4bc5f0	317	if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
nexpaq	0:6c56fb4bc5f0	318	MBEDTLS_ASN1_CONSTRUCTED \| MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
nexpaq	0:6c56fb4bc5f0	319	return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
nexpaq	0:6c56fb4bc5f0	320
nexpaq	0:6c56fb4bc5f0	321	if( *p == end )
nexpaq	0:6c56fb4bc5f0	322	return( 0 );
nexpaq	0:6c56fb4bc5f0	323
nexpaq	0:6c56fb4bc5f0	324	if( ( ret = mbedtls_asn1_get_bool( p, end, ca_istrue ) ) != 0 )
nexpaq	0:6c56fb4bc5f0	325	{
nexpaq	0:6c56fb4bc5f0	326	if( ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
nexpaq	0:6c56fb4bc5f0	327	ret = mbedtls_asn1_get_int( p, end, ca_istrue );
nexpaq	0:6c56fb4bc5f0	328
nexpaq	0:6c56fb4bc5f0	329	if( ret != 0 )
nexpaq	0:6c56fb4bc5f0	330	return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
nexpaq	0:6c56fb4bc5f0	331
nexpaq	0:6c56fb4bc5f0	332	if( *ca_istrue != 0 )
nexpaq	0:6c56fb4bc5f0	333	*ca_istrue = 1;
nexpaq	0:6c56fb4bc5f0	334	}
nexpaq	0:6c56fb4bc5f0	335
nexpaq	0:6c56fb4bc5f0	336	if( *p == end )
nexpaq	0:6c56fb4bc5f0	337	return( 0 );
nexpaq	0:6c56fb4bc5f0	338
nexpaq	0:6c56fb4bc5f0	339	if( ( ret = mbedtls_asn1_get_int( p, end, max_pathlen ) ) != 0 )
nexpaq	0:6c56fb4bc5f0	340	return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
nexpaq	0:6c56fb4bc5f0	341
nexpaq	0:6c56fb4bc5f0	342	if( *p != end )
nexpaq	0:6c56fb4bc5f0	343	return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
nexpaq	0:6c56fb4bc5f0	344	MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
nexpaq	0:6c56fb4bc5f0	345
nexpaq	0:6c56fb4bc5f0	346	(*max_pathlen)++;
nexpaq	0:6c56fb4bc5f0	347
nexpaq	0:6c56fb4bc5f0	348	return( 0 );
nexpaq	0:6c56fb4bc5f0	349	}
nexpaq	0:6c56fb4bc5f0	350
nexpaq	0:6c56fb4bc5f0	351	static int x509_get_ns_cert_type( unsigned char **p,
nexpaq	0:6c56fb4bc5f0	352	const unsigned char *end,
nexpaq	0:6c56fb4bc5f0	353	unsigned char *ns_cert_type)
nexpaq	0:6c56fb4bc5f0	354	{
nexpaq	0:6c56fb4bc5f0	355	int ret;
nexpaq	0:6c56fb4bc5f0	356	mbedtls_x509_bitstring bs = { 0, 0, NULL };
nexpaq	0:6c56fb4bc5f0	357
nexpaq	0:6c56fb4bc5f0	358	if( ( ret = mbedtls_asn1_get_bitstring( p, end, &bs ) ) != 0 )
nexpaq	0:6c56fb4bc5f0	359	return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
nexpaq	0:6c56fb4bc5f0	360
nexpaq	0:6c56fb4bc5f0	361	if( bs.len != 1 )
nexpaq	0:6c56fb4bc5f0	362	return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
nexpaq	0:6c56fb4bc5f0	363	MBEDTLS_ERR_ASN1_INVALID_LENGTH );
nexpaq	0:6c56fb4bc5f0	364
nexpaq	0:6c56fb4bc5f0	365	/* Get actual bitstring */
nexpaq	0:6c56fb4bc5f0	366	ns_cert_type = bs.p;
nexpaq	0:6c56fb4bc5f0	367	return( 0 );
nexpaq	0:6c56fb4bc5f0	368	}
nexpaq	0:6c56fb4bc5f0	369
nexpaq	0:6c56fb4bc5f0	370	static int x509_get_key_usage( unsigned char **p,
nexpaq	0:6c56fb4bc5f0	371	const unsigned char *end,
nexpaq	0:6c56fb4bc5f0	372	unsigned int *key_usage)
nexpaq	0:6c56fb4bc5f0	373	{
nexpaq	0:6c56fb4bc5f0	374	int ret;
nexpaq	0:6c56fb4bc5f0	375	size_t i;
nexpaq	0:6c56fb4bc5f0	376	mbedtls_x509_bitstring bs = { 0, 0, NULL };
nexpaq	0:6c56fb4bc5f0	377
nexpaq	0:6c56fb4bc5f0	378	if( ( ret = mbedtls_asn1_get_bitstring( p, end, &bs ) ) != 0 )
nexpaq	0:6c56fb4bc5f0	379	return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
nexpaq	0:6c56fb4bc5f0	380
nexpaq	0:6c56fb4bc5f0	381	if( bs.len < 1 )
nexpaq	0:6c56fb4bc5f0	382	return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
nexpaq	0:6c56fb4bc5f0	383	MBEDTLS_ERR_ASN1_INVALID_LENGTH );
nexpaq	0:6c56fb4bc5f0	384
nexpaq	0:6c56fb4bc5f0	385	/* Get actual bitstring */
nexpaq	0:6c56fb4bc5f0	386	*key_usage = 0;
nexpaq	0:6c56fb4bc5f0	387	for( i = 0; i < bs.len && i < sizeof( unsigned int ); i++ )
nexpaq	0:6c56fb4bc5f0	388	{
nexpaq	0:6c56fb4bc5f0	389	key_usage \|= (unsigned int) bs.p[i] << (8i);
nexpaq	0:6c56fb4bc5f0	390	}
nexpaq	0:6c56fb4bc5f0	391
nexpaq	0:6c56fb4bc5f0	392	return( 0 );
nexpaq	0:6c56fb4bc5f0	393	}
nexpaq	0:6c56fb4bc5f0	394
nexpaq	0:6c56fb4bc5f0	395	/*
nexpaq	0:6c56fb4bc5f0	396	* ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
nexpaq	0:6c56fb4bc5f0	397	*
nexpaq	0:6c56fb4bc5f0	398	* KeyPurposeId ::= OBJECT IDENTIFIER
nexpaq	0:6c56fb4bc5f0	399	*/
nexpaq	0:6c56fb4bc5f0	400	static int x509_get_ext_key_usage( unsigned char **p,
nexpaq	0:6c56fb4bc5f0	401	const unsigned char *end,
nexpaq	0:6c56fb4bc5f0	402	mbedtls_x509_sequence *ext_key_usage)
nexpaq	0:6c56fb4bc5f0	403	{
nexpaq	0:6c56fb4bc5f0	404	int ret;
nexpaq	0:6c56fb4bc5f0	405
nexpaq	0:6c56fb4bc5f0	406	if( ( ret = mbedtls_asn1_get_sequence_of( p, end, ext_key_usage, MBEDTLS_ASN1_OID ) ) != 0 )
nexpaq	0:6c56fb4bc5f0	407	return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
nexpaq	0:6c56fb4bc5f0	408
nexpaq	0:6c56fb4bc5f0	409	/* Sequence length must be >= 1 */
nexpaq	0:6c56fb4bc5f0	410	if( ext_key_usage->buf.p == NULL )
nexpaq	0:6c56fb4bc5f0	411	return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
nexpaq	0:6c56fb4bc5f0	412	MBEDTLS_ERR_ASN1_INVALID_LENGTH );
nexpaq	0:6c56fb4bc5f0	413
nexpaq	0:6c56fb4bc5f0	414	return( 0 );
nexpaq	0:6c56fb4bc5f0	415	}
nexpaq	0:6c56fb4bc5f0	416
nexpaq	0:6c56fb4bc5f0	417	/*
nexpaq	0:6c56fb4bc5f0	418	* SubjectAltName ::= GeneralNames
nexpaq	0:6c56fb4bc5f0	419	*
nexpaq	0:6c56fb4bc5f0	420	* GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
nexpaq	0:6c56fb4bc5f0	421	*
nexpaq	0:6c56fb4bc5f0	422	* GeneralName ::= CHOICE {
nexpaq	0:6c56fb4bc5f0	423	* otherName [0] OtherName,
nexpaq	0:6c56fb4bc5f0	424	* rfc822Name [1] IA5String,
nexpaq	0:6c56fb4bc5f0	425	* dNSName [2] IA5String,
nexpaq	0:6c56fb4bc5f0	426	* x400Address [3] ORAddress,
nexpaq	0:6c56fb4bc5f0	427	* directoryName [4] Name,
nexpaq	0:6c56fb4bc5f0	428	* ediPartyName [5] EDIPartyName,
nexpaq	0:6c56fb4bc5f0	429	* uniformResourceIdentifier [6] IA5String,
nexpaq	0:6c56fb4bc5f0	430	* iPAddress [7] OCTET STRING,
nexpaq	0:6c56fb4bc5f0	431	* registeredID [8] OBJECT IDENTIFIER }
nexpaq	0:6c56fb4bc5f0	432	*
nexpaq	0:6c56fb4bc5f0	433	* OtherName ::= SEQUENCE {
nexpaq	0:6c56fb4bc5f0	434	* type-id OBJECT IDENTIFIER,
nexpaq	0:6c56fb4bc5f0	435	* value [0] EXPLICIT ANY DEFINED BY type-id }
nexpaq	0:6c56fb4bc5f0	436	*
nexpaq	0:6c56fb4bc5f0	437	* EDIPartyName ::= SEQUENCE {
nexpaq	0:6c56fb4bc5f0	438	* nameAssigner [0] DirectoryString OPTIONAL,
nexpaq	0:6c56fb4bc5f0	439	* partyName [1] DirectoryString }
nexpaq	0:6c56fb4bc5f0	440	*
nexpaq	0:6c56fb4bc5f0	441	* NOTE: we only parse and use dNSName at this point.
nexpaq	0:6c56fb4bc5f0	442	*/
nexpaq	0:6c56fb4bc5f0	443	static int x509_get_subject_alt_name( unsigned char **p,
nexpaq	0:6c56fb4bc5f0	444	const unsigned char *end,
nexpaq	0:6c56fb4bc5f0	445	mbedtls_x509_sequence *subject_alt_name )
nexpaq	0:6c56fb4bc5f0	446	{
nexpaq	0:6c56fb4bc5f0	447	int ret;
nexpaq	0:6c56fb4bc5f0	448	size_t len, tag_len;
nexpaq	0:6c56fb4bc5f0	449	mbedtls_asn1_buf *buf;
nexpaq	0:6c56fb4bc5f0	450	unsigned char tag;
nexpaq	0:6c56fb4bc5f0	451	mbedtls_asn1_sequence *cur = subject_alt_name;
nexpaq	0:6c56fb4bc5f0	452
nexpaq	0:6c56fb4bc5f0	453	/* Get main sequence tag */
nexpaq	0:6c56fb4bc5f0	454	if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
nexpaq	0:6c56fb4bc5f0	455	MBEDTLS_ASN1_CONSTRUCTED \| MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
nexpaq	0:6c56fb4bc5f0	456	return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
nexpaq	0:6c56fb4bc5f0	457
nexpaq	0:6c56fb4bc5f0	458	if( *p + len != end )
nexpaq	0:6c56fb4bc5f0	459	return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
nexpaq	0:6c56fb4bc5f0	460	MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
nexpaq	0:6c56fb4bc5f0	461
nexpaq	0:6c56fb4bc5f0	462	while( *p < end )
nexpaq	0:6c56fb4bc5f0	463	{
nexpaq	0:6c56fb4bc5f0	464	if( ( end - *p ) < 1 )
nexpaq	0:6c56fb4bc5f0	465	return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
nexpaq	0:6c56fb4bc5f0	466	MBEDTLS_ERR_ASN1_OUT_OF_DATA );
nexpaq	0:6c56fb4bc5f0	467
nexpaq	0:6c56fb4bc5f0	468	tag = **p;
nexpaq	0:6c56fb4bc5f0	469	(*p)++;
nexpaq	0:6c56fb4bc5f0	470	if( ( ret = mbedtls_asn1_get_len( p, end, &tag_len ) ) != 0 )
nexpaq	0:6c56fb4bc5f0	471	return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
nexpaq	0:6c56fb4bc5f0	472
nexpaq	0:6c56fb4bc5f0	473	if( ( tag & MBEDTLS_ASN1_CONTEXT_SPECIFIC ) != MBEDTLS_ASN1_CONTEXT_SPECIFIC )
nexpaq	0:6c56fb4bc5f0	474	return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
nexpaq	0:6c56fb4bc5f0	475	MBEDTLS_ERR_ASN1_UNEXPECTED_TAG );
nexpaq	0:6c56fb4bc5f0	476
nexpaq	0:6c56fb4bc5f0	477	/* Skip everything but DNS name */
nexpaq	0:6c56fb4bc5f0	478	if( tag != ( MBEDTLS_ASN1_CONTEXT_SPECIFIC \| 2 ) )
nexpaq	0:6c56fb4bc5f0	479	{
nexpaq	0:6c56fb4bc5f0	480	*p += tag_len;
nexpaq	0:6c56fb4bc5f0	481	continue;
nexpaq	0:6c56fb4bc5f0	482	}
nexpaq	0:6c56fb4bc5f0	483
nexpaq	0:6c56fb4bc5f0	484	/* Allocate and assign next pointer */
nexpaq	0:6c56fb4bc5f0	485	if( cur->buf.p != NULL )
nexpaq	0:6c56fb4bc5f0	486	{
nexpaq	0:6c56fb4bc5f0	487	if( cur->next != NULL )
nexpaq	0:6c56fb4bc5f0	488	return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS );
nexpaq	0:6c56fb4bc5f0	489
nexpaq	0:6c56fb4bc5f0	490	cur->next = mbedtls_calloc( 1, sizeof( mbedtls_asn1_sequence ) );
nexpaq	0:6c56fb4bc5f0	491
nexpaq	0:6c56fb4bc5f0	492	if( cur->next == NULL )
nexpaq	0:6c56fb4bc5f0	493	return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
nexpaq	0:6c56fb4bc5f0	494	MBEDTLS_ERR_ASN1_ALLOC_FAILED );
nexpaq	0:6c56fb4bc5f0	495
nexpaq	0:6c56fb4bc5f0	496	cur = cur->next;
nexpaq	0:6c56fb4bc5f0	497	}
nexpaq	0:6c56fb4bc5f0	498
nexpaq	0:6c56fb4bc5f0	499	buf = &(cur->buf);
nexpaq	0:6c56fb4bc5f0	500	buf->tag = tag;
nexpaq	0:6c56fb4bc5f0	501	buf->p = *p;
nexpaq	0:6c56fb4bc5f0	502	buf->len = tag_len;
nexpaq	0:6c56fb4bc5f0	503	*p += buf->len;
nexpaq	0:6c56fb4bc5f0	504	}
nexpaq	0:6c56fb4bc5f0	505
nexpaq	0:6c56fb4bc5f0	506	/* Set final sequence entry's next pointer to NULL */
nexpaq	0:6c56fb4bc5f0	507	cur->next = NULL;
nexpaq	0:6c56fb4bc5f0	508
nexpaq	0:6c56fb4bc5f0	509	if( *p != end )
nexpaq	0:6c56fb4bc5f0	510	return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
nexpaq	0:6c56fb4bc5f0	511	MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
nexpaq	0:6c56fb4bc5f0	512
nexpaq	0:6c56fb4bc5f0	513	return( 0 );
nexpaq	0:6c56fb4bc5f0	514	}
nexpaq	0:6c56fb4bc5f0	515
nexpaq	0:6c56fb4bc5f0	516	/*
nexpaq	0:6c56fb4bc5f0	517	* X.509 v3 extensions
nexpaq	0:6c56fb4bc5f0	518	*
nexpaq	0:6c56fb4bc5f0	519	*/
nexpaq	0:6c56fb4bc5f0	520	static int x509_get_crt_ext( unsigned char **p,
nexpaq	0:6c56fb4bc5f0	521	const unsigned char *end,
nexpaq	0:6c56fb4bc5f0	522	mbedtls_x509_crt *crt )
nexpaq	0:6c56fb4bc5f0	523	{
nexpaq	0:6c56fb4bc5f0	524	int ret;
nexpaq	0:6c56fb4bc5f0	525	size_t len;
nexpaq	0:6c56fb4bc5f0	526	unsigned char end_ext_data, end_ext_octet;
nexpaq	0:6c56fb4bc5f0	527
nexpaq	0:6c56fb4bc5f0	528	if( ( ret = mbedtls_x509_get_ext( p, end, &crt->v3_ext, 3 ) ) != 0 )
nexpaq	0:6c56fb4bc5f0	529	{
nexpaq	0:6c56fb4bc5f0	530	if( ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
nexpaq	0:6c56fb4bc5f0	531	return( 0 );
nexpaq	0:6c56fb4bc5f0	532
nexpaq	0:6c56fb4bc5f0	533	return( ret );
nexpaq	0:6c56fb4bc5f0	534	}
nexpaq	0:6c56fb4bc5f0	535
nexpaq	0:6c56fb4bc5f0	536	while( *p < end )
nexpaq	0:6c56fb4bc5f0	537	{
nexpaq	0:6c56fb4bc5f0	538	/*
nexpaq	0:6c56fb4bc5f0	539	* Extension ::= SEQUENCE {
nexpaq	0:6c56fb4bc5f0	540	* extnID OBJECT IDENTIFIER,
nexpaq	0:6c56fb4bc5f0	541	* critical BOOLEAN DEFAULT FALSE,
nexpaq	0:6c56fb4bc5f0	542	* extnValue OCTET STRING }
nexpaq	0:6c56fb4bc5f0	543	*/
nexpaq	0:6c56fb4bc5f0	544	mbedtls_x509_buf extn_oid = {0, 0, NULL};
nexpaq	0:6c56fb4bc5f0	545	int is_critical = 0; /* DEFAULT FALSE */
nexpaq	0:6c56fb4bc5f0	546	int ext_type = 0;
nexpaq	0:6c56fb4bc5f0	547
nexpaq	0:6c56fb4bc5f0	548	if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
nexpaq	0:6c56fb4bc5f0	549	MBEDTLS_ASN1_CONSTRUCTED \| MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
nexpaq	0:6c56fb4bc5f0	550	return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
nexpaq	0:6c56fb4bc5f0	551
nexpaq	0:6c56fb4bc5f0	552	end_ext_data = *p + len;
nexpaq	0:6c56fb4bc5f0	553
nexpaq	0:6c56fb4bc5f0	554	/* Get extension ID */
nexpaq	0:6c56fb4bc5f0	555	extn_oid.tag = **p;
nexpaq	0:6c56fb4bc5f0	556
nexpaq	0:6c56fb4bc5f0	557	if( ( ret = mbedtls_asn1_get_tag( p, end, &extn_oid.len, MBEDTLS_ASN1_OID ) ) != 0 )
nexpaq	0:6c56fb4bc5f0	558	return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
nexpaq	0:6c56fb4bc5f0	559
nexpaq	0:6c56fb4bc5f0	560	extn_oid.p = *p;
nexpaq	0:6c56fb4bc5f0	561	*p += extn_oid.len;
nexpaq	0:6c56fb4bc5f0	562
nexpaq	0:6c56fb4bc5f0	563	if( ( end - *p ) < 1 )
nexpaq	0:6c56fb4bc5f0	564	return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
nexpaq	0:6c56fb4bc5f0	565	MBEDTLS_ERR_ASN1_OUT_OF_DATA );
nexpaq	0:6c56fb4bc5f0	566
nexpaq	0:6c56fb4bc5f0	567	/* Get optional critical */
nexpaq	0:6c56fb4bc5f0	568	if( ( ret = mbedtls_asn1_get_bool( p, end_ext_data, &is_critical ) ) != 0 &&
nexpaq	0:6c56fb4bc5f0	569	( ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) )
nexpaq	0:6c56fb4bc5f0	570	return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
nexpaq	0:6c56fb4bc5f0	571
nexpaq	0:6c56fb4bc5f0	572	/* Data should be octet string type */
nexpaq	0:6c56fb4bc5f0	573	if( ( ret = mbedtls_asn1_get_tag( p, end_ext_data, &len,
nexpaq	0:6c56fb4bc5f0	574	MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )
nexpaq	0:6c56fb4bc5f0	575	return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
nexpaq	0:6c56fb4bc5f0	576
nexpaq	0:6c56fb4bc5f0	577	end_ext_octet = *p + len;
nexpaq	0:6c56fb4bc5f0	578
nexpaq	0:6c56fb4bc5f0	579	if( end_ext_octet != end_ext_data )
nexpaq	0:6c56fb4bc5f0	580	return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
nexpaq	0:6c56fb4bc5f0	581	MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
nexpaq	0:6c56fb4bc5f0	582
nexpaq	0:6c56fb4bc5f0	583	/*
nexpaq	0:6c56fb4bc5f0	584	* Detect supported extensions
nexpaq	0:6c56fb4bc5f0	585	*/
nexpaq	0:6c56fb4bc5f0	586	ret = mbedtls_oid_get_x509_ext_type( &extn_oid, &ext_type );
nexpaq	0:6c56fb4bc5f0	587
nexpaq	0:6c56fb4bc5f0	588	if( ret != 0 )
nexpaq	0:6c56fb4bc5f0	589	{
nexpaq	0:6c56fb4bc5f0	590	/* No parser found, skip extension */
nexpaq	0:6c56fb4bc5f0	591	*p = end_ext_octet;
nexpaq	0:6c56fb4bc5f0	592
nexpaq	0:6c56fb4bc5f0	593	#if !defined(MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION)
nexpaq	0:6c56fb4bc5f0	594	if( is_critical )
nexpaq	0:6c56fb4bc5f0	595	{
nexpaq	0:6c56fb4bc5f0	596	/* Data is marked as critical: fail */
nexpaq	0:6c56fb4bc5f0	597	return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
nexpaq	0:6c56fb4bc5f0	598	MBEDTLS_ERR_ASN1_UNEXPECTED_TAG );
nexpaq	0:6c56fb4bc5f0	599	}
nexpaq	0:6c56fb4bc5f0	600	#endif
nexpaq	0:6c56fb4bc5f0	601	continue;
nexpaq	0:6c56fb4bc5f0	602	}
nexpaq	0:6c56fb4bc5f0	603
nexpaq	0:6c56fb4bc5f0	604	/* Forbid repeated extensions */
nexpaq	0:6c56fb4bc5f0	605	if( ( crt->ext_types & ext_type ) != 0 )
nexpaq	0:6c56fb4bc5f0	606	return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS );
nexpaq	0:6c56fb4bc5f0	607
nexpaq	0:6c56fb4bc5f0	608	crt->ext_types \|= ext_type;
nexpaq	0:6c56fb4bc5f0	609
nexpaq	0:6c56fb4bc5f0	610	switch( ext_type )
nexpaq	0:6c56fb4bc5f0	611	{
nexpaq	0:6c56fb4bc5f0	612	case MBEDTLS_X509_EXT_BASIC_CONSTRAINTS:
nexpaq	0:6c56fb4bc5f0	613	/* Parse basic constraints */
nexpaq	0:6c56fb4bc5f0	614	if( ( ret = x509_get_basic_constraints( p, end_ext_octet,
nexpaq	0:6c56fb4bc5f0	615	&crt->ca_istrue, &crt->max_pathlen ) ) != 0 )
nexpaq	0:6c56fb4bc5f0	616	return( ret );
nexpaq	0:6c56fb4bc5f0	617	break;
nexpaq	0:6c56fb4bc5f0	618
nexpaq	0:6c56fb4bc5f0	619	case MBEDTLS_X509_EXT_KEY_USAGE:
nexpaq	0:6c56fb4bc5f0	620	/* Parse key usage */
nexpaq	0:6c56fb4bc5f0	621	if( ( ret = x509_get_key_usage( p, end_ext_octet,
nexpaq	0:6c56fb4bc5f0	622	&crt->key_usage ) ) != 0 )
nexpaq	0:6c56fb4bc5f0	623	return( ret );
nexpaq	0:6c56fb4bc5f0	624	break;
nexpaq	0:6c56fb4bc5f0	625
nexpaq	0:6c56fb4bc5f0	626	case MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE:
nexpaq	0:6c56fb4bc5f0	627	/* Parse extended key usage */
nexpaq	0:6c56fb4bc5f0	628	if( ( ret = x509_get_ext_key_usage( p, end_ext_octet,
nexpaq	0:6c56fb4bc5f0	629	&crt->ext_key_usage ) ) != 0 )
nexpaq	0:6c56fb4bc5f0	630	return( ret );
nexpaq	0:6c56fb4bc5f0	631	break;
nexpaq	0:6c56fb4bc5f0	632
nexpaq	0:6c56fb4bc5f0	633	case MBEDTLS_X509_EXT_SUBJECT_ALT_NAME:
nexpaq	0:6c56fb4bc5f0	634	/* Parse subject alt name */
nexpaq	0:6c56fb4bc5f0	635	if( ( ret = x509_get_subject_alt_name( p, end_ext_octet,
nexpaq	0:6c56fb4bc5f0	636	&crt->subject_alt_names ) ) != 0 )
nexpaq	0:6c56fb4bc5f0	637	return( ret );
nexpaq	0:6c56fb4bc5f0	638	break;
nexpaq	0:6c56fb4bc5f0	639
nexpaq	0:6c56fb4bc5f0	640	case MBEDTLS_X509_EXT_NS_CERT_TYPE:
nexpaq	0:6c56fb4bc5f0	641	/* Parse netscape certificate type */
nexpaq	0:6c56fb4bc5f0	642	if( ( ret = x509_get_ns_cert_type( p, end_ext_octet,
nexpaq	0:6c56fb4bc5f0	643	&crt->ns_cert_type ) ) != 0 )
nexpaq	0:6c56fb4bc5f0	644	return( ret );
nexpaq	0:6c56fb4bc5f0	645	break;
nexpaq	0:6c56fb4bc5f0	646
nexpaq	0:6c56fb4bc5f0	647	default:
nexpaq	0:6c56fb4bc5f0	648	return( MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE );
nexpaq	0:6c56fb4bc5f0	649	}
nexpaq	0:6c56fb4bc5f0	650	}
nexpaq	0:6c56fb4bc5f0	651
nexpaq	0:6c56fb4bc5f0	652	if( *p != end )
nexpaq	0:6c56fb4bc5f0	653	return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
nexpaq	0:6c56fb4bc5f0	654	MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
nexpaq	0:6c56fb4bc5f0	655
nexpaq	0:6c56fb4bc5f0	656	return( 0 );
nexpaq	0:6c56fb4bc5f0	657	}
nexpaq	0:6c56fb4bc5f0	658
nexpaq	0:6c56fb4bc5f0	659	/*
nexpaq	0:6c56fb4bc5f0	660	* Parse and fill a single X.509 certificate in DER format
nexpaq	0:6c56fb4bc5f0	661	*/
nexpaq	0:6c56fb4bc5f0	662	static int x509_crt_parse_der_core( mbedtls_x509_crt crt, const unsigned char buf,
nexpaq	0:6c56fb4bc5f0	663	size_t buflen )
nexpaq	0:6c56fb4bc5f0	664	{
nexpaq	0:6c56fb4bc5f0	665	int ret;
nexpaq	0:6c56fb4bc5f0	666	size_t len;
nexpaq	0:6c56fb4bc5f0	667	unsigned char p, end, *crt_end;
nexpaq	0:6c56fb4bc5f0	668	mbedtls_x509_buf sig_params1, sig_params2, sig_oid2;
nexpaq	0:6c56fb4bc5f0	669
nexpaq	0:6c56fb4bc5f0	670	memset( &sig_params1, 0, sizeof( mbedtls_x509_buf ) );
nexpaq	0:6c56fb4bc5f0	671	memset( &sig_params2, 0, sizeof( mbedtls_x509_buf ) );
nexpaq	0:6c56fb4bc5f0	672	memset( &sig_oid2, 0, sizeof( mbedtls_x509_buf ) );
nexpaq	0:6c56fb4bc5f0	673
nexpaq	0:6c56fb4bc5f0	674	/*
nexpaq	0:6c56fb4bc5f0	675	* Check for valid input
nexpaq	0:6c56fb4bc5f0	676	*/
nexpaq	0:6c56fb4bc5f0	677	if( crt == NULL \|\| buf == NULL )
nexpaq	0:6c56fb4bc5f0	678	return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
nexpaq	0:6c56fb4bc5f0	679
nexpaq	0:6c56fb4bc5f0	680	// Use the original buffer until we figure out actual length
nexpaq	0:6c56fb4bc5f0	681	p = (unsigned char*) buf;
nexpaq	0:6c56fb4bc5f0	682	len = buflen;
nexpaq	0:6c56fb4bc5f0	683	end = p + len;
nexpaq	0:6c56fb4bc5f0	684
nexpaq	0:6c56fb4bc5f0	685	/*
nexpaq	0:6c56fb4bc5f0	686	* Certificate ::= SEQUENCE {
nexpaq	0:6c56fb4bc5f0	687	* tbsCertificate TBSCertificate,
nexpaq	0:6c56fb4bc5f0	688	* signatureAlgorithm AlgorithmIdentifier,
nexpaq	0:6c56fb4bc5f0	689	* signatureValue BIT STRING }
nexpaq	0:6c56fb4bc5f0	690	*/
nexpaq	0:6c56fb4bc5f0	691	if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
nexpaq	0:6c56fb4bc5f0	692	MBEDTLS_ASN1_CONSTRUCTED \| MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
nexpaq	0:6c56fb4bc5f0	693	{
nexpaq	0:6c56fb4bc5f0	694	mbedtls_x509_crt_free( crt );
nexpaq	0:6c56fb4bc5f0	695	return( MBEDTLS_ERR_X509_INVALID_FORMAT );
nexpaq	0:6c56fb4bc5f0	696	}
nexpaq	0:6c56fb4bc5f0	697
nexpaq	0:6c56fb4bc5f0	698	if( len > (size_t) ( end - p ) )
nexpaq	0:6c56fb4bc5f0	699	{
nexpaq	0:6c56fb4bc5f0	700	mbedtls_x509_crt_free( crt );
nexpaq	0:6c56fb4bc5f0	701	return( MBEDTLS_ERR_X509_INVALID_FORMAT +
nexpaq	0:6c56fb4bc5f0	702	MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
nexpaq	0:6c56fb4bc5f0	703	}
nexpaq	0:6c56fb4bc5f0	704	crt_end = p + len;
nexpaq	0:6c56fb4bc5f0	705
nexpaq	0:6c56fb4bc5f0	706	// Create and populate a new buffer for the raw field
nexpaq	0:6c56fb4bc5f0	707	crt->raw.len = crt_end - buf;
nexpaq	0:6c56fb4bc5f0	708	crt->raw.p = p = mbedtls_calloc( 1, crt->raw.len );
nexpaq	0:6c56fb4bc5f0	709	if( p == NULL )
nexpaq	0:6c56fb4bc5f0	710	return( MBEDTLS_ERR_X509_ALLOC_FAILED );
nexpaq	0:6c56fb4bc5f0	711
nexpaq	0:6c56fb4bc5f0	712	memcpy( p, buf, crt->raw.len );
nexpaq	0:6c56fb4bc5f0	713
nexpaq	0:6c56fb4bc5f0	714	// Direct pointers to the new buffer
nexpaq	0:6c56fb4bc5f0	715	p += crt->raw.len - len;
nexpaq	0:6c56fb4bc5f0	716	end = crt_end = p + len;
nexpaq	0:6c56fb4bc5f0	717
nexpaq	0:6c56fb4bc5f0	718	/*
nexpaq	0:6c56fb4bc5f0	719	* TBSCertificate ::= SEQUENCE {
nexpaq	0:6c56fb4bc5f0	720	*/
nexpaq	0:6c56fb4bc5f0	721	crt->tbs.p = p;
nexpaq	0:6c56fb4bc5f0	722
nexpaq	0:6c56fb4bc5f0	723	if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
nexpaq	0:6c56fb4bc5f0	724	MBEDTLS_ASN1_CONSTRUCTED \| MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
nexpaq	0:6c56fb4bc5f0	725	{
nexpaq	0:6c56fb4bc5f0	726	mbedtls_x509_crt_free( crt );
nexpaq	0:6c56fb4bc5f0	727	return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret );
nexpaq	0:6c56fb4bc5f0	728	}
nexpaq	0:6c56fb4bc5f0	729
nexpaq	0:6c56fb4bc5f0	730	end = p + len;
nexpaq	0:6c56fb4bc5f0	731	crt->tbs.len = end - crt->tbs.p;
nexpaq	0:6c56fb4bc5f0	732
nexpaq	0:6c56fb4bc5f0	733	/*
nexpaq	0:6c56fb4bc5f0	734	* Version ::= INTEGER { v1(0), v2(1), v3(2) }
nexpaq	0:6c56fb4bc5f0	735	*
nexpaq	0:6c56fb4bc5f0	736	* CertificateSerialNumber ::= INTEGER
nexpaq	0:6c56fb4bc5f0	737	*
nexpaq	0:6c56fb4bc5f0	738	* signature AlgorithmIdentifier
nexpaq	0:6c56fb4bc5f0	739	*/
nexpaq	0:6c56fb4bc5f0	740	if( ( ret = x509_get_version( &p, end, &crt->version ) ) != 0 \|\|
nexpaq	0:6c56fb4bc5f0	741	( ret = mbedtls_x509_get_serial( &p, end, &crt->serial ) ) != 0 \|\|
nexpaq	0:6c56fb4bc5f0	742	( ret = mbedtls_x509_get_alg( &p, end, &crt->sig_oid,
nexpaq	0:6c56fb4bc5f0	743	&sig_params1 ) ) != 0 )
nexpaq	0:6c56fb4bc5f0	744	{
nexpaq	0:6c56fb4bc5f0	745	mbedtls_x509_crt_free( crt );
nexpaq	0:6c56fb4bc5f0	746	return( ret );
nexpaq	0:6c56fb4bc5f0	747	}
nexpaq	0:6c56fb4bc5f0	748
nexpaq	0:6c56fb4bc5f0	749	crt->version++;
nexpaq	0:6c56fb4bc5f0	750
nexpaq	0:6c56fb4bc5f0	751	if( crt->version > 3 )
nexpaq	0:6c56fb4bc5f0	752	{
nexpaq	0:6c56fb4bc5f0	753	mbedtls_x509_crt_free( crt );
nexpaq	0:6c56fb4bc5f0	754	return( MBEDTLS_ERR_X509_UNKNOWN_VERSION );
nexpaq	0:6c56fb4bc5f0	755	}
nexpaq	0:6c56fb4bc5f0	756
nexpaq	0:6c56fb4bc5f0	757	if( ( ret = mbedtls_x509_get_sig_alg( &crt->sig_oid, &sig_params1,
nexpaq	0:6c56fb4bc5f0	758	&crt->sig_md, &crt->sig_pk,
nexpaq	0:6c56fb4bc5f0	759	&crt->sig_opts ) ) != 0 )
nexpaq	0:6c56fb4bc5f0	760	{
nexpaq	0:6c56fb4bc5f0	761	mbedtls_x509_crt_free( crt );
nexpaq	0:6c56fb4bc5f0	762	return( ret );
nexpaq	0:6c56fb4bc5f0	763	}
nexpaq	0:6c56fb4bc5f0	764
nexpaq	0:6c56fb4bc5f0	765	/*
nexpaq	0:6c56fb4bc5f0	766	* issuer Name
nexpaq	0:6c56fb4bc5f0	767	*/
nexpaq	0:6c56fb4bc5f0	768	crt->issuer_raw.p = p;
nexpaq	0:6c56fb4bc5f0	769
nexpaq	0:6c56fb4bc5f0	770	if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
nexpaq	0:6c56fb4bc5f0	771	MBEDTLS_ASN1_CONSTRUCTED \| MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
nexpaq	0:6c56fb4bc5f0	772	{
nexpaq	0:6c56fb4bc5f0	773	mbedtls_x509_crt_free( crt );
nexpaq	0:6c56fb4bc5f0	774	return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret );
nexpaq	0:6c56fb4bc5f0	775	}
nexpaq	0:6c56fb4bc5f0	776
nexpaq	0:6c56fb4bc5f0	777	if( ( ret = mbedtls_x509_get_name( &p, p + len, &crt->issuer ) ) != 0 )
nexpaq	0:6c56fb4bc5f0	778	{
nexpaq	0:6c56fb4bc5f0	779	mbedtls_x509_crt_free( crt );
nexpaq	0:6c56fb4bc5f0	780	return( ret );
nexpaq	0:6c56fb4bc5f0	781	}
nexpaq	0:6c56fb4bc5f0	782
nexpaq	0:6c56fb4bc5f0	783	crt->issuer_raw.len = p - crt->issuer_raw.p;
nexpaq	0:6c56fb4bc5f0	784
nexpaq	0:6c56fb4bc5f0	785	/*
nexpaq	0:6c56fb4bc5f0	786	* Validity ::= SEQUENCE {
nexpaq	0:6c56fb4bc5f0	787	* notBefore Time,
nexpaq	0:6c56fb4bc5f0	788	* notAfter Time }
nexpaq	0:6c56fb4bc5f0	789	*
nexpaq	0:6c56fb4bc5f0	790	*/
nexpaq	0:6c56fb4bc5f0	791	if( ( ret = x509_get_dates( &p, end, &crt->valid_from,
nexpaq	0:6c56fb4bc5f0	792	&crt->valid_to ) ) != 0 )
nexpaq	0:6c56fb4bc5f0	793	{
nexpaq	0:6c56fb4bc5f0	794	mbedtls_x509_crt_free( crt );
nexpaq	0:6c56fb4bc5f0	795	return( ret );
nexpaq	0:6c56fb4bc5f0	796	}
nexpaq	0:6c56fb4bc5f0	797
nexpaq	0:6c56fb4bc5f0	798	/*
nexpaq	0:6c56fb4bc5f0	799	* subject Name
nexpaq	0:6c56fb4bc5f0	800	*/
nexpaq	0:6c56fb4bc5f0	801	crt->subject_raw.p = p;
nexpaq	0:6c56fb4bc5f0	802
nexpaq	0:6c56fb4bc5f0	803	if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
nexpaq	0:6c56fb4bc5f0	804	MBEDTLS_ASN1_CONSTRUCTED \| MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
nexpaq	0:6c56fb4bc5f0	805	{
nexpaq	0:6c56fb4bc5f0	806	mbedtls_x509_crt_free( crt );
nexpaq	0:6c56fb4bc5f0	807	return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret );
nexpaq	0:6c56fb4bc5f0	808	}
nexpaq	0:6c56fb4bc5f0	809
nexpaq	0:6c56fb4bc5f0	810	if( len && ( ret = mbedtls_x509_get_name( &p, p + len, &crt->subject ) ) != 0 )
nexpaq	0:6c56fb4bc5f0	811	{
nexpaq	0:6c56fb4bc5f0	812	mbedtls_x509_crt_free( crt );
nexpaq	0:6c56fb4bc5f0	813	return( ret );
nexpaq	0:6c56fb4bc5f0	814	}
nexpaq	0:6c56fb4bc5f0	815
nexpaq	0:6c56fb4bc5f0	816	crt->subject_raw.len = p - crt->subject_raw.p;
nexpaq	0:6c56fb4bc5f0	817
nexpaq	0:6c56fb4bc5f0	818	/*
nexpaq	0:6c56fb4bc5f0	819	* SubjectPublicKeyInfo
nexpaq	0:6c56fb4bc5f0	820	*/
nexpaq	0:6c56fb4bc5f0	821	if( ( ret = mbedtls_pk_parse_subpubkey( &p, end, &crt->pk ) ) != 0 )
nexpaq	0:6c56fb4bc5f0	822	{
nexpaq	0:6c56fb4bc5f0	823	mbedtls_x509_crt_free( crt );
nexpaq	0:6c56fb4bc5f0	824	return( ret );
nexpaq	0:6c56fb4bc5f0	825	}
nexpaq	0:6c56fb4bc5f0	826
nexpaq	0:6c56fb4bc5f0	827	/*
nexpaq	0:6c56fb4bc5f0	828	* issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
nexpaq	0:6c56fb4bc5f0	829	* -- If present, version shall be v2 or v3
nexpaq	0:6c56fb4bc5f0	830	* subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
nexpaq	0:6c56fb4bc5f0	831	* -- If present, version shall be v2 or v3
nexpaq	0:6c56fb4bc5f0	832	* extensions [3] EXPLICIT Extensions OPTIONAL
nexpaq	0:6c56fb4bc5f0	833	* -- If present, version shall be v3
nexpaq	0:6c56fb4bc5f0	834	*/
nexpaq	0:6c56fb4bc5f0	835	if( crt->version == 2 \|\| crt->version == 3 )
nexpaq	0:6c56fb4bc5f0	836	{
nexpaq	0:6c56fb4bc5f0	837	ret = x509_get_uid( &p, end, &crt->issuer_id, 1 );
nexpaq	0:6c56fb4bc5f0	838	if( ret != 0 )
nexpaq	0:6c56fb4bc5f0	839	{
nexpaq	0:6c56fb4bc5f0	840	mbedtls_x509_crt_free( crt );
nexpaq	0:6c56fb4bc5f0	841	return( ret );
nexpaq	0:6c56fb4bc5f0	842	}
nexpaq	0:6c56fb4bc5f0	843	}
nexpaq	0:6c56fb4bc5f0	844
nexpaq	0:6c56fb4bc5f0	845	if( crt->version == 2 \|\| crt->version == 3 )
nexpaq	0:6c56fb4bc5f0	846	{
nexpaq	0:6c56fb4bc5f0	847	ret = x509_get_uid( &p, end, &crt->subject_id, 2 );
nexpaq	0:6c56fb4bc5f0	848	if( ret != 0 )
nexpaq	0:6c56fb4bc5f0	849	{
nexpaq	0:6c56fb4bc5f0	850	mbedtls_x509_crt_free( crt );
nexpaq	0:6c56fb4bc5f0	851	return( ret );
nexpaq	0:6c56fb4bc5f0	852	}
nexpaq	0:6c56fb4bc5f0	853	}
nexpaq	0:6c56fb4bc5f0	854
nexpaq	0:6c56fb4bc5f0	855	#if !defined(MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3)
nexpaq	0:6c56fb4bc5f0	856	if( crt->version == 3 )
nexpaq	0:6c56fb4bc5f0	857	#endif
nexpaq	0:6c56fb4bc5f0	858	{
nexpaq	0:6c56fb4bc5f0	859	ret = x509_get_crt_ext( &p, end, crt );
nexpaq	0:6c56fb4bc5f0	860	if( ret != 0 )
nexpaq	0:6c56fb4bc5f0	861	{
nexpaq	0:6c56fb4bc5f0	862	mbedtls_x509_crt_free( crt );
nexpaq	0:6c56fb4bc5f0	863	return( ret );
nexpaq	0:6c56fb4bc5f0	864	}
nexpaq	0:6c56fb4bc5f0	865	}
nexpaq	0:6c56fb4bc5f0	866
nexpaq	0:6c56fb4bc5f0	867	if( p != end )
nexpaq	0:6c56fb4bc5f0	868	{
nexpaq	0:6c56fb4bc5f0	869	mbedtls_x509_crt_free( crt );
nexpaq	0:6c56fb4bc5f0	870	return( MBEDTLS_ERR_X509_INVALID_FORMAT +
nexpaq	0:6c56fb4bc5f0	871	MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
nexpaq	0:6c56fb4bc5f0	872	}
nexpaq	0:6c56fb4bc5f0	873
nexpaq	0:6c56fb4bc5f0	874	end = crt_end;
nexpaq	0:6c56fb4bc5f0	875
nexpaq	0:6c56fb4bc5f0	876	/*
nexpaq	0:6c56fb4bc5f0	877	* }
nexpaq	0:6c56fb4bc5f0	878	* -- end of TBSCertificate
nexpaq	0:6c56fb4bc5f0	879	*
nexpaq	0:6c56fb4bc5f0	880	* signatureAlgorithm AlgorithmIdentifier,
nexpaq	0:6c56fb4bc5f0	881	* signatureValue BIT STRING
nexpaq	0:6c56fb4bc5f0	882	*/
nexpaq	0:6c56fb4bc5f0	883	if( ( ret = mbedtls_x509_get_alg( &p, end, &sig_oid2, &sig_params2 ) ) != 0 )
nexpaq	0:6c56fb4bc5f0	884	{
nexpaq	0:6c56fb4bc5f0	885	mbedtls_x509_crt_free( crt );
nexpaq	0:6c56fb4bc5f0	886	return( ret );
nexpaq	0:6c56fb4bc5f0	887	}
nexpaq	0:6c56fb4bc5f0	888
nexpaq	0:6c56fb4bc5f0	889	if( crt->sig_oid.len != sig_oid2.len \|\|
nexpaq	0:6c56fb4bc5f0	890	memcmp( crt->sig_oid.p, sig_oid2.p, crt->sig_oid.len ) != 0 \|\|
nexpaq	0:6c56fb4bc5f0	891	sig_params1.len != sig_params2.len \|\|
nexpaq	0:6c56fb4bc5f0	892	( sig_params1.len != 0 &&
nexpaq	0:6c56fb4bc5f0	893	memcmp( sig_params1.p, sig_params2.p, sig_params1.len ) != 0 ) )
nexpaq	0:6c56fb4bc5f0	894	{
nexpaq	0:6c56fb4bc5f0	895	mbedtls_x509_crt_free( crt );
nexpaq	0:6c56fb4bc5f0	896	return( MBEDTLS_ERR_X509_SIG_MISMATCH );
nexpaq	0:6c56fb4bc5f0	897	}
nexpaq	0:6c56fb4bc5f0	898
nexpaq	0:6c56fb4bc5f0	899	if( ( ret = mbedtls_x509_get_sig( &p, end, &crt->sig ) ) != 0 )
nexpaq	0:6c56fb4bc5f0	900	{
nexpaq	0:6c56fb4bc5f0	901	mbedtls_x509_crt_free( crt );
nexpaq	0:6c56fb4bc5f0	902	return( ret );
nexpaq	0:6c56fb4bc5f0	903	}
nexpaq	0:6c56fb4bc5f0	904
nexpaq	0:6c56fb4bc5f0	905	if( p != end )
nexpaq	0:6c56fb4bc5f0	906	{
nexpaq	0:6c56fb4bc5f0	907	mbedtls_x509_crt_free( crt );
nexpaq	0:6c56fb4bc5f0	908	return( MBEDTLS_ERR_X509_INVALID_FORMAT +
nexpaq	0:6c56fb4bc5f0	909	MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
nexpaq	0:6c56fb4bc5f0	910	}
nexpaq	0:6c56fb4bc5f0	911
nexpaq	0:6c56fb4bc5f0	912	return( 0 );
nexpaq	0:6c56fb4bc5f0	913	}
nexpaq	0:6c56fb4bc5f0	914
nexpaq	0:6c56fb4bc5f0	915	/*
nexpaq	0:6c56fb4bc5f0	916	* Parse one X.509 certificate in DER format from a buffer and add them to a
nexpaq	0:6c56fb4bc5f0	917	* chained list
nexpaq	0:6c56fb4bc5f0	918	*/
nexpaq	0:6c56fb4bc5f0	919	int mbedtls_x509_crt_parse_der( mbedtls_x509_crt chain, const unsigned char buf,
nexpaq	0:6c56fb4bc5f0	920	size_t buflen )
nexpaq	0:6c56fb4bc5f0	921	{
nexpaq	0:6c56fb4bc5f0	922	int ret;
nexpaq	0:6c56fb4bc5f0	923	mbedtls_x509_crt crt = chain, prev = NULL;
nexpaq	0:6c56fb4bc5f0	924
nexpaq	0:6c56fb4bc5f0	925	/*
nexpaq	0:6c56fb4bc5f0	926	* Check for valid input
nexpaq	0:6c56fb4bc5f0	927	*/
nexpaq	0:6c56fb4bc5f0	928	if( crt == NULL \|\| buf == NULL )
nexpaq	0:6c56fb4bc5f0	929	return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
nexpaq	0:6c56fb4bc5f0	930
nexpaq	0:6c56fb4bc5f0	931	while( crt->version != 0 && crt->next != NULL )
nexpaq	0:6c56fb4bc5f0	932	{
nexpaq	0:6c56fb4bc5f0	933	prev = crt;
nexpaq	0:6c56fb4bc5f0	934	crt = crt->next;
nexpaq	0:6c56fb4bc5f0	935	}
nexpaq	0:6c56fb4bc5f0	936
nexpaq	0:6c56fb4bc5f0	937	/*
nexpaq	0:6c56fb4bc5f0	938	* Add new certificate on the end of the chain if needed.
nexpaq	0:6c56fb4bc5f0	939	*/
nexpaq	0:6c56fb4bc5f0	940	if( crt->version != 0 && crt->next == NULL )
nexpaq	0:6c56fb4bc5f0	941	{
nexpaq	0:6c56fb4bc5f0	942	crt->next = mbedtls_calloc( 1, sizeof( mbedtls_x509_crt ) );
nexpaq	0:6c56fb4bc5f0	943
nexpaq	0:6c56fb4bc5f0	944	if( crt->next == NULL )
nexpaq	0:6c56fb4bc5f0	945	return( MBEDTLS_ERR_X509_ALLOC_FAILED );
nexpaq	0:6c56fb4bc5f0	946
nexpaq	0:6c56fb4bc5f0	947	prev = crt;
nexpaq	0:6c56fb4bc5f0	948	mbedtls_x509_crt_init( crt->next );
nexpaq	0:6c56fb4bc5f0	949	crt = crt->next;
nexpaq	0:6c56fb4bc5f0	950	}
nexpaq	0:6c56fb4bc5f0	951
nexpaq	0:6c56fb4bc5f0	952	if( ( ret = x509_crt_parse_der_core( crt, buf, buflen ) ) != 0 )
nexpaq	0:6c56fb4bc5f0	953	{
nexpaq	0:6c56fb4bc5f0	954	if( prev )
nexpaq	0:6c56fb4bc5f0	955	prev->next = NULL;
nexpaq	0:6c56fb4bc5f0	956
nexpaq	0:6c56fb4bc5f0	957	if( crt != chain )
nexpaq	0:6c56fb4bc5f0	958	mbedtls_free( crt );
nexpaq	0:6c56fb4bc5f0	959
nexpaq	0:6c56fb4bc5f0	960	return( ret );
nexpaq	0:6c56fb4bc5f0	961	}
nexpaq	0:6c56fb4bc5f0	962
nexpaq	0:6c56fb4bc5f0	963	return( 0 );
nexpaq	0:6c56fb4bc5f0	964	}
nexpaq	0:6c56fb4bc5f0	965
nexpaq	0:6c56fb4bc5f0	966	/*
nexpaq	0:6c56fb4bc5f0	967	* Parse one or more PEM certificates from a buffer and add them to the chained
nexpaq	0:6c56fb4bc5f0	968	* list
nexpaq	0:6c56fb4bc5f0	969	*/
nexpaq	0:6c56fb4bc5f0	970	int mbedtls_x509_crt_parse( mbedtls_x509_crt chain, const unsigned char buf, size_t buflen )
nexpaq	0:6c56fb4bc5f0	971	{
nexpaq	0:6c56fb4bc5f0	972	int success = 0, first_error = 0, total_failed = 0;
nexpaq	0:6c56fb4bc5f0	973	#if defined(MBEDTLS_PEM_PARSE_C)
nexpaq	0:6c56fb4bc5f0	974	int buf_format = MBEDTLS_X509_FORMAT_DER;
nexpaq	0:6c56fb4bc5f0	975	#endif
nexpaq	0:6c56fb4bc5f0	976
nexpaq	0:6c56fb4bc5f0	977	/*
nexpaq	0:6c56fb4bc5f0	978	* Check for valid input
nexpaq	0:6c56fb4bc5f0	979	*/
nexpaq	0:6c56fb4bc5f0	980	if( chain == NULL \|\| buf == NULL )
nexpaq	0:6c56fb4bc5f0	981	return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
nexpaq	0:6c56fb4bc5f0	982
nexpaq	0:6c56fb4bc5f0	983	/*
nexpaq	0:6c56fb4bc5f0	984	* Determine buffer content. Buffer contains either one DER certificate or
nexpaq	0:6c56fb4bc5f0	985	* one or more PEM certificates.
nexpaq	0:6c56fb4bc5f0	986	*/
nexpaq	0:6c56fb4bc5f0	987	#if defined(MBEDTLS_PEM_PARSE_C)
nexpaq	0:6c56fb4bc5f0	988	if( buflen != 0 && buf[buflen - 1] == '\0' &&
nexpaq	0:6c56fb4bc5f0	989	strstr( (const char *) buf, "-----BEGIN CERTIFICATE-----" ) != NULL )
nexpaq	0:6c56fb4bc5f0	990	{
nexpaq	0:6c56fb4bc5f0	991	buf_format = MBEDTLS_X509_FORMAT_PEM;
nexpaq	0:6c56fb4bc5f0	992	}
nexpaq	0:6c56fb4bc5f0	993
nexpaq	0:6c56fb4bc5f0	994	if( buf_format == MBEDTLS_X509_FORMAT_DER )
nexpaq	0:6c56fb4bc5f0	995	return mbedtls_x509_crt_parse_der( chain, buf, buflen );
nexpaq	0:6c56fb4bc5f0	996	#else
nexpaq	0:6c56fb4bc5f0	997	return mbedtls_x509_crt_parse_der( chain, buf, buflen );
nexpaq	0:6c56fb4bc5f0	998	#endif
nexpaq	0:6c56fb4bc5f0	999
nexpaq	0:6c56fb4bc5f0	1000	#if defined(MBEDTLS_PEM_PARSE_C)
nexpaq	0:6c56fb4bc5f0	1001	if( buf_format == MBEDTLS_X509_FORMAT_PEM )
nexpaq	0:6c56fb4bc5f0	1002	{
nexpaq	0:6c56fb4bc5f0	1003	int ret;
nexpaq	0:6c56fb4bc5f0	1004	mbedtls_pem_context pem;
nexpaq	0:6c56fb4bc5f0	1005
nexpaq	0:6c56fb4bc5f0	1006	/* 1 rather than 0 since the terminating NULL byte is counted in */
nexpaq	0:6c56fb4bc5f0	1007	while( buflen > 1 )
nexpaq	0:6c56fb4bc5f0	1008	{
nexpaq	0:6c56fb4bc5f0	1009	size_t use_len;
nexpaq	0:6c56fb4bc5f0	1010	mbedtls_pem_init( &pem );
nexpaq	0:6c56fb4bc5f0	1011
nexpaq	0:6c56fb4bc5f0	1012	/* If we get there, we know the string is null-terminated */
nexpaq	0:6c56fb4bc5f0	1013	ret = mbedtls_pem_read_buffer( &pem,
nexpaq	0:6c56fb4bc5f0	1014	"-----BEGIN CERTIFICATE-----",
nexpaq	0:6c56fb4bc5f0	1015	"-----END CERTIFICATE-----",
nexpaq	0:6c56fb4bc5f0	1016	buf, NULL, 0, &use_len );
nexpaq	0:6c56fb4bc5f0	1017
nexpaq	0:6c56fb4bc5f0	1018	if( ret == 0 )
nexpaq	0:6c56fb4bc5f0	1019	{
nexpaq	0:6c56fb4bc5f0	1020	/*
nexpaq	0:6c56fb4bc5f0	1021	* Was PEM encoded
nexpaq	0:6c56fb4bc5f0	1022	*/
nexpaq	0:6c56fb4bc5f0	1023	buflen -= use_len;
nexpaq	0:6c56fb4bc5f0	1024	buf += use_len;
nexpaq	0:6c56fb4bc5f0	1025	}
nexpaq	0:6c56fb4bc5f0	1026	else if( ret == MBEDTLS_ERR_PEM_BAD_INPUT_DATA )
nexpaq	0:6c56fb4bc5f0	1027	{
nexpaq	0:6c56fb4bc5f0	1028	return( ret );
nexpaq	0:6c56fb4bc5f0	1029	}
nexpaq	0:6c56fb4bc5f0	1030	else if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
nexpaq	0:6c56fb4bc5f0	1031	{
nexpaq	0:6c56fb4bc5f0	1032	mbedtls_pem_free( &pem );
nexpaq	0:6c56fb4bc5f0	1033
nexpaq	0:6c56fb4bc5f0	1034	/*
nexpaq	0:6c56fb4bc5f0	1035	* PEM header and footer were found
nexpaq	0:6c56fb4bc5f0	1036	*/
nexpaq	0:6c56fb4bc5f0	1037	buflen -= use_len;
nexpaq	0:6c56fb4bc5f0	1038	buf += use_len;
nexpaq	0:6c56fb4bc5f0	1039
nexpaq	0:6c56fb4bc5f0	1040	if( first_error == 0 )
nexpaq	0:6c56fb4bc5f0	1041	first_error = ret;
nexpaq	0:6c56fb4bc5f0	1042
nexpaq	0:6c56fb4bc5f0	1043	total_failed++;
nexpaq	0:6c56fb4bc5f0	1044	continue;
nexpaq	0:6c56fb4bc5f0	1045	}
nexpaq	0:6c56fb4bc5f0	1046	else
nexpaq	0:6c56fb4bc5f0	1047	break;
nexpaq	0:6c56fb4bc5f0	1048
nexpaq	0:6c56fb4bc5f0	1049	ret = mbedtls_x509_crt_parse_der( chain, pem.buf, pem.buflen );
nexpaq	0:6c56fb4bc5f0	1050
nexpaq	0:6c56fb4bc5f0	1051	mbedtls_pem_free( &pem );
nexpaq	0:6c56fb4bc5f0	1052
nexpaq	0:6c56fb4bc5f0	1053	if( ret != 0 )
nexpaq	0:6c56fb4bc5f0	1054	{
nexpaq	0:6c56fb4bc5f0	1055	/*
nexpaq	0:6c56fb4bc5f0	1056	* Quit parsing on a memory error
nexpaq	0:6c56fb4bc5f0	1057	*/
nexpaq	0:6c56fb4bc5f0	1058	if( ret == MBEDTLS_ERR_X509_ALLOC_FAILED )
nexpaq	0:6c56fb4bc5f0	1059	return( ret );
nexpaq	0:6c56fb4bc5f0	1060
nexpaq	0:6c56fb4bc5f0	1061	if( first_error == 0 )
nexpaq	0:6c56fb4bc5f0	1062	first_error = ret;
nexpaq	0:6c56fb4bc5f0	1063
nexpaq	0:6c56fb4bc5f0	1064	total_failed++;
nexpaq	0:6c56fb4bc5f0	1065	continue;
nexpaq	0:6c56fb4bc5f0	1066	}
nexpaq	0:6c56fb4bc5f0	1067
nexpaq	0:6c56fb4bc5f0	1068	success = 1;
nexpaq	0:6c56fb4bc5f0	1069	}
nexpaq	0:6c56fb4bc5f0	1070	}
nexpaq	0:6c56fb4bc5f0	1071
nexpaq	0:6c56fb4bc5f0	1072	if( success )
nexpaq	0:6c56fb4bc5f0	1073	return( total_failed );
nexpaq	0:6c56fb4bc5f0	1074	else if( first_error )
nexpaq	0:6c56fb4bc5f0	1075	return( first_error );
nexpaq	0:6c56fb4bc5f0	1076	else
nexpaq	0:6c56fb4bc5f0	1077	return( MBEDTLS_ERR_X509_CERT_UNKNOWN_FORMAT );
nexpaq	0:6c56fb4bc5f0	1078	#endif /* MBEDTLS_PEM_PARSE_C */
nexpaq	0:6c56fb4bc5f0	1079	}
nexpaq	0:6c56fb4bc5f0	1080
nexpaq	0:6c56fb4bc5f0	1081	#if defined(MBEDTLS_FS_IO)
nexpaq	0:6c56fb4bc5f0	1082	/*
nexpaq	0:6c56fb4bc5f0	1083	* Load one or more certificates and add them to the chained list
nexpaq	0:6c56fb4bc5f0	1084	*/
nexpaq	0:6c56fb4bc5f0	1085	int mbedtls_x509_crt_parse_file( mbedtls_x509_crt chain, const char path )
nexpaq	0:6c56fb4bc5f0	1086	{
nexpaq	0:6c56fb4bc5f0	1087	int ret;
nexpaq	0:6c56fb4bc5f0	1088	size_t n;
nexpaq	0:6c56fb4bc5f0	1089	unsigned char *buf;
nexpaq	0:6c56fb4bc5f0	1090
nexpaq	0:6c56fb4bc5f0	1091	if( ( ret = mbedtls_pk_load_file( path, &buf, &n ) ) != 0 )
nexpaq	0:6c56fb4bc5f0	1092	return( ret );
nexpaq	0:6c56fb4bc5f0	1093
nexpaq	0:6c56fb4bc5f0	1094	ret = mbedtls_x509_crt_parse( chain, buf, n );
nexpaq	0:6c56fb4bc5f0	1095
nexpaq	0:6c56fb4bc5f0	1096	mbedtls_zeroize( buf, n );
nexpaq	0:6c56fb4bc5f0	1097	mbedtls_free( buf );
nexpaq	0:6c56fb4bc5f0	1098
nexpaq	0:6c56fb4bc5f0	1099	return( ret );
nexpaq	0:6c56fb4bc5f0	1100	}
nexpaq	0:6c56fb4bc5f0	1101
nexpaq	0:6c56fb4bc5f0	1102	int mbedtls_x509_crt_parse_path( mbedtls_x509_crt chain, const char path )
nexpaq	0:6c56fb4bc5f0	1103	{
nexpaq	0:6c56fb4bc5f0	1104	int ret = 0;
nexpaq	0:6c56fb4bc5f0	1105	#if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
nexpaq	0:6c56fb4bc5f0	1106	int w_ret;
nexpaq	0:6c56fb4bc5f0	1107	WCHAR szDir[MAX_PATH];
nexpaq	0:6c56fb4bc5f0	1108	char filename[MAX_PATH];
nexpaq	0:6c56fb4bc5f0	1109	char *p;
nexpaq	0:6c56fb4bc5f0	1110	size_t len = strlen( path );
nexpaq	0:6c56fb4bc5f0	1111
nexpaq	0:6c56fb4bc5f0	1112	WIN32_FIND_DATAW file_data;
nexpaq	0:6c56fb4bc5f0	1113	HANDLE hFind;
nexpaq	0:6c56fb4bc5f0	1114
nexpaq	0:6c56fb4bc5f0	1115	if( len > MAX_PATH - 3 )
nexpaq	0:6c56fb4bc5f0	1116	return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
nexpaq	0:6c56fb4bc5f0	1117
nexpaq	0:6c56fb4bc5f0	1118	memset( szDir, 0, sizeof(szDir) );
nexpaq	0:6c56fb4bc5f0	1119	memset( filename, 0, MAX_PATH );
nexpaq	0:6c56fb4bc5f0	1120	memcpy( filename, path, len );
nexpaq	0:6c56fb4bc5f0	1121	filename[len++] = '\\';
nexpaq	0:6c56fb4bc5f0	1122	p = filename + len;
nexpaq	0:6c56fb4bc5f0	1123	filename[len++] = '*';
nexpaq	0:6c56fb4bc5f0	1124
nexpaq	0:6c56fb4bc5f0	1125	w_ret = MultiByteToWideChar( CP_ACP, 0, filename, len, szDir,
nexpaq	0:6c56fb4bc5f0	1126	MAX_PATH - 3 );
nexpaq	0:6c56fb4bc5f0	1127	if( w_ret == 0 )
nexpaq	0:6c56fb4bc5f0	1128	return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
nexpaq	0:6c56fb4bc5f0	1129
nexpaq	0:6c56fb4bc5f0	1130	hFind = FindFirstFileW( szDir, &file_data );
nexpaq	0:6c56fb4bc5f0	1131	if( hFind == INVALID_HANDLE_VALUE )
nexpaq	0:6c56fb4bc5f0	1132	return( MBEDTLS_ERR_X509_FILE_IO_ERROR );
nexpaq	0:6c56fb4bc5f0	1133
nexpaq	0:6c56fb4bc5f0	1134	len = MAX_PATH - len;
nexpaq	0:6c56fb4bc5f0	1135	do
nexpaq	0:6c56fb4bc5f0	1136	{
nexpaq	0:6c56fb4bc5f0	1137	memset( p, 0, len );
nexpaq	0:6c56fb4bc5f0	1138
nexpaq	0:6c56fb4bc5f0	1139	if( file_data.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY )
nexpaq	0:6c56fb4bc5f0	1140	continue;
nexpaq	0:6c56fb4bc5f0	1141
nexpaq	0:6c56fb4bc5f0	1142	w_ret = WideCharToMultiByte( CP_ACP, 0, file_data.cFileName,
nexpaq	0:6c56fb4bc5f0	1143	lstrlenW( file_data.cFileName ),
nexpaq	0:6c56fb4bc5f0	1144	p, (int) len - 1,
nexpaq	0:6c56fb4bc5f0	1145	NULL, NULL );
nexpaq	0:6c56fb4bc5f0	1146	if( w_ret == 0 )
nexpaq	0:6c56fb4bc5f0	1147	return( MBEDTLS_ERR_X509_FILE_IO_ERROR );
nexpaq	0:6c56fb4bc5f0	1148
nexpaq	0:6c56fb4bc5f0	1149	w_ret = mbedtls_x509_crt_parse_file( chain, filename );
nexpaq	0:6c56fb4bc5f0	1150	if( w_ret < 0 )
nexpaq	0:6c56fb4bc5f0	1151	ret++;
nexpaq	0:6c56fb4bc5f0	1152	else
nexpaq	0:6c56fb4bc5f0	1153	ret += w_ret;
nexpaq	0:6c56fb4bc5f0	1154	}
nexpaq	0:6c56fb4bc5f0	1155	while( FindNextFileW( hFind, &file_data ) != 0 );
nexpaq	0:6c56fb4bc5f0	1156
nexpaq	0:6c56fb4bc5f0	1157	if( GetLastError() != ERROR_NO_MORE_FILES )
nexpaq	0:6c56fb4bc5f0	1158	ret = MBEDTLS_ERR_X509_FILE_IO_ERROR;
nexpaq	0:6c56fb4bc5f0	1159
nexpaq	0:6c56fb4bc5f0	1160	FindClose( hFind );
nexpaq	0:6c56fb4bc5f0	1161	#else /* _WIN32 */
nexpaq	0:6c56fb4bc5f0	1162	int t_ret;
nexpaq	0:6c56fb4bc5f0	1163	struct stat sb;
nexpaq	0:6c56fb4bc5f0	1164	struct dirent *entry;
nexpaq	0:6c56fb4bc5f0	1165	char entry_name[255];
nexpaq	0:6c56fb4bc5f0	1166	DIR *dir = opendir( path );
nexpaq	0:6c56fb4bc5f0	1167
nexpaq	0:6c56fb4bc5f0	1168	if( dir == NULL )
nexpaq	0:6c56fb4bc5f0	1169	return( MBEDTLS_ERR_X509_FILE_IO_ERROR );
nexpaq	0:6c56fb4bc5f0	1170
nexpaq	0:6c56fb4bc5f0	1171	#if defined(MBEDTLS_THREADING_PTHREAD)
nexpaq	0:6c56fb4bc5f0	1172	if( ( ret = mbedtls_mutex_lock( &mbedtls_threading_readdir_mutex ) ) != 0 )
nexpaq	0:6c56fb4bc5f0	1173	{
nexpaq	0:6c56fb4bc5f0	1174	closedir( dir );
nexpaq	0:6c56fb4bc5f0	1175	return( ret );
nexpaq	0:6c56fb4bc5f0	1176	}
nexpaq	0:6c56fb4bc5f0	1177	#endif
nexpaq	0:6c56fb4bc5f0	1178
nexpaq	0:6c56fb4bc5f0	1179	while( ( entry = readdir( dir ) ) != NULL )
nexpaq	0:6c56fb4bc5f0	1180	{
nexpaq	0:6c56fb4bc5f0	1181	mbedtls_snprintf( entry_name, sizeof entry_name, "%s/%s", path, entry->d_name );
nexpaq	0:6c56fb4bc5f0	1182
nexpaq	0:6c56fb4bc5f0	1183	if( stat( entry_name, &sb ) == -1 )
nexpaq	0:6c56fb4bc5f0	1184	{
nexpaq	0:6c56fb4bc5f0	1185	closedir( dir );
nexpaq	0:6c56fb4bc5f0	1186	ret = MBEDTLS_ERR_X509_FILE_IO_ERROR;
nexpaq	0:6c56fb4bc5f0	1187	goto cleanup;
nexpaq	0:6c56fb4bc5f0	1188	}
nexpaq	0:6c56fb4bc5f0	1189
nexpaq	0:6c56fb4bc5f0	1190	if( !S_ISREG( sb.st_mode ) )
nexpaq	0:6c56fb4bc5f0	1191	continue;
nexpaq	0:6c56fb4bc5f0	1192
nexpaq	0:6c56fb4bc5f0	1193	// Ignore parse errors
nexpaq	0:6c56fb4bc5f0	1194	//
nexpaq	0:6c56fb4bc5f0	1195	t_ret = mbedtls_x509_crt_parse_file( chain, entry_name );
nexpaq	0:6c56fb4bc5f0	1196	if( t_ret < 0 )
nexpaq	0:6c56fb4bc5f0	1197	ret++;
nexpaq	0:6c56fb4bc5f0	1198	else
nexpaq	0:6c56fb4bc5f0	1199	ret += t_ret;
nexpaq	0:6c56fb4bc5f0	1200	}
nexpaq	0:6c56fb4bc5f0	1201	closedir( dir );
nexpaq	0:6c56fb4bc5f0	1202
nexpaq	0:6c56fb4bc5f0	1203	cleanup:
nexpaq	0:6c56fb4bc5f0	1204	#if defined(MBEDTLS_THREADING_PTHREAD)
nexpaq	0:6c56fb4bc5f0	1205	if( mbedtls_mutex_unlock( &mbedtls_threading_readdir_mutex ) != 0 )
nexpaq	0:6c56fb4bc5f0	1206	ret = MBEDTLS_ERR_THREADING_MUTEX_ERROR;
nexpaq	0:6c56fb4bc5f0	1207	#endif
nexpaq	0:6c56fb4bc5f0	1208
nexpaq	0:6c56fb4bc5f0	1209	#endif /* _WIN32 */
nexpaq	0:6c56fb4bc5f0	1210
nexpaq	0:6c56fb4bc5f0	1211	return( ret );
nexpaq	0:6c56fb4bc5f0	1212	}
nexpaq	0:6c56fb4bc5f0	1213	#endif /* MBEDTLS_FS_IO */
nexpaq	0:6c56fb4bc5f0	1214
nexpaq	0:6c56fb4bc5f0	1215	static int x509_info_subject_alt_name( char *buf, size_t size,
nexpaq	0:6c56fb4bc5f0	1216	const mbedtls_x509_sequence *subject_alt_name )
nexpaq	0:6c56fb4bc5f0	1217	{
nexpaq	0:6c56fb4bc5f0	1218	size_t i;
nexpaq	0:6c56fb4bc5f0	1219	size_t n = *size;
nexpaq	0:6c56fb4bc5f0	1220	char p = buf;
nexpaq	0:6c56fb4bc5f0	1221	const mbedtls_x509_sequence *cur = subject_alt_name;
nexpaq	0:6c56fb4bc5f0	1222	const char *sep = "";
nexpaq	0:6c56fb4bc5f0	1223	size_t sep_len = 0;
nexpaq	0:6c56fb4bc5f0	1224
nexpaq	0:6c56fb4bc5f0	1225	while( cur != NULL )
nexpaq	0:6c56fb4bc5f0	1226	{
nexpaq	0:6c56fb4bc5f0	1227	if( cur->buf.len + sep_len >= n )
nexpaq	0:6c56fb4bc5f0	1228	{
nexpaq	0:6c56fb4bc5f0	1229	*p = '\0';
nexpaq	0:6c56fb4bc5f0	1230	return( MBEDTLS_ERR_X509_BUFFER_TOO_SMALL );
nexpaq	0:6c56fb4bc5f0	1231	}
nexpaq	0:6c56fb4bc5f0	1232
nexpaq	0:6c56fb4bc5f0	1233	n -= cur->buf.len + sep_len;
nexpaq	0:6c56fb4bc5f0	1234	for( i = 0; i < sep_len; i++ )
nexpaq	0:6c56fb4bc5f0	1235	*p++ = sep[i];
nexpaq	0:6c56fb4bc5f0	1236	for( i = 0; i < cur->buf.len; i++ )
nexpaq	0:6c56fb4bc5f0	1237	*p++ = cur->buf.p[i];
nexpaq	0:6c56fb4bc5f0	1238
nexpaq	0:6c56fb4bc5f0	1239	sep = ", ";
nexpaq	0:6c56fb4bc5f0	1240	sep_len = 2;
nexpaq	0:6c56fb4bc5f0	1241
nexpaq	0:6c56fb4bc5f0	1242	cur = cur->next;
nexpaq	0:6c56fb4bc5f0	1243	}
nexpaq	0:6c56fb4bc5f0	1244
nexpaq	0:6c56fb4bc5f0	1245	*p = '\0';
nexpaq	0:6c56fb4bc5f0	1246
nexpaq	0:6c56fb4bc5f0	1247	*size = n;
nexpaq	0:6c56fb4bc5f0	1248	*buf = p;
nexpaq	0:6c56fb4bc5f0	1249
nexpaq	0:6c56fb4bc5f0	1250	return( 0 );
nexpaq	0:6c56fb4bc5f0	1251	}
nexpaq	0:6c56fb4bc5f0	1252
nexpaq	0:6c56fb4bc5f0	1253	#define PRINT_ITEM(i) \
nexpaq	0:6c56fb4bc5f0	1254	{ \
nexpaq	0:6c56fb4bc5f0	1255	ret = mbedtls_snprintf( p, n, "%s" i, sep ); \
nexpaq	0:6c56fb4bc5f0	1256	MBEDTLS_X509_SAFE_SNPRINTF; \
nexpaq	0:6c56fb4bc5f0	1257	sep = ", "; \
nexpaq	0:6c56fb4bc5f0	1258	}
nexpaq	0:6c56fb4bc5f0	1259
nexpaq	0:6c56fb4bc5f0	1260	#define CERT_TYPE(type,name) \
nexpaq	0:6c56fb4bc5f0	1261	if( ns_cert_type & type ) \
nexpaq	0:6c56fb4bc5f0	1262	PRINT_ITEM( name );
nexpaq	0:6c56fb4bc5f0	1263
nexpaq	0:6c56fb4bc5f0	1264	static int x509_info_cert_type( char *buf, size_t size,
nexpaq	0:6c56fb4bc5f0	1265	unsigned char ns_cert_type )
nexpaq	0:6c56fb4bc5f0	1266	{
nexpaq	0:6c56fb4bc5f0	1267	int ret;
nexpaq	0:6c56fb4bc5f0	1268	size_t n = *size;
nexpaq	0:6c56fb4bc5f0	1269	char p = buf;
nexpaq	0:6c56fb4bc5f0	1270	const char *sep = "";
nexpaq	0:6c56fb4bc5f0	1271
nexpaq	0:6c56fb4bc5f0	1272	CERT_TYPE( MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT, "SSL Client" );
nexpaq	0:6c56fb4bc5f0	1273	CERT_TYPE( MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER, "SSL Server" );
nexpaq	0:6c56fb4bc5f0	1274	CERT_TYPE( MBEDTLS_X509_NS_CERT_TYPE_EMAIL, "Email" );
nexpaq	0:6c56fb4bc5f0	1275	CERT_TYPE( MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING, "Object Signing" );
nexpaq	0:6c56fb4bc5f0	1276	CERT_TYPE( MBEDTLS_X509_NS_CERT_TYPE_RESERVED, "Reserved" );
nexpaq	0:6c56fb4bc5f0	1277	CERT_TYPE( MBEDTLS_X509_NS_CERT_TYPE_SSL_CA, "SSL CA" );
nexpaq	0:6c56fb4bc5f0	1278	CERT_TYPE( MBEDTLS_X509_NS_CERT_TYPE_EMAIL_CA, "Email CA" );
nexpaq	0:6c56fb4bc5f0	1279	CERT_TYPE( MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING_CA, "Object Signing CA" );
nexpaq	0:6c56fb4bc5f0	1280
nexpaq	0:6c56fb4bc5f0	1281	*size = n;
nexpaq	0:6c56fb4bc5f0	1282	*buf = p;
nexpaq	0:6c56fb4bc5f0	1283
nexpaq	0:6c56fb4bc5f0	1284	return( 0 );
nexpaq	0:6c56fb4bc5f0	1285	}
nexpaq	0:6c56fb4bc5f0	1286
nexpaq	0:6c56fb4bc5f0	1287	#define KEY_USAGE(code,name) \
nexpaq	0:6c56fb4bc5f0	1288	if( key_usage & code ) \
nexpaq	0:6c56fb4bc5f0	1289	PRINT_ITEM( name );
nexpaq	0:6c56fb4bc5f0	1290
nexpaq	0:6c56fb4bc5f0	1291	static int x509_info_key_usage( char *buf, size_t size,
nexpaq	0:6c56fb4bc5f0	1292	unsigned int key_usage )
nexpaq	0:6c56fb4bc5f0	1293	{
nexpaq	0:6c56fb4bc5f0	1294	int ret;
nexpaq	0:6c56fb4bc5f0	1295	size_t n = *size;
nexpaq	0:6c56fb4bc5f0	1296	char p = buf;
nexpaq	0:6c56fb4bc5f0	1297	const char *sep = "";
nexpaq	0:6c56fb4bc5f0	1298
nexpaq	0:6c56fb4bc5f0	1299	KEY_USAGE( MBEDTLS_X509_KU_DIGITAL_SIGNATURE, "Digital Signature" );
nexpaq	0:6c56fb4bc5f0	1300	KEY_USAGE( MBEDTLS_X509_KU_NON_REPUDIATION, "Non Repudiation" );
nexpaq	0:6c56fb4bc5f0	1301	KEY_USAGE( MBEDTLS_X509_KU_KEY_ENCIPHERMENT, "Key Encipherment" );
nexpaq	0:6c56fb4bc5f0	1302	KEY_USAGE( MBEDTLS_X509_KU_DATA_ENCIPHERMENT, "Data Encipherment" );
nexpaq	0:6c56fb4bc5f0	1303	KEY_USAGE( MBEDTLS_X509_KU_KEY_AGREEMENT, "Key Agreement" );
nexpaq	0:6c56fb4bc5f0	1304	KEY_USAGE( MBEDTLS_X509_KU_KEY_CERT_SIGN, "Key Cert Sign" );
nexpaq	0:6c56fb4bc5f0	1305	KEY_USAGE( MBEDTLS_X509_KU_CRL_SIGN, "CRL Sign" );
nexpaq	0:6c56fb4bc5f0	1306	KEY_USAGE( MBEDTLS_X509_KU_ENCIPHER_ONLY, "Encipher Only" );
nexpaq	0:6c56fb4bc5f0	1307	KEY_USAGE( MBEDTLS_X509_KU_DECIPHER_ONLY, "Decipher Only" );
nexpaq	0:6c56fb4bc5f0	1308
nexpaq	0:6c56fb4bc5f0	1309	*size = n;
nexpaq	0:6c56fb4bc5f0	1310	*buf = p;
nexpaq	0:6c56fb4bc5f0	1311
nexpaq	0:6c56fb4bc5f0	1312	return( 0 );
nexpaq	0:6c56fb4bc5f0	1313	}
nexpaq	0:6c56fb4bc5f0	1314
nexpaq	0:6c56fb4bc5f0	1315	static int x509_info_ext_key_usage( char *buf, size_t size,
nexpaq	0:6c56fb4bc5f0	1316	const mbedtls_x509_sequence *extended_key_usage )
nexpaq	0:6c56fb4bc5f0	1317	{
nexpaq	0:6c56fb4bc5f0	1318	int ret;
nexpaq	0:6c56fb4bc5f0	1319	const char *desc;
nexpaq	0:6c56fb4bc5f0	1320	size_t n = *size;
nexpaq	0:6c56fb4bc5f0	1321	char p = buf;
nexpaq	0:6c56fb4bc5f0	1322	const mbedtls_x509_sequence *cur = extended_key_usage;
nexpaq	0:6c56fb4bc5f0	1323	const char *sep = "";
nexpaq	0:6c56fb4bc5f0	1324
nexpaq	0:6c56fb4bc5f0	1325	while( cur != NULL )
nexpaq	0:6c56fb4bc5f0	1326	{
nexpaq	0:6c56fb4bc5f0	1327	if( mbedtls_oid_get_extended_key_usage( &cur->buf, &desc ) != 0 )
nexpaq	0:6c56fb4bc5f0	1328	desc = "???";
nexpaq	0:6c56fb4bc5f0	1329
nexpaq	0:6c56fb4bc5f0	1330	ret = mbedtls_snprintf( p, n, "%s%s", sep, desc );
nexpaq	0:6c56fb4bc5f0	1331	MBEDTLS_X509_SAFE_SNPRINTF;
nexpaq	0:6c56fb4bc5f0	1332
nexpaq	0:6c56fb4bc5f0	1333	sep = ", ";
nexpaq	0:6c56fb4bc5f0	1334
nexpaq	0:6c56fb4bc5f0	1335	cur = cur->next;
nexpaq	0:6c56fb4bc5f0	1336	}
nexpaq	0:6c56fb4bc5f0	1337
nexpaq	0:6c56fb4bc5f0	1338	*size = n;
nexpaq	0:6c56fb4bc5f0	1339	*buf = p;
nexpaq	0:6c56fb4bc5f0	1340
nexpaq	0:6c56fb4bc5f0	1341	return( 0 );
nexpaq	0:6c56fb4bc5f0	1342	}
nexpaq	0:6c56fb4bc5f0	1343
nexpaq	0:6c56fb4bc5f0	1344	/*
nexpaq	0:6c56fb4bc5f0	1345	* Return an informational string about the certificate.
nexpaq	0:6c56fb4bc5f0	1346	*/
nexpaq	0:6c56fb4bc5f0	1347	#define BEFORE_COLON 18
nexpaq	0:6c56fb4bc5f0	1348	#define BC "18"
nexpaq	0:6c56fb4bc5f0	1349	int mbedtls_x509_crt_info( char buf, size_t size, const char prefix,
nexpaq	0:6c56fb4bc5f0	1350	const mbedtls_x509_crt *crt )
nexpaq	0:6c56fb4bc5f0	1351	{
nexpaq	0:6c56fb4bc5f0	1352	int ret;
nexpaq	0:6c56fb4bc5f0	1353	size_t n;
nexpaq	0:6c56fb4bc5f0	1354	char *p;
nexpaq	0:6c56fb4bc5f0	1355	char key_size_str[BEFORE_COLON];
nexpaq	0:6c56fb4bc5f0	1356
nexpaq	0:6c56fb4bc5f0	1357	p = buf;
nexpaq	0:6c56fb4bc5f0	1358	n = size;
nexpaq	0:6c56fb4bc5f0	1359
nexpaq	0:6c56fb4bc5f0	1360	if( NULL == crt )
nexpaq	0:6c56fb4bc5f0	1361	{
nexpaq	0:6c56fb4bc5f0	1362	ret = mbedtls_snprintf( p, n, "\nCertificate is uninitialised!\n" );
nexpaq	0:6c56fb4bc5f0	1363	MBEDTLS_X509_SAFE_SNPRINTF;
nexpaq	0:6c56fb4bc5f0	1364
nexpaq	0:6c56fb4bc5f0	1365	return( (int) ( size - n ) );
nexpaq	0:6c56fb4bc5f0	1366	}
nexpaq	0:6c56fb4bc5f0	1367
nexpaq	0:6c56fb4bc5f0	1368	ret = mbedtls_snprintf( p, n, "%scert. version : %d\n",
nexpaq	0:6c56fb4bc5f0	1369	prefix, crt->version );
nexpaq	0:6c56fb4bc5f0	1370	MBEDTLS_X509_SAFE_SNPRINTF;
nexpaq	0:6c56fb4bc5f0	1371	ret = mbedtls_snprintf( p, n, "%sserial number : ",
nexpaq	0:6c56fb4bc5f0	1372	prefix );
nexpaq	0:6c56fb4bc5f0	1373	MBEDTLS_X509_SAFE_SNPRINTF;
nexpaq	0:6c56fb4bc5f0	1374
nexpaq	0:6c56fb4bc5f0	1375	ret = mbedtls_x509_serial_gets( p, n, &crt->serial );
nexpaq	0:6c56fb4bc5f0	1376	MBEDTLS_X509_SAFE_SNPRINTF;
nexpaq	0:6c56fb4bc5f0	1377
nexpaq	0:6c56fb4bc5f0	1378	ret = mbedtls_snprintf( p, n, "\n%sissuer name : ", prefix );
nexpaq	0:6c56fb4bc5f0	1379	MBEDTLS_X509_SAFE_SNPRINTF;
nexpaq	0:6c56fb4bc5f0	1380	ret = mbedtls_x509_dn_gets( p, n, &crt->issuer );
nexpaq	0:6c56fb4bc5f0	1381	MBEDTLS_X509_SAFE_SNPRINTF;
nexpaq	0:6c56fb4bc5f0	1382
nexpaq	0:6c56fb4bc5f0	1383	ret = mbedtls_snprintf( p, n, "\n%ssubject name : ", prefix );
nexpaq	0:6c56fb4bc5f0	1384	MBEDTLS_X509_SAFE_SNPRINTF;
nexpaq	0:6c56fb4bc5f0	1385	ret = mbedtls_x509_dn_gets( p, n, &crt->subject );
nexpaq	0:6c56fb4bc5f0	1386	MBEDTLS_X509_SAFE_SNPRINTF;
nexpaq	0:6c56fb4bc5f0	1387
nexpaq	0:6c56fb4bc5f0	1388	ret = mbedtls_snprintf( p, n, "\n%sissued on : " \
nexpaq	0:6c56fb4bc5f0	1389	"%04d-%02d-%02d %02d:%02d:%02d", prefix,
nexpaq	0:6c56fb4bc5f0	1390	crt->valid_from.year, crt->valid_from.mon,
nexpaq	0:6c56fb4bc5f0	1391	crt->valid_from.day, crt->valid_from.hour,
nexpaq	0:6c56fb4bc5f0	1392	crt->valid_from.min, crt->valid_from.sec );
nexpaq	0:6c56fb4bc5f0	1393	MBEDTLS_X509_SAFE_SNPRINTF;
nexpaq	0:6c56fb4bc5f0	1394
nexpaq	0:6c56fb4bc5f0	1395	ret = mbedtls_snprintf( p, n, "\n%sexpires on : " \
nexpaq	0:6c56fb4bc5f0	1396	"%04d-%02d-%02d %02d:%02d:%02d", prefix,
nexpaq	0:6c56fb4bc5f0	1397	crt->valid_to.year, crt->valid_to.mon,
nexpaq	0:6c56fb4bc5f0	1398	crt->valid_to.day, crt->valid_to.hour,
nexpaq	0:6c56fb4bc5f0	1399	crt->valid_to.min, crt->valid_to.sec );
nexpaq	0:6c56fb4bc5f0	1400	MBEDTLS_X509_SAFE_SNPRINTF;
nexpaq	0:6c56fb4bc5f0	1401
nexpaq	0:6c56fb4bc5f0	1402	ret = mbedtls_snprintf( p, n, "\n%ssigned using : ", prefix );
nexpaq	0:6c56fb4bc5f0	1403	MBEDTLS_X509_SAFE_SNPRINTF;
nexpaq	0:6c56fb4bc5f0	1404
nexpaq	0:6c56fb4bc5f0	1405	ret = mbedtls_x509_sig_alg_gets( p, n, &crt->sig_oid, crt->sig_pk,
nexpaq	0:6c56fb4bc5f0	1406	crt->sig_md, crt->sig_opts );
nexpaq	0:6c56fb4bc5f0	1407	MBEDTLS_X509_SAFE_SNPRINTF;
nexpaq	0:6c56fb4bc5f0	1408
nexpaq	0:6c56fb4bc5f0	1409	/* Key size */
nexpaq	0:6c56fb4bc5f0	1410	if( ( ret = mbedtls_x509_key_size_helper( key_size_str, BEFORE_COLON,
nexpaq	0:6c56fb4bc5f0	1411	mbedtls_pk_get_name( &crt->pk ) ) ) != 0 )
nexpaq	0:6c56fb4bc5f0	1412	{
nexpaq	0:6c56fb4bc5f0	1413	return( ret );
nexpaq	0:6c56fb4bc5f0	1414	}
nexpaq	0:6c56fb4bc5f0	1415
nexpaq	0:6c56fb4bc5f0	1416	ret = mbedtls_snprintf( p, n, "\n%s%-" BC "s: %d bits", prefix, key_size_str,
nexpaq	0:6c56fb4bc5f0	1417	(int) mbedtls_pk_get_bitlen( &crt->pk ) );
nexpaq	0:6c56fb4bc5f0	1418	MBEDTLS_X509_SAFE_SNPRINTF;
nexpaq	0:6c56fb4bc5f0	1419
nexpaq	0:6c56fb4bc5f0	1420	/*
nexpaq	0:6c56fb4bc5f0	1421	* Optional extensions
nexpaq	0:6c56fb4bc5f0	1422	*/
nexpaq	0:6c56fb4bc5f0	1423
nexpaq	0:6c56fb4bc5f0	1424	if( crt->ext_types & MBEDTLS_X509_EXT_BASIC_CONSTRAINTS )
nexpaq	0:6c56fb4bc5f0	1425	{
nexpaq	0:6c56fb4bc5f0	1426	ret = mbedtls_snprintf( p, n, "\n%sbasic constraints : CA=%s", prefix,
nexpaq	0:6c56fb4bc5f0	1427	crt->ca_istrue ? "true" : "false" );
nexpaq	0:6c56fb4bc5f0	1428	MBEDTLS_X509_SAFE_SNPRINTF;
nexpaq	0:6c56fb4bc5f0	1429
nexpaq	0:6c56fb4bc5f0	1430	if( crt->max_pathlen > 0 )
nexpaq	0:6c56fb4bc5f0	1431	{
nexpaq	0:6c56fb4bc5f0	1432	ret = mbedtls_snprintf( p, n, ", max_pathlen=%d", crt->max_pathlen - 1 );
nexpaq	0:6c56fb4bc5f0	1433	MBEDTLS_X509_SAFE_SNPRINTF;
nexpaq	0:6c56fb4bc5f0	1434	}
nexpaq	0:6c56fb4bc5f0	1435	}
nexpaq	0:6c56fb4bc5f0	1436
nexpaq	0:6c56fb4bc5f0	1437	if( crt->ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME )
nexpaq	0:6c56fb4bc5f0	1438	{
nexpaq	0:6c56fb4bc5f0	1439	ret = mbedtls_snprintf( p, n, "\n%ssubject alt name : ", prefix );
nexpaq	0:6c56fb4bc5f0	1440	MBEDTLS_X509_SAFE_SNPRINTF;
nexpaq	0:6c56fb4bc5f0	1441
nexpaq	0:6c56fb4bc5f0	1442	if( ( ret = x509_info_subject_alt_name( &p, &n,
nexpaq	0:6c56fb4bc5f0	1443	&crt->subject_alt_names ) ) != 0 )
nexpaq	0:6c56fb4bc5f0	1444	return( ret );
nexpaq	0:6c56fb4bc5f0	1445	}
nexpaq	0:6c56fb4bc5f0	1446
nexpaq	0:6c56fb4bc5f0	1447	if( crt->ext_types & MBEDTLS_X509_EXT_NS_CERT_TYPE )
nexpaq	0:6c56fb4bc5f0	1448	{
nexpaq	0:6c56fb4bc5f0	1449	ret = mbedtls_snprintf( p, n, "\n%scert. type : ", prefix );
nexpaq	0:6c56fb4bc5f0	1450	MBEDTLS_X509_SAFE_SNPRINTF;
nexpaq	0:6c56fb4bc5f0	1451
nexpaq	0:6c56fb4bc5f0	1452	if( ( ret = x509_info_cert_type( &p, &n, crt->ns_cert_type ) ) != 0 )
nexpaq	0:6c56fb4bc5f0	1453	return( ret );
nexpaq	0:6c56fb4bc5f0	1454	}
nexpaq	0:6c56fb4bc5f0	1455
nexpaq	0:6c56fb4bc5f0	1456	if( crt->ext_types & MBEDTLS_X509_EXT_KEY_USAGE )
nexpaq	0:6c56fb4bc5f0	1457	{
nexpaq	0:6c56fb4bc5f0	1458	ret = mbedtls_snprintf( p, n, "\n%skey usage : ", prefix );
nexpaq	0:6c56fb4bc5f0	1459	MBEDTLS_X509_SAFE_SNPRINTF;
nexpaq	0:6c56fb4bc5f0	1460
nexpaq	0:6c56fb4bc5f0	1461	if( ( ret = x509_info_key_usage( &p, &n, crt->key_usage ) ) != 0 )
nexpaq	0:6c56fb4bc5f0	1462	return( ret );
nexpaq	0:6c56fb4bc5f0	1463	}
nexpaq	0:6c56fb4bc5f0	1464
nexpaq	0:6c56fb4bc5f0	1465	if( crt->ext_types & MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE )
nexpaq	0:6c56fb4bc5f0	1466	{
nexpaq	0:6c56fb4bc5f0	1467	ret = mbedtls_snprintf( p, n, "\n%sext key usage : ", prefix );
nexpaq	0:6c56fb4bc5f0	1468	MBEDTLS_X509_SAFE_SNPRINTF;
nexpaq	0:6c56fb4bc5f0	1469
nexpaq	0:6c56fb4bc5f0	1470	if( ( ret = x509_info_ext_key_usage( &p, &n,
nexpaq	0:6c56fb4bc5f0	1471	&crt->ext_key_usage ) ) != 0 )
nexpaq	0:6c56fb4bc5f0	1472	return( ret );
nexpaq	0:6c56fb4bc5f0	1473	}
nexpaq	0:6c56fb4bc5f0	1474
nexpaq	0:6c56fb4bc5f0	1475	ret = mbedtls_snprintf( p, n, "\n" );
nexpaq	0:6c56fb4bc5f0	1476	MBEDTLS_X509_SAFE_SNPRINTF;
nexpaq	0:6c56fb4bc5f0	1477
nexpaq	0:6c56fb4bc5f0	1478	return( (int) ( size - n ) );
nexpaq	0:6c56fb4bc5f0	1479	}
nexpaq	0:6c56fb4bc5f0	1480
nexpaq	0:6c56fb4bc5f0	1481	struct x509_crt_verify_string {
nexpaq	0:6c56fb4bc5f0	1482	int code;
nexpaq	0:6c56fb4bc5f0	1483	const char *string;
nexpaq	0:6c56fb4bc5f0	1484	};
nexpaq	0:6c56fb4bc5f0	1485
nexpaq	0:6c56fb4bc5f0	1486	static const struct x509_crt_verify_string x509_crt_verify_strings[] = {
nexpaq	0:6c56fb4bc5f0	1487	{ MBEDTLS_X509_BADCERT_EXPIRED, "The certificate validity has expired" },
nexpaq	0:6c56fb4bc5f0	1488	{ MBEDTLS_X509_BADCERT_REVOKED, "The certificate has been revoked (is on a CRL)" },
nexpaq	0:6c56fb4bc5f0	1489	{ MBEDTLS_X509_BADCERT_CN_MISMATCH, "The certificate Common Name (CN) does not match with the expected CN" },
nexpaq	0:6c56fb4bc5f0	1490	{ MBEDTLS_X509_BADCERT_NOT_TRUSTED, "The certificate is not correctly signed by the trusted CA" },
nexpaq	0:6c56fb4bc5f0	1491	{ MBEDTLS_X509_BADCRL_NOT_TRUSTED, "The CRL is not correctly signed by the trusted CA" },
nexpaq	0:6c56fb4bc5f0	1492	{ MBEDTLS_X509_BADCRL_EXPIRED, "The CRL is expired" },
nexpaq	0:6c56fb4bc5f0	1493	{ MBEDTLS_X509_BADCERT_MISSING, "Certificate was missing" },
nexpaq	0:6c56fb4bc5f0	1494	{ MBEDTLS_X509_BADCERT_SKIP_VERIFY, "Certificate verification was skipped" },
nexpaq	0:6c56fb4bc5f0	1495	{ MBEDTLS_X509_BADCERT_OTHER, "Other reason (can be used by verify callback)" },
nexpaq	0:6c56fb4bc5f0	1496	{ MBEDTLS_X509_BADCERT_FUTURE, "The certificate validity starts in the future" },
nexpaq	0:6c56fb4bc5f0	1497	{ MBEDTLS_X509_BADCRL_FUTURE, "The CRL is from the future" },
nexpaq	0:6c56fb4bc5f0	1498	{ MBEDTLS_X509_BADCERT_KEY_USAGE, "Usage does not match the keyUsage extension" },
nexpaq	0:6c56fb4bc5f0	1499	{ MBEDTLS_X509_BADCERT_EXT_KEY_USAGE, "Usage does not match the extendedKeyUsage extension" },
nexpaq	0:6c56fb4bc5f0	1500	{ MBEDTLS_X509_BADCERT_NS_CERT_TYPE, "Usage does not match the nsCertType extension" },
nexpaq	0:6c56fb4bc5f0	1501	{ MBEDTLS_X509_BADCERT_BAD_MD, "The certificate is signed with an unacceptable hash." },
nexpaq	0:6c56fb4bc5f0	1502	{ MBEDTLS_X509_BADCERT_BAD_PK, "The certificate is signed with an unacceptable PK alg (eg RSA vs ECDSA)." },
nexpaq	0:6c56fb4bc5f0	1503	{ MBEDTLS_X509_BADCERT_BAD_KEY, "The certificate is signed with an unacceptable key (eg bad curve, RSA too short)." },
nexpaq	0:6c56fb4bc5f0	1504	{ MBEDTLS_X509_BADCRL_BAD_MD, "The CRL is signed with an unacceptable hash." },
nexpaq	0:6c56fb4bc5f0	1505	{ MBEDTLS_X509_BADCRL_BAD_PK, "The CRL is signed with an unacceptable PK alg (eg RSA vs ECDSA)." },
nexpaq	0:6c56fb4bc5f0	1506	{ MBEDTLS_X509_BADCRL_BAD_KEY, "The CRL is signed with an unacceptable key (eg bad curve, RSA too short)." },
nexpaq	0:6c56fb4bc5f0	1507	{ 0, NULL }
nexpaq	0:6c56fb4bc5f0	1508	};
nexpaq	0:6c56fb4bc5f0	1509
nexpaq	0:6c56fb4bc5f0	1510	int mbedtls_x509_crt_verify_info( char buf, size_t size, const char prefix,
nexpaq	0:6c56fb4bc5f0	1511	uint32_t flags )
nexpaq	0:6c56fb4bc5f0	1512	{
nexpaq	0:6c56fb4bc5f0	1513	int ret;
nexpaq	0:6c56fb4bc5f0	1514	const struct x509_crt_verify_string *cur;
nexpaq	0:6c56fb4bc5f0	1515	char *p = buf;
nexpaq	0:6c56fb4bc5f0	1516	size_t n = size;
nexpaq	0:6c56fb4bc5f0	1517
nexpaq	0:6c56fb4bc5f0	1518	for( cur = x509_crt_verify_strings; cur->string != NULL ; cur++ )
nexpaq	0:6c56fb4bc5f0	1519	{
nexpaq	0:6c56fb4bc5f0	1520	if( ( flags & cur->code ) == 0 )
nexpaq	0:6c56fb4bc5f0	1521	continue;
nexpaq	0:6c56fb4bc5f0	1522
nexpaq	0:6c56fb4bc5f0	1523	ret = mbedtls_snprintf( p, n, "%s%s\n", prefix, cur->string );
nexpaq	0:6c56fb4bc5f0	1524	MBEDTLS_X509_SAFE_SNPRINTF;
nexpaq	0:6c56fb4bc5f0	1525	flags ^= cur->code;
nexpaq	0:6c56fb4bc5f0	1526	}
nexpaq	0:6c56fb4bc5f0	1527
nexpaq	0:6c56fb4bc5f0	1528	if( flags != 0 )
nexpaq	0:6c56fb4bc5f0	1529	{
nexpaq	0:6c56fb4bc5f0	1530	ret = mbedtls_snprintf( p, n, "%sUnknown reason "
nexpaq	0:6c56fb4bc5f0	1531	"(this should not happen)\n", prefix );
nexpaq	0:6c56fb4bc5f0	1532	MBEDTLS_X509_SAFE_SNPRINTF;
nexpaq	0:6c56fb4bc5f0	1533	}
nexpaq	0:6c56fb4bc5f0	1534
nexpaq	0:6c56fb4bc5f0	1535	return( (int) ( size - n ) );
nexpaq	0:6c56fb4bc5f0	1536	}
nexpaq	0:6c56fb4bc5f0	1537
nexpaq	0:6c56fb4bc5f0	1538	#if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
nexpaq	0:6c56fb4bc5f0	1539	int mbedtls_x509_crt_check_key_usage( const mbedtls_x509_crt *crt,
nexpaq	0:6c56fb4bc5f0	1540	unsigned int usage )
nexpaq	0:6c56fb4bc5f0	1541	{
nexpaq	0:6c56fb4bc5f0	1542	unsigned int usage_must, usage_may;
nexpaq	0:6c56fb4bc5f0	1543	unsigned int may_mask = MBEDTLS_X509_KU_ENCIPHER_ONLY
nexpaq	0:6c56fb4bc5f0	1544	\| MBEDTLS_X509_KU_DECIPHER_ONLY;
nexpaq	0:6c56fb4bc5f0	1545
nexpaq	0:6c56fb4bc5f0	1546	if( ( crt->ext_types & MBEDTLS_X509_EXT_KEY_USAGE ) == 0 )
nexpaq	0:6c56fb4bc5f0	1547	return( 0 );
nexpaq	0:6c56fb4bc5f0	1548
nexpaq	0:6c56fb4bc5f0	1549	usage_must = usage & ~may_mask;
nexpaq	0:6c56fb4bc5f0	1550
nexpaq	0:6c56fb4bc5f0	1551	if( ( ( crt->key_usage & ~may_mask ) & usage_must ) != usage_must )
nexpaq	0:6c56fb4bc5f0	1552	return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
nexpaq	0:6c56fb4bc5f0	1553
nexpaq	0:6c56fb4bc5f0	1554	usage_may = usage & may_mask;
nexpaq	0:6c56fb4bc5f0	1555
nexpaq	0:6c56fb4bc5f0	1556	if( ( ( crt->key_usage & may_mask ) \| usage_may ) != usage_may )
nexpaq	0:6c56fb4bc5f0	1557	return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
nexpaq	0:6c56fb4bc5f0	1558
nexpaq	0:6c56fb4bc5f0	1559	return( 0 );
nexpaq	0:6c56fb4bc5f0	1560	}
nexpaq	0:6c56fb4bc5f0	1561	#endif
nexpaq	0:6c56fb4bc5f0	1562
nexpaq	0:6c56fb4bc5f0	1563	#if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
nexpaq	0:6c56fb4bc5f0	1564	int mbedtls_x509_crt_check_extended_key_usage( const mbedtls_x509_crt *crt,
nexpaq	0:6c56fb4bc5f0	1565	const char *usage_oid,
nexpaq	0:6c56fb4bc5f0	1566	size_t usage_len )
nexpaq	0:6c56fb4bc5f0	1567	{
nexpaq	0:6c56fb4bc5f0	1568	const mbedtls_x509_sequence *cur;
nexpaq	0:6c56fb4bc5f0	1569
nexpaq	0:6c56fb4bc5f0	1570	/* Extension is not mandatory, absent means no restriction */
nexpaq	0:6c56fb4bc5f0	1571	if( ( crt->ext_types & MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE ) == 0 )
nexpaq	0:6c56fb4bc5f0	1572	return( 0 );
nexpaq	0:6c56fb4bc5f0	1573
nexpaq	0:6c56fb4bc5f0	1574	/*
nexpaq	0:6c56fb4bc5f0	1575	* Look for the requested usage (or wildcard ANY) in our list
nexpaq	0:6c56fb4bc5f0	1576	*/
nexpaq	0:6c56fb4bc5f0	1577	for( cur = &crt->ext_key_usage; cur != NULL; cur = cur->next )
nexpaq	0:6c56fb4bc5f0	1578	{
nexpaq	0:6c56fb4bc5f0	1579	const mbedtls_x509_buf *cur_oid = &cur->buf;
nexpaq	0:6c56fb4bc5f0	1580
nexpaq	0:6c56fb4bc5f0	1581	if( cur_oid->len == usage_len &&
nexpaq	0:6c56fb4bc5f0	1582	memcmp( cur_oid->p, usage_oid, usage_len ) == 0 )
nexpaq	0:6c56fb4bc5f0	1583	{
nexpaq	0:6c56fb4bc5f0	1584	return( 0 );
nexpaq	0:6c56fb4bc5f0	1585	}
nexpaq	0:6c56fb4bc5f0	1586
nexpaq	0:6c56fb4bc5f0	1587	if( MBEDTLS_OID_CMP( MBEDTLS_OID_ANY_EXTENDED_KEY_USAGE, cur_oid ) == 0 )
nexpaq	0:6c56fb4bc5f0	1588	return( 0 );
nexpaq	0:6c56fb4bc5f0	1589	}
nexpaq	0:6c56fb4bc5f0	1590
nexpaq	0:6c56fb4bc5f0	1591	return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
nexpaq	0:6c56fb4bc5f0	1592	}
nexpaq	0:6c56fb4bc5f0	1593	#endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE */
nexpaq	0:6c56fb4bc5f0	1594
nexpaq	0:6c56fb4bc5f0	1595	#if defined(MBEDTLS_X509_CRL_PARSE_C)
nexpaq	0:6c56fb4bc5f0	1596	/*
nexpaq	0:6c56fb4bc5f0	1597	* Return 1 if the certificate is revoked, or 0 otherwise.
nexpaq	0:6c56fb4bc5f0	1598	*/
nexpaq	0:6c56fb4bc5f0	1599	int mbedtls_x509_crt_is_revoked( const mbedtls_x509_crt crt, const mbedtls_x509_crl crl )
nexpaq	0:6c56fb4bc5f0	1600	{
nexpaq	0:6c56fb4bc5f0	1601	const mbedtls_x509_crl_entry *cur = &crl->entry;
nexpaq	0:6c56fb4bc5f0	1602
nexpaq	0:6c56fb4bc5f0	1603	while( cur != NULL && cur->serial.len != 0 )
nexpaq	0:6c56fb4bc5f0	1604	{
nexpaq	0:6c56fb4bc5f0	1605	if( crt->serial.len == cur->serial.len &&
nexpaq	0:6c56fb4bc5f0	1606	memcmp( crt->serial.p, cur->serial.p, crt->serial.len ) == 0 )
nexpaq	0:6c56fb4bc5f0	1607	{
nexpaq	0:6c56fb4bc5f0	1608	if( mbedtls_x509_time_is_past( &cur->revocation_date ) )
nexpaq	0:6c56fb4bc5f0	1609	return( 1 );
nexpaq	0:6c56fb4bc5f0	1610	}
nexpaq	0:6c56fb4bc5f0	1611
nexpaq	0:6c56fb4bc5f0	1612	cur = cur->next;
nexpaq	0:6c56fb4bc5f0	1613	}
nexpaq	0:6c56fb4bc5f0	1614
nexpaq	0:6c56fb4bc5f0	1615	return( 0 );
nexpaq	0:6c56fb4bc5f0	1616	}
nexpaq	0:6c56fb4bc5f0	1617
nexpaq	0:6c56fb4bc5f0	1618	/*
nexpaq	0:6c56fb4bc5f0	1619	* Check that the given certificate is not revoked according to the CRL.
nexpaq	0:6c56fb4bc5f0	1620	* Skip validation is no CRL for the given CA is present.
nexpaq	0:6c56fb4bc5f0	1621	*/
nexpaq	0:6c56fb4bc5f0	1622	static int x509_crt_verifycrl( mbedtls_x509_crt crt, mbedtls_x509_crt ca,
nexpaq	0:6c56fb4bc5f0	1623	mbedtls_x509_crl *crl_list,
nexpaq	0:6c56fb4bc5f0	1624	const mbedtls_x509_crt_profile *profile )
nexpaq	0:6c56fb4bc5f0	1625	{
nexpaq	0:6c56fb4bc5f0	1626	int flags = 0;
nexpaq	0:6c56fb4bc5f0	1627	unsigned char hash[MBEDTLS_MD_MAX_SIZE];
nexpaq	0:6c56fb4bc5f0	1628	const mbedtls_md_info_t *md_info;
nexpaq	0:6c56fb4bc5f0	1629
nexpaq	0:6c56fb4bc5f0	1630	if( ca == NULL )
nexpaq	0:6c56fb4bc5f0	1631	return( flags );
nexpaq	0:6c56fb4bc5f0	1632
nexpaq	0:6c56fb4bc5f0	1633	while( crl_list != NULL )
nexpaq	0:6c56fb4bc5f0	1634	{
nexpaq	0:6c56fb4bc5f0	1635	if( crl_list->version == 0 \|\|
nexpaq	0:6c56fb4bc5f0	1636	crl_list->issuer_raw.len != ca->subject_raw.len \|\|
nexpaq	0:6c56fb4bc5f0	1637	memcmp( crl_list->issuer_raw.p, ca->subject_raw.p,
nexpaq	0:6c56fb4bc5f0	1638	crl_list->issuer_raw.len ) != 0 )
nexpaq	0:6c56fb4bc5f0	1639	{
nexpaq	0:6c56fb4bc5f0	1640	crl_list = crl_list->next;
nexpaq	0:6c56fb4bc5f0	1641	continue;
nexpaq	0:6c56fb4bc5f0	1642	}
nexpaq	0:6c56fb4bc5f0	1643
nexpaq	0:6c56fb4bc5f0	1644	/*
nexpaq	0:6c56fb4bc5f0	1645	* Check if the CA is configured to sign CRLs
nexpaq	0:6c56fb4bc5f0	1646	*/
nexpaq	0:6c56fb4bc5f0	1647	#if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
nexpaq	0:6c56fb4bc5f0	1648	if( mbedtls_x509_crt_check_key_usage( ca, MBEDTLS_X509_KU_CRL_SIGN ) != 0 )
nexpaq	0:6c56fb4bc5f0	1649	{
nexpaq	0:6c56fb4bc5f0	1650	flags \|= MBEDTLS_X509_BADCRL_NOT_TRUSTED;
nexpaq	0:6c56fb4bc5f0	1651	break;
nexpaq	0:6c56fb4bc5f0	1652	}
nexpaq	0:6c56fb4bc5f0	1653	#endif
nexpaq	0:6c56fb4bc5f0	1654
nexpaq	0:6c56fb4bc5f0	1655	/*
nexpaq	0:6c56fb4bc5f0	1656	* Check if CRL is correctly signed by the trusted CA
nexpaq	0:6c56fb4bc5f0	1657	*/
nexpaq	0:6c56fb4bc5f0	1658	if( x509_profile_check_md_alg( profile, crl_list->sig_md ) != 0 )
nexpaq	0:6c56fb4bc5f0	1659	flags \|= MBEDTLS_X509_BADCRL_BAD_MD;
nexpaq	0:6c56fb4bc5f0	1660
nexpaq	0:6c56fb4bc5f0	1661	if( x509_profile_check_pk_alg( profile, crl_list->sig_pk ) != 0 )
nexpaq	0:6c56fb4bc5f0	1662	flags \|= MBEDTLS_X509_BADCRL_BAD_PK;
nexpaq	0:6c56fb4bc5f0	1663
nexpaq	0:6c56fb4bc5f0	1664	md_info = mbedtls_md_info_from_type( crl_list->sig_md );
nexpaq	0:6c56fb4bc5f0	1665	if( md_info == NULL )
nexpaq	0:6c56fb4bc5f0	1666	{
nexpaq	0:6c56fb4bc5f0	1667	/*
nexpaq	0:6c56fb4bc5f0	1668	* Cannot check 'unknown' hash
nexpaq	0:6c56fb4bc5f0	1669	*/
nexpaq	0:6c56fb4bc5f0	1670	flags \|= MBEDTLS_X509_BADCRL_NOT_TRUSTED;
nexpaq	0:6c56fb4bc5f0	1671	break;
nexpaq	0:6c56fb4bc5f0	1672	}
nexpaq	0:6c56fb4bc5f0	1673
nexpaq	0:6c56fb4bc5f0	1674	mbedtls_md( md_info, crl_list->tbs.p, crl_list->tbs.len, hash );
nexpaq	0:6c56fb4bc5f0	1675
nexpaq	0:6c56fb4bc5f0	1676	if( x509_profile_check_key( profile, crl_list->sig_pk, &ca->pk ) != 0 )
nexpaq	0:6c56fb4bc5f0	1677	flags \|= MBEDTLS_X509_BADCERT_BAD_KEY;
nexpaq	0:6c56fb4bc5f0	1678
nexpaq	0:6c56fb4bc5f0	1679	if( mbedtls_pk_verify_ext( crl_list->sig_pk, crl_list->sig_opts, &ca->pk,
nexpaq	0:6c56fb4bc5f0	1680	crl_list->sig_md, hash, mbedtls_md_get_size( md_info ),
nexpaq	0:6c56fb4bc5f0	1681	crl_list->sig.p, crl_list->sig.len ) != 0 )
nexpaq	0:6c56fb4bc5f0	1682	{
nexpaq	0:6c56fb4bc5f0	1683	flags \|= MBEDTLS_X509_BADCRL_NOT_TRUSTED;
nexpaq	0:6c56fb4bc5f0	1684	break;
nexpaq	0:6c56fb4bc5f0	1685	}
nexpaq	0:6c56fb4bc5f0	1686
nexpaq	0:6c56fb4bc5f0	1687	/*
nexpaq	0:6c56fb4bc5f0	1688	* Check for validity of CRL (Do not drop out)
nexpaq	0:6c56fb4bc5f0	1689	*/
nexpaq	0:6c56fb4bc5f0	1690	if( mbedtls_x509_time_is_past( &crl_list->next_update ) )
nexpaq	0:6c56fb4bc5f0	1691	flags \|= MBEDTLS_X509_BADCRL_EXPIRED;
nexpaq	0:6c56fb4bc5f0	1692
nexpaq	0:6c56fb4bc5f0	1693	if( mbedtls_x509_time_is_future( &crl_list->this_update ) )
nexpaq	0:6c56fb4bc5f0	1694	flags \|= MBEDTLS_X509_BADCRL_FUTURE;
nexpaq	0:6c56fb4bc5f0	1695
nexpaq	0:6c56fb4bc5f0	1696	/*
nexpaq	0:6c56fb4bc5f0	1697	* Check if certificate is revoked
nexpaq	0:6c56fb4bc5f0	1698	*/
nexpaq	0:6c56fb4bc5f0	1699	if( mbedtls_x509_crt_is_revoked( crt, crl_list ) )
nexpaq	0:6c56fb4bc5f0	1700	{
nexpaq	0:6c56fb4bc5f0	1701	flags \|= MBEDTLS_X509_BADCERT_REVOKED;
nexpaq	0:6c56fb4bc5f0	1702	break;
nexpaq	0:6c56fb4bc5f0	1703	}
nexpaq	0:6c56fb4bc5f0	1704
nexpaq	0:6c56fb4bc5f0	1705	crl_list = crl_list->next;
nexpaq	0:6c56fb4bc5f0	1706	}
nexpaq	0:6c56fb4bc5f0	1707
nexpaq	0:6c56fb4bc5f0	1708	return( flags );
nexpaq	0:6c56fb4bc5f0	1709	}
nexpaq	0:6c56fb4bc5f0	1710	#endif /* MBEDTLS_X509_CRL_PARSE_C */
nexpaq	0:6c56fb4bc5f0	1711
nexpaq	0:6c56fb4bc5f0	1712	/*
nexpaq	0:6c56fb4bc5f0	1713	* Like memcmp, but case-insensitive and always returns -1 if different
nexpaq	0:6c56fb4bc5f0	1714	*/
nexpaq	0:6c56fb4bc5f0	1715	static int x509_memcasecmp( const void s1, const void s2, size_t len )
nexpaq	0:6c56fb4bc5f0	1716	{
nexpaq	0:6c56fb4bc5f0	1717	size_t i;
nexpaq	0:6c56fb4bc5f0	1718	unsigned char diff;
nexpaq	0:6c56fb4bc5f0	1719	const unsigned char n1 = s1, n2 = s2;
nexpaq	0:6c56fb4bc5f0	1720
nexpaq	0:6c56fb4bc5f0	1721	for( i = 0; i < len; i++ )
nexpaq	0:6c56fb4bc5f0	1722	{
nexpaq	0:6c56fb4bc5f0	1723	diff = n1[i] ^ n2[i];
nexpaq	0:6c56fb4bc5f0	1724
nexpaq	0:6c56fb4bc5f0	1725	if( diff == 0 )
nexpaq	0:6c56fb4bc5f0	1726	continue;
nexpaq	0:6c56fb4bc5f0	1727
nexpaq	0:6c56fb4bc5f0	1728	if( diff == 32 &&
nexpaq	0:6c56fb4bc5f0	1729	( ( n1[i] >= 'a' && n1[i] <= 'z' ) \|\|
nexpaq	0:6c56fb4bc5f0	1730	( n1[i] >= 'A' && n1[i] <= 'Z' ) ) )
nexpaq	0:6c56fb4bc5f0	1731	{
nexpaq	0:6c56fb4bc5f0	1732	continue;
nexpaq	0:6c56fb4bc5f0	1733	}
nexpaq	0:6c56fb4bc5f0	1734
nexpaq	0:6c56fb4bc5f0	1735	return( -1 );
nexpaq	0:6c56fb4bc5f0	1736	}
nexpaq	0:6c56fb4bc5f0	1737
nexpaq	0:6c56fb4bc5f0	1738	return( 0 );
nexpaq	0:6c56fb4bc5f0	1739	}
nexpaq	0:6c56fb4bc5f0	1740
nexpaq	0:6c56fb4bc5f0	1741	/*
nexpaq	0:6c56fb4bc5f0	1742	* Return 0 if name matches wildcard, -1 otherwise
nexpaq	0:6c56fb4bc5f0	1743	*/
nexpaq	0:6c56fb4bc5f0	1744	static int x509_check_wildcard( const char cn, mbedtls_x509_buf name )
nexpaq	0:6c56fb4bc5f0	1745	{
nexpaq	0:6c56fb4bc5f0	1746	size_t i;
nexpaq	0:6c56fb4bc5f0	1747	size_t cn_idx = 0, cn_len = strlen( cn );
nexpaq	0:6c56fb4bc5f0	1748
nexpaq	0:6c56fb4bc5f0	1749	if( name->len < 3 \|\| name->p[0] != '*' \|\| name->p[1] != '.' )
nexpaq	0:6c56fb4bc5f0	1750	return( 0 );
nexpaq	0:6c56fb4bc5f0	1751
nexpaq	0:6c56fb4bc5f0	1752	for( i = 0; i < cn_len; ++i )
nexpaq	0:6c56fb4bc5f0	1753	{
nexpaq	0:6c56fb4bc5f0	1754	if( cn[i] == '.' )
nexpaq	0:6c56fb4bc5f0	1755	{
nexpaq	0:6c56fb4bc5f0	1756	cn_idx = i;
nexpaq	0:6c56fb4bc5f0	1757	break;
nexpaq	0:6c56fb4bc5f0	1758	}
nexpaq	0:6c56fb4bc5f0	1759	}
nexpaq	0:6c56fb4bc5f0	1760
nexpaq	0:6c56fb4bc5f0	1761	if( cn_idx == 0 )
nexpaq	0:6c56fb4bc5f0	1762	return( -1 );
nexpaq	0:6c56fb4bc5f0	1763
nexpaq	0:6c56fb4bc5f0	1764	if( cn_len - cn_idx == name->len - 1 &&
nexpaq	0:6c56fb4bc5f0	1765	x509_memcasecmp( name->p + 1, cn + cn_idx, name->len - 1 ) == 0 )
nexpaq	0:6c56fb4bc5f0	1766	{
nexpaq	0:6c56fb4bc5f0	1767	return( 0 );
nexpaq	0:6c56fb4bc5f0	1768	}
nexpaq	0:6c56fb4bc5f0	1769
nexpaq	0:6c56fb4bc5f0	1770	return( -1 );
nexpaq	0:6c56fb4bc5f0	1771	}
nexpaq	0:6c56fb4bc5f0	1772
nexpaq	0:6c56fb4bc5f0	1773	/*
nexpaq	0:6c56fb4bc5f0	1774	* Compare two X.509 strings, case-insensitive, and allowing for some encoding
nexpaq	0:6c56fb4bc5f0	1775	* variations (but not all).
nexpaq	0:6c56fb4bc5f0	1776	*
nexpaq	0:6c56fb4bc5f0	1777	* Return 0 if equal, -1 otherwise.
nexpaq	0:6c56fb4bc5f0	1778	*/
nexpaq	0:6c56fb4bc5f0	1779	static int x509_string_cmp( const mbedtls_x509_buf a, const mbedtls_x509_buf b )
nexpaq	0:6c56fb4bc5f0	1780	{
nexpaq	0:6c56fb4bc5f0	1781	if( a->tag == b->tag &&
nexpaq	0:6c56fb4bc5f0	1782	a->len == b->len &&
nexpaq	0:6c56fb4bc5f0	1783	memcmp( a->p, b->p, b->len ) == 0 )
nexpaq	0:6c56fb4bc5f0	1784	{
nexpaq	0:6c56fb4bc5f0	1785	return( 0 );
nexpaq	0:6c56fb4bc5f0	1786	}
nexpaq	0:6c56fb4bc5f0	1787
nexpaq	0:6c56fb4bc5f0	1788	if( ( a->tag == MBEDTLS_ASN1_UTF8_STRING \|\| a->tag == MBEDTLS_ASN1_PRINTABLE_STRING ) &&
nexpaq	0:6c56fb4bc5f0	1789	( b->tag == MBEDTLS_ASN1_UTF8_STRING \|\| b->tag == MBEDTLS_ASN1_PRINTABLE_STRING ) &&
nexpaq	0:6c56fb4bc5f0	1790	a->len == b->len &&
nexpaq	0:6c56fb4bc5f0	1791	x509_memcasecmp( a->p, b->p, b->len ) == 0 )
nexpaq	0:6c56fb4bc5f0	1792	{
nexpaq	0:6c56fb4bc5f0	1793	return( 0 );
nexpaq	0:6c56fb4bc5f0	1794	}
nexpaq	0:6c56fb4bc5f0	1795
nexpaq	0:6c56fb4bc5f0	1796	return( -1 );
nexpaq	0:6c56fb4bc5f0	1797	}
nexpaq	0:6c56fb4bc5f0	1798
nexpaq	0:6c56fb4bc5f0	1799	/*
nexpaq	0:6c56fb4bc5f0	1800	* Compare two X.509 Names (aka rdnSequence).
nexpaq	0:6c56fb4bc5f0	1801	*
nexpaq	0:6c56fb4bc5f0	1802	* See RFC 5280 section 7.1, though we don't implement the whole algorithm:
nexpaq	0:6c56fb4bc5f0	1803	* we sometimes return unequal when the full algorithm would return equal,
nexpaq	0:6c56fb4bc5f0	1804	* but never the other way. (In particular, we don't do Unicode normalisation
nexpaq	0:6c56fb4bc5f0	1805	* or space folding.)
nexpaq	0:6c56fb4bc5f0	1806	*
nexpaq	0:6c56fb4bc5f0	1807	* Return 0 if equal, -1 otherwise.
nexpaq	0:6c56fb4bc5f0	1808	*/
nexpaq	0:6c56fb4bc5f0	1809	static int x509_name_cmp( const mbedtls_x509_name a, const mbedtls_x509_name b )
nexpaq	0:6c56fb4bc5f0	1810	{
nexpaq	0:6c56fb4bc5f0	1811	/* Avoid recursion, it might not be optimised by the compiler */
nexpaq	0:6c56fb4bc5f0	1812	while( a != NULL \|\| b != NULL )
nexpaq	0:6c56fb4bc5f0	1813	{
nexpaq	0:6c56fb4bc5f0	1814	if( a == NULL \|\| b == NULL )
nexpaq	0:6c56fb4bc5f0	1815	return( -1 );
nexpaq	0:6c56fb4bc5f0	1816
nexpaq	0:6c56fb4bc5f0	1817	/* type */
nexpaq	0:6c56fb4bc5f0	1818	if( a->oid.tag != b->oid.tag \|\|
nexpaq	0:6c56fb4bc5f0	1819	a->oid.len != b->oid.len \|\|
nexpaq	0:6c56fb4bc5f0	1820	memcmp( a->oid.p, b->oid.p, b->oid.len ) != 0 )
nexpaq	0:6c56fb4bc5f0	1821	{
nexpaq	0:6c56fb4bc5f0	1822	return( -1 );
nexpaq	0:6c56fb4bc5f0	1823	}
nexpaq	0:6c56fb4bc5f0	1824
nexpaq	0:6c56fb4bc5f0	1825	/* value */
nexpaq	0:6c56fb4bc5f0	1826	if( x509_string_cmp( &a->val, &b->val ) != 0 )
nexpaq	0:6c56fb4bc5f0	1827	return( -1 );
nexpaq	0:6c56fb4bc5f0	1828
nexpaq	0:6c56fb4bc5f0	1829	/* structure of the list of sets */
nexpaq	0:6c56fb4bc5f0	1830	if( a->next_merged != b->next_merged )
nexpaq	0:6c56fb4bc5f0	1831	return( -1 );
nexpaq	0:6c56fb4bc5f0	1832
nexpaq	0:6c56fb4bc5f0	1833	a = a->next;
nexpaq	0:6c56fb4bc5f0	1834	b = b->next;
nexpaq	0:6c56fb4bc5f0	1835	}
nexpaq	0:6c56fb4bc5f0	1836
nexpaq	0:6c56fb4bc5f0	1837	/* a == NULL == b */
nexpaq	0:6c56fb4bc5f0	1838	return( 0 );
nexpaq	0:6c56fb4bc5f0	1839	}
nexpaq	0:6c56fb4bc5f0	1840
nexpaq	0:6c56fb4bc5f0	1841	/*
nexpaq	0:6c56fb4bc5f0	1842	* Check if 'parent' is a suitable parent (signing CA) for 'child'.
nexpaq	0:6c56fb4bc5f0	1843	* Return 0 if yes, -1 if not.
nexpaq	0:6c56fb4bc5f0	1844	*
nexpaq	0:6c56fb4bc5f0	1845	* top means parent is a locally-trusted certificate
nexpaq	0:6c56fb4bc5f0	1846	* bottom means child is the end entity cert
nexpaq	0:6c56fb4bc5f0	1847	*/
nexpaq	0:6c56fb4bc5f0	1848	static int x509_crt_check_parent( const mbedtls_x509_crt *child,
nexpaq	0:6c56fb4bc5f0	1849	const mbedtls_x509_crt *parent,
nexpaq	0:6c56fb4bc5f0	1850	int top, int bottom )
nexpaq	0:6c56fb4bc5f0	1851	{
nexpaq	0:6c56fb4bc5f0	1852	int need_ca_bit;
nexpaq	0:6c56fb4bc5f0	1853
nexpaq	0:6c56fb4bc5f0	1854	/* Parent must be the issuer */
nexpaq	0:6c56fb4bc5f0	1855	if( x509_name_cmp( &child->issuer, &parent->subject ) != 0 )
nexpaq	0:6c56fb4bc5f0	1856	return( -1 );
nexpaq	0:6c56fb4bc5f0	1857
nexpaq	0:6c56fb4bc5f0	1858	/* Parent must have the basicConstraints CA bit set as a general rule */
nexpaq	0:6c56fb4bc5f0	1859	need_ca_bit = 1;
nexpaq	0:6c56fb4bc5f0	1860
nexpaq	0:6c56fb4bc5f0	1861	/* Exception: v1/v2 certificates that are locally trusted. */
nexpaq	0:6c56fb4bc5f0	1862	if( top && parent->version < 3 )
nexpaq	0:6c56fb4bc5f0	1863	need_ca_bit = 0;
nexpaq	0:6c56fb4bc5f0	1864
nexpaq	0:6c56fb4bc5f0	1865	/* Exception: self-signed end-entity certs that are locally trusted. */
nexpaq	0:6c56fb4bc5f0	1866	if( top && bottom &&
nexpaq	0:6c56fb4bc5f0	1867	child->raw.len == parent->raw.len &&
nexpaq	0:6c56fb4bc5f0	1868	memcmp( child->raw.p, parent->raw.p, child->raw.len ) == 0 )
nexpaq	0:6c56fb4bc5f0	1869	{
nexpaq	0:6c56fb4bc5f0	1870	need_ca_bit = 0;
nexpaq	0:6c56fb4bc5f0	1871	}
nexpaq	0:6c56fb4bc5f0	1872
nexpaq	0:6c56fb4bc5f0	1873	if( need_ca_bit && ! parent->ca_istrue )
nexpaq	0:6c56fb4bc5f0	1874	return( -1 );
nexpaq	0:6c56fb4bc5f0	1875
nexpaq	0:6c56fb4bc5f0	1876	#if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
nexpaq	0:6c56fb4bc5f0	1877	if( need_ca_bit &&
nexpaq	0:6c56fb4bc5f0	1878	mbedtls_x509_crt_check_key_usage( parent, MBEDTLS_X509_KU_KEY_CERT_SIGN ) != 0 )
nexpaq	0:6c56fb4bc5f0	1879	{
nexpaq	0:6c56fb4bc5f0	1880	return( -1 );
nexpaq	0:6c56fb4bc5f0	1881	}
nexpaq	0:6c56fb4bc5f0	1882	#endif
nexpaq	0:6c56fb4bc5f0	1883
nexpaq	0:6c56fb4bc5f0	1884	return( 0 );
nexpaq	0:6c56fb4bc5f0	1885	}
nexpaq	0:6c56fb4bc5f0	1886
nexpaq	0:6c56fb4bc5f0	1887	static int x509_crt_verify_top(
nexpaq	0:6c56fb4bc5f0	1888	mbedtls_x509_crt child, mbedtls_x509_crt trust_ca,
nexpaq	0:6c56fb4bc5f0	1889	mbedtls_x509_crl *ca_crl,
nexpaq	0:6c56fb4bc5f0	1890	const mbedtls_x509_crt_profile *profile,
nexpaq	0:6c56fb4bc5f0	1891	int path_cnt, int self_cnt, uint32_t *flags,
nexpaq	0:6c56fb4bc5f0	1892	int (f_vrfy)(void , mbedtls_x509_crt , int, uint32_t ),
nexpaq	0:6c56fb4bc5f0	1893	void *p_vrfy )
nexpaq	0:6c56fb4bc5f0	1894	{
nexpaq	0:6c56fb4bc5f0	1895	int ret;
nexpaq	0:6c56fb4bc5f0	1896	uint32_t ca_flags = 0;
nexpaq	0:6c56fb4bc5f0	1897	int check_path_cnt;
nexpaq	0:6c56fb4bc5f0	1898	unsigned char hash[MBEDTLS_MD_MAX_SIZE];
nexpaq	0:6c56fb4bc5f0	1899	const mbedtls_md_info_t *md_info;
nexpaq	0:6c56fb4bc5f0	1900
nexpaq	0:6c56fb4bc5f0	1901	if( mbedtls_x509_time_is_past( &child->valid_to ) )
nexpaq	0:6c56fb4bc5f0	1902	*flags \|= MBEDTLS_X509_BADCERT_EXPIRED;
nexpaq	0:6c56fb4bc5f0	1903
nexpaq	0:6c56fb4bc5f0	1904	if( mbedtls_x509_time_is_future( &child->valid_from ) )
nexpaq	0:6c56fb4bc5f0	1905	*flags \|= MBEDTLS_X509_BADCERT_FUTURE;
nexpaq	0:6c56fb4bc5f0	1906
nexpaq	0:6c56fb4bc5f0	1907	if( x509_profile_check_md_alg( profile, child->sig_md ) != 0 )
nexpaq	0:6c56fb4bc5f0	1908	*flags \|= MBEDTLS_X509_BADCERT_BAD_MD;
nexpaq	0:6c56fb4bc5f0	1909
nexpaq	0:6c56fb4bc5f0	1910	if( x509_profile_check_pk_alg( profile, child->sig_pk ) != 0 )
nexpaq	0:6c56fb4bc5f0	1911	*flags \|= MBEDTLS_X509_BADCERT_BAD_PK;
nexpaq	0:6c56fb4bc5f0	1912
nexpaq	0:6c56fb4bc5f0	1913	/*
nexpaq	0:6c56fb4bc5f0	1914	* Child is the top of the chain. Check against the trust_ca list.
nexpaq	0:6c56fb4bc5f0	1915	*/
nexpaq	0:6c56fb4bc5f0	1916	*flags \|= MBEDTLS_X509_BADCERT_NOT_TRUSTED;
nexpaq	0:6c56fb4bc5f0	1917
nexpaq	0:6c56fb4bc5f0	1918	md_info = mbedtls_md_info_from_type( child->sig_md );
nexpaq	0:6c56fb4bc5f0	1919	if( md_info == NULL )
nexpaq	0:6c56fb4bc5f0	1920	{
nexpaq	0:6c56fb4bc5f0	1921	/*
nexpaq	0:6c56fb4bc5f0	1922	* Cannot check 'unknown', no need to try any CA
nexpaq	0:6c56fb4bc5f0	1923	*/
nexpaq	0:6c56fb4bc5f0	1924	trust_ca = NULL;
nexpaq	0:6c56fb4bc5f0	1925	}
nexpaq	0:6c56fb4bc5f0	1926	else
nexpaq	0:6c56fb4bc5f0	1927	mbedtls_md( md_info, child->tbs.p, child->tbs.len, hash );
nexpaq	0:6c56fb4bc5f0	1928
nexpaq	0:6c56fb4bc5f0	1929	for( /* trust_ca */ ; trust_ca != NULL; trust_ca = trust_ca->next )
nexpaq	0:6c56fb4bc5f0	1930	{
nexpaq	0:6c56fb4bc5f0	1931	if( x509_crt_check_parent( child, trust_ca, 1, path_cnt == 0 ) != 0 )
nexpaq	0:6c56fb4bc5f0	1932	continue;
nexpaq	0:6c56fb4bc5f0	1933
nexpaq	0:6c56fb4bc5f0	1934	check_path_cnt = path_cnt + 1;
nexpaq	0:6c56fb4bc5f0	1935
nexpaq	0:6c56fb4bc5f0	1936	/*
nexpaq	0:6c56fb4bc5f0	1937	* Reduce check_path_cnt to check against if top of the chain is
nexpaq	0:6c56fb4bc5f0	1938	* the same as the trusted CA
nexpaq	0:6c56fb4bc5f0	1939	*/
nexpaq	0:6c56fb4bc5f0	1940	if( child->subject_raw.len == trust_ca->subject_raw.len &&
nexpaq	0:6c56fb4bc5f0	1941	memcmp( child->subject_raw.p, trust_ca->subject_raw.p,
nexpaq	0:6c56fb4bc5f0	1942	child->issuer_raw.len ) == 0 )
nexpaq	0:6c56fb4bc5f0	1943	{
nexpaq	0:6c56fb4bc5f0	1944	check_path_cnt--;
nexpaq	0:6c56fb4bc5f0	1945	}
nexpaq	0:6c56fb4bc5f0	1946
nexpaq	0:6c56fb4bc5f0	1947	/* Self signed certificates do not count towards the limit */
nexpaq	0:6c56fb4bc5f0	1948	if( trust_ca->max_pathlen > 0 &&
nexpaq	0:6c56fb4bc5f0	1949	trust_ca->max_pathlen < check_path_cnt - self_cnt )
nexpaq	0:6c56fb4bc5f0	1950	{
nexpaq	0:6c56fb4bc5f0	1951	continue;
nexpaq	0:6c56fb4bc5f0	1952	}
nexpaq	0:6c56fb4bc5f0	1953
nexpaq	0:6c56fb4bc5f0	1954	if( mbedtls_x509_time_is_past( &trust_ca->valid_to ) )
nexpaq	0:6c56fb4bc5f0	1955	{
nexpaq	0:6c56fb4bc5f0	1956	continue;
nexpaq	0:6c56fb4bc5f0	1957	}
nexpaq	0:6c56fb4bc5f0	1958
nexpaq	0:6c56fb4bc5f0	1959	if( mbedtls_x509_time_is_future( &trust_ca->valid_from ) )
nexpaq	0:6c56fb4bc5f0	1960	{
nexpaq	0:6c56fb4bc5f0	1961	continue;
nexpaq	0:6c56fb4bc5f0	1962	}
nexpaq	0:6c56fb4bc5f0	1963
nexpaq	0:6c56fb4bc5f0	1964	if( mbedtls_pk_verify_ext( child->sig_pk, child->sig_opts, &trust_ca->pk,
nexpaq	0:6c56fb4bc5f0	1965	child->sig_md, hash, mbedtls_md_get_size( md_info ),
nexpaq	0:6c56fb4bc5f0	1966	child->sig.p, child->sig.len ) != 0 )
nexpaq	0:6c56fb4bc5f0	1967	{
nexpaq	0:6c56fb4bc5f0	1968	continue;
nexpaq	0:6c56fb4bc5f0	1969	}
nexpaq	0:6c56fb4bc5f0	1970
nexpaq	0:6c56fb4bc5f0	1971	/*
nexpaq	0:6c56fb4bc5f0	1972	* Top of chain is signed by a trusted CA
nexpaq	0:6c56fb4bc5f0	1973	*/
nexpaq	0:6c56fb4bc5f0	1974	*flags &= ~MBEDTLS_X509_BADCERT_NOT_TRUSTED;
nexpaq	0:6c56fb4bc5f0	1975
nexpaq	0:6c56fb4bc5f0	1976	if( x509_profile_check_key( profile, child->sig_pk, &trust_ca->pk ) != 0 )
nexpaq	0:6c56fb4bc5f0	1977	*flags \|= MBEDTLS_X509_BADCERT_BAD_KEY;
nexpaq	0:6c56fb4bc5f0	1978
nexpaq	0:6c56fb4bc5f0	1979	break;
nexpaq	0:6c56fb4bc5f0	1980	}
nexpaq	0:6c56fb4bc5f0	1981
nexpaq	0:6c56fb4bc5f0	1982	/*
nexpaq	0:6c56fb4bc5f0	1983	* If top of chain is not the same as the trusted CA send a verify request
nexpaq	0:6c56fb4bc5f0	1984	* to the callback for any issues with validity and CRL presence for the
nexpaq	0:6c56fb4bc5f0	1985	* trusted CA certificate.
nexpaq	0:6c56fb4bc5f0	1986	*/
nexpaq	0:6c56fb4bc5f0	1987	if( trust_ca != NULL &&
nexpaq	0:6c56fb4bc5f0	1988	( child->subject_raw.len != trust_ca->subject_raw.len \|\|
nexpaq	0:6c56fb4bc5f0	1989	memcmp( child->subject_raw.p, trust_ca->subject_raw.p,
nexpaq	0:6c56fb4bc5f0	1990	child->issuer_raw.len ) != 0 ) )
nexpaq	0:6c56fb4bc5f0	1991	{
nexpaq	0:6c56fb4bc5f0	1992	#if defined(MBEDTLS_X509_CRL_PARSE_C)
nexpaq	0:6c56fb4bc5f0	1993	/* Check trusted CA's CRL for the chain's top crt */
nexpaq	0:6c56fb4bc5f0	1994	*flags \|= x509_crt_verifycrl( child, trust_ca, ca_crl, profile );
nexpaq	0:6c56fb4bc5f0	1995	#else
nexpaq	0:6c56fb4bc5f0	1996	((void) ca_crl);
nexpaq	0:6c56fb4bc5f0	1997	#endif
nexpaq	0:6c56fb4bc5f0	1998
nexpaq	0:6c56fb4bc5f0	1999	if( NULL != f_vrfy )
nexpaq	0:6c56fb4bc5f0	2000	{
nexpaq	0:6c56fb4bc5f0	2001	if( ( ret = f_vrfy( p_vrfy, trust_ca, path_cnt + 1,
nexpaq	0:6c56fb4bc5f0	2002	&ca_flags ) ) != 0 )
nexpaq	0:6c56fb4bc5f0	2003	{
nexpaq	0:6c56fb4bc5f0	2004	return( ret );
nexpaq	0:6c56fb4bc5f0	2005	}
nexpaq	0:6c56fb4bc5f0	2006	}
nexpaq	0:6c56fb4bc5f0	2007	}
nexpaq	0:6c56fb4bc5f0	2008
nexpaq	0:6c56fb4bc5f0	2009	/* Call callback on top cert */
nexpaq	0:6c56fb4bc5f0	2010	if( NULL != f_vrfy )
nexpaq	0:6c56fb4bc5f0	2011	{
nexpaq	0:6c56fb4bc5f0	2012	if( ( ret = f_vrfy( p_vrfy, child, path_cnt, flags ) ) != 0 )
nexpaq	0:6c56fb4bc5f0	2013	return( ret );
nexpaq	0:6c56fb4bc5f0	2014	}
nexpaq	0:6c56fb4bc5f0	2015
nexpaq	0:6c56fb4bc5f0	2016	*flags \|= ca_flags;
nexpaq	0:6c56fb4bc5f0	2017
nexpaq	0:6c56fb4bc5f0	2018	return( 0 );
nexpaq	0:6c56fb4bc5f0	2019	}
nexpaq	0:6c56fb4bc5f0	2020
nexpaq	0:6c56fb4bc5f0	2021	static int x509_crt_verify_child(
nexpaq	0:6c56fb4bc5f0	2022	mbedtls_x509_crt child, mbedtls_x509_crt parent,
nexpaq	0:6c56fb4bc5f0	2023	mbedtls_x509_crt trust_ca, mbedtls_x509_crl ca_crl,
nexpaq	0:6c56fb4bc5f0	2024	const mbedtls_x509_crt_profile *profile,
nexpaq	0:6c56fb4bc5f0	2025	int path_cnt, int self_cnt, uint32_t *flags,
nexpaq	0:6c56fb4bc5f0	2026	int (f_vrfy)(void , mbedtls_x509_crt , int, uint32_t ),
nexpaq	0:6c56fb4bc5f0	2027	void *p_vrfy )
nexpaq	0:6c56fb4bc5f0	2028	{
nexpaq	0:6c56fb4bc5f0	2029	int ret;
nexpaq	0:6c56fb4bc5f0	2030	uint32_t parent_flags = 0;
nexpaq	0:6c56fb4bc5f0	2031	unsigned char hash[MBEDTLS_MD_MAX_SIZE];
nexpaq	0:6c56fb4bc5f0	2032	mbedtls_x509_crt *grandparent;
nexpaq	0:6c56fb4bc5f0	2033	const mbedtls_md_info_t *md_info;
nexpaq	0:6c56fb4bc5f0	2034
nexpaq	0:6c56fb4bc5f0	2035	/* Counting intermediate self signed certificates */
nexpaq	0:6c56fb4bc5f0	2036	if( ( path_cnt != 0 ) && x509_name_cmp( &child->issuer, &child->subject ) == 0 )
nexpaq	0:6c56fb4bc5f0	2037	self_cnt++;
nexpaq	0:6c56fb4bc5f0	2038
nexpaq	0:6c56fb4bc5f0	2039	/* path_cnt is 0 for the first intermediate CA */
nexpaq	0:6c56fb4bc5f0	2040	if( 1 + path_cnt > MBEDTLS_X509_MAX_INTERMEDIATE_CA )
nexpaq	0:6c56fb4bc5f0	2041	{
nexpaq	0:6c56fb4bc5f0	2042	*flags \|= MBEDTLS_X509_BADCERT_NOT_TRUSTED;
nexpaq	0:6c56fb4bc5f0	2043	return( MBEDTLS_ERR_X509_CERT_VERIFY_FAILED );
nexpaq	0:6c56fb4bc5f0	2044	}
nexpaq	0:6c56fb4bc5f0	2045
nexpaq	0:6c56fb4bc5f0	2046	if( mbedtls_x509_time_is_past( &child->valid_to ) )
nexpaq	0:6c56fb4bc5f0	2047	*flags \|= MBEDTLS_X509_BADCERT_EXPIRED;
nexpaq	0:6c56fb4bc5f0	2048
nexpaq	0:6c56fb4bc5f0	2049	if( mbedtls_x509_time_is_future( &child->valid_from ) )
nexpaq	0:6c56fb4bc5f0	2050	*flags \|= MBEDTLS_X509_BADCERT_FUTURE;
nexpaq	0:6c56fb4bc5f0	2051
nexpaq	0:6c56fb4bc5f0	2052	if( x509_profile_check_md_alg( profile, child->sig_md ) != 0 )
nexpaq	0:6c56fb4bc5f0	2053	*flags \|= MBEDTLS_X509_BADCERT_BAD_MD;
nexpaq	0:6c56fb4bc5f0	2054
nexpaq	0:6c56fb4bc5f0	2055	if( x509_profile_check_pk_alg( profile, child->sig_pk ) != 0 )
nexpaq	0:6c56fb4bc5f0	2056	*flags \|= MBEDTLS_X509_BADCERT_BAD_PK;
nexpaq	0:6c56fb4bc5f0	2057
nexpaq	0:6c56fb4bc5f0	2058	md_info = mbedtls_md_info_from_type( child->sig_md );
nexpaq	0:6c56fb4bc5f0	2059	if( md_info == NULL )
nexpaq	0:6c56fb4bc5f0	2060	{
nexpaq	0:6c56fb4bc5f0	2061	/*
nexpaq	0:6c56fb4bc5f0	2062	* Cannot check 'unknown' hash
nexpaq	0:6c56fb4bc5f0	2063	*/
nexpaq	0:6c56fb4bc5f0	2064	*flags \|= MBEDTLS_X509_BADCERT_NOT_TRUSTED;
nexpaq	0:6c56fb4bc5f0	2065	}
nexpaq	0:6c56fb4bc5f0	2066	else
nexpaq	0:6c56fb4bc5f0	2067	{
nexpaq	0:6c56fb4bc5f0	2068	mbedtls_md( md_info, child->tbs.p, child->tbs.len, hash );
nexpaq	0:6c56fb4bc5f0	2069
nexpaq	0:6c56fb4bc5f0	2070	if( x509_profile_check_key( profile, child->sig_pk, &parent->pk ) != 0 )
nexpaq	0:6c56fb4bc5f0	2071	*flags \|= MBEDTLS_X509_BADCERT_BAD_KEY;
nexpaq	0:6c56fb4bc5f0	2072
nexpaq	0:6c56fb4bc5f0	2073	if( mbedtls_pk_verify_ext( child->sig_pk, child->sig_opts, &parent->pk,
nexpaq	0:6c56fb4bc5f0	2074	child->sig_md, hash, mbedtls_md_get_size( md_info ),
nexpaq	0:6c56fb4bc5f0	2075	child->sig.p, child->sig.len ) != 0 )
nexpaq	0:6c56fb4bc5f0	2076	{
nexpaq	0:6c56fb4bc5f0	2077	*flags \|= MBEDTLS_X509_BADCERT_NOT_TRUSTED;
nexpaq	0:6c56fb4bc5f0	2078	}
nexpaq	0:6c56fb4bc5f0	2079	}
nexpaq	0:6c56fb4bc5f0	2080
nexpaq	0:6c56fb4bc5f0	2081	#if defined(MBEDTLS_X509_CRL_PARSE_C)
nexpaq	0:6c56fb4bc5f0	2082	/* Check trusted CA's CRL for the given crt */
nexpaq	0:6c56fb4bc5f0	2083	*flags \|= x509_crt_verifycrl(child, parent, ca_crl, profile );
nexpaq	0:6c56fb4bc5f0	2084	#endif
nexpaq	0:6c56fb4bc5f0	2085
nexpaq	0:6c56fb4bc5f0	2086	/* Look for a grandparent in trusted CAs */
nexpaq	0:6c56fb4bc5f0	2087	for( grandparent = trust_ca;
nexpaq	0:6c56fb4bc5f0	2088	grandparent != NULL;
nexpaq	0:6c56fb4bc5f0	2089	grandparent = grandparent->next )
nexpaq	0:6c56fb4bc5f0	2090	{
nexpaq	0:6c56fb4bc5f0	2091	if( x509_crt_check_parent( parent, grandparent,
nexpaq	0:6c56fb4bc5f0	2092	0, path_cnt == 0 ) == 0 )
nexpaq	0:6c56fb4bc5f0	2093	break;
nexpaq	0:6c56fb4bc5f0	2094	}
nexpaq	0:6c56fb4bc5f0	2095
nexpaq	0:6c56fb4bc5f0	2096	if( grandparent != NULL )
nexpaq	0:6c56fb4bc5f0	2097	{
nexpaq	0:6c56fb4bc5f0	2098	ret = x509_crt_verify_top( parent, grandparent, ca_crl, profile,
nexpaq	0:6c56fb4bc5f0	2099	path_cnt + 1, self_cnt, &parent_flags, f_vrfy, p_vrfy );
nexpaq	0:6c56fb4bc5f0	2100	if( ret != 0 )
nexpaq	0:6c56fb4bc5f0	2101	return( ret );
nexpaq	0:6c56fb4bc5f0	2102	}
nexpaq	0:6c56fb4bc5f0	2103	else
nexpaq	0:6c56fb4bc5f0	2104	{
nexpaq	0:6c56fb4bc5f0	2105	/* Look for a grandparent upwards the chain */
nexpaq	0:6c56fb4bc5f0	2106	for( grandparent = parent->next;
nexpaq	0:6c56fb4bc5f0	2107	grandparent != NULL;
nexpaq	0:6c56fb4bc5f0	2108	grandparent = grandparent->next )
nexpaq	0:6c56fb4bc5f0	2109	{
nexpaq	0:6c56fb4bc5f0	2110	/* +2 because the current step is not yet accounted for
nexpaq	0:6c56fb4bc5f0	2111	* and because max_pathlen is one higher than it should be.
nexpaq	0:6c56fb4bc5f0	2112	* Also self signed certificates do not count to the limit. */
nexpaq	0:6c56fb4bc5f0	2113	if( grandparent->max_pathlen > 0 &&
nexpaq	0:6c56fb4bc5f0	2114	grandparent->max_pathlen < 2 + path_cnt - self_cnt )
nexpaq	0:6c56fb4bc5f0	2115	{
nexpaq	0:6c56fb4bc5f0	2116	continue;
nexpaq	0:6c56fb4bc5f0	2117	}
nexpaq	0:6c56fb4bc5f0	2118
nexpaq	0:6c56fb4bc5f0	2119	if( x509_crt_check_parent( parent, grandparent,
nexpaq	0:6c56fb4bc5f0	2120	0, path_cnt == 0 ) == 0 )
nexpaq	0:6c56fb4bc5f0	2121	break;
nexpaq	0:6c56fb4bc5f0	2122	}
nexpaq	0:6c56fb4bc5f0	2123
nexpaq	0:6c56fb4bc5f0	2124	/* Is our parent part of the chain or at the top? */
nexpaq	0:6c56fb4bc5f0	2125	if( grandparent != NULL )
nexpaq	0:6c56fb4bc5f0	2126	{
nexpaq	0:6c56fb4bc5f0	2127	ret = x509_crt_verify_child( parent, grandparent, trust_ca, ca_crl,
nexpaq	0:6c56fb4bc5f0	2128	profile, path_cnt + 1, self_cnt, &parent_flags,
nexpaq	0:6c56fb4bc5f0	2129	f_vrfy, p_vrfy );
nexpaq	0:6c56fb4bc5f0	2130	if( ret != 0 )
nexpaq	0:6c56fb4bc5f0	2131	return( ret );
nexpaq	0:6c56fb4bc5f0	2132	}
nexpaq	0:6c56fb4bc5f0	2133	else
nexpaq	0:6c56fb4bc5f0	2134	{
nexpaq	0:6c56fb4bc5f0	2135	ret = x509_crt_verify_top( parent, trust_ca, ca_crl, profile,
nexpaq	0:6c56fb4bc5f0	2136	path_cnt + 1, self_cnt, &parent_flags,
nexpaq	0:6c56fb4bc5f0	2137	f_vrfy, p_vrfy );
nexpaq	0:6c56fb4bc5f0	2138	if( ret != 0 )
nexpaq	0:6c56fb4bc5f0	2139	return( ret );
nexpaq	0:6c56fb4bc5f0	2140	}
nexpaq	0:6c56fb4bc5f0	2141	}
nexpaq	0:6c56fb4bc5f0	2142
nexpaq	0:6c56fb4bc5f0	2143	/* child is verified to be a child of the parent, call verify callback */
nexpaq	0:6c56fb4bc5f0	2144	if( NULL != f_vrfy )
nexpaq	0:6c56fb4bc5f0	2145	if( ( ret = f_vrfy( p_vrfy, child, path_cnt, flags ) ) != 0 )
nexpaq	0:6c56fb4bc5f0	2146	return( ret );
nexpaq	0:6c56fb4bc5f0	2147
nexpaq	0:6c56fb4bc5f0	2148	*flags \|= parent_flags;
nexpaq	0:6c56fb4bc5f0	2149
nexpaq	0:6c56fb4bc5f0	2150	return( 0 );
nexpaq	0:6c56fb4bc5f0	2151	}
nexpaq	0:6c56fb4bc5f0	2152
nexpaq	0:6c56fb4bc5f0	2153	/*
nexpaq	0:6c56fb4bc5f0	2154	* Verify the certificate validity
nexpaq	0:6c56fb4bc5f0	2155	*/
nexpaq	0:6c56fb4bc5f0	2156	int mbedtls_x509_crt_verify( mbedtls_x509_crt *crt,
nexpaq	0:6c56fb4bc5f0	2157	mbedtls_x509_crt *trust_ca,
nexpaq	0:6c56fb4bc5f0	2158	mbedtls_x509_crl *ca_crl,
nexpaq	0:6c56fb4bc5f0	2159	const char cn, uint32_t flags,
nexpaq	0:6c56fb4bc5f0	2160	int (f_vrfy)(void , mbedtls_x509_crt , int, uint32_t ),
nexpaq	0:6c56fb4bc5f0	2161	void *p_vrfy )
nexpaq	0:6c56fb4bc5f0	2162	{
nexpaq	0:6c56fb4bc5f0	2163	return( mbedtls_x509_crt_verify_with_profile( crt, trust_ca, ca_crl,
nexpaq	0:6c56fb4bc5f0	2164	&mbedtls_x509_crt_profile_default, cn, flags, f_vrfy, p_vrfy ) );
nexpaq	0:6c56fb4bc5f0	2165	}
nexpaq	0:6c56fb4bc5f0	2166
nexpaq	0:6c56fb4bc5f0	2167
nexpaq	0:6c56fb4bc5f0	2168	/*
nexpaq	0:6c56fb4bc5f0	2169	* Verify the certificate validity, with profile
nexpaq	0:6c56fb4bc5f0	2170	*/
nexpaq	0:6c56fb4bc5f0	2171	int mbedtls_x509_crt_verify_with_profile( mbedtls_x509_crt *crt,
nexpaq	0:6c56fb4bc5f0	2172	mbedtls_x509_crt *trust_ca,
nexpaq	0:6c56fb4bc5f0	2173	mbedtls_x509_crl *ca_crl,
nexpaq	0:6c56fb4bc5f0	2174	const mbedtls_x509_crt_profile *profile,
nexpaq	0:6c56fb4bc5f0	2175	const char cn, uint32_t flags,
nexpaq	0:6c56fb4bc5f0	2176	int (f_vrfy)(void , mbedtls_x509_crt , int, uint32_t ),
nexpaq	0:6c56fb4bc5f0	2177	void *p_vrfy )
nexpaq	0:6c56fb4bc5f0	2178	{
nexpaq	0:6c56fb4bc5f0	2179	size_t cn_len;
nexpaq	0:6c56fb4bc5f0	2180	int ret;
nexpaq	0:6c56fb4bc5f0	2181	int pathlen = 0, selfsigned = 0;
nexpaq	0:6c56fb4bc5f0	2182	mbedtls_x509_crt *parent;
nexpaq	0:6c56fb4bc5f0	2183	mbedtls_x509_name *name;
nexpaq	0:6c56fb4bc5f0	2184	mbedtls_x509_sequence *cur = NULL;
nexpaq	0:6c56fb4bc5f0	2185	mbedtls_pk_type_t pk_type;
nexpaq	0:6c56fb4bc5f0	2186
nexpaq	0:6c56fb4bc5f0	2187	if( profile == NULL )
nexpaq	0:6c56fb4bc5f0	2188	return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
nexpaq	0:6c56fb4bc5f0	2189
nexpaq	0:6c56fb4bc5f0	2190	*flags = 0;
nexpaq	0:6c56fb4bc5f0	2191
nexpaq	0:6c56fb4bc5f0	2192	if( cn != NULL )
nexpaq	0:6c56fb4bc5f0	2193	{
nexpaq	0:6c56fb4bc5f0	2194	name = &crt->subject;
nexpaq	0:6c56fb4bc5f0	2195	cn_len = strlen( cn );
nexpaq	0:6c56fb4bc5f0	2196
nexpaq	0:6c56fb4bc5f0	2197	if( crt->ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME )
nexpaq	0:6c56fb4bc5f0	2198	{
nexpaq	0:6c56fb4bc5f0	2199	cur = &crt->subject_alt_names;
nexpaq	0:6c56fb4bc5f0	2200
nexpaq	0:6c56fb4bc5f0	2201	while( cur != NULL )
nexpaq	0:6c56fb4bc5f0	2202	{
nexpaq	0:6c56fb4bc5f0	2203	if( cur->buf.len == cn_len &&
nexpaq	0:6c56fb4bc5f0	2204	x509_memcasecmp( cn, cur->buf.p, cn_len ) == 0 )
nexpaq	0:6c56fb4bc5f0	2205	break;
nexpaq	0:6c56fb4bc5f0	2206
nexpaq	0:6c56fb4bc5f0	2207	if( cur->buf.len > 2 &&
nexpaq	0:6c56fb4bc5f0	2208	memcmp( cur->buf.p, "*.", 2 ) == 0 &&
nexpaq	0:6c56fb4bc5f0	2209	x509_check_wildcard( cn, &cur->buf ) == 0 )
nexpaq	0:6c56fb4bc5f0	2210	{
nexpaq	0:6c56fb4bc5f0	2211	break;
nexpaq	0:6c56fb4bc5f0	2212	}
nexpaq	0:6c56fb4bc5f0	2213
nexpaq	0:6c56fb4bc5f0	2214	cur = cur->next;
nexpaq	0:6c56fb4bc5f0	2215	}
nexpaq	0:6c56fb4bc5f0	2216
nexpaq	0:6c56fb4bc5f0	2217	if( cur == NULL )
nexpaq	0:6c56fb4bc5f0	2218	*flags \|= MBEDTLS_X509_BADCERT_CN_MISMATCH;
nexpaq	0:6c56fb4bc5f0	2219	}
nexpaq	0:6c56fb4bc5f0	2220	else
nexpaq	0:6c56fb4bc5f0	2221	{
nexpaq	0:6c56fb4bc5f0	2222	while( name != NULL )
nexpaq	0:6c56fb4bc5f0	2223	{
nexpaq	0:6c56fb4bc5f0	2224	if( MBEDTLS_OID_CMP( MBEDTLS_OID_AT_CN, &name->oid ) == 0 )
nexpaq	0:6c56fb4bc5f0	2225	{
nexpaq	0:6c56fb4bc5f0	2226	if( name->val.len == cn_len &&
nexpaq	0:6c56fb4bc5f0	2227	x509_memcasecmp( name->val.p, cn, cn_len ) == 0 )
nexpaq	0:6c56fb4bc5f0	2228	break;
nexpaq	0:6c56fb4bc5f0	2229
nexpaq	0:6c56fb4bc5f0	2230	if( name->val.len > 2 &&
nexpaq	0:6c56fb4bc5f0	2231	memcmp( name->val.p, "*.", 2 ) == 0 &&
nexpaq	0:6c56fb4bc5f0	2232	x509_check_wildcard( cn, &name->val ) == 0 )
nexpaq	0:6c56fb4bc5f0	2233	break;
nexpaq	0:6c56fb4bc5f0	2234	}
nexpaq	0:6c56fb4bc5f0	2235
nexpaq	0:6c56fb4bc5f0	2236	name = name->next;
nexpaq	0:6c56fb4bc5f0	2237	}
nexpaq	0:6c56fb4bc5f0	2238
nexpaq	0:6c56fb4bc5f0	2239	if( name == NULL )
nexpaq	0:6c56fb4bc5f0	2240	*flags \|= MBEDTLS_X509_BADCERT_CN_MISMATCH;
nexpaq	0:6c56fb4bc5f0	2241	}
nexpaq	0:6c56fb4bc5f0	2242	}
nexpaq	0:6c56fb4bc5f0	2243
nexpaq	0:6c56fb4bc5f0	2244	/* Check the type and size of the key */
nexpaq	0:6c56fb4bc5f0	2245	pk_type = mbedtls_pk_get_type( &crt->pk );
nexpaq	0:6c56fb4bc5f0	2246
nexpaq	0:6c56fb4bc5f0	2247	if( x509_profile_check_pk_alg( profile, pk_type ) != 0 )
nexpaq	0:6c56fb4bc5f0	2248	*flags \|= MBEDTLS_X509_BADCERT_BAD_PK;
nexpaq	0:6c56fb4bc5f0	2249
nexpaq	0:6c56fb4bc5f0	2250	if( x509_profile_check_key( profile, pk_type, &crt->pk ) != 0 )
nexpaq	0:6c56fb4bc5f0	2251	*flags \|= MBEDTLS_X509_BADCERT_BAD_KEY;
nexpaq	0:6c56fb4bc5f0	2252
nexpaq	0:6c56fb4bc5f0	2253	/* Look for a parent in trusted CAs */
nexpaq	0:6c56fb4bc5f0	2254	for( parent = trust_ca; parent != NULL; parent = parent->next )
nexpaq	0:6c56fb4bc5f0	2255	{
nexpaq	0:6c56fb4bc5f0	2256	if( x509_crt_check_parent( crt, parent, 0, pathlen == 0 ) == 0 )
nexpaq	0:6c56fb4bc5f0	2257	break;
nexpaq	0:6c56fb4bc5f0	2258	}
nexpaq	0:6c56fb4bc5f0	2259
nexpaq	0:6c56fb4bc5f0	2260	if( parent != NULL )
nexpaq	0:6c56fb4bc5f0	2261	{
nexpaq	0:6c56fb4bc5f0	2262	ret = x509_crt_verify_top( crt, parent, ca_crl, profile,
nexpaq	0:6c56fb4bc5f0	2263	pathlen, selfsigned, flags, f_vrfy, p_vrfy );
nexpaq	0:6c56fb4bc5f0	2264	if( ret != 0 )
nexpaq	0:6c56fb4bc5f0	2265	return( ret );
nexpaq	0:6c56fb4bc5f0	2266	}
nexpaq	0:6c56fb4bc5f0	2267	else
nexpaq	0:6c56fb4bc5f0	2268	{
nexpaq	0:6c56fb4bc5f0	2269	/* Look for a parent upwards the chain */
nexpaq	0:6c56fb4bc5f0	2270	for( parent = crt->next; parent != NULL; parent = parent->next )
nexpaq	0:6c56fb4bc5f0	2271	if( x509_crt_check_parent( crt, parent, 0, pathlen == 0 ) == 0 )
nexpaq	0:6c56fb4bc5f0	2272	break;
nexpaq	0:6c56fb4bc5f0	2273
nexpaq	0:6c56fb4bc5f0	2274	/* Are we part of the chain or at the top? */
nexpaq	0:6c56fb4bc5f0	2275	if( parent != NULL )
nexpaq	0:6c56fb4bc5f0	2276	{
nexpaq	0:6c56fb4bc5f0	2277	ret = x509_crt_verify_child( crt, parent, trust_ca, ca_crl, profile,
nexpaq	0:6c56fb4bc5f0	2278	pathlen, selfsigned, flags, f_vrfy, p_vrfy );
nexpaq	0:6c56fb4bc5f0	2279	if( ret != 0 )
nexpaq	0:6c56fb4bc5f0	2280	return( ret );
nexpaq	0:6c56fb4bc5f0	2281	}
nexpaq	0:6c56fb4bc5f0	2282	else
nexpaq	0:6c56fb4bc5f0	2283	{
nexpaq	0:6c56fb4bc5f0	2284	ret = x509_crt_verify_top( crt, trust_ca, ca_crl, profile,
nexpaq	0:6c56fb4bc5f0	2285	pathlen, selfsigned, flags, f_vrfy, p_vrfy );
nexpaq	0:6c56fb4bc5f0	2286	if( ret != 0 )
nexpaq	0:6c56fb4bc5f0	2287	return( ret );
nexpaq	0:6c56fb4bc5f0	2288	}
nexpaq	0:6c56fb4bc5f0	2289	}
nexpaq	0:6c56fb4bc5f0	2290
nexpaq	0:6c56fb4bc5f0	2291	if( *flags != 0 )
nexpaq	0:6c56fb4bc5f0	2292	return( MBEDTLS_ERR_X509_CERT_VERIFY_FAILED );
nexpaq	0:6c56fb4bc5f0	2293
nexpaq	0:6c56fb4bc5f0	2294	return( 0 );
nexpaq	0:6c56fb4bc5f0	2295	}
nexpaq	0:6c56fb4bc5f0	2296
nexpaq	0:6c56fb4bc5f0	2297	/*
nexpaq	0:6c56fb4bc5f0	2298	* Initialize a certificate chain
nexpaq	0:6c56fb4bc5f0	2299	*/
nexpaq	0:6c56fb4bc5f0	2300	void mbedtls_x509_crt_init( mbedtls_x509_crt *crt )
nexpaq	0:6c56fb4bc5f0	2301	{
nexpaq	0:6c56fb4bc5f0	2302	memset( crt, 0, sizeof(mbedtls_x509_crt) );
nexpaq	0:6c56fb4bc5f0	2303	}
nexpaq	0:6c56fb4bc5f0	2304
nexpaq	0:6c56fb4bc5f0	2305	/*
nexpaq	0:6c56fb4bc5f0	2306	* Unallocate all certificate data
nexpaq	0:6c56fb4bc5f0	2307	*/
nexpaq	0:6c56fb4bc5f0	2308	void mbedtls_x509_crt_free( mbedtls_x509_crt *crt )
nexpaq	0:6c56fb4bc5f0	2309	{
nexpaq	0:6c56fb4bc5f0	2310	mbedtls_x509_crt *cert_cur = crt;
nexpaq	0:6c56fb4bc5f0	2311	mbedtls_x509_crt *cert_prv;
nexpaq	0:6c56fb4bc5f0	2312	mbedtls_x509_name *name_cur;
nexpaq	0:6c56fb4bc5f0	2313	mbedtls_x509_name *name_prv;
nexpaq	0:6c56fb4bc5f0	2314	mbedtls_x509_sequence *seq_cur;
nexpaq	0:6c56fb4bc5f0	2315	mbedtls_x509_sequence *seq_prv;
nexpaq	0:6c56fb4bc5f0	2316
nexpaq	0:6c56fb4bc5f0	2317	if( crt == NULL )
nexpaq	0:6c56fb4bc5f0	2318	return;
nexpaq	0:6c56fb4bc5f0	2319
nexpaq	0:6c56fb4bc5f0	2320	do
nexpaq	0:6c56fb4bc5f0	2321	{
nexpaq	0:6c56fb4bc5f0	2322	mbedtls_pk_free( &cert_cur->pk );
nexpaq	0:6c56fb4bc5f0	2323
nexpaq	0:6c56fb4bc5f0	2324	#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
nexpaq	0:6c56fb4bc5f0	2325	mbedtls_free( cert_cur->sig_opts );
nexpaq	0:6c56fb4bc5f0	2326	#endif
nexpaq	0:6c56fb4bc5f0	2327
nexpaq	0:6c56fb4bc5f0	2328	name_cur = cert_cur->issuer.next;
nexpaq	0:6c56fb4bc5f0	2329	while( name_cur != NULL )
nexpaq	0:6c56fb4bc5f0	2330	{
nexpaq	0:6c56fb4bc5f0	2331	name_prv = name_cur;
nexpaq	0:6c56fb4bc5f0	2332	name_cur = name_cur->next;
nexpaq	0:6c56fb4bc5f0	2333	mbedtls_zeroize( name_prv, sizeof( mbedtls_x509_name ) );
nexpaq	0:6c56fb4bc5f0	2334	mbedtls_free( name_prv );
nexpaq	0:6c56fb4bc5f0	2335	}
nexpaq	0:6c56fb4bc5f0	2336
nexpaq	0:6c56fb4bc5f0	2337	name_cur = cert_cur->subject.next;
nexpaq	0:6c56fb4bc5f0	2338	while( name_cur != NULL )
nexpaq	0:6c56fb4bc5f0	2339	{
nexpaq	0:6c56fb4bc5f0	2340	name_prv = name_cur;
nexpaq	0:6c56fb4bc5f0	2341	name_cur = name_cur->next;
nexpaq	0:6c56fb4bc5f0	2342	mbedtls_zeroize( name_prv, sizeof( mbedtls_x509_name ) );
nexpaq	0:6c56fb4bc5f0	2343	mbedtls_free( name_prv );
nexpaq	0:6c56fb4bc5f0	2344	}
nexpaq	0:6c56fb4bc5f0	2345
nexpaq	0:6c56fb4bc5f0	2346	seq_cur = cert_cur->ext_key_usage.next;
nexpaq	0:6c56fb4bc5f0	2347	while( seq_cur != NULL )
nexpaq	0:6c56fb4bc5f0	2348	{
nexpaq	0:6c56fb4bc5f0	2349	seq_prv = seq_cur;
nexpaq	0:6c56fb4bc5f0	2350	seq_cur = seq_cur->next;
nexpaq	0:6c56fb4bc5f0	2351	mbedtls_zeroize( seq_prv, sizeof( mbedtls_x509_sequence ) );
nexpaq	0:6c56fb4bc5f0	2352	mbedtls_free( seq_prv );
nexpaq	0:6c56fb4bc5f0	2353	}
nexpaq	0:6c56fb4bc5f0	2354
nexpaq	0:6c56fb4bc5f0	2355	seq_cur = cert_cur->subject_alt_names.next;
nexpaq	0:6c56fb4bc5f0	2356	while( seq_cur != NULL )
nexpaq	0:6c56fb4bc5f0	2357	{
nexpaq	0:6c56fb4bc5f0	2358	seq_prv = seq_cur;
nexpaq	0:6c56fb4bc5f0	2359	seq_cur = seq_cur->next;
nexpaq	0:6c56fb4bc5f0	2360	mbedtls_zeroize( seq_prv, sizeof( mbedtls_x509_sequence ) );
nexpaq	0:6c56fb4bc5f0	2361	mbedtls_free( seq_prv );
nexpaq	0:6c56fb4bc5f0	2362	}
nexpaq	0:6c56fb4bc5f0	2363
nexpaq	0:6c56fb4bc5f0	2364	if( cert_cur->raw.p != NULL )
nexpaq	0:6c56fb4bc5f0	2365	{
nexpaq	0:6c56fb4bc5f0	2366	mbedtls_zeroize( cert_cur->raw.p, cert_cur->raw.len );
nexpaq	0:6c56fb4bc5f0	2367	mbedtls_free( cert_cur->raw.p );
nexpaq	0:6c56fb4bc5f0	2368	}
nexpaq	0:6c56fb4bc5f0	2369
nexpaq	0:6c56fb4bc5f0	2370	cert_cur = cert_cur->next;
nexpaq	0:6c56fb4bc5f0	2371	}
nexpaq	0:6c56fb4bc5f0	2372	while( cert_cur != NULL );
nexpaq	0:6c56fb4bc5f0	2373
nexpaq	0:6c56fb4bc5f0	2374	cert_cur = crt;
nexpaq	0:6c56fb4bc5f0	2375	do
nexpaq	0:6c56fb4bc5f0	2376	{
nexpaq	0:6c56fb4bc5f0	2377	cert_prv = cert_cur;
nexpaq	0:6c56fb4bc5f0	2378	cert_cur = cert_cur->next;
nexpaq	0:6c56fb4bc5f0	2379
nexpaq	0:6c56fb4bc5f0	2380	mbedtls_zeroize( cert_prv, sizeof( mbedtls_x509_crt ) );
nexpaq	0:6c56fb4bc5f0	2381	if( cert_prv != crt )
nexpaq	0:6c56fb4bc5f0	2382	mbedtls_free( cert_prv );
nexpaq	0:6c56fb4bc5f0	2383	}
nexpaq	0:6c56fb4bc5f0	2384	while( cert_cur != NULL );
nexpaq	0:6c56fb4bc5f0	2385	}
nexpaq	0:6c56fb4bc5f0	2386
nexpaq	0:6c56fb4bc5f0	2387	#endif /* MBEDTLS_X509_CRT_PARSE_C */

Repository toolbox

Export to desktop IDE

Repository details

Type:	Library
Created:	04 Nov 2016
Imports:	5
Forks:	0
Commits:	2
Dependents:	0
Dependencies:	0
Followers:	1

This repository is Public (Unlisted).

features/mbedtls/src/x509_crt.c@0:6c56fb4bc5f0, 2016-11-04 (annotated)

Who changed what in which revision?

Repository toolbox

Repository details

Important Information for this Arm website

Access Warning