search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
*** empty log message ***
[gnutls.git] / lib / x509_extensions.c
blobbb737cc2b9147f7d5c4eb0cf2e7583a3c7e10a81
1 /*
2 * Copyright (C) 2001,2002 Nikos Mavroyanopoulos
3 *
4 * This file is part of GNUTLS.
5 *
6 * The GNUTLS library is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU Lesser General Public
8 * License as published by the Free Software Foundation; either
9 * version 2.1 of the License, or (at your option) any later version.
10 *
11 * This library is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 * Lesser General Public License for more details.
15 *
16 * You should have received a copy of the GNU Lesser General Public
17 * License along with this library; if not, write to the Free Software
18 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
19 *
20 */
21
22 #include <gnutls_int.h>
23 #include <x509_asn1.h>
24 #include <x509_der.h>
25 #include <gnutls_num.h>
26 #include <gnutls_cert.h>
27 #include <gnutls_errors.h>
28 #include <gnutls_global.h>
29 #include "debug.h"
30 #include <gnutls_str.h>
31 #include <gnutls_x509.h>
32
33 /* Here we only extract the KeyUsage field
34 */
35 static int _extract_keyUsage(uint16 *keyUsage, opaque * extnValue,
36 int extnValueLen)
37 {
38 node_asn *ext;
39 char str[10];
40 int len, result;
41
42 keyUsage[0] = 0;
43
44 if ((result=asn1_create_structure
45 (_gnutls_get_pkix(), "PKIX1.KeyUsage", &ext,
46 "ku")) != ASN_OK) {
47 gnutls_assert();
48 return _gnutls_asn2err(result);
49 }
50
51 result = asn1_get_der(ext, extnValue, extnValueLen);
52
53 if (result != ASN_OK) {
54 gnutls_assert();
55 asn1_delete_structure(ext);
56 return 0;
57 }
58
59 len = sizeof(str) - 1;
60 result = asn1_read_value(ext, "ku", str, &len);
61 if (result != ASN_OK) {
62 gnutls_assert();
63 asn1_delete_structure(ext);
64 return 0;
65 }
66
67 keyUsage[0] = str[0];
68
69 asn1_delete_structure(ext);
70
71 return 0;
72 }
73
74 static int _extract_basicConstraints(int *CA, opaque * extnValue,
75 int extnValueLen)
76 {
77 node_asn *ext;
78 char str[128];
79 int len, result;
80
81 *CA = 0;
82
83 if ((result=asn1_create_structure
84 (_gnutls_get_pkix(), "PKIX1.BasicConstraints", &ext,
85 "bc")) != ASN_OK) {
86 gnutls_assert();
87 return _gnutls_asn2err(result);
88 }
89
90 result = asn1_get_der(ext, extnValue, extnValueLen);
91
92 if (result != ASN_OK) {
93 gnutls_assert();
94 asn1_delete_structure(ext);
95 return 0;
96 }
97
98 len = sizeof(str) - 1;
99 result = asn1_read_value(ext, "bc.cA", str, &len);
100 if (result != ASN_OK) {
101 gnutls_assert();
102 asn1_delete_structure(ext);
103 return 0;
104 }
105
106 asn1_delete_structure(ext);
107
108 if (strcmp(str, "TRUE") == 0)
109 *CA = 1;
110 else
111 *CA = 0;
112
113
114 return 0;
115 }
116
117
118 static int _parse_extension(gnutls_cert * cert, char *extnID,
119 char *critical, char *extnValue,
120 int extnValueLen)
121 {
122
123 if (strcmp(extnID, "2 5 29 14") == 0) { /* subject Key ID */
124 /* we don't use it */
125 return 0;
126 }
127
128 if (strcmp(extnID, "2 5 29 15") == 0) { /* Key Usage */
129 return _extract_keyUsage(&cert->keyUsage, extnValue, extnValueLen);
130 }
131
132 if (strcmp(extnID, "2 5 29 19") == 0) { /* Basic Constraints */
133 /* actually checks if a certificate belongs to
134 * a Certificate Authority.
135 */
136 return _extract_basicConstraints(&cert->CA, extnValue,
137 extnValueLen);
138 }
139
140 _gnutls_x509_log("X509_EXT: CERT[%s]: Unsupported Extension: %s, %s\n",
141 GET_CN(cert->raw), extnID, critical);
142
143 if (strcmp(critical, "TRUE") == 0) {
144 gnutls_assert();
145 return GNUTLS_E_X509_UNSUPPORTED_CRITICAL_EXTENSION;
146 }
147 return 0;
148
149 }
150
151 /* This function will attempt to parse Extensions in
152 * an X509v3 certificate
153 */
154 int _gnutls_get_ext_type(node_asn * rasn, char *root, gnutls_cert * cert)
155 {
156 int k, result, len;
157 char name[128], name2[128], counter[MAX_INT_DIGITS];
158 char str[1024];
159 char critical[10];
160 char extnID[128];
161 char extnValue[256];
162
163 k = 0;
164 do {
165 k++;
166
167 _gnutls_str_cpy(name, sizeof(name), root);
168 _gnutls_str_cat(name, sizeof(name), ".?");
169 _gnutls_int2str(k, counter);
170 _gnutls_str_cat(name, sizeof(name), counter);
171
172 len = sizeof(str) - 1;
173 result = asn1_read_value(rasn, name, str, &len);
174
175 /* move to next
176 */
177
178 if (result == ASN_ELEMENT_NOT_FOUND)
179 break;
180
181 do {
182
183 _gnutls_str_cpy(name2, sizeof(name2), name);
184 _gnutls_str_cat(name2, sizeof(name2), ".extnID");
185
186 len = sizeof(extnID) - 1;
187 result =
188 asn1_read_value(rasn, name2, extnID, &len);
189
190 if (result == ASN_ELEMENT_NOT_FOUND)
191 break;
192 else if (result != ASN_OK) {
193 gnutls_assert();
194 return _gnutls_asn2err(result);
195 }
196
197 _gnutls_str_cpy(name2, sizeof(name2), name);
198 _gnutls_str_cat(name2, sizeof(name2), ".critical");
199
200 len = sizeof(critical) - 1;
201 result =
202 asn1_read_value(rasn, name2, critical, &len);
203
204 if (result == ASN_ELEMENT_NOT_FOUND)
205 break;
206 else if (result != ASN_OK) {
207 gnutls_assert();
208 return _gnutls_asn2err(result);
209 }
210
211 _gnutls_str_cpy(name2, sizeof(name2), name);
212 _gnutls_str_cat(name2, sizeof(name2), ".extnValue");
213
214 len = sizeof(extnValue) - 1;
215 result =
216 asn1_read_value(rasn, name2, extnValue, &len);
217
218 if (result == ASN_ELEMENT_NOT_FOUND)
219 break;
220 else {
221 if (result == ASN_MEM_ERROR
222 && strcmp(critical, "FALSE") == 0) {
223
224 _gnutls_x509_log
225 ("X509_EXT: Cannot parse extension: %s. Too small buffer.",
226 extnID);
227
228 continue;
229 }
230 if (result != ASN_OK) {
231 gnutls_assert();
232 return _gnutls_asn2err(result);
233 }
234 }
235
236 /* Handle Extension */
237 if ((result =
238 _parse_extension(cert, extnID, critical,
239 extnValue, len)) < 0) {
240 gnutls_assert();
241 return result;
242 }
243
244
245 } while (0);
246 } while (1);
247
248 if (result == ASN_ELEMENT_NOT_FOUND)
249 return 0;
250 else
251 return _gnutls_asn2err(result);
252 }
253
254 /* This function will attempt to return the requested extension found in
255 * the given X509v3 certificate. The return value is allocated and stored into
256 * ret.
257 */
258 int _gnutls_get_extension( const gnutls_datum * cert, const char* extension_id, gnutls_datum* ret)
259 {
260 int k, result, len;
261 char name[128], name2[128], counter[MAX_INT_DIGITS];
262 char str[1024];
263 char critical[10];
264 char extnID[128];
265 char extnValue[256];
266 node_asn* rasn;
267
268 ret->data = NULL;
269 ret->size = 0;
270
271 if ((result=asn1_create_structure
272 (_gnutls_get_pkix(), "PKIX1.Certificate", &rasn,
273 "certificate2"))
274 != ASN_OK) {
275 gnutls_assert();
276 return _gnutls_asn2err(result);
277 }
278
279 result =
280 asn1_get_der(rasn, cert->data, cert->size);
281 if (result != ASN_OK) {
282 /* couldn't decode DER */
283
284 _gnutls_x509_log("X509_EXT: Decoding error %d\n", result);
285
286 gnutls_assert();
287 asn1_delete_structure(rasn);
288 return _gnutls_asn2err(result);
289 }
290
291 k = 0;
292 do {
293 k++;
294
295 _gnutls_str_cpy(name, sizeof(name), "certificate2.tbsCertificate.extensions");
296 _gnutls_str_cat(name, sizeof(name), ".?");
297 _gnutls_int2str(k, counter);
298 _gnutls_str_cat(name, sizeof(name), counter);
299
300 len = sizeof(str) - 1;
301 result = asn1_read_value(rasn, name, str, &len);
302
303 /* move to next
304 */
305
306 if (result == ASN_ELEMENT_NOT_FOUND) {
307 gnutls_assert();
308 break;
309 }
310
311 do {
312
313 _gnutls_str_cpy(name2, sizeof(name2), name);
314 _gnutls_str_cat(name2, sizeof(name2), ".extnID");
315
316 len = sizeof(extnID) - 1;
317 result =
318 asn1_read_value(rasn, name2, extnID, &len);
319
320 if (result == ASN_ELEMENT_NOT_FOUND) {
321 gnutls_assert();
322 break;
323 } else if (result != ASN_OK) {
324 gnutls_assert();
325 return _gnutls_asn2err(result);
326 }
327
328 _gnutls_str_cpy(name2, sizeof(name2), name);
329 _gnutls_str_cat(name2, sizeof(name2), ".critical");
330
331 len = sizeof(critical) - 1;
332 result =
333 asn1_read_value(rasn, name2, critical, &len);
334
335 if (result == ASN_ELEMENT_NOT_FOUND) {
336 gnutls_assert();
337 break;
338 } else if (result != ASN_OK) {
339 gnutls_assert();
340 asn1_delete_structure(rasn);
341 return _gnutls_asn2err(result);
342 }
343
344 _gnutls_str_cpy(name2, sizeof(name2), name);
345 _gnutls_str_cat(name2, sizeof(name2), ".extnValue");
346
347 len = sizeof(extnValue) - 1;
348 result =
349 asn1_read_value(rasn, name2, extnValue, &len);
350
351 if (result == ASN_ELEMENT_NOT_FOUND)
352 break;
353 else {
354 if (result == ASN_MEM_ERROR
355 && strcmp(critical, "FALSE") == 0) {
356
357 _gnutls_x509_log
358 ("X509_EXT: Cannot parse extension: %s. Too small buffer.",
359 extnID);
360
361 continue;
362 }
363 if (result != ASN_OK) {
364 gnutls_assert();
365 asn1_delete_structure(rasn);
366 return _gnutls_asn2err(result);
367 }
368 }
369
370 /* Handle Extension */
371 if ( strcmp(extnID, extension_id)==0) { /* extension was found */
372 asn1_delete_structure(rasn);
373 ret->data = gnutls_malloc( len);
374 if (ret->data==NULL)
375 return GNUTLS_E_MEMORY_ERROR;
376
377 ret->size = len;
378 memcpy( ret->data, extnValue, len);
379
380 return 0;
381 }
382
383
384 } while (0);
385 } while (1);
386
387 asn1_delete_structure(rasn);
388
389
390 if (result == ASN_ELEMENT_NOT_FOUND) {
391 gnutls_assert();
392 return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
393 } else {
394 gnutls_assert();
395 return _gnutls_asn2err(result);
396 }
397 }
Implementation of the SSL/TLS protocol