Blame - library/x509.c - mirror/mbed-tls - TrustedFirmware Git Browser

blob: 5466ca5e516b847a41be0ed7869fad3353998fb2 [file] [log] [blame]

Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1	/*
Manuel Pégourié-Gonnard	1c082f3	2014-06-12 22:34:55 +0200	[diff] [blame]	2	* X.509 common functions for parsing and verification
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	3	*
Manuel Pégourié-Gonnard	a658a40	2015-01-23 09:45:19 +0000	[diff] [blame]	4	* Copyright (C) 2006-2014, ARM Limited, All Rights Reserved
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	5	*
Manuel Pégourié-Gonnard	fe44643	2015-03-06 13:17:10 +0000	[diff] [blame]	6	* This file is part of mbed TLS (https://tls.mbed.org)
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	7	*
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	8	* This program is free software; you can redistribute it and/or modify
				9	* it under the terms of the GNU General Public License as published by
				10	* the Free Software Foundation; either version 2 of the License, or
				11	* (at your option) any later version.
				12	*
				13	* This program is distributed in the hope that it will be useful,
				14	* but WITHOUT ANY WARRANTY; without even the implied warranty of
				15	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
				16	* GNU General Public License for more details.
				17	*
				18	* You should have received a copy of the GNU General Public License along
				19	* with this program; if not, write to the Free Software Foundation, Inc.,
				20	* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
				21	*/
				22	/*
				23	* The ITU-T X.509 standard defines a certificate format for PKI.
				24	*
Manuel Pégourié-Gonnard	1c082f3	2014-06-12 22:34:55 +0200	[diff] [blame]	25	* http://www.ietf.org/rfc/rfc5280.txt (Certificates and CRLs)
				26	* http://www.ietf.org/rfc/rfc3279.txt (Alg IDs for CRLs)
				27	* http://www.ietf.org/rfc/rfc2986.txt (CSRs, aka PKCS#10)
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	28	*
				29	* http://www.itu.int/ITU-T/studygroups/com17/languages/X.680-0207.pdf
				30	* http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf
				31	*/
				32
Manuel Pégourié-Gonnard	cef4ad2	2014-04-29 12:39:06 +0200	[diff] [blame]	33	#if !defined(POLARSSL_CONFIG_FILE)
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	34	#include "polarssl/config.h"
Manuel Pégourié-Gonnard	cef4ad2	2014-04-29 12:39:06 +0200	[diff] [blame]	35	#else
				36	#include POLARSSL_CONFIG_FILE
				37	#endif
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	38
				39	#if defined(POLARSSL_X509_USE_C)
				40
				41	#include "polarssl/x509.h"
				42	#include "polarssl/asn1.h"
				43	#include "polarssl/oid.h"
Rich Evans	00ab470	2015-02-06 13:43:58 +0000	[diff] [blame]	44
Rich Evans	36796df	2015-02-12 18:27:14 +0000	[diff] [blame]	45	#include <stdio.h>
Rich Evans	00ab470	2015-02-06 13:43:58 +0000	[diff] [blame]	46	#include <string.h>
				47
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	48	#if defined(POLARSSL_PEM_PARSE_C)
				49	#include "polarssl/pem.h"
				50	#endif
				51
Paul Bakker	7dc4c44	2014-02-01 22:50:26 +0100	[diff] [blame]	52	#if defined(POLARSSL_PLATFORM_C)
				53	#include "polarssl/platform.h"
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	54	#else
Rich Evans	00ab470	2015-02-06 13:43:58 +0000	[diff] [blame]	55	#include <stdio.h>
				56	#include <stdlib.h>
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	57	#define polarssl_free free
Rich Evans	fac657f	2015-01-30 11:00:01 +0000	[diff] [blame]	58	#define polarssl_malloc malloc
				59	#define polarssl_printf printf
				60	#define polarssl_snprintf snprintf
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	61	#endif
				62
Paul Bakker	fa6a620	2013-10-28 18:48:30 +0100	[diff] [blame]	63	#if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	64	#include <windows.h>
				65	#else
				66	#include <time.h>
				67	#endif
				68
				69	#if defined(POLARSSL_FS_IO)
Rich Evans	36796df	2015-02-12 18:27:14 +0000	[diff] [blame]	70	#include <stdio.h>
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	71	#if !defined(_WIN32)
				72	#include <sys/types.h>
				73	#include <sys/stat.h>
				74	#include <dirent.h>
				75	#endif
				76	#endif
				77
Rich Evans	7d5a55a	2015-02-13 11:48:02 +0000	[diff] [blame]	78	#define CHECK(code) if( ( ret = code ) != 0 ){ return( ret ); }
Andres AG	0da3e44	2016-09-23 13:16:02 +0100	[diff] [blame]	79	#define CHECK_RANGE(min, max, val) if( val < min \|\| val > max ){ return( ret ); }
Rich Evans	7d5a55a	2015-02-13 11:48:02 +0000	[diff] [blame]	80
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	81	/*
				82	* CertificateSerialNumber ::= INTEGER
				83	*/
				84	int x509_get_serial( unsigned char *p, const unsigned char end,
				85	x509_buf *serial )
				86	{
				87	int ret;
				88
				89	if( ( end - *p ) < 1 )
Paul Bakker	5187656	2013-09-17 14:36:05 +0200	[diff] [blame]	90	return( POLARSSL_ERR_X509_INVALID_SERIAL +
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	91	POLARSSL_ERR_ASN1_OUT_OF_DATA );
				92
				93	if( **p != ( ASN1_CONTEXT_SPECIFIC \| ASN1_PRIMITIVE \| 2 ) &&
				94	**p != ASN1_INTEGER )
Paul Bakker	5187656	2013-09-17 14:36:05 +0200	[diff] [blame]	95	return( POLARSSL_ERR_X509_INVALID_SERIAL +
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	96	POLARSSL_ERR_ASN1_UNEXPECTED_TAG );
				97
				98	serial->tag = (p)++;
				99
				100	if( ( ret = asn1_get_len( p, end, &serial->len ) ) != 0 )
Paul Bakker	5187656	2013-09-17 14:36:05 +0200	[diff] [blame]	101	return( POLARSSL_ERR_X509_INVALID_SERIAL + ret );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	102
				103	serial->p = *p;
				104	*p += serial->len;
				105
				106	return( 0 );
				107	}
				108
				109	/* Get an algorithm identifier without parameters (eg for signatures)
				110	*
				111	* AlgorithmIdentifier ::= SEQUENCE {
				112	* algorithm OBJECT IDENTIFIER,
				113	* parameters ANY DEFINED BY algorithm OPTIONAL }
				114	*/
				115	int x509_get_alg_null( unsigned char *p, const unsigned char end,
				116	x509_buf *alg )
				117	{
				118	int ret;
				119
				120	if( ( ret = asn1_get_alg_null( p, end, alg ) ) != 0 )
Paul Bakker	5187656	2013-09-17 14:36:05 +0200	[diff] [blame]	121	return( POLARSSL_ERR_X509_INVALID_ALG + ret );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	122
				123	return( 0 );
				124	}
				125
				126	/*
Manuel Pégourié-Gonnard	59a75d5	2014-01-22 10:12:57 +0100	[diff] [blame]	127	* Parse an algorithm identifier with (optional) paramaters
				128	*/
				129	int x509_get_alg( unsigned char *p, const unsigned char end,
				130	x509_buf alg, x509_buf params )
				131	{
				132	int ret;
				133
				134	if( ( ret = asn1_get_alg( p, end, alg, params ) ) != 0 )
				135	return( POLARSSL_ERR_X509_INVALID_ALG + ret );
				136
				137	return( 0 );
				138	}
				139
Manuel Pégourié-Gonnard	d1539b1	2014-06-06 16:42:37 +0200	[diff] [blame]	140	#if defined(POLARSSL_X509_RSASSA_PSS_SUPPORT)
Manuel Pégourié-Gonnard	59a75d5	2014-01-22 10:12:57 +0100	[diff] [blame]	141	/*
Manuel Pégourié-Gonnard	e76b750	2014-01-23 19:15:29 +0100	[diff] [blame]	142	* HashAlgorithm ::= AlgorithmIdentifier
				143	*
				144	* AlgorithmIdentifier ::= SEQUENCE {
				145	* algorithm OBJECT IDENTIFIER,
				146	* parameters ANY DEFINED BY algorithm OPTIONAL }
				147	*
				148	* For HashAlgorithm, parameters MUST be NULL or absent.
				149	*/
				150	static int x509_get_hash_alg( const x509_buf alg, md_type_t md_alg )
				151	{
				152	int ret;
				153	unsigned char *p;
				154	const unsigned char *end;
				155	x509_buf md_oid;
				156	size_t len;
				157
				158	/* Make sure we got a SEQUENCE and setup bounds */
				159	if( alg->tag != ( ASN1_CONSTRUCTED \| ASN1_SEQUENCE ) )
				160	return( POLARSSL_ERR_X509_INVALID_ALG +
				161	POLARSSL_ERR_ASN1_UNEXPECTED_TAG );
				162
				163	p = (unsigned char *) alg->p;
				164	end = p + alg->len;
				165
				166	if( p >= end )
				167	return( POLARSSL_ERR_X509_INVALID_ALG +
				168	POLARSSL_ERR_ASN1_OUT_OF_DATA );
				169
				170	/* Parse md_oid */
				171	md_oid.tag = *p;
				172
				173	if( ( ret = asn1_get_tag( &p, end, &md_oid.len, ASN1_OID ) ) != 0 )
				174	return( POLARSSL_ERR_X509_INVALID_ALG + ret );
				175
				176	md_oid.p = p;
				177	p += md_oid.len;
				178
				179	/* Get md_alg from md_oid */
				180	if( ( ret = oid_get_md_alg( &md_oid, md_alg ) ) != 0 )
				181	return( POLARSSL_ERR_X509_INVALID_ALG + ret );
				182
				183	/* Make sure params is absent of NULL */
				184	if( p == end )
				185	return( 0 );
				186
Manuel Pégourié-Gonnard	9c9cf5b	2014-01-24 14:15:20 +0100	[diff] [blame]	187	if( ( ret = asn1_get_tag( &p, end, &len, ASN1_NULL ) ) != 0 \|\| len != 0 )
Manuel Pégourié-Gonnard	e76b750	2014-01-23 19:15:29 +0100	[diff] [blame]	188	return( POLARSSL_ERR_X509_INVALID_ALG + ret );
				189
				190	if( p != end )
				191	return( POLARSSL_ERR_X509_INVALID_ALG +
				192	POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
				193
				194	return( 0 );
				195	}
				196
				197	/*
Manuel Pégourié-Gonnard	f346bab	2014-01-23 16:24:44 +0100	[diff] [blame]	198	* RSASSA-PSS-params ::= SEQUENCE {
				199	* hashAlgorithm [0] HashAlgorithm DEFAULT sha1Identifier,
				200	* maskGenAlgorithm [1] MaskGenAlgorithm DEFAULT mgf1SHA1Identifier,
				201	* saltLength [2] INTEGER DEFAULT 20,
				202	* trailerField [3] INTEGER DEFAULT 1 }
				203	* -- Note that the tags in this Sequence are explicit.
Manuel Pégourié-Gonnard	78117d5	2014-05-31 17:08:16 +0200	[diff] [blame]	204	*
				205	* RFC 4055 (which defines use of RSASSA-PSS in PKIX) states that the value
				206	* of trailerField MUST be 1, and PKCS#1 v2.2 doesn't even define any other
				207	* option. Enfore this at parsing time.
Manuel Pégourié-Gonnard	f346bab	2014-01-23 16:24:44 +0100	[diff] [blame]	208	*/
				209	int x509_get_rsassa_pss_params( const x509_buf *params,
Manuel Pégourié-Gonnard	e76b750	2014-01-23 19:15:29 +0100	[diff] [blame]	210	md_type_t md_alg, md_type_t mgf_md,
Manuel Pégourié-Gonnard	78117d5	2014-05-31 17:08:16 +0200	[diff] [blame]	211	int *salt_len )
Manuel Pégourié-Gonnard	f346bab	2014-01-23 16:24:44 +0100	[diff] [blame]	212	{
				213	int ret;
				214	unsigned char *p;
Manuel Pégourié-Gonnard	9c9cf5b	2014-01-24 14:15:20 +0100	[diff] [blame]	215	const unsigned char end, end2;
Manuel Pégourié-Gonnard	f346bab	2014-01-23 16:24:44 +0100	[diff] [blame]	216	size_t len;
Manuel Pégourié-Gonnard	e76b750	2014-01-23 19:15:29 +0100	[diff] [blame]	217	x509_buf alg_id, alg_params;
Manuel Pégourié-Gonnard	f346bab	2014-01-23 16:24:44 +0100	[diff] [blame]	218
				219	/* First set everything to defaults */
				220	*md_alg = POLARSSL_MD_SHA1;
Manuel Pégourié-Gonnard	e76b750	2014-01-23 19:15:29 +0100	[diff] [blame]	221	*mgf_md = POLARSSL_MD_SHA1;
Manuel Pégourié-Gonnard	f346bab	2014-01-23 16:24:44 +0100	[diff] [blame]	222	*salt_len = 20;
Manuel Pégourié-Gonnard	f346bab	2014-01-23 16:24:44 +0100	[diff] [blame]	223
				224	/* Make sure params is a SEQUENCE and setup bounds */
				225	if( params->tag != ( ASN1_CONSTRUCTED \| ASN1_SEQUENCE ) )
				226	return( POLARSSL_ERR_X509_INVALID_ALG +
				227	POLARSSL_ERR_ASN1_UNEXPECTED_TAG );
				228
				229	p = (unsigned char *) params->p;
				230	end = p + params->len;
				231
				232	if( p == end )
				233	return( 0 );
				234
Manuel Pégourié-Gonnard	9c9cf5b	2014-01-24 14:15:20 +0100	[diff] [blame]	235	/*
				236	* HashAlgorithm
				237	*/
Manuel Pégourié-Gonnard	f346bab	2014-01-23 16:24:44 +0100	[diff] [blame]	238	if( ( ret = asn1_get_tag( &p, end, &len,
				239	ASN1_CONTEXT_SPECIFIC \| ASN1_CONSTRUCTED \| 0 ) ) == 0 )
				240	{
Manuel Pégourié-Gonnard	9c9cf5b	2014-01-24 14:15:20 +0100	[diff] [blame]	241	end2 = p + len;
				242
Manuel Pégourié-Gonnard	e76b750	2014-01-23 19:15:29 +0100	[diff] [blame]	243	/* HashAlgorithm ::= AlgorithmIdentifier (without parameters) */
Manuel Pégourié-Gonnard	9c9cf5b	2014-01-24 14:15:20 +0100	[diff] [blame]	244	if( ( ret = x509_get_alg_null( &p, end2, &alg_id ) ) != 0 )
Manuel Pégourié-Gonnard	e76b750	2014-01-23 19:15:29 +0100	[diff] [blame]	245	return( ret );
				246
				247	if( ( ret = oid_get_md_alg( &alg_id, md_alg ) ) != 0 )
				248	return( POLARSSL_ERR_X509_INVALID_ALG + ret );
Manuel Pégourié-Gonnard	9c9cf5b	2014-01-24 14:15:20 +0100	[diff] [blame]	249
				250	if( p != end2 )
				251	return( POLARSSL_ERR_X509_INVALID_ALG +
				252	POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
Manuel Pégourié-Gonnard	f346bab	2014-01-23 16:24:44 +0100	[diff] [blame]	253	}
				254	else if( ret != POLARSSL_ERR_ASN1_UNEXPECTED_TAG )
				255	return( POLARSSL_ERR_X509_INVALID_ALG + ret );
				256
Manuel Pégourié-Gonnard	9c9cf5b	2014-01-24 14:15:20 +0100	[diff] [blame]	257	if( p == end )
				258	return( 0 );
				259
				260	/*
				261	* MaskGenAlgorithm
				262	*/
Manuel Pégourié-Gonnard	f346bab	2014-01-23 16:24:44 +0100	[diff] [blame]	263	if( ( ret = asn1_get_tag( &p, end, &len,
				264	ASN1_CONTEXT_SPECIFIC \| ASN1_CONSTRUCTED \| 1 ) ) == 0 )
				265	{
Manuel Pégourié-Gonnard	9c9cf5b	2014-01-24 14:15:20 +0100	[diff] [blame]	266	end2 = p + len;
				267
Manuel Pégourié-Gonnard	e76b750	2014-01-23 19:15:29 +0100	[diff] [blame]	268	/* MaskGenAlgorithm ::= AlgorithmIdentifier (params = HashAlgorithm) */
Manuel Pégourié-Gonnard	9c9cf5b	2014-01-24 14:15:20 +0100	[diff] [blame]	269	if( ( ret = x509_get_alg( &p, end2, &alg_id, &alg_params ) ) != 0 )
Manuel Pégourié-Gonnard	e76b750	2014-01-23 19:15:29 +0100	[diff] [blame]	270	return( ret );
				271
				272	/* Only MFG1 is recognised for now */
				273	if( ! OID_CMP( OID_MGF1, &alg_id ) )
				274	return( POLARSSL_ERR_X509_FEATURE_UNAVAILABLE +
				275	POLARSSL_ERR_OID_NOT_FOUND );
				276
				277	/* Parse HashAlgorithm */
				278	if( ( ret = x509_get_hash_alg( &alg_params, mgf_md ) ) != 0 )
				279	return( ret );
Manuel Pégourié-Gonnard	9c9cf5b	2014-01-24 14:15:20 +0100	[diff] [blame]	280
				281	if( p != end2 )
				282	return( POLARSSL_ERR_X509_INVALID_ALG +
				283	POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
Manuel Pégourié-Gonnard	f346bab	2014-01-23 16:24:44 +0100	[diff] [blame]	284	}
				285	else if( ret != POLARSSL_ERR_ASN1_UNEXPECTED_TAG )
				286	return( POLARSSL_ERR_X509_INVALID_ALG + ret );
				287
				288	if( p == end )
				289	return( 0 );
				290
Manuel Pégourié-Gonnard	9c9cf5b	2014-01-24 14:15:20 +0100	[diff] [blame]	291	/*
				292	* salt_len
				293	*/
Manuel Pégourié-Gonnard	f346bab	2014-01-23 16:24:44 +0100	[diff] [blame]	294	if( ( ret = asn1_get_tag( &p, end, &len,
				295	ASN1_CONTEXT_SPECIFIC \| ASN1_CONSTRUCTED \| 2 ) ) == 0 )
				296	{
Manuel Pégourié-Gonnard	9c9cf5b	2014-01-24 14:15:20 +0100	[diff] [blame]	297	end2 = p + len;
				298
				299	if( ( ret = asn1_get_int( &p, end2, salt_len ) ) != 0 )
Manuel Pégourié-Gonnard	f346bab	2014-01-23 16:24:44 +0100	[diff] [blame]	300	return( POLARSSL_ERR_X509_INVALID_ALG + ret );
Manuel Pégourié-Gonnard	9c9cf5b	2014-01-24 14:15:20 +0100	[diff] [blame]	301
				302	if( p != end2 )
				303	return( POLARSSL_ERR_X509_INVALID_ALG +
				304	POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
Manuel Pégourié-Gonnard	f346bab	2014-01-23 16:24:44 +0100	[diff] [blame]	305	}
				306	else if( ret != POLARSSL_ERR_ASN1_UNEXPECTED_TAG )
				307	return( POLARSSL_ERR_X509_INVALID_ALG + ret );
				308
				309	if( p == end )
				310	return( 0 );
				311
Manuel Pégourié-Gonnard	9c9cf5b	2014-01-24 14:15:20 +0100	[diff] [blame]	312	/*
Manuel Pégourié-Gonnard	78117d5	2014-05-31 17:08:16 +0200	[diff] [blame]	313	* trailer_field (if present, must be 1)
Manuel Pégourié-Gonnard	9c9cf5b	2014-01-24 14:15:20 +0100	[diff] [blame]	314	*/
Manuel Pégourié-Gonnard	f346bab	2014-01-23 16:24:44 +0100	[diff] [blame]	315	if( ( ret = asn1_get_tag( &p, end, &len,
				316	ASN1_CONTEXT_SPECIFIC \| ASN1_CONSTRUCTED \| 3 ) ) == 0 )
				317	{
Manuel Pégourié-Gonnard	78117d5	2014-05-31 17:08:16 +0200	[diff] [blame]	318	int trailer_field;
				319
Manuel Pégourié-Gonnard	9c9cf5b	2014-01-24 14:15:20 +0100	[diff] [blame]	320	end2 = p + len;
				321
Manuel Pégourié-Gonnard	78117d5	2014-05-31 17:08:16 +0200	[diff] [blame]	322	if( ( ret = asn1_get_int( &p, end2, &trailer_field ) ) != 0 )
Manuel Pégourié-Gonnard	f346bab	2014-01-23 16:24:44 +0100	[diff] [blame]	323	return( POLARSSL_ERR_X509_INVALID_ALG + ret );
Manuel Pégourié-Gonnard	9c9cf5b	2014-01-24 14:15:20 +0100	[diff] [blame]	324
				325	if( p != end2 )
				326	return( POLARSSL_ERR_X509_INVALID_ALG +
				327	POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
Manuel Pégourié-Gonnard	78117d5	2014-05-31 17:08:16 +0200	[diff] [blame]	328
				329	if( trailer_field != 1 )
				330	return( POLARSSL_ERR_X509_INVALID_ALG );
Manuel Pégourié-Gonnard	f346bab	2014-01-23 16:24:44 +0100	[diff] [blame]	331	}
				332	else if( ret != POLARSSL_ERR_ASN1_UNEXPECTED_TAG )
				333	return( POLARSSL_ERR_X509_INVALID_ALG + ret );
				334
				335	if( p != end )
				336	return( POLARSSL_ERR_X509_INVALID_ALG +
				337	POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
				338
				339	return( 0 );
				340	}
Manuel Pégourié-Gonnard	d1539b1	2014-06-06 16:42:37 +0200	[diff] [blame]	341	#endif /* POLARSSL_X509_RSASSA_PSS_SUPPORT */
Manuel Pégourié-Gonnard	f346bab	2014-01-23 16:24:44 +0100	[diff] [blame]	342
				343	/*
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	344	* AttributeTypeAndValue ::= SEQUENCE {
				345	* type AttributeType,
				346	* value AttributeValue }
				347	*
				348	* AttributeType ::= OBJECT IDENTIFIER
				349	*
				350	* AttributeValue ::= ANY DEFINED BY AttributeType
				351	*/
				352	static int x509_get_attr_type_value( unsigned char **p,
				353	const unsigned char *end,
				354	x509_name *cur )
				355	{
				356	int ret;
				357	size_t len;
				358	x509_buf *oid;
				359	x509_buf *val;
				360
				361	if( ( ret = asn1_get_tag( p, end, &len,
				362	ASN1_CONSTRUCTED \| ASN1_SEQUENCE ) ) != 0 )
Paul Bakker	5187656	2013-09-17 14:36:05 +0200	[diff] [blame]	363	return( POLARSSL_ERR_X509_INVALID_NAME + ret );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	364
				365	if( ( end - *p ) < 1 )
Paul Bakker	5187656	2013-09-17 14:36:05 +0200	[diff] [blame]	366	return( POLARSSL_ERR_X509_INVALID_NAME +
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	367	POLARSSL_ERR_ASN1_OUT_OF_DATA );
				368
				369	oid = &cur->oid;
				370	oid->tag = **p;
				371
				372	if( ( ret = asn1_get_tag( p, end, &oid->len, ASN1_OID ) ) != 0 )
Paul Bakker	5187656	2013-09-17 14:36:05 +0200	[diff] [blame]	373	return( POLARSSL_ERR_X509_INVALID_NAME + ret );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	374
				375	oid->p = *p;
				376	*p += oid->len;
				377
				378	if( ( end - *p ) < 1 )
Paul Bakker	5187656	2013-09-17 14:36:05 +0200	[diff] [blame]	379	return( POLARSSL_ERR_X509_INVALID_NAME +
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	380	POLARSSL_ERR_ASN1_OUT_OF_DATA );
				381
				382	if( p != ASN1_BMP_STRING && p != ASN1_UTF8_STRING &&
				383	p != ASN1_T61_STRING && p != ASN1_PRINTABLE_STRING &&
Manuel Pégourié-Gonnard	dd5dbca	2015-03-27 13:03:09 +0100	[diff] [blame]	384	p != ASN1_IA5_STRING && p != ASN1_UNIVERSAL_STRING &&
				385	**p != ASN1_BIT_STRING )
Paul Bakker	5187656	2013-09-17 14:36:05 +0200	[diff] [blame]	386	return( POLARSSL_ERR_X509_INVALID_NAME +
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	387	POLARSSL_ERR_ASN1_UNEXPECTED_TAG );
				388
				389	val = &cur->val;
				390	val->tag = (p)++;
				391
				392	if( ( ret = asn1_get_len( p, end, &val->len ) ) != 0 )
Paul Bakker	5187656	2013-09-17 14:36:05 +0200	[diff] [blame]	393	return( POLARSSL_ERR_X509_INVALID_NAME + ret );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	394
				395	val->p = *p;
				396	*p += val->len;
				397
				398	cur->next = NULL;
				399
				400	return( 0 );
				401	}
				402
				403	/*
Manuel Pégourié-Gonnard	555fbf8	2015-02-04 17:11:55 +0000	[diff] [blame]	404	* Name ::= CHOICE { -- only one possibility for now --
				405	* rdnSequence RDNSequence }
				406	*
				407	* RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
				408	*
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	409	* RelativeDistinguishedName ::=
				410	* SET OF AttributeTypeAndValue
				411	*
				412	* AttributeTypeAndValue ::= SEQUENCE {
				413	* type AttributeType,
				414	* value AttributeValue }
				415	*
				416	* AttributeType ::= OBJECT IDENTIFIER
				417	*
				418	* AttributeValue ::= ANY DEFINED BY AttributeType
Manuel Pégourié-Gonnard	5d86185	2014-10-17 12:41:41 +0200	[diff] [blame]	419	*
Manuel Pégourié-Gonnard	555fbf8	2015-02-04 17:11:55 +0000	[diff] [blame]	420	* The data structure is optimized for the common case where each RDN has only
				421	* one element, which is represented as a list of AttributeTypeAndValue.
				422	* For the general case we still use a flat list, but we mark elements of the
				423	* same set so that they are "merged" together in the functions that consume
				424	* this list, eg x509_dn_gets().
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	425	*/
				426	int x509_get_name( unsigned char *p, const unsigned char end,
				427	x509_name *cur )
				428	{
				429	int ret;
Manuel Pégourié-Gonnard	5d86185	2014-10-17 12:41:41 +0200	[diff] [blame]	430	size_t set_len;
				431	const unsigned char *end_set;
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	432
Manuel Pégourié-Gonnard	d681443	2014-11-12 01:25:31 +0100	[diff] [blame]	433	/* don't use recursion, we'd risk stack overflow if not optimized */
				434	while( 1 )
				435	{
				436	/*
Manuel Pégourié-Gonnard	555fbf8	2015-02-04 17:11:55 +0000	[diff] [blame]	437	* parse SET
Manuel Pégourié-Gonnard	d681443	2014-11-12 01:25:31 +0100	[diff] [blame]	438	*/
				439	if( ( ret = asn1_get_tag( p, end, &set_len,
				440	ASN1_CONSTRUCTED \| ASN1_SET ) ) != 0 )
				441	return( POLARSSL_ERR_X509_INVALID_NAME + ret );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	442
Manuel Pégourié-Gonnard	d681443	2014-11-12 01:25:31 +0100	[diff] [blame]	443	end_set = *p + set_len;
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	444
Manuel Pégourié-Gonnard	555fbf8	2015-02-04 17:11:55 +0000	[diff] [blame]	445	while( 1 )
				446	{
				447	if( ( ret = x509_get_attr_type_value( p, end_set, cur ) ) != 0 )
				448	return( ret );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	449
Manuel Pégourié-Gonnard	555fbf8	2015-02-04 17:11:55 +0000	[diff] [blame]	450	if( *p == end_set )
				451	break;
				452
Nicholas Wilson	d0fa5cc	2015-05-11 10:39:49 +0100	[diff] [blame]	453	/* Mark this item as being not the only one in a set */
Manuel Pégourié-Gonnard	555fbf8	2015-02-04 17:11:55 +0000	[diff] [blame]	454	cur->next_merged = 1;
				455
Mansour Moufid	c531b4a	2015-02-15 17:35:38 -0500	[diff] [blame]	456	cur->next = polarssl_malloc( sizeof( x509_name ) );
Manuel Pégourié-Gonnard	555fbf8	2015-02-04 17:11:55 +0000	[diff] [blame]	457
				458	if( cur->next == NULL )
				459	return( POLARSSL_ERR_X509_MALLOC_FAILED );
				460
				461	memset( cur->next, 0, sizeof( x509_name ) );
				462
				463	cur = cur->next;
				464	}
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	465
Manuel Pégourié-Gonnard	d681443	2014-11-12 01:25:31 +0100	[diff] [blame]	466	/*
				467	* continue until end of SEQUENCE is reached
				468	*/
				469	if( *p == end )
				470	return( 0 );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	471
Mansour Moufid	c531b4a	2015-02-15 17:35:38 -0500	[diff] [blame]	472	cur->next = polarssl_malloc( sizeof( x509_name ) );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	473
Manuel Pégourié-Gonnard	d681443	2014-11-12 01:25:31 +0100	[diff] [blame]	474	if( cur->next == NULL )
				475	return( POLARSSL_ERR_X509_MALLOC_FAILED );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	476
Manuel Pégourié-Gonnard	d681443	2014-11-12 01:25:31 +0100	[diff] [blame]	477	memset( cur->next, 0, sizeof( x509_name ) );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	478
Manuel Pégourié-Gonnard	d681443	2014-11-12 01:25:31 +0100	[diff] [blame]	479	cur = cur->next;
				480	}
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	481	}
				482
Rich Evans	7d5a55a	2015-02-13 11:48:02 +0000	[diff] [blame]	483	static int x509_parse_int(unsigned char *p, unsigned n, int res){
				484	*res = 0;
				485	for( ; n > 0; --n ){
				486	if( ( p < '0') \|\| ( p > '9' ) ) return POLARSSL_ERR_X509_INVALID_DATE;
				487	res = 10;
				488	res += ((*p)++ - '0');
				489	}
				490	return 0;
				491	}
				492
Andres AG	0da3e44	2016-09-23 13:16:02 +0100	[diff] [blame]	493	static int x509_date_is_valid(const x509_time *time)
				494	{
				495	int ret = POLARSSL_ERR_X509_INVALID_DATE;
				496
				497	CHECK_RANGE( 0, 9999, time->year );
				498	CHECK_RANGE( 0, 23, time->hour );
				499	CHECK_RANGE( 0, 59, time->min );
				500	CHECK_RANGE( 0, 59, time->sec );
				501
				502	switch( time->mon )
				503	{
				504	case 1: case 3: case 5: case 7: case 8: case 10: case 12:
				505	CHECK_RANGE( 1, 31, time->day );
				506	break;
				507	case 4: case 6: case 9: case 11:
				508	CHECK_RANGE( 1, 30, time->day );
				509	break;
				510	case 2:
				511	CHECK_RANGE( 1, 28 + (time->year % 4 == 0), time->day );
				512	break;
				513	default:
				514	return( ret );
				515	}
				516
				517	return( 0 );
				518	}
				519
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	520	/*
Janos Follath	17da9dd	2016-09-19 09:35:18 +0100	[diff] [blame]	521	* Parse an ASN1_UTC_TIME (yearlen=2) or ASN1_GENERALIZED_TIME (yearlen=4) field.
				522	*/
				523	static int x509_parse_time( unsigned char *p, size_t len, unsigned int yearlen, x509_time time )
				524	{
				525	int ret;
				526
				527	/*
				528	* minimum length is 10 or 12 depending on yearlen
				529	*/
				530	if ( len < yearlen + 8 )
				531	return POLARSSL_ERR_X509_INVALID_DATE;
				532	len -= yearlen + 8;
				533
				534	/*
				535	* parse year, month, day, hour, minute
				536	*/
				537	CHECK( x509_parse_int( p, yearlen, &time->year ) );
				538	if ( 2 == yearlen )
				539	{
				540	if ( time->year < 50 )
				541	time->year += 100;
				542
				543	time->year += 1900;
				544	}
				545
				546	CHECK( x509_parse_int( p, 2, &time->mon ) );
				547	CHECK( x509_parse_int( p, 2, &time->day ) );
				548	CHECK( x509_parse_int( p, 2, &time->hour ) );
				549	CHECK( x509_parse_int( p, 2, &time->min ) );
				550
				551	/*
				552	* parse seconds if present
				553	*/
				554	if ( len >= 2 && p >= '0' && p <= '9' )
				555	{
				556	CHECK( x509_parse_int( p, 2, &time->sec ) );
				557	len -= 2;
				558	}
				559	else
				560	{
				561	#if defined(POLARSSL_X509_ALLOW_RELAXED_DATE)
				562	/*
				563	* if relaxed mode, allow seconds to be absent
				564	*/
				565	time->sec = 0;
				566	#else
				567	return POLARSSL_ERR_X509_INVALID_DATE;
				568	#endif
				569	}
				570
				571	/*
				572	* parse trailing 'Z' if present
				573	*/
				574	if ( 1 == len && 'Z' == **p )
				575	{
				576	(*p)++;
				577	return 0;
				578	}
				579	#if defined(POLARSSL_X509_ALLOW_RELAXED_DATE)
				580	/*
				581	* if relaxed mode, allow timezone to be present
				582	*/
				583	else if ( 5 == len && ( '+' == p \|\| '-' == p ) )
				584	{
				585	int tz; /* throwaway timezone */
				586
				587	(*p)++;
				588	CHECK( x509_parse_int( p, 4, &tz ) );
				589
				590	return 0;
				591	}
				592	#endif
				593	/*
				594	* okay if no trailing 'Z' or timezone specified
				595	*/
				596	else if ( 0 == len )
				597	return 0;
				598	else
				599	return POLARSSL_ERR_X509_INVALID_DATE;
				600	}
				601
				602	/*
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	603	* Time ::= CHOICE {
				604	* utcTime UTCTime,
				605	* generalTime GeneralizedTime }
				606	*/
				607	int x509_get_time( unsigned char *p, const unsigned char end,
				608	x509_time *time )
				609	{
				610	int ret;
				611	size_t len;
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	612	unsigned char tag;
				613
				614	if( ( end - *p ) < 1 )
Paul Bakker	5187656	2013-09-17 14:36:05 +0200	[diff] [blame]	615	return( POLARSSL_ERR_X509_INVALID_DATE +
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	616	POLARSSL_ERR_ASN1_OUT_OF_DATA );
				617
				618	tag = **p;
				619
Paul Bakker	66d5d07	2014-06-17 16:39:18 +0200	[diff] [blame]	620	if( tag == ASN1_UTC_TIME )
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	621	{
				622	(*p)++;
				623	ret = asn1_get_len( p, end, &len );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	624	if( ret != 0 )
Paul Bakker	5187656	2013-09-17 14:36:05 +0200	[diff] [blame]	625	return( POLARSSL_ERR_X509_INVALID_DATE + ret );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	626
Simon Butcher	2d0ffbb	2016-10-17 22:32:47 +0100	[diff] [blame^]	627	CHECK( x509_parse_time( p, len, 2, time ) );
				628
				629	CHECK( x509_date_is_valid( time ) );
				630
				631	return( 0 );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	632	}
Paul Bakker	66d5d07	2014-06-17 16:39:18 +0200	[diff] [blame]	633	else if( tag == ASN1_GENERALIZED_TIME )
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	634	{
				635	(*p)++;
				636	ret = asn1_get_len( p, end, &len );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	637	if( ret != 0 )
Paul Bakker	5187656	2013-09-17 14:36:05 +0200	[diff] [blame]	638	return( POLARSSL_ERR_X509_INVALID_DATE + ret );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	639
Simon Butcher	2d0ffbb	2016-10-17 22:32:47 +0100	[diff] [blame^]	640	CHECK( x509_parse_time( p, len, 4, time ) );
				641
				642	CHECK( x509_date_is_valid( time ) );
				643
				644	return( 0 );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	645	}
				646	else
Paul Bakker	5187656	2013-09-17 14:36:05 +0200	[diff] [blame]	647	return( POLARSSL_ERR_X509_INVALID_DATE +
				648	POLARSSL_ERR_ASN1_UNEXPECTED_TAG );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	649	}
				650
				651	int x509_get_sig( unsigned char *p, const unsigned char end, x509_buf *sig )
				652	{
				653	int ret;
				654	size_t len;
Andres AG	67ae0b9	2016-09-19 16:58:45 +0100	[diff] [blame]	655	int tag_type;
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	656
				657	if( ( end - *p ) < 1 )
Paul Bakker	5187656	2013-09-17 14:36:05 +0200	[diff] [blame]	658	return( POLARSSL_ERR_X509_INVALID_SIGNATURE +
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	659	POLARSSL_ERR_ASN1_OUT_OF_DATA );
				660
Andres AG	67ae0b9	2016-09-19 16:58:45 +0100	[diff] [blame]	661	tag_type = **p;
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	662
				663	if( ( ret = asn1_get_bitstring_null( p, end, &len ) ) != 0 )
Paul Bakker	5187656	2013-09-17 14:36:05 +0200	[diff] [blame]	664	return( POLARSSL_ERR_X509_INVALID_SIGNATURE + ret );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	665
Andres AG	67ae0b9	2016-09-19 16:58:45 +0100	[diff] [blame]	666	sig->tag = tag_type;
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	667	sig->len = len;
				668	sig->p = *p;
				669
				670	*p += len;
				671
				672	return( 0 );
				673	}
				674
Manuel Pégourié-Gonnard	cf975a3	2014-01-24 19:28:43 +0100	[diff] [blame]	675	/*
				676	* Get signature algorithm from alg OID and optional parameters
				677	*/
				678	int x509_get_sig_alg( const x509_buf sig_oid, const x509_buf sig_params,
Manuel Pégourié-Gonnard	f75f2f7	2014-06-05 15:14:28 +0200	[diff] [blame]	679	md_type_t md_alg, pk_type_t pk_alg,
				680	void **sig_opts )
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	681	{
Manuel Pégourié-Gonnard	cf975a3	2014-01-24 19:28:43 +0100	[diff] [blame]	682	int ret;
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	683
Manuel Pégourié-Gonnard	f75f2f7	2014-06-05 15:14:28 +0200	[diff] [blame]	684	if( *sig_opts != NULL )
				685	return( POLARSSL_ERR_X509_BAD_INPUT_DATA );
				686
Manuel Pégourié-Gonnard	cf975a3	2014-01-24 19:28:43 +0100	[diff] [blame]	687	if( ( ret = oid_get_sig_alg( sig_oid, md_alg, pk_alg ) ) != 0 )
Paul Bakker	5187656	2013-09-17 14:36:05 +0200	[diff] [blame]	688	return( POLARSSL_ERR_X509_UNKNOWN_SIG_ALG + ret );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	689
Manuel Pégourié-Gonnard	d1539b1	2014-06-06 16:42:37 +0200	[diff] [blame]	690	#if defined(POLARSSL_X509_RSASSA_PSS_SUPPORT)
Manuel Pégourié-Gonnard	cf975a3	2014-01-24 19:28:43 +0100	[diff] [blame]	691	if( *pk_alg == POLARSSL_PK_RSASSA_PSS )
				692	{
Manuel Pégourié-Gonnard	f75f2f7	2014-06-05 15:14:28 +0200	[diff] [blame]	693	pk_rsassa_pss_options *pss_opts;
Manuel Pégourié-Gonnard	cf975a3	2014-01-24 19:28:43 +0100	[diff] [blame]	694
Manuel Pégourié-Gonnard	f75f2f7	2014-06-05 15:14:28 +0200	[diff] [blame]	695	pss_opts = polarssl_malloc( sizeof( pk_rsassa_pss_options ) );
				696	if( pss_opts == NULL )
				697	return( POLARSSL_ERR_X509_MALLOC_FAILED );
				698
Manuel Pégourié-Gonnard	cf975a3	2014-01-24 19:28:43 +0100	[diff] [blame]	699	ret = x509_get_rsassa_pss_params( sig_params,
Manuel Pégourié-Gonnard	f75f2f7	2014-06-05 15:14:28 +0200	[diff] [blame]	700	md_alg,
				701	&pss_opts->mgf1_hash_id,
				702	&pss_opts->expected_salt_len );
Manuel Pégourié-Gonnard	cf975a3	2014-01-24 19:28:43 +0100	[diff] [blame]	703	if( ret != 0 )
Manuel Pégourié-Gonnard	f75f2f7	2014-06-05 15:14:28 +0200	[diff] [blame]	704	{
				705	polarssl_free( pss_opts );
Manuel Pégourié-Gonnard	cf975a3	2014-01-24 19:28:43 +0100	[diff] [blame]	706	return( ret );
Manuel Pégourié-Gonnard	f75f2f7	2014-06-05 15:14:28 +0200	[diff] [blame]	707	}
Manuel Pégourié-Gonnard	cf975a3	2014-01-24 19:28:43 +0100	[diff] [blame]	708
Manuel Pégourié-Gonnard	f75f2f7	2014-06-05 15:14:28 +0200	[diff] [blame]	709	sig_opts = (void ) pss_opts;
Manuel Pégourié-Gonnard	cf975a3	2014-01-24 19:28:43 +0100	[diff] [blame]	710	}
				711	else
Paul Bakker	db20c10	2014-06-17 14:34:44 +0200	[diff] [blame]	712	#endif /* POLARSSL_X509_RSASSA_PSS_SUPPORT */
Manuel Pégourié-Gonnard	cf975a3	2014-01-24 19:28:43 +0100	[diff] [blame]	713	{
				714	/* Make sure parameters are absent or NULL */
				715	if( ( sig_params->tag != ASN1_NULL && sig_params->tag != 0 ) \|\|
				716	sig_params->len != 0 )
				717	return( POLARSSL_ERR_X509_INVALID_ALG );
				718	}
				719
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	720	return( 0 );
				721	}
				722
				723	/*
				724	* X.509 Extensions (No parsing of extensions, pointer should
				725	* be either manually updated or extensions should be parsed!
				726	*/
				727	int x509_get_ext( unsigned char *p, const unsigned char end,
				728	x509_buf *ext, int tag )
				729	{
				730	int ret;
				731	size_t len;
				732
				733	if( *p == end )
				734	return( 0 );
				735
				736	ext->tag = **p;
				737
				738	if( ( ret = asn1_get_tag( p, end, &ext->len,
				739	ASN1_CONTEXT_SPECIFIC \| ASN1_CONSTRUCTED \| tag ) ) != 0 )
				740	return( ret );
				741
				742	ext->p = *p;
				743	end = *p + ext->len;
				744
				745	/*
				746	* Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
				747	*
				748	* Extension ::= SEQUENCE {
				749	* extnID OBJECT IDENTIFIER,
				750	* critical BOOLEAN DEFAULT FALSE,
				751	* extnValue OCTET STRING }
				752	*/
				753	if( ( ret = asn1_get_tag( p, end, &len,
				754	ASN1_CONSTRUCTED \| ASN1_SEQUENCE ) ) != 0 )
Paul Bakker	5187656	2013-09-17 14:36:05 +0200	[diff] [blame]	755	return( POLARSSL_ERR_X509_INVALID_EXTENSIONS + ret );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	756
				757	if( end != *p + len )
Paul Bakker	5187656	2013-09-17 14:36:05 +0200	[diff] [blame]	758	return( POLARSSL_ERR_X509_INVALID_EXTENSIONS +
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	759	POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
				760
				761	return( 0 );
				762	}
				763
Paul Bakker	6edcd41	2013-10-29 15:22:54 +0100	[diff] [blame]	764	#if defined(_MSC_VER) && !defined snprintf && !defined(EFIX64) && \
				765	!defined(EFI32)
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	766	#include <stdarg.h>
				767
				768	#if !defined vsnprintf
				769	#define vsnprintf _vsnprintf
				770	#endif // vsnprintf
				771
				772	/*
				773	* Windows _snprintf and _vsnprintf are not compatible to linux versions.
				774	* Result value is not size of buffer needed, but -1 if no fit is possible.
				775	*
				776	* This fuction tries to 'fix' this by at least suggesting enlarging the
				777	* size by 20.
				778	*/
Paul Bakker	66d5d07	2014-06-17 16:39:18 +0200	[diff] [blame]	779	static int compat_snprintf( char str, size_t size, const char format, ... )
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	780	{
				781	va_list ap;
				782	int res = -1;
				783
				784	va_start( ap, format );
				785
				786	res = vsnprintf( str, size, format, ap );
				787
				788	va_end( ap );
				789
				790	// No quick fix possible
Paul Bakker	66d5d07	2014-06-17 16:39:18 +0200	[diff] [blame]	791	if( res < 0 )
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	792	return( (int) size + 20 );
				793
Paul Bakker	d8bb826	2014-06-17 14:06:49 +0200	[diff] [blame]	794	return( res );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	795	}
				796
				797	#define snprintf compat_snprintf
Paul Bakker	9af723c	2014-05-01 13:03:14 +0200	[diff] [blame]	798	#endif /* _MSC_VER && !snprintf && !EFIX64 && !EFI32 */
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	799
				800	#define POLARSSL_ERR_DEBUG_BUF_TOO_SMALL -2
				801
Paul Bakker	d8bb826	2014-06-17 14:06:49 +0200	[diff] [blame]	802	#define SAFE_SNPRINTF() \
				803	{ \
				804	if( ret == -1 ) \
				805	return( -1 ); \
				806	\
Paul Bakker	66d5d07	2014-06-17 16:39:18 +0200	[diff] [blame]	807	if( (unsigned int) ret > n ) { \
Paul Bakker	d8bb826	2014-06-17 14:06:49 +0200	[diff] [blame]	808	p[n - 1] = '\0'; \
				809	return( POLARSSL_ERR_DEBUG_BUF_TOO_SMALL ); \
				810	} \
				811	\
				812	n -= (unsigned int) ret; \
				813	p += (unsigned int) ret; \
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	814	}
				815
				816	/*
				817	* Store the name in printable form into buf; no more
				818	* than size characters will be written
				819	*/
Paul Bakker	86d0c19	2013-09-18 11:11:02 +0200	[diff] [blame]	820	int x509_dn_gets( char buf, size_t size, const x509_name dn )
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	821	{
				822	int ret;
				823	size_t i, n;
Manuel Pégourié-Gonnard	555fbf8	2015-02-04 17:11:55 +0000	[diff] [blame]	824	unsigned char c, merge = 0;
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	825	const x509_name *name;
				826	const char *short_name = NULL;
Paul Bakker	8dcb2d7	2014-08-08 12:22:30 +0200	[diff] [blame]	827	char s[X509_MAX_DN_NAME_SIZE], *p;
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	828
				829	memset( s, 0, sizeof( s ) );
				830
				831	name = dn;
				832	p = buf;
				833	n = size;
				834
				835	while( name != NULL )
				836	{
				837	if( !name->oid.p )
				838	{
				839	name = name->next;
				840	continue;
				841	}
				842
				843	if( name != dn )
				844	{
Rich Evans	fac657f	2015-01-30 11:00:01 +0000	[diff] [blame]	845	ret = polarssl_snprintf( p, n, merge ? " + " : ", " );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	846	SAFE_SNPRINTF();
				847	}
				848
				849	ret = oid_get_attr_short_name( &name->oid, &short_name );
				850
				851	if( ret == 0 )
Rich Evans	fac657f	2015-01-30 11:00:01 +0000	[diff] [blame]	852	ret = polarssl_snprintf( p, n, "%s=", short_name );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	853	else
Rich Evans	fac657f	2015-01-30 11:00:01 +0000	[diff] [blame]	854	ret = polarssl_snprintf( p, n, "\?\?=" );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	855	SAFE_SNPRINTF();
				856
				857	for( i = 0; i < name->val.len; i++ )
				858	{
				859	if( i >= sizeof( s ) - 1 )
				860	break;
				861
				862	c = name->val.p[i];
				863	if( c < 32 \|\| c == 127 \|\| ( c > 128 && c < 160 ) )
				864	s[i] = '?';
				865	else s[i] = c;
				866	}
				867	s[i] = '\0';
Rich Evans	fac657f	2015-01-30 11:00:01 +0000	[diff] [blame]	868	ret = polarssl_snprintf( p, n, "%s", s );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	869	SAFE_SNPRINTF();
Manuel Pégourié-Gonnard	555fbf8	2015-02-04 17:11:55 +0000	[diff] [blame]	870
				871	merge = name->next_merged;
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	872	name = name->next;
				873	}
				874
				875	return( (int) ( size - n ) );
				876	}
				877
				878	/*
				879	* Store the serial in printable form into buf; no more
				880	* than size characters will be written
				881	*/
Paul Bakker	86d0c19	2013-09-18 11:11:02 +0200	[diff] [blame]	882	int x509_serial_gets( char buf, size_t size, const x509_buf serial )
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	883	{
				884	int ret;
				885	size_t i, n, nr;
				886	char *p;
				887
				888	p = buf;
				889	n = size;
				890
				891	nr = ( serial->len <= 32 )
				892	? serial->len : 28;
				893
				894	for( i = 0; i < nr; i++ )
				895	{
				896	if( i == 0 && nr > 1 && serial->p[i] == 0x0 )
				897	continue;
				898
Rich Evans	fac657f	2015-01-30 11:00:01 +0000	[diff] [blame]	899	ret = polarssl_snprintf( p, n, "%02X%s",
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	900	serial->p[i], ( i < nr - 1 ) ? ":" : "" );
				901	SAFE_SNPRINTF();
				902	}
				903
				904	if( nr != serial->len )
				905	{
Rich Evans	fac657f	2015-01-30 11:00:01 +0000	[diff] [blame]	906	ret = polarssl_snprintf( p, n, "...." );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	907	SAFE_SNPRINTF();
				908	}
				909
				910	return( (int) ( size - n ) );
				911	}
				912
				913	/*
Manuel Pégourié-Gonnard	9113603	2014-06-05 15:41:39 +0200	[diff] [blame]	914	* Helper for writing signature algorithms
Manuel Pégourié-Gonnard	cac31ee	2014-01-25 11:50:59 +0100	[diff] [blame]	915	*/
				916	int x509_sig_alg_gets( char buf, size_t size, const x509_buf sig_oid,
Manuel Pégourié-Gonnard	9113603	2014-06-05 15:41:39 +0200	[diff] [blame]	917	pk_type_t pk_alg, md_type_t md_alg,
				918	const void *sig_opts )
Manuel Pégourié-Gonnard	cac31ee	2014-01-25 11:50:59 +0100	[diff] [blame]	919	{
				920	int ret;
				921	char *p = buf;
				922	size_t n = size;
				923	const char *desc = NULL;
				924
				925	ret = oid_get_sig_alg_desc( sig_oid, &desc );
				926	if( ret != 0 )
Rich Evans	fac657f	2015-01-30 11:00:01 +0000	[diff] [blame]	927	ret = polarssl_snprintf( p, n, "???" );
Manuel Pégourié-Gonnard	cac31ee	2014-01-25 11:50:59 +0100	[diff] [blame]	928	else
Rich Evans	fac657f	2015-01-30 11:00:01 +0000	[diff] [blame]	929	ret = polarssl_snprintf( p, n, "%s", desc );
Manuel Pégourié-Gonnard	cac31ee	2014-01-25 11:50:59 +0100	[diff] [blame]	930	SAFE_SNPRINTF();
				931
Manuel Pégourié-Gonnard	d1539b1	2014-06-06 16:42:37 +0200	[diff] [blame]	932	#if defined(POLARSSL_X509_RSASSA_PSS_SUPPORT)
Manuel Pégourié-Gonnard	cac31ee	2014-01-25 11:50:59 +0100	[diff] [blame]	933	if( pk_alg == POLARSSL_PK_RSASSA_PSS )
				934	{
Manuel Pégourié-Gonnard	9113603	2014-06-05 15:41:39 +0200	[diff] [blame]	935	const pk_rsassa_pss_options *pss_opts;
Manuel Pégourié-Gonnard	cac31ee	2014-01-25 11:50:59 +0100	[diff] [blame]	936	const md_info_t md_info, mgf_md_info;
Manuel Pégourié-Gonnard	cac31ee	2014-01-25 11:50:59 +0100	[diff] [blame]	937
Manuel Pégourié-Gonnard	9113603	2014-06-05 15:41:39 +0200	[diff] [blame]	938	pss_opts = (const pk_rsassa_pss_options *) sig_opts;
Manuel Pégourié-Gonnard	cac31ee	2014-01-25 11:50:59 +0100	[diff] [blame]	939
				940	md_info = md_info_from_type( md_alg );
Manuel Pégourié-Gonnard	9113603	2014-06-05 15:41:39 +0200	[diff] [blame]	941	mgf_md_info = md_info_from_type( pss_opts->mgf1_hash_id );
Manuel Pégourié-Gonnard	cac31ee	2014-01-25 11:50:59 +0100	[diff] [blame]	942
Rich Evans	fac657f	2015-01-30 11:00:01 +0000	[diff] [blame]	943	ret = polarssl_snprintf( p, n, " (%s, MGF1-%s, 0x%02X)",
Manuel Pégourié-Gonnard	cac31ee	2014-01-25 11:50:59 +0100	[diff] [blame]	944	md_info ? md_info->name : "???",
				945	mgf_md_info ? mgf_md_info->name : "???",
Manuel Pégourié-Gonnard	9113603	2014-06-05 15:41:39 +0200	[diff] [blame]	946	pss_opts->expected_salt_len );
Manuel Pégourié-Gonnard	cac31ee	2014-01-25 11:50:59 +0100	[diff] [blame]	947	SAFE_SNPRINTF();
				948	}
				949	#else
				950	((void) pk_alg);
Manuel Pégourié-Gonnard	9113603	2014-06-05 15:41:39 +0200	[diff] [blame]	951	((void) md_alg);
				952	((void) sig_opts);
Manuel Pégourié-Gonnard	d1539b1	2014-06-06 16:42:37 +0200	[diff] [blame]	953	#endif /* POLARSSL_X509_RSASSA_PSS_SUPPORT */
Manuel Pégourié-Gonnard	cac31ee	2014-01-25 11:50:59 +0100	[diff] [blame]	954
Sander Niemeijer	ef5087d	2014-08-16 12:45:52 +0200	[diff] [blame]	955	return( (int)( size - n ) );
Manuel Pégourié-Gonnard	cac31ee	2014-01-25 11:50:59 +0100	[diff] [blame]	956	}
				957
				958	/*
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	959	* Helper for writing "RSA key size", "EC key size", etc
				960	*/
				961	int x509_key_size_helper( char buf, size_t size, const char name )
				962	{
				963	char *p = buf;
				964	size_t n = size;
				965	int ret;
				966
				967	if( strlen( name ) + sizeof( " key size" ) > size )
Paul Bakker	d8bb826	2014-06-17 14:06:49 +0200	[diff] [blame]	968	return( POLARSSL_ERR_DEBUG_BUF_TOO_SMALL );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	969
Rich Evans	fac657f	2015-01-30 11:00:01 +0000	[diff] [blame]	970	ret = polarssl_snprintf( p, n, "%s key size", name );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	971	SAFE_SNPRINTF();
				972
				973	return( 0 );
				974	}
				975
				976	/*
				977	* Return an informational string describing the given OID
				978	*/
Manuel Pégourié-Gonnard	c70581c	2015-03-23 13:58:27 +0100	[diff] [blame]	979	#if ! defined(POLARSSL_DEPRECATED_REMOVED)
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	980	const char x509_oid_get_description( x509_buf oid )
				981	{
				982	const char *desc = NULL;
				983	int ret;
				984
				985	ret = oid_get_extended_key_usage( oid, &desc );
				986
				987	if( ret != 0 )
				988	return( NULL );
				989
				990	return( desc );
				991	}
Manuel Pégourié-Gonnard	c70581c	2015-03-23 13:58:27 +0100	[diff] [blame]	992	#endif
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	993
				994	/* Return the x.y.z.... style numeric string for the given OID */
Manuel Pégourié-Gonnard	c70581c	2015-03-23 13:58:27 +0100	[diff] [blame]	995	#if ! defined(POLARSSL_DEPRECATED_REMOVED)
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	996	int x509_oid_get_numeric_string( char buf, size_t size, x509_buf oid )
				997	{
				998	return oid_get_numeric_string( buf, size, oid );
				999	}
Manuel Pégourié-Gonnard	c70581c	2015-03-23 13:58:27 +0100	[diff] [blame]	1000	#endif
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1001
				1002	/*
				1003	* Return 0 if the x509_time is still valid, or 1 otherwise.
				1004	*/
				1005	#if defined(POLARSSL_HAVE_TIME)
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1006
Manuel Pégourié-Gonnard	6304f78	2014-03-10 12:26:11 +0100	[diff] [blame]	1007	static void x509_get_current_time( x509_time *now )
				1008	{
Paul Bakker	fa6a620	2013-10-28 18:48:30 +0100	[diff] [blame]	1009	#if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1010	SYSTEMTIME st;
				1011
Paul Bakker	66d5d07	2014-06-17 16:39:18 +0200	[diff] [blame]	1012	GetSystemTime( &st );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1013
Manuel Pégourié-Gonnard	6304f78	2014-03-10 12:26:11 +0100	[diff] [blame]	1014	now->year = st.wYear;
				1015	now->mon = st.wMonth;
				1016	now->day = st.wDay;
				1017	now->hour = st.wHour;
				1018	now->min = st.wMinute;
				1019	now->sec = st.wSecond;
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1020	#else
Paul Bakker	5fff23b	2014-03-26 15:34:54 +0100	[diff] [blame]	1021	struct tm lt;
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1022	time_t tt;
				1023
				1024	tt = time( NULL );
Manuel Pégourié-Gonnard	0776a43	2014-04-11 12:25:45 +0200	[diff] [blame]	1025	gmtime_r( &tt, &lt );
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1026
Paul Bakker	5fff23b	2014-03-26 15:34:54 +0100	[diff] [blame]	1027	now->year = lt.tm_year + 1900;
				1028	now->mon = lt.tm_mon + 1;
				1029	now->day = lt.tm_mday;
				1030	now->hour = lt.tm_hour;
				1031	now->min = lt.tm_min;
				1032	now->sec = lt.tm_sec;
Paul Bakker	9af723c	2014-05-01 13:03:14 +0200	[diff] [blame]	1033	#endif /* _WIN32 && !EFIX64 && !EFI32 */
Manuel Pégourié-Gonnard	6304f78	2014-03-10 12:26:11 +0100	[diff] [blame]	1034	}
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1035
Manuel Pégourié-Gonnard	6304f78	2014-03-10 12:26:11 +0100	[diff] [blame]	1036	/*
				1037	* Return 0 if before <= after, 1 otherwise
				1038	*/
				1039	static int x509_check_time( const x509_time before, const x509_time after )
				1040	{
				1041	if( before->year > after->year )
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1042	return( 1 );
				1043
Manuel Pégourié-Gonnard	6304f78	2014-03-10 12:26:11 +0100	[diff] [blame]	1044	if( before->year == after->year &&
				1045	before->mon > after->mon )
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1046	return( 1 );
				1047
Manuel Pégourié-Gonnard	6304f78	2014-03-10 12:26:11 +0100	[diff] [blame]	1048	if( before->year == after->year &&
				1049	before->mon == after->mon &&
				1050	before->day > after->day )
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1051	return( 1 );
				1052
Manuel Pégourié-Gonnard	6304f78	2014-03-10 12:26:11 +0100	[diff] [blame]	1053	if( before->year == after->year &&
				1054	before->mon == after->mon &&
				1055	before->day == after->day &&
				1056	before->hour > after->hour )
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1057	return( 1 );
				1058
Manuel Pégourié-Gonnard	6304f78	2014-03-10 12:26:11 +0100	[diff] [blame]	1059	if( before->year == after->year &&
				1060	before->mon == after->mon &&
				1061	before->day == after->day &&
				1062	before->hour == after->hour &&
				1063	before->min > after->min )
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1064	return( 1 );
				1065
Manuel Pégourié-Gonnard	6304f78	2014-03-10 12:26:11 +0100	[diff] [blame]	1066	if( before->year == after->year &&
				1067	before->mon == after->mon &&
				1068	before->day == after->day &&
				1069	before->hour == after->hour &&
				1070	before->min == after->min &&
				1071	before->sec > after->sec )
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1072	return( 1 );
				1073
				1074	return( 0 );
				1075	}
Manuel Pégourié-Gonnard	6304f78	2014-03-10 12:26:11 +0100	[diff] [blame]	1076
				1077	int x509_time_expired( const x509_time *to )
				1078	{
				1079	x509_time now;
				1080
				1081	x509_get_current_time( &now );
				1082
				1083	return( x509_check_time( &now, to ) );
				1084	}
				1085
				1086	int x509_time_future( const x509_time *from )
				1087	{
				1088	x509_time now;
				1089
				1090	x509_get_current_time( &now );
				1091
				1092	return( x509_check_time( from, &now ) );
				1093	}
				1094
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1095	#else /* POLARSSL_HAVE_TIME */
Manuel Pégourié-Gonnard	6304f78	2014-03-10 12:26:11 +0100	[diff] [blame]	1096
Paul Bakker	86d0c19	2013-09-18 11:11:02 +0200	[diff] [blame]	1097	int x509_time_expired( const x509_time *to )
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1098	{
				1099	((void) to);
				1100	return( 0 );
				1101	}
Manuel Pégourié-Gonnard	6304f78	2014-03-10 12:26:11 +0100	[diff] [blame]	1102
				1103	int x509_time_future( const x509_time *from )
				1104	{
				1105	((void) from);
				1106	return( 0 );
				1107	}
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1108	#endif /* POLARSSL_HAVE_TIME */
				1109
Paul Bakker	e9e6ae3	2013-09-16 22:53:25 +0200	[diff] [blame]	1110	#if defined(POLARSSL_SELF_TEST)
				1111
				1112	#include "polarssl/x509_crt.h"
				1113	#include "polarssl/certs.h"
				1114
				1115	/*
				1116	* Checkup routine
				1117	*/
				1118	int x509_self_test( int verbose )
				1119	{
Manuel Pégourié-Gonnard	3d41370	2014-04-29 15:29:41 +0200	[diff] [blame]	1120	#if defined(POLARSSL_CERTS_C) && defined(POLARSSL_SHA1_C)
Paul Bakker	e9e6ae3	2013-09-16 22:53:25 +0200	[diff] [blame]	1121	int ret;
				1122	int flags;
Paul Bakker	c559c7a	2013-09-18 14:13:26 +0200	[diff] [blame]	1123	x509_crt cacert;
				1124	x509_crt clicert;
Paul Bakker	e9e6ae3	2013-09-16 22:53:25 +0200	[diff] [blame]	1125
				1126	if( verbose != 0 )
Paul Bakker	7dc4c44	2014-02-01 22:50:26 +0100	[diff] [blame]	1127	polarssl_printf( " X.509 certificate load: " );
Paul Bakker	e9e6ae3	2013-09-16 22:53:25 +0200	[diff] [blame]	1128
Paul Bakker	b6b0956	2013-09-18 14:17:41 +0200	[diff] [blame]	1129	x509_crt_init( &clicert );
Paul Bakker	e9e6ae3	2013-09-16 22:53:25 +0200	[diff] [blame]	1130
Paul Bakker	ddf26b4	2013-09-18 13:46:23 +0200	[diff] [blame]	1131	ret = x509_crt_parse( &clicert, (const unsigned char *) test_cli_crt,
				1132	strlen( test_cli_crt ) );
Paul Bakker	e9e6ae3	2013-09-16 22:53:25 +0200	[diff] [blame]	1133	if( ret != 0 )
				1134	{
				1135	if( verbose != 0 )
Paul Bakker	7dc4c44	2014-02-01 22:50:26 +0100	[diff] [blame]	1136	polarssl_printf( "failed\n" );
Paul Bakker	e9e6ae3	2013-09-16 22:53:25 +0200	[diff] [blame]	1137
				1138	return( ret );
				1139	}
				1140
Paul Bakker	b6b0956	2013-09-18 14:17:41 +0200	[diff] [blame]	1141	x509_crt_init( &cacert );
Paul Bakker	e9e6ae3	2013-09-16 22:53:25 +0200	[diff] [blame]	1142
Paul Bakker	ddf26b4	2013-09-18 13:46:23 +0200	[diff] [blame]	1143	ret = x509_crt_parse( &cacert, (const unsigned char *) test_ca_crt,
				1144	strlen( test_ca_crt ) );
Paul Bakker	e9e6ae3	2013-09-16 22:53:25 +0200	[diff] [blame]	1145	if( ret != 0 )
				1146	{
				1147	if( verbose != 0 )
Paul Bakker	7dc4c44	2014-02-01 22:50:26 +0100	[diff] [blame]	1148	polarssl_printf( "failed\n" );
Paul Bakker	e9e6ae3	2013-09-16 22:53:25 +0200	[diff] [blame]	1149
				1150	return( ret );
				1151	}
				1152
				1153	if( verbose != 0 )
Paul Bakker	7dc4c44	2014-02-01 22:50:26 +0100	[diff] [blame]	1154	polarssl_printf( "passed\n X.509 signature verify: ");
Paul Bakker	e9e6ae3	2013-09-16 22:53:25 +0200	[diff] [blame]	1155
Paul Bakker	ddf26b4	2013-09-18 13:46:23 +0200	[diff] [blame]	1156	ret = x509_crt_verify( &clicert, &cacert, NULL, NULL, &flags, NULL, NULL );
Paul Bakker	e9e6ae3	2013-09-16 22:53:25 +0200	[diff] [blame]	1157	if( ret != 0 )
				1158	{
				1159	if( verbose != 0 )
Paul Bakker	7dc4c44	2014-02-01 22:50:26 +0100	[diff] [blame]	1160	polarssl_printf( "failed\n" );
Paul Bakker	e9e6ae3	2013-09-16 22:53:25 +0200	[diff] [blame]	1161
Paul Bakker	66d5d07	2014-06-17 16:39:18 +0200	[diff] [blame]	1162	polarssl_printf( "ret = %d, &flags = %04x\n", ret, flags );
Paul Bakker	e9e6ae3	2013-09-16 22:53:25 +0200	[diff] [blame]	1163
				1164	return( ret );
				1165	}
				1166
				1167	if( verbose != 0 )
Paul Bakker	7dc4c44	2014-02-01 22:50:26 +0100	[diff] [blame]	1168	polarssl_printf( "passed\n\n");
Paul Bakker	e9e6ae3	2013-09-16 22:53:25 +0200	[diff] [blame]	1169
				1170	x509_crt_free( &cacert );
				1171	x509_crt_free( &clicert );
				1172
				1173	return( 0 );
				1174	#else
				1175	((void) verbose);
				1176	return( POLARSSL_ERR_X509_FEATURE_UNAVAILABLE );
Paul Bakker	9af723c	2014-05-01 13:03:14 +0200	[diff] [blame]	1177	#endif /* POLARSSL_CERTS_C && POLARSSL_SHA1_C */
Paul Bakker	e9e6ae3	2013-09-16 22:53:25 +0200	[diff] [blame]	1178	}
				1179
Paul Bakker	9af723c	2014-05-01 13:03:14 +0200	[diff] [blame]	1180	#endif /* POLARSSL_SELF_TEST */
Paul Bakker	e9e6ae3	2013-09-16 22:53:25 +0200	[diff] [blame]	1181
Paul Bakker	7c6b2c3	2013-09-16 13:49:26 +0200	[diff] [blame]	1182	#endif /* POLARSSL_X509_USE_C */