search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Added functions to export structures in an allocated buffer.
[gnutls.git] / lib / x509 / pkcs7.c
blob5149f5c3fed2380890941a229a7a1b5054d8c45f
1 /*
2 * Copyright (C) 2003-2012 Free Software Foundation, Inc.
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GnuTLS.
7 *
8 * The GnuTLS is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 3 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public License
19 * along with this program. If not, see <http://www.gnu.org/licenses/>
20 *
21 */
22
23 /* Functions that relate on PKCS7 certificate lists parsing.
24 */
25
26 #include <gnutls_int.h>
27 #include <libtasn1.h>
28
29 #include <gnutls_datum.h>
30 #include <gnutls_global.h>
31 #include <gnutls_errors.h>
32 #include <common.h>
33 #include <x509_b64.h>
34
35 #define SIGNED_DATA_OID "1.2.840.113549.1.7.2"
36
37 /* Decodes the PKCS #7 signed data, and returns an ASN1_TYPE,
38 * which holds them. If raw is non null then the raw decoded
39 * data are copied (they are locally allocated) there.
40 */
41 static int
42 _decode_pkcs7_signed_data (ASN1_TYPE pkcs7, ASN1_TYPE * sdata,
43 gnutls_datum_t * raw)
44 {
45 char oid[MAX_OID_SIZE];
46 ASN1_TYPE c2;
47 uint8_t *tmp = NULL;
48 int tmp_size, len, result;
49
50 len = sizeof (oid) - 1;
51 result = asn1_read_value (pkcs7, "contentType", oid, &len);
52 if (result != ASN1_SUCCESS)
53 {
54 gnutls_assert ();
55 return _gnutls_asn2err (result);
56 }
57
58 if (strcmp (oid, SIGNED_DATA_OID) != 0)
59 {
60 gnutls_assert ();
61 _gnutls_debug_log ("Unknown PKCS7 Content OID '%s'\n", oid);
62 return GNUTLS_E_UNKNOWN_PKCS_CONTENT_TYPE;
63 }
64
65 if ((result = asn1_create_element
66 (_gnutls_get_pkix (), "PKIX1.pkcs-7-SignedData", &c2)) != ASN1_SUCCESS)
67 {
68 gnutls_assert ();
69 return _gnutls_asn2err (result);
70 }
71
72 /* the Signed-data has been created, so
73 * decode them.
74 */
75 tmp_size = 0;
76 result = asn1_read_value (pkcs7, "content", NULL, &tmp_size);
77 if (result != ASN1_MEM_ERROR)
78 {
79 gnutls_assert ();
80 result = _gnutls_asn2err (result);
81 goto cleanup;
82 }
83
84 tmp = gnutls_malloc (tmp_size);
85 if (tmp == NULL)
86 {
87 gnutls_assert ();
88 result = GNUTLS_E_MEMORY_ERROR;
89 goto cleanup;
90 }
91
92 result = asn1_read_value (pkcs7, "content", tmp, &tmp_size);
93 if (result != ASN1_SUCCESS)
94 {
95 gnutls_assert ();
96 result = _gnutls_asn2err (result);
97 goto cleanup;
98 }
99
100 /* tmp, tmp_size hold the data and the size of the CertificateSet structure
101 * actually the ANY stuff.
102 */
103
104 /* Step 1. In case of a signed structure extract certificate set.
105 */
106
107 result = asn1_der_decoding (&c2, tmp, tmp_size, NULL);
108 if (result != ASN1_SUCCESS)
109 {
110 gnutls_assert ();
111 result = _gnutls_asn2err (result);
112 goto cleanup;
113 }
114
115 if (raw == NULL)
116 {
117 gnutls_free (tmp);
118 }
119 else
120 {
121 raw->data = tmp;
122 raw->size = tmp_size;
123 }
124
125 *sdata = c2;
126
127 return 0;
128
129 cleanup:
130 if (c2)
131 asn1_delete_structure (&c2);
132 gnutls_free (tmp);
133 return result;
134 }
135
136 /**
137 * gnutls_pkcs7_init:
138 * @pkcs7: The structure to be initialized
139 *
140 * This function will initialize a PKCS7 structure. PKCS7 structures
141 * usually contain lists of X.509 Certificates and X.509 Certificate
142 * revocation lists.
143 *
144 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
145 * negative error value.
146 **/
147 int
148 gnutls_pkcs7_init (gnutls_pkcs7_t * pkcs7)
149 {
150 *pkcs7 = gnutls_calloc (1, sizeof (gnutls_pkcs7_int));
151
152 if (*pkcs7)
153 {
154 int result = asn1_create_element (_gnutls_get_pkix (),
155 "PKIX1.pkcs-7-ContentInfo",
156 &(*pkcs7)->pkcs7);
157 if (result != ASN1_SUCCESS)
158 {
159 gnutls_assert ();
160 gnutls_free (*pkcs7);
161 return _gnutls_asn2err (result);
162 }
163 return 0; /* success */
164 }
165 return GNUTLS_E_MEMORY_ERROR;
166 }
167
168 /**
169 * gnutls_pkcs7_deinit:
170 * @pkcs7: The structure to be initialized
171 *
172 * This function will deinitialize a PKCS7 structure.
173 **/
174 void
175 gnutls_pkcs7_deinit (gnutls_pkcs7_t pkcs7)
176 {
177 if (!pkcs7)
178 return;
179
180 if (pkcs7->pkcs7)
181 asn1_delete_structure (&pkcs7->pkcs7);
182
183 gnutls_free (pkcs7);
184 }
185
186 /**
187 * gnutls_pkcs7_import:
188 * @pkcs7: The structure to store the parsed PKCS7.
189 * @data: The DER or PEM encoded PKCS7.
190 * @format: One of DER or PEM
191 *
192 * This function will convert the given DER or PEM encoded PKCS7 to
193 * the native #gnutls_pkcs7_t format. The output will be stored in
194 * @pkcs7.
195 *
196 * If the PKCS7 is PEM encoded it should have a header of "PKCS7".
197 *
198 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
199 * negative error value.
200 **/
201 int
202 gnutls_pkcs7_import (gnutls_pkcs7_t pkcs7, const gnutls_datum_t * data,
203 gnutls_x509_crt_fmt_t format)
204 {
205 int result = 0, need_free = 0;
206 gnutls_datum_t _data;
207
208 if (pkcs7 == NULL)
209 return GNUTLS_E_INVALID_REQUEST;
210
211 _data.data = data->data;
212 _data.size = data->size;
213
214 /* If the PKCS7 is in PEM format then decode it
215 */
216 if (format == GNUTLS_X509_FMT_PEM)
217 {
218 result = _gnutls_fbase64_decode (PEM_PKCS7, data->data, data->size,
219 &_data);
220
221 if (result <= 0)
222 {
223 gnutls_assert ();
224 return result;
225 }
226
227 need_free = 1;
228 }
229
230
231 result = asn1_der_decoding (&pkcs7->pkcs7, _data.data, _data.size, NULL);
232 if (result != ASN1_SUCCESS)
233 {
234 result = _gnutls_asn2err (result);
235 gnutls_assert ();
236 goto cleanup;
237 }
238
239 if (need_free)
240 _gnutls_free_datum (&_data);
241
242 return 0;
243
244 cleanup:
245 if (need_free)
246 _gnutls_free_datum (&_data);
247 return result;
248 }
249
250 /**
251 * gnutls_pkcs7_get_crt_raw:
252 * @pkcs7: should contain a gnutls_pkcs7_t structure
253 * @indx: contains the index of the certificate to extract
254 * @certificate: the contents of the certificate will be copied
255 * there (may be null)
256 * @certificate_size: should hold the size of the certificate
257 *
258 * This function will return a certificate of the PKCS7 or RFC2630
259 * certificate set.
260 *
261 * After the last certificate has been read
262 * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.
263 *
264 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
265 * negative error value. If the provided buffer is not long enough,
266 * then @certificate_size is updated and
267 * %GNUTLS_E_SHORT_MEMORY_BUFFER is returned.
268 **/
269 int
270 gnutls_pkcs7_get_crt_raw (gnutls_pkcs7_t pkcs7,
271 int indx, void *certificate,
272 size_t * certificate_size)
273 {
274 ASN1_TYPE c2 = ASN1_TYPE_EMPTY;
275 int result, len;
276 char root2[ASN1_MAX_NAME_SIZE];
277 char oid[MAX_OID_SIZE];
278 gnutls_datum_t tmp = { NULL, 0 };
279
280 if (certificate_size == NULL || pkcs7 == NULL)
281 return GNUTLS_E_INVALID_REQUEST;
282
283 /* Step 1. decode the signed data.
284 */
285 result = _decode_pkcs7_signed_data (pkcs7->pkcs7, &c2, &tmp);
286 if (result < 0)
287 {
288 gnutls_assert ();
289 return result;
290 }
291
292 /* Step 2. Parse the CertificateSet
293 */
294
295 snprintf (root2, sizeof (root2), "certificates.?%u", indx + 1);
296
297 len = sizeof (oid) - 1;
298
299 result = asn1_read_value (c2, root2, oid, &len);
300
301 if (result == ASN1_VALUE_NOT_FOUND)
302 {
303 result = GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
304 goto cleanup;
305 }
306
307 if (result != ASN1_SUCCESS)
308 {
309 gnutls_assert ();
310 result = _gnutls_asn2err (result);
311 goto cleanup;
312 }
313
314 /* if 'Certificate' is the choice found:
315 */
316 if (strcmp (oid, "certificate") == 0)
317 {
318 int start, end;
319
320 result = asn1_der_decoding_startEnd (c2, tmp.data, tmp.size,
321 root2, &start, &end);
322
323 if (result != ASN1_SUCCESS)
324 {
325 gnutls_assert ();
326 result = _gnutls_asn2err (result);
327 goto cleanup;
328 }
329
330 end = end - start + 1;
331
332 if ((unsigned) end > *certificate_size)
333 {
334 *certificate_size = end;
335 result = GNUTLS_E_SHORT_MEMORY_BUFFER;
336 goto cleanup;
337 }
338
339 if (certificate)
340 memcpy (certificate, &tmp.data[start], end);
341
342 *certificate_size = end;
343
344 result = 0;
345
346 }
347 else
348 {
349 result = GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE;
350 }
351
352 cleanup:
353 _gnutls_free_datum (&tmp);
354 if (c2)
355 asn1_delete_structure (&c2);
356 return result;
357 }
358
359 /**
360 * gnutls_pkcs7_get_crt_count:
361 * @pkcs7: should contain a #gnutls_pkcs7_t structure
362 *
363 * This function will return the number of certifcates in the PKCS7
364 * or RFC2630 certificate set.
365 *
366 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
367 * negative error value.
368 **/
369 int
370 gnutls_pkcs7_get_crt_count (gnutls_pkcs7_t pkcs7)
371 {
372 ASN1_TYPE c2 = ASN1_TYPE_EMPTY;
373 int result, count;
374
375 if (pkcs7 == NULL)
376 return GNUTLS_E_INVALID_REQUEST;
377
378 /* Step 1. decode the signed data.
379 */
380 result = _decode_pkcs7_signed_data (pkcs7->pkcs7, &c2, NULL);
381 if (result < 0)
382 {
383 gnutls_assert ();
384 return result;
385 }
386
387 /* Step 2. Count the CertificateSet */
388
389 result = asn1_number_of_elements (c2, "certificates", &count);
390
391 asn1_delete_structure (&c2);
392
393 if (result != ASN1_SUCCESS)
394 {
395 gnutls_assert ();
396 return 0; /* no certificates */
397 }
398
399 return count;
400
401 }
402
403 /**
404 * gnutls_pkcs7_export:
405 * @pkcs7: Holds the pkcs7 structure
406 * @format: the format of output params. One of PEM or DER.
407 * @output_data: will contain a structure PEM or DER encoded
408 * @output_data_size: holds the size of output_data (and will be
409 * replaced by the actual size of parameters)
410 *
411 * This function will export the pkcs7 structure to DER or PEM format.
412 *
413 * If the buffer provided is not long enough to hold the output, then
414 * *@output_data_size is updated and %GNUTLS_E_SHORT_MEMORY_BUFFER
415 * will be returned.
416 *
417 * If the structure is PEM encoded, it will have a header
418 * of "BEGIN PKCS7".
419 *
420 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
421 * negative error value.
422 **/
423 int
424 gnutls_pkcs7_export (gnutls_pkcs7_t pkcs7,
425 gnutls_x509_crt_fmt_t format, void *output_data,
426 size_t * output_data_size)
427 {
428 if (pkcs7 == NULL)
429 return GNUTLS_E_INVALID_REQUEST;
430
431 return _gnutls_x509_export_int (pkcs7->pkcs7, format, PEM_PKCS7,
432 output_data, output_data_size);
433 }
434
435 /**
436 * gnutls_pkcs7_export2:
437 * @pkcs7: Holds the pkcs7 structure
438 * @format: the format of output params. One of PEM or DER.
439 * @out: will contain a structure PEM or DER encoded
440 *
441 * This function will export the pkcs7 structure to DER or PEM format.
442 *
443 * The output buffer is allocated using gnutls_malloc().
444 *
445 * If the structure is PEM encoded, it will have a header
446 * of "BEGIN PKCS7".
447 *
448 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
449 * negative error value.
450 **/
451 int
452 gnutls_pkcs7_export2 (gnutls_pkcs7_t pkcs7,
453 gnutls_x509_crt_fmt_t format, gnutls_datum_t *out)
454 {
455 if (pkcs7 == NULL)
456 return GNUTLS_E_INVALID_REQUEST;
457
458 return _gnutls_x509_export_int2 (pkcs7->pkcs7, format, PEM_PKCS7, out);
459 }
460
461 /* Creates an empty signed data structure in the pkcs7
462 * structure and returns a handle to the signed data.
463 */
464 static int
465 create_empty_signed_data (ASN1_TYPE pkcs7, ASN1_TYPE * sdata)
466 {
467 uint8_t one = 1;
468 int result;
469
470 *sdata = ASN1_TYPE_EMPTY;
471
472 if ((result = asn1_create_element
473 (_gnutls_get_pkix (), "PKIX1.pkcs-7-SignedData",
474 sdata)) != ASN1_SUCCESS)
475 {
476 gnutls_assert ();
477 result = _gnutls_asn2err (result);
478 goto cleanup;
479 }
480
481 /* Use version 1
482 */
483 result = asn1_write_value (*sdata, "version", &one, 1);
484 if (result != ASN1_SUCCESS)
485 {
486 gnutls_assert ();
487 result = _gnutls_asn2err (result);
488 goto cleanup;
489 }
490
491 /* Use no digest algorithms
492 */
493
494 /* id-data */
495 result =
496 asn1_write_value (*sdata, "encapContentInfo.eContentType",
497 "1.2.840.113549.1.7.5", 1);
498 if (result != ASN1_SUCCESS)
499 {
500 gnutls_assert ();
501 result = _gnutls_asn2err (result);
502 goto cleanup;
503 }
504
505 result = asn1_write_value (*sdata, "encapContentInfo.eContent", NULL, 0);
506 if (result != ASN1_SUCCESS)
507 {
508 gnutls_assert ();
509 result = _gnutls_asn2err (result);
510 goto cleanup;
511 }
512
513 /* Add no certificates.
514 */
515
516 /* Add no crls.
517 */
518
519 /* Add no signerInfos.
520 */
521
522 /* Write the content type of the signed data
523 */
524 result = asn1_write_value (pkcs7, "contentType", SIGNED_DATA_OID, 1);
525 if (result != ASN1_SUCCESS)
526 {
527 gnutls_assert ();
528 result = _gnutls_asn2err (result);
529 goto cleanup;
530 }
531
532 return 0;
533
534 cleanup:
535 asn1_delete_structure (sdata);
536 return result;
537
538 }
539
540 /**
541 * gnutls_pkcs7_set_crt_raw:
542 * @pkcs7: should contain a #gnutls_pkcs7_t structure
543 * @crt: the DER encoded certificate to be added
544 *
545 * This function will add a certificate to the PKCS7 or RFC2630
546 * certificate set.
547 *
548 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
549 * negative error value.
550 **/
551 int
552 gnutls_pkcs7_set_crt_raw (gnutls_pkcs7_t pkcs7, const gnutls_datum_t * crt)
553 {
554 ASN1_TYPE c2 = ASN1_TYPE_EMPTY;
555 int result;
556
557 if (pkcs7 == NULL)
558 return GNUTLS_E_INVALID_REQUEST;
559
560 /* Step 1. decode the signed data.
561 */
562 result = _decode_pkcs7_signed_data (pkcs7->pkcs7, &c2, NULL);
563 if (result < 0 && result != GNUTLS_E_ASN1_VALUE_NOT_FOUND)
564 {
565 gnutls_assert ();
566 return result;
567 }
568
569 /* If the signed data are uninitialized
570 * then create them.
571 */
572 if (result == GNUTLS_E_ASN1_VALUE_NOT_FOUND)
573 {
574 /* The pkcs7 structure is new, so create the
575 * signedData.
576 */
577 result = create_empty_signed_data (pkcs7->pkcs7, &c2);
578 if (result < 0)
579 {
580 gnutls_assert ();
581 return result;
582 }
583 }
584
585 /* Step 2. Append the new certificate.
586 */
587
588 result = asn1_write_value (c2, "certificates", "NEW", 1);
589 if (result != ASN1_SUCCESS)
590 {
591 gnutls_assert ();
592 result = _gnutls_asn2err (result);
593 goto cleanup;
594 }
595
596 result = asn1_write_value (c2, "certificates.?LAST", "certificate", 1);
597 if (result != ASN1_SUCCESS)
598 {
599 gnutls_assert ();
600 result = _gnutls_asn2err (result);
601 goto cleanup;
602 }
603
604 result =
605 asn1_write_value (c2, "certificates.?LAST.certificate", crt->data,
606 crt->size);
607 if (result != ASN1_SUCCESS)
608 {
609 gnutls_assert ();
610 result = _gnutls_asn2err (result);
611 goto cleanup;
612 }
613
614 /* Step 3. Replace the old content with the new
615 */
616 result =
617 _gnutls_x509_der_encode_and_copy (c2, "", pkcs7->pkcs7, "content", 0);
618 if (result < 0)
619 {
620 gnutls_assert ();
621 goto cleanup;
622 }
623
624 asn1_delete_structure (&c2);
625
626 return 0;
627
628 cleanup:
629 if (c2)
630 asn1_delete_structure (&c2);
631 return result;
632 }
633
634 /**
635 * gnutls_pkcs7_set_crt:
636 * @pkcs7: should contain a #gnutls_pkcs7_t structure
637 * @crt: the certificate to be copied.
638 *
639 * This function will add a parsed certificate to the PKCS7 or
640 * RFC2630 certificate set. This is a wrapper function over
641 * gnutls_pkcs7_set_crt_raw() .
642 *
643 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
644 * negative error value.
645 **/
646 int
647 gnutls_pkcs7_set_crt (gnutls_pkcs7_t pkcs7, gnutls_x509_crt_t crt)
648 {
649 int ret;
650 gnutls_datum_t data;
651
652 if (pkcs7 == NULL)
653 return GNUTLS_E_INVALID_REQUEST;
654
655 ret = _gnutls_x509_der_encode (crt->cert, "", &data, 0);
656 if (ret < 0)
657 {
658 gnutls_assert ();
659 return ret;
660 }
661
662 ret = gnutls_pkcs7_set_crt_raw (pkcs7, &data);
663
664 _gnutls_free_datum (&data);
665
666 if (ret < 0)
667 {
668 gnutls_assert ();
669 return ret;
670 }
671
672 return 0;
673 }
674
675
676 /**
677 * gnutls_pkcs7_delete_crt:
678 * @pkcs7: should contain a gnutls_pkcs7_t structure
679 * @indx: the index of the certificate to delete
680 *
681 * This function will delete a certificate from a PKCS7 or RFC2630
682 * certificate set. Index starts from 0. Returns 0 on success.
683 *
684 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
685 * negative error value.
686 **/
687 int
688 gnutls_pkcs7_delete_crt (gnutls_pkcs7_t pkcs7, int indx)
689 {
690 ASN1_TYPE c2 = ASN1_TYPE_EMPTY;
691 int result;
692 char root2[ASN1_MAX_NAME_SIZE];
693
694 if (pkcs7 == NULL)
695 return GNUTLS_E_INVALID_REQUEST;
696
697 /* Step 1. Decode the signed data.
698 */
699 result = _decode_pkcs7_signed_data (pkcs7->pkcs7, &c2, NULL);
700 if (result < 0)
701 {
702 gnutls_assert ();
703 return result;
704 }
705
706 /* Step 2. Delete the certificate.
707 */
708
709 snprintf (root2, sizeof (root2), "certificates.?%u", indx + 1);
710
711 result = asn1_write_value (c2, root2, NULL, 0);
712 if (result != ASN1_SUCCESS)
713 {
714 gnutls_assert ();
715 result = _gnutls_asn2err (result);
716 goto cleanup;
717 }
718
719 /* Step 3. Replace the old content with the new
720 */
721 result =
722 _gnutls_x509_der_encode_and_copy (c2, "", pkcs7->pkcs7, "content", 0);
723 if (result < 0)
724 {
725 gnutls_assert ();
726 goto cleanup;
727 }
728
729 asn1_delete_structure (&c2);
730
731 return 0;
732
733 cleanup:
734 if (c2)
735 asn1_delete_structure (&c2);
736 return result;
737 }
738
739 /* Read and write CRLs
740 */
741
742 /**
743 * gnutls_pkcs7_get_crl_raw:
744 * @pkcs7: should contain a #gnutls_pkcs7_t structure
745 * @indx: contains the index of the crl to extract
746 * @crl: the contents of the crl will be copied there (may be null)
747 * @crl_size: should hold the size of the crl
748 *
749 * This function will return a crl of the PKCS7 or RFC2630 crl set.
750 *
751 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
752 * negative error value. If the provided buffer is not long enough,
753 * then @crl_size is updated and %GNUTLS_E_SHORT_MEMORY_BUFFER is
754 * returned. After the last crl has been read
755 * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.
756 **/
757 int
758 gnutls_pkcs7_get_crl_raw (gnutls_pkcs7_t pkcs7,
759 int indx, void *crl, size_t * crl_size)
760 {
761 ASN1_TYPE c2 = ASN1_TYPE_EMPTY;
762 int result;
763 char root2[ASN1_MAX_NAME_SIZE];
764 gnutls_datum_t tmp = { NULL, 0 };
765 int start, end;
766
767 if (pkcs7 == NULL || crl_size == NULL)
768 return GNUTLS_E_INVALID_REQUEST;
769
770 /* Step 1. decode the signed data.
771 */
772 result = _decode_pkcs7_signed_data (pkcs7->pkcs7, &c2, &tmp);
773 if (result < 0)
774 {
775 gnutls_assert ();
776 return result;
777 }
778
779 /* Step 2. Parse the CertificateSet
780 */
781
782 snprintf (root2, sizeof (root2), "crls.?%u", indx + 1);
783
784 /* Get the raw CRL
785 */
786 result = asn1_der_decoding_startEnd (c2, tmp.data, tmp.size,
787 root2, &start, &end);
788
789 if (result != ASN1_SUCCESS)
790 {
791 gnutls_assert ();
792 result = _gnutls_asn2err (result);
793 goto cleanup;
794 }
795
796 end = end - start + 1;
797
798 if ((unsigned) end > *crl_size)
799 {
800 *crl_size = end;
801 result = GNUTLS_E_SHORT_MEMORY_BUFFER;
802 goto cleanup;
803 }
804
805 if (crl)
806 memcpy (crl, &tmp.data[start], end);
807
808 *crl_size = end;
809
810 result = 0;
811
812 cleanup:
813 _gnutls_free_datum (&tmp);
814 if (c2)
815 asn1_delete_structure (&c2);
816 return result;
817 }
818
819 /**
820 * gnutls_pkcs7_get_crl_count:
821 * @pkcs7: should contain a gnutls_pkcs7_t structure
822 *
823 * This function will return the number of certifcates in the PKCS7
824 * or RFC2630 crl set.
825 *
826 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
827 * negative error value.
828 **/
829 int
830 gnutls_pkcs7_get_crl_count (gnutls_pkcs7_t pkcs7)
831 {
832 ASN1_TYPE c2 = ASN1_TYPE_EMPTY;
833 int result, count;
834
835 if (pkcs7 == NULL)
836 return GNUTLS_E_INVALID_REQUEST;
837
838 /* Step 1. decode the signed data.
839 */
840 result = _decode_pkcs7_signed_data (pkcs7->pkcs7, &c2, NULL);
841 if (result < 0)
842 {
843 gnutls_assert ();
844 return result;
845 }
846
847 /* Step 2. Count the CertificateSet */
848
849 result = asn1_number_of_elements (c2, "crls", &count);
850
851 asn1_delete_structure (&c2);
852
853 if (result != ASN1_SUCCESS)
854 {
855 gnutls_assert ();
856 return 0; /* no crls */
857 }
858
859 return count;
860
861 }
862
863 /**
864 * gnutls_pkcs7_set_crl_raw:
865 * @pkcs7: should contain a #gnutls_pkcs7_t structure
866 * @crl: the DER encoded crl to be added
867 *
868 * This function will add a crl to the PKCS7 or RFC2630 crl set.
869 *
870 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
871 * negative error value.
872 **/
873 int
874 gnutls_pkcs7_set_crl_raw (gnutls_pkcs7_t pkcs7, const gnutls_datum_t * crl)
875 {
876 ASN1_TYPE c2 = ASN1_TYPE_EMPTY;
877 int result;
878
879 if (pkcs7 == NULL)
880 return GNUTLS_E_INVALID_REQUEST;
881
882 /* Step 1. decode the signed data.
883 */
884 result = _decode_pkcs7_signed_data (pkcs7->pkcs7, &c2, NULL);
885 if (result < 0 && result != GNUTLS_E_ASN1_VALUE_NOT_FOUND)
886 {
887 gnutls_assert ();
888 return result;
889 }
890
891 /* If the signed data are uninitialized
892 * then create them.
893 */
894 if (result == GNUTLS_E_ASN1_VALUE_NOT_FOUND)
895 {
896 /* The pkcs7 structure is new, so create the
897 * signedData.
898 */
899 result = create_empty_signed_data (pkcs7->pkcs7, &c2);
900 if (result < 0)
901 {
902 gnutls_assert ();
903 return result;
904 }
905 }
906
907 /* Step 2. Append the new crl.
908 */
909
910 result = asn1_write_value (c2, "crls", "NEW", 1);
911 if (result != ASN1_SUCCESS)
912 {
913 gnutls_assert ();
914 result = _gnutls_asn2err (result);
915 goto cleanup;
916 }
917
918 result = asn1_write_value (c2, "crls.?LAST", crl->data, crl->size);
919 if (result != ASN1_SUCCESS)
920 {
921 gnutls_assert ();
922 result = _gnutls_asn2err (result);
923 goto cleanup;
924 }
925
926 /* Step 3. Replace the old content with the new
927 */
928 result =
929 _gnutls_x509_der_encode_and_copy (c2, "", pkcs7->pkcs7, "content", 0);
930 if (result < 0)
931 {
932 gnutls_assert ();
933 goto cleanup;
934 }
935
936 asn1_delete_structure (&c2);
937
938 return 0;
939
940 cleanup:
941 if (c2)
942 asn1_delete_structure (&c2);
943 return result;
944 }
945
946 /**
947 * gnutls_pkcs7_set_crl:
948 * @pkcs7: should contain a #gnutls_pkcs7_t structure
949 * @crl: the DER encoded crl to be added
950 *
951 * This function will add a parsed CRL to the PKCS7 or RFC2630 crl
952 * set.
953 *
954 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
955 * negative error value.
956 **/
957 int
958 gnutls_pkcs7_set_crl (gnutls_pkcs7_t pkcs7, gnutls_x509_crl_t crl)
959 {
960 int ret;
961 gnutls_datum_t data;
962
963 if (pkcs7 == NULL)
964 return GNUTLS_E_INVALID_REQUEST;
965
966 ret = _gnutls_x509_der_encode (crl->crl, "", &data, 0);
967 if (ret < 0)
968 {
969 gnutls_assert ();
970 return ret;
971 }
972
973 ret = gnutls_pkcs7_set_crl_raw (pkcs7, &data);
974
975 _gnutls_free_datum (&data);
976
977 if (ret < 0)
978 {
979 gnutls_assert ();
980 return ret;
981 }
982
983 return 0;
984 }
985
986 /**
987 * gnutls_pkcs7_delete_crl:
988 * @pkcs7: should contain a #gnutls_pkcs7_t structure
989 * @indx: the index of the crl to delete
990 *
991 * This function will delete a crl from a PKCS7 or RFC2630 crl set.
992 * Index starts from 0. Returns 0 on success.
993 *
994 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
995 * negative error value.
996 **/
997 int
998 gnutls_pkcs7_delete_crl (gnutls_pkcs7_t pkcs7, int indx)
999 {
1000 ASN1_TYPE c2 = ASN1_TYPE_EMPTY;
1001 int result;
1002 char root2[ASN1_MAX_NAME_SIZE];
1003
1004 if (pkcs7 == NULL)
1005 return GNUTLS_E_INVALID_REQUEST;
1006
1007 /* Step 1. Decode the signed data.
1008 */
1009 result = _decode_pkcs7_signed_data (pkcs7->pkcs7, &c2, NULL);
1010 if (result < 0)
1011 {
1012 gnutls_assert ();
1013 return result;
1014 }
1015
1016 /* Step 2. Delete the crl.
1017 */
1018
1019 snprintf (root2, sizeof (root2), "crls.?%u", indx + 1);
1020
1021 result = asn1_write_value (c2, root2, NULL, 0);
1022 if (result != ASN1_SUCCESS)
1023 {
1024 gnutls_assert ();
1025 result = _gnutls_asn2err (result);
1026 goto cleanup;
1027 }
1028
1029 /* Step 3. Replace the old content with the new
1030 */
1031 result =
1032 _gnutls_x509_der_encode_and_copy (c2, "", pkcs7->pkcs7, "content", 0);
1033 if (result < 0)
1034 {
1035 gnutls_assert ();
1036 goto cleanup;
1037 }
1038
1039 asn1_delete_structure (&c2);
1040
1041 return 0;
1042
1043 cleanup:
1044 if (c2)
1045 asn1_delete_structure (&c2);
1046 return result;
1047 }
Implementation of the SSL/TLS protocol