TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / ab2d9836b4dec6e36f189ac2548db7af7bc21f21 / . / library / x509parse.c
blob: a11c064888fe0560d46dc7427144aa061fbefefb [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * X.509 certificate and private key decoding
3 *
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +0200[diff] [blame]4 * Copyright (C) 2006-2013, Brainspark B.V.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]5 *
6 * This file is part of PolarSSL (http://www.polarssl.org)
Paul Bakker84f12b72010-07-18 10:13:04 +0000[diff] [blame]7 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]8 *
Paul Bakker77b385e2009-07-28 17:23:11 +0000[diff] [blame]9 * All rights reserved.
Paul Bakkere0ccd0a2009-01-04 16:27:10 +0000[diff] [blame]10 *
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25/*
Paul Bakkerad8d3542012-02-16 15:28:14 +0000[diff] [blame]26 * The ITU-T X.509 standard defines a certificate format for PKI.
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]27 *
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]28 * http://www.ietf.org/rfc/rfc3279.txt
Paul Bakkerad8d3542012-02-16 15:28:14 +0000[diff] [blame]29 * http://www.ietf.org/rfc/rfc3280.txt
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]30 *
31 * ftp://ftp.rsasecurity.com/pub/pkcs/ascii/pkcs-1v2.asc
32 *
33 * http://www.itu.int/ITU-T/studygroups/com17/languages/X.680-0207.pdf
34 * http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf
35 */
36
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]37#include "polarssl/config.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]38
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]39#if defined(POLARSSL_X509_PARSE_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]40
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]41#include "polarssl/x509.h"
Paul Bakkerefc30292011-11-10 14:43:23 +0000[diff] [blame]42#include "polarssl/asn1.h"
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]43#include "polarssl/oid.h"
Paul Bakker96743fc2011-02-12 14:30:57 +0000[diff] [blame]44#include "polarssl/pem.h"
Paul Bakker1b57b062011-01-06 15:48:19 +0000[diff] [blame]45#include "polarssl/dhm.h"
Paul Bakker28144de2013-06-24 19:28:55 +0200[diff] [blame]46#if defined(POLARSSL_PKCS5_C)
47#include "polarssl/pkcs5.h"
48#endif
Paul Bakker38b50d72013-06-24 19:33:27 +0200[diff] [blame]49#if defined(POLARSSL_PKCS12_C)
50#include "polarssl/pkcs12.h"
51#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]52
Paul Bakker6e339b52013-07-03 13:37:05 +0200[diff] [blame]53#if defined(POLARSSL_MEMORY_C)
54#include "polarssl/memory.h"
55#else
56#define polarssl_malloc malloc
57#define polarssl_free free
58#endif
59
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]60#include <string.h>
61#include <stdlib.h>
Paul Bakker4f229e52011-12-04 22:11:35 +0000[diff] [blame]62#if defined(_WIN32)
Paul Bakkercce9d772011-11-18 14:26:47 +0000[diff] [blame]63#include <windows.h>
64#else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]65#include <time.h>
Paul Bakkercce9d772011-11-18 14:26:47 +0000[diff] [blame]66#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]67
Paul Bakker335db3f2011-04-25 15:28:35 +0000[diff] [blame]68#if defined(POLARSSL_FS_IO)
69#include <stdio.h>
Paul Bakker4a2bd0d2012-11-02 11:06:08 +0000[diff] [blame]70#if !defined(_WIN32)
Paul Bakker8d914582012-06-04 12:46:42 +0000[diff] [blame]71#include <sys/types.h>
Paul Bakker2c8cdd22013-06-24 19:22:42 +0200[diff] [blame]72#include <sys/stat.h>
Paul Bakker8d914582012-06-04 12:46:42 +0000[diff] [blame]73#include <dirent.h>
74#endif
Paul Bakker335db3f2011-04-25 15:28:35 +0000[diff] [blame]75#endif
76
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]77/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]78 * Version ::= INTEGER { v1(0), v2(1), v3(2) }
79 */
80static int x509_get_version( unsigned char **p,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]81 const unsigned char *end,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]82 int *ver )
83{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]84 int ret;
85 size_t len;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]86
87 if( ( ret = asn1_get_tag( p, end, &len,
88 ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 0 ) ) != 0 )
89 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]90 if( ret == POLARSSL_ERR_ASN1_UNEXPECTED_TAG )
Paul Bakker2a1c5f52011-10-19 14:15:17 +0000[diff] [blame]91 {
92 *ver = 0;
93 return( 0 );
94 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]95
96 return( ret );
97 }
98
99 end = *p + len;
100
101 if( ( ret = asn1_get_int( p, end, ver ) ) != 0 )
Paul Bakker9d781402011-05-09 16:17:09 +0000[diff] [blame]102 return( POLARSSL_ERR_X509_CERT_INVALID_VERSION + ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]103
104 if( *p != end )
Paul Bakker9d781402011-05-09 16:17:09 +0000[diff] [blame]105 return( POLARSSL_ERR_X509_CERT_INVALID_VERSION +
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]106 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]107
108 return( 0 );
109}
110
111/*
Paul Bakkerfae618f2011-10-12 11:53:52 +0000[diff] [blame]112 * Version ::= INTEGER { v1(0), v2(1) }
Paul Bakker3329d1f2011-10-12 09:55:01 +0000[diff] [blame]113 */
114static int x509_crl_get_version( unsigned char **p,
115 const unsigned char *end,
116 int *ver )
117{
118 int ret;
119
120 if( ( ret = asn1_get_int( p, end, ver ) ) != 0 )
121 {
122 if( ret == POLARSSL_ERR_ASN1_UNEXPECTED_TAG )
Paul Bakker2a1c5f52011-10-19 14:15:17 +0000[diff] [blame]123 {
124 *ver = 0;
125 return( 0 );
126 }
Paul Bakker3329d1f2011-10-12 09:55:01 +0000[diff] [blame]127
128 return( POLARSSL_ERR_X509_CERT_INVALID_VERSION + ret );
129 }
130
131 return( 0 );
132}
133
134/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]135 * CertificateSerialNumber ::= INTEGER
136 */
137static int x509_get_serial( unsigned char **p,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]138 const unsigned char *end,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]139 x509_buf *serial )
140{
141 int ret;
142
143 if( ( end - *p ) < 1 )
Paul Bakker9d781402011-05-09 16:17:09 +0000[diff] [blame]144 return( POLARSSL_ERR_X509_CERT_INVALID_SERIAL +
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]145 POLARSSL_ERR_ASN1_OUT_OF_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]146
147 if( **p != ( ASN1_CONTEXT_SPECIFIC | ASN1_PRIMITIVE | 2 ) &&
148 **p != ASN1_INTEGER )
Paul Bakker9d781402011-05-09 16:17:09 +0000[diff] [blame]149 return( POLARSSL_ERR_X509_CERT_INVALID_SERIAL +
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]150 POLARSSL_ERR_ASN1_UNEXPECTED_TAG );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]151
152 serial->tag = *(*p)++;
153
154 if( ( ret = asn1_get_len( p, end, &serial->len ) ) != 0 )
Paul Bakker9d781402011-05-09 16:17:09 +0000[diff] [blame]155 return( POLARSSL_ERR_X509_CERT_INVALID_SERIAL + ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]156
157 serial->p = *p;
158 *p += serial->len;
159
160 return( 0 );
161}
162
Manuel Pégourié-Gonnarda1555132013-07-10 13:18:41 +0200[diff] [blame]163/* Get a PK algorithm identifier
Manuel Pégourié-Gonnard0a64e8f2013-07-08 18:26:18 +0200[diff] [blame]164 *
165 * AlgorithmIdentifier ::= SEQUENCE {
166 * algorithm OBJECT IDENTIFIER,
167 * parameters ANY DEFINED BY algorithm OPTIONAL }
168 */
Manuel Pégourié-Gonnard7a287c42013-07-10 12:55:08 +0200[diff] [blame]169static int x509_get_pk_alg( unsigned char **p,
Manuel Pégourié-Gonnarda1555132013-07-10 13:18:41 +0200[diff] [blame]170 const unsigned char *end,
171 pk_type_t *pk_alg, x509_buf *params )
Manuel Pégourié-Gonnard0a64e8f2013-07-08 18:26:18 +0200[diff] [blame]172{
173 int ret;
174 x509_buf alg_oid;
175
176 memset( params, 0, sizeof(asn1_buf) );
177
178 if( ( ret = asn1_get_alg( p, end, &alg_oid, params ) ) != 0 )
179 return( POLARSSL_ERR_X509_CERT_INVALID_ALG + ret );
180
181 if( oid_get_pk_alg( &alg_oid, pk_alg ) != 0 )
182 return( POLARSSL_ERR_X509_UNKNOWN_PK_ALG );
183
184 /*
185 * No parameters with RSA (only for EC)
186 */
187 if( *pk_alg == POLARSSL_PK_RSA &&
188 ( ( params->tag != ASN1_NULL && params->tag != 0 ) ||
189 params->len != 0 ) )
190 {
191 return( POLARSSL_ERR_X509_CERT_INVALID_ALG );
192 }
193
194 return( 0 );
195}
196
Manuel Pégourié-Gonnarda1555132013-07-10 13:18:41 +0200[diff] [blame]197/* Get an algorithm identifier without parameters (eg for signatures)
198 *
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]199 * AlgorithmIdentifier ::= SEQUENCE {
200 * algorithm OBJECT IDENTIFIER,
201 * parameters ANY DEFINED BY algorithm OPTIONAL }
202 */
Manuel Pégourié-Gonnarda1555132013-07-10 13:18:41 +0200[diff] [blame]203static int x509_get_alg_null( unsigned char **p, const unsigned char *end,
204 x509_buf *alg )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]205{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]206 int ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]207
Manuel Pégourié-Gonnarda1555132013-07-10 13:18:41 +0200[diff] [blame]208 if( ( ret = asn1_get_alg_null( p, end, alg ) ) != 0 )
Paul Bakker9d781402011-05-09 16:17:09 +0000[diff] [blame]209 return( POLARSSL_ERR_X509_CERT_INVALID_ALG + ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]210
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]211 return( 0 );
212}
213
Manuel Pégourié-Gonnardab2d9832013-07-11 16:17:23 +0200[diff] [blame^]214
215#if defined(POLARSSL_ECP_C)
Manuel Pégourié-Gonnardf838eed2013-07-02 14:56:43 +0200[diff] [blame]216/* Get an EC group id from an ECParameters buffer
217 *
218 * ECParameters ::= CHOICE {
219 * namedCurve OBJECT IDENTIFIER
220 * -- implicitCurve NULL
221 * -- specifiedCurve SpecifiedECDomain
222 * }
223 */
224static int x509_get_ecparams( unsigned char **p, const unsigned char *end,
Manuel Pégourié-Gonnard1c808a02013-07-11 13:17:43 +0200[diff] [blame]225 x509_buf *params )
Manuel Pégourié-Gonnardf838eed2013-07-02 14:56:43 +0200[diff] [blame]226{
227 int ret;
Manuel Pégourié-Gonnardf838eed2013-07-02 14:56:43 +0200[diff] [blame]228
Manuel Pégourié-Gonnard1c808a02013-07-11 13:17:43 +0200[diff] [blame]229 params->tag = **p;
Manuel Pégourié-Gonnardf838eed2013-07-02 14:56:43 +0200[diff] [blame]230
Manuel Pégourié-Gonnard1c808a02013-07-11 13:17:43 +0200[diff] [blame]231 if( ( ret = asn1_get_tag( p, end, &params->len, ASN1_OID ) ) != 0 )
Manuel Pégourié-Gonnardf838eed2013-07-02 14:56:43 +0200[diff] [blame]232 return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT + ret );
233
Manuel Pégourié-Gonnard1c808a02013-07-11 13:17:43 +0200[diff] [blame]234 params->p = *p;
235 *p += params->len;
Manuel Pégourié-Gonnardf838eed2013-07-02 14:56:43 +0200[diff] [blame]236
237 if( *p != end )
238 return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT +
239 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
240
Manuel Pégourié-Gonnard1c808a02013-07-11 13:17:43 +0200[diff] [blame]241 return( 0 );
242}
243
244/*
245 * Use EC parameters to initialise an EC group
246 */
247static int x509_use_ecparams( const x509_buf *params, ecp_group *grp )
248{
249 int ret;
250 ecp_group_id grp_id;
251
252 if( oid_get_ec_grp( params, &grp_id ) != 0 )
253 return( POLARSSL_ERR_X509_UNKNOWN_NAMED_CURVE );
254
255 /*
256 * grp may already be initilialized; if so, make sure IDs match
257 */
258 if( grp->id != POLARSSL_ECP_DP_NONE && grp->id != grp_id )
259 return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT );
260
261 if( ( ret = ecp_use_known_dp( grp, grp_id ) ) != 0 )
262 return( ret );
263
264 return( 0 );
Manuel Pégourié-Gonnardf838eed2013-07-02 14:56:43 +0200[diff] [blame]265}
Manuel Pégourié-Gonnardab2d9832013-07-11 16:17:23 +0200[diff] [blame^]266#endif /* POLARSSL_ECP_C */
Manuel Pégourié-Gonnardf838eed2013-07-02 14:56:43 +0200[diff] [blame]267
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]268/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]269 * AttributeTypeAndValue ::= SEQUENCE {
270 * type AttributeType,
271 * value AttributeValue }
272 *
273 * AttributeType ::= OBJECT IDENTIFIER
274 *
275 * AttributeValue ::= ANY DEFINED BY AttributeType
276 */
Paul Bakker400ff6f2011-02-20 10:40:16 +0000[diff] [blame]277static int x509_get_attr_type_value( unsigned char **p,
278 const unsigned char *end,
279 x509_name *cur )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]280{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]281 int ret;
282 size_t len;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]283 x509_buf *oid;
284 x509_buf *val;
285
286 if( ( ret = asn1_get_tag( p, end, &len,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]287 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
Paul Bakker9d781402011-05-09 16:17:09 +0000[diff] [blame]288 return( POLARSSL_ERR_X509_CERT_INVALID_NAME + ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]289
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]290 oid = &cur->oid;
291 oid->tag = **p;
292
293 if( ( ret = asn1_get_tag( p, end, &oid->len, ASN1_OID ) ) != 0 )
Paul Bakker9d781402011-05-09 16:17:09 +0000[diff] [blame]294 return( POLARSSL_ERR_X509_CERT_INVALID_NAME + ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]295
296 oid->p = *p;
297 *p += oid->len;
298
299 if( ( end - *p ) < 1 )
Paul Bakker9d781402011-05-09 16:17:09 +0000[diff] [blame]300 return( POLARSSL_ERR_X509_CERT_INVALID_NAME +
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]301 POLARSSL_ERR_ASN1_OUT_OF_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]302
303 if( **p != ASN1_BMP_STRING && **p != ASN1_UTF8_STRING &&
304 **p != ASN1_T61_STRING && **p != ASN1_PRINTABLE_STRING &&
305 **p != ASN1_IA5_STRING && **p != ASN1_UNIVERSAL_STRING )
Paul Bakker9d781402011-05-09 16:17:09 +0000[diff] [blame]306 return( POLARSSL_ERR_X509_CERT_INVALID_NAME +
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]307 POLARSSL_ERR_ASN1_UNEXPECTED_TAG );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]308
309 val = &cur->val;
310 val->tag = *(*p)++;
311
312 if( ( ret = asn1_get_len( p, end, &val->len ) ) != 0 )
Paul Bakker9d781402011-05-09 16:17:09 +0000[diff] [blame]313 return( POLARSSL_ERR_X509_CERT_INVALID_NAME + ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]314
315 val->p = *p;
316 *p += val->len;
317
318 cur->next = NULL;
319
Paul Bakker400ff6f2011-02-20 10:40:16 +0000[diff] [blame]320 return( 0 );
321}
322
323/*
324 * RelativeDistinguishedName ::=
325 * SET OF AttributeTypeAndValue
326 *
327 * AttributeTypeAndValue ::= SEQUENCE {
328 * type AttributeType,
329 * value AttributeValue }
330 *
331 * AttributeType ::= OBJECT IDENTIFIER
332 *
333 * AttributeValue ::= ANY DEFINED BY AttributeType
334 */
335static int x509_get_name( unsigned char **p,
336 const unsigned char *end,
337 x509_name *cur )
338{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]339 int ret;
340 size_t len;
Paul Bakker400ff6f2011-02-20 10:40:16 +0000[diff] [blame]341 const unsigned char *end2;
342 x509_name *use;
343
344 if( ( ret = asn1_get_tag( p, end, &len,
345 ASN1_CONSTRUCTED | ASN1_SET ) ) != 0 )
Paul Bakker9d781402011-05-09 16:17:09 +0000[diff] [blame]346 return( POLARSSL_ERR_X509_CERT_INVALID_NAME + ret );
Paul Bakker400ff6f2011-02-20 10:40:16 +0000[diff] [blame]347
348 end2 = end;
349 end = *p + len;
350 use = cur;
351
352 do
353 {
354 if( ( ret = x509_get_attr_type_value( p, end, use ) ) != 0 )
355 return( ret );
356
357 if( *p != end )
358 {
Paul Bakker6e339b52013-07-03 13:37:05 +0200[diff] [blame]359 use->next = (x509_name *) polarssl_malloc(
Paul Bakker400ff6f2011-02-20 10:40:16 +0000[diff] [blame]360 sizeof( x509_name ) );
361
362 if( use->next == NULL )
Paul Bakker69e095c2011-12-10 21:55:01 +0000[diff] [blame]363 return( POLARSSL_ERR_X509_MALLOC_FAILED );
Paul Bakker400ff6f2011-02-20 10:40:16 +0000[diff] [blame]364
365 memset( use->next, 0, sizeof( x509_name ) );
366
367 use = use->next;
368 }
369 }
370 while( *p != end );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]371
372 /*
373 * recurse until end of SEQUENCE is reached
374 */
375 if( *p == end2 )
376 return( 0 );
377
Paul Bakker6e339b52013-07-03 13:37:05 +0200[diff] [blame]378 cur->next = (x509_name *) polarssl_malloc(
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]379 sizeof( x509_name ) );
380
381 if( cur->next == NULL )
Paul Bakker69e095c2011-12-10 21:55:01 +0000[diff] [blame]382 return( POLARSSL_ERR_X509_MALLOC_FAILED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]383
Paul Bakker430ffbe2012-05-01 08:14:20 +0000[diff] [blame]384 memset( cur->next, 0, sizeof( x509_name ) );
385
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]386 return( x509_get_name( p, end2, cur->next ) );
387}
388
389/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]390 * Time ::= CHOICE {
391 * utcTime UTCTime,
392 * generalTime GeneralizedTime }
393 */
Paul Bakker91200182010-02-18 21:26:15 +0000[diff] [blame]394static int x509_get_time( unsigned char **p,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]395 const unsigned char *end,
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]396 x509_time *time )
397{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]398 int ret;
399 size_t len;
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]400 char date[64];
Paul Bakker91200182010-02-18 21:26:15 +0000[diff] [blame]401 unsigned char tag;
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]402
Paul Bakker91200182010-02-18 21:26:15 +0000[diff] [blame]403 if( ( end - *p ) < 1 )
Paul Bakker9d781402011-05-09 16:17:09 +0000[diff] [blame]404 return( POLARSSL_ERR_X509_CERT_INVALID_DATE +
405 POLARSSL_ERR_ASN1_OUT_OF_DATA );
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]406
Paul Bakker91200182010-02-18 21:26:15 +0000[diff] [blame]407 tag = **p;
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]408
Paul Bakker91200182010-02-18 21:26:15 +0000[diff] [blame]409 if ( tag == ASN1_UTC_TIME )
410 {
411 (*p)++;
412 ret = asn1_get_len( p, end, &len );
413
414 if( ret != 0 )
Paul Bakker9d781402011-05-09 16:17:09 +0000[diff] [blame]415 return( POLARSSL_ERR_X509_CERT_INVALID_DATE + ret );
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]416
Paul Bakker91200182010-02-18 21:26:15 +0000[diff] [blame]417 memset( date, 0, sizeof( date ) );
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]418 memcpy( date, *p, ( len < sizeof( date ) - 1 ) ?
419 len : sizeof( date ) - 1 );
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]420
Paul Bakker91200182010-02-18 21:26:15 +0000[diff] [blame]421 if( sscanf( date, "%2d%2d%2d%2d%2d%2d",
422 &time->year, &time->mon, &time->day,
423 &time->hour, &time->min, &time->sec ) < 5 )
424 return( POLARSSL_ERR_X509_CERT_INVALID_DATE );
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]425
Paul Bakker400ff6f2011-02-20 10:40:16 +0000[diff] [blame]426 time->year += 100 * ( time->year < 50 );
Paul Bakker91200182010-02-18 21:26:15 +0000[diff] [blame]427 time->year += 1900;
428
429 *p += len;
430
431 return( 0 );
432 }
433 else if ( tag == ASN1_GENERALIZED_TIME )
434 {
435 (*p)++;
436 ret = asn1_get_len( p, end, &len );
437
438 if( ret != 0 )
Paul Bakker9d781402011-05-09 16:17:09 +0000[diff] [blame]439 return( POLARSSL_ERR_X509_CERT_INVALID_DATE + ret );
Paul Bakker91200182010-02-18 21:26:15 +0000[diff] [blame]440
441 memset( date, 0, sizeof( date ) );
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]442 memcpy( date, *p, ( len < sizeof( date ) - 1 ) ?
443 len : sizeof( date ) - 1 );
Paul Bakker91200182010-02-18 21:26:15 +0000[diff] [blame]444
445 if( sscanf( date, "%4d%2d%2d%2d%2d%2d",
446 &time->year, &time->mon, &time->day,
447 &time->hour, &time->min, &time->sec ) < 5 )
448 return( POLARSSL_ERR_X509_CERT_INVALID_DATE );
449
450 *p += len;
451
452 return( 0 );
453 }
454 else
Paul Bakker9d781402011-05-09 16:17:09 +0000[diff] [blame]455 return( POLARSSL_ERR_X509_CERT_INVALID_DATE + POLARSSL_ERR_ASN1_UNEXPECTED_TAG );
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]456}
457
458
459/*
460 * Validity ::= SEQUENCE {
461 * notBefore Time,
462 * notAfter Time }
463 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]464static int x509_get_dates( unsigned char **p,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]465 const unsigned char *end,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]466 x509_time *from,
467 x509_time *to )
468{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]469 int ret;
470 size_t len;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]471
472 if( ( ret = asn1_get_tag( p, end, &len,
473 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
Paul Bakker9d781402011-05-09 16:17:09 +0000[diff] [blame]474 return( POLARSSL_ERR_X509_CERT_INVALID_DATE + ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]475
476 end = *p + len;
477
Paul Bakker91200182010-02-18 21:26:15 +0000[diff] [blame]478 if( ( ret = x509_get_time( p, end, from ) ) != 0 )
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]479 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]480
Paul Bakker91200182010-02-18 21:26:15 +0000[diff] [blame]481 if( ( ret = x509_get_time( p, end, to ) ) != 0 )
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]482 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]483
484 if( *p != end )
Paul Bakker9d781402011-05-09 16:17:09 +0000[diff] [blame]485 return( POLARSSL_ERR_X509_CERT_INVALID_DATE +
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]486 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]487
488 return( 0 );
489}
490
Manuel Pégourié-Gonnardab2d9832013-07-11 16:17:23 +0200[diff] [blame^]491#if defined(POLARSSL_RSA_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]492/*
Manuel Pégourié-Gonnard094ad9e2013-07-09 12:32:51 +0200[diff] [blame]493 * RSAPublicKey ::= SEQUENCE {
494 * modulus INTEGER, -- n
495 * publicExponent INTEGER -- e
496 * }
497 */
498static int x509_get_rsapubkey( unsigned char **p,
499 const unsigned char *end,
500 rsa_context *rsa )
501{
502 int ret;
503 size_t len;
504
505 if( ( ret = asn1_get_tag( p, end, &len,
506 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
507 return( POLARSSL_ERR_X509_CERT_INVALID_PUBKEY + ret );
508
509 if( *p + len != end )
510 return( POLARSSL_ERR_X509_CERT_INVALID_PUBKEY +
511 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
512
513 if( ( ret = asn1_get_mpi( p, end, &rsa->N ) ) != 0 ||
514 ( ret = asn1_get_mpi( p, end, &rsa->E ) ) != 0 )
515 return( POLARSSL_ERR_X509_CERT_INVALID_PUBKEY + ret );
516
517 if( ( ret = rsa_check_pubkey( rsa ) ) != 0 )
518 return( ret );
519
520 rsa->len = mpi_size( &rsa->N );
521
522 return( 0 );
523}
Manuel Pégourié-Gonnardab2d9832013-07-11 16:17:23 +0200[diff] [blame^]524#endif /* POLARSSL_RSA_C */
Manuel Pégourié-Gonnard094ad9e2013-07-09 12:32:51 +0200[diff] [blame]525
Manuel Pégourié-Gonnardab2d9832013-07-11 16:17:23 +0200[diff] [blame^]526#if defined(POLARSSL_ECP_C)
Manuel Pégourié-Gonnard8b863cd2013-07-11 15:32:03 +0200[diff] [blame]527/*
528 * EC public key is an EC point
529 */
Manuel Pégourié-Gonnardc296c592013-07-09 12:54:04 +0200[diff] [blame]530static int x509_get_ecpubkey( unsigned char **p, const unsigned char *end,
Manuel Pégourié-Gonnarda2d4e642013-07-11 13:59:02 +0200[diff] [blame]531 ecp_keypair *key )
Manuel Pégourié-Gonnardc296c592013-07-09 12:54:04 +0200[diff] [blame]532{
533 int ret;
Manuel Pégourié-Gonnardc296c592013-07-09 12:54:04 +0200[diff] [blame]534
Manuel Pégourié-Gonnardc296c592013-07-09 12:54:04 +0200[diff] [blame]535 if( ( ret = ecp_point_read_binary( &key->grp, &key->Q,
Manuel Pégourié-Gonnarda2d4e642013-07-11 13:59:02 +0200[diff] [blame]536 (const unsigned char *) *p, end - *p ) ) != 0 ||
537 ( ret = ecp_check_pubkey( &key->grp, &key->Q ) ) != 0 )
Manuel Pégourié-Gonnard5b18fb02013-07-10 16:07:25 +0200[diff] [blame]538 {
539 ecp_keypair_free( key );
540 return( POLARSSL_ERR_X509_CERT_INVALID_PUBKEY );
Manuel Pégourié-Gonnardc296c592013-07-09 12:54:04 +0200[diff] [blame]541 }
542
Manuel Pégourié-Gonnarda2d4e642013-07-11 13:59:02 +0200[diff] [blame]543 /*
544 * We know ecp_point_read_binary consumed all bytes
545 */
546 *p = (unsigned char *) end;
547
Manuel Pégourié-Gonnardc296c592013-07-09 12:54:04 +0200[diff] [blame]548 return( 0 );
549}
Manuel Pégourié-Gonnardab2d9832013-07-11 16:17:23 +0200[diff] [blame^]550#endif /* POLARSSL_ECP_C */
Manuel Pégourié-Gonnardc296c592013-07-09 12:54:04 +0200[diff] [blame]551
552/*
553 * SubjectPublicKeyInfo ::= SEQUENCE {
554 * algorithm AlgorithmIdentifier,
555 * subjectPublicKey BIT STRING }
556 */
557static int x509_get_pubkey( unsigned char **p,
558 const unsigned char *end,
559 pk_context *pk )
560{
561 int ret;
562 size_t len;
563 x509_buf alg_params;
564 pk_type_t pk_alg = POLARSSL_PK_NONE;
565
566 if( ( ret = asn1_get_tag( p, end, &len,
567 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
568 {
569 return( POLARSSL_ERR_X509_CERT_INVALID_FORMAT + ret );
570 }
571
572 end = *p + len;
573
Manuel Pégourié-Gonnard7a287c42013-07-10 12:55:08 +0200[diff] [blame]574 if( ( ret = x509_get_pk_alg( p, end, &pk_alg, &alg_params ) ) != 0 )
Manuel Pégourié-Gonnardc296c592013-07-09 12:54:04 +0200[diff] [blame]575 return( ret );
576
Manuel Pégourié-Gonnarda2d4e642013-07-11 13:59:02 +0200[diff] [blame]577 if( ( ret = asn1_get_bitstring_null( p, end, &len ) ) != 0 )
Manuel Pégourié-Gonnardc296c592013-07-09 12:54:04 +0200[diff] [blame]578 return( POLARSSL_ERR_X509_CERT_INVALID_PUBKEY + ret );
579
Manuel Pégourié-Gonnardc296c592013-07-09 12:54:04 +0200[diff] [blame]580 if( *p + len != end )
581 return( POLARSSL_ERR_X509_CERT_INVALID_PUBKEY +
582 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
583
Manuel Pégourié-Gonnard4fa04762013-07-09 13:10:49 +0200[diff] [blame]584 if( ( ret = pk_set_type( pk, pk_alg ) ) != 0 )
585 return( ret );
Manuel Pégourié-Gonnardc296c592013-07-09 12:54:04 +0200[diff] [blame]586
Manuel Pégourié-Gonnardab2d9832013-07-11 16:17:23 +0200[diff] [blame^]587#if defined(POLARSSL_RSA_C)
588 if( pk_alg == POLARSSL_PK_RSA )
Manuel Pégourié-Gonnardc296c592013-07-09 12:54:04 +0200[diff] [blame]589 {
Manuel Pégourié-Gonnardab2d9832013-07-11 16:17:23 +0200[diff] [blame^]590 ret = x509_get_rsapubkey( p, end, pk_rsa( *pk ) );
591 } else
592#endif /* POLARSSL_RSA_C */
593#if defined(POLARSSL_ECP_C)
594 if( pk_alg == POLARSSL_PK_ECKEY_DH || pk_alg == POLARSSL_PK_ECKEY )
595 {
596 ret = x509_use_ecparams( &alg_params, &pk_ec( *pk )->grp ) ||
597 x509_get_ecpubkey( p, end, pk_ec( *pk ) );
598 } else
599#endif /* POLARSSL_ECP_C */
600 ret = POLARSSL_ERR_X509_UNKNOWN_PK_ALG;
Manuel Pégourié-Gonnard4fa04762013-07-09 13:10:49 +0200[diff] [blame]601
Manuel Pégourié-Gonnard5b18fb02013-07-10 16:07:25 +0200[diff] [blame]602 if( ret == 0 && *p != end )
603 ret = POLARSSL_ERR_X509_CERT_INVALID_PUBKEY
604 POLARSSL_ERR_ASN1_LENGTH_MISMATCH;
605
Manuel Pégourié-Gonnard4fa04762013-07-09 13:10:49 +0200[diff] [blame]606 if( ret != 0 )
607 pk_free( pk );
608
609 return( ret );
Manuel Pégourié-Gonnardc296c592013-07-09 12:54:04 +0200[diff] [blame]610}
611
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]612static int x509_get_sig( unsigned char **p,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]613 const unsigned char *end,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]614 x509_buf *sig )
615{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]616 int ret;
617 size_t len;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]618
Paul Bakker8afa70d2012-02-11 18:42:45 +0000[diff] [blame]619 if( ( end - *p ) < 1 )
620 return( POLARSSL_ERR_X509_CERT_INVALID_SIGNATURE +
621 POLARSSL_ERR_ASN1_OUT_OF_DATA );
622
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]623 sig->tag = **p;
624
Manuel Pégourié-Gonnarda2d4e642013-07-11 13:59:02 +0200[diff] [blame]625 if( ( ret = asn1_get_bitstring_null( p, end, &len ) ) != 0 )
Paul Bakker9d781402011-05-09 16:17:09 +0000[diff] [blame]626 return( POLARSSL_ERR_X509_CERT_INVALID_SIGNATURE + ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]627
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]628 sig->len = len;
629 sig->p = *p;
630
631 *p += len;
632
633 return( 0 );
634}
635
636/*
637 * X.509 v2/v3 unique identifier (not parsed)
638 */
639static int x509_get_uid( unsigned char **p,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]640 const unsigned char *end,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]641 x509_buf *uid, int n )
642{
643 int ret;
644
645 if( *p == end )
646 return( 0 );
647
648 uid->tag = **p;
649
650 if( ( ret = asn1_get_tag( p, end, &uid->len,
651 ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | n ) ) != 0 )
652 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]653 if( ret == POLARSSL_ERR_ASN1_UNEXPECTED_TAG )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]654 return( 0 );
655
656 return( ret );
657 }
658
659 uid->p = *p;
660 *p += uid->len;
661
662 return( 0 );
663}
664
665/*
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]666 * X.509 Extensions (No parsing of extensions, pointer should
667 * be either manually updated or extensions should be parsed!
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]668 */
669static int x509_get_ext( unsigned char **p,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]670 const unsigned char *end,
Paul Bakkerfbc09f32011-10-12 09:56:41 +0000[diff] [blame]671 x509_buf *ext, int tag )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]672{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]673 int ret;
674 size_t len;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]675
676 if( *p == end )
677 return( 0 );
678
679 ext->tag = **p;
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]680
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]681 if( ( ret = asn1_get_tag( p, end, &ext->len,
Paul Bakkerfbc09f32011-10-12 09:56:41 +0000[diff] [blame]682 ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | tag ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]683 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]684
685 ext->p = *p;
686 end = *p + ext->len;
687
688 /*
689 * Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
690 *
691 * Extension ::= SEQUENCE {
692 * extnID OBJECT IDENTIFIER,
693 * critical BOOLEAN DEFAULT FALSE,
694 * extnValue OCTET STRING }
695 */
696 if( ( ret = asn1_get_tag( p, end, &len,
697 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
Paul Bakker9d781402011-05-09 16:17:09 +0000[diff] [blame]698 return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]699
700 if( end != *p + len )
Paul Bakker9d781402011-05-09 16:17:09 +0000[diff] [blame]701 return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS +
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]702 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]703
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]704 return( 0 );
705}
706
707/*
708 * X.509 CRL v2 extensions (no extensions parsed yet.)
709 */
710static int x509_get_crl_ext( unsigned char **p,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]711 const unsigned char *end,
712 x509_buf *ext )
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]713{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]714 int ret;
Paul Bakkerfbc09f32011-10-12 09:56:41 +0000[diff] [blame]715 size_t len = 0;
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]716
Paul Bakkerfbc09f32011-10-12 09:56:41 +0000[diff] [blame]717 /* Get explicit tag */
718 if( ( ret = x509_get_ext( p, end, ext, 0) ) != 0 )
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]719 {
720 if( ret == POLARSSL_ERR_ASN1_UNEXPECTED_TAG )
721 return( 0 );
722
723 return( ret );
724 }
725
726 while( *p < end )
727 {
728 if( ( ret = asn1_get_tag( p, end, &len,
729 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
Paul Bakker9d781402011-05-09 16:17:09 +0000[diff] [blame]730 return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + ret );
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]731
732 *p += len;
733 }
734
735 if( *p != end )
Paul Bakker9d781402011-05-09 16:17:09 +0000[diff] [blame]736 return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS +
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]737 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
738
739 return( 0 );
740}
741
Paul Bakkerb5a11ab2011-10-12 09:58:41 +0000[diff] [blame]742/*
743 * X.509 CRL v2 entry extensions (no extensions parsed yet.)
744 */
745static int x509_get_crl_entry_ext( unsigned char **p,
746 const unsigned char *end,
747 x509_buf *ext )
748{
749 int ret;
750 size_t len = 0;
751
752 /* OPTIONAL */
753 if (end <= *p)
754 return( 0 );
755
756 ext->tag = **p;
757 ext->p = *p;
758
759 /*
760 * Get CRL-entry extension sequence header
761 * crlEntryExtensions Extensions OPTIONAL -- if present, MUST be v2
762 */
763 if( ( ret = asn1_get_tag( p, end, &ext->len,
764 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
765 {
766 if( ret == POLARSSL_ERR_ASN1_UNEXPECTED_TAG )
767 {
768 ext->p = NULL;
769 return( 0 );
770 }
771 return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + ret );
772 }
773
774 end = *p + ext->len;
775
776 if( end != *p + ext->len )
777 return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS +
778 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
779
780 while( *p < end )
781 {
782 if( ( ret = asn1_get_tag( p, end, &len,
783 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
784 return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + ret );
785
786 *p += len;
787 }
788
789 if( *p != end )
790 return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS +
791 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
792
793 return( 0 );
794}
795
Paul Bakker74111d32011-01-15 16:57:55 +0000[diff] [blame]796static int x509_get_basic_constraints( unsigned char **p,
797 const unsigned char *end,
Paul Bakker74111d32011-01-15 16:57:55 +0000[diff] [blame]798 int *ca_istrue,
799 int *max_pathlen )
800{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]801 int ret;
802 size_t len;
Paul Bakker74111d32011-01-15 16:57:55 +0000[diff] [blame]803
804 /*
805 * BasicConstraints ::= SEQUENCE {
806 * cA BOOLEAN DEFAULT FALSE,
807 * pathLenConstraint INTEGER (0..MAX) OPTIONAL }
808 */
Paul Bakker3cccddb2011-01-16 21:46:31 +0000[diff] [blame]809 *ca_istrue = 0; /* DEFAULT FALSE */
Paul Bakker74111d32011-01-15 16:57:55 +0000[diff] [blame]810 *max_pathlen = 0; /* endless */
811
812 if( ( ret = asn1_get_tag( p, end, &len,
813 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
Paul Bakker9d781402011-05-09 16:17:09 +0000[diff] [blame]814 return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + ret );
Paul Bakker74111d32011-01-15 16:57:55 +0000[diff] [blame]815
816 if( *p == end )
817 return 0;
818
Paul Bakker3cccddb2011-01-16 21:46:31 +0000[diff] [blame]819 if( ( ret = asn1_get_bool( p, end, ca_istrue ) ) != 0 )
Paul Bakker74111d32011-01-15 16:57:55 +0000[diff] [blame]820 {
821 if( ret == POLARSSL_ERR_ASN1_UNEXPECTED_TAG )
Paul Bakker3cccddb2011-01-16 21:46:31 +0000[diff] [blame]822 ret = asn1_get_int( p, end, ca_istrue );
Paul Bakker74111d32011-01-15 16:57:55 +0000[diff] [blame]823
824 if( ret != 0 )
Paul Bakker9d781402011-05-09 16:17:09 +0000[diff] [blame]825 return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + ret );
Paul Bakker74111d32011-01-15 16:57:55 +0000[diff] [blame]826
Paul Bakker3cccddb2011-01-16 21:46:31 +0000[diff] [blame]827 if( *ca_istrue != 0 )
828 *ca_istrue = 1;
Paul Bakker74111d32011-01-15 16:57:55 +0000[diff] [blame]829 }
830
831 if( *p == end )
832 return 0;
833
834 if( ( ret = asn1_get_int( p, end, max_pathlen ) ) != 0 )
Paul Bakker9d781402011-05-09 16:17:09 +0000[diff] [blame]835 return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + ret );
Paul Bakker74111d32011-01-15 16:57:55 +0000[diff] [blame]836
837 if( *p != end )
Paul Bakker9d781402011-05-09 16:17:09 +0000[diff] [blame]838 return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS +
Paul Bakker74111d32011-01-15 16:57:55 +0000[diff] [blame]839 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
840
841 (*max_pathlen)++;
842
Paul Bakker74111d32011-01-15 16:57:55 +0000[diff] [blame]843 return 0;
844}
845
846static int x509_get_ns_cert_type( unsigned char **p,
847 const unsigned char *end,
848 unsigned char *ns_cert_type)
849{
850 int ret;
Paul Bakkerd61e7d92011-01-18 16:17:47 +0000[diff] [blame]851 x509_bitstring bs = { 0, 0, NULL };
Paul Bakker74111d32011-01-15 16:57:55 +0000[diff] [blame]852
853 if( ( ret = asn1_get_bitstring( p, end, &bs ) ) != 0 )
Paul Bakker9d781402011-05-09 16:17:09 +0000[diff] [blame]854 return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + ret );
Paul Bakker74111d32011-01-15 16:57:55 +0000[diff] [blame]855
856 if( bs.len != 1 )
Paul Bakker9d781402011-05-09 16:17:09 +0000[diff] [blame]857 return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS +
Paul Bakker74111d32011-01-15 16:57:55 +0000[diff] [blame]858 POLARSSL_ERR_ASN1_INVALID_LENGTH );
859
860 /* Get actual bitstring */
861 *ns_cert_type = *bs.p;
862 return 0;
863}
864
865static int x509_get_key_usage( unsigned char **p,
866 const unsigned char *end,
867 unsigned char *key_usage)
868{
869 int ret;
Paul Bakkerd61e7d92011-01-18 16:17:47 +0000[diff] [blame]870 x509_bitstring bs = { 0, 0, NULL };
Paul Bakker74111d32011-01-15 16:57:55 +0000[diff] [blame]871
872 if( ( ret = asn1_get_bitstring( p, end, &bs ) ) != 0 )
Paul Bakker9d781402011-05-09 16:17:09 +0000[diff] [blame]873 return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + ret );
Paul Bakker74111d32011-01-15 16:57:55 +0000[diff] [blame]874
Paul Bakker94a67962012-08-23 13:03:52 +0000[diff] [blame]875 if( bs.len < 1 )
Paul Bakker9d781402011-05-09 16:17:09 +0000[diff] [blame]876 return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS +
Paul Bakker74111d32011-01-15 16:57:55 +0000[diff] [blame]877 POLARSSL_ERR_ASN1_INVALID_LENGTH );
878
879 /* Get actual bitstring */
880 *key_usage = *bs.p;
881 return 0;
882}
883
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]884/*
Paul Bakker74111d32011-01-15 16:57:55 +0000[diff] [blame]885 * ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
886 *
887 * KeyPurposeId ::= OBJECT IDENTIFIER
888 */
889static int x509_get_ext_key_usage( unsigned char **p,
890 const unsigned char *end,
891 x509_sequence *ext_key_usage)
892{
893 int ret;
894
895 if( ( ret = asn1_get_sequence_of( p, end, ext_key_usage, ASN1_OID ) ) != 0 )
Paul Bakker9d781402011-05-09 16:17:09 +0000[diff] [blame]896 return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + ret );
Paul Bakker74111d32011-01-15 16:57:55 +0000[diff] [blame]897
898 /* Sequence length must be >= 1 */
899 if( ext_key_usage->buf.p == NULL )
Paul Bakker9d781402011-05-09 16:17:09 +0000[diff] [blame]900 return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS +
Paul Bakker74111d32011-01-15 16:57:55 +0000[diff] [blame]901 POLARSSL_ERR_ASN1_INVALID_LENGTH );
902
903 return 0;
904}
905
906/*
Paul Bakkera8cd2392012-02-11 16:09:32 +0000[diff] [blame]907 * SubjectAltName ::= GeneralNames
908 *
909 * GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
910 *
911 * GeneralName ::= CHOICE {
912 * otherName [0] OtherName,
913 * rfc822Name [1] IA5String,
914 * dNSName [2] IA5String,
915 * x400Address [3] ORAddress,
916 * directoryName [4] Name,
917 * ediPartyName [5] EDIPartyName,
918 * uniformResourceIdentifier [6] IA5String,
919 * iPAddress [7] OCTET STRING,
920 * registeredID [8] OBJECT IDENTIFIER }
921 *
922 * OtherName ::= SEQUENCE {
923 * type-id OBJECT IDENTIFIER,
924 * value [0] EXPLICIT ANY DEFINED BY type-id }
925 *
926 * EDIPartyName ::= SEQUENCE {
927 * nameAssigner [0] DirectoryString OPTIONAL,
928 * partyName [1] DirectoryString }
929 *
930 * NOTE: PolarSSL only parses and uses dNSName at this point.
931 */
932static int x509_get_subject_alt_name( unsigned char **p,
933 const unsigned char *end,
934 x509_sequence *subject_alt_name )
935{
936 int ret;
937 size_t len, tag_len;
938 asn1_buf *buf;
939 unsigned char tag;
940 asn1_sequence *cur = subject_alt_name;
941
942 /* Get main sequence tag */
943 if( ( ret = asn1_get_tag( p, end, &len,
944 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
945 return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + ret );
946
947 if( *p + len != end )
948 return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS +
949 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
950
951 while( *p < end )
952 {
953 if( ( end - *p ) < 1 )
954 return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS +
955 POLARSSL_ERR_ASN1_OUT_OF_DATA );
956
957 tag = **p;
958 (*p)++;
959 if( ( ret = asn1_get_len( p, end, &tag_len ) ) != 0 )
960 return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + ret );
961
962 if( ( tag & ASN1_CONTEXT_SPECIFIC ) != ASN1_CONTEXT_SPECIFIC )
963 return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS +
964 POLARSSL_ERR_ASN1_UNEXPECTED_TAG );
965
966 if( tag != ( ASN1_CONTEXT_SPECIFIC | 2 ) )
967 {
968 *p += tag_len;
969 continue;
970 }
971
972 buf = &(cur->buf);
973 buf->tag = tag;
974 buf->p = *p;
975 buf->len = tag_len;
976 *p += buf->len;
977
978 /* Allocate and assign next pointer */
979 if (*p < end)
980 {
Paul Bakker6e339b52013-07-03 13:37:05 +0200[diff] [blame]981 cur->next = (asn1_sequence *) polarssl_malloc(
Paul Bakkera8cd2392012-02-11 16:09:32 +0000[diff] [blame]982 sizeof( asn1_sequence ) );
983
984 if( cur->next == NULL )
985 return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS +
986 POLARSSL_ERR_ASN1_MALLOC_FAILED );
987
Paul Bakker535e97d2012-08-23 10:49:55 +0000[diff] [blame]988 memset( cur->next, 0, sizeof( asn1_sequence ) );
Paul Bakkera8cd2392012-02-11 16:09:32 +0000[diff] [blame]989 cur = cur->next;
990 }
991 }
992
993 /* Set final sequence entry's next pointer to NULL */
994 cur->next = NULL;
995
996 if( *p != end )
997 return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS +
998 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
999
1000 return( 0 );
1001}
1002
1003/*
Paul Bakker74111d32011-01-15 16:57:55 +0000[diff] [blame]1004 * X.509 v3 extensions
1005 *
1006 * TODO: Perform all of the basic constraints tests required by the RFC
1007 * TODO: Set values for undetected extensions to a sane default?
1008 *
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]1009 */
1010static int x509_get_crt_ext( unsigned char **p,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1011 const unsigned char *end,
Paul Bakker74111d32011-01-15 16:57:55 +0000[diff] [blame]1012 x509_cert *crt )
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]1013{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1014 int ret;
1015 size_t len;
Paul Bakkerc6ce8382009-07-27 21:34:45 +0000[diff] [blame]1016 unsigned char *end_ext_data, *end_ext_octet;
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]1017
Paul Bakkerfbc09f32011-10-12 09:56:41 +0000[diff] [blame]1018 if( ( ret = x509_get_ext( p, end, &crt->v3_ext, 3 ) ) != 0 )
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]1019 {
1020 if( ret == POLARSSL_ERR_ASN1_UNEXPECTED_TAG )
1021 return( 0 );
1022
1023 return( ret );
1024 }
1025
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1026 while( *p < end )
1027 {
Paul Bakker74111d32011-01-15 16:57:55 +0000[diff] [blame]1028 /*
1029 * Extension ::= SEQUENCE {
1030 * extnID OBJECT IDENTIFIER,
1031 * critical BOOLEAN DEFAULT FALSE,
1032 * extnValue OCTET STRING }
1033 */
1034 x509_buf extn_oid = {0, 0, NULL};
1035 int is_critical = 0; /* DEFAULT FALSE */
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1036 int ext_type = 0;
Paul Bakker74111d32011-01-15 16:57:55 +0000[diff] [blame]1037
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1038 if( ( ret = asn1_get_tag( p, end, &len,
1039 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
Paul Bakker9d781402011-05-09 16:17:09 +0000[diff] [blame]1040 return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1041
Paul Bakkerc6ce8382009-07-27 21:34:45 +0000[diff] [blame]1042 end_ext_data = *p + len;
1043
Paul Bakker74111d32011-01-15 16:57:55 +0000[diff] [blame]1044 /* Get extension ID */
1045 extn_oid.tag = **p;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1046
Paul Bakker74111d32011-01-15 16:57:55 +0000[diff] [blame]1047 if( ( ret = asn1_get_tag( p, end, &extn_oid.len, ASN1_OID ) ) != 0 )
Paul Bakker9d781402011-05-09 16:17:09 +0000[diff] [blame]1048 return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1049
Paul Bakker74111d32011-01-15 16:57:55 +0000[diff] [blame]1050 extn_oid.p = *p;
1051 *p += extn_oid.len;
1052
1053 if( ( end - *p ) < 1 )
Paul Bakker9d781402011-05-09 16:17:09 +0000[diff] [blame]1054 return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS +
Paul Bakker74111d32011-01-15 16:57:55 +0000[diff] [blame]1055 POLARSSL_ERR_ASN1_OUT_OF_DATA );
1056
1057 /* Get optional critical */
Paul Bakkerc6ce8382009-07-27 21:34:45 +0000[diff] [blame]1058 if( ( ret = asn1_get_bool( p, end_ext_data, &is_critical ) ) != 0 &&
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1059 ( ret != POLARSSL_ERR_ASN1_UNEXPECTED_TAG ) )
Paul Bakker9d781402011-05-09 16:17:09 +0000[diff] [blame]1060 return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1061
Paul Bakker74111d32011-01-15 16:57:55 +0000[diff] [blame]1062 /* Data should be octet string type */
Paul Bakkerc6ce8382009-07-27 21:34:45 +0000[diff] [blame]1063 if( ( ret = asn1_get_tag( p, end_ext_data, &len,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1064 ASN1_OCTET_STRING ) ) != 0 )
Paul Bakker9d781402011-05-09 16:17:09 +0000[diff] [blame]1065 return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1066
Paul Bakkerc6ce8382009-07-27 21:34:45 +0000[diff] [blame]1067 end_ext_octet = *p + len;
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1068
Paul Bakkerc6ce8382009-07-27 21:34:45 +0000[diff] [blame]1069 if( end_ext_octet != end_ext_data )
Paul Bakker9d781402011-05-09 16:17:09 +0000[diff] [blame]1070 return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS +
Paul Bakkerc6ce8382009-07-27 21:34:45 +0000[diff] [blame]1071 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1072
Paul Bakker74111d32011-01-15 16:57:55 +0000[diff] [blame]1073 /*
1074 * Detect supported extensions
1075 */
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1076 ret = oid_get_x509_ext_type( &extn_oid, &ext_type );
1077
1078 if( ret != 0 )
Paul Bakker74111d32011-01-15 16:57:55 +0000[diff] [blame]1079 {
1080 /* No parser found, skip extension */
1081 *p = end_ext_octet;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1082
Paul Bakker5c721f92011-07-27 16:51:09 +0000[diff] [blame]1083#if !defined(POLARSSL_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION)
Paul Bakker74111d32011-01-15 16:57:55 +0000[diff] [blame]1084 if( is_critical )
1085 {
1086 /* Data is marked as critical: fail */
Paul Bakker9d781402011-05-09 16:17:09 +0000[diff] [blame]1087 return ( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS +
Paul Bakker74111d32011-01-15 16:57:55 +0000[diff] [blame]1088 POLARSSL_ERR_ASN1_UNEXPECTED_TAG );
1089 }
Paul Bakker5c721f92011-07-27 16:51:09 +0000[diff] [blame]1090#endif
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1091 continue;
1092 }
1093
1094 crt->ext_types |= ext_type;
1095
1096 switch( ext_type )
1097 {
1098 case EXT_BASIC_CONSTRAINTS:
1099 /* Parse basic constraints */
1100 if( ( ret = x509_get_basic_constraints( p, end_ext_octet,
1101 &crt->ca_istrue, &crt->max_pathlen ) ) != 0 )
1102 return ( ret );
1103 break;
1104
1105 case EXT_KEY_USAGE:
1106 /* Parse key usage */
1107 if( ( ret = x509_get_key_usage( p, end_ext_octet,
1108 &crt->key_usage ) ) != 0 )
1109 return ( ret );
1110 break;
1111
1112 case EXT_EXTENDED_KEY_USAGE:
1113 /* Parse extended key usage */
1114 if( ( ret = x509_get_ext_key_usage( p, end_ext_octet,
1115 &crt->ext_key_usage ) ) != 0 )
1116 return ( ret );
1117 break;
1118
1119 case EXT_SUBJECT_ALT_NAME:
1120 /* Parse subject alt name */
1121 if( ( ret = x509_get_subject_alt_name( p, end_ext_octet,
1122 &crt->subject_alt_names ) ) != 0 )
1123 return ( ret );
1124 break;
1125
1126 case EXT_NS_CERT_TYPE:
1127 /* Parse netscape certificate type */
1128 if( ( ret = x509_get_ns_cert_type( p, end_ext_octet,
1129 &crt->ns_cert_type ) ) != 0 )
1130 return ( ret );
1131 break;
1132
1133 default:
1134 return( POLARSSL_ERR_X509_FEATURE_UNAVAILABLE );
Paul Bakker74111d32011-01-15 16:57:55 +0000[diff] [blame]1135 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1136 }
1137
1138 if( *p != end )
Paul Bakker9d781402011-05-09 16:17:09 +0000[diff] [blame]1139 return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS +
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1140 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1141
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1142 return( 0 );
1143}
1144
1145/*
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]1146 * X.509 CRL Entries
1147 */
1148static int x509_get_entries( unsigned char **p,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1149 const unsigned char *end,
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]1150 x509_crl_entry *entry )
1151{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1152 int ret;
1153 size_t entry_len;
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]1154 x509_crl_entry *cur_entry = entry;
1155
1156 if( *p == end )
1157 return( 0 );
1158
Paul Bakker9be19372009-07-27 20:21:53 +0000[diff] [blame]1159 if( ( ret = asn1_get_tag( p, end, &entry_len,
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]1160 ASN1_SEQUENCE | ASN1_CONSTRUCTED ) ) != 0 )
1161 {
1162 if( ret == POLARSSL_ERR_ASN1_UNEXPECTED_TAG )
1163 return( 0 );
1164
1165 return( ret );
1166 }
1167
Paul Bakker9be19372009-07-27 20:21:53 +0000[diff] [blame]1168 end = *p + entry_len;
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]1169
1170 while( *p < end )
1171 {
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1172 size_t len2;
Paul Bakkerb5a11ab2011-10-12 09:58:41 +0000[diff] [blame]1173 const unsigned char *end2;
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]1174
1175 if( ( ret = asn1_get_tag( p, end, &len2,
1176 ASN1_SEQUENCE | ASN1_CONSTRUCTED ) ) != 0 )
1177 {
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]1178 return( ret );
1179 }
1180
Paul Bakker9be19372009-07-27 20:21:53 +0000[diff] [blame]1181 cur_entry->raw.tag = **p;
1182 cur_entry->raw.p = *p;
1183 cur_entry->raw.len = len2;
Paul Bakkerb5a11ab2011-10-12 09:58:41 +0000[diff] [blame]1184 end2 = *p + len2;
Paul Bakker9be19372009-07-27 20:21:53 +0000[diff] [blame]1185
Paul Bakkerb5a11ab2011-10-12 09:58:41 +0000[diff] [blame]1186 if( ( ret = x509_get_serial( p, end2, &cur_entry->serial ) ) != 0 )
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]1187 return( ret );
1188
Paul Bakkerb5a11ab2011-10-12 09:58:41 +0000[diff] [blame]1189 if( ( ret = x509_get_time( p, end2, &cur_entry->revocation_date ) ) != 0 )
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]1190 return( ret );
1191
Paul Bakkerb5a11ab2011-10-12 09:58:41 +0000[diff] [blame]1192 if( ( ret = x509_get_crl_entry_ext( p, end2, &cur_entry->entry_ext ) ) != 0 )
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]1193 return( ret );
1194
Paul Bakker74111d32011-01-15 16:57:55 +0000[diff] [blame]1195 if ( *p < end )
1196 {
Paul Bakker6e339b52013-07-03 13:37:05 +0200[diff] [blame]1197 cur_entry->next = polarssl_malloc( sizeof( x509_crl_entry ) );
Paul Bakkerb15b8512012-01-13 13:44:06 +0000[diff] [blame]1198
1199 if( cur_entry->next == NULL )
1200 return( POLARSSL_ERR_X509_MALLOC_FAILED );
1201
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]1202 cur_entry = cur_entry->next;
1203 memset( cur_entry, 0, sizeof( x509_crl_entry ) );
1204 }
1205 }
1206
1207 return( 0 );
1208}
1209
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1210static int x509_get_sig_alg( const x509_buf *sig_oid, md_type_t *md_alg,
1211 pk_type_t *pk_alg )
Paul Bakker27d66162010-03-17 06:56:01 +0000[diff] [blame]1212{
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1213 int ret = oid_get_sig_alg( sig_oid, md_alg, pk_alg );
Paul Bakker27d66162010-03-17 06:56:01 +0000[diff] [blame]1214
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1215 if( ret != 0 )
1216 return( POLARSSL_ERR_X509_CERT_UNKNOWN_SIG_ALG + ret );
Paul Bakker27d66162010-03-17 06:56:01 +0000[diff] [blame]1217
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1218 return( 0 );
Paul Bakker27d66162010-03-17 06:56:01 +0000[diff] [blame]1219}
1220
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]1221/*
Paul Bakker6c0ceb32011-12-04 12:24:18 +0000[diff] [blame]1222 * Parse and fill a single X.509 certificate in DER format
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1223 */
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +0200[diff] [blame]1224static int x509parse_crt_der_core( x509_cert *crt, const unsigned char *buf,
1225 size_t buflen )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1226{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1227 int ret;
Paul Bakker5690efc2011-05-26 13:16:06 +0000[diff] [blame]1228 size_t len;
Paul Bakkerb00ca422012-09-25 12:10:00 +0000[diff] [blame]1229 unsigned char *p, *end, *crt_end;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1230
Paul Bakker320a4b52009-03-28 18:52:39 +0000[diff] [blame]1231 /*
1232 * Check for valid input
1233 */
1234 if( crt == NULL || buf == NULL )
Paul Bakker69e095c2011-12-10 21:55:01 +0000[diff] [blame]1235 return( POLARSSL_ERR_X509_INVALID_INPUT );
Paul Bakker320a4b52009-03-28 18:52:39 +0000[diff] [blame]1236
Paul Bakker6e339b52013-07-03 13:37:05 +0200[diff] [blame]1237 p = (unsigned char *) polarssl_malloc( len = buflen );
Paul Bakker96743fc2011-02-12 14:30:57 +0000[diff] [blame]1238
1239 if( p == NULL )
Paul Bakker69e095c2011-12-10 21:55:01 +0000[diff] [blame]1240 return( POLARSSL_ERR_X509_MALLOC_FAILED );
Paul Bakker96743fc2011-02-12 14:30:57 +0000[diff] [blame]1241
1242 memcpy( p, buf, buflen );
1243
1244 buflen = 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1245
1246 crt->raw.p = p;
1247 crt->raw.len = len;
1248 end = p + len;
1249
1250 /*
1251 * Certificate ::= SEQUENCE {
1252 * tbsCertificate TBSCertificate,
1253 * signatureAlgorithm AlgorithmIdentifier,
1254 * signatureValue BIT STRING }
1255 */
1256 if( ( ret = asn1_get_tag( &p, end, &len,
1257 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
1258 {
Paul Bakker7d06ad22009-05-02 15:53:56 +0000[diff] [blame]1259 x509_free( crt );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1260 return( POLARSSL_ERR_X509_CERT_INVALID_FORMAT );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1261 }
1262
Paul Bakkerb00ca422012-09-25 12:10:00 +0000[diff] [blame]1263 if( len > (size_t) ( end - p ) )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1264 {
Paul Bakker7d06ad22009-05-02 15:53:56 +0000[diff] [blame]1265 x509_free( crt );
Paul Bakker9d781402011-05-09 16:17:09 +0000[diff] [blame]1266 return( POLARSSL_ERR_X509_CERT_INVALID_FORMAT +
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1267 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1268 }
Paul Bakkerb00ca422012-09-25 12:10:00 +0000[diff] [blame]1269 crt_end = p + len;
Paul Bakker42c65812013-06-24 19:21:59 +0200[diff] [blame]1270
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1271 /*
1272 * TBSCertificate ::= SEQUENCE {
1273 */
1274 crt->tbs.p = p;
1275
1276 if( ( ret = asn1_get_tag( &p, end, &len,
1277 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
1278 {
Paul Bakker7d06ad22009-05-02 15:53:56 +0000[diff] [blame]1279 x509_free( crt );
Paul Bakker9d781402011-05-09 16:17:09 +0000[diff] [blame]1280 return( POLARSSL_ERR_X509_CERT_INVALID_FORMAT + ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1281 }
1282
1283 end = p + len;
1284 crt->tbs.len = end - crt->tbs.p;
1285
1286 /*
1287 * Version ::= INTEGER { v1(0), v2(1), v3(2) }
1288 *
1289 * CertificateSerialNumber ::= INTEGER
1290 *
1291 * signature AlgorithmIdentifier
1292 */
Manuel Pégourié-Gonnarda1555132013-07-10 13:18:41 +0200[diff] [blame]1293 if( ( ret = x509_get_version( &p, end, &crt->version ) ) != 0 ||
1294 ( ret = x509_get_serial( &p, end, &crt->serial ) ) != 0 ||
1295 ( ret = x509_get_alg_null( &p, end, &crt->sig_oid1 ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1296 {
Paul Bakker7d06ad22009-05-02 15:53:56 +0000[diff] [blame]1297 x509_free( crt );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1298 return( ret );
1299 }
1300
1301 crt->version++;
1302
1303 if( crt->version > 3 )
1304 {
Paul Bakker7d06ad22009-05-02 15:53:56 +0000[diff] [blame]1305 x509_free( crt );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1306 return( POLARSSL_ERR_X509_CERT_UNKNOWN_VERSION );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1307 }
1308
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1309 if( ( ret = x509_get_sig_alg( &crt->sig_oid1, &crt->sig_md,
1310 &crt->sig_pk ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1311 {
Paul Bakker7d06ad22009-05-02 15:53:56 +0000[diff] [blame]1312 x509_free( crt );
Paul Bakker27d66162010-03-17 06:56:01 +0000[diff] [blame]1313 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1314 }
1315
1316 /*
1317 * issuer Name
1318 */
1319 crt->issuer_raw.p = p;
1320
1321 if( ( ret = asn1_get_tag( &p, end, &len,
1322 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
1323 {
Paul Bakker7d06ad22009-05-02 15:53:56 +0000[diff] [blame]1324 x509_free( crt );
Paul Bakker9d781402011-05-09 16:17:09 +0000[diff] [blame]1325 return( POLARSSL_ERR_X509_CERT_INVALID_FORMAT + ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1326 }
1327
1328 if( ( ret = x509_get_name( &p, p + len, &crt->issuer ) ) != 0 )
1329 {
Paul Bakker7d06ad22009-05-02 15:53:56 +0000[diff] [blame]1330 x509_free( crt );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1331 return( ret );
1332 }
1333
1334 crt->issuer_raw.len = p - crt->issuer_raw.p;
1335
1336 /*
1337 * Validity ::= SEQUENCE {
1338 * notBefore Time,
1339 * notAfter Time }
1340 *
1341 */
1342 if( ( ret = x509_get_dates( &p, end, &crt->valid_from,
1343 &crt->valid_to ) ) != 0 )
1344 {
Paul Bakker7d06ad22009-05-02 15:53:56 +0000[diff] [blame]1345 x509_free( crt );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1346 return( ret );
1347 }
1348
1349 /*
1350 * subject Name
1351 */
1352 crt->subject_raw.p = p;
1353
1354 if( ( ret = asn1_get_tag( &p, end, &len,
1355 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
1356 {
Paul Bakker7d06ad22009-05-02 15:53:56 +0000[diff] [blame]1357 x509_free( crt );
Paul Bakker9d781402011-05-09 16:17:09 +0000[diff] [blame]1358 return( POLARSSL_ERR_X509_CERT_INVALID_FORMAT + ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1359 }
1360
Paul Bakkercefb3962012-06-27 11:51:09 +0000[diff] [blame]1361 if( len && ( ret = x509_get_name( &p, p + len, &crt->subject ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1362 {
Paul Bakker7d06ad22009-05-02 15:53:56 +0000[diff] [blame]1363 x509_free( crt );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1364 return( ret );
1365 }
1366
1367 crt->subject_raw.len = p - crt->subject_raw.p;
1368
1369 /*
Manuel Pégourié-Gonnard20c12f62013-07-09 12:13:24 +0200[diff] [blame]1370 * SubjectPublicKeyInfo
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1371 */
Manuel Pégourié-Gonnard674b2242013-07-10 14:32:58 +0200[diff] [blame]1372 if( ( ret = x509_get_pubkey( &p, end, &crt->pk ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1373 {
Paul Bakker7d06ad22009-05-02 15:53:56 +0000[diff] [blame]1374 x509_free( crt );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1375 return( ret );
1376 }
1377
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1378 /*
1379 * issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
1380 * -- If present, version shall be v2 or v3
1381 * subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
1382 * -- If present, version shall be v2 or v3
1383 * extensions [3] EXPLICIT Extensions OPTIONAL
1384 * -- If present, version shall be v3
1385 */
1386 if( crt->version == 2 || crt->version == 3 )
1387 {
1388 ret = x509_get_uid( &p, end, &crt->issuer_id, 1 );
1389 if( ret != 0 )
1390 {
Paul Bakker7d06ad22009-05-02 15:53:56 +0000[diff] [blame]1391 x509_free( crt );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1392 return( ret );
1393 }
1394 }
1395
1396 if( crt->version == 2 || crt->version == 3 )
1397 {
1398 ret = x509_get_uid( &p, end, &crt->subject_id, 2 );
1399 if( ret != 0 )
1400 {
Paul Bakker7d06ad22009-05-02 15:53:56 +0000[diff] [blame]1401 x509_free( crt );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1402 return( ret );
1403 }
1404 }
1405
1406 if( crt->version == 3 )
1407 {
Paul Bakker74111d32011-01-15 16:57:55 +0000[diff] [blame]1408 ret = x509_get_crt_ext( &p, end, crt);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1409 if( ret != 0 )
1410 {
Paul Bakker7d06ad22009-05-02 15:53:56 +0000[diff] [blame]1411 x509_free( crt );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1412 return( ret );
1413 }
1414 }
1415
1416 if( p != end )
1417 {
Paul Bakker7d06ad22009-05-02 15:53:56 +0000[diff] [blame]1418 x509_free( crt );
Paul Bakker9d781402011-05-09 16:17:09 +0000[diff] [blame]1419 return( POLARSSL_ERR_X509_CERT_INVALID_FORMAT +
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1420 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1421 }
1422
Paul Bakkerb00ca422012-09-25 12:10:00 +0000[diff] [blame]1423 end = crt_end;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1424
1425 /*
Manuel Pégourié-Gonnard20c12f62013-07-09 12:13:24 +0200[diff] [blame]1426 * }
1427 * -- end of TBSCertificate
1428 *
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1429 * signatureAlgorithm AlgorithmIdentifier,
1430 * signatureValue BIT STRING
1431 */
Manuel Pégourié-Gonnarda1555132013-07-10 13:18:41 +0200[diff] [blame]1432 if( ( ret = x509_get_alg_null( &p, end, &crt->sig_oid2 ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1433 {
Paul Bakker7d06ad22009-05-02 15:53:56 +0000[diff] [blame]1434 x509_free( crt );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1435 return( ret );
1436 }
1437
Paul Bakker535e97d2012-08-23 10:49:55 +0000[diff] [blame]1438 if( crt->sig_oid1.len != crt->sig_oid2.len ||
1439 memcmp( crt->sig_oid1.p, crt->sig_oid2.p, crt->sig_oid1.len ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1440 {
Paul Bakker7d06ad22009-05-02 15:53:56 +0000[diff] [blame]1441 x509_free( crt );
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1442 return( POLARSSL_ERR_X509_CERT_SIG_MISMATCH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1443 }
1444
1445 if( ( ret = x509_get_sig( &p, end, &crt->sig ) ) != 0 )
1446 {
Paul Bakker7d06ad22009-05-02 15:53:56 +0000[diff] [blame]1447 x509_free( crt );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1448 return( ret );
1449 }
1450
1451 if( p != end )
1452 {
Paul Bakker7d06ad22009-05-02 15:53:56 +0000[diff] [blame]1453 x509_free( crt );
Paul Bakker9d781402011-05-09 16:17:09 +0000[diff] [blame]1454 return( POLARSSL_ERR_X509_CERT_INVALID_FORMAT +
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1455 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1456 }
1457
Paul Bakker6c0ceb32011-12-04 12:24:18 +0000[diff] [blame]1458 return( 0 );
1459}
1460
1461/*
Paul Bakker42c65812013-06-24 19:21:59 +0200[diff] [blame]1462 * Parse one X.509 certificate in DER format from a buffer and add them to a
1463 * chained list
Paul Bakker6c0ceb32011-12-04 12:24:18 +0000[diff] [blame]1464 */
Paul Bakker42c65812013-06-24 19:21:59 +0200[diff] [blame]1465int x509parse_crt_der( x509_cert *chain, const unsigned char *buf, size_t buflen )
Paul Bakker6c0ceb32011-12-04 12:24:18 +0000[diff] [blame]1466{
Paul Bakker42c65812013-06-24 19:21:59 +0200[diff] [blame]1467 int ret;
1468 x509_cert *crt = chain, *prev = NULL;
Paul Bakker6c0ceb32011-12-04 12:24:18 +0000[diff] [blame]1469
1470 /*
1471 * Check for valid input
1472 */
1473 if( crt == NULL || buf == NULL )
Paul Bakker69e095c2011-12-10 21:55:01 +0000[diff] [blame]1474 return( POLARSSL_ERR_X509_INVALID_INPUT );
Paul Bakker6c0ceb32011-12-04 12:24:18 +0000[diff] [blame]1475
1476 while( crt->version != 0 && crt->next != NULL )
1477 {
1478 prev = crt;
1479 crt = crt->next;
1480 }
1481
1482 /*
1483 * Add new certificate on the end of the chain if needed.
1484 */
1485 if ( crt->version != 0 && crt->next == NULL)
Paul Bakker320a4b52009-03-28 18:52:39 +0000[diff] [blame]1486 {
Paul Bakker6e339b52013-07-03 13:37:05 +0200[diff] [blame]1487 crt->next = (x509_cert *) polarssl_malloc( sizeof( x509_cert ) );
Paul Bakker320a4b52009-03-28 18:52:39 +0000[diff] [blame]1488
Paul Bakker7d06ad22009-05-02 15:53:56 +0000[diff] [blame]1489 if( crt->next == NULL )
Paul Bakker69e095c2011-12-10 21:55:01 +0000[diff] [blame]1490 return( POLARSSL_ERR_X509_MALLOC_FAILED );
Paul Bakker320a4b52009-03-28 18:52:39 +0000[diff] [blame]1491
Paul Bakker6c0ceb32011-12-04 12:24:18 +0000[diff] [blame]1492 prev = crt;
Paul Bakker7d06ad22009-05-02 15:53:56 +0000[diff] [blame]1493 crt = crt->next;
1494 memset( crt, 0, sizeof( x509_cert ) );
Paul Bakker320a4b52009-03-28 18:52:39 +0000[diff] [blame]1495 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1496
Paul Bakker42c65812013-06-24 19:21:59 +0200[diff] [blame]1497 if( ( ret = x509parse_crt_der_core( crt, buf, buflen ) ) != 0 )
1498 {
1499 if( prev )
1500 prev->next = NULL;
1501
1502 if( crt != chain )
Paul Bakker6e339b52013-07-03 13:37:05 +0200[diff] [blame]1503 polarssl_free( crt );
Paul Bakker42c65812013-06-24 19:21:59 +0200[diff] [blame]1504
1505 return( ret );
1506 }
1507
1508 return( 0 );
1509}
1510
1511/*
1512 * Parse one or more PEM certificates from a buffer and add them to the chained list
1513 */
1514int x509parse_crt( x509_cert *chain, const unsigned char *buf, size_t buflen )
1515{
1516 int ret, success = 0, first_error = 0, total_failed = 0;
1517 int buf_format = X509_FORMAT_DER;
1518
1519 /*
1520 * Check for valid input
1521 */
1522 if( chain == NULL || buf == NULL )
1523 return( POLARSSL_ERR_X509_INVALID_INPUT );
1524
Paul Bakker6c0ceb32011-12-04 12:24:18 +0000[diff] [blame]1525 /*
1526 * Determine buffer content. Buffer contains either one DER certificate or
1527 * one or more PEM certificates.
1528 */
1529#if defined(POLARSSL_PEM_C)
Paul Bakker3c2122f2013-06-24 19:03:14 +0200[diff] [blame]1530 if( strstr( (const char *) buf, "-----BEGIN CERTIFICATE-----" ) != NULL )
Paul Bakker6c0ceb32011-12-04 12:24:18 +0000[diff] [blame]1531 buf_format = X509_FORMAT_PEM;
1532#endif
1533
1534 if( buf_format == X509_FORMAT_DER )
Paul Bakker42c65812013-06-24 19:21:59 +0200[diff] [blame]1535 return x509parse_crt_der( chain, buf, buflen );
1536
Paul Bakker6c0ceb32011-12-04 12:24:18 +0000[diff] [blame]1537#if defined(POLARSSL_PEM_C)
1538 if( buf_format == X509_FORMAT_PEM )
1539 {
1540 pem_context pem;
1541
1542 while( buflen > 0 )
1543 {
1544 size_t use_len;
1545 pem_init( &pem );
1546
1547 ret = pem_read_buffer( &pem,
1548 "-----BEGIN CERTIFICATE-----",
1549 "-----END CERTIFICATE-----",
1550 buf, NULL, 0, &use_len );
1551
1552 if( ret == 0 )
1553 {
1554 /*
1555 * Was PEM encoded
1556 */
1557 buflen -= use_len;
1558 buf += use_len;
1559 }
Paul Bakker5ed3b342013-06-24 19:05:46 +0200[diff] [blame]1560 else if( ret == POLARSSL_ERR_PEM_BAD_INPUT_DATA )
1561 {
1562 return( ret );
1563 }
Paul Bakker00b28602013-06-24 13:02:41 +0200[diff] [blame]1564 else if( ret != POLARSSL_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
Paul Bakker6c0ceb32011-12-04 12:24:18 +0000[diff] [blame]1565 {
1566 pem_free( &pem );
1567
Paul Bakker5ed3b342013-06-24 19:05:46 +0200[diff] [blame]1568 /*
1569 * PEM header and footer were found
1570 */
1571 buflen -= use_len;
1572 buf += use_len;
1573
Paul Bakker6c0ceb32011-12-04 12:24:18 +0000[diff] [blame]1574 if( first_error == 0 )
1575 first_error = ret;
1576
1577 continue;
1578 }
1579 else
1580 break;
1581
Paul Bakker42c65812013-06-24 19:21:59 +0200[diff] [blame]1582 ret = x509parse_crt_der( chain, pem.buf, pem.buflen );
Paul Bakker6c0ceb32011-12-04 12:24:18 +0000[diff] [blame]1583
1584 pem_free( &pem );
1585
1586 if( ret != 0 )
1587 {
1588 /*
Paul Bakker42c65812013-06-24 19:21:59 +0200[diff] [blame]1589 * Quit parsing on a memory error
Paul Bakker6c0ceb32011-12-04 12:24:18 +0000[diff] [blame]1590 */
Paul Bakker69e095c2011-12-10 21:55:01 +0000[diff] [blame]1591 if( ret == POLARSSL_ERR_X509_MALLOC_FAILED )
Paul Bakker6c0ceb32011-12-04 12:24:18 +0000[diff] [blame]1592 return( ret );
Paul Bakker6c0ceb32011-12-04 12:24:18 +0000[diff] [blame]1593
1594 if( first_error == 0 )
1595 first_error = ret;
1596
Paul Bakker42c65812013-06-24 19:21:59 +0200[diff] [blame]1597 total_failed++;
Paul Bakker6c0ceb32011-12-04 12:24:18 +0000[diff] [blame]1598 continue;
1599 }
1600
1601 success = 1;
Paul Bakker6c0ceb32011-12-04 12:24:18 +0000[diff] [blame]1602 }
1603 }
1604#endif
1605
Paul Bakker6c0ceb32011-12-04 12:24:18 +0000[diff] [blame]1606 if( success )
Paul Bakker69e095c2011-12-10 21:55:01 +0000[diff] [blame]1607 return( total_failed );
Paul Bakker6c0ceb32011-12-04 12:24:18 +0000[diff] [blame]1608 else if( first_error )
1609 return( first_error );
1610 else
1611 return( POLARSSL_ERR_X509_CERT_UNKNOWN_FORMAT );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1612}
1613
1614/*
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]1615 * Parse one or more CRLs and add them to the chained list
1616 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1617int x509parse_crl( x509_crl *chain, const unsigned char *buf, size_t buflen )
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]1618{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1619 int ret;
Paul Bakker5690efc2011-05-26 13:16:06 +0000[diff] [blame]1620 size_t len;
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]1621 unsigned char *p, *end;
1622 x509_crl *crl;
Paul Bakker96743fc2011-02-12 14:30:57 +0000[diff] [blame]1623#if defined(POLARSSL_PEM_C)
Paul Bakker5690efc2011-05-26 13:16:06 +0000[diff] [blame]1624 size_t use_len;
Paul Bakker96743fc2011-02-12 14:30:57 +0000[diff] [blame]1625 pem_context pem;
1626#endif
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]1627
1628 crl = chain;
1629
1630 /*
1631 * Check for valid input
1632 */
1633 if( crl == NULL || buf == NULL )
Paul Bakker69e095c2011-12-10 21:55:01 +0000[diff] [blame]1634 return( POLARSSL_ERR_X509_INVALID_INPUT );
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]1635
1636 while( crl->version != 0 && crl->next != NULL )
1637 crl = crl->next;
1638
1639 /*
1640 * Add new CRL on the end of the chain if needed.
1641 */
1642 if ( crl->version != 0 && crl->next == NULL)
1643 {
Paul Bakker6e339b52013-07-03 13:37:05 +0200[diff] [blame]1644 crl->next = (x509_crl *) polarssl_malloc( sizeof( x509_crl ) );
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]1645
Paul Bakker7d06ad22009-05-02 15:53:56 +0000[diff] [blame]1646 if( crl->next == NULL )
1647 {
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]1648 x509_crl_free( crl );
Paul Bakker69e095c2011-12-10 21:55:01 +0000[diff] [blame]1649 return( POLARSSL_ERR_X509_MALLOC_FAILED );
Paul Bakker7d06ad22009-05-02 15:53:56 +0000[diff] [blame]1650 }
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]1651
Paul Bakker7d06ad22009-05-02 15:53:56 +0000[diff] [blame]1652 crl = crl->next;
1653 memset( crl, 0, sizeof( x509_crl ) );
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]1654 }
1655
Paul Bakker96743fc2011-02-12 14:30:57 +0000[diff] [blame]1656#if defined(POLARSSL_PEM_C)
1657 pem_init( &pem );
1658 ret = pem_read_buffer( &pem,
1659 "-----BEGIN X509 CRL-----",
1660 "-----END X509 CRL-----",
1661 buf, NULL, 0, &use_len );
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]1662
Paul Bakker96743fc2011-02-12 14:30:57 +0000[diff] [blame]1663 if( ret == 0 )
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]1664 {
Paul Bakker96743fc2011-02-12 14:30:57 +0000[diff] [blame]1665 /*
1666 * Was PEM encoded
1667 */
1668 buflen -= use_len;
1669 buf += use_len;
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]1670
1671 /*
Paul Bakker96743fc2011-02-12 14:30:57 +0000[diff] [blame]1672 * Steal PEM buffer
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]1673 */
Paul Bakker96743fc2011-02-12 14:30:57 +0000[diff] [blame]1674 p = pem.buf;
1675 pem.buf = NULL;
1676 len = pem.buflen;
1677 pem_free( &pem );
1678 }
Paul Bakker00b28602013-06-24 13:02:41 +0200[diff] [blame]1679 else if( ret != POLARSSL_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
Paul Bakker96743fc2011-02-12 14:30:57 +0000[diff] [blame]1680 {
1681 pem_free( &pem );
1682 return( ret );
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]1683 }
1684 else
1685 {
1686 /*
1687 * nope, copy the raw DER data
1688 */
Paul Bakker6e339b52013-07-03 13:37:05 +0200[diff] [blame]1689 p = (unsigned char *) polarssl_malloc( len = buflen );
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]1690
1691 if( p == NULL )
Paul Bakker69e095c2011-12-10 21:55:01 +0000[diff] [blame]1692 return( POLARSSL_ERR_X509_MALLOC_FAILED );
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]1693
1694 memcpy( p, buf, buflen );
1695
1696 buflen = 0;
1697 }
Paul Bakker96743fc2011-02-12 14:30:57 +0000[diff] [blame]1698#else
Paul Bakker6e339b52013-07-03 13:37:05 +0200[diff] [blame]1699 p = (unsigned char *) polarssl_malloc( len = buflen );
Paul Bakker96743fc2011-02-12 14:30:57 +0000[diff] [blame]1700
1701 if( p == NULL )
Paul Bakker69e095c2011-12-10 21:55:01 +0000[diff] [blame]1702 return( POLARSSL_ERR_X509_MALLOC_FAILED );
Paul Bakker96743fc2011-02-12 14:30:57 +0000[diff] [blame]1703
1704 memcpy( p, buf, buflen );
1705
1706 buflen = 0;
1707#endif
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]1708
1709 crl->raw.p = p;
1710 crl->raw.len = len;
1711 end = p + len;
1712
1713 /*
1714 * CertificateList ::= SEQUENCE {
1715 * tbsCertList TBSCertList,
1716 * signatureAlgorithm AlgorithmIdentifier,
1717 * signatureValue BIT STRING }
1718 */
1719 if( ( ret = asn1_get_tag( &p, end, &len,
1720 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
1721 {
1722 x509_crl_free( crl );
1723 return( POLARSSL_ERR_X509_CERT_INVALID_FORMAT );
1724 }
1725
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1726 if( len != (size_t) ( end - p ) )
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]1727 {
1728 x509_crl_free( crl );
Paul Bakker9d781402011-05-09 16:17:09 +0000[diff] [blame]1729 return( POLARSSL_ERR_X509_CERT_INVALID_FORMAT +
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]1730 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
1731 }
1732
1733 /*
1734 * TBSCertList ::= SEQUENCE {
1735 */
1736 crl->tbs.p = p;
1737
1738 if( ( ret = asn1_get_tag( &p, end, &len,
1739 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
1740 {
1741 x509_crl_free( crl );
Paul Bakker9d781402011-05-09 16:17:09 +0000[diff] [blame]1742 return( POLARSSL_ERR_X509_CERT_INVALID_FORMAT + ret );
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]1743 }
1744
1745 end = p + len;
1746 crl->tbs.len = end - crl->tbs.p;
1747
1748 /*
1749 * Version ::= INTEGER OPTIONAL { v1(0), v2(1) }
1750 * -- if present, MUST be v2
1751 *
1752 * signature AlgorithmIdentifier
1753 */
Paul Bakker3329d1f2011-10-12 09:55:01 +0000[diff] [blame]1754 if( ( ret = x509_crl_get_version( &p, end, &crl->version ) ) != 0 ||
Manuel Pégourié-Gonnarda1555132013-07-10 13:18:41 +0200[diff] [blame]1755 ( ret = x509_get_alg_null( &p, end, &crl->sig_oid1 ) ) != 0 )
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]1756 {
1757 x509_crl_free( crl );
1758 return( ret );
1759 }
1760
1761 crl->version++;
1762
1763 if( crl->version > 2 )
1764 {
1765 x509_crl_free( crl );
1766 return( POLARSSL_ERR_X509_CERT_UNKNOWN_VERSION );
1767 }
1768
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]1769 if( ( ret = x509_get_sig_alg( &crl->sig_oid1, &crl->sig_md,
1770 &crl->sig_pk ) ) != 0 )
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]1771 {
1772 x509_crl_free( crl );
1773 return( POLARSSL_ERR_X509_CERT_UNKNOWN_SIG_ALG );
1774 }
1775
1776 /*
1777 * issuer Name
1778 */
1779 crl->issuer_raw.p = p;
1780
1781 if( ( ret = asn1_get_tag( &p, end, &len,
1782 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
1783 {
1784 x509_crl_free( crl );
Paul Bakker9d781402011-05-09 16:17:09 +0000[diff] [blame]1785 return( POLARSSL_ERR_X509_CERT_INVALID_FORMAT + ret );
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]1786 }
1787
1788 if( ( ret = x509_get_name( &p, p + len, &crl->issuer ) ) != 0 )
1789 {
1790 x509_crl_free( crl );
1791 return( ret );
1792 }
1793
1794 crl->issuer_raw.len = p - crl->issuer_raw.p;
1795
1796 /*
1797 * thisUpdate Time
1798 * nextUpdate Time OPTIONAL
1799 */
Paul Bakker91200182010-02-18 21:26:15 +0000[diff] [blame]1800 if( ( ret = x509_get_time( &p, end, &crl->this_update ) ) != 0 )
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]1801 {
1802 x509_crl_free( crl );
1803 return( ret );
1804 }
1805
Paul Bakker91200182010-02-18 21:26:15 +0000[diff] [blame]1806 if( ( ret = x509_get_time( &p, end, &crl->next_update ) ) != 0 )
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]1807 {
Paul Bakker9d781402011-05-09 16:17:09 +0000[diff] [blame]1808 if ( ret != ( POLARSSL_ERR_X509_CERT_INVALID_DATE +
Paul Bakker9be19372009-07-27 20:21:53 +0000[diff] [blame]1809 POLARSSL_ERR_ASN1_UNEXPECTED_TAG ) &&
Paul Bakker9d781402011-05-09 16:17:09 +0000[diff] [blame]1810 ret != ( POLARSSL_ERR_X509_CERT_INVALID_DATE +
Paul Bakker9be19372009-07-27 20:21:53 +0000[diff] [blame]1811 POLARSSL_ERR_ASN1_OUT_OF_DATA ) )
Paul Bakker635f4b42009-07-20 20:34:41 +0000[diff] [blame]1812 {
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]1813 x509_crl_free( crl );
1814 return( ret );
1815 }
1816 }
1817
1818 /*
1819 * revokedCertificates SEQUENCE OF SEQUENCE {
1820 * userCertificate CertificateSerialNumber,
1821 * revocationDate Time,
1822 * crlEntryExtensions Extensions OPTIONAL
1823 * -- if present, MUST be v2
1824 * } OPTIONAL
1825 */
1826 if( ( ret = x509_get_entries( &p, end, &crl->entry ) ) != 0 )
1827 {
1828 x509_crl_free( crl );
1829 return( ret );
1830 }
1831
1832 /*
1833 * crlExtensions EXPLICIT Extensions OPTIONAL
1834 * -- if present, MUST be v2
1835 */
1836 if( crl->version == 2 )
1837 {
1838 ret = x509_get_crl_ext( &p, end, &crl->crl_ext );
1839
1840 if( ret != 0 )
1841 {
1842 x509_crl_free( crl );
1843 return( ret );
1844 }
1845 }
1846
1847 if( p != end )
1848 {
1849 x509_crl_free( crl );
Paul Bakker9d781402011-05-09 16:17:09 +0000[diff] [blame]1850 return( POLARSSL_ERR_X509_CERT_INVALID_FORMAT +
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]1851 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
1852 }
1853
1854 end = crl->raw.p + crl->raw.len;
1855
1856 /*
1857 * signatureAlgorithm AlgorithmIdentifier,
1858 * signatureValue BIT STRING
1859 */
Manuel Pégourié-Gonnarda1555132013-07-10 13:18:41 +0200[diff] [blame]1860 if( ( ret = x509_get_alg_null( &p, end, &crl->sig_oid2 ) ) != 0 )
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]1861 {
1862 x509_crl_free( crl );
1863 return( ret );
1864 }
1865
Paul Bakker535e97d2012-08-23 10:49:55 +0000[diff] [blame]1866 if( crl->sig_oid1.len != crl->sig_oid2.len ||
1867 memcmp( crl->sig_oid1.p, crl->sig_oid2.p, crl->sig_oid1.len ) != 0 )
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]1868 {
1869 x509_crl_free( crl );
1870 return( POLARSSL_ERR_X509_CERT_SIG_MISMATCH );
1871 }
1872
1873 if( ( ret = x509_get_sig( &p, end, &crl->sig ) ) != 0 )
1874 {
1875 x509_crl_free( crl );
1876 return( ret );
1877 }
1878
1879 if( p != end )
1880 {
1881 x509_crl_free( crl );
Paul Bakker9d781402011-05-09 16:17:09 +0000[diff] [blame]1882 return( POLARSSL_ERR_X509_CERT_INVALID_FORMAT +
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]1883 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
1884 }
1885
1886 if( buflen > 0 )
1887 {
Paul Bakker6e339b52013-07-03 13:37:05 +0200[diff] [blame]1888 crl->next = (x509_crl *) polarssl_malloc( sizeof( x509_crl ) );
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]1889
Paul Bakker7d06ad22009-05-02 15:53:56 +0000[diff] [blame]1890 if( crl->next == NULL )
1891 {
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]1892 x509_crl_free( crl );
Paul Bakker69e095c2011-12-10 21:55:01 +0000[diff] [blame]1893 return( POLARSSL_ERR_X509_MALLOC_FAILED );
Paul Bakker7d06ad22009-05-02 15:53:56 +0000[diff] [blame]1894 }
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]1895
Paul Bakker7d06ad22009-05-02 15:53:56 +0000[diff] [blame]1896 crl = crl->next;
1897 memset( crl, 0, sizeof( x509_crl ) );
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]1898
1899 return( x509parse_crl( crl, buf, buflen ) );
1900 }
1901
1902 return( 0 );
1903}
1904
Paul Bakker335db3f2011-04-25 15:28:35 +0000[diff] [blame]1905#if defined(POLARSSL_FS_IO)
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]1906/*
Paul Bakker2b245eb2009-04-19 18:44:26 +0000[diff] [blame]1907 * Load all data from a file into a given buffer.
1908 */
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +0200[diff] [blame]1909static int load_file( const char *path, unsigned char **buf, size_t *n )
Paul Bakker2b245eb2009-04-19 18:44:26 +0000[diff] [blame]1910{
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]1911 FILE *f;
Paul Bakker2b245eb2009-04-19 18:44:26 +0000[diff] [blame]1912
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]1913 if( ( f = fopen( path, "rb" ) ) == NULL )
Paul Bakker69e095c2011-12-10 21:55:01 +0000[diff] [blame]1914 return( POLARSSL_ERR_X509_FILE_IO_ERROR );
Paul Bakker2b245eb2009-04-19 18:44:26 +0000[diff] [blame]1915
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]1916 fseek( f, 0, SEEK_END );
1917 *n = (size_t) ftell( f );
1918 fseek( f, 0, SEEK_SET );
Paul Bakker2b245eb2009-04-19 18:44:26 +0000[diff] [blame]1919
Paul Bakker6e339b52013-07-03 13:37:05 +0200[diff] [blame]1920 if( ( *buf = (unsigned char *) polarssl_malloc( *n + 1 ) ) == NULL )
Paul Bakkerf6a19bd2013-05-14 13:26:51 +0200[diff] [blame]1921 {
1922 fclose( f );
Paul Bakker69e095c2011-12-10 21:55:01 +0000[diff] [blame]1923 return( POLARSSL_ERR_X509_MALLOC_FAILED );
Paul Bakkerf6a19bd2013-05-14 13:26:51 +0200[diff] [blame]1924 }
Paul Bakker2b245eb2009-04-19 18:44:26 +0000[diff] [blame]1925
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]1926 if( fread( *buf, 1, *n, f ) != *n )
1927 {
1928 fclose( f );
Paul Bakker6e339b52013-07-03 13:37:05 +0200[diff] [blame]1929 polarssl_free( *buf );
Paul Bakker69e095c2011-12-10 21:55:01 +0000[diff] [blame]1930 return( POLARSSL_ERR_X509_FILE_IO_ERROR );
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]1931 }
Paul Bakker2b245eb2009-04-19 18:44:26 +0000[diff] [blame]1932
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]1933 fclose( f );
Paul Bakker2b245eb2009-04-19 18:44:26 +0000[diff] [blame]1934
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]1935 (*buf)[*n] = '\0';
Paul Bakker2b245eb2009-04-19 18:44:26 +0000[diff] [blame]1936
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]1937 return( 0 );
Paul Bakker2b245eb2009-04-19 18:44:26 +0000[diff] [blame]1938}
1939
1940/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1941 * Load one or more certificates and add them to the chained list
1942 */
Paul Bakker69e095c2011-12-10 21:55:01 +0000[diff] [blame]1943int x509parse_crtfile( x509_cert *chain, const char *path )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1944{
1945 int ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1946 size_t n;
1947 unsigned char *buf;
1948
Manuel Pégourié-Gonnard4250a1f2013-06-27 13:00:00 +0200[diff] [blame]1949 if ( ( ret = load_file( path, &buf, &n ) ) != 0 )
Paul Bakker69e095c2011-12-10 21:55:01 +0000[diff] [blame]1950 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1951
Paul Bakker69e095c2011-12-10 21:55:01 +0000[diff] [blame]1952 ret = x509parse_crt( chain, buf, n );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1953
1954 memset( buf, 0, n + 1 );
Paul Bakker6e339b52013-07-03 13:37:05 +0200[diff] [blame]1955 polarssl_free( buf );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1956
1957 return( ret );
1958}
1959
Paul Bakker8d914582012-06-04 12:46:42 +0000[diff] [blame]1960int x509parse_crtpath( x509_cert *chain, const char *path )
1961{
1962 int ret = 0;
1963#if defined(_WIN32)
Paul Bakker3338b792012-10-01 21:13:10 +0000[diff] [blame]1964 int w_ret;
1965 WCHAR szDir[MAX_PATH];
1966 char filename[MAX_PATH];
1967 char *p;
Paul Bakker4a2bd0d2012-11-02 11:06:08 +0000[diff] [blame]1968 int len = strlen( path );
Paul Bakker3338b792012-10-01 21:13:10 +0000[diff] [blame]1969
Paul Bakker97872ac2012-11-02 12:53:26 +0000[diff] [blame]1970 WIN32_FIND_DATAW file_data;
Paul Bakker8d914582012-06-04 12:46:42 +0000[diff] [blame]1971 HANDLE hFind;
Paul Bakker4a2bd0d2012-11-02 11:06:08 +0000[diff] [blame]1972
1973 if( len > MAX_PATH - 3 )
1974 return( POLARSSL_ERR_X509_INVALID_INPUT );
Paul Bakker8d914582012-06-04 12:46:42 +0000[diff] [blame]1975
Paul Bakker3338b792012-10-01 21:13:10 +0000[diff] [blame]1976 memset( szDir, 0, sizeof(szDir) );
1977 memset( filename, 0, MAX_PATH );
Paul Bakker4a2bd0d2012-11-02 11:06:08 +0000[diff] [blame]1978 memcpy( filename, path, len );
1979 filename[len++] = '\\';
1980 p = filename + len;
1981 filename[len++] = '*';
Paul Bakker3338b792012-10-01 21:13:10 +0000[diff] [blame]1982
Paul Bakker4a2bd0d2012-11-02 11:06:08 +0000[diff] [blame]1983 w_ret = MultiByteToWideChar( CP_ACP, 0, path, len, szDir, MAX_PATH - 3 );
Paul Bakker8d914582012-06-04 12:46:42 +0000[diff] [blame]1984
Paul Bakker97872ac2012-11-02 12:53:26 +0000[diff] [blame]1985 hFind = FindFirstFileW( szDir, &file_data );
Paul Bakker8d914582012-06-04 12:46:42 +0000[diff] [blame]1986 if (hFind == INVALID_HANDLE_VALUE)
1987 return( POLARSSL_ERR_X509_FILE_IO_ERROR );
1988
Paul Bakker4a2bd0d2012-11-02 11:06:08 +0000[diff] [blame]1989 len = MAX_PATH - len;
Paul Bakker8d914582012-06-04 12:46:42 +0000[diff] [blame]1990 do
1991 {
Paul Bakker4a2bd0d2012-11-02 11:06:08 +0000[diff] [blame]1992 memset( p, 0, len );
Paul Bakker3338b792012-10-01 21:13:10 +0000[diff] [blame]1993
Paul Bakkere4791f32012-06-04 21:29:15 +0000[diff] [blame]1994 if( file_data.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY )
Paul Bakker8d914582012-06-04 12:46:42 +0000[diff] [blame]1995 continue;
1996
Paul Bakker3338b792012-10-01 21:13:10 +0000[diff] [blame]1997 w_ret = WideCharToMultiByte( CP_ACP, 0, file_data.cFileName,
1998 lstrlenW(file_data.cFileName),
Paul Bakker4a2bd0d2012-11-02 11:06:08 +0000[diff] [blame]1999 p, len - 1,
2000 NULL, NULL );
Paul Bakker8d914582012-06-04 12:46:42 +0000[diff] [blame]2001
Paul Bakker3338b792012-10-01 21:13:10 +0000[diff] [blame]2002 w_ret = x509parse_crtfile( chain, filename );
2003 if( w_ret < 0 )
Paul Bakker2c8cdd22013-06-24 19:22:42 +0200[diff] [blame]2004 ret++;
2005 else
2006 ret += w_ret;
Paul Bakker8d914582012-06-04 12:46:42 +0000[diff] [blame]2007 }
Paul Bakker97872ac2012-11-02 12:53:26 +0000[diff] [blame]2008 while( FindNextFileW( hFind, &file_data ) != 0 );
Paul Bakker8d914582012-06-04 12:46:42 +0000[diff] [blame]2009
Paul Bakker4a2bd0d2012-11-02 11:06:08 +0000[diff] [blame]2010 if (GetLastError() != ERROR_NO_MORE_FILES)
2011 ret = POLARSSL_ERR_X509_FILE_IO_ERROR;
Paul Bakker8d914582012-06-04 12:46:42 +0000[diff] [blame]2012
Paul Bakker4a2bd0d2012-11-02 11:06:08 +0000[diff] [blame]2013cleanup:
Paul Bakker8d914582012-06-04 12:46:42 +0000[diff] [blame]2014 FindClose( hFind );
2015#else
Paul Bakker2c8cdd22013-06-24 19:22:42 +0200[diff] [blame]2016 int t_ret, i;
2017 struct stat sb;
2018 struct dirent entry, *result = NULL;
Paul Bakker8d914582012-06-04 12:46:42 +0000[diff] [blame]2019 char entry_name[255];
2020 DIR *dir = opendir( path );
2021
2022 if( dir == NULL)
2023 return( POLARSSL_ERR_X509_FILE_IO_ERROR );
2024
Paul Bakker2c8cdd22013-06-24 19:22:42 +0200[diff] [blame]2025 while( ( t_ret = readdir_r( dir, &entry, &result ) ) == 0 )
Paul Bakker8d914582012-06-04 12:46:42 +0000[diff] [blame]2026 {
Paul Bakker2c8cdd22013-06-24 19:22:42 +0200[diff] [blame]2027 if( result == NULL )
2028 break;
2029
2030 snprintf( entry_name, sizeof(entry_name), "%s/%s", path, entry.d_name );
2031
2032 i = stat( entry_name, &sb );
2033
2034 if( i == -1 )
2035 return( POLARSSL_ERR_X509_FILE_IO_ERROR );
2036
2037 if( !S_ISREG( sb.st_mode ) )
Paul Bakker8d914582012-06-04 12:46:42 +0000[diff] [blame]2038 continue;
2039
Paul Bakker2c8cdd22013-06-24 19:22:42 +0200[diff] [blame]2040 // Ignore parse errors
2041 //
Paul Bakker8d914582012-06-04 12:46:42 +0000[diff] [blame]2042 t_ret = x509parse_crtfile( chain, entry_name );
2043 if( t_ret < 0 )
Paul Bakker2c8cdd22013-06-24 19:22:42 +0200[diff] [blame]2044 ret++;
2045 else
2046 ret += t_ret;
Paul Bakker8d914582012-06-04 12:46:42 +0000[diff] [blame]2047 }
2048 closedir( dir );
2049#endif
2050
2051 return( ret );
2052}
2053
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]2054/*
2055 * Load one or more CRLs and add them to the chained list
2056 */
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]2057int x509parse_crlfile( x509_crl *chain, const char *path )
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]2058{
2059 int ret;
2060 size_t n;
2061 unsigned char *buf;
2062
Manuel Pégourié-Gonnard4250a1f2013-06-27 13:00:00 +0200[diff] [blame]2063 if ( ( ret = load_file( path, &buf, &n ) ) != 0 )
Paul Bakker69e095c2011-12-10 21:55:01 +0000[diff] [blame]2064 return( ret );
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]2065
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]2066 ret = x509parse_crl( chain, buf, n );
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]2067
2068 memset( buf, 0, n + 1 );
Paul Bakker6e339b52013-07-03 13:37:05 +0200[diff] [blame]2069 polarssl_free( buf );
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]2070
2071 return( ret );
2072}
2073
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2074/*
Manuel Pégourié-Gonnard88380992013-07-04 14:09:57 +0200[diff] [blame]2075 * Load and parse a private key
Manuel Pégourié-Gonnard26833c22013-06-27 11:27:58 +0200[diff] [blame]2076 */
Manuel Pégourié-Gonnard88380992013-07-04 14:09:57 +0200[diff] [blame]2077int x509parse_keyfile( pk_context *ctx,
2078 const char *path, const char *pwd )
Manuel Pégourié-Gonnard26833c22013-06-27 11:27:58 +0200[diff] [blame]2079{
2080 int ret;
2081 size_t n;
2082 unsigned char *buf;
2083
2084 if ( (ret = load_file( path, &buf, &n ) ) != 0 )
2085 return( ret );
2086
2087 if( pwd == NULL )
Manuel Pégourié-Gonnard88380992013-07-04 14:09:57 +0200[diff] [blame]2088 ret = x509parse_key( ctx, buf, n, NULL, 0 );
Manuel Pégourié-Gonnard26833c22013-06-27 11:27:58 +0200[diff] [blame]2089 else
Manuel Pégourié-Gonnard88380992013-07-04 14:09:57 +0200[diff] [blame]2090 ret = x509parse_key( ctx, buf, n,
Manuel Pégourié-Gonnard26833c22013-06-27 11:27:58 +0200[diff] [blame]2091 (const unsigned char *) pwd, strlen( pwd ) );
2092
2093 memset( buf, 0, n + 1 );
2094 free( buf );
2095
2096 return( ret );
2097}
2098
2099/*
Manuel Pégourié-Gonnard88380992013-07-04 14:09:57 +0200[diff] [blame]2100 * Load and parse a public key
Manuel Pégourié-Gonnard26833c22013-06-27 11:27:58 +0200[diff] [blame]2101 */
Manuel Pégourié-Gonnard88380992013-07-04 14:09:57 +0200[diff] [blame]2102int x509parse_public_keyfile( pk_context *ctx, const char *path )
Manuel Pégourié-Gonnard26833c22013-06-27 11:27:58 +0200[diff] [blame]2103{
2104 int ret;
2105 size_t n;
2106 unsigned char *buf;
2107
2108 if ( (ret = load_file( path, &buf, &n ) ) != 0 )
2109 return( ret );
2110
Manuel Pégourié-Gonnard88380992013-07-04 14:09:57 +0200[diff] [blame]2111 ret = x509parse_public_key( ctx, buf, n );
Manuel Pégourié-Gonnard26833c22013-06-27 11:27:58 +0200[diff] [blame]2112
2113 memset( buf, 0, n + 1 );
2114 free( buf );
2115
2116 return( ret );
2117}
Manuel Pégourié-Gonnard88380992013-07-04 14:09:57 +0200[diff] [blame]2118
Manuel Pégourié-Gonnardab2d9832013-07-11 16:17:23 +0200[diff] [blame^]2119#if defined(POLARSSL_RSA_C)
2120/*
2121 * Load and parse a private RSA key
2122 */
2123int x509parse_keyfile_rsa( rsa_context *rsa, const char *path, const char *pwd )
2124{
2125 pk_context pk;
2126
2127 pk_init( &pk );
2128 pk_wrap_rsa( &pk, rsa );
2129
2130 return( x509parse_keyfile( &pk, path, pwd ) );
2131}
2132
2133/*
2134 * Load and parse a public RSA key
2135 */
2136int x509parse_public_keyfile_rsa( rsa_context *rsa, const char *path )
2137{
2138 pk_context pk;
2139
2140 pk_init( &pk );
2141 pk_wrap_rsa( &pk, rsa );
2142
2143 return( x509parse_public_keyfile( &pk, path ) );
2144}
2145#endif /* POLARSSL_RSA_C */
Paul Bakker335db3f2011-04-25 15:28:35 +0000[diff] [blame]2146#endif /* POLARSSL_FS_IO */
2147
Manuel Pégourié-Gonnardab2d9832013-07-11 16:17:23 +0200[diff] [blame^]2148#if defined(POLARSSL_RSA_C)
Paul Bakker335db3f2011-04-25 15:28:35 +0000[diff] [blame]2149/*
Paul Bakkere2f50402013-06-24 19:00:59 +0200[diff] [blame]2150 * Parse a PKCS#1 encoded private RSA key
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2151 */
Paul Bakkere2f50402013-06-24 19:00:59 +0200[diff] [blame]2152static int x509parse_key_pkcs1_der( rsa_context *rsa,
2153 const unsigned char *key,
2154 size_t keylen )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2155{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2156 int ret;
2157 size_t len;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2158 unsigned char *p, *end;
Paul Bakkered56b222011-07-13 11:26:43 +0000[diff] [blame]2159
Paul Bakker96743fc2011-02-12 14:30:57 +0000[diff] [blame]2160 p = (unsigned char *) key;
Paul Bakker96743fc2011-02-12 14:30:57 +0000[diff] [blame]2161 end = p + keylen;
2162
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2163 /*
Paul Bakkere2f50402013-06-24 19:00:59 +0200[diff] [blame]2164 * This function parses the RSAPrivateKey (PKCS#1)
Paul Bakkered56b222011-07-13 11:26:43 +0000[diff] [blame]2165 *
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2166 * RSAPrivateKey ::= SEQUENCE {
2167 * version Version,
2168 * modulus INTEGER, -- n
2169 * publicExponent INTEGER, -- e
2170 * privateExponent INTEGER, -- d
2171 * prime1 INTEGER, -- p
2172 * prime2 INTEGER, -- q
2173 * exponent1 INTEGER, -- d mod (p-1)
2174 * exponent2 INTEGER, -- d mod (q-1)
2175 * coefficient INTEGER, -- (inverse of q) mod p
2176 * otherPrimeInfos OtherPrimeInfos OPTIONAL
2177 * }
2178 */
2179 if( ( ret = asn1_get_tag( &p, end, &len,
2180 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
2181 {
Paul Bakker9d781402011-05-09 16:17:09 +0000[diff] [blame]2182 return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT + ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2183 }
2184
2185 end = p + len;
2186
2187 if( ( ret = asn1_get_int( &p, end, &rsa->ver ) ) != 0 )
2188 {
Paul Bakker9d781402011-05-09 16:17:09 +0000[diff] [blame]2189 return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT + ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2190 }
2191
2192 if( rsa->ver != 0 )
2193 {
Manuel Pégourié-Gonnarde3663422013-07-03 18:56:37 +0200[diff] [blame]2194 return( POLARSSL_ERR_X509_KEY_INVALID_VERSION );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2195 }
2196
2197 if( ( ret = asn1_get_mpi( &p, end, &rsa->N ) ) != 0 ||
2198 ( ret = asn1_get_mpi( &p, end, &rsa->E ) ) != 0 ||
2199 ( ret = asn1_get_mpi( &p, end, &rsa->D ) ) != 0 ||
2200 ( ret = asn1_get_mpi( &p, end, &rsa->P ) ) != 0 ||
2201 ( ret = asn1_get_mpi( &p, end, &rsa->Q ) ) != 0 ||
2202 ( ret = asn1_get_mpi( &p, end, &rsa->DP ) ) != 0 ||
2203 ( ret = asn1_get_mpi( &p, end, &rsa->DQ ) ) != 0 ||
2204 ( ret = asn1_get_mpi( &p, end, &rsa->QP ) ) != 0 )
2205 {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2206 rsa_free( rsa );
Paul Bakker9d781402011-05-09 16:17:09 +0000[diff] [blame]2207 return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT + ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2208 }
2209
2210 rsa->len = mpi_size( &rsa->N );
2211
2212 if( p != end )
2213 {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2214 rsa_free( rsa );
Paul Bakker9d781402011-05-09 16:17:09 +0000[diff] [blame]2215 return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT +
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]2216 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2217 }
2218
2219 if( ( ret = rsa_check_privkey( rsa ) ) != 0 )
2220 {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2221 rsa_free( rsa );
2222 return( ret );
2223 }
2224
Paul Bakkere2f50402013-06-24 19:00:59 +0200[diff] [blame]2225 return( 0 );
2226}
Manuel Pégourié-Gonnardab2d9832013-07-11 16:17:23 +0200[diff] [blame^]2227#endif /* POLARSSL_RSA_C */
Manuel Pégourié-Gonnard6e882022013-07-11 14:55:43 +0200[diff] [blame]2228
Manuel Pégourié-Gonnardab2d9832013-07-11 16:17:23 +0200[diff] [blame^]2229#if defined(POLARSSL_ECP_C)
Paul Bakkere2f50402013-06-24 19:00:59 +0200[diff] [blame]2230/*
Manuel Pégourié-Gonnard6e882022013-07-11 14:55:43 +0200[diff] [blame]2231 * Parse a SEC1 encoded private EC key
Paul Bakkere2f50402013-06-24 19:00:59 +0200[diff] [blame]2232 */
Manuel Pégourié-Gonnard6e882022013-07-11 14:55:43 +0200[diff] [blame]2233static int x509parse_key_sec1_der( ecp_keypair *eck,
2234 const unsigned char *key,
2235 size_t keylen )
Paul Bakkere2f50402013-06-24 19:00:59 +0200[diff] [blame]2236{
2237 int ret;
Manuel Pégourié-Gonnard6e882022013-07-11 14:55:43 +0200[diff] [blame]2238 int version;
Paul Bakkere2f50402013-06-24 19:00:59 +0200[diff] [blame]2239 size_t len;
Manuel Pégourié-Gonnard6e882022013-07-11 14:55:43 +0200[diff] [blame]2240 x509_buf params;
2241 unsigned char *p = (unsigned char *) key;
2242 unsigned char *end = p + keylen;
2243 unsigned char *end2;
Paul Bakkere2f50402013-06-24 19:00:59 +0200[diff] [blame]2244
2245 /*
Manuel Pégourié-Gonnard6e882022013-07-11 14:55:43 +0200[diff] [blame]2246 * RFC 5915, orf SEC1 Appendix C.4
Paul Bakkere2f50402013-06-24 19:00:59 +0200[diff] [blame]2247 *
Manuel Pégourié-Gonnard6e882022013-07-11 14:55:43 +0200[diff] [blame]2248 * ECPrivateKey ::= SEQUENCE {
2249 * version INTEGER { ecPrivkeyVer1(1) } (ecPrivkeyVer1),
2250 * privateKey OCTET STRING,
2251 * parameters [0] ECParameters {{ NamedCurve }} OPTIONAL,
2252 * publicKey [1] BIT STRING OPTIONAL
2253 * }
Paul Bakkere2f50402013-06-24 19:00:59 +0200[diff] [blame]2254 */
2255 if( ( ret = asn1_get_tag( &p, end, &len,
2256 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
2257 {
2258 return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT + ret );
2259 }
2260
2261 end = p + len;
2262
Manuel Pégourié-Gonnard6e882022013-07-11 14:55:43 +0200[diff] [blame]2263 if( ( ret = asn1_get_int( &p, end, &version ) ) != 0 )
Paul Bakkere2f50402013-06-24 19:00:59 +0200[diff] [blame]2264 return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT + ret );
2265
Manuel Pégourié-Gonnard6e882022013-07-11 14:55:43 +0200[diff] [blame]2266 if( version != 1 )
2267 return( POLARSSL_ERR_X509_KEY_INVALID_VERSION );
Paul Bakkere2f50402013-06-24 19:00:59 +0200[diff] [blame]2268
Paul Bakkere2f50402013-06-24 19:00:59 +0200[diff] [blame]2269 if( ( ret = asn1_get_tag( &p, end, &len, ASN1_OCTET_STRING ) ) != 0 )
2270 return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT + ret );
2271
Manuel Pégourié-Gonnard6e882022013-07-11 14:55:43 +0200[diff] [blame]2272 if( ( ret = mpi_read_binary( &eck->d, p, len ) ) != 0 )
Paul Bakkere2f50402013-06-24 19:00:59 +0200[diff] [blame]2273 {
Manuel Pégourié-Gonnard6e882022013-07-11 14:55:43 +0200[diff] [blame]2274 ecp_keypair_free( eck );
2275 return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT + ret );
2276 }
2277
2278 p += len;
2279
2280 /*
2281 * Is 'parameters' present?
2282 */
2283 if( ( ret = asn1_get_tag( &p, end, &len,
2284 ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 0 ) ) == 0 )
2285 {
2286 if( ( ret = x509_get_ecparams( &p, p + len, &params) ) != 0 ||
2287 ( ret = x509_use_ecparams( &params, &eck->grp ) ) != 0 )
2288 {
2289 ecp_keypair_free( eck );
2290 return( ret );
2291 }
2292 }
2293 else if( ret != POLARSSL_ERR_ASN1_UNEXPECTED_TAG )
2294 {
2295 ecp_keypair_free( eck );
2296 return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT + ret );
2297 }
2298
2299 /*
2300 * Is 'publickey' present?
2301 */
2302 if( ( ret = asn1_get_tag( &p, end, &len,
2303 ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 1 ) ) == 0 )
2304 {
2305 end2 = p + len;
2306
2307 if( ( ret = asn1_get_bitstring_null( &p, end2, &len ) ) != 0 )
2308 return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT + ret );
2309
2310 if( p + len != end2 )
2311 return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT +
2312 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
2313
2314 if( ( ret = x509_get_ecpubkey( &p, end2, eck ) ) != 0 )
2315 return( ret );
2316 }
2317 else if ( ret != POLARSSL_ERR_ASN1_UNEXPECTED_TAG )
2318 {
2319 ecp_keypair_free( eck );
2320 return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT + ret );
2321 }
2322
2323 if( ( ret = ecp_check_privkey( &eck->grp, &eck->d ) ) != 0 )
2324 {
2325 ecp_keypair_free( eck );
2326 return( ret );
2327 }
2328
2329 return 0;
2330}
Manuel Pégourié-Gonnardab2d9832013-07-11 16:17:23 +0200[diff] [blame^]2331#endif /* POLARSSL_ECP_C */
Manuel Pégourié-Gonnard6e882022013-07-11 14:55:43 +0200[diff] [blame]2332
2333/*
2334 * Parse an unencrypted PKCS#8 encoded private key
2335 */
2336static int x509parse_key_pkcs8_unencrypted_der(
2337 pk_context *pk,
2338 const unsigned char* key,
2339 size_t keylen )
2340{
2341 int ret, version;
2342 size_t len;
2343 x509_buf params;
2344 unsigned char *p = (unsigned char *) key;
2345 unsigned char *end = p + keylen;
2346 pk_type_t pk_alg = POLARSSL_PK_NONE;
2347
2348 /*
2349 * This function parses the PrivatKeyInfo object (PKCS#8 v1.2 = RFC 5208)
2350 *
2351 * PrivateKeyInfo ::= SEQUENCE {
2352 * version Version,
2353 * privateKeyAlgorithm PrivateKeyAlgorithmIdentifier,
2354 * privateKey PrivateKey,
2355 * attributes [0] IMPLICIT Attributes OPTIONAL }
2356 *
2357 * Version ::= INTEGER
2358 * PrivateKeyAlgorithmIdentifier ::= AlgorithmIdentifier
2359 * PrivateKey ::= OCTET STRING
2360 *
2361 * The PrivateKey OCTET STRING is a SEC1 ECPrivateKey
2362 */
2363
2364 if( ( ret = asn1_get_tag( &p, end, &len,
2365 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
2366 {
2367 return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT + ret );
Paul Bakkere2f50402013-06-24 19:00:59 +0200[diff] [blame]2368 }
2369
2370 end = p + len;
2371
Manuel Pégourié-Gonnard6e882022013-07-11 14:55:43 +0200[diff] [blame]2372 if( ( ret = asn1_get_int( &p, end, &version ) ) != 0 )
2373 return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT + ret );
2374
2375 if( version != 0 )
2376 return( POLARSSL_ERR_X509_KEY_INVALID_VERSION + ret );
2377
2378 if( ( ret = x509_get_pk_alg( &p, end, &pk_alg, &params ) ) != 0 )
2379 return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT + ret );
2380
2381 if( ( ret = asn1_get_tag( &p, end, &len, ASN1_OCTET_STRING ) ) != 0 )
2382 return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT + ret );
2383
2384 if( len < 1 )
2385 return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT +
2386 POLARSSL_ERR_ASN1_OUT_OF_DATA );
2387
2388 if( ( ret = pk_set_type( pk, pk_alg ) ) != 0 )
Paul Bakkere2f50402013-06-24 19:00:59 +0200[diff] [blame]2389 return( ret );
2390
Manuel Pégourié-Gonnardab2d9832013-07-11 16:17:23 +0200[diff] [blame^]2391#if defined(POLARSSL_RSA_C)
2392 if( pk_alg == POLARSSL_PK_RSA )
2393 {
2394 if( ( ret = x509parse_key_pkcs1_der( pk_rsa( *pk ), p, len ) ) != 0 )
2395 {
2396 pk_free( pk );
2397 return( ret );
2398 }
2399 } else
2400#endif /* POLARSSL_RSA_C */
2401#if defined(POLARSSL_ECP_C)
Manuel Pégourié-Gonnard6e882022013-07-11 14:55:43 +0200[diff] [blame]2402 if( pk_alg == POLARSSL_PK_ECKEY || pk_alg == POLARSSL_PK_ECKEY_DH )
2403 {
Manuel Pégourié-Gonnard6e882022013-07-11 14:55:43 +0200[diff] [blame]2404 if( ( ret = x509_use_ecparams( &params, &pk_ec( *pk )->grp ) ) != 0 ||
2405 ( ret = x509parse_key_sec1_der( pk_ec( *pk ), p, len ) ) != 0 )
2406 {
2407 pk_free( pk );
2408 return( ret );
2409 }
2410 } else
Manuel Pégourié-Gonnardab2d9832013-07-11 16:17:23 +0200[diff] [blame^]2411#endif /* POLARSSL_ECP_C */
Manuel Pégourié-Gonnard6e882022013-07-11 14:55:43 +0200[diff] [blame]2412 return( POLARSSL_ERR_X509_UNKNOWN_PK_ALG );
2413
2414 return 0;
2415}
2416
2417/*
Manuel Pégourié-Gonnardab2d9832013-07-11 16:17:23 +0200[diff] [blame^]2418 * Parse an encrypted PKCS#8 encoded private key
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]2419 */
Manuel Pégourié-Gonnardab2d9832013-07-11 16:17:23 +0200[diff] [blame^]2420static int x509parse_key_pkcs8_encrypted_der(
2421 pk_context *pk,
Manuel Pégourié-Gonnarda5d99742013-07-04 11:08:31 +0200[diff] [blame]2422 const unsigned char *key, size_t keylen,
2423 const unsigned char *pwd, size_t pwdlen )
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]2424{
2425 int ret;
2426 size_t len;
Manuel Pégourié-Gonnardab2d9832013-07-11 16:17:23 +0200[diff] [blame^]2427 unsigned char buf[2048];
Paul Bakkerf8d018a2013-06-29 12:16:17 +0200[diff] [blame]2428 unsigned char *p, *end;
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]2429 x509_buf pbe_alg_oid, pbe_params;
Paul Bakker7749a222013-06-28 17:28:20 +0200[diff] [blame]2430#if defined(POLARSSL_PKCS12_C)
2431 cipher_type_t cipher_alg;
2432 md_type_t md_alg;
2433#endif
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]2434
Manuel Pégourié-Gonnardab2d9832013-07-11 16:17:23 +0200[diff] [blame^]2435 memset( buf, 0, sizeof( buf ) );
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]2436
2437 p = (unsigned char *) key;
2438 end = p + keylen;
2439
Paul Bakker28144de2013-06-24 19:28:55 +0200[diff] [blame]2440 if( pwdlen == 0 )
2441 return( POLARSSL_ERR_X509_PASSWORD_REQUIRED );
2442
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]2443 /*
2444 * This function parses the EncryptedPrivatKeyInfo object (PKCS#8)
2445 *
2446 * EncryptedPrivateKeyInfo ::= SEQUENCE {
2447 * encryptionAlgorithm EncryptionAlgorithmIdentifier,
2448 * encryptedData EncryptedData
2449 * }
2450 *
2451 * EncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
2452 *
2453 * EncryptedData ::= OCTET STRING
2454 *
2455 * The EncryptedData OCTET STRING is a PKCS#8 PrivateKeyInfo
2456 */
2457 if( ( ret = asn1_get_tag( &p, end, &len,
2458 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
2459 {
2460 return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT + ret );
2461 }
2462
2463 end = p + len;
2464
Paul Bakkerf8d018a2013-06-29 12:16:17 +0200[diff] [blame]2465 if( ( ret = asn1_get_alg( &p, end, &pbe_alg_oid, &pbe_params ) ) != 0 )
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]2466 return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT + ret );
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]2467
2468 if( ( ret = asn1_get_tag( &p, end, &len, ASN1_OCTET_STRING ) ) != 0 )
2469 return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT + ret );
2470
Manuel Pégourié-Gonnardab2d9832013-07-11 16:17:23 +0200[diff] [blame^]2471 if( len > sizeof( buf ) )
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]2472 return( POLARSSL_ERR_X509_INVALID_INPUT );
2473
2474 /*
2475 * Decrypt EncryptedData with appropriate PDE
2476 */
Paul Bakker38b50d72013-06-24 19:33:27 +0200[diff] [blame]2477#if defined(POLARSSL_PKCS12_C)
Paul Bakker7749a222013-06-28 17:28:20 +0200[diff] [blame]2478 if( oid_get_pkcs12_pbe_alg( &pbe_alg_oid, &md_alg, &cipher_alg ) == 0 )
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]2479 {
Paul Bakker38b50d72013-06-24 19:33:27 +0200[diff] [blame]2480 if( ( ret = pkcs12_pbe( &pbe_params, PKCS12_PBE_DECRYPT,
Paul Bakker7749a222013-06-28 17:28:20 +0200[diff] [blame]2481 cipher_alg, md_alg,
Paul Bakker38b50d72013-06-24 19:33:27 +0200[diff] [blame]2482 pwd, pwdlen, p, len, buf ) ) != 0 )
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]2483 {
Paul Bakker38b50d72013-06-24 19:33:27 +0200[diff] [blame]2484 if( ret == POLARSSL_ERR_PKCS12_PASSWORD_MISMATCH )
2485 return( POLARSSL_ERR_X509_PASSWORD_MISMATCH );
2486
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]2487 return( ret );
2488 }
2489 }
2490 else if( OID_CMP( OID_PKCS12_PBE_SHA1_RC4_128, &pbe_alg_oid ) )
2491 {
2492 if( ( ret = pkcs12_pbe_sha1_rc4_128( &pbe_params,
2493 PKCS12_PBE_DECRYPT,
2494 pwd, pwdlen,
2495 p, len, buf ) ) != 0 )
2496 {
2497 return( ret );
2498 }
Paul Bakker38b50d72013-06-24 19:33:27 +0200[diff] [blame]2499
2500 // Best guess for password mismatch when using RC4. If first tag is
2501 // not ASN1_CONSTRUCTED | ASN1_SEQUENCE
2502 //
2503 if( *buf != ( ASN1_CONSTRUCTED | ASN1_SEQUENCE ) )
2504 return( POLARSSL_ERR_X509_PASSWORD_MISMATCH );
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]2505 }
Paul Bakker38b50d72013-06-24 19:33:27 +0200[diff] [blame]2506 else
2507#endif /* POLARSSL_PKCS12_C */
Paul Bakker28144de2013-06-24 19:28:55 +0200[diff] [blame]2508#if defined(POLARSSL_PKCS5_C)
Paul Bakker38b50d72013-06-24 19:33:27 +0200[diff] [blame]2509 if( OID_CMP( OID_PKCS5_PBES2, &pbe_alg_oid ) )
Paul Bakker28144de2013-06-24 19:28:55 +0200[diff] [blame]2510 {
2511 if( ( ret = pkcs5_pbes2( &pbe_params, PKCS5_DECRYPT, pwd, pwdlen,
2512 p, len, buf ) ) != 0 )
2513 {
2514 if( ret == POLARSSL_ERR_PKCS5_PASSWORD_MISMATCH )
2515 return( POLARSSL_ERR_X509_PASSWORD_MISMATCH );
2516
2517 return( ret );
2518 }
2519 }
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]2520 else
Paul Bakker38b50d72013-06-24 19:33:27 +0200[diff] [blame]2521#endif /* POLARSSL_PKCS5_C */
Paul Bakkerf1f21fe2013-06-24 19:17:19 +0200[diff] [blame]2522 return( POLARSSL_ERR_X509_FEATURE_UNAVAILABLE );
2523
Manuel Pégourié-Gonnard8b863cd2013-07-11 15:32:03 +0200[diff] [blame]2524 return( x509parse_key_pkcs8_unencrypted_der( pk, buf, len ) );
Manuel Pégourié-Gonnard416fa8f2013-07-04 10:46:23 +0200[diff] [blame]2525}
2526
2527/*
Manuel Pégourié-Gonnard8b863cd2013-07-11 15:32:03 +0200[diff] [blame]2528 * Parse a private key
Manuel Pégourié-Gonnard26833c22013-06-27 11:27:58 +0200[diff] [blame]2529 */
Manuel Pégourié-Gonnard8b863cd2013-07-11 15:32:03 +0200[diff] [blame]2530int x509parse_key( pk_context *pk,
2531 const unsigned char *key, size_t keylen,
2532 const unsigned char *pwd, size_t pwdlen )
Manuel Pégourié-Gonnard26833c22013-06-27 11:27:58 +0200[diff] [blame]2533{
2534 int ret;
2535
2536#if defined(POLARSSL_PEM_C)
2537 size_t len;
2538 pem_context pem;
2539
2540 pem_init( &pem );
Manuel Pégourié-Gonnard8b863cd2013-07-11 15:32:03 +0200[diff] [blame]2541
Manuel Pégourié-Gonnardab2d9832013-07-11 16:17:23 +0200[diff] [blame^]2542#if defined(POLARSSL_RSA_C)
Manuel Pégourié-Gonnard8b863cd2013-07-11 15:32:03 +0200[diff] [blame]2543 ret = pem_read_buffer( &pem,
2544 "-----BEGIN RSA PRIVATE KEY-----",
2545 "-----END RSA PRIVATE KEY-----",
2546 key, pwd, pwdlen, &len );
2547 if( ret == 0 )
2548 {
2549 if( ( ret = pk_set_type( pk, POLARSSL_PK_RSA ) ) != 0 ||
2550 ( ret = x509parse_key_pkcs1_der( pk_rsa( *pk ),
2551 pem.buf, pem.buflen ) ) != 0 )
2552 {
2553 pk_free( pk );
2554 }
2555
2556 pem_free( &pem );
2557 return( ret );
2558 }
2559 else if( ret == POLARSSL_ERR_PEM_PASSWORD_MISMATCH )
2560 return( POLARSSL_ERR_X509_PASSWORD_MISMATCH );
2561 else if( ret == POLARSSL_ERR_PEM_PASSWORD_REQUIRED )
2562 return( POLARSSL_ERR_X509_PASSWORD_REQUIRED );
2563 else if( ret != POLARSSL_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
2564 return( ret );
Manuel Pégourié-Gonnardab2d9832013-07-11 16:17:23 +0200[diff] [blame^]2565#endif /* POLARSSL_RSA_C */
Manuel Pégourié-Gonnard8b863cd2013-07-11 15:32:03 +0200[diff] [blame]2566
Manuel Pégourié-Gonnardab2d9832013-07-11 16:17:23 +0200[diff] [blame^]2567#if defined(POLARSSL_ECP_C)
Manuel Pégourié-Gonnard26833c22013-06-27 11:27:58 +0200[diff] [blame]2568 ret = pem_read_buffer( &pem,
2569 "-----BEGIN EC PRIVATE KEY-----",
2570 "-----END EC PRIVATE KEY-----",
2571 key, pwd, pwdlen, &len );
2572 if( ret == 0 )
2573 {
Manuel Pégourié-Gonnard8b863cd2013-07-11 15:32:03 +0200[diff] [blame]2574 if( ( ret = pk_set_type( pk, POLARSSL_PK_ECKEY ) ) != 0 ||
2575 ( ret = x509parse_key_sec1_der( pk_ec( *pk ),
2576 pem.buf, pem.buflen ) ) != 0 )
Manuel Pégourié-Gonnard26833c22013-06-27 11:27:58 +0200[diff] [blame]2577 {
Manuel Pégourié-Gonnard8b863cd2013-07-11 15:32:03 +0200[diff] [blame]2578 pk_free( pk );
Manuel Pégourié-Gonnard26833c22013-06-27 11:27:58 +0200[diff] [blame]2579 }
Manuel Pégourié-Gonnard26833c22013-06-27 11:27:58 +0200[diff] [blame]2580
2581 pem_free( &pem );
2582 return( ret );
2583 }
2584 else if( ret == POLARSSL_ERR_PEM_PASSWORD_MISMATCH )
2585 return( POLARSSL_ERR_X509_PASSWORD_MISMATCH );
2586 else if( ret == POLARSSL_ERR_PEM_PASSWORD_REQUIRED )
2587 return( POLARSSL_ERR_X509_PASSWORD_REQUIRED );
2588 else if( ret != POLARSSL_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
2589 return( ret );
Manuel Pégourié-Gonnardab2d9832013-07-11 16:17:23 +0200[diff] [blame^]2590#endif /* POLARSSL_ECP_C */
Manuel Pégourié-Gonnard26833c22013-06-27 11:27:58 +0200[diff] [blame]2591
Manuel Pégourié-Gonnard15e8b822013-07-03 11:56:37 +0200[diff] [blame]2592 ret = pem_read_buffer( &pem,
2593 "-----BEGIN PRIVATE KEY-----",
2594 "-----END PRIVATE KEY-----",
2595 key, NULL, 0, &len );
2596 if( ret == 0 )
2597 {
Manuel Pégourié-Gonnard8b863cd2013-07-11 15:32:03 +0200[diff] [blame]2598 if( ( ret = x509parse_key_pkcs8_unencrypted_der( pk,
Manuel Pégourié-Gonnard15e8b822013-07-03 11:56:37 +0200[diff] [blame]2599 pem.buf, pem.buflen ) ) != 0 )
2600 {
Manuel Pégourié-Gonnard8b863cd2013-07-11 15:32:03 +0200[diff] [blame]2601 pk_free( pk );
Manuel Pégourié-Gonnard15e8b822013-07-03 11:56:37 +0200[diff] [blame]2602 }
Manuel Pégourié-Gonnard26833c22013-06-27 11:27:58 +0200[diff] [blame]2603
Manuel Pégourié-Gonnard15e8b822013-07-03 11:56:37 +0200[diff] [blame]2604 pem_free( &pem );
2605 return( ret );
2606 }
2607 else if( ret != POLARSSL_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
2608 return( ret );
2609
2610 ret = pem_read_buffer( &pem,
2611 "-----BEGIN ENCRYPTED PRIVATE KEY-----",
2612 "-----END ENCRYPTED PRIVATE KEY-----",
2613 key, NULL, 0, &len );
2614 if( ret == 0 )
2615 {
Manuel Pégourié-Gonnard8b863cd2013-07-11 15:32:03 +0200[diff] [blame]2616 if( ( ret = x509parse_key_pkcs8_encrypted_der( pk,
Manuel Pégourié-Gonnard15e8b822013-07-03 11:56:37 +0200[diff] [blame]2617 pem.buf, pem.buflen,
2618 pwd, pwdlen ) ) != 0 )
2619 {
Manuel Pégourié-Gonnard8b863cd2013-07-11 15:32:03 +0200[diff] [blame]2620 pk_free( pk );
Manuel Pégourié-Gonnard15e8b822013-07-03 11:56:37 +0200[diff] [blame]2621 }
2622
2623 pem_free( &pem );
2624 return( ret );
2625 }
2626 else if( ret != POLARSSL_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
2627 return( ret );
Manuel Pégourié-Gonnard26833c22013-06-27 11:27:58 +0200[diff] [blame]2628#else
2629 ((void) pwd);
2630 ((void) pwdlen);
2631#endif /* POLARSSL_PEM_C */
2632
Manuel Pégourié-Gonnard15e8b822013-07-03 11:56:37 +0200[diff] [blame]2633 /*
2634 * At this point we only know it's not a PEM formatted key. Could be any
2635 * of the known DER encoded private key formats
2636 *
2637 * We try the different DER format parsers to see if one passes without
2638 * error
2639 */
Manuel Pégourié-Gonnard8b863cd2013-07-11 15:32:03 +0200[diff] [blame]2640 if( ( ret = x509parse_key_pkcs8_encrypted_der( pk, key, keylen,
2641 pwd, pwdlen ) ) == 0 )
Manuel Pégourié-Gonnard26833c22013-06-27 11:27:58 +0200[diff] [blame]2642 {
2643 return( 0 );
2644 }
2645
Manuel Pégourié-Gonnard8b863cd2013-07-11 15:32:03 +0200[diff] [blame]2646 pk_free( pk );
Manuel Pégourié-Gonnard26833c22013-06-27 11:27:58 +0200[diff] [blame]2647
2648 if( ret == POLARSSL_ERR_X509_PASSWORD_MISMATCH )
2649 {
2650 return( ret );
2651 }
2652
Manuel Pégourié-Gonnard8b863cd2013-07-11 15:32:03 +0200[diff] [blame]2653 if( ( ret = x509parse_key_pkcs8_unencrypted_der( pk, key, keylen ) ) == 0 )
Manuel Pégourié-Gonnard26833c22013-06-27 11:27:58 +0200[diff] [blame]2654 return( 0 );
Manuel Pégourié-Gonnard26833c22013-06-27 11:27:58 +0200[diff] [blame]2655
Manuel Pégourié-Gonnard8b863cd2013-07-11 15:32:03 +0200[diff] [blame]2656 pk_free( pk );
Manuel Pégourié-Gonnard15e8b822013-07-03 11:56:37 +0200[diff] [blame]2657
Manuel Pégourié-Gonnardab2d9832013-07-11 16:17:23 +0200[diff] [blame^]2658#if defined(POLARSSL_RSA_C)
Manuel Pégourié-Gonnard8b863cd2013-07-11 15:32:03 +0200[diff] [blame]2659 if( ( ret = pk_set_type( pk, POLARSSL_PK_RSA ) ) == 0 &&
2660 ( ret = x509parse_key_pkcs1_der( pk_rsa( *pk ), key, keylen ) ) == 0 )
2661 {
Manuel Pégourié-Gonnard15e8b822013-07-03 11:56:37 +0200[diff] [blame]2662 return( 0 );
Manuel Pégourié-Gonnard8b863cd2013-07-11 15:32:03 +0200[diff] [blame]2663 }
Manuel Pégourié-Gonnard15e8b822013-07-03 11:56:37 +0200[diff] [blame]2664
Manuel Pégourié-Gonnard8b863cd2013-07-11 15:32:03 +0200[diff] [blame]2665 pk_free( pk );
Manuel Pégourié-Gonnardab2d9832013-07-11 16:17:23 +0200[diff] [blame^]2666#endif /* POLARSSL_RSA_C */
Manuel Pégourié-Gonnard8b863cd2013-07-11 15:32:03 +0200[diff] [blame]2667
Manuel Pégourié-Gonnardab2d9832013-07-11 16:17:23 +0200[diff] [blame^]2668#if defined(POLARSSL_ECP_C)
Manuel Pégourié-Gonnard8b863cd2013-07-11 15:32:03 +0200[diff] [blame]2669 if( ( ret = pk_set_type( pk, POLARSSL_PK_ECKEY ) ) == 0 &&
2670 ( ret = x509parse_key_sec1_der( pk_ec( *pk ), key, keylen ) ) == 0 )
2671 {
2672 return( 0 );
2673 }
2674
2675 pk_free( pk );
Manuel Pégourié-Gonnardab2d9832013-07-11 16:17:23 +0200[diff] [blame^]2676#endif /* POLARSSL_ECP_C */
Manuel Pégourié-Gonnard26833c22013-06-27 11:27:58 +0200[diff] [blame]2677
2678 return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT );
2679}
Manuel Pégourié-Gonnard88380992013-07-04 14:09:57 +0200[diff] [blame]2680
2681/*
2682 * Parse a public key
2683 */
2684int x509parse_public_key( pk_context *ctx,
2685 const unsigned char *key, size_t keylen )
2686{
2687 int ret;
Manuel Pégourié-Gonnard4fa04762013-07-09 13:10:49 +0200[diff] [blame]2688 unsigned char *p;
2689#if defined(POLARSSL_PEM_C)
2690 size_t len;
2691 pem_context pem;
Manuel Pégourié-Gonnard88380992013-07-04 14:09:57 +0200[diff] [blame]2692
Manuel Pégourié-Gonnard4fa04762013-07-09 13:10:49 +0200[diff] [blame]2693 pem_init( &pem );
2694 ret = pem_read_buffer( &pem,
2695 "-----BEGIN PUBLIC KEY-----",
2696 "-----END PUBLIC KEY-----",
2697 key, NULL, 0, &len );
2698
2699 if( ret == 0 )
2700 {
2701 /*
2702 * Was PEM encoded
2703 */
2704 key = pem.buf;
2705 keylen = pem.buflen;
2706 }
2707 else if( ret != POLARSSL_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
2708 {
2709 pem_free( &pem );
Manuel Pégourié-Gonnard88380992013-07-04 14:09:57 +0200[diff] [blame]2710 return( ret );
Manuel Pégourié-Gonnard4fa04762013-07-09 13:10:49 +0200[diff] [blame]2711 }
2712#endif
2713 p = (unsigned char *) key;
Manuel Pégourié-Gonnard88380992013-07-04 14:09:57 +0200[diff] [blame]2714
Manuel Pégourié-Gonnard4fa04762013-07-09 13:10:49 +0200[diff] [blame]2715 ret = x509_get_pubkey( &p, p + keylen, ctx );
Manuel Pégourié-Gonnard88380992013-07-04 14:09:57 +0200[diff] [blame]2716
Manuel Pégourié-Gonnard4fa04762013-07-09 13:10:49 +0200[diff] [blame]2717#if defined(POLARSSL_PEM_C)
2718 pem_free( &pem );
2719#endif
Manuel Pégourié-Gonnard374e4b82013-07-09 10:21:34 +0200[diff] [blame]2720
Manuel Pégourié-Gonnard4fa04762013-07-09 13:10:49 +0200[diff] [blame]2721 return( ret );
Manuel Pégourié-Gonnard88380992013-07-04 14:09:57 +0200[diff] [blame]2722}
2723
Manuel Pégourié-Gonnardab2d9832013-07-11 16:17:23 +0200[diff] [blame^]2724#if defined(POLARSSL_RSA_C)
2725/*
2726 * Parse a private RSA key
2727 */
2728int x509parse_key_rsa( rsa_context *rsa,
2729 const unsigned char *key, size_t keylen,
2730 const unsigned char *pwd, size_t pwdlen )
2731{
2732 pk_context pk;
2733
2734 pk_init( &pk );
2735 pk_wrap_rsa( &pk, rsa );
2736
2737 return( x509parse_key( &pk, key, keylen, pwd, pwdlen ) );
2738}
2739
2740/*
2741 * Parse a public RSA key
2742 */
2743int x509parse_public_key_rsa( rsa_context *rsa,
2744 const unsigned char *key, size_t keylen )
2745{
2746 pk_context pk;
2747
2748 pk_init( &pk );
2749 pk_wrap_rsa( &pk, rsa );
2750
2751 return( x509parse_public_key( &pk, key, keylen ) );
2752}
2753#endif /* POLARSSL_RSA_C */
2754
Paul Bakkereaa89f82011-04-04 21:36:15 +0000[diff] [blame]2755#if defined(POLARSSL_DHM_C)
Paul Bakker53019ae2011-03-25 13:58:48 +0000[diff] [blame]2756/*
Paul Bakker1b57b062011-01-06 15:48:19 +0000[diff] [blame]2757 * Parse DHM parameters
2758 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2759int x509parse_dhm( dhm_context *dhm, const unsigned char *dhmin, size_t dhminlen )
Paul Bakker1b57b062011-01-06 15:48:19 +0000[diff] [blame]2760{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2761 int ret;
2762 size_t len;
Paul Bakker1b57b062011-01-06 15:48:19 +0000[diff] [blame]2763 unsigned char *p, *end;
Paul Bakker96743fc2011-02-12 14:30:57 +0000[diff] [blame]2764#if defined(POLARSSL_PEM_C)
2765 pem_context pem;
Paul Bakker1b57b062011-01-06 15:48:19 +0000[diff] [blame]2766
Paul Bakker96743fc2011-02-12 14:30:57 +0000[diff] [blame]2767 pem_init( &pem );
Paul Bakker1b57b062011-01-06 15:48:19 +0000[diff] [blame]2768
Paul Bakker96743fc2011-02-12 14:30:57 +0000[diff] [blame]2769 ret = pem_read_buffer( &pem,
2770 "-----BEGIN DH PARAMETERS-----",
2771 "-----END DH PARAMETERS-----",
2772 dhmin, NULL, 0, &dhminlen );
2773
2774 if( ret == 0 )
Paul Bakker1b57b062011-01-06 15:48:19 +0000[diff] [blame]2775 {
Paul Bakker96743fc2011-02-12 14:30:57 +0000[diff] [blame]2776 /*
2777 * Was PEM encoded
2778 */
2779 dhminlen = pem.buflen;
Paul Bakker1b57b062011-01-06 15:48:19 +0000[diff] [blame]2780 }
Paul Bakker00b28602013-06-24 13:02:41 +0200[diff] [blame]2781 else if( ret != POLARSSL_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
Paul Bakker1b57b062011-01-06 15:48:19 +0000[diff] [blame]2782 {
Paul Bakker96743fc2011-02-12 14:30:57 +0000[diff] [blame]2783 pem_free( &pem );
2784 return( ret );
Paul Bakker1b57b062011-01-06 15:48:19 +0000[diff] [blame]2785 }
2786
Paul Bakker96743fc2011-02-12 14:30:57 +0000[diff] [blame]2787 p = ( ret == 0 ) ? pem.buf : (unsigned char *) dhmin;
2788#else
2789 p = (unsigned char *) dhmin;
2790#endif
2791 end = p + dhminlen;
2792
Paul Bakker1b57b062011-01-06 15:48:19 +0000[diff] [blame]2793 memset( dhm, 0, sizeof( dhm_context ) );
2794
Paul Bakker1b57b062011-01-06 15:48:19 +0000[diff] [blame]2795 /*
2796 * DHParams ::= SEQUENCE {
2797 * prime INTEGER, -- P
2798 * generator INTEGER, -- g
2799 * }
2800 */
2801 if( ( ret = asn1_get_tag( &p, end, &len,
2802 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
2803 {
Paul Bakker96743fc2011-02-12 14:30:57 +0000[diff] [blame]2804#if defined(POLARSSL_PEM_C)
2805 pem_free( &pem );
2806#endif
Paul Bakker9d781402011-05-09 16:17:09 +0000[diff] [blame]2807 return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT + ret );
Paul Bakker1b57b062011-01-06 15:48:19 +0000[diff] [blame]2808 }
2809
2810 end = p + len;
2811
2812 if( ( ret = asn1_get_mpi( &p, end, &dhm->P ) ) != 0 ||
2813 ( ret = asn1_get_mpi( &p, end, &dhm->G ) ) != 0 )
2814 {
Paul Bakker96743fc2011-02-12 14:30:57 +0000[diff] [blame]2815#if defined(POLARSSL_PEM_C)
2816 pem_free( &pem );
2817#endif
Paul Bakker1b57b062011-01-06 15:48:19 +0000[diff] [blame]2818 dhm_free( dhm );
Paul Bakker9d781402011-05-09 16:17:09 +0000[diff] [blame]2819 return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT + ret );
Paul Bakker1b57b062011-01-06 15:48:19 +0000[diff] [blame]2820 }
2821
2822 if( p != end )
2823 {
Paul Bakker96743fc2011-02-12 14:30:57 +0000[diff] [blame]2824#if defined(POLARSSL_PEM_C)
2825 pem_free( &pem );
2826#endif
Paul Bakker1b57b062011-01-06 15:48:19 +0000[diff] [blame]2827 dhm_free( dhm );
Paul Bakker9d781402011-05-09 16:17:09 +0000[diff] [blame]2828 return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT +
Paul Bakker1b57b062011-01-06 15:48:19 +0000[diff] [blame]2829 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
2830 }
2831
Paul Bakker96743fc2011-02-12 14:30:57 +0000[diff] [blame]2832#if defined(POLARSSL_PEM_C)
2833 pem_free( &pem );
2834#endif
Paul Bakker1b57b062011-01-06 15:48:19 +0000[diff] [blame]2835
2836 return( 0 );
2837}
2838
Paul Bakker335db3f2011-04-25 15:28:35 +0000[diff] [blame]2839#if defined(POLARSSL_FS_IO)
Paul Bakker1b57b062011-01-06 15:48:19 +0000[diff] [blame]2840/*
Manuel Pégourié-Gonnard4250a1f2013-06-27 13:00:00 +0200[diff] [blame]2841 * Load and parse DHM parameters
Paul Bakker1b57b062011-01-06 15:48:19 +0000[diff] [blame]2842 */
2843int x509parse_dhmfile( dhm_context *dhm, const char *path )
2844{
2845 int ret;
2846 size_t n;
2847 unsigned char *buf;
2848
Paul Bakker69e095c2011-12-10 21:55:01 +0000[diff] [blame]2849 if ( ( ret = load_file( path, &buf, &n ) ) != 0 )
2850 return( ret );
Paul Bakker1b57b062011-01-06 15:48:19 +0000[diff] [blame]2851
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]2852 ret = x509parse_dhm( dhm, buf, n );
Paul Bakker1b57b062011-01-06 15:48:19 +0000[diff] [blame]2853
2854 memset( buf, 0, n + 1 );
Paul Bakker6e339b52013-07-03 13:37:05 +0200[diff] [blame]2855 polarssl_free( buf );
Paul Bakker1b57b062011-01-06 15:48:19 +0000[diff] [blame]2856
2857 return( ret );
2858}
Paul Bakker335db3f2011-04-25 15:28:35 +0000[diff] [blame]2859#endif /* POLARSSL_FS_IO */
Paul Bakkereaa89f82011-04-04 21:36:15 +0000[diff] [blame]2860#endif /* POLARSSL_DHM_C */
Paul Bakker1b57b062011-01-06 15:48:19 +0000[diff] [blame]2861
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2862#if defined _MSC_VER && !defined snprintf
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]2863#include <stdarg.h>
2864
2865#if !defined vsnprintf
2866#define vsnprintf _vsnprintf
2867#endif // vsnprintf
2868
2869/*
2870 * Windows _snprintf and _vsnprintf are not compatible to linux versions.
2871 * Result value is not size of buffer needed, but -1 if no fit is possible.
2872 *
2873 * This fuction tries to 'fix' this by at least suggesting enlarging the
2874 * size by 20.
2875 */
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]2876static int compat_snprintf(char *str, size_t size, const char *format, ...)
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]2877{
2878 va_list ap;
2879 int res = -1;
2880
2881 va_start( ap, format );
2882
2883 res = vsnprintf( str, size, format, ap );
2884
2885 va_end( ap );
2886
2887 // No quick fix possible
2888 if ( res < 0 )
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2889 return( (int) size + 20 );
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]2890
2891 return res;
2892}
2893
2894#define snprintf compat_snprintf
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2895#endif
2896
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]2897#define POLARSSL_ERR_DEBUG_BUF_TOO_SMALL -2
2898
2899#define SAFE_SNPRINTF() \
2900{ \
2901 if( ret == -1 ) \
2902 return( -1 ); \
2903 \
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2904 if ( (unsigned int) ret > n ) { \
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]2905 p[n - 1] = '\0'; \
2906 return POLARSSL_ERR_DEBUG_BUF_TOO_SMALL;\
2907 } \
2908 \
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2909 n -= (unsigned int) ret; \
2910 p += (unsigned int) ret; \
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]2911}
2912
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2913/*
2914 * Store the name in printable form into buf; no more
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]2915 * than size characters will be written
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2916 */
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]2917int x509parse_dn_gets( char *buf, size_t size, const x509_name *dn )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2918{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2919 int ret;
2920 size_t i, n;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2921 unsigned char c;
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]2922 const x509_name *name;
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]2923 const char *short_name = NULL;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2924 char s[128], *p;
2925
2926 memset( s, 0, sizeof( s ) );
2927
2928 name = dn;
2929 p = buf;
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]2930 n = size;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2931
2932 while( name != NULL )
2933 {
Paul Bakkercefb3962012-06-27 11:51:09 +0000[diff] [blame]2934 if( !name->oid.p )
2935 {
2936 name = name->next;
2937 continue;
2938 }
2939
Paul Bakker74111d32011-01-15 16:57:55 +0000[diff] [blame]2940 if( name != dn )
2941 {
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]2942 ret = snprintf( p, n, ", " );
2943 SAFE_SNPRINTF();
2944 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2945
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]2946 ret = oid_get_attr_short_name( &name->oid, &short_name );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2947
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]2948 if( ret == 0 )
2949 ret = snprintf( p, n, "%s=", short_name );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2950 else
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]2951 ret = snprintf( p, n, "\?\?=" );
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]2952 SAFE_SNPRINTF();
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2953
2954 for( i = 0; i < name->val.len; i++ )
2955 {
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]2956 if( i >= sizeof( s ) - 1 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2957 break;
2958
2959 c = name->val.p[i];
2960 if( c < 32 || c == 127 || ( c > 128 && c < 160 ) )
2961 s[i] = '?';
2962 else s[i] = c;
2963 }
2964 s[i] = '\0';
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]2965 ret = snprintf( p, n, "%s", s );
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]2966 SAFE_SNPRINTF();
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2967 name = name->next;
2968 }
2969
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2970 return( (int) ( size - n ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2971}
2972
2973/*
Paul Bakkerdd476992011-01-16 21:34:59 +0000[diff] [blame]2974 * Store the serial in printable form into buf; no more
2975 * than size characters will be written
2976 */
2977int x509parse_serial_gets( char *buf, size_t size, const x509_buf *serial )
2978{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2979 int ret;
2980 size_t i, n, nr;
Paul Bakkerdd476992011-01-16 21:34:59 +0000[diff] [blame]2981 char *p;
2982
2983 p = buf;
2984 n = size;
2985
2986 nr = ( serial->len <= 32 )
Paul Bakker03c7c252011-11-25 12:37:37 +0000[diff] [blame]2987 ? serial->len : 28;
Paul Bakkerdd476992011-01-16 21:34:59 +0000[diff] [blame]2988
2989 for( i = 0; i < nr; i++ )
2990 {
Paul Bakker93048802011-12-05 14:38:06 +0000[diff] [blame]2991 if( i == 0 && nr > 1 && serial->p[i] == 0x0 )
Paul Bakkerc8ffbe72011-12-05 14:22:49 +0000[diff] [blame]2992 continue;
2993
Paul Bakkerdd476992011-01-16 21:34:59 +0000[diff] [blame]2994 ret = snprintf( p, n, "%02X%s",
2995 serial->p[i], ( i < nr - 1 ) ? ":" : "" );
2996 SAFE_SNPRINTF();
2997 }
2998
Paul Bakker03c7c252011-11-25 12:37:37 +0000[diff] [blame]2999 if( nr != serial->len )
3000 {
3001 ret = snprintf( p, n, "...." );
3002 SAFE_SNPRINTF();
3003 }
3004
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]3005 return( (int) ( size - n ) );
Paul Bakkerdd476992011-01-16 21:34:59 +0000[diff] [blame]3006}
3007
3008/*
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]3009 * Return an informational string about the certificate.
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3010 */
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]3011int x509parse_cert_info( char *buf, size_t size, const char *prefix,
3012 const x509_cert *crt )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3013{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]3014 int ret;
3015 size_t n;
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]3016 char *p;
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]3017 const char *desc = NULL;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3018
3019 p = buf;
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]3020 n = size;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3021
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]3022 ret = snprintf( p, n, "%scert. version : %d\n",
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3023 prefix, crt->version );
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]3024 SAFE_SNPRINTF();
3025 ret = snprintf( p, n, "%sserial number : ",
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3026 prefix );
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]3027 SAFE_SNPRINTF();
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3028
Paul Bakkerdd476992011-01-16 21:34:59 +0000[diff] [blame]3029 ret = x509parse_serial_gets( p, n, &crt->serial);
3030 SAFE_SNPRINTF();
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3031
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]3032 ret = snprintf( p, n, "\n%sissuer name : ", prefix );
3033 SAFE_SNPRINTF();
3034 ret = x509parse_dn_gets( p, n, &crt->issuer );
3035 SAFE_SNPRINTF();
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3036
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]3037 ret = snprintf( p, n, "\n%ssubject name : ", prefix );
3038 SAFE_SNPRINTF();
3039 ret = x509parse_dn_gets( p, n, &crt->subject );
3040 SAFE_SNPRINTF();
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3041
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]3042 ret = snprintf( p, n, "\n%sissued on : " \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3043 "%04d-%02d-%02d %02d:%02d:%02d", prefix,
3044 crt->valid_from.year, crt->valid_from.mon,
3045 crt->valid_from.day, crt->valid_from.hour,
3046 crt->valid_from.min, crt->valid_from.sec );
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]3047 SAFE_SNPRINTF();
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3048
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]3049 ret = snprintf( p, n, "\n%sexpires on : " \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3050 "%04d-%02d-%02d %02d:%02d:%02d", prefix,
3051 crt->valid_to.year, crt->valid_to.mon,
3052 crt->valid_to.day, crt->valid_to.hour,
3053 crt->valid_to.min, crt->valid_to.sec );
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]3054 SAFE_SNPRINTF();
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3055
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]3056 ret = snprintf( p, n, "\n%ssigned using : ", prefix );
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]3057 SAFE_SNPRINTF();
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3058
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]3059 ret = oid_get_sig_alg_desc( &crt->sig_oid1, &desc );
3060 if( ret != 0 )
3061 ret = snprintf( p, n, "???" );
3062 else
3063 ret = snprintf( p, n, desc );
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]3064 SAFE_SNPRINTF();
3065
Manuel Pégourié-Gonnardab2d9832013-07-11 16:17:23 +0200[diff] [blame^]3066#if defined(POLARSSL_RSA_C)
3067 if( crt->pk.type == POLARSSL_PK_RSA )
3068 ret = snprintf( p, n, "\n%sRSA key size : %d bits\n", prefix,
3069 (int) pk_rsa( crt->pk )->N.n * (int) sizeof( t_uint ) * 8 );
3070 else
3071#endif /* POLARSSL_RSA_C */
3072#if defined(POLARSSL_ECP_C)
3073 if( crt->pk.type == POLARSSL_PK_ECKEY ||
3074 crt->pk.type == POLARSSL_PK_ECKEY_DH )
3075 ret = snprintf( p, n, "\n%sEC key size : %d bits\n", prefix,
3076 (int) pk_ec( crt->pk )->grp.pbits );
3077 else
3078#endif /* POLARSSL_ECP_C */
3079 ret = snprintf(p, n, "\n%sPK type looks wrong!", prefix);
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]3080 SAFE_SNPRINTF();
3081
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]3082 return( (int) ( size - n ) );
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]3083}
3084
Paul Bakker74111d32011-01-15 16:57:55 +0000[diff] [blame]3085/*
3086 * Return an informational string describing the given OID
3087 */
3088const char *x509_oid_get_description( x509_buf *oid )
3089{
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]3090 const char *desc = NULL;
3091 int ret;
Paul Bakker74111d32011-01-15 16:57:55 +0000[diff] [blame]3092
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]3093 ret = oid_get_extended_key_usage( oid, &desc );
Paul Bakker74111d32011-01-15 16:57:55 +0000[diff] [blame]3094
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]3095 if( ret != 0 )
3096 return( NULL );
Paul Bakker74111d32011-01-15 16:57:55 +0000[diff] [blame]3097
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]3098 return( desc );
Paul Bakker74111d32011-01-15 16:57:55 +0000[diff] [blame]3099}
3100
3101/* Return the x.y.z.... style numeric string for the given OID */
3102int x509_oid_get_numeric_string( char *buf, size_t size, x509_buf *oid )
3103{
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]3104 return oid_get_numeric_string( buf, size, oid );
Paul Bakker74111d32011-01-15 16:57:55 +0000[diff] [blame]3105}
3106
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]3107/*
3108 * Return an informational string about the CRL.
3109 */
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]3110int x509parse_crl_info( char *buf, size_t size, const char *prefix,
3111 const x509_crl *crl )
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]3112{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]3113 int ret;
Paul Bakkerc8ffbe72011-12-05 14:22:49 +0000[diff] [blame]3114 size_t n;
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]3115 char *p;
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]3116 const char *desc;
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]3117 const x509_crl_entry *entry;
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]3118
3119 p = buf;
3120 n = size;
3121
3122 ret = snprintf( p, n, "%sCRL version : %d",
3123 prefix, crl->version );
3124 SAFE_SNPRINTF();
3125
3126 ret = snprintf( p, n, "\n%sissuer name : ", prefix );
3127 SAFE_SNPRINTF();
3128 ret = x509parse_dn_gets( p, n, &crl->issuer );
3129 SAFE_SNPRINTF();
3130
3131 ret = snprintf( p, n, "\n%sthis update : " \
3132 "%04d-%02d-%02d %02d:%02d:%02d", prefix,
3133 crl->this_update.year, crl->this_update.mon,
3134 crl->this_update.day, crl->this_update.hour,
3135 crl->this_update.min, crl->this_update.sec );
3136 SAFE_SNPRINTF();
3137
3138 ret = snprintf( p, n, "\n%snext update : " \
3139 "%04d-%02d-%02d %02d:%02d:%02d", prefix,
3140 crl->next_update.year, crl->next_update.mon,
3141 crl->next_update.day, crl->next_update.hour,
3142 crl->next_update.min, crl->next_update.sec );
3143 SAFE_SNPRINTF();
3144
3145 entry = &crl->entry;
3146
3147 ret = snprintf( p, n, "\n%sRevoked certificates:",
3148 prefix );
3149 SAFE_SNPRINTF();
3150
Paul Bakker9be19372009-07-27 20:21:53 +0000[diff] [blame]3151 while( entry != NULL && entry->raw.len != 0 )
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]3152 {
3153 ret = snprintf( p, n, "\n%sserial number: ",
3154 prefix );
3155 SAFE_SNPRINTF();
3156
Paul Bakkerc8ffbe72011-12-05 14:22:49 +0000[diff] [blame]3157 ret = x509parse_serial_gets( p, n, &entry->serial);
3158 SAFE_SNPRINTF();
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]3159
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]3160 ret = snprintf( p, n, " revocation date: " \
3161 "%04d-%02d-%02d %02d:%02d:%02d",
3162 entry->revocation_date.year, entry->revocation_date.mon,
3163 entry->revocation_date.day, entry->revocation_date.hour,
3164 entry->revocation_date.min, entry->revocation_date.sec );
Paul Bakkerc8ffbe72011-12-05 14:22:49 +0000[diff] [blame]3165 SAFE_SNPRINTF();
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]3166
3167 entry = entry->next;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3168 }
3169
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]3170 ret = snprintf( p, n, "\n%ssigned using : ", prefix );
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]3171 SAFE_SNPRINTF();
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3172
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]3173 ret = oid_get_sig_alg_desc( &crl->sig_oid1, &desc );
3174 if( ret != 0 )
3175 ret = snprintf( p, n, "???" );
3176 else
3177 ret = snprintf( p, n, desc );
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]3178 SAFE_SNPRINTF();
3179
Paul Bakker1e27bb22009-07-19 20:25:25 +0000[diff] [blame]3180 ret = snprintf( p, n, "\n" );
3181 SAFE_SNPRINTF();
3182
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]3183 return( (int) ( size - n ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3184}
3185
3186/*
Paul Bakker40ea7de2009-05-03 10:18:48 +0000[diff] [blame]3187 * Return 0 if the x509_time is still valid, or 1 otherwise.
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3188 */
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]3189#if defined(POLARSSL_HAVE_TIME)
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]3190int x509parse_time_expired( const x509_time *to )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3191{
Paul Bakkercce9d772011-11-18 14:26:47 +0000[diff] [blame]3192 int year, mon, day;
3193 int hour, min, sec;
3194
3195#if defined(_WIN32)
3196 SYSTEMTIME st;
3197
3198 GetLocalTime(&st);
3199
3200 year = st.wYear;
3201 mon = st.wMonth;
3202 day = st.wDay;
3203 hour = st.wHour;
3204 min = st.wMinute;
3205 sec = st.wSecond;
3206#else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3207 struct tm *lt;
3208 time_t tt;
3209
3210 tt = time( NULL );
3211 lt = localtime( &tt );
3212
Paul Bakkercce9d772011-11-18 14:26:47 +0000[diff] [blame]3213 year = lt->tm_year + 1900;
3214 mon = lt->tm_mon + 1;
3215 day = lt->tm_mday;
3216 hour = lt->tm_hour;
3217 min = lt->tm_min;
3218 sec = lt->tm_sec;
3219#endif
3220
3221 if( year > to->year )
Paul Bakker40ea7de2009-05-03 10:18:48 +0000[diff] [blame]3222 return( 1 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3223
Paul Bakkercce9d772011-11-18 14:26:47 +0000[diff] [blame]3224 if( year == to->year &&
3225 mon > to->mon )
Paul Bakker40ea7de2009-05-03 10:18:48 +0000[diff] [blame]3226 return( 1 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3227
Paul Bakkercce9d772011-11-18 14:26:47 +0000[diff] [blame]3228 if( year == to->year &&
3229 mon == to->mon &&
3230 day > to->day )
Paul Bakker40ea7de2009-05-03 10:18:48 +0000[diff] [blame]3231 return( 1 );
3232
Paul Bakkercce9d772011-11-18 14:26:47 +0000[diff] [blame]3233 if( year == to->year &&
3234 mon == to->mon &&
3235 day == to->day &&
3236 hour > to->hour )
Paul Bakkerb6194992011-01-16 21:40:22 +0000[diff] [blame]3237 return( 1 );
3238
Paul Bakkercce9d772011-11-18 14:26:47 +0000[diff] [blame]3239 if( year == to->year &&
3240 mon == to->mon &&
3241 day == to->day &&
3242 hour == to->hour &&
3243 min > to->min )
Paul Bakkerb6194992011-01-16 21:40:22 +0000[diff] [blame]3244 return( 1 );
3245
Paul Bakkercce9d772011-11-18 14:26:47 +0000[diff] [blame]3246 if( year == to->year &&
3247 mon == to->mon &&
3248 day == to->day &&
3249 hour == to->hour &&
3250 min == to->min &&
3251 sec > to->sec )
Paul Bakkerb6194992011-01-16 21:40:22 +0000[diff] [blame]3252 return( 1 );
3253
Paul Bakker40ea7de2009-05-03 10:18:48 +0000[diff] [blame]3254 return( 0 );
3255}
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]3256#else /* POLARSSL_HAVE_TIME */
3257int x509parse_time_expired( const x509_time *to )
3258{
3259 ((void) to);
3260 return( 0 );
3261}
3262#endif /* POLARSSL_HAVE_TIME */
Paul Bakker40ea7de2009-05-03 10:18:48 +0000[diff] [blame]3263
3264/*
3265 * Return 1 if the certificate is revoked, or 0 otherwise.
3266 */
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]3267int x509parse_revoked( const x509_cert *crt, const x509_crl *crl )
Paul Bakker40ea7de2009-05-03 10:18:48 +0000[diff] [blame]3268{
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]3269 const x509_crl_entry *cur = &crl->entry;
Paul Bakker40ea7de2009-05-03 10:18:48 +0000[diff] [blame]3270
3271 while( cur != NULL && cur->serial.len != 0 )
3272 {
Paul Bakkera056efc2011-01-16 21:38:35 +0000[diff] [blame]3273 if( crt->serial.len == cur->serial.len &&
3274 memcmp( crt->serial.p, cur->serial.p, crt->serial.len ) == 0 )
Paul Bakker40ea7de2009-05-03 10:18:48 +0000[diff] [blame]3275 {
3276 if( x509parse_time_expired( &cur->revocation_date ) )
3277 return( 1 );
3278 }
3279
3280 cur = cur->next;
3281 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3282
3283 return( 0 );
3284}
3285
Paul Bakkerde4d2ea2009-10-03 19:58:52 +0000[diff] [blame]3286/*
Paul Bakker76fd75a2011-01-16 21:12:10 +0000[diff] [blame]3287 * Check that the given certificate is valid accoring to the CRL.
3288 */
3289static int x509parse_verifycrl(x509_cert *crt, x509_cert *ca,
3290 x509_crl *crl_list)
3291{
3292 int flags = 0;
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]3293 unsigned char hash[POLARSSL_MD_MAX_SIZE];
3294 const md_info_t *md_info;
Paul Bakker76fd75a2011-01-16 21:12:10 +0000[diff] [blame]3295
Paul Bakker915275b2012-09-28 07:10:55 +0000[diff] [blame]3296 if( ca == NULL )
3297 return( flags );
3298
Paul Bakker76fd75a2011-01-16 21:12:10 +0000[diff] [blame]3299 /*
3300 * TODO: What happens if no CRL is present?
3301 * Suggestion: Revocation state should be unknown if no CRL is present.
3302 * For backwards compatibility this is not yet implemented.
3303 */
3304
Paul Bakker915275b2012-09-28 07:10:55 +0000[diff] [blame]3305 while( crl_list != NULL )
Paul Bakker76fd75a2011-01-16 21:12:10 +0000[diff] [blame]3306 {
Paul Bakker915275b2012-09-28 07:10:55 +0000[diff] [blame]3307 if( crl_list->version == 0 ||
3308 crl_list->issuer_raw.len != ca->subject_raw.len ||
Paul Bakker76fd75a2011-01-16 21:12:10 +0000[diff] [blame]3309 memcmp( crl_list->issuer_raw.p, ca->subject_raw.p,
3310 crl_list->issuer_raw.len ) != 0 )
3311 {
3312 crl_list = crl_list->next;
3313 continue;
3314 }
3315
3316 /*
3317 * Check if CRL is correctly signed by the trusted CA
3318 */
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]3319 md_info = md_info_from_type( crl_list->sig_md );
3320 if( md_info == NULL )
3321 {
3322 /*
3323 * Cannot check 'unknown' hash
3324 */
3325 flags |= BADCRL_NOT_TRUSTED;
3326 break;
3327 }
Paul Bakker76fd75a2011-01-16 21:12:10 +0000[diff] [blame]3328
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]3329 md( md_info, crl_list->tbs.p, crl_list->tbs.len, hash );
Paul Bakker76fd75a2011-01-16 21:12:10 +0000[diff] [blame]3330
Manuel Pégourié-Gonnardff56da32013-07-11 10:46:21 +0200[diff] [blame]3331 /* EC NOT IMPLEMENTED YET */
3332 if( ca->pk.type != POLARSSL_PK_RSA )
3333 return( POLARSSL_ERR_X509_FEATURE_UNAVAILABLE );
3334
3335 if( !rsa_pkcs1_verify( pk_rsa( ca->pk ), RSA_PUBLIC, crl_list->sig_md,
Paul Bakker76fd75a2011-01-16 21:12:10 +0000[diff] [blame]3336 0, hash, crl_list->sig.p ) == 0 )
3337 {
3338 /*
3339 * CRL is not trusted
3340 */
3341 flags |= BADCRL_NOT_TRUSTED;
3342 break;
3343 }
3344
3345 /*
3346 * Check for validity of CRL (Do not drop out)
3347 */
3348 if( x509parse_time_expired( &crl_list->next_update ) )
3349 flags |= BADCRL_EXPIRED;
3350
3351 /*
3352 * Check if certificate is revoked
3353 */
3354 if( x509parse_revoked(crt, crl_list) )
3355 {
3356 flags |= BADCERT_REVOKED;
3357 break;
3358 }
3359
3360 crl_list = crl_list->next;
3361 }
3362 return flags;
3363}
3364
Paul Bakkerb6c5d2e2013-06-25 16:25:17 +0200[diff] [blame]3365static int x509_wildcard_verify( const char *cn, x509_buf *name )
Paul Bakkera8cd2392012-02-11 16:09:32 +0000[diff] [blame]3366{
3367 size_t i;
3368 size_t cn_idx = 0;
3369
Paul Bakker57b12982012-02-11 17:38:38 +0000[diff] [blame]3370 if( name->len < 3 || name->p[0] != '*' || name->p[1] != '.' )
Paul Bakkera8cd2392012-02-11 16:09:32 +0000[diff] [blame]3371 return( 0 );
3372
3373 for( i = 0; i < strlen( cn ); ++i )
3374 {
3375 if( cn[i] == '.' )
3376 {
3377 cn_idx = i;
3378 break;
3379 }
3380 }
3381
3382 if( cn_idx == 0 )
3383 return( 0 );
3384
Paul Bakker535e97d2012-08-23 10:49:55 +0000[diff] [blame]3385 if( strlen( cn ) - cn_idx == name->len - 1 &&
3386 memcmp( name->p + 1, cn + cn_idx, name->len - 1 ) == 0 )
Paul Bakkera8cd2392012-02-11 16:09:32 +0000[diff] [blame]3387 {
3388 return( 1 );
3389 }
3390
3391 return( 0 );
3392}
3393
Paul Bakker915275b2012-09-28 07:10:55 +0000[diff] [blame]3394static int x509parse_verify_top(
3395 x509_cert *child, x509_cert *trust_ca,
Paul Bakker9a736322012-11-14 12:39:52 +0000[diff] [blame]3396 x509_crl *ca_crl, int path_cnt, int *flags,
Paul Bakker915275b2012-09-28 07:10:55 +0000[diff] [blame]3397 int (*f_vrfy)(void *, x509_cert *, int, int *),
3398 void *p_vrfy )
3399{
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]3400 int ret;
Paul Bakker9a736322012-11-14 12:39:52 +0000[diff] [blame]3401 int ca_flags = 0, check_path_cnt = path_cnt + 1;
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]3402 unsigned char hash[POLARSSL_MD_MAX_SIZE];
3403 const md_info_t *md_info;
Paul Bakker915275b2012-09-28 07:10:55 +0000[diff] [blame]3404
3405 if( x509parse_time_expired( &child->valid_to ) )
3406 *flags |= BADCERT_EXPIRED;
3407
3408 /*
3409 * Child is the top of the chain. Check against the trust_ca list.
3410 */
3411 *flags |= BADCERT_NOT_TRUSTED;
3412
3413 while( trust_ca != NULL )
3414 {
3415 if( trust_ca->version == 0 ||
3416 child->issuer_raw.len != trust_ca->subject_raw.len ||
3417 memcmp( child->issuer_raw.p, trust_ca->subject_raw.p,
3418 child->issuer_raw.len ) != 0 )
3419 {
3420 trust_ca = trust_ca->next;
3421 continue;
3422 }
3423
Paul Bakker9a736322012-11-14 12:39:52 +0000[diff] [blame]3424 /*
3425 * Reduce path_len to check against if top of the chain is
3426 * the same as the trusted CA
3427 */
3428 if( child->subject_raw.len == trust_ca->subject_raw.len &&
3429 memcmp( child->subject_raw.p, trust_ca->subject_raw.p,
3430 child->issuer_raw.len ) == 0 )
3431 {
3432 check_path_cnt--;
3433 }
3434
Paul Bakker915275b2012-09-28 07:10:55 +0000[diff] [blame]3435 if( trust_ca->max_pathlen > 0 &&
Paul Bakker9a736322012-11-14 12:39:52 +0000[diff] [blame]3436 trust_ca->max_pathlen < check_path_cnt )
Paul Bakker915275b2012-09-28 07:10:55 +0000[diff] [blame]3437 {
3438 trust_ca = trust_ca->next;
3439 continue;
3440 }
3441
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]3442 md_info = md_info_from_type( child->sig_md );
3443 if( md_info == NULL )
3444 {
3445 /*
3446 * Cannot check 'unknown' hash
3447 */
3448 continue;
3449 }
Paul Bakker915275b2012-09-28 07:10:55 +0000[diff] [blame]3450
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]3451 md( md_info, child->tbs.p, child->tbs.len, hash );
Paul Bakker915275b2012-09-28 07:10:55 +0000[diff] [blame]3452
Manuel Pégourié-Gonnardff56da32013-07-11 10:46:21 +0200[diff] [blame]3453 /* EC NOT IMPLEMENTED YET */
3454 if( trust_ca->pk.type != POLARSSL_PK_RSA )
3455 return( POLARSSL_ERR_X509_FEATURE_UNAVAILABLE );
3456
3457 if( rsa_pkcs1_verify( pk_rsa( trust_ca->pk ), RSA_PUBLIC, child->sig_md,
Paul Bakker915275b2012-09-28 07:10:55 +0000[diff] [blame]3458 0, hash, child->sig.p ) != 0 )
3459 {
3460 trust_ca = trust_ca->next;
3461 continue;
3462 }
3463
3464 /*
3465 * Top of chain is signed by a trusted CA
3466 */
3467 *flags &= ~BADCERT_NOT_TRUSTED;
3468 break;
3469 }
3470
Paul Bakker9a736322012-11-14 12:39:52 +0000[diff] [blame]3471 /*
Paul Bakker3497d8c2012-11-24 11:53:17 +0100[diff] [blame]3472 * If top of chain is not the same as the trusted CA send a verify request
3473 * to the callback for any issues with validity and CRL presence for the
3474 * trusted CA certificate.
Paul Bakker9a736322012-11-14 12:39:52 +0000[diff] [blame]3475 */
3476 if( trust_ca != NULL &&
3477 ( child->subject_raw.len != trust_ca->subject_raw.len ||
3478 memcmp( child->subject_raw.p, trust_ca->subject_raw.p,
3479 child->issuer_raw.len ) != 0 ) )
Paul Bakker915275b2012-09-28 07:10:55 +0000[diff] [blame]3480 {
3481 /* Check trusted CA's CRL for then chain's top crt */
3482 *flags |= x509parse_verifycrl( child, trust_ca, ca_crl );
3483
3484 if( x509parse_time_expired( &trust_ca->valid_to ) )
3485 ca_flags |= BADCERT_EXPIRED;
3486
Paul Bakker915275b2012-09-28 07:10:55 +0000[diff] [blame]3487 if( NULL != f_vrfy )
3488 {
Paul Bakker9a736322012-11-14 12:39:52 +0000[diff] [blame]3489 if( ( ret = f_vrfy( p_vrfy, trust_ca, path_cnt + 1, &ca_flags ) ) != 0 )
Paul Bakker915275b2012-09-28 07:10:55 +0000[diff] [blame]3490 return( ret );
3491 }
3492 }
3493
3494 /* Call callback on top cert */
3495 if( NULL != f_vrfy )
3496 {
Paul Bakker9a736322012-11-14 12:39:52 +0000[diff] [blame]3497 if( ( ret = f_vrfy(p_vrfy, child, path_cnt, flags ) ) != 0 )
Paul Bakker915275b2012-09-28 07:10:55 +0000[diff] [blame]3498 return( ret );
3499 }
3500
Paul Bakker915275b2012-09-28 07:10:55 +0000[diff] [blame]3501 *flags |= ca_flags;
3502
3503 return( 0 );
3504}
3505
3506static int x509parse_verify_child(
3507 x509_cert *child, x509_cert *parent, x509_cert *trust_ca,
Paul Bakker9a736322012-11-14 12:39:52 +0000[diff] [blame]3508 x509_crl *ca_crl, int path_cnt, int *flags,
Paul Bakker915275b2012-09-28 07:10:55 +0000[diff] [blame]3509 int (*f_vrfy)(void *, x509_cert *, int, int *),
3510 void *p_vrfy )
3511{
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]3512 int ret;
Paul Bakker915275b2012-09-28 07:10:55 +0000[diff] [blame]3513 int parent_flags = 0;
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]3514 unsigned char hash[POLARSSL_MD_MAX_SIZE];
Paul Bakker915275b2012-09-28 07:10:55 +0000[diff] [blame]3515 x509_cert *grandparent;
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]3516 const md_info_t *md_info;
Paul Bakker915275b2012-09-28 07:10:55 +0000[diff] [blame]3517
3518 if( x509parse_time_expired( &child->valid_to ) )
3519 *flags |= BADCERT_EXPIRED;
3520
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]3521 md_info = md_info_from_type( child->sig_md );
3522 if( md_info == NULL )
3523 {
3524 /*
3525 * Cannot check 'unknown' hash
3526 */
Paul Bakker915275b2012-09-28 07:10:55 +0000[diff] [blame]3527 *flags |= BADCERT_NOT_TRUSTED;
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]3528 }
3529 else
3530 {
3531 md( md_info, child->tbs.p, child->tbs.len, hash );
3532
Manuel Pégourié-Gonnardff56da32013-07-11 10:46:21 +0200[diff] [blame]3533 /* EC NOT IMPLEMENTED YET */
3534 if( parent->pk.type != POLARSSL_PK_RSA )
3535 return( POLARSSL_ERR_X509_FEATURE_UNAVAILABLE );
3536
3537 if( rsa_pkcs1_verify( pk_rsa( parent->pk ), RSA_PUBLIC, child->sig_md,
3538 0, hash, child->sig.p ) != 0 )
3539 {
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]3540 *flags |= BADCERT_NOT_TRUSTED;
Manuel Pégourié-Gonnardff56da32013-07-11 10:46:21 +0200[diff] [blame]3541 }
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]3542 }
3543
Paul Bakker915275b2012-09-28 07:10:55 +0000[diff] [blame]3544 /* Check trusted CA's CRL for the given crt */
3545 *flags |= x509parse_verifycrl(child, parent, ca_crl);
3546
3547 grandparent = parent->next;
3548
3549 while( grandparent != NULL )
3550 {
3551 if( grandparent->version == 0 ||
3552 grandparent->ca_istrue == 0 ||
3553 parent->issuer_raw.len != grandparent->subject_raw.len ||
3554 memcmp( parent->issuer_raw.p, grandparent->subject_raw.p,
3555 parent->issuer_raw.len ) != 0 )
3556 {
3557 grandparent = grandparent->next;
3558 continue;
3559 }
3560 break;
3561 }
3562
Paul Bakker915275b2012-09-28 07:10:55 +0000[diff] [blame]3563 if( grandparent != NULL )
3564 {
3565 /*
3566 * Part of the chain
3567 */
Paul Bakker9a736322012-11-14 12:39:52 +0000[diff] [blame]3568 ret = x509parse_verify_child( parent, grandparent, trust_ca, ca_crl, path_cnt + 1, &parent_flags, f_vrfy, p_vrfy );
Paul Bakker915275b2012-09-28 07:10:55 +0000[diff] [blame]3569 if( ret != 0 )
3570 return( ret );
3571 }
3572 else
3573 {
Paul Bakker9a736322012-11-14 12:39:52 +0000[diff] [blame]3574 ret = x509parse_verify_top( parent, trust_ca, ca_crl, path_cnt + 1, &parent_flags, f_vrfy, p_vrfy );
Paul Bakker915275b2012-09-28 07:10:55 +0000[diff] [blame]3575 if( ret != 0 )
3576 return( ret );
3577 }
3578
3579 /* child is verified to be a child of the parent, call verify callback */
3580 if( NULL != f_vrfy )
Paul Bakker9a736322012-11-14 12:39:52 +0000[diff] [blame]3581 if( ( ret = f_vrfy( p_vrfy, child, path_cnt, flags ) ) != 0 )
Paul Bakker915275b2012-09-28 07:10:55 +0000[diff] [blame]3582 return( ret );
Paul Bakker915275b2012-09-28 07:10:55 +0000[diff] [blame]3583
3584 *flags |= parent_flags;
3585
3586 return( 0 );
3587}
3588
Paul Bakker76fd75a2011-01-16 21:12:10 +0000[diff] [blame]3589/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3590 * Verify the certificate validity
3591 */
3592int x509parse_verify( x509_cert *crt,
3593 x509_cert *trust_ca,
Paul Bakker40ea7de2009-05-03 10:18:48 +0000[diff] [blame]3594 x509_crl *ca_crl,
Paul Bakkerb63b0af2011-01-13 17:54:59 +0000[diff] [blame]3595 const char *cn, int *flags,
Paul Bakker915275b2012-09-28 07:10:55 +0000[diff] [blame]3596 int (*f_vrfy)(void *, x509_cert *, int, int *),
Paul Bakkerb63b0af2011-01-13 17:54:59 +0000[diff] [blame]3597 void *p_vrfy )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3598{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]3599 size_t cn_len;
Paul Bakker915275b2012-09-28 07:10:55 +0000[diff] [blame]3600 int ret;
Paul Bakker9a736322012-11-14 12:39:52 +0000[diff] [blame]3601 int pathlen = 0;
Paul Bakker76fd75a2011-01-16 21:12:10 +0000[diff] [blame]3602 x509_cert *parent;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3603 x509_name *name;
Paul Bakkera8cd2392012-02-11 16:09:32 +0000[diff] [blame]3604 x509_sequence *cur = NULL;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3605
Paul Bakker40ea7de2009-05-03 10:18:48 +0000[diff] [blame]3606 *flags = 0;
3607
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3608 if( cn != NULL )
3609 {
3610 name = &crt->subject;
3611 cn_len = strlen( cn );
3612
Paul Bakker4d2c1242012-05-10 14:12:46 +0000[diff] [blame]3613 if( crt->ext_types & EXT_SUBJECT_ALT_NAME )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3614 {
Paul Bakker4d2c1242012-05-10 14:12:46 +0000[diff] [blame]3615 cur = &crt->subject_alt_names;
3616
3617 while( cur != NULL )
Paul Bakkera8cd2392012-02-11 16:09:32 +0000[diff] [blame]3618 {
Paul Bakker535e97d2012-08-23 10:49:55 +0000[diff] [blame]3619 if( cur->buf.len == cn_len &&
3620 memcmp( cn, cur->buf.p, cn_len ) == 0 )
Paul Bakkera8cd2392012-02-11 16:09:32 +0000[diff] [blame]3621 break;
3622
Paul Bakker535e97d2012-08-23 10:49:55 +0000[diff] [blame]3623 if( cur->buf.len > 2 &&
3624 memcmp( cur->buf.p, "*.", 2 ) == 0 &&
Paul Bakker4d2c1242012-05-10 14:12:46 +0000[diff] [blame]3625 x509_wildcard_verify( cn, &cur->buf ) )
Paul Bakkera8cd2392012-02-11 16:09:32 +0000[diff] [blame]3626 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3627
Paul Bakker4d2c1242012-05-10 14:12:46 +0000[diff] [blame]3628 cur = cur->next;
Paul Bakkera8cd2392012-02-11 16:09:32 +0000[diff] [blame]3629 }
3630
3631 if( cur == NULL )
3632 *flags |= BADCERT_CN_MISMATCH;
3633 }
Paul Bakker4d2c1242012-05-10 14:12:46 +0000[diff] [blame]3634 else
3635 {
3636 while( name != NULL )
3637 {
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]3638 if( OID_CMP( OID_AT_CN, &name->oid ) )
Paul Bakker4d2c1242012-05-10 14:12:46 +0000[diff] [blame]3639 {
Paul Bakker535e97d2012-08-23 10:49:55 +0000[diff] [blame]3640 if( name->val.len == cn_len &&
3641 memcmp( name->val.p, cn, cn_len ) == 0 )
Paul Bakker4d2c1242012-05-10 14:12:46 +0000[diff] [blame]3642 break;
3643
Paul Bakker535e97d2012-08-23 10:49:55 +0000[diff] [blame]3644 if( name->val.len > 2 &&
3645 memcmp( name->val.p, "*.", 2 ) == 0 &&
Paul Bakker4d2c1242012-05-10 14:12:46 +0000[diff] [blame]3646 x509_wildcard_verify( cn, &name->val ) )
3647 break;
3648 }
3649
3650 name = name->next;
3651 }
3652
3653 if( name == NULL )
3654 *flags |= BADCERT_CN_MISMATCH;
3655 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3656 }
3657
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3658 /*
Paul Bakker915275b2012-09-28 07:10:55 +0000[diff] [blame]3659 * Iterate upwards in the given cert chain, to find our crt parent.
3660 * Ignore any upper cert with CA != TRUE.
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3661 */
Paul Bakker76fd75a2011-01-16 21:12:10 +0000[diff] [blame]3662 parent = crt->next;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3663
Paul Bakker76fd75a2011-01-16 21:12:10 +0000[diff] [blame]3664 while( parent != NULL && parent->version != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3665 {
Paul Bakker76fd75a2011-01-16 21:12:10 +0000[diff] [blame]3666 if( parent->ca_istrue == 0 ||
3667 crt->issuer_raw.len != parent->subject_raw.len ||
3668 memcmp( crt->issuer_raw.p, parent->subject_raw.p,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3669 crt->issuer_raw.len ) != 0 )
3670 {
Paul Bakker76fd75a2011-01-16 21:12:10 +0000[diff] [blame]3671 parent = parent->next;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3672 continue;
3673 }
Paul Bakker915275b2012-09-28 07:10:55 +0000[diff] [blame]3674 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3675 }
3676
Paul Bakker915275b2012-09-28 07:10:55 +0000[diff] [blame]3677 if( parent != NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3678 {
Paul Bakker915275b2012-09-28 07:10:55 +0000[diff] [blame]3679 /*
3680 * Part of the chain
3681 */
Paul Bakker9a736322012-11-14 12:39:52 +0000[diff] [blame]3682 ret = x509parse_verify_child( crt, parent, trust_ca, ca_crl, pathlen, flags, f_vrfy, p_vrfy );
Paul Bakker915275b2012-09-28 07:10:55 +0000[diff] [blame]3683 if( ret != 0 )
3684 return( ret );
3685 }
3686 else
Paul Bakker74111d32011-01-15 16:57:55 +0000[diff] [blame]3687 {
Paul Bakker9a736322012-11-14 12:39:52 +0000[diff] [blame]3688 ret = x509parse_verify_top( crt, trust_ca, ca_crl, pathlen, flags, f_vrfy, p_vrfy );
Paul Bakker915275b2012-09-28 07:10:55 +0000[diff] [blame]3689 if( ret != 0 )
3690 return( ret );
Paul Bakkerb63b0af2011-01-13 17:54:59 +0000[diff] [blame]3691 }
Paul Bakker915275b2012-09-28 07:10:55 +0000[diff] [blame]3692
3693 if( *flags != 0 )
Paul Bakker76fd75a2011-01-16 21:12:10 +0000[diff] [blame]3694 return( POLARSSL_ERR_X509_CERT_VERIFY_FAILED );
Paul Bakkerb63b0af2011-01-13 17:54:59 +0000[diff] [blame]3695
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3696 return( 0 );
3697}
3698
3699/*
3700 * Unallocate all certificate data
3701 */
3702void x509_free( x509_cert *crt )
3703{
3704 x509_cert *cert_cur = crt;
3705 x509_cert *cert_prv;
3706 x509_name *name_cur;
3707 x509_name *name_prv;
Paul Bakker74111d32011-01-15 16:57:55 +0000[diff] [blame]3708 x509_sequence *seq_cur;
3709 x509_sequence *seq_prv;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3710
3711 if( crt == NULL )
3712 return;
3713
3714 do
3715 {
Manuel Pégourié-Gonnard674b2242013-07-10 14:32:58 +0200[diff] [blame]3716 pk_free( &cert_cur->pk );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3717
3718 name_cur = cert_cur->issuer.next;
3719 while( name_cur != NULL )
3720 {
3721 name_prv = name_cur;
3722 name_cur = name_cur->next;
3723 memset( name_prv, 0, sizeof( x509_name ) );
Paul Bakker6e339b52013-07-03 13:37:05 +0200[diff] [blame]3724 polarssl_free( name_prv );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3725 }
3726
3727 name_cur = cert_cur->subject.next;
3728 while( name_cur != NULL )
3729 {
3730 name_prv = name_cur;
3731 name_cur = name_cur->next;
3732 memset( name_prv, 0, sizeof( x509_name ) );
Paul Bakker6e339b52013-07-03 13:37:05 +0200[diff] [blame]3733 polarssl_free( name_prv );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3734 }
3735
Paul Bakker74111d32011-01-15 16:57:55 +0000[diff] [blame]3736 seq_cur = cert_cur->ext_key_usage.next;
3737 while( seq_cur != NULL )
3738 {
3739 seq_prv = seq_cur;
3740 seq_cur = seq_cur->next;
3741 memset( seq_prv, 0, sizeof( x509_sequence ) );
Paul Bakker6e339b52013-07-03 13:37:05 +0200[diff] [blame]3742 polarssl_free( seq_prv );
Paul Bakker74111d32011-01-15 16:57:55 +0000[diff] [blame]3743 }
3744
Paul Bakker8afa70d2012-02-11 18:42:45 +0000[diff] [blame]3745 seq_cur = cert_cur->subject_alt_names.next;
3746 while( seq_cur != NULL )
3747 {
3748 seq_prv = seq_cur;
3749 seq_cur = seq_cur->next;
3750 memset( seq_prv, 0, sizeof( x509_sequence ) );
Paul Bakker6e339b52013-07-03 13:37:05 +0200[diff] [blame]3751 polarssl_free( seq_prv );
Paul Bakker8afa70d2012-02-11 18:42:45 +0000[diff] [blame]3752 }
3753
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3754 if( cert_cur->raw.p != NULL )
3755 {
3756 memset( cert_cur->raw.p, 0, cert_cur->raw.len );
Paul Bakker6e339b52013-07-03 13:37:05 +0200[diff] [blame]3757 polarssl_free( cert_cur->raw.p );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3758 }
3759
3760 cert_cur = cert_cur->next;
3761 }
3762 while( cert_cur != NULL );
3763
3764 cert_cur = crt;
3765 do
3766 {
3767 cert_prv = cert_cur;
3768 cert_cur = cert_cur->next;
3769
3770 memset( cert_prv, 0, sizeof( x509_cert ) );
3771 if( cert_prv != crt )
Paul Bakker6e339b52013-07-03 13:37:05 +0200[diff] [blame]3772 polarssl_free( cert_prv );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3773 }
3774 while( cert_cur != NULL );
3775}
3776
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]3777/*
3778 * Unallocate all CRL data
3779 */
3780void x509_crl_free( x509_crl *crl )
3781{
3782 x509_crl *crl_cur = crl;
3783 x509_crl *crl_prv;
3784 x509_name *name_cur;
3785 x509_name *name_prv;
3786 x509_crl_entry *entry_cur;
3787 x509_crl_entry *entry_prv;
3788
3789 if( crl == NULL )
3790 return;
3791
3792 do
3793 {
3794 name_cur = crl_cur->issuer.next;
3795 while( name_cur != NULL )
3796 {
3797 name_prv = name_cur;
3798 name_cur = name_cur->next;
3799 memset( name_prv, 0, sizeof( x509_name ) );
Paul Bakker6e339b52013-07-03 13:37:05 +0200[diff] [blame]3800 polarssl_free( name_prv );
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]3801 }
3802
3803 entry_cur = crl_cur->entry.next;
3804 while( entry_cur != NULL )
3805 {
3806 entry_prv = entry_cur;
3807 entry_cur = entry_cur->next;
3808 memset( entry_prv, 0, sizeof( x509_crl_entry ) );
Paul Bakker6e339b52013-07-03 13:37:05 +0200[diff] [blame]3809 polarssl_free( entry_prv );
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]3810 }
3811
3812 if( crl_cur->raw.p != NULL )
3813 {
3814 memset( crl_cur->raw.p, 0, crl_cur->raw.len );
Paul Bakker6e339b52013-07-03 13:37:05 +0200[diff] [blame]3815 polarssl_free( crl_cur->raw.p );
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]3816 }
3817
3818 crl_cur = crl_cur->next;
3819 }
3820 while( crl_cur != NULL );
3821
3822 crl_cur = crl;
3823 do
3824 {
3825 crl_prv = crl_cur;
3826 crl_cur = crl_cur->next;
3827
3828 memset( crl_prv, 0, sizeof( x509_crl ) );
3829 if( crl_prv != crl )
Paul Bakker6e339b52013-07-03 13:37:05 +0200[diff] [blame]3830 polarssl_free( crl_prv );
Paul Bakkerd98030e2009-05-02 15:13:40 +0000[diff] [blame]3831 }
3832 while( crl_cur != NULL );
3833}
3834
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]3835#if defined(POLARSSL_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3836
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]3837#include "polarssl/certs.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3838
3839/*
3840 * Checkup routine
3841 */
3842int x509_self_test( int verbose )
3843{
Paul Bakker5690efc2011-05-26 13:16:06 +0000[diff] [blame]3844#if defined(POLARSSL_CERTS_C) && defined(POLARSSL_MD5_C)
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]3845 int ret;
3846 int flags;
3847 size_t i, j;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3848 x509_cert cacert;
3849 x509_cert clicert;
3850 rsa_context rsa;
Paul Bakker5690efc2011-05-26 13:16:06 +0000[diff] [blame]3851#if defined(POLARSSL_DHM_C)
Paul Bakker1b57b062011-01-06 15:48:19 +0000[diff] [blame]3852 dhm_context dhm;
Paul Bakker5690efc2011-05-26 13:16:06 +0000[diff] [blame]3853#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3854
3855 if( verbose != 0 )
3856 printf( " X.509 certificate load: " );
3857
3858 memset( &clicert, 0, sizeof( x509_cert ) );
3859
Paul Bakker3c2122f2013-06-24 19:03:14 +0200[diff] [blame]3860 ret = x509parse_crt( &clicert, (const unsigned char *) test_cli_crt,
Paul Bakker69e095c2011-12-10 21:55:01 +0000[diff] [blame]3861 strlen( test_cli_crt ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3862 if( ret != 0 )
3863 {
3864 if( verbose != 0 )
3865 printf( "failed\n" );
3866
3867 return( ret );
3868 }
3869
3870 memset( &cacert, 0, sizeof( x509_cert ) );
3871
Paul Bakker3c2122f2013-06-24 19:03:14 +0200[diff] [blame]3872 ret = x509parse_crt( &cacert, (const unsigned char *) test_ca_crt,
Paul Bakker69e095c2011-12-10 21:55:01 +0000[diff] [blame]3873 strlen( test_ca_crt ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3874 if( ret != 0 )
3875 {
3876 if( verbose != 0 )
3877 printf( "failed\n" );
3878
3879 return( ret );
3880 }
3881
3882 if( verbose != 0 )
3883 printf( "passed\n X.509 private key load: " );
3884
3885 i = strlen( test_ca_key );
3886 j = strlen( test_ca_pwd );
3887
Paul Bakker66b78b22011-03-25 14:22:50 +0000[diff] [blame]3888 rsa_init( &rsa, RSA_PKCS_V15, 0 );
3889
Manuel Pégourié-Gonnardba4878a2013-06-27 10:51:01 +0200[diff] [blame]3890 if( ( ret = x509parse_key_rsa( &rsa,
Paul Bakker3c2122f2013-06-24 19:03:14 +0200[diff] [blame]3891 (const unsigned char *) test_ca_key, i,
3892 (const unsigned char *) test_ca_pwd, j ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3893 {
3894 if( verbose != 0 )
3895 printf( "failed\n" );
3896
3897 return( ret );
3898 }
3899
3900 if( verbose != 0 )
3901 printf( "passed\n X.509 signature verify: ");
3902
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]3903 ret = x509parse_verify( &clicert, &cacert, NULL, "PolarSSL Client 2", &flags, NULL, NULL );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3904 if( ret != 0 )
3905 {
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]3906 printf("%02x", flags);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3907 if( verbose != 0 )
3908 printf( "failed\n" );
3909
3910 return( ret );
3911 }
3912
Paul Bakker5690efc2011-05-26 13:16:06 +0000[diff] [blame]3913#if defined(POLARSSL_DHM_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3914 if( verbose != 0 )
Paul Bakker1b57b062011-01-06 15:48:19 +0000[diff] [blame]3915 printf( "passed\n X.509 DHM parameter load: " );
3916
3917 i = strlen( test_dhm_params );
3918 j = strlen( test_ca_pwd );
3919
Paul Bakker3c2122f2013-06-24 19:03:14 +0200[diff] [blame]3920 if( ( ret = x509parse_dhm( &dhm, (const unsigned char *) test_dhm_params, i ) ) != 0 )
Paul Bakker1b57b062011-01-06 15:48:19 +0000[diff] [blame]3921 {
3922 if( verbose != 0 )
3923 printf( "failed\n" );
3924
3925 return( ret );
3926 }
3927
3928 if( verbose != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3929 printf( "passed\n\n" );
Paul Bakker5690efc2011-05-26 13:16:06 +0000[diff] [blame]3930#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3931
3932 x509_free( &cacert );
3933 x509_free( &clicert );
3934 rsa_free( &rsa );
Paul Bakker5690efc2011-05-26 13:16:06 +0000[diff] [blame]3935#if defined(POLARSSL_DHM_C)
Paul Bakker1b57b062011-01-06 15:48:19 +0000[diff] [blame]3936 dhm_free( &dhm );
Paul Bakker5690efc2011-05-26 13:16:06 +0000[diff] [blame]3937#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3938
3939 return( 0 );
Paul Bakkerde4d2ea2009-10-03 19:58:52 +0000[diff] [blame]3940#else
3941 ((void) verbose);
3942 return( POLARSSL_ERR_X509_FEATURE_UNAVAILABLE );
3943#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3944}
3945
3946#endif
3947
3948#endif