TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / e76b750b691988447a844fe5d589559bd2019102 / . / library / x509.c
blob: acdb0bc2b500f8dd74bbbcb3e674e0c7258dd780 [file] [log] [blame]
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]1/*
2 * X.509 certificate and private key decoding
3 *
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]4 * Copyright (C) 2006-2014, Brainspark B.V.
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]5 *
6 * This file is part of PolarSSL (http://www.polarssl.org)
7 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
8 *
9 * All rights reserved.
10 *
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25/*
26 * The ITU-T X.509 standard defines a certificate format for PKI.
27 *
28 * http://www.ietf.org/rfc/rfc3279.txt
29 * http://www.ietf.org/rfc/rfc3280.txt
30 *
31 * ftp://ftp.rsasecurity.com/pub/pkcs/ascii/pkcs-1v2.asc
32 *
33 * http://www.itu.int/ITU-T/studygroups/com17/languages/X.680-0207.pdf
34 * http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf
35 */
36
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]37#if !defined(POLARSSL_CONFIG_FILE)
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]38#include "polarssl/config.h"
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]39#else
40#include POLARSSL_CONFIG_FILE
41#endif
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]42
43#if defined(POLARSSL_X509_USE_C)
44
45#include "polarssl/x509.h"
46#include "polarssl/asn1.h"
47#include "polarssl/oid.h"
48#if defined(POLARSSL_PEM_PARSE_C)
49#include "polarssl/pem.h"
50#endif
51
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]52#if defined(POLARSSL_PLATFORM_C)
53#include "polarssl/platform.h"
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]54#else
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]55#define polarssl_printf printf
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]56#define polarssl_malloc malloc
57#define polarssl_free free
58#endif
59
60#include <string.h>
61#include <stdlib.h>
Paul Bakkerfa6a6202013-10-28 18:48:30 +0100[diff] [blame]62#if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]63#include <windows.h>
64#else
65#include <time.h>
66#endif
67
Paul Bakkerfa6a6202013-10-28 18:48:30 +0100[diff] [blame]68#if defined(EFIX64) || defined(EFI32)
69#include <stdio.h>
70#endif
71
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]72#if defined(POLARSSL_FS_IO)
73#include <stdio.h>
74#if !defined(_WIN32)
75#include <sys/types.h>
76#include <sys/stat.h>
77#include <dirent.h>
78#endif
79#endif
80
81/*
82 * CertificateSerialNumber ::= INTEGER
83 */
84int x509_get_serial( unsigned char **p, const unsigned char *end,
85 x509_buf *serial )
86{
87 int ret;
88
89 if( ( end - *p ) < 1 )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]90 return( POLARSSL_ERR_X509_INVALID_SERIAL +
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]91 POLARSSL_ERR_ASN1_OUT_OF_DATA );
92
93 if( **p != ( ASN1_CONTEXT_SPECIFIC | ASN1_PRIMITIVE | 2 ) &&
94 **p != ASN1_INTEGER )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]95 return( POLARSSL_ERR_X509_INVALID_SERIAL +
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]96 POLARSSL_ERR_ASN1_UNEXPECTED_TAG );
97
98 serial->tag = *(*p)++;
99
100 if( ( ret = asn1_get_len( p, end, &serial->len ) ) != 0 )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]101 return( POLARSSL_ERR_X509_INVALID_SERIAL + ret );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]102
103 serial->p = *p;
104 *p += serial->len;
105
106 return( 0 );
107}
108
109/* Get an algorithm identifier without parameters (eg for signatures)
110 *
111 * AlgorithmIdentifier ::= SEQUENCE {
112 * algorithm OBJECT IDENTIFIER,
113 * parameters ANY DEFINED BY algorithm OPTIONAL }
114 */
115int x509_get_alg_null( unsigned char **p, const unsigned char *end,
116 x509_buf *alg )
117{
118 int ret;
119
120 if( ( ret = asn1_get_alg_null( p, end, alg ) ) != 0 )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]121 return( POLARSSL_ERR_X509_INVALID_ALG + ret );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]122
123 return( 0 );
124}
125
126/*
Manuel Pégourié-Gonnard59a75d52014-01-22 10:12:57 +0100[diff] [blame]127 * Parse an algorithm identifier with (optional) paramaters
128 */
129int x509_get_alg( unsigned char **p, const unsigned char *end,
130 x509_buf *alg, x509_buf *params )
131{
132 int ret;
133
134 if( ( ret = asn1_get_alg( p, end, alg, params ) ) != 0 )
135 return( POLARSSL_ERR_X509_INVALID_ALG + ret );
136
137 return( 0 );
138}
139
140/*
Manuel Pégourié-Gonnarde76b7502014-01-23 19:15:29 +0100[diff] [blame^]141 * HashAlgorithm ::= AlgorithmIdentifier
142 *
143 * AlgorithmIdentifier ::= SEQUENCE {
144 * algorithm OBJECT IDENTIFIER,
145 * parameters ANY DEFINED BY algorithm OPTIONAL }
146 *
147 * For HashAlgorithm, parameters MUST be NULL or absent.
148 */
149static int x509_get_hash_alg( const x509_buf *alg, md_type_t *md_alg )
150{
151 int ret;
152 unsigned char *p;
153 const unsigned char *end;
154 x509_buf md_oid;
155 size_t len;
156
157 /* Make sure we got a SEQUENCE and setup bounds */
158 if( alg->tag != ( ASN1_CONSTRUCTED | ASN1_SEQUENCE ) )
159 return( POLARSSL_ERR_X509_INVALID_ALG +
160 POLARSSL_ERR_ASN1_UNEXPECTED_TAG );
161
162 p = (unsigned char *) alg->p;
163 end = p + alg->len;
164
165 if( p >= end )
166 return( POLARSSL_ERR_X509_INVALID_ALG +
167 POLARSSL_ERR_ASN1_OUT_OF_DATA );
168
169 /* Parse md_oid */
170 md_oid.tag = *p;
171
172 if( ( ret = asn1_get_tag( &p, end, &md_oid.len, ASN1_OID ) ) != 0 )
173 return( POLARSSL_ERR_X509_INVALID_ALG + ret );
174
175 md_oid.p = p;
176 p += md_oid.len;
177
178 /* Get md_alg from md_oid */
179 if( ( ret = oid_get_md_alg( &md_oid, md_alg ) ) != 0 )
180 return( POLARSSL_ERR_X509_INVALID_ALG + ret );
181
182 /* Make sure params is absent of NULL */
183 if( p == end )
184 return( 0 );
185
186 if( ( ret = asn1_get_tag( &p, end, &len, ASN1_NULL ) ) != 0 )
187 return( POLARSSL_ERR_X509_INVALID_ALG + ret );
188
189 if( p != end )
190 return( POLARSSL_ERR_X509_INVALID_ALG +
191 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
192
193 return( 0 );
194}
195
196/*
Manuel Pégourié-Gonnardf346bab2014-01-23 16:24:44 +0100[diff] [blame]197 * RSASSA-PSS-params ::= SEQUENCE {
198 * hashAlgorithm [0] HashAlgorithm DEFAULT sha1Identifier,
199 * maskGenAlgorithm [1] MaskGenAlgorithm DEFAULT mgf1SHA1Identifier,
200 * saltLength [2] INTEGER DEFAULT 20,
201 * trailerField [3] INTEGER DEFAULT 1 }
202 * -- Note that the tags in this Sequence are explicit.
203 */
204int x509_get_rsassa_pss_params( const x509_buf *params,
Manuel Pégourié-Gonnarde76b7502014-01-23 19:15:29 +0100[diff] [blame^]205 md_type_t *md_alg, md_type_t *mgf_md,
206 int *salt_len, int *trailer_field )
Manuel Pégourié-Gonnardf346bab2014-01-23 16:24:44 +0100[diff] [blame]207{
208 int ret;
209 unsigned char *p;
210 const unsigned char *end;
211 size_t len;
Manuel Pégourié-Gonnarde76b7502014-01-23 19:15:29 +0100[diff] [blame^]212 x509_buf alg_id, alg_params;
Manuel Pégourié-Gonnardf346bab2014-01-23 16:24:44 +0100[diff] [blame]213
214 /* First set everything to defaults */
215 *md_alg = POLARSSL_MD_SHA1;
Manuel Pégourié-Gonnarde76b7502014-01-23 19:15:29 +0100[diff] [blame^]216 *mgf_md = POLARSSL_MD_SHA1;
Manuel Pégourié-Gonnardf346bab2014-01-23 16:24:44 +0100[diff] [blame]217 *salt_len = 20;
218 *trailer_field = 1;
219
220 /* Make sure params is a SEQUENCE and setup bounds */
221 if( params->tag != ( ASN1_CONSTRUCTED | ASN1_SEQUENCE ) )
222 return( POLARSSL_ERR_X509_INVALID_ALG +
223 POLARSSL_ERR_ASN1_UNEXPECTED_TAG );
224
225 p = (unsigned char *) params->p;
226 end = p + params->len;
227
228 if( p == end )
229 return( 0 );
230
231 if( ( ret = asn1_get_tag( &p, end, &len,
232 ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 0 ) ) == 0 )
233 {
Manuel Pégourié-Gonnarde76b7502014-01-23 19:15:29 +0100[diff] [blame^]234 /* HashAlgorithm ::= AlgorithmIdentifier (without parameters) */
235 if( ( ret = x509_get_alg_null( &p, p + len, &alg_id ) ) != 0 )
236 return( ret );
237
238 if( ( ret = oid_get_md_alg( &alg_id, md_alg ) ) != 0 )
239 return( POLARSSL_ERR_X509_INVALID_ALG + ret );
Manuel Pégourié-Gonnardf346bab2014-01-23 16:24:44 +0100[diff] [blame]240 }
241 else if( ret != POLARSSL_ERR_ASN1_UNEXPECTED_TAG )
242 return( POLARSSL_ERR_X509_INVALID_ALG + ret );
243
244 if( ( ret = asn1_get_tag( &p, end, &len,
245 ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 1 ) ) == 0 )
246 {
Manuel Pégourié-Gonnarde76b7502014-01-23 19:15:29 +0100[diff] [blame^]247 /* MaskGenAlgorithm ::= AlgorithmIdentifier (params = HashAlgorithm) */
248 if( ( ret = x509_get_alg( &p, p + len, &alg_id, &alg_params ) ) != 0 )
249 return( ret );
250
251 /* Only MFG1 is recognised for now */
252 if( ! OID_CMP( OID_MGF1, &alg_id ) )
253 return( POLARSSL_ERR_X509_FEATURE_UNAVAILABLE +
254 POLARSSL_ERR_OID_NOT_FOUND );
255
256 /* Parse HashAlgorithm */
257 if( ( ret = x509_get_hash_alg( &alg_params, mgf_md ) ) != 0 )
258 return( ret );
Manuel Pégourié-Gonnardf346bab2014-01-23 16:24:44 +0100[diff] [blame]259 }
260 else if( ret != POLARSSL_ERR_ASN1_UNEXPECTED_TAG )
261 return( POLARSSL_ERR_X509_INVALID_ALG + ret );
262
263 if( p == end )
264 return( 0 );
265
266 if( ( ret = asn1_get_tag( &p, end, &len,
267 ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 2 ) ) == 0 )
268 {
269 /* salt_len */
270 if( ( ret = asn1_get_int( &p, p + len, salt_len ) ) != 0 )
271 return( POLARSSL_ERR_X509_INVALID_ALG + ret );
272 }
273 else if( ret != POLARSSL_ERR_ASN1_UNEXPECTED_TAG )
274 return( POLARSSL_ERR_X509_INVALID_ALG + ret );
275
276 if( p == end )
277 return( 0 );
278
279 if( ( ret = asn1_get_tag( &p, end, &len,
280 ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 3 ) ) == 0 )
281 {
282 /* trailer_field */
283 if( ( ret = asn1_get_int( &p, p + len, trailer_field ) ) != 0 )
284 return( POLARSSL_ERR_X509_INVALID_ALG + ret );
285 }
286 else if( ret != POLARSSL_ERR_ASN1_UNEXPECTED_TAG )
287 return( POLARSSL_ERR_X509_INVALID_ALG + ret );
288
289 if( p != end )
290 return( POLARSSL_ERR_X509_INVALID_ALG +
291 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
292
293 return( 0 );
294}
295
296/*
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]297 * AttributeTypeAndValue ::= SEQUENCE {
298 * type AttributeType,
299 * value AttributeValue }
300 *
301 * AttributeType ::= OBJECT IDENTIFIER
302 *
303 * AttributeValue ::= ANY DEFINED BY AttributeType
304 */
305static int x509_get_attr_type_value( unsigned char **p,
306 const unsigned char *end,
307 x509_name *cur )
308{
309 int ret;
310 size_t len;
311 x509_buf *oid;
312 x509_buf *val;
313
314 if( ( ret = asn1_get_tag( p, end, &len,
315 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]316 return( POLARSSL_ERR_X509_INVALID_NAME + ret );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]317
318 if( ( end - *p ) < 1 )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]319 return( POLARSSL_ERR_X509_INVALID_NAME +
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]320 POLARSSL_ERR_ASN1_OUT_OF_DATA );
321
322 oid = &cur->oid;
323 oid->tag = **p;
324
325 if( ( ret = asn1_get_tag( p, end, &oid->len, ASN1_OID ) ) != 0 )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]326 return( POLARSSL_ERR_X509_INVALID_NAME + ret );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]327
328 oid->p = *p;
329 *p += oid->len;
330
331 if( ( end - *p ) < 1 )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]332 return( POLARSSL_ERR_X509_INVALID_NAME +
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]333 POLARSSL_ERR_ASN1_OUT_OF_DATA );
334
335 if( **p != ASN1_BMP_STRING && **p != ASN1_UTF8_STRING &&
336 **p != ASN1_T61_STRING && **p != ASN1_PRINTABLE_STRING &&
337 **p != ASN1_IA5_STRING && **p != ASN1_UNIVERSAL_STRING )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]338 return( POLARSSL_ERR_X509_INVALID_NAME +
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]339 POLARSSL_ERR_ASN1_UNEXPECTED_TAG );
340
341 val = &cur->val;
342 val->tag = *(*p)++;
343
344 if( ( ret = asn1_get_len( p, end, &val->len ) ) != 0 )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]345 return( POLARSSL_ERR_X509_INVALID_NAME + ret );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]346
347 val->p = *p;
348 *p += val->len;
349
350 cur->next = NULL;
351
352 return( 0 );
353}
354
355/*
356 * RelativeDistinguishedName ::=
357 * SET OF AttributeTypeAndValue
358 *
359 * AttributeTypeAndValue ::= SEQUENCE {
360 * type AttributeType,
361 * value AttributeValue }
362 *
363 * AttributeType ::= OBJECT IDENTIFIER
364 *
365 * AttributeValue ::= ANY DEFINED BY AttributeType
366 */
367int x509_get_name( unsigned char **p, const unsigned char *end,
368 x509_name *cur )
369{
370 int ret;
371 size_t len;
372 const unsigned char *end2;
373 x509_name *use;
374
375 if( ( ret = asn1_get_tag( p, end, &len,
376 ASN1_CONSTRUCTED | ASN1_SET ) ) != 0 )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]377 return( POLARSSL_ERR_X509_INVALID_NAME + ret );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]378
379 end2 = end;
380 end = *p + len;
381 use = cur;
382
383 do
384 {
385 if( ( ret = x509_get_attr_type_value( p, end, use ) ) != 0 )
386 return( ret );
387
388 if( *p != end )
389 {
390 use->next = (x509_name *) polarssl_malloc(
391 sizeof( x509_name ) );
392
393 if( use->next == NULL )
394 return( POLARSSL_ERR_X509_MALLOC_FAILED );
395
396 memset( use->next, 0, sizeof( x509_name ) );
397
398 use = use->next;
399 }
400 }
401 while( *p != end );
402
403 /*
404 * recurse until end of SEQUENCE is reached
405 */
406 if( *p == end2 )
407 return( 0 );
408
409 cur->next = (x509_name *) polarssl_malloc(
410 sizeof( x509_name ) );
411
412 if( cur->next == NULL )
413 return( POLARSSL_ERR_X509_MALLOC_FAILED );
414
415 memset( cur->next, 0, sizeof( x509_name ) );
416
417 return( x509_get_name( p, end2, cur->next ) );
418}
419
420/*
421 * Time ::= CHOICE {
422 * utcTime UTCTime,
423 * generalTime GeneralizedTime }
424 */
425int x509_get_time( unsigned char **p, const unsigned char *end,
426 x509_time *time )
427{
428 int ret;
429 size_t len;
430 char date[64];
431 unsigned char tag;
432
433 if( ( end - *p ) < 1 )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]434 return( POLARSSL_ERR_X509_INVALID_DATE +
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]435 POLARSSL_ERR_ASN1_OUT_OF_DATA );
436
437 tag = **p;
438
439 if ( tag == ASN1_UTC_TIME )
440 {
441 (*p)++;
442 ret = asn1_get_len( p, end, &len );
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]443
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]444 if( ret != 0 )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]445 return( POLARSSL_ERR_X509_INVALID_DATE + ret );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]446
447 memset( date, 0, sizeof( date ) );
448 memcpy( date, *p, ( len < sizeof( date ) - 1 ) ?
449 len : sizeof( date ) - 1 );
450
Manuel Pégourié-Gonnard9655e452014-04-11 12:29:49 +0200[diff] [blame]451 if( sscanf( date, "%2d%2d%2d%2d%2d%2dZ",
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]452 &time->year, &time->mon, &time->day,
453 &time->hour, &time->min, &time->sec ) < 5 )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]454 return( POLARSSL_ERR_X509_INVALID_DATE );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]455
456 time->year += 100 * ( time->year < 50 );
457 time->year += 1900;
458
459 *p += len;
460
461 return( 0 );
462 }
463 else if ( tag == ASN1_GENERALIZED_TIME )
464 {
465 (*p)++;
466 ret = asn1_get_len( p, end, &len );
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]467
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]468 if( ret != 0 )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]469 return( POLARSSL_ERR_X509_INVALID_DATE + ret );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]470
471 memset( date, 0, sizeof( date ) );
472 memcpy( date, *p, ( len < sizeof( date ) - 1 ) ?
473 len : sizeof( date ) - 1 );
474
Manuel Pégourié-Gonnard9655e452014-04-11 12:29:49 +0200[diff] [blame]475 if( sscanf( date, "%4d%2d%2d%2d%2d%2dZ",
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]476 &time->year, &time->mon, &time->day,
477 &time->hour, &time->min, &time->sec ) < 5 )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]478 return( POLARSSL_ERR_X509_INVALID_DATE );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]479
480 *p += len;
481
482 return( 0 );
483 }
484 else
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]485 return( POLARSSL_ERR_X509_INVALID_DATE +
486 POLARSSL_ERR_ASN1_UNEXPECTED_TAG );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]487}
488
489int x509_get_sig( unsigned char **p, const unsigned char *end, x509_buf *sig )
490{
491 int ret;
492 size_t len;
493
494 if( ( end - *p ) < 1 )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]495 return( POLARSSL_ERR_X509_INVALID_SIGNATURE +
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]496 POLARSSL_ERR_ASN1_OUT_OF_DATA );
497
498 sig->tag = **p;
499
500 if( ( ret = asn1_get_bitstring_null( p, end, &len ) ) != 0 )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]501 return( POLARSSL_ERR_X509_INVALID_SIGNATURE + ret );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]502
503 sig->len = len;
504 sig->p = *p;
505
506 *p += len;
507
508 return( 0 );
509}
510
Manuel Pégourié-Gonnardc9093082014-02-12 09:39:59 +0100[diff] [blame]511int x509_get_sig_alg( const x509_buf *sig_oid, md_type_t *md_alg,
512 pk_type_t *pk_alg )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]513{
Manuel Pégourié-Gonnardc9093082014-02-12 09:39:59 +0100[diff] [blame]514 int ret = oid_get_sig_alg( sig_oid, md_alg, pk_alg );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]515
Manuel Pégourié-Gonnardc9093082014-02-12 09:39:59 +0100[diff] [blame]516 if( ret != 0 )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]517 return( POLARSSL_ERR_X509_UNKNOWN_SIG_ALG + ret );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]518
519 return( 0 );
520}
521
522/*
523 * X.509 Extensions (No parsing of extensions, pointer should
524 * be either manually updated or extensions should be parsed!
525 */
526int x509_get_ext( unsigned char **p, const unsigned char *end,
527 x509_buf *ext, int tag )
528{
529 int ret;
530 size_t len;
531
532 if( *p == end )
533 return( 0 );
534
535 ext->tag = **p;
536
537 if( ( ret = asn1_get_tag( p, end, &ext->len,
538 ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | tag ) ) != 0 )
539 return( ret );
540
541 ext->p = *p;
542 end = *p + ext->len;
543
544 /*
545 * Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
546 *
547 * Extension ::= SEQUENCE {
548 * extnID OBJECT IDENTIFIER,
549 * critical BOOLEAN DEFAULT FALSE,
550 * extnValue OCTET STRING }
551 */
552 if( ( ret = asn1_get_tag( p, end, &len,
553 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]554 return( POLARSSL_ERR_X509_INVALID_EXTENSIONS + ret );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]555
556 if( end != *p + len )
Paul Bakker51876562013-09-17 14:36:05 +0200[diff] [blame]557 return( POLARSSL_ERR_X509_INVALID_EXTENSIONS +
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]558 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
559
560 return( 0 );
561}
562
563#if defined(POLARSSL_FS_IO)
564/*
565 * Load all data from a file into a given buffer.
566 */
567int x509_load_file( const char *path, unsigned char **buf, size_t *n )
568{
569 FILE *f;
570 long size;
571
572 if( ( f = fopen( path, "rb" ) ) == NULL )
573 return( POLARSSL_ERR_X509_FILE_IO_ERROR );
574
575 fseek( f, 0, SEEK_END );
576 if( ( size = ftell( f ) ) == -1 )
577 {
578 fclose( f );
579 return( POLARSSL_ERR_X509_FILE_IO_ERROR );
580 }
581 fseek( f, 0, SEEK_SET );
582
583 *n = (size_t) size;
584
585 if( *n + 1 == 0 ||
586 ( *buf = (unsigned char *) polarssl_malloc( *n + 1 ) ) == NULL )
587 {
588 fclose( f );
589 return( POLARSSL_ERR_X509_MALLOC_FAILED );
590 }
591
592 if( fread( *buf, 1, *n, f ) != *n )
593 {
594 fclose( f );
595 polarssl_free( *buf );
596 return( POLARSSL_ERR_X509_FILE_IO_ERROR );
597 }
598
599 fclose( f );
600
601 (*buf)[*n] = '\0';
602
603 return( 0 );
604}
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]605#endif /* POLARSSL_FS_IO */
606
Paul Bakker6edcd412013-10-29 15:22:54 +0100[diff] [blame]607#if defined(_MSC_VER) && !defined snprintf && !defined(EFIX64) && \
608 !defined(EFI32)
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]609#include <stdarg.h>
610
611#if !defined vsnprintf
612#define vsnprintf _vsnprintf
613#endif // vsnprintf
614
615/*
616 * Windows _snprintf and _vsnprintf are not compatible to linux versions.
617 * Result value is not size of buffer needed, but -1 if no fit is possible.
618 *
619 * This fuction tries to 'fix' this by at least suggesting enlarging the
620 * size by 20.
621 */
622static int compat_snprintf(char *str, size_t size, const char *format, ...)
623{
624 va_list ap;
625 int res = -1;
626
627 va_start( ap, format );
628
629 res = vsnprintf( str, size, format, ap );
630
631 va_end( ap );
632
633 // No quick fix possible
634 if ( res < 0 )
635 return( (int) size + 20 );
636
637 return res;
638}
639
640#define snprintf compat_snprintf
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]641#endif /* _MSC_VER && !snprintf && !EFIX64 && !EFI32 */
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]642
643#define POLARSSL_ERR_DEBUG_BUF_TOO_SMALL -2
644
645#define SAFE_SNPRINTF() \
646{ \
647 if( ret == -1 ) \
648 return( -1 ); \
649 \
650 if ( (unsigned int) ret > n ) { \
651 p[n - 1] = '\0'; \
652 return POLARSSL_ERR_DEBUG_BUF_TOO_SMALL;\
653 } \
654 \
655 n -= (unsigned int) ret; \
656 p += (unsigned int) ret; \
657}
658
659/*
660 * Store the name in printable form into buf; no more
661 * than size characters will be written
662 */
Paul Bakker86d0c192013-09-18 11:11:02 +0200[diff] [blame]663int x509_dn_gets( char *buf, size_t size, const x509_name *dn )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]664{
665 int ret;
666 size_t i, n;
667 unsigned char c;
668 const x509_name *name;
669 const char *short_name = NULL;
670 char s[128], *p;
671
672 memset( s, 0, sizeof( s ) );
673
674 name = dn;
675 p = buf;
676 n = size;
677
678 while( name != NULL )
679 {
680 if( !name->oid.p )
681 {
682 name = name->next;
683 continue;
684 }
685
686 if( name != dn )
687 {
688 ret = snprintf( p, n, ", " );
689 SAFE_SNPRINTF();
690 }
691
692 ret = oid_get_attr_short_name( &name->oid, &short_name );
693
694 if( ret == 0 )
695 ret = snprintf( p, n, "%s=", short_name );
696 else
697 ret = snprintf( p, n, "\?\?=" );
698 SAFE_SNPRINTF();
699
700 for( i = 0; i < name->val.len; i++ )
701 {
702 if( i >= sizeof( s ) - 1 )
703 break;
704
705 c = name->val.p[i];
706 if( c < 32 || c == 127 || ( c > 128 && c < 160 ) )
707 s[i] = '?';
708 else s[i] = c;
709 }
710 s[i] = '\0';
711 ret = snprintf( p, n, "%s", s );
712 SAFE_SNPRINTF();
713 name = name->next;
714 }
715
716 return( (int) ( size - n ) );
717}
718
719/*
720 * Store the serial in printable form into buf; no more
721 * than size characters will be written
722 */
Paul Bakker86d0c192013-09-18 11:11:02 +0200[diff] [blame]723int x509_serial_gets( char *buf, size_t size, const x509_buf *serial )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]724{
725 int ret;
726 size_t i, n, nr;
727 char *p;
728
729 p = buf;
730 n = size;
731
732 nr = ( serial->len <= 32 )
733 ? serial->len : 28;
734
735 for( i = 0; i < nr; i++ )
736 {
737 if( i == 0 && nr > 1 && serial->p[i] == 0x0 )
738 continue;
739
740 ret = snprintf( p, n, "%02X%s",
741 serial->p[i], ( i < nr - 1 ) ? ":" : "" );
742 SAFE_SNPRINTF();
743 }
744
745 if( nr != serial->len )
746 {
747 ret = snprintf( p, n, "...." );
748 SAFE_SNPRINTF();
749 }
750
751 return( (int) ( size - n ) );
752}
753
754/*
755 * Helper for writing "RSA key size", "EC key size", etc
756 */
757int x509_key_size_helper( char *buf, size_t size, const char *name )
758{
759 char *p = buf;
760 size_t n = size;
761 int ret;
762
763 if( strlen( name ) + sizeof( " key size" ) > size )
764 return POLARSSL_ERR_DEBUG_BUF_TOO_SMALL;
765
766 ret = snprintf( p, n, "%s key size", name );
767 SAFE_SNPRINTF();
768
769 return( 0 );
770}
771
772/*
773 * Return an informational string describing the given OID
774 */
775const char *x509_oid_get_description( x509_buf *oid )
776{
777 const char *desc = NULL;
778 int ret;
779
780 ret = oid_get_extended_key_usage( oid, &desc );
781
782 if( ret != 0 )
783 return( NULL );
784
785 return( desc );
786}
787
788/* Return the x.y.z.... style numeric string for the given OID */
789int x509_oid_get_numeric_string( char *buf, size_t size, x509_buf *oid )
790{
791 return oid_get_numeric_string( buf, size, oid );
792}
793
794/*
795 * Return 0 if the x509_time is still valid, or 1 otherwise.
796 */
797#if defined(POLARSSL_HAVE_TIME)
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]798
Manuel Pégourié-Gonnard6304f782014-03-10 12:26:11 +0100[diff] [blame]799static void x509_get_current_time( x509_time *now )
800{
Paul Bakkerfa6a6202013-10-28 18:48:30 +0100[diff] [blame]801#if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]802 SYSTEMTIME st;
803
Manuel Pégourié-Gonnard0776a432014-04-11 12:25:45 +0200[diff] [blame]804 GetSystemTime(&st);
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]805
Manuel Pégourié-Gonnard6304f782014-03-10 12:26:11 +0100[diff] [blame]806 now->year = st.wYear;
807 now->mon = st.wMonth;
808 now->day = st.wDay;
809 now->hour = st.wHour;
810 now->min = st.wMinute;
811 now->sec = st.wSecond;
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]812#else
Paul Bakker5fff23b2014-03-26 15:34:54 +0100[diff] [blame]813 struct tm lt;
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]814 time_t tt;
815
816 tt = time( NULL );
Manuel Pégourié-Gonnard0776a432014-04-11 12:25:45 +0200[diff] [blame]817 gmtime_r( &tt, &lt );
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]818
Paul Bakker5fff23b2014-03-26 15:34:54 +0100[diff] [blame]819 now->year = lt.tm_year + 1900;
820 now->mon = lt.tm_mon + 1;
821 now->day = lt.tm_mday;
822 now->hour = lt.tm_hour;
823 now->min = lt.tm_min;
824 now->sec = lt.tm_sec;
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]825#endif /* _WIN32 && !EFIX64 && !EFI32 */
Manuel Pégourié-Gonnard6304f782014-03-10 12:26:11 +0100[diff] [blame]826}
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]827
Manuel Pégourié-Gonnard6304f782014-03-10 12:26:11 +0100[diff] [blame]828/*
829 * Return 0 if before <= after, 1 otherwise
830 */
831static int x509_check_time( const x509_time *before, const x509_time *after )
832{
833 if( before->year > after->year )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]834 return( 1 );
835
Manuel Pégourié-Gonnard6304f782014-03-10 12:26:11 +0100[diff] [blame]836 if( before->year == after->year &&
837 before->mon > after->mon )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]838 return( 1 );
839
Manuel Pégourié-Gonnard6304f782014-03-10 12:26:11 +0100[diff] [blame]840 if( before->year == after->year &&
841 before->mon == after->mon &&
842 before->day > after->day )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]843 return( 1 );
844
Manuel Pégourié-Gonnard6304f782014-03-10 12:26:11 +0100[diff] [blame]845 if( before->year == after->year &&
846 before->mon == after->mon &&
847 before->day == after->day &&
848 before->hour > after->hour )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]849 return( 1 );
850
Manuel Pégourié-Gonnard6304f782014-03-10 12:26:11 +0100[diff] [blame]851 if( before->year == after->year &&
852 before->mon == after->mon &&
853 before->day == after->day &&
854 before->hour == after->hour &&
855 before->min > after->min )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]856 return( 1 );
857
Manuel Pégourié-Gonnard6304f782014-03-10 12:26:11 +0100[diff] [blame]858 if( before->year == after->year &&
859 before->mon == after->mon &&
860 before->day == after->day &&
861 before->hour == after->hour &&
862 before->min == after->min &&
863 before->sec > after->sec )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]864 return( 1 );
865
866 return( 0 );
867}
Manuel Pégourié-Gonnard6304f782014-03-10 12:26:11 +0100[diff] [blame]868
869int x509_time_expired( const x509_time *to )
870{
871 x509_time now;
872
873 x509_get_current_time( &now );
874
875 return( x509_check_time( &now, to ) );
876}
877
878int x509_time_future( const x509_time *from )
879{
880 x509_time now;
881
882 x509_get_current_time( &now );
883
884 return( x509_check_time( from, &now ) );
885}
886
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]887#else /* POLARSSL_HAVE_TIME */
Manuel Pégourié-Gonnard6304f782014-03-10 12:26:11 +0100[diff] [blame]888
Paul Bakker86d0c192013-09-18 11:11:02 +0200[diff] [blame]889int x509_time_expired( const x509_time *to )
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]890{
891 ((void) to);
892 return( 0 );
893}
Manuel Pégourié-Gonnard6304f782014-03-10 12:26:11 +0100[diff] [blame]894
895int x509_time_future( const x509_time *from )
896{
897 ((void) from);
898 return( 0 );
899}
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]900#endif /* POLARSSL_HAVE_TIME */
901
Paul Bakkere9e6ae32013-09-16 22:53:25 +0200[diff] [blame]902#if defined(POLARSSL_SELF_TEST)
903
904#include "polarssl/x509_crt.h"
905#include "polarssl/certs.h"
906
907/*
908 * Checkup routine
909 */
910int x509_self_test( int verbose )
911{
Manuel Pégourié-Gonnard3d413702014-04-29 15:29:41 +0200[diff] [blame]912#if defined(POLARSSL_CERTS_C) && defined(POLARSSL_SHA1_C)
Paul Bakkere9e6ae32013-09-16 22:53:25 +0200[diff] [blame]913 int ret;
914 int flags;
Paul Bakkerc559c7a2013-09-18 14:13:26 +0200[diff] [blame]915 x509_crt cacert;
916 x509_crt clicert;
Paul Bakkere9e6ae32013-09-16 22:53:25 +0200[diff] [blame]917
918 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]919 polarssl_printf( " X.509 certificate load: " );
Paul Bakkere9e6ae32013-09-16 22:53:25 +0200[diff] [blame]920
Paul Bakkerb6b09562013-09-18 14:17:41 +0200[diff] [blame]921 x509_crt_init( &clicert );
Paul Bakkere9e6ae32013-09-16 22:53:25 +0200[diff] [blame]922
Paul Bakkerddf26b42013-09-18 13:46:23 +0200[diff] [blame]923 ret = x509_crt_parse( &clicert, (const unsigned char *) test_cli_crt,
924 strlen( test_cli_crt ) );
Paul Bakkere9e6ae32013-09-16 22:53:25 +0200[diff] [blame]925 if( ret != 0 )
926 {
927 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]928 polarssl_printf( "failed\n" );
Paul Bakkere9e6ae32013-09-16 22:53:25 +0200[diff] [blame]929
930 return( ret );
931 }
932
Paul Bakkerb6b09562013-09-18 14:17:41 +0200[diff] [blame]933 x509_crt_init( &cacert );
Paul Bakkere9e6ae32013-09-16 22:53:25 +0200[diff] [blame]934
Paul Bakkerddf26b42013-09-18 13:46:23 +0200[diff] [blame]935 ret = x509_crt_parse( &cacert, (const unsigned char *) test_ca_crt,
936 strlen( test_ca_crt ) );
Paul Bakkere9e6ae32013-09-16 22:53:25 +0200[diff] [blame]937 if( ret != 0 )
938 {
939 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]940 polarssl_printf( "failed\n" );
Paul Bakkere9e6ae32013-09-16 22:53:25 +0200[diff] [blame]941
942 return( ret );
943 }
944
945 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]946 polarssl_printf( "passed\n X.509 signature verify: ");
Paul Bakkere9e6ae32013-09-16 22:53:25 +0200[diff] [blame]947
Paul Bakkerddf26b42013-09-18 13:46:23 +0200[diff] [blame]948 ret = x509_crt_verify( &clicert, &cacert, NULL, NULL, &flags, NULL, NULL );
Paul Bakkere9e6ae32013-09-16 22:53:25 +0200[diff] [blame]949 if( ret != 0 )
950 {
951 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]952 polarssl_printf( "failed\n" );
Paul Bakkere9e6ae32013-09-16 22:53:25 +0200[diff] [blame]953
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]954 polarssl_printf("ret = %d, &flags = %04x\n", ret, flags);
Paul Bakkere9e6ae32013-09-16 22:53:25 +0200[diff] [blame]955
956 return( ret );
957 }
958
959 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]960 polarssl_printf( "passed\n\n");
Paul Bakkere9e6ae32013-09-16 22:53:25 +0200[diff] [blame]961
962 x509_crt_free( &cacert );
963 x509_crt_free( &clicert );
964
965 return( 0 );
966#else
967 ((void) verbose);
968 return( POLARSSL_ERR_X509_FEATURE_UNAVAILABLE );
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]969#endif /* POLARSSL_CERTS_C && POLARSSL_SHA1_C */
Paul Bakkere9e6ae32013-09-16 22:53:25 +0200[diff] [blame]970}
971
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]972#endif /* POLARSSL_SELF_TEST */
Paul Bakkere9e6ae32013-09-16 22:53:25 +0200[diff] [blame]973
Paul Bakker7c6b2c32013-09-16 13:49:26 +0200[diff] [blame]974#endif /* POLARSSL_X509_USE_C */