TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 53c6e96ce7c20385d3731af95f2a867b5c4de106 / . / library / x509_crl.c
blob: 7f8600dbf1775737c1a56799ab17c9e9d7ecf640 [file] [log] [blame]
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]1/*
2 * X.509 certificate and private key decoding
3 *
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]4 * Copyright (C) 2006-2014, Brainspark B.V.
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]5 *
6 * This file is part of PolarSSL (http://www.polarssl.org)
7 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
8 *
9 * All rights reserved.
10 *
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25/*
26 * The ITU-T X.509 standard defines a certificate format for PKI.
27 *
28 * http://www.ietf.org/rfc/rfc3279.txt
29 * http://www.ietf.org/rfc/rfc3280.txt
30 *
31 * ftp://ftp.rsasecurity.com/pub/pkcs/ascii/pkcs-1v2.asc
32 *
33 * http://www.itu.int/ITU-T/studygroups/com17/languages/X.680-0207.pdf
34 * http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf
35 */
36
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]37#if !defined(POLARSSL_CONFIG_FILE)
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]38#include "polarssl/config.h"
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]39#else
40#include POLARSSL_CONFIG_FILE
41#endif
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]42
43#if defined(POLARSSL_X509_CRL_PARSE_C)
44
45#include "polarssl/x509_crl.h"
46#include "polarssl/oid.h"
47#if defined(POLARSSL_PEM_PARSE_C)
48#include "polarssl/pem.h"
49#endif
50
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]51#if defined(POLARSSL_PLATFORM_C)
52#include "polarssl/platform.h"
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]53#else
54#define polarssl_malloc malloc
55#define polarssl_free free
56#endif
57
58#include <string.h>
59#include <stdlib.h>
Paul Bakkerfa6a6202013-10-28 18:48:30 +0100[diff] [blame]60#if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
61
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]62#include <windows.h>
63#else
64#include <time.h>
65#endif
66
Paul Bakkerfa6a6202013-10-28 18:48:30 +0100[diff] [blame]67#if defined(POLARSSL_FS_IO) || defined(EFIX64) || defined(EFI32)
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]68#include <stdio.h>
69#endif
70
Paul Bakker34617722014-06-13 17:20:13 +0200[diff] [blame]71/* Implementation that should never be optimized out by the compiler */
72static void polarssl_zeroize( void *v, size_t n ) {
73 volatile unsigned char *p = v; while( n-- ) *p++ = 0;
74}
75
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]76/*
77 * Version ::= INTEGER { v1(0), v2(1) }
78 */
79static int x509_crl_get_version( unsigned char **p,
80 const unsigned char *end,
81 int *ver )
82{
83 int ret;
84
85 if( ( ret = asn1_get_int( p, end, ver ) ) != 0 )
86 {
87 if( ret == POLARSSL_ERR_ASN1_UNEXPECTED_TAG )
88 {
89 *ver = 0;
90 return( 0 );
91 }
92
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]93 return( POLARSSL_ERR_X509_INVALID_VERSION + ret );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]94 }
95
96 return( 0 );
97}
98
99/*
100 * X.509 CRL v2 extensions (no extensions parsed yet.)
101 */
102static int x509_get_crl_ext( unsigned char **p,
103 const unsigned char *end,
104 x509_buf *ext )
105{
106 int ret;
107 size_t len = 0;
108
109 /* Get explicit tag */
110 if( ( ret = x509_get_ext( p, end, ext, 0) ) != 0 )
111 {
112 if( ret == POLARSSL_ERR_ASN1_UNEXPECTED_TAG )
113 return( 0 );
114
115 return( ret );
116 }
117
118 while( *p < end )
119 {
120 if( ( ret = asn1_get_tag( p, end, &len,
121 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]122 return( POLARSSL_ERR_X509_INVALID_EXTENSIONS + ret );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]123
124 *p += len;
125 }
126
127 if( *p != end )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]128 return( POLARSSL_ERR_X509_INVALID_EXTENSIONS +
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]129 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
130
131 return( 0 );
132}
133
134/*
135 * X.509 CRL v2 entry extensions (no extensions parsed yet.)
136 */
137static int x509_get_crl_entry_ext( unsigned char **p,
138 const unsigned char *end,
139 x509_buf *ext )
140{
141 int ret;
142 size_t len = 0;
143
144 /* OPTIONAL */
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]145 if( end <= *p )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]146 return( 0 );
147
148 ext->tag = **p;
149 ext->p = *p;
150
151 /*
152 * Get CRL-entry extension sequence header
153 * crlEntryExtensions Extensions OPTIONAL -- if present, MUST be v2
154 */
155 if( ( ret = asn1_get_tag( p, end, &ext->len,
156 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
157 {
158 if( ret == POLARSSL_ERR_ASN1_UNEXPECTED_TAG )
159 {
160 ext->p = NULL;
161 return( 0 );
162 }
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]163 return( POLARSSL_ERR_X509_INVALID_EXTENSIONS + ret );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]164 }
165
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]166 end = *p + ext->len;
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]167
168 if( end != *p + ext->len )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]169 return( POLARSSL_ERR_X509_INVALID_EXTENSIONS +
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]170 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
171
172 while( *p < end )
173 {
174 if( ( ret = asn1_get_tag( p, end, &len,
175 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]176 return( POLARSSL_ERR_X509_INVALID_EXTENSIONS + ret );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]177
178 *p += len;
179 }
180
181 if( *p != end )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]182 return( POLARSSL_ERR_X509_INVALID_EXTENSIONS +
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]183 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
184
185 return( 0 );
186}
187
188/*
189 * X.509 CRL Entries
190 */
191static int x509_get_entries( unsigned char **p,
192 const unsigned char *end,
193 x509_crl_entry *entry )
194{
195 int ret;
196 size_t entry_len;
197 x509_crl_entry *cur_entry = entry;
198
199 if( *p == end )
200 return( 0 );
201
202 if( ( ret = asn1_get_tag( p, end, &entry_len,
203 ASN1_SEQUENCE | ASN1_CONSTRUCTED ) ) != 0 )
204 {
205 if( ret == POLARSSL_ERR_ASN1_UNEXPECTED_TAG )
206 return( 0 );
207
208 return( ret );
209 }
210
211 end = *p + entry_len;
212
213 while( *p < end )
214 {
215 size_t len2;
216 const unsigned char *end2;
217
218 if( ( ret = asn1_get_tag( p, end, &len2,
219 ASN1_SEQUENCE | ASN1_CONSTRUCTED ) ) != 0 )
220 {
221 return( ret );
222 }
223
224 cur_entry->raw.tag = **p;
225 cur_entry->raw.p = *p;
226 cur_entry->raw.len = len2;
227 end2 = *p + len2;
228
229 if( ( ret = x509_get_serial( p, end2, &cur_entry->serial ) ) != 0 )
230 return( ret );
231
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200[diff] [blame]232 if( ( ret = x509_get_time( p, end2,
233 &cur_entry->revocation_date ) ) != 0 )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]234 return( ret );
235
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200[diff] [blame]236 if( ( ret = x509_get_crl_entry_ext( p, end2,
237 &cur_entry->entry_ext ) ) != 0 )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]238 return( ret );
239
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]240 if( *p < end )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]241 {
242 cur_entry->next = polarssl_malloc( sizeof( x509_crl_entry ) );
243
244 if( cur_entry->next == NULL )
245 return( POLARSSL_ERR_X509_MALLOC_FAILED );
246
247 cur_entry = cur_entry->next;
248 memset( cur_entry, 0, sizeof( x509_crl_entry ) );
249 }
250 }
251
252 return( 0 );
253}
254
255/*
256 * Parse one or more CRLs and add them to the chained list
257 */
Paul Bakkerddf26b42013-09-18 13:46:23 +0200[diff] [blame]258int x509_crl_parse( x509_crl *chain, const unsigned char *buf, size_t buflen )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]259{
260 int ret;
261 size_t len;
262 unsigned char *p, *end;
263 x509_crl *crl;
Manuel Pégourié-Gonnarddddbb1d2014-06-05 17:02:24 +0200[diff] [blame]264 x509_buf sig_params1, sig_params2;
Manuel Pégourié-Gonnard8e42ff62014-01-24 15:56:20 +0100[diff] [blame]265
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]266#if defined(POLARSSL_PEM_PARSE_C)
267 size_t use_len;
268 pem_context pem;
269#endif
270
Manuel Pégourié-Gonnarddddbb1d2014-06-05 17:02:24 +0200[diff] [blame]271 memset( &sig_params1, 0, sizeof( x509_buf ) );
272 memset( &sig_params2, 0, sizeof( x509_buf ) );
Manuel Pégourié-Gonnard8e42ff62014-01-24 15:56:20 +0100[diff] [blame]273
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]274 crl = chain;
275
276 /*
277 * Check for valid input
278 */
279 if( crl == NULL || buf == NULL )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]280 return( POLARSSL_ERR_X509_BAD_INPUT_DATA );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]281
282 while( crl->version != 0 && crl->next != NULL )
283 crl = crl->next;
284
285 /*
286 * Add new CRL on the end of the chain if needed.
287 */
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]288 if( crl->version != 0 && crl->next == NULL )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]289 {
290 crl->next = (x509_crl *) polarssl_malloc( sizeof( x509_crl ) );
291
292 if( crl->next == NULL )
293 {
294 x509_crl_free( crl );
295 return( POLARSSL_ERR_X509_MALLOC_FAILED );
296 }
297
298 crl = crl->next;
Paul Bakker369d2eb2013-09-18 11:58:25 +0200[diff] [blame]299 x509_crl_init( crl );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]300 }
301
302#if defined(POLARSSL_PEM_PARSE_C)
303 pem_init( &pem );
304 ret = pem_read_buffer( &pem,
305 "-----BEGIN X509 CRL-----",
306 "-----END X509 CRL-----",
307 buf, NULL, 0, &use_len );
308
309 if( ret == 0 )
310 {
311 /*
312 * Was PEM encoded
313 */
314 buflen -= use_len;
315 buf += use_len;
316
317 /*
318 * Steal PEM buffer
319 */
320 p = pem.buf;
321 pem.buf = NULL;
322 len = pem.buflen;
323 pem_free( &pem );
324 }
325 else if( ret != POLARSSL_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
326 {
327 pem_free( &pem );
328 return( ret );
329 }
330 else
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]331#endif /* POLARSSL_PEM_PARSE_C */
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]332 {
333 /*
334 * nope, copy the raw DER data
335 */
336 p = (unsigned char *) polarssl_malloc( len = buflen );
337
338 if( p == NULL )
339 return( POLARSSL_ERR_X509_MALLOC_FAILED );
340
341 memcpy( p, buf, buflen );
342
343 buflen = 0;
344 }
345
346 crl->raw.p = p;
347 crl->raw.len = len;
348 end = p + len;
349
350 /*
351 * CertificateList ::= SEQUENCE {
352 * tbsCertList TBSCertList,
353 * signatureAlgorithm AlgorithmIdentifier,
354 * signatureValue BIT STRING }
355 */
356 if( ( ret = asn1_get_tag( &p, end, &len,
357 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
358 {
359 x509_crl_free( crl );
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]360 return( POLARSSL_ERR_X509_INVALID_FORMAT );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]361 }
362
363 if( len != (size_t) ( end - p ) )
364 {
365 x509_crl_free( crl );
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]366 return( POLARSSL_ERR_X509_INVALID_FORMAT +
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]367 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
368 }
369
370 /*
371 * TBSCertList ::= SEQUENCE {
372 */
373 crl->tbs.p = p;
374
375 if( ( ret = asn1_get_tag( &p, end, &len,
376 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
377 {
378 x509_crl_free( crl );
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]379 return( POLARSSL_ERR_X509_INVALID_FORMAT + ret );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]380 }
381
382 end = p + len;
383 crl->tbs.len = end - crl->tbs.p;
384
385 /*
386 * Version ::= INTEGER OPTIONAL { v1(0), v2(1) }
387 * -- if present, MUST be v2
388 *
389 * signature AlgorithmIdentifier
390 */
391 if( ( ret = x509_crl_get_version( &p, end, &crl->version ) ) != 0 ||
Manuel Pégourié-Gonnarddddbb1d2014-06-05 17:02:24 +0200[diff] [blame]392 ( ret = x509_get_alg( &p, end, &crl->sig_oid1, &sig_params1 ) ) != 0 )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]393 {
394 x509_crl_free( crl );
395 return( ret );
396 }
397
398 crl->version++;
399
400 if( crl->version > 2 )
401 {
402 x509_crl_free( crl );
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]403 return( POLARSSL_ERR_X509_UNKNOWN_VERSION );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]404 }
405
Manuel Pégourié-Gonnarddddbb1d2014-06-05 17:02:24 +0200[diff] [blame]406 if( ( ret = x509_get_sig_alg( &crl->sig_oid1, &sig_params1,
Manuel Pégourié-Gonnardf75f2f72014-06-05 15:14:28 +0200[diff] [blame]407 &crl->sig_md, &crl->sig_pk,
408 &crl->sig_opts ) ) != 0 )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]409 {
410 x509_crl_free( crl );
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]411 return( POLARSSL_ERR_X509_UNKNOWN_SIG_ALG );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]412 }
413
414 /*
415 * issuer Name
416 */
417 crl->issuer_raw.p = p;
418
419 if( ( ret = asn1_get_tag( &p, end, &len,
420 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
421 {
422 x509_crl_free( crl );
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]423 return( POLARSSL_ERR_X509_INVALID_FORMAT + ret );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]424 }
425
426 if( ( ret = x509_get_name( &p, p + len, &crl->issuer ) ) != 0 )
427 {
428 x509_crl_free( crl );
429 return( ret );
430 }
431
432 crl->issuer_raw.len = p - crl->issuer_raw.p;
433
434 /*
435 * thisUpdate Time
436 * nextUpdate Time OPTIONAL
437 */
438 if( ( ret = x509_get_time( &p, end, &crl->this_update ) ) != 0 )
439 {
440 x509_crl_free( crl );
441 return( ret );
442 }
443
444 if( ( ret = x509_get_time( &p, end, &crl->next_update ) ) != 0 )
445 {
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]446 if( ret != ( POLARSSL_ERR_X509_INVALID_DATE +
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]447 POLARSSL_ERR_ASN1_UNEXPECTED_TAG ) &&
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]448 ret != ( POLARSSL_ERR_X509_INVALID_DATE +
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]449 POLARSSL_ERR_ASN1_OUT_OF_DATA ) )
450 {
451 x509_crl_free( crl );
452 return( ret );
453 }
454 }
455
456 /*
457 * revokedCertificates SEQUENCE OF SEQUENCE {
458 * userCertificate CertificateSerialNumber,
459 * revocationDate Time,
460 * crlEntryExtensions Extensions OPTIONAL
461 * -- if present, MUST be v2
462 * } OPTIONAL
463 */
464 if( ( ret = x509_get_entries( &p, end, &crl->entry ) ) != 0 )
465 {
466 x509_crl_free( crl );
467 return( ret );
468 }
469
470 /*
471 * crlExtensions EXPLICIT Extensions OPTIONAL
472 * -- if present, MUST be v2
473 */
474 if( crl->version == 2 )
475 {
476 ret = x509_get_crl_ext( &p, end, &crl->crl_ext );
477
478 if( ret != 0 )
479 {
480 x509_crl_free( crl );
481 return( ret );
482 }
483 }
484
485 if( p != end )
486 {
487 x509_crl_free( crl );
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]488 return( POLARSSL_ERR_X509_INVALID_FORMAT +
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]489 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
490 }
491
492 end = crl->raw.p + crl->raw.len;
493
494 /*
495 * signatureAlgorithm AlgorithmIdentifier,
496 * signatureValue BIT STRING
497 */
Manuel Pégourié-Gonnarddddbb1d2014-06-05 17:02:24 +0200[diff] [blame]498 if( ( ret = x509_get_alg( &p, end, &crl->sig_oid2, &sig_params2 ) ) != 0 )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]499 {
500 x509_crl_free( crl );
501 return( ret );
502 }
503
504 if( crl->sig_oid1.len != crl->sig_oid2.len ||
Manuel Pégourié-Gonnarddddbb1d2014-06-05 17:02:24 +0200[diff] [blame]505 memcmp( crl->sig_oid1.p, crl->sig_oid2.p, crl->sig_oid1.len ) != 0 ||
506 sig_params1.len != sig_params2.len ||
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]507 memcmp( sig_params1.p, sig_params2.p, sig_params1.len ) != 0 )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]508 {
509 x509_crl_free( crl );
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]510 return( POLARSSL_ERR_X509_SIG_MISMATCH );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]511 }
512
513 if( ( ret = x509_get_sig( &p, end, &crl->sig ) ) != 0 )
514 {
515 x509_crl_free( crl );
516 return( ret );
517 }
518
519 if( p != end )
520 {
521 x509_crl_free( crl );
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]522 return( POLARSSL_ERR_X509_INVALID_FORMAT +
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]523 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
524 }
525
526 if( buflen > 0 )
527 {
528 crl->next = (x509_crl *) polarssl_malloc( sizeof( x509_crl ) );
529
530 if( crl->next == NULL )
531 {
532 x509_crl_free( crl );
533 return( POLARSSL_ERR_X509_MALLOC_FAILED );
534 }
535
536 crl = crl->next;
Paul Bakker369d2eb2013-09-18 11:58:25 +0200[diff] [blame]537 x509_crl_init( crl );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]538
Paul Bakkerddf26b42013-09-18 13:46:23 +0200[diff] [blame]539 return( x509_crl_parse( crl, buf, buflen ) );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]540 }
541
542 return( 0 );
543}
544
545#if defined(POLARSSL_FS_IO)
546/*
547 * Load one or more CRLs and add them to the chained list
548 */
Paul Bakkerddf26b42013-09-18 13:46:23 +0200[diff] [blame]549int x509_crl_parse_file( x509_crl *chain, const char *path )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]550{
551 int ret;
552 size_t n;
553 unsigned char *buf;
554
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]555 if( ( ret = x509_load_file( path, &buf, &n ) ) != 0 )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]556 return( ret );
557
Paul Bakkerddf26b42013-09-18 13:46:23 +0200[diff] [blame]558 ret = x509_crl_parse( chain, buf, n );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]559
Paul Bakker34617722014-06-13 17:20:13 +0200[diff] [blame]560 polarssl_zeroize( buf, n + 1 );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]561 polarssl_free( buf );
562
563 return( ret );
564}
565#endif /* POLARSSL_FS_IO */
566
Paul Bakker6edcd412013-10-29 15:22:54 +0100[diff] [blame]567#if defined(_MSC_VER) && !defined snprintf && !defined(EFIX64) && \
568 !defined(EFI32)
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]569#include <stdarg.h>
570
571#if !defined vsnprintf
572#define vsnprintf _vsnprintf
573#endif // vsnprintf
574
575/*
576 * Windows _snprintf and _vsnprintf are not compatible to linux versions.
577 * Result value is not size of buffer needed, but -1 if no fit is possible.
578 *
579 * This fuction tries to 'fix' this by at least suggesting enlarging the
580 * size by 20.
581 */
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]582static int compat_snprintf( char *str, size_t size, const char *format, ... )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]583{
584 va_list ap;
585 int res = -1;
586
587 va_start( ap, format );
588
589 res = vsnprintf( str, size, format, ap );
590
591 va_end( ap );
592
593 // No quick fix possible
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]594 if( res < 0 )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]595 return( (int) size + 20 );
596
Paul Bakkerd8bb8262014-06-17 14:06:49 +0200[diff] [blame]597 return( res );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]598}
599
600#define snprintf compat_snprintf
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]601#endif /* _MSC_VER && !snprintf && !EFIX64 && !EFI32 */
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]602
603#define POLARSSL_ERR_DEBUG_BUF_TOO_SMALL -2
604
Paul Bakkerd8bb8262014-06-17 14:06:49 +0200[diff] [blame]605#define SAFE_SNPRINTF() \
606{ \
607 if( ret == -1 ) \
608 return( -1 ); \
609 \
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]610 if( (unsigned int) ret > n ) { \
Paul Bakkerd8bb8262014-06-17 14:06:49 +0200[diff] [blame]611 p[n - 1] = '\0'; \
612 return( POLARSSL_ERR_DEBUG_BUF_TOO_SMALL ); \
613 } \
614 \
615 n -= (unsigned int) ret; \
616 p += (unsigned int) ret; \
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]617}
618
619/*
620 * Return an informational string about the certificate.
621 */
622#define BEFORE_COLON 14
623#define BC "14"
624/*
625 * Return an informational string about the CRL.
626 */
Paul Bakkerddf26b42013-09-18 13:46:23 +0200[diff] [blame]627int x509_crl_info( char *buf, size_t size, const char *prefix,
628 const x509_crl *crl )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]629{
630 int ret;
631 size_t n;
632 char *p;
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]633 const x509_crl_entry *entry;
634
635 p = buf;
636 n = size;
637
638 ret = snprintf( p, n, "%sCRL version : %d",
639 prefix, crl->version );
640 SAFE_SNPRINTF();
641
642 ret = snprintf( p, n, "\n%sissuer name : ", prefix );
643 SAFE_SNPRINTF();
Paul Bakker86d0c192013-09-18 11:11:02 +0200[diff] [blame]644 ret = x509_dn_gets( p, n, &crl->issuer );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]645 SAFE_SNPRINTF();
646
647 ret = snprintf( p, n, "\n%sthis update : " \
648 "%04d-%02d-%02d %02d:%02d:%02d", prefix,
649 crl->this_update.year, crl->this_update.mon,
650 crl->this_update.day, crl->this_update.hour,
651 crl->this_update.min, crl->this_update.sec );
652 SAFE_SNPRINTF();
653
654 ret = snprintf( p, n, "\n%snext update : " \
655 "%04d-%02d-%02d %02d:%02d:%02d", prefix,
656 crl->next_update.year, crl->next_update.mon,
657 crl->next_update.day, crl->next_update.hour,
658 crl->next_update.min, crl->next_update.sec );
659 SAFE_SNPRINTF();
660
661 entry = &crl->entry;
662
663 ret = snprintf( p, n, "\n%sRevoked certificates:",
664 prefix );
665 SAFE_SNPRINTF();
666
667 while( entry != NULL && entry->raw.len != 0 )
668 {
669 ret = snprintf( p, n, "\n%sserial number: ",
670 prefix );
671 SAFE_SNPRINTF();
672
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]673 ret = x509_serial_gets( p, n, &entry->serial );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]674 SAFE_SNPRINTF();
675
676 ret = snprintf( p, n, " revocation date: " \
677 "%04d-%02d-%02d %02d:%02d:%02d",
678 entry->revocation_date.year, entry->revocation_date.mon,
679 entry->revocation_date.day, entry->revocation_date.hour,
680 entry->revocation_date.min, entry->revocation_date.sec );
681 SAFE_SNPRINTF();
682
683 entry = entry->next;
684 }
685
686 ret = snprintf( p, n, "\n%ssigned using : ", prefix );
687 SAFE_SNPRINTF();
688
Manuel Pégourié-Gonnard91136032014-06-05 15:41:39 +0200[diff] [blame]689 ret = x509_sig_alg_gets( p, n, &crl->sig_oid1, crl->sig_pk, crl->sig_md,
Manuel Pégourié-Gonnardbf696d02014-06-05 17:07:30 +0200[diff] [blame]690 crl->sig_opts );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]691 SAFE_SNPRINTF();
692
693 ret = snprintf( p, n, "\n" );
694 SAFE_SNPRINTF();
695
696 return( (int) ( size - n ) );
697}
698
699/*
Paul Bakker369d2eb2013-09-18 11:58:25 +0200[diff] [blame]700 * Initialize a CRL chain
701 */
702void x509_crl_init( x509_crl *crl )
703{
704 memset( crl, 0, sizeof(x509_crl) );
705}
706
707/*
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]708 * Unallocate all CRL data
709 */
710void x509_crl_free( x509_crl *crl )
711{
712 x509_crl *crl_cur = crl;
713 x509_crl *crl_prv;
714 x509_name *name_cur;
715 x509_name *name_prv;
716 x509_crl_entry *entry_cur;
717 x509_crl_entry *entry_prv;
718
719 if( crl == NULL )
720 return;
721
722 do
723 {
Manuel Pégourié-Gonnardd1539b12014-06-06 16:42:37 +0200[diff] [blame]724#if defined(POLARSSL_X509_RSASSA_PSS_SUPPORT)
Manuel Pégourié-Gonnardf75f2f72014-06-05 15:14:28 +0200[diff] [blame]725 polarssl_free( crl_cur->sig_opts );
726#endif
727
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]728 name_cur = crl_cur->issuer.next;
729 while( name_cur != NULL )
730 {
731 name_prv = name_cur;
732 name_cur = name_cur->next;
Paul Bakker34617722014-06-13 17:20:13 +0200[diff] [blame]733 polarssl_zeroize( name_prv, sizeof( x509_name ) );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]734 polarssl_free( name_prv );
735 }
736
737 entry_cur = crl_cur->entry.next;
738 while( entry_cur != NULL )
739 {
740 entry_prv = entry_cur;
741 entry_cur = entry_cur->next;
Paul Bakker34617722014-06-13 17:20:13 +0200[diff] [blame]742 polarssl_zeroize( entry_prv, sizeof( x509_crl_entry ) );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]743 polarssl_free( entry_prv );
744 }
745
746 if( crl_cur->raw.p != NULL )
747 {
Paul Bakker34617722014-06-13 17:20:13 +0200[diff] [blame]748 polarssl_zeroize( crl_cur->raw.p, crl_cur->raw.len );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]749 polarssl_free( crl_cur->raw.p );
750 }
751
752 crl_cur = crl_cur->next;
753 }
754 while( crl_cur != NULL );
755
756 crl_cur = crl;
757 do
758 {
759 crl_prv = crl_cur;
760 crl_cur = crl_cur->next;
761
Paul Bakker34617722014-06-13 17:20:13 +0200[diff] [blame]762 polarssl_zeroize( crl_prv, sizeof( x509_crl ) );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]763 if( crl_prv != crl )
764 polarssl_free( crl_prv );
765 }
766 while( crl_cur != NULL );
767}
768
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]769#endif /* POLARSSL_X509_CRL_PARSE_C */