search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Added functions to export structures in an allocated buffer.
[gnutls.git] / lib / x509 / common.c
blobd577f8ae4a902782763f586929f10a7c67012f3c
1 /*
2 * Copyright (C) 2003-2012 Free Software Foundation, Inc.
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GnuTLS.
7 *
8 * The GnuTLS is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 3 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public License
19 * along with this program. If not, see <http://www.gnu.org/licenses/>
20 *
21 */
22
23 #include <gnutls_int.h>
24 #include <libtasn1.h>
25 #include <gnutls_datum.h>
26 #include <gnutls_global.h>
27 #include <gnutls_errors.h>
28 #include <gnutls_str.h>
29 #include <gnutls_x509.h>
30 #include <gnutls_num.h>
31 #include <x509_b64.h>
32 #include "x509_int.h"
33 #include <common.h>
34
35 struct oid2string
36 {
37 const char *oid;
38 const char *ldap_desc;
39 int choice; /* of type DirectoryString */
40 int printable;
41 const char *asn_desc; /* description in the pkix file */
42 };
43
44 /* This list contains all the OIDs that may be
45 * contained in a rdnSequence and are printable.
46 */
47 static const struct oid2string _oid2str[] = {
48 /* PKIX
49 */
50 {"1.3.6.1.5.5.7.9.1", "dateOfBirth", 0, 1, "PKIX1.GeneralizedTime"},
51 {"1.3.6.1.5.5.7.9.2", "placeOfBirth", 0, 1, "PKIX1.DirectoryString"},
52 {"1.3.6.1.5.5.7.9.3", "gender", 0, 1, "PKIX1.PrintableString"},
53 {"1.3.6.1.5.5.7.9.4", "countryOfCitizenship", 0, 1,
54 "PKIX1.PrintableString"},
55 {"1.3.6.1.5.5.7.9.5", "countryOfResidence", 0, 1, "PKIX1.PrintableString"},
56
57 {"2.5.4.6", "C", 0, 1, "PKIX1.PrintableString"},
58 {"2.5.4.9", "STREET", 1, 1, "PKIX1.DirectoryString"},
59 {"2.5.4.12", "T", 1, 1, "PKIX1.DirectoryString"},
60 {"2.5.4.10", "O", 1, 1, "PKIX1.DirectoryString"},
61 {"2.5.4.11", "OU", 1, 1, "PKIX1.DirectoryString"},
62 {"2.5.4.3", "CN", 1, 1, "PKIX1.DirectoryString"},
63 {"2.5.4.7", "L", 1, 1, "PKIX1.DirectoryString"},
64 {"2.5.4.8", "ST", 1, 1, "PKIX1.DirectoryString"},
65
66 {"2.5.4.5", "serialNumber", 0, 1, "PKIX1.PrintableString"},
67 {"2.5.4.20", "telephoneNumber", 0, 1, "PKIX1.PrintableString"},
68 {"2.5.4.4", "surName", 1, 1, "PKIX1.DirectoryString"},
69 {"2.5.4.43", "initials", 1, 1, "PKIX1.DirectoryString"},
70 {"2.5.4.44", "generationQualifier", 1, 1, "PKIX1.DirectoryString"},
71 {"2.5.4.42", "givenName", 1, 1, "PKIX1.DirectoryString"},
72 {"2.5.4.65", "pseudonym", 1, 1, "PKIX1.DirectoryString"},
73 {"2.5.4.46", "dnQualifier", 0, 1, "PKIX1.PrintableString"},
74 {"2.5.4.17", "postalCode", 1, 1, "PKIX1.DirectoryString"},
75 {"2.5.4.41", "Name", 1, 1, "PKIX1.DirectoryString"},
76 {"2.5.4.15", "businessCategory", 1, 1, "PKIX1.DirectoryString"},
77
78 {"0.9.2342.19200300.100.1.25", "DC", 0, 1, "PKIX1.IA5String"},
79 {"0.9.2342.19200300.100.1.1", "UID", 1, 1, "PKIX1.DirectoryString"},
80
81 /* Extended validation
82 */
83 {"1.3.6.1.4.1.311.60.2.1.1", "jurisdictionOfIncorporationLocalityName", 1,
84 1, "PKIX1.DirectoryString"},
85 {"1.3.6.1.4.1.311.60.2.1.2",
86 "jurisdictionOfIncorporationStateOrProvinceName", 1, 1,
87 "PKIX1.DirectoryString"},
88 {"1.3.6.1.4.1.311.60.2.1.3", "jurisdictionOfIncorporationCountryName", 0, 1,
89 "PKIX1.PrintableString"},
90
91 /* PKCS #9
92 */
93 {"1.2.840.113549.1.9.1", "EMAIL", 0, 1, "PKIX1.IA5String"},
94 {"1.2.840.113549.1.9.7", NULL, 1, 1, "PKIX1.pkcs-9-challengePassword"},
95
96 /* friendly name */
97 {"1.2.840.113549.1.9.20", NULL, 0, 1, "PKIX1.BMPString"},
98 /* local key id */
99 {"1.2.840.113549.1.9.21", NULL, 0, 1, "PKIX1.pkcs-9-localKeyId"},
100
101 /* rfc3920 section 5.1.1 */
102 {"1.3.6.1.5.5.7.8.5", "XmppAddr", 0, 1, "PKIX1.UTF8String"},
103
104 {NULL, NULL, 0, 0, ""}
105 };
106
107 /* Returns 1 if the data defined by the OID are printable.
108 */
109 int
110 _gnutls_x509_oid_data_printable (const char *oid)
111 {
112 unsigned int i = 0;
113
114 do
115 {
116 if (strcmp (_oid2str[i].oid, oid) == 0)
117 return _oid2str[i].printable;
118 i++;
119 }
120 while (_oid2str[i].oid != NULL);
121
122 return 0;
123 }
124
125 /**
126 * gnutls_x509_dn_oid_known:
127 * @oid: holds an Object Identifier in a null terminated string
128 *
129 * This function will inform about known DN OIDs. This is useful since
130 * functions like gnutls_x509_crt_set_dn_by_oid() use the information
131 * on known OIDs to properly encode their input. Object Identifiers
132 * that are not known are not encoded by these functions, and their
133 * input is stored directly into the ASN.1 structure. In that case of
134 * unknown OIDs, you have the responsibility of DER encoding your
135 * data.
136 *
137 * Returns: 1 on known OIDs and 0 otherwise.
138 **/
139 int
140 gnutls_x509_dn_oid_known (const char *oid)
141 {
142 unsigned int i = 0;
143
144 do
145 {
146 if (strcmp (_oid2str[i].oid, oid) == 0)
147 return 1;
148 i++;
149 }
150 while (_oid2str[i].oid != NULL);
151
152 return 0;
153 }
154
155 /* Returns 1 if the data defined by the OID are of a choice
156 * type.
157 */
158 int
159 _gnutls_x509_oid_data_choice (const char *oid)
160 {
161 unsigned int i = 0;
162
163 do
164 {
165 if (strcmp (_oid2str[i].oid, oid) == 0)
166 return _oid2str[i].choice;
167 i++;
168 }
169 while (_oid2str[i].oid != NULL);
170
171 return 0;
172 }
173
174 /**
175 * gnutls_x509_dn_oid_name:
176 * @oid: holds an Object Identifier in a null terminated string
177 * @flags: 0 or GNUTLS_X509_DN_OID_*
178 *
179 * This function will return the name of a known DN OID. If
180 * %GNUTLS_X509_DN_OID_RETURN_OID is specified this function
181 * will return the given OID if no descriptive name has been
182 * found.
183 *
184 * Returns: A null terminated string or NULL otherwise.
185 *
186 * Since: 3.0
187 **/
188 const char*
189 gnutls_x509_dn_oid_name (const char *oid, unsigned int flags)
190 {
191 unsigned int i = 0;
192
193 do
194 {
195 if (strcmp (_oid2str[i].oid, oid) == 0)
196 return _oid2str[i].ldap_desc;
197 i++;
198 }
199 while (_oid2str[i].oid != NULL);
200
201 if (flags & GNUTLS_X509_DN_OID_RETURN_OID) return oid;
202 else return NULL;
203 }
204
205 const char *
206 _gnutls_x509_oid2asn_string (const char *oid)
207 {
208 unsigned int i = 0;
209
210 do
211 {
212 if (strcmp (_oid2str[i].oid, oid) == 0)
213 return _oid2str[i].asn_desc;
214 i++;
215 }
216 while (_oid2str[i].oid != NULL);
217
218 return NULL;
219 }
220
221
222 /* This function will convert an attribute value, specified by the OID,
223 * to a string. The result will be a null terminated string.
224 *
225 * res may be null. This will just return the res_size, needed to
226 * hold the string.
227 */
228 int
229 _gnutls_x509_oid_data2string (const char *oid, void *value,
230 int value_size, char *res, size_t * res_size)
231 {
232 char str[MAX_STRING_LEN], tmpname[128];
233 const char *ANAME = NULL;
234 int CHOICE = -1, len = -1, result;
235 ASN1_TYPE tmpasn = ASN1_TYPE_EMPTY;
236 char asn1_err[ASN1_MAX_ERROR_DESCRIPTION_SIZE] = "";
237
238 if (value == NULL || value_size <= 0 || res_size == NULL)
239 {
240 gnutls_assert ();
241 return GNUTLS_E_INVALID_REQUEST;
242 }
243
244 if (_gnutls_x509_oid_data_printable (oid) == 0)
245 {
246 gnutls_assert ();
247 return GNUTLS_E_INTERNAL_ERROR;
248 }
249
250 ANAME = _gnutls_x509_oid2asn_string (oid);
251 CHOICE = _gnutls_x509_oid_data_choice (oid);
252
253 if (ANAME == NULL)
254 {
255 gnutls_assert ();
256 return GNUTLS_E_INTERNAL_ERROR;
257 }
258
259 if ((result =
260 asn1_create_element (_gnutls_get_pkix (), ANAME,
261 &tmpasn)) != ASN1_SUCCESS)
262 {
263 gnutls_assert ();
264 return _gnutls_asn2err (result);
265 }
266
267 if ((result =
268 asn1_der_decoding (&tmpasn, value, value_size,
269 asn1_err)) != ASN1_SUCCESS)
270 {
271 gnutls_assert ();
272 _gnutls_debug_log ("asn1_der_decoding: %s:%s\n", str, asn1_err);
273 asn1_delete_structure (&tmpasn);
274 return _gnutls_asn2err (result);
275 }
276
277 /* If this is a choice then we read the choice. Otherwise it
278 * is the value;
279 */
280 len = sizeof (str) - 1;
281 if ((result = asn1_read_value (tmpasn, "", str, &len)) != ASN1_SUCCESS)
282 { /* CHOICE */
283 gnutls_assert ();
284 asn1_delete_structure (&tmpasn);
285 return _gnutls_asn2err (result);
286 }
287
288 if (CHOICE == 0)
289 {
290 str[len] = 0;
291
292 /* Refuse to deal with strings containing NULs. */
293 if (strlen (str) != (size_t)len)
294 return GNUTLS_E_ASN1_DER_ERROR;
295
296 if (res)
297 _gnutls_str_cpy (res, *res_size, str);
298 *res_size = (size_t)len;
299
300 asn1_delete_structure (&tmpasn);
301 }
302 else
303 { /* CHOICE */
304 int non_printable = 0, teletex = 0;
305 str[len] = 0;
306
307 /* Note that we do not support strings other than
308 * UTF-8 (thus ASCII as well).
309 */
310 if (strcmp (str, "printableString") != 0 &&
311 strcmp (str, "ia5String") != 0 && strcmp (str, "utf8String") != 0)
312 {
313 non_printable = 1;
314 }
315 if (strcmp (str, "teletexString") == 0)
316 teletex = 1;
317
318
319 _gnutls_str_cpy (tmpname, sizeof (tmpname), str);
320
321 len = sizeof (str) - 1;
322 if ((result =
323 asn1_read_value (tmpasn, tmpname, str, &len)) != ASN1_SUCCESS)
324 {
325 asn1_delete_structure (&tmpasn);
326 return _gnutls_asn2err (result);
327 }
328
329 asn1_delete_structure (&tmpasn);
330
331 if (teletex != 0)
332 {
333 int ascii = 0, i;
334 /* HACK: if the teletex string contains only ascii
335 * characters then treat it as printable.
336 */
337 for (i = 0; i < len; i++)
338 if (!isascii (str[i]))
339 ascii = 1;
340
341 if (ascii == 0)
342 non_printable = 0;
343 }
344
345 if (non_printable == 0)
346 {
347 str[len] = 0;
348
349 /* Refuse to deal with strings containing NULs. */
350 if (strlen (str) != (size_t)len)
351 return GNUTLS_E_ASN1_DER_ERROR;
352
353 if (res)
354 _gnutls_str_cpy (res, *res_size, str);
355 *res_size = (size_t)len;
356 }
357 else
358 {
359 result = _gnutls_x509_data2hex (str, (size_t)len, res, res_size);
360 if (result < 0)
361 {
362 gnutls_assert ();
363 return result;
364 }
365 }
366 }
367
368 return 0;
369 }
370
371
372 /* Converts a data string to an LDAP rfc2253 hex string
373 * something like '#01020304'
374 */
375 int
376 _gnutls_x509_data2hex (const void * data, size_t data_size,
377 void * _out, size_t * sizeof_out)
378 {
379 char *res;
380 char escaped[MAX_STRING_LEN];
381 unsigned int size;
382 char* out = _out;
383
384 if (2 * data_size + 1 > MAX_STRING_LEN)
385 {
386 gnutls_assert ();
387 return GNUTLS_E_INTERNAL_ERROR;
388 }
389
390 res = _gnutls_bin2hex (data, data_size, escaped, sizeof (escaped), NULL);
391 if (!res)
392 {
393 gnutls_assert ();
394 return GNUTLS_E_INTERNAL_ERROR;
395 }
396
397 size = strlen (res) + 1;
398 if (size + 1 > *sizeof_out)
399 {
400 *sizeof_out = size;
401 return GNUTLS_E_SHORT_MEMORY_BUFFER;
402 }
403 *sizeof_out = size; /* -1 for the null +1 for the '#' */
404
405 if (out)
406 {
407 out[0] = '#';
408 out[1] = 0;
409 _gnutls_str_cat (out, *sizeof_out, res);
410 }
411
412 return 0;
413 }
414
415
416 /* TIME functions
417 * Convertions between generalized or UTC time to time_t
418 *
419 */
420
421 /* This is an emulations of the struct tm.
422 * Since we do not use libc's functions, we don't need to
423 * depend on the libc structure.
424 */
425 typedef struct fake_tm
426 {
427 int tm_mon;
428 int tm_year; /* FULL year - ie 1971 */
429 int tm_mday;
430 int tm_hour;
431 int tm_min;
432 int tm_sec;
433 } fake_tm;
434
435 /* The mktime_utc function is due to Russ Allbery (rra@stanford.edu),
436 * who placed it under public domain:
437 */
438
439 /* The number of days in each month.
440 */
441 static const int MONTHDAYS[] = {
442 31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31
443 };
444
445 /* Whether a given year is a leap year. */
446 #define ISLEAP(year) \
447 (((year) % 4) == 0 && (((year) % 100) != 0 || ((year) % 400) == 0))
448
449 /*
450 ** Given a struct tm representing a calendar time in UTC, convert it to
451 ** seconds since epoch. Returns (time_t) -1 if the time is not
452 ** convertable. Note that this function does not canonicalize the provided
453 ** struct tm, nor does it allow out of range values or years before 1970.
454 */
455 static time_t
456 mktime_utc (const struct fake_tm *tm)
457 {
458 time_t result = 0;
459 int i;
460
461 /* We do allow some ill-formed dates, but we don't do anything special
462 * with them and our callers really shouldn't pass them to us. Do
463 * explicitly disallow the ones that would cause invalid array accesses
464 * or other algorithm problems.
465 */
466 if (tm->tm_mon < 0 || tm->tm_mon > 11 || tm->tm_year < 1970)
467 return (time_t) - 1;
468
469 /* Convert to a time_t.
470 */
471 for (i = 1970; i < tm->tm_year; i++)
472 result += 365 + ISLEAP (i);
473 for (i = 0; i < tm->tm_mon; i++)
474 result += MONTHDAYS[i];
475 if (tm->tm_mon > 1 && ISLEAP (tm->tm_year))
476 result++;
477 result = 24 * (result + tm->tm_mday - 1) + tm->tm_hour;
478 result = 60 * result + tm->tm_min;
479 result = 60 * result + tm->tm_sec;
480 return result;
481 }
482
483
484 /* this one will parse dates of the form:
485 * month|day|hour|minute|sec* (2 chars each)
486 * and year is given. Returns a time_t date.
487 */
488 static time_t
489 time2gtime (const char *ttime, int year)
490 {
491 char xx[4];
492 struct fake_tm etime;
493
494 if (strlen (ttime) < 8)
495 {
496 gnutls_assert ();
497 return (time_t) - 1;
498 }
499
500 etime.tm_year = year;
501
502 /* In order to work with 32 bit
503 * time_t.
504 */
505 if (sizeof (time_t) <= 4 && etime.tm_year >= 2038)
506 return (time_t) 2145914603; /* 2037-12-31 23:23:23 */
507
508 if (etime.tm_year < 1970)
509 return (time_t) 0;
510
511 xx[2] = 0;
512
513 /* get the month
514 */
515 memcpy (xx, ttime, 2); /* month */
516 etime.tm_mon = atoi (xx) - 1;
517 ttime += 2;
518
519 /* get the day
520 */
521 memcpy (xx, ttime, 2); /* day */
522 etime.tm_mday = atoi (xx);
523 ttime += 2;
524
525 /* get the hour
526 */
527 memcpy (xx, ttime, 2); /* hour */
528 etime.tm_hour = atoi (xx);
529 ttime += 2;
530
531 /* get the minutes
532 */
533 memcpy (xx, ttime, 2); /* minutes */
534 etime.tm_min = atoi (xx);
535 ttime += 2;
536
537 if (strlen (ttime) >= 2)
538 {
539 memcpy (xx, ttime, 2);
540 etime.tm_sec = atoi (xx);
541 }
542 else
543 etime.tm_sec = 0;
544
545 return mktime_utc (&etime);
546 }
547
548
549 /* returns a time_t value that contains the given time.
550 * The given time is expressed as:
551 * YEAR(2)|MONTH(2)|DAY(2)|HOUR(2)|MIN(2)|SEC(2)*
552 *
553 * (seconds are optional)
554 */
555 static time_t
556 utcTime2gtime (const char *ttime)
557 {
558 char xx[3];
559 int year;
560
561 if (strlen (ttime) < 10)
562 {
563 gnutls_assert ();
564 return (time_t) - 1;
565 }
566 xx[2] = 0;
567 /* get the year
568 */
569 memcpy (xx, ttime, 2); /* year */
570 year = atoi (xx);
571 ttime += 2;
572
573 if (year > 49)
574 year += 1900;
575 else
576 year += 2000;
577
578 return time2gtime (ttime, year);
579 }
580
581 /* returns a time_t value that contains the given time.
582 * The given time is expressed as:
583 * YEAR(4)|MONTH(2)|DAY(2)|HOUR(2)|MIN(2)|SEC(2)*
584 */
585 time_t
586 _gnutls_x509_generalTime2gtime (const char *ttime)
587 {
588 char xx[5];
589 int year;
590
591 if (strlen (ttime) < 12)
592 {
593 gnutls_assert ();
594 return (time_t) - 1;
595 }
596
597 if (strchr (ttime, 'Z') == 0)
598 {
599 gnutls_assert ();
600 /* sorry we don't support it yet
601 */
602 return (time_t) - 1;
603 }
604 xx[4] = 0;
605
606 /* get the year
607 */
608 memcpy (xx, ttime, 4); /* year */
609 year = atoi (xx);
610 ttime += 4;
611
612 return time2gtime (ttime, year);
613 }
614
615 static int
616 gtime2generalTime (time_t gtime, char *str_time, size_t str_time_size)
617 {
618 size_t ret;
619 struct tm _tm;
620
621 if (!gmtime_r (&gtime, &_tm))
622 {
623 gnutls_assert ();
624 return GNUTLS_E_INTERNAL_ERROR;
625 }
626
627 ret = strftime (str_time, str_time_size, "%Y%m%d%H%M%SZ", &_tm);
628 if (!ret)
629 {
630 gnutls_assert ();
631 return GNUTLS_E_SHORT_MEMORY_BUFFER;
632 }
633
634
635 return 0;
636 }
637
638
639 /* Extracts the time in time_t from the ASN1_TYPE given. When should
640 * be something like "tbsCertList.thisUpdate".
641 */
642 #define MAX_TIME 64
643 time_t
644 _gnutls_x509_get_time (ASN1_TYPE c2, const char *when, int nochoice)
645 {
646 char ttime[MAX_TIME];
647 char name[128];
648 time_t c_time = (time_t) - 1;
649 int len, result;
650
651 len = sizeof (ttime) - 1;
652 result = asn1_read_value (c2, when, ttime, &len);
653 if (result != ASN1_SUCCESS)
654 {
655 gnutls_assert ();
656 return (time_t) (-1);
657 }
658
659 if (nochoice != 0)
660 {
661 c_time = _gnutls_x509_generalTime2gtime (ttime);
662 }
663 else
664 {
665 _gnutls_str_cpy (name, sizeof (name), when);
666
667 /* CHOICE */
668 if (strcmp (ttime, "generalTime") == 0)
669 {
670 _gnutls_str_cat (name, sizeof (name), ".generalTime");
671 len = sizeof (ttime) - 1;
672 result = asn1_read_value (c2, name, ttime, &len);
673 if (result == ASN1_SUCCESS)
674 c_time = _gnutls_x509_generalTime2gtime (ttime);
675 }
676 else
677 { /* UTCTIME */
678 _gnutls_str_cat (name, sizeof (name), ".utcTime");
679 len = sizeof (ttime) - 1;
680 result = asn1_read_value (c2, name, ttime, &len);
681 if (result == ASN1_SUCCESS)
682 c_time = utcTime2gtime (ttime);
683 }
684
685 /* We cannot handle dates after 2031 in 32 bit machines.
686 * a time_t of 64bits has to be used.
687 */
688 if (result != ASN1_SUCCESS)
689 {
690 gnutls_assert ();
691 return (time_t) (-1);
692 }
693 }
694
695 return c_time;
696 }
697
698 /* Sets the time in time_t in the ASN1_TYPE given. Where should
699 * be something like "tbsCertList.thisUpdate".
700 */
701 int
702 _gnutls_x509_set_time (ASN1_TYPE c2, const char *where, time_t tim, int nochoice)
703 {
704 char str_time[MAX_TIME];
705 char name[128];
706 int result, len;
707
708 if (nochoice != 0)
709 {
710 result = gtime2generalTime( tim, str_time, sizeof(str_time));
711 if (result < 0)
712 return gnutls_assert_val(result);
713
714 len = strlen (str_time);
715 result = asn1_write_value(c2, where, str_time, len);
716 if (result != ASN1_SUCCESS)
717 return gnutls_assert_val(_gnutls_asn2err (result));
718
719 return 0;
720 }
721
722 _gnutls_str_cpy (name, sizeof (name), where);
723
724 if ((result = asn1_write_value (c2, name, "generalTime", 1)) < 0)
725 {
726 gnutls_assert ();
727 return _gnutls_asn2err (result);
728 }
729
730 result = gtime2generalTime (tim, str_time, sizeof (str_time));
731 if (result < 0)
732 {
733 gnutls_assert ();
734 return result;
735 }
736
737 _gnutls_str_cat (name, sizeof (name), ".generalTime");
738
739 len = strlen (str_time);
740 result = asn1_write_value (c2, name, str_time, len);
741 if (result != ASN1_SUCCESS)
742 {
743 gnutls_assert ();
744 return _gnutls_asn2err (result);
745 }
746
747 return 0;
748 }
749
750
751 gnutls_x509_subject_alt_name_t
752 _gnutls_x509_san_find_type (char *str_type)
753 {
754 if (strcmp (str_type, "dNSName") == 0)
755 return GNUTLS_SAN_DNSNAME;
756 if (strcmp (str_type, "rfc822Name") == 0)
757 return GNUTLS_SAN_RFC822NAME;
758 if (strcmp (str_type, "uniformResourceIdentifier") == 0)
759 return GNUTLS_SAN_URI;
760 if (strcmp (str_type, "iPAddress") == 0)
761 return GNUTLS_SAN_IPADDRESS;
762 if (strcmp (str_type, "otherName") == 0)
763 return GNUTLS_SAN_OTHERNAME;
764 if (strcmp (str_type, "directoryName") == 0)
765 return GNUTLS_SAN_DN;
766 return (gnutls_x509_subject_alt_name_t) - 1;
767 }
768
769 /* A generic export function. Will export the given ASN.1 encoded data
770 * to PEM or DER raw data.
771 */
772 int
773 _gnutls_x509_export_int_named (ASN1_TYPE asn1_data, const char *name,
774 gnutls_x509_crt_fmt_t format,
775 const char *pem_header,
776 unsigned char *output_data,
777 size_t * output_data_size)
778 {
779 int ret;
780 gnutls_datum_t out;
781 size_t size;
782
783 ret = _gnutls_x509_export_int_named2 (asn1_data, name,
784 format, pem_header, &out);
785 if (ret < 0)
786 return gnutls_assert_val(ret);
787
788 if (format == GNUTLS_X509_FMT_PEM)
789 size = out.size+1;
790 else
791 size = out.size;
792
793 if (*output_data_size < size)
794 {
795 *output_data_size = size;
796 ret = gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER);
797 goto cleanup;
798 }
799
800 *output_data_size = (size_t)out.size;
801 if (output_data)
802 {
803 memcpy (output_data, out.data, (size_t)out.size);
804 if (format == GNUTLS_X509_FMT_PEM)
805 output_data[out.size] = 0;
806 }
807
808 ret = 0;
809
810 cleanup:
811 gnutls_free (out.data);
812
813 return ret;
814 }
815
816 /* A generic export function. Will export the given ASN.1 encoded data
817 * to PEM or DER raw data.
818 */
819 int
820 _gnutls_x509_export_int_named2 (ASN1_TYPE asn1_data, const char *name,
821 gnutls_x509_crt_fmt_t format,
822 const char *pem_header,
823 gnutls_datum_t *out)
824 {
825 int ret;
826
827 if (format == GNUTLS_X509_FMT_DER)
828 {
829 ret = _gnutls_x509_der_encode(asn1_data, name, out, 0);
830 if (ret < 0)
831 return gnutls_assert_val(ret);
832 }
833 else
834 { /* PEM */
835 gnutls_datum_t tmp;
836
837 ret = _gnutls_x509_der_encode (asn1_data, name, &tmp, 0);
838 if (ret < 0)
839 return gnutls_assert_val(ret);
840
841 ret = _gnutls_fbase64_encode (pem_header, tmp.data, tmp.size, out);
842 _gnutls_free_datum (&tmp);
843
844 if (ret < 0)
845 return gnutls_assert_val(ret);
846 }
847
848 return 0;
849 }
850
851 /* Decodes an octet string. Leave string_type null for a normal
852 * octet string. Otherwise put something like BMPString, PrintableString
853 * etc.
854 */
855 int
856 _gnutls_x509_decode_octet_string (const char *string_type,
857 const uint8_t * der, size_t der_size,
858 uint8_t * output, size_t * output_size)
859 {
860 ASN1_TYPE c2 = ASN1_TYPE_EMPTY;
861 int result, tmp_output_size;
862 char strname[64];
863
864 if (string_type == NULL)
865 _gnutls_str_cpy (strname, sizeof (strname), "PKIX1.pkcs-7-Data");
866 else
867 {
868 _gnutls_str_cpy (strname, sizeof (strname), "PKIX1.");
869 _gnutls_str_cat (strname, sizeof (strname), string_type);
870 }
871
872 if ((result = asn1_create_element
873 (_gnutls_get_pkix (), strname, &c2)) != ASN1_SUCCESS)
874 {
875 gnutls_assert ();
876 result = _gnutls_asn2err (result);
877 goto cleanup;
878 }
879
880 result = asn1_der_decoding (&c2, der, der_size, NULL);
881 if (result != ASN1_SUCCESS)
882 {
883 gnutls_assert ();
884 result = _gnutls_asn2err (result);
885 goto cleanup;
886 }
887
888 tmp_output_size = *output_size;
889 result = asn1_read_value (c2, "", output, &tmp_output_size);
890 *output_size = (size_t)tmp_output_size;
891
892 if (result != ASN1_SUCCESS)
893 {
894 gnutls_assert ();
895 result = _gnutls_asn2err (result);
896 goto cleanup;
897 }
898
899 result = 0;
900
901 cleanup:
902 if (c2)
903 asn1_delete_structure (&c2);
904
905 return result;
906 }
907
908
909 /* Reads a value from an ASN1 tree, and puts the output
910 * in an allocated variable in the given datum.
911 * flags == 0 do nothing with the DER output
912 * flags == 1 parse the DER output as OCTET STRING
913 * flags == 2 the value is a BIT STRING
914 */
915 int
916 _gnutls_x509_read_value (ASN1_TYPE c, const char *root,
917 gnutls_datum_t * ret, int flags)
918 {
919 int len = 0, result;
920 size_t slen;
921 uint8_t *tmp = NULL;
922
923 result = asn1_read_value (c, root, NULL, &len);
924 if (result != ASN1_MEM_ERROR)
925 {
926 gnutls_assert ();
927 result = _gnutls_asn2err (result);
928 return result;
929 }
930
931 if (flags == 2)
932 len /= 8;
933
934 tmp = gnutls_malloc ((size_t)len);
935 if (tmp == NULL)
936 {
937 gnutls_assert ();
938 result = GNUTLS_E_MEMORY_ERROR;
939 goto cleanup;
940 }
941
942 result = asn1_read_value (c, root, tmp, &len);
943 if (result != ASN1_SUCCESS)
944 {
945 gnutls_assert ();
946 result = _gnutls_asn2err (result);
947 goto cleanup;
948 }
949
950 if (flags == 2)
951 len /= 8;
952
953 /* Extract the OCTET STRING.
954 */
955
956 if (flags == 1)
957 {
958 slen = (size_t)len;
959 result = _gnutls_x509_decode_octet_string (NULL, tmp, slen, tmp, &slen);
960 if (result < 0)
961 {
962 gnutls_assert ();
963 goto cleanup;
964 }
965 len = slen;
966 }
967
968 ret->data = tmp;
969 ret->size = (unsigned)len;
970
971 return 0;
972
973 cleanup:
974 gnutls_free (tmp);
975 return result;
976
977 }
978
979 int _gnutls_x509_encode_octet_string(const void* input_data, size_t input_size,
980 gnutls_datum_t* output)
981 {
982 int ret;
983 ASN1_TYPE c2 = ASN1_TYPE_EMPTY;
984
985 if ((ret = asn1_create_element
986 (_gnutls_get_pkix (), "PKIX1.pkcs-7-Data", &c2)) != ASN1_SUCCESS)
987 {
988 gnutls_assert ();
989 ret = _gnutls_asn2err (ret);
990 goto cleanup;
991 }
992
993 ret = asn1_write_value (c2, "", input_data, input_size);
994 if (ret != ASN1_SUCCESS)
995 {
996 gnutls_assert ();
997 ret = _gnutls_asn2err (ret);
998 goto cleanup;
999 }
1000
1001 ret = _gnutls_x509_der_encode(c2, "", output, 0);
1002 if (ret < 0)
1003 {
1004 gnutls_assert ();
1005 goto cleanup;
1006 }
1007
1008 ret = 0;
1009
1010 cleanup:
1011 asn1_delete_structure (&c2);
1012 return ret;
1013 }
1014
1015 /* DER Encodes the src ASN1_TYPE and stores it to
1016 * the given datum. If str is non zero then the data are encoded as
1017 * an OCTET STRING.
1018 */
1019 int
1020 _gnutls_x509_der_encode (ASN1_TYPE src, const char *src_name,
1021 gnutls_datum_t * res, int str)
1022 {
1023 int size, result;
1024 int asize;
1025 uint8_t *data = NULL;
1026 ASN1_TYPE c2 = ASN1_TYPE_EMPTY;
1027
1028 size = 0;
1029 result = asn1_der_coding (src, src_name, NULL, &size, NULL);
1030 if (result != ASN1_MEM_ERROR)
1031 {
1032 gnutls_assert ();
1033 result = _gnutls_asn2err (result);
1034 goto cleanup;
1035 }
1036
1037 /* allocate data for the der
1038 */
1039
1040 if (str)
1041 size += 16; /* for later to include the octet tags */
1042 asize = size;
1043
1044 data = gnutls_malloc ((size_t)size);
1045 if (data == NULL)
1046 {
1047 gnutls_assert ();
1048 result = GNUTLS_E_MEMORY_ERROR;
1049 goto cleanup;
1050 }
1051
1052 result = asn1_der_coding (src, src_name, data, &size, NULL);
1053 if (result != ASN1_SUCCESS)
1054 {
1055 gnutls_assert ();
1056 result = _gnutls_asn2err (result);
1057 goto cleanup;
1058 }
1059
1060 if (str)
1061 {
1062 if ((result = asn1_create_element
1063 (_gnutls_get_pkix (), "PKIX1.pkcs-7-Data", &c2)) != ASN1_SUCCESS)
1064 {
1065 gnutls_assert ();
1066 result = _gnutls_asn2err (result);
1067 goto cleanup;
1068 }
1069
1070 result = asn1_write_value (c2, "", data, size);
1071 if (result != ASN1_SUCCESS)
1072 {
1073 gnutls_assert ();
1074 result = _gnutls_asn2err (result);
1075 goto cleanup;
1076 }
1077
1078 result = asn1_der_coding (c2, "", data, &asize, NULL);
1079 if (result != ASN1_SUCCESS)
1080 {
1081 gnutls_assert ();
1082 result = _gnutls_asn2err (result);
1083 goto cleanup;
1084 }
1085
1086 size = asize;
1087
1088 asn1_delete_structure (&c2);
1089 }
1090
1091 res->data = data;
1092 res->size = (unsigned)size;
1093 return 0;
1094
1095 cleanup:
1096 gnutls_free (data);
1097 asn1_delete_structure (&c2);
1098 return result;
1099
1100 }
1101
1102 /* DER Encodes the src ASN1_TYPE and stores it to
1103 * dest in dest_name. Useful to encode something and store it
1104 * as OCTET. If str is non null then the data are encoded as
1105 * an OCTET STRING.
1106 */
1107 int
1108 _gnutls_x509_der_encode_and_copy (ASN1_TYPE src, const char *src_name,
1109 ASN1_TYPE dest, const char *dest_name,
1110 int str)
1111 {
1112 int result;
1113 gnutls_datum_t encoded;
1114
1115 result = _gnutls_x509_der_encode (src, src_name, &encoded, str);
1116
1117 if (result < 0)
1118 {
1119 gnutls_assert ();
1120 return result;
1121 }
1122
1123 /* Write the data.
1124 */
1125 result = asn1_write_value (dest, dest_name, encoded.data, (int)encoded.size);
1126
1127 _gnutls_free_datum (&encoded);
1128
1129 if (result != ASN1_SUCCESS)
1130 {
1131 gnutls_assert ();
1132 return _gnutls_asn2err (result);
1133 }
1134
1135 return 0;
1136 }
1137
1138 /* Writes the value of the datum in the given ASN1_TYPE. If str is non
1139 * (0) it encodes it as OCTET STRING.
1140 */
1141 int
1142 _gnutls_x509_write_value (ASN1_TYPE c, const char *root,
1143 const gnutls_datum_t * data, int str)
1144 {
1145 int result;
1146 ASN1_TYPE c2 = ASN1_TYPE_EMPTY;
1147 gnutls_datum_t val = { NULL, 0 };
1148
1149 if (str)
1150 {
1151 /* Convert it to OCTET STRING
1152 */
1153 if ((result = asn1_create_element
1154 (_gnutls_get_pkix (), "PKIX1.pkcs-7-Data", &c2)) != ASN1_SUCCESS)
1155 {
1156 gnutls_assert ();
1157 result = _gnutls_asn2err (result);
1158 goto cleanup;
1159 }
1160
1161 result = asn1_write_value (c2, "", data->data, data->size);
1162 if (result != ASN1_SUCCESS)
1163 {
1164 gnutls_assert ();
1165 result = _gnutls_asn2err (result);
1166 goto cleanup;
1167 }
1168
1169 result = _gnutls_x509_der_encode (c2, "", &val, 0);
1170 if (result < 0)
1171 {
1172 gnutls_assert ();
1173 goto cleanup;
1174 }
1175
1176 }
1177 else
1178 {
1179 val.data = data->data;
1180 val.size = data->size;
1181 }
1182
1183 /* Write the data.
1184 */
1185 result = asn1_write_value (c, root, val.data, val.size);
1186 if (result != ASN1_SUCCESS)
1187 {
1188 gnutls_assert ();
1189 result = _gnutls_asn2err (result);
1190 goto cleanup;
1191 }
1192
1193 result = 0;
1194
1195 cleanup:
1196 asn1_delete_structure (&c2);
1197 if (val.data != data->data)
1198 _gnutls_free_datum (&val);
1199 return result;
1200 }
1201
1202 void
1203 _asnstr_append_name (char *name, size_t name_size, const char *part1,
1204 const char *part2)
1205 {
1206 if (part1[0] != 0)
1207 {
1208 _gnutls_str_cpy (name, name_size, part1);
1209 _gnutls_str_cat (name, name_size, part2);
1210 }
1211 else
1212 _gnutls_str_cpy (name, name_size, part2 + 1 /* remove initial dot */ );
1213 }
1214
1215
1216
1217 /* Encodes and copies the private key parameters into a
1218 * subjectPublicKeyInfo structure.
1219 *
1220 */
1221 int
1222 _gnutls_x509_encode_and_copy_PKI_params (ASN1_TYPE dst,
1223 const char *dst_name,
1224 gnutls_pk_algorithm_t
1225 pk_algorithm, gnutls_pk_params_st * params)
1226 {
1227 const char *pk;
1228 gnutls_datum_t der = { NULL, 0 };
1229 int result;
1230 char name[128];
1231
1232 pk = _gnutls_x509_pk_to_oid (pk_algorithm);
1233 if (pk == NULL)
1234 {
1235 gnutls_assert ();
1236 return GNUTLS_E_UNKNOWN_PK_ALGORITHM;
1237 }
1238
1239 /* write the OID
1240 */
1241 _asnstr_append_name (name, sizeof (name), dst_name, ".algorithm.algorithm");
1242
1243 result = asn1_write_value (dst, name, pk, 1);
1244 if (result != ASN1_SUCCESS)
1245 {
1246 gnutls_assert ();
1247 return _gnutls_asn2err (result);
1248 }
1249
1250 result = _gnutls_x509_write_pubkey_params (pk_algorithm, params, &der);
1251 if (result < 0)
1252 {
1253 gnutls_assert ();
1254 return result;
1255 }
1256
1257 _asnstr_append_name (name, sizeof (name), dst_name,
1258 ".algorithm.parameters");
1259
1260 result = asn1_write_value (dst, name, der.data, der.size);
1261
1262 _gnutls_free_datum (&der);
1263
1264 if (result != ASN1_SUCCESS)
1265 {
1266 gnutls_assert ();
1267 return _gnutls_asn2err (result);
1268 }
1269
1270 result = _gnutls_x509_write_pubkey (pk_algorithm, params, &der);
1271 if (result < 0)
1272 {
1273 gnutls_assert ();
1274 return result;
1275 }
1276
1277 /* Write the DER parameters. (in bits)
1278 */
1279 _asnstr_append_name (name, sizeof (name), dst_name,
1280 ".subjectPublicKey");
1281 result = asn1_write_value (dst, name, der.data, der.size * 8);
1282 _gnutls_free_datum (&der);
1283
1284 if (result != ASN1_SUCCESS)
1285 {
1286 gnutls_assert ();
1287 return _gnutls_asn2err (result);
1288 }
1289
1290 return 0;
1291 }
1292
1293 /* Encodes and public key parameters into a
1294 * subjectPublicKeyInfo structure and stores it in der.
1295 */
1296 int
1297 _gnutls_x509_encode_PKI_params (gnutls_datum_t *der,
1298 gnutls_pk_algorithm_t
1299 pk_algorithm, gnutls_pk_params_st * params)
1300 {
1301 int ret;
1302 ASN1_TYPE tmp;
1303
1304 ret = asn1_create_element (_gnutls_get_pkix (),
1305 "PKIX1.Certificate", &tmp);
1306 if (ret != ASN1_SUCCESS)
1307 {
1308 gnutls_assert ();
1309 return _gnutls_asn2err (ret);
1310 }
1311
1312 ret = _gnutls_x509_encode_and_copy_PKI_params (tmp,
1313 "tbsCertificate.subjectPublicKeyInfo",
1314 pk_algorithm, params);
1315 if (ret != ASN1_SUCCESS)
1316 {
1317 gnutls_assert ();
1318 ret = _gnutls_asn2err (ret);
1319 goto cleanup;
1320 }
1321
1322 ret = _gnutls_x509_der_encode(tmp, "tbsCertificate.subjectPublicKeyInfo", der, 0);
1323
1324 cleanup:
1325 asn1_delete_structure (&tmp);
1326
1327 return ret;
1328 }
1329
1330 /* Reads and returns the PK algorithm of the given certificate-like
1331 * ASN.1 structure. src_name should be something like "tbsCertificate.subjectPublicKeyInfo".
1332 */
1333 int
1334 _gnutls_x509_get_pk_algorithm (ASN1_TYPE src, const char *src_name,
1335 unsigned int *bits)
1336 {
1337 int result;
1338 int algo;
1339 char oid[64];
1340 int len;
1341 gnutls_pk_params_st params;
1342 char name[128];
1343
1344 gnutls_pk_params_init(&params);
1345
1346 _asnstr_append_name (name, sizeof (name), src_name, ".algorithm.algorithm");
1347 len = sizeof (oid);
1348 result = asn1_read_value (src, name, oid, &len);
1349
1350 if (result != ASN1_SUCCESS)
1351 {
1352 gnutls_assert ();
1353 return _gnutls_asn2err (result);
1354 }
1355
1356 algo = _gnutls_x509_oid2pk_algorithm (oid);
1357 if (algo == GNUTLS_PK_UNKNOWN)
1358 {
1359 _gnutls_debug_log
1360 ("%s: unknown public key algorithm: %s\n", __func__, oid);
1361 }
1362
1363 if (bits == NULL)
1364 {
1365 return algo;
1366 }
1367
1368 /* Now read the parameters' bits
1369 */
1370 result = _gnutls_get_asn_mpis(src, src_name, &params);
1371 if (result < 0)
1372 return gnutls_assert_val(result);
1373
1374 bits[0] = pubkey_to_bits(algo, &params);
1375
1376 gnutls_pk_params_release(&params);
1377 return algo;
1378 }
1379
1380 /* Reads the DER signed data from the certificate and allocates space and
1381 * returns them into signed_data.
1382 */
1383 int
1384 _gnutls_x509_get_signed_data (ASN1_TYPE src, const char *src_name,
1385 gnutls_datum_t * signed_data)
1386 {
1387 gnutls_datum_t der;
1388 int start, end, result;
1389
1390 result = _gnutls_x509_der_encode (src, "", &der, 0);
1391 if (result < 0)
1392 {
1393 gnutls_assert ();
1394 return result;
1395 }
1396
1397 /* Get the signed data
1398 */
1399 result = asn1_der_decoding_startEnd (src, der.data, der.size,
1400 src_name, &start, &end);
1401 if (result != ASN1_SUCCESS)
1402 {
1403 result = _gnutls_asn2err (result);
1404 gnutls_assert ();
1405 goto cleanup;
1406 }
1407
1408 result = _gnutls_set_datum (signed_data, &der.data[start], end - start + 1);
1409
1410 if (result < 0)
1411 {
1412 gnutls_assert ();
1413 goto cleanup;
1414 }
1415
1416 result = 0;
1417
1418 cleanup:
1419 _gnutls_free_datum (&der);
1420
1421 return result;
1422 }
1423
1424 /*-
1425 * gnutls_x509_get_signature_algorithm:
1426 * @src: should contain an ASN1_TYPE structure
1427 * @src_name: the description of the signature field
1428 *
1429 * This function will return a value of the #gnutls_sign_algorithm_t
1430 * enumeration that is the signature algorithm that has been used to
1431 * sign this certificate.
1432 *
1433 * Returns: a #gnutls_sign_algorithm_t value, or a negative error code on
1434 * error.
1435 -*/
1436 int
1437 _gnutls_x509_get_signature_algorithm (ASN1_TYPE src, const char *src_name)
1438 {
1439 int result;
1440 gnutls_datum_t sa;
1441
1442 /* Read the signature algorithm. Note that parameters are not
1443 * read. They will be read from the issuer's certificate if needed.
1444 */
1445 result =
1446 _gnutls_x509_read_value (src, src_name, &sa, 0);
1447
1448 if (result < 0)
1449 {
1450 gnutls_assert ();
1451 return result;
1452 }
1453
1454 result = _gnutls_x509_oid2sign_algorithm ( (char*)sa.data);
1455
1456 _gnutls_free_datum (&sa);
1457
1458 return result;
1459 }
1460
1461
1462 /* Reads the DER signature from the certificate and allocates space and
1463 * returns them into signed_data.
1464 */
1465 int
1466 _gnutls_x509_get_signature (ASN1_TYPE src, const char *src_name,
1467 gnutls_datum_t * signature)
1468 {
1469 int result, len;
1470 unsigned int bits;
1471
1472 signature->data = NULL;
1473 signature->size = 0;
1474
1475 /* Read the signature
1476 */
1477 len = 0;
1478 result = asn1_read_value (src, src_name, NULL, &len);
1479
1480 if (result != ASN1_MEM_ERROR)
1481 {
1482 result = _gnutls_asn2err (result);
1483 gnutls_assert ();
1484 goto cleanup;
1485 }
1486
1487 bits = len;
1488 if (bits % 8 != 0)
1489 {
1490 gnutls_assert ();
1491 result = GNUTLS_E_CERTIFICATE_ERROR;
1492 goto cleanup;
1493 }
1494
1495 len = bits / 8;
1496
1497 signature->data = gnutls_malloc (len);
1498 if (signature->data == NULL)
1499 {
1500 gnutls_assert ();
1501 result = GNUTLS_E_MEMORY_ERROR;
1502 return result;
1503 }
1504
1505 /* read the bit string of the signature
1506 */
1507 bits = len;
1508 result = asn1_read_value (src, src_name, signature->data, (int*)&bits);
1509
1510 if (result != ASN1_SUCCESS)
1511 {
1512 result = _gnutls_asn2err (result);
1513 gnutls_assert ();
1514 goto cleanup;
1515 }
1516
1517 signature->size = len;
1518
1519 return 0;
1520
1521 cleanup:
1522 return result;
1523 }
Implementation of the SSL/TLS protocol