search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
kdc: per-target CPPFLAGS do not have an _AM in the variable name
[heimdal.git] / lib / hx509 / req.c
blob5ac1ea7a380a189f47c4d4edbbc20bdda5270bb6
1 /*
2 * Copyright (c) 2006 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "hx_locl.h"
35 #include <pkcs10_asn1.h>
36
37 typedef struct abitstring_s {
38 unsigned char *feats;
39 size_t feat_bytes;
40 } *abitstring;
41
42 struct hx509_request_data {
43 hx509_context context;
44 hx509_name name;
45 SubjectPublicKeyInfo key;
46 KeyUsage ku;
47 ExtKeyUsage eku;
48 GeneralNames san;
49 BasicConstraints bc;
50 struct abitstring_s authorized_EKUs;
51 struct abitstring_s authorized_SANs;
52 uint32_t nunsupported_crit; /* Count of unsupported critical features requested */
53 uint32_t nunsupported_opt; /* Count of unsupported optional features requested */
54 uint32_t nauthorized; /* Count of supported features authorized */
55 uint32_t ca_is_authorized:1;
56 uint32_t ku_are_authorized:1;
57 uint32_t include_BasicConstraints:1;
58 };
59
60 /**
61 * Allocate and initialize an hx509_request structure representing a PKCS#10
62 * certificate signing request.
63 *
64 * @param context An hx509 context.
65 * @param req Where to put the new hx509_request object.
66 *
67 * @return An hx509 error code, see hx509_get_error_string().
68 *
69 * @ingroup hx509_request
70 */
71 HX509_LIB_FUNCTION int HX509_LIB_CALL
72 hx509_request_init(hx509_context context, hx509_request *req)
73 {
74 *req = calloc(1, sizeof(**req));
75 if (*req == NULL)
76 return ENOMEM;
77
78 (*req)->context = context;
79 return 0;
80 }
81
82 /**
83 * Free a certificate signing request object.
84 *
85 * @param req A pointer to the hx509_request to free.
86 *
87 * @ingroup hx509_request
88 */
89 HX509_LIB_FUNCTION void HX509_LIB_CALL
90 hx509_request_free(hx509_request *reqp)
91 {
92 hx509_request req = *reqp;
93
94 *reqp = NULL;
95 if (req == NULL)
96 return;
97 if (req->name)
98 hx509_name_free(&req->name);
99 free(req->authorized_EKUs.feats);
100 free(req->authorized_SANs.feats);
101 free_SubjectPublicKeyInfo(&req->key);
102 free_ExtKeyUsage(&req->eku);
103 free_GeneralNames(&req->san);
104 free_BasicConstraints(&req->bc);
105 memset(req, 0, sizeof(*req));
106 free(req);
107 }
108
109 /**
110 * Make the CSR request a CA certificate
111 *
112 * @param context An hx509 context.
113 * @param req The hx509_request to alter.
114 * @param pathLenConstraint the pathLenConstraint for the BasicConstraints (optional)
115 *
116 * @return An hx509 error code, see hx509_get_error_string().
117 *
118 * @ingroup hx509_request
119 */
120 HX509_LIB_FUNCTION int HX509_LIB_CALL
121 hx509_request_set_cA(hx509_context context,
122 hx509_request req,
123 unsigned *pathLenConstraint)
124 {
125 req->bc.cA = 1;
126 if (pathLenConstraint) {
127 if (req->bc.pathLenConstraint == NULL)
128 req->bc.pathLenConstraint = malloc(sizeof(*pathLenConstraint));
129 if (req->bc.pathLenConstraint == NULL)
130 return ENOMEM;
131 *req->bc.pathLenConstraint = *pathLenConstraint;
132 }
133 return 0;
134 }
135
136 /**
137 * Make the CSR request an EE (end-entity, i.e., not a CA) certificate
138 *
139 * @param context An hx509 context.
140 * @param req The hx509_request to alter.
141 *
142 * @ingroup hx509_request
143 */
144 HX509_LIB_FUNCTION void HX509_LIB_CALL
145 hx509_request_set_eE(hx509_context context, hx509_request req)
146 {
147 req->bc.cA = 0;
148 free(req->bc.pathLenConstraint);
149 req->include_BasicConstraints = 1;
150 req->ca_is_authorized = 0;
151 }
152
153 /**
154 * Set the subjectName of the CSR.
155 *
156 * @param context An hx509 context.
157 * @param req The hx509_request to alter.
158 * @param name The subjectName.
159 *
160 * @return An hx509 error code, see hx509_get_error_string().
161 *
162 * @ingroup hx509_request
163 */
164 HX509_LIB_FUNCTION int HX509_LIB_CALL
165 hx509_request_set_name(hx509_context context,
166 hx509_request req,
167 hx509_name name)
168 {
169 if (req->name)
170 hx509_name_free(&req->name);
171 if (name) {
172 int ret = hx509_name_copy(context, name, &req->name);
173 if (ret)
174 return ret;
175 }
176 return 0;
177 }
178
179 /**
180 * Get the subject name requested by a CSR.
181 *
182 * @param context An hx509 context.
183 * @param req The hx509_request object.
184 * @param name Where to put the name.
185 *
186 * @return An hx509 error code, see hx509_get_error_string().
187 *
188 * @ingroup hx509_request
189 */
190 HX509_LIB_FUNCTION int HX509_LIB_CALL
191 hx509_request_get_name(hx509_context context,
192 hx509_request req,
193 hx509_name *name)
194 {
195 if (req->name == NULL) {
196 hx509_set_error_string(context, 0, EINVAL, "Request has no name");
197 return EINVAL;
198 }
199 return hx509_name_copy(context, req->name, name);
200 }
201
202 /**
203 * Set the subject public key requested by a CSR.
204 *
205 * @param context An hx509 context.
206 * @param req The hx509_request object.
207 * @param key The public key.
208 *
209 * @return An hx509 error code, see hx509_get_error_string().
210 *
211 * @ingroup hx509_request
212 */
213 HX509_LIB_FUNCTION int HX509_LIB_CALL
214 hx509_request_set_SubjectPublicKeyInfo(hx509_context context,
215 hx509_request req,
216 const SubjectPublicKeyInfo *key)
217 {
218 free_SubjectPublicKeyInfo(&req->key);
219 return copy_SubjectPublicKeyInfo(key, &req->key);
220 }
221
222 /**
223 * Get the subject public key requested by a CSR.
224 *
225 * @param context An hx509 context.
226 * @param req The hx509_request object.
227 * @param key Where to put the key.
228 *
229 * @return An hx509 error code, see hx509_get_error_string().
230 *
231 * @ingroup hx509_request
232 */
233 HX509_LIB_FUNCTION int HX509_LIB_CALL
234 hx509_request_get_SubjectPublicKeyInfo(hx509_context context,
235 hx509_request req,
236 SubjectPublicKeyInfo *key)
237 {
238 return copy_SubjectPublicKeyInfo(&req->key, key);
239 }
240
241 /**
242 * Set the key usage requested by a CSR.
243 *
244 * @param context An hx509 context.
245 * @param req The hx509_request object.
246 * @param ku The key usage.
247 *
248 * @return An hx509 error code, see hx509_get_error_string().
249 *
250 * @ingroup hx509_request
251 */
252 HX509_LIB_FUNCTION int HX509_LIB_CALL
253 hx509_request_set_ku(hx509_context context, hx509_request req, KeyUsage ku)
254 {
255 uint64_t n = KeyUsage2int(ku);
256
257 if ((KeyUsage2int(req->ku) & n) != n)
258 req->ku_are_authorized = 0;
259 req->ku = ku;
260 return 0;
261 }
262
263 /**
264 * Get the key usage requested by a CSR.
265 *
266 * @param context An hx509 context.
267 * @param req The hx509_request object.
268 * @param ku Where to put the key usage.
269 *
270 * @return An hx509 error code, see hx509_get_error_string().
271 *
272 * @ingroup hx509_request
273 */
274 HX509_LIB_FUNCTION int HX509_LIB_CALL
275 hx509_request_get_ku(hx509_context context, hx509_request req, KeyUsage *ku)
276 {
277 *ku = req->ku;
278 return 0;
279 }
280
281 /**
282 * Add an extended key usage OID to a CSR.
283 *
284 * @param context An hx509 context.
285 * @param req The hx509_request object.
286 * @param oid The EKU OID.
287 *
288 * @return An hx509 error code, see hx509_get_error_string().
289 *
290 * @ingroup hx509_request
291 */
292 HX509_LIB_FUNCTION int HX509_LIB_CALL
293 hx509_request_add_eku(hx509_context context,
294 hx509_request req,
295 const heim_oid *oid)
296 {
297 void *val;
298 int ret;
299
300 val = realloc(req->eku.val, sizeof(req->eku.val[0]) * (req->eku.len + 1));
301 if (val == NULL)
302 return ENOMEM;
303 req->eku.val = val;
304
305 ret = der_copy_oid(oid, &req->eku.val[req->eku.len]);
306 if (ret)
307 return ret;
308
309 req->eku.len += 1;
310
311 return 0;
312 }
313
314 /**
315 * Add a GeneralName (Jabber ID) subject alternative name to a CSR.
316 *
317 * XXX Make this take a heim_octet_string, not a GeneralName*.
318 *
319 * @param context An hx509 context.
320 * @param req The hx509_request object.
321 * @param gn The GeneralName object.
322 *
323 * @return An hx509 error code, see hx509_get_error_string().
324 *
325 * @ingroup hx509_request
326 */
327 HX509_LIB_FUNCTION int HX509_LIB_CALL
328 hx509_request_add_GeneralName(hx509_context context,
329 hx509_request req,
330 const GeneralName *gn)
331 {
332 return add_GeneralNames(&req->san, gn);
333 }
334
335 static int
336 add_utf8_other_san(hx509_context context,
337 GeneralNames *gns,
338 const heim_oid *oid,
339 const char *s)
340 {
341 const PKIXXmppAddr us = (const PKIXXmppAddr)(uintptr_t)s;
342 GeneralName gn;
343 size_t size;
344 int ret;
345
346 gn.element = choice_GeneralName_otherName;
347 gn.u.otherName.type_id.length = 0;
348 gn.u.otherName.type_id.components = 0;
349 gn.u.otherName.value.data = NULL;
350 gn.u.otherName.value.length = 0;
351 ret = der_copy_oid(oid, &gn.u.otherName.type_id);
352 if (ret == 0)
353 ASN1_MALLOC_ENCODE(PKIXXmppAddr, gn.u.otherName.value.data,
354 gn.u.otherName.value.length, &us, &size, ret);
355 if (ret == 0 && size != gn.u.otherName.value.length)
356 _hx509_abort("internal ASN.1 encoder error");
357 if (ret == 0)
358 ret = add_GeneralNames(gns, &gn);
359 free_GeneralName(&gn);
360 if (ret)
361 hx509_set_error_string(context, 0, ret, "Out of memory");
362 return ret;
363 }
364
365 /**
366 * Add an xmppAddr (Jabber ID) subject alternative name to a CSR.
367 *
368 * @param context An hx509 context.
369 * @param req The hx509_request object.
370 * @param jid The XMPP address.
371 *
372 * @return An hx509 error code, see hx509_get_error_string().
373 *
374 * @ingroup hx509_request
375 */
376 HX509_LIB_FUNCTION int HX509_LIB_CALL
377 hx509_request_add_xmpp_name(hx509_context context,
378 hx509_request req,
379 const char *jid)
380 {
381 return add_utf8_other_san(context, &req->san,
382 &asn1_oid_id_pkix_on_xmppAddr, jid);
383 }
384
385 /**
386 * Add a Microsoft UPN subject alternative name to a CSR.
387 *
388 * @param context An hx509 context.
389 * @param req The hx509_request object.
390 * @param hostname The XMPP address.
391 *
392 * @return An hx509 error code, see hx509_get_error_string().
393 *
394 * @ingroup hx509_request
395 */
396 HX509_LIB_FUNCTION int HX509_LIB_CALL
397 hx509_request_add_ms_upn_name(hx509_context context,
398 hx509_request req,
399 const char *upn)
400 {
401 return add_utf8_other_san(context, &req->san, &asn1_oid_id_pkinit_ms_san,
402 upn);
403 }
404
405 /**
406 * Add a dNSName (hostname) subject alternative name to a CSR.
407 *
408 * @param context An hx509 context.
409 * @param req The hx509_request object.
410 * @param hostname The fully-qualified hostname.
411 *
412 * @return An hx509 error code, see hx509_get_error_string().
413 *
414 * @ingroup hx509_request
415 */
416 HX509_LIB_FUNCTION int HX509_LIB_CALL
417 hx509_request_add_dns_name(hx509_context context,
418 hx509_request req,
419 const char *hostname)
420 {
421 GeneralName name;
422
423 memset(&name, 0, sizeof(name));
424 name.element = choice_GeneralName_dNSName;
425 name.u.dNSName.data = rk_UNCONST(hostname);
426 name.u.dNSName.length = strlen(hostname);
427
428 return add_GeneralNames(&req->san, &name);
429 }
430
431 /**
432 * Add a dnsSRV (_service.hostname) subject alternative name to a CSR.
433 *
434 * @param context An hx509 context.
435 * @param req The hx509_request object.
436 * @param dnssrv The DNS SRV name.
437 *
438 * @return An hx509 error code, see hx509_get_error_string().
439 *
440 * @ingroup hx509_request
441 */
442 HX509_LIB_FUNCTION int HX509_LIB_CALL
443 hx509_request_add_dns_srv(hx509_context context,
444 hx509_request req,
445 const char *dnssrv)
446 {
447 GeneralName gn;
448 SRVName n;
449 size_t size;
450 int ret;
451
452 memset(&n, 0, sizeof(n));
453 memset(&gn, 0, sizeof(gn));
454 gn.element = choice_GeneralName_otherName;
455 gn.u.otherName.type_id.length = 0;
456 gn.u.otherName.type_id.components = 0;
457 gn.u.otherName.value.data = NULL;
458 gn.u.otherName.value.length = 0;
459 n.length = strlen(dnssrv);
460 n.data = (void *)(uintptr_t)dnssrv;
461 ASN1_MALLOC_ENCODE(SRVName,
462 gn.u.otherName.value.data,
463 gn.u.otherName.value.length, &n, &size, ret);
464 if (ret == 0)
465 ret = der_copy_oid(&asn1_oid_id_pkix_on_dnsSRV, &gn.u.otherName.type_id);
466 if (ret == 0)
467 ret = add_GeneralNames(&req->san, &gn);
468 free_GeneralName(&gn);
469 return ret;
470 }
471
472 /**
473 * Add an rfc822Name (e-mail address) subject alternative name to a CSR.
474 *
475 * @param context An hx509 context.
476 * @param req The hx509_request object.
477 * @param email The e-mail address.
478 *
479 * @return An hx509 error code, see hx509_get_error_string().
480 *
481 * @ingroup hx509_request
482 */
483 HX509_LIB_FUNCTION int HX509_LIB_CALL
484 hx509_request_add_email(hx509_context context,
485 hx509_request req,
486 const char *email)
487 {
488 GeneralName name;
489
490 memset(&name, 0, sizeof(name));
491 name.element = choice_GeneralName_rfc822Name;
492 name.u.rfc822Name.data = rk_UNCONST(email);
493 name.u.rfc822Name.length = strlen(email);
494
495 return add_GeneralNames(&req->san, &name);
496 }
497
498 /**
499 * Add a registeredID (OID) subject alternative name to a CSR.
500 *
501 * @param context An hx509 context.
502 * @param req The hx509_request object.
503 * @param oid The OID.
504 *
505 * @return An hx509 error code, see hx509_get_error_string().
506 *
507 * @ingroup hx509_request
508 */
509 HX509_LIB_FUNCTION int HX509_LIB_CALL
510 hx509_request_add_registered(hx509_context context,
511 hx509_request req,
512 heim_oid *oid)
513 {
514 GeneralName name;
515 int ret;
516
517 memset(&name, 0, sizeof(name));
518 name.element = choice_GeneralName_registeredID;
519 ret = der_copy_oid(oid, &name.u.registeredID);
520 if (ret)
521 return ret;
522 ret = add_GeneralNames(&req->san, &name);
523 free_GeneralName(&name);
524 return ret;
525 }
526
527 /**
528 * Add a Kerberos V5 principal subject alternative name to a CSR.
529 *
530 * @param context An hx509 context.
531 * @param req The hx509_request object.
532 * @param princ The Kerberos principal name.
533 *
534 * @return An hx509 error code, see hx509_get_error_string().
535 *
536 * @ingroup hx509_request
537 */
538 HX509_LIB_FUNCTION int HX509_LIB_CALL
539 hx509_request_add_pkinit(hx509_context context,
540 hx509_request req,
541 const char *princ)
542 {
543 KRB5PrincipalName kn;
544 GeneralName gn;
545 int ret;
546
547 memset(&kn, 0, sizeof(kn));
548 memset(&gn, 0, sizeof(gn));
549 gn.element = choice_GeneralName_otherName;
550 gn.u.otherName.type_id.length = 0;
551 gn.u.otherName.type_id.components = 0;
552 gn.u.otherName.value.data = NULL;
553 gn.u.otherName.value.length = 0;
554 ret = der_copy_oid(&asn1_oid_id_pkinit_san, &gn.u.otherName.type_id);
555 if (ret == 0)
556 ret = _hx509_make_pkinit_san(context, princ, &gn.u.otherName.value);
557 if (ret == 0)
558 ret = add_GeneralNames(&req->san, &gn);
559 free_GeneralName(&gn);
560 return ret;
561 }
562
563 /* XXX Add DNSSRV and other SANs */
564
565 static int
566 get_exts(hx509_context context,
567 const hx509_request req,
568 Extensions *exts)
569 {
570 size_t size;
571 int ret = 0;
572
573 exts->val = NULL;
574 exts->len = 0;
575
576 if (req->bc.cA || req->include_BasicConstraints) {
577 Extension e;
578
579 /*
580 * If `!req->bc.cA' then we don't include BasicConstraints unless
581 * hx509_request_set_eE() was called on this request, and in that case
582 * we make this extension non-critical. We do this to emulate Dell
583 * iDRAC CSR-making software.
584 *
585 * If `req->bc.cA' then we make the BasicConstraints critical,
586 * obviously.
587 */
588 memset(&e, 0, sizeof(e));
589 e.critical = req->bc.cA ? 1 : 0;
590 if (ret == 0)
591 ASN1_MALLOC_ENCODE(BasicConstraints, e.extnValue.data, e.extnValue.length,
592 &req->bc, &size, ret);
593 if (ret == 0)
594 ret = der_copy_oid(&asn1_oid_id_x509_ce_basicConstraints, &e.extnID);
595 if (ret == 0)
596 ret = add_Extensions(exts, &e);
597 free_Extension(&e);
598 }
599 if (KeyUsage2int(req->ku)) {
600 Extension e;
601
602 memset(&e, 0, sizeof(e));
603 /* The critical field needs to be made DEFAULT FALSE... */
604 e.critical = 1;
605 if (ret == 0)
606 ASN1_MALLOC_ENCODE(KeyUsage, e.extnValue.data, e.extnValue.length,
607 &req->ku, &size, ret);
608 if (ret == 0)
609 ret = der_copy_oid(&asn1_oid_id_x509_ce_keyUsage, &e.extnID);
610 if (ret == 0)
611 ret = add_Extensions(exts, &e);
612 free_Extension(&e);
613 }
614 if (ret == 0 && req->eku.len) {
615 Extension e;
616
617 memset(&e, 0, sizeof(e));
618 e.critical = 1;
619 if (ret == 0)
620 ASN1_MALLOC_ENCODE(ExtKeyUsage,
621 e.extnValue.data, e.extnValue.length,
622 &req->eku, &size, ret);
623 if (ret == 0)
624 ret = der_copy_oid(&asn1_oid_id_x509_ce_extKeyUsage, &e.extnID);
625 if (ret == 0)
626 ret = add_Extensions(exts, &e);
627 free_Extension(&e);
628 }
629 if (ret == 0 && req->san.len) {
630 Extension e;
631
632 memset(&e, 0, sizeof(e));
633 /*
634 * SANs are critical when the subject Name is empty.
635 *
636 * The empty DN check could probably stand to be a function we export.
637 */
638 e.critical = FALSE;
639 if (req->name &&
640 req->name->der_name.element == choice_Name_rdnSequence &&
641 req->name->der_name.u.rdnSequence.len == 0)
642 e.critical = 1;
643 if (ret == 0)
644 ASN1_MALLOC_ENCODE(GeneralNames,
645 e.extnValue.data, e.extnValue.length,
646 &req->san,
647 &size, ret);
648 if (ret == 0)
649 ret = der_copy_oid(&asn1_oid_id_x509_ce_subjectAltName, &e.extnID);
650 if (ret == 0)
651 ret = add_Extensions(exts, &e);
652 free_Extension(&e);
653 }
654
655 return ret;
656 }
657
658 /**
659 * Get the KU/EKUs/SANs set on a request as a DER-encoding of Extensions.
660 *
661 * @param context An hx509 context.
662 * @param req The hx509_request object.
663 * @param exts_der Where to put the DER-encoded Extensions.
664 *
665 * @return An hx509 error code, see hx509_get_error_string().
666 *
667 * @ingroup hx509_request
668 */
669 HX509_LIB_FUNCTION int HX509_LIB_CALL
670 hx509_request_get_exts(hx509_context context,
671 const hx509_request req,
672 heim_octet_string *exts_der)
673 {
674 Extensions exts;
675 size_t size;
676 int ret;
677
678 exts_der->data = NULL;
679 exts_der->length = 0;
680 ret = get_exts(context, req, &exts);
681 if (ret == 0 && exts.len /* Extensions has a min size constraint of 1 */)
682 ASN1_MALLOC_ENCODE(Extensions, exts_der->data, exts_der->length,
683 &exts, &size, ret);
684 free_Extensions(&exts);
685 return ret;
686 }
687
688 /* XXX Add PEM */
689
690 /**
691 * Encode a CSR.
692 *
693 * @param context An hx509 context.
694 * @param req The hx509_request object.
695 * @param signer The private key corresponding to the CSR's subject public key.
696 * @param request Where to put the DER-encoded CSR.
697 *
698 * @return An hx509 error code, see hx509_get_error_string().
699 *
700 * @ingroup hx509_request
701 */
702 HX509_LIB_FUNCTION int HX509_LIB_CALL
703 hx509_request_to_pkcs10(hx509_context context,
704 const hx509_request req,
705 const hx509_private_key signer,
706 heim_octet_string *request)
707 {
708 CertificationRequest r;
709 Extensions exts;
710 heim_octet_string data;
711 size_t size;
712 int ret;
713
714 request->data = NULL;
715 request->length = 0;
716
717 data.length = 0;
718 data.data = NULL;
719
720 if (req->name == NULL) {
721 hx509_set_error_string(context, 0, EINVAL,
722 "PKCS10 needs to have a subject");
723 return EINVAL;
724 }
725
726 memset(&r, 0, sizeof(r));
727
728 /* Setup CSR */
729 r.certificationRequestInfo.version = pkcs10_v1;
730 ret = copy_Name(&req->name->der_name,
731 &r.certificationRequestInfo.subject);
732 if (ret == 0)
733 ret = copy_SubjectPublicKeyInfo(&req->key,
734 &r.certificationRequestInfo.subjectPKInfo);
735
736 /* Encode extReq attribute with requested Certificate Extensions */
737
738 if (ret == 0)
739 ret = get_exts(context, req, &exts);
740 if (ret == 0 && exts.len) {
741 Attribute *a = NULL; /* Quiet VC */
742 heim_any extns;
743
744 extns.data = NULL;
745 extns.length = 0;
746 r.certificationRequestInfo.attributes =
747 calloc(1, sizeof(r.certificationRequestInfo.attributes[0]));
748 if (r.certificationRequestInfo.attributes == NULL)
749 ret = ENOMEM;
750 if (ret == 0) {
751 r.certificationRequestInfo.attributes[0].len = 1;
752 r.certificationRequestInfo.attributes[0].val =
753 calloc(1, sizeof(r.certificationRequestInfo.attributes[0].val[0]));
754 if (r.certificationRequestInfo.attributes[0].val == NULL)
755 ret = ENOMEM;
756 if (ret == 0)
757 a = r.certificationRequestInfo.attributes[0].val;
758 }
759 if (ret == 0)
760 ASN1_MALLOC_ENCODE(Extensions, extns.data, extns.length,
761 &exts, &size, ret);
762 if (ret == 0 && a)
763 ret = der_copy_oid(&asn1_oid_id_pkcs9_extReq, &a->type);
764 if (ret == 0)
765 ret = add_AttributeValues(&a->value, &extns);
766 free_heim_any(&extns);
767 }
768
769 /* Encode CSR body for signing */
770 if (ret == 0)
771 ASN1_MALLOC_ENCODE(CertificationRequestInfo, data.data, data.length,
772 &r.certificationRequestInfo, &size, ret);
773 if (ret == 0 && data.length != size)
774 abort();
775
776 /* Self-sign CSR body */
777 if (ret == 0) {
778 ret = _hx509_create_signature_bitstring(context, signer,
779 _hx509_crypto_default_sig_alg,
780 &data,
781 &r.signatureAlgorithm,
782 &r.signature);
783 }
784 free(data.data);
785
786 /* Encode CSR */
787 if (ret == 0)
788 ASN1_MALLOC_ENCODE(CertificationRequest, request->data, request->length,
789 &r, &size, ret);
790 if (ret == 0 && request->length != size)
791 abort();
792
793 free_CertificationRequest(&r);
794 free_Extensions(&exts);
795 return ret;
796 }
797
798 /**
799 * Parse an encoded CSR and verify its self-signature.
800 *
801 * @param context An hx509 context.
802 * @param der The DER-encoded CSR.
803 * @param req Where to put request object.
804 *
805 * @return An hx509 error code, see hx509_get_error_string().
806 *
807 * @ingroup hx509_request
808 */
809 HX509_LIB_FUNCTION int HX509_LIB_CALL
810 hx509_request_parse_der(hx509_context context,
811 heim_octet_string *der,
812 hx509_request *req)
813 {
814 CertificationRequestInfo *rinfo = NULL;
815 CertificationRequest r;
816 hx509_cert signer = NULL;
817 Extensions exts;
818 size_t i, size;
819 int ret;
820
821 memset(&exts, 0, sizeof(exts));
822
823 /* Initial setup and decoding of CSR */
824 ret = hx509_request_init(context, req);
825 if (ret)
826 return ret;
827 ret = decode_CertificationRequest(der->data, der->length, &r, &size);
828 if (ret) {
829 hx509_set_error_string(context, 0, ret, "Failed to decode CSR");
830 free(*req);
831 *req = NULL;
832 return ret;
833 }
834 rinfo = &r.certificationRequestInfo;
835
836 /*
837 * Setup a 'signer' for verifying the self-signature for proof of
838 * possession.
839 *
840 * Sadly we need a "certificate" here because _hx509_verify_signature_*()
841 * functions want one as a signer even though all the verification
842 * functions that use the signer argument only ever use the spki of the
843 * signer certificate.
844 *
845 * FIXME Change struct signature_alg's verify_signature's prototype to use
846 * an spki instead of an hx509_cert as the signer! The we won't have
847 * to do this.
848 */
849 if (ret == 0) {
850 Certificate c;
851 memset(&c, 0, sizeof(c));
852 c.tbsCertificate.subjectPublicKeyInfo = rinfo->subjectPKInfo;
853 if ((signer = hx509_cert_init(context, &c, NULL)) == NULL)
854 ret = ENOMEM;
855 }
856
857 /* Verify the signature */
858 if (ret == 0)
859 ret = _hx509_verify_signature_bitstring(context, signer,
860 &r.signatureAlgorithm,
861 &rinfo->_save,
862 &r.signature);
863 if (ret)
864 hx509_set_error_string(context, 0, ret,
865 "CSR signature verification failed");
866 hx509_cert_free(signer);
867
868 /* Populate the hx509_request */
869 if (ret == 0)
870 ret = hx509_request_set_SubjectPublicKeyInfo(context, *req,
871 &rinfo->subjectPKInfo);
872 if (ret == 0)
873 ret = _hx509_name_from_Name(&rinfo->subject, &(*req)->name);
874
875 /* Extract KUs, EKUs, and SANs from the CSR's attributes */
876 if (ret || !rinfo->attributes || !rinfo->attributes[0].len)
877 goto out;
878
879 for (i = 0; ret == 0 && i < rinfo->attributes[0].len; i++) {
880 Attribute *a = &rinfo->attributes[0].val[i];
881 heim_any *av = NULL;
882
883 /* We only support Extensions request attributes */
884 if (der_heim_oid_cmp(&a->type, &asn1_oid_id_pkcs9_extReq) != 0) {
885 char *oidstr = NULL;
886
887 /*
888 * We need an HX509_TRACE facility for this sort of warning.
889 *
890 * We'd put the warning in the context and then allow the caller to
891 * extract and reset the warning.
892 *
893 * FIXME
894 */
895 der_print_heim_oid(&a->type, '.', &oidstr);
896 warnx("Unknown or unsupported CSR attribute %s",
897 oidstr ? oidstr : "<error decoding OID>");
898 free(oidstr);
899 continue;
900 }
901 if (!a->value.val)
902 continue;
903
904 av = a->value.val;
905 ret = decode_Extensions(av->data, av->length, &exts, NULL);
906 if (ret) {
907 hx509_set_error_string(context, 0, ret,
908 "CSR signature verification failed "
909 "due to invalid extReq attribute");
910 goto out;
911 }
912 }
913 for (i = 0; ret == 0 && i < exts.len; i++) {
914 const char *what = "";
915 Extension *e = &exts.val[i];
916
917 if (der_heim_oid_cmp(&e->extnID,
918 &asn1_oid_id_x509_ce_keyUsage) == 0) {
919 ret = decode_KeyUsage(e->extnValue.data, e->extnValue.length,
920 &(*req)->ku, NULL);
921 what = "keyUsage";
922 /*
923 * Count all KUs as one requested extension to be authorized,
924 * though the caller will have to check the KU values individually.
925 */
926 if (KeyUsage2int((*req)->ku) & ~KeyUsage2int(int2KeyUsage(~0ULL))) {
927 if (e->critical)
928 (*req)->nunsupported_crit++;
929 else
930 (*req)->nunsupported_opt++;
931 }
932 } else if (der_heim_oid_cmp(&e->extnID,
933 &asn1_oid_id_x509_ce_extKeyUsage) == 0) {
934 ret = decode_ExtKeyUsage(e->extnValue.data, e->extnValue.length,
935 &(*req)->eku, NULL);
936 what = "extKeyUsage";
937
938 /*
939 * Count each EKU as a separate requested extension to be
940 * authorized.
941 */
942 } else if (der_heim_oid_cmp(&e->extnID,
943 &asn1_oid_id_x509_ce_subjectAltName) == 0) {
944 ret = decode_GeneralNames(e->extnValue.data, e->extnValue.length,
945 &(*req)->san, NULL);
946 what = "subjectAlternativeName";
947
948 /*
949 * Count each SAN as a separate requested extension to be
950 * authorized.
951 */
952 } else if (der_heim_oid_cmp(&e->extnID,
953 &asn1_oid_id_x509_ce_basicConstraints) == 0) {
954 (*req)->include_BasicConstraints = 1;
955 ret = decode_BasicConstraints(e->extnValue.data, e->extnValue.length,
956 &(*req)->bc, NULL);
957 } else {
958 char *oidstr = NULL;
959
960 if (e->critical)
961 (*req)->nunsupported_crit++;
962 else
963 (*req)->nunsupported_opt++;
964
965 /*
966 * We need an HX509_TRACE facility for this sort of warning.
967 *
968 * We'd put the warning in the context and then allow the caller to
969 * extract and reset the warning.
970 *
971 * FIXME
972 */
973 der_print_heim_oid(&e->extnID, '.', &oidstr);
974 warnx("Unknown or unsupported CSR extension request %s",
975 oidstr ? oidstr : "<error decoding OID>");
976 free(oidstr);
977 }
978 if (ret) {
979 hx509_set_error_string(context, 0, ret,
980 "CSR signature verification failed "
981 "due to invalid %s extension", what);
982 break;
983 }
984 }
985
986 out:
987 free_CertificationRequest(&r);
988 free_Extensions(&exts);
989 if (ret)
990 hx509_request_free(req);
991 return ret;
992 }
993
994 /**
995 * Parse an encoded CSR and verify its self-signature.
996 *
997 * @param context An hx509 context.
998 * @param csr The name of a store containing the CSR ("PKCS10:/path/to/file")
999 * @param req Where to put request object.
1000 *
1001 * @return An hx509 error code, see hx509_get_error_string().
1002 *
1003 * @ingroup hx509_request
1004 */
1005 HX509_LIB_FUNCTION int HX509_LIB_CALL
1006 hx509_request_parse(hx509_context context,
1007 const char *csr,
1008 hx509_request *req)
1009 {
1010 heim_octet_string d;
1011 int ret;
1012
1013 /* XXX Add support for PEM */
1014 if (strncmp(csr, "PKCS10:", 7) != 0) {
1015 hx509_set_error_string(context, 0, HX509_UNSUPPORTED_OPERATION,
1016 "CSR location does not start with \"PKCS10:\": %s",
1017 csr);
1018 return HX509_UNSUPPORTED_OPERATION;
1019 }
1020
1021 ret = rk_undumpdata(csr + 7, &d.data, &d.length);
1022 if (ret) {
1023 hx509_set_error_string(context, 0, ret, "Could not read %s", csr);
1024 return ret;
1025 }
1026
1027 ret = hx509_request_parse_der(context, &d, req);
1028 free(d.data);
1029 if (ret)
1030 hx509_set_error_string(context, HX509_ERROR_APPEND, ret,
1031 " (while parsing CSR from %s)", csr);
1032 return ret;
1033 }
1034
1035 /**
1036 * Get some EKU from a CSR. Usable as an iterator.
1037 *
1038 * @param context An hx509 context.
1039 * @param req The hx509_request object.
1040 * @param idx The index of the EKU (0 for the first) to return
1041 * @param out A pointer to a char * variable where the OID will be placed
1042 * (caller must free with free())
1043 *
1044 * @return Zero on success, HX509_NO_ITEM if no such item exists (denoting
1045 * iteration end), or an error.
1046 *
1047 * @ingroup hx509_request
1048 */
1049 HX509_LIB_FUNCTION int HX509_LIB_CALL
1050 hx509_request_get_eku(hx509_request req,
1051 size_t idx,
1052 char **out)
1053 {
1054 *out = NULL;
1055 if (idx >= req->eku.len)
1056 return HX509_NO_ITEM;
1057 return der_print_heim_oid(&req->eku.val[idx], '.', out);
1058 }
1059
1060 static int
1061 abitstring_check(abitstring a, size_t n, int idx)
1062 {
1063 size_t bytes;
1064
1065 if (idx >= n)
1066 return HX509_NO_ITEM;
1067
1068 bytes = (idx + 1) / CHAR_BIT + (((idx + 1) % CHAR_BIT) ? 1 : 0);
1069 if (a->feat_bytes < bytes)
1070 return 0;
1071
1072 return !!(a->feats[idx / CHAR_BIT] & (1UL<<(idx % CHAR_BIT)));
1073 }
1074
1075 /*
1076 * Sets and returns 0 if not already set, -1 if already set. Positive return
1077 * values are system errors.
1078 */
1079 static int
1080 abitstring_set(abitstring a, size_t n, int idx)
1081 {
1082 size_t bytes;
1083
1084 if (idx >= n)
1085 return HX509_NO_ITEM;
1086
1087 bytes = n / CHAR_BIT + ((n % CHAR_BIT) ? 1 : 0);
1088 if (a->feat_bytes < bytes) {
1089 unsigned char *tmp;
1090
1091 if ((tmp = realloc(a->feats, bytes)) == NULL)
1092 return ENOMEM;
1093 memset(tmp + a->feat_bytes, 0, bytes - a->feat_bytes);
1094 a->feats = tmp;
1095 a->feat_bytes = bytes;
1096 }
1097
1098 if (!(a->feats[idx / CHAR_BIT] & (1UL<<(idx % CHAR_BIT)))) {
1099 a->feats[idx / CHAR_BIT] |= 1UL<<(idx % CHAR_BIT);
1100 return 0;
1101 }
1102 return -1;
1103 }
1104
1105 /*
1106 * Resets and returns 0 if not already reset, -1 if already reset. Positive
1107 * return values are system errors.
1108 */
1109 static int
1110 abitstring_reset(abitstring a, size_t n, int idx)
1111 {
1112 size_t bytes;
1113
1114 if (idx >= n)
1115 return HX509_NO_ITEM;
1116
1117 bytes = (idx + 1) / CHAR_BIT + (((idx + 1) % CHAR_BIT) ? 1 : 0);
1118 if (a->feat_bytes >= bytes &&
1119 (a->feats[idx / CHAR_BIT] & (1UL<<(idx % CHAR_BIT)))) {
1120 a->feats[idx / CHAR_BIT] &= ~(1UL<<(idx % CHAR_BIT));
1121 return 0;
1122 }
1123 return -1;
1124 }
1125
1126 static int
1127 authorize_feat(hx509_request req, abitstring a, size_t n, int idx)
1128 {
1129 int ret;
1130
1131 ret = abitstring_set(a, n, idx);
1132 switch (ret) {
1133 case 0:
1134 req->nauthorized++;
1135 HEIM_FALLTHROUGH;
1136 case -1:
1137 return 0;
1138 default:
1139 return ret;
1140 }
1141 }
1142
1143 static int
1144 reject_feat(hx509_request req, abitstring a, size_t n, int idx)
1145 {
1146 int ret;
1147
1148 ret = abitstring_reset(a, n, idx);
1149 switch (ret) {
1150 case 0:
1151 req->nauthorized--;
1152 HEIM_FALLTHROUGH;
1153 case -1:
1154 return 0;
1155 default:
1156 return ret;
1157 }
1158 }
1159
1160 /**
1161 * Authorize issuance of a CA certificate as requested.
1162 *
1163 * @param req The hx509_request object.
1164 * @param pathLenConstraint the pathLenConstraint for the BasicConstraints (optional)
1165 *
1166 * @return an hx509 or system error.
1167 *
1168 * @ingroup hx509_request
1169 */
1170 HX509_LIB_FUNCTION int HX509_LIB_CALL
1171 hx509_request_authorize_cA(hx509_request req, unsigned *pathLenConstraint)
1172 {
1173 int ret;
1174
1175 ret = hx509_request_set_cA(NULL, req, pathLenConstraint);
1176 req->ca_is_authorized++;
1177 return ret;
1178 }
1179
1180 /**
1181 * Filter the requested KeyUsage and mark it authorized.
1182 *
1183 * @param req The hx509_request object.
1184 * @param ku Permitted KeyUsage
1185 *
1186 * @ingroup hx509_request
1187 */
1188 HX509_LIB_FUNCTION void HX509_LIB_CALL
1189 hx509_request_authorize_ku(hx509_request req, KeyUsage ku)
1190 {
1191 (void) hx509_request_set_ku(NULL, req, ku);
1192 req->ku = int2KeyUsage(KeyUsage2int(req->ku) & KeyUsage2int(ku));
1193 if (KeyUsage2int(ku))
1194 req->ku_are_authorized = 1;
1195 }
1196
1197 /**
1198 * Mark a requested EKU as authorized.
1199 *
1200 * @param req The hx509_request object.
1201 * @param idx The index of an EKU that can be fetched with
1202 * hx509_request_get_eku()
1203 *
1204 * @return Zero on success, an error otherwise.
1205 *
1206 * @ingroup hx509_request
1207 */
1208 HX509_LIB_FUNCTION int HX509_LIB_CALL
1209 hx509_request_authorize_eku(hx509_request req, size_t idx)
1210 {
1211 return authorize_feat(req, &req->authorized_EKUs, req->eku.len, idx);
1212 }
1213
1214 /**
1215 * Mark a requested EKU as not authorized.
1216 *
1217 * @param req The hx509_request object.
1218 * @param idx The index of an EKU that can be fetched with
1219 * hx509_request_get_eku()
1220 *
1221 * @return Zero on success, an error otherwise.
1222 *
1223 * @ingroup hx509_request
1224 */
1225 HX509_LIB_FUNCTION int HX509_LIB_CALL
1226 hx509_request_reject_eku(hx509_request req, size_t idx)
1227 {
1228 return reject_feat(req, &req->authorized_EKUs, req->eku.len, idx);
1229 }
1230
1231 /**
1232 * Check if an EKU has been marked authorized.
1233 *
1234 * @param req The hx509_request object.
1235 * @param idx The index of an EKU that can be fetched with
1236 * hx509_request_get_eku()
1237 *
1238 * @return Non-zero if authorized, zero if not.
1239 *
1240 * @ingroup hx509_request
1241 */
1242 HX509_LIB_FUNCTION int HX509_LIB_CALL
1243 hx509_request_eku_authorized_p(hx509_request req, size_t idx)
1244 {
1245 return abitstring_check(&req->authorized_EKUs, req->eku.len, idx);
1246 }
1247
1248 /**
1249 * Mark a requested SAN as authorized.
1250 *
1251 * @param req The hx509_request object.
1252 * @param idx The cursor as modified by a SAN iterator.
1253 *
1254 * @return Zero on success, an error otherwise.
1255 *
1256 * @ingroup hx509_request
1257 */
1258 HX509_LIB_FUNCTION int HX509_LIB_CALL
1259 hx509_request_authorize_san(hx509_request req, size_t idx)
1260 {
1261 return authorize_feat(req, &req->authorized_SANs, req->san.len, idx);
1262 }
1263
1264 /**
1265 * Mark a requested SAN as not authorized.
1266 *
1267 * @param req The hx509_request object.
1268 * @param idx The cursor as modified by a SAN iterator.
1269 *
1270 * @return Zero on success, an error otherwise.
1271 *
1272 * @ingroup hx509_request
1273 */
1274 HX509_LIB_FUNCTION int HX509_LIB_CALL
1275 hx509_request_reject_san(hx509_request req, size_t idx)
1276 {
1277 return reject_feat(req, &req->authorized_SANs, req->san.len, idx);
1278 }
1279
1280 /**
1281 * Check if a SAN has been marked authorized.
1282 *
1283 * @param req The hx509_request object.
1284 * @param idx The index of a SAN that can be fetched with
1285 * hx509_request_get_san()
1286 *
1287 * @return Non-zero if authorized, zero if not.
1288 *
1289 * @ingroup hx509_request
1290 */
1291 HX509_LIB_FUNCTION int HX509_LIB_CALL
1292 hx509_request_san_authorized_p(hx509_request req, size_t idx)
1293 {
1294 return abitstring_check(&req->authorized_SANs, req->san.len, idx);
1295 }
1296
1297 /**
1298 * Return the count of unsupported requested certificate extensions.
1299 *
1300 * @param req The hx509_request object.
1301 * @return The number of unsupported certificate extensions requested.
1302 *
1303 * @ingroup hx509_request
1304 */
1305 HX509_LIB_FUNCTION size_t HX509_LIB_CALL
1306 hx509_request_count_unsupported(hx509_request req)
1307 {
1308 return req->nunsupported_crit;
1309 }
1310
1311 /**
1312 * Return the count of as-yet unauthorized certificate extensions requested.
1313 *
1314 * @param req The hx509_request object.
1315 * @return The number of as-yet unauthorized certificate extensions requested.
1316 *
1317 * @ingroup hx509_request
1318 */
1319 HX509_LIB_FUNCTION size_t HX509_LIB_CALL
1320 hx509_request_count_unauthorized(hx509_request req)
1321 {
1322 size_t nrequested = req->eku.len + req->san.len +
1323 (KeyUsage2int(req->ku) ? 1 : 0) + !!req->bc.cA +
1324 req->nunsupported_crit;
1325
1326 return nrequested - (req->nauthorized + req->ku_are_authorized + req->ca_is_authorized);
1327 }
1328
1329 static hx509_san_type
1330 san_map_type(GeneralName *san)
1331 {
1332 static const struct {
1333 const heim_oid *oid;
1334 hx509_san_type type;
1335 } map[] = {
1336 { &asn1_oid_id_pkix_on_dnsSRV, HX509_SAN_TYPE_DNSSRV },
1337 { &asn1_oid_id_pkinit_san, HX509_SAN_TYPE_PKINIT },
1338 { &asn1_oid_id_pkix_on_xmppAddr, HX509_SAN_TYPE_XMPP },
1339 { &asn1_oid_id_pkinit_ms_san, HX509_SAN_TYPE_MS_UPN },
1340 { &asn1_oid_id_pkix_on_permanentIdentifier, HX509_SAN_TYPE_PERMANENT_ID },
1341 { &asn1_oid_id_on_hardwareModuleName, HX509_SAN_TYPE_HW_MODULE },
1342 };
1343 size_t i;
1344
1345 switch (san->element) {
1346 case choice_GeneralName_rfc822Name: return HX509_SAN_TYPE_EMAIL;
1347 case choice_GeneralName_dNSName: return HX509_SAN_TYPE_DNSNAME;
1348 case choice_GeneralName_directoryName: return HX509_SAN_TYPE_DN;
1349 case choice_GeneralName_registeredID: return HX509_SAN_TYPE_REGISTERED_ID;
1350 case choice_GeneralName_otherName: {
1351 for (i = 0; i < sizeof(map)/sizeof(map[0]); i++)
1352 if (der_heim_oid_cmp(&san->u.otherName.type_id, map[i].oid) == 0)
1353 return map[i].type;
1354 }
1355 HEIM_FALLTHROUGH;
1356 default: return HX509_SAN_TYPE_UNSUPPORTED;
1357 }
1358 }
1359
1360 /**
1361 * Return the count of as-yet unauthorized certificate extensions requested.
1362 *
1363 * @param req The hx509_request object.
1364 *
1365 * @ingroup hx509_request
1366 */
1367 HX509_LIB_FUNCTION size_t HX509_LIB_CALL
1368 hx509_request_get_san(hx509_request req,
1369 size_t idx,
1370 hx509_san_type *type,
1371 char **out)
1372 {
1373 struct rk_strpool *pool = NULL;
1374 GeneralName *san;
1375
1376 *out = NULL;
1377 if (idx >= req->san.len)
1378 return HX509_NO_ITEM;
1379
1380 san = &req->san.val[idx];
1381 switch ((*type = san_map_type(san))) {
1382 case HX509_SAN_TYPE_UNSUPPORTED: return 0;
1383 case HX509_SAN_TYPE_EMAIL:
1384 *out = strndup(san->u.rfc822Name.data,
1385 san->u.rfc822Name.length);
1386 break;
1387 case HX509_SAN_TYPE_DNSNAME:
1388 *out = strndup(san->u.dNSName.data,
1389 san->u.dNSName.length);
1390 break;
1391 case HX509_SAN_TYPE_DNSSRV: {
1392 SRVName name;
1393 size_t size;
1394 int ret;
1395
1396 ret = decode_SRVName(san->u.otherName.value.data,
1397 san->u.otherName.value.length, &name, &size);
1398 if (ret)
1399 return ret;
1400 *out = strndup(name.data, name.length);
1401 break;
1402 }
1403 case HX509_SAN_TYPE_PERMANENT_ID: {
1404 PermanentIdentifier pi;
1405 size_t size;
1406 char *s = NULL;
1407 int ret;
1408
1409 ret = decode_PermanentIdentifier(san->u.otherName.value.data,
1410 san->u.otherName.value.length,
1411 &pi, &size);
1412 if (ret == 0 && pi.assigner) {
1413 ret = der_print_heim_oid(pi.assigner, '.', &s);
1414 if (ret == 0 &&
1415 (pool = rk_strpoolprintf(NULL, "%s", s)) == NULL)
1416 ret = ENOMEM;
1417 } else if (ret == 0) {
1418 pool = rk_strpoolprintf(NULL, "-");
1419 }
1420 if (ret == 0 &&
1421 (pool = rk_strpoolprintf(pool, "%s%s",
1422 *pi.identifierValue ? " " : "",
1423 *pi.identifierValue ? *pi.identifierValue : "")) == NULL)
1424 ret = ENOMEM;
1425 if (ret == 0 && (*out = rk_strpoolcollect(pool)) == NULL)
1426 ret = ENOMEM;
1427 free_PermanentIdentifier(&pi);
1428 free(s);
1429 return ret;
1430 }
1431 case HX509_SAN_TYPE_HW_MODULE: {
1432 HardwareModuleName hn;
1433 size_t size;
1434 char *s = NULL;
1435 int ret;
1436
1437 ret = decode_HardwareModuleName(san->u.otherName.value.data,
1438 san->u.otherName.value.length,
1439 &hn, &size);
1440 if (ret == 0 && hn.hwSerialNum.length > 256)
1441 hn.hwSerialNum.length = 256;
1442 if (ret == 0)
1443 ret = der_print_heim_oid(&hn.hwType, '.', &s);
1444 if (ret == 0)
1445 pool = rk_strpoolprintf(NULL, "%s", s);
1446 if (ret == 0 && pool)
1447 pool = rk_strpoolprintf(pool, " %.*s",
1448 (int)hn.hwSerialNum.length,
1449 (char *)hn.hwSerialNum.data);
1450 if (ret == 0 &&
1451 (pool == NULL || (*out = rk_strpoolcollect(pool)) == NULL))
1452 ret = ENOMEM;
1453 free_HardwareModuleName(&hn);
1454 return ret;
1455 }
1456 case HX509_SAN_TYPE_DN: {
1457 Name name;
1458
1459 if (san->u.directoryName.element == choice_Name_rdnSequence) {
1460 name.element = choice_Name_rdnSequence;
1461 name.u.rdnSequence = san->u.directoryName.u.rdnSequence;
1462 return _hx509_Name_to_string(&name, out);
1463 }
1464 *type = HX509_SAN_TYPE_UNSUPPORTED;
1465 return 0;
1466 }
1467 case HX509_SAN_TYPE_REGISTERED_ID:
1468 return der_print_heim_oid(&san->u.registeredID, '.', out);
1469 case HX509_SAN_TYPE_XMPP:
1470 HEIM_FALLTHROUGH;
1471 case HX509_SAN_TYPE_MS_UPN: {
1472 int ret;
1473
1474 ret = _hx509_unparse_utf8_string_name(req->context, &pool,
1475 &san->u.otherName.value);
1476 if ((*out = rk_strpoolcollect(pool)) == NULL)
1477 return hx509_enomem(req->context);
1478 return ret;
1479 }
1480 case HX509_SAN_TYPE_PKINIT: {
1481 int ret;
1482
1483 ret = _hx509_unparse_KRB5PrincipalName(req->context, &pool,
1484 &san->u.otherName.value);
1485 if ((*out = rk_strpoolcollect(pool)) == NULL)
1486 return hx509_enomem(req->context);
1487 return ret;
1488 }
1489 default:
1490 *type = HX509_SAN_TYPE_UNSUPPORTED;
1491 return 0;
1492 }
1493 if (*out == NULL)
1494 return ENOMEM;
1495 return 0;
1496 }
1497
1498 /**
1499 * Indicate if a CSR requested a CA certificate.
1500 *
1501 * @param context An hx509 context.
1502 * @param req The hx509_request object.
1503 *
1504 * @return 1 if the CSR requested CA certificate, 0 otherwise.
1505 *
1506 * @ingroup hx509_request
1507 */
1508 HX509_LIB_FUNCTION int HX509_LIB_CALL
1509 hx509_request_get_cA(hx509_context context,
1510 hx509_request req)
1511 {
1512 return req->bc.cA;
1513 }
1514
1515 /**
1516 * Return the CSR's requested BasicConstraints pathLenConstraint.
1517 *
1518 * @param context An hx509 context.
1519 * @param req The hx509_request object.
1520 *
1521 * @return -1 if no pathLenConstraint was requested (or the BasicConstraints
1522 * does not request a CA certificate), or the actual requested
1523 * pathLenConstraint.
1524 *
1525 * @ingroup hx509_request
1526 */
1527 HX509_LIB_FUNCTION int HX509_LIB_CALL
1528 hx509_request_get_cA_pathLenConstraint(hx509_context context,
1529 hx509_request req)
1530 {
1531 if (req->bc.cA && req->bc.pathLenConstraint &&
1532 *req->bc.pathLenConstraint < INT_MAX)
1533 return *req->bc.pathLenConstraint;
1534 return -1;
1535 }
1536
1537 /**
1538 * Display a CSR.
1539 *
1540 * @param context An hx509 context.
1541 * @param req The hx509_request object.
1542 * @param f A FILE * to print the CSR to.
1543 *
1544 * @return An hx509 error code, see hx509_get_error_string().
1545 *
1546 * @ingroup hx509_request
1547 */
1548 HX509_LIB_FUNCTION int HX509_LIB_CALL
1549 hx509_request_print(hx509_context context, hx509_request req, FILE *f)
1550 {
1551 uint64_t ku_num;
1552 size_t i;
1553 char *s = NULL;
1554 int ret = 0;
1555
1556 /*
1557 * It's really unformatunate that we can't reuse more of the
1558 * lib/hx509/print.c infrastructure here, as it's too focused on
1559 * Certificates.
1560 *
1561 * For that matter, it's really annoying that CSRs don't more resemble
1562 * Certificates. Indeed, an ideal CSR would look like this:
1563 *
1564 * CSRInfo ::= {
1565 * desiredTbsCertificate TBSCertificate,
1566 * attributes [1] SEQUENCE OF Attribute OPTIONAL,
1567 * }
1568 * CSR :: = {
1569 * csrInfo CSRInfo,
1570 * sigAlg AlgorithmIdentifier,
1571 * signature BIT STRING
1572 * }
1573 *
1574 * with everything related to the desired certificate in
1575 * desiredTbsCertificate and anything not related to the CSR's contents in
1576 * the 'attributes' field.
1577 *
1578 * That wouldn't allow one to have optional desired TBSCertificate
1579 * features, but hey. One could express "gimme all or gimme nothing" as an
1580 * attribute, or "gimme what you can", then check what one got.
1581 */
1582 fprintf(f, "PKCS#10 CertificationRequest:\n");
1583
1584 if (req->include_BasicConstraints) {
1585 fprintf(f, " cA: %s\n", req->bc.cA ? "yes" : "no");
1586 if (req->bc.pathLenConstraint)
1587 fprintf(f, " pathLenConstraint: %u\n", *req->bc.pathLenConstraint);
1588 else
1589 fprintf(f, " pathLenConstraint: unspecified\n");
1590 }
1591 if (req->name) {
1592 char *subject;
1593 ret = hx509_name_to_string(req->name, &subject);
1594 if (ret) {
1595 hx509_set_error_string(context, 0, ret, "Failed to print name");
1596 return ret;
1597 }
1598 fprintf(f, " name: %s\n", subject);
1599 free(subject);
1600 }
1601 /* XXX Use hx509_request_get_ku() accessor */
1602 if ((ku_num = KeyUsage2int(req->ku))) {
1603 const struct units *u;
1604 const char *first = " ";
1605
1606 fprintf(f, " key usage:");
1607 for (u = asn1_KeyUsage_units(); u->name; ++u) {
1608 if ((ku_num & u->mult)) {
1609 fprintf(f, "%s%s", first, u->name);
1610 first = ", ";
1611 ku_num &= ~u->mult;
1612 }
1613 }
1614 if (ku_num)
1615 fprintf(f, "%s<unknown-KeyUsage-value(s)>", first);
1616 fprintf(f, "\n");
1617 }
1618 if (req->eku.len) {
1619 const char *first = " ";
1620
1621 fprintf(f, " eku:");
1622 for (i = 0; ret == 0; i++) {
1623 free(s); s = NULL;
1624 ret = hx509_request_get_eku(req, i, &s);
1625 if (ret)
1626 break;
1627 fprintf(f, "%s{%s}", first, s);
1628 first = ", ";
1629 }
1630 fprintf(f, "\n");
1631 }
1632 free(s); s = NULL;
1633 if (ret == HX509_NO_ITEM)
1634 ret = 0;
1635 for (i = 0; ret == 0; i++) {
1636 hx509_san_type san_type;
1637
1638 free(s); s = NULL;
1639 ret = hx509_request_get_san(req, i, &san_type, &s);
1640 if (ret)
1641 break;
1642 switch (san_type) {
1643 case HX509_SAN_TYPE_EMAIL:
1644 fprintf(f, " san: rfc822Name: %s\n", s);
1645 break;
1646 case HX509_SAN_TYPE_DNSNAME:
1647 fprintf(f, " san: dNSName: %s\n", s);
1648 break;
1649 case HX509_SAN_TYPE_DN:
1650 fprintf(f, " san: dn: %s\n", s);
1651 break;
1652 case HX509_SAN_TYPE_REGISTERED_ID:
1653 fprintf(f, " san: registeredID: %s\n", s);
1654 break;
1655 case HX509_SAN_TYPE_XMPP:
1656 fprintf(f, " san: xmpp: %s\n", s);
1657 break;
1658 case HX509_SAN_TYPE_PKINIT:
1659 fprintf(f, " san: pkinit: %s\n", s);
1660 break;
1661 case HX509_SAN_TYPE_MS_UPN:
1662 fprintf(f, " san: ms-upn: %s\n", s);
1663 break;
1664 default:
1665 fprintf(f, " san: <SAN type not supported>\n");
1666 break;
1667 }
1668 }
1669 if (req->nunsupported_crit) {
1670 fprintf(f, " unsupported_critical_extensions_count: %u\n",
1671 (unsigned)req->nunsupported_crit);
1672 }
1673 if (req->nunsupported_opt) {
1674 fprintf(f, " unsupported_optional_extensions_count: %u\n",
1675 (unsigned)req->nunsupported_opt);
1676 }
1677 free(s); s = NULL;
1678 if (ret == HX509_NO_ITEM)
1679 ret = 0;
1680 return ret;
1681 }
Heimdal