search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Added gnutls_x509_crt_set_policy()
[gnutls.git] / lib / x509 / dn.c
blob238e28ed86f7f35ba515e290ffa45a51590b5636
1 /*
2 * Copyright (C) 2003-2012 Free Software Foundation, Inc.
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GnuTLS.
7 *
8 * The GnuTLS is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 3 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public License
19 * along with this program. If not, see <http://www.gnu.org/licenses/>
20 *
21 */
22
23 #include <gnutls_int.h>
24 #include <libtasn1.h>
25 #include <gnutls_datum.h>
26 #include <gnutls_global.h>
27 #include <gnutls_errors.h>
28 #include <gnutls_str.h>
29 #include <common.h>
30 #include <gnutls_num.h>
31
32 /* This file includes all the required to parse an X.509 Distriguished
33 * Name (you need a parser just to read a name in the X.509 protoocols!!!)
34 */
35
36 /* Escapes a string following the rules from RFC4514.
37 */
38 static char *
39 str_escape (char *str, char *buffer, unsigned int buffer_size)
40 {
41 int str_length, j, i;
42
43 if (str == NULL || buffer == NULL)
44 return NULL;
45
46 str_length = MIN (strlen (str), buffer_size - 1);
47
48 for (i = j = 0; i < str_length; i++)
49 {
50 if (str[i] == ',' || str[i] == '+' || str[i] == '"'
51 || str[i] == '\\' || str[i] == '<' || str[i] == '>'
52 || str[i] == ';')
53 buffer[j++] = '\\';
54
55 buffer[j++] = str[i];
56 }
57
58 /* null terminate the string */
59 buffer[j] = 0;
60
61 return buffer;
62 }
63
64 /* Parses an X509 DN in the asn1_struct, and puts the output into
65 * the string buf. The output is an LDAP encoded DN.
66 *
67 * asn1_rdn_name must be a string in the form "tbsCertificate.issuer.rdnSequence".
68 * That is to point in the rndSequence.
69 */
70 int
71 _gnutls_x509_parse_dn (ASN1_TYPE asn1_struct,
72 const char *asn1_rdn_name, char *buf,
73 size_t * sizeof_buf)
74 {
75 gnutls_buffer_st out_str;
76 int k2, k1, result;
77 char tmpbuffer1[ASN1_MAX_NAME_SIZE];
78 char tmpbuffer2[ASN1_MAX_NAME_SIZE];
79 char tmpbuffer3[ASN1_MAX_NAME_SIZE];
80 uint8_t value[MAX_STRING_LEN], *value2 = NULL;
81 char *escaped = NULL;
82 const char *ldap_desc;
83 char oid[MAX_OID_SIZE];
84 int len, printable;
85 char *string = NULL;
86 size_t sizeof_string, sizeof_escaped;
87
88 if (sizeof_buf == NULL)
89 {
90 gnutls_assert ();
91 return GNUTLS_E_INVALID_REQUEST;
92 }
93
94 if (*sizeof_buf > 0 && buf)
95 buf[0] = 0;
96 else
97 *sizeof_buf = 0;
98
99 _gnutls_buffer_init (&out_str);
100
101 k1 = 0;
102 do
103 {
104
105 k1++;
106 /* create a string like "tbsCertList.issuer.rdnSequence.?1"
107 */
108 if (asn1_rdn_name[0] != 0)
109 snprintf (tmpbuffer1, sizeof (tmpbuffer1), "%s.?%u", asn1_rdn_name,
110 k1);
111 else
112 snprintf (tmpbuffer1, sizeof (tmpbuffer1), "?%u", k1);
113
114 len = sizeof (value) - 1;
115 result = asn1_read_value (asn1_struct, tmpbuffer1, value, &len);
116
117 if (result == ASN1_ELEMENT_NOT_FOUND)
118 {
119 break;
120 }
121
122 if (result != ASN1_VALUE_NOT_FOUND)
123 {
124 gnutls_assert ();
125 result = _gnutls_asn2err (result);
126 goto cleanup;
127 }
128
129 k2 = 0;
130
131 do
132 { /* Move to the attibute type and values
133 */
134 k2++;
135
136 if (tmpbuffer1[0] != 0)
137 snprintf (tmpbuffer2, sizeof (tmpbuffer2), "%s.?%u", tmpbuffer1,
138 k2);
139 else
140 snprintf (tmpbuffer2, sizeof (tmpbuffer2), "?%u", k2);
141
142 /* Try to read the RelativeDistinguishedName attributes.
143 */
144
145 len = sizeof (value) - 1;
146 result = asn1_read_value (asn1_struct, tmpbuffer2, value, &len);
147
148 if (result == ASN1_ELEMENT_NOT_FOUND)
149 break;
150 if (result != ASN1_VALUE_NOT_FOUND)
151 {
152 gnutls_assert ();
153 result = _gnutls_asn2err (result);
154 goto cleanup;
155 }
156
157 /* Read the OID
158 */
159 _gnutls_str_cpy (tmpbuffer3, sizeof (tmpbuffer3), tmpbuffer2);
160 _gnutls_str_cat (tmpbuffer3, sizeof (tmpbuffer3), ".type");
161
162 len = sizeof (oid) - 1;
163 result = asn1_read_value (asn1_struct, tmpbuffer3, oid, &len);
164
165 if (result == ASN1_ELEMENT_NOT_FOUND)
166 break;
167 else if (result != ASN1_SUCCESS)
168 {
169 gnutls_assert ();
170 result = _gnutls_asn2err (result);
171 goto cleanup;
172 }
173
174 /* Read the Value
175 */
176 _gnutls_str_cpy (tmpbuffer3, sizeof (tmpbuffer3), tmpbuffer2);
177 _gnutls_str_cat (tmpbuffer3, sizeof (tmpbuffer3), ".value");
178
179 len = 0;
180 result = asn1_read_value (asn1_struct, tmpbuffer3, NULL, &len);
181 if (result != ASN1_MEM_ERROR)
182 {
183 gnutls_assert ();
184 result = _gnutls_asn2err (result);
185 goto cleanup;
186 }
187
188 value2 = gnutls_malloc (len);
189 if (value2 == NULL)
190 {
191 gnutls_assert ();
192 result = GNUTLS_E_MEMORY_ERROR;
193 goto cleanup;
194 }
195
196 result = asn1_read_value (asn1_struct, tmpbuffer3, value2, &len);
197
198 if (result != ASN1_SUCCESS)
199 {
200 gnutls_assert ();
201 result = _gnutls_asn2err (result);
202 goto cleanup;
203 }
204 #define STR_APPEND(y) if ((result=_gnutls_buffer_append_str( &out_str, y)) < 0) { \
205 gnutls_assert(); \
206 goto cleanup; \
207 }
208 /* The encodings of adjoining RelativeDistinguishedNames are separated
209 * by a comma character (',' ASCII 44).
210 */
211
212 /* Where there is a multi-valued RDN, the outputs from adjoining
213 * AttributeTypeAndValues are separated by a plus ('+' ASCII 43)
214 * character.
215 */
216 if (k1 != 1)
217 { /* the first time do not append a comma */
218 if (k2 != 1)
219 { /* adjoining multi-value RDN */
220 STR_APPEND ("+");
221 }
222 else
223 {
224 STR_APPEND (",");
225 }
226 }
227
228 ldap_desc = gnutls_x509_dn_oid_name (oid, GNUTLS_X509_DN_OID_RETURN_OID);
229 printable = _gnutls_x509_oid_data_printable (oid);
230
231 /* leading #, hex encoded value and terminating NULL */
232 sizeof_escaped = 2 * len + 2;
233
234 escaped = gnutls_malloc (sizeof_escaped);
235 if (escaped == NULL)
236 {
237 gnutls_assert ();
238 result = GNUTLS_E_MEMORY_ERROR;
239 goto cleanup;
240 }
241
242 sizeof_string = 2 * len + 2; /* in case it is not printable */
243
244 string = gnutls_malloc (sizeof_string);
245 if (string == NULL)
246 {
247 gnutls_assert ();
248 result = GNUTLS_E_MEMORY_ERROR;
249 goto cleanup;
250 }
251
252 STR_APPEND (ldap_desc);
253 STR_APPEND ("=");
254 result = 0;
255
256 if (printable)
257 result =
258 _gnutls_x509_oid_data2string (oid,
259 value2, len,
260 string, &sizeof_string);
261
262 if (!printable || result < 0)
263 result =
264 _gnutls_x509_data2hex (value2, len, string, &sizeof_string);
265
266 if (result < 0)
267 {
268 gnutls_assert ();
269 _gnutls_debug_log
270 ("Found OID: '%s' with value '%s'\n",
271 oid, _gnutls_bin2hex (value2, len, escaped, sizeof_escaped,
272 NULL));
273 goto cleanup;
274 }
275 STR_APPEND (str_escape (string, escaped, sizeof_escaped));
276 gnutls_free (string);
277 string = NULL;
278
279 gnutls_free (escaped);
280 escaped = NULL;
281 gnutls_free (value2);
282 value2 = NULL;
283
284 }
285 while (1);
286
287 }
288 while (1);
289
290 if (out_str.length >= (unsigned int) *sizeof_buf)
291 {
292 gnutls_assert ();
293 *sizeof_buf = out_str.length + 1;
294 result = GNUTLS_E_SHORT_MEMORY_BUFFER;
295 goto cleanup;
296 }
297
298 if (buf)
299 {
300 _gnutls_buffer_pop_data (&out_str, buf, sizeof_buf);
301 buf[*sizeof_buf] = 0;
302 }
303 else
304 *sizeof_buf = out_str.length;
305
306 result = 0;
307
308 cleanup:
309 gnutls_free (value2);
310 gnutls_free (string);
311 gnutls_free (escaped);
312 _gnutls_buffer_clear (&out_str);
313 return result;
314 }
315
316 /* Parses an X509 DN in the asn1_struct, and searches for the
317 * given OID in the DN.
318 *
319 * If raw_flag == 0, the output will be encoded in the LDAP way. (#hex for non printable)
320 * Otherwise the raw DER data are returned.
321 *
322 * asn1_rdn_name must be a string in the form "tbsCertificate.issuer.rdnSequence".
323 * That is to point in the rndSequence.
324 *
325 * indx specifies which OID to return. Ie 0 means return the first specified
326 * OID found, 1 the second etc.
327 */
328 int
329 _gnutls_x509_parse_dn_oid (ASN1_TYPE asn1_struct,
330 const char *asn1_rdn_name,
331 const char *given_oid, int indx,
332 unsigned int raw_flag,
333 void *buf, size_t * sizeof_buf)
334 {
335 int k2, k1, result;
336 char tmpbuffer1[ASN1_MAX_NAME_SIZE];
337 char tmpbuffer2[ASN1_MAX_NAME_SIZE];
338 char tmpbuffer3[ASN1_MAX_NAME_SIZE];
339 uint8_t value[256];
340 char oid[MAX_OID_SIZE];
341 int len, printable;
342 int i = 0;
343 char *cbuf = buf;
344
345 if (cbuf == NULL)
346 *sizeof_buf = 0;
347 else
348 cbuf[0] = 0;
349
350 k1 = 0;
351 do
352 {
353
354 k1++;
355 /* create a string like "tbsCertList.issuer.rdnSequence.?1"
356 */
357 if (asn1_rdn_name[0] != 0)
358 snprintf (tmpbuffer1, sizeof (tmpbuffer1), "%s.?%u", asn1_rdn_name,
359 k1);
360 else
361 snprintf (tmpbuffer1, sizeof (tmpbuffer1), "?%u", k1);
362
363 len = sizeof (value) - 1;
364 result = asn1_read_value (asn1_struct, tmpbuffer1, value, &len);
365
366 if (result == ASN1_ELEMENT_NOT_FOUND)
367 {
368 gnutls_assert ();
369 break;
370 }
371
372 if (result != ASN1_VALUE_NOT_FOUND)
373 {
374 gnutls_assert ();
375 result = _gnutls_asn2err (result);
376 goto cleanup;
377 }
378
379 k2 = 0;
380
381 do
382 { /* Move to the attibute type and values
383 */
384 k2++;
385
386 if (tmpbuffer1[0] != 0)
387 snprintf (tmpbuffer2, sizeof (tmpbuffer2), "%s.?%u", tmpbuffer1,
388 k2);
389 else
390 snprintf (tmpbuffer2, sizeof (tmpbuffer2), "?%u", k2);
391
392 /* Try to read the RelativeDistinguishedName attributes.
393 */
394
395 len = sizeof (value) - 1;
396 result = asn1_read_value (asn1_struct, tmpbuffer2, value, &len);
397
398 if (result == ASN1_ELEMENT_NOT_FOUND)
399 {
400 break;
401 }
402 if (result != ASN1_VALUE_NOT_FOUND)
403 {
404 gnutls_assert ();
405 result = _gnutls_asn2err (result);
406 goto cleanup;
407 }
408
409 /* Read the OID
410 */
411 _gnutls_str_cpy (tmpbuffer3, sizeof (tmpbuffer3), tmpbuffer2);
412 _gnutls_str_cat (tmpbuffer3, sizeof (tmpbuffer3), ".type");
413
414 len = sizeof (oid) - 1;
415 result = asn1_read_value (asn1_struct, tmpbuffer3, oid, &len);
416
417 if (result == ASN1_ELEMENT_NOT_FOUND)
418 break;
419 else if (result != ASN1_SUCCESS)
420 {
421 gnutls_assert ();
422 result = _gnutls_asn2err (result);
423 goto cleanup;
424 }
425
426 if (strcmp (oid, given_oid) == 0 && indx == i++)
427 { /* Found the OID */
428
429 /* Read the Value
430 */
431 _gnutls_str_cpy (tmpbuffer3, sizeof (tmpbuffer3), tmpbuffer2);
432 _gnutls_str_cat (tmpbuffer3, sizeof (tmpbuffer3), ".value");
433
434 len = *sizeof_buf;
435 result = asn1_read_value (asn1_struct, tmpbuffer3, buf, &len);
436
437 if (result != ASN1_SUCCESS)
438 {
439 gnutls_assert ();
440 if (result == ASN1_MEM_ERROR)
441 *sizeof_buf = len;
442 result = _gnutls_asn2err (result);
443 goto cleanup;
444 }
445
446 if (raw_flag != 0)
447 {
448 if ((unsigned) len > *sizeof_buf)
449 {
450 *sizeof_buf = len;
451 result = GNUTLS_E_SHORT_MEMORY_BUFFER;
452 goto cleanup;
453 }
454 *sizeof_buf = len;
455
456 return 0;
457
458 }
459 else
460 { /* parse data. raw_flag == 0 */
461 printable = _gnutls_x509_oid_data_printable (oid);
462
463 if (printable == 1)
464 result =
465 _gnutls_x509_oid_data2string (oid, buf, len,
466 cbuf, sizeof_buf);
467 else
468 result =
469 _gnutls_x509_data2hex (buf, len, cbuf, sizeof_buf);
470
471 if (result < 0)
472 {
473 gnutls_assert ();
474 goto cleanup;
475 }
476
477 return 0;
478
479 } /* raw_flag == 0 */
480 }
481 }
482 while (1);
483
484 }
485 while (1);
486
487 gnutls_assert ();
488
489 result = GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
490
491 cleanup:
492 return result;
493 }
494
495
496 /* Parses an X509 DN in the asn1_struct, and returns the requested
497 * DN OID.
498 *
499 * asn1_rdn_name must be a string in the form "tbsCertificate.issuer.rdnSequence".
500 * That is to point in the rndSequence.
501 *
502 * indx specifies which OID to return. Ie 0 means return the first specified
503 * OID found, 1 the second etc.
504 */
505 int
506 _gnutls_x509_get_dn_oid (ASN1_TYPE asn1_struct,
507 const char *asn1_rdn_name,
508 int indx, void *_oid, size_t * sizeof_oid)
509 {
510 int k2, k1, result;
511 char tmpbuffer1[ASN1_MAX_NAME_SIZE];
512 char tmpbuffer2[ASN1_MAX_NAME_SIZE];
513 char tmpbuffer3[ASN1_MAX_NAME_SIZE];
514 char value[256];
515 char oid[MAX_OID_SIZE];
516 int len;
517 int i = 0;
518
519 k1 = 0;
520 do
521 {
522
523 k1++;
524 /* create a string like "tbsCertList.issuer.rdnSequence.?1"
525 */
526 if (asn1_rdn_name[0] != 0)
527 snprintf (tmpbuffer1, sizeof (tmpbuffer1), "%s.?%u", asn1_rdn_name,
528 k1);
529 else
530 snprintf (tmpbuffer1, sizeof (tmpbuffer1), "?%u", k1);
531
532 len = sizeof (value) - 1;
533 result = asn1_read_value (asn1_struct, tmpbuffer1, value, &len);
534
535 if (result == ASN1_ELEMENT_NOT_FOUND)
536 {
537 gnutls_assert ();
538 break;
539 }
540
541 if (result != ASN1_VALUE_NOT_FOUND)
542 {
543 gnutls_assert ();
544 result = _gnutls_asn2err (result);
545 goto cleanup;
546 }
547
548 k2 = 0;
549
550 do
551 { /* Move to the attibute type and values
552 */
553 k2++;
554
555 if (tmpbuffer1[0] != 0)
556 snprintf (tmpbuffer2, sizeof (tmpbuffer2), "%s.?%u", tmpbuffer1,
557 k2);
558 else
559 snprintf (tmpbuffer2, sizeof (tmpbuffer2), "?%u", k2);
560
561 /* Try to read the RelativeDistinguishedName attributes.
562 */
563
564 len = sizeof (value) - 1;
565 result = asn1_read_value (asn1_struct, tmpbuffer2, value, &len);
566
567 if (result == ASN1_ELEMENT_NOT_FOUND)
568 {
569 break;
570 }
571 if (result != ASN1_VALUE_NOT_FOUND)
572 {
573 gnutls_assert ();
574 result = _gnutls_asn2err (result);
575 goto cleanup;
576 }
577
578 /* Read the OID
579 */
580 _gnutls_str_cpy (tmpbuffer3, sizeof (tmpbuffer3), tmpbuffer2);
581 _gnutls_str_cat (tmpbuffer3, sizeof (tmpbuffer3), ".type");
582
583 len = sizeof (oid) - 1;
584 result = asn1_read_value (asn1_struct, tmpbuffer3, oid, &len);
585
586 if (result == ASN1_ELEMENT_NOT_FOUND)
587 break;
588 else if (result != ASN1_SUCCESS)
589 {
590 gnutls_assert ();
591 result = _gnutls_asn2err (result);
592 goto cleanup;
593 }
594
595 if (indx == i++)
596 { /* Found the OID */
597
598 len = strlen (oid) + 1;
599
600 if (*sizeof_oid < (unsigned) len)
601 {
602 *sizeof_oid = len;
603 gnutls_assert ();
604 return GNUTLS_E_SHORT_MEMORY_BUFFER;
605 }
606
607 memcpy (_oid, oid, len);
608 *sizeof_oid = len - 1;
609
610 return 0;
611 }
612 }
613 while (1);
614
615 }
616 while (1);
617
618 gnutls_assert ();
619
620 result = GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
621
622 cleanup:
623 return result;
624 }
625
626 static int is_printable(char p)
627 {
628 if ((p >= 'a' && p <= 'z') || (p >= 'A' && p <= 'Z') ||
629 (p >= '0' && p <= '9') || p == ' ' || p == '(' || p == ')' ||
630 p == '(' || p == '+' || p == ',' || p == '-' || p == '.' ||
631 p == '/' || p == ':' || p == '=' || p == '?')
632 return 1;
633
634 return 0;
635 }
636
637 /* This will encode and write the AttributeTypeAndValue field.
638 * 'multi' must be (0) if writing an AttributeTypeAndValue, and 1 if Attribute.
639 * In all cases only one value is written.
640 */
641 int
642 _gnutls_x509_encode_and_write_attribute (const char *given_oid,
643 ASN1_TYPE asn1_struct,
644 const char *where,
645 const void *_data,
646 int sizeof_data, int multi)
647 {
648 const char *val_name;
649 const uint8_t *data = _data;
650 char tmp[128];
651 ASN1_TYPE c2;
652 int result;
653
654
655 /* Find how to encode the data.
656 */
657 val_name = _gnutls_x509_oid2asn_string (given_oid);
658 if (val_name == NULL)
659 {
660 gnutls_assert ();
661 _gnutls_debug_log ("Cannot find OID: %s\n", given_oid);
662 return GNUTLS_E_X509_UNSUPPORTED_OID;
663 }
664
665 result = asn1_create_element (_gnutls_get_pkix (), val_name, &c2);
666 if (result != ASN1_SUCCESS)
667 {
668 gnutls_assert ();
669 return _gnutls_asn2err (result);
670 }
671
672 tmp[0] = 0;
673
674 if ((result = _gnutls_x509_oid_data_choice (given_oid)) > 0)
675 {
676 const char *string_type;
677 int i;
678
679 string_type = "printableString";
680
681 /* Check if the data is ASN.1 printable, and use
682 * the UTF8 string type if not.
683 */
684 for (i = 0; i < sizeof_data; i++)
685 {
686 if (!is_printable (data[i]))
687 {
688 string_type = "utf8String";
689 break;
690 }
691 }
692
693 /* if the type is a CHOICE then write the
694 * type we'll use.
695 */
696 result = asn1_write_value (c2, "", string_type, 1);
697 if (result != ASN1_SUCCESS)
698 {
699 gnutls_assert ();
700 result = _gnutls_asn2err (result);
701 goto error;
702 }
703
704 _gnutls_str_cpy (tmp, sizeof (tmp), string_type);
705 }
706
707 result = asn1_write_value (c2, tmp, data, sizeof_data);
708 if (result != ASN1_SUCCESS)
709 {
710 gnutls_assert ();
711 result = _gnutls_asn2err (result);
712 goto error;
713 }
714
715
716 /* write the data (value)
717 */
718
719 _gnutls_str_cpy (tmp, sizeof (tmp), where);
720 _gnutls_str_cat (tmp, sizeof (tmp), ".value");
721
722 if (multi != 0)
723 { /* if not writing an AttributeTypeAndValue, but an Attribute */
724 _gnutls_str_cat (tmp, sizeof (tmp), "s"); /* values */
725
726 result = asn1_write_value (asn1_struct, tmp, "NEW", 1);
727 if (result != ASN1_SUCCESS)
728 {
729 gnutls_assert ();
730 result = _gnutls_asn2err (result);
731 goto error;
732 }
733
734 _gnutls_str_cat (tmp, sizeof (tmp), ".?LAST");
735
736 }
737
738 result = _gnutls_x509_der_encode_and_copy (c2, "", asn1_struct, tmp, 0);
739 if (result < 0)
740 {
741 gnutls_assert ();
742 result = _gnutls_asn2err (result);
743 goto error;
744 }
745
746 /* write the type
747 */
748 _gnutls_str_cpy (tmp, sizeof (tmp), where);
749 _gnutls_str_cat (tmp, sizeof (tmp), ".type");
750
751 result = asn1_write_value (asn1_struct, tmp, given_oid, 1);
752 if (result != ASN1_SUCCESS)
753 {
754 gnutls_assert ();
755 result = _gnutls_asn2err (result);
756 goto error;
757 }
758
759 result = 0;
760
761 error:
762 asn1_delete_structure (&c2);
763 return result;
764 }
765
766 /* This will write the AttributeTypeAndValue field. The data must be already DER encoded.
767 * 'multi' must be (0) if writing an AttributeTypeAndValue, and 1 if Attribute.
768 * In all cases only one value is written.
769 */
770 static int
771 _gnutls_x509_write_attribute (const char *given_oid,
772 ASN1_TYPE asn1_struct, const char *where,
773 const void *_data, int sizeof_data)
774 {
775 char tmp[128];
776 int result;
777
778 /* write the data (value)
779 */
780
781 _gnutls_str_cpy (tmp, sizeof (tmp), where);
782 _gnutls_str_cat (tmp, sizeof (tmp), ".value");
783
784 result = asn1_write_value (asn1_struct, tmp, _data, sizeof_data);
785 if (result < 0)
786 {
787 gnutls_assert ();
788 return _gnutls_asn2err (result);
789 }
790
791 /* write the type
792 */
793 _gnutls_str_cpy (tmp, sizeof (tmp), where);
794 _gnutls_str_cat (tmp, sizeof (tmp), ".type");
795
796 result = asn1_write_value (asn1_struct, tmp, given_oid, 1);
797 if (result != ASN1_SUCCESS)
798 {
799 gnutls_assert ();
800 return _gnutls_asn2err (result);
801 }
802
803 return 0;
804 }
805
806
807 /* Decodes an X.509 Attribute (if multi==1) or an AttributeTypeAndValue
808 * otherwise.
809 *
810 * octet_string should be non-zero if we are to decode octet strings after
811 * decoding.
812 *
813 * The output is allocated and stored in value.
814 */
815 int
816 _gnutls_x509_decode_and_read_attribute (ASN1_TYPE asn1_struct,
817 const char *where, char *oid,
818 int oid_size, gnutls_datum_t * value,
819 int multi, int octet_string)
820 {
821 char tmpbuffer[128];
822 int len, result;
823
824 /* Read the OID
825 */
826 _gnutls_str_cpy (tmpbuffer, sizeof (tmpbuffer), where);
827 _gnutls_str_cat (tmpbuffer, sizeof (tmpbuffer), ".type");
828
829 len = oid_size - 1;
830 result = asn1_read_value (asn1_struct, tmpbuffer, oid, &len);
831
832 if (result != ASN1_SUCCESS)
833 {
834 gnutls_assert ();
835 result = _gnutls_asn2err (result);
836 return result;
837 }
838
839 /* Read the Value
840 */
841
842 _gnutls_str_cpy (tmpbuffer, sizeof (tmpbuffer), where);
843 _gnutls_str_cat (tmpbuffer, sizeof (tmpbuffer), ".value");
844
845 if (multi)
846 _gnutls_str_cat (tmpbuffer, sizeof (tmpbuffer), "s.?1"); /* .values.?1 */
847
848 if (octet_string)
849 result = _gnutls_x509_read_string (asn1_struct, tmpbuffer, value, RV_OCTET_STRING);
850 else
851 result = _gnutls_x509_read_value (asn1_struct, tmpbuffer, value);
852 if (result < 0)
853 {
854 gnutls_assert ();
855 return result;
856 }
857
858 return 0;
859
860 }
861
862 /* Sets an X509 DN in the asn1_struct, and puts the given OID in the DN.
863 * The input is assumed to be raw data.
864 *
865 * asn1_rdn_name must be a string in the form "tbsCertificate.issuer".
866 * That is to point before the rndSequence.
867 *
868 */
869 int
870 _gnutls_x509_set_dn_oid (ASN1_TYPE asn1_struct,
871 const char *asn1_name, const char *given_oid,
872 int raw_flag, const char *name, int sizeof_name)
873 {
874 int result;
875 char tmp[ASN1_MAX_NAME_SIZE], asn1_rdn_name[ASN1_MAX_NAME_SIZE];
876
877 if (sizeof_name == 0 || name == NULL)
878 {
879 gnutls_assert ();
880 return GNUTLS_E_INVALID_REQUEST;
881 }
882
883 /* create the rdnSequence
884 */
885 result = asn1_write_value (asn1_struct, asn1_name, "rdnSequence", 1);
886 if (result != ASN1_SUCCESS)
887 {
888 gnutls_assert ();
889 return _gnutls_asn2err (result);
890 }
891
892 _gnutls_str_cpy (asn1_rdn_name, sizeof (asn1_rdn_name), asn1_name);
893 _gnutls_str_cat (asn1_rdn_name, sizeof (asn1_rdn_name), ".rdnSequence");
894
895 /* create a new element
896 */
897 result = asn1_write_value (asn1_struct, asn1_rdn_name, "NEW", 1);
898 if (result != ASN1_SUCCESS)
899 {
900 gnutls_assert ();
901 return _gnutls_asn2err (result);
902 }
903
904 _gnutls_str_cpy (tmp, sizeof (tmp), asn1_rdn_name);
905 _gnutls_str_cat (tmp, sizeof (tmp), ".?LAST");
906
907 /* create the set with only one element
908 */
909 result = asn1_write_value (asn1_struct, tmp, "NEW", 1);
910 if (result != ASN1_SUCCESS)
911 {
912 gnutls_assert ();
913 return _gnutls_asn2err (result);
914 }
915
916
917 /* Encode and write the data
918 */
919 _gnutls_str_cpy (tmp, sizeof (tmp), asn1_rdn_name);
920 _gnutls_str_cat (tmp, sizeof (tmp), ".?LAST.?LAST");
921
922 if (!raw_flag)
923 {
924 result =
925 _gnutls_x509_encode_and_write_attribute (given_oid,
926 asn1_struct,
927 tmp, name, sizeof_name, 0);
928 }
929 else
930 {
931 result =
932 _gnutls_x509_write_attribute (given_oid, asn1_struct,
933 tmp, name, sizeof_name);
934 }
935
936 if (result < 0)
937 {
938 gnutls_assert ();
939 return result;
940 }
941
942 return 0;
943 }
944
945 /**
946 * gnutls_x509_dn_init:
947 * @dn: the object to be initialized
948 *
949 * This function initializes a #gnutls_x509_dn_t structure.
950 *
951 * The object returned must be deallocated using
952 * gnutls_x509_dn_deinit().
953 *
954 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
955 * negative error value.
956 *
957 * Since: 2.4.0
958 **/
959 int
960 gnutls_x509_dn_init (gnutls_x509_dn_t * dn)
961 {
962 int result;
963 ASN1_TYPE tmpdn = ASN1_TYPE_EMPTY;
964
965 if ((result =
966 asn1_create_element (_gnutls_get_pkix (),
967 "PKIX1.Name", &tmpdn)) != ASN1_SUCCESS)
968 {
969 gnutls_assert ();
970 return _gnutls_asn2err (result);
971 }
972
973 *dn = tmpdn;
974
975 return 0;
976 }
977
978 /**
979 * gnutls_x509_dn_import:
980 * @dn: the structure that will hold the imported DN
981 * @data: should contain a DER encoded RDN sequence
982 *
983 * This function parses an RDN sequence and stores the result to a
984 * #gnutls_x509_dn_t structure. The structure must have been initialized
985 * with gnutls_x509_dn_init(). You may use gnutls_x509_dn_get_rdn_ava() to
986 * decode the DN.
987 *
988 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
989 * negative error value.
990 *
991 * Since: 2.4.0
992 **/
993 int
994 gnutls_x509_dn_import (gnutls_x509_dn_t dn, const gnutls_datum_t * data)
995 {
996 int result;
997 char err[ASN1_MAX_ERROR_DESCRIPTION_SIZE];
998
999 result = asn1_der_decoding ((ASN1_TYPE *) & dn,
1000 data->data, data->size, err);
1001 if (result != ASN1_SUCCESS)
1002 {
1003 /* couldn't decode DER */
1004 _gnutls_debug_log ("ASN.1 Decoding error: %s\n", err);
1005 gnutls_assert ();
1006 return _gnutls_asn2err (result);
1007 }
1008
1009 return 0;
1010 }
1011
1012 /**
1013 * gnutls_x509_dn_deinit:
1014 * @dn: a DN uint8_t object pointer.
1015 *
1016 * This function deallocates the DN object as returned by
1017 * gnutls_x509_dn_import().
1018 *
1019 * Since: 2.4.0
1020 **/
1021 void
1022 gnutls_x509_dn_deinit (gnutls_x509_dn_t dn)
1023 {
1024 asn1_delete_structure ((ASN1_TYPE *) & dn);
1025 }
1026
1027 /**
1028 * gnutls_x509_rdn_get:
1029 * @idn: should contain a DER encoded RDN sequence
1030 * @buf: a pointer to a structure to hold the peer's name
1031 * @sizeof_buf: holds the size of @buf
1032 *
1033 * This function will return the name of the given RDN sequence. The
1034 * name will be in the form "C=xxxx,O=yyyy,CN=zzzz" as described in
1035 * RFC4514.
1036 *
1037 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, or
1038 * %GNUTLS_E_SHORT_MEMORY_BUFFER is returned and *@sizeof_buf is
1039 * updated if the provided buffer is not long enough, otherwise a
1040 * negative error value.
1041 **/
1042 int
1043 gnutls_x509_rdn_get (const gnutls_datum_t * idn,
1044 char *buf, size_t * sizeof_buf)
1045 {
1046 int result;
1047 ASN1_TYPE dn = ASN1_TYPE_EMPTY;
1048
1049 if (sizeof_buf == 0)
1050 {
1051 gnutls_assert ();
1052 return GNUTLS_E_INVALID_REQUEST;
1053 }
1054
1055 if (buf)
1056 buf[0] = 0;
1057
1058
1059 if ((result =
1060 asn1_create_element (_gnutls_get_pkix (),
1061 "PKIX1.Name", &dn)) != ASN1_SUCCESS)
1062 {
1063 gnutls_assert ();
1064 return _gnutls_asn2err (result);
1065 }
1066
1067 result = asn1_der_decoding (&dn, idn->data, idn->size, NULL);
1068 if (result != ASN1_SUCCESS)
1069 {
1070 /* couldn't decode DER */
1071 gnutls_assert ();
1072 asn1_delete_structure (&dn);
1073 return _gnutls_asn2err (result);
1074 }
1075
1076 result = _gnutls_x509_parse_dn (dn, "rdnSequence", buf, sizeof_buf);
1077
1078 asn1_delete_structure (&dn);
1079 return result;
1080
1081 }
1082
1083 /**
1084 * gnutls_x509_rdn_get_by_oid:
1085 * @idn: should contain a DER encoded RDN sequence
1086 * @oid: an Object Identifier
1087 * @indx: In case multiple same OIDs exist in the RDN indicates which
1088 * to send. Use 0 for the first one.
1089 * @raw_flag: If non-zero then the raw DER data are returned.
1090 * @buf: a pointer to a structure to hold the peer's name
1091 * @sizeof_buf: holds the size of @buf
1092 *
1093 * This function will return the name of the given Object identifier,
1094 * of the RDN sequence. The name will be encoded using the rules
1095 * from RFC4514.
1096 *
1097 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, or
1098 * %GNUTLS_E_SHORT_MEMORY_BUFFER is returned and *@sizeof_buf is
1099 * updated if the provided buffer is not long enough, otherwise a
1100 * negative error value.
1101 **/
1102 int
1103 gnutls_x509_rdn_get_by_oid (const gnutls_datum_t * idn, const char *oid,
1104 int indx, unsigned int raw_flag,
1105 void *buf, size_t * sizeof_buf)
1106 {
1107 int result;
1108 ASN1_TYPE dn = ASN1_TYPE_EMPTY;
1109
1110 if (sizeof_buf == 0)
1111 {
1112 return GNUTLS_E_INVALID_REQUEST;
1113 }
1114
1115 if ((result =
1116 asn1_create_element (_gnutls_get_pkix (),
1117 "PKIX1.Name", &dn)) != ASN1_SUCCESS)
1118 {
1119 gnutls_assert ();
1120 return _gnutls_asn2err (result);
1121 }
1122
1123 result = asn1_der_decoding (&dn, idn->data, idn->size, NULL);
1124 if (result != ASN1_SUCCESS)
1125 {
1126 /* couldn't decode DER */
1127 gnutls_assert ();
1128 asn1_delete_structure (&dn);
1129 return _gnutls_asn2err (result);
1130 }
1131
1132 result =
1133 _gnutls_x509_parse_dn_oid (dn, "rdnSequence", oid, indx,
1134 raw_flag, buf, sizeof_buf);
1135
1136 asn1_delete_structure (&dn);
1137 return result;
1138
1139 }
1140
1141 /**
1142 * gnutls_x509_rdn_get_oid:
1143 * @idn: should contain a DER encoded RDN sequence
1144 * @indx: Indicates which OID to return. Use 0 for the first one.
1145 * @buf: a pointer to a structure to hold the peer's name OID
1146 * @sizeof_buf: holds the size of @buf
1147 *
1148 * This function will return the specified Object identifier, of the
1149 * RDN sequence.
1150 *
1151 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, or
1152 * %GNUTLS_E_SHORT_MEMORY_BUFFER is returned and *@sizeof_buf is
1153 * updated if the provided buffer is not long enough, otherwise a
1154 * negative error value.
1155 *
1156 * Since: 2.4.0
1157 **/
1158 int
1159 gnutls_x509_rdn_get_oid (const gnutls_datum_t * idn,
1160 int indx, void *buf, size_t * sizeof_buf)
1161 {
1162 int result;
1163 ASN1_TYPE dn = ASN1_TYPE_EMPTY;
1164
1165 if (sizeof_buf == 0)
1166 {
1167 return GNUTLS_E_INVALID_REQUEST;
1168 }
1169
1170 if ((result =
1171 asn1_create_element (_gnutls_get_pkix (),
1172 "PKIX1.Name", &dn)) != ASN1_SUCCESS)
1173 {
1174 gnutls_assert ();
1175 return _gnutls_asn2err (result);
1176 }
1177
1178 result = asn1_der_decoding (&dn, idn->data, idn->size, NULL);
1179 if (result != ASN1_SUCCESS)
1180 {
1181 /* couldn't decode DER */
1182 gnutls_assert ();
1183 asn1_delete_structure (&dn);
1184 return _gnutls_asn2err (result);
1185 }
1186
1187 result = _gnutls_x509_get_dn_oid (dn, "rdnSequence", indx, buf, sizeof_buf);
1188
1189 asn1_delete_structure (&dn);
1190 return result;
1191
1192 }
1193
1194 /*
1195 * Compares the DER encoded part of a DN.
1196 *
1197 * FIXME: use a real DN comparison algorithm.
1198 *
1199 * Returns 1 if the DN's match and (0) if they don't match. Otherwise
1200 * a negative error code is returned to indicate error.
1201 */
1202 int
1203 _gnutls_x509_compare_raw_dn (const gnutls_datum_t * dn1,
1204 const gnutls_datum_t * dn2)
1205 {
1206
1207 if (dn1->size != dn2->size)
1208 {
1209 gnutls_assert ();
1210 return 0;
1211 }
1212 if (memcmp (dn1->data, dn2->data, dn2->size) != 0)
1213 {
1214 gnutls_assert ();
1215 return 0;
1216 }
1217 return 1; /* they match */
1218 }
1219
1220 /**
1221 * gnutls_x509_dn_export:
1222 * @dn: Holds the uint8_t DN object
1223 * @format: the format of output params. One of PEM or DER.
1224 * @output_data: will contain a DN PEM or DER encoded
1225 * @output_data_size: holds the size of output_data (and will be
1226 * replaced by the actual size of parameters)
1227 *
1228 * This function will export the DN to DER or PEM format.
1229 *
1230 * If the buffer provided is not long enough to hold the output, then
1231 * *@output_data_size is updated and %GNUTLS_E_SHORT_MEMORY_BUFFER
1232 * will be returned.
1233 *
1234 * If the structure is PEM encoded, it will have a header
1235 * of "BEGIN NAME".
1236 *
1237 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
1238 * negative error value.
1239 **/
1240 int
1241 gnutls_x509_dn_export (gnutls_x509_dn_t dn,
1242 gnutls_x509_crt_fmt_t format, void *output_data,
1243 size_t * output_data_size)
1244 {
1245 ASN1_TYPE asn1 = dn;
1246
1247 if (asn1 == NULL)
1248 {
1249 gnutls_assert ();
1250 return GNUTLS_E_INVALID_REQUEST;
1251 }
1252
1253 return _gnutls_x509_export_int_named (asn1, "rdnSequence",
1254 format, "NAME",
1255 output_data, output_data_size);
1256 }
1257
1258 /**
1259 * gnutls_x509_dn_export2:
1260 * @dn: Holds the uint8_t DN object
1261 * @format: the format of output params. One of PEM or DER.
1262 * @out: will contain a DN PEM or DER encoded
1263 *
1264 * This function will export the DN to DER or PEM format.
1265 *
1266 * The output buffer is allocated using gnutls_malloc().
1267 *
1268 * If the structure is PEM encoded, it will have a header
1269 * of "BEGIN NAME".
1270 *
1271 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
1272 * negative error value.
1273 **/
1274 int
1275 gnutls_x509_dn_export2 (gnutls_x509_dn_t dn,
1276 gnutls_x509_crt_fmt_t format, gnutls_datum_t *out)
1277 {
1278 ASN1_TYPE asn1 = dn;
1279
1280 if (asn1 == NULL)
1281 {
1282 gnutls_assert ();
1283 return GNUTLS_E_INVALID_REQUEST;
1284 }
1285
1286 return _gnutls_x509_export_int_named2 (asn1, "rdnSequence",
1287 format, "NAME", out);
1288 }
Implementation of the SSL/TLS protocol