Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1 | /* |
| 2 | * X.509 certificate and private key decoding |
| 3 | * |
Paul Bakker | b6c5d2e | 2013-06-25 16:25:17 +0200 | [diff] [blame] | 4 | * Copyright (C) 2006-2013, Brainspark B.V. |
Paul Bakker | b96f154 | 2010-07-18 20:36:00 +0000 | [diff] [blame] | 5 | * |
| 6 | * This file is part of PolarSSL (http://www.polarssl.org) |
Paul Bakker | 84f12b7 | 2010-07-18 10:13:04 +0000 | [diff] [blame] | 7 | * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org> |
Paul Bakker | b96f154 | 2010-07-18 20:36:00 +0000 | [diff] [blame] | 8 | * |
Paul Bakker | 77b385e | 2009-07-28 17:23:11 +0000 | [diff] [blame] | 9 | * All rights reserved. |
Paul Bakker | e0ccd0a | 2009-01-04 16:27:10 +0000 | [diff] [blame] | 10 | * |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 11 | * This program is free software; you can redistribute it and/or modify |
| 12 | * it under the terms of the GNU General Public License as published by |
| 13 | * the Free Software Foundation; either version 2 of the License, or |
| 14 | * (at your option) any later version. |
| 15 | * |
| 16 | * This program is distributed in the hope that it will be useful, |
| 17 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
| 18 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| 19 | * GNU General Public License for more details. |
| 20 | * |
| 21 | * You should have received a copy of the GNU General Public License along |
| 22 | * with this program; if not, write to the Free Software Foundation, Inc., |
| 23 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. |
| 24 | */ |
| 25 | /* |
Paul Bakker | ad8d354 | 2012-02-16 15:28:14 +0000 | [diff] [blame] | 26 | * The ITU-T X.509 standard defines a certificate format for PKI. |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 27 | * |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 28 | * http://www.ietf.org/rfc/rfc3279.txt |
Paul Bakker | ad8d354 | 2012-02-16 15:28:14 +0000 | [diff] [blame] | 29 | * http://www.ietf.org/rfc/rfc3280.txt |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 30 | * |
| 31 | * ftp://ftp.rsasecurity.com/pub/pkcs/ascii/pkcs-1v2.asc |
| 32 | * |
| 33 | * http://www.itu.int/ITU-T/studygroups/com17/languages/X.680-0207.pdf |
| 34 | * http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf |
| 35 | */ |
| 36 | |
Paul Bakker | 40e4694 | 2009-01-03 21:51:57 +0000 | [diff] [blame] | 37 | #include "polarssl/config.h" |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 38 | |
Paul Bakker | 40e4694 | 2009-01-03 21:51:57 +0000 | [diff] [blame] | 39 | #if defined(POLARSSL_X509_PARSE_C) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 40 | |
Paul Bakker | 40e4694 | 2009-01-03 21:51:57 +0000 | [diff] [blame] | 41 | #include "polarssl/x509.h" |
Paul Bakker | efc3029 | 2011-11-10 14:43:23 +0000 | [diff] [blame] | 42 | #include "polarssl/asn1.h" |
Paul Bakker | c70b982 | 2013-04-07 22:00:46 +0200 | [diff] [blame] | 43 | #include "polarssl/oid.h" |
Paul Bakker | 96743fc | 2011-02-12 14:30:57 +0000 | [diff] [blame] | 44 | #include "polarssl/pem.h" |
Paul Bakker | 1b57b06 | 2011-01-06 15:48:19 +0000 | [diff] [blame] | 45 | #include "polarssl/dhm.h" |
Paul Bakker | 28144de | 2013-06-24 19:28:55 +0200 | [diff] [blame] | 46 | #if defined(POLARSSL_PKCS5_C) |
| 47 | #include "polarssl/pkcs5.h" |
| 48 | #endif |
Paul Bakker | 38b50d7 | 2013-06-24 19:33:27 +0200 | [diff] [blame] | 49 | #if defined(POLARSSL_PKCS12_C) |
| 50 | #include "polarssl/pkcs12.h" |
| 51 | #endif |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 52 | |
Paul Bakker | 6e339b5 | 2013-07-03 13:37:05 +0200 | [diff] [blame] | 53 | #if defined(POLARSSL_MEMORY_C) |
| 54 | #include "polarssl/memory.h" |
| 55 | #else |
| 56 | #define polarssl_malloc malloc |
| 57 | #define polarssl_free free |
| 58 | #endif |
| 59 | |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 60 | #include <string.h> |
| 61 | #include <stdlib.h> |
Paul Bakker | 4f229e5 | 2011-12-04 22:11:35 +0000 | [diff] [blame] | 62 | #if defined(_WIN32) |
Paul Bakker | cce9d77 | 2011-11-18 14:26:47 +0000 | [diff] [blame] | 63 | #include <windows.h> |
| 64 | #else |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 65 | #include <time.h> |
Paul Bakker | cce9d77 | 2011-11-18 14:26:47 +0000 | [diff] [blame] | 66 | #endif |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 67 | |
Paul Bakker | 335db3f | 2011-04-25 15:28:35 +0000 | [diff] [blame] | 68 | #if defined(POLARSSL_FS_IO) |
| 69 | #include <stdio.h> |
Paul Bakker | 4a2bd0d | 2012-11-02 11:06:08 +0000 | [diff] [blame] | 70 | #if !defined(_WIN32) |
Paul Bakker | 8d91458 | 2012-06-04 12:46:42 +0000 | [diff] [blame] | 71 | #include <sys/types.h> |
Paul Bakker | 2c8cdd2 | 2013-06-24 19:22:42 +0200 | [diff] [blame] | 72 | #include <sys/stat.h> |
Paul Bakker | 8d91458 | 2012-06-04 12:46:42 +0000 | [diff] [blame] | 73 | #include <dirent.h> |
| 74 | #endif |
Paul Bakker | 335db3f | 2011-04-25 15:28:35 +0000 | [diff] [blame] | 75 | #endif |
| 76 | |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 77 | /* |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 78 | * Version ::= INTEGER { v1(0), v2(1), v3(2) } |
| 79 | */ |
| 80 | static int x509_get_version( unsigned char **p, |
Paul Bakker | ff60ee6 | 2010-03-16 21:09:09 +0000 | [diff] [blame] | 81 | const unsigned char *end, |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 82 | int *ver ) |
| 83 | { |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 84 | int ret; |
| 85 | size_t len; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 86 | |
| 87 | if( ( ret = asn1_get_tag( p, end, &len, |
| 88 | ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 0 ) ) != 0 ) |
| 89 | { |
Paul Bakker | 40e4694 | 2009-01-03 21:51:57 +0000 | [diff] [blame] | 90 | if( ret == POLARSSL_ERR_ASN1_UNEXPECTED_TAG ) |
Paul Bakker | 2a1c5f5 | 2011-10-19 14:15:17 +0000 | [diff] [blame] | 91 | { |
| 92 | *ver = 0; |
| 93 | return( 0 ); |
| 94 | } |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 95 | |
| 96 | return( ret ); |
| 97 | } |
| 98 | |
| 99 | end = *p + len; |
| 100 | |
| 101 | if( ( ret = asn1_get_int( p, end, ver ) ) != 0 ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 102 | return( POLARSSL_ERR_X509_CERT_INVALID_VERSION + ret ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 103 | |
| 104 | if( *p != end ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 105 | return( POLARSSL_ERR_X509_CERT_INVALID_VERSION + |
Paul Bakker | 40e4694 | 2009-01-03 21:51:57 +0000 | [diff] [blame] | 106 | POLARSSL_ERR_ASN1_LENGTH_MISMATCH ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 107 | |
| 108 | return( 0 ); |
| 109 | } |
| 110 | |
| 111 | /* |
Paul Bakker | fae618f | 2011-10-12 11:53:52 +0000 | [diff] [blame] | 112 | * Version ::= INTEGER { v1(0), v2(1) } |
Paul Bakker | 3329d1f | 2011-10-12 09:55:01 +0000 | [diff] [blame] | 113 | */ |
| 114 | static int x509_crl_get_version( unsigned char **p, |
| 115 | const unsigned char *end, |
| 116 | int *ver ) |
| 117 | { |
| 118 | int ret; |
| 119 | |
| 120 | if( ( ret = asn1_get_int( p, end, ver ) ) != 0 ) |
| 121 | { |
| 122 | if( ret == POLARSSL_ERR_ASN1_UNEXPECTED_TAG ) |
Paul Bakker | 2a1c5f5 | 2011-10-19 14:15:17 +0000 | [diff] [blame] | 123 | { |
| 124 | *ver = 0; |
| 125 | return( 0 ); |
| 126 | } |
Paul Bakker | 3329d1f | 2011-10-12 09:55:01 +0000 | [diff] [blame] | 127 | |
| 128 | return( POLARSSL_ERR_X509_CERT_INVALID_VERSION + ret ); |
| 129 | } |
| 130 | |
| 131 | return( 0 ); |
| 132 | } |
| 133 | |
| 134 | /* |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 135 | * CertificateSerialNumber ::= INTEGER |
| 136 | */ |
| 137 | static int x509_get_serial( unsigned char **p, |
Paul Bakker | ff60ee6 | 2010-03-16 21:09:09 +0000 | [diff] [blame] | 138 | const unsigned char *end, |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 139 | x509_buf *serial ) |
| 140 | { |
| 141 | int ret; |
| 142 | |
| 143 | if( ( end - *p ) < 1 ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 144 | return( POLARSSL_ERR_X509_CERT_INVALID_SERIAL + |
Paul Bakker | 40e4694 | 2009-01-03 21:51:57 +0000 | [diff] [blame] | 145 | POLARSSL_ERR_ASN1_OUT_OF_DATA ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 146 | |
| 147 | if( **p != ( ASN1_CONTEXT_SPECIFIC | ASN1_PRIMITIVE | 2 ) && |
| 148 | **p != ASN1_INTEGER ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 149 | return( POLARSSL_ERR_X509_CERT_INVALID_SERIAL + |
Paul Bakker | 40e4694 | 2009-01-03 21:51:57 +0000 | [diff] [blame] | 150 | POLARSSL_ERR_ASN1_UNEXPECTED_TAG ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 151 | |
| 152 | serial->tag = *(*p)++; |
| 153 | |
| 154 | if( ( ret = asn1_get_len( p, end, &serial->len ) ) != 0 ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 155 | return( POLARSSL_ERR_X509_CERT_INVALID_SERIAL + ret ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 156 | |
| 157 | serial->p = *p; |
| 158 | *p += serial->len; |
| 159 | |
| 160 | return( 0 ); |
| 161 | } |
| 162 | |
| 163 | /* |
| 164 | * AlgorithmIdentifier ::= SEQUENCE { |
| 165 | * algorithm OBJECT IDENTIFIER, |
| 166 | * parameters ANY DEFINED BY algorithm OPTIONAL } |
| 167 | */ |
| 168 | static int x509_get_alg( unsigned char **p, |
Paul Bakker | ff60ee6 | 2010-03-16 21:09:09 +0000 | [diff] [blame] | 169 | const unsigned char *end, |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 170 | x509_buf *alg ) |
| 171 | { |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 172 | int ret; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 173 | |
Paul Bakker | f8d018a | 2013-06-29 12:16:17 +0200 | [diff] [blame] | 174 | if( ( ret = asn1_get_alg_null( p, end, alg ) ) != 0 ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 175 | return( POLARSSL_ERR_X509_CERT_INVALID_ALG + ret ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 176 | |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 177 | return( 0 ); |
| 178 | } |
| 179 | |
| 180 | /* |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 181 | * AttributeTypeAndValue ::= SEQUENCE { |
| 182 | * type AttributeType, |
| 183 | * value AttributeValue } |
| 184 | * |
| 185 | * AttributeType ::= OBJECT IDENTIFIER |
| 186 | * |
| 187 | * AttributeValue ::= ANY DEFINED BY AttributeType |
| 188 | */ |
Paul Bakker | 400ff6f | 2011-02-20 10:40:16 +0000 | [diff] [blame] | 189 | static int x509_get_attr_type_value( unsigned char **p, |
| 190 | const unsigned char *end, |
| 191 | x509_name *cur ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 192 | { |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 193 | int ret; |
| 194 | size_t len; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 195 | x509_buf *oid; |
| 196 | x509_buf *val; |
| 197 | |
| 198 | if( ( ret = asn1_get_tag( p, end, &len, |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 199 | ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 200 | return( POLARSSL_ERR_X509_CERT_INVALID_NAME + ret ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 201 | |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 202 | oid = &cur->oid; |
| 203 | oid->tag = **p; |
| 204 | |
| 205 | if( ( ret = asn1_get_tag( p, end, &oid->len, ASN1_OID ) ) != 0 ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 206 | return( POLARSSL_ERR_X509_CERT_INVALID_NAME + ret ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 207 | |
| 208 | oid->p = *p; |
| 209 | *p += oid->len; |
| 210 | |
| 211 | if( ( end - *p ) < 1 ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 212 | return( POLARSSL_ERR_X509_CERT_INVALID_NAME + |
Paul Bakker | 40e4694 | 2009-01-03 21:51:57 +0000 | [diff] [blame] | 213 | POLARSSL_ERR_ASN1_OUT_OF_DATA ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 214 | |
| 215 | if( **p != ASN1_BMP_STRING && **p != ASN1_UTF8_STRING && |
| 216 | **p != ASN1_T61_STRING && **p != ASN1_PRINTABLE_STRING && |
| 217 | **p != ASN1_IA5_STRING && **p != ASN1_UNIVERSAL_STRING ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 218 | return( POLARSSL_ERR_X509_CERT_INVALID_NAME + |
Paul Bakker | 40e4694 | 2009-01-03 21:51:57 +0000 | [diff] [blame] | 219 | POLARSSL_ERR_ASN1_UNEXPECTED_TAG ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 220 | |
| 221 | val = &cur->val; |
| 222 | val->tag = *(*p)++; |
| 223 | |
| 224 | if( ( ret = asn1_get_len( p, end, &val->len ) ) != 0 ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 225 | return( POLARSSL_ERR_X509_CERT_INVALID_NAME + ret ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 226 | |
| 227 | val->p = *p; |
| 228 | *p += val->len; |
| 229 | |
| 230 | cur->next = NULL; |
| 231 | |
Paul Bakker | 400ff6f | 2011-02-20 10:40:16 +0000 | [diff] [blame] | 232 | return( 0 ); |
| 233 | } |
| 234 | |
| 235 | /* |
| 236 | * RelativeDistinguishedName ::= |
| 237 | * SET OF AttributeTypeAndValue |
| 238 | * |
| 239 | * AttributeTypeAndValue ::= SEQUENCE { |
| 240 | * type AttributeType, |
| 241 | * value AttributeValue } |
| 242 | * |
| 243 | * AttributeType ::= OBJECT IDENTIFIER |
| 244 | * |
| 245 | * AttributeValue ::= ANY DEFINED BY AttributeType |
| 246 | */ |
| 247 | static int x509_get_name( unsigned char **p, |
| 248 | const unsigned char *end, |
| 249 | x509_name *cur ) |
| 250 | { |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 251 | int ret; |
| 252 | size_t len; |
Paul Bakker | 400ff6f | 2011-02-20 10:40:16 +0000 | [diff] [blame] | 253 | const unsigned char *end2; |
| 254 | x509_name *use; |
| 255 | |
| 256 | if( ( ret = asn1_get_tag( p, end, &len, |
| 257 | ASN1_CONSTRUCTED | ASN1_SET ) ) != 0 ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 258 | return( POLARSSL_ERR_X509_CERT_INVALID_NAME + ret ); |
Paul Bakker | 400ff6f | 2011-02-20 10:40:16 +0000 | [diff] [blame] | 259 | |
| 260 | end2 = end; |
| 261 | end = *p + len; |
| 262 | use = cur; |
| 263 | |
| 264 | do |
| 265 | { |
| 266 | if( ( ret = x509_get_attr_type_value( p, end, use ) ) != 0 ) |
| 267 | return( ret ); |
| 268 | |
| 269 | if( *p != end ) |
| 270 | { |
Paul Bakker | 6e339b5 | 2013-07-03 13:37:05 +0200 | [diff] [blame] | 271 | use->next = (x509_name *) polarssl_malloc( |
Paul Bakker | 400ff6f | 2011-02-20 10:40:16 +0000 | [diff] [blame] | 272 | sizeof( x509_name ) ); |
| 273 | |
| 274 | if( use->next == NULL ) |
Paul Bakker | 69e095c | 2011-12-10 21:55:01 +0000 | [diff] [blame] | 275 | return( POLARSSL_ERR_X509_MALLOC_FAILED ); |
Paul Bakker | 400ff6f | 2011-02-20 10:40:16 +0000 | [diff] [blame] | 276 | |
| 277 | memset( use->next, 0, sizeof( x509_name ) ); |
| 278 | |
| 279 | use = use->next; |
| 280 | } |
| 281 | } |
| 282 | while( *p != end ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 283 | |
| 284 | /* |
| 285 | * recurse until end of SEQUENCE is reached |
| 286 | */ |
| 287 | if( *p == end2 ) |
| 288 | return( 0 ); |
| 289 | |
Paul Bakker | 6e339b5 | 2013-07-03 13:37:05 +0200 | [diff] [blame] | 290 | cur->next = (x509_name *) polarssl_malloc( |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 291 | sizeof( x509_name ) ); |
| 292 | |
| 293 | if( cur->next == NULL ) |
Paul Bakker | 69e095c | 2011-12-10 21:55:01 +0000 | [diff] [blame] | 294 | return( POLARSSL_ERR_X509_MALLOC_FAILED ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 295 | |
Paul Bakker | 430ffbe | 2012-05-01 08:14:20 +0000 | [diff] [blame] | 296 | memset( cur->next, 0, sizeof( x509_name ) ); |
| 297 | |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 298 | return( x509_get_name( p, end2, cur->next ) ); |
| 299 | } |
| 300 | |
| 301 | /* |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 302 | * Time ::= CHOICE { |
| 303 | * utcTime UTCTime, |
| 304 | * generalTime GeneralizedTime } |
| 305 | */ |
Paul Bakker | 9120018 | 2010-02-18 21:26:15 +0000 | [diff] [blame] | 306 | static int x509_get_time( unsigned char **p, |
Paul Bakker | ff60ee6 | 2010-03-16 21:09:09 +0000 | [diff] [blame] | 307 | const unsigned char *end, |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 308 | x509_time *time ) |
| 309 | { |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 310 | int ret; |
| 311 | size_t len; |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 312 | char date[64]; |
Paul Bakker | 9120018 | 2010-02-18 21:26:15 +0000 | [diff] [blame] | 313 | unsigned char tag; |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 314 | |
Paul Bakker | 9120018 | 2010-02-18 21:26:15 +0000 | [diff] [blame] | 315 | if( ( end - *p ) < 1 ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 316 | return( POLARSSL_ERR_X509_CERT_INVALID_DATE + |
| 317 | POLARSSL_ERR_ASN1_OUT_OF_DATA ); |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 318 | |
Paul Bakker | 9120018 | 2010-02-18 21:26:15 +0000 | [diff] [blame] | 319 | tag = **p; |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 320 | |
Paul Bakker | 9120018 | 2010-02-18 21:26:15 +0000 | [diff] [blame] | 321 | if ( tag == ASN1_UTC_TIME ) |
| 322 | { |
| 323 | (*p)++; |
| 324 | ret = asn1_get_len( p, end, &len ); |
| 325 | |
| 326 | if( ret != 0 ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 327 | return( POLARSSL_ERR_X509_CERT_INVALID_DATE + ret ); |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 328 | |
Paul Bakker | 9120018 | 2010-02-18 21:26:15 +0000 | [diff] [blame] | 329 | memset( date, 0, sizeof( date ) ); |
Paul Bakker | 27fdf46 | 2011-06-09 13:55:13 +0000 | [diff] [blame] | 330 | memcpy( date, *p, ( len < sizeof( date ) - 1 ) ? |
| 331 | len : sizeof( date ) - 1 ); |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 332 | |
Paul Bakker | 9120018 | 2010-02-18 21:26:15 +0000 | [diff] [blame] | 333 | if( sscanf( date, "%2d%2d%2d%2d%2d%2d", |
| 334 | &time->year, &time->mon, &time->day, |
| 335 | &time->hour, &time->min, &time->sec ) < 5 ) |
| 336 | return( POLARSSL_ERR_X509_CERT_INVALID_DATE ); |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 337 | |
Paul Bakker | 400ff6f | 2011-02-20 10:40:16 +0000 | [diff] [blame] | 338 | time->year += 100 * ( time->year < 50 ); |
Paul Bakker | 9120018 | 2010-02-18 21:26:15 +0000 | [diff] [blame] | 339 | time->year += 1900; |
| 340 | |
| 341 | *p += len; |
| 342 | |
| 343 | return( 0 ); |
| 344 | } |
| 345 | else if ( tag == ASN1_GENERALIZED_TIME ) |
| 346 | { |
| 347 | (*p)++; |
| 348 | ret = asn1_get_len( p, end, &len ); |
| 349 | |
| 350 | if( ret != 0 ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 351 | return( POLARSSL_ERR_X509_CERT_INVALID_DATE + ret ); |
Paul Bakker | 9120018 | 2010-02-18 21:26:15 +0000 | [diff] [blame] | 352 | |
| 353 | memset( date, 0, sizeof( date ) ); |
Paul Bakker | 27fdf46 | 2011-06-09 13:55:13 +0000 | [diff] [blame] | 354 | memcpy( date, *p, ( len < sizeof( date ) - 1 ) ? |
| 355 | len : sizeof( date ) - 1 ); |
Paul Bakker | 9120018 | 2010-02-18 21:26:15 +0000 | [diff] [blame] | 356 | |
| 357 | if( sscanf( date, "%4d%2d%2d%2d%2d%2d", |
| 358 | &time->year, &time->mon, &time->day, |
| 359 | &time->hour, &time->min, &time->sec ) < 5 ) |
| 360 | return( POLARSSL_ERR_X509_CERT_INVALID_DATE ); |
| 361 | |
| 362 | *p += len; |
| 363 | |
| 364 | return( 0 ); |
| 365 | } |
| 366 | else |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 367 | return( POLARSSL_ERR_X509_CERT_INVALID_DATE + POLARSSL_ERR_ASN1_UNEXPECTED_TAG ); |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 368 | } |
| 369 | |
| 370 | |
| 371 | /* |
| 372 | * Validity ::= SEQUENCE { |
| 373 | * notBefore Time, |
| 374 | * notAfter Time } |
| 375 | */ |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 376 | static int x509_get_dates( unsigned char **p, |
Paul Bakker | ff60ee6 | 2010-03-16 21:09:09 +0000 | [diff] [blame] | 377 | const unsigned char *end, |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 378 | x509_time *from, |
| 379 | x509_time *to ) |
| 380 | { |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 381 | int ret; |
| 382 | size_t len; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 383 | |
| 384 | if( ( ret = asn1_get_tag( p, end, &len, |
| 385 | ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 386 | return( POLARSSL_ERR_X509_CERT_INVALID_DATE + ret ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 387 | |
| 388 | end = *p + len; |
| 389 | |
Paul Bakker | 9120018 | 2010-02-18 21:26:15 +0000 | [diff] [blame] | 390 | if( ( ret = x509_get_time( p, end, from ) ) != 0 ) |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 391 | return( ret ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 392 | |
Paul Bakker | 9120018 | 2010-02-18 21:26:15 +0000 | [diff] [blame] | 393 | if( ( ret = x509_get_time( p, end, to ) ) != 0 ) |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 394 | return( ret ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 395 | |
| 396 | if( *p != end ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 397 | return( POLARSSL_ERR_X509_CERT_INVALID_DATE + |
Paul Bakker | 40e4694 | 2009-01-03 21:51:57 +0000 | [diff] [blame] | 398 | POLARSSL_ERR_ASN1_LENGTH_MISMATCH ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 399 | |
| 400 | return( 0 ); |
| 401 | } |
| 402 | |
| 403 | /* |
| 404 | * SubjectPublicKeyInfo ::= SEQUENCE { |
| 405 | * algorithm AlgorithmIdentifier, |
| 406 | * subjectPublicKey BIT STRING } |
| 407 | */ |
| 408 | static int x509_get_pubkey( unsigned char **p, |
Paul Bakker | ff60ee6 | 2010-03-16 21:09:09 +0000 | [diff] [blame] | 409 | const unsigned char *end, |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 410 | x509_buf *pk_alg_oid, |
| 411 | mpi *N, mpi *E ) |
| 412 | { |
Paul Bakker | c70b982 | 2013-04-07 22:00:46 +0200 | [diff] [blame] | 413 | int ret; |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 414 | size_t len; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 415 | unsigned char *end2; |
Paul Bakker | c70b982 | 2013-04-07 22:00:46 +0200 | [diff] [blame] | 416 | pk_type_t pk_alg = POLARSSL_PK_NONE; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 417 | |
Paul Bakker | f8d018a | 2013-06-29 12:16:17 +0200 | [diff] [blame] | 418 | if( ( ret = asn1_get_alg_null( p, end, pk_alg_oid ) ) != 0 ) |
| 419 | return( POLARSSL_ERR_X509_CERT_INVALID_PUBKEY + ret ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 420 | |
| 421 | /* |
| 422 | * only RSA public keys handled at this time |
| 423 | */ |
Paul Bakker | c70b982 | 2013-04-07 22:00:46 +0200 | [diff] [blame] | 424 | if( oid_get_pk_alg( pk_alg_oid, &pk_alg ) != 0 ) |
Paul Bakker | ed56b22 | 2011-07-13 11:26:43 +0000 | [diff] [blame] | 425 | return( POLARSSL_ERR_X509_UNKNOWN_PK_ALG ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 426 | |
| 427 | if( ( ret = asn1_get_tag( p, end, &len, ASN1_BIT_STRING ) ) != 0 ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 428 | return( POLARSSL_ERR_X509_CERT_INVALID_PUBKEY + ret ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 429 | |
| 430 | if( ( end - *p ) < 1 ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 431 | return( POLARSSL_ERR_X509_CERT_INVALID_PUBKEY + |
Paul Bakker | 40e4694 | 2009-01-03 21:51:57 +0000 | [diff] [blame] | 432 | POLARSSL_ERR_ASN1_OUT_OF_DATA ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 433 | |
| 434 | end2 = *p + len; |
| 435 | |
| 436 | if( *(*p)++ != 0 ) |
Paul Bakker | 40e4694 | 2009-01-03 21:51:57 +0000 | [diff] [blame] | 437 | return( POLARSSL_ERR_X509_CERT_INVALID_PUBKEY ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 438 | |
| 439 | /* |
| 440 | * RSAPublicKey ::= SEQUENCE { |
| 441 | * modulus INTEGER, -- n |
| 442 | * publicExponent INTEGER -- e |
| 443 | * } |
| 444 | */ |
| 445 | if( ( ret = asn1_get_tag( p, end2, &len, |
| 446 | ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 447 | return( POLARSSL_ERR_X509_CERT_INVALID_PUBKEY + ret ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 448 | |
| 449 | if( *p + len != end2 ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 450 | return( POLARSSL_ERR_X509_CERT_INVALID_PUBKEY + |
Paul Bakker | 40e4694 | 2009-01-03 21:51:57 +0000 | [diff] [blame] | 451 | POLARSSL_ERR_ASN1_LENGTH_MISMATCH ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 452 | |
| 453 | if( ( ret = asn1_get_mpi( p, end2, N ) ) != 0 || |
| 454 | ( ret = asn1_get_mpi( p, end2, E ) ) != 0 ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 455 | return( POLARSSL_ERR_X509_CERT_INVALID_PUBKEY + ret ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 456 | |
| 457 | if( *p != end ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 458 | return( POLARSSL_ERR_X509_CERT_INVALID_PUBKEY + |
Paul Bakker | 40e4694 | 2009-01-03 21:51:57 +0000 | [diff] [blame] | 459 | POLARSSL_ERR_ASN1_LENGTH_MISMATCH ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 460 | |
| 461 | return( 0 ); |
| 462 | } |
| 463 | |
| 464 | static int x509_get_sig( unsigned char **p, |
Paul Bakker | ff60ee6 | 2010-03-16 21:09:09 +0000 | [diff] [blame] | 465 | const unsigned char *end, |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 466 | x509_buf *sig ) |
| 467 | { |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 468 | int ret; |
| 469 | size_t len; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 470 | |
Paul Bakker | 8afa70d | 2012-02-11 18:42:45 +0000 | [diff] [blame] | 471 | if( ( end - *p ) < 1 ) |
| 472 | return( POLARSSL_ERR_X509_CERT_INVALID_SIGNATURE + |
| 473 | POLARSSL_ERR_ASN1_OUT_OF_DATA ); |
| 474 | |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 475 | sig->tag = **p; |
| 476 | |
| 477 | if( ( ret = asn1_get_tag( p, end, &len, ASN1_BIT_STRING ) ) != 0 ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 478 | return( POLARSSL_ERR_X509_CERT_INVALID_SIGNATURE + ret ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 479 | |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 480 | |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 481 | if( --len < 1 || *(*p)++ != 0 ) |
Paul Bakker | 40e4694 | 2009-01-03 21:51:57 +0000 | [diff] [blame] | 482 | return( POLARSSL_ERR_X509_CERT_INVALID_SIGNATURE ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 483 | |
| 484 | sig->len = len; |
| 485 | sig->p = *p; |
| 486 | |
| 487 | *p += len; |
| 488 | |
| 489 | return( 0 ); |
| 490 | } |
| 491 | |
| 492 | /* |
| 493 | * X.509 v2/v3 unique identifier (not parsed) |
| 494 | */ |
| 495 | static int x509_get_uid( unsigned char **p, |
Paul Bakker | ff60ee6 | 2010-03-16 21:09:09 +0000 | [diff] [blame] | 496 | const unsigned char *end, |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 497 | x509_buf *uid, int n ) |
| 498 | { |
| 499 | int ret; |
| 500 | |
| 501 | if( *p == end ) |
| 502 | return( 0 ); |
| 503 | |
| 504 | uid->tag = **p; |
| 505 | |
| 506 | if( ( ret = asn1_get_tag( p, end, &uid->len, |
| 507 | ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | n ) ) != 0 ) |
| 508 | { |
Paul Bakker | 40e4694 | 2009-01-03 21:51:57 +0000 | [diff] [blame] | 509 | if( ret == POLARSSL_ERR_ASN1_UNEXPECTED_TAG ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 510 | return( 0 ); |
| 511 | |
| 512 | return( ret ); |
| 513 | } |
| 514 | |
| 515 | uid->p = *p; |
| 516 | *p += uid->len; |
| 517 | |
| 518 | return( 0 ); |
| 519 | } |
| 520 | |
| 521 | /* |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 522 | * X.509 Extensions (No parsing of extensions, pointer should |
| 523 | * be either manually updated or extensions should be parsed! |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 524 | */ |
| 525 | static int x509_get_ext( unsigned char **p, |
Paul Bakker | ff60ee6 | 2010-03-16 21:09:09 +0000 | [diff] [blame] | 526 | const unsigned char *end, |
Paul Bakker | fbc09f3 | 2011-10-12 09:56:41 +0000 | [diff] [blame] | 527 | x509_buf *ext, int tag ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 528 | { |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 529 | int ret; |
| 530 | size_t len; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 531 | |
| 532 | if( *p == end ) |
| 533 | return( 0 ); |
| 534 | |
| 535 | ext->tag = **p; |
Paul Bakker | ff60ee6 | 2010-03-16 21:09:09 +0000 | [diff] [blame] | 536 | |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 537 | if( ( ret = asn1_get_tag( p, end, &ext->len, |
Paul Bakker | fbc09f3 | 2011-10-12 09:56:41 +0000 | [diff] [blame] | 538 | ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | tag ) ) != 0 ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 539 | return( ret ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 540 | |
| 541 | ext->p = *p; |
| 542 | end = *p + ext->len; |
| 543 | |
| 544 | /* |
| 545 | * Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension |
| 546 | * |
| 547 | * Extension ::= SEQUENCE { |
| 548 | * extnID OBJECT IDENTIFIER, |
| 549 | * critical BOOLEAN DEFAULT FALSE, |
| 550 | * extnValue OCTET STRING } |
| 551 | */ |
| 552 | if( ( ret = asn1_get_tag( p, end, &len, |
| 553 | ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 554 | return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + ret ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 555 | |
| 556 | if( end != *p + len ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 557 | return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + |
Paul Bakker | 40e4694 | 2009-01-03 21:51:57 +0000 | [diff] [blame] | 558 | POLARSSL_ERR_ASN1_LENGTH_MISMATCH ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 559 | |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 560 | return( 0 ); |
| 561 | } |
| 562 | |
| 563 | /* |
| 564 | * X.509 CRL v2 extensions (no extensions parsed yet.) |
| 565 | */ |
| 566 | static int x509_get_crl_ext( unsigned char **p, |
Paul Bakker | ff60ee6 | 2010-03-16 21:09:09 +0000 | [diff] [blame] | 567 | const unsigned char *end, |
| 568 | x509_buf *ext ) |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 569 | { |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 570 | int ret; |
Paul Bakker | fbc09f3 | 2011-10-12 09:56:41 +0000 | [diff] [blame] | 571 | size_t len = 0; |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 572 | |
Paul Bakker | fbc09f3 | 2011-10-12 09:56:41 +0000 | [diff] [blame] | 573 | /* Get explicit tag */ |
| 574 | if( ( ret = x509_get_ext( p, end, ext, 0) ) != 0 ) |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 575 | { |
| 576 | if( ret == POLARSSL_ERR_ASN1_UNEXPECTED_TAG ) |
| 577 | return( 0 ); |
| 578 | |
| 579 | return( ret ); |
| 580 | } |
| 581 | |
| 582 | while( *p < end ) |
| 583 | { |
| 584 | if( ( ret = asn1_get_tag( p, end, &len, |
| 585 | ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 586 | return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + ret ); |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 587 | |
| 588 | *p += len; |
| 589 | } |
| 590 | |
| 591 | if( *p != end ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 592 | return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 593 | POLARSSL_ERR_ASN1_LENGTH_MISMATCH ); |
| 594 | |
| 595 | return( 0 ); |
| 596 | } |
| 597 | |
Paul Bakker | b5a11ab | 2011-10-12 09:58:41 +0000 | [diff] [blame] | 598 | /* |
| 599 | * X.509 CRL v2 entry extensions (no extensions parsed yet.) |
| 600 | */ |
| 601 | static int x509_get_crl_entry_ext( unsigned char **p, |
| 602 | const unsigned char *end, |
| 603 | x509_buf *ext ) |
| 604 | { |
| 605 | int ret; |
| 606 | size_t len = 0; |
| 607 | |
| 608 | /* OPTIONAL */ |
| 609 | if (end <= *p) |
| 610 | return( 0 ); |
| 611 | |
| 612 | ext->tag = **p; |
| 613 | ext->p = *p; |
| 614 | |
| 615 | /* |
| 616 | * Get CRL-entry extension sequence header |
| 617 | * crlEntryExtensions Extensions OPTIONAL -- if present, MUST be v2 |
| 618 | */ |
| 619 | if( ( ret = asn1_get_tag( p, end, &ext->len, |
| 620 | ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 ) |
| 621 | { |
| 622 | if( ret == POLARSSL_ERR_ASN1_UNEXPECTED_TAG ) |
| 623 | { |
| 624 | ext->p = NULL; |
| 625 | return( 0 ); |
| 626 | } |
| 627 | return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + ret ); |
| 628 | } |
| 629 | |
| 630 | end = *p + ext->len; |
| 631 | |
| 632 | if( end != *p + ext->len ) |
| 633 | return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + |
| 634 | POLARSSL_ERR_ASN1_LENGTH_MISMATCH ); |
| 635 | |
| 636 | while( *p < end ) |
| 637 | { |
| 638 | if( ( ret = asn1_get_tag( p, end, &len, |
| 639 | ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 ) |
| 640 | return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + ret ); |
| 641 | |
| 642 | *p += len; |
| 643 | } |
| 644 | |
| 645 | if( *p != end ) |
| 646 | return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + |
| 647 | POLARSSL_ERR_ASN1_LENGTH_MISMATCH ); |
| 648 | |
| 649 | return( 0 ); |
| 650 | } |
| 651 | |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 652 | static int x509_get_basic_constraints( unsigned char **p, |
| 653 | const unsigned char *end, |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 654 | int *ca_istrue, |
| 655 | int *max_pathlen ) |
| 656 | { |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 657 | int ret; |
| 658 | size_t len; |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 659 | |
| 660 | /* |
| 661 | * BasicConstraints ::= SEQUENCE { |
| 662 | * cA BOOLEAN DEFAULT FALSE, |
| 663 | * pathLenConstraint INTEGER (0..MAX) OPTIONAL } |
| 664 | */ |
Paul Bakker | 3cccddb | 2011-01-16 21:46:31 +0000 | [diff] [blame] | 665 | *ca_istrue = 0; /* DEFAULT FALSE */ |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 666 | *max_pathlen = 0; /* endless */ |
| 667 | |
| 668 | if( ( ret = asn1_get_tag( p, end, &len, |
| 669 | ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 670 | return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + ret ); |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 671 | |
| 672 | if( *p == end ) |
| 673 | return 0; |
| 674 | |
Paul Bakker | 3cccddb | 2011-01-16 21:46:31 +0000 | [diff] [blame] | 675 | if( ( ret = asn1_get_bool( p, end, ca_istrue ) ) != 0 ) |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 676 | { |
| 677 | if( ret == POLARSSL_ERR_ASN1_UNEXPECTED_TAG ) |
Paul Bakker | 3cccddb | 2011-01-16 21:46:31 +0000 | [diff] [blame] | 678 | ret = asn1_get_int( p, end, ca_istrue ); |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 679 | |
| 680 | if( ret != 0 ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 681 | return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + ret ); |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 682 | |
Paul Bakker | 3cccddb | 2011-01-16 21:46:31 +0000 | [diff] [blame] | 683 | if( *ca_istrue != 0 ) |
| 684 | *ca_istrue = 1; |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 685 | } |
| 686 | |
| 687 | if( *p == end ) |
| 688 | return 0; |
| 689 | |
| 690 | if( ( ret = asn1_get_int( p, end, max_pathlen ) ) != 0 ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 691 | return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + ret ); |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 692 | |
| 693 | if( *p != end ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 694 | return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 695 | POLARSSL_ERR_ASN1_LENGTH_MISMATCH ); |
| 696 | |
| 697 | (*max_pathlen)++; |
| 698 | |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 699 | return 0; |
| 700 | } |
| 701 | |
| 702 | static int x509_get_ns_cert_type( unsigned char **p, |
| 703 | const unsigned char *end, |
| 704 | unsigned char *ns_cert_type) |
| 705 | { |
| 706 | int ret; |
Paul Bakker | d61e7d9 | 2011-01-18 16:17:47 +0000 | [diff] [blame] | 707 | x509_bitstring bs = { 0, 0, NULL }; |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 708 | |
| 709 | if( ( ret = asn1_get_bitstring( p, end, &bs ) ) != 0 ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 710 | return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + ret ); |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 711 | |
| 712 | if( bs.len != 1 ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 713 | return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 714 | POLARSSL_ERR_ASN1_INVALID_LENGTH ); |
| 715 | |
| 716 | /* Get actual bitstring */ |
| 717 | *ns_cert_type = *bs.p; |
| 718 | return 0; |
| 719 | } |
| 720 | |
| 721 | static int x509_get_key_usage( unsigned char **p, |
| 722 | const unsigned char *end, |
| 723 | unsigned char *key_usage) |
| 724 | { |
| 725 | int ret; |
Paul Bakker | d61e7d9 | 2011-01-18 16:17:47 +0000 | [diff] [blame] | 726 | x509_bitstring bs = { 0, 0, NULL }; |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 727 | |
| 728 | if( ( ret = asn1_get_bitstring( p, end, &bs ) ) != 0 ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 729 | return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + ret ); |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 730 | |
Paul Bakker | 94a6796 | 2012-08-23 13:03:52 +0000 | [diff] [blame] | 731 | if( bs.len < 1 ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 732 | return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 733 | POLARSSL_ERR_ASN1_INVALID_LENGTH ); |
| 734 | |
| 735 | /* Get actual bitstring */ |
| 736 | *key_usage = *bs.p; |
| 737 | return 0; |
| 738 | } |
| 739 | |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 740 | /* |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 741 | * ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId |
| 742 | * |
| 743 | * KeyPurposeId ::= OBJECT IDENTIFIER |
| 744 | */ |
| 745 | static int x509_get_ext_key_usage( unsigned char **p, |
| 746 | const unsigned char *end, |
| 747 | x509_sequence *ext_key_usage) |
| 748 | { |
| 749 | int ret; |
| 750 | |
| 751 | if( ( ret = asn1_get_sequence_of( p, end, ext_key_usage, ASN1_OID ) ) != 0 ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 752 | return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + ret ); |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 753 | |
| 754 | /* Sequence length must be >= 1 */ |
| 755 | if( ext_key_usage->buf.p == NULL ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 756 | return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 757 | POLARSSL_ERR_ASN1_INVALID_LENGTH ); |
| 758 | |
| 759 | return 0; |
| 760 | } |
| 761 | |
| 762 | /* |
Paul Bakker | a8cd239 | 2012-02-11 16:09:32 +0000 | [diff] [blame] | 763 | * SubjectAltName ::= GeneralNames |
| 764 | * |
| 765 | * GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName |
| 766 | * |
| 767 | * GeneralName ::= CHOICE { |
| 768 | * otherName [0] OtherName, |
| 769 | * rfc822Name [1] IA5String, |
| 770 | * dNSName [2] IA5String, |
| 771 | * x400Address [3] ORAddress, |
| 772 | * directoryName [4] Name, |
| 773 | * ediPartyName [5] EDIPartyName, |
| 774 | * uniformResourceIdentifier [6] IA5String, |
| 775 | * iPAddress [7] OCTET STRING, |
| 776 | * registeredID [8] OBJECT IDENTIFIER } |
| 777 | * |
| 778 | * OtherName ::= SEQUENCE { |
| 779 | * type-id OBJECT IDENTIFIER, |
| 780 | * value [0] EXPLICIT ANY DEFINED BY type-id } |
| 781 | * |
| 782 | * EDIPartyName ::= SEQUENCE { |
| 783 | * nameAssigner [0] DirectoryString OPTIONAL, |
| 784 | * partyName [1] DirectoryString } |
| 785 | * |
| 786 | * NOTE: PolarSSL only parses and uses dNSName at this point. |
| 787 | */ |
| 788 | static int x509_get_subject_alt_name( unsigned char **p, |
| 789 | const unsigned char *end, |
| 790 | x509_sequence *subject_alt_name ) |
| 791 | { |
| 792 | int ret; |
| 793 | size_t len, tag_len; |
| 794 | asn1_buf *buf; |
| 795 | unsigned char tag; |
| 796 | asn1_sequence *cur = subject_alt_name; |
| 797 | |
| 798 | /* Get main sequence tag */ |
| 799 | if( ( ret = asn1_get_tag( p, end, &len, |
| 800 | ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 ) |
| 801 | return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + ret ); |
| 802 | |
| 803 | if( *p + len != end ) |
| 804 | return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + |
| 805 | POLARSSL_ERR_ASN1_LENGTH_MISMATCH ); |
| 806 | |
| 807 | while( *p < end ) |
| 808 | { |
| 809 | if( ( end - *p ) < 1 ) |
| 810 | return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + |
| 811 | POLARSSL_ERR_ASN1_OUT_OF_DATA ); |
| 812 | |
| 813 | tag = **p; |
| 814 | (*p)++; |
| 815 | if( ( ret = asn1_get_len( p, end, &tag_len ) ) != 0 ) |
| 816 | return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + ret ); |
| 817 | |
| 818 | if( ( tag & ASN1_CONTEXT_SPECIFIC ) != ASN1_CONTEXT_SPECIFIC ) |
| 819 | return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + |
| 820 | POLARSSL_ERR_ASN1_UNEXPECTED_TAG ); |
| 821 | |
| 822 | if( tag != ( ASN1_CONTEXT_SPECIFIC | 2 ) ) |
| 823 | { |
| 824 | *p += tag_len; |
| 825 | continue; |
| 826 | } |
| 827 | |
| 828 | buf = &(cur->buf); |
| 829 | buf->tag = tag; |
| 830 | buf->p = *p; |
| 831 | buf->len = tag_len; |
| 832 | *p += buf->len; |
| 833 | |
| 834 | /* Allocate and assign next pointer */ |
| 835 | if (*p < end) |
| 836 | { |
Paul Bakker | 6e339b5 | 2013-07-03 13:37:05 +0200 | [diff] [blame] | 837 | cur->next = (asn1_sequence *) polarssl_malloc( |
Paul Bakker | a8cd239 | 2012-02-11 16:09:32 +0000 | [diff] [blame] | 838 | sizeof( asn1_sequence ) ); |
| 839 | |
| 840 | if( cur->next == NULL ) |
| 841 | return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + |
| 842 | POLARSSL_ERR_ASN1_MALLOC_FAILED ); |
| 843 | |
Paul Bakker | 535e97d | 2012-08-23 10:49:55 +0000 | [diff] [blame] | 844 | memset( cur->next, 0, sizeof( asn1_sequence ) ); |
Paul Bakker | a8cd239 | 2012-02-11 16:09:32 +0000 | [diff] [blame] | 845 | cur = cur->next; |
| 846 | } |
| 847 | } |
| 848 | |
| 849 | /* Set final sequence entry's next pointer to NULL */ |
| 850 | cur->next = NULL; |
| 851 | |
| 852 | if( *p != end ) |
| 853 | return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + |
| 854 | POLARSSL_ERR_ASN1_LENGTH_MISMATCH ); |
| 855 | |
| 856 | return( 0 ); |
| 857 | } |
| 858 | |
| 859 | /* |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 860 | * X.509 v3 extensions |
| 861 | * |
| 862 | * TODO: Perform all of the basic constraints tests required by the RFC |
| 863 | * TODO: Set values for undetected extensions to a sane default? |
| 864 | * |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 865 | */ |
| 866 | static int x509_get_crt_ext( unsigned char **p, |
Paul Bakker | ff60ee6 | 2010-03-16 21:09:09 +0000 | [diff] [blame] | 867 | const unsigned char *end, |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 868 | x509_cert *crt ) |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 869 | { |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 870 | int ret; |
| 871 | size_t len; |
Paul Bakker | c6ce838 | 2009-07-27 21:34:45 +0000 | [diff] [blame] | 872 | unsigned char *end_ext_data, *end_ext_octet; |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 873 | |
Paul Bakker | fbc09f3 | 2011-10-12 09:56:41 +0000 | [diff] [blame] | 874 | if( ( ret = x509_get_ext( p, end, &crt->v3_ext, 3 ) ) != 0 ) |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 875 | { |
| 876 | if( ret == POLARSSL_ERR_ASN1_UNEXPECTED_TAG ) |
| 877 | return( 0 ); |
| 878 | |
| 879 | return( ret ); |
| 880 | } |
| 881 | |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 882 | while( *p < end ) |
| 883 | { |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 884 | /* |
| 885 | * Extension ::= SEQUENCE { |
| 886 | * extnID OBJECT IDENTIFIER, |
| 887 | * critical BOOLEAN DEFAULT FALSE, |
| 888 | * extnValue OCTET STRING } |
| 889 | */ |
| 890 | x509_buf extn_oid = {0, 0, NULL}; |
| 891 | int is_critical = 0; /* DEFAULT FALSE */ |
Paul Bakker | c70b982 | 2013-04-07 22:00:46 +0200 | [diff] [blame] | 892 | int ext_type = 0; |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 893 | |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 894 | if( ( ret = asn1_get_tag( p, end, &len, |
| 895 | ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 896 | return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + ret ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 897 | |
Paul Bakker | c6ce838 | 2009-07-27 21:34:45 +0000 | [diff] [blame] | 898 | end_ext_data = *p + len; |
| 899 | |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 900 | /* Get extension ID */ |
| 901 | extn_oid.tag = **p; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 902 | |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 903 | if( ( ret = asn1_get_tag( p, end, &extn_oid.len, ASN1_OID ) ) != 0 ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 904 | return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + ret ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 905 | |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 906 | extn_oid.p = *p; |
| 907 | *p += extn_oid.len; |
| 908 | |
| 909 | if( ( end - *p ) < 1 ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 910 | return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 911 | POLARSSL_ERR_ASN1_OUT_OF_DATA ); |
| 912 | |
| 913 | /* Get optional critical */ |
Paul Bakker | c6ce838 | 2009-07-27 21:34:45 +0000 | [diff] [blame] | 914 | if( ( ret = asn1_get_bool( p, end_ext_data, &is_critical ) ) != 0 && |
Paul Bakker | 40e4694 | 2009-01-03 21:51:57 +0000 | [diff] [blame] | 915 | ( ret != POLARSSL_ERR_ASN1_UNEXPECTED_TAG ) ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 916 | return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + ret ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 917 | |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 918 | /* Data should be octet string type */ |
Paul Bakker | c6ce838 | 2009-07-27 21:34:45 +0000 | [diff] [blame] | 919 | if( ( ret = asn1_get_tag( p, end_ext_data, &len, |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 920 | ASN1_OCTET_STRING ) ) != 0 ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 921 | return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + ret ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 922 | |
Paul Bakker | c6ce838 | 2009-07-27 21:34:45 +0000 | [diff] [blame] | 923 | end_ext_octet = *p + len; |
Paul Bakker | ff60ee6 | 2010-03-16 21:09:09 +0000 | [diff] [blame] | 924 | |
Paul Bakker | c6ce838 | 2009-07-27 21:34:45 +0000 | [diff] [blame] | 925 | if( end_ext_octet != end_ext_data ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 926 | return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + |
Paul Bakker | c6ce838 | 2009-07-27 21:34:45 +0000 | [diff] [blame] | 927 | POLARSSL_ERR_ASN1_LENGTH_MISMATCH ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 928 | |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 929 | /* |
| 930 | * Detect supported extensions |
| 931 | */ |
Paul Bakker | c70b982 | 2013-04-07 22:00:46 +0200 | [diff] [blame] | 932 | ret = oid_get_x509_ext_type( &extn_oid, &ext_type ); |
| 933 | |
| 934 | if( ret != 0 ) |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 935 | { |
| 936 | /* No parser found, skip extension */ |
| 937 | *p = end_ext_octet; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 938 | |
Paul Bakker | 5c721f9 | 2011-07-27 16:51:09 +0000 | [diff] [blame] | 939 | #if !defined(POLARSSL_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION) |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 940 | if( is_critical ) |
| 941 | { |
| 942 | /* Data is marked as critical: fail */ |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 943 | return ( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 944 | POLARSSL_ERR_ASN1_UNEXPECTED_TAG ); |
| 945 | } |
Paul Bakker | 5c721f9 | 2011-07-27 16:51:09 +0000 | [diff] [blame] | 946 | #endif |
Paul Bakker | c70b982 | 2013-04-07 22:00:46 +0200 | [diff] [blame] | 947 | continue; |
| 948 | } |
| 949 | |
| 950 | crt->ext_types |= ext_type; |
| 951 | |
| 952 | switch( ext_type ) |
| 953 | { |
| 954 | case EXT_BASIC_CONSTRAINTS: |
| 955 | /* Parse basic constraints */ |
| 956 | if( ( ret = x509_get_basic_constraints( p, end_ext_octet, |
| 957 | &crt->ca_istrue, &crt->max_pathlen ) ) != 0 ) |
| 958 | return ( ret ); |
| 959 | break; |
| 960 | |
| 961 | case EXT_KEY_USAGE: |
| 962 | /* Parse key usage */ |
| 963 | if( ( ret = x509_get_key_usage( p, end_ext_octet, |
| 964 | &crt->key_usage ) ) != 0 ) |
| 965 | return ( ret ); |
| 966 | break; |
| 967 | |
| 968 | case EXT_EXTENDED_KEY_USAGE: |
| 969 | /* Parse extended key usage */ |
| 970 | if( ( ret = x509_get_ext_key_usage( p, end_ext_octet, |
| 971 | &crt->ext_key_usage ) ) != 0 ) |
| 972 | return ( ret ); |
| 973 | break; |
| 974 | |
| 975 | case EXT_SUBJECT_ALT_NAME: |
| 976 | /* Parse subject alt name */ |
| 977 | if( ( ret = x509_get_subject_alt_name( p, end_ext_octet, |
| 978 | &crt->subject_alt_names ) ) != 0 ) |
| 979 | return ( ret ); |
| 980 | break; |
| 981 | |
| 982 | case EXT_NS_CERT_TYPE: |
| 983 | /* Parse netscape certificate type */ |
| 984 | if( ( ret = x509_get_ns_cert_type( p, end_ext_octet, |
| 985 | &crt->ns_cert_type ) ) != 0 ) |
| 986 | return ( ret ); |
| 987 | break; |
| 988 | |
| 989 | default: |
| 990 | return( POLARSSL_ERR_X509_FEATURE_UNAVAILABLE ); |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 991 | } |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 992 | } |
| 993 | |
| 994 | if( *p != end ) |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 995 | return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + |
Paul Bakker | 40e4694 | 2009-01-03 21:51:57 +0000 | [diff] [blame] | 996 | POLARSSL_ERR_ASN1_LENGTH_MISMATCH ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 997 | |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 998 | return( 0 ); |
| 999 | } |
| 1000 | |
| 1001 | /* |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1002 | * X.509 CRL Entries |
| 1003 | */ |
| 1004 | static int x509_get_entries( unsigned char **p, |
Paul Bakker | ff60ee6 | 2010-03-16 21:09:09 +0000 | [diff] [blame] | 1005 | const unsigned char *end, |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1006 | x509_crl_entry *entry ) |
| 1007 | { |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 1008 | int ret; |
| 1009 | size_t entry_len; |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1010 | x509_crl_entry *cur_entry = entry; |
| 1011 | |
| 1012 | if( *p == end ) |
| 1013 | return( 0 ); |
| 1014 | |
Paul Bakker | 9be1937 | 2009-07-27 20:21:53 +0000 | [diff] [blame] | 1015 | if( ( ret = asn1_get_tag( p, end, &entry_len, |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1016 | ASN1_SEQUENCE | ASN1_CONSTRUCTED ) ) != 0 ) |
| 1017 | { |
| 1018 | if( ret == POLARSSL_ERR_ASN1_UNEXPECTED_TAG ) |
| 1019 | return( 0 ); |
| 1020 | |
| 1021 | return( ret ); |
| 1022 | } |
| 1023 | |
Paul Bakker | 9be1937 | 2009-07-27 20:21:53 +0000 | [diff] [blame] | 1024 | end = *p + entry_len; |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1025 | |
| 1026 | while( *p < end ) |
| 1027 | { |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 1028 | size_t len2; |
Paul Bakker | b5a11ab | 2011-10-12 09:58:41 +0000 | [diff] [blame] | 1029 | const unsigned char *end2; |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1030 | |
| 1031 | if( ( ret = asn1_get_tag( p, end, &len2, |
| 1032 | ASN1_SEQUENCE | ASN1_CONSTRUCTED ) ) != 0 ) |
| 1033 | { |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1034 | return( ret ); |
| 1035 | } |
| 1036 | |
Paul Bakker | 9be1937 | 2009-07-27 20:21:53 +0000 | [diff] [blame] | 1037 | cur_entry->raw.tag = **p; |
| 1038 | cur_entry->raw.p = *p; |
| 1039 | cur_entry->raw.len = len2; |
Paul Bakker | b5a11ab | 2011-10-12 09:58:41 +0000 | [diff] [blame] | 1040 | end2 = *p + len2; |
Paul Bakker | 9be1937 | 2009-07-27 20:21:53 +0000 | [diff] [blame] | 1041 | |
Paul Bakker | b5a11ab | 2011-10-12 09:58:41 +0000 | [diff] [blame] | 1042 | if( ( ret = x509_get_serial( p, end2, &cur_entry->serial ) ) != 0 ) |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1043 | return( ret ); |
| 1044 | |
Paul Bakker | b5a11ab | 2011-10-12 09:58:41 +0000 | [diff] [blame] | 1045 | if( ( ret = x509_get_time( p, end2, &cur_entry->revocation_date ) ) != 0 ) |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1046 | return( ret ); |
| 1047 | |
Paul Bakker | b5a11ab | 2011-10-12 09:58:41 +0000 | [diff] [blame] | 1048 | if( ( ret = x509_get_crl_entry_ext( p, end2, &cur_entry->entry_ext ) ) != 0 ) |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1049 | return( ret ); |
| 1050 | |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 1051 | if ( *p < end ) |
| 1052 | { |
Paul Bakker | 6e339b5 | 2013-07-03 13:37:05 +0200 | [diff] [blame] | 1053 | cur_entry->next = polarssl_malloc( sizeof( x509_crl_entry ) ); |
Paul Bakker | b15b851 | 2012-01-13 13:44:06 +0000 | [diff] [blame] | 1054 | |
| 1055 | if( cur_entry->next == NULL ) |
| 1056 | return( POLARSSL_ERR_X509_MALLOC_FAILED ); |
| 1057 | |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1058 | cur_entry = cur_entry->next; |
| 1059 | memset( cur_entry, 0, sizeof( x509_crl_entry ) ); |
| 1060 | } |
| 1061 | } |
| 1062 | |
| 1063 | return( 0 ); |
| 1064 | } |
| 1065 | |
Paul Bakker | c70b982 | 2013-04-07 22:00:46 +0200 | [diff] [blame] | 1066 | static int x509_get_sig_alg( const x509_buf *sig_oid, md_type_t *md_alg, |
| 1067 | pk_type_t *pk_alg ) |
Paul Bakker | 27d6616 | 2010-03-17 06:56:01 +0000 | [diff] [blame] | 1068 | { |
Paul Bakker | c70b982 | 2013-04-07 22:00:46 +0200 | [diff] [blame] | 1069 | int ret = oid_get_sig_alg( sig_oid, md_alg, pk_alg ); |
Paul Bakker | 27d6616 | 2010-03-17 06:56:01 +0000 | [diff] [blame] | 1070 | |
Paul Bakker | c70b982 | 2013-04-07 22:00:46 +0200 | [diff] [blame] | 1071 | if( ret != 0 ) |
| 1072 | return( POLARSSL_ERR_X509_CERT_UNKNOWN_SIG_ALG + ret ); |
Paul Bakker | 27d6616 | 2010-03-17 06:56:01 +0000 | [diff] [blame] | 1073 | |
Paul Bakker | c70b982 | 2013-04-07 22:00:46 +0200 | [diff] [blame] | 1074 | return( 0 ); |
Paul Bakker | 27d6616 | 2010-03-17 06:56:01 +0000 | [diff] [blame] | 1075 | } |
| 1076 | |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1077 | /* |
Paul Bakker | 6c0ceb3 | 2011-12-04 12:24:18 +0000 | [diff] [blame] | 1078 | * Parse and fill a single X.509 certificate in DER format |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1079 | */ |
Paul Bakker | b6c5d2e | 2013-06-25 16:25:17 +0200 | [diff] [blame] | 1080 | static int x509parse_crt_der_core( x509_cert *crt, const unsigned char *buf, |
| 1081 | size_t buflen ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1082 | { |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 1083 | int ret; |
Paul Bakker | 5690efc | 2011-05-26 13:16:06 +0000 | [diff] [blame] | 1084 | size_t len; |
Paul Bakker | b00ca42 | 2012-09-25 12:10:00 +0000 | [diff] [blame] | 1085 | unsigned char *p, *end, *crt_end; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1086 | |
Paul Bakker | 320a4b5 | 2009-03-28 18:52:39 +0000 | [diff] [blame] | 1087 | /* |
| 1088 | * Check for valid input |
| 1089 | */ |
| 1090 | if( crt == NULL || buf == NULL ) |
Paul Bakker | 69e095c | 2011-12-10 21:55:01 +0000 | [diff] [blame] | 1091 | return( POLARSSL_ERR_X509_INVALID_INPUT ); |
Paul Bakker | 320a4b5 | 2009-03-28 18:52:39 +0000 | [diff] [blame] | 1092 | |
Paul Bakker | 6e339b5 | 2013-07-03 13:37:05 +0200 | [diff] [blame] | 1093 | p = (unsigned char *) polarssl_malloc( len = buflen ); |
Paul Bakker | 96743fc | 2011-02-12 14:30:57 +0000 | [diff] [blame] | 1094 | |
| 1095 | if( p == NULL ) |
Paul Bakker | 69e095c | 2011-12-10 21:55:01 +0000 | [diff] [blame] | 1096 | return( POLARSSL_ERR_X509_MALLOC_FAILED ); |
Paul Bakker | 96743fc | 2011-02-12 14:30:57 +0000 | [diff] [blame] | 1097 | |
| 1098 | memcpy( p, buf, buflen ); |
| 1099 | |
| 1100 | buflen = 0; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1101 | |
| 1102 | crt->raw.p = p; |
| 1103 | crt->raw.len = len; |
| 1104 | end = p + len; |
| 1105 | |
| 1106 | /* |
| 1107 | * Certificate ::= SEQUENCE { |
| 1108 | * tbsCertificate TBSCertificate, |
| 1109 | * signatureAlgorithm AlgorithmIdentifier, |
| 1110 | * signatureValue BIT STRING } |
| 1111 | */ |
| 1112 | if( ( ret = asn1_get_tag( &p, end, &len, |
| 1113 | ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 ) |
| 1114 | { |
Paul Bakker | 7d06ad2 | 2009-05-02 15:53:56 +0000 | [diff] [blame] | 1115 | x509_free( crt ); |
Paul Bakker | 40e4694 | 2009-01-03 21:51:57 +0000 | [diff] [blame] | 1116 | return( POLARSSL_ERR_X509_CERT_INVALID_FORMAT ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1117 | } |
| 1118 | |
Paul Bakker | b00ca42 | 2012-09-25 12:10:00 +0000 | [diff] [blame] | 1119 | if( len > (size_t) ( end - p ) ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1120 | { |
Paul Bakker | 7d06ad2 | 2009-05-02 15:53:56 +0000 | [diff] [blame] | 1121 | x509_free( crt ); |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 1122 | return( POLARSSL_ERR_X509_CERT_INVALID_FORMAT + |
Paul Bakker | 40e4694 | 2009-01-03 21:51:57 +0000 | [diff] [blame] | 1123 | POLARSSL_ERR_ASN1_LENGTH_MISMATCH ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1124 | } |
Paul Bakker | b00ca42 | 2012-09-25 12:10:00 +0000 | [diff] [blame] | 1125 | crt_end = p + len; |
Paul Bakker | 42c6581 | 2013-06-24 19:21:59 +0200 | [diff] [blame] | 1126 | |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1127 | /* |
| 1128 | * TBSCertificate ::= SEQUENCE { |
| 1129 | */ |
| 1130 | crt->tbs.p = p; |
| 1131 | |
| 1132 | if( ( ret = asn1_get_tag( &p, end, &len, |
| 1133 | ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 ) |
| 1134 | { |
Paul Bakker | 7d06ad2 | 2009-05-02 15:53:56 +0000 | [diff] [blame] | 1135 | x509_free( crt ); |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 1136 | return( POLARSSL_ERR_X509_CERT_INVALID_FORMAT + ret ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1137 | } |
| 1138 | |
| 1139 | end = p + len; |
| 1140 | crt->tbs.len = end - crt->tbs.p; |
| 1141 | |
| 1142 | /* |
| 1143 | * Version ::= INTEGER { v1(0), v2(1), v3(2) } |
| 1144 | * |
| 1145 | * CertificateSerialNumber ::= INTEGER |
| 1146 | * |
| 1147 | * signature AlgorithmIdentifier |
| 1148 | */ |
| 1149 | if( ( ret = x509_get_version( &p, end, &crt->version ) ) != 0 || |
| 1150 | ( ret = x509_get_serial( &p, end, &crt->serial ) ) != 0 || |
| 1151 | ( ret = x509_get_alg( &p, end, &crt->sig_oid1 ) ) != 0 ) |
| 1152 | { |
Paul Bakker | 7d06ad2 | 2009-05-02 15:53:56 +0000 | [diff] [blame] | 1153 | x509_free( crt ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1154 | return( ret ); |
| 1155 | } |
| 1156 | |
| 1157 | crt->version++; |
| 1158 | |
| 1159 | if( crt->version > 3 ) |
| 1160 | { |
Paul Bakker | 7d06ad2 | 2009-05-02 15:53:56 +0000 | [diff] [blame] | 1161 | x509_free( crt ); |
Paul Bakker | 40e4694 | 2009-01-03 21:51:57 +0000 | [diff] [blame] | 1162 | return( POLARSSL_ERR_X509_CERT_UNKNOWN_VERSION ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1163 | } |
| 1164 | |
Paul Bakker | c70b982 | 2013-04-07 22:00:46 +0200 | [diff] [blame] | 1165 | if( ( ret = x509_get_sig_alg( &crt->sig_oid1, &crt->sig_md, |
| 1166 | &crt->sig_pk ) ) != 0 ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1167 | { |
Paul Bakker | 7d06ad2 | 2009-05-02 15:53:56 +0000 | [diff] [blame] | 1168 | x509_free( crt ); |
Paul Bakker | 27d6616 | 2010-03-17 06:56:01 +0000 | [diff] [blame] | 1169 | return( ret ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1170 | } |
| 1171 | |
| 1172 | /* |
| 1173 | * issuer Name |
| 1174 | */ |
| 1175 | crt->issuer_raw.p = p; |
| 1176 | |
| 1177 | if( ( ret = asn1_get_tag( &p, end, &len, |
| 1178 | ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 ) |
| 1179 | { |
Paul Bakker | 7d06ad2 | 2009-05-02 15:53:56 +0000 | [diff] [blame] | 1180 | x509_free( crt ); |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 1181 | return( POLARSSL_ERR_X509_CERT_INVALID_FORMAT + ret ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1182 | } |
| 1183 | |
| 1184 | if( ( ret = x509_get_name( &p, p + len, &crt->issuer ) ) != 0 ) |
| 1185 | { |
Paul Bakker | 7d06ad2 | 2009-05-02 15:53:56 +0000 | [diff] [blame] | 1186 | x509_free( crt ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1187 | return( ret ); |
| 1188 | } |
| 1189 | |
| 1190 | crt->issuer_raw.len = p - crt->issuer_raw.p; |
| 1191 | |
| 1192 | /* |
| 1193 | * Validity ::= SEQUENCE { |
| 1194 | * notBefore Time, |
| 1195 | * notAfter Time } |
| 1196 | * |
| 1197 | */ |
| 1198 | if( ( ret = x509_get_dates( &p, end, &crt->valid_from, |
| 1199 | &crt->valid_to ) ) != 0 ) |
| 1200 | { |
Paul Bakker | 7d06ad2 | 2009-05-02 15:53:56 +0000 | [diff] [blame] | 1201 | x509_free( crt ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1202 | return( ret ); |
| 1203 | } |
| 1204 | |
| 1205 | /* |
| 1206 | * subject Name |
| 1207 | */ |
| 1208 | crt->subject_raw.p = p; |
| 1209 | |
| 1210 | if( ( ret = asn1_get_tag( &p, end, &len, |
| 1211 | ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 ) |
| 1212 | { |
Paul Bakker | 7d06ad2 | 2009-05-02 15:53:56 +0000 | [diff] [blame] | 1213 | x509_free( crt ); |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 1214 | return( POLARSSL_ERR_X509_CERT_INVALID_FORMAT + ret ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1215 | } |
| 1216 | |
Paul Bakker | cefb396 | 2012-06-27 11:51:09 +0000 | [diff] [blame] | 1217 | if( len && ( ret = x509_get_name( &p, p + len, &crt->subject ) ) != 0 ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1218 | { |
Paul Bakker | 7d06ad2 | 2009-05-02 15:53:56 +0000 | [diff] [blame] | 1219 | x509_free( crt ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1220 | return( ret ); |
| 1221 | } |
| 1222 | |
| 1223 | crt->subject_raw.len = p - crt->subject_raw.p; |
| 1224 | |
| 1225 | /* |
| 1226 | * SubjectPublicKeyInfo ::= SEQUENCE |
| 1227 | * algorithm AlgorithmIdentifier, |
| 1228 | * subjectPublicKey BIT STRING } |
| 1229 | */ |
| 1230 | if( ( ret = asn1_get_tag( &p, end, &len, |
| 1231 | ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 ) |
| 1232 | { |
Paul Bakker | 7d06ad2 | 2009-05-02 15:53:56 +0000 | [diff] [blame] | 1233 | x509_free( crt ); |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 1234 | return( POLARSSL_ERR_X509_CERT_INVALID_FORMAT + ret ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1235 | } |
| 1236 | |
| 1237 | if( ( ret = x509_get_pubkey( &p, p + len, &crt->pk_oid, |
| 1238 | &crt->rsa.N, &crt->rsa.E ) ) != 0 ) |
| 1239 | { |
Paul Bakker | 7d06ad2 | 2009-05-02 15:53:56 +0000 | [diff] [blame] | 1240 | x509_free( crt ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1241 | return( ret ); |
| 1242 | } |
| 1243 | |
| 1244 | if( ( ret = rsa_check_pubkey( &crt->rsa ) ) != 0 ) |
| 1245 | { |
Paul Bakker | 7d06ad2 | 2009-05-02 15:53:56 +0000 | [diff] [blame] | 1246 | x509_free( crt ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1247 | return( ret ); |
| 1248 | } |
| 1249 | |
| 1250 | crt->rsa.len = mpi_size( &crt->rsa.N ); |
| 1251 | |
| 1252 | /* |
| 1253 | * issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL, |
| 1254 | * -- If present, version shall be v2 or v3 |
| 1255 | * subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL, |
| 1256 | * -- If present, version shall be v2 or v3 |
| 1257 | * extensions [3] EXPLICIT Extensions OPTIONAL |
| 1258 | * -- If present, version shall be v3 |
| 1259 | */ |
| 1260 | if( crt->version == 2 || crt->version == 3 ) |
| 1261 | { |
| 1262 | ret = x509_get_uid( &p, end, &crt->issuer_id, 1 ); |
| 1263 | if( ret != 0 ) |
| 1264 | { |
Paul Bakker | 7d06ad2 | 2009-05-02 15:53:56 +0000 | [diff] [blame] | 1265 | x509_free( crt ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1266 | return( ret ); |
| 1267 | } |
| 1268 | } |
| 1269 | |
| 1270 | if( crt->version == 2 || crt->version == 3 ) |
| 1271 | { |
| 1272 | ret = x509_get_uid( &p, end, &crt->subject_id, 2 ); |
| 1273 | if( ret != 0 ) |
| 1274 | { |
Paul Bakker | 7d06ad2 | 2009-05-02 15:53:56 +0000 | [diff] [blame] | 1275 | x509_free( crt ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1276 | return( ret ); |
| 1277 | } |
| 1278 | } |
| 1279 | |
| 1280 | if( crt->version == 3 ) |
| 1281 | { |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 1282 | ret = x509_get_crt_ext( &p, end, crt); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1283 | if( ret != 0 ) |
| 1284 | { |
Paul Bakker | 7d06ad2 | 2009-05-02 15:53:56 +0000 | [diff] [blame] | 1285 | x509_free( crt ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1286 | return( ret ); |
| 1287 | } |
| 1288 | } |
| 1289 | |
| 1290 | if( p != end ) |
| 1291 | { |
Paul Bakker | 7d06ad2 | 2009-05-02 15:53:56 +0000 | [diff] [blame] | 1292 | x509_free( crt ); |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 1293 | return( POLARSSL_ERR_X509_CERT_INVALID_FORMAT + |
Paul Bakker | 40e4694 | 2009-01-03 21:51:57 +0000 | [diff] [blame] | 1294 | POLARSSL_ERR_ASN1_LENGTH_MISMATCH ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1295 | } |
| 1296 | |
Paul Bakker | b00ca42 | 2012-09-25 12:10:00 +0000 | [diff] [blame] | 1297 | end = crt_end; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1298 | |
| 1299 | /* |
| 1300 | * signatureAlgorithm AlgorithmIdentifier, |
| 1301 | * signatureValue BIT STRING |
| 1302 | */ |
| 1303 | if( ( ret = x509_get_alg( &p, end, &crt->sig_oid2 ) ) != 0 ) |
| 1304 | { |
Paul Bakker | 7d06ad2 | 2009-05-02 15:53:56 +0000 | [diff] [blame] | 1305 | x509_free( crt ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1306 | return( ret ); |
| 1307 | } |
| 1308 | |
Paul Bakker | 535e97d | 2012-08-23 10:49:55 +0000 | [diff] [blame] | 1309 | if( crt->sig_oid1.len != crt->sig_oid2.len || |
| 1310 | memcmp( crt->sig_oid1.p, crt->sig_oid2.p, crt->sig_oid1.len ) != 0 ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1311 | { |
Paul Bakker | 7d06ad2 | 2009-05-02 15:53:56 +0000 | [diff] [blame] | 1312 | x509_free( crt ); |
Paul Bakker | 40e4694 | 2009-01-03 21:51:57 +0000 | [diff] [blame] | 1313 | return( POLARSSL_ERR_X509_CERT_SIG_MISMATCH ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1314 | } |
| 1315 | |
| 1316 | if( ( ret = x509_get_sig( &p, end, &crt->sig ) ) != 0 ) |
| 1317 | { |
Paul Bakker | 7d06ad2 | 2009-05-02 15:53:56 +0000 | [diff] [blame] | 1318 | x509_free( crt ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1319 | return( ret ); |
| 1320 | } |
| 1321 | |
| 1322 | if( p != end ) |
| 1323 | { |
Paul Bakker | 7d06ad2 | 2009-05-02 15:53:56 +0000 | [diff] [blame] | 1324 | x509_free( crt ); |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 1325 | return( POLARSSL_ERR_X509_CERT_INVALID_FORMAT + |
Paul Bakker | 40e4694 | 2009-01-03 21:51:57 +0000 | [diff] [blame] | 1326 | POLARSSL_ERR_ASN1_LENGTH_MISMATCH ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1327 | } |
| 1328 | |
Paul Bakker | 6c0ceb3 | 2011-12-04 12:24:18 +0000 | [diff] [blame] | 1329 | return( 0 ); |
| 1330 | } |
| 1331 | |
| 1332 | /* |
Paul Bakker | 42c6581 | 2013-06-24 19:21:59 +0200 | [diff] [blame] | 1333 | * Parse one X.509 certificate in DER format from a buffer and add them to a |
| 1334 | * chained list |
Paul Bakker | 6c0ceb3 | 2011-12-04 12:24:18 +0000 | [diff] [blame] | 1335 | */ |
Paul Bakker | 42c6581 | 2013-06-24 19:21:59 +0200 | [diff] [blame] | 1336 | int x509parse_crt_der( x509_cert *chain, const unsigned char *buf, size_t buflen ) |
Paul Bakker | 6c0ceb3 | 2011-12-04 12:24:18 +0000 | [diff] [blame] | 1337 | { |
Paul Bakker | 42c6581 | 2013-06-24 19:21:59 +0200 | [diff] [blame] | 1338 | int ret; |
| 1339 | x509_cert *crt = chain, *prev = NULL; |
Paul Bakker | 6c0ceb3 | 2011-12-04 12:24:18 +0000 | [diff] [blame] | 1340 | |
| 1341 | /* |
| 1342 | * Check for valid input |
| 1343 | */ |
| 1344 | if( crt == NULL || buf == NULL ) |
Paul Bakker | 69e095c | 2011-12-10 21:55:01 +0000 | [diff] [blame] | 1345 | return( POLARSSL_ERR_X509_INVALID_INPUT ); |
Paul Bakker | 6c0ceb3 | 2011-12-04 12:24:18 +0000 | [diff] [blame] | 1346 | |
| 1347 | while( crt->version != 0 && crt->next != NULL ) |
| 1348 | { |
| 1349 | prev = crt; |
| 1350 | crt = crt->next; |
| 1351 | } |
| 1352 | |
| 1353 | /* |
| 1354 | * Add new certificate on the end of the chain if needed. |
| 1355 | */ |
| 1356 | if ( crt->version != 0 && crt->next == NULL) |
Paul Bakker | 320a4b5 | 2009-03-28 18:52:39 +0000 | [diff] [blame] | 1357 | { |
Paul Bakker | 6e339b5 | 2013-07-03 13:37:05 +0200 | [diff] [blame] | 1358 | crt->next = (x509_cert *) polarssl_malloc( sizeof( x509_cert ) ); |
Paul Bakker | 320a4b5 | 2009-03-28 18:52:39 +0000 | [diff] [blame] | 1359 | |
Paul Bakker | 7d06ad2 | 2009-05-02 15:53:56 +0000 | [diff] [blame] | 1360 | if( crt->next == NULL ) |
Paul Bakker | 69e095c | 2011-12-10 21:55:01 +0000 | [diff] [blame] | 1361 | return( POLARSSL_ERR_X509_MALLOC_FAILED ); |
Paul Bakker | 320a4b5 | 2009-03-28 18:52:39 +0000 | [diff] [blame] | 1362 | |
Paul Bakker | 6c0ceb3 | 2011-12-04 12:24:18 +0000 | [diff] [blame] | 1363 | prev = crt; |
Paul Bakker | 7d06ad2 | 2009-05-02 15:53:56 +0000 | [diff] [blame] | 1364 | crt = crt->next; |
| 1365 | memset( crt, 0, sizeof( x509_cert ) ); |
Paul Bakker | 320a4b5 | 2009-03-28 18:52:39 +0000 | [diff] [blame] | 1366 | } |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1367 | |
Paul Bakker | 42c6581 | 2013-06-24 19:21:59 +0200 | [diff] [blame] | 1368 | if( ( ret = x509parse_crt_der_core( crt, buf, buflen ) ) != 0 ) |
| 1369 | { |
| 1370 | if( prev ) |
| 1371 | prev->next = NULL; |
| 1372 | |
| 1373 | if( crt != chain ) |
Paul Bakker | 6e339b5 | 2013-07-03 13:37:05 +0200 | [diff] [blame] | 1374 | polarssl_free( crt ); |
Paul Bakker | 42c6581 | 2013-06-24 19:21:59 +0200 | [diff] [blame] | 1375 | |
| 1376 | return( ret ); |
| 1377 | } |
| 1378 | |
| 1379 | return( 0 ); |
| 1380 | } |
| 1381 | |
| 1382 | /* |
| 1383 | * Parse one or more PEM certificates from a buffer and add them to the chained list |
| 1384 | */ |
| 1385 | int x509parse_crt( x509_cert *chain, const unsigned char *buf, size_t buflen ) |
| 1386 | { |
| 1387 | int ret, success = 0, first_error = 0, total_failed = 0; |
| 1388 | int buf_format = X509_FORMAT_DER; |
| 1389 | |
| 1390 | /* |
| 1391 | * Check for valid input |
| 1392 | */ |
| 1393 | if( chain == NULL || buf == NULL ) |
| 1394 | return( POLARSSL_ERR_X509_INVALID_INPUT ); |
| 1395 | |
Paul Bakker | 6c0ceb3 | 2011-12-04 12:24:18 +0000 | [diff] [blame] | 1396 | /* |
| 1397 | * Determine buffer content. Buffer contains either one DER certificate or |
| 1398 | * one or more PEM certificates. |
| 1399 | */ |
| 1400 | #if defined(POLARSSL_PEM_C) |
Paul Bakker | 3c2122f | 2013-06-24 19:03:14 +0200 | [diff] [blame] | 1401 | if( strstr( (const char *) buf, "-----BEGIN CERTIFICATE-----" ) != NULL ) |
Paul Bakker | 6c0ceb3 | 2011-12-04 12:24:18 +0000 | [diff] [blame] | 1402 | buf_format = X509_FORMAT_PEM; |
| 1403 | #endif |
| 1404 | |
| 1405 | if( buf_format == X509_FORMAT_DER ) |
Paul Bakker | 42c6581 | 2013-06-24 19:21:59 +0200 | [diff] [blame] | 1406 | return x509parse_crt_der( chain, buf, buflen ); |
| 1407 | |
Paul Bakker | 6c0ceb3 | 2011-12-04 12:24:18 +0000 | [diff] [blame] | 1408 | #if defined(POLARSSL_PEM_C) |
| 1409 | if( buf_format == X509_FORMAT_PEM ) |
| 1410 | { |
| 1411 | pem_context pem; |
| 1412 | |
| 1413 | while( buflen > 0 ) |
| 1414 | { |
| 1415 | size_t use_len; |
| 1416 | pem_init( &pem ); |
| 1417 | |
| 1418 | ret = pem_read_buffer( &pem, |
| 1419 | "-----BEGIN CERTIFICATE-----", |
| 1420 | "-----END CERTIFICATE-----", |
| 1421 | buf, NULL, 0, &use_len ); |
| 1422 | |
| 1423 | if( ret == 0 ) |
| 1424 | { |
| 1425 | /* |
| 1426 | * Was PEM encoded |
| 1427 | */ |
| 1428 | buflen -= use_len; |
| 1429 | buf += use_len; |
| 1430 | } |
Paul Bakker | 5ed3b34 | 2013-06-24 19:05:46 +0200 | [diff] [blame] | 1431 | else if( ret == POLARSSL_ERR_PEM_BAD_INPUT_DATA ) |
| 1432 | { |
| 1433 | return( ret ); |
| 1434 | } |
Paul Bakker | 00b2860 | 2013-06-24 13:02:41 +0200 | [diff] [blame] | 1435 | else if( ret != POLARSSL_ERR_PEM_NO_HEADER_FOOTER_PRESENT ) |
Paul Bakker | 6c0ceb3 | 2011-12-04 12:24:18 +0000 | [diff] [blame] | 1436 | { |
| 1437 | pem_free( &pem ); |
| 1438 | |
Paul Bakker | 5ed3b34 | 2013-06-24 19:05:46 +0200 | [diff] [blame] | 1439 | /* |
| 1440 | * PEM header and footer were found |
| 1441 | */ |
| 1442 | buflen -= use_len; |
| 1443 | buf += use_len; |
| 1444 | |
Paul Bakker | 6c0ceb3 | 2011-12-04 12:24:18 +0000 | [diff] [blame] | 1445 | if( first_error == 0 ) |
| 1446 | first_error = ret; |
| 1447 | |
| 1448 | continue; |
| 1449 | } |
| 1450 | else |
| 1451 | break; |
| 1452 | |
Paul Bakker | 42c6581 | 2013-06-24 19:21:59 +0200 | [diff] [blame] | 1453 | ret = x509parse_crt_der( chain, pem.buf, pem.buflen ); |
Paul Bakker | 6c0ceb3 | 2011-12-04 12:24:18 +0000 | [diff] [blame] | 1454 | |
| 1455 | pem_free( &pem ); |
| 1456 | |
| 1457 | if( ret != 0 ) |
| 1458 | { |
| 1459 | /* |
Paul Bakker | 42c6581 | 2013-06-24 19:21:59 +0200 | [diff] [blame] | 1460 | * Quit parsing on a memory error |
Paul Bakker | 6c0ceb3 | 2011-12-04 12:24:18 +0000 | [diff] [blame] | 1461 | */ |
Paul Bakker | 69e095c | 2011-12-10 21:55:01 +0000 | [diff] [blame] | 1462 | if( ret == POLARSSL_ERR_X509_MALLOC_FAILED ) |
Paul Bakker | 6c0ceb3 | 2011-12-04 12:24:18 +0000 | [diff] [blame] | 1463 | return( ret ); |
Paul Bakker | 6c0ceb3 | 2011-12-04 12:24:18 +0000 | [diff] [blame] | 1464 | |
| 1465 | if( first_error == 0 ) |
| 1466 | first_error = ret; |
| 1467 | |
Paul Bakker | 42c6581 | 2013-06-24 19:21:59 +0200 | [diff] [blame] | 1468 | total_failed++; |
Paul Bakker | 6c0ceb3 | 2011-12-04 12:24:18 +0000 | [diff] [blame] | 1469 | continue; |
| 1470 | } |
| 1471 | |
| 1472 | success = 1; |
Paul Bakker | 6c0ceb3 | 2011-12-04 12:24:18 +0000 | [diff] [blame] | 1473 | } |
| 1474 | } |
| 1475 | #endif |
| 1476 | |
Paul Bakker | 6c0ceb3 | 2011-12-04 12:24:18 +0000 | [diff] [blame] | 1477 | if( success ) |
Paul Bakker | 69e095c | 2011-12-10 21:55:01 +0000 | [diff] [blame] | 1478 | return( total_failed ); |
Paul Bakker | 6c0ceb3 | 2011-12-04 12:24:18 +0000 | [diff] [blame] | 1479 | else if( first_error ) |
| 1480 | return( first_error ); |
| 1481 | else |
| 1482 | return( POLARSSL_ERR_X509_CERT_UNKNOWN_FORMAT ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1483 | } |
| 1484 | |
| 1485 | /* |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1486 | * Parse one or more CRLs and add them to the chained list |
| 1487 | */ |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 1488 | int x509parse_crl( x509_crl *chain, const unsigned char *buf, size_t buflen ) |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1489 | { |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 1490 | int ret; |
Paul Bakker | 5690efc | 2011-05-26 13:16:06 +0000 | [diff] [blame] | 1491 | size_t len; |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1492 | unsigned char *p, *end; |
| 1493 | x509_crl *crl; |
Paul Bakker | 96743fc | 2011-02-12 14:30:57 +0000 | [diff] [blame] | 1494 | #if defined(POLARSSL_PEM_C) |
Paul Bakker | 5690efc | 2011-05-26 13:16:06 +0000 | [diff] [blame] | 1495 | size_t use_len; |
Paul Bakker | 96743fc | 2011-02-12 14:30:57 +0000 | [diff] [blame] | 1496 | pem_context pem; |
| 1497 | #endif |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1498 | |
| 1499 | crl = chain; |
| 1500 | |
| 1501 | /* |
| 1502 | * Check for valid input |
| 1503 | */ |
| 1504 | if( crl == NULL || buf == NULL ) |
Paul Bakker | 69e095c | 2011-12-10 21:55:01 +0000 | [diff] [blame] | 1505 | return( POLARSSL_ERR_X509_INVALID_INPUT ); |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1506 | |
| 1507 | while( crl->version != 0 && crl->next != NULL ) |
| 1508 | crl = crl->next; |
| 1509 | |
| 1510 | /* |
| 1511 | * Add new CRL on the end of the chain if needed. |
| 1512 | */ |
| 1513 | if ( crl->version != 0 && crl->next == NULL) |
| 1514 | { |
Paul Bakker | 6e339b5 | 2013-07-03 13:37:05 +0200 | [diff] [blame] | 1515 | crl->next = (x509_crl *) polarssl_malloc( sizeof( x509_crl ) ); |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1516 | |
Paul Bakker | 7d06ad2 | 2009-05-02 15:53:56 +0000 | [diff] [blame] | 1517 | if( crl->next == NULL ) |
| 1518 | { |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1519 | x509_crl_free( crl ); |
Paul Bakker | 69e095c | 2011-12-10 21:55:01 +0000 | [diff] [blame] | 1520 | return( POLARSSL_ERR_X509_MALLOC_FAILED ); |
Paul Bakker | 7d06ad2 | 2009-05-02 15:53:56 +0000 | [diff] [blame] | 1521 | } |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1522 | |
Paul Bakker | 7d06ad2 | 2009-05-02 15:53:56 +0000 | [diff] [blame] | 1523 | crl = crl->next; |
| 1524 | memset( crl, 0, sizeof( x509_crl ) ); |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1525 | } |
| 1526 | |
Paul Bakker | 96743fc | 2011-02-12 14:30:57 +0000 | [diff] [blame] | 1527 | #if defined(POLARSSL_PEM_C) |
| 1528 | pem_init( &pem ); |
| 1529 | ret = pem_read_buffer( &pem, |
| 1530 | "-----BEGIN X509 CRL-----", |
| 1531 | "-----END X509 CRL-----", |
| 1532 | buf, NULL, 0, &use_len ); |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1533 | |
Paul Bakker | 96743fc | 2011-02-12 14:30:57 +0000 | [diff] [blame] | 1534 | if( ret == 0 ) |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1535 | { |
Paul Bakker | 96743fc | 2011-02-12 14:30:57 +0000 | [diff] [blame] | 1536 | /* |
| 1537 | * Was PEM encoded |
| 1538 | */ |
| 1539 | buflen -= use_len; |
| 1540 | buf += use_len; |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1541 | |
| 1542 | /* |
Paul Bakker | 96743fc | 2011-02-12 14:30:57 +0000 | [diff] [blame] | 1543 | * Steal PEM buffer |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1544 | */ |
Paul Bakker | 96743fc | 2011-02-12 14:30:57 +0000 | [diff] [blame] | 1545 | p = pem.buf; |
| 1546 | pem.buf = NULL; |
| 1547 | len = pem.buflen; |
| 1548 | pem_free( &pem ); |
| 1549 | } |
Paul Bakker | 00b2860 | 2013-06-24 13:02:41 +0200 | [diff] [blame] | 1550 | else if( ret != POLARSSL_ERR_PEM_NO_HEADER_FOOTER_PRESENT ) |
Paul Bakker | 96743fc | 2011-02-12 14:30:57 +0000 | [diff] [blame] | 1551 | { |
| 1552 | pem_free( &pem ); |
| 1553 | return( ret ); |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1554 | } |
| 1555 | else |
| 1556 | { |
| 1557 | /* |
| 1558 | * nope, copy the raw DER data |
| 1559 | */ |
Paul Bakker | 6e339b5 | 2013-07-03 13:37:05 +0200 | [diff] [blame] | 1560 | p = (unsigned char *) polarssl_malloc( len = buflen ); |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1561 | |
| 1562 | if( p == NULL ) |
Paul Bakker | 69e095c | 2011-12-10 21:55:01 +0000 | [diff] [blame] | 1563 | return( POLARSSL_ERR_X509_MALLOC_FAILED ); |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1564 | |
| 1565 | memcpy( p, buf, buflen ); |
| 1566 | |
| 1567 | buflen = 0; |
| 1568 | } |
Paul Bakker | 96743fc | 2011-02-12 14:30:57 +0000 | [diff] [blame] | 1569 | #else |
Paul Bakker | 6e339b5 | 2013-07-03 13:37:05 +0200 | [diff] [blame] | 1570 | p = (unsigned char *) polarssl_malloc( len = buflen ); |
Paul Bakker | 96743fc | 2011-02-12 14:30:57 +0000 | [diff] [blame] | 1571 | |
| 1572 | if( p == NULL ) |
Paul Bakker | 69e095c | 2011-12-10 21:55:01 +0000 | [diff] [blame] | 1573 | return( POLARSSL_ERR_X509_MALLOC_FAILED ); |
Paul Bakker | 96743fc | 2011-02-12 14:30:57 +0000 | [diff] [blame] | 1574 | |
| 1575 | memcpy( p, buf, buflen ); |
| 1576 | |
| 1577 | buflen = 0; |
| 1578 | #endif |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1579 | |
| 1580 | crl->raw.p = p; |
| 1581 | crl->raw.len = len; |
| 1582 | end = p + len; |
| 1583 | |
| 1584 | /* |
| 1585 | * CertificateList ::= SEQUENCE { |
| 1586 | * tbsCertList TBSCertList, |
| 1587 | * signatureAlgorithm AlgorithmIdentifier, |
| 1588 | * signatureValue BIT STRING } |
| 1589 | */ |
| 1590 | if( ( ret = asn1_get_tag( &p, end, &len, |
| 1591 | ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 ) |
| 1592 | { |
| 1593 | x509_crl_free( crl ); |
| 1594 | return( POLARSSL_ERR_X509_CERT_INVALID_FORMAT ); |
| 1595 | } |
| 1596 | |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 1597 | if( len != (size_t) ( end - p ) ) |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1598 | { |
| 1599 | x509_crl_free( crl ); |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 1600 | return( POLARSSL_ERR_X509_CERT_INVALID_FORMAT + |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1601 | POLARSSL_ERR_ASN1_LENGTH_MISMATCH ); |
| 1602 | } |
| 1603 | |
| 1604 | /* |
| 1605 | * TBSCertList ::= SEQUENCE { |
| 1606 | */ |
| 1607 | crl->tbs.p = p; |
| 1608 | |
| 1609 | if( ( ret = asn1_get_tag( &p, end, &len, |
| 1610 | ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 ) |
| 1611 | { |
| 1612 | x509_crl_free( crl ); |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 1613 | return( POLARSSL_ERR_X509_CERT_INVALID_FORMAT + ret ); |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1614 | } |
| 1615 | |
| 1616 | end = p + len; |
| 1617 | crl->tbs.len = end - crl->tbs.p; |
| 1618 | |
| 1619 | /* |
| 1620 | * Version ::= INTEGER OPTIONAL { v1(0), v2(1) } |
| 1621 | * -- if present, MUST be v2 |
| 1622 | * |
| 1623 | * signature AlgorithmIdentifier |
| 1624 | */ |
Paul Bakker | 3329d1f | 2011-10-12 09:55:01 +0000 | [diff] [blame] | 1625 | if( ( ret = x509_crl_get_version( &p, end, &crl->version ) ) != 0 || |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1626 | ( ret = x509_get_alg( &p, end, &crl->sig_oid1 ) ) != 0 ) |
| 1627 | { |
| 1628 | x509_crl_free( crl ); |
| 1629 | return( ret ); |
| 1630 | } |
| 1631 | |
| 1632 | crl->version++; |
| 1633 | |
| 1634 | if( crl->version > 2 ) |
| 1635 | { |
| 1636 | x509_crl_free( crl ); |
| 1637 | return( POLARSSL_ERR_X509_CERT_UNKNOWN_VERSION ); |
| 1638 | } |
| 1639 | |
Paul Bakker | c70b982 | 2013-04-07 22:00:46 +0200 | [diff] [blame] | 1640 | if( ( ret = x509_get_sig_alg( &crl->sig_oid1, &crl->sig_md, |
| 1641 | &crl->sig_pk ) ) != 0 ) |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1642 | { |
| 1643 | x509_crl_free( crl ); |
| 1644 | return( POLARSSL_ERR_X509_CERT_UNKNOWN_SIG_ALG ); |
| 1645 | } |
| 1646 | |
| 1647 | /* |
| 1648 | * issuer Name |
| 1649 | */ |
| 1650 | crl->issuer_raw.p = p; |
| 1651 | |
| 1652 | if( ( ret = asn1_get_tag( &p, end, &len, |
| 1653 | ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 ) |
| 1654 | { |
| 1655 | x509_crl_free( crl ); |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 1656 | return( POLARSSL_ERR_X509_CERT_INVALID_FORMAT + ret ); |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1657 | } |
| 1658 | |
| 1659 | if( ( ret = x509_get_name( &p, p + len, &crl->issuer ) ) != 0 ) |
| 1660 | { |
| 1661 | x509_crl_free( crl ); |
| 1662 | return( ret ); |
| 1663 | } |
| 1664 | |
| 1665 | crl->issuer_raw.len = p - crl->issuer_raw.p; |
| 1666 | |
| 1667 | /* |
| 1668 | * thisUpdate Time |
| 1669 | * nextUpdate Time OPTIONAL |
| 1670 | */ |
Paul Bakker | 9120018 | 2010-02-18 21:26:15 +0000 | [diff] [blame] | 1671 | if( ( ret = x509_get_time( &p, end, &crl->this_update ) ) != 0 ) |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1672 | { |
| 1673 | x509_crl_free( crl ); |
| 1674 | return( ret ); |
| 1675 | } |
| 1676 | |
Paul Bakker | 9120018 | 2010-02-18 21:26:15 +0000 | [diff] [blame] | 1677 | if( ( ret = x509_get_time( &p, end, &crl->next_update ) ) != 0 ) |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1678 | { |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 1679 | if ( ret != ( POLARSSL_ERR_X509_CERT_INVALID_DATE + |
Paul Bakker | 9be1937 | 2009-07-27 20:21:53 +0000 | [diff] [blame] | 1680 | POLARSSL_ERR_ASN1_UNEXPECTED_TAG ) && |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 1681 | ret != ( POLARSSL_ERR_X509_CERT_INVALID_DATE + |
Paul Bakker | 9be1937 | 2009-07-27 20:21:53 +0000 | [diff] [blame] | 1682 | POLARSSL_ERR_ASN1_OUT_OF_DATA ) ) |
Paul Bakker | 635f4b4 | 2009-07-20 20:34:41 +0000 | [diff] [blame] | 1683 | { |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1684 | x509_crl_free( crl ); |
| 1685 | return( ret ); |
| 1686 | } |
| 1687 | } |
| 1688 | |
| 1689 | /* |
| 1690 | * revokedCertificates SEQUENCE OF SEQUENCE { |
| 1691 | * userCertificate CertificateSerialNumber, |
| 1692 | * revocationDate Time, |
| 1693 | * crlEntryExtensions Extensions OPTIONAL |
| 1694 | * -- if present, MUST be v2 |
| 1695 | * } OPTIONAL |
| 1696 | */ |
| 1697 | if( ( ret = x509_get_entries( &p, end, &crl->entry ) ) != 0 ) |
| 1698 | { |
| 1699 | x509_crl_free( crl ); |
| 1700 | return( ret ); |
| 1701 | } |
| 1702 | |
| 1703 | /* |
| 1704 | * crlExtensions EXPLICIT Extensions OPTIONAL |
| 1705 | * -- if present, MUST be v2 |
| 1706 | */ |
| 1707 | if( crl->version == 2 ) |
| 1708 | { |
| 1709 | ret = x509_get_crl_ext( &p, end, &crl->crl_ext ); |
| 1710 | |
| 1711 | if( ret != 0 ) |
| 1712 | { |
| 1713 | x509_crl_free( crl ); |
| 1714 | return( ret ); |
| 1715 | } |
| 1716 | } |
| 1717 | |
| 1718 | if( p != end ) |
| 1719 | { |
| 1720 | x509_crl_free( crl ); |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 1721 | return( POLARSSL_ERR_X509_CERT_INVALID_FORMAT + |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1722 | POLARSSL_ERR_ASN1_LENGTH_MISMATCH ); |
| 1723 | } |
| 1724 | |
| 1725 | end = crl->raw.p + crl->raw.len; |
| 1726 | |
| 1727 | /* |
| 1728 | * signatureAlgorithm AlgorithmIdentifier, |
| 1729 | * signatureValue BIT STRING |
| 1730 | */ |
| 1731 | if( ( ret = x509_get_alg( &p, end, &crl->sig_oid2 ) ) != 0 ) |
| 1732 | { |
| 1733 | x509_crl_free( crl ); |
| 1734 | return( ret ); |
| 1735 | } |
| 1736 | |
Paul Bakker | 535e97d | 2012-08-23 10:49:55 +0000 | [diff] [blame] | 1737 | if( crl->sig_oid1.len != crl->sig_oid2.len || |
| 1738 | memcmp( crl->sig_oid1.p, crl->sig_oid2.p, crl->sig_oid1.len ) != 0 ) |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1739 | { |
| 1740 | x509_crl_free( crl ); |
| 1741 | return( POLARSSL_ERR_X509_CERT_SIG_MISMATCH ); |
| 1742 | } |
| 1743 | |
| 1744 | if( ( ret = x509_get_sig( &p, end, &crl->sig ) ) != 0 ) |
| 1745 | { |
| 1746 | x509_crl_free( crl ); |
| 1747 | return( ret ); |
| 1748 | } |
| 1749 | |
| 1750 | if( p != end ) |
| 1751 | { |
| 1752 | x509_crl_free( crl ); |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 1753 | return( POLARSSL_ERR_X509_CERT_INVALID_FORMAT + |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1754 | POLARSSL_ERR_ASN1_LENGTH_MISMATCH ); |
| 1755 | } |
| 1756 | |
| 1757 | if( buflen > 0 ) |
| 1758 | { |
Paul Bakker | 6e339b5 | 2013-07-03 13:37:05 +0200 | [diff] [blame] | 1759 | crl->next = (x509_crl *) polarssl_malloc( sizeof( x509_crl ) ); |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1760 | |
Paul Bakker | 7d06ad2 | 2009-05-02 15:53:56 +0000 | [diff] [blame] | 1761 | if( crl->next == NULL ) |
| 1762 | { |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1763 | x509_crl_free( crl ); |
Paul Bakker | 69e095c | 2011-12-10 21:55:01 +0000 | [diff] [blame] | 1764 | return( POLARSSL_ERR_X509_MALLOC_FAILED ); |
Paul Bakker | 7d06ad2 | 2009-05-02 15:53:56 +0000 | [diff] [blame] | 1765 | } |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1766 | |
Paul Bakker | 7d06ad2 | 2009-05-02 15:53:56 +0000 | [diff] [blame] | 1767 | crl = crl->next; |
| 1768 | memset( crl, 0, sizeof( x509_crl ) ); |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1769 | |
| 1770 | return( x509parse_crl( crl, buf, buflen ) ); |
| 1771 | } |
| 1772 | |
| 1773 | return( 0 ); |
| 1774 | } |
| 1775 | |
Paul Bakker | 335db3f | 2011-04-25 15:28:35 +0000 | [diff] [blame] | 1776 | #if defined(POLARSSL_FS_IO) |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1777 | /* |
Paul Bakker | 2b245eb | 2009-04-19 18:44:26 +0000 | [diff] [blame] | 1778 | * Load all data from a file into a given buffer. |
| 1779 | */ |
Paul Bakker | b6c5d2e | 2013-06-25 16:25:17 +0200 | [diff] [blame] | 1780 | static int load_file( const char *path, unsigned char **buf, size_t *n ) |
Paul Bakker | 2b245eb | 2009-04-19 18:44:26 +0000 | [diff] [blame] | 1781 | { |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1782 | FILE *f; |
Paul Bakker | 2b245eb | 2009-04-19 18:44:26 +0000 | [diff] [blame] | 1783 | |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1784 | if( ( f = fopen( path, "rb" ) ) == NULL ) |
Paul Bakker | 69e095c | 2011-12-10 21:55:01 +0000 | [diff] [blame] | 1785 | return( POLARSSL_ERR_X509_FILE_IO_ERROR ); |
Paul Bakker | 2b245eb | 2009-04-19 18:44:26 +0000 | [diff] [blame] | 1786 | |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1787 | fseek( f, 0, SEEK_END ); |
| 1788 | *n = (size_t) ftell( f ); |
| 1789 | fseek( f, 0, SEEK_SET ); |
Paul Bakker | 2b245eb | 2009-04-19 18:44:26 +0000 | [diff] [blame] | 1790 | |
Paul Bakker | 6e339b5 | 2013-07-03 13:37:05 +0200 | [diff] [blame] | 1791 | if( ( *buf = (unsigned char *) polarssl_malloc( *n + 1 ) ) == NULL ) |
Paul Bakker | f6a19bd | 2013-05-14 13:26:51 +0200 | [diff] [blame] | 1792 | { |
| 1793 | fclose( f ); |
Paul Bakker | 69e095c | 2011-12-10 21:55:01 +0000 | [diff] [blame] | 1794 | return( POLARSSL_ERR_X509_MALLOC_FAILED ); |
Paul Bakker | f6a19bd | 2013-05-14 13:26:51 +0200 | [diff] [blame] | 1795 | } |
Paul Bakker | 2b245eb | 2009-04-19 18:44:26 +0000 | [diff] [blame] | 1796 | |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1797 | if( fread( *buf, 1, *n, f ) != *n ) |
| 1798 | { |
| 1799 | fclose( f ); |
Paul Bakker | 6e339b5 | 2013-07-03 13:37:05 +0200 | [diff] [blame] | 1800 | polarssl_free( *buf ); |
Paul Bakker | 69e095c | 2011-12-10 21:55:01 +0000 | [diff] [blame] | 1801 | return( POLARSSL_ERR_X509_FILE_IO_ERROR ); |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1802 | } |
Paul Bakker | 2b245eb | 2009-04-19 18:44:26 +0000 | [diff] [blame] | 1803 | |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1804 | fclose( f ); |
Paul Bakker | 2b245eb | 2009-04-19 18:44:26 +0000 | [diff] [blame] | 1805 | |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1806 | (*buf)[*n] = '\0'; |
Paul Bakker | 2b245eb | 2009-04-19 18:44:26 +0000 | [diff] [blame] | 1807 | |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1808 | return( 0 ); |
Paul Bakker | 2b245eb | 2009-04-19 18:44:26 +0000 | [diff] [blame] | 1809 | } |
| 1810 | |
| 1811 | /* |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1812 | * Load one or more certificates and add them to the chained list |
| 1813 | */ |
Paul Bakker | 69e095c | 2011-12-10 21:55:01 +0000 | [diff] [blame] | 1814 | int x509parse_crtfile( x509_cert *chain, const char *path ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1815 | { |
| 1816 | int ret; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1817 | size_t n; |
| 1818 | unsigned char *buf; |
| 1819 | |
Manuel Pégourié-Gonnard | 4250a1f | 2013-06-27 13:00:00 +0200 | [diff] [blame] | 1820 | if ( ( ret = load_file( path, &buf, &n ) ) != 0 ) |
Paul Bakker | 69e095c | 2011-12-10 21:55:01 +0000 | [diff] [blame] | 1821 | return( ret ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1822 | |
Paul Bakker | 69e095c | 2011-12-10 21:55:01 +0000 | [diff] [blame] | 1823 | ret = x509parse_crt( chain, buf, n ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1824 | |
| 1825 | memset( buf, 0, n + 1 ); |
Paul Bakker | 6e339b5 | 2013-07-03 13:37:05 +0200 | [diff] [blame] | 1826 | polarssl_free( buf ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1827 | |
| 1828 | return( ret ); |
| 1829 | } |
| 1830 | |
Paul Bakker | 8d91458 | 2012-06-04 12:46:42 +0000 | [diff] [blame] | 1831 | int x509parse_crtpath( x509_cert *chain, const char *path ) |
| 1832 | { |
| 1833 | int ret = 0; |
| 1834 | #if defined(_WIN32) |
Paul Bakker | 3338b79 | 2012-10-01 21:13:10 +0000 | [diff] [blame] | 1835 | int w_ret; |
| 1836 | WCHAR szDir[MAX_PATH]; |
| 1837 | char filename[MAX_PATH]; |
| 1838 | char *p; |
Paul Bakker | 4a2bd0d | 2012-11-02 11:06:08 +0000 | [diff] [blame] | 1839 | int len = strlen( path ); |
Paul Bakker | 3338b79 | 2012-10-01 21:13:10 +0000 | [diff] [blame] | 1840 | |
Paul Bakker | 97872ac | 2012-11-02 12:53:26 +0000 | [diff] [blame] | 1841 | WIN32_FIND_DATAW file_data; |
Paul Bakker | 8d91458 | 2012-06-04 12:46:42 +0000 | [diff] [blame] | 1842 | HANDLE hFind; |
Paul Bakker | 4a2bd0d | 2012-11-02 11:06:08 +0000 | [diff] [blame] | 1843 | |
| 1844 | if( len > MAX_PATH - 3 ) |
| 1845 | return( POLARSSL_ERR_X509_INVALID_INPUT ); |
Paul Bakker | 8d91458 | 2012-06-04 12:46:42 +0000 | [diff] [blame] | 1846 | |
Paul Bakker | 3338b79 | 2012-10-01 21:13:10 +0000 | [diff] [blame] | 1847 | memset( szDir, 0, sizeof(szDir) ); |
| 1848 | memset( filename, 0, MAX_PATH ); |
Paul Bakker | 4a2bd0d | 2012-11-02 11:06:08 +0000 | [diff] [blame] | 1849 | memcpy( filename, path, len ); |
| 1850 | filename[len++] = '\\'; |
| 1851 | p = filename + len; |
| 1852 | filename[len++] = '*'; |
Paul Bakker | 3338b79 | 2012-10-01 21:13:10 +0000 | [diff] [blame] | 1853 | |
Paul Bakker | 4a2bd0d | 2012-11-02 11:06:08 +0000 | [diff] [blame] | 1854 | w_ret = MultiByteToWideChar( CP_ACP, 0, path, len, szDir, MAX_PATH - 3 ); |
Paul Bakker | 8d91458 | 2012-06-04 12:46:42 +0000 | [diff] [blame] | 1855 | |
Paul Bakker | 97872ac | 2012-11-02 12:53:26 +0000 | [diff] [blame] | 1856 | hFind = FindFirstFileW( szDir, &file_data ); |
Paul Bakker | 8d91458 | 2012-06-04 12:46:42 +0000 | [diff] [blame] | 1857 | if (hFind == INVALID_HANDLE_VALUE) |
| 1858 | return( POLARSSL_ERR_X509_FILE_IO_ERROR ); |
| 1859 | |
Paul Bakker | 4a2bd0d | 2012-11-02 11:06:08 +0000 | [diff] [blame] | 1860 | len = MAX_PATH - len; |
Paul Bakker | 8d91458 | 2012-06-04 12:46:42 +0000 | [diff] [blame] | 1861 | do |
| 1862 | { |
Paul Bakker | 4a2bd0d | 2012-11-02 11:06:08 +0000 | [diff] [blame] | 1863 | memset( p, 0, len ); |
Paul Bakker | 3338b79 | 2012-10-01 21:13:10 +0000 | [diff] [blame] | 1864 | |
Paul Bakker | e4791f3 | 2012-06-04 21:29:15 +0000 | [diff] [blame] | 1865 | if( file_data.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY ) |
Paul Bakker | 8d91458 | 2012-06-04 12:46:42 +0000 | [diff] [blame] | 1866 | continue; |
| 1867 | |
Paul Bakker | 3338b79 | 2012-10-01 21:13:10 +0000 | [diff] [blame] | 1868 | w_ret = WideCharToMultiByte( CP_ACP, 0, file_data.cFileName, |
| 1869 | lstrlenW(file_data.cFileName), |
Paul Bakker | 4a2bd0d | 2012-11-02 11:06:08 +0000 | [diff] [blame] | 1870 | p, len - 1, |
| 1871 | NULL, NULL ); |
Paul Bakker | 8d91458 | 2012-06-04 12:46:42 +0000 | [diff] [blame] | 1872 | |
Paul Bakker | 3338b79 | 2012-10-01 21:13:10 +0000 | [diff] [blame] | 1873 | w_ret = x509parse_crtfile( chain, filename ); |
| 1874 | if( w_ret < 0 ) |
Paul Bakker | 2c8cdd2 | 2013-06-24 19:22:42 +0200 | [diff] [blame] | 1875 | ret++; |
| 1876 | else |
| 1877 | ret += w_ret; |
Paul Bakker | 8d91458 | 2012-06-04 12:46:42 +0000 | [diff] [blame] | 1878 | } |
Paul Bakker | 97872ac | 2012-11-02 12:53:26 +0000 | [diff] [blame] | 1879 | while( FindNextFileW( hFind, &file_data ) != 0 ); |
Paul Bakker | 8d91458 | 2012-06-04 12:46:42 +0000 | [diff] [blame] | 1880 | |
Paul Bakker | 4a2bd0d | 2012-11-02 11:06:08 +0000 | [diff] [blame] | 1881 | if (GetLastError() != ERROR_NO_MORE_FILES) |
| 1882 | ret = POLARSSL_ERR_X509_FILE_IO_ERROR; |
Paul Bakker | 8d91458 | 2012-06-04 12:46:42 +0000 | [diff] [blame] | 1883 | |
Paul Bakker | 4a2bd0d | 2012-11-02 11:06:08 +0000 | [diff] [blame] | 1884 | cleanup: |
Paul Bakker | 8d91458 | 2012-06-04 12:46:42 +0000 | [diff] [blame] | 1885 | FindClose( hFind ); |
| 1886 | #else |
Paul Bakker | 2c8cdd2 | 2013-06-24 19:22:42 +0200 | [diff] [blame] | 1887 | int t_ret, i; |
| 1888 | struct stat sb; |
| 1889 | struct dirent entry, *result = NULL; |
Paul Bakker | 8d91458 | 2012-06-04 12:46:42 +0000 | [diff] [blame] | 1890 | char entry_name[255]; |
| 1891 | DIR *dir = opendir( path ); |
| 1892 | |
| 1893 | if( dir == NULL) |
| 1894 | return( POLARSSL_ERR_X509_FILE_IO_ERROR ); |
| 1895 | |
Paul Bakker | 2c8cdd2 | 2013-06-24 19:22:42 +0200 | [diff] [blame] | 1896 | while( ( t_ret = readdir_r( dir, &entry, &result ) ) == 0 ) |
Paul Bakker | 8d91458 | 2012-06-04 12:46:42 +0000 | [diff] [blame] | 1897 | { |
Paul Bakker | 2c8cdd2 | 2013-06-24 19:22:42 +0200 | [diff] [blame] | 1898 | if( result == NULL ) |
| 1899 | break; |
| 1900 | |
| 1901 | snprintf( entry_name, sizeof(entry_name), "%s/%s", path, entry.d_name ); |
| 1902 | |
| 1903 | i = stat( entry_name, &sb ); |
| 1904 | |
| 1905 | if( i == -1 ) |
| 1906 | return( POLARSSL_ERR_X509_FILE_IO_ERROR ); |
| 1907 | |
| 1908 | if( !S_ISREG( sb.st_mode ) ) |
Paul Bakker | 8d91458 | 2012-06-04 12:46:42 +0000 | [diff] [blame] | 1909 | continue; |
| 1910 | |
Paul Bakker | 2c8cdd2 | 2013-06-24 19:22:42 +0200 | [diff] [blame] | 1911 | // Ignore parse errors |
| 1912 | // |
Paul Bakker | 8d91458 | 2012-06-04 12:46:42 +0000 | [diff] [blame] | 1913 | t_ret = x509parse_crtfile( chain, entry_name ); |
| 1914 | if( t_ret < 0 ) |
Paul Bakker | 2c8cdd2 | 2013-06-24 19:22:42 +0200 | [diff] [blame] | 1915 | ret++; |
| 1916 | else |
| 1917 | ret += t_ret; |
Paul Bakker | 8d91458 | 2012-06-04 12:46:42 +0000 | [diff] [blame] | 1918 | } |
| 1919 | closedir( dir ); |
| 1920 | #endif |
| 1921 | |
| 1922 | return( ret ); |
| 1923 | } |
| 1924 | |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1925 | /* |
| 1926 | * Load one or more CRLs and add them to the chained list |
| 1927 | */ |
Paul Bakker | ff60ee6 | 2010-03-16 21:09:09 +0000 | [diff] [blame] | 1928 | int x509parse_crlfile( x509_crl *chain, const char *path ) |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1929 | { |
| 1930 | int ret; |
| 1931 | size_t n; |
| 1932 | unsigned char *buf; |
| 1933 | |
Manuel Pégourié-Gonnard | 4250a1f | 2013-06-27 13:00:00 +0200 | [diff] [blame] | 1934 | if ( ( ret = load_file( path, &buf, &n ) ) != 0 ) |
Paul Bakker | 69e095c | 2011-12-10 21:55:01 +0000 | [diff] [blame] | 1935 | return( ret ); |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1936 | |
Paul Bakker | 27fdf46 | 2011-06-09 13:55:13 +0000 | [diff] [blame] | 1937 | ret = x509parse_crl( chain, buf, n ); |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1938 | |
| 1939 | memset( buf, 0, n + 1 ); |
Paul Bakker | 6e339b5 | 2013-07-03 13:37:05 +0200 | [diff] [blame] | 1940 | polarssl_free( buf ); |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 1941 | |
| 1942 | return( ret ); |
| 1943 | } |
| 1944 | |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 1945 | /* |
Paul Bakker | 335db3f | 2011-04-25 15:28:35 +0000 | [diff] [blame] | 1946 | * Load and parse a private RSA key |
| 1947 | */ |
Manuel Pégourié-Gonnard | ba4878a | 2013-06-27 10:51:01 +0200 | [diff] [blame] | 1948 | int x509parse_keyfile_rsa( rsa_context *rsa, const char *path, const char *pwd ) |
Paul Bakker | 335db3f | 2011-04-25 15:28:35 +0000 | [diff] [blame] | 1949 | { |
| 1950 | int ret; |
| 1951 | size_t n; |
| 1952 | unsigned char *buf; |
| 1953 | |
Manuel Pégourié-Gonnard | 4250a1f | 2013-06-27 13:00:00 +0200 | [diff] [blame] | 1954 | if ( ( ret = load_file( path, &buf, &n ) ) != 0 ) |
Paul Bakker | 69e095c | 2011-12-10 21:55:01 +0000 | [diff] [blame] | 1955 | return( ret ); |
Paul Bakker | 335db3f | 2011-04-25 15:28:35 +0000 | [diff] [blame] | 1956 | |
| 1957 | if( pwd == NULL ) |
Manuel Pégourié-Gonnard | ba4878a | 2013-06-27 10:51:01 +0200 | [diff] [blame] | 1958 | ret = x509parse_key_rsa( rsa, buf, n, NULL, 0 ); |
Paul Bakker | 335db3f | 2011-04-25 15:28:35 +0000 | [diff] [blame] | 1959 | else |
Manuel Pégourié-Gonnard | ba4878a | 2013-06-27 10:51:01 +0200 | [diff] [blame] | 1960 | ret = x509parse_key_rsa( rsa, buf, n, |
Paul Bakker | b6c5d2e | 2013-06-25 16:25:17 +0200 | [diff] [blame] | 1961 | (const unsigned char *) pwd, strlen( pwd ) ); |
Paul Bakker | 335db3f | 2011-04-25 15:28:35 +0000 | [diff] [blame] | 1962 | |
| 1963 | memset( buf, 0, n + 1 ); |
Paul Bakker | 6e339b5 | 2013-07-03 13:37:05 +0200 | [diff] [blame] | 1964 | polarssl_free( buf ); |
Paul Bakker | 335db3f | 2011-04-25 15:28:35 +0000 | [diff] [blame] | 1965 | |
| 1966 | return( ret ); |
| 1967 | } |
| 1968 | |
| 1969 | /* |
| 1970 | * Load and parse a public RSA key |
| 1971 | */ |
Manuel Pégourié-Gonnard | ba4878a | 2013-06-27 10:51:01 +0200 | [diff] [blame] | 1972 | int x509parse_public_keyfile_rsa( rsa_context *rsa, const char *path ) |
Paul Bakker | 335db3f | 2011-04-25 15:28:35 +0000 | [diff] [blame] | 1973 | { |
| 1974 | int ret; |
| 1975 | size_t n; |
| 1976 | unsigned char *buf; |
| 1977 | |
Manuel Pégourié-Gonnard | 4250a1f | 2013-06-27 13:00:00 +0200 | [diff] [blame] | 1978 | if ( ( ret = load_file( path, &buf, &n ) ) != 0 ) |
Paul Bakker | 69e095c | 2011-12-10 21:55:01 +0000 | [diff] [blame] | 1979 | return( ret ); |
Paul Bakker | 335db3f | 2011-04-25 15:28:35 +0000 | [diff] [blame] | 1980 | |
Manuel Pégourié-Gonnard | ba4878a | 2013-06-27 10:51:01 +0200 | [diff] [blame] | 1981 | ret = x509parse_public_key_rsa( rsa, buf, n ); |
Paul Bakker | 335db3f | 2011-04-25 15:28:35 +0000 | [diff] [blame] | 1982 | |
| 1983 | memset( buf, 0, n + 1 ); |
Paul Bakker | 6e339b5 | 2013-07-03 13:37:05 +0200 | [diff] [blame] | 1984 | polarssl_free( buf ); |
Paul Bakker | 335db3f | 2011-04-25 15:28:35 +0000 | [diff] [blame] | 1985 | |
| 1986 | return( ret ); |
| 1987 | } |
Manuel Pégourié-Gonnard | 26833c2 | 2013-06-27 11:27:58 +0200 | [diff] [blame^] | 1988 | |
| 1989 | #if defined(POLARSSL_ECP_C) |
| 1990 | /* |
| 1991 | * Load and parse a private EC key |
| 1992 | */ |
| 1993 | int x509parse_keyfile_ec( ecp_keypair *eckey, |
| 1994 | const char *path, const char *pwd ) |
| 1995 | { |
| 1996 | int ret; |
| 1997 | size_t n; |
| 1998 | unsigned char *buf; |
| 1999 | |
| 2000 | if ( (ret = load_file( path, &buf, &n ) ) != 0 ) |
| 2001 | return( ret ); |
| 2002 | |
| 2003 | if( pwd == NULL ) |
| 2004 | ret = x509parse_key_ec( eckey, buf, n, NULL, 0 ); |
| 2005 | else |
| 2006 | ret = x509parse_key_ec( eckey, buf, n, |
| 2007 | (const unsigned char *) pwd, strlen( pwd ) ); |
| 2008 | |
| 2009 | memset( buf, 0, n + 1 ); |
| 2010 | free( buf ); |
| 2011 | |
| 2012 | return( ret ); |
| 2013 | } |
| 2014 | |
| 2015 | /* |
| 2016 | * Load and parse a public EC key |
| 2017 | */ |
| 2018 | int x509parse_public_keyfile_ec( ecp_keypair *eckey, const char *path ) |
| 2019 | { |
| 2020 | int ret; |
| 2021 | size_t n; |
| 2022 | unsigned char *buf; |
| 2023 | |
| 2024 | if ( (ret = load_file( path, &buf, &n ) ) != 0 ) |
| 2025 | return( ret ); |
| 2026 | |
| 2027 | ret = x509parse_public_key_ec( eckey, buf, n ); |
| 2028 | |
| 2029 | memset( buf, 0, n + 1 ); |
| 2030 | free( buf ); |
| 2031 | |
| 2032 | return( ret ); |
| 2033 | } |
| 2034 | #endif /* defined(POLARSSL_ECP_C) */ |
Paul Bakker | 335db3f | 2011-04-25 15:28:35 +0000 | [diff] [blame] | 2035 | #endif /* POLARSSL_FS_IO */ |
| 2036 | |
| 2037 | /* |
Paul Bakker | e2f5040 | 2013-06-24 19:00:59 +0200 | [diff] [blame] | 2038 | * Parse a PKCS#1 encoded private RSA key |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2039 | */ |
Paul Bakker | e2f5040 | 2013-06-24 19:00:59 +0200 | [diff] [blame] | 2040 | static int x509parse_key_pkcs1_der( rsa_context *rsa, |
| 2041 | const unsigned char *key, |
| 2042 | size_t keylen ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2043 | { |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 2044 | int ret; |
| 2045 | size_t len; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2046 | unsigned char *p, *end; |
Paul Bakker | ed56b22 | 2011-07-13 11:26:43 +0000 | [diff] [blame] | 2047 | |
Paul Bakker | 96743fc | 2011-02-12 14:30:57 +0000 | [diff] [blame] | 2048 | p = (unsigned char *) key; |
Paul Bakker | 96743fc | 2011-02-12 14:30:57 +0000 | [diff] [blame] | 2049 | end = p + keylen; |
| 2050 | |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2051 | /* |
Paul Bakker | e2f5040 | 2013-06-24 19:00:59 +0200 | [diff] [blame] | 2052 | * This function parses the RSAPrivateKey (PKCS#1) |
Paul Bakker | ed56b22 | 2011-07-13 11:26:43 +0000 | [diff] [blame] | 2053 | * |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2054 | * RSAPrivateKey ::= SEQUENCE { |
| 2055 | * version Version, |
| 2056 | * modulus INTEGER, -- n |
| 2057 | * publicExponent INTEGER, -- e |
| 2058 | * privateExponent INTEGER, -- d |
| 2059 | * prime1 INTEGER, -- p |
| 2060 | * prime2 INTEGER, -- q |
| 2061 | * exponent1 INTEGER, -- d mod (p-1) |
| 2062 | * exponent2 INTEGER, -- d mod (q-1) |
| 2063 | * coefficient INTEGER, -- (inverse of q) mod p |
| 2064 | * otherPrimeInfos OtherPrimeInfos OPTIONAL |
| 2065 | * } |
| 2066 | */ |
| 2067 | if( ( ret = asn1_get_tag( &p, end, &len, |
| 2068 | ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 ) |
| 2069 | { |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 2070 | return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT + ret ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2071 | } |
| 2072 | |
| 2073 | end = p + len; |
| 2074 | |
| 2075 | if( ( ret = asn1_get_int( &p, end, &rsa->ver ) ) != 0 ) |
| 2076 | { |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 2077 | return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT + ret ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2078 | } |
| 2079 | |
| 2080 | if( rsa->ver != 0 ) |
| 2081 | { |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 2082 | return( POLARSSL_ERR_X509_KEY_INVALID_VERSION + ret ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2083 | } |
| 2084 | |
| 2085 | if( ( ret = asn1_get_mpi( &p, end, &rsa->N ) ) != 0 || |
| 2086 | ( ret = asn1_get_mpi( &p, end, &rsa->E ) ) != 0 || |
| 2087 | ( ret = asn1_get_mpi( &p, end, &rsa->D ) ) != 0 || |
| 2088 | ( ret = asn1_get_mpi( &p, end, &rsa->P ) ) != 0 || |
| 2089 | ( ret = asn1_get_mpi( &p, end, &rsa->Q ) ) != 0 || |
| 2090 | ( ret = asn1_get_mpi( &p, end, &rsa->DP ) ) != 0 || |
| 2091 | ( ret = asn1_get_mpi( &p, end, &rsa->DQ ) ) != 0 || |
| 2092 | ( ret = asn1_get_mpi( &p, end, &rsa->QP ) ) != 0 ) |
| 2093 | { |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2094 | rsa_free( rsa ); |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 2095 | return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT + ret ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2096 | } |
| 2097 | |
| 2098 | rsa->len = mpi_size( &rsa->N ); |
| 2099 | |
| 2100 | if( p != end ) |
| 2101 | { |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2102 | rsa_free( rsa ); |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 2103 | return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT + |
Paul Bakker | 40e4694 | 2009-01-03 21:51:57 +0000 | [diff] [blame] | 2104 | POLARSSL_ERR_ASN1_LENGTH_MISMATCH ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2105 | } |
| 2106 | |
| 2107 | if( ( ret = rsa_check_privkey( rsa ) ) != 0 ) |
| 2108 | { |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2109 | rsa_free( rsa ); |
| 2110 | return( ret ); |
| 2111 | } |
| 2112 | |
Paul Bakker | e2f5040 | 2013-06-24 19:00:59 +0200 | [diff] [blame] | 2113 | return( 0 ); |
| 2114 | } |
| 2115 | |
| 2116 | /* |
| 2117 | * Parse an unencrypted PKCS#8 encoded private RSA key |
| 2118 | */ |
| 2119 | static int x509parse_key_pkcs8_unencrypted_der( |
| 2120 | rsa_context *rsa, |
| 2121 | const unsigned char *key, |
| 2122 | size_t keylen ) |
| 2123 | { |
| 2124 | int ret; |
| 2125 | size_t len; |
| 2126 | unsigned char *p, *end; |
| 2127 | x509_buf pk_alg_oid; |
| 2128 | pk_type_t pk_alg = POLARSSL_PK_NONE; |
| 2129 | |
| 2130 | p = (unsigned char *) key; |
| 2131 | end = p + keylen; |
| 2132 | |
| 2133 | /* |
| 2134 | * This function parses the PrivatKeyInfo object (PKCS#8) |
| 2135 | * |
| 2136 | * PrivateKeyInfo ::= SEQUENCE { |
| 2137 | * version Version, |
| 2138 | * algorithm AlgorithmIdentifier, |
| 2139 | * PrivateKey BIT STRING |
| 2140 | * } |
| 2141 | * |
| 2142 | * AlgorithmIdentifier ::= SEQUENCE { |
| 2143 | * algorithm OBJECT IDENTIFIER, |
| 2144 | * parameters ANY DEFINED BY algorithm OPTIONAL |
| 2145 | * } |
| 2146 | * |
| 2147 | * The PrivateKey BIT STRING is a PKCS#1 RSAPrivateKey |
| 2148 | */ |
| 2149 | if( ( ret = asn1_get_tag( &p, end, &len, |
| 2150 | ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 ) |
| 2151 | { |
| 2152 | return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT + ret ); |
| 2153 | } |
| 2154 | |
| 2155 | end = p + len; |
| 2156 | |
| 2157 | if( ( ret = asn1_get_int( &p, end, &rsa->ver ) ) != 0 ) |
| 2158 | return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT + ret ); |
| 2159 | |
| 2160 | if( rsa->ver != 0 ) |
| 2161 | return( POLARSSL_ERR_X509_KEY_INVALID_VERSION + ret ); |
| 2162 | |
Paul Bakker | f8d018a | 2013-06-29 12:16:17 +0200 | [diff] [blame] | 2163 | if( ( ret = asn1_get_alg_null( &p, end, &pk_alg_oid ) ) != 0 ) |
Paul Bakker | e2f5040 | 2013-06-24 19:00:59 +0200 | [diff] [blame] | 2164 | return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT + ret ); |
| 2165 | |
| 2166 | /* |
| 2167 | * only RSA keys handled at this time |
| 2168 | */ |
| 2169 | if( oid_get_pk_alg( &pk_alg_oid, &pk_alg ) != 0 ) |
| 2170 | return( POLARSSL_ERR_X509_UNKNOWN_PK_ALG ); |
| 2171 | |
| 2172 | /* |
| 2173 | * Get the OCTET STRING and parse the PKCS#1 format inside |
| 2174 | */ |
| 2175 | if( ( ret = asn1_get_tag( &p, end, &len, ASN1_OCTET_STRING ) ) != 0 ) |
| 2176 | return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT + ret ); |
| 2177 | |
| 2178 | if( ( end - p ) < 1 ) |
| 2179 | { |
| 2180 | return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT + |
| 2181 | POLARSSL_ERR_ASN1_OUT_OF_DATA ); |
| 2182 | } |
| 2183 | |
| 2184 | end = p + len; |
| 2185 | |
| 2186 | if( ( ret = x509parse_key_pkcs1_der( rsa, p, end - p ) ) != 0 ) |
| 2187 | return( ret ); |
| 2188 | |
| 2189 | return( 0 ); |
| 2190 | } |
| 2191 | |
| 2192 | /* |
Paul Bakker | bda7cb7 | 2013-06-24 19:34:25 +0200 | [diff] [blame] | 2193 | * Parse an encrypted PKCS#8 encoded private RSA key |
Paul Bakker | f1f21fe | 2013-06-24 19:17:19 +0200 | [diff] [blame] | 2194 | */ |
| 2195 | static int x509parse_key_pkcs8_encrypted_der( |
| 2196 | rsa_context *rsa, |
| 2197 | const unsigned char *key, |
| 2198 | size_t keylen, |
| 2199 | const unsigned char *pwd, |
| 2200 | size_t pwdlen ) |
| 2201 | { |
| 2202 | int ret; |
| 2203 | size_t len; |
Paul Bakker | f8d018a | 2013-06-29 12:16:17 +0200 | [diff] [blame] | 2204 | unsigned char *p, *end; |
Paul Bakker | f1f21fe | 2013-06-24 19:17:19 +0200 | [diff] [blame] | 2205 | x509_buf pbe_alg_oid, pbe_params; |
| 2206 | unsigned char buf[2048]; |
Paul Bakker | 7749a22 | 2013-06-28 17:28:20 +0200 | [diff] [blame] | 2207 | #if defined(POLARSSL_PKCS12_C) |
| 2208 | cipher_type_t cipher_alg; |
| 2209 | md_type_t md_alg; |
| 2210 | #endif |
Paul Bakker | f1f21fe | 2013-06-24 19:17:19 +0200 | [diff] [blame] | 2211 | |
| 2212 | memset(buf, 0, 2048); |
| 2213 | |
| 2214 | p = (unsigned char *) key; |
| 2215 | end = p + keylen; |
| 2216 | |
Paul Bakker | 28144de | 2013-06-24 19:28:55 +0200 | [diff] [blame] | 2217 | if( pwdlen == 0 ) |
| 2218 | return( POLARSSL_ERR_X509_PASSWORD_REQUIRED ); |
| 2219 | |
Paul Bakker | f1f21fe | 2013-06-24 19:17:19 +0200 | [diff] [blame] | 2220 | /* |
| 2221 | * This function parses the EncryptedPrivatKeyInfo object (PKCS#8) |
| 2222 | * |
| 2223 | * EncryptedPrivateKeyInfo ::= SEQUENCE { |
| 2224 | * encryptionAlgorithm EncryptionAlgorithmIdentifier, |
| 2225 | * encryptedData EncryptedData |
| 2226 | * } |
| 2227 | * |
| 2228 | * EncryptionAlgorithmIdentifier ::= AlgorithmIdentifier |
| 2229 | * |
| 2230 | * EncryptedData ::= OCTET STRING |
| 2231 | * |
| 2232 | * The EncryptedData OCTET STRING is a PKCS#8 PrivateKeyInfo |
| 2233 | */ |
| 2234 | if( ( ret = asn1_get_tag( &p, end, &len, |
| 2235 | ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 ) |
| 2236 | { |
| 2237 | return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT + ret ); |
| 2238 | } |
| 2239 | |
| 2240 | end = p + len; |
| 2241 | |
Paul Bakker | f8d018a | 2013-06-29 12:16:17 +0200 | [diff] [blame] | 2242 | if( ( ret = asn1_get_alg( &p, end, &pbe_alg_oid, &pbe_params ) ) != 0 ) |
Paul Bakker | f1f21fe | 2013-06-24 19:17:19 +0200 | [diff] [blame] | 2243 | return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT + ret ); |
Paul Bakker | f1f21fe | 2013-06-24 19:17:19 +0200 | [diff] [blame] | 2244 | |
| 2245 | if( ( ret = asn1_get_tag( &p, end, &len, ASN1_OCTET_STRING ) ) != 0 ) |
| 2246 | return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT + ret ); |
| 2247 | |
| 2248 | // buf has been sized to 2048 bytes |
| 2249 | if( len > 2048 ) |
| 2250 | return( POLARSSL_ERR_X509_INVALID_INPUT ); |
| 2251 | |
| 2252 | /* |
| 2253 | * Decrypt EncryptedData with appropriate PDE |
| 2254 | */ |
Paul Bakker | 38b50d7 | 2013-06-24 19:33:27 +0200 | [diff] [blame] | 2255 | #if defined(POLARSSL_PKCS12_C) |
Paul Bakker | 7749a22 | 2013-06-28 17:28:20 +0200 | [diff] [blame] | 2256 | if( oid_get_pkcs12_pbe_alg( &pbe_alg_oid, &md_alg, &cipher_alg ) == 0 ) |
Paul Bakker | f1f21fe | 2013-06-24 19:17:19 +0200 | [diff] [blame] | 2257 | { |
Paul Bakker | 38b50d7 | 2013-06-24 19:33:27 +0200 | [diff] [blame] | 2258 | if( ( ret = pkcs12_pbe( &pbe_params, PKCS12_PBE_DECRYPT, |
Paul Bakker | 7749a22 | 2013-06-28 17:28:20 +0200 | [diff] [blame] | 2259 | cipher_alg, md_alg, |
Paul Bakker | 38b50d7 | 2013-06-24 19:33:27 +0200 | [diff] [blame] | 2260 | pwd, pwdlen, p, len, buf ) ) != 0 ) |
Paul Bakker | f1f21fe | 2013-06-24 19:17:19 +0200 | [diff] [blame] | 2261 | { |
Paul Bakker | 38b50d7 | 2013-06-24 19:33:27 +0200 | [diff] [blame] | 2262 | if( ret == POLARSSL_ERR_PKCS12_PASSWORD_MISMATCH ) |
| 2263 | return( POLARSSL_ERR_X509_PASSWORD_MISMATCH ); |
| 2264 | |
Paul Bakker | f1f21fe | 2013-06-24 19:17:19 +0200 | [diff] [blame] | 2265 | return( ret ); |
| 2266 | } |
| 2267 | } |
| 2268 | else if( OID_CMP( OID_PKCS12_PBE_SHA1_RC4_128, &pbe_alg_oid ) ) |
| 2269 | { |
| 2270 | if( ( ret = pkcs12_pbe_sha1_rc4_128( &pbe_params, |
| 2271 | PKCS12_PBE_DECRYPT, |
| 2272 | pwd, pwdlen, |
| 2273 | p, len, buf ) ) != 0 ) |
| 2274 | { |
| 2275 | return( ret ); |
| 2276 | } |
Paul Bakker | 38b50d7 | 2013-06-24 19:33:27 +0200 | [diff] [blame] | 2277 | |
| 2278 | // Best guess for password mismatch when using RC4. If first tag is |
| 2279 | // not ASN1_CONSTRUCTED | ASN1_SEQUENCE |
| 2280 | // |
| 2281 | if( *buf != ( ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) |
| 2282 | return( POLARSSL_ERR_X509_PASSWORD_MISMATCH ); |
Paul Bakker | f1f21fe | 2013-06-24 19:17:19 +0200 | [diff] [blame] | 2283 | } |
Paul Bakker | 38b50d7 | 2013-06-24 19:33:27 +0200 | [diff] [blame] | 2284 | else |
| 2285 | #endif /* POLARSSL_PKCS12_C */ |
Paul Bakker | 28144de | 2013-06-24 19:28:55 +0200 | [diff] [blame] | 2286 | #if defined(POLARSSL_PKCS5_C) |
Paul Bakker | 38b50d7 | 2013-06-24 19:33:27 +0200 | [diff] [blame] | 2287 | if( OID_CMP( OID_PKCS5_PBES2, &pbe_alg_oid ) ) |
Paul Bakker | 28144de | 2013-06-24 19:28:55 +0200 | [diff] [blame] | 2288 | { |
| 2289 | if( ( ret = pkcs5_pbes2( &pbe_params, PKCS5_DECRYPT, pwd, pwdlen, |
| 2290 | p, len, buf ) ) != 0 ) |
| 2291 | { |
| 2292 | if( ret == POLARSSL_ERR_PKCS5_PASSWORD_MISMATCH ) |
| 2293 | return( POLARSSL_ERR_X509_PASSWORD_MISMATCH ); |
| 2294 | |
| 2295 | return( ret ); |
| 2296 | } |
| 2297 | } |
Paul Bakker | f1f21fe | 2013-06-24 19:17:19 +0200 | [diff] [blame] | 2298 | else |
Paul Bakker | 38b50d7 | 2013-06-24 19:33:27 +0200 | [diff] [blame] | 2299 | #endif /* POLARSSL_PKCS5_C */ |
Paul Bakker | f1f21fe | 2013-06-24 19:17:19 +0200 | [diff] [blame] | 2300 | return( POLARSSL_ERR_X509_FEATURE_UNAVAILABLE ); |
| 2301 | |
| 2302 | return x509parse_key_pkcs8_unencrypted_der( rsa, buf, len ); |
| 2303 | } |
| 2304 | |
| 2305 | /* |
Paul Bakker | e2f5040 | 2013-06-24 19:00:59 +0200 | [diff] [blame] | 2306 | * Parse a private RSA key |
| 2307 | */ |
Manuel Pégourié-Gonnard | ba4878a | 2013-06-27 10:51:01 +0200 | [diff] [blame] | 2308 | int x509parse_key_rsa( rsa_context *rsa, |
| 2309 | const unsigned char *key, size_t keylen, |
| 2310 | const unsigned char *pwd, size_t pwdlen ) |
Paul Bakker | e2f5040 | 2013-06-24 19:00:59 +0200 | [diff] [blame] | 2311 | { |
| 2312 | int ret; |
| 2313 | |
Paul Bakker | 96743fc | 2011-02-12 14:30:57 +0000 | [diff] [blame] | 2314 | #if defined(POLARSSL_PEM_C) |
Paul Bakker | e2f5040 | 2013-06-24 19:00:59 +0200 | [diff] [blame] | 2315 | size_t len; |
| 2316 | pem_context pem; |
| 2317 | |
| 2318 | pem_init( &pem ); |
| 2319 | ret = pem_read_buffer( &pem, |
| 2320 | "-----BEGIN RSA PRIVATE KEY-----", |
| 2321 | "-----END RSA PRIVATE KEY-----", |
| 2322 | key, pwd, pwdlen, &len ); |
| 2323 | if( ret == 0 ) |
| 2324 | { |
| 2325 | if( ( ret = x509parse_key_pkcs1_der( rsa, pem.buf, pem.buflen ) ) != 0 ) |
| 2326 | { |
| 2327 | rsa_free( rsa ); |
| 2328 | } |
| 2329 | |
| 2330 | pem_free( &pem ); |
| 2331 | return( ret ); |
| 2332 | } |
Paul Bakker | a4232a7 | 2013-06-24 19:32:25 +0200 | [diff] [blame] | 2333 | else if( ret == POLARSSL_ERR_PEM_PASSWORD_MISMATCH ) |
| 2334 | return( POLARSSL_ERR_X509_PASSWORD_MISMATCH ); |
| 2335 | else if( ret == POLARSSL_ERR_PEM_PASSWORD_REQUIRED ) |
| 2336 | return( POLARSSL_ERR_X509_PASSWORD_REQUIRED ); |
Paul Bakker | e2f5040 | 2013-06-24 19:00:59 +0200 | [diff] [blame] | 2337 | else if( ret != POLARSSL_ERR_PEM_NO_HEADER_FOOTER_PRESENT ) |
Paul Bakker | e2f5040 | 2013-06-24 19:00:59 +0200 | [diff] [blame] | 2338 | return( ret ); |
Paul Bakker | e2f5040 | 2013-06-24 19:00:59 +0200 | [diff] [blame] | 2339 | |
| 2340 | ret = pem_read_buffer( &pem, |
| 2341 | "-----BEGIN PRIVATE KEY-----", |
| 2342 | "-----END PRIVATE KEY-----", |
| 2343 | key, NULL, 0, &len ); |
| 2344 | if( ret == 0 ) |
| 2345 | { |
| 2346 | if( ( ret = x509parse_key_pkcs8_unencrypted_der( rsa, |
| 2347 | pem.buf, pem.buflen ) ) != 0 ) |
| 2348 | { |
| 2349 | rsa_free( rsa ); |
| 2350 | } |
| 2351 | |
| 2352 | pem_free( &pem ); |
| 2353 | return( ret ); |
| 2354 | } |
| 2355 | else if( ret != POLARSSL_ERR_PEM_NO_HEADER_FOOTER_PRESENT ) |
Paul Bakker | e2f5040 | 2013-06-24 19:00:59 +0200 | [diff] [blame] | 2356 | return( ret ); |
Paul Bakker | e2f5040 | 2013-06-24 19:00:59 +0200 | [diff] [blame] | 2357 | |
Paul Bakker | f1f21fe | 2013-06-24 19:17:19 +0200 | [diff] [blame] | 2358 | ret = pem_read_buffer( &pem, |
| 2359 | "-----BEGIN ENCRYPTED PRIVATE KEY-----", |
| 2360 | "-----END ENCRYPTED PRIVATE KEY-----", |
| 2361 | key, NULL, 0, &len ); |
| 2362 | if( ret == 0 ) |
| 2363 | { |
| 2364 | if( ( ret = x509parse_key_pkcs8_encrypted_der( rsa, |
| 2365 | pem.buf, pem.buflen, |
| 2366 | pwd, pwdlen ) ) != 0 ) |
| 2367 | { |
| 2368 | rsa_free( rsa ); |
| 2369 | } |
| 2370 | |
| 2371 | pem_free( &pem ); |
| 2372 | return( ret ); |
| 2373 | } |
| 2374 | else if( ret != POLARSSL_ERR_PEM_NO_HEADER_FOOTER_PRESENT ) |
Paul Bakker | f1f21fe | 2013-06-24 19:17:19 +0200 | [diff] [blame] | 2375 | return( ret ); |
Paul Bakker | e2f5040 | 2013-06-24 19:00:59 +0200 | [diff] [blame] | 2376 | #else |
| 2377 | ((void) pwd); |
| 2378 | ((void) pwdlen); |
| 2379 | #endif /* POLARSSL_PEM_C */ |
| 2380 | |
| 2381 | // At this point we only know it's not a PEM formatted key. Could be any |
| 2382 | // of the known DER encoded private key formats |
| 2383 | // |
| 2384 | // We try the different DER format parsers to see if one passes without |
| 2385 | // error |
| 2386 | // |
Paul Bakker | f1f21fe | 2013-06-24 19:17:19 +0200 | [diff] [blame] | 2387 | if( ( ret = x509parse_key_pkcs8_encrypted_der( rsa, key, keylen, |
| 2388 | pwd, pwdlen ) ) == 0 ) |
Paul Bakker | e2f5040 | 2013-06-24 19:00:59 +0200 | [diff] [blame] | 2389 | { |
Paul Bakker | f1f21fe | 2013-06-24 19:17:19 +0200 | [diff] [blame] | 2390 | return( 0 ); |
Paul Bakker | e2f5040 | 2013-06-24 19:00:59 +0200 | [diff] [blame] | 2391 | } |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2392 | |
Paul Bakker | f1f21fe | 2013-06-24 19:17:19 +0200 | [diff] [blame] | 2393 | rsa_free( rsa ); |
Paul Bakker | 28144de | 2013-06-24 19:28:55 +0200 | [diff] [blame] | 2394 | |
| 2395 | if( ret == POLARSSL_ERR_X509_PASSWORD_MISMATCH ) |
| 2396 | { |
| 2397 | return( ret ); |
| 2398 | } |
| 2399 | |
Paul Bakker | f1f21fe | 2013-06-24 19:17:19 +0200 | [diff] [blame] | 2400 | if( ( ret = x509parse_key_pkcs8_unencrypted_der( rsa, key, keylen ) ) == 0 ) |
| 2401 | return( 0 ); |
| 2402 | |
| 2403 | rsa_free( rsa ); |
Paul Bakker | 28144de | 2013-06-24 19:28:55 +0200 | [diff] [blame] | 2404 | |
Paul Bakker | f1f21fe | 2013-06-24 19:17:19 +0200 | [diff] [blame] | 2405 | if( ( ret = x509parse_key_pkcs1_der( rsa, key, keylen ) ) == 0 ) |
| 2406 | return( 0 ); |
| 2407 | |
| 2408 | rsa_free( rsa ); |
Paul Bakker | 28144de | 2013-06-24 19:28:55 +0200 | [diff] [blame] | 2409 | |
Paul Bakker | f1f21fe | 2013-06-24 19:17:19 +0200 | [diff] [blame] | 2410 | return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2411 | } |
| 2412 | |
| 2413 | /* |
Paul Bakker | 53019ae | 2011-03-25 13:58:48 +0000 | [diff] [blame] | 2414 | * Parse a public RSA key |
| 2415 | */ |
Manuel Pégourié-Gonnard | ba4878a | 2013-06-27 10:51:01 +0200 | [diff] [blame] | 2416 | int x509parse_public_key_rsa( rsa_context *rsa, |
| 2417 | const unsigned char *key, size_t keylen ) |
Paul Bakker | 53019ae | 2011-03-25 13:58:48 +0000 | [diff] [blame] | 2418 | { |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 2419 | int ret; |
| 2420 | size_t len; |
Paul Bakker | 53019ae | 2011-03-25 13:58:48 +0000 | [diff] [blame] | 2421 | unsigned char *p, *end; |
| 2422 | x509_buf alg_oid; |
| 2423 | #if defined(POLARSSL_PEM_C) |
| 2424 | pem_context pem; |
| 2425 | |
| 2426 | pem_init( &pem ); |
| 2427 | ret = pem_read_buffer( &pem, |
| 2428 | "-----BEGIN PUBLIC KEY-----", |
| 2429 | "-----END PUBLIC KEY-----", |
| 2430 | key, NULL, 0, &len ); |
| 2431 | |
| 2432 | if( ret == 0 ) |
| 2433 | { |
| 2434 | /* |
| 2435 | * Was PEM encoded |
| 2436 | */ |
| 2437 | keylen = pem.buflen; |
| 2438 | } |
Paul Bakker | 00b2860 | 2013-06-24 13:02:41 +0200 | [diff] [blame] | 2439 | else if( ret != POLARSSL_ERR_PEM_NO_HEADER_FOOTER_PRESENT ) |
Paul Bakker | 53019ae | 2011-03-25 13:58:48 +0000 | [diff] [blame] | 2440 | { |
| 2441 | pem_free( &pem ); |
| 2442 | return( ret ); |
| 2443 | } |
| 2444 | |
| 2445 | p = ( ret == 0 ) ? pem.buf : (unsigned char *) key; |
| 2446 | #else |
| 2447 | p = (unsigned char *) key; |
| 2448 | #endif |
| 2449 | end = p + keylen; |
| 2450 | |
| 2451 | /* |
| 2452 | * PublicKeyInfo ::= SEQUENCE { |
| 2453 | * algorithm AlgorithmIdentifier, |
| 2454 | * PublicKey BIT STRING |
| 2455 | * } |
| 2456 | * |
| 2457 | * AlgorithmIdentifier ::= SEQUENCE { |
| 2458 | * algorithm OBJECT IDENTIFIER, |
| 2459 | * parameters ANY DEFINED BY algorithm OPTIONAL |
| 2460 | * } |
| 2461 | * |
| 2462 | * RSAPublicKey ::= SEQUENCE { |
| 2463 | * modulus INTEGER, -- n |
| 2464 | * publicExponent INTEGER -- e |
| 2465 | * } |
| 2466 | */ |
| 2467 | |
| 2468 | if( ( ret = asn1_get_tag( &p, end, &len, |
| 2469 | ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 ) |
| 2470 | { |
| 2471 | #if defined(POLARSSL_PEM_C) |
| 2472 | pem_free( &pem ); |
| 2473 | #endif |
| 2474 | rsa_free( rsa ); |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 2475 | return( POLARSSL_ERR_X509_CERT_INVALID_FORMAT + ret ); |
Paul Bakker | 53019ae | 2011-03-25 13:58:48 +0000 | [diff] [blame] | 2476 | } |
| 2477 | |
| 2478 | if( ( ret = x509_get_pubkey( &p, end, &alg_oid, &rsa->N, &rsa->E ) ) != 0 ) |
| 2479 | { |
| 2480 | #if defined(POLARSSL_PEM_C) |
| 2481 | pem_free( &pem ); |
| 2482 | #endif |
| 2483 | rsa_free( rsa ); |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 2484 | return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT + ret ); |
Paul Bakker | 53019ae | 2011-03-25 13:58:48 +0000 | [diff] [blame] | 2485 | } |
| 2486 | |
| 2487 | if( ( ret = rsa_check_pubkey( rsa ) ) != 0 ) |
| 2488 | { |
| 2489 | #if defined(POLARSSL_PEM_C) |
| 2490 | pem_free( &pem ); |
| 2491 | #endif |
| 2492 | rsa_free( rsa ); |
| 2493 | return( ret ); |
| 2494 | } |
| 2495 | |
| 2496 | rsa->len = mpi_size( &rsa->N ); |
| 2497 | |
| 2498 | #if defined(POLARSSL_PEM_C) |
| 2499 | pem_free( &pem ); |
| 2500 | #endif |
| 2501 | |
| 2502 | return( 0 ); |
| 2503 | } |
| 2504 | |
Manuel Pégourié-Gonnard | 26833c2 | 2013-06-27 11:27:58 +0200 | [diff] [blame^] | 2505 | #if defined(POLARSSL_ECP_C) |
| 2506 | /* |
| 2507 | * Parse a private EC key |
| 2508 | */ |
| 2509 | int x509parse_key_ec( ecp_keypair *eckey, |
| 2510 | const unsigned char *key, size_t keylen, |
| 2511 | const unsigned char *pwd, size_t pwdlen ) |
| 2512 | { |
| 2513 | int ret; |
| 2514 | |
| 2515 | #if defined(POLARSSL_PEM_C) |
| 2516 | size_t len; |
| 2517 | pem_context pem; |
| 2518 | |
| 2519 | pem_init( &pem ); |
| 2520 | /* TODO: get list of correct PEM headers */ |
| 2521 | ret = pem_read_buffer( &pem, |
| 2522 | "-----BEGIN EC PRIVATE KEY-----", |
| 2523 | "-----END EC PRIVATE KEY-----", |
| 2524 | key, pwd, pwdlen, &len ); |
| 2525 | if( ret == 0 ) |
| 2526 | { |
| 2527 | /* TODO: write der decoding function |
| 2528 | if( ( ret = x509parse_key_pkcs8_encrypted_der( eckey, |
| 2529 | pem.buf, pem.buflen, |
| 2530 | pwd, pwdlen ) ) != 0 ) |
| 2531 | { |
| 2532 | ecp_keypair_free( eckey ); |
| 2533 | } |
| 2534 | */ |
| 2535 | |
| 2536 | pem_free( &pem ); |
| 2537 | return( ret ); |
| 2538 | } |
| 2539 | else if( ret == POLARSSL_ERR_PEM_PASSWORD_MISMATCH ) |
| 2540 | return( POLARSSL_ERR_X509_PASSWORD_MISMATCH ); |
| 2541 | else if( ret == POLARSSL_ERR_PEM_PASSWORD_REQUIRED ) |
| 2542 | return( POLARSSL_ERR_X509_PASSWORD_REQUIRED ); |
| 2543 | else if( ret != POLARSSL_ERR_PEM_NO_HEADER_FOOTER_PRESENT ) |
| 2544 | return( ret ); |
| 2545 | |
| 2546 | /* TODO: now repeat with other valid PEM headers */ |
| 2547 | |
| 2548 | #else |
| 2549 | ((void) pwd); |
| 2550 | ((void) pwdlen); |
| 2551 | #endif /* POLARSSL_PEM_C */ |
| 2552 | |
| 2553 | ((void) keylen); |
| 2554 | /* TODO: write der decoding functions (encrypted, unencnrypted) |
| 2555 | if( ( ret = x509parse_key_pkcs8_encrypted_der( eckey, key, keylen, |
| 2556 | pwd, pwdlen ) ) == 0 ) |
| 2557 | { |
| 2558 | return( 0 ); |
| 2559 | } |
| 2560 | |
| 2561 | ecp_keypair_free( eckey ); |
| 2562 | |
| 2563 | if( ret == POLARSSL_ERR_X509_PASSWORD_MISMATCH ) |
| 2564 | { |
| 2565 | return( ret ); |
| 2566 | } |
| 2567 | |
| 2568 | if( ( ret = x509parse_key_pkcs8_unencrypted_der( eckey, key, keylen ) ) |
| 2569 | == 0 ) |
| 2570 | { |
| 2571 | return( 0 ); |
| 2572 | } |
| 2573 | */ |
| 2574 | |
| 2575 | ecp_keypair_free( eckey ); |
| 2576 | |
| 2577 | return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT ); |
| 2578 | } |
| 2579 | |
| 2580 | /* |
| 2581 | * Parse a public EC key |
| 2582 | */ |
| 2583 | int x509parse_public_key_ec( ecp_keypair *eckey, |
| 2584 | const unsigned char *key, size_t keylen ) |
| 2585 | { |
| 2586 | int ret; |
| 2587 | size_t len; |
| 2588 | unsigned char *p, *end; |
| 2589 | x509_buf alg_oid; |
| 2590 | #if defined(POLARSSL_PEM_C) |
| 2591 | pem_context pem; |
| 2592 | |
| 2593 | pem_init( &pem ); |
| 2594 | ret = pem_read_buffer( &pem, /* TODO: check header */ |
| 2595 | "-----BEGIN PUBLIC KEY-----", |
| 2596 | "-----END PUBLIC KEY-----", |
| 2597 | key, NULL, 0, &len ); |
| 2598 | |
| 2599 | if( ret == 0 ) |
| 2600 | { |
| 2601 | /* |
| 2602 | * Was PEM encoded |
| 2603 | */ |
| 2604 | keylen = pem.buflen; |
| 2605 | } |
| 2606 | else if( ret != POLARSSL_ERR_PEM_NO_HEADER_FOOTER_PRESENT ) |
| 2607 | { |
| 2608 | pem_free( &pem ); |
| 2609 | return( ret ); |
| 2610 | } |
| 2611 | |
| 2612 | p = ( ret == 0 ) ? pem.buf : (unsigned char *) key; |
| 2613 | #else |
| 2614 | p = (unsigned char *) key; |
| 2615 | #endif |
| 2616 | end = p + keylen; |
| 2617 | |
| 2618 | /* TODO: parse key */ |
| 2619 | (void) alg_oid; |
| 2620 | (void) end; |
| 2621 | (void) eckey; |
| 2622 | |
| 2623 | if( ( ret = ecp_check_pubkey( &eckey->grp, &eckey->Q ) ) != 0 ) |
| 2624 | { |
| 2625 | #if defined(POLARSSL_PEM_C) |
| 2626 | pem_free( &pem ); |
| 2627 | #endif |
| 2628 | ecp_keypair_free( eckey ); |
| 2629 | return( ret ); |
| 2630 | } |
| 2631 | |
| 2632 | #if defined(POLARSSL_PEM_C) |
| 2633 | pem_free( &pem ); |
| 2634 | #endif |
| 2635 | |
| 2636 | return( 0 ); |
| 2637 | } |
| 2638 | #endif /* defined(POLARSSL_ECP_C) */ |
| 2639 | |
Paul Bakker | eaa89f8 | 2011-04-04 21:36:15 +0000 | [diff] [blame] | 2640 | #if defined(POLARSSL_DHM_C) |
Paul Bakker | 53019ae | 2011-03-25 13:58:48 +0000 | [diff] [blame] | 2641 | /* |
Paul Bakker | 1b57b06 | 2011-01-06 15:48:19 +0000 | [diff] [blame] | 2642 | * Parse DHM parameters |
| 2643 | */ |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 2644 | int x509parse_dhm( dhm_context *dhm, const unsigned char *dhmin, size_t dhminlen ) |
Paul Bakker | 1b57b06 | 2011-01-06 15:48:19 +0000 | [diff] [blame] | 2645 | { |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 2646 | int ret; |
| 2647 | size_t len; |
Paul Bakker | 1b57b06 | 2011-01-06 15:48:19 +0000 | [diff] [blame] | 2648 | unsigned char *p, *end; |
Paul Bakker | 96743fc | 2011-02-12 14:30:57 +0000 | [diff] [blame] | 2649 | #if defined(POLARSSL_PEM_C) |
| 2650 | pem_context pem; |
Paul Bakker | 1b57b06 | 2011-01-06 15:48:19 +0000 | [diff] [blame] | 2651 | |
Paul Bakker | 96743fc | 2011-02-12 14:30:57 +0000 | [diff] [blame] | 2652 | pem_init( &pem ); |
Paul Bakker | 1b57b06 | 2011-01-06 15:48:19 +0000 | [diff] [blame] | 2653 | |
Paul Bakker | 96743fc | 2011-02-12 14:30:57 +0000 | [diff] [blame] | 2654 | ret = pem_read_buffer( &pem, |
| 2655 | "-----BEGIN DH PARAMETERS-----", |
| 2656 | "-----END DH PARAMETERS-----", |
| 2657 | dhmin, NULL, 0, &dhminlen ); |
| 2658 | |
| 2659 | if( ret == 0 ) |
Paul Bakker | 1b57b06 | 2011-01-06 15:48:19 +0000 | [diff] [blame] | 2660 | { |
Paul Bakker | 96743fc | 2011-02-12 14:30:57 +0000 | [diff] [blame] | 2661 | /* |
| 2662 | * Was PEM encoded |
| 2663 | */ |
| 2664 | dhminlen = pem.buflen; |
Paul Bakker | 1b57b06 | 2011-01-06 15:48:19 +0000 | [diff] [blame] | 2665 | } |
Paul Bakker | 00b2860 | 2013-06-24 13:02:41 +0200 | [diff] [blame] | 2666 | else if( ret != POLARSSL_ERR_PEM_NO_HEADER_FOOTER_PRESENT ) |
Paul Bakker | 1b57b06 | 2011-01-06 15:48:19 +0000 | [diff] [blame] | 2667 | { |
Paul Bakker | 96743fc | 2011-02-12 14:30:57 +0000 | [diff] [blame] | 2668 | pem_free( &pem ); |
| 2669 | return( ret ); |
Paul Bakker | 1b57b06 | 2011-01-06 15:48:19 +0000 | [diff] [blame] | 2670 | } |
| 2671 | |
Paul Bakker | 96743fc | 2011-02-12 14:30:57 +0000 | [diff] [blame] | 2672 | p = ( ret == 0 ) ? pem.buf : (unsigned char *) dhmin; |
| 2673 | #else |
| 2674 | p = (unsigned char *) dhmin; |
| 2675 | #endif |
| 2676 | end = p + dhminlen; |
| 2677 | |
Paul Bakker | 1b57b06 | 2011-01-06 15:48:19 +0000 | [diff] [blame] | 2678 | memset( dhm, 0, sizeof( dhm_context ) ); |
| 2679 | |
Paul Bakker | 1b57b06 | 2011-01-06 15:48:19 +0000 | [diff] [blame] | 2680 | /* |
| 2681 | * DHParams ::= SEQUENCE { |
| 2682 | * prime INTEGER, -- P |
| 2683 | * generator INTEGER, -- g |
| 2684 | * } |
| 2685 | */ |
| 2686 | if( ( ret = asn1_get_tag( &p, end, &len, |
| 2687 | ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 ) |
| 2688 | { |
Paul Bakker | 96743fc | 2011-02-12 14:30:57 +0000 | [diff] [blame] | 2689 | #if defined(POLARSSL_PEM_C) |
| 2690 | pem_free( &pem ); |
| 2691 | #endif |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 2692 | return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT + ret ); |
Paul Bakker | 1b57b06 | 2011-01-06 15:48:19 +0000 | [diff] [blame] | 2693 | } |
| 2694 | |
| 2695 | end = p + len; |
| 2696 | |
| 2697 | if( ( ret = asn1_get_mpi( &p, end, &dhm->P ) ) != 0 || |
| 2698 | ( ret = asn1_get_mpi( &p, end, &dhm->G ) ) != 0 ) |
| 2699 | { |
Paul Bakker | 96743fc | 2011-02-12 14:30:57 +0000 | [diff] [blame] | 2700 | #if defined(POLARSSL_PEM_C) |
| 2701 | pem_free( &pem ); |
| 2702 | #endif |
Paul Bakker | 1b57b06 | 2011-01-06 15:48:19 +0000 | [diff] [blame] | 2703 | dhm_free( dhm ); |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 2704 | return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT + ret ); |
Paul Bakker | 1b57b06 | 2011-01-06 15:48:19 +0000 | [diff] [blame] | 2705 | } |
| 2706 | |
| 2707 | if( p != end ) |
| 2708 | { |
Paul Bakker | 96743fc | 2011-02-12 14:30:57 +0000 | [diff] [blame] | 2709 | #if defined(POLARSSL_PEM_C) |
| 2710 | pem_free( &pem ); |
| 2711 | #endif |
Paul Bakker | 1b57b06 | 2011-01-06 15:48:19 +0000 | [diff] [blame] | 2712 | dhm_free( dhm ); |
Paul Bakker | 9d78140 | 2011-05-09 16:17:09 +0000 | [diff] [blame] | 2713 | return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT + |
Paul Bakker | 1b57b06 | 2011-01-06 15:48:19 +0000 | [diff] [blame] | 2714 | POLARSSL_ERR_ASN1_LENGTH_MISMATCH ); |
| 2715 | } |
| 2716 | |
Paul Bakker | 96743fc | 2011-02-12 14:30:57 +0000 | [diff] [blame] | 2717 | #if defined(POLARSSL_PEM_C) |
| 2718 | pem_free( &pem ); |
| 2719 | #endif |
Paul Bakker | 1b57b06 | 2011-01-06 15:48:19 +0000 | [diff] [blame] | 2720 | |
| 2721 | return( 0 ); |
| 2722 | } |
| 2723 | |
Paul Bakker | 335db3f | 2011-04-25 15:28:35 +0000 | [diff] [blame] | 2724 | #if defined(POLARSSL_FS_IO) |
Paul Bakker | 1b57b06 | 2011-01-06 15:48:19 +0000 | [diff] [blame] | 2725 | /* |
Manuel Pégourié-Gonnard | 4250a1f | 2013-06-27 13:00:00 +0200 | [diff] [blame] | 2726 | * Load and parse DHM parameters |
Paul Bakker | 1b57b06 | 2011-01-06 15:48:19 +0000 | [diff] [blame] | 2727 | */ |
| 2728 | int x509parse_dhmfile( dhm_context *dhm, const char *path ) |
| 2729 | { |
| 2730 | int ret; |
| 2731 | size_t n; |
| 2732 | unsigned char *buf; |
| 2733 | |
Paul Bakker | 69e095c | 2011-12-10 21:55:01 +0000 | [diff] [blame] | 2734 | if ( ( ret = load_file( path, &buf, &n ) ) != 0 ) |
| 2735 | return( ret ); |
Paul Bakker | 1b57b06 | 2011-01-06 15:48:19 +0000 | [diff] [blame] | 2736 | |
Paul Bakker | 27fdf46 | 2011-06-09 13:55:13 +0000 | [diff] [blame] | 2737 | ret = x509parse_dhm( dhm, buf, n ); |
Paul Bakker | 1b57b06 | 2011-01-06 15:48:19 +0000 | [diff] [blame] | 2738 | |
| 2739 | memset( buf, 0, n + 1 ); |
Paul Bakker | 6e339b5 | 2013-07-03 13:37:05 +0200 | [diff] [blame] | 2740 | polarssl_free( buf ); |
Paul Bakker | 1b57b06 | 2011-01-06 15:48:19 +0000 | [diff] [blame] | 2741 | |
| 2742 | return( ret ); |
| 2743 | } |
Paul Bakker | 335db3f | 2011-04-25 15:28:35 +0000 | [diff] [blame] | 2744 | #endif /* POLARSSL_FS_IO */ |
Paul Bakker | eaa89f8 | 2011-04-04 21:36:15 +0000 | [diff] [blame] | 2745 | #endif /* POLARSSL_DHM_C */ |
Paul Bakker | 1b57b06 | 2011-01-06 15:48:19 +0000 | [diff] [blame] | 2746 | |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2747 | #if defined _MSC_VER && !defined snprintf |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 2748 | #include <stdarg.h> |
| 2749 | |
| 2750 | #if !defined vsnprintf |
| 2751 | #define vsnprintf _vsnprintf |
| 2752 | #endif // vsnprintf |
| 2753 | |
| 2754 | /* |
| 2755 | * Windows _snprintf and _vsnprintf are not compatible to linux versions. |
| 2756 | * Result value is not size of buffer needed, but -1 if no fit is possible. |
| 2757 | * |
| 2758 | * This fuction tries to 'fix' this by at least suggesting enlarging the |
| 2759 | * size by 20. |
| 2760 | */ |
Paul Bakker | c70b982 | 2013-04-07 22:00:46 +0200 | [diff] [blame] | 2761 | static int compat_snprintf(char *str, size_t size, const char *format, ...) |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 2762 | { |
| 2763 | va_list ap; |
| 2764 | int res = -1; |
| 2765 | |
| 2766 | va_start( ap, format ); |
| 2767 | |
| 2768 | res = vsnprintf( str, size, format, ap ); |
| 2769 | |
| 2770 | va_end( ap ); |
| 2771 | |
| 2772 | // No quick fix possible |
| 2773 | if ( res < 0 ) |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 2774 | return( (int) size + 20 ); |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 2775 | |
| 2776 | return res; |
| 2777 | } |
| 2778 | |
| 2779 | #define snprintf compat_snprintf |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2780 | #endif |
| 2781 | |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 2782 | #define POLARSSL_ERR_DEBUG_BUF_TOO_SMALL -2 |
| 2783 | |
| 2784 | #define SAFE_SNPRINTF() \ |
| 2785 | { \ |
| 2786 | if( ret == -1 ) \ |
| 2787 | return( -1 ); \ |
| 2788 | \ |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 2789 | if ( (unsigned int) ret > n ) { \ |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 2790 | p[n - 1] = '\0'; \ |
| 2791 | return POLARSSL_ERR_DEBUG_BUF_TOO_SMALL;\ |
| 2792 | } \ |
| 2793 | \ |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 2794 | n -= (unsigned int) ret; \ |
| 2795 | p += (unsigned int) ret; \ |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 2796 | } |
| 2797 | |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2798 | /* |
| 2799 | * Store the name in printable form into buf; no more |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 2800 | * than size characters will be written |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2801 | */ |
Paul Bakker | ff60ee6 | 2010-03-16 21:09:09 +0000 | [diff] [blame] | 2802 | int x509parse_dn_gets( char *buf, size_t size, const x509_name *dn ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2803 | { |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 2804 | int ret; |
| 2805 | size_t i, n; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2806 | unsigned char c; |
Paul Bakker | ff60ee6 | 2010-03-16 21:09:09 +0000 | [diff] [blame] | 2807 | const x509_name *name; |
Paul Bakker | c70b982 | 2013-04-07 22:00:46 +0200 | [diff] [blame] | 2808 | const char *short_name = NULL; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2809 | char s[128], *p; |
| 2810 | |
| 2811 | memset( s, 0, sizeof( s ) ); |
| 2812 | |
| 2813 | name = dn; |
| 2814 | p = buf; |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 2815 | n = size; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2816 | |
| 2817 | while( name != NULL ) |
| 2818 | { |
Paul Bakker | cefb396 | 2012-06-27 11:51:09 +0000 | [diff] [blame] | 2819 | if( !name->oid.p ) |
| 2820 | { |
| 2821 | name = name->next; |
| 2822 | continue; |
| 2823 | } |
| 2824 | |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 2825 | if( name != dn ) |
| 2826 | { |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 2827 | ret = snprintf( p, n, ", " ); |
| 2828 | SAFE_SNPRINTF(); |
| 2829 | } |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2830 | |
Paul Bakker | c70b982 | 2013-04-07 22:00:46 +0200 | [diff] [blame] | 2831 | ret = oid_get_attr_short_name( &name->oid, &short_name ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2832 | |
Paul Bakker | c70b982 | 2013-04-07 22:00:46 +0200 | [diff] [blame] | 2833 | if( ret == 0 ) |
| 2834 | ret = snprintf( p, n, "%s=", short_name ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2835 | else |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 2836 | ret = snprintf( p, n, "\?\?=" ); |
Paul Bakker | c70b982 | 2013-04-07 22:00:46 +0200 | [diff] [blame] | 2837 | SAFE_SNPRINTF(); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2838 | |
| 2839 | for( i = 0; i < name->val.len; i++ ) |
| 2840 | { |
Paul Bakker | 27fdf46 | 2011-06-09 13:55:13 +0000 | [diff] [blame] | 2841 | if( i >= sizeof( s ) - 1 ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2842 | break; |
| 2843 | |
| 2844 | c = name->val.p[i]; |
| 2845 | if( c < 32 || c == 127 || ( c > 128 && c < 160 ) ) |
| 2846 | s[i] = '?'; |
| 2847 | else s[i] = c; |
| 2848 | } |
| 2849 | s[i] = '\0'; |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 2850 | ret = snprintf( p, n, "%s", s ); |
Paul Bakker | c70b982 | 2013-04-07 22:00:46 +0200 | [diff] [blame] | 2851 | SAFE_SNPRINTF(); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2852 | name = name->next; |
| 2853 | } |
| 2854 | |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 2855 | return( (int) ( size - n ) ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2856 | } |
| 2857 | |
| 2858 | /* |
Paul Bakker | dd47699 | 2011-01-16 21:34:59 +0000 | [diff] [blame] | 2859 | * Store the serial in printable form into buf; no more |
| 2860 | * than size characters will be written |
| 2861 | */ |
| 2862 | int x509parse_serial_gets( char *buf, size_t size, const x509_buf *serial ) |
| 2863 | { |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 2864 | int ret; |
| 2865 | size_t i, n, nr; |
Paul Bakker | dd47699 | 2011-01-16 21:34:59 +0000 | [diff] [blame] | 2866 | char *p; |
| 2867 | |
| 2868 | p = buf; |
| 2869 | n = size; |
| 2870 | |
| 2871 | nr = ( serial->len <= 32 ) |
Paul Bakker | 03c7c25 | 2011-11-25 12:37:37 +0000 | [diff] [blame] | 2872 | ? serial->len : 28; |
Paul Bakker | dd47699 | 2011-01-16 21:34:59 +0000 | [diff] [blame] | 2873 | |
| 2874 | for( i = 0; i < nr; i++ ) |
| 2875 | { |
Paul Bakker | 9304880 | 2011-12-05 14:38:06 +0000 | [diff] [blame] | 2876 | if( i == 0 && nr > 1 && serial->p[i] == 0x0 ) |
Paul Bakker | c8ffbe7 | 2011-12-05 14:22:49 +0000 | [diff] [blame] | 2877 | continue; |
| 2878 | |
Paul Bakker | dd47699 | 2011-01-16 21:34:59 +0000 | [diff] [blame] | 2879 | ret = snprintf( p, n, "%02X%s", |
| 2880 | serial->p[i], ( i < nr - 1 ) ? ":" : "" ); |
| 2881 | SAFE_SNPRINTF(); |
| 2882 | } |
| 2883 | |
Paul Bakker | 03c7c25 | 2011-11-25 12:37:37 +0000 | [diff] [blame] | 2884 | if( nr != serial->len ) |
| 2885 | { |
| 2886 | ret = snprintf( p, n, "...." ); |
| 2887 | SAFE_SNPRINTF(); |
| 2888 | } |
| 2889 | |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 2890 | return( (int) ( size - n ) ); |
Paul Bakker | dd47699 | 2011-01-16 21:34:59 +0000 | [diff] [blame] | 2891 | } |
| 2892 | |
| 2893 | /* |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 2894 | * Return an informational string about the certificate. |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2895 | */ |
Paul Bakker | ff60ee6 | 2010-03-16 21:09:09 +0000 | [diff] [blame] | 2896 | int x509parse_cert_info( char *buf, size_t size, const char *prefix, |
| 2897 | const x509_cert *crt ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2898 | { |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 2899 | int ret; |
| 2900 | size_t n; |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 2901 | char *p; |
Paul Bakker | c70b982 | 2013-04-07 22:00:46 +0200 | [diff] [blame] | 2902 | const char *desc = NULL; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2903 | |
| 2904 | p = buf; |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 2905 | n = size; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2906 | |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 2907 | ret = snprintf( p, n, "%scert. version : %d\n", |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2908 | prefix, crt->version ); |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 2909 | SAFE_SNPRINTF(); |
| 2910 | ret = snprintf( p, n, "%sserial number : ", |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2911 | prefix ); |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 2912 | SAFE_SNPRINTF(); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2913 | |
Paul Bakker | dd47699 | 2011-01-16 21:34:59 +0000 | [diff] [blame] | 2914 | ret = x509parse_serial_gets( p, n, &crt->serial); |
| 2915 | SAFE_SNPRINTF(); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2916 | |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 2917 | ret = snprintf( p, n, "\n%sissuer name : ", prefix ); |
| 2918 | SAFE_SNPRINTF(); |
| 2919 | ret = x509parse_dn_gets( p, n, &crt->issuer ); |
| 2920 | SAFE_SNPRINTF(); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2921 | |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 2922 | ret = snprintf( p, n, "\n%ssubject name : ", prefix ); |
| 2923 | SAFE_SNPRINTF(); |
| 2924 | ret = x509parse_dn_gets( p, n, &crt->subject ); |
| 2925 | SAFE_SNPRINTF(); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2926 | |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 2927 | ret = snprintf( p, n, "\n%sissued on : " \ |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2928 | "%04d-%02d-%02d %02d:%02d:%02d", prefix, |
| 2929 | crt->valid_from.year, crt->valid_from.mon, |
| 2930 | crt->valid_from.day, crt->valid_from.hour, |
| 2931 | crt->valid_from.min, crt->valid_from.sec ); |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 2932 | SAFE_SNPRINTF(); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2933 | |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 2934 | ret = snprintf( p, n, "\n%sexpires on : " \ |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2935 | "%04d-%02d-%02d %02d:%02d:%02d", prefix, |
| 2936 | crt->valid_to.year, crt->valid_to.mon, |
| 2937 | crt->valid_to.day, crt->valid_to.hour, |
| 2938 | crt->valid_to.min, crt->valid_to.sec ); |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 2939 | SAFE_SNPRINTF(); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2940 | |
Paul Bakker | c70b982 | 2013-04-07 22:00:46 +0200 | [diff] [blame] | 2941 | ret = snprintf( p, n, "\n%ssigned using : ", prefix ); |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 2942 | SAFE_SNPRINTF(); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 2943 | |
Paul Bakker | c70b982 | 2013-04-07 22:00:46 +0200 | [diff] [blame] | 2944 | ret = oid_get_sig_alg_desc( &crt->sig_oid1, &desc ); |
| 2945 | if( ret != 0 ) |
| 2946 | ret = snprintf( p, n, "???" ); |
| 2947 | else |
| 2948 | ret = snprintf( p, n, desc ); |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 2949 | SAFE_SNPRINTF(); |
| 2950 | |
| 2951 | ret = snprintf( p, n, "\n%sRSA key size : %d bits\n", prefix, |
Paul Bakker | 5c2364c | 2012-10-01 14:41:15 +0000 | [diff] [blame] | 2952 | (int) crt->rsa.N.n * (int) sizeof( t_uint ) * 8 ); |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 2953 | SAFE_SNPRINTF(); |
| 2954 | |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 2955 | return( (int) ( size - n ) ); |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 2956 | } |
| 2957 | |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 2958 | /* |
| 2959 | * Return an informational string describing the given OID |
| 2960 | */ |
| 2961 | const char *x509_oid_get_description( x509_buf *oid ) |
| 2962 | { |
Paul Bakker | c70b982 | 2013-04-07 22:00:46 +0200 | [diff] [blame] | 2963 | const char *desc = NULL; |
| 2964 | int ret; |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 2965 | |
Paul Bakker | c70b982 | 2013-04-07 22:00:46 +0200 | [diff] [blame] | 2966 | ret = oid_get_extended_key_usage( oid, &desc ); |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 2967 | |
Paul Bakker | c70b982 | 2013-04-07 22:00:46 +0200 | [diff] [blame] | 2968 | if( ret != 0 ) |
| 2969 | return( NULL ); |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 2970 | |
Paul Bakker | c70b982 | 2013-04-07 22:00:46 +0200 | [diff] [blame] | 2971 | return( desc ); |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 2972 | } |
| 2973 | |
| 2974 | /* Return the x.y.z.... style numeric string for the given OID */ |
| 2975 | int x509_oid_get_numeric_string( char *buf, size_t size, x509_buf *oid ) |
| 2976 | { |
Paul Bakker | c70b982 | 2013-04-07 22:00:46 +0200 | [diff] [blame] | 2977 | return oid_get_numeric_string( buf, size, oid ); |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 2978 | } |
| 2979 | |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 2980 | /* |
| 2981 | * Return an informational string about the CRL. |
| 2982 | */ |
Paul Bakker | ff60ee6 | 2010-03-16 21:09:09 +0000 | [diff] [blame] | 2983 | int x509parse_crl_info( char *buf, size_t size, const char *prefix, |
| 2984 | const x509_crl *crl ) |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 2985 | { |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 2986 | int ret; |
Paul Bakker | c8ffbe7 | 2011-12-05 14:22:49 +0000 | [diff] [blame] | 2987 | size_t n; |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 2988 | char *p; |
Paul Bakker | c70b982 | 2013-04-07 22:00:46 +0200 | [diff] [blame] | 2989 | const char *desc; |
Paul Bakker | ff60ee6 | 2010-03-16 21:09:09 +0000 | [diff] [blame] | 2990 | const x509_crl_entry *entry; |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 2991 | |
| 2992 | p = buf; |
| 2993 | n = size; |
| 2994 | |
| 2995 | ret = snprintf( p, n, "%sCRL version : %d", |
| 2996 | prefix, crl->version ); |
| 2997 | SAFE_SNPRINTF(); |
| 2998 | |
| 2999 | ret = snprintf( p, n, "\n%sissuer name : ", prefix ); |
| 3000 | SAFE_SNPRINTF(); |
| 3001 | ret = x509parse_dn_gets( p, n, &crl->issuer ); |
| 3002 | SAFE_SNPRINTF(); |
| 3003 | |
| 3004 | ret = snprintf( p, n, "\n%sthis update : " \ |
| 3005 | "%04d-%02d-%02d %02d:%02d:%02d", prefix, |
| 3006 | crl->this_update.year, crl->this_update.mon, |
| 3007 | crl->this_update.day, crl->this_update.hour, |
| 3008 | crl->this_update.min, crl->this_update.sec ); |
| 3009 | SAFE_SNPRINTF(); |
| 3010 | |
| 3011 | ret = snprintf( p, n, "\n%snext update : " \ |
| 3012 | "%04d-%02d-%02d %02d:%02d:%02d", prefix, |
| 3013 | crl->next_update.year, crl->next_update.mon, |
| 3014 | crl->next_update.day, crl->next_update.hour, |
| 3015 | crl->next_update.min, crl->next_update.sec ); |
| 3016 | SAFE_SNPRINTF(); |
| 3017 | |
| 3018 | entry = &crl->entry; |
| 3019 | |
| 3020 | ret = snprintf( p, n, "\n%sRevoked certificates:", |
| 3021 | prefix ); |
| 3022 | SAFE_SNPRINTF(); |
| 3023 | |
Paul Bakker | 9be1937 | 2009-07-27 20:21:53 +0000 | [diff] [blame] | 3024 | while( entry != NULL && entry->raw.len != 0 ) |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 3025 | { |
| 3026 | ret = snprintf( p, n, "\n%sserial number: ", |
| 3027 | prefix ); |
| 3028 | SAFE_SNPRINTF(); |
| 3029 | |
Paul Bakker | c8ffbe7 | 2011-12-05 14:22:49 +0000 | [diff] [blame] | 3030 | ret = x509parse_serial_gets( p, n, &entry->serial); |
| 3031 | SAFE_SNPRINTF(); |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 3032 | |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 3033 | ret = snprintf( p, n, " revocation date: " \ |
| 3034 | "%04d-%02d-%02d %02d:%02d:%02d", |
| 3035 | entry->revocation_date.year, entry->revocation_date.mon, |
| 3036 | entry->revocation_date.day, entry->revocation_date.hour, |
| 3037 | entry->revocation_date.min, entry->revocation_date.sec ); |
Paul Bakker | c8ffbe7 | 2011-12-05 14:22:49 +0000 | [diff] [blame] | 3038 | SAFE_SNPRINTF(); |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 3039 | |
| 3040 | entry = entry->next; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3041 | } |
| 3042 | |
Paul Bakker | c70b982 | 2013-04-07 22:00:46 +0200 | [diff] [blame] | 3043 | ret = snprintf( p, n, "\n%ssigned using : ", prefix ); |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 3044 | SAFE_SNPRINTF(); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3045 | |
Paul Bakker | c70b982 | 2013-04-07 22:00:46 +0200 | [diff] [blame] | 3046 | ret = oid_get_sig_alg_desc( &crl->sig_oid1, &desc ); |
| 3047 | if( ret != 0 ) |
| 3048 | ret = snprintf( p, n, "???" ); |
| 3049 | else |
| 3050 | ret = snprintf( p, n, desc ); |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 3051 | SAFE_SNPRINTF(); |
| 3052 | |
Paul Bakker | 1e27bb2 | 2009-07-19 20:25:25 +0000 | [diff] [blame] | 3053 | ret = snprintf( p, n, "\n" ); |
| 3054 | SAFE_SNPRINTF(); |
| 3055 | |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 3056 | return( (int) ( size - n ) ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3057 | } |
| 3058 | |
| 3059 | /* |
Paul Bakker | 40ea7de | 2009-05-03 10:18:48 +0000 | [diff] [blame] | 3060 | * Return 0 if the x509_time is still valid, or 1 otherwise. |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3061 | */ |
Paul Bakker | fa9b100 | 2013-07-03 15:31:03 +0200 | [diff] [blame] | 3062 | #if defined(POLARSSL_HAVE_TIME) |
Paul Bakker | ff60ee6 | 2010-03-16 21:09:09 +0000 | [diff] [blame] | 3063 | int x509parse_time_expired( const x509_time *to ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3064 | { |
Paul Bakker | cce9d77 | 2011-11-18 14:26:47 +0000 | [diff] [blame] | 3065 | int year, mon, day; |
| 3066 | int hour, min, sec; |
| 3067 | |
| 3068 | #if defined(_WIN32) |
| 3069 | SYSTEMTIME st; |
| 3070 | |
| 3071 | GetLocalTime(&st); |
| 3072 | |
| 3073 | year = st.wYear; |
| 3074 | mon = st.wMonth; |
| 3075 | day = st.wDay; |
| 3076 | hour = st.wHour; |
| 3077 | min = st.wMinute; |
| 3078 | sec = st.wSecond; |
| 3079 | #else |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3080 | struct tm *lt; |
| 3081 | time_t tt; |
| 3082 | |
| 3083 | tt = time( NULL ); |
| 3084 | lt = localtime( &tt ); |
| 3085 | |
Paul Bakker | cce9d77 | 2011-11-18 14:26:47 +0000 | [diff] [blame] | 3086 | year = lt->tm_year + 1900; |
| 3087 | mon = lt->tm_mon + 1; |
| 3088 | day = lt->tm_mday; |
| 3089 | hour = lt->tm_hour; |
| 3090 | min = lt->tm_min; |
| 3091 | sec = lt->tm_sec; |
| 3092 | #endif |
| 3093 | |
| 3094 | if( year > to->year ) |
Paul Bakker | 40ea7de | 2009-05-03 10:18:48 +0000 | [diff] [blame] | 3095 | return( 1 ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3096 | |
Paul Bakker | cce9d77 | 2011-11-18 14:26:47 +0000 | [diff] [blame] | 3097 | if( year == to->year && |
| 3098 | mon > to->mon ) |
Paul Bakker | 40ea7de | 2009-05-03 10:18:48 +0000 | [diff] [blame] | 3099 | return( 1 ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3100 | |
Paul Bakker | cce9d77 | 2011-11-18 14:26:47 +0000 | [diff] [blame] | 3101 | if( year == to->year && |
| 3102 | mon == to->mon && |
| 3103 | day > to->day ) |
Paul Bakker | 40ea7de | 2009-05-03 10:18:48 +0000 | [diff] [blame] | 3104 | return( 1 ); |
| 3105 | |
Paul Bakker | cce9d77 | 2011-11-18 14:26:47 +0000 | [diff] [blame] | 3106 | if( year == to->year && |
| 3107 | mon == to->mon && |
| 3108 | day == to->day && |
| 3109 | hour > to->hour ) |
Paul Bakker | b619499 | 2011-01-16 21:40:22 +0000 | [diff] [blame] | 3110 | return( 1 ); |
| 3111 | |
Paul Bakker | cce9d77 | 2011-11-18 14:26:47 +0000 | [diff] [blame] | 3112 | if( year == to->year && |
| 3113 | mon == to->mon && |
| 3114 | day == to->day && |
| 3115 | hour == to->hour && |
| 3116 | min > to->min ) |
Paul Bakker | b619499 | 2011-01-16 21:40:22 +0000 | [diff] [blame] | 3117 | return( 1 ); |
| 3118 | |
Paul Bakker | cce9d77 | 2011-11-18 14:26:47 +0000 | [diff] [blame] | 3119 | if( year == to->year && |
| 3120 | mon == to->mon && |
| 3121 | day == to->day && |
| 3122 | hour == to->hour && |
| 3123 | min == to->min && |
| 3124 | sec > to->sec ) |
Paul Bakker | b619499 | 2011-01-16 21:40:22 +0000 | [diff] [blame] | 3125 | return( 1 ); |
| 3126 | |
Paul Bakker | 40ea7de | 2009-05-03 10:18:48 +0000 | [diff] [blame] | 3127 | return( 0 ); |
| 3128 | } |
Paul Bakker | fa9b100 | 2013-07-03 15:31:03 +0200 | [diff] [blame] | 3129 | #else /* POLARSSL_HAVE_TIME */ |
| 3130 | int x509parse_time_expired( const x509_time *to ) |
| 3131 | { |
| 3132 | ((void) to); |
| 3133 | return( 0 ); |
| 3134 | } |
| 3135 | #endif /* POLARSSL_HAVE_TIME */ |
Paul Bakker | 40ea7de | 2009-05-03 10:18:48 +0000 | [diff] [blame] | 3136 | |
| 3137 | /* |
| 3138 | * Return 1 if the certificate is revoked, or 0 otherwise. |
| 3139 | */ |
Paul Bakker | ff60ee6 | 2010-03-16 21:09:09 +0000 | [diff] [blame] | 3140 | int x509parse_revoked( const x509_cert *crt, const x509_crl *crl ) |
Paul Bakker | 40ea7de | 2009-05-03 10:18:48 +0000 | [diff] [blame] | 3141 | { |
Paul Bakker | ff60ee6 | 2010-03-16 21:09:09 +0000 | [diff] [blame] | 3142 | const x509_crl_entry *cur = &crl->entry; |
Paul Bakker | 40ea7de | 2009-05-03 10:18:48 +0000 | [diff] [blame] | 3143 | |
| 3144 | while( cur != NULL && cur->serial.len != 0 ) |
| 3145 | { |
Paul Bakker | a056efc | 2011-01-16 21:38:35 +0000 | [diff] [blame] | 3146 | if( crt->serial.len == cur->serial.len && |
| 3147 | memcmp( crt->serial.p, cur->serial.p, crt->serial.len ) == 0 ) |
Paul Bakker | 40ea7de | 2009-05-03 10:18:48 +0000 | [diff] [blame] | 3148 | { |
| 3149 | if( x509parse_time_expired( &cur->revocation_date ) ) |
| 3150 | return( 1 ); |
| 3151 | } |
| 3152 | |
| 3153 | cur = cur->next; |
| 3154 | } |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3155 | |
| 3156 | return( 0 ); |
| 3157 | } |
| 3158 | |
Paul Bakker | de4d2ea | 2009-10-03 19:58:52 +0000 | [diff] [blame] | 3159 | /* |
Paul Bakker | 76fd75a | 2011-01-16 21:12:10 +0000 | [diff] [blame] | 3160 | * Check that the given certificate is valid accoring to the CRL. |
| 3161 | */ |
| 3162 | static int x509parse_verifycrl(x509_cert *crt, x509_cert *ca, |
| 3163 | x509_crl *crl_list) |
| 3164 | { |
| 3165 | int flags = 0; |
Paul Bakker | c70b982 | 2013-04-07 22:00:46 +0200 | [diff] [blame] | 3166 | unsigned char hash[POLARSSL_MD_MAX_SIZE]; |
| 3167 | const md_info_t *md_info; |
Paul Bakker | 76fd75a | 2011-01-16 21:12:10 +0000 | [diff] [blame] | 3168 | |
Paul Bakker | 915275b | 2012-09-28 07:10:55 +0000 | [diff] [blame] | 3169 | if( ca == NULL ) |
| 3170 | return( flags ); |
| 3171 | |
Paul Bakker | 76fd75a | 2011-01-16 21:12:10 +0000 | [diff] [blame] | 3172 | /* |
| 3173 | * TODO: What happens if no CRL is present? |
| 3174 | * Suggestion: Revocation state should be unknown if no CRL is present. |
| 3175 | * For backwards compatibility this is not yet implemented. |
| 3176 | */ |
| 3177 | |
Paul Bakker | 915275b | 2012-09-28 07:10:55 +0000 | [diff] [blame] | 3178 | while( crl_list != NULL ) |
Paul Bakker | 76fd75a | 2011-01-16 21:12:10 +0000 | [diff] [blame] | 3179 | { |
Paul Bakker | 915275b | 2012-09-28 07:10:55 +0000 | [diff] [blame] | 3180 | if( crl_list->version == 0 || |
| 3181 | crl_list->issuer_raw.len != ca->subject_raw.len || |
Paul Bakker | 76fd75a | 2011-01-16 21:12:10 +0000 | [diff] [blame] | 3182 | memcmp( crl_list->issuer_raw.p, ca->subject_raw.p, |
| 3183 | crl_list->issuer_raw.len ) != 0 ) |
| 3184 | { |
| 3185 | crl_list = crl_list->next; |
| 3186 | continue; |
| 3187 | } |
| 3188 | |
| 3189 | /* |
| 3190 | * Check if CRL is correctly signed by the trusted CA |
| 3191 | */ |
Paul Bakker | c70b982 | 2013-04-07 22:00:46 +0200 | [diff] [blame] | 3192 | md_info = md_info_from_type( crl_list->sig_md ); |
| 3193 | if( md_info == NULL ) |
| 3194 | { |
| 3195 | /* |
| 3196 | * Cannot check 'unknown' hash |
| 3197 | */ |
| 3198 | flags |= BADCRL_NOT_TRUSTED; |
| 3199 | break; |
| 3200 | } |
Paul Bakker | 76fd75a | 2011-01-16 21:12:10 +0000 | [diff] [blame] | 3201 | |
Paul Bakker | c70b982 | 2013-04-07 22:00:46 +0200 | [diff] [blame] | 3202 | md( md_info, crl_list->tbs.p, crl_list->tbs.len, hash ); |
Paul Bakker | 76fd75a | 2011-01-16 21:12:10 +0000 | [diff] [blame] | 3203 | |
Paul Bakker | c70b982 | 2013-04-07 22:00:46 +0200 | [diff] [blame] | 3204 | if( !rsa_pkcs1_verify( &ca->rsa, RSA_PUBLIC, crl_list->sig_md, |
Paul Bakker | 76fd75a | 2011-01-16 21:12:10 +0000 | [diff] [blame] | 3205 | 0, hash, crl_list->sig.p ) == 0 ) |
| 3206 | { |
| 3207 | /* |
| 3208 | * CRL is not trusted |
| 3209 | */ |
| 3210 | flags |= BADCRL_NOT_TRUSTED; |
| 3211 | break; |
| 3212 | } |
| 3213 | |
| 3214 | /* |
| 3215 | * Check for validity of CRL (Do not drop out) |
| 3216 | */ |
| 3217 | if( x509parse_time_expired( &crl_list->next_update ) ) |
| 3218 | flags |= BADCRL_EXPIRED; |
| 3219 | |
| 3220 | /* |
| 3221 | * Check if certificate is revoked |
| 3222 | */ |
| 3223 | if( x509parse_revoked(crt, crl_list) ) |
| 3224 | { |
| 3225 | flags |= BADCERT_REVOKED; |
| 3226 | break; |
| 3227 | } |
| 3228 | |
| 3229 | crl_list = crl_list->next; |
| 3230 | } |
| 3231 | return flags; |
| 3232 | } |
| 3233 | |
Paul Bakker | b6c5d2e | 2013-06-25 16:25:17 +0200 | [diff] [blame] | 3234 | static int x509_wildcard_verify( const char *cn, x509_buf *name ) |
Paul Bakker | a8cd239 | 2012-02-11 16:09:32 +0000 | [diff] [blame] | 3235 | { |
| 3236 | size_t i; |
| 3237 | size_t cn_idx = 0; |
| 3238 | |
Paul Bakker | 57b1298 | 2012-02-11 17:38:38 +0000 | [diff] [blame] | 3239 | if( name->len < 3 || name->p[0] != '*' || name->p[1] != '.' ) |
Paul Bakker | a8cd239 | 2012-02-11 16:09:32 +0000 | [diff] [blame] | 3240 | return( 0 ); |
| 3241 | |
| 3242 | for( i = 0; i < strlen( cn ); ++i ) |
| 3243 | { |
| 3244 | if( cn[i] == '.' ) |
| 3245 | { |
| 3246 | cn_idx = i; |
| 3247 | break; |
| 3248 | } |
| 3249 | } |
| 3250 | |
| 3251 | if( cn_idx == 0 ) |
| 3252 | return( 0 ); |
| 3253 | |
Paul Bakker | 535e97d | 2012-08-23 10:49:55 +0000 | [diff] [blame] | 3254 | if( strlen( cn ) - cn_idx == name->len - 1 && |
| 3255 | memcmp( name->p + 1, cn + cn_idx, name->len - 1 ) == 0 ) |
Paul Bakker | a8cd239 | 2012-02-11 16:09:32 +0000 | [diff] [blame] | 3256 | { |
| 3257 | return( 1 ); |
| 3258 | } |
| 3259 | |
| 3260 | return( 0 ); |
| 3261 | } |
| 3262 | |
Paul Bakker | 915275b | 2012-09-28 07:10:55 +0000 | [diff] [blame] | 3263 | static int x509parse_verify_top( |
| 3264 | x509_cert *child, x509_cert *trust_ca, |
Paul Bakker | 9a73632 | 2012-11-14 12:39:52 +0000 | [diff] [blame] | 3265 | x509_crl *ca_crl, int path_cnt, int *flags, |
Paul Bakker | 915275b | 2012-09-28 07:10:55 +0000 | [diff] [blame] | 3266 | int (*f_vrfy)(void *, x509_cert *, int, int *), |
| 3267 | void *p_vrfy ) |
| 3268 | { |
Paul Bakker | c70b982 | 2013-04-07 22:00:46 +0200 | [diff] [blame] | 3269 | int ret; |
Paul Bakker | 9a73632 | 2012-11-14 12:39:52 +0000 | [diff] [blame] | 3270 | int ca_flags = 0, check_path_cnt = path_cnt + 1; |
Paul Bakker | c70b982 | 2013-04-07 22:00:46 +0200 | [diff] [blame] | 3271 | unsigned char hash[POLARSSL_MD_MAX_SIZE]; |
| 3272 | const md_info_t *md_info; |
Paul Bakker | 915275b | 2012-09-28 07:10:55 +0000 | [diff] [blame] | 3273 | |
| 3274 | if( x509parse_time_expired( &child->valid_to ) ) |
| 3275 | *flags |= BADCERT_EXPIRED; |
| 3276 | |
| 3277 | /* |
| 3278 | * Child is the top of the chain. Check against the trust_ca list. |
| 3279 | */ |
| 3280 | *flags |= BADCERT_NOT_TRUSTED; |
| 3281 | |
| 3282 | while( trust_ca != NULL ) |
| 3283 | { |
| 3284 | if( trust_ca->version == 0 || |
| 3285 | child->issuer_raw.len != trust_ca->subject_raw.len || |
| 3286 | memcmp( child->issuer_raw.p, trust_ca->subject_raw.p, |
| 3287 | child->issuer_raw.len ) != 0 ) |
| 3288 | { |
| 3289 | trust_ca = trust_ca->next; |
| 3290 | continue; |
| 3291 | } |
| 3292 | |
Paul Bakker | 9a73632 | 2012-11-14 12:39:52 +0000 | [diff] [blame] | 3293 | /* |
| 3294 | * Reduce path_len to check against if top of the chain is |
| 3295 | * the same as the trusted CA |
| 3296 | */ |
| 3297 | if( child->subject_raw.len == trust_ca->subject_raw.len && |
| 3298 | memcmp( child->subject_raw.p, trust_ca->subject_raw.p, |
| 3299 | child->issuer_raw.len ) == 0 ) |
| 3300 | { |
| 3301 | check_path_cnt--; |
| 3302 | } |
| 3303 | |
Paul Bakker | 915275b | 2012-09-28 07:10:55 +0000 | [diff] [blame] | 3304 | if( trust_ca->max_pathlen > 0 && |
Paul Bakker | 9a73632 | 2012-11-14 12:39:52 +0000 | [diff] [blame] | 3305 | trust_ca->max_pathlen < check_path_cnt ) |
Paul Bakker | 915275b | 2012-09-28 07:10:55 +0000 | [diff] [blame] | 3306 | { |
| 3307 | trust_ca = trust_ca->next; |
| 3308 | continue; |
| 3309 | } |
| 3310 | |
Paul Bakker | c70b982 | 2013-04-07 22:00:46 +0200 | [diff] [blame] | 3311 | md_info = md_info_from_type( child->sig_md ); |
| 3312 | if( md_info == NULL ) |
| 3313 | { |
| 3314 | /* |
| 3315 | * Cannot check 'unknown' hash |
| 3316 | */ |
| 3317 | continue; |
| 3318 | } |
Paul Bakker | 915275b | 2012-09-28 07:10:55 +0000 | [diff] [blame] | 3319 | |
Paul Bakker | c70b982 | 2013-04-07 22:00:46 +0200 | [diff] [blame] | 3320 | md( md_info, child->tbs.p, child->tbs.len, hash ); |
Paul Bakker | 915275b | 2012-09-28 07:10:55 +0000 | [diff] [blame] | 3321 | |
Paul Bakker | c70b982 | 2013-04-07 22:00:46 +0200 | [diff] [blame] | 3322 | if( rsa_pkcs1_verify( &trust_ca->rsa, RSA_PUBLIC, child->sig_md, |
Paul Bakker | 915275b | 2012-09-28 07:10:55 +0000 | [diff] [blame] | 3323 | 0, hash, child->sig.p ) != 0 ) |
| 3324 | { |
| 3325 | trust_ca = trust_ca->next; |
| 3326 | continue; |
| 3327 | } |
| 3328 | |
| 3329 | /* |
| 3330 | * Top of chain is signed by a trusted CA |
| 3331 | */ |
| 3332 | *flags &= ~BADCERT_NOT_TRUSTED; |
| 3333 | break; |
| 3334 | } |
| 3335 | |
Paul Bakker | 9a73632 | 2012-11-14 12:39:52 +0000 | [diff] [blame] | 3336 | /* |
Paul Bakker | 3497d8c | 2012-11-24 11:53:17 +0100 | [diff] [blame] | 3337 | * If top of chain is not the same as the trusted CA send a verify request |
| 3338 | * to the callback for any issues with validity and CRL presence for the |
| 3339 | * trusted CA certificate. |
Paul Bakker | 9a73632 | 2012-11-14 12:39:52 +0000 | [diff] [blame] | 3340 | */ |
| 3341 | if( trust_ca != NULL && |
| 3342 | ( child->subject_raw.len != trust_ca->subject_raw.len || |
| 3343 | memcmp( child->subject_raw.p, trust_ca->subject_raw.p, |
| 3344 | child->issuer_raw.len ) != 0 ) ) |
Paul Bakker | 915275b | 2012-09-28 07:10:55 +0000 | [diff] [blame] | 3345 | { |
| 3346 | /* Check trusted CA's CRL for then chain's top crt */ |
| 3347 | *flags |= x509parse_verifycrl( child, trust_ca, ca_crl ); |
| 3348 | |
| 3349 | if( x509parse_time_expired( &trust_ca->valid_to ) ) |
| 3350 | ca_flags |= BADCERT_EXPIRED; |
| 3351 | |
Paul Bakker | 915275b | 2012-09-28 07:10:55 +0000 | [diff] [blame] | 3352 | if( NULL != f_vrfy ) |
| 3353 | { |
Paul Bakker | 9a73632 | 2012-11-14 12:39:52 +0000 | [diff] [blame] | 3354 | if( ( ret = f_vrfy( p_vrfy, trust_ca, path_cnt + 1, &ca_flags ) ) != 0 ) |
Paul Bakker | 915275b | 2012-09-28 07:10:55 +0000 | [diff] [blame] | 3355 | return( ret ); |
| 3356 | } |
| 3357 | } |
| 3358 | |
| 3359 | /* Call callback on top cert */ |
| 3360 | if( NULL != f_vrfy ) |
| 3361 | { |
Paul Bakker | 9a73632 | 2012-11-14 12:39:52 +0000 | [diff] [blame] | 3362 | if( ( ret = f_vrfy(p_vrfy, child, path_cnt, flags ) ) != 0 ) |
Paul Bakker | 915275b | 2012-09-28 07:10:55 +0000 | [diff] [blame] | 3363 | return( ret ); |
| 3364 | } |
| 3365 | |
Paul Bakker | 915275b | 2012-09-28 07:10:55 +0000 | [diff] [blame] | 3366 | *flags |= ca_flags; |
| 3367 | |
| 3368 | return( 0 ); |
| 3369 | } |
| 3370 | |
| 3371 | static int x509parse_verify_child( |
| 3372 | x509_cert *child, x509_cert *parent, x509_cert *trust_ca, |
Paul Bakker | 9a73632 | 2012-11-14 12:39:52 +0000 | [diff] [blame] | 3373 | x509_crl *ca_crl, int path_cnt, int *flags, |
Paul Bakker | 915275b | 2012-09-28 07:10:55 +0000 | [diff] [blame] | 3374 | int (*f_vrfy)(void *, x509_cert *, int, int *), |
| 3375 | void *p_vrfy ) |
| 3376 | { |
Paul Bakker | c70b982 | 2013-04-07 22:00:46 +0200 | [diff] [blame] | 3377 | int ret; |
Paul Bakker | 915275b | 2012-09-28 07:10:55 +0000 | [diff] [blame] | 3378 | int parent_flags = 0; |
Paul Bakker | c70b982 | 2013-04-07 22:00:46 +0200 | [diff] [blame] | 3379 | unsigned char hash[POLARSSL_MD_MAX_SIZE]; |
Paul Bakker | 915275b | 2012-09-28 07:10:55 +0000 | [diff] [blame] | 3380 | x509_cert *grandparent; |
Paul Bakker | c70b982 | 2013-04-07 22:00:46 +0200 | [diff] [blame] | 3381 | const md_info_t *md_info; |
Paul Bakker | 915275b | 2012-09-28 07:10:55 +0000 | [diff] [blame] | 3382 | |
| 3383 | if( x509parse_time_expired( &child->valid_to ) ) |
| 3384 | *flags |= BADCERT_EXPIRED; |
| 3385 | |
Paul Bakker | c70b982 | 2013-04-07 22:00:46 +0200 | [diff] [blame] | 3386 | md_info = md_info_from_type( child->sig_md ); |
| 3387 | if( md_info == NULL ) |
| 3388 | { |
| 3389 | /* |
| 3390 | * Cannot check 'unknown' hash |
| 3391 | */ |
Paul Bakker | 915275b | 2012-09-28 07:10:55 +0000 | [diff] [blame] | 3392 | *flags |= BADCERT_NOT_TRUSTED; |
Paul Bakker | c70b982 | 2013-04-07 22:00:46 +0200 | [diff] [blame] | 3393 | } |
| 3394 | else |
| 3395 | { |
| 3396 | md( md_info, child->tbs.p, child->tbs.len, hash ); |
| 3397 | |
| 3398 | if( rsa_pkcs1_verify( &parent->rsa, RSA_PUBLIC, child->sig_md, 0, hash, |
| 3399 | child->sig.p ) != 0 ) |
| 3400 | *flags |= BADCERT_NOT_TRUSTED; |
| 3401 | } |
| 3402 | |
Paul Bakker | 915275b | 2012-09-28 07:10:55 +0000 | [diff] [blame] | 3403 | /* Check trusted CA's CRL for the given crt */ |
| 3404 | *flags |= x509parse_verifycrl(child, parent, ca_crl); |
| 3405 | |
| 3406 | grandparent = parent->next; |
| 3407 | |
| 3408 | while( grandparent != NULL ) |
| 3409 | { |
| 3410 | if( grandparent->version == 0 || |
| 3411 | grandparent->ca_istrue == 0 || |
| 3412 | parent->issuer_raw.len != grandparent->subject_raw.len || |
| 3413 | memcmp( parent->issuer_raw.p, grandparent->subject_raw.p, |
| 3414 | parent->issuer_raw.len ) != 0 ) |
| 3415 | { |
| 3416 | grandparent = grandparent->next; |
| 3417 | continue; |
| 3418 | } |
| 3419 | break; |
| 3420 | } |
| 3421 | |
Paul Bakker | 915275b | 2012-09-28 07:10:55 +0000 | [diff] [blame] | 3422 | if( grandparent != NULL ) |
| 3423 | { |
| 3424 | /* |
| 3425 | * Part of the chain |
| 3426 | */ |
Paul Bakker | 9a73632 | 2012-11-14 12:39:52 +0000 | [diff] [blame] | 3427 | ret = x509parse_verify_child( parent, grandparent, trust_ca, ca_crl, path_cnt + 1, &parent_flags, f_vrfy, p_vrfy ); |
Paul Bakker | 915275b | 2012-09-28 07:10:55 +0000 | [diff] [blame] | 3428 | if( ret != 0 ) |
| 3429 | return( ret ); |
| 3430 | } |
| 3431 | else |
| 3432 | { |
Paul Bakker | 9a73632 | 2012-11-14 12:39:52 +0000 | [diff] [blame] | 3433 | ret = x509parse_verify_top( parent, trust_ca, ca_crl, path_cnt + 1, &parent_flags, f_vrfy, p_vrfy ); |
Paul Bakker | 915275b | 2012-09-28 07:10:55 +0000 | [diff] [blame] | 3434 | if( ret != 0 ) |
| 3435 | return( ret ); |
| 3436 | } |
| 3437 | |
| 3438 | /* child is verified to be a child of the parent, call verify callback */ |
| 3439 | if( NULL != f_vrfy ) |
Paul Bakker | 9a73632 | 2012-11-14 12:39:52 +0000 | [diff] [blame] | 3440 | if( ( ret = f_vrfy( p_vrfy, child, path_cnt, flags ) ) != 0 ) |
Paul Bakker | 915275b | 2012-09-28 07:10:55 +0000 | [diff] [blame] | 3441 | return( ret ); |
Paul Bakker | 915275b | 2012-09-28 07:10:55 +0000 | [diff] [blame] | 3442 | |
| 3443 | *flags |= parent_flags; |
| 3444 | |
| 3445 | return( 0 ); |
| 3446 | } |
| 3447 | |
Paul Bakker | 76fd75a | 2011-01-16 21:12:10 +0000 | [diff] [blame] | 3448 | /* |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3449 | * Verify the certificate validity |
| 3450 | */ |
| 3451 | int x509parse_verify( x509_cert *crt, |
| 3452 | x509_cert *trust_ca, |
Paul Bakker | 40ea7de | 2009-05-03 10:18:48 +0000 | [diff] [blame] | 3453 | x509_crl *ca_crl, |
Paul Bakker | b63b0af | 2011-01-13 17:54:59 +0000 | [diff] [blame] | 3454 | const char *cn, int *flags, |
Paul Bakker | 915275b | 2012-09-28 07:10:55 +0000 | [diff] [blame] | 3455 | int (*f_vrfy)(void *, x509_cert *, int, int *), |
Paul Bakker | b63b0af | 2011-01-13 17:54:59 +0000 | [diff] [blame] | 3456 | void *p_vrfy ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3457 | { |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 3458 | size_t cn_len; |
Paul Bakker | 915275b | 2012-09-28 07:10:55 +0000 | [diff] [blame] | 3459 | int ret; |
Paul Bakker | 9a73632 | 2012-11-14 12:39:52 +0000 | [diff] [blame] | 3460 | int pathlen = 0; |
Paul Bakker | 76fd75a | 2011-01-16 21:12:10 +0000 | [diff] [blame] | 3461 | x509_cert *parent; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3462 | x509_name *name; |
Paul Bakker | a8cd239 | 2012-02-11 16:09:32 +0000 | [diff] [blame] | 3463 | x509_sequence *cur = NULL; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3464 | |
Paul Bakker | 40ea7de | 2009-05-03 10:18:48 +0000 | [diff] [blame] | 3465 | *flags = 0; |
| 3466 | |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3467 | if( cn != NULL ) |
| 3468 | { |
| 3469 | name = &crt->subject; |
| 3470 | cn_len = strlen( cn ); |
| 3471 | |
Paul Bakker | 4d2c124 | 2012-05-10 14:12:46 +0000 | [diff] [blame] | 3472 | if( crt->ext_types & EXT_SUBJECT_ALT_NAME ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3473 | { |
Paul Bakker | 4d2c124 | 2012-05-10 14:12:46 +0000 | [diff] [blame] | 3474 | cur = &crt->subject_alt_names; |
| 3475 | |
| 3476 | while( cur != NULL ) |
Paul Bakker | a8cd239 | 2012-02-11 16:09:32 +0000 | [diff] [blame] | 3477 | { |
Paul Bakker | 535e97d | 2012-08-23 10:49:55 +0000 | [diff] [blame] | 3478 | if( cur->buf.len == cn_len && |
| 3479 | memcmp( cn, cur->buf.p, cn_len ) == 0 ) |
Paul Bakker | a8cd239 | 2012-02-11 16:09:32 +0000 | [diff] [blame] | 3480 | break; |
| 3481 | |
Paul Bakker | 535e97d | 2012-08-23 10:49:55 +0000 | [diff] [blame] | 3482 | if( cur->buf.len > 2 && |
| 3483 | memcmp( cur->buf.p, "*.", 2 ) == 0 && |
Paul Bakker | 4d2c124 | 2012-05-10 14:12:46 +0000 | [diff] [blame] | 3484 | x509_wildcard_verify( cn, &cur->buf ) ) |
Paul Bakker | a8cd239 | 2012-02-11 16:09:32 +0000 | [diff] [blame] | 3485 | break; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3486 | |
Paul Bakker | 4d2c124 | 2012-05-10 14:12:46 +0000 | [diff] [blame] | 3487 | cur = cur->next; |
Paul Bakker | a8cd239 | 2012-02-11 16:09:32 +0000 | [diff] [blame] | 3488 | } |
| 3489 | |
| 3490 | if( cur == NULL ) |
| 3491 | *flags |= BADCERT_CN_MISMATCH; |
| 3492 | } |
Paul Bakker | 4d2c124 | 2012-05-10 14:12:46 +0000 | [diff] [blame] | 3493 | else |
| 3494 | { |
| 3495 | while( name != NULL ) |
| 3496 | { |
Paul Bakker | c70b982 | 2013-04-07 22:00:46 +0200 | [diff] [blame] | 3497 | if( OID_CMP( OID_AT_CN, &name->oid ) ) |
Paul Bakker | 4d2c124 | 2012-05-10 14:12:46 +0000 | [diff] [blame] | 3498 | { |
Paul Bakker | 535e97d | 2012-08-23 10:49:55 +0000 | [diff] [blame] | 3499 | if( name->val.len == cn_len && |
| 3500 | memcmp( name->val.p, cn, cn_len ) == 0 ) |
Paul Bakker | 4d2c124 | 2012-05-10 14:12:46 +0000 | [diff] [blame] | 3501 | break; |
| 3502 | |
Paul Bakker | 535e97d | 2012-08-23 10:49:55 +0000 | [diff] [blame] | 3503 | if( name->val.len > 2 && |
| 3504 | memcmp( name->val.p, "*.", 2 ) == 0 && |
Paul Bakker | 4d2c124 | 2012-05-10 14:12:46 +0000 | [diff] [blame] | 3505 | x509_wildcard_verify( cn, &name->val ) ) |
| 3506 | break; |
| 3507 | } |
| 3508 | |
| 3509 | name = name->next; |
| 3510 | } |
| 3511 | |
| 3512 | if( name == NULL ) |
| 3513 | *flags |= BADCERT_CN_MISMATCH; |
| 3514 | } |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3515 | } |
| 3516 | |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3517 | /* |
Paul Bakker | 915275b | 2012-09-28 07:10:55 +0000 | [diff] [blame] | 3518 | * Iterate upwards in the given cert chain, to find our crt parent. |
| 3519 | * Ignore any upper cert with CA != TRUE. |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3520 | */ |
Paul Bakker | 76fd75a | 2011-01-16 21:12:10 +0000 | [diff] [blame] | 3521 | parent = crt->next; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3522 | |
Paul Bakker | 76fd75a | 2011-01-16 21:12:10 +0000 | [diff] [blame] | 3523 | while( parent != NULL && parent->version != 0 ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3524 | { |
Paul Bakker | 76fd75a | 2011-01-16 21:12:10 +0000 | [diff] [blame] | 3525 | if( parent->ca_istrue == 0 || |
| 3526 | crt->issuer_raw.len != parent->subject_raw.len || |
| 3527 | memcmp( crt->issuer_raw.p, parent->subject_raw.p, |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3528 | crt->issuer_raw.len ) != 0 ) |
| 3529 | { |
Paul Bakker | 76fd75a | 2011-01-16 21:12:10 +0000 | [diff] [blame] | 3530 | parent = parent->next; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3531 | continue; |
| 3532 | } |
Paul Bakker | 915275b | 2012-09-28 07:10:55 +0000 | [diff] [blame] | 3533 | break; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3534 | } |
| 3535 | |
Paul Bakker | 915275b | 2012-09-28 07:10:55 +0000 | [diff] [blame] | 3536 | if( parent != NULL ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3537 | { |
Paul Bakker | 915275b | 2012-09-28 07:10:55 +0000 | [diff] [blame] | 3538 | /* |
| 3539 | * Part of the chain |
| 3540 | */ |
Paul Bakker | 9a73632 | 2012-11-14 12:39:52 +0000 | [diff] [blame] | 3541 | ret = x509parse_verify_child( crt, parent, trust_ca, ca_crl, pathlen, flags, f_vrfy, p_vrfy ); |
Paul Bakker | 915275b | 2012-09-28 07:10:55 +0000 | [diff] [blame] | 3542 | if( ret != 0 ) |
| 3543 | return( ret ); |
| 3544 | } |
| 3545 | else |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 3546 | { |
Paul Bakker | 9a73632 | 2012-11-14 12:39:52 +0000 | [diff] [blame] | 3547 | ret = x509parse_verify_top( crt, trust_ca, ca_crl, pathlen, flags, f_vrfy, p_vrfy ); |
Paul Bakker | 915275b | 2012-09-28 07:10:55 +0000 | [diff] [blame] | 3548 | if( ret != 0 ) |
| 3549 | return( ret ); |
Paul Bakker | b63b0af | 2011-01-13 17:54:59 +0000 | [diff] [blame] | 3550 | } |
Paul Bakker | 915275b | 2012-09-28 07:10:55 +0000 | [diff] [blame] | 3551 | |
| 3552 | if( *flags != 0 ) |
Paul Bakker | 76fd75a | 2011-01-16 21:12:10 +0000 | [diff] [blame] | 3553 | return( POLARSSL_ERR_X509_CERT_VERIFY_FAILED ); |
Paul Bakker | b63b0af | 2011-01-13 17:54:59 +0000 | [diff] [blame] | 3554 | |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3555 | return( 0 ); |
| 3556 | } |
| 3557 | |
| 3558 | /* |
| 3559 | * Unallocate all certificate data |
| 3560 | */ |
| 3561 | void x509_free( x509_cert *crt ) |
| 3562 | { |
| 3563 | x509_cert *cert_cur = crt; |
| 3564 | x509_cert *cert_prv; |
| 3565 | x509_name *name_cur; |
| 3566 | x509_name *name_prv; |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 3567 | x509_sequence *seq_cur; |
| 3568 | x509_sequence *seq_prv; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3569 | |
| 3570 | if( crt == NULL ) |
| 3571 | return; |
| 3572 | |
| 3573 | do |
| 3574 | { |
| 3575 | rsa_free( &cert_cur->rsa ); |
| 3576 | |
| 3577 | name_cur = cert_cur->issuer.next; |
| 3578 | while( name_cur != NULL ) |
| 3579 | { |
| 3580 | name_prv = name_cur; |
| 3581 | name_cur = name_cur->next; |
| 3582 | memset( name_prv, 0, sizeof( x509_name ) ); |
Paul Bakker | 6e339b5 | 2013-07-03 13:37:05 +0200 | [diff] [blame] | 3583 | polarssl_free( name_prv ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3584 | } |
| 3585 | |
| 3586 | name_cur = cert_cur->subject.next; |
| 3587 | while( name_cur != NULL ) |
| 3588 | { |
| 3589 | name_prv = name_cur; |
| 3590 | name_cur = name_cur->next; |
| 3591 | memset( name_prv, 0, sizeof( x509_name ) ); |
Paul Bakker | 6e339b5 | 2013-07-03 13:37:05 +0200 | [diff] [blame] | 3592 | polarssl_free( name_prv ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3593 | } |
| 3594 | |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 3595 | seq_cur = cert_cur->ext_key_usage.next; |
| 3596 | while( seq_cur != NULL ) |
| 3597 | { |
| 3598 | seq_prv = seq_cur; |
| 3599 | seq_cur = seq_cur->next; |
| 3600 | memset( seq_prv, 0, sizeof( x509_sequence ) ); |
Paul Bakker | 6e339b5 | 2013-07-03 13:37:05 +0200 | [diff] [blame] | 3601 | polarssl_free( seq_prv ); |
Paul Bakker | 74111d3 | 2011-01-15 16:57:55 +0000 | [diff] [blame] | 3602 | } |
| 3603 | |
Paul Bakker | 8afa70d | 2012-02-11 18:42:45 +0000 | [diff] [blame] | 3604 | seq_cur = cert_cur->subject_alt_names.next; |
| 3605 | while( seq_cur != NULL ) |
| 3606 | { |
| 3607 | seq_prv = seq_cur; |
| 3608 | seq_cur = seq_cur->next; |
| 3609 | memset( seq_prv, 0, sizeof( x509_sequence ) ); |
Paul Bakker | 6e339b5 | 2013-07-03 13:37:05 +0200 | [diff] [blame] | 3610 | polarssl_free( seq_prv ); |
Paul Bakker | 8afa70d | 2012-02-11 18:42:45 +0000 | [diff] [blame] | 3611 | } |
| 3612 | |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3613 | if( cert_cur->raw.p != NULL ) |
| 3614 | { |
| 3615 | memset( cert_cur->raw.p, 0, cert_cur->raw.len ); |
Paul Bakker | 6e339b5 | 2013-07-03 13:37:05 +0200 | [diff] [blame] | 3616 | polarssl_free( cert_cur->raw.p ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3617 | } |
| 3618 | |
| 3619 | cert_cur = cert_cur->next; |
| 3620 | } |
| 3621 | while( cert_cur != NULL ); |
| 3622 | |
| 3623 | cert_cur = crt; |
| 3624 | do |
| 3625 | { |
| 3626 | cert_prv = cert_cur; |
| 3627 | cert_cur = cert_cur->next; |
| 3628 | |
| 3629 | memset( cert_prv, 0, sizeof( x509_cert ) ); |
| 3630 | if( cert_prv != crt ) |
Paul Bakker | 6e339b5 | 2013-07-03 13:37:05 +0200 | [diff] [blame] | 3631 | polarssl_free( cert_prv ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3632 | } |
| 3633 | while( cert_cur != NULL ); |
| 3634 | } |
| 3635 | |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 3636 | /* |
| 3637 | * Unallocate all CRL data |
| 3638 | */ |
| 3639 | void x509_crl_free( x509_crl *crl ) |
| 3640 | { |
| 3641 | x509_crl *crl_cur = crl; |
| 3642 | x509_crl *crl_prv; |
| 3643 | x509_name *name_cur; |
| 3644 | x509_name *name_prv; |
| 3645 | x509_crl_entry *entry_cur; |
| 3646 | x509_crl_entry *entry_prv; |
| 3647 | |
| 3648 | if( crl == NULL ) |
| 3649 | return; |
| 3650 | |
| 3651 | do |
| 3652 | { |
| 3653 | name_cur = crl_cur->issuer.next; |
| 3654 | while( name_cur != NULL ) |
| 3655 | { |
| 3656 | name_prv = name_cur; |
| 3657 | name_cur = name_cur->next; |
| 3658 | memset( name_prv, 0, sizeof( x509_name ) ); |
Paul Bakker | 6e339b5 | 2013-07-03 13:37:05 +0200 | [diff] [blame] | 3659 | polarssl_free( name_prv ); |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 3660 | } |
| 3661 | |
| 3662 | entry_cur = crl_cur->entry.next; |
| 3663 | while( entry_cur != NULL ) |
| 3664 | { |
| 3665 | entry_prv = entry_cur; |
| 3666 | entry_cur = entry_cur->next; |
| 3667 | memset( entry_prv, 0, sizeof( x509_crl_entry ) ); |
Paul Bakker | 6e339b5 | 2013-07-03 13:37:05 +0200 | [diff] [blame] | 3668 | polarssl_free( entry_prv ); |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 3669 | } |
| 3670 | |
| 3671 | if( crl_cur->raw.p != NULL ) |
| 3672 | { |
| 3673 | memset( crl_cur->raw.p, 0, crl_cur->raw.len ); |
Paul Bakker | 6e339b5 | 2013-07-03 13:37:05 +0200 | [diff] [blame] | 3674 | polarssl_free( crl_cur->raw.p ); |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 3675 | } |
| 3676 | |
| 3677 | crl_cur = crl_cur->next; |
| 3678 | } |
| 3679 | while( crl_cur != NULL ); |
| 3680 | |
| 3681 | crl_cur = crl; |
| 3682 | do |
| 3683 | { |
| 3684 | crl_prv = crl_cur; |
| 3685 | crl_cur = crl_cur->next; |
| 3686 | |
| 3687 | memset( crl_prv, 0, sizeof( x509_crl ) ); |
| 3688 | if( crl_prv != crl ) |
Paul Bakker | 6e339b5 | 2013-07-03 13:37:05 +0200 | [diff] [blame] | 3689 | polarssl_free( crl_prv ); |
Paul Bakker | d98030e | 2009-05-02 15:13:40 +0000 | [diff] [blame] | 3690 | } |
| 3691 | while( crl_cur != NULL ); |
| 3692 | } |
| 3693 | |
Paul Bakker | 40e4694 | 2009-01-03 21:51:57 +0000 | [diff] [blame] | 3694 | #if defined(POLARSSL_SELF_TEST) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3695 | |
Paul Bakker | 40e4694 | 2009-01-03 21:51:57 +0000 | [diff] [blame] | 3696 | #include "polarssl/certs.h" |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3697 | |
| 3698 | /* |
| 3699 | * Checkup routine |
| 3700 | */ |
| 3701 | int x509_self_test( int verbose ) |
| 3702 | { |
Paul Bakker | 5690efc | 2011-05-26 13:16:06 +0000 | [diff] [blame] | 3703 | #if defined(POLARSSL_CERTS_C) && defined(POLARSSL_MD5_C) |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 3704 | int ret; |
| 3705 | int flags; |
| 3706 | size_t i, j; |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3707 | x509_cert cacert; |
| 3708 | x509_cert clicert; |
| 3709 | rsa_context rsa; |
Paul Bakker | 5690efc | 2011-05-26 13:16:06 +0000 | [diff] [blame] | 3710 | #if defined(POLARSSL_DHM_C) |
Paul Bakker | 1b57b06 | 2011-01-06 15:48:19 +0000 | [diff] [blame] | 3711 | dhm_context dhm; |
Paul Bakker | 5690efc | 2011-05-26 13:16:06 +0000 | [diff] [blame] | 3712 | #endif |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3713 | |
| 3714 | if( verbose != 0 ) |
| 3715 | printf( " X.509 certificate load: " ); |
| 3716 | |
| 3717 | memset( &clicert, 0, sizeof( x509_cert ) ); |
| 3718 | |
Paul Bakker | 3c2122f | 2013-06-24 19:03:14 +0200 | [diff] [blame] | 3719 | ret = x509parse_crt( &clicert, (const unsigned char *) test_cli_crt, |
Paul Bakker | 69e095c | 2011-12-10 21:55:01 +0000 | [diff] [blame] | 3720 | strlen( test_cli_crt ) ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3721 | if( ret != 0 ) |
| 3722 | { |
| 3723 | if( verbose != 0 ) |
| 3724 | printf( "failed\n" ); |
| 3725 | |
| 3726 | return( ret ); |
| 3727 | } |
| 3728 | |
| 3729 | memset( &cacert, 0, sizeof( x509_cert ) ); |
| 3730 | |
Paul Bakker | 3c2122f | 2013-06-24 19:03:14 +0200 | [diff] [blame] | 3731 | ret = x509parse_crt( &cacert, (const unsigned char *) test_ca_crt, |
Paul Bakker | 69e095c | 2011-12-10 21:55:01 +0000 | [diff] [blame] | 3732 | strlen( test_ca_crt ) ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3733 | if( ret != 0 ) |
| 3734 | { |
| 3735 | if( verbose != 0 ) |
| 3736 | printf( "failed\n" ); |
| 3737 | |
| 3738 | return( ret ); |
| 3739 | } |
| 3740 | |
| 3741 | if( verbose != 0 ) |
| 3742 | printf( "passed\n X.509 private key load: " ); |
| 3743 | |
| 3744 | i = strlen( test_ca_key ); |
| 3745 | j = strlen( test_ca_pwd ); |
| 3746 | |
Paul Bakker | 66b78b2 | 2011-03-25 14:22:50 +0000 | [diff] [blame] | 3747 | rsa_init( &rsa, RSA_PKCS_V15, 0 ); |
| 3748 | |
Manuel Pégourié-Gonnard | ba4878a | 2013-06-27 10:51:01 +0200 | [diff] [blame] | 3749 | if( ( ret = x509parse_key_rsa( &rsa, |
Paul Bakker | 3c2122f | 2013-06-24 19:03:14 +0200 | [diff] [blame] | 3750 | (const unsigned char *) test_ca_key, i, |
| 3751 | (const unsigned char *) test_ca_pwd, j ) ) != 0 ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3752 | { |
| 3753 | if( verbose != 0 ) |
| 3754 | printf( "failed\n" ); |
| 3755 | |
| 3756 | return( ret ); |
| 3757 | } |
| 3758 | |
| 3759 | if( verbose != 0 ) |
| 3760 | printf( "passed\n X.509 signature verify: "); |
| 3761 | |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 3762 | ret = x509parse_verify( &clicert, &cacert, NULL, "PolarSSL Client 2", &flags, NULL, NULL ); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3763 | if( ret != 0 ) |
| 3764 | { |
Paul Bakker | 23986e5 | 2011-04-24 08:57:21 +0000 | [diff] [blame] | 3765 | printf("%02x", flags); |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3766 | if( verbose != 0 ) |
| 3767 | printf( "failed\n" ); |
| 3768 | |
| 3769 | return( ret ); |
| 3770 | } |
| 3771 | |
Paul Bakker | 5690efc | 2011-05-26 13:16:06 +0000 | [diff] [blame] | 3772 | #if defined(POLARSSL_DHM_C) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3773 | if( verbose != 0 ) |
Paul Bakker | 1b57b06 | 2011-01-06 15:48:19 +0000 | [diff] [blame] | 3774 | printf( "passed\n X.509 DHM parameter load: " ); |
| 3775 | |
| 3776 | i = strlen( test_dhm_params ); |
| 3777 | j = strlen( test_ca_pwd ); |
| 3778 | |
Paul Bakker | 3c2122f | 2013-06-24 19:03:14 +0200 | [diff] [blame] | 3779 | if( ( ret = x509parse_dhm( &dhm, (const unsigned char *) test_dhm_params, i ) ) != 0 ) |
Paul Bakker | 1b57b06 | 2011-01-06 15:48:19 +0000 | [diff] [blame] | 3780 | { |
| 3781 | if( verbose != 0 ) |
| 3782 | printf( "failed\n" ); |
| 3783 | |
| 3784 | return( ret ); |
| 3785 | } |
| 3786 | |
| 3787 | if( verbose != 0 ) |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3788 | printf( "passed\n\n" ); |
Paul Bakker | 5690efc | 2011-05-26 13:16:06 +0000 | [diff] [blame] | 3789 | #endif |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3790 | |
| 3791 | x509_free( &cacert ); |
| 3792 | x509_free( &clicert ); |
| 3793 | rsa_free( &rsa ); |
Paul Bakker | 5690efc | 2011-05-26 13:16:06 +0000 | [diff] [blame] | 3794 | #if defined(POLARSSL_DHM_C) |
Paul Bakker | 1b57b06 | 2011-01-06 15:48:19 +0000 | [diff] [blame] | 3795 | dhm_free( &dhm ); |
Paul Bakker | 5690efc | 2011-05-26 13:16:06 +0000 | [diff] [blame] | 3796 | #endif |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3797 | |
| 3798 | return( 0 ); |
Paul Bakker | de4d2ea | 2009-10-03 19:58:52 +0000 | [diff] [blame] | 3799 | #else |
| 3800 | ((void) verbose); |
| 3801 | return( POLARSSL_ERR_X509_FEATURE_UNAVAILABLE ); |
| 3802 | #endif |
Paul Bakker | 5121ce5 | 2009-01-03 21:22:43 +0000 | [diff] [blame] | 3803 | } |
| 3804 | |
| 3805 | #endif |
| 3806 | |
| 3807 | #endif |