authorDmitry Eremin-Solenikov <dbaryshkov@gmail.com>2019-09-27 17:00:29 +0300
committerDmitry Eremin-Solenikov <dbaryshkov@gmail.com>2019-09-28 14:26:06 +0300
commitdbd928874873f400774f9b449bbbfac65e533448 (patch)
tree373c80e69136bd37209395aacb99d8517cc9358a
parent0bb87a8712d48a0e0c3cf97c7ca7830603b91176 (diff)
x509: add support for Russian extensions defined for qualified certificate
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
-rw-r--r--lib/gnutls.asn8
-rw-r--r--lib/gnutls_asn1_tab.c7
-rw-r--r--lib/x509/output.c100
-rw-r--r--tests/cert-tests/Makefile.am2
-rw-r--r--tests/cert-tests/data/grfc.crt88
-rwxr-xr-xtests/cert-tests/gost11
6 files changed, 214 insertions, 2 deletions
diff --git a/lib/gnutls.asn b/lib/gnutls.asn
index f4dacdefe7..209577b70c 100644
--- a/lib/gnutls.asn
+++ b/lib/gnutls.asn
@@ -131,4 +131,12 @@ GOSTParameters ::= SEQUENCE {
GOSTPrivateKey ::= OCTET STRING
GOSTPrivateKeyOld ::= INTEGER
+-- GOST x509 Extensions
+IssuerSignTool ::= SEQUENCE {
+ signTool UTF8String, -- (SIZE (1..200))
+ cATool UTF8String, -- (SIZE (1..200))
+ signToolCert UTF8String, -- (SIZE (1..100))
+ cAToolCert UTF8String -- (SIZE (1..100))
+}
+
END
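Review bot: The `(SIZE (1..200))` / `(SIZE (1..100))` bounds on the four IssuerSignTool fields are written as comments, so nothing in the schema enforces them and the decoder will accept a field of any length; presumably the bounds were commented out because the parser does not handle them, but the file does not say so. A short comment above the type, such as `-- SIZE constraints are informational only; lengths are not enforced by the decoder`, would stop a later reader from assuming the strings are bounded when consuming them.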
diff --git a/lib/gnutls_asn1_tab.c b/lib/gnutls_asn1_tab.c
index 06a6ecefa4..86d621eb66 100644
--- a/lib/gnutls_asn1_tab.c
+++ b/lib/gnutls_asn1_tab.c
@@ -94,6 +94,11 @@ const asn1_static_node gnutls_asn1_tab[] = {
{ "digestParamSet", 1073741836, NULL },
{ "encryptionParamSet", 16396, NULL },
{ "GOSTPrivateKey", 1073741831, NULL },
- { "GOSTPrivateKeyOld", 3, NULL },
+ { "GOSTPrivateKeyOld", 1073741827, NULL },
+ { "IssuerSignTool", 536870917, NULL },
+ { "signTool", 1073741858, NULL },
+ { "cATool", 1073741858, NULL },
+ { "signToolCert", 1073741858, NULL },
+ { "cAToolCert", 34, NULL },
{ NULL, 0, NULL }
};
diff --git a/lib/x509/output.c b/lib/x509/output.c
index 40ba77b7ea..78a0e5c5e8 100644
--- a/lib/x509/output.c
+++ b/lib/x509/output.c
@@ -870,6 +870,94 @@ cleanup:
gnutls_x509_tlsfeatures_deinit(features);
}
+static void print_subject_sign_tool(gnutls_buffer_st * str, const char *prefix, const gnutls_datum_t *der)
+{
+ int ret;
+ gnutls_datum_t tmp = {NULL, 0};
+
+ ret = _gnutls_x509_decode_string(ASN1_ETYPE_UTF8_STRING, der->data, der->size, &tmp, 0);
+ if (ret < 0) {
+ addf(str, _("%s\t\t\tASCII: "), prefix);
+ _gnutls_buffer_asciiprint(str, (char*)der->data, der->size);
+
+ addf(str, "\n");
+ addf(str, _("%s\t\t\tHexdump: "), prefix);
+ _gnutls_buffer_hexprint(str, (char*)der->data, der->size);
+ adds(str, "\n");
+
+ return;
+ }
+
+ addf(str, _("%s\t\t\t%.*s\n"), prefix, tmp.size, NON_NULL(tmp.data));
+ _gnutls_free_datum(&tmp);
+}
+
+static void print_issuer_sign_tool(gnutls_buffer_st * str, const char *prefix, const gnutls_datum_t *der)
+{
+ int ret, result;
+ ASN1_TYPE tmpasn = ASN1_TYPE_EMPTY;
+ char asn1_err[ASN1_MAX_ERROR_DESCRIPTION_SIZE] = "";
+ gnutls_datum_t tmp;
+
+ if ((result = asn1_create_element(_gnutls_get_gnutls_asn(), "GNUTLS.IssuerSignTool",
+ &tmpasn)) != ASN1_SUCCESS) {
+ gnutls_assert();
+ goto hexdump;
+ }
+
+ if ((result = _asn1_strict_der_decode(&tmpasn, der->data, der->size, asn1_err)) != ASN1_SUCCESS) {
+ gnutls_assert();
+ _gnutls_debug_log("_asn1_strict_der_decode: %s\n", asn1_err);
+ asn1_delete_structure(&tmpasn);
+ goto hexdump;
+ }
+
+ ret = _gnutls_x509_read_value(tmpasn, "signTool", &tmp);
+ if (ret < 0) {
+ gnutls_assert();
+ goto hexdump;
+ }
+ addf(str, _("%s\t\t\tSignTool: %.*s\n"), prefix, tmp.size, NON_NULL(tmp.data));
+ _gnutls_free_datum(&tmp);
+
+ ret = _gnutls_x509_read_value(tmpasn, "cATool", &tmp);
+ if (ret < 0) {
+ gnutls_assert();
+ goto hexdump;
+ }
+ addf(str, _("%s\t\t\tCATool: %.*s\n"), prefix, tmp.size, NON_NULL(tmp.data));
+ _gnutls_free_datum(&tmp);
+
+ ret = _gnutls_x509_read_value(tmpasn, "signToolCert", &tmp);
+ if (ret < 0) {
+ gnutls_assert();
+ goto hexdump;
+ }
+ addf(str, _("%s\t\t\tSignToolCert: %.*s\n"), prefix, tmp.size, NON_NULL(tmp.data));
+ _gnutls_free_datum(&tmp);
+
+ ret = _gnutls_x509_read_value(tmpasn, "cAToolCert", &tmp);
+ if (ret < 0) {
+ gnutls_assert();
+ goto hexdump;
+ }
+ addf(str, _("%s\t\t\tCAToolCert: %.*s\n"), prefix, tmp.size, NON_NULL(tmp.data));
+ _gnutls_free_datum(&tmp);
+
+ asn1_delete_structure(&tmpasn);
+
+ return;
+
+hexdump:
+ addf(str, _("%s\t\t\tASCII: "), prefix);
+ _gnutls_buffer_asciiprint(str, (char*)der->data, der->size);
+
+ addf(str, "\n");
+ addf(str, _("%s\t\t\tHexdump: "), prefix);
+ _gnutls_buffer_hexprint(str, (char*)der->data, der->size);
+ adds(str, "\n");
+}
+
struct ext_indexes_st {
int san;
int ian;
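Review bot: In print_issuer_sign_tool the `goto hexdump` taken when any of the four `_gnutls_x509_read_value` calls fails (the `signTool`, `cATool`, `signToolCert` and `cAToolCert` reads) leaves `tmpasn` allocated, because only the `_asn1_strict_der_decode` failure path calls `asn1_delete_structure` before jumping; a certificate with a malformed extension is exactly the input that reaches those branches, so the leak is triggerable by untrusted input. Making `asn1_delete_structure(&tmpasn);` the first statement under `hexdump:` and dropping the copy in the decode-failure branch closes every exit path in one place (as far as I recall libtasn1 tolerates an empty structure there, but please confirm). The ASCII/Hexdump fallback is also duplicated between print_subject_sign_tool's error branch and the `hexdump:` label; a small `static` helper taking `(str, prefix, der)` would keep the two in step. Neither function has a header comment; a one-liner such as `/* Print the subjectSignTool UTF8String, falling back to an ASCII/hex dump when the DER does not decode. */` (and the corresponding one for the IssuerSignTool SEQUENCE) would document the contract.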
@@ -1132,6 +1220,18 @@ static void print_extension(gnutls_buffer_st * str, const char *prefix,
print_tlsfeatures(str, prefix, der);
idx->tlsfeatures++;
+ } else if (strcmp(oid, "1.2.643.100.111") == 0) {
+ addf(str, _("%s\t\tSubject Signing Tool(%s):\n"),
+ prefix,
+ critical ? _("critical") : _("not critical"));
+
+ print_subject_sign_tool(str, prefix, der);
+ } else if (strcmp(oid, "1.2.643.100.112") == 0) {
+ addf(str, _("%s\t\tIssuer Signing Tool(%s):\n"),
+ prefix,
+ critical ? _("critical") : _("not critical"));
+
+ print_issuer_sign_tool(str, prefix, der);
} else {
addf(str, _("%s\t\tUnknown extension %s (%s):\n"),
prefix, oid,
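Review bot: The two new branches compare against the bare literals `"1.2.643.100.111"` and `"1.2.643.100.112"` with nothing in the code naming what they are; a reader has to find the commit message to learn these are the Russian qualified-certificate extensions. A comment on the first branch, `/* Russian qualified-certificate extensions: subjectSignTool (…111) and issuerSignTool (…112) */`, or named macros if the file already defines OID constants for other extensions, would make the dispatch self-describing. The body of print_extension starts and ends outside this hunk.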
diff --git a/tests/cert-tests/Makefile.am b/tests/cert-tests/Makefile.am
index c34b69c40a..319acec39c 100644
--- a/tests/cert-tests/Makefile.am
+++ b/tests/cert-tests/Makefile.am
@@ -97,7 +97,7 @@ EXTRA_DIST = data/ca-no-pathlen.pem data/no-ca-or-pathlen.pem data/aki-cert.pem
data/rfc4134-ca-rsa.pem data/rfc4134-4.5.p7b \
data/key-gost01.p8 data/key-gost01-2.p8 data/key-gost01-2-enc.p8 \
data/key-gost12-256.p8 data/key-gost12-256-2.p8 data/key-gost12-256-2-enc.p8 \
- data/key-gost12-512.p8
+ data/key-gost12-512.p8 data/grfc.crt
dist_check_SCRIPTS = pathlen aki invalid-sig email \
pkcs7 pkcs7-broken-sigs privkey-import name-constraints certtool-long-cn crl provable-privkey \
diff --git a/tests/cert-tests/data/grfc.crt b/tests/cert-tests/data/grfc.crt
new file mode 100644
index 0000000000..c7af541b5f
--- /dev/null
+++ b/tests/cert-tests/data/grfc.crt
@@ -0,0 +1,88 @@
+X.509 Certificate Information:
+ Version: 3
+ Serial Number (hex): 0c8c4093bbe693bd430bf51826031d05
+ Issuer: CN=УЦ ФГУП \"ГРЧЦ\",O=ФГУП \"ГРЧЦ\",L=Москва,ST=77 г. Москва,C=RU,EMAIL=pki-grfc@grfc.ru,street=Дербеневская наб. д. 7 стр. 15,INN=007706228218,OGRN=1027739334479
+ Validity:
+ Not Before: Tue Mar 12 07:38:26 UTC 2013
+ Not After: Sun Mar 12 07:46:00 UTC 2028
+ Subject: CN=УЦ ФГУП \"ГРЧЦ\",O=ФГУП \"ГРЧЦ\",L=Москва,ST=77 г. Москва,C=RU,EMAIL=pki-grfc@grfc.ru,street=Дербеневская наб. д. 7 стр. 15,INN=007706228218,OGRN=1027739334479
+ Subject Public Key Algorithm: GOST R 34.10-2001
+ Algorithm Security Level: High (256 bits)
+ Curve: CryptoPro-A
+ Digest: GOSTR341194
+ ParamSet: CryptoPro-A
+ X:
+ 3c:be:60:cc:c2:77:02:f6:ef:c0:fc:2c:71:69:99:61
+ c0:55:d0:b9:e8:27:1d:4b:7f:1f:98:90:27:b6:53:96
+ Y:
+ f5:df:19:10:28:26:33:cf:0c:ad:a4:f7:5c:e4:22:f0
+ 45:78:d6:de:78:3d:c2:bf:9c:c5:30:8a:63:34:ff:c8
+ Extensions:
+ Subject Signing Tool(not critical):
+ "КриптоПро CSP" (версия 3.6)
+ Issuer Signing Tool(not critical):
+ SignTool: "КриптоПро CSP" (версия 3.6)
+ CATool: "Удостоверяющий центр "КриптоПро УЦ" версии 1.5
+ SignToolCert: Сертификат соответствия № СФ/121-1859 от 17.06.2012
+ CAToolCert: Сертификат соответствия № СФ/128-1822 от 01.06.2012
+ Key Usage (not critical):
+ Digital signature.
+ Certificate signing.
+ CRL signing.
+ Basic Constraints (critical):
+ Certificate Authority (CA): TRUE
+ Subject Key Identifier (not critical):
+ 6b00868389d200cf56b86be4e336101e1f72aec3
+ Unknown extension 1.3.6.1.4.1.311.21.1 (not critical):
+ ASCII: ...
+ Hexdump: 020100
+ Certificate Policies (not critical):
+ 1.2.643.100.113.1
+ 1.2.643.100.113.2
+ 2.5.29.32.0
+ Signature Algorithm: GOSTR341001
+ Signature:
+ bd:95:dd:5f:3a:2b:74:a5:29:62:20:c2:24:a8:8b:a0
+ 13:1a:21:f5:4a:d6:2e:b1:3f:f5:50:e9:96:a0:a2:c9
+ 79:09:15:a2:41:c0:60:e1:1d:3f:25:8d:88:f4:4c:60
+ f3:0f:4e:e3:29:6e:b8:6e:01:b4:03:2c:07:8f:27:37
+Other Information:
+ Fingerprint:
+ sha1:c2040cc02f1d7e50abfdd1b597213579be2d0573
+ sha256:d9e6a4abdce8ac2ca7d394be7dce745e0565f0da1de382538ccc32b21a86d73c
+ Public Key ID:
+ sha1:6b00868389d200cf56b86be4e336101e1f72aec3
+ sha256:1e6b34a93b04a67bfb05270b3f26b9c945f095f24ab7fc2fe8ca4cce01a45682
+ Public Key PIN:
+ pin-sha256:Hms0qTsEpnv7BScLPya5yUXwlfJKt/wv6MpMzgGkVoI=
+
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/tests/cert-tests/gost b/tests/cert-tests/gost
index 80e6e142ec..28817af942 100755
--- a/tests/cert-tests/gost
+++ b/tests/cert-tests/gost
@@ -97,6 +97,17 @@ if [ $? != 0 ]; then
exit 1
fi
+"${CERTTOOL}" -i < "${srcdir}"/data/grfc.crt --outfile $TMPFILE
+if [ $? != 0 ]; then
+ cat $TMPFILE
+ exit 1
+fi
+
+if ! cmp "${srcdir}"/data/grfc.crt $TMPFILE ; then
+ cat $TMPFILE
+ exit 1
+fi
+
rm -f $VERIFYOUT $TMPUSER $TMPCA $TMPSUBCA $TMPTEMPL $TMPFILE
rm -f $TMPSUBCAKEY $TMPCAKEY $TMPKEY
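Review bot: The new block mixes two failure-check styles within eleven lines: the certtool invocation is checked with `if [ $? != 0 ]; then` while the comparison uses `if ! cmp …; then`; the second form is the clearer one and could be used for both, e.g. `if ! "${CERTTOOL}" -i < "${srcdir}"/data/grfc.crt --outfile $TMPFILE; then`. There is also no comment saying what this case covers, so a line such as `# print a certificate carrying the Russian subjectSignTool/issuerSignTool extensions and compare with the stored output` before the invocation would help the next person who sees it fail. On the mismatch branch, `cat $TMPFILE` alone makes the difference hard to spot; `diff -u "${srcdir}"/data/grfc.crt $TMPFILE` in place of the cat would show it directly.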