2 * X.509v3 certificate parsing and processing (RFC 3280 profile)
3 * Copyright (c) 2006-2007, Jouni Malinen <j@w1.fi>
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation.
9 * Alternatively, this software may be distributed under the terms of BSD
12 * See README and COPYING for more details.
19 #ifdef CONFIG_INTERNAL_X509
26 static void x509_free_name(struct x509_name
*name
)
35 name
->cn
= name
->c
= name
->l
= name
->st
= name
->o
= name
->ou
= NULL
;
41 * x509_certificate_free - Free an X.509 certificate
42 * @cert: Certificate to be freed
44 void x509_certificate_free(struct x509_certificate
*cert
)
49 wpa_printf(MSG_DEBUG
, "X509: x509_certificate_free: cer=%p "
50 "was still on a list (next=%p)\n",
53 x509_free_name(&cert
->issuer
);
54 x509_free_name(&cert
->subject
);
55 os_free(cert
->public_key
);
56 os_free(cert
->sign_value
);
62 * x509_certificate_free - Free an X.509 certificate chain
63 * @cert: Pointer to the first certificate in the chain
65 void x509_certificate_chain_free(struct x509_certificate
*cert
)
67 struct x509_certificate
*next
;
72 x509_certificate_free(cert
);
78 static int x509_whitespace(char c
)
80 return c
== ' ' || c
== '\t';
84 static void x509_str_strip_whitespace(char *a
)
87 int remove_whitespace
= 1;
92 if (remove_whitespace
&& x509_whitespace(*ipos
))
95 remove_whitespace
= x509_whitespace(*ipos
);
101 if (opos
> a
&& x509_whitespace(*opos
))
106 static int x509_str_compare(const char *a
, const char *b
)
121 if (aa
== NULL
|| bb
== NULL
) {
124 return os_strcasecmp(a
, b
);
127 x509_str_strip_whitespace(aa
);
128 x509_str_strip_whitespace(bb
);
130 ret
= os_strcasecmp(aa
, bb
);
140 * x509_name_compare - Compare X.509 certificate names
141 * @a: Certificate name
142 * @b: Certificate name
143 * Returns: <0, 0, or >0 based on whether a is less than, equal to, or
146 int x509_name_compare(struct x509_name
*a
, struct x509_name
*b
)
157 res
= x509_str_compare(a
->cn
, b
->cn
);
160 res
= x509_str_compare(a
->c
, b
->c
);
163 res
= x509_str_compare(a
->l
, b
->l
);
166 res
= x509_str_compare(a
->st
, b
->st
);
169 res
= x509_str_compare(a
->o
, b
->o
);
172 res
= x509_str_compare(a
->ou
, b
->ou
);
175 res
= x509_str_compare(a
->email
, b
->email
);
183 static int x509_parse_algorithm_identifier(
184 const u8
*buf
, size_t len
,
185 struct x509_algorithm_identifier
*id
, const u8
**next
)
191 * AlgorithmIdentifier ::= SEQUENCE {
192 * algorithm OBJECT IDENTIFIER,
193 * parameters ANY DEFINED BY algorithm OPTIONAL
197 if (asn1_get_next(buf
, len
, &hdr
) < 0 ||
198 hdr
.class != ASN1_CLASS_UNIVERSAL
||
199 hdr
.tag
!= ASN1_TAG_SEQUENCE
) {
200 wpa_printf(MSG_DEBUG
, "X509: Expected SEQUENCE "
201 "(AlgorithmIdentifier) - found class %d tag 0x%x",
206 end
= pos
+ hdr
.length
;
213 if (asn1_get_oid(pos
, end
- pos
, &id
->oid
, &pos
))
216 /* TODO: optional parameters */
222 static int x509_parse_public_key(const u8
*buf
, size_t len
,
223 struct x509_certificate
*cert
,
230 * SubjectPublicKeyInfo ::= SEQUENCE {
231 * algorithm AlgorithmIdentifier,
232 * subjectPublicKey BIT STRING
239 if (asn1_get_next(pos
, end
- pos
, &hdr
) < 0 ||
240 hdr
.class != ASN1_CLASS_UNIVERSAL
||
241 hdr
.tag
!= ASN1_TAG_SEQUENCE
) {
242 wpa_printf(MSG_DEBUG
, "X509: Expected SEQUENCE "
243 "(SubjectPublicKeyInfo) - found class %d tag 0x%x",
249 if (pos
+ hdr
.length
> end
)
251 end
= pos
+ hdr
.length
;
254 if (x509_parse_algorithm_identifier(pos
, end
- pos
,
255 &cert
->public_key_alg
, &pos
))
258 if (asn1_get_next(pos
, end
- pos
, &hdr
) < 0 ||
259 hdr
.class != ASN1_CLASS_UNIVERSAL
||
260 hdr
.tag
!= ASN1_TAG_BITSTRING
) {
261 wpa_printf(MSG_DEBUG
, "X509: Expected BITSTRING "
262 "(subjectPublicKey) - found class %d tag 0x%x",
270 wpa_printf(MSG_DEBUG
, "X509: BITSTRING - %d unused bits",
273 * TODO: should this be rejected? X.509 certificates are
274 * unlikely to use such a construction. Now we would end up
275 * including the extra bits in the buffer which may also be
279 os_free(cert
->public_key
);
280 cert
->public_key
= os_malloc(hdr
.length
- 1);
281 if (cert
->public_key
== NULL
) {
282 wpa_printf(MSG_DEBUG
, "X509: Failed to allocate memory for "
286 os_memcpy(cert
->public_key
, pos
+ 1, hdr
.length
- 1);
287 cert
->public_key_len
= hdr
.length
- 1;
288 wpa_hexdump(MSG_MSGDUMP
, "X509: subjectPublicKey",
289 cert
->public_key
, cert
->public_key_len
);
295 static int x509_parse_name(const u8
*buf
, size_t len
, struct x509_name
*name
,
299 const u8
*pos
, *end
, *set_pos
, *set_end
, *seq_pos
, *seq_end
;
304 * Name ::= CHOICE { RDNSequence }
305 * RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
306 * RelativeDistinguishedName ::= SET OF AttributeTypeAndValue
307 * AttributeTypeAndValue ::= SEQUENCE {
308 * type AttributeType,
309 * value AttributeValue
311 * AttributeType ::= OBJECT IDENTIFIER
312 * AttributeValue ::= ANY DEFINED BY AttributeType
315 if (asn1_get_next(buf
, len
, &hdr
) < 0 ||
316 hdr
.class != ASN1_CLASS_UNIVERSAL
||
317 hdr
.tag
!= ASN1_TAG_SEQUENCE
) {
318 wpa_printf(MSG_DEBUG
, "X509: Expected SEQUENCE "
319 "(Name / RDNSequencer) - found class %d tag 0x%x",
325 if (pos
+ hdr
.length
> buf
+ len
)
328 end
= *next
= pos
+ hdr
.length
;
331 if (asn1_get_next(pos
, end
- pos
, &hdr
) < 0 ||
332 hdr
.class != ASN1_CLASS_UNIVERSAL
||
333 hdr
.tag
!= ASN1_TAG_SET
) {
334 wpa_printf(MSG_DEBUG
, "X509: Expected SET "
335 "(RelativeDistinguishedName) - found class "
336 "%d tag 0x%x", hdr
.class, hdr
.tag
);
337 x509_free_name(name
);
341 set_pos
= hdr
.payload
;
342 pos
= set_end
= hdr
.payload
+ hdr
.length
;
344 if (asn1_get_next(set_pos
, set_end
- set_pos
, &hdr
) < 0 ||
345 hdr
.class != ASN1_CLASS_UNIVERSAL
||
346 hdr
.tag
!= ASN1_TAG_SEQUENCE
) {
347 wpa_printf(MSG_DEBUG
, "X509: Expected SEQUENCE "
348 "(AttributeTypeAndValue) - found class %d "
349 "tag 0x%x", hdr
.class, hdr
.tag
);
350 x509_free_name(name
);
354 seq_pos
= hdr
.payload
;
355 seq_end
= hdr
.payload
+ hdr
.length
;
357 if (asn1_get_oid(seq_pos
, seq_end
- seq_pos
, &oid
, &seq_pos
)) {
358 x509_free_name(name
);
362 if (asn1_get_next(seq_pos
, seq_end
- seq_pos
, &hdr
) < 0 ||
363 hdr
.class != ASN1_CLASS_UNIVERSAL
) {
364 wpa_printf(MSG_DEBUG
, "X509: Failed to parse "
366 x509_free_name(name
);
371 * MUST: country, organization, organizational-unit,
372 * distinguished name qualifier, state or province name,
373 * common name, serial number.
374 * SHOULD: locality, title, surname, given name, initials,
375 * pseudonym, generation qualifier.
376 * MUST: domainComponent (RFC 2247).
380 oid
.oid
[0] == 2 && oid
.oid
[1] == 5 && oid
.oid
[2] == 4) {
381 /* id-at ::= 2.5.4 */
382 switch (oid
.oid
[3]) {
396 /* stateOrProvinceName */
400 /* organizationName */
404 /* organizationalUnitName */
408 } else if (oid
.len
== 7 &&
409 oid
.oid
[0] == 1 && oid
.oid
[1] == 2 &&
410 oid
.oid
[2] == 840 && oid
.oid
[3] == 113549 &&
411 oid
.oid
[4] == 1 && oid
.oid
[5] == 9 &&
413 /* 1.2.840.113549.1.9.1 - e-mailAddress */
414 fieldp
= &name
->email
;
417 if (fieldp
== NULL
) {
418 wpa_hexdump(MSG_DEBUG
, "X509: Unrecognized OID",
420 oid
.len
* sizeof(oid
.oid
[0]));
421 wpa_hexdump_ascii(MSG_MSGDUMP
, "X509: Attribute Data",
422 hdr
.payload
, hdr
.length
);
427 *fieldp
= os_malloc(hdr
.length
+ 1);
428 if (*fieldp
== NULL
) {
429 x509_free_name(name
);
432 os_memcpy(*fieldp
, hdr
.payload
, hdr
.length
);
433 (*fieldp
)[hdr
.length
] = '\0';
441 * x509_name_string - Convert an X.509 certificate name into a string
442 * @name: Name to convert
443 * @buf: Buffer for the string
444 * @len: Maximum buffer length
446 void x509_name_string(struct x509_name
*name
, char *buf
, size_t len
)
458 ret
= os_snprintf(pos
, end
- pos
, "C=%s, ", name
->c
);
459 if (ret
< 0 || ret
>= end
- pos
)
464 ret
= os_snprintf(pos
, end
- pos
, "ST=%s, ", name
->st
);
465 if (ret
< 0 || ret
>= end
- pos
)
470 ret
= os_snprintf(pos
, end
- pos
, "L=%s, ", name
->l
);
471 if (ret
< 0 || ret
>= end
- pos
)
476 ret
= os_snprintf(pos
, end
- pos
, "O=%s, ", name
->o
);
477 if (ret
< 0 || ret
>= end
- pos
)
482 ret
= os_snprintf(pos
, end
- pos
, "OU=%s, ", name
->ou
);
483 if (ret
< 0 || ret
>= end
- pos
)
488 ret
= os_snprintf(pos
, end
- pos
, "CN=%s, ", name
->cn
);
489 if (ret
< 0 || ret
>= end
- pos
)
494 if (pos
> buf
+ 1 && pos
[-1] == ' ' && pos
[-2] == ',') {
500 ret
= os_snprintf(pos
, end
- pos
, "/emailAddress=%s",
502 if (ret
< 0 || ret
>= end
- pos
)
512 static int x509_parse_time(const u8
*buf
, size_t len
, u8 asn1_tag
,
516 int year
, month
, day
, hour
, min
, sec
;
521 * generalTime GeneralizedTime
524 * UTCTime: YYMMDDHHMMSSZ
525 * GeneralizedTime: YYYYMMDDHHMMSSZ
528 pos
= (const char *) buf
;
531 case ASN1_TAG_UTCTIME
:
532 if (len
!= 13 || buf
[12] != 'Z') {
533 wpa_hexdump_ascii(MSG_DEBUG
, "X509: Unrecognized "
534 "UTCTime format", buf
, len
);
537 if (sscanf(pos
, "%02d", &year
) != 1) {
538 wpa_hexdump_ascii(MSG_DEBUG
, "X509: Failed to parse "
539 "UTCTime year", buf
, len
);
548 case ASN1_TAG_GENERALIZEDTIME
:
549 if (len
!= 15 || buf
[14] != 'Z') {
550 wpa_hexdump_ascii(MSG_DEBUG
, "X509: Unrecognized "
551 "GeneralizedTime format", buf
, len
);
554 if (sscanf(pos
, "%04d", &year
) != 1) {
555 wpa_hexdump_ascii(MSG_DEBUG
, "X509: Failed to parse "
556 "GeneralizedTime year", buf
, len
);
562 wpa_printf(MSG_DEBUG
, "X509: Expected UTCTime or "
563 "GeneralizedTime - found tag 0x%x", asn1_tag
);
567 if (sscanf(pos
, "%02d", &month
) != 1) {
568 wpa_hexdump_ascii(MSG_DEBUG
, "X509: Failed to parse Time "
569 "(month)", buf
, len
);
574 if (sscanf(pos
, "%02d", &day
) != 1) {
575 wpa_hexdump_ascii(MSG_DEBUG
, "X509: Failed to parse Time "
581 if (sscanf(pos
, "%02d", &hour
) != 1) {
582 wpa_hexdump_ascii(MSG_DEBUG
, "X509: Failed to parse Time "
588 if (sscanf(pos
, "%02d", &min
) != 1) {
589 wpa_hexdump_ascii(MSG_DEBUG
, "X509: Failed to parse Time "
595 if (sscanf(pos
, "%02d", &sec
) != 1) {
596 wpa_hexdump_ascii(MSG_DEBUG
, "X509: Failed to parse Time "
601 if (os_mktime(year
, month
, day
, hour
, min
, sec
, val
) < 0) {
602 wpa_hexdump_ascii(MSG_DEBUG
, "X509: Failed to convert Time",
606 * At least some test certificates have been configured
607 * to use dates prior to 1970. Set the date to
608 * beginning of 1970 to handle these case.
610 wpa_printf(MSG_DEBUG
, "X509: Year=%d before epoch - "
611 "assume epoch as the time", year
);
622 static int x509_parse_validity(const u8
*buf
, size_t len
,
623 struct x509_certificate
*cert
, const u8
**next
)
630 * Validity ::= SEQUENCE {
636 * CAs conforming to this profile MUST always encode certificate
637 * validity dates through the year 2049 as UTCTime; certificate
638 * validity dates in 2050 or later MUST be encoded as GeneralizedTime.
641 if (asn1_get_next(buf
, len
, &hdr
) < 0 ||
642 hdr
.class != ASN1_CLASS_UNIVERSAL
||
643 hdr
.tag
!= ASN1_TAG_SEQUENCE
) {
644 wpa_printf(MSG_DEBUG
, "X509: Expected SEQUENCE "
645 "(Validity) - found class %d tag 0x%x",
652 if (pos
+ plen
> buf
+ len
)
657 if (asn1_get_next(pos
, plen
, &hdr
) < 0 ||
658 hdr
.class != ASN1_CLASS_UNIVERSAL
||
659 x509_parse_time(hdr
.payload
, hdr
.length
, hdr
.tag
,
660 &cert
->not_before
) < 0) {
661 wpa_hexdump_ascii(MSG_DEBUG
, "X509: Failed to parse notBefore "
662 "Time", hdr
.payload
, hdr
.length
);
666 pos
= hdr
.payload
+ hdr
.length
;
669 if (asn1_get_next(pos
, plen
, &hdr
) < 0 ||
670 hdr
.class != ASN1_CLASS_UNIVERSAL
||
671 x509_parse_time(hdr
.payload
, hdr
.length
, hdr
.tag
,
672 &cert
->not_after
) < 0) {
673 wpa_hexdump_ascii(MSG_DEBUG
, "X509: Failed to parse notAfter "
674 "Time", hdr
.payload
, hdr
.length
);
678 wpa_printf(MSG_MSGDUMP
, "X509: Validity: notBefore: %lu notAfter: %lu",
679 (unsigned long) cert
->not_before
,
680 (unsigned long) cert
->not_after
);
686 static int x509_id_ce_oid(struct asn1_oid
*oid
)
688 /* id-ce arc from X.509 for standard X.509v3 extensions */
689 return oid
->len
>= 4 &&
690 oid
->oid
[0] == 2 /* joint-iso-ccitt */ &&
691 oid
->oid
[1] == 5 /* ds */ &&
692 oid
->oid
[2] == 29 /* id-ce */;
696 static int x509_parse_ext_key_usage(struct x509_certificate
*cert
,
697 const u8
*pos
, size_t len
)
702 * KeyUsage ::= BIT STRING {
703 * digitalSignature (0),
704 * nonRepudiation (1),
705 * keyEncipherment (2),
706 * dataEncipherment (3),
714 if (asn1_get_next(pos
, len
, &hdr
) < 0 ||
715 hdr
.class != ASN1_CLASS_UNIVERSAL
||
716 hdr
.tag
!= ASN1_TAG_BITSTRING
||
718 wpa_printf(MSG_DEBUG
, "X509: Expected BIT STRING in "
719 "KeyUsage; found %d tag 0x%x len %d",
720 hdr
.class, hdr
.tag
, hdr
.length
);
724 cert
->extensions_present
|= X509_EXT_KEY_USAGE
;
725 cert
->key_usage
= asn1_bit_string_to_long(hdr
.payload
, hdr
.length
);
727 wpa_printf(MSG_DEBUG
, "X509: KeyUsage 0x%lx", cert
->key_usage
);
733 static int x509_parse_ext_basic_constraints(struct x509_certificate
*cert
,
734 const u8
*pos
, size_t len
)
741 * BasicConstraints ::= SEQUENCE {
742 * cA BOOLEAN DEFAULT FALSE,
743 * pathLenConstraint INTEGER (0..MAX) OPTIONAL }
746 if (asn1_get_next(pos
, len
, &hdr
) < 0 ||
747 hdr
.class != ASN1_CLASS_UNIVERSAL
||
748 hdr
.tag
!= ASN1_TAG_SEQUENCE
) {
749 wpa_printf(MSG_DEBUG
, "X509: Expected SEQUENCE in "
750 "BasicConstraints; found %d tag 0x%x",
755 cert
->extensions_present
|= X509_EXT_BASIC_CONSTRAINTS
;
760 if (asn1_get_next(hdr
.payload
, hdr
.length
, &hdr
) < 0 ||
761 hdr
.class != ASN1_CLASS_UNIVERSAL
) {
762 wpa_printf(MSG_DEBUG
, "X509: Failed to parse "
767 if (hdr
.tag
== ASN1_TAG_BOOLEAN
) {
768 if (hdr
.length
!= 1) {
769 wpa_printf(MSG_DEBUG
, "X509: Unexpected "
770 "Boolean length (%u) in BasicConstraints",
774 cert
->ca
= hdr
.payload
[0];
776 if (hdr
.payload
+ hdr
.length
== pos
+ len
) {
777 wpa_printf(MSG_DEBUG
, "X509: BasicConstraints - cA=%d",
782 if (asn1_get_next(hdr
.payload
+ hdr
.length
, len
- hdr
.length
,
784 hdr
.class != ASN1_CLASS_UNIVERSAL
) {
785 wpa_printf(MSG_DEBUG
, "X509: Failed to parse "
791 if (hdr
.tag
!= ASN1_TAG_INTEGER
) {
792 wpa_printf(MSG_DEBUG
, "X509: Expected INTEGER in "
793 "BasicConstraints; found class %d tag 0x%x",
807 cert
->path_len_constraint
= value
;
808 cert
->extensions_present
|= X509_EXT_PATH_LEN_CONSTRAINT
;
810 wpa_printf(MSG_DEBUG
, "X509: BasicConstraints - cA=%d "
811 "pathLenConstraint=%lu",
812 cert
->ca
, cert
->path_len_constraint
);
818 static int x509_parse_extension_data(struct x509_certificate
*cert
,
819 struct asn1_oid
*oid
,
820 const u8
*pos
, size_t len
)
822 if (!x509_id_ce_oid(oid
))
825 /* TODO: add other extensions required by RFC 3280, Ch 4.2:
826 * certificate policies (section 4.2.1.5)
827 * the subject alternative name (section 4.2.1.7)
828 * name constraints (section 4.2.1.11)
829 * policy constraints (section 4.2.1.12)
830 * extended key usage (section 4.2.1.13)
831 * inhibit any-policy (section 4.2.1.15)
833 switch (oid
->oid
[3]) {
834 case 15: /* id-ce-keyUsage */
835 return x509_parse_ext_key_usage(cert
, pos
, len
);
836 case 19: /* id-ce-basicConstraints */
837 return x509_parse_ext_basic_constraints(cert
, pos
, len
);
844 static int x509_parse_extension(struct x509_certificate
*cert
,
845 const u8
*pos
, size_t len
, const u8
**next
)
850 int critical_ext
= 0, res
;
854 * Extension ::= SEQUENCE {
855 * extnID OBJECT IDENTIFIER,
856 * critical BOOLEAN DEFAULT FALSE,
857 * extnValue OCTET STRING
861 if (asn1_get_next(pos
, len
, &hdr
) < 0 ||
862 hdr
.class != ASN1_CLASS_UNIVERSAL
||
863 hdr
.tag
!= ASN1_TAG_SEQUENCE
) {
864 wpa_printf(MSG_DEBUG
, "X509: Unexpected ASN.1 header in "
865 "Extensions: class %d tag 0x%x; expected SEQUENCE",
870 *next
= end
= pos
+ hdr
.length
;
872 if (asn1_get_oid(pos
, end
- pos
, &oid
, &pos
) < 0) {
873 wpa_printf(MSG_DEBUG
, "X509: Unexpected ASN.1 data for "
874 "Extension (expected OID)");
878 if (asn1_get_next(pos
, end
- pos
, &hdr
) < 0 ||
879 hdr
.class != ASN1_CLASS_UNIVERSAL
||
880 (hdr
.tag
!= ASN1_TAG_BOOLEAN
&&
881 hdr
.tag
!= ASN1_TAG_OCTETSTRING
)) {
882 wpa_printf(MSG_DEBUG
, "X509: Unexpected ASN.1 header in "
883 "Extensions: class %d tag 0x%x; expected BOOLEAN "
884 "or OCTET STRING", hdr
.class, hdr
.tag
);
888 if (hdr
.tag
== ASN1_TAG_BOOLEAN
) {
889 if (hdr
.length
!= 1) {
890 wpa_printf(MSG_DEBUG
, "X509: Unexpected "
891 "Boolean length (%u)", hdr
.length
);
894 critical_ext
= hdr
.payload
[0];
896 if (asn1_get_next(pos
, end
- pos
, &hdr
) < 0 ||
897 (hdr
.class != ASN1_CLASS_UNIVERSAL
&&
898 hdr
.class != ASN1_CLASS_PRIVATE
) ||
899 hdr
.tag
!= ASN1_TAG_OCTETSTRING
) {
900 wpa_printf(MSG_DEBUG
, "X509: Unexpected ASN.1 header "
901 "in Extensions: class %d tag 0x%x; "
902 "expected OCTET STRING",
908 asn1_oid_to_str(&oid
, buf
, sizeof(buf
));
909 wpa_printf(MSG_DEBUG
, "X509: Extension: extnID=%s critical=%d",
911 wpa_hexdump(MSG_MSGDUMP
, "X509: extnValue", hdr
.payload
, hdr
.length
);
913 res
= x509_parse_extension_data(cert
, &oid
, hdr
.payload
, hdr
.length
);
916 if (res
== 1 && critical_ext
) {
917 wpa_printf(MSG_INFO
, "X509: Unknown critical extension %s",
926 static int x509_parse_extensions(struct x509_certificate
*cert
,
927 const u8
*pos
, size_t len
)
932 /* Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension */
934 if (asn1_get_next(pos
, len
, &hdr
) < 0 ||
935 hdr
.class != ASN1_CLASS_UNIVERSAL
||
936 hdr
.tag
!= ASN1_TAG_SEQUENCE
) {
937 wpa_printf(MSG_DEBUG
, "X509: Unexpected ASN.1 data "
938 "for Extensions: class %d tag 0x%x; "
939 "expected SEQUENCE", hdr
.class, hdr
.tag
);
944 end
= pos
+ hdr
.length
;
947 if (x509_parse_extension(cert
, pos
, end
- pos
, &pos
)
956 static int x509_parse_tbs_certificate(const u8
*buf
, size_t len
,
957 struct x509_certificate
*cert
,
966 /* tbsCertificate TBSCertificate ::= SEQUENCE */
967 if (asn1_get_next(buf
, len
, &hdr
) < 0 ||
968 hdr
.class != ASN1_CLASS_UNIVERSAL
||
969 hdr
.tag
!= ASN1_TAG_SEQUENCE
) {
970 wpa_printf(MSG_DEBUG
, "X509: tbsCertificate did not start "
971 "with a valid SEQUENCE - found class %d tag 0x%x",
976 end
= *next
= pos
+ hdr
.length
;
979 * version [0] EXPLICIT Version DEFAULT v1
980 * Version ::= INTEGER { v1(0), v2(1), v3(2) }
982 if (asn1_get_next(pos
, end
- pos
, &hdr
) < 0)
986 if (hdr
.class == ASN1_CLASS_CONTEXT_SPECIFIC
) {
987 if (asn1_get_next(pos
, end
- pos
, &hdr
) < 0)
990 if (hdr
.class != ASN1_CLASS_UNIVERSAL
||
991 hdr
.tag
!= ASN1_TAG_INTEGER
) {
992 wpa_printf(MSG_DEBUG
, "X509: No INTEGER tag found for "
993 "version field - found class %d tag 0x%x",
997 if (hdr
.length
!= 1) {
998 wpa_printf(MSG_DEBUG
, "X509: Unexpected version field "
999 "length %u (expected 1)", hdr
.length
);
1011 cert
->version
= value
;
1012 if (cert
->version
!= X509_CERT_V1
&&
1013 cert
->version
!= X509_CERT_V2
&&
1014 cert
->version
!= X509_CERT_V3
) {
1015 wpa_printf(MSG_DEBUG
, "X509: Unsupported version %d",
1020 if (asn1_get_next(pos
, end
- pos
, &hdr
) < 0)
1023 cert
->version
= X509_CERT_V1
;
1024 wpa_printf(MSG_MSGDUMP
, "X509: Version X.509v%d", cert
->version
+ 1);
1026 /* serialNumber CertificateSerialNumber ::= INTEGER */
1027 if (hdr
.class != ASN1_CLASS_UNIVERSAL
||
1028 hdr
.tag
!= ASN1_TAG_INTEGER
) {
1029 wpa_printf(MSG_DEBUG
, "X509: No INTEGER tag found for "
1030 "serialNumber; class=%d tag=0x%x",
1031 hdr
.class, hdr
.tag
);
1038 cert
->serial_number
<<= 8;
1039 cert
->serial_number
|= *pos
++;
1042 wpa_printf(MSG_MSGDUMP
, "X509: serialNumber %lu", cert
->serial_number
);
1044 /* signature AlgorithmIdentifier */
1045 if (x509_parse_algorithm_identifier(pos
, end
- pos
, &cert
->signature
,
1050 if (x509_parse_name(pos
, end
- pos
, &cert
->issuer
, &pos
))
1052 x509_name_string(&cert
->issuer
, sbuf
, sizeof(sbuf
));
1053 wpa_printf(MSG_MSGDUMP
, "X509: issuer %s", sbuf
);
1055 /* validity Validity */
1056 if (x509_parse_validity(pos
, end
- pos
, cert
, &pos
))
1060 if (x509_parse_name(pos
, end
- pos
, &cert
->subject
, &pos
))
1062 x509_name_string(&cert
->subject
, sbuf
, sizeof(sbuf
));
1063 wpa_printf(MSG_MSGDUMP
, "X509: subject %s", sbuf
);
1065 /* subjectPublicKeyInfo SubjectPublicKeyInfo */
1066 if (x509_parse_public_key(pos
, end
- pos
, cert
, &pos
))
1072 if (cert
->version
== X509_CERT_V1
)
1075 if (asn1_get_next(pos
, end
- pos
, &hdr
) < 0 ||
1076 hdr
.class != ASN1_CLASS_CONTEXT_SPECIFIC
) {
1077 wpa_printf(MSG_DEBUG
, "X509: Expected Context-Specific"
1078 " tag to parse optional tbsCertificate "
1079 "field(s); parsed class %d tag 0x%x",
1080 hdr
.class, hdr
.tag
);
1085 /* issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL */
1086 wpa_printf(MSG_DEBUG
, "X509: issuerUniqueID");
1087 /* TODO: parse UniqueIdentifier ::= BIT STRING */
1089 if (hdr
.payload
+ hdr
.length
== end
)
1092 if (asn1_get_next(pos
, end
- pos
, &hdr
) < 0 ||
1093 hdr
.class != ASN1_CLASS_CONTEXT_SPECIFIC
) {
1094 wpa_printf(MSG_DEBUG
, "X509: Expected Context-Specific"
1095 " tag to parse optional tbsCertificate "
1096 "field(s); parsed class %d tag 0x%x",
1097 hdr
.class, hdr
.tag
);
1103 /* subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL */
1104 wpa_printf(MSG_DEBUG
, "X509: subjectUniqueID");
1105 /* TODO: parse UniqueIdentifier ::= BIT STRING */
1107 if (hdr
.payload
+ hdr
.length
== end
)
1110 if (asn1_get_next(pos
, end
- pos
, &hdr
) < 0 ||
1111 hdr
.class != ASN1_CLASS_CONTEXT_SPECIFIC
) {
1112 wpa_printf(MSG_DEBUG
, "X509: Expected Context-Specific"
1113 " tag to parse optional tbsCertificate "
1114 "field(s); parsed class %d tag 0x%x",
1115 hdr
.class, hdr
.tag
);
1121 wpa_printf(MSG_DEBUG
, "X509: Ignored unexpected "
1122 "Context-Specific tag %d in optional "
1123 "tbsCertificate fields", hdr
.tag
);
1127 /* extensions [3] EXPLICIT Extensions OPTIONAL */
1129 if (cert
->version
!= X509_CERT_V3
) {
1130 wpa_printf(MSG_DEBUG
, "X509: X.509%d certificate and "
1131 "Extensions data which are only allowed for "
1132 "version 3", cert
->version
+ 1);
1136 if (x509_parse_extensions(cert
, hdr
.payload
, hdr
.length
) < 0)
1139 pos
= hdr
.payload
+ hdr
.length
;
1141 wpa_hexdump(MSG_DEBUG
,
1142 "X509: Ignored extra tbsCertificate data",
1150 static int x509_rsadsi_oid(struct asn1_oid
*oid
)
1152 return oid
->len
>= 4 &&
1153 oid
->oid
[0] == 1 /* iso */ &&
1154 oid
->oid
[1] == 2 /* member-body */ &&
1155 oid
->oid
[2] == 840 /* us */ &&
1156 oid
->oid
[3] == 113549 /* rsadsi */;
1160 static int x509_pkcs_oid(struct asn1_oid
*oid
)
1162 return oid
->len
>= 5 &&
1163 x509_rsadsi_oid(oid
) &&
1164 oid
->oid
[4] == 1 /* pkcs */;
1168 static int x509_digest_oid(struct asn1_oid
*oid
)
1170 return oid
->len
>= 5 &&
1171 x509_rsadsi_oid(oid
) &&
1172 oid
->oid
[4] == 2 /* digestAlgorithm */;
1176 static int x509_sha1_oid(struct asn1_oid
*oid
)
1178 return oid
->len
== 6 &&
1179 oid
->oid
[0] == 1 /* iso */ &&
1180 oid
->oid
[1] == 3 /* identified-organization */ &&
1181 oid
->oid
[2] == 14 /* oiw */ &&
1182 oid
->oid
[3] == 3 /* secsig */ &&
1183 oid
->oid
[4] == 2 /* algorithms */ &&
1184 oid
->oid
[5] == 26 /* id-sha1 */;
1188 static int x509_sha256_oid(struct asn1_oid
*oid
)
1190 return oid
->len
== 9 &&
1191 oid
->oid
[0] == 2 /* joint-iso-itu-t */ &&
1192 oid
->oid
[1] == 16 /* country */ &&
1193 oid
->oid
[2] == 840 /* us */ &&
1194 oid
->oid
[3] == 1 /* organization */ &&
1195 oid
->oid
[4] == 101 /* gov */ &&
1196 oid
->oid
[5] == 3 /* csor */ &&
1197 oid
->oid
[6] == 4 /* nistAlgorithm */ &&
1198 oid
->oid
[7] == 2 /* hashAlgs */ &&
1199 oid
->oid
[8] == 1 /* sha256 */;
1204 * x509_certificate_parse - Parse a X.509 certificate in DER format
1205 * @buf: Pointer to the X.509 certificate in DER format
1206 * @len: Buffer length
1207 * Returns: Pointer to the parsed certificate or %NULL on failure
1209 * Caller is responsible for freeing the returned certificate by calling
1210 * x509_certificate_free().
1212 struct x509_certificate
* x509_certificate_parse(const u8
*buf
, size_t len
)
1214 struct asn1_hdr hdr
;
1215 const u8
*pos
, *end
, *hash_start
;
1216 struct x509_certificate
*cert
;
1218 cert
= os_zalloc(sizeof(*cert
) + len
);
1221 os_memcpy(cert
+ 1, buf
, len
);
1222 cert
->cert_start
= (u8
*) (cert
+ 1);
1223 cert
->cert_len
= len
;
1228 /* RFC 3280 - X.509 v3 certificate / ASN.1 DER */
1230 /* Certificate ::= SEQUENCE */
1231 if (asn1_get_next(pos
, len
, &hdr
) < 0 ||
1232 hdr
.class != ASN1_CLASS_UNIVERSAL
||
1233 hdr
.tag
!= ASN1_TAG_SEQUENCE
) {
1234 wpa_printf(MSG_DEBUG
, "X509: Certificate did not start with "
1235 "a valid SEQUENCE - found class %d tag 0x%x",
1236 hdr
.class, hdr
.tag
);
1237 x509_certificate_free(cert
);
1242 if (pos
+ hdr
.length
> end
) {
1243 x509_certificate_free(cert
);
1247 if (pos
+ hdr
.length
< end
) {
1248 wpa_hexdump(MSG_MSGDUMP
, "X509: Ignoring extra data after DER "
1249 "encoded certificate",
1250 pos
+ hdr
.length
, end
- pos
+ hdr
.length
);
1251 end
= pos
+ hdr
.length
;
1255 cert
->tbs_cert_start
= cert
->cert_start
+ (hash_start
- buf
);
1256 if (x509_parse_tbs_certificate(pos
, end
- pos
, cert
, &pos
)) {
1257 x509_certificate_free(cert
);
1260 cert
->tbs_cert_len
= pos
- hash_start
;
1262 /* signatureAlgorithm AlgorithmIdentifier */
1263 if (x509_parse_algorithm_identifier(pos
, end
- pos
,
1264 &cert
->signature_alg
, &pos
)) {
1265 x509_certificate_free(cert
);
1269 /* signatureValue BIT STRING */
1270 if (asn1_get_next(pos
, end
- pos
, &hdr
) < 0 ||
1271 hdr
.class != ASN1_CLASS_UNIVERSAL
||
1272 hdr
.tag
!= ASN1_TAG_BITSTRING
) {
1273 wpa_printf(MSG_DEBUG
, "X509: Expected BITSTRING "
1274 "(signatureValue) - found class %d tag 0x%x",
1275 hdr
.class, hdr
.tag
);
1276 x509_certificate_free(cert
);
1279 if (hdr
.length
< 1) {
1280 x509_certificate_free(cert
);
1285 wpa_printf(MSG_DEBUG
, "X509: BITSTRING - %d unused bits",
1287 /* PKCS #1 v1.5 10.2.1:
1288 * It is an error if the length in bits of the signature S is
1289 * not a multiple of eight.
1291 x509_certificate_free(cert
);
1294 os_free(cert
->sign_value
);
1295 cert
->sign_value
= os_malloc(hdr
.length
- 1);
1296 if (cert
->sign_value
== NULL
) {
1297 wpa_printf(MSG_DEBUG
, "X509: Failed to allocate memory for "
1299 x509_certificate_free(cert
);
1302 os_memcpy(cert
->sign_value
, pos
+ 1, hdr
.length
- 1);
1303 cert
->sign_value_len
= hdr
.length
- 1;
1304 wpa_hexdump(MSG_MSGDUMP
, "X509: signature",
1305 cert
->sign_value
, cert
->sign_value_len
);
1312 * x509_certificate_check_signature - Verify certificate signature
1313 * @issuer: Issuer certificate
1314 * @cert: Certificate to be verified
1315 * Returns: 0 if cert has a valid signature that was signed by the issuer,
1318 int x509_certificate_check_signature(struct x509_certificate
*issuer
,
1319 struct x509_certificate
*cert
)
1321 struct crypto_public_key
*pk
;
1323 const u8
*pos
, *end
, *next
, *da_end
;
1325 struct asn1_hdr hdr
;
1326 struct asn1_oid oid
;
1330 if (!x509_pkcs_oid(&cert
->signature
.oid
) ||
1331 cert
->signature
.oid
.len
!= 7 ||
1332 cert
->signature
.oid
.oid
[5] != 1 /* pkcs-1 */) {
1333 wpa_printf(MSG_DEBUG
, "X509: Unrecognized signature "
1338 pk
= crypto_public_key_import(issuer
->public_key
,
1339 issuer
->public_key_len
);
1343 data_len
= cert
->sign_value_len
;
1344 data
= os_malloc(data_len
);
1346 crypto_public_key_free(pk
);
1350 if (crypto_public_key_decrypt_pkcs1(pk
, cert
->sign_value
,
1351 cert
->sign_value_len
, data
,
1353 wpa_printf(MSG_DEBUG
, "X509: Failed to decrypt signature");
1354 crypto_public_key_free(pk
);
1358 crypto_public_key_free(pk
);
1360 wpa_hexdump(MSG_MSGDUMP
, "X509: Signature data D", data
, data_len
);
1363 * PKCS #1 v1.5, 10.1.2:
1365 * DigestInfo ::= SEQUENCE {
1366 * digestAlgorithm DigestAlgorithmIdentifier,
1370 * DigestAlgorithmIdentifier ::= AlgorithmIdentifier
1372 * Digest ::= OCTET STRING
1375 if (asn1_get_next(data
, data_len
, &hdr
) < 0 ||
1376 hdr
.class != ASN1_CLASS_UNIVERSAL
||
1377 hdr
.tag
!= ASN1_TAG_SEQUENCE
) {
1378 wpa_printf(MSG_DEBUG
, "X509: Expected SEQUENCE "
1379 "(DigestInfo) - found class %d tag 0x%x",
1380 hdr
.class, hdr
.tag
);
1386 end
= pos
+ hdr
.length
;
1390 * AlgorithmIdentifier ::= SEQUENCE {
1391 * algorithm OBJECT IDENTIFIER,
1392 * parameters ANY DEFINED BY algorithm OPTIONAL
1396 if (asn1_get_next(pos
, end
- pos
, &hdr
) < 0 ||
1397 hdr
.class != ASN1_CLASS_UNIVERSAL
||
1398 hdr
.tag
!= ASN1_TAG_SEQUENCE
) {
1399 wpa_printf(MSG_DEBUG
, "X509: Expected SEQUENCE "
1400 "(AlgorithmIdentifier) - found class %d tag 0x%x",
1401 hdr
.class, hdr
.tag
);
1405 da_end
= hdr
.payload
+ hdr
.length
;
1407 if (asn1_get_oid(hdr
.payload
, hdr
.length
, &oid
, &next
)) {
1408 wpa_printf(MSG_DEBUG
, "X509: Failed to parse digestAlgorithm");
1413 if (x509_sha1_oid(&oid
)) {
1414 if (cert
->signature
.oid
.oid
[6] !=
1415 5 /* sha-1WithRSAEncryption */) {
1416 wpa_printf(MSG_DEBUG
, "X509: digestAlgorithm SHA1 "
1417 "does not match with certificate "
1418 "signatureAlgorithm (%lu)",
1419 cert
->signature
.oid
.oid
[6]);
1423 goto skip_digest_oid
;
1426 if (x509_sha256_oid(&oid
)) {
1427 if (cert
->signature
.oid
.oid
[6] !=
1428 11 /* sha2561WithRSAEncryption */) {
1429 wpa_printf(MSG_DEBUG
, "X509: digestAlgorithm SHA256 "
1430 "does not match with certificate "
1431 "signatureAlgorithm (%lu)",
1432 cert
->signature
.oid
.oid
[6]);
1436 goto skip_digest_oid
;
1439 if (!x509_digest_oid(&oid
)) {
1440 wpa_printf(MSG_DEBUG
, "X509: Unrecognized digestAlgorithm");
1444 switch (oid
.oid
[5]) {
1446 if (cert
->signature
.oid
.oid
[6] != 4 /* md5WithRSAEncryption */)
1448 wpa_printf(MSG_DEBUG
, "X509: digestAlgorithm MD5 does "
1449 "not match with certificate "
1450 "signatureAlgorithm (%lu)",
1451 cert
->signature
.oid
.oid
[6]);
1459 wpa_printf(MSG_DEBUG
, "X509: Unsupported digestAlgorithm "
1460 "(%lu)", oid
.oid
[5]);
1466 /* Digest ::= OCTET STRING */
1468 end
= data
+ data_len
;
1470 if (asn1_get_next(pos
, end
- pos
, &hdr
) < 0 ||
1471 hdr
.class != ASN1_CLASS_UNIVERSAL
||
1472 hdr
.tag
!= ASN1_TAG_OCTETSTRING
) {
1473 wpa_printf(MSG_DEBUG
, "X509: Expected OCTETSTRING "
1474 "(Digest) - found class %d tag 0x%x",
1475 hdr
.class, hdr
.tag
);
1479 wpa_hexdump(MSG_MSGDUMP
, "X509: Decrypted Digest",
1480 hdr
.payload
, hdr
.length
);
1482 switch (cert
->signature
.oid
.oid
[6]) {
1483 case 4: /* md5WithRSAEncryption */
1484 md5_vector(1, &cert
->tbs_cert_start
, &cert
->tbs_cert_len
,
1487 wpa_hexdump(MSG_MSGDUMP
, "X509: Certificate hash (MD5)",
1490 case 5: /* sha-1WithRSAEncryption */
1491 sha1_vector(1, &cert
->tbs_cert_start
, &cert
->tbs_cert_len
,
1494 wpa_hexdump(MSG_MSGDUMP
, "X509: Certificate hash (SHA1)",
1497 case 11: /* sha256WithRSAEncryption */
1499 sha256_vector(1, &cert
->tbs_cert_start
, &cert
->tbs_cert_len
,
1502 wpa_hexdump(MSG_MSGDUMP
, "X509: Certificate hash (SHA256)",
1505 #else /* NEED_SHA256 */
1506 wpa_printf(MSG_INFO
, "X509: SHA256 support disabled");
1509 #endif /* NEED_SHA256 */
1510 case 2: /* md2WithRSAEncryption */
1511 case 12: /* sha384WithRSAEncryption */
1512 case 13: /* sha512WithRSAEncryption */
1514 wpa_printf(MSG_INFO
, "X509: Unsupported certificate signature "
1515 "algorithm (%lu)", cert
->signature
.oid
.oid
[6]);
1520 if (hdr
.length
!= hash_len
||
1521 os_memcmp(hdr
.payload
, hash
, hdr
.length
) != 0) {
1522 wpa_printf(MSG_INFO
, "X509: Certificate Digest does not match "
1523 "with calculated tbsCertificate hash");
1530 wpa_printf(MSG_DEBUG
, "X509: Certificate Digest matches with "
1531 "calculated tbsCertificate hash");
1537 static int x509_valid_issuer(const struct x509_certificate
*cert
)
1539 if ((cert
->extensions_present
& X509_EXT_BASIC_CONSTRAINTS
) &&
1541 wpa_printf(MSG_DEBUG
, "X509: Non-CA certificate used as an "
1546 if (cert
->version
== X509_CERT_V3
&&
1547 !(cert
->extensions_present
& X509_EXT_BASIC_CONSTRAINTS
)) {
1548 wpa_printf(MSG_DEBUG
, "X509: v3 CA certificate did not "
1549 "include BasicConstraints extension");
1553 if ((cert
->extensions_present
& X509_EXT_KEY_USAGE
) &&
1554 !(cert
->key_usage
& X509_KEY_USAGE_KEY_CERT_SIGN
)) {
1555 wpa_printf(MSG_DEBUG
, "X509: Issuer certificate did not have "
1556 "keyCertSign bit in Key Usage");
1565 * x509_certificate_chain_validate - Validate X.509 certificate chain
1566 * @trusted: List of trusted certificates
1567 * @chain: Certificate chain to be validated (first chain must be issued by
1568 * signed by the second certificate in the chain and so on)
1569 * @reason: Buffer for returning failure reason (X509_VALIDATE_*)
1570 * Returns: 0 if chain is valid, -1 if not
1572 int x509_certificate_chain_validate(struct x509_certificate
*trusted
,
1573 struct x509_certificate
*chain
,
1577 int chain_trusted
= 0;
1578 struct x509_certificate
*cert
, *trust
;
1582 *reason
= X509_VALIDATE_OK
;
1584 wpa_printf(MSG_DEBUG
, "X509: Validate certificate chain");
1587 for (cert
= chain
, idx
= 0; cert
; cert
= cert
->next
, idx
++) {
1588 x509_name_string(&cert
->subject
, buf
, sizeof(buf
));
1589 wpa_printf(MSG_DEBUG
, "X509: %lu: %s", idx
, buf
);
1594 if ((unsigned long) now
.sec
<
1595 (unsigned long) cert
->not_before
||
1596 (unsigned long) now
.sec
>
1597 (unsigned long) cert
->not_after
) {
1598 wpa_printf(MSG_INFO
, "X509: Certificate not valid "
1599 "(now=%lu not_before=%lu not_after=%lu)",
1600 now
.sec
, cert
->not_before
, cert
->not_after
);
1601 *reason
= X509_VALIDATE_CERTIFICATE_EXPIRED
;
1606 if (x509_name_compare(&cert
->issuer
,
1607 &cert
->next
->subject
) != 0) {
1608 wpa_printf(MSG_DEBUG
, "X509: Certificate "
1609 "chain issuer name mismatch");
1610 x509_name_string(&cert
->issuer
, buf
,
1612 wpa_printf(MSG_DEBUG
, "X509: cert issuer: %s",
1614 x509_name_string(&cert
->next
->subject
, buf
,
1616 wpa_printf(MSG_DEBUG
, "X509: next cert "
1617 "subject: %s", buf
);
1618 *reason
= X509_VALIDATE_CERTIFICATE_UNKNOWN
;
1622 if (x509_valid_issuer(cert
->next
) < 0) {
1623 *reason
= X509_VALIDATE_BAD_CERTIFICATE
;
1627 if ((cert
->next
->extensions_present
&
1628 X509_EXT_PATH_LEN_CONSTRAINT
) &&
1629 idx
> cert
->next
->path_len_constraint
) {
1630 wpa_printf(MSG_DEBUG
, "X509: pathLenConstraint"
1631 " not met (idx=%lu issuer "
1632 "pathLenConstraint=%lu)", idx
,
1633 cert
->next
->path_len_constraint
);
1634 *reason
= X509_VALIDATE_BAD_CERTIFICATE
;
1638 if (x509_certificate_check_signature(cert
->next
, cert
)
1640 wpa_printf(MSG_DEBUG
, "X509: Invalid "
1641 "certificate signature within "
1643 *reason
= X509_VALIDATE_BAD_CERTIFICATE
;
1648 for (trust
= trusted
; trust
; trust
= trust
->next
) {
1649 if (x509_name_compare(&cert
->issuer
, &trust
->subject
)
1655 wpa_printf(MSG_DEBUG
, "X509: Found issuer from the "
1656 "list of trusted certificates");
1657 if (x509_valid_issuer(trust
) < 0) {
1658 *reason
= X509_VALIDATE_BAD_CERTIFICATE
;
1662 if (x509_certificate_check_signature(trust
, cert
) < 0)
1664 wpa_printf(MSG_DEBUG
, "X509: Invalid "
1665 "certificate signature");
1666 *reason
= X509_VALIDATE_BAD_CERTIFICATE
;
1670 wpa_printf(MSG_DEBUG
, "X509: Trusted certificate "
1671 "found to complete the chain");
1676 if (!chain_trusted
) {
1677 wpa_printf(MSG_DEBUG
, "X509: Did not find any of the issuers "
1678 "from the list of trusted certificates");
1680 *reason
= X509_VALIDATE_UNKNOWN_CA
;
1683 wpa_printf(MSG_DEBUG
, "X509: Certificate chain validation "
1684 "disabled - ignore unknown CA issue");
1687 wpa_printf(MSG_DEBUG
, "X509: Certificate chain valid");
1694 * x509_certificate_get_subject - Get a certificate based on Subject name
1695 * @chain: Certificate chain to search through
1696 * @name: Subject name to search for
1697 * Returns: Pointer to the certificate with the given Subject name or
1700 struct x509_certificate
*
1701 x509_certificate_get_subject(struct x509_certificate
*chain
,
1702 struct x509_name
*name
)
1704 struct x509_certificate
*cert
;
1706 for (cert
= chain
; cert
; cert
= cert
->next
) {
1707 if (x509_name_compare(&cert
->subject
, name
) == 0)
1715 * x509_certificate_self_signed - Is the certificate self-signed?
1716 * @cert: Certificate
1717 * Returns: 1 if certificate is self-signed, 0 if not
1719 int x509_certificate_self_signed(struct x509_certificate
*cert
)
1721 return x509_name_compare(&cert
->issuer
, &cert
->subject
) == 0;
1724 #endif /* CONFIG_INTERNAL_X509 */