TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 7c02d13746e8cefd9a7553f8ae4fc67d03b14e2d / . / library / x509.c
blob: cb6fc6ca2f204763dbc313e9915a5cd6e1643b76 [file] [log] [blame]
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]1/*
Manuel Pégourié-Gonnard1c082f32014-06-12 22:34:55 +0200[diff] [blame]2 * X.509 common functions for parsing and verification
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]3 *
Manuel Pégourié-Gonnarda658a402015-01-23 09:45:19 +0000[diff] [blame]4 * Copyright (C) 2006-2014, ARM Limited, All Rights Reserved
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]5 *
Manuel Pégourié-Gonnardfe446432015-03-06 13:17:10 +0000[diff] [blame]6 * This file is part of mbed TLS (https://tls.mbed.org)
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]7 *
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
12 *
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17 *
18 * You should have received a copy of the GNU General Public License along
19 * with this program; if not, write to the Free Software Foundation, Inc.,
20 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
21 */
22/*
23 * The ITU-T X.509 standard defines a certificate format for PKI.
24 *
Manuel Pégourié-Gonnard1c082f32014-06-12 22:34:55 +0200[diff] [blame]25 * http://www.ietf.org/rfc/rfc5280.txt (Certificates and CRLs)
26 * http://www.ietf.org/rfc/rfc3279.txt (Alg IDs for CRLs)
27 * http://www.ietf.org/rfc/rfc2986.txt (CSRs, aka PKCS#10)
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]28 *
29 * http://www.itu.int/ITU-T/studygroups/com17/languages/X.680-0207.pdf
30 * http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf
31 */
32
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]33#if !defined(POLARSSL_CONFIG_FILE)
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]34#include "polarssl/config.h"
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]35#else
36#include POLARSSL_CONFIG_FILE
37#endif
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]38
39#if defined(POLARSSL_X509_USE_C)
40
41#include "polarssl/x509.h"
42#include "polarssl/asn1.h"
43#include "polarssl/oid.h"
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]44
Rich Evans36796df2015-02-12 18:27:14 +0000[diff] [blame]45#include <stdio.h>
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]46#include <string.h>
47
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]48#if defined(POLARSSL_PEM_PARSE_C)
49#include "polarssl/pem.h"
50#endif
51
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]52#if defined(POLARSSL_PLATFORM_C)
53#include "polarssl/platform.h"
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]54#else
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]55#include <stdio.h>
56#include <stdlib.h>
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]57#define polarssl_free free
Rich Evansfac657f2015-01-30 11:00:01 +0000[diff] [blame]58#define polarssl_malloc malloc
59#define polarssl_printf printf
60#define polarssl_snprintf snprintf
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]61#endif
62
Paul Bakkerfa6a6202013-10-28 18:48:30 +0100[diff] [blame]63#if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]64#include <windows.h>
65#else
66#include <time.h>
67#endif
68
69#if defined(POLARSSL_FS_IO)
Rich Evans36796df2015-02-12 18:27:14 +0000[diff] [blame]70#include <stdio.h>
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]71#if !defined(_WIN32)
72#include <sys/types.h>
73#include <sys/stat.h>
74#include <dirent.h>
75#endif
76#endif
77
Rich Evans7d5a55a2015-02-13 11:48:02 +0000[diff] [blame]78#define CHECK(code) if( ( ret = code ) != 0 ){ return( ret ); }
Andres AG0da3e442016-09-23 13:16:02 +0100[diff] [blame]79#define CHECK_RANGE(min, max, val) if( val < min || val > max ){ return( ret ); }
Rich Evans7d5a55a2015-02-13 11:48:02 +0000[diff] [blame]80
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]81/*
82 * CertificateSerialNumber ::= INTEGER
83 */
84int x509_get_serial( unsigned char **p, const unsigned char *end,
85 x509_buf *serial )
86{
87 int ret;
88
89 if( ( end - *p ) < 1 )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]90 return( POLARSSL_ERR_X509_INVALID_SERIAL +
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]91 POLARSSL_ERR_ASN1_OUT_OF_DATA );
92
93 if( **p != ( ASN1_CONTEXT_SPECIFIC | ASN1_PRIMITIVE | 2 ) &&
94 **p != ASN1_INTEGER )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]95 return( POLARSSL_ERR_X509_INVALID_SERIAL +
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]96 POLARSSL_ERR_ASN1_UNEXPECTED_TAG );
97
98 serial->tag = *(*p)++;
99
100 if( ( ret = asn1_get_len( p, end, &serial->len ) ) != 0 )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]101 return( POLARSSL_ERR_X509_INVALID_SERIAL + ret );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]102
103 serial->p = *p;
104 *p += serial->len;
105
106 return( 0 );
107}
108
109/* Get an algorithm identifier without parameters (eg for signatures)
110 *
111 * AlgorithmIdentifier ::= SEQUENCE {
112 * algorithm OBJECT IDENTIFIER,
113 * parameters ANY DEFINED BY algorithm OPTIONAL }
114 */
115int x509_get_alg_null( unsigned char **p, const unsigned char *end,
116 x509_buf *alg )
117{
118 int ret;
119
120 if( ( ret = asn1_get_alg_null( p, end, alg ) ) != 0 )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]121 return( POLARSSL_ERR_X509_INVALID_ALG + ret );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]122
123 return( 0 );
124}
125
126/*
Manuel Pégourié-Gonnard59a75d52014-01-22 10:12:57 +0100[diff] [blame]127 * Parse an algorithm identifier with (optional) paramaters
128 */
129int x509_get_alg( unsigned char **p, const unsigned char *end,
130 x509_buf *alg, x509_buf *params )
131{
132 int ret;
133
134 if( ( ret = asn1_get_alg( p, end, alg, params ) ) != 0 )
135 return( POLARSSL_ERR_X509_INVALID_ALG + ret );
136
137 return( 0 );
138}
139
Manuel Pégourié-Gonnardd1539b12014-06-06 16:42:37 +0200[diff] [blame]140#if defined(POLARSSL_X509_RSASSA_PSS_SUPPORT)
Manuel Pégourié-Gonnard59a75d52014-01-22 10:12:57 +0100[diff] [blame]141/*
Manuel Pégourié-Gonnarde76b7502014-01-23 19:15:29 +0100[diff] [blame]142 * HashAlgorithm ::= AlgorithmIdentifier
143 *
144 * AlgorithmIdentifier ::= SEQUENCE {
145 * algorithm OBJECT IDENTIFIER,
146 * parameters ANY DEFINED BY algorithm OPTIONAL }
147 *
148 * For HashAlgorithm, parameters MUST be NULL or absent.
149 */
150static int x509_get_hash_alg( const x509_buf *alg, md_type_t *md_alg )
151{
152 int ret;
153 unsigned char *p;
154 const unsigned char *end;
155 x509_buf md_oid;
156 size_t len;
157
158 /* Make sure we got a SEQUENCE and setup bounds */
159 if( alg->tag != ( ASN1_CONSTRUCTED | ASN1_SEQUENCE ) )
160 return( POLARSSL_ERR_X509_INVALID_ALG +
161 POLARSSL_ERR_ASN1_UNEXPECTED_TAG );
162
163 p = (unsigned char *) alg->p;
164 end = p + alg->len;
165
166 if( p >= end )
167 return( POLARSSL_ERR_X509_INVALID_ALG +
168 POLARSSL_ERR_ASN1_OUT_OF_DATA );
169
170 /* Parse md_oid */
171 md_oid.tag = *p;
172
173 if( ( ret = asn1_get_tag( &p, end, &md_oid.len, ASN1_OID ) ) != 0 )
174 return( POLARSSL_ERR_X509_INVALID_ALG + ret );
175
176 md_oid.p = p;
177 p += md_oid.len;
178
179 /* Get md_alg from md_oid */
180 if( ( ret = oid_get_md_alg( &md_oid, md_alg ) ) != 0 )
181 return( POLARSSL_ERR_X509_INVALID_ALG + ret );
182
183 /* Make sure params is absent of NULL */
184 if( p == end )
185 return( 0 );
186
Manuel Pégourié-Gonnard9c9cf5b2014-01-24 14:15:20 +0100[diff] [blame]187 if( ( ret = asn1_get_tag( &p, end, &len, ASN1_NULL ) ) != 0 || len != 0 )
Manuel Pégourié-Gonnarde76b7502014-01-23 19:15:29 +0100[diff] [blame]188 return( POLARSSL_ERR_X509_INVALID_ALG + ret );
189
190 if( p != end )
191 return( POLARSSL_ERR_X509_INVALID_ALG +
192 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
193
194 return( 0 );
195}
196
197/*
Manuel Pégourié-Gonnardf346bab2014-01-23 16:24:44 +0100[diff] [blame]198 * RSASSA-PSS-params ::= SEQUENCE {
199 * hashAlgorithm [0] HashAlgorithm DEFAULT sha1Identifier,
200 * maskGenAlgorithm [1] MaskGenAlgorithm DEFAULT mgf1SHA1Identifier,
201 * saltLength [2] INTEGER DEFAULT 20,
202 * trailerField [3] INTEGER DEFAULT 1 }
203 * -- Note that the tags in this Sequence are explicit.
Manuel Pégourié-Gonnard78117d52014-05-31 17:08:16 +0200[diff] [blame]204 *
205 * RFC 4055 (which defines use of RSASSA-PSS in PKIX) states that the value
206 * of trailerField MUST be 1, and PKCS#1 v2.2 doesn't even define any other
207 * option. Enfore this at parsing time.
Manuel Pégourié-Gonnardf346bab2014-01-23 16:24:44 +0100[diff] [blame]208 */
209int x509_get_rsassa_pss_params( const x509_buf *params,
Manuel Pégourié-Gonnarde76b7502014-01-23 19:15:29 +0100[diff] [blame]210 md_type_t *md_alg, md_type_t *mgf_md,
Manuel Pégourié-Gonnard78117d52014-05-31 17:08:16 +0200[diff] [blame]211 int *salt_len )
Manuel Pégourié-Gonnardf346bab2014-01-23 16:24:44 +0100[diff] [blame]212{
213 int ret;
214 unsigned char *p;
Manuel Pégourié-Gonnard9c9cf5b2014-01-24 14:15:20 +0100[diff] [blame]215 const unsigned char *end, *end2;
Manuel Pégourié-Gonnardf346bab2014-01-23 16:24:44 +0100[diff] [blame]216 size_t len;
Manuel Pégourié-Gonnarde76b7502014-01-23 19:15:29 +0100[diff] [blame]217 x509_buf alg_id, alg_params;
Manuel Pégourié-Gonnardf346bab2014-01-23 16:24:44 +0100[diff] [blame]218
219 /* First set everything to defaults */
220 *md_alg = POLARSSL_MD_SHA1;
Manuel Pégourié-Gonnarde76b7502014-01-23 19:15:29 +0100[diff] [blame]221 *mgf_md = POLARSSL_MD_SHA1;
Manuel Pégourié-Gonnardf346bab2014-01-23 16:24:44 +0100[diff] [blame]222 *salt_len = 20;
Manuel Pégourié-Gonnardf346bab2014-01-23 16:24:44 +0100[diff] [blame]223
224 /* Make sure params is a SEQUENCE and setup bounds */
225 if( params->tag != ( ASN1_CONSTRUCTED | ASN1_SEQUENCE ) )
226 return( POLARSSL_ERR_X509_INVALID_ALG +
227 POLARSSL_ERR_ASN1_UNEXPECTED_TAG );
228
229 p = (unsigned char *) params->p;
230 end = p + params->len;
231
232 if( p == end )
233 return( 0 );
234
Manuel Pégourié-Gonnard9c9cf5b2014-01-24 14:15:20 +0100[diff] [blame]235 /*
236 * HashAlgorithm
237 */
Manuel Pégourié-Gonnardf346bab2014-01-23 16:24:44 +0100[diff] [blame]238 if( ( ret = asn1_get_tag( &p, end, &len,
239 ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 0 ) ) == 0 )
240 {
Manuel Pégourié-Gonnard9c9cf5b2014-01-24 14:15:20 +0100[diff] [blame]241 end2 = p + len;
242
Manuel Pégourié-Gonnarde76b7502014-01-23 19:15:29 +0100[diff] [blame]243 /* HashAlgorithm ::= AlgorithmIdentifier (without parameters) */
Manuel Pégourié-Gonnard9c9cf5b2014-01-24 14:15:20 +0100[diff] [blame]244 if( ( ret = x509_get_alg_null( &p, end2, &alg_id ) ) != 0 )
Manuel Pégourié-Gonnarde76b7502014-01-23 19:15:29 +0100[diff] [blame]245 return( ret );
246
247 if( ( ret = oid_get_md_alg( &alg_id, md_alg ) ) != 0 )
248 return( POLARSSL_ERR_X509_INVALID_ALG + ret );
Manuel Pégourié-Gonnard9c9cf5b2014-01-24 14:15:20 +0100[diff] [blame]249
250 if( p != end2 )
251 return( POLARSSL_ERR_X509_INVALID_ALG +
252 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
Manuel Pégourié-Gonnardf346bab2014-01-23 16:24:44 +0100[diff] [blame]253 }
254 else if( ret != POLARSSL_ERR_ASN1_UNEXPECTED_TAG )
255 return( POLARSSL_ERR_X509_INVALID_ALG + ret );
256
Manuel Pégourié-Gonnard9c9cf5b2014-01-24 14:15:20 +0100[diff] [blame]257 if( p == end )
258 return( 0 );
259
260 /*
261 * MaskGenAlgorithm
262 */
Manuel Pégourié-Gonnardf346bab2014-01-23 16:24:44 +0100[diff] [blame]263 if( ( ret = asn1_get_tag( &p, end, &len,
264 ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 1 ) ) == 0 )
265 {
Manuel Pégourié-Gonnard9c9cf5b2014-01-24 14:15:20 +0100[diff] [blame]266 end2 = p + len;
267
Manuel Pégourié-Gonnarde76b7502014-01-23 19:15:29 +0100[diff] [blame]268 /* MaskGenAlgorithm ::= AlgorithmIdentifier (params = HashAlgorithm) */
Manuel Pégourié-Gonnard9c9cf5b2014-01-24 14:15:20 +0100[diff] [blame]269 if( ( ret = x509_get_alg( &p, end2, &alg_id, &alg_params ) ) != 0 )
Manuel Pégourié-Gonnarde76b7502014-01-23 19:15:29 +0100[diff] [blame]270 return( ret );
271
272 /* Only MFG1 is recognised for now */
273 if( ! OID_CMP( OID_MGF1, &alg_id ) )
274 return( POLARSSL_ERR_X509_FEATURE_UNAVAILABLE +
275 POLARSSL_ERR_OID_NOT_FOUND );
276
277 /* Parse HashAlgorithm */
278 if( ( ret = x509_get_hash_alg( &alg_params, mgf_md ) ) != 0 )
279 return( ret );
Manuel Pégourié-Gonnard9c9cf5b2014-01-24 14:15:20 +0100[diff] [blame]280
281 if( p != end2 )
282 return( POLARSSL_ERR_X509_INVALID_ALG +
283 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
Manuel Pégourié-Gonnardf346bab2014-01-23 16:24:44 +0100[diff] [blame]284 }
285 else if( ret != POLARSSL_ERR_ASN1_UNEXPECTED_TAG )
286 return( POLARSSL_ERR_X509_INVALID_ALG + ret );
287
288 if( p == end )
289 return( 0 );
290
Manuel Pégourié-Gonnard9c9cf5b2014-01-24 14:15:20 +0100[diff] [blame]291 /*
292 * salt_len
293 */
Manuel Pégourié-Gonnardf346bab2014-01-23 16:24:44 +0100[diff] [blame]294 if( ( ret = asn1_get_tag( &p, end, &len,
295 ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 2 ) ) == 0 )
296 {
Manuel Pégourié-Gonnard9c9cf5b2014-01-24 14:15:20 +0100[diff] [blame]297 end2 = p + len;
298
299 if( ( ret = asn1_get_int( &p, end2, salt_len ) ) != 0 )
Manuel Pégourié-Gonnardf346bab2014-01-23 16:24:44 +0100[diff] [blame]300 return( POLARSSL_ERR_X509_INVALID_ALG + ret );
Manuel Pégourié-Gonnard9c9cf5b2014-01-24 14:15:20 +0100[diff] [blame]301
302 if( p != end2 )
303 return( POLARSSL_ERR_X509_INVALID_ALG +
304 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
Manuel Pégourié-Gonnardf346bab2014-01-23 16:24:44 +0100[diff] [blame]305 }
306 else if( ret != POLARSSL_ERR_ASN1_UNEXPECTED_TAG )
307 return( POLARSSL_ERR_X509_INVALID_ALG + ret );
308
309 if( p == end )
310 return( 0 );
311
Manuel Pégourié-Gonnard9c9cf5b2014-01-24 14:15:20 +0100[diff] [blame]312 /*
Manuel Pégourié-Gonnard78117d52014-05-31 17:08:16 +0200[diff] [blame]313 * trailer_field (if present, must be 1)
Manuel Pégourié-Gonnard9c9cf5b2014-01-24 14:15:20 +0100[diff] [blame]314 */
Manuel Pégourié-Gonnardf346bab2014-01-23 16:24:44 +0100[diff] [blame]315 if( ( ret = asn1_get_tag( &p, end, &len,
316 ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 3 ) ) == 0 )
317 {
Manuel Pégourié-Gonnard78117d52014-05-31 17:08:16 +0200[diff] [blame]318 int trailer_field;
319
Manuel Pégourié-Gonnard9c9cf5b2014-01-24 14:15:20 +0100[diff] [blame]320 end2 = p + len;
321
Manuel Pégourié-Gonnard78117d52014-05-31 17:08:16 +0200[diff] [blame]322 if( ( ret = asn1_get_int( &p, end2, &trailer_field ) ) != 0 )
Manuel Pégourié-Gonnardf346bab2014-01-23 16:24:44 +0100[diff] [blame]323 return( POLARSSL_ERR_X509_INVALID_ALG + ret );
Manuel Pégourié-Gonnard9c9cf5b2014-01-24 14:15:20 +0100[diff] [blame]324
325 if( p != end2 )
326 return( POLARSSL_ERR_X509_INVALID_ALG +
327 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
Manuel Pégourié-Gonnard78117d52014-05-31 17:08:16 +0200[diff] [blame]328
329 if( trailer_field != 1 )
330 return( POLARSSL_ERR_X509_INVALID_ALG );
Manuel Pégourié-Gonnardf346bab2014-01-23 16:24:44 +0100[diff] [blame]331 }
332 else if( ret != POLARSSL_ERR_ASN1_UNEXPECTED_TAG )
333 return( POLARSSL_ERR_X509_INVALID_ALG + ret );
334
335 if( p != end )
336 return( POLARSSL_ERR_X509_INVALID_ALG +
337 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
338
339 return( 0 );
340}
Manuel Pégourié-Gonnardd1539b12014-06-06 16:42:37 +0200[diff] [blame]341#endif /* POLARSSL_X509_RSASSA_PSS_SUPPORT */
Manuel Pégourié-Gonnardf346bab2014-01-23 16:24:44 +0100[diff] [blame]342
343/*
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]344 * AttributeTypeAndValue ::= SEQUENCE {
345 * type AttributeType,
346 * value AttributeValue }
347 *
348 * AttributeType ::= OBJECT IDENTIFIER
349 *
350 * AttributeValue ::= ANY DEFINED BY AttributeType
351 */
352static int x509_get_attr_type_value( unsigned char **p,
353 const unsigned char *end,
354 x509_name *cur )
355{
356 int ret;
357 size_t len;
358 x509_buf *oid;
359 x509_buf *val;
360
361 if( ( ret = asn1_get_tag( p, end, &len,
362 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]363 return( POLARSSL_ERR_X509_INVALID_NAME + ret );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]364
365 if( ( end - *p ) < 1 )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]366 return( POLARSSL_ERR_X509_INVALID_NAME +
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]367 POLARSSL_ERR_ASN1_OUT_OF_DATA );
368
369 oid = &cur->oid;
370 oid->tag = **p;
371
372 if( ( ret = asn1_get_tag( p, end, &oid->len, ASN1_OID ) ) != 0 )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]373 return( POLARSSL_ERR_X509_INVALID_NAME + ret );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]374
375 oid->p = *p;
376 *p += oid->len;
377
378 if( ( end - *p ) < 1 )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]379 return( POLARSSL_ERR_X509_INVALID_NAME +
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]380 POLARSSL_ERR_ASN1_OUT_OF_DATA );
381
382 if( **p != ASN1_BMP_STRING && **p != ASN1_UTF8_STRING &&
383 **p != ASN1_T61_STRING && **p != ASN1_PRINTABLE_STRING &&
Manuel Pégourié-Gonnarddd5dbca2015-03-27 13:03:09 +0100[diff] [blame]384 **p != ASN1_IA5_STRING && **p != ASN1_UNIVERSAL_STRING &&
385 **p != ASN1_BIT_STRING )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]386 return( POLARSSL_ERR_X509_INVALID_NAME +
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]387 POLARSSL_ERR_ASN1_UNEXPECTED_TAG );
388
389 val = &cur->val;
390 val->tag = *(*p)++;
391
392 if( ( ret = asn1_get_len( p, end, &val->len ) ) != 0 )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]393 return( POLARSSL_ERR_X509_INVALID_NAME + ret );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]394
395 val->p = *p;
396 *p += val->len;
397
398 cur->next = NULL;
399
400 return( 0 );
401}
402
403/*
Manuel Pégourié-Gonnard555fbf82015-02-04 17:11:55 +0000[diff] [blame]404 * Name ::= CHOICE { -- only one possibility for now --
405 * rdnSequence RDNSequence }
406 *
407 * RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
408 *
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]409 * RelativeDistinguishedName ::=
410 * SET OF AttributeTypeAndValue
411 *
412 * AttributeTypeAndValue ::= SEQUENCE {
413 * type AttributeType,
414 * value AttributeValue }
415 *
416 * AttributeType ::= OBJECT IDENTIFIER
417 *
418 * AttributeValue ::= ANY DEFINED BY AttributeType
Manuel Pégourié-Gonnard5d861852014-10-17 12:41:41 +0200[diff] [blame]419 *
Manuel Pégourié-Gonnard555fbf82015-02-04 17:11:55 +0000[diff] [blame]420 * The data structure is optimized for the common case where each RDN has only
421 * one element, which is represented as a list of AttributeTypeAndValue.
422 * For the general case we still use a flat list, but we mark elements of the
423 * same set so that they are "merged" together in the functions that consume
424 * this list, eg x509_dn_gets().
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]425 */
426int x509_get_name( unsigned char **p, const unsigned char *end,
427 x509_name *cur )
428{
429 int ret;
Manuel Pégourié-Gonnard5d861852014-10-17 12:41:41 +0200[diff] [blame]430 size_t set_len;
431 const unsigned char *end_set;
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]432
Manuel Pégourié-Gonnardd6814432014-11-12 01:25:31 +0100[diff] [blame]433 /* don't use recursion, we'd risk stack overflow if not optimized */
434 while( 1 )
435 {
436 /*
Manuel Pégourié-Gonnard555fbf82015-02-04 17:11:55 +0000[diff] [blame]437 * parse SET
Manuel Pégourié-Gonnardd6814432014-11-12 01:25:31 +0100[diff] [blame]438 */
439 if( ( ret = asn1_get_tag( p, end, &set_len,
440 ASN1_CONSTRUCTED | ASN1_SET ) ) != 0 )
441 return( POLARSSL_ERR_X509_INVALID_NAME + ret );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]442
Manuel Pégourié-Gonnardd6814432014-11-12 01:25:31 +0100[diff] [blame]443 end_set = *p + set_len;
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]444
Manuel Pégourié-Gonnard555fbf82015-02-04 17:11:55 +0000[diff] [blame]445 while( 1 )
446 {
447 if( ( ret = x509_get_attr_type_value( p, end_set, cur ) ) != 0 )
448 return( ret );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]449
Manuel Pégourié-Gonnard555fbf82015-02-04 17:11:55 +0000[diff] [blame]450 if( *p == end_set )
451 break;
452
Nicholas Wilsond0fa5cc2015-05-11 10:39:49 +0100[diff] [blame]453 /* Mark this item as being not the only one in a set */
Manuel Pégourié-Gonnard555fbf82015-02-04 17:11:55 +0000[diff] [blame]454 cur->next_merged = 1;
455
Mansour Moufidc531b4a2015-02-15 17:35:38 -0500[diff] [blame]456 cur->next = polarssl_malloc( sizeof( x509_name ) );
Manuel Pégourié-Gonnard555fbf82015-02-04 17:11:55 +0000[diff] [blame]457
458 if( cur->next == NULL )
459 return( POLARSSL_ERR_X509_MALLOC_FAILED );
460
461 memset( cur->next, 0, sizeof( x509_name ) );
462
463 cur = cur->next;
464 }
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]465
Manuel Pégourié-Gonnardd6814432014-11-12 01:25:31 +0100[diff] [blame]466 /*
467 * continue until end of SEQUENCE is reached
468 */
469 if( *p == end )
470 return( 0 );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]471
Mansour Moufidc531b4a2015-02-15 17:35:38 -0500[diff] [blame]472 cur->next = polarssl_malloc( sizeof( x509_name ) );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]473
Manuel Pégourié-Gonnardd6814432014-11-12 01:25:31 +0100[diff] [blame]474 if( cur->next == NULL )
475 return( POLARSSL_ERR_X509_MALLOC_FAILED );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]476
Manuel Pégourié-Gonnardd6814432014-11-12 01:25:31 +0100[diff] [blame]477 memset( cur->next, 0, sizeof( x509_name ) );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]478
Manuel Pégourié-Gonnardd6814432014-11-12 01:25:31 +0100[diff] [blame]479 cur = cur->next;
480 }
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]481}
482
Andres Amaya Garciacf428732017-07-31 16:40:12 +0100[diff] [blame]483static int x509_parse_int( unsigned char **p, size_t n, int *res )
484{
Rich Evans7d5a55a2015-02-13 11:48:02 +0000[diff] [blame]485 *res = 0;
Andres Amaya Garciacf428732017-07-31 16:40:12 +0100[diff] [blame]486
487 for( ; n > 0; --n )
488 {
489 if( ( **p < '0') || ( **p > '9' ) )
490 return( POLARSSL_ERR_X509_INVALID_DATE );
491
Rich Evans7d5a55a2015-02-13 11:48:02 +0000[diff] [blame]492 *res *= 10;
Andres Amaya Garciacf428732017-07-31 16:40:12 +0100[diff] [blame]493 *res += ( *(*p)++ - '0' );
Rich Evans7d5a55a2015-02-13 11:48:02 +0000[diff] [blame]494 }
Andres Amaya Garciacf428732017-07-31 16:40:12 +0100[diff] [blame]495
496 return( 0 );
Rich Evans7d5a55a2015-02-13 11:48:02 +0000[diff] [blame]497}
498
Hanno Beckerab3fbc22017-04-26 15:01:23 +0100[diff] [blame]499static int x509_date_is_valid(const x509_time *t)
Andres AG0da3e442016-09-23 13:16:02 +0100[diff] [blame]500{
501 int ret = POLARSSL_ERR_X509_INVALID_DATE;
Andres AG7c02d132016-11-21 15:38:02 +0000[diff] [blame^]502 int month_len;
Andres AG0da3e442016-09-23 13:16:02 +0100[diff] [blame]503
Hanno Beckerab3fbc22017-04-26 15:01:23 +0100[diff] [blame]504 CHECK_RANGE( 0, 9999, t->year );
505 CHECK_RANGE( 0, 23, t->hour );
506 CHECK_RANGE( 0, 59, t->min );
507 CHECK_RANGE( 0, 59, t->sec );
Andres AG0da3e442016-09-23 13:16:02 +0100[diff] [blame]508
Hanno Beckerab3fbc22017-04-26 15:01:23 +0100[diff] [blame]509 switch( t->mon )
Andres AG0da3e442016-09-23 13:16:02 +0100[diff] [blame]510 {
511 case 1: case 3: case 5: case 7: case 8: case 10: case 12:
Andres AG7c02d132016-11-21 15:38:02 +0000[diff] [blame^]512 month_len = 31;
Andres AG0da3e442016-09-23 13:16:02 +0100[diff] [blame]513 break;
514 case 4: case 6: case 9: case 11:
Andres AG7c02d132016-11-21 15:38:02 +0000[diff] [blame^]515 month_len = 30;
Andres AG0da3e442016-09-23 13:16:02 +0100[diff] [blame]516 break;
517 case 2:
Andres AG7c02d132016-11-21 15:38:02 +0000[diff] [blame^]518 if( ( !( t->year % 4 ) && t->year % 100 ) ||
519 !( t->year % 400 ) )
520 month_len = 29;
521 else
522 month_len = 28;
Andres AG0da3e442016-09-23 13:16:02 +0100[diff] [blame]523 break;
524 default:
525 return( ret );
526 }
Andres AG7c02d132016-11-21 15:38:02 +0000[diff] [blame^]527 CHECK_RANGE( 1, month_len, t->day );
Andres AG0da3e442016-09-23 13:16:02 +0100[diff] [blame]528
529 return( 0 );
530}
531
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]532/*
Janos Follath17da9dd2016-09-19 09:35:18 +0100[diff] [blame]533 * Parse an ASN1_UTC_TIME (yearlen=2) or ASN1_GENERALIZED_TIME (yearlen=4) field.
534 */
Hanno Beckerab3fbc22017-04-26 15:01:23 +0100[diff] [blame]535static int x509_parse_time( unsigned char **p, size_t len, size_t yearlen,
536 x509_time *tm )
Janos Follath17da9dd2016-09-19 09:35:18 +0100[diff] [blame]537{
538 int ret;
539
540 /*
541 * minimum length is 10 or 12 depending on yearlen
542 */
543 if ( len < yearlen + 8 )
544 return POLARSSL_ERR_X509_INVALID_DATE;
545 len -= yearlen + 8;
546
547 /*
548 * parse year, month, day, hour, minute
549 */
Hanno Beckerab3fbc22017-04-26 15:01:23 +0100[diff] [blame]550 CHECK( x509_parse_int( p, yearlen, &tm->year ) );
Janos Follath17da9dd2016-09-19 09:35:18 +0100[diff] [blame]551 if ( 2 == yearlen )
552 {
Hanno Beckerab3fbc22017-04-26 15:01:23 +0100[diff] [blame]553 if ( tm->year < 50 )
554 tm->year += 100;
Janos Follath17da9dd2016-09-19 09:35:18 +0100[diff] [blame]555
Hanno Beckerab3fbc22017-04-26 15:01:23 +0100[diff] [blame]556 tm->year += 1900;
Janos Follath17da9dd2016-09-19 09:35:18 +0100[diff] [blame]557 }
558
Hanno Beckerab3fbc22017-04-26 15:01:23 +0100[diff] [blame]559 CHECK( x509_parse_int( p, 2, &tm->mon ) );
560 CHECK( x509_parse_int( p, 2, &tm->day ) );
561 CHECK( x509_parse_int( p, 2, &tm->hour ) );
562 CHECK( x509_parse_int( p, 2, &tm->min ) );
Janos Follath17da9dd2016-09-19 09:35:18 +0100[diff] [blame]563
564 /*
Hanno Beckerab3fbc22017-04-26 15:01:23 +0100[diff] [blame]565 * parse seconds if present
Janos Follath17da9dd2016-09-19 09:35:18 +0100[diff] [blame]566 */
567 if ( len >= 2 && **p >= '0' && **p <= '9' )
568 {
Hanno Beckerab3fbc22017-04-26 15:01:23 +0100[diff] [blame]569 CHECK( x509_parse_int( p, 2, &tm->sec ) );
Janos Follath17da9dd2016-09-19 09:35:18 +0100[diff] [blame]570 len -= 2;
571 }
572 else
573 {
574#if defined(POLARSSL_X509_ALLOW_RELAXED_DATE)
575 /*
576 * if relaxed mode, allow seconds to be absent
577 */
Hanno Beckerab3fbc22017-04-26 15:01:23 +0100[diff] [blame]578 tm->sec = 0;
Janos Follath17da9dd2016-09-19 09:35:18 +0100[diff] [blame]579#else
580 return POLARSSL_ERR_X509_INVALID_DATE;
581#endif
582 }
583
584 /*
585 * parse trailing 'Z' if present
586 */
587 if ( 1 == len && 'Z' == **p )
588 {
589 (*p)++;
590 return 0;
591 }
592#if defined(POLARSSL_X509_ALLOW_RELAXED_DATE)
593 /*
594 * if relaxed mode, allow timezone to be present
595 */
596 else if ( 5 == len && ( '+' == **p || '-' == **p ) )
597 {
598 int tz; /* throwaway timezone */
599
600 (*p)++;
601 CHECK( x509_parse_int( p, 4, &tz ) );
602
603 return 0;
604 }
605#endif
606 /*
607 * okay if no trailing 'Z' or timezone specified
608 */
609 else if ( 0 == len )
610 return 0;
611 else
612 return POLARSSL_ERR_X509_INVALID_DATE;
613}
614
615/*
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]616 * Time ::= CHOICE {
617 * utcTime UTCTime,
618 * generalTime GeneralizedTime }
619 */
620int x509_get_time( unsigned char **p, const unsigned char *end,
Hanno Beckerab3fbc22017-04-26 15:01:23 +0100[diff] [blame]621 x509_time *tm )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]622{
623 int ret;
624 size_t len;
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]625 unsigned char tag;
626
627 if( ( end - *p ) < 1 )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]628 return( POLARSSL_ERR_X509_INVALID_DATE +
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]629 POLARSSL_ERR_ASN1_OUT_OF_DATA );
630
631 tag = **p;
632
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]633 if( tag == ASN1_UTC_TIME )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]634 {
635 (*p)++;
636 ret = asn1_get_len( p, end, &len );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]637 if( ret != 0 )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]638 return( POLARSSL_ERR_X509_INVALID_DATE + ret );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]639
Hanno Beckerab3fbc22017-04-26 15:01:23 +0100[diff] [blame]640 CHECK( x509_parse_time( p, len, 2, tm ) );
Simon Butcher2d0ffbb2016-10-17 22:32:47 +0100[diff] [blame]641
Hanno Beckerab3fbc22017-04-26 15:01:23 +0100[diff] [blame]642 CHECK( x509_date_is_valid( tm ) );
Simon Butcher2d0ffbb2016-10-17 22:32:47 +0100[diff] [blame]643
644 return( 0 );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]645 }
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]646 else if( tag == ASN1_GENERALIZED_TIME )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]647 {
648 (*p)++;
649 ret = asn1_get_len( p, end, &len );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]650 if( ret != 0 )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]651 return( POLARSSL_ERR_X509_INVALID_DATE + ret );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]652
Hanno Beckerab3fbc22017-04-26 15:01:23 +0100[diff] [blame]653 CHECK( x509_parse_time( p, len, 4, tm ) );
Simon Butcher2d0ffbb2016-10-17 22:32:47 +0100[diff] [blame]654
Hanno Beckerab3fbc22017-04-26 15:01:23 +0100[diff] [blame]655 CHECK( x509_date_is_valid( tm ) );
Simon Butcher2d0ffbb2016-10-17 22:32:47 +0100[diff] [blame]656
657 return( 0 );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]658 }
659 else
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]660 return( POLARSSL_ERR_X509_INVALID_DATE +
661 POLARSSL_ERR_ASN1_UNEXPECTED_TAG );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]662}
663
664int x509_get_sig( unsigned char **p, const unsigned char *end, x509_buf *sig )
665{
666 int ret;
667 size_t len;
Andres AG67ae0b92016-09-19 16:58:45 +0100[diff] [blame]668 int tag_type;
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]669
670 if( ( end - *p ) < 1 )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]671 return( POLARSSL_ERR_X509_INVALID_SIGNATURE +
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]672 POLARSSL_ERR_ASN1_OUT_OF_DATA );
673
Andres AG67ae0b92016-09-19 16:58:45 +0100[diff] [blame]674 tag_type = **p;
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]675
676 if( ( ret = asn1_get_bitstring_null( p, end, &len ) ) != 0 )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]677 return( POLARSSL_ERR_X509_INVALID_SIGNATURE + ret );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]678
Andres AG67ae0b92016-09-19 16:58:45 +0100[diff] [blame]679 sig->tag = tag_type;
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]680 sig->len = len;
681 sig->p = *p;
682
683 *p += len;
684
685 return( 0 );
686}
687
Manuel Pégourié-Gonnardcf975a32014-01-24 19:28:43 +0100[diff] [blame]688/*
689 * Get signature algorithm from alg OID and optional parameters
690 */
691int x509_get_sig_alg( const x509_buf *sig_oid, const x509_buf *sig_params,
Manuel Pégourié-Gonnardf75f2f72014-06-05 15:14:28 +0200[diff] [blame]692 md_type_t *md_alg, pk_type_t *pk_alg,
693 void **sig_opts )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]694{
Manuel Pégourié-Gonnardcf975a32014-01-24 19:28:43 +0100[diff] [blame]695 int ret;
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]696
Manuel Pégourié-Gonnardf75f2f72014-06-05 15:14:28 +0200[diff] [blame]697 if( *sig_opts != NULL )
698 return( POLARSSL_ERR_X509_BAD_INPUT_DATA );
699
Manuel Pégourié-Gonnardcf975a32014-01-24 19:28:43 +0100[diff] [blame]700 if( ( ret = oid_get_sig_alg( sig_oid, md_alg, pk_alg ) ) != 0 )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]701 return( POLARSSL_ERR_X509_UNKNOWN_SIG_ALG + ret );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]702
Manuel Pégourié-Gonnardd1539b12014-06-06 16:42:37 +0200[diff] [blame]703#if defined(POLARSSL_X509_RSASSA_PSS_SUPPORT)
Manuel Pégourié-Gonnardcf975a32014-01-24 19:28:43 +0100[diff] [blame]704 if( *pk_alg == POLARSSL_PK_RSASSA_PSS )
705 {
Manuel Pégourié-Gonnardf75f2f72014-06-05 15:14:28 +0200[diff] [blame]706 pk_rsassa_pss_options *pss_opts;
Manuel Pégourié-Gonnardcf975a32014-01-24 19:28:43 +0100[diff] [blame]707
Manuel Pégourié-Gonnardf75f2f72014-06-05 15:14:28 +0200[diff] [blame]708 pss_opts = polarssl_malloc( sizeof( pk_rsassa_pss_options ) );
709 if( pss_opts == NULL )
710 return( POLARSSL_ERR_X509_MALLOC_FAILED );
711
Manuel Pégourié-Gonnardcf975a32014-01-24 19:28:43 +0100[diff] [blame]712 ret = x509_get_rsassa_pss_params( sig_params,
Manuel Pégourié-Gonnardf75f2f72014-06-05 15:14:28 +0200[diff] [blame]713 md_alg,
714 &pss_opts->mgf1_hash_id,
715 &pss_opts->expected_salt_len );
Manuel Pégourié-Gonnardcf975a32014-01-24 19:28:43 +0100[diff] [blame]716 if( ret != 0 )
Manuel Pégourié-Gonnardf75f2f72014-06-05 15:14:28 +0200[diff] [blame]717 {
718 polarssl_free( pss_opts );
Manuel Pégourié-Gonnardcf975a32014-01-24 19:28:43 +0100[diff] [blame]719 return( ret );
Manuel Pégourié-Gonnardf75f2f72014-06-05 15:14:28 +0200[diff] [blame]720 }
Manuel Pégourié-Gonnardcf975a32014-01-24 19:28:43 +0100[diff] [blame]721
Manuel Pégourié-Gonnardf75f2f72014-06-05 15:14:28 +0200[diff] [blame]722 *sig_opts = (void *) pss_opts;
Manuel Pégourié-Gonnardcf975a32014-01-24 19:28:43 +0100[diff] [blame]723 }
724 else
Paul Bakkerdb20c102014-06-17 14:34:44 +0200[diff] [blame]725#endif /* POLARSSL_X509_RSASSA_PSS_SUPPORT */
Manuel Pégourié-Gonnardcf975a32014-01-24 19:28:43 +0100[diff] [blame]726 {
727 /* Make sure parameters are absent or NULL */
728 if( ( sig_params->tag != ASN1_NULL && sig_params->tag != 0 ) ||
729 sig_params->len != 0 )
730 return( POLARSSL_ERR_X509_INVALID_ALG );
731 }
732
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]733 return( 0 );
734}
735
736/*
737 * X.509 Extensions (No parsing of extensions, pointer should
738 * be either manually updated or extensions should be parsed!
739 */
740int x509_get_ext( unsigned char **p, const unsigned char *end,
741 x509_buf *ext, int tag )
742{
743 int ret;
744 size_t len;
745
746 if( *p == end )
747 return( 0 );
748
749 ext->tag = **p;
750
751 if( ( ret = asn1_get_tag( p, end, &ext->len,
752 ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | tag ) ) != 0 )
753 return( ret );
754
755 ext->p = *p;
756 end = *p + ext->len;
757
758 /*
759 * Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
760 *
761 * Extension ::= SEQUENCE {
762 * extnID OBJECT IDENTIFIER,
763 * critical BOOLEAN DEFAULT FALSE,
764 * extnValue OCTET STRING }
765 */
766 if( ( ret = asn1_get_tag( p, end, &len,
767 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]768 return( POLARSSL_ERR_X509_INVALID_EXTENSIONS + ret );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]769
770 if( end != *p + len )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]771 return( POLARSSL_ERR_X509_INVALID_EXTENSIONS +
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]772 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
773
774 return( 0 );
775}
776
Paul Bakker6edcd412013-10-29 15:22:54 +0100[diff] [blame]777#if defined(_MSC_VER) && !defined snprintf && !defined(EFIX64) && \
778 !defined(EFI32)
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]779#include <stdarg.h>
780
781#if !defined vsnprintf
782#define vsnprintf _vsnprintf
783#endif // vsnprintf
784
785/*
786 * Windows _snprintf and _vsnprintf are not compatible to linux versions.
787 * Result value is not size of buffer needed, but -1 if no fit is possible.
788 *
789 * This fuction tries to 'fix' this by at least suggesting enlarging the
790 * size by 20.
791 */
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]792static int compat_snprintf( char *str, size_t size, const char *format, ... )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]793{
794 va_list ap;
795 int res = -1;
796
797 va_start( ap, format );
798
799 res = vsnprintf( str, size, format, ap );
800
801 va_end( ap );
802
803 // No quick fix possible
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]804 if( res < 0 )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]805 return( (int) size + 20 );
806
Paul Bakkerd8bb8262014-06-17 14:06:49 +0200[diff] [blame]807 return( res );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]808}
809
810#define snprintf compat_snprintf
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]811#endif /* _MSC_VER && !snprintf && !EFIX64 && !EFI32 */
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]812
813#define POLARSSL_ERR_DEBUG_BUF_TOO_SMALL -2
814
Paul Bakkerd8bb8262014-06-17 14:06:49 +0200[diff] [blame]815#define SAFE_SNPRINTF() \
816{ \
817 if( ret == -1 ) \
818 return( -1 ); \
819 \
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]820 if( (unsigned int) ret > n ) { \
Paul Bakkerd8bb8262014-06-17 14:06:49 +0200[diff] [blame]821 p[n - 1] = '\0'; \
822 return( POLARSSL_ERR_DEBUG_BUF_TOO_SMALL ); \
823 } \
824 \
825 n -= (unsigned int) ret; \
826 p += (unsigned int) ret; \
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]827}
828
829/*
830 * Store the name in printable form into buf; no more
831 * than size characters will be written
832 */
Paul Bakker86d0c192013-09-18 11:11:02 +0200[diff] [blame]833int x509_dn_gets( char *buf, size_t size, const x509_name *dn )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]834{
835 int ret;
836 size_t i, n;
Manuel Pégourié-Gonnard555fbf82015-02-04 17:11:55 +0000[diff] [blame]837 unsigned char c, merge = 0;
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]838 const x509_name *name;
839 const char *short_name = NULL;
Paul Bakker8dcb2d72014-08-08 12:22:30 +0200[diff] [blame]840 char s[X509_MAX_DN_NAME_SIZE], *p;
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]841
842 memset( s, 0, sizeof( s ) );
843
844 name = dn;
845 p = buf;
846 n = size;
847
848 while( name != NULL )
849 {
850 if( !name->oid.p )
851 {
852 name = name->next;
853 continue;
854 }
855
856 if( name != dn )
857 {
Rich Evansfac657f2015-01-30 11:00:01 +0000[diff] [blame]858 ret = polarssl_snprintf( p, n, merge ? " + " : ", " );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]859 SAFE_SNPRINTF();
860 }
861
862 ret = oid_get_attr_short_name( &name->oid, &short_name );
863
864 if( ret == 0 )
Rich Evansfac657f2015-01-30 11:00:01 +0000[diff] [blame]865 ret = polarssl_snprintf( p, n, "%s=", short_name );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]866 else
Rich Evansfac657f2015-01-30 11:00:01 +0000[diff] [blame]867 ret = polarssl_snprintf( p, n, "\?\?=" );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]868 SAFE_SNPRINTF();
869
870 for( i = 0; i < name->val.len; i++ )
871 {
872 if( i >= sizeof( s ) - 1 )
873 break;
874
875 c = name->val.p[i];
876 if( c < 32 || c == 127 || ( c > 128 && c < 160 ) )
877 s[i] = '?';
878 else s[i] = c;
879 }
880 s[i] = '\0';
Rich Evansfac657f2015-01-30 11:00:01 +0000[diff] [blame]881 ret = polarssl_snprintf( p, n, "%s", s );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]882 SAFE_SNPRINTF();
Manuel Pégourié-Gonnard555fbf82015-02-04 17:11:55 +0000[diff] [blame]883
884 merge = name->next_merged;
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]885 name = name->next;
886 }
887
888 return( (int) ( size - n ) );
889}
890
891/*
892 * Store the serial in printable form into buf; no more
893 * than size characters will be written
894 */
Paul Bakker86d0c192013-09-18 11:11:02 +0200[diff] [blame]895int x509_serial_gets( char *buf, size_t size, const x509_buf *serial )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]896{
897 int ret;
898 size_t i, n, nr;
899 char *p;
900
901 p = buf;
902 n = size;
903
904 nr = ( serial->len <= 32 )
905 ? serial->len : 28;
906
907 for( i = 0; i < nr; i++ )
908 {
909 if( i == 0 && nr > 1 && serial->p[i] == 0x0 )
910 continue;
911
Rich Evansfac657f2015-01-30 11:00:01 +0000[diff] [blame]912 ret = polarssl_snprintf( p, n, "%02X%s",
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]913 serial->p[i], ( i < nr - 1 ) ? ":" : "" );
914 SAFE_SNPRINTF();
915 }
916
917 if( nr != serial->len )
918 {
Rich Evansfac657f2015-01-30 11:00:01 +0000[diff] [blame]919 ret = polarssl_snprintf( p, n, "...." );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]920 SAFE_SNPRINTF();
921 }
922
923 return( (int) ( size - n ) );
924}
925
926/*
Manuel Pégourié-Gonnard91136032014-06-05 15:41:39 +0200[diff] [blame]927 * Helper for writing signature algorithms
Manuel Pégourié-Gonnardcac31ee2014-01-25 11:50:59 +0100[diff] [blame]928 */
929int x509_sig_alg_gets( char *buf, size_t size, const x509_buf *sig_oid,
Manuel Pégourié-Gonnard91136032014-06-05 15:41:39 +0200[diff] [blame]930 pk_type_t pk_alg, md_type_t md_alg,
931 const void *sig_opts )
Manuel Pégourié-Gonnardcac31ee2014-01-25 11:50:59 +0100[diff] [blame]932{
933 int ret;
934 char *p = buf;
935 size_t n = size;
936 const char *desc = NULL;
937
938 ret = oid_get_sig_alg_desc( sig_oid, &desc );
939 if( ret != 0 )
Rich Evansfac657f2015-01-30 11:00:01 +0000[diff] [blame]940 ret = polarssl_snprintf( p, n, "???" );
Manuel Pégourié-Gonnardcac31ee2014-01-25 11:50:59 +0100[diff] [blame]941 else
Rich Evansfac657f2015-01-30 11:00:01 +0000[diff] [blame]942 ret = polarssl_snprintf( p, n, "%s", desc );
Manuel Pégourié-Gonnardcac31ee2014-01-25 11:50:59 +0100[diff] [blame]943 SAFE_SNPRINTF();
944
Manuel Pégourié-Gonnardd1539b12014-06-06 16:42:37 +0200[diff] [blame]945#if defined(POLARSSL_X509_RSASSA_PSS_SUPPORT)
Manuel Pégourié-Gonnardcac31ee2014-01-25 11:50:59 +0100[diff] [blame]946 if( pk_alg == POLARSSL_PK_RSASSA_PSS )
947 {
Manuel Pégourié-Gonnard91136032014-06-05 15:41:39 +0200[diff] [blame]948 const pk_rsassa_pss_options *pss_opts;
Manuel Pégourié-Gonnardcac31ee2014-01-25 11:50:59 +0100[diff] [blame]949 const md_info_t *md_info, *mgf_md_info;
Manuel Pégourié-Gonnardcac31ee2014-01-25 11:50:59 +0100[diff] [blame]950
Manuel Pégourié-Gonnard91136032014-06-05 15:41:39 +0200[diff] [blame]951 pss_opts = (const pk_rsassa_pss_options *) sig_opts;
Manuel Pégourié-Gonnardcac31ee2014-01-25 11:50:59 +0100[diff] [blame]952
953 md_info = md_info_from_type( md_alg );
Manuel Pégourié-Gonnard91136032014-06-05 15:41:39 +0200[diff] [blame]954 mgf_md_info = md_info_from_type( pss_opts->mgf1_hash_id );
Manuel Pégourié-Gonnardcac31ee2014-01-25 11:50:59 +0100[diff] [blame]955
Rich Evansfac657f2015-01-30 11:00:01 +0000[diff] [blame]956 ret = polarssl_snprintf( p, n, " (%s, MGF1-%s, 0x%02X)",
Manuel Pégourié-Gonnardcac31ee2014-01-25 11:50:59 +0100[diff] [blame]957 md_info ? md_info->name : "???",
958 mgf_md_info ? mgf_md_info->name : "???",
Manuel Pégourié-Gonnard91136032014-06-05 15:41:39 +0200[diff] [blame]959 pss_opts->expected_salt_len );
Manuel Pégourié-Gonnardcac31ee2014-01-25 11:50:59 +0100[diff] [blame]960 SAFE_SNPRINTF();
961 }
962#else
963 ((void) pk_alg);
Manuel Pégourié-Gonnard91136032014-06-05 15:41:39 +0200[diff] [blame]964 ((void) md_alg);
965 ((void) sig_opts);
Manuel Pégourié-Gonnardd1539b12014-06-06 16:42:37 +0200[diff] [blame]966#endif /* POLARSSL_X509_RSASSA_PSS_SUPPORT */
Manuel Pégourié-Gonnardcac31ee2014-01-25 11:50:59 +0100[diff] [blame]967
Sander Niemeijeref5087d2014-08-16 12:45:52 +0200[diff] [blame]968 return( (int)( size - n ) );
Manuel Pégourié-Gonnardcac31ee2014-01-25 11:50:59 +0100[diff] [blame]969}
970
971/*
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]972 * Helper for writing "RSA key size", "EC key size", etc
973 */
974int x509_key_size_helper( char *buf, size_t size, const char *name )
975{
976 char *p = buf;
977 size_t n = size;
978 int ret;
979
980 if( strlen( name ) + sizeof( " key size" ) > size )
Paul Bakkerd8bb8262014-06-17 14:06:49 +0200[diff] [blame]981 return( POLARSSL_ERR_DEBUG_BUF_TOO_SMALL );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]982
Rich Evansfac657f2015-01-30 11:00:01 +0000[diff] [blame]983 ret = polarssl_snprintf( p, n, "%s key size", name );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]984 SAFE_SNPRINTF();
985
986 return( 0 );
987}
988
989/*
990 * Return an informational string describing the given OID
991 */
Manuel Pégourié-Gonnardc70581c2015-03-23 13:58:27 +0100[diff] [blame]992#if ! defined(POLARSSL_DEPRECATED_REMOVED)
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]993const char *x509_oid_get_description( x509_buf *oid )
994{
995 const char *desc = NULL;
996 int ret;
997
998 ret = oid_get_extended_key_usage( oid, &desc );
999
1000 if( ret != 0 )
1001 return( NULL );
1002
1003 return( desc );
1004}
Manuel Pégourié-Gonnardc70581c2015-03-23 13:58:27 +0100[diff] [blame]1005#endif
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]1006
1007/* Return the x.y.z.... style numeric string for the given OID */
Manuel Pégourié-Gonnardc70581c2015-03-23 13:58:27 +0100[diff] [blame]1008#if ! defined(POLARSSL_DEPRECATED_REMOVED)
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]1009int x509_oid_get_numeric_string( char *buf, size_t size, x509_buf *oid )
1010{
1011 return oid_get_numeric_string( buf, size, oid );
1012}
Manuel Pégourié-Gonnardc70581c2015-03-23 13:58:27 +0100[diff] [blame]1013#endif
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]1014
1015/*
1016 * Return 0 if the x509_time is still valid, or 1 otherwise.
1017 */
1018#if defined(POLARSSL_HAVE_TIME)
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]1019
Manuel Pégourié-Gonnard6304f782014-03-10 12:26:11 +0100[diff] [blame]1020static void x509_get_current_time( x509_time *now )
1021{
Paul Bakkerfa6a6202013-10-28 18:48:30 +0100[diff] [blame]1022#if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]1023 SYSTEMTIME st;
1024
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1025 GetSystemTime( &st );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]1026
Manuel Pégourié-Gonnard6304f782014-03-10 12:26:11 +0100[diff] [blame]1027 now->year = st.wYear;
1028 now->mon = st.wMonth;
1029 now->day = st.wDay;
1030 now->hour = st.wHour;
1031 now->min = st.wMinute;
1032 now->sec = st.wSecond;
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]1033#else
Paul Bakker5fff23b2014-03-26 15:34:54 +0100[diff] [blame]1034 struct tm lt;
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]1035 time_t tt;
1036
1037 tt = time( NULL );
Manuel Pégourié-Gonnard0776a432014-04-11 12:25:45 +0200[diff] [blame]1038 gmtime_r( &tt, &lt );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]1039
Paul Bakker5fff23b2014-03-26 15:34:54 +0100[diff] [blame]1040 now->year = lt.tm_year + 1900;
1041 now->mon = lt.tm_mon + 1;
1042 now->day = lt.tm_mday;
1043 now->hour = lt.tm_hour;
1044 now->min = lt.tm_min;
1045 now->sec = lt.tm_sec;
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]1046#endif /* _WIN32 && !EFIX64 && !EFI32 */
Manuel Pégourié-Gonnard6304f782014-03-10 12:26:11 +0100[diff] [blame]1047}
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]1048
Manuel Pégourié-Gonnard6304f782014-03-10 12:26:11 +0100[diff] [blame]1049/*
1050 * Return 0 if before <= after, 1 otherwise
1051 */
1052static int x509_check_time( const x509_time *before, const x509_time *after )
1053{
1054 if( before->year > after->year )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]1055 return( 1 );
1056
Manuel Pégourié-Gonnard6304f782014-03-10 12:26:11 +0100[diff] [blame]1057 if( before->year == after->year &&
1058 before->mon > after->mon )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]1059 return( 1 );
1060
Manuel Pégourié-Gonnard6304f782014-03-10 12:26:11 +0100[diff] [blame]1061 if( before->year == after->year &&
1062 before->mon == after->mon &&
1063 before->day > after->day )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]1064 return( 1 );
1065
Manuel Pégourié-Gonnard6304f782014-03-10 12:26:11 +0100[diff] [blame]1066 if( before->year == after->year &&
1067 before->mon == after->mon &&
1068 before->day == after->day &&
1069 before->hour > after->hour )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]1070 return( 1 );
1071
Manuel Pégourié-Gonnard6304f782014-03-10 12:26:11 +0100[diff] [blame]1072 if( before->year == after->year &&
1073 before->mon == after->mon &&
1074 before->day == after->day &&
1075 before->hour == after->hour &&
1076 before->min > after->min )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]1077 return( 1 );
1078
Manuel Pégourié-Gonnard6304f782014-03-10 12:26:11 +0100[diff] [blame]1079 if( before->year == after->year &&
1080 before->mon == after->mon &&
1081 before->day == after->day &&
1082 before->hour == after->hour &&
1083 before->min == after->min &&
1084 before->sec > after->sec )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]1085 return( 1 );
1086
1087 return( 0 );
1088}
Manuel Pégourié-Gonnard6304f782014-03-10 12:26:11 +0100[diff] [blame]1089
1090int x509_time_expired( const x509_time *to )
1091{
1092 x509_time now;
1093
1094 x509_get_current_time( &now );
1095
1096 return( x509_check_time( &now, to ) );
1097}
1098
1099int x509_time_future( const x509_time *from )
1100{
1101 x509_time now;
1102
1103 x509_get_current_time( &now );
1104
1105 return( x509_check_time( from, &now ) );
1106}
1107
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]1108#else /* POLARSSL_HAVE_TIME */
Manuel Pégourié-Gonnard6304f782014-03-10 12:26:11 +0100[diff] [blame]1109
Paul Bakker86d0c192013-09-18 11:11:02 +0200[diff] [blame]1110int x509_time_expired( const x509_time *to )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]1111{
1112 ((void) to);
1113 return( 0 );
1114}
Manuel Pégourié-Gonnard6304f782014-03-10 12:26:11 +0100[diff] [blame]1115
1116int x509_time_future( const x509_time *from )
1117{
1118 ((void) from);
1119 return( 0 );
1120}
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]1121#endif /* POLARSSL_HAVE_TIME */
1122
Paul Bakkere9e6ae32013-09-16 22:53:25 +0200[diff] [blame]1123#if defined(POLARSSL_SELF_TEST)
1124
1125#include "polarssl/x509_crt.h"
1126#include "polarssl/certs.h"
1127
1128/*
1129 * Checkup routine
1130 */
1131int x509_self_test( int verbose )
1132{
Manuel Pégourié-Gonnard3d413702014-04-29 15:29:41 +0200[diff] [blame]1133#if defined(POLARSSL_CERTS_C) && defined(POLARSSL_SHA1_C)
Paul Bakkere9e6ae32013-09-16 22:53:25 +0200[diff] [blame]1134 int ret;
1135 int flags;
Paul Bakkerc559c7a2013-09-18 14:13:26 +0200[diff] [blame]1136 x509_crt cacert;
1137 x509_crt clicert;
Paul Bakkere9e6ae32013-09-16 22:53:25 +0200[diff] [blame]1138
1139 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1140 polarssl_printf( " X.509 certificate load: " );
Paul Bakkere9e6ae32013-09-16 22:53:25 +0200[diff] [blame]1141
Paul Bakkerb6b09562013-09-18 14:17:41 +0200[diff] [blame]1142 x509_crt_init( &clicert );
Paul Bakkere9e6ae32013-09-16 22:53:25 +0200[diff] [blame]1143
Paul Bakkerddf26b42013-09-18 13:46:23 +0200[diff] [blame]1144 ret = x509_crt_parse( &clicert, (const unsigned char *) test_cli_crt,
1145 strlen( test_cli_crt ) );
Paul Bakkere9e6ae32013-09-16 22:53:25 +0200[diff] [blame]1146 if( ret != 0 )
1147 {
1148 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1149 polarssl_printf( "failed\n" );
Paul Bakkere9e6ae32013-09-16 22:53:25 +0200[diff] [blame]1150
1151 return( ret );
1152 }
1153
Paul Bakkerb6b09562013-09-18 14:17:41 +0200[diff] [blame]1154 x509_crt_init( &cacert );
Paul Bakkere9e6ae32013-09-16 22:53:25 +0200[diff] [blame]1155
Paul Bakkerddf26b42013-09-18 13:46:23 +0200[diff] [blame]1156 ret = x509_crt_parse( &cacert, (const unsigned char *) test_ca_crt,
1157 strlen( test_ca_crt ) );
Paul Bakkere9e6ae32013-09-16 22:53:25 +0200[diff] [blame]1158 if( ret != 0 )
1159 {
1160 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1161 polarssl_printf( "failed\n" );
Paul Bakkere9e6ae32013-09-16 22:53:25 +0200[diff] [blame]1162
1163 return( ret );
1164 }
1165
1166 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1167 polarssl_printf( "passed\n X.509 signature verify: ");
Paul Bakkere9e6ae32013-09-16 22:53:25 +0200[diff] [blame]1168
Paul Bakkerddf26b42013-09-18 13:46:23 +0200[diff] [blame]1169 ret = x509_crt_verify( &clicert, &cacert, NULL, NULL, &flags, NULL, NULL );
Paul Bakkere9e6ae32013-09-16 22:53:25 +0200[diff] [blame]1170 if( ret != 0 )
1171 {
1172 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1173 polarssl_printf( "failed\n" );
Paul Bakkere9e6ae32013-09-16 22:53:25 +0200[diff] [blame]1174
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1175 polarssl_printf( "ret = %d, &flags = %04x\n", ret, flags );
Paul Bakkere9e6ae32013-09-16 22:53:25 +0200[diff] [blame]1176
1177 return( ret );
1178 }
1179
1180 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1181 polarssl_printf( "passed\n\n");
Paul Bakkere9e6ae32013-09-16 22:53:25 +0200[diff] [blame]1182
1183 x509_crt_free( &cacert );
1184 x509_crt_free( &clicert );
1185
1186 return( 0 );
1187#else
1188 ((void) verbose);
1189 return( POLARSSL_ERR_X509_FEATURE_UNAVAILABLE );
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]1190#endif /* POLARSSL_CERTS_C && POLARSSL_SHA1_C */
Paul Bakkere9e6ae32013-09-16 22:53:25 +0200[diff] [blame]1191}
1192
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]1193#endif /* POLARSSL_SELF_TEST */
Paul Bakkere9e6ae32013-09-16 22:53:25 +0200[diff] [blame]1194
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]1195#endif /* POLARSSL_X509_USE_C */