diff options
Diffstat (limited to 'lib/x509')
32 files changed, 23311 insertions, 24099 deletions
diff --git a/lib/x509/common.c b/lib/x509/common.c index ee8478dc99..53cae80c06 100644 --- a/lib/x509/common.c +++ b/lib/x509/common.c @@ -34,161 +34,172 @@ #include <c-ctype.h> static int -data2hex (const void * data, size_t data_size, - void * _out, size_t * sizeof_out); - -struct oid_to_string -{ - const char *oid; - const char *ldap_desc; - const char *asn_desc; /* description in the pkix file if complex type */ - unsigned int etype; /* the libtasn1 ASN1_ETYPE or INVALID - * if cannot be simply parsed */ +data2hex(const void *data, size_t data_size, + void *_out, size_t * sizeof_out); + +struct oid_to_string { + const char *oid; + const char *ldap_desc; + const char *asn_desc; /* description in the pkix file if complex type */ + unsigned int etype; /* the libtasn1 ASN1_ETYPE or INVALID + * if cannot be simply parsed */ }; /* This list contains all the OIDs that may be * contained in a rdnSequence and are printable. */ static const struct oid_to_string _oid2str[] = { - /* PKIX - */ - {"1.3.6.1.5.5.7.9.2", "placeOfBirth", "PKIX1.DirectoryString", ASN1_ETYPE_INVALID}, - {"1.3.6.1.5.5.7.9.3", "gender", NULL, ASN1_ETYPE_PRINTABLE_STRING}, - {"1.3.6.1.5.5.7.9.4", "countryOfCitizenship", NULL, ASN1_ETYPE_PRINTABLE_STRING}, - {"1.3.6.1.5.5.7.9.5", "countryOfResidence", NULL, ASN1_ETYPE_PRINTABLE_STRING}, - - {"2.5.4.6", "C", NULL, ASN1_ETYPE_PRINTABLE_STRING}, - {"2.5.4.9", "street", "PKIX1.DirectoryString", ASN1_ETYPE_INVALID}, - {"2.5.4.12", "title", "PKIX1.DirectoryString", ASN1_ETYPE_INVALID}, - {"2.5.4.10", "O", "PKIX1.DirectoryString", ASN1_ETYPE_INVALID}, - {"2.5.4.11", "OU", "PKIX1.DirectoryString", ASN1_ETYPE_INVALID}, - {"2.5.4.3", "CN", "PKIX1.DirectoryString", ASN1_ETYPE_INVALID}, - {"2.5.4.7", "L", "PKIX1.DirectoryString", ASN1_ETYPE_INVALID}, - {"2.5.4.8", "ST", "PKIX1.DirectoryString", ASN1_ETYPE_INVALID}, - {"2.5.4.13", "description", "PKIX1.DirectoryString", ASN1_ETYPE_INVALID}, - - {"2.5.4.5", "serialNumber", NULL, ASN1_ETYPE_PRINTABLE_STRING}, - {"2.5.4.20", "telephoneNumber", NULL, ASN1_ETYPE_PRINTABLE_STRING}, - {"2.5.4.4", "surName", "PKIX1.DirectoryString", ASN1_ETYPE_INVALID}, - {"2.5.4.43", "initials", "PKIX1.DirectoryString", ASN1_ETYPE_INVALID}, - {"2.5.4.44", "generationQualifier", "PKIX1.DirectoryString", ASN1_ETYPE_INVALID}, - {"2.5.4.42", "givenName", "PKIX1.DirectoryString", ASN1_ETYPE_INVALID}, - {"2.5.4.65", "pseudonym", "PKIX1.DirectoryString", ASN1_ETYPE_INVALID}, - {"2.5.4.46", "dnQualifier", NULL, ASN1_ETYPE_PRINTABLE_STRING}, - {"2.5.4.17", "postalCode", "PKIX1.DirectoryString", ASN1_ETYPE_INVALID}, - {"2.5.4.41", "name", "PKIX1.DirectoryString", ASN1_ETYPE_INVALID}, - {"2.5.4.15", "businessCategory", "PKIX1.DirectoryString", ASN1_ETYPE_INVALID}, - - {"0.9.2342.19200300.100.1.25", "DC", NULL, ASN1_ETYPE_IA5_STRING}, - {"0.9.2342.19200300.100.1.1", "UID", "PKIX1.DirectoryString", ASN1_ETYPE_INVALID}, - - /* Extended validation - */ - {"1.3.6.1.4.1.311.60.2.1.1", "jurisdictionOfIncorporationLocalityName", - "PKIX1.DirectoryString", ASN1_ETYPE_INVALID}, - {"1.3.6.1.4.1.311.60.2.1.2", - "jurisdictionOfIncorporationStateOrProvinceName", - "PKIX1.DirectoryString", ASN1_ETYPE_INVALID}, - {"1.3.6.1.4.1.311.60.2.1.3", "jurisdictionOfIncorporationCountryName", - NULL, ASN1_ETYPE_PRINTABLE_STRING}, - - /* PKCS #9 - */ - {"1.2.840.113549.1.9.1", "EMAIL", NULL, ASN1_ETYPE_IA5_STRING}, - {"1.2.840.113549.1.9.7", NULL, "PKIX1.pkcs-9-challengePassword", ASN1_ETYPE_INVALID}, - - /* friendly name */ - {"1.2.840.113549.1.9.20", NULL, NULL, ASN1_ETYPE_BMP_STRING}, - /* local key id */ - {"1.2.840.113549.1.9.21", NULL, NULL, ASN1_ETYPE_OCTET_STRING}, - - /* rfc3920 section 5.1.1 */ - {"1.3.6.1.5.5.7.8.5", "XmppAddr", NULL, ASN1_ETYPE_UTF8_STRING}, - - {NULL, NULL, NULL, 0} + /* PKIX + */ + {"1.3.6.1.5.5.7.9.2", "placeOfBirth", "PKIX1.DirectoryString", + ASN1_ETYPE_INVALID}, + {"1.3.6.1.5.5.7.9.3", "gender", NULL, ASN1_ETYPE_PRINTABLE_STRING}, + {"1.3.6.1.5.5.7.9.4", "countryOfCitizenship", NULL, + ASN1_ETYPE_PRINTABLE_STRING}, + {"1.3.6.1.5.5.7.9.5", "countryOfResidence", NULL, + ASN1_ETYPE_PRINTABLE_STRING}, + + {"2.5.4.6", "C", NULL, ASN1_ETYPE_PRINTABLE_STRING}, + {"2.5.4.9", "street", "PKIX1.DirectoryString", ASN1_ETYPE_INVALID}, + {"2.5.4.12", "title", "PKIX1.DirectoryString", ASN1_ETYPE_INVALID}, + {"2.5.4.10", "O", "PKIX1.DirectoryString", ASN1_ETYPE_INVALID}, + {"2.5.4.11", "OU", "PKIX1.DirectoryString", ASN1_ETYPE_INVALID}, + {"2.5.4.3", "CN", "PKIX1.DirectoryString", ASN1_ETYPE_INVALID}, + {"2.5.4.7", "L", "PKIX1.DirectoryString", ASN1_ETYPE_INVALID}, + {"2.5.4.8", "ST", "PKIX1.DirectoryString", ASN1_ETYPE_INVALID}, + {"2.5.4.13", "description", "PKIX1.DirectoryString", + ASN1_ETYPE_INVALID}, + + {"2.5.4.5", "serialNumber", NULL, ASN1_ETYPE_PRINTABLE_STRING}, + {"2.5.4.20", "telephoneNumber", NULL, ASN1_ETYPE_PRINTABLE_STRING}, + {"2.5.4.4", "surName", "PKIX1.DirectoryString", + ASN1_ETYPE_INVALID}, + {"2.5.4.43", "initials", "PKIX1.DirectoryString", + ASN1_ETYPE_INVALID}, + {"2.5.4.44", "generationQualifier", "PKIX1.DirectoryString", + ASN1_ETYPE_INVALID}, + {"2.5.4.42", "givenName", "PKIX1.DirectoryString", + ASN1_ETYPE_INVALID}, + {"2.5.4.65", "pseudonym", "PKIX1.DirectoryString", + ASN1_ETYPE_INVALID}, + {"2.5.4.46", "dnQualifier", NULL, ASN1_ETYPE_PRINTABLE_STRING}, + {"2.5.4.17", "postalCode", "PKIX1.DirectoryString", + ASN1_ETYPE_INVALID}, + {"2.5.4.41", "name", "PKIX1.DirectoryString", ASN1_ETYPE_INVALID}, + {"2.5.4.15", "businessCategory", "PKIX1.DirectoryString", + ASN1_ETYPE_INVALID}, + + {"0.9.2342.19200300.100.1.25", "DC", NULL, ASN1_ETYPE_IA5_STRING}, + {"0.9.2342.19200300.100.1.1", "UID", "PKIX1.DirectoryString", + ASN1_ETYPE_INVALID}, + + /* Extended validation + */ + {"1.3.6.1.4.1.311.60.2.1.1", + "jurisdictionOfIncorporationLocalityName", + "PKIX1.DirectoryString", ASN1_ETYPE_INVALID}, + {"1.3.6.1.4.1.311.60.2.1.2", + "jurisdictionOfIncorporationStateOrProvinceName", + "PKIX1.DirectoryString", ASN1_ETYPE_INVALID}, + {"1.3.6.1.4.1.311.60.2.1.3", + "jurisdictionOfIncorporationCountryName", + NULL, ASN1_ETYPE_PRINTABLE_STRING}, + + /* PKCS #9 + */ + {"1.2.840.113549.1.9.1", "EMAIL", NULL, ASN1_ETYPE_IA5_STRING}, + {"1.2.840.113549.1.9.7", NULL, "PKIX1.pkcs-9-challengePassword", + ASN1_ETYPE_INVALID}, + + /* friendly name */ + {"1.2.840.113549.1.9.20", NULL, NULL, ASN1_ETYPE_BMP_STRING}, + /* local key id */ + {"1.2.840.113549.1.9.21", NULL, NULL, ASN1_ETYPE_OCTET_STRING}, + + /* rfc3920 section 5.1.1 */ + {"1.3.6.1.5.5.7.8.5", "XmppAddr", NULL, ASN1_ETYPE_UTF8_STRING}, + + {NULL, NULL, NULL, 0} }; -static const struct oid_to_string* get_oid_entry (const char* oid) +static const struct oid_to_string *get_oid_entry(const char *oid) { - unsigned int i = 0; + unsigned int i = 0; - do - { - if (strcmp (_oid2str[i].oid, oid) == 0) - return &_oid2str[i]; - i++; - } - while (_oid2str[i].oid != NULL); + do { + if (strcmp(_oid2str[i].oid, oid) == 0) + return &_oid2str[i]; + i++; + } + while (_oid2str[i].oid != NULL); - return NULL; + return NULL; } -const char* _gnutls_ldap_string_to_oid (const char* str, unsigned str_len) +const char *_gnutls_ldap_string_to_oid(const char *str, unsigned str_len) { - unsigned int i = 0; - - do - { - if ((_oid2str[i].ldap_desc != NULL) && - (str_len == strlen(_oid2str[i].ldap_desc)) && - (strncasecmp (_oid2str[i].ldap_desc, str, str_len) == 0)) - return _oid2str[i].oid; - i++; - } - while (_oid2str[i].oid != NULL); - - return NULL; + unsigned int i = 0; + + do { + if ((_oid2str[i].ldap_desc != NULL) && + (str_len == strlen(_oid2str[i].ldap_desc)) && + (strncasecmp(_oid2str[i].ldap_desc, str, str_len) == + 0)) + return _oid2str[i].oid; + i++; + } + while (_oid2str[i].oid != NULL); + + return NULL; } /* Escapes a string following the rules from RFC4514. */ -static int -str_escape (const gnutls_datum_t* str, gnutls_datum_t * escaped) +static int str_escape(const gnutls_datum_t * str, gnutls_datum_t * escaped) { - unsigned int j, i; - uint8_t *buffer = NULL; - int ret; - - if (str == NULL) - return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); - - /* the string will be at most twice the original */ - buffer = gnutls_malloc(str->size*2+2); - if (buffer == NULL) - return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); - - for (i = j = 0; i < str->size; i++) - { - if (str->data[i] == 0) - { - /* this is handled earlier */ - ret = gnutls_assert_val(GNUTLS_E_ASN1_DER_ERROR); - goto cleanup; - } - - if (str->data[i] == ',' || str->data[i] == '+' || str->data[i] == '"' - || str->data[i] == '\\' || str->data[i] == '<' || str->data[i] == '>' - || str->data[i] == ';' || str->data[i] == 0) - buffer[j++] = '\\'; - else if (i==0 && str->data[i] == '#') - buffer[j++] = '\\'; - else if (i==0 && str->data[i] == ' ') - buffer[j++] = '\\'; - else if (i==(str->size-1) && str->data[i] == ' ') - buffer[j++] = '\\'; - - buffer[j++] = str->data[i]; - } - - /* null terminate the string */ - buffer[j] = 0; - escaped->data = buffer; - escaped->size = j; - - return 0; -cleanup: - gnutls_free(buffer); - return ret; + unsigned int j, i; + uint8_t *buffer = NULL; + int ret; + + if (str == NULL) + return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); + + /* the string will be at most twice the original */ + buffer = gnutls_malloc(str->size * 2 + 2); + if (buffer == NULL) + return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); + + for (i = j = 0; i < str->size; i++) { + if (str->data[i] == 0) { + /* this is handled earlier */ + ret = gnutls_assert_val(GNUTLS_E_ASN1_DER_ERROR); + goto cleanup; + } + + if (str->data[i] == ',' || str->data[i] == '+' + || str->data[i] == '"' || str->data[i] == '\\' + || str->data[i] == '<' || str->data[i] == '>' + || str->data[i] == ';' || str->data[i] == 0) + buffer[j++] = '\\'; + else if (i == 0 && str->data[i] == '#') + buffer[j++] = '\\'; + else if (i == 0 && str->data[i] == ' ') + buffer[j++] = '\\'; + else if (i == (str->size - 1) && str->data[i] == ' ') + buffer[j++] = '\\'; + + buffer[j++] = str->data[i]; + } + + /* null terminate the string */ + buffer[j] = 0; + escaped->data = buffer; + escaped->size = j; + + return 0; + cleanup: + gnutls_free(buffer); + return ret; } /** @@ -205,20 +216,18 @@ cleanup: * * Returns: 1 on known OIDs and 0 otherwise. **/ -int -gnutls_x509_dn_oid_known (const char *oid) +int gnutls_x509_dn_oid_known(const char *oid) { - unsigned int i = 0; + unsigned int i = 0; - do - { - if (strcmp (_oid2str[i].oid, oid) == 0) - return 1; - i++; - } - while (_oid2str[i].oid != NULL); + do { + if (strcmp(_oid2str[i].oid, oid) == 0) + return 1; + i++; + } + while (_oid2str[i].oid != NULL); - return 0; + return 0; } /** @@ -235,182 +244,169 @@ gnutls_x509_dn_oid_known (const char *oid) * * Since: 3.0 **/ -const char* -gnutls_x509_dn_oid_name (const char *oid, unsigned int flags) +const char *gnutls_x509_dn_oid_name(const char *oid, unsigned int flags) { - unsigned int i = 0; - - do - { - if (strcmp (_oid2str[i].oid, oid) == 0) - return _oid2str[i].ldap_desc; - i++; - } - while (_oid2str[i].oid != NULL); - - if (flags & GNUTLS_X509_DN_OID_RETURN_OID) return oid; - else return NULL; + unsigned int i = 0; + + do { + if (strcmp(_oid2str[i].oid, oid) == 0) + return _oid2str[i].ldap_desc; + i++; + } + while (_oid2str[i].oid != NULL); + + if (flags & GNUTLS_X509_DN_OID_RETURN_OID) + return oid; + else + return NULL; } static int -make_printable_string(unsigned etype, const gnutls_datum_t *input, gnutls_datum_t *out) +make_printable_string(unsigned etype, const gnutls_datum_t * input, + gnutls_datum_t * out) { -int printable = 0; -int ret; -unsigned int i; -size_t size; - - if (etype == ASN1_ETYPE_BMP_STRING) - { - ret = _gnutls_ucs2_to_utf8(input->data, input->size, out); - if (ret < 0) - { - /* could not convert. Handle it as non-printable */ - printable = 0; - } - else - printable = 1; - } - else if (etype == ASN1_ETYPE_TELETEX_STRING) - { - int ascii = 0; - /* HACK: if the teletex string contains only ascii - * characters then treat it as printable. - */ - for (i = 0; i < input->size; i++) - if (!c_isascii (input->data[i])) - ascii = 1; - - if (ascii == 0) - { - out->data = gnutls_malloc(input->size+1); - if (out->data == NULL) - return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); - - memcpy(out->data, input->data, input->size); - out->size = input->size; - - out->data[out->size] = 0; - - printable = 1; - } - } - else if (etype != ASN1_ETYPE_UNIVERSAL_STRING) /* supported but not printable */ - return GNUTLS_E_INVALID_REQUEST; - - if (printable == 0) - { /* need to allocate out */ - out->size = input->size*2+2; - out->data = gnutls_malloc(out->size); - if (out->data == NULL) - return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); - - size = out->size; - ret = data2hex (input->data, input->size, out->data, &size); - if (ret < 0) - { - gnutls_assert(); - goto cleanup; - } - out->size = size; - } - - return 0; - -cleanup: - _gnutls_free_datum(out); - return ret; + int printable = 0; + int ret; + unsigned int i; + size_t size; + + if (etype == ASN1_ETYPE_BMP_STRING) { + ret = _gnutls_ucs2_to_utf8(input->data, input->size, out); + if (ret < 0) { + /* could not convert. Handle it as non-printable */ + printable = 0; + } else + printable = 1; + } else if (etype == ASN1_ETYPE_TELETEX_STRING) { + int ascii = 0; + /* HACK: if the teletex string contains only ascii + * characters then treat it as printable. + */ + for (i = 0; i < input->size; i++) + if (!c_isascii(input->data[i])) + ascii = 1; + + if (ascii == 0) { + out->data = gnutls_malloc(input->size + 1); + if (out->data == NULL) + return + gnutls_assert_val + (GNUTLS_E_MEMORY_ERROR); + + memcpy(out->data, input->data, input->size); + out->size = input->size; + + out->data[out->size] = 0; + + printable = 1; + } + } else if (etype != ASN1_ETYPE_UNIVERSAL_STRING) /* supported but not printable */ + return GNUTLS_E_INVALID_REQUEST; + + if (printable == 0) { /* need to allocate out */ + out->size = input->size * 2 + 2; + out->data = gnutls_malloc(out->size); + if (out->data == NULL) + return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); + + size = out->size; + ret = data2hex(input->data, input->size, out->data, &size); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + out->size = size; + } + + return 0; + + cleanup: + _gnutls_free_datum(out); + return ret; } static int -decode_complex_string (const struct oid_to_string* oentry, void *value, - int value_size, gnutls_datum_t* out) +decode_complex_string(const struct oid_to_string *oentry, void *value, + int value_size, gnutls_datum_t * out) { - char str[MAX_STRING_LEN], tmpname[128]; - int len = -1, result; - ASN1_TYPE tmpasn = ASN1_TYPE_EMPTY; - char asn1_err[ASN1_MAX_ERROR_DESCRIPTION_SIZE] = ""; - unsigned int etype; - gnutls_datum_t td; - - if (oentry->asn_desc == NULL) - { - gnutls_assert (); - return GNUTLS_E_INTERNAL_ERROR; - } - - if ((result = - asn1_create_element (_gnutls_get_pkix (), oentry->asn_desc, - &tmpasn)) != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - if ((result = - asn1_der_decoding (&tmpasn, value, value_size, - asn1_err)) != ASN1_SUCCESS) - { - gnutls_assert (); - _gnutls_debug_log ("asn1_der_decoding: %s\n", asn1_err); - asn1_delete_structure (&tmpasn); - return _gnutls_asn2err (result); - } - - /* Read the type of choice. - */ - len = sizeof (str) - 1; - if ((result = asn1_read_value (tmpasn, "", str, &len)) != ASN1_SUCCESS) - { /* CHOICE */ - gnutls_assert (); - asn1_delete_structure (&tmpasn); - return _gnutls_asn2err (result); - } - - str[len] = 0; - - /* We set the etype on the strings that may need - * some conversion to UTF-8. The INVALID flag indicates - * no conversion needed */ - if (strcmp (str, "teletexString") == 0) - etype = ASN1_ETYPE_TELETEX_STRING; - else if (strcmp (str, "bmpString") == 0) - etype = ASN1_ETYPE_BMP_STRING; - else if (strcmp (str, "universalString") == 0) - etype = ASN1_ETYPE_UNIVERSAL_STRING; - else etype = ASN1_ETYPE_INVALID; - - _gnutls_str_cpy (tmpname, sizeof (tmpname), str); - - result = _gnutls_x509_read_value(tmpasn, tmpname, &td); - asn1_delete_structure (&tmpasn); - if (result < 0) - return gnutls_assert_val(result); - - if (etype != ASN1_ETYPE_INVALID) - { - result = make_printable_string(etype, &td, out); - - _gnutls_free_datum(&td); - - if (result < 0) - return gnutls_assert_val(result); - } - else - { - out->data = td.data; - out->size = td.size; - out->data[out->size] = 0; - } - - /* Refuse to deal with strings containing NULs. */ - if (strlen ((void*)out->data) != (size_t)out->size) - { - _gnutls_free_datum(out); - return gnutls_assert_val(GNUTLS_E_ASN1_DER_ERROR); - } - - return 0; + char str[MAX_STRING_LEN], tmpname[128]; + int len = -1, result; + ASN1_TYPE tmpasn = ASN1_TYPE_EMPTY; + char asn1_err[ASN1_MAX_ERROR_DESCRIPTION_SIZE] = ""; + unsigned int etype; + gnutls_datum_t td; + + if (oentry->asn_desc == NULL) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + + if ((result = + asn1_create_element(_gnutls_get_pkix(), oentry->asn_desc, + &tmpasn)) != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + if ((result = + asn1_der_decoding(&tmpasn, value, value_size, + asn1_err)) != ASN1_SUCCESS) { + gnutls_assert(); + _gnutls_debug_log("asn1_der_decoding: %s\n", asn1_err); + asn1_delete_structure(&tmpasn); + return _gnutls_asn2err(result); + } + + /* Read the type of choice. + */ + len = sizeof(str) - 1; + if ((result = asn1_read_value(tmpasn, "", str, &len)) != ASN1_SUCCESS) { /* CHOICE */ + gnutls_assert(); + asn1_delete_structure(&tmpasn); + return _gnutls_asn2err(result); + } + + str[len] = 0; + + /* We set the etype on the strings that may need + * some conversion to UTF-8. The INVALID flag indicates + * no conversion needed */ + if (strcmp(str, "teletexString") == 0) + etype = ASN1_ETYPE_TELETEX_STRING; + else if (strcmp(str, "bmpString") == 0) + etype = ASN1_ETYPE_BMP_STRING; + else if (strcmp(str, "universalString") == 0) + etype = ASN1_ETYPE_UNIVERSAL_STRING; + else + etype = ASN1_ETYPE_INVALID; + + _gnutls_str_cpy(tmpname, sizeof(tmpname), str); + + result = _gnutls_x509_read_value(tmpasn, tmpname, &td); + asn1_delete_structure(&tmpasn); + if (result < 0) + return gnutls_assert_val(result); + + if (etype != ASN1_ETYPE_INVALID) { + result = make_printable_string(etype, &td, out); + + _gnutls_free_datum(&td); + + if (result < 0) + return gnutls_assert_val(result); + } else { + out->data = td.data; + out->size = td.size; + out->data[out->size] = 0; + } + + /* Refuse to deal with strings containing NULs. */ + if (strlen((void *) out->data) != (size_t) out->size) { + _gnutls_free_datum(out); + return gnutls_assert_val(GNUTLS_E_ASN1_DER_ERROR); + } + + return 0; } @@ -421,105 +417,99 @@ decode_complex_string (const struct oid_to_string* oentry, void *value, * hold the string. */ int -_gnutls_x509_dn_to_string (const char *oid, void *value, - int value_size, gnutls_datum_t *str) +_gnutls_x509_dn_to_string(const char *oid, void *value, + int value_size, gnutls_datum_t * str) { - const struct oid_to_string* oentry; - int ret; - gnutls_datum_t tmp; - size_t size; - - if (value == NULL || value_size <= 0) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - oentry = get_oid_entry(oid); - if (oentry == NULL) - { /* unknown OID -> hex */ - str->size = value_size*2+2; - str->data = gnutls_malloc(str->size); - if (str->data == NULL) - return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); - - size = str->size; - ret = data2hex (value, value_size, str->data, &size); - if (ret < 0) - { - gnutls_assert(); - gnutls_free(str->data); - return ret; - } - str->size = size; - return 0; - } - - if (oentry->asn_desc != NULL) - { /* complex */ - ret = decode_complex_string(oentry, value, value_size, &tmp); - if (ret < 0) - return gnutls_assert_val(ret); - } - else - { - ret = _gnutls_x509_decode_string(oentry->etype, value, value_size, - &tmp); - if (ret < 0) - return gnutls_assert_val(ret); - } - - ret = str_escape(&tmp, str); - _gnutls_free_datum (&tmp); - - if (ret < 0) - return gnutls_assert_val(ret); - - return 0; + const struct oid_to_string *oentry; + int ret; + gnutls_datum_t tmp; + size_t size; + + if (value == NULL || value_size <= 0) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + oentry = get_oid_entry(oid); + if (oentry == NULL) { /* unknown OID -> hex */ + str->size = value_size * 2 + 2; + str->data = gnutls_malloc(str->size); + if (str->data == NULL) + return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); + + size = str->size; + ret = data2hex(value, value_size, str->data, &size); + if (ret < 0) { + gnutls_assert(); + gnutls_free(str->data); + return ret; + } + str->size = size; + return 0; + } + + if (oentry->asn_desc != NULL) { /* complex */ + ret = + decode_complex_string(oentry, value, value_size, &tmp); + if (ret < 0) + return gnutls_assert_val(ret); + } else { + ret = + _gnutls_x509_decode_string(oentry->etype, value, + value_size, &tmp); + if (ret < 0) + return gnutls_assert_val(ret); + } + + ret = str_escape(&tmp, str); + _gnutls_free_datum(&tmp); + + if (ret < 0) + return gnutls_assert_val(ret); + + return 0; } /* Converts a data string to an LDAP rfc2253 hex string * something like '#01020304' */ static int -data2hex (const void * data, size_t data_size, - void * _out, size_t * sizeof_out) +data2hex(const void *data, size_t data_size, + void *_out, size_t * sizeof_out) { - char *res; - char escaped[MAX_STRING_LEN]; - unsigned int size, res_size; - char* out = _out; - - if (2 * data_size + 1 > MAX_STRING_LEN) - { - gnutls_assert (); - return GNUTLS_E_INTERNAL_ERROR; - } - - res = _gnutls_bin2hex (data, data_size, escaped, sizeof (escaped), NULL); - if (!res) - { - gnutls_assert (); - return GNUTLS_E_INTERNAL_ERROR; - } - - res_size = strlen(res); - size = res_size + 1; /* +1 for the '#' */ - if (size + 1 > *sizeof_out) - { - *sizeof_out = size + 1; - return GNUTLS_E_SHORT_MEMORY_BUFFER; - } - *sizeof_out = size; /* -1 for the null +1 for the '#' */ - - if (out) - { - out[0] = '#'; - memcpy(&out[1], res, res_size); - out[size] = 0; - } - - return 0; + char *res; + char escaped[MAX_STRING_LEN]; + unsigned int size, res_size; + char *out = _out; + + if (2 * data_size + 1 > MAX_STRING_LEN) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + + res = + _gnutls_bin2hex(data, data_size, escaped, sizeof(escaped), + NULL); + if (!res) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + + res_size = strlen(res); + size = res_size + 1; /* +1 for the '#' */ + if (size + 1 > *sizeof_out) { + *sizeof_out = size + 1; + return GNUTLS_E_SHORT_MEMORY_BUFFER; + } + *sizeof_out = size; /* -1 for the null +1 for the '#' */ + + if (out) { + out[0] = '#'; + memcpy(&out[1], res, res_size); + out[size] = 0; + } + + return 0; } @@ -532,14 +522,13 @@ data2hex (const void * data, size_t data_size, * Since we do not use libc's functions, we don't need to * depend on the libc structure. */ -typedef struct fake_tm -{ - int tm_mon; - int tm_year; /* FULL year - ie 1971 */ - int tm_mday; - int tm_hour; - int tm_min; - int tm_sec; +typedef struct fake_tm { + int tm_mon; + int tm_year; /* FULL year - ie 1971 */ + int tm_mday; + int tm_hour; + int tm_min; + int tm_sec; } fake_tm; /* The mktime_utc function is due to Russ Allbery (rra@stanford.edu), @@ -549,7 +538,7 @@ typedef struct fake_tm /* The number of days in each month. */ static const int MONTHDAYS[] = { - 31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31 + 31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31 }; /* Whether a given year is a leap year. */ @@ -562,32 +551,31 @@ static const int MONTHDAYS[] = { ** convertable. Note that this function does not canonicalize the provided ** struct tm, nor does it allow out of range values or years before 1970. */ -static time_t -mktime_utc (const struct fake_tm *tm) +static time_t mktime_utc(const struct fake_tm *tm) { - time_t result = 0; - int i; + time_t result = 0; + int i; /* We do allow some ill-formed dates, but we don't do anything special * with them and our callers really shouldn't pass them to us. Do * explicitly disallow the ones that would cause invalid array accesses * or other algorithm problems. */ - if (tm->tm_mon < 0 || tm->tm_mon > 11 || tm->tm_year < 1970) - return (time_t) - 1; + if (tm->tm_mon < 0 || tm->tm_mon > 11 || tm->tm_year < 1970) + return (time_t) - 1; /* Convert to a time_t. */ - for (i = 1970; i < tm->tm_year; i++) - result += 365 + ISLEAP (i); - for (i = 0; i < tm->tm_mon; i++) - result += MONTHDAYS[i]; - if (tm->tm_mon > 1 && ISLEAP (tm->tm_year)) - result++; - result = 24 * (result + tm->tm_mday - 1) + tm->tm_hour; - result = 60 * result + tm->tm_min; - result = 60 * result + tm->tm_sec; - return result; + for (i = 1970; i < tm->tm_year; i++) + result += 365 + ISLEAP(i); + for (i = 0; i < tm->tm_mon; i++) + result += MONTHDAYS[i]; + if (tm->tm_mon > 1 && ISLEAP(tm->tm_year)) + result++; + result = 24 * (result + tm->tm_mday - 1) + tm->tm_hour; + result = 60 * result + tm->tm_min; + result = 60 * result + tm->tm_sec; + return result; } @@ -595,64 +583,60 @@ mktime_utc (const struct fake_tm *tm) * month|day|hour|minute|sec* (2 chars each) * and year is given. Returns a time_t date. */ -static time_t -time2gtime (const char *ttime, int year) +static time_t time2gtime(const char *ttime, int year) { - char xx[4]; - struct fake_tm etime; + char xx[4]; + struct fake_tm etime; - if (strlen (ttime) < 8) - { - gnutls_assert (); - return (time_t) - 1; - } + if (strlen(ttime) < 8) { + gnutls_assert(); + return (time_t) - 1; + } - etime.tm_year = year; + etime.tm_year = year; - /* In order to work with 32 bit - * time_t. - */ - if (sizeof (time_t) <= 4 && etime.tm_year >= 2038) - return (time_t) 2145914603; /* 2037-12-31 23:23:23 */ + /* In order to work with 32 bit + * time_t. + */ + if (sizeof(time_t) <= 4 && etime.tm_year >= 2038) + return (time_t) 2145914603; /* 2037-12-31 23:23:23 */ - if (etime.tm_year < 1970) - return (time_t) 0; + if (etime.tm_year < 1970) + return (time_t) 0; - xx[2] = 0; + xx[2] = 0; /* get the month */ - memcpy (xx, ttime, 2); /* month */ - etime.tm_mon = atoi (xx) - 1; - ttime += 2; + memcpy(xx, ttime, 2); /* month */ + etime.tm_mon = atoi(xx) - 1; + ttime += 2; /* get the day */ - memcpy (xx, ttime, 2); /* day */ - etime.tm_mday = atoi (xx); - ttime += 2; + memcpy(xx, ttime, 2); /* day */ + etime.tm_mday = atoi(xx); + ttime += 2; /* get the hour */ - memcpy (xx, ttime, 2); /* hour */ - etime.tm_hour = atoi (xx); - ttime += 2; + memcpy(xx, ttime, 2); /* hour */ + etime.tm_hour = atoi(xx); + ttime += 2; /* get the minutes */ - memcpy (xx, ttime, 2); /* minutes */ - etime.tm_min = atoi (xx); - ttime += 2; - - if (strlen (ttime) >= 2) - { - memcpy (xx, ttime, 2); - etime.tm_sec = atoi (xx); - } - else - etime.tm_sec = 0; - - return mktime_utc (&etime); + memcpy(xx, ttime, 2); /* minutes */ + etime.tm_min = atoi(xx); + ttime += 2; + + if (strlen(ttime) >= 2) { + memcpy(xx, ttime, 2); + etime.tm_sec = atoi(xx); + } else + etime.tm_sec = 0; + + return mktime_utc(&etime); } @@ -662,87 +646,80 @@ time2gtime (const char *ttime, int year) * * (seconds are optional) */ -static time_t -utcTime2gtime (const char *ttime) +static time_t utcTime2gtime(const char *ttime) { - char xx[3]; - int year; - - if (strlen (ttime) < 10) - { - gnutls_assert (); - return (time_t) - 1; - } - xx[2] = 0; + char xx[3]; + int year; + + if (strlen(ttime) < 10) { + gnutls_assert(); + return (time_t) - 1; + } + xx[2] = 0; /* get the year */ - memcpy (xx, ttime, 2); /* year */ - year = atoi (xx); - ttime += 2; + memcpy(xx, ttime, 2); /* year */ + year = atoi(xx); + ttime += 2; - if (year > 49) - year += 1900; - else - year += 2000; + if (year > 49) + year += 1900; + else + year += 2000; - return time2gtime (ttime, year); + return time2gtime(ttime, year); } /* returns a time_t value that contains the given time. * The given time is expressed as: * YEAR(4)|MONTH(2)|DAY(2)|HOUR(2)|MIN(2)|SEC(2)* */ -time_t -_gnutls_x509_generalTime2gtime (const char *ttime) +time_t _gnutls_x509_generalTime2gtime(const char *ttime) { - char xx[5]; - int year; - - if (strlen (ttime) < 12) - { - gnutls_assert (); - return (time_t) - 1; - } - - if (strchr (ttime, 'Z') == 0) - { - gnutls_assert (); - /* sorry we don't support it yet - */ - return (time_t) - 1; - } - xx[4] = 0; + char xx[5]; + int year; + + if (strlen(ttime) < 12) { + gnutls_assert(); + return (time_t) - 1; + } + + if (strchr(ttime, 'Z') == 0) { + gnutls_assert(); + /* sorry we don't support it yet + */ + return (time_t) - 1; + } + xx[4] = 0; /* get the year */ - memcpy (xx, ttime, 4); /* year */ - year = atoi (xx); - ttime += 4; + memcpy(xx, ttime, 4); /* year */ + year = atoi(xx); + ttime += 4; - return time2gtime (ttime, year); + return time2gtime(ttime, year); } static int -gtime2generalTime (time_t gtime, char *str_time, size_t str_time_size) +gtime2generalTime(time_t gtime, char *str_time, size_t str_time_size) { - size_t ret; - struct tm _tm; + size_t ret; + struct tm _tm; - if (!gmtime_r (>ime, &_tm)) - { - gnutls_assert (); - return GNUTLS_E_INTERNAL_ERROR; - } + if (!gmtime_r(>ime, &_tm)) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } - ret = strftime (str_time, str_time_size, "%Y%m%d%H%M%SZ", &_tm); - if (!ret) - { - gnutls_assert (); - return GNUTLS_E_SHORT_MEMORY_BUFFER; - } + ret = strftime(str_time, str_time_size, "%Y%m%d%H%M%SZ", &_tm); + if (!ret) { + gnutls_assert(); + return GNUTLS_E_SHORT_MEMORY_BUFFER; + } - return 0; + return 0; } @@ -750,212 +727,199 @@ gtime2generalTime (time_t gtime, char *str_time, size_t str_time_size) * be something like "tbsCertList.thisUpdate". */ #define MAX_TIME 64 -time_t -_gnutls_x509_get_time (ASN1_TYPE c2, const char *when, int nochoice) +time_t _gnutls_x509_get_time(ASN1_TYPE c2, const char *when, int nochoice) { - char ttime[MAX_TIME]; - char name[128]; - time_t c_time = (time_t) - 1; - int len, result; - - len = sizeof (ttime) - 1; - result = asn1_read_value (c2, when, ttime, &len); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - return (time_t) (-1); - } - - if (nochoice != 0) - { - c_time = _gnutls_x509_generalTime2gtime (ttime); - } - else - { - _gnutls_str_cpy (name, sizeof (name), when); - - /* choice */ - if (strcmp (ttime, "generalTime") == 0) - { - _gnutls_str_cat (name, sizeof (name), ".generalTime"); - len = sizeof (ttime) - 1; - result = asn1_read_value (c2, name, ttime, &len); - if (result == ASN1_SUCCESS) - c_time = _gnutls_x509_generalTime2gtime (ttime); - } - else - { /* UTCTIME */ - _gnutls_str_cat (name, sizeof (name), ".utcTime"); - len = sizeof (ttime) - 1; - result = asn1_read_value (c2, name, ttime, &len); - if (result == ASN1_SUCCESS) - c_time = utcTime2gtime (ttime); - } - - /* We cannot handle dates after 2031 in 32 bit machines. - * a time_t of 64bits has to be used. - */ - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - return (time_t) (-1); - } - } - - return c_time; + char ttime[MAX_TIME]; + char name[128]; + time_t c_time = (time_t) - 1; + int len, result; + + len = sizeof(ttime) - 1; + result = asn1_read_value(c2, when, ttime, &len); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return (time_t) (-1); + } + + if (nochoice != 0) { + c_time = _gnutls_x509_generalTime2gtime(ttime); + } else { + _gnutls_str_cpy(name, sizeof(name), when); + + /* choice */ + if (strcmp(ttime, "generalTime") == 0) { + _gnutls_str_cat(name, sizeof(name), + ".generalTime"); + len = sizeof(ttime) - 1; + result = asn1_read_value(c2, name, ttime, &len); + if (result == ASN1_SUCCESS) + c_time = + _gnutls_x509_generalTime2gtime(ttime); + } else { /* UTCTIME */ + _gnutls_str_cat(name, sizeof(name), ".utcTime"); + len = sizeof(ttime) - 1; + result = asn1_read_value(c2, name, ttime, &len); + if (result == ASN1_SUCCESS) + c_time = utcTime2gtime(ttime); + } + + /* We cannot handle dates after 2031 in 32 bit machines. + * a time_t of 64bits has to be used. + */ + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return (time_t) (-1); + } + } + + return c_time; } /* Sets the time in time_t in the ASN1_TYPE given. Where should * be something like "tbsCertList.thisUpdate". */ int -_gnutls_x509_set_time (ASN1_TYPE c2, const char *where, time_t tim, int nochoice) +_gnutls_x509_set_time(ASN1_TYPE c2, const char *where, time_t tim, + int nochoice) { - char str_time[MAX_TIME]; - char name[128]; - int result, len; - - if (nochoice != 0) - { - result = gtime2generalTime( tim, str_time, sizeof(str_time)); - if (result < 0) - return gnutls_assert_val(result); - - len = strlen (str_time); - result = asn1_write_value(c2, where, str_time, len); - if (result != ASN1_SUCCESS) - return gnutls_assert_val(_gnutls_asn2err (result)); - - return 0; - } - - _gnutls_str_cpy (name, sizeof (name), where); - - if ((result = asn1_write_value (c2, name, "generalTime", 1)) < 0) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - result = gtime2generalTime (tim, str_time, sizeof (str_time)); - if (result < 0) - { - gnutls_assert (); - return result; - } - - _gnutls_str_cat (name, sizeof (name), ".generalTime"); - - len = strlen (str_time); - result = asn1_write_value (c2, name, str_time, len); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - return 0; + char str_time[MAX_TIME]; + char name[128]; + int result, len; + + if (nochoice != 0) { + result = + gtime2generalTime(tim, str_time, sizeof(str_time)); + if (result < 0) + return gnutls_assert_val(result); + + len = strlen(str_time); + result = asn1_write_value(c2, where, str_time, len); + if (result != ASN1_SUCCESS) + return gnutls_assert_val(_gnutls_asn2err(result)); + + return 0; + } + + _gnutls_str_cpy(name, sizeof(name), where); + + if ((result = asn1_write_value(c2, name, "generalTime", 1)) < 0) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + result = gtime2generalTime(tim, str_time, sizeof(str_time)); + if (result < 0) { + gnutls_assert(); + return result; + } + + _gnutls_str_cat(name, sizeof(name), ".generalTime"); + + len = strlen(str_time); + result = asn1_write_value(c2, name, str_time, len); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + return 0; } -gnutls_x509_subject_alt_name_t -_gnutls_x509_san_find_type (char *str_type) +gnutls_x509_subject_alt_name_t _gnutls_x509_san_find_type(char *str_type) { - if (strcmp (str_type, "dNSName") == 0) - return GNUTLS_SAN_DNSNAME; - if (strcmp (str_type, "rfc822Name") == 0) - return GNUTLS_SAN_RFC822NAME; - if (strcmp (str_type, "uniformResourceIdentifier") == 0) - return GNUTLS_SAN_URI; - if (strcmp (str_type, "iPAddress") == 0) - return GNUTLS_SAN_IPADDRESS; - if (strcmp (str_type, "otherName") == 0) - return GNUTLS_SAN_OTHERNAME; - if (strcmp (str_type, "directoryName") == 0) - return GNUTLS_SAN_DN; - return (gnutls_x509_subject_alt_name_t) - 1; + if (strcmp(str_type, "dNSName") == 0) + return GNUTLS_SAN_DNSNAME; + if (strcmp(str_type, "rfc822Name") == 0) + return GNUTLS_SAN_RFC822NAME; + if (strcmp(str_type, "uniformResourceIdentifier") == 0) + return GNUTLS_SAN_URI; + if (strcmp(str_type, "iPAddress") == 0) + return GNUTLS_SAN_IPADDRESS; + if (strcmp(str_type, "otherName") == 0) + return GNUTLS_SAN_OTHERNAME; + if (strcmp(str_type, "directoryName") == 0) + return GNUTLS_SAN_DN; + return (gnutls_x509_subject_alt_name_t) - 1; } /* A generic export function. Will export the given ASN.1 encoded data * to PEM or DER raw data. */ int -_gnutls_x509_export_int_named (ASN1_TYPE asn1_data, const char *name, - gnutls_x509_crt_fmt_t format, - const char *pem_header, - unsigned char *output_data, - size_t * output_data_size) +_gnutls_x509_export_int_named(ASN1_TYPE asn1_data, const char *name, + gnutls_x509_crt_fmt_t format, + const char *pem_header, + unsigned char *output_data, + size_t * output_data_size) { - int ret; - gnutls_datum_t out; - size_t size; - - ret = _gnutls_x509_export_int_named2 (asn1_data, name, - format, pem_header, &out); - if (ret < 0) - return gnutls_assert_val(ret); - - if (format == GNUTLS_X509_FMT_PEM) - size = out.size+1; - else - size = out.size; - - if (*output_data_size < size) - { - *output_data_size = size; - ret = gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER); - goto cleanup; - } - - *output_data_size = (size_t)out.size; - if (output_data) - { - memcpy (output_data, out.data, (size_t)out.size); - if (format == GNUTLS_X509_FMT_PEM) - output_data[out.size] = 0; - } - - ret = 0; - -cleanup: - gnutls_free (out.data); - - return ret; + int ret; + gnutls_datum_t out; + size_t size; + + ret = _gnutls_x509_export_int_named2(asn1_data, name, + format, pem_header, &out); + if (ret < 0) + return gnutls_assert_val(ret); + + if (format == GNUTLS_X509_FMT_PEM) + size = out.size + 1; + else + size = out.size; + + if (*output_data_size < size) { + *output_data_size = size; + ret = gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER); + goto cleanup; + } + + *output_data_size = (size_t) out.size; + if (output_data) { + memcpy(output_data, out.data, (size_t) out.size); + if (format == GNUTLS_X509_FMT_PEM) + output_data[out.size] = 0; + } + + ret = 0; + + cleanup: + gnutls_free(out.data); + + return ret; } /* A generic export function. Will export the given ASN.1 encoded data * to PEM or DER raw data. */ int -_gnutls_x509_export_int_named2 (ASN1_TYPE asn1_data, const char *name, - gnutls_x509_crt_fmt_t format, - const char *pem_header, - gnutls_datum_t *out) +_gnutls_x509_export_int_named2(ASN1_TYPE asn1_data, const char *name, + gnutls_x509_crt_fmt_t format, + const char *pem_header, + gnutls_datum_t * out) { - int ret; - - if (format == GNUTLS_X509_FMT_DER) - { - ret = _gnutls_x509_der_encode(asn1_data, name, out, 0); - if (ret < 0) - return gnutls_assert_val(ret); - } - else - { /* PEM */ - gnutls_datum_t tmp; - - ret = _gnutls_x509_der_encode (asn1_data, name, &tmp, 0); - if (ret < 0) - return gnutls_assert_val(ret); - - ret = _gnutls_fbase64_encode (pem_header, tmp.data, tmp.size, out); - _gnutls_free_datum (&tmp); - - if (ret < 0) - return gnutls_assert_val(ret); - } - - return 0; + int ret; + + if (format == GNUTLS_X509_FMT_DER) { + ret = _gnutls_x509_der_encode(asn1_data, name, out, 0); + if (ret < 0) + return gnutls_assert_val(ret); + } else { /* PEM */ + gnutls_datum_t tmp; + + ret = _gnutls_x509_der_encode(asn1_data, name, &tmp, 0); + if (ret < 0) + return gnutls_assert_val(ret); + + ret = + _gnutls_fbase64_encode(pem_header, tmp.data, tmp.size, + out); + _gnutls_free_datum(&tmp); + + if (ret < 0) + return gnutls_assert_val(ret); + } + + return 0; } /* Decodes an octet string. The etype specifies the string type. @@ -963,59 +927,54 @@ _gnutls_x509_export_int_named2 (ASN1_TYPE asn1_data, const char *name, * included in size). */ int -_gnutls_x509_decode_string (unsigned int etype, - const uint8_t * der, size_t der_size, - gnutls_datum_t * output) +_gnutls_x509_decode_string(unsigned int etype, + const uint8_t * der, size_t der_size, + gnutls_datum_t * output) { - int ret; - const uint8_t *str; - unsigned int str_size, len; - gnutls_datum_t td; - - ret = asn1_decode_simple_der (etype, der, der_size, &str, &str_size); - if (ret != ASN1_SUCCESS) - { - gnutls_assert (); - ret = _gnutls_asn2err (ret); - return ret; - } - - td.size = str_size; - td.data = gnutls_malloc(str_size+1); - if (td.data == NULL) - return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); - - memcpy(td.data, str, str_size); - td.data[str_size] = 0; - - ret = make_printable_string(etype, &td, output); - if (ret == GNUTLS_E_INVALID_REQUEST) /* unsupported etype */ - { - output->data = td.data; - output->size = td.size; - ret = 0; - } - else if (ret <= 0) - { - _gnutls_free_datum(&td); - } - - /* Refuse to deal with strings containing NULs. */ - if (etype != ASN1_ETYPE_OCTET_STRING) - { - if (output->data) - len = strlen ((void*)output->data); - else - len = 0; - - if (len != (size_t)output->size) - { - _gnutls_free_datum(output); - ret = gnutls_assert_val(GNUTLS_E_ASN1_DER_ERROR); - } - } - - return ret; + int ret; + const uint8_t *str; + unsigned int str_size, len; + gnutls_datum_t td; + + ret = + asn1_decode_simple_der(etype, der, der_size, &str, &str_size); + if (ret != ASN1_SUCCESS) { + gnutls_assert(); + ret = _gnutls_asn2err(ret); + return ret; + } + + td.size = str_size; + td.data = gnutls_malloc(str_size + 1); + if (td.data == NULL) + return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); + + memcpy(td.data, str, str_size); + td.data[str_size] = 0; + + ret = make_printable_string(etype, &td, output); + if (ret == GNUTLS_E_INVALID_REQUEST) { /* unsupported etype */ + output->data = td.data; + output->size = td.size; + ret = 0; + } else if (ret <= 0) { + _gnutls_free_datum(&td); + } + + /* Refuse to deal with strings containing NULs. */ + if (etype != ASN1_ETYPE_OCTET_STRING) { + if (output->data) + len = strlen((void *) output->data); + else + len = 0; + + if (len != (size_t) output->size) { + _gnutls_free_datum(output); + ret = gnutls_assert_val(GNUTLS_E_ASN1_DER_ERROR); + } + } + + return ret; } @@ -1026,58 +985,53 @@ _gnutls_x509_decode_string (unsigned int etype, * the required data size (to allow for a null byte). */ int -_gnutls_x509_read_value (ASN1_TYPE c, const char *root, - gnutls_datum_t * ret) +_gnutls_x509_read_value(ASN1_TYPE c, const char *root, + gnutls_datum_t * ret) { - int len = 0, result; - uint8_t *tmp = NULL; - unsigned int etype; - - result = asn1_read_value_type (c, root, NULL, &len, &etype); - if (result != ASN1_MEM_ERROR) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - return result; - } - - if (etype == ASN1_ETYPE_BIT_STRING) - { - len /= 8; - len++; - } - - tmp = gnutls_malloc ((size_t)len+1); - if (tmp == NULL) - { - gnutls_assert (); - result = GNUTLS_E_MEMORY_ERROR; - goto cleanup; - } - - result = asn1_read_value (c, root, tmp, &len); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - - if (etype == ASN1_ETYPE_BIT_STRING) - { - ret->size = len / 8; - if (len % 8 > 0) - ret->size++; - } - else ret->size = (unsigned)len; - - ret->data = tmp; - - return 0; - -cleanup: - gnutls_free (tmp); - return result; + int len = 0, result; + uint8_t *tmp = NULL; + unsigned int etype; + + result = asn1_read_value_type(c, root, NULL, &len, &etype); + if (result != ASN1_MEM_ERROR) { + gnutls_assert(); + result = _gnutls_asn2err(result); + return result; + } + + if (etype == ASN1_ETYPE_BIT_STRING) { + len /= 8; + len++; + } + + tmp = gnutls_malloc((size_t) len + 1); + if (tmp == NULL) { + gnutls_assert(); + result = GNUTLS_E_MEMORY_ERROR; + goto cleanup; + } + + result = asn1_read_value(c, root, tmp, &len); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + if (etype == ASN1_ETYPE_BIT_STRING) { + ret->size = len / 8; + if (len % 8 > 0) + ret->size++; + } else + ret->size = (unsigned) len; + + ret->data = tmp; + + return 0; + + cleanup: + gnutls_free(tmp); + return result; } /* Reads a value from an ASN1 tree, then interprets it as the provided @@ -1087,92 +1041,89 @@ cleanup: * at the end of a readable string value (which is not accounted into size) */ int -_gnutls_x509_read_string (ASN1_TYPE c, const char *root, - gnutls_datum_t * ret, unsigned int etype) +_gnutls_x509_read_string(ASN1_TYPE c, const char *root, + gnutls_datum_t * ret, unsigned int etype) { - int len = 0, result; - size_t slen; - uint8_t *tmp = NULL; - unsigned rtype; - - result = asn1_read_value_type (c, root, NULL, &len, &rtype); - if (result != ASN1_MEM_ERROR) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - return result; - } - - if (rtype == ASN1_ETYPE_BIT_STRING) - len /= 8; - - tmp = gnutls_malloc ((size_t)len+1); - if (tmp == NULL) - { - gnutls_assert (); - result = GNUTLS_E_MEMORY_ERROR; - goto cleanup; - } - - result = asn1_read_value (c, root, tmp, &len); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - - if (rtype == ASN1_ETYPE_BIT_STRING) - len /= 8; - - /* Extract the STRING. - */ - slen = (size_t)len; - - result = _gnutls_x509_decode_string (etype, tmp, slen, ret); - if (result < 0) - { - gnutls_assert (); - goto cleanup; - } - gnutls_free(tmp); - - return 0; - -cleanup: - gnutls_free (tmp); - return result; + int len = 0, result; + size_t slen; + uint8_t *tmp = NULL; + unsigned rtype; + + result = asn1_read_value_type(c, root, NULL, &len, &rtype); + if (result != ASN1_MEM_ERROR) { + gnutls_assert(); + result = _gnutls_asn2err(result); + return result; + } + + if (rtype == ASN1_ETYPE_BIT_STRING) + len /= 8; + + tmp = gnutls_malloc((size_t) len + 1); + if (tmp == NULL) { + gnutls_assert(); + result = GNUTLS_E_MEMORY_ERROR; + goto cleanup; + } + + result = asn1_read_value(c, root, tmp, &len); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + if (rtype == ASN1_ETYPE_BIT_STRING) + len /= 8; + + /* Extract the STRING. + */ + slen = (size_t) len; + + result = _gnutls_x509_decode_string(etype, tmp, slen, ret); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + gnutls_free(tmp); + + return 0; + + cleanup: + gnutls_free(tmp); + return result; } /* The string type should be IA5String, UTF8String etc. Leave * null for octet string */ -int _gnutls_x509_encode_string(unsigned int etype, - const void* input_data, size_t input_size, - gnutls_datum_t* output) +int _gnutls_x509_encode_string(unsigned int etype, + const void *input_data, size_t input_size, + gnutls_datum_t * output) { - uint8_t tl[ASN1_MAX_TL_SIZE]; - unsigned int tl_size; - int ret; - - tl_size = sizeof(tl); - ret = asn1_encode_simple_der (etype, input_data, input_size, tl, &tl_size); - if (ret != ASN1_SUCCESS) - { - gnutls_assert (); - ret = _gnutls_asn2err (ret); - return ret; - } - - output->data = gnutls_malloc(tl_size + input_size); - if (output->data == NULL) - return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); - - memcpy(output->data, tl, tl_size); - memcpy(output->data+tl_size, input_data, input_size); - - output->size = tl_size + input_size; - - return 0; + uint8_t tl[ASN1_MAX_TL_SIZE]; + unsigned int tl_size; + int ret; + + tl_size = sizeof(tl); + ret = + asn1_encode_simple_der(etype, input_data, input_size, tl, + &tl_size); + if (ret != ASN1_SUCCESS) { + gnutls_assert(); + ret = _gnutls_asn2err(ret); + return ret; + } + + output->data = gnutls_malloc(tl_size + input_size); + if (output->data == NULL) + return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); + + memcpy(output->data, tl, tl_size); + memcpy(output->data + tl_size, input_data, input_size); + + output->size = tl_size + input_size; + + return 0; } /* DER Encodes the src ASN1_TYPE and stores it to @@ -1180,85 +1131,79 @@ int _gnutls_x509_encode_string(unsigned int etype, * an OCTET STRING. */ int -_gnutls_x509_der_encode (ASN1_TYPE src, const char *src_name, - gnutls_datum_t * res, int str) +_gnutls_x509_der_encode(ASN1_TYPE src, const char *src_name, + gnutls_datum_t * res, int str) { - int size, result; - int asize; - uint8_t *data = NULL; - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - - size = 0; - result = asn1_der_coding (src, src_name, NULL, &size, NULL); - if (result != ASN1_MEM_ERROR) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - - /* allocate data for the der - */ - - if (str) - size += 16; /* for later to include the octet tags */ - asize = size; - - data = gnutls_malloc ((size_t)size); - if (data == NULL) - { - gnutls_assert (); - result = GNUTLS_E_MEMORY_ERROR; - goto cleanup; - } - - result = asn1_der_coding (src, src_name, data, &size, NULL); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - - if (str) - { - if ((result = asn1_create_element - (_gnutls_get_pkix (), "PKIX1.pkcs-7-Data", &c2)) != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - - result = asn1_write_value (c2, "", data, size); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - - result = asn1_der_coding (c2, "", data, &asize, NULL); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - - size = asize; - - asn1_delete_structure (&c2); - } - - res->data = data; - res->size = (unsigned)size; - return 0; - -cleanup: - gnutls_free (data); - asn1_delete_structure (&c2); - return result; + int size, result; + int asize; + uint8_t *data = NULL; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + + size = 0; + result = asn1_der_coding(src, src_name, NULL, &size, NULL); + if (result != ASN1_MEM_ERROR) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + /* allocate data for the der + */ + + if (str) + size += 16; /* for later to include the octet tags */ + asize = size; + + data = gnutls_malloc((size_t) size); + if (data == NULL) { + gnutls_assert(); + result = GNUTLS_E_MEMORY_ERROR; + goto cleanup; + } + + result = asn1_der_coding(src, src_name, data, &size, NULL); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + if (str) { + if ((result = asn1_create_element + (_gnutls_get_pkix(), "PKIX1.pkcs-7-Data", + &c2)) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + result = asn1_write_value(c2, "", data, size); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + result = asn1_der_coding(c2, "", data, &asize, NULL); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + size = asize; + + asn1_delete_structure(&c2); + } + + res->data = data; + res->size = (unsigned) size; + return 0; + + cleanup: + gnutls_free(data); + asn1_delete_structure(&c2); + return result; } @@ -1268,97 +1213,96 @@ cleanup: * an OCTET STRING. */ int -_gnutls_x509_der_encode_and_copy (ASN1_TYPE src, const char *src_name, - ASN1_TYPE dest, const char *dest_name, - int str) +_gnutls_x509_der_encode_and_copy(ASN1_TYPE src, const char *src_name, + ASN1_TYPE dest, const char *dest_name, + int str) { - int result; - gnutls_datum_t encoded; + int result; + gnutls_datum_t encoded; - result = _gnutls_x509_der_encode (src, src_name, &encoded, str); + result = _gnutls_x509_der_encode(src, src_name, &encoded, str); - if (result < 0) - { - gnutls_assert (); - return result; - } + if (result < 0) { + gnutls_assert(); + return result; + } - /* Write the data. - */ - result = asn1_write_value (dest, dest_name, encoded.data, (int)encoded.size); + /* Write the data. + */ + result = + asn1_write_value(dest, dest_name, encoded.data, + (int) encoded.size); - _gnutls_free_datum (&encoded); + _gnutls_free_datum(&encoded); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } - return 0; + return 0; } /* Writes the value of the datum in the given ASN1_TYPE. */ int -_gnutls_x509_write_value (ASN1_TYPE c, const char *root, - const gnutls_datum_t * data) +_gnutls_x509_write_value(ASN1_TYPE c, const char *root, + const gnutls_datum_t * data) { - int ret; - - /* Write the data. - */ - ret = asn1_write_value (c, root, data->data, data->size); - if (ret != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (ret); - } - - return 0; + int ret; + + /* Write the data. + */ + ret = asn1_write_value(c, root, data->data, data->size); + if (ret != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(ret); + } + + return 0; } /* Writes the value of the datum in the given ASN1_TYPE as a string. */ int -_gnutls_x509_write_string (ASN1_TYPE c, const char *root, - const gnutls_datum_t * data, unsigned int etype) +_gnutls_x509_write_string(ASN1_TYPE c, const char *root, + const gnutls_datum_t * data, unsigned int etype) { - int ret; - gnutls_datum_t val = { NULL, 0 }; - - ret = _gnutls_x509_encode_string(etype, data->data, data->size, &val); - if (ret < 0) - return gnutls_assert_val(ret); - - /* Write the data. - */ - ret = asn1_write_value (c, root, val.data, val.size); - if (ret != ASN1_SUCCESS) - { - gnutls_assert (); - ret = _gnutls_asn2err (ret); - goto cleanup; - } - - ret = 0; - -cleanup: - _gnutls_free_datum (&val); - return ret; + int ret; + gnutls_datum_t val = { NULL, 0 }; + + ret = + _gnutls_x509_encode_string(etype, data->data, data->size, + &val); + if (ret < 0) + return gnutls_assert_val(ret); + + /* Write the data. + */ + ret = asn1_write_value(c, root, val.data, val.size); + if (ret != ASN1_SUCCESS) { + gnutls_assert(); + ret = _gnutls_asn2err(ret); + goto cleanup; + } + + ret = 0; + + cleanup: + _gnutls_free_datum(&val); + return ret; } void -_asnstr_append_name (char *name, size_t name_size, const char *part1, - const char *part2) +_asnstr_append_name(char *name, size_t name_size, const char *part1, + const char *part2) { - if (part1[0] != 0) - { - _gnutls_str_cpy (name, name_size, part1); - _gnutls_str_cat (name, name_size, part2); - } - else - _gnutls_str_cpy (name, name_size, part2 + 1 /* remove initial dot */ ); + if (part1[0] != 0) { + _gnutls_str_cpy(name, name_size, part1); + _gnutls_str_cat(name, name_size, part2); + } else + _gnutls_str_cpy(name, name_size, + part2 + 1 /* remove initial dot */ ); } @@ -1368,206 +1312,203 @@ _asnstr_append_name (char *name, size_t name_size, const char *part1, * */ int -_gnutls_x509_encode_and_copy_PKI_params (ASN1_TYPE dst, - const char *dst_name, - gnutls_pk_algorithm_t - pk_algorithm, gnutls_pk_params_st * params) +_gnutls_x509_encode_and_copy_PKI_params(ASN1_TYPE dst, + const char *dst_name, + gnutls_pk_algorithm_t + pk_algorithm, + gnutls_pk_params_st * params) { - const char *pk; - gnutls_datum_t der = { NULL, 0 }; - int result; - char name[128]; - - pk = _gnutls_x509_pk_to_oid (pk_algorithm); - if (pk == NULL) - { - gnutls_assert (); - return GNUTLS_E_UNKNOWN_PK_ALGORITHM; - } - - /* write the OID - */ - _asnstr_append_name (name, sizeof (name), dst_name, ".algorithm.algorithm"); - - result = asn1_write_value (dst, name, pk, 1); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - result = _gnutls_x509_write_pubkey_params (pk_algorithm, params, &der); - if (result < 0) - { - gnutls_assert (); - return result; - } - - _asnstr_append_name (name, sizeof (name), dst_name, - ".algorithm.parameters"); - - result = asn1_write_value (dst, name, der.data, der.size); - - _gnutls_free_datum (&der); - - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - result = _gnutls_x509_write_pubkey (pk_algorithm, params, &der); - if (result < 0) - { - gnutls_assert (); - return result; - } - - /* Write the DER parameters. (in bits) - */ - _asnstr_append_name (name, sizeof (name), dst_name, - ".subjectPublicKey"); - result = asn1_write_value (dst, name, der.data, der.size * 8); - _gnutls_free_datum (&der); - - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - return 0; + const char *pk; + gnutls_datum_t der = { NULL, 0 }; + int result; + char name[128]; + + pk = _gnutls_x509_pk_to_oid(pk_algorithm); + if (pk == NULL) { + gnutls_assert(); + return GNUTLS_E_UNKNOWN_PK_ALGORITHM; + } + + /* write the OID + */ + _asnstr_append_name(name, sizeof(name), dst_name, + ".algorithm.algorithm"); + + result = asn1_write_value(dst, name, pk, 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + result = + _gnutls_x509_write_pubkey_params(pk_algorithm, params, &der); + if (result < 0) { + gnutls_assert(); + return result; + } + + _asnstr_append_name(name, sizeof(name), dst_name, + ".algorithm.parameters"); + + result = asn1_write_value(dst, name, der.data, der.size); + + _gnutls_free_datum(&der); + + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + result = _gnutls_x509_write_pubkey(pk_algorithm, params, &der); + if (result < 0) { + gnutls_assert(); + return result; + } + + /* Write the DER parameters. (in bits) + */ + _asnstr_append_name(name, sizeof(name), dst_name, + ".subjectPublicKey"); + result = asn1_write_value(dst, name, der.data, der.size * 8); + _gnutls_free_datum(&der); + + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + return 0; } /* Encodes and public key parameters into a * subjectPublicKeyInfo structure and stores it in der. */ int -_gnutls_x509_encode_PKI_params (gnutls_datum_t *der, - gnutls_pk_algorithm_t - pk_algorithm, gnutls_pk_params_st * params) +_gnutls_x509_encode_PKI_params(gnutls_datum_t * der, + gnutls_pk_algorithm_t + pk_algorithm, gnutls_pk_params_st * params) { - int ret; - ASN1_TYPE tmp; - - ret = asn1_create_element (_gnutls_get_pkix (), - "PKIX1.Certificate", &tmp); - if (ret != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (ret); - } - - ret = _gnutls_x509_encode_and_copy_PKI_params (tmp, - "tbsCertificate.subjectPublicKeyInfo", - pk_algorithm, params); - if (ret != ASN1_SUCCESS) - { - gnutls_assert (); - ret = _gnutls_asn2err (ret); - goto cleanup; - } - - ret = _gnutls_x509_der_encode(tmp, "tbsCertificate.subjectPublicKeyInfo", der, 0); - -cleanup: - asn1_delete_structure (&tmp); - - return ret; + int ret; + ASN1_TYPE tmp; + + ret = asn1_create_element(_gnutls_get_pkix(), + "PKIX1.Certificate", &tmp); + if (ret != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(ret); + } + + ret = _gnutls_x509_encode_and_copy_PKI_params(tmp, + "tbsCertificate.subjectPublicKeyInfo", + pk_algorithm, + params); + if (ret != ASN1_SUCCESS) { + gnutls_assert(); + ret = _gnutls_asn2err(ret); + goto cleanup; + } + + ret = + _gnutls_x509_der_encode(tmp, + "tbsCertificate.subjectPublicKeyInfo", + der, 0); + + cleanup: + asn1_delete_structure(&tmp); + + return ret; } /* Reads and returns the PK algorithm of the given certificate-like * ASN.1 structure. src_name should be something like "tbsCertificate.subjectPublicKeyInfo". */ int -_gnutls_x509_get_pk_algorithm (ASN1_TYPE src, const char *src_name, - unsigned int *bits) +_gnutls_x509_get_pk_algorithm(ASN1_TYPE src, const char *src_name, + unsigned int *bits) { - int result; - int algo; - char oid[64]; - int len; - gnutls_pk_params_st params; - char name[128]; - - gnutls_pk_params_init(¶ms); - - _asnstr_append_name (name, sizeof (name), src_name, ".algorithm.algorithm"); - len = sizeof (oid); - result = asn1_read_value (src, name, oid, &len); - - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - algo = _gnutls_x509_oid2pk_algorithm (oid); - if (algo == GNUTLS_PK_UNKNOWN) - { - _gnutls_debug_log - ("%s: unknown public key algorithm: %s\n", __func__, oid); - } - - if (bits == NULL) - { - return algo; - } - - /* Now read the parameters' bits - */ - result = _gnutls_get_asn_mpis(src, src_name, ¶ms); - if (result < 0) - return gnutls_assert_val(result); - - bits[0] = pubkey_to_bits(algo, ¶ms); - - gnutls_pk_params_release(¶ms); - return algo; + int result; + int algo; + char oid[64]; + int len; + gnutls_pk_params_st params; + char name[128]; + + gnutls_pk_params_init(¶ms); + + _asnstr_append_name(name, sizeof(name), src_name, + ".algorithm.algorithm"); + len = sizeof(oid); + result = asn1_read_value(src, name, oid, &len); + + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + algo = _gnutls_x509_oid2pk_algorithm(oid); + if (algo == GNUTLS_PK_UNKNOWN) { + _gnutls_debug_log + ("%s: unknown public key algorithm: %s\n", __func__, + oid); + } + + if (bits == NULL) { + return algo; + } + + /* Now read the parameters' bits + */ + result = _gnutls_get_asn_mpis(src, src_name, ¶ms); + if (result < 0) + return gnutls_assert_val(result); + + bits[0] = pubkey_to_bits(algo, ¶ms); + + gnutls_pk_params_release(¶ms); + return algo; } /* Reads the DER signed data from the certificate and allocates space and * returns them into signed_data. */ int -_gnutls_x509_get_signed_data (ASN1_TYPE src, const char *src_name, - gnutls_datum_t * signed_data) +_gnutls_x509_get_signed_data(ASN1_TYPE src, const char *src_name, + gnutls_datum_t * signed_data) { - gnutls_datum_t der; - int start, end, result; - - result = _gnutls_x509_der_encode (src, "", &der, 0); - if (result < 0) - { - gnutls_assert (); - return result; - } - - /* Get the signed data - */ - result = asn1_der_decoding_startEnd (src, der.data, der.size, - src_name, &start, &end); - if (result != ASN1_SUCCESS) - { - result = _gnutls_asn2err (result); - gnutls_assert (); - goto cleanup; - } - - result = _gnutls_set_datum (signed_data, &der.data[start], end - start + 1); - - if (result < 0) - { - gnutls_assert (); - goto cleanup; - } - - result = 0; - -cleanup: - _gnutls_free_datum (&der); - - return result; + gnutls_datum_t der; + int start, end, result; + + result = _gnutls_x509_der_encode(src, "", &der, 0); + if (result < 0) { + gnutls_assert(); + return result; + } + + /* Get the signed data + */ + result = asn1_der_decoding_startEnd(src, der.data, der.size, + src_name, &start, &end); + if (result != ASN1_SUCCESS) { + result = _gnutls_asn2err(result); + gnutls_assert(); + goto cleanup; + } + + result = + _gnutls_set_datum(signed_data, &der.data[start], + end - start + 1); + + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + result = 0; + + cleanup: + _gnutls_free_datum(&der); + + return result; } /*- @@ -1583,28 +1524,26 @@ cleanup: * error. -*/ int -_gnutls_x509_get_signature_algorithm (ASN1_TYPE src, const char *src_name) +_gnutls_x509_get_signature_algorithm(ASN1_TYPE src, const char *src_name) { - int result; - gnutls_datum_t sa; + int result; + gnutls_datum_t sa; - /* Read the signature algorithm. Note that parameters are not - * read. They will be read from the issuer's certificate if needed. - */ - result = - _gnutls_x509_read_value (src, src_name, &sa); + /* Read the signature algorithm. Note that parameters are not + * read. They will be read from the issuer's certificate if needed. + */ + result = _gnutls_x509_read_value(src, src_name, &sa); - if (result < 0) - { - gnutls_assert (); - return result; - } + if (result < 0) { + gnutls_assert(); + return result; + } - result = _gnutls_x509_oid2sign_algorithm ( (char*)sa.data); + result = _gnutls_x509_oid2sign_algorithm((char *) sa.data); - _gnutls_free_datum (&sa); + _gnutls_free_datum(&sa); - return result; + return result; } @@ -1612,143 +1551,136 @@ _gnutls_x509_get_signature_algorithm (ASN1_TYPE src, const char *src_name) * returns them into signed_data. */ int -_gnutls_x509_get_signature (ASN1_TYPE src, const char *src_name, - gnutls_datum_t * signature) +_gnutls_x509_get_signature(ASN1_TYPE src, const char *src_name, + gnutls_datum_t * signature) { - int result, len; - unsigned int bits; - - signature->data = NULL; - signature->size = 0; - - /* Read the signature - */ - len = 0; - result = asn1_read_value (src, src_name, NULL, &len); - - if (result != ASN1_MEM_ERROR) - { - result = _gnutls_asn2err (result); - gnutls_assert (); - goto cleanup; - } - - bits = len; - if (bits % 8 != 0) - { - gnutls_assert (); - result = GNUTLS_E_CERTIFICATE_ERROR; - goto cleanup; - } - - len = bits / 8; - - signature->data = gnutls_malloc (len); - if (signature->data == NULL) - { - gnutls_assert (); - result = GNUTLS_E_MEMORY_ERROR; - return result; - } - - /* read the bit string of the signature - */ - bits = len; - result = asn1_read_value (src, src_name, signature->data, (int*)&bits); - - if (result != ASN1_SUCCESS) - { - result = _gnutls_asn2err (result); - gnutls_assert (); - goto cleanup; - } - - signature->size = len; - - return 0; - -cleanup: - return result; + int result, len; + unsigned int bits; + + signature->data = NULL; + signature->size = 0; + + /* Read the signature + */ + len = 0; + result = asn1_read_value(src, src_name, NULL, &len); + + if (result != ASN1_MEM_ERROR) { + result = _gnutls_asn2err(result); + gnutls_assert(); + goto cleanup; + } + + bits = len; + if (bits % 8 != 0) { + gnutls_assert(); + result = GNUTLS_E_CERTIFICATE_ERROR; + goto cleanup; + } + + len = bits / 8; + + signature->data = gnutls_malloc(len); + if (signature->data == NULL) { + gnutls_assert(); + result = GNUTLS_E_MEMORY_ERROR; + return result; + } + + /* read the bit string of the signature + */ + bits = len; + result = + asn1_read_value(src, src_name, signature->data, (int *) &bits); + + if (result != ASN1_SUCCESS) { + result = _gnutls_asn2err(result); + gnutls_assert(); + goto cleanup; + } + + signature->size = len; + + return 0; + + cleanup: + return result; } /* ASN.1 PrintableString rules */ static int is_printable(char p) { - if ((p >= 'a' && p <= 'z') || (p >= 'A' && p <= 'Z') || - (p >= '0' && p <= '9') || p == ' ' || p == '(' || p == ')' || - p == '+' || p == ',' || p == '-' || p == '.' || p == '/' || - p == ':' || p == '=' || p == '?') - return 1; - - return 0; + if ((p >= 'a' && p <= 'z') || (p >= 'A' && p <= 'Z') || + (p >= '0' && p <= '9') || p == ' ' || p == '(' || p == ')' || + p == '+' || p == ',' || p == '-' || p == '.' || p == '/' || + p == ':' || p == '=' || p == '?') + return 1; + + return 0; } -static int write_complex_string(ASN1_TYPE asn_struct, const char* where, - const struct oid_to_string* oentry, const uint8_t *data, - size_t data_size) +static int write_complex_string(ASN1_TYPE asn_struct, const char *where, + const struct oid_to_string *oentry, + const uint8_t * data, size_t data_size) { - char tmp[128]; - ASN1_TYPE c2; - int result; - const char *string_type; - unsigned int i; - - result = asn1_create_element (_gnutls_get_pkix (), oentry->asn_desc, &c2); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - tmp[0] = 0; - - string_type = "printableString"; - - /* Check if the data is ASN.1 printable, and use - * the UTF8 string type if not. - */ - for (i = 0; i < data_size; i++) - { - if (!is_printable (data[i])) - { - string_type = "utf8String"; - break; - } - } - - /* if the type is a CHOICE then write the - * type we'll use. - */ - result = asn1_write_value (c2, "", string_type, 1); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto error; - } - - _gnutls_str_cpy (tmp, sizeof (tmp), string_type); - - result = asn1_write_value (c2, tmp, data, data_size); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto error; - } - - result = _gnutls_x509_der_encode_and_copy (c2, "", asn_struct, where, 0); - if (result < 0) - { - gnutls_assert (); - goto error; - } - - result = 0; - -error: - asn1_delete_structure (&c2); - return result; + char tmp[128]; + ASN1_TYPE c2; + int result; + const char *string_type; + unsigned int i; + + result = + asn1_create_element(_gnutls_get_pkix(), oentry->asn_desc, &c2); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + tmp[0] = 0; + + string_type = "printableString"; + + /* Check if the data is ASN.1 printable, and use + * the UTF8 string type if not. + */ + for (i = 0; i < data_size; i++) { + if (!is_printable(data[i])) { + string_type = "utf8String"; + break; + } + } + + /* if the type is a CHOICE then write the + * type we'll use. + */ + result = asn1_write_value(c2, "", string_type, 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + _gnutls_str_cpy(tmp, sizeof(tmp), string_type); + + result = asn1_write_value(c2, tmp, data, data_size); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + result = + _gnutls_x509_der_encode_and_copy(c2, "", asn_struct, where, 0); + if (result < 0) { + gnutls_assert(); + goto error; + } + + result = 0; + + error: + asn1_delete_structure(&c2); + return result; } @@ -1757,83 +1689,80 @@ error: * In all cases only one value is written. */ int -_gnutls_x509_encode_and_write_attribute (const char *given_oid, - ASN1_TYPE asn1_struct, - const char *where, - const void *_data, - int data_size, int multi) +_gnutls_x509_encode_and_write_attribute(const char *given_oid, + ASN1_TYPE asn1_struct, + const char *where, + const void *_data, + int data_size, int multi) { - const uint8_t *data = _data; - char tmp[128]; - int result; - const struct oid_to_string* oentry; - - oentry = get_oid_entry(given_oid); - if (oentry == NULL) - { - gnutls_assert (); - _gnutls_debug_log ("Cannot find OID: %s\n", given_oid); - return GNUTLS_E_X509_UNSUPPORTED_OID; - } - - /* write the data (value) - */ - - _gnutls_str_cpy (tmp, sizeof (tmp), where); - _gnutls_str_cat (tmp, sizeof (tmp), ".value"); - - if (multi != 0) - { /* if not writing an AttributeTypeAndValue, but an Attribute */ - _gnutls_str_cat (tmp, sizeof (tmp), "s"); /* values */ - - result = asn1_write_value (asn1_struct, tmp, "NEW", 1); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto error; - } - - _gnutls_str_cat (tmp, sizeof (tmp), ".?LAST"); - } - - if (oentry->asn_desc != NULL) /* write a complex string API */ - { - result = write_complex_string(asn1_struct, tmp, oentry, data, data_size); - if (result < 0) - return gnutls_assert_val(result); - } - else /* write a simple string */ - { - gnutls_datum_t td; - - td.data = (void*)data; - td.size = data_size; - result = _gnutls_x509_write_string (asn1_struct, tmp, &td, oentry->etype); - if (result < 0) - { - gnutls_assert (); - goto error; - } - } - - /* write the type - */ - _gnutls_str_cpy (tmp, sizeof (tmp), where); - _gnutls_str_cat (tmp, sizeof (tmp), ".type"); - - result = asn1_write_value (asn1_struct, tmp, given_oid, 1); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto error; - } - - result = 0; - -error: - return result; + const uint8_t *data = _data; + char tmp[128]; + int result; + const struct oid_to_string *oentry; + + oentry = get_oid_entry(given_oid); + if (oentry == NULL) { + gnutls_assert(); + _gnutls_debug_log("Cannot find OID: %s\n", given_oid); + return GNUTLS_E_X509_UNSUPPORTED_OID; + } + + /* write the data (value) + */ + + _gnutls_str_cpy(tmp, sizeof(tmp), where); + _gnutls_str_cat(tmp, sizeof(tmp), ".value"); + + if (multi != 0) { /* if not writing an AttributeTypeAndValue, but an Attribute */ + _gnutls_str_cat(tmp, sizeof(tmp), "s"); /* values */ + + result = asn1_write_value(asn1_struct, tmp, "NEW", 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + _gnutls_str_cat(tmp, sizeof(tmp), ".?LAST"); + } + + if (oentry->asn_desc != NULL) { /* write a complex string API */ + result = + write_complex_string(asn1_struct, tmp, oentry, data, + data_size); + if (result < 0) + return gnutls_assert_val(result); + } else { /* write a simple string */ + + gnutls_datum_t td; + + td.data = (void *) data; + td.size = data_size; + result = + _gnutls_x509_write_string(asn1_struct, tmp, &td, + oentry->etype); + if (result < 0) { + gnutls_assert(); + goto error; + } + } + + /* write the type + */ + _gnutls_str_cpy(tmp, sizeof(tmp), where); + _gnutls_str_cat(tmp, sizeof(tmp), ".type"); + + result = asn1_write_value(asn1_struct, tmp, given_oid, 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + result = 0; + + error: + return result; } /* copies a datum to a buffer. If it doesn't fit it returns @@ -1842,57 +1771,55 @@ error: * * The buffer will always be null terminated. */ -int _gnutls_strdatum_to_buf (gnutls_datum_t * d, void* buf, size_t * buf_size) +int _gnutls_strdatum_to_buf(gnutls_datum_t * d, void *buf, + size_t * buf_size) { -int ret; -uint8_t *_buf = buf; - - if (buf == NULL || *buf_size < d->size+1) - { - *buf_size = d->size+1; - ret = gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER); - goto cleanup; - } - memcpy(buf, d->data, d->size); - _buf[d->size] = 0; - - *buf_size = d->size; - ret = 0; - -cleanup: - _gnutls_free_datum(d); - - return ret; + int ret; + uint8_t *_buf = buf; + + if (buf == NULL || *buf_size < d->size + 1) { + *buf_size = d->size + 1; + ret = gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER); + goto cleanup; + } + memcpy(buf, d->data, d->size); + _buf[d->size] = 0; + + *buf_size = d->size; + ret = 0; + + cleanup: + _gnutls_free_datum(d); + + return ret; } int -_gnutls_x509_get_raw_dn2 (ASN1_TYPE c2, gnutls_datum_t* raw, - const char *whom, gnutls_datum_t * dn) +_gnutls_x509_get_raw_dn2(ASN1_TYPE c2, gnutls_datum_t * raw, + const char *whom, gnutls_datum_t * dn) { - int result, len1; - int start1, end1; - result = - asn1_der_decoding_startEnd (c2, raw->data, raw->size, - whom, &start1, &end1); - - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - - len1 = end1 - start1 + 1; - - result = _gnutls_set_datum (dn, &raw->data[start1], len1); - if (result < 0) - { - gnutls_assert(); - goto cleanup; - } - - result = 0; - -cleanup: - return result; + int result, len1; + int start1, end1; + result = + asn1_der_decoding_startEnd(c2, raw->data, raw->size, + whom, &start1, &end1); + + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + len1 = end1 - start1 + 1; + + result = _gnutls_set_datum(dn, &raw->data[start1], len1); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + result = 0; + + cleanup: + return result; } diff --git a/lib/x509/common.h b/lib/x509/common.h index 8eec73054a..ade1c9bc7b 100644 --- a/lib/x509/common.h +++ b/lib/x509/common.h @@ -67,115 +67,121 @@ #define ASN1_NULL "\x05\x00" #define ASN1_NULL_SIZE 2 -int _gnutls_x509_set_time (ASN1_TYPE c2, const char *where, time_t tim, int general); +int _gnutls_x509_set_time(ASN1_TYPE c2, const char *where, time_t tim, + int general); -int _gnutls_x509_decode_string (unsigned int etype, - const uint8_t * der, size_t der_size, - gnutls_datum_t *output); +int _gnutls_x509_decode_string(unsigned int etype, + const uint8_t * der, size_t der_size, + gnutls_datum_t * output); int _gnutls_x509_encode_string(unsigned int etype, - const void* input_data, size_t input_size, - gnutls_datum_t* output); + const void *input_data, size_t input_size, + gnutls_datum_t * output); -int _gnutls_x509_dn_to_string (const char *OID, void *value, - int value_size, gnutls_datum_t* out); -const char* _gnutls_ldap_string_to_oid (const char* str, unsigned str_len); +int _gnutls_x509_dn_to_string(const char *OID, void *value, + int value_size, gnutls_datum_t * out); +const char *_gnutls_ldap_string_to_oid(const char *str, unsigned str_len); -time_t _gnutls_x509_get_time (ASN1_TYPE c2, const char *when, int general); +time_t _gnutls_x509_get_time(ASN1_TYPE c2, const char *when, int general); -gnutls_x509_subject_alt_name_t _gnutls_x509_san_find_type (char *str_type); +gnutls_x509_subject_alt_name_t _gnutls_x509_san_find_type(char *str_type); -int _gnutls_x509_der_encode_and_copy (ASN1_TYPE src, const char *src_name, - ASN1_TYPE dest, const char *dest_name, - int str); -int _gnutls_x509_der_encode (ASN1_TYPE src, const char *src_name, - gnutls_datum_t * res, int str); +int _gnutls_x509_der_encode_and_copy(ASN1_TYPE src, const char *src_name, + ASN1_TYPE dest, const char *dest_name, + int str); +int _gnutls_x509_der_encode(ASN1_TYPE src, const char *src_name, + gnutls_datum_t * res, int str); #define _gnutls_x509_export_int(asn1, format, header, out, out_size) \ _gnutls_x509_export_int_named(asn1, "", format, header, out, out_size) -int _gnutls_x509_export_int_named (ASN1_TYPE asn1_data, const char *name, - gnutls_x509_crt_fmt_t format, - const char *pem_header, - unsigned char *output_data, - size_t * output_data_size); +int _gnutls_x509_export_int_named(ASN1_TYPE asn1_data, const char *name, + gnutls_x509_crt_fmt_t format, + const char *pem_header, + unsigned char *output_data, + size_t * output_data_size); #define _gnutls_x509_export_int2(asn1, format, header, out) \ _gnutls_x509_export_int_named2(asn1, "", format, header, out) -int _gnutls_x509_export_int_named2 (ASN1_TYPE asn1_data, const char *name, - gnutls_x509_crt_fmt_t format, - const char *pem_header, - gnutls_datum_t * out); - -int _gnutls_x509_read_value (ASN1_TYPE c, const char *root, - gnutls_datum_t * ret); -int _gnutls_x509_read_string (ASN1_TYPE c, const char *root, - gnutls_datum_t * ret, unsigned int etype); -int _gnutls_x509_write_value (ASN1_TYPE c, const char *root, - const gnutls_datum_t * data); - -int _gnutls_x509_write_string (ASN1_TYPE c, const char *root, - const gnutls_datum_t * data, unsigned int etype); - -int _gnutls_x509_encode_and_write_attribute (const char *given_oid, - ASN1_TYPE asn1_struct, - const char *where, - const void *data, - int sizeof_data, int multi); -int _gnutls_x509_decode_and_read_attribute (ASN1_TYPE asn1_struct, - const char *where, char *oid, - int oid_size, - gnutls_datum_t * value, int multi, - int octet); - -int _gnutls_x509_get_pk_algorithm (ASN1_TYPE src, const char *src_name, - unsigned int *bits); +int _gnutls_x509_export_int_named2(ASN1_TYPE asn1_data, const char *name, + gnutls_x509_crt_fmt_t format, + const char *pem_header, + gnutls_datum_t * out); + +int _gnutls_x509_read_value(ASN1_TYPE c, const char *root, + gnutls_datum_t * ret); +int _gnutls_x509_read_string(ASN1_TYPE c, const char *root, + gnutls_datum_t * ret, unsigned int etype); +int _gnutls_x509_write_value(ASN1_TYPE c, const char *root, + const gnutls_datum_t * data); + +int _gnutls_x509_write_string(ASN1_TYPE c, const char *root, + const gnutls_datum_t * data, + unsigned int etype); + +int _gnutls_x509_encode_and_write_attribute(const char *given_oid, + ASN1_TYPE asn1_struct, + const char *where, + const void *data, + int sizeof_data, int multi); +int _gnutls_x509_decode_and_read_attribute(ASN1_TYPE asn1_struct, + const char *where, char *oid, + int oid_size, + gnutls_datum_t * value, + int multi, int octet); + +int _gnutls_x509_get_pk_algorithm(ASN1_TYPE src, const char *src_name, + unsigned int *bits); int -_gnutls_x509_get_signature_algorithm (ASN1_TYPE src, const char *src_name); +_gnutls_x509_get_signature_algorithm(ASN1_TYPE src, const char *src_name); -int _gnutls_x509_encode_and_copy_PKI_params (ASN1_TYPE dst, - const char *dst_name, - gnutls_pk_algorithm_t - pk_algorithm, gnutls_pk_params_st * params); -int _gnutls_x509_encode_PKI_params(gnutls_datum_t* der, - gnutls_pk_algorithm_t, gnutls_pk_params_st* params); -int _gnutls_asn1_copy_node (ASN1_TYPE * dst, const char *dst_name, - ASN1_TYPE src, const char *src_name); +int _gnutls_x509_encode_and_copy_PKI_params(ASN1_TYPE dst, + const char *dst_name, + gnutls_pk_algorithm_t + pk_algorithm, + gnutls_pk_params_st * params); +int _gnutls_x509_encode_PKI_params(gnutls_datum_t * der, + gnutls_pk_algorithm_t, + gnutls_pk_params_st * params); +int _gnutls_asn1_copy_node(ASN1_TYPE * dst, const char *dst_name, + ASN1_TYPE src, const char *src_name); -int _gnutls_x509_get_signed_data (ASN1_TYPE src, const char *src_name, - gnutls_datum_t * signed_data); -int _gnutls_x509_get_signature (ASN1_TYPE src, const char *src_name, - gnutls_datum_t * signature); +int _gnutls_x509_get_signed_data(ASN1_TYPE src, const char *src_name, + gnutls_datum_t * signed_data); +int _gnutls_x509_get_signature(ASN1_TYPE src, const char *src_name, + gnutls_datum_t * signature); -int _gnutls_get_asn_mpis (ASN1_TYPE asn, const char *root, - gnutls_pk_params_st * params); +int _gnutls_get_asn_mpis(ASN1_TYPE asn, const char *root, + gnutls_pk_params_st * params); -int _gnutls_get_key_id (gnutls_pk_algorithm_t pk, gnutls_pk_params_st*, - unsigned char *output_data, - size_t * output_data_size); +int _gnutls_get_key_id(gnutls_pk_algorithm_t pk, gnutls_pk_params_st *, + unsigned char *output_data, + size_t * output_data_size); -void _asnstr_append_name (char *name, size_t name_size, const char *part1, - const char *part2); +void _asnstr_append_name(char *name, size_t name_size, const char *part1, + const char *part2); int -_gnutls_x509_get_raw_dn2 (ASN1_TYPE c2, gnutls_datum_t* raw, - const char *whom, gnutls_datum_t * dn); +_gnutls_x509_get_raw_dn2(ASN1_TYPE c2, gnutls_datum_t * raw, + const char *whom, gnutls_datum_t * dn); int -_gnutls_check_if_same_cert (gnutls_x509_crt_t cert1, gnutls_x509_crt_t cert2); +_gnutls_check_if_same_cert(gnutls_x509_crt_t cert1, + gnutls_x509_crt_t cert2); -time_t _gnutls_x509_generalTime2gtime (const char *ttime); +time_t _gnutls_x509_generalTime2gtime(const char *ttime); -int get_extension (ASN1_TYPE asn, const char *root, - const char *extension_id, int indx, - gnutls_datum_t * ret, unsigned int *_critical); +int get_extension(ASN1_TYPE asn, const char *root, + const char *extension_id, int indx, + gnutls_datum_t * ret, unsigned int *_critical); -int set_extension (ASN1_TYPE asn, const char *root, - const char *ext_id, - const gnutls_datum_t * ext_data, unsigned int critical); +int set_extension(ASN1_TYPE asn, const char *root, + const char *ext_id, + const gnutls_datum_t * ext_data, unsigned int critical); -int _gnutls_strdatum_to_buf (gnutls_datum_t * d, void* buf, size_t * sizeof_buf); +int _gnutls_strdatum_to_buf(gnutls_datum_t * d, void *buf, + size_t * sizeof_buf); #endif diff --git a/lib/x509/crl.c b/lib/x509/crl.c index 152ab33ba9..bd2560dc78 100644 --- a/lib/x509/crl.c +++ b/lib/x509/crl.c @@ -44,25 +44,22 @@ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a * negative error value. **/ -int -gnutls_x509_crl_init (gnutls_x509_crl_t * crl) +int gnutls_x509_crl_init(gnutls_x509_crl_t * crl) { - *crl = gnutls_calloc (1, sizeof (gnutls_x509_crl_int)); - - if (*crl) - { - int result = asn1_create_element (_gnutls_get_pkix (), - "PKIX1.CertificateList", - &(*crl)->crl); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - gnutls_free (*crl); - return _gnutls_asn2err (result); - } - return 0; /* success */ - } - return GNUTLS_E_MEMORY_ERROR; + *crl = gnutls_calloc(1, sizeof(gnutls_x509_crl_int)); + + if (*crl) { + int result = asn1_create_element(_gnutls_get_pkix(), + "PKIX1.CertificateList", + &(*crl)->crl); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + gnutls_free(*crl); + return _gnutls_asn2err(result); + } + return 0; /* success */ + } + return GNUTLS_E_MEMORY_ERROR; } /** @@ -71,17 +68,16 @@ gnutls_x509_crl_init (gnutls_x509_crl_t * crl) * * This function will deinitialize a CRL structure. **/ -void -gnutls_x509_crl_deinit (gnutls_x509_crl_t crl) +void gnutls_x509_crl_deinit(gnutls_x509_crl_t crl) { - if (!crl) - return; + if (!crl) + return; - if (crl->crl) - asn1_delete_structure (&crl->crl); - gnutls_free(crl->raw_issuer_dn.data); + if (crl->crl) + asn1_delete_structure(&crl->crl); + gnutls_free(crl->raw_issuer_dn.data); - gnutls_free (crl); + gnutls_free(crl); } /** @@ -99,64 +95,62 @@ gnutls_x509_crl_deinit (gnutls_x509_crl_t crl) * negative error value. **/ int -gnutls_x509_crl_import (gnutls_x509_crl_t crl, - const gnutls_datum_t * data, - gnutls_x509_crt_fmt_t format) +gnutls_x509_crl_import(gnutls_x509_crl_t crl, + const gnutls_datum_t * data, + gnutls_x509_crt_fmt_t format) { - int result = 0, need_free = 0; - gnutls_datum_t _data; - - _data.data = data->data; - _data.size = data->size; - - if (crl == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - /* If the CRL is in PEM format then decode it - */ - if (format == GNUTLS_X509_FMT_PEM) - { - result = _gnutls_fbase64_decode (PEM_CRL, data->data, data->size, &_data); - - if (result < 0) - { - gnutls_assert (); - return result; - } - - need_free = 1; - } - - result = asn1_der_decoding (&crl->crl, _data.data, _data.size, NULL); - if (result != ASN1_SUCCESS) - { - result = _gnutls_asn2err (result); - gnutls_assert (); - goto cleanup; - } - - result = _gnutls_x509_get_raw_dn2 (crl->crl, &_data, - "tbsCertList.issuer.rdnSequence", - &crl->raw_issuer_dn); - if (result < 0) - { - gnutls_assert (); - goto cleanup; - } - - if (need_free) - _gnutls_free_datum (&_data); - - return 0; - -cleanup: - if (need_free) - _gnutls_free_datum (&_data); - _gnutls_free_datum (&crl->raw_issuer_dn); - return result; + int result = 0, need_free = 0; + gnutls_datum_t _data; + + _data.data = data->data; + _data.size = data->size; + + if (crl == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + /* If the CRL is in PEM format then decode it + */ + if (format == GNUTLS_X509_FMT_PEM) { + result = + _gnutls_fbase64_decode(PEM_CRL, data->data, data->size, + &_data); + + if (result < 0) { + gnutls_assert(); + return result; + } + + need_free = 1; + } + + result = + asn1_der_decoding(&crl->crl, _data.data, _data.size, NULL); + if (result != ASN1_SUCCESS) { + result = _gnutls_asn2err(result); + gnutls_assert(); + goto cleanup; + } + + result = _gnutls_x509_get_raw_dn2(crl->crl, &_data, + "tbsCertList.issuer.rdnSequence", + &crl->raw_issuer_dn); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + if (need_free) + _gnutls_free_datum(&_data); + + return 0; + + cleanup: + if (need_free) + _gnutls_free_datum(&_data); + _gnutls_free_datum(&crl->raw_issuer_dn); + return result; } @@ -179,18 +173,17 @@ cleanup: * **/ int -gnutls_x509_crl_get_issuer_dn (const gnutls_x509_crl_t crl, char *buf, - size_t * sizeof_buf) +gnutls_x509_crl_get_issuer_dn(const gnutls_x509_crl_t crl, char *buf, + size_t * sizeof_buf) { - if (crl == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - return _gnutls_x509_parse_dn (crl->crl, - "tbsCertList.issuer.rdnSequence", - buf, sizeof_buf); + if (crl == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + return _gnutls_x509_parse_dn(crl->crl, + "tbsCertList.issuer.rdnSequence", + buf, sizeof_buf); } /** @@ -220,27 +213,26 @@ gnutls_x509_crl_get_issuer_dn (const gnutls_x509_crl_t crl, char *buf, * with the required size, and 0 on success. **/ int -gnutls_x509_crl_get_issuer_dn_by_oid (gnutls_x509_crl_t crl, - const char *oid, int indx, - unsigned int raw_flag, void *buf, - size_t * sizeof_buf) +gnutls_x509_crl_get_issuer_dn_by_oid(gnutls_x509_crl_t crl, + const char *oid, int indx, + unsigned int raw_flag, void *buf, + size_t * sizeof_buf) { -gnutls_datum_t td; -int ret; - - if (crl == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - ret = _gnutls_x509_parse_dn_oid (crl->crl, - "tbsCertList.issuer.rdnSequence", - oid, indx, raw_flag, &td); - if (ret < 0) - return gnutls_assert_val(ret); - - return _gnutls_strdatum_to_buf (&td, buf, sizeof_buf); + gnutls_datum_t td; + int ret; + + if (crl == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + ret = _gnutls_x509_parse_dn_oid(crl->crl, + "tbsCertList.issuer.rdnSequence", + oid, indx, raw_flag, &td); + if (ret < 0) + return gnutls_assert_val(ret); + + return _gnutls_strdatum_to_buf(&td, buf, sizeof_buf); } @@ -261,18 +253,17 @@ int ret; * with the required size. On success 0 is returned. **/ int -gnutls_x509_crl_get_dn_oid (gnutls_x509_crl_t crl, - int indx, void *oid, size_t * sizeof_oid) +gnutls_x509_crl_get_dn_oid(gnutls_x509_crl_t crl, + int indx, void *oid, size_t * sizeof_oid) { - if (crl == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - return _gnutls_x509_get_dn_oid (crl->crl, - "tbsCertList.issuer.rdnSequence", indx, - oid, sizeof_oid); + if (crl == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + return _gnutls_x509_get_dn_oid(crl->crl, + "tbsCertList.issuer.rdnSequence", + indx, oid, sizeof_oid); } /** @@ -291,16 +282,15 @@ gnutls_x509_crl_get_dn_oid (gnutls_x509_crl_t crl, * Since: 3.1.10 **/ int -gnutls_x509_crl_get_issuer_dn2 (gnutls_x509_crl_t crl, gnutls_datum_t * dn) +gnutls_x509_crl_get_issuer_dn2(gnutls_x509_crl_t crl, gnutls_datum_t * dn) { - if (crl == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - return _gnutls_x509_get_dn (crl->crl, - "tbsCertList.issuer.rdnSequence", dn); + if (crl == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + return _gnutls_x509_get_dn(crl->crl, + "tbsCertList.issuer.rdnSequence", dn); } /** @@ -313,37 +303,34 @@ gnutls_x509_crl_get_issuer_dn2 (gnutls_x509_crl_t crl, gnutls_datum_t * dn) * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a * negative error value. **/ -int -gnutls_x509_crl_get_signature_algorithm (gnutls_x509_crl_t crl) +int gnutls_x509_crl_get_signature_algorithm(gnutls_x509_crl_t crl) { - int result; - gnutls_datum_t sa; + int result; + gnutls_datum_t sa; - if (crl == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } + if (crl == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - /* Read the signature algorithm. Note that parameters are not - * read. They will be read from the issuer's certificate if needed. - */ + /* Read the signature algorithm. Note that parameters are not + * read. They will be read from the issuer's certificate if needed. + */ - result = - _gnutls_x509_read_value (crl->crl, "signatureAlgorithm.algorithm", - &sa); + result = + _gnutls_x509_read_value(crl->crl, + "signatureAlgorithm.algorithm", &sa); - if (result < 0) - { - gnutls_assert (); - return result; - } + if (result < 0) { + gnutls_assert(); + return result; + } - result = _gnutls_x509_oid2sign_algorithm ((const char *) sa.data); + result = _gnutls_x509_oid2sign_algorithm((const char *) sa.data); - _gnutls_free_datum (&sa); + _gnutls_free_datum(&sa); - return result; + return result; } /** @@ -358,51 +345,46 @@ gnutls_x509_crl_get_signature_algorithm (gnutls_x509_crl_t crl) * negative error value. and a negative error code on error. **/ int -gnutls_x509_crl_get_signature (gnutls_x509_crl_t crl, - char *sig, size_t * sizeof_sig) +gnutls_x509_crl_get_signature(gnutls_x509_crl_t crl, + char *sig, size_t * sizeof_sig) { - int result; - unsigned int bits; - int len; - - if (crl == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - len = 0; - result = asn1_read_value (crl->crl, "signature", NULL, &len); - - if (result != ASN1_MEM_ERROR) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - bits = len; - if (bits % 8 != 0) - { - gnutls_assert (); - return GNUTLS_E_CERTIFICATE_ERROR; - } - - len = bits / 8; - - if (*sizeof_sig < (unsigned)len) - { - *sizeof_sig = bits / 8; - return GNUTLS_E_SHORT_MEMORY_BUFFER; - } - - result = asn1_read_value (crl->crl, "signature", sig, &len); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - return 0; + int result; + unsigned int bits; + int len; + + if (crl == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + len = 0; + result = asn1_read_value(crl->crl, "signature", NULL, &len); + + if (result != ASN1_MEM_ERROR) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + bits = len; + if (bits % 8 != 0) { + gnutls_assert(); + return GNUTLS_E_CERTIFICATE_ERROR; + } + + len = bits / 8; + + if (*sizeof_sig < (unsigned) len) { + *sizeof_sig = bits / 8; + return GNUTLS_E_SHORT_MEMORY_BUFFER; + } + + result = asn1_read_value(crl->crl, "signature", sig, &len); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + return 0; } /** @@ -413,28 +395,25 @@ gnutls_x509_crl_get_signature (gnutls_x509_crl_t crl, * * Returns: The version number, or a negative error code on error. **/ -int -gnutls_x509_crl_get_version (gnutls_x509_crl_t crl) +int gnutls_x509_crl_get_version(gnutls_x509_crl_t crl) { - uint8_t version[8]; - int len, result; - - if (crl == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - len = sizeof (version); - if ((result = - asn1_read_value (crl->crl, "tbsCertList.version", version, - &len)) != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - return (int) version[0] + 1; + uint8_t version[8]; + int len, result; + + if (crl == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + len = sizeof(version); + if ((result = + asn1_read_value(crl->crl, "tbsCertList.version", version, + &len)) != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + return (int) version[0] + 1; } /** @@ -445,16 +424,15 @@ gnutls_x509_crl_get_version (gnutls_x509_crl_t crl) * * Returns: when the CRL was issued, or (time_t)-1 on error. **/ -time_t -gnutls_x509_crl_get_this_update (gnutls_x509_crl_t crl) +time_t gnutls_x509_crl_get_this_update(gnutls_x509_crl_t crl) { - if (crl == NULL) - { - gnutls_assert (); - return (time_t) - 1; - } + if (crl == NULL) { + gnutls_assert(); + return (time_t) - 1; + } - return _gnutls_x509_get_time (crl->crl, "tbsCertList.thisUpdate", 0); + return _gnutls_x509_get_time(crl->crl, "tbsCertList.thisUpdate", + 0); } /** @@ -467,16 +445,15 @@ gnutls_x509_crl_get_this_update (gnutls_x509_crl_t crl) * * Returns: when the next CRL will be issued, or (time_t)-1 on error. **/ -time_t -gnutls_x509_crl_get_next_update (gnutls_x509_crl_t crl) +time_t gnutls_x509_crl_get_next_update(gnutls_x509_crl_t crl) { - if (crl == NULL) - { - gnutls_assert (); - return (time_t) - 1; - } + if (crl == NULL) { + gnutls_assert(); + return (time_t) - 1; + } - return _gnutls_x509_get_time (crl->crl, "tbsCertList.nextUpdate", 0); + return _gnutls_x509_get_time(crl->crl, "tbsCertList.nextUpdate", + 0); } /** @@ -488,29 +465,27 @@ gnutls_x509_crl_get_next_update (gnutls_x509_crl_t crl) * * Returns: number of certificates, a negative error code on failure. **/ -int -gnutls_x509_crl_get_crt_count (gnutls_x509_crl_t crl) +int gnutls_x509_crl_get_crt_count(gnutls_x509_crl_t crl) { - int count, result; + int count, result; - if (crl == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } + if (crl == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - result = - asn1_number_of_elements (crl->crl, - "tbsCertList.revokedCertificates", &count); + result = + asn1_number_of_elements(crl->crl, + "tbsCertList.revokedCertificates", + &count); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - return 0; /* no certificates */ - } + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return 0; /* no certificates */ + } - return count; + return count; } /** @@ -528,44 +503,44 @@ gnutls_x509_crl_get_crt_count (gnutls_x509_crl_t crl) * negative error value. and a negative error code on error. **/ int -gnutls_x509_crl_get_crt_serial (gnutls_x509_crl_t crl, int indx, - unsigned char *serial, - size_t * serial_size, time_t * t) +gnutls_x509_crl_get_crt_serial(gnutls_x509_crl_t crl, int indx, + unsigned char *serial, + size_t * serial_size, time_t * t) { - int result, _serial_size; - char serial_name[ASN1_MAX_NAME_SIZE]; - char date_name[ASN1_MAX_NAME_SIZE]; - - if (crl == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - snprintf (serial_name, sizeof (serial_name), - "tbsCertList.revokedCertificates.?%u.userCertificate", indx + 1); - snprintf (date_name, sizeof (date_name), - "tbsCertList.revokedCertificates.?%u.revocationDate", indx + 1); - - _serial_size = *serial_size; - result = asn1_read_value (crl->crl, serial_name, serial, &_serial_size); - - *serial_size = _serial_size; - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - if (result == ASN1_ELEMENT_NOT_FOUND) - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - return _gnutls_asn2err (result); - } - - if (t) - { - *t = _gnutls_x509_get_time (crl->crl, date_name, 0); - } - - return 0; + int result, _serial_size; + char serial_name[ASN1_MAX_NAME_SIZE]; + char date_name[ASN1_MAX_NAME_SIZE]; + + if (crl == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + snprintf(serial_name, sizeof(serial_name), + "tbsCertList.revokedCertificates.?%u.userCertificate", + indx + 1); + snprintf(date_name, sizeof(date_name), + "tbsCertList.revokedCertificates.?%u.revocationDate", + indx + 1); + + _serial_size = *serial_size; + result = + asn1_read_value(crl->crl, serial_name, serial, &_serial_size); + + *serial_size = _serial_size; + if (result != ASN1_SUCCESS) { + gnutls_assert(); + if (result == ASN1_ELEMENT_NOT_FOUND) + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + return _gnutls_asn2err(result); + } + + if (t) { + *t = _gnutls_x509_get_time(crl->crl, date_name, 0); + } + + return 0; } /** @@ -581,10 +556,11 @@ gnutls_x509_crl_get_crt_serial (gnutls_x509_crl_t crl, int indx, * Since: 2.12.0 **/ int -gnutls_x509_crl_get_raw_issuer_dn (gnutls_x509_crl_t crl, - gnutls_datum_t * dn) +gnutls_x509_crl_get_raw_issuer_dn(gnutls_x509_crl_t crl, + gnutls_datum_t * dn) { - return _gnutls_set_datum (dn, crl->raw_issuer_dn.data, crl->raw_issuer_dn.size); + return _gnutls_set_datum(dn, crl->raw_issuer_dn.data, + crl->raw_issuer_dn.size); } /** @@ -607,18 +583,17 @@ gnutls_x509_crl_get_raw_issuer_dn (gnutls_x509_crl_t crl, * negative error value. and a negative error code on failure. **/ int -gnutls_x509_crl_export (gnutls_x509_crl_t crl, - gnutls_x509_crt_fmt_t format, void *output_data, - size_t * output_data_size) +gnutls_x509_crl_export(gnutls_x509_crl_t crl, + gnutls_x509_crt_fmt_t format, void *output_data, + size_t * output_data_size) { - if (crl == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - return _gnutls_x509_export_int (crl->crl, format, PEM_CRL, - output_data, output_data_size); + if (crl == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + return _gnutls_x509_export_int(crl->crl, format, PEM_CRL, + output_data, output_data_size); } /** @@ -640,16 +615,15 @@ gnutls_x509_crl_export (gnutls_x509_crl_t crl, * Since 3.1.3 **/ int -gnutls_x509_crl_export2 (gnutls_x509_crl_t crl, - gnutls_x509_crt_fmt_t format, gnutls_datum_t *out) +gnutls_x509_crl_export2(gnutls_x509_crl_t crl, + gnutls_x509_crt_fmt_t format, gnutls_datum_t * out) { - if (crl == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } + if (crl == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - return _gnutls_x509_export_int2 (crl->crl, format, PEM_CRL, out); + return _gnutls_x509_export_int2(crl->crl, format, PEM_CRL, out); } /*- @@ -662,78 +636,71 @@ gnutls_x509_crl_export2 (gnutls_x509_crl_t crl, * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a * negative error value. -*/ -int -_gnutls_x509_crl_cpy (gnutls_x509_crl_t dest, gnutls_x509_crl_t src) +int _gnutls_x509_crl_cpy(gnutls_x509_crl_t dest, gnutls_x509_crl_t src) { - int ret; - gnutls_datum_t tmp; + int ret; + gnutls_datum_t tmp; - ret = gnutls_x509_crl_export2 (src, GNUTLS_X509_FMT_DER, &tmp); - if (ret < 0) - return gnutls_assert_val(ret); + ret = gnutls_x509_crl_export2(src, GNUTLS_X509_FMT_DER, &tmp); + if (ret < 0) + return gnutls_assert_val(ret); - ret = gnutls_x509_crl_import (dest, &tmp, GNUTLS_X509_FMT_DER); + ret = gnutls_x509_crl_import(dest, &tmp, GNUTLS_X509_FMT_DER); - gnutls_free (tmp.data); + gnutls_free(tmp.data); - if (ret < 0) - { - gnutls_assert (); - return ret; - } + if (ret < 0) { + gnutls_assert(); + return ret; + } - return 0; + return 0; } static int -_get_authority_key_id (gnutls_x509_crl_t cert, ASN1_TYPE *c2, - unsigned int *critical) +_get_authority_key_id(gnutls_x509_crl_t cert, ASN1_TYPE * c2, + unsigned int *critical) { - int ret; - gnutls_datum_t id; - - *c2 = ASN1_TYPE_EMPTY; - - if (cert == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - if ((ret = - _gnutls_x509_crl_get_extension (cert, "2.5.29.35", 0, &id, - critical)) < 0) - { - return gnutls_assert_val(ret); - } - - if (id.size == 0 || id.data == NULL) - { - gnutls_assert (); - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - } - - ret = asn1_create_element - (_gnutls_get_pkix (), "PKIX1.AuthorityKeyIdentifier", c2); - if (ret != ASN1_SUCCESS) - { - gnutls_assert (); - _gnutls_free_datum (&id); - return _gnutls_asn2err (ret); - } - - ret = asn1_der_decoding (c2, id.data, id.size, NULL); - _gnutls_free_datum (&id); - - if (ret != ASN1_SUCCESS) - { - gnutls_assert (); - asn1_delete_structure (c2); - return _gnutls_asn2err (ret); - } - - return 0; + int ret; + gnutls_datum_t id; + + *c2 = ASN1_TYPE_EMPTY; + + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + if ((ret = + _gnutls_x509_crl_get_extension(cert, "2.5.29.35", 0, &id, + critical)) < 0) { + return gnutls_assert_val(ret); + } + + if (id.size == 0 || id.data == NULL) { + gnutls_assert(); + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + } + + ret = asn1_create_element + (_gnutls_get_pkix(), "PKIX1.AuthorityKeyIdentifier", c2); + if (ret != ASN1_SUCCESS) { + gnutls_assert(); + _gnutls_free_datum(&id); + return _gnutls_asn2err(ret); + } + + ret = asn1_der_decoding(c2, id.data, id.size, NULL); + _gnutls_free_datum(&id); + + if (ret != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(c2); + return _gnutls_asn2err(ret); + } + + return 0; } /** @@ -760,52 +727,51 @@ _get_authority_key_id (gnutls_x509_crl_t cert, ASN1_TYPE *c2, * Since: 3.0 **/ int -gnutls_x509_crl_get_authority_key_gn_serial (gnutls_x509_crl_t crl, - unsigned int seq, - void *alt, - size_t * alt_size, - unsigned int *alt_type, - void* serial, - size_t *serial_size, - unsigned int *critical) +gnutls_x509_crl_get_authority_key_gn_serial(gnutls_x509_crl_t crl, + unsigned int seq, + void *alt, + size_t * alt_size, + unsigned int *alt_type, + void *serial, + size_t * serial_size, + unsigned int *critical) { - int ret, result, len; - ASN1_TYPE c2; - - ret = _get_authority_key_id(crl, &c2, critical); - if (ret < 0) - return gnutls_assert_val(ret); - - ret = - _gnutls_parse_general_name (c2, "authorityCertIssuer", seq, alt, alt_size, alt_type, - 0); - if (ret < 0) - { - ret = gnutls_assert_val(ret); - goto fail; - } - - if (serial) - { - len = *serial_size; - result = asn1_read_value (c2, "authorityCertSerialNumber", serial, &len); - - *serial_size = len; - - if (result < 0) - { - ret = _gnutls_asn2err(result); - goto fail; - } - - } - - ret = 0; - -fail: - asn1_delete_structure (&c2); - - return ret; + int ret, result, len; + ASN1_TYPE c2; + + ret = _get_authority_key_id(crl, &c2, critical); + if (ret < 0) + return gnutls_assert_val(ret); + + ret = + _gnutls_parse_general_name(c2, "authorityCertIssuer", seq, alt, + alt_size, alt_type, 0); + if (ret < 0) { + ret = gnutls_assert_val(ret); + goto fail; + } + + if (serial) { + len = *serial_size; + result = + asn1_read_value(c2, "authorityCertSerialNumber", + serial, &len); + + *serial_size = len; + + if (result < 0) { + ret = _gnutls_asn2err(result); + goto fail; + } + + } + + ret = 0; + + fail: + asn1_delete_structure(&c2); + + return ret; } @@ -831,33 +797,34 @@ fail: * Since: 2.8.0 **/ int -gnutls_x509_crl_get_authority_key_id (gnutls_x509_crl_t crl, void *id, - size_t * id_size, - unsigned int *critical) +gnutls_x509_crl_get_authority_key_id(gnutls_x509_crl_t crl, void *id, + size_t * id_size, + unsigned int *critical) { - int result, len, ret; - ASN1_TYPE c2; + int result, len, ret; + ASN1_TYPE c2; - ret = _get_authority_key_id(crl, &c2, critical); - if (ret < 0) - return gnutls_assert_val(ret); + ret = _get_authority_key_id(crl, &c2, critical); + if (ret < 0) + return gnutls_assert_val(ret); - len = *id_size; - result = asn1_read_value (c2, "keyIdentifier", id, &len); + len = *id_size; + result = asn1_read_value(c2, "keyIdentifier", id, &len); - *id_size = len; - asn1_delete_structure (&c2); + *id_size = len; + asn1_delete_structure(&c2); - if (result == ASN1_VALUE_NOT_FOUND || result == ASN1_ELEMENT_NOT_FOUND) - return gnutls_assert_val(GNUTLS_E_X509_UNSUPPORTED_EXTENSION); + if (result == ASN1_VALUE_NOT_FOUND + || result == ASN1_ELEMENT_NOT_FOUND) + return + gnutls_assert_val(GNUTLS_E_X509_UNSUPPORTED_EXTENSION); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } - return 0; + return 0; } /** @@ -877,48 +844,46 @@ gnutls_x509_crl_get_authority_key_id (gnutls_x509_crl_t crl, void *id, * Since: 2.8.0 **/ int -gnutls_x509_crl_get_number (gnutls_x509_crl_t crl, void *ret, - size_t * ret_size, unsigned int *critical) +gnutls_x509_crl_get_number(gnutls_x509_crl_t crl, void *ret, + size_t * ret_size, unsigned int *critical) { - int result; - gnutls_datum_t id; + int result; + gnutls_datum_t id; - if (crl == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } + if (crl == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - if (ret) - memset (ret, 0, *ret_size); - else - *ret_size = 0; + if (ret) + memset(ret, 0, *ret_size); + else + *ret_size = 0; - if ((result = - _gnutls_x509_crl_get_extension (crl, "2.5.29.20", 0, &id, - critical)) < 0) - { - return result; - } + if ((result = + _gnutls_x509_crl_get_extension(crl, "2.5.29.20", 0, &id, + critical)) < 0) { + return result; + } - if (id.size == 0 || id.data == NULL) - { - gnutls_assert (); - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - } + if (id.size == 0 || id.data == NULL) { + gnutls_assert(); + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + } - result = _gnutls_x509_ext_extract_number (ret, ret_size, id.data, id.size); + result = + _gnutls_x509_ext_extract_number(ret, ret_size, id.data, + id.size); - _gnutls_free_datum (&id); + _gnutls_free_datum(&id); - if (result < 0) - { - gnutls_assert (); - return result; - } + if (result < 0) { + gnutls_assert(); + return result; + } - return 0; + return 0; } /** @@ -940,24 +905,23 @@ gnutls_x509_crl_get_number (gnutls_x509_crl_t crl, void *ret, * Since: 2.8.0 **/ int -gnutls_x509_crl_get_extension_oid (gnutls_x509_crl_t crl, int indx, - void *oid, size_t * sizeof_oid) +gnutls_x509_crl_get_extension_oid(gnutls_x509_crl_t crl, int indx, + void *oid, size_t * sizeof_oid) { - int result; + int result; - if (crl == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } + if (crl == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - result = _gnutls_x509_crl_get_extension_oid (crl, indx, oid, sizeof_oid); - if (result < 0) - { - return result; - } + result = + _gnutls_x509_crl_get_extension_oid(crl, indx, oid, sizeof_oid); + if (result < 0) { + return result; + } - return 0; + return 0; } @@ -987,55 +951,51 @@ gnutls_x509_crl_get_extension_oid (gnutls_x509_crl_t crl, int indx, * Since: 2.8.0 **/ int -gnutls_x509_crl_get_extension_info (gnutls_x509_crl_t crl, int indx, - void *oid, size_t * sizeof_oid, - unsigned int *critical) +gnutls_x509_crl_get_extension_info(gnutls_x509_crl_t crl, int indx, + void *oid, size_t * sizeof_oid, + unsigned int *critical) { - int result; - char str_critical[10]; - char name[ASN1_MAX_NAME_SIZE]; - int len; - - if (!crl) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - snprintf (name, sizeof (name), "tbsCertList.crlExtensions.?%u.extnID", - indx + 1); - - len = *sizeof_oid; - result = asn1_read_value (crl->crl, name, oid, &len); - *sizeof_oid = len; - - if (result == ASN1_ELEMENT_NOT_FOUND) - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - else if (result != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - snprintf (name, sizeof (name), "tbsCertList.crlExtensions.?%u.critical", - indx + 1); - len = sizeof (str_critical); - result = asn1_read_value (crl->crl, name, str_critical, &len); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - if (critical) - { - if (str_critical[0] == 'T') - *critical = 1; - else - *critical = 0; - } - - return 0; + int result; + char str_critical[10]; + char name[ASN1_MAX_NAME_SIZE]; + int len; + + if (!crl) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + snprintf(name, sizeof(name), + "tbsCertList.crlExtensions.?%u.extnID", indx + 1); + + len = *sizeof_oid; + result = asn1_read_value(crl->crl, name, oid, &len); + *sizeof_oid = len; + + if (result == ASN1_ELEMENT_NOT_FOUND) + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + else if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + snprintf(name, sizeof(name), + "tbsCertList.crlExtensions.?%u.critical", indx + 1); + len = sizeof(str_critical); + result = asn1_read_value(crl->crl, name, str_critical, &len); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + if (critical) { + if (str_critical[0] == 'T') + *critical = 1; + else + *critical = 0; + } + + return 0; } @@ -1063,34 +1023,32 @@ gnutls_x509_crl_get_extension_info (gnutls_x509_crl_t crl, int indx, * Since: 2.8.0 **/ int -gnutls_x509_crl_get_extension_data (gnutls_x509_crl_t crl, int indx, - void *data, size_t * sizeof_data) +gnutls_x509_crl_get_extension_data(gnutls_x509_crl_t crl, int indx, + void *data, size_t * sizeof_data) { - int result, len; - char name[ASN1_MAX_NAME_SIZE]; - - if (!crl) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - snprintf (name, sizeof (name), "tbsCertList.crlExtensions.?%u.extnValue", - indx + 1); - - len = *sizeof_data; - result = asn1_read_value (crl->crl, name, data, &len); - *sizeof_data = len; - - if (result == ASN1_ELEMENT_NOT_FOUND) - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - else if (result < 0) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - return 0; + int result, len; + char name[ASN1_MAX_NAME_SIZE]; + + if (!crl) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + snprintf(name, sizeof(name), + "tbsCertList.crlExtensions.?%u.extnValue", indx + 1); + + len = *sizeof_data; + result = asn1_read_value(crl->crl, name, data, &len); + *sizeof_data = len; + + if (result == ASN1_ELEMENT_NOT_FOUND) + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + else if (result < 0) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + return 0; } /** @@ -1113,43 +1071,46 @@ gnutls_x509_crl_get_extension_data (gnutls_x509_crl_t crl, int indx, * Since: 3.0 **/ int -gnutls_x509_crl_list_import2 (gnutls_x509_crl_t ** crls, - unsigned int * size, - const gnutls_datum_t * data, - gnutls_x509_crt_fmt_t format, unsigned int flags) +gnutls_x509_crl_list_import2(gnutls_x509_crl_t ** crls, + unsigned int *size, + const gnutls_datum_t * data, + gnutls_x509_crt_fmt_t format, + unsigned int flags) { -unsigned int init = 1024; -int ret; - - *crls = gnutls_malloc(sizeof(gnutls_x509_crl_t)*init); - if (*crls == NULL) - { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - ret = gnutls_x509_crl_list_import(*crls, &init, data, format, GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED); - if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER) - { - *crls = gnutls_realloc_fast(*crls, sizeof(gnutls_x509_crl_t)*init); - if (*crls == NULL) - { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - ret = gnutls_x509_crl_list_import(*crls, &init, data, format, flags); - } - - if (ret < 0) - { - gnutls_free(*crls); - *crls = NULL; - return ret; - } - - *size = init; - return 0; + unsigned int init = 1024; + int ret; + + *crls = gnutls_malloc(sizeof(gnutls_x509_crl_t) * init); + if (*crls == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + ret = + gnutls_x509_crl_list_import(*crls, &init, data, format, + GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED); + if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER) { + *crls = + gnutls_realloc_fast(*crls, + sizeof(gnutls_x509_crl_t) * init); + if (*crls == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + ret = + gnutls_x509_crl_list_import(*crls, &init, data, format, + flags); + } + + if (ret < 0) { + gnutls_free(*crls); + *crls = NULL; + return ret; + } + + *size = init; + return 0; } /** @@ -1171,116 +1132,110 @@ int ret; * Since: 3.0 **/ int -gnutls_x509_crl_list_import (gnutls_x509_crl_t * crls, - unsigned int *crl_max, - const gnutls_datum_t * data, - gnutls_x509_crt_fmt_t format, unsigned int flags) +gnutls_x509_crl_list_import(gnutls_x509_crl_t * crls, + unsigned int *crl_max, + const gnutls_datum_t * data, + gnutls_x509_crt_fmt_t format, + unsigned int flags) { - int size; - const char *ptr; - gnutls_datum_t tmp; - int ret, nocopy = 0; - unsigned int count = 0, j; - - if (format == GNUTLS_X509_FMT_DER) - { - if (*crl_max < 1) - { - *crl_max = 1; - return GNUTLS_E_SHORT_MEMORY_BUFFER; - } - - count = 1; /* import only the first one */ - - ret = gnutls_x509_crl_init (&crls[0]); - if (ret < 0) - { - gnutls_assert (); - goto error; - } - - ret = gnutls_x509_crl_import (crls[0], data, format); - if (ret < 0) - { - gnutls_assert (); - goto error; - } - - *crl_max = 1; - return 1; - } - - /* move to the certificate - */ - ptr = memmem (data->data, data->size, - PEM_CRL_SEP, sizeof (PEM_CRL_SEP) - 1); - if (ptr == NULL) - { - gnutls_assert (); - return GNUTLS_E_BASE64_DECODING_ERROR; - } - - count = 0; - - do - { - if (count >= *crl_max) - { - if (!(flags & GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED)) - break; - else - nocopy = 1; - } - - if (!nocopy) - { - ret = gnutls_x509_crl_init (&crls[count]); - if (ret < 0) - { - gnutls_assert (); - goto error; - } - - tmp.data = (void *) ptr; - tmp.size = data->size - (ptr - (char *) data->data); - - ret = - gnutls_x509_crl_import (crls[count], &tmp, GNUTLS_X509_FMT_PEM); - if (ret < 0) - { - gnutls_assert (); - goto error; - } - } - - /* now we move ptr after the pem header - */ - ptr++; - /* find the next certificate (if any) - */ - size = data->size - (ptr - (char *) data->data); - - if (size > 0) - { - ptr = memmem (ptr, size, PEM_CRL_SEP, sizeof (PEM_CRL_SEP) - 1); - } - else - ptr = NULL; - - count++; - } - while (ptr != NULL); - - *crl_max = count; - - if (nocopy == 0) - return count; - else - return GNUTLS_E_SHORT_MEMORY_BUFFER; - -error: - for (j = 0; j < count; j++) - gnutls_x509_crl_deinit (crls[j]); - return ret; + int size; + const char *ptr; + gnutls_datum_t tmp; + int ret, nocopy = 0; + unsigned int count = 0, j; + + if (format == GNUTLS_X509_FMT_DER) { + if (*crl_max < 1) { + *crl_max = 1; + return GNUTLS_E_SHORT_MEMORY_BUFFER; + } + + count = 1; /* import only the first one */ + + ret = gnutls_x509_crl_init(&crls[0]); + if (ret < 0) { + gnutls_assert(); + goto error; + } + + ret = gnutls_x509_crl_import(crls[0], data, format); + if (ret < 0) { + gnutls_assert(); + goto error; + } + + *crl_max = 1; + return 1; + } + + /* move to the certificate + */ + ptr = memmem(data->data, data->size, + PEM_CRL_SEP, sizeof(PEM_CRL_SEP) - 1); + if (ptr == NULL) { + gnutls_assert(); + return GNUTLS_E_BASE64_DECODING_ERROR; + } + + count = 0; + + do { + if (count >= *crl_max) { + if (! + (flags & + GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED)) + break; + else + nocopy = 1; + } + + if (!nocopy) { + ret = gnutls_x509_crl_init(&crls[count]); + if (ret < 0) { + gnutls_assert(); + goto error; + } + + tmp.data = (void *) ptr; + tmp.size = + data->size - (ptr - (char *) data->data); + + ret = + gnutls_x509_crl_import(crls[count], &tmp, + GNUTLS_X509_FMT_PEM); + if (ret < 0) { + gnutls_assert(); + goto error; + } + } + + /* now we move ptr after the pem header + */ + ptr++; + /* find the next certificate (if any) + */ + size = data->size - (ptr - (char *) data->data); + + if (size > 0) { + ptr = + memmem(ptr, size, PEM_CRL_SEP, + sizeof(PEM_CRL_SEP) - 1); + } else + ptr = NULL; + + count++; + } + while (ptr != NULL); + + *crl_max = count; + + if (nocopy == 0) + return count; + else + return GNUTLS_E_SHORT_MEMORY_BUFFER; + + error: + for (j = 0; j < count; j++) + gnutls_x509_crl_deinit(crls[j]); + return ret; } - diff --git a/lib/x509/crl_write.c b/lib/x509/crl_write.c index 5b2210bf75..24d5bf029d 100644 --- a/lib/x509/crl_write.c +++ b/lib/x509/crl_write.c @@ -34,7 +34,7 @@ #include <x509_int.h> #include <libtasn1.h> -static void disable_optional_stuff (gnutls_x509_crl_t crl); +static void disable_optional_stuff(gnutls_x509_crl_t crl); /** * gnutls_x509_crl_set_version: @@ -49,28 +49,27 @@ static void disable_optional_stuff (gnutls_x509_crl_t crl); * negative error value. **/ int -gnutls_x509_crl_set_version (gnutls_x509_crl_t crl, unsigned int version) +gnutls_x509_crl_set_version(gnutls_x509_crl_t crl, unsigned int version) { - int result; - uint8_t null = version & 0xFF; - - if (crl == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - if (null > 0) - null -= 1; - - result = asn1_write_value (crl->crl, "tbsCertList.version", &null, 1); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - return 0; + int result; + uint8_t null = version & 0xFF; + + if (crl == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + if (null > 0) + null -= 1; + + result = + asn1_write_value(crl->crl, "tbsCertList.version", &null, 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + return 0; } /** @@ -92,46 +91,43 @@ gnutls_x509_crl_set_version (gnutls_x509_crl_t crl, unsigned int version) * **/ int -gnutls_x509_crl_sign2 (gnutls_x509_crl_t crl, gnutls_x509_crt_t issuer, - gnutls_x509_privkey_t issuer_key, - gnutls_digest_algorithm_t dig, unsigned int flags) +gnutls_x509_crl_sign2(gnutls_x509_crl_t crl, gnutls_x509_crt_t issuer, + gnutls_x509_privkey_t issuer_key, + gnutls_digest_algorithm_t dig, unsigned int flags) { - int result; - gnutls_privkey_t privkey; - - if (crl == NULL || issuer == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - result = gnutls_privkey_init (&privkey); - if (result < 0) - { - gnutls_assert (); - return result; - } - - result = gnutls_privkey_import_x509 (privkey, issuer_key, 0); - if (result < 0) - { - gnutls_assert (); - goto fail; - } - - result = gnutls_x509_crl_privkey_sign (crl, issuer, privkey, dig, flags); - if (result < 0) - { - gnutls_assert (); - goto fail; - } - - result = 0; - -fail: - gnutls_privkey_deinit (privkey); - - return result; + int result; + gnutls_privkey_t privkey; + + if (crl == NULL || issuer == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + result = gnutls_privkey_init(&privkey); + if (result < 0) { + gnutls_assert(); + return result; + } + + result = gnutls_privkey_import_x509(privkey, issuer_key, 0); + if (result < 0) { + gnutls_assert(); + goto fail; + } + + result = + gnutls_x509_crl_privkey_sign(crl, issuer, privkey, dig, flags); + if (result < 0) { + gnutls_assert(); + goto fail; + } + + result = 0; + + fail: + gnutls_privkey_deinit(privkey); + + return result; } /** @@ -149,10 +145,11 @@ fail: * Deprecated: Use gnutls_x509_crl_privkey_sign(). */ int -gnutls_x509_crl_sign (gnutls_x509_crl_t crl, gnutls_x509_crt_t issuer, - gnutls_x509_privkey_t issuer_key) +gnutls_x509_crl_sign(gnutls_x509_crl_t crl, gnutls_x509_crt_t issuer, + gnutls_x509_privkey_t issuer_key) { - return gnutls_x509_crl_sign2 (crl, issuer, issuer_key, GNUTLS_DIG_SHA1, 0); + return gnutls_x509_crl_sign2(crl, issuer, issuer_key, + GNUTLS_DIG_SHA1, 0); } /** @@ -165,16 +162,15 @@ gnutls_x509_crl_sign (gnutls_x509_crl_t crl, gnutls_x509_crt_t issuer, * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a * negative error value. **/ -int -gnutls_x509_crl_set_this_update (gnutls_x509_crl_t crl, time_t act_time) +int gnutls_x509_crl_set_this_update(gnutls_x509_crl_t crl, time_t act_time) { - if (crl == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } + if (crl == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - return _gnutls_x509_set_time (crl->crl, "tbsCertList.thisUpdate", act_time, 0); + return _gnutls_x509_set_time(crl->crl, "tbsCertList.thisUpdate", + act_time, 0); } /** @@ -187,15 +183,14 @@ gnutls_x509_crl_set_this_update (gnutls_x509_crl_t crl, time_t act_time) * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a * negative error value. **/ -int -gnutls_x509_crl_set_next_update (gnutls_x509_crl_t crl, time_t exp_time) +int gnutls_x509_crl_set_next_update(gnutls_x509_crl_t crl, time_t exp_time) { - if (crl == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - return _gnutls_x509_set_time (crl->crl, "tbsCertList.nextUpdate", exp_time, 0); + if (crl == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + return _gnutls_x509_set_time(crl->crl, "tbsCertList.nextUpdate", + exp_time, 0); } /** @@ -211,57 +206,53 @@ gnutls_x509_crl_set_next_update (gnutls_x509_crl_t crl, time_t exp_time) * negative error value. **/ int -gnutls_x509_crl_set_crt_serial (gnutls_x509_crl_t crl, - const void *serial, size_t serial_size, - time_t revocation_time) +gnutls_x509_crl_set_crt_serial(gnutls_x509_crl_t crl, + const void *serial, size_t serial_size, + time_t revocation_time) { - int ret; - - if (crl == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - ret = - asn1_write_value (crl->crl, "tbsCertList.revokedCertificates", "NEW", 1); - if (ret != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (ret); - } - - ret = - asn1_write_value (crl->crl, - "tbsCertList.revokedCertificates.?LAST.userCertificate", - serial, serial_size); - if (ret != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (ret); - } - - ret = - _gnutls_x509_set_time (crl->crl, - "tbsCertList.revokedCertificates.?LAST.revocationDate", - revocation_time, 0); - if (ret < 0) - { - gnutls_assert (); - return ret; - } - - ret = - asn1_write_value (crl->crl, - "tbsCertList.revokedCertificates.?LAST.crlEntryExtensions", - NULL, 0); - if (ret != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (ret); - } - - return 0; + int ret; + + if (crl == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + ret = + asn1_write_value(crl->crl, "tbsCertList.revokedCertificates", + "NEW", 1); + if (ret != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(ret); + } + + ret = + asn1_write_value(crl->crl, + "tbsCertList.revokedCertificates.?LAST.userCertificate", + serial, serial_size); + if (ret != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(ret); + } + + ret = + _gnutls_x509_set_time(crl->crl, + "tbsCertList.revokedCertificates.?LAST.revocationDate", + revocation_time, 0); + if (ret < 0) { + gnutls_assert(); + return ret; + } + + ret = + asn1_write_value(crl->crl, + "tbsCertList.revokedCertificates.?LAST.crlEntryExtensions", + NULL, 0); + if (ret != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(ret); + } + + return 0; } /** @@ -276,53 +267,49 @@ gnutls_x509_crl_set_crt_serial (gnutls_x509_crl_t crl, * negative error value. **/ int -gnutls_x509_crl_set_crt (gnutls_x509_crl_t crl, gnutls_x509_crt_t crt, - time_t revocation_time) +gnutls_x509_crl_set_crt(gnutls_x509_crl_t crl, gnutls_x509_crt_t crt, + time_t revocation_time) { - int ret; - uint8_t serial[128]; - size_t serial_size; - - if (crl == NULL || crt == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - serial_size = sizeof (serial); - ret = gnutls_x509_crt_get_serial (crt, serial, &serial_size); - if (ret < 0) - { - gnutls_assert (); - return ret; - } - - ret = - gnutls_x509_crl_set_crt_serial (crl, serial, serial_size, - revocation_time); - if (ret < 0) - { - gnutls_assert (); - return _gnutls_asn2err (ret); - } - - return 0; + int ret; + uint8_t serial[128]; + size_t serial_size; + + if (crl == NULL || crt == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + serial_size = sizeof(serial); + ret = gnutls_x509_crt_get_serial(crt, serial, &serial_size); + if (ret < 0) { + gnutls_assert(); + return ret; + } + + ret = + gnutls_x509_crl_set_crt_serial(crl, serial, serial_size, + revocation_time); + if (ret < 0) { + gnutls_assert(); + return _gnutls_asn2err(ret); + } + + return 0; } /* If OPTIONAL fields have not been initialized then * disable them. */ -static void -disable_optional_stuff (gnutls_x509_crl_t crl) +static void disable_optional_stuff(gnutls_x509_crl_t crl) { - if (crl->use_extensions == 0) - { - asn1_write_value (crl->crl, "tbsCertList.crlExtensions", NULL, 0); - } + if (crl->use_extensions == 0) { + asn1_write_value(crl->crl, "tbsCertList.crlExtensions", + NULL, 0); + } - return; + return; } /** @@ -342,54 +329,52 @@ disable_optional_stuff (gnutls_x509_crl_t crl) * Since: 2.8.0 **/ int -gnutls_x509_crl_set_authority_key_id (gnutls_x509_crl_t crl, - const void *id, size_t id_size) +gnutls_x509_crl_set_authority_key_id(gnutls_x509_crl_t crl, + const void *id, size_t id_size) { - int result; - gnutls_datum_t old_id, der_data; - unsigned int critical; - - if (crl == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - /* Check if the extension already exists. - */ - result = - _gnutls_x509_crl_get_extension (crl, "2.5.29.35", 0, &old_id, &critical); - - if (result >= 0) - _gnutls_free_datum (&old_id); - if (result != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - /* generate the extension. - */ - result = _gnutls_x509_ext_gen_auth_key_id (id, id_size, &der_data); - if (result < 0) - { - gnutls_assert (); - return result; - } - - result = _gnutls_x509_crl_set_extension (crl, "2.5.29.35", &der_data, 0); - - _gnutls_free_datum (&der_data); - - if (result < 0) - { - gnutls_assert (); - return result; - } - - crl->use_extensions = 1; - - return 0; + int result; + gnutls_datum_t old_id, der_data; + unsigned int critical; + + if (crl == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + /* Check if the extension already exists. + */ + result = + _gnutls_x509_crl_get_extension(crl, "2.5.29.35", 0, &old_id, + &critical); + + if (result >= 0) + _gnutls_free_datum(&old_id); + if (result != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + /* generate the extension. + */ + result = _gnutls_x509_ext_gen_auth_key_id(id, id_size, &der_data); + if (result < 0) { + gnutls_assert(); + return result; + } + + result = + _gnutls_x509_crl_set_extension(crl, "2.5.29.35", &der_data, 0); + + _gnutls_free_datum(&der_data); + + if (result < 0) { + gnutls_assert(); + return result; + } + + crl->use_extensions = 1; + + return 0; } /** @@ -408,54 +393,52 @@ gnutls_x509_crl_set_authority_key_id (gnutls_x509_crl_t crl, * Since: 2.8.0 **/ int -gnutls_x509_crl_set_number (gnutls_x509_crl_t crl, - const void *nr, size_t nr_size) +gnutls_x509_crl_set_number(gnutls_x509_crl_t crl, + const void *nr, size_t nr_size) { - int result; - gnutls_datum_t old_id, der_data; - unsigned int critical; - - if (crl == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - /* Check if the extension already exists. - */ - result = - _gnutls_x509_crl_get_extension (crl, "2.5.29.20", 0, &old_id, &critical); - - if (result >= 0) - _gnutls_free_datum (&old_id); - if (result != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - /* generate the extension. - */ - result = _gnutls_x509_ext_gen_number (nr, nr_size, &der_data); - if (result < 0) - { - gnutls_assert (); - return result; - } - - result = _gnutls_x509_crl_set_extension (crl, "2.5.29.20", &der_data, 0); - - _gnutls_free_datum (&der_data); - - if (result < 0) - { - gnutls_assert (); - return result; - } - - crl->use_extensions = 1; - - return 0; + int result; + gnutls_datum_t old_id, der_data; + unsigned int critical; + + if (crl == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + /* Check if the extension already exists. + */ + result = + _gnutls_x509_crl_get_extension(crl, "2.5.29.20", 0, &old_id, + &critical); + + if (result >= 0) + _gnutls_free_datum(&old_id); + if (result != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + /* generate the extension. + */ + result = _gnutls_x509_ext_gen_number(nr, nr_size, &der_data); + if (result < 0) { + gnutls_assert(); + return result; + } + + result = + _gnutls_x509_crl_set_extension(crl, "2.5.29.20", &der_data, 0); + + _gnutls_free_datum(&der_data); + + if (result < 0) { + gnutls_assert(); + return result; + } + + crl->use_extensions = 1; + + return 0; } /** @@ -478,31 +461,29 @@ gnutls_x509_crl_set_number (gnutls_x509_crl_t crl, * Since 2.12.0 **/ int -gnutls_x509_crl_privkey_sign (gnutls_x509_crl_t crl, gnutls_x509_crt_t issuer, - gnutls_privkey_t issuer_key, - gnutls_digest_algorithm_t dig, - unsigned int flags) +gnutls_x509_crl_privkey_sign(gnutls_x509_crl_t crl, + gnutls_x509_crt_t issuer, + gnutls_privkey_t issuer_key, + gnutls_digest_algorithm_t dig, + unsigned int flags) { - int result; - - if (crl == NULL || issuer == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - /* disable all the unneeded OPTIONAL fields. - */ - disable_optional_stuff (crl); - - result = _gnutls_x509_pkix_sign (crl->crl, "tbsCertList", - dig, issuer, issuer_key); - if (result < 0) - { - gnutls_assert (); - return result; - } - - return 0; -} + int result; + + if (crl == NULL || issuer == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + /* disable all the unneeded OPTIONAL fields. + */ + disable_optional_stuff(crl); + result = _gnutls_x509_pkix_sign(crl->crl, "tbsCertList", + dig, issuer, issuer_key); + if (result < 0) { + gnutls_assert(); + return result; + } + + return 0; +} diff --git a/lib/x509/crq.c b/lib/x509/crq.c index 01803c56b4..4e28fedd7c 100644 --- a/lib/x509/crq.c +++ b/lib/x509/crq.c @@ -46,26 +46,24 @@ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a * negative error value. **/ -int -gnutls_x509_crq_init (gnutls_x509_crq_t * crq) +int gnutls_x509_crq_init(gnutls_x509_crq_t * crq) { - int result; - - *crq = gnutls_calloc (1, sizeof (gnutls_x509_crq_int)); - if (!*crq) - return GNUTLS_E_MEMORY_ERROR; - - result = asn1_create_element (_gnutls_get_pkix (), - "PKIX1.pkcs-10-CertificationRequest", - &((*crq)->crq)); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - gnutls_free (*crq); - return _gnutls_asn2err (result); - } - - return 0; + int result; + + *crq = gnutls_calloc(1, sizeof(gnutls_x509_crq_int)); + if (!*crq) + return GNUTLS_E_MEMORY_ERROR; + + result = asn1_create_element(_gnutls_get_pkix(), + "PKIX1.pkcs-10-CertificationRequest", + &((*crq)->crq)); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + gnutls_free(*crq); + return _gnutls_asn2err(result); + } + + return 0; } /** @@ -75,16 +73,15 @@ gnutls_x509_crq_init (gnutls_x509_crq_t * crq) * This function will deinitialize a PKCS#10 certificate request * structure. **/ -void -gnutls_x509_crq_deinit (gnutls_x509_crq_t crq) +void gnutls_x509_crq_deinit(gnutls_x509_crq_t crq) { - if (!crq) - return; + if (!crq) + return; - if (crq->crq) - asn1_delete_structure (&crq->crq); + if (crq->crq) + asn1_delete_structure(&crq->crq); - gnutls_free (crq); + gnutls_free(crq); } #define PEM_CRQ "NEW CERTIFICATE REQUEST" @@ -107,56 +104,56 @@ gnutls_x509_crq_deinit (gnutls_x509_crq_t crq) * negative error value. **/ int -gnutls_x509_crq_import (gnutls_x509_crq_t crq, - const gnutls_datum_t * data, - gnutls_x509_crt_fmt_t format) +gnutls_x509_crq_import(gnutls_x509_crq_t crq, + const gnutls_datum_t * data, + gnutls_x509_crt_fmt_t format) { - int result = 0, need_free = 0; - gnutls_datum_t _data; - - if (crq == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - _data.data = data->data; - _data.size = data->size; - - /* If the Certificate is in PEM format then decode it - */ - if (format == GNUTLS_X509_FMT_PEM) - { - /* Try the first header */ - result = _gnutls_fbase64_decode (PEM_CRQ, data->data, data->size, &_data); - - if (result < 0) /* Go for the second header */ - result = - _gnutls_fbase64_decode (PEM_CRQ2, data->data, data->size, &_data); - - if (result < 0) - { - gnutls_assert (); - return result; - } - - need_free = 1; - } - - result = asn1_der_decoding (&crq->crq, _data.data, _data.size, NULL); - if (result != ASN1_SUCCESS) - { - result = _gnutls_asn2err (result); - gnutls_assert (); - goto cleanup; - } - - result = 0; - -cleanup: - if (need_free) - _gnutls_free_datum (&_data); - return result; + int result = 0, need_free = 0; + gnutls_datum_t _data; + + if (crq == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + _data.data = data->data; + _data.size = data->size; + + /* If the Certificate is in PEM format then decode it + */ + if (format == GNUTLS_X509_FMT_PEM) { + /* Try the first header */ + result = + _gnutls_fbase64_decode(PEM_CRQ, data->data, data->size, + &_data); + + if (result < 0) /* Go for the second header */ + result = + _gnutls_fbase64_decode(PEM_CRQ2, data->data, + data->size, &_data); + + if (result < 0) { + gnutls_assert(); + return result; + } + + need_free = 1; + } + + result = + asn1_der_decoding(&crq->crq, _data.data, _data.size, NULL); + if (result != ASN1_SUCCESS) { + result = _gnutls_asn2err(result); + gnutls_assert(); + goto cleanup; + } + + result = 0; + + cleanup: + if (need_free) + _gnutls_free_datum(&_data); + return result; } /** @@ -173,56 +170,54 @@ cleanup: * if the extension is not present, otherwise a negative error value. **/ int -gnutls_x509_crq_get_private_key_usage_period (gnutls_x509_crq_t crq, time_t* activation, time_t* expiration, - unsigned int *critical) +gnutls_x509_crq_get_private_key_usage_period(gnutls_x509_crq_t crq, + time_t * activation, + time_t * expiration, + unsigned int *critical) { - int result, ret; - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - uint8_t buf[128]; - size_t buf_size = sizeof (buf); - - if (crq == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - ret = gnutls_x509_crq_get_extension_by_oid (crq, "2.5.29.16", 0, - buf, &buf_size, critical); - if (ret < 0) - return gnutls_assert_val(ret); - - result = asn1_create_element - (_gnutls_get_pkix (), "PKIX1.PrivateKeyUsagePeriod", &c2); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - ret = _gnutls_asn2err (result); - goto cleanup; - } - - result = asn1_der_decoding (&c2, buf, buf_size, NULL); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - ret = _gnutls_asn2err (result); - goto cleanup; - } - - if (activation) - *activation = _gnutls_x509_get_time (c2, - "notBefore", 1); - - if (expiration) - *expiration = _gnutls_x509_get_time (c2, - "notAfter", 1); - - ret = 0; - -cleanup: - asn1_delete_structure (&c2); - - return ret; + int result, ret; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + uint8_t buf[128]; + size_t buf_size = sizeof(buf); + + if (crq == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + ret = gnutls_x509_crq_get_extension_by_oid(crq, "2.5.29.16", 0, + buf, &buf_size, + critical); + if (ret < 0) + return gnutls_assert_val(ret); + + result = asn1_create_element + (_gnutls_get_pkix(), "PKIX1.PrivateKeyUsagePeriod", &c2); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + ret = _gnutls_asn2err(result); + goto cleanup; + } + + result = asn1_der_decoding(&c2, buf, buf_size, NULL); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + ret = _gnutls_asn2err(result); + goto cleanup; + } + + if (activation) + *activation = _gnutls_x509_get_time(c2, "notBefore", 1); + + if (expiration) + *expiration = _gnutls_x509_get_time(c2, "notAfter", 1); + + ret = 0; + + cleanup: + asn1_delete_structure(&c2); + + return ret; } @@ -243,17 +238,16 @@ cleanup: * the required size. On success 0 is returned. **/ int -gnutls_x509_crq_get_dn (gnutls_x509_crq_t crq, char *buf, size_t * buf_size) +gnutls_x509_crq_get_dn(gnutls_x509_crq_t crq, char *buf, size_t * buf_size) { - if (crq == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - return _gnutls_x509_parse_dn (crq->crq, - "certificationRequestInfo.subject.rdnSequence", - buf, buf_size); + if (crq == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + return _gnutls_x509_parse_dn(crq->crq, + "certificationRequestInfo.subject.rdnSequence", + buf, buf_size); } /** @@ -271,17 +265,16 @@ gnutls_x509_crq_get_dn (gnutls_x509_crq_t crq, char *buf, size_t * buf_size) * * Since: 3.1.10 **/ -int -gnutls_x509_crq_get_dn2 (gnutls_x509_crq_t crq, gnutls_datum_t * dn) +int gnutls_x509_crq_get_dn2(gnutls_x509_crq_t crq, gnutls_datum_t * dn) { - if (crq == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - return _gnutls_x509_get_dn (crq->crq, - "certificationRequestInfo.subject.rdnSequence", dn); + if (crq == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + return _gnutls_x509_get_dn(crq->crq, + "certificationRequestInfo.subject.rdnSequence", + dn); } /** @@ -310,27 +303,26 @@ gnutls_x509_crq_get_dn2 (gnutls_x509_crq_t crq, gnutls_datum_t * dn) * updated with the required size. On success 0 is returned. **/ int -gnutls_x509_crq_get_dn_by_oid (gnutls_x509_crq_t crq, const char *oid, - int indx, unsigned int raw_flag, - void *buf, size_t * buf_size) +gnutls_x509_crq_get_dn_by_oid(gnutls_x509_crq_t crq, const char *oid, + int indx, unsigned int raw_flag, + void *buf, size_t * buf_size) { -gnutls_datum_t td; -int ret; - - if (crq == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - ret = _gnutls_x509_parse_dn_oid - (crq->crq, - "certificationRequestInfo.subject.rdnSequence", - oid, indx, raw_flag, &td); - if (ret < 0) - return gnutls_assert_val(ret); - - return _gnutls_strdatum_to_buf (&td, buf, buf_size); + gnutls_datum_t td; + int ret; + + if (crq == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + ret = _gnutls_x509_parse_dn_oid + (crq->crq, + "certificationRequestInfo.subject.rdnSequence", + oid, indx, raw_flag, &td); + if (ret < 0) + return gnutls_assert_val(ret); + + return _gnutls_strdatum_to_buf(&td, buf, buf_size); } /** @@ -348,18 +340,17 @@ int ret; * updated with the required size. On success 0 is returned. **/ int -gnutls_x509_crq_get_dn_oid (gnutls_x509_crq_t crq, - int indx, void *oid, size_t * sizeof_oid) +gnutls_x509_crq_get_dn_oid(gnutls_x509_crq_t crq, + int indx, void *oid, size_t * sizeof_oid) { - if (crq == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - return _gnutls_x509_get_dn_oid (crq->crq, - "certificationRequestInfo.subject.rdnSequence", - indx, oid, sizeof_oid); + if (crq == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + return _gnutls_x509_get_dn_oid(crq->crq, + "certificationRequestInfo.subject.rdnSequence", + indx, oid, sizeof_oid); } /* Parses an Attribute list in the asn1_struct, and searches for the @@ -373,116 +364,113 @@ gnutls_x509_crq_get_dn_oid (gnutls_x509_crq_t crq, * */ static int -parse_attribute (ASN1_TYPE asn1_struct, - const char *attr_name, const char *given_oid, int indx, - int raw, gnutls_datum_t * out) +parse_attribute(ASN1_TYPE asn1_struct, + const char *attr_name, const char *given_oid, int indx, + int raw, gnutls_datum_t * out) { - int k1, result; - char tmpbuffer1[ASN1_MAX_NAME_SIZE]; - char tmpbuffer3[ASN1_MAX_NAME_SIZE]; - char value[200]; - gnutls_datum_t td; - char oid[MAX_OID_SIZE]; - int len; - - k1 = 0; - do - { - - k1++; - /* create a string like "attribute.?1" - */ - if (attr_name[0] != 0) - snprintf (tmpbuffer1, sizeof (tmpbuffer1), "%s.?%u", attr_name, k1); - else - snprintf (tmpbuffer1, sizeof (tmpbuffer1), "?%u", k1); - - len = sizeof (value) - 1; - result = asn1_read_value (asn1_struct, tmpbuffer1, value, &len); - - if (result == ASN1_ELEMENT_NOT_FOUND) - { - gnutls_assert (); - break; - } - - if (result != ASN1_VALUE_NOT_FOUND) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - - /* Move to the attibute type and values - */ - /* Read the OID - */ - _gnutls_str_cpy (tmpbuffer3, sizeof (tmpbuffer3), tmpbuffer1); - _gnutls_str_cat (tmpbuffer3, sizeof (tmpbuffer3), ".type"); - - len = sizeof (oid) - 1; - result = asn1_read_value (asn1_struct, tmpbuffer3, oid, &len); - - if (result == ASN1_ELEMENT_NOT_FOUND) - break; - else if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - - if (strcmp (oid, given_oid) == 0) - { /* Found the OID */ - - /* Read the Value - */ - snprintf (tmpbuffer3, sizeof (tmpbuffer3), "%s.values.?%u", - tmpbuffer1, indx + 1); - - len = sizeof (value) - 1; - result = _gnutls_x509_read_value (asn1_struct, tmpbuffer3, &td); - - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - - if (raw == 0) - { - result = - _gnutls_x509_dn_to_string - (oid, td.data, td.size, out); - - _gnutls_free_datum(&td); - - if (result < 0) - { - gnutls_assert (); - goto cleanup; - } - return 0; - } - else - { /* raw!=0 */ - out->data = td.data; - out->size = td.size; - - return 0; - } - } - - } - while (1); - - gnutls_assert (); - - result = GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - -cleanup: - return result; + int k1, result; + char tmpbuffer1[ASN1_MAX_NAME_SIZE]; + char tmpbuffer3[ASN1_MAX_NAME_SIZE]; + char value[200]; + gnutls_datum_t td; + char oid[MAX_OID_SIZE]; + int len; + + k1 = 0; + do { + + k1++; + /* create a string like "attribute.?1" + */ + if (attr_name[0] != 0) + snprintf(tmpbuffer1, sizeof(tmpbuffer1), "%s.?%u", + attr_name, k1); + else + snprintf(tmpbuffer1, sizeof(tmpbuffer1), "?%u", + k1); + + len = sizeof(value) - 1; + result = + asn1_read_value(asn1_struct, tmpbuffer1, value, &len); + + if (result == ASN1_ELEMENT_NOT_FOUND) { + gnutls_assert(); + break; + } + + if (result != ASN1_VALUE_NOT_FOUND) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + /* Move to the attibute type and values + */ + /* Read the OID + */ + _gnutls_str_cpy(tmpbuffer3, sizeof(tmpbuffer3), + tmpbuffer1); + _gnutls_str_cat(tmpbuffer3, sizeof(tmpbuffer3), ".type"); + + len = sizeof(oid) - 1; + result = + asn1_read_value(asn1_struct, tmpbuffer3, oid, &len); + + if (result == ASN1_ELEMENT_NOT_FOUND) + break; + else if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + if (strcmp(oid, given_oid) == 0) { /* Found the OID */ + + /* Read the Value + */ + snprintf(tmpbuffer3, sizeof(tmpbuffer3), + "%s.values.?%u", tmpbuffer1, indx + 1); + + len = sizeof(value) - 1; + result = + _gnutls_x509_read_value(asn1_struct, + tmpbuffer3, &td); + + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + if (raw == 0) { + result = + _gnutls_x509_dn_to_string + (oid, td.data, td.size, out); + + _gnutls_free_datum(&td); + + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + return 0; + } else { /* raw!=0 */ + out->data = td.data; + out->size = td.size; + + return 0; + } + } + + } + while (1); + + gnutls_assert(); + + result = GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + + cleanup: + return result; } /** @@ -499,24 +487,25 @@ cleanup: * negative error value. **/ int -gnutls_x509_crq_get_challenge_password (gnutls_x509_crq_t crq, - char *pass, size_t * pass_size) +gnutls_x509_crq_get_challenge_password(gnutls_x509_crq_t crq, + char *pass, size_t * pass_size) { -gnutls_datum_t td; -int ret; - - if (crq == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - ret = parse_attribute (crq->crq, "certificationRequestInfo.attributes", - "1.2.840.113549.1.9.7", 0, 0, &td); - if (ret < 0) - return gnutls_assert_val(ret); - - return _gnutls_strdatum_to_buf (&td, pass, pass_size); + gnutls_datum_t td; + int ret; + + if (crq == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + ret = + parse_attribute(crq->crq, + "certificationRequestInfo.attributes", + "1.2.840.113549.1.9.7", 0, 0, &td); + if (ret < 0) + return gnutls_assert_val(ret); + + return _gnutls_strdatum_to_buf(&td, pass, pass_size); } /* This function will attempt to set the requested attribute in @@ -525,155 +514,141 @@ int ret; * Critical will be either 0 or 1. */ static int -add_attribute (ASN1_TYPE asn, const char *root, const char *attribute_id, - const gnutls_datum_t * ext_data) +add_attribute(ASN1_TYPE asn, const char *root, const char *attribute_id, + const gnutls_datum_t * ext_data) { - int result; - char name[ASN1_MAX_NAME_SIZE]; - - snprintf (name, sizeof (name), "%s", root); - - /* Add a new attribute in the list. - */ - result = asn1_write_value (asn, name, "NEW", 1); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - snprintf (name, sizeof (name), "%s.?LAST.type", root); - - result = asn1_write_value (asn, name, attribute_id, 1); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - snprintf (name, sizeof (name), "%s.?LAST.values", root); - - result = asn1_write_value (asn, name, "NEW", 1); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - snprintf (name, sizeof (name), "%s.?LAST.values.?LAST", root); - - result = _gnutls_x509_write_value (asn, name, ext_data); - if (result < 0) - { - gnutls_assert (); - return result; - } - - return 0; + int result; + char name[ASN1_MAX_NAME_SIZE]; + + snprintf(name, sizeof(name), "%s", root); + + /* Add a new attribute in the list. + */ + result = asn1_write_value(asn, name, "NEW", 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + snprintf(name, sizeof(name), "%s.?LAST.type", root); + + result = asn1_write_value(asn, name, attribute_id, 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + snprintf(name, sizeof(name), "%s.?LAST.values", root); + + result = asn1_write_value(asn, name, "NEW", 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + snprintf(name, sizeof(name), "%s.?LAST.values.?LAST", root); + + result = _gnutls_x509_write_value(asn, name, ext_data); + if (result < 0) { + gnutls_assert(); + return result; + } + + return 0; } /* Overwrite the given attribute (using the index) * index here starts from one. */ static int -overwrite_attribute (ASN1_TYPE asn, const char *root, unsigned int indx, - const gnutls_datum_t * ext_data) +overwrite_attribute(ASN1_TYPE asn, const char *root, unsigned int indx, + const gnutls_datum_t * ext_data) { - char name[ASN1_MAX_NAME_SIZE], name2[ASN1_MAX_NAME_SIZE]; - int result; + char name[ASN1_MAX_NAME_SIZE], name2[ASN1_MAX_NAME_SIZE]; + int result; - snprintf (name, sizeof (name), "%s.?%u", root, indx); + snprintf(name, sizeof(name), "%s.?%u", root, indx); - _gnutls_str_cpy (name2, sizeof (name2), name); - _gnutls_str_cat (name2, sizeof (name2), ".values.?LAST"); + _gnutls_str_cpy(name2, sizeof(name2), name); + _gnutls_str_cat(name2, sizeof(name2), ".values.?LAST"); - result = _gnutls_x509_write_value (asn, name2, ext_data); - if (result < 0) - { - gnutls_assert (); - return result; - } + result = _gnutls_x509_write_value(asn, name2, ext_data); + if (result < 0) { + gnutls_assert(); + return result; + } - return 0; + return 0; } static int -set_attribute (ASN1_TYPE asn, const char *root, - const char *ext_id, const gnutls_datum_t * ext_data) +set_attribute(ASN1_TYPE asn, const char *root, + const char *ext_id, const gnutls_datum_t * ext_data) { - int result; - int k, len; - char name[ASN1_MAX_NAME_SIZE], name2[ASN1_MAX_NAME_SIZE]; - char extnID[MAX_OID_SIZE]; - - /* Find the index of the given attribute. - */ - k = 0; - do - { - k++; - - snprintf (name, sizeof (name), "%s.?%u", root, k); - - len = sizeof (extnID) - 1; - result = asn1_read_value (asn, name, extnID, &len); - - /* move to next - */ - - if (result == ASN1_ELEMENT_NOT_FOUND) - { - break; - } - - do - { - - _gnutls_str_cpy (name2, sizeof (name2), name); - _gnutls_str_cat (name2, sizeof (name2), ".type"); - - len = sizeof (extnID) - 1; - result = asn1_read_value (asn, name2, extnID, &len); - - if (result == ASN1_ELEMENT_NOT_FOUND) - { - gnutls_assert (); - break; - } - else if (result != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - /* Handle Extension - */ - if (strcmp (extnID, ext_id) == 0) - { - /* attribute was found - */ - return overwrite_attribute (asn, root, k, ext_data); - } - - - } - while (0); - } - while (1); - - if (result == ASN1_ELEMENT_NOT_FOUND) - { - return add_attribute (asn, root, ext_id, ext_data); - } - else - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - - return 0; + int result; + int k, len; + char name[ASN1_MAX_NAME_SIZE], name2[ASN1_MAX_NAME_SIZE]; + char extnID[MAX_OID_SIZE]; + + /* Find the index of the given attribute. + */ + k = 0; + do { + k++; + + snprintf(name, sizeof(name), "%s.?%u", root, k); + + len = sizeof(extnID) - 1; + result = asn1_read_value(asn, name, extnID, &len); + + /* move to next + */ + + if (result == ASN1_ELEMENT_NOT_FOUND) { + break; + } + + do { + + _gnutls_str_cpy(name2, sizeof(name2), name); + _gnutls_str_cat(name2, sizeof(name2), ".type"); + + len = sizeof(extnID) - 1; + result = asn1_read_value(asn, name2, extnID, &len); + + if (result == ASN1_ELEMENT_NOT_FOUND) { + gnutls_assert(); + break; + } else if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + /* Handle Extension + */ + if (strcmp(extnID, ext_id) == 0) { + /* attribute was found + */ + return overwrite_attribute(asn, root, k, + ext_data); + } + + + } + while (0); + } + while (1); + + if (result == ASN1_ELEMENT_NOT_FOUND) { + return add_attribute(asn, root, ext_id, ext_data); + } else { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + + return 0; } /** @@ -694,23 +669,23 @@ set_attribute (ASN1_TYPE asn, const char *root, * negative error value. **/ int -gnutls_x509_crq_set_attribute_by_oid (gnutls_x509_crq_t crq, - const char *oid, void *buf, - size_t buf_size) +gnutls_x509_crq_set_attribute_by_oid(gnutls_x509_crq_t crq, + const char *oid, void *buf, + size_t buf_size) { - gnutls_datum_t data; + gnutls_datum_t data; - data.data = buf; - data.size = buf_size; + data.data = buf; + data.size = buf_size; - if (crq == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } + if (crq == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - return set_attribute (crq->crq, "certificationRequestInfo.attributes", - oid, &data); + return set_attribute(crq->crq, + "certificationRequestInfo.attributes", oid, + &data); } /** @@ -733,25 +708,26 @@ gnutls_x509_crq_set_attribute_by_oid (gnutls_x509_crq_t crq, * negative error value. **/ int -gnutls_x509_crq_get_attribute_by_oid (gnutls_x509_crq_t crq, - const char *oid, int indx, void *buf, - size_t * buf_size) +gnutls_x509_crq_get_attribute_by_oid(gnutls_x509_crq_t crq, + const char *oid, int indx, void *buf, + size_t * buf_size) { -int ret; -gnutls_datum_t td; - - if (crq == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - ret = parse_attribute (crq->crq, "certificationRequestInfo.attributes", - oid, indx, 1, &td); - if (ret < 0) - return gnutls_assert_val(ret); - - return _gnutls_strdatum_to_buf (&td, buf, buf_size); + int ret; + gnutls_datum_t td; + + if (crq == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + ret = + parse_attribute(crq->crq, + "certificationRequestInfo.attributes", oid, + indx, 1, &td); + if (ret < 0) + return gnutls_assert_val(ret); + + return _gnutls_strdatum_to_buf(&td, buf, buf_size); } /** @@ -776,18 +752,17 @@ gnutls_datum_t td; * negative error value. **/ int -gnutls_x509_crq_set_dn_by_oid (gnutls_x509_crq_t crq, const char *oid, - unsigned int raw_flag, const void *data, - unsigned int sizeof_data) +gnutls_x509_crq_set_dn_by_oid(gnutls_x509_crq_t crq, const char *oid, + unsigned int raw_flag, const void *data, + unsigned int sizeof_data) { - if (sizeof_data == 0 || data == NULL || crq == NULL) - { - return GNUTLS_E_INVALID_REQUEST; - } - - return _gnutls_x509_set_dn_oid (crq->crq, - "certificationRequestInfo.subject", oid, - raw_flag, data, sizeof_data); + if (sizeof_data == 0 || data == NULL || crq == NULL) { + return GNUTLS_E_INVALID_REQUEST; + } + + return _gnutls_x509_set_dn_oid(crq->crq, + "certificationRequestInfo.subject", + oid, raw_flag, data, sizeof_data); } /** @@ -802,29 +777,28 @@ gnutls_x509_crq_set_dn_by_oid (gnutls_x509_crq_t crq, const char *oid, * negative error value. **/ int -gnutls_x509_crq_set_version (gnutls_x509_crq_t crq, unsigned int version) +gnutls_x509_crq_set_version(gnutls_x509_crq_t crq, unsigned int version) { - int result; - unsigned char null = version; - - if (crq == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - if (null > 0) - null--; - - result = - asn1_write_value (crq->crq, "certificationRequestInfo.version", &null, 1); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - return 0; + int result; + unsigned char null = version; + + if (crq == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + if (null > 0) + null--; + + result = + asn1_write_value(crq->crq, "certificationRequestInfo.version", + &null, 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + return 0; } /** @@ -837,31 +811,28 @@ gnutls_x509_crq_set_version (gnutls_x509_crq_t crq, unsigned int version) * Returns: version of certificate request, or a negative error code on * error. **/ -int -gnutls_x509_crq_get_version (gnutls_x509_crq_t crq) +int gnutls_x509_crq_get_version(gnutls_x509_crq_t crq) { - uint8_t version[8]; - int len, result; - - if (crq == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - len = sizeof (version); - if ((result = - asn1_read_value (crq->crq, "certificationRequestInfo.version", - version, &len)) != ASN1_SUCCESS) - { - - if (result == ASN1_ELEMENT_NOT_FOUND) - return 1; /* the DEFAULT version */ - gnutls_assert (); - return _gnutls_asn2err (result); - } - - return (int) version[0] + 1; + uint8_t version[8]; + int len, result; + + if (crq == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + len = sizeof(version); + if ((result = + asn1_read_value(crq->crq, "certificationRequestInfo.version", + version, &len)) != ASN1_SUCCESS) { + + if (result == ASN1_ELEMENT_NOT_FOUND) + return 1; /* the DEFAULT version */ + gnutls_assert(); + return _gnutls_asn2err(result); + } + + return (int) version[0] + 1; } /** @@ -876,28 +847,26 @@ gnutls_x509_crq_get_version (gnutls_x509_crq_t crq) * negative error value. **/ int -gnutls_x509_crq_set_key (gnutls_x509_crq_t crq, gnutls_x509_privkey_t key) +gnutls_x509_crq_set_key(gnutls_x509_crq_t crq, gnutls_x509_privkey_t key) { - int result; - - if (crq == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - result = _gnutls_x509_encode_and_copy_PKI_params - (crq->crq, - "certificationRequestInfo.subjectPKInfo", - key->pk_algorithm, &key->params); - - if (result < 0) - { - gnutls_assert (); - return result; - } - - return 0; + int result; + + if (crq == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + result = _gnutls_x509_encode_and_copy_PKI_params + (crq->crq, + "certificationRequestInfo.subjectPKInfo", + key->pk_algorithm, &key->params); + + if (result < 0) { + gnutls_assert(); + return result; + } + + return 0; } /** @@ -916,54 +885,49 @@ gnutls_x509_crq_set_key (gnutls_x509_crq_t crq, gnutls_x509_privkey_t key) * Since: 2.8.0 **/ int -gnutls_x509_crq_get_key_rsa_raw (gnutls_x509_crq_t crq, - gnutls_datum_t * m, gnutls_datum_t * e) +gnutls_x509_crq_get_key_rsa_raw(gnutls_x509_crq_t crq, + gnutls_datum_t * m, gnutls_datum_t * e) { - int ret; - gnutls_pk_params_st params; - - gnutls_pk_params_init(¶ms); - - if (crq == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - ret = gnutls_x509_crq_get_pk_algorithm (crq, NULL); - if (ret != GNUTLS_PK_RSA) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - ret = _gnutls_x509_crq_get_mpis (crq, ¶ms); - if (ret < 0) - { - gnutls_assert (); - return ret; - } - - ret = _gnutls_mpi_dprint (params.params[0], m); - if (ret < 0) - { - gnutls_assert (); - goto cleanup; - } - - ret = _gnutls_mpi_dprint (params.params[1], e); - if (ret < 0) - { - gnutls_assert (); - _gnutls_free_datum (m); - goto cleanup; - } - - ret = 0; - -cleanup: - gnutls_pk_params_release(¶ms); - return ret; + int ret; + gnutls_pk_params_st params; + + gnutls_pk_params_init(¶ms); + + if (crq == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + ret = gnutls_x509_crq_get_pk_algorithm(crq, NULL); + if (ret != GNUTLS_PK_RSA) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + ret = _gnutls_x509_crq_get_mpis(crq, ¶ms); + if (ret < 0) { + gnutls_assert(); + return ret; + } + + ret = _gnutls_mpi_dprint(params.params[0], m); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + + ret = _gnutls_mpi_dprint(params.params[1], e); + if (ret < 0) { + gnutls_assert(); + _gnutls_free_datum(m); + goto cleanup; + } + + ret = 0; + + cleanup: + gnutls_pk_params_release(¶ms); + return ret; } /** @@ -981,59 +945,55 @@ cleanup: * Since: 2.6.0 **/ int -gnutls_x509_crq_set_key_rsa_raw (gnutls_x509_crq_t crq, - const gnutls_datum_t * m, - const gnutls_datum_t * e) +gnutls_x509_crq_set_key_rsa_raw(gnutls_x509_crq_t crq, + const gnutls_datum_t * m, + const gnutls_datum_t * e) { - int result, ret; - size_t siz = 0; - gnutls_pk_params_st temp_params; - - gnutls_pk_params_init(&temp_params); - - if (crq == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - memset (&temp_params, 0, sizeof (temp_params)); - - siz = m->size; - if (_gnutls_mpi_scan_nz (&temp_params.params[0], m->data, siz)) - { - gnutls_assert (); - ret = GNUTLS_E_MPI_SCAN_FAILED; - goto error; - } - - siz = e->size; - if (_gnutls_mpi_scan_nz (&temp_params.params[1], e->data, siz)) - { - gnutls_assert (); - ret = GNUTLS_E_MPI_SCAN_FAILED; - goto error; - } - - temp_params.params_nr = RSA_PUBLIC_PARAMS; - - result = _gnutls_x509_encode_and_copy_PKI_params - (crq->crq, - "certificationRequestInfo.subjectPKInfo", - GNUTLS_PK_RSA, &temp_params); - - if (result < 0) - { - gnutls_assert (); - ret = result; - goto error; - } - - ret = 0; - -error: - gnutls_pk_params_release(&temp_params); - return ret; + int result, ret; + size_t siz = 0; + gnutls_pk_params_st temp_params; + + gnutls_pk_params_init(&temp_params); + + if (crq == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + memset(&temp_params, 0, sizeof(temp_params)); + + siz = m->size; + if (_gnutls_mpi_scan_nz(&temp_params.params[0], m->data, siz)) { + gnutls_assert(); + ret = GNUTLS_E_MPI_SCAN_FAILED; + goto error; + } + + siz = e->size; + if (_gnutls_mpi_scan_nz(&temp_params.params[1], e->data, siz)) { + gnutls_assert(); + ret = GNUTLS_E_MPI_SCAN_FAILED; + goto error; + } + + temp_params.params_nr = RSA_PUBLIC_PARAMS; + + result = _gnutls_x509_encode_and_copy_PKI_params + (crq->crq, + "certificationRequestInfo.subjectPKInfo", + GNUTLS_PK_RSA, &temp_params); + + if (result < 0) { + gnutls_assert(); + ret = result; + goto error; + } + + ret = 0; + + error: + gnutls_pk_params_release(&temp_params); + return ret; } /** @@ -1048,37 +1008,37 @@ error: * negative error value. **/ int -gnutls_x509_crq_set_challenge_password (gnutls_x509_crq_t crq, - const char *pass) +gnutls_x509_crq_set_challenge_password(gnutls_x509_crq_t crq, + const char *pass) { - int result; - - if (crq == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - /* Add the attribute. - */ - result = asn1_write_value (crq->crq, "certificationRequestInfo.attributes", - "NEW", 1); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - result = _gnutls_x509_encode_and_write_attribute - ("1.2.840.113549.1.9.7", crq->crq, - "certificationRequestInfo.attributes.?LAST", pass, strlen (pass), 1); - if (result < 0) - { - gnutls_assert (); - return result; - } - - return 0; + int result; + + if (crq == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + /* Add the attribute. + */ + result = + asn1_write_value(crq->crq, + "certificationRequestInfo.attributes", "NEW", + 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + result = _gnutls_x509_encode_and_write_attribute + ("1.2.840.113549.1.9.7", crq->crq, + "certificationRequestInfo.attributes.?LAST", pass, + strlen(pass), 1); + if (result < 0) { + gnutls_assert(); + return result; + } + + return 0; } /** @@ -1103,45 +1063,41 @@ gnutls_x509_crq_set_challenge_password (gnutls_x509_crq_t crq, * **/ int -gnutls_x509_crq_sign2 (gnutls_x509_crq_t crq, gnutls_x509_privkey_t key, - gnutls_digest_algorithm_t dig, unsigned int flags) +gnutls_x509_crq_sign2(gnutls_x509_crq_t crq, gnutls_x509_privkey_t key, + gnutls_digest_algorithm_t dig, unsigned int flags) { - int result; - gnutls_privkey_t privkey; - - if (crq == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - result = gnutls_privkey_init (&privkey); - if (result < 0) - { - gnutls_assert (); - return result; - } - - result = gnutls_privkey_import_x509 (privkey, key, 0); - if (result < 0) - { - gnutls_assert (); - goto fail; - } - - result = gnutls_x509_crq_privkey_sign (crq, privkey, dig, flags); - if (result < 0) - { - gnutls_assert (); - goto fail; - } - - result = 0; - -fail: - gnutls_privkey_deinit (privkey); - - return result; + int result; + gnutls_privkey_t privkey; + + if (crq == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + result = gnutls_privkey_init(&privkey); + if (result < 0) { + gnutls_assert(); + return result; + } + + result = gnutls_privkey_import_x509(privkey, key, 0); + if (result < 0) { + gnutls_assert(); + goto fail; + } + + result = gnutls_x509_crq_privkey_sign(crq, privkey, dig, flags); + if (result < 0) { + gnutls_assert(); + goto fail; + } + + result = 0; + + fail: + gnutls_privkey_deinit(privkey); + + return result; } /** @@ -1157,10 +1113,9 @@ fail: * * Deprecated: Use gnutls_x509_crq_privkey_sign() instead. */ -int -gnutls_x509_crq_sign (gnutls_x509_crq_t crq, gnutls_x509_privkey_t key) +int gnutls_x509_crq_sign(gnutls_x509_crq_t crq, gnutls_x509_privkey_t key) { - return gnutls_x509_crq_sign2 (crq, key, GNUTLS_DIG_SHA1, 0); + return gnutls_x509_crq_sign2(crq, key, GNUTLS_DIG_SHA1, 0); } /** @@ -1185,18 +1140,17 @@ gnutls_x509_crq_sign (gnutls_x509_crq_t crq, gnutls_x509_privkey_t key) * negative error value. **/ int -gnutls_x509_crq_export (gnutls_x509_crq_t crq, - gnutls_x509_crt_fmt_t format, void *output_data, - size_t * output_data_size) +gnutls_x509_crq_export(gnutls_x509_crq_t crq, + gnutls_x509_crt_fmt_t format, void *output_data, + size_t * output_data_size) { - if (crq == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - return _gnutls_x509_export_int (crq->crq, format, PEM_CRQ, - output_data, output_data_size); + if (crq == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + return _gnutls_x509_export_int(crq->crq, format, PEM_CRQ, + output_data, output_data_size); } /** @@ -1219,16 +1173,15 @@ gnutls_x509_crq_export (gnutls_x509_crq_t crq, * Since 3.1.3 **/ int -gnutls_x509_crq_export2 (gnutls_x509_crq_t crq, - gnutls_x509_crt_fmt_t format, gnutls_datum_t *out) +gnutls_x509_crq_export2(gnutls_x509_crq_t crq, + gnutls_x509_crt_fmt_t format, gnutls_datum_t * out) { - if (crq == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } + if (crq == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - return _gnutls_x509_export_int2 (crq->crq, format, PEM_CRQ, out); + return _gnutls_x509_export_int2(crq->crq, format, PEM_CRQ, out); } /** @@ -1247,24 +1200,22 @@ gnutls_x509_crq_export2 (gnutls_x509_crq_t crq, * success, or a negative error code on error. **/ int -gnutls_x509_crq_get_pk_algorithm (gnutls_x509_crq_t crq, unsigned int *bits) +gnutls_x509_crq_get_pk_algorithm(gnutls_x509_crq_t crq, unsigned int *bits) { - int result; - - if (crq == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - result = _gnutls_x509_get_pk_algorithm - (crq->crq, "certificationRequestInfo.subjectPKInfo", bits); - if (result < 0) - { - gnutls_assert (); - } - - return result; + int result; + + if (crq == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + result = _gnutls_x509_get_pk_algorithm + (crq->crq, "certificationRequestInfo.subjectPKInfo", bits); + if (result < 0) { + gnutls_assert(); + } + + return result; } /** @@ -1292,35 +1243,33 @@ gnutls_x509_crq_get_pk_algorithm (gnutls_x509_crq_t crq, unsigned int *bits) * Since: 2.8.0 **/ int -gnutls_x509_crq_get_attribute_info (gnutls_x509_crq_t crq, int indx, - void *oid, size_t * sizeof_oid) +gnutls_x509_crq_get_attribute_info(gnutls_x509_crq_t crq, int indx, + void *oid, size_t * sizeof_oid) { - int result; - char name[ASN1_MAX_NAME_SIZE]; - int len; + int result; + char name[ASN1_MAX_NAME_SIZE]; + int len; - if (!crq) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } + if (!crq) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - snprintf (name, sizeof (name), - "certificationRequestInfo.attributes.?%u.type", indx + 1); + snprintf(name, sizeof(name), + "certificationRequestInfo.attributes.?%u.type", indx + 1); - len = *sizeof_oid; - result = asn1_read_value (crq->crq, name, oid, &len); - *sizeof_oid = len; + len = *sizeof_oid; + result = asn1_read_value(crq->crq, name, oid, &len); + *sizeof_oid = len; - if (result == ASN1_ELEMENT_NOT_FOUND) - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - else if (result < 0) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } + if (result == ASN1_ELEMENT_NOT_FOUND) + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + else if (result < 0) { + gnutls_assert(); + return _gnutls_asn2err(result); + } - return 0; + return 0; } @@ -1348,34 +1297,33 @@ gnutls_x509_crq_get_attribute_info (gnutls_x509_crq_t crq, int indx, * Since: 2.8.0 **/ int -gnutls_x509_crq_get_attribute_data (gnutls_x509_crq_t crq, int indx, - void *data, size_t * sizeof_data) +gnutls_x509_crq_get_attribute_data(gnutls_x509_crq_t crq, int indx, + void *data, size_t * sizeof_data) { - int result, len; - char name[ASN1_MAX_NAME_SIZE]; - - if (!crq) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - snprintf (name, sizeof (name), - "certificationRequestInfo.attributes.?%u.values.?1", indx + 1); - - len = *sizeof_data; - result = asn1_read_value (crq->crq, name, data, &len); - *sizeof_data = len; - - if (result == ASN1_ELEMENT_NOT_FOUND) - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - else if (result < 0) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - return 0; + int result, len; + char name[ASN1_MAX_NAME_SIZE]; + + if (!crq) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + snprintf(name, sizeof(name), + "certificationRequestInfo.attributes.?%u.values.?1", + indx + 1); + + len = *sizeof_data; + result = asn1_read_value(crq->crq, name, data, &len); + *sizeof_data = len; + + if (result == ASN1_ELEMENT_NOT_FOUND) + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + else if (result < 0) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + return 0; } /** @@ -1404,110 +1352,105 @@ gnutls_x509_crq_get_attribute_data (gnutls_x509_crq_t crq, int indx, * Since: 2.8.0 **/ int -gnutls_x509_crq_get_extension_info (gnutls_x509_crq_t crq, int indx, - void *oid, size_t * sizeof_oid, - unsigned int *critical) +gnutls_x509_crq_get_extension_info(gnutls_x509_crq_t crq, int indx, + void *oid, size_t * sizeof_oid, + unsigned int *critical) { - int result; - char str_critical[10]; - char name[ASN1_MAX_NAME_SIZE]; - char *extensions = NULL; - size_t extensions_size = 0; - ASN1_TYPE c2; - int len; - - if (!crq) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - /* read extensionRequest */ - result = gnutls_x509_crq_get_attribute_by_oid (crq, "1.2.840.113549.1.9.14", - 0, NULL, &extensions_size); - if (result == GNUTLS_E_SHORT_MEMORY_BUFFER) - { - extensions = gnutls_malloc (extensions_size); - if (extensions == NULL) - { - gnutls_assert (); - return GNUTLS_E_MEMORY_ERROR; - } - - result = gnutls_x509_crq_get_attribute_by_oid (crq, - "1.2.840.113549.1.9.14", - 0, extensions, - &extensions_size); - } - if (result < 0) - { - gnutls_assert (); - goto out; - } - - result = asn1_create_element (_gnutls_get_pkix (), "PKIX1.Extensions", &c2); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto out; - } - - result = asn1_der_decoding (&c2, extensions, extensions_size, NULL); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - asn1_delete_structure (&c2); - result = _gnutls_asn2err (result); - goto out; - } - - snprintf (name, sizeof (name), "?%u.extnID", indx + 1); - - len = *sizeof_oid; - result = asn1_read_value (c2, name, oid, &len); - *sizeof_oid = len; - - if (result == ASN1_ELEMENT_NOT_FOUND) - { - asn1_delete_structure (&c2); - result = GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - goto out; - } - else if (result < 0) - { - gnutls_assert (); - asn1_delete_structure (&c2); - result = _gnutls_asn2err (result); - goto out; - } - - snprintf (name, sizeof (name), "?%u.critical", indx + 1); - len = sizeof (str_critical); - result = asn1_read_value (c2, name, str_critical, &len); - - asn1_delete_structure (&c2); - - if (result < 0) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto out; - } - - if (critical) - { - if (str_critical[0] == 'T') - *critical = 1; - else - *critical = 0; - } - - result = 0; - -out: - gnutls_free (extensions); - return result; + int result; + char str_critical[10]; + char name[ASN1_MAX_NAME_SIZE]; + char *extensions = NULL; + size_t extensions_size = 0; + ASN1_TYPE c2; + int len; + + if (!crq) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + /* read extensionRequest */ + result = + gnutls_x509_crq_get_attribute_by_oid(crq, + "1.2.840.113549.1.9.14", + 0, NULL, + &extensions_size); + if (result == GNUTLS_E_SHORT_MEMORY_BUFFER) { + extensions = gnutls_malloc(extensions_size); + if (extensions == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + result = gnutls_x509_crq_get_attribute_by_oid(crq, + "1.2.840.113549.1.9.14", + 0, + extensions, + &extensions_size); + } + if (result < 0) { + gnutls_assert(); + goto out; + } + + result = + asn1_create_element(_gnutls_get_pkix(), "PKIX1.Extensions", + &c2); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto out; + } + + result = asn1_der_decoding(&c2, extensions, extensions_size, NULL); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(&c2); + result = _gnutls_asn2err(result); + goto out; + } + + snprintf(name, sizeof(name), "?%u.extnID", indx + 1); + + len = *sizeof_oid; + result = asn1_read_value(c2, name, oid, &len); + *sizeof_oid = len; + + if (result == ASN1_ELEMENT_NOT_FOUND) { + asn1_delete_structure(&c2); + result = GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + goto out; + } else if (result < 0) { + gnutls_assert(); + asn1_delete_structure(&c2); + result = _gnutls_asn2err(result); + goto out; + } + + snprintf(name, sizeof(name), "?%u.critical", indx + 1); + len = sizeof(str_critical); + result = asn1_read_value(c2, name, str_critical, &len); + + asn1_delete_structure(&c2); + + if (result < 0) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto out; + } + + if (critical) { + if (str_critical[0] == 'T') + *critical = 1; + else + *critical = 0; + } + + result = 0; + + out: + gnutls_free(extensions); + return result; } /** @@ -1534,82 +1477,82 @@ out: * Since: 2.8.0 **/ int -gnutls_x509_crq_get_extension_data (gnutls_x509_crq_t crq, int indx, - void *data, size_t * sizeof_data) +gnutls_x509_crq_get_extension_data(gnutls_x509_crq_t crq, int indx, + void *data, size_t * sizeof_data) { - int result, len; - char name[ASN1_MAX_NAME_SIZE]; - unsigned char *extensions; - size_t extensions_size = 0; - ASN1_TYPE c2; - - if (!crq) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - /* read extensionRequest */ - result = gnutls_x509_crq_get_attribute_by_oid (crq, "1.2.840.113549.1.9.14", - 0, NULL, &extensions_size); - if (result != GNUTLS_E_SHORT_MEMORY_BUFFER) - { - gnutls_assert (); - if (result == 0) - return GNUTLS_E_INTERNAL_ERROR; - return result; - } - - extensions = gnutls_malloc (extensions_size); - if (extensions == NULL) - { - gnutls_assert (); - return GNUTLS_E_MEMORY_ERROR; - } - - result = gnutls_x509_crq_get_attribute_by_oid (crq, "1.2.840.113549.1.9.14", - 0, extensions, - &extensions_size); - if (result < 0) - { - gnutls_assert (); - return result; - } - - result = asn1_create_element (_gnutls_get_pkix (), "PKIX1.Extensions", &c2); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - gnutls_free (extensions); - return _gnutls_asn2err (result); - } - - result = asn1_der_decoding (&c2, extensions, extensions_size, NULL); - gnutls_free (extensions); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - asn1_delete_structure (&c2); - return _gnutls_asn2err (result); - } - - snprintf (name, sizeof (name), "?%u.extnValue", indx + 1); - - len = *sizeof_data; - result = asn1_read_value (c2, name, data, &len); - *sizeof_data = len; - - asn1_delete_structure (&c2); - - if (result == ASN1_ELEMENT_NOT_FOUND) - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - else if (result < 0) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - return 0; + int result, len; + char name[ASN1_MAX_NAME_SIZE]; + unsigned char *extensions; + size_t extensions_size = 0; + ASN1_TYPE c2; + + if (!crq) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + /* read extensionRequest */ + result = + gnutls_x509_crq_get_attribute_by_oid(crq, + "1.2.840.113549.1.9.14", + 0, NULL, + &extensions_size); + if (result != GNUTLS_E_SHORT_MEMORY_BUFFER) { + gnutls_assert(); + if (result == 0) + return GNUTLS_E_INTERNAL_ERROR; + return result; + } + + extensions = gnutls_malloc(extensions_size); + if (extensions == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + result = + gnutls_x509_crq_get_attribute_by_oid(crq, + "1.2.840.113549.1.9.14", + 0, extensions, + &extensions_size); + if (result < 0) { + gnutls_assert(); + return result; + } + + result = + asn1_create_element(_gnutls_get_pkix(), "PKIX1.Extensions", + &c2); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + gnutls_free(extensions); + return _gnutls_asn2err(result); + } + + result = asn1_der_decoding(&c2, extensions, extensions_size, NULL); + gnutls_free(extensions); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(&c2); + return _gnutls_asn2err(result); + } + + snprintf(name, sizeof(name), "?%u.extnValue", indx + 1); + + len = *sizeof_data; + result = asn1_read_value(c2, name, data, &len); + *sizeof_data = len; + + asn1_delete_structure(&c2); + + if (result == ASN1_ELEMENT_NOT_FOUND) + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + else if (result < 0) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + return 0; } /** @@ -1634,40 +1577,38 @@ gnutls_x509_crq_get_extension_data (gnutls_x509_crq_t crq, int indx, * Since: 2.8.0 **/ int -gnutls_x509_crq_get_key_usage (gnutls_x509_crq_t crq, - unsigned int *key_usage, - unsigned int *critical) +gnutls_x509_crq_get_key_usage(gnutls_x509_crq_t crq, + unsigned int *key_usage, + unsigned int *critical) { - int result; - uint16_t _usage; - uint8_t buf[128]; - size_t buf_size = sizeof (buf); - - if (crq == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - result = gnutls_x509_crq_get_extension_by_oid (crq, "2.5.29.15", 0, - buf, &buf_size, critical); - if (result < 0) - { - gnutls_assert (); - return result; - } - - result = _gnutls_x509_ext_extract_keyUsage (&_usage, buf, buf_size); - - *key_usage = _usage; - - if (result < 0) - { - gnutls_assert (); - return result; - } - - return 0; + int result; + uint16_t _usage; + uint8_t buf[128]; + size_t buf_size = sizeof(buf); + + if (crq == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + result = gnutls_x509_crq_get_extension_by_oid(crq, "2.5.29.15", 0, + buf, &buf_size, + critical); + if (result < 0) { + gnutls_assert(); + return result; + } + + result = _gnutls_x509_ext_extract_keyUsage(&_usage, buf, buf_size); + + *key_usage = _usage; + + if (result < 0) { + gnutls_assert(); + return result; + } + + return 0; } /** @@ -1693,124 +1634,117 @@ gnutls_x509_crq_get_key_usage (gnutls_x509_crq_t crq, * Since: 2.8.0 **/ int -gnutls_x509_crq_get_basic_constraints (gnutls_x509_crq_t crq, - unsigned int *critical, - unsigned int *ca, int *pathlen) +gnutls_x509_crq_get_basic_constraints(gnutls_x509_crq_t crq, + unsigned int *critical, + unsigned int *ca, int *pathlen) { - int result; - unsigned int tmp_ca; - uint8_t buf[256]; - size_t buf_size = sizeof (buf); - - if (crq == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - result = gnutls_x509_crq_get_extension_by_oid (crq, "2.5.29.19", 0, - buf, &buf_size, critical); - if (result < 0) - { - gnutls_assert (); - return result; - } - - result = - _gnutls_x509_ext_extract_basicConstraints (&tmp_ca, - pathlen, buf, buf_size); - if (ca) - *ca = tmp_ca; - - if (result < 0) - { - gnutls_assert (); - return result; - } - - return tmp_ca; + int result; + unsigned int tmp_ca; + uint8_t buf[256]; + size_t buf_size = sizeof(buf); + + if (crq == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + result = gnutls_x509_crq_get_extension_by_oid(crq, "2.5.29.19", 0, + buf, &buf_size, + critical); + if (result < 0) { + gnutls_assert(); + return result; + } + + result = + _gnutls_x509_ext_extract_basicConstraints(&tmp_ca, + pathlen, buf, + buf_size); + if (ca) + *ca = tmp_ca; + + if (result < 0) { + gnutls_assert(); + return result; + } + + return tmp_ca; } static int -get_subject_alt_name (gnutls_x509_crq_t crq, - unsigned int seq, void *ret, - size_t * ret_size, unsigned int *ret_type, - unsigned int *critical, int othername_oid) +get_subject_alt_name(gnutls_x509_crq_t crq, + unsigned int seq, void *ret, + size_t * ret_size, unsigned int *ret_type, + unsigned int *critical, int othername_oid) { - int result; - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - gnutls_x509_subject_alt_name_t type; - gnutls_datum_t dnsname = { NULL, 0 }; - size_t dns_size = 0; - - if (crq == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - if (ret) - memset (ret, 0, *ret_size); - else - *ret_size = 0; - - /* Extract extension. - */ - result = gnutls_x509_crq_get_extension_by_oid (crq, "2.5.29.17", 0, - NULL, &dns_size, critical); - if (result < 0) - { - gnutls_assert (); - return result; - } - - dnsname.size = dns_size; - dnsname.data = gnutls_malloc (dnsname.size); - if (dnsname.data == NULL) - { - gnutls_assert (); - return GNUTLS_E_MEMORY_ERROR; - } - - result = gnutls_x509_crq_get_extension_by_oid (crq, "2.5.29.17", 0, - dnsname.data, &dns_size, - critical); - if (result < 0) - { - gnutls_assert (); - gnutls_free (dnsname.data); - return result; - } - - result = asn1_create_element - (_gnutls_get_pkix (), "PKIX1.SubjectAltName", &c2); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - gnutls_free (dnsname.data); - return _gnutls_asn2err (result); - } - - result = asn1_der_decoding (&c2, dnsname.data, dnsname.size, NULL); - gnutls_free (dnsname.data); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - asn1_delete_structure (&c2); - return _gnutls_asn2err (result); - } - - result = _gnutls_parse_general_name (c2, "", seq, ret, ret_size, - ret_type, othername_oid); - asn1_delete_structure (&c2); - if (result < 0) - { - return result; - } - - type = result; - - return type; + int result; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + gnutls_x509_subject_alt_name_t type; + gnutls_datum_t dnsname = { NULL, 0 }; + size_t dns_size = 0; + + if (crq == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + if (ret) + memset(ret, 0, *ret_size); + else + *ret_size = 0; + + /* Extract extension. + */ + result = gnutls_x509_crq_get_extension_by_oid(crq, "2.5.29.17", 0, + NULL, &dns_size, + critical); + if (result < 0) { + gnutls_assert(); + return result; + } + + dnsname.size = dns_size; + dnsname.data = gnutls_malloc(dnsname.size); + if (dnsname.data == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + result = gnutls_x509_crq_get_extension_by_oid(crq, "2.5.29.17", 0, + dnsname.data, + &dns_size, critical); + if (result < 0) { + gnutls_assert(); + gnutls_free(dnsname.data); + return result; + } + + result = asn1_create_element + (_gnutls_get_pkix(), "PKIX1.SubjectAltName", &c2); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + gnutls_free(dnsname.data); + return _gnutls_asn2err(result); + } + + result = asn1_der_decoding(&c2, dnsname.data, dnsname.size, NULL); + gnutls_free(dnsname.data); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(&c2); + return _gnutls_asn2err(result); + } + + result = _gnutls_parse_general_name(c2, "", seq, ret, ret_size, + ret_type, othername_oid); + asn1_delete_structure(&c2); + if (result < 0) { + return result; + } + + type = result; + + return type; } /** @@ -1842,14 +1776,14 @@ get_subject_alt_name (gnutls_x509_crq_t crq, * Since: 2.8.0 **/ int -gnutls_x509_crq_get_subject_alt_name (gnutls_x509_crq_t crq, - unsigned int seq, void *ret, - size_t * ret_size, - unsigned int *ret_type, - unsigned int *critical) +gnutls_x509_crq_get_subject_alt_name(gnutls_x509_crq_t crq, + unsigned int seq, void *ret, + size_t * ret_size, + unsigned int *ret_type, + unsigned int *critical) { - return get_subject_alt_name (crq, seq, ret, ret_size, ret_type, critical, - 0); + return get_subject_alt_name(crq, seq, ret, ret_size, ret_type, + critical, 0); } /** @@ -1881,11 +1815,12 @@ gnutls_x509_crq_get_subject_alt_name (gnutls_x509_crq_t crq, * Since: 2.8.0 **/ int -gnutls_x509_crq_get_subject_alt_othername_oid (gnutls_x509_crq_t crq, - unsigned int seq, - void *ret, size_t * ret_size) +gnutls_x509_crq_get_subject_alt_othername_oid(gnutls_x509_crq_t crq, + unsigned int seq, + void *ret, size_t * ret_size) { - return get_subject_alt_name (crq, seq, ret, ret_size, NULL, NULL, 1); + return get_subject_alt_name(crq, seq, ret, ret_size, NULL, NULL, + 1); } /** @@ -1910,40 +1845,41 @@ gnutls_x509_crq_get_subject_alt_othername_oid (gnutls_x509_crq_t crq, * Since: 2.8.0 **/ int -gnutls_x509_crq_get_extension_by_oid (gnutls_x509_crq_t crq, - const char *oid, int indx, - void *buf, size_t * buf_size, - unsigned int *critical) +gnutls_x509_crq_get_extension_by_oid(gnutls_x509_crq_t crq, + const char *oid, int indx, + void *buf, size_t * buf_size, + unsigned int *critical) { - int result; - unsigned int i; - char _oid[MAX_OID_SIZE]; - size_t oid_size; - - for (i = 0;; i++) - { - oid_size = sizeof (_oid); - result = - gnutls_x509_crq_get_extension_info (crq, i, _oid, &oid_size, - critical); - if (result < 0) - { - gnutls_assert (); - return result; - } - - if (strcmp (oid, _oid) == 0) - { /* found */ - if (indx == 0) - return gnutls_x509_crq_get_extension_data (crq, i, buf, - buf_size); - else - indx--; - } - } - - - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + int result; + unsigned int i; + char _oid[MAX_OID_SIZE]; + size_t oid_size; + + for (i = 0;; i++) { + oid_size = sizeof(_oid); + result = + gnutls_x509_crq_get_extension_info(crq, i, _oid, + &oid_size, + critical); + if (result < 0) { + gnutls_assert(); + return result; + } + + if (strcmp(oid, _oid) == 0) { /* found */ + if (indx == 0) + return + gnutls_x509_crq_get_extension_data(crq, + i, + buf, + buf_size); + else + indx--; + } + } + + + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; } @@ -1975,91 +1911,93 @@ gnutls_x509_crq_get_extension_by_oid (gnutls_x509_crq_t crq, * Since: 2.8.0 **/ int -gnutls_x509_crq_set_subject_alt_name (gnutls_x509_crq_t crq, - gnutls_x509_subject_alt_name_t nt, - const void *data, - unsigned int data_size, - unsigned int flags) +gnutls_x509_crq_set_subject_alt_name(gnutls_x509_crq_t crq, + gnutls_x509_subject_alt_name_t nt, + const void *data, + unsigned int data_size, + unsigned int flags) { - int result = 0; - gnutls_datum_t der_data = { NULL, 0 }; - gnutls_datum_t prev_der_data = { NULL, 0 }; - unsigned int critical = 0; - size_t prev_data_size = 0; - - if (crq == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - /* Check if the extension already exists. - */ - if (flags == GNUTLS_FSAN_APPEND) - { - result = gnutls_x509_crq_get_extension_by_oid (crq, "2.5.29.17", 0, - NULL, &prev_data_size, - &critical); - prev_der_data.size = prev_data_size; - - switch (result) - { - case GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE: - /* Replacing non-existing data means the same as set data. */ - break; - - case GNUTLS_E_SUCCESS: - prev_der_data.data = gnutls_malloc (prev_der_data.size); - if (prev_der_data.data == NULL) - { - gnutls_assert (); - return GNUTLS_E_MEMORY_ERROR; - } - - result = gnutls_x509_crq_get_extension_by_oid (crq, "2.5.29.17", 0, - prev_der_data.data, - &prev_data_size, - &critical); - if (result < 0) - { - gnutls_assert (); - gnutls_free (prev_der_data.data); - return result; - } - break; - - default: - gnutls_assert (); - return result; - } - } - - /* generate the extension. - */ - result = _gnutls_x509_ext_gen_subject_alt_name (nt, data, data_size, - &prev_der_data, &der_data); - gnutls_free (prev_der_data.data); - if (result < 0) - { - gnutls_assert (); - goto finish; - } - - result = _gnutls_x509_crq_set_extension (crq, "2.5.29.17", &der_data, - critical); - - _gnutls_free_datum (&der_data); - - if (result < 0) - { - gnutls_assert (); - return result; - } - - return 0; - -finish: - return result; + int result = 0; + gnutls_datum_t der_data = { NULL, 0 }; + gnutls_datum_t prev_der_data = { NULL, 0 }; + unsigned int critical = 0; + size_t prev_data_size = 0; + + if (crq == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + /* Check if the extension already exists. + */ + if (flags == GNUTLS_FSAN_APPEND) { + result = + gnutls_x509_crq_get_extension_by_oid(crq, "2.5.29.17", + 0, NULL, + &prev_data_size, + &critical); + prev_der_data.size = prev_data_size; + + switch (result) { + case GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE: + /* Replacing non-existing data means the same as set data. */ + break; + + case GNUTLS_E_SUCCESS: + prev_der_data.data = + gnutls_malloc(prev_der_data.size); + if (prev_der_data.data == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + result = + gnutls_x509_crq_get_extension_by_oid(crq, + "2.5.29.17", + 0, + prev_der_data. + data, + &prev_data_size, + &critical); + if (result < 0) { + gnutls_assert(); + gnutls_free(prev_der_data.data); + return result; + } + break; + + default: + gnutls_assert(); + return result; + } + } + + /* generate the extension. + */ + result = _gnutls_x509_ext_gen_subject_alt_name(nt, data, data_size, + &prev_der_data, + &der_data); + gnutls_free(prev_der_data.data); + if (result < 0) { + gnutls_assert(); + goto finish; + } + + result = + _gnutls_x509_crq_set_extension(crq, "2.5.29.17", &der_data, + critical); + + _gnutls_free_datum(&der_data); + + if (result < 0) { + gnutls_assert(); + return result; + } + + return 0; + + finish: + return result; } /** @@ -2078,39 +2016,39 @@ finish: * Since: 2.8.0 **/ int -gnutls_x509_crq_set_basic_constraints (gnutls_x509_crq_t crq, - unsigned int ca, int pathLenConstraint) +gnutls_x509_crq_set_basic_constraints(gnutls_x509_crq_t crq, + unsigned int ca, + int pathLenConstraint) { - int result; - gnutls_datum_t der_data; - - if (crq == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - /* generate the extension. - */ - result = _gnutls_x509_ext_gen_basicConstraints (ca, pathLenConstraint, - &der_data); - if (result < 0) - { - gnutls_assert (); - return result; - } - - result = _gnutls_x509_crq_set_extension (crq, "2.5.29.19", &der_data, 1); - - _gnutls_free_datum (&der_data); - - if (result < 0) - { - gnutls_assert (); - return result; - } - - return 0; + int result; + gnutls_datum_t der_data; + + if (crq == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + /* generate the extension. + */ + result = + _gnutls_x509_ext_gen_basicConstraints(ca, pathLenConstraint, + &der_data); + if (result < 0) { + gnutls_assert(); + return result; + } + + result = + _gnutls_x509_crq_set_extension(crq, "2.5.29.19", &der_data, 1); + + _gnutls_free_datum(&der_data); + + if (result < 0) { + gnutls_assert(); + return result; + } + + return 0; } /** @@ -2126,37 +2064,36 @@ gnutls_x509_crq_set_basic_constraints (gnutls_x509_crq_t crq, * Since: 2.8.0 **/ int -gnutls_x509_crq_set_key_usage (gnutls_x509_crq_t crq, unsigned int usage) +gnutls_x509_crq_set_key_usage(gnutls_x509_crq_t crq, unsigned int usage) { - int result; - gnutls_datum_t der_data; - - if (crq == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - /* generate the extension. - */ - result = _gnutls_x509_ext_gen_keyUsage ((uint16_t) usage, &der_data); - if (result < 0) - { - gnutls_assert (); - return result; - } - - result = _gnutls_x509_crq_set_extension (crq, "2.5.29.15", &der_data, 1); - - _gnutls_free_datum (&der_data); - - if (result < 0) - { - gnutls_assert (); - return result; - } - - return 0; + int result; + gnutls_datum_t der_data; + + if (crq == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + /* generate the extension. + */ + result = + _gnutls_x509_ext_gen_keyUsage((uint16_t) usage, &der_data); + if (result < 0) { + gnutls_assert(); + return result; + } + + result = + _gnutls_x509_crq_set_extension(crq, "2.5.29.15", &der_data, 1); + + _gnutls_free_datum(&der_data); + + if (result < 0) { + gnutls_assert(); + return result; + } + + return 0; } /** @@ -2179,92 +2116,89 @@ gnutls_x509_crq_set_key_usage (gnutls_x509_crq_t crq, unsigned int usage) * Since: 2.8.0 **/ int -gnutls_x509_crq_get_key_purpose_oid (gnutls_x509_crq_t crq, - int indx, void *oid, size_t * sizeof_oid, - unsigned int *critical) +gnutls_x509_crq_get_key_purpose_oid(gnutls_x509_crq_t crq, + int indx, void *oid, + size_t * sizeof_oid, + unsigned int *critical) { - char tmpstr[ASN1_MAX_NAME_SIZE]; - int result, len; - gnutls_datum_t prev = { NULL, 0 }; - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - size_t prev_size = 0; - - if (oid) - memset (oid, 0, *sizeof_oid); - else - *sizeof_oid = 0; - - /* Extract extension. - */ - result = gnutls_x509_crq_get_extension_by_oid (crq, "2.5.29.37", 0, - NULL, &prev_size, critical); - prev.size = prev_size; - - if (result < 0) - { - gnutls_assert (); - return result; - } - - prev.data = gnutls_malloc (prev.size); - if (prev.data == NULL) - { - gnutls_assert (); - return GNUTLS_E_MEMORY_ERROR; - } - - result = gnutls_x509_crq_get_extension_by_oid (crq, "2.5.29.37", 0, - prev.data, &prev_size, - critical); - if (result < 0) - { - gnutls_assert (); - gnutls_free (prev.data); - return result; - } - - result = asn1_create_element - (_gnutls_get_pkix (), "PKIX1.ExtKeyUsageSyntax", &c2); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - gnutls_free (prev.data); - return _gnutls_asn2err (result); - } - - result = asn1_der_decoding (&c2, prev.data, prev.size, NULL); - gnutls_free (prev.data); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - asn1_delete_structure (&c2); - return _gnutls_asn2err (result); - } - - indx++; - /* create a string like "?1" - */ - snprintf (tmpstr, sizeof (tmpstr), "?%u", indx); - - len = *sizeof_oid; - result = asn1_read_value (c2, tmpstr, oid, &len); - - *sizeof_oid = len; - asn1_delete_structure (&c2); - - if (result == ASN1_VALUE_NOT_FOUND || result == ASN1_ELEMENT_NOT_FOUND) - { - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - } - - if (result != ASN1_SUCCESS) - { - if (result != ASN1_MEM_ERROR) - gnutls_assert (); - return _gnutls_asn2err (result); - } - - return 0; + char tmpstr[ASN1_MAX_NAME_SIZE]; + int result, len; + gnutls_datum_t prev = { NULL, 0 }; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + size_t prev_size = 0; + + if (oid) + memset(oid, 0, *sizeof_oid); + else + *sizeof_oid = 0; + + /* Extract extension. + */ + result = gnutls_x509_crq_get_extension_by_oid(crq, "2.5.29.37", 0, + NULL, &prev_size, + critical); + prev.size = prev_size; + + if (result < 0) { + gnutls_assert(); + return result; + } + + prev.data = gnutls_malloc(prev.size); + if (prev.data == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + result = gnutls_x509_crq_get_extension_by_oid(crq, "2.5.29.37", 0, + prev.data, + &prev_size, + critical); + if (result < 0) { + gnutls_assert(); + gnutls_free(prev.data); + return result; + } + + result = asn1_create_element + (_gnutls_get_pkix(), "PKIX1.ExtKeyUsageSyntax", &c2); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + gnutls_free(prev.data); + return _gnutls_asn2err(result); + } + + result = asn1_der_decoding(&c2, prev.data, prev.size, NULL); + gnutls_free(prev.data); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(&c2); + return _gnutls_asn2err(result); + } + + indx++; + /* create a string like "?1" + */ + snprintf(tmpstr, sizeof(tmpstr), "?%u", indx); + + len = *sizeof_oid; + result = asn1_read_value(c2, tmpstr, oid, &len); + + *sizeof_oid = len; + asn1_delete_structure(&c2); + + if (result == ASN1_VALUE_NOT_FOUND + || result == ASN1_ELEMENT_NOT_FOUND) { + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + } + + if (result != ASN1_SUCCESS) { + if (result != ASN1_MEM_ERROR) + gnutls_assert(); + return _gnutls_asn2err(result); + } + + return 0; } /** @@ -2285,114 +2219,108 @@ gnutls_x509_crq_get_key_purpose_oid (gnutls_x509_crq_t crq, * Since: 2.8.0 **/ int -gnutls_x509_crq_set_key_purpose_oid (gnutls_x509_crq_t crq, - const void *oid, unsigned int critical) +gnutls_x509_crq_set_key_purpose_oid(gnutls_x509_crq_t crq, + const void *oid, unsigned int critical) { - int result; - gnutls_datum_t prev = { NULL, 0 }, der_data; - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - size_t prev_size = 0; - - /* Read existing extension, if there is one. - */ - result = gnutls_x509_crq_get_extension_by_oid (crq, "2.5.29.37", 0, - NULL, &prev_size, &critical); - prev.size = prev_size; - - switch (result) - { - case GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE: - /* No existing extension, that's fine. */ - break; - - case GNUTLS_E_SUCCESS: - prev.data = gnutls_malloc (prev.size); - if (prev.data == NULL) - { - gnutls_assert (); - return GNUTLS_E_MEMORY_ERROR; - } - - result = gnutls_x509_crq_get_extension_by_oid (crq, "2.5.29.37", 0, - prev.data, &prev_size, - &critical); - if (result < 0) - { - gnutls_assert (); - gnutls_free (prev.data); - return result; - } - break; - - default: - gnutls_assert (); - return result; - } - - result = asn1_create_element (_gnutls_get_pkix (), - "PKIX1.ExtKeyUsageSyntax", &c2); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - gnutls_free (prev.data); - return _gnutls_asn2err (result); - } - - if (prev.data) - { - /* decode it. - */ - result = asn1_der_decoding (&c2, prev.data, prev.size, NULL); - gnutls_free (prev.data); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - asn1_delete_structure (&c2); - return _gnutls_asn2err (result); - } - } - - /* generate the extension. - */ - /* 1. create a new element. - */ - result = asn1_write_value (c2, "", "NEW", 1); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - asn1_delete_structure (&c2); - return _gnutls_asn2err (result); - } - - /* 2. Add the OID. - */ - result = asn1_write_value (c2, "?LAST", oid, 1); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - asn1_delete_structure (&c2); - return _gnutls_asn2err (result); - } - - result = _gnutls_x509_der_encode (c2, "", &der_data, 0); - asn1_delete_structure (&c2); - - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - result = _gnutls_x509_crq_set_extension (crq, "2.5.29.37", - &der_data, critical); - _gnutls_free_datum (&der_data); - if (result < 0) - { - gnutls_assert (); - return result; - } - - return 0; + int result; + gnutls_datum_t prev = { NULL, 0 }, der_data; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + size_t prev_size = 0; + + /* Read existing extension, if there is one. + */ + result = gnutls_x509_crq_get_extension_by_oid(crq, "2.5.29.37", 0, + NULL, &prev_size, + &critical); + prev.size = prev_size; + + switch (result) { + case GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE: + /* No existing extension, that's fine. */ + break; + + case GNUTLS_E_SUCCESS: + prev.data = gnutls_malloc(prev.size); + if (prev.data == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + result = + gnutls_x509_crq_get_extension_by_oid(crq, "2.5.29.37", + 0, prev.data, + &prev_size, + &critical); + if (result < 0) { + gnutls_assert(); + gnutls_free(prev.data); + return result; + } + break; + + default: + gnutls_assert(); + return result; + } + + result = asn1_create_element(_gnutls_get_pkix(), + "PKIX1.ExtKeyUsageSyntax", &c2); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + gnutls_free(prev.data); + return _gnutls_asn2err(result); + } + + if (prev.data) { + /* decode it. + */ + result = + asn1_der_decoding(&c2, prev.data, prev.size, NULL); + gnutls_free(prev.data); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(&c2); + return _gnutls_asn2err(result); + } + } + + /* generate the extension. + */ + /* 1. create a new element. + */ + result = asn1_write_value(c2, "", "NEW", 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(&c2); + return _gnutls_asn2err(result); + } + + /* 2. Add the OID. + */ + result = asn1_write_value(c2, "?LAST", oid, 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(&c2); + return _gnutls_asn2err(result); + } + + result = _gnutls_x509_der_encode(c2, "", &der_data, 0); + asn1_delete_structure(&c2); + + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + result = _gnutls_x509_crq_set_extension(crq, "2.5.29.37", + &der_data, critical); + _gnutls_free_datum(&der_data); + if (result < 0) { + gnutls_assert(); + return result; + } + + return 0; } /** @@ -2418,38 +2346,36 @@ gnutls_x509_crq_set_key_purpose_oid (gnutls_x509_crq_t crq, * Since: 2.8.0 **/ int -gnutls_x509_crq_get_key_id (gnutls_x509_crq_t crq, unsigned int flags, - unsigned char *output_data, - size_t * output_data_size) +gnutls_x509_crq_get_key_id(gnutls_x509_crq_t crq, unsigned int flags, + unsigned char *output_data, + size_t * output_data_size) { - int pk, ret = 0; - gnutls_pk_params_st params; - - if (crq == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - pk = gnutls_x509_crq_get_pk_algorithm (crq, NULL); - if (pk < 0) - { - gnutls_assert (); - return pk; - } - - ret = _gnutls_x509_crq_get_mpis (crq, ¶ms); - if (ret < 0) - { - gnutls_assert (); - return ret; - } - - ret = _gnutls_get_key_id(pk, ¶ms, output_data, output_data_size); - - gnutls_pk_params_release(¶ms); - - return ret; + int pk, ret = 0; + gnutls_pk_params_st params; + + if (crq == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + pk = gnutls_x509_crq_get_pk_algorithm(crq, NULL); + if (pk < 0) { + gnutls_assert(); + return pk; + } + + ret = _gnutls_x509_crq_get_mpis(crq, ¶ms); + if (ret < 0) { + gnutls_assert(); + return ret; + } + + ret = + _gnutls_get_key_id(pk, ¶ms, output_data, output_data_size); + + gnutls_pk_params_release(¶ms); + + return ret; } /** @@ -2475,76 +2401,73 @@ gnutls_x509_crq_get_key_id (gnutls_x509_crq_t crq, unsigned int flags, * Since: 2.12.0 **/ int -gnutls_x509_crq_privkey_sign (gnutls_x509_crq_t crq, gnutls_privkey_t key, - gnutls_digest_algorithm_t dig, - unsigned int flags) +gnutls_x509_crq_privkey_sign(gnutls_x509_crq_t crq, gnutls_privkey_t key, + gnutls_digest_algorithm_t dig, + unsigned int flags) { - int result; - gnutls_datum_t signature; - gnutls_datum_t tbs; - - if (crq == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - /* Make sure version field is set. */ - if (gnutls_x509_crq_get_version (crq) == GNUTLS_E_ASN1_VALUE_NOT_FOUND) - { - result = gnutls_x509_crq_set_version (crq, 1); - if (result < 0) - { - gnutls_assert (); - return result; - } - } - - /* Step 1. Self sign the request. - */ - result = _gnutls_x509_get_tbs (crq->crq, "certificationRequestInfo", &tbs); - - if (result < 0) - { - gnutls_assert (); - return result; - } - - result = gnutls_privkey_sign_data (key, dig, 0, &tbs, &signature); - gnutls_free (tbs.data); - - if (result < 0) - { - gnutls_assert (); - return result; - } - - /* Step 2. write the signature (bits) - */ - result = - asn1_write_value (crq->crq, "signature", signature.data, - signature.size * 8); - - _gnutls_free_datum (&signature); - - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - /* Step 3. Write the signatureAlgorithm field. - */ - result = _gnutls_x509_write_sig_params (crq->crq, "signatureAlgorithm", - gnutls_privkey_get_pk_algorithm - (key, NULL), dig); - if (result < 0) - { - gnutls_assert (); - return result; - } - - return 0; + int result; + gnutls_datum_t signature; + gnutls_datum_t tbs; + + if (crq == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + /* Make sure version field is set. */ + if (gnutls_x509_crq_get_version(crq) == + GNUTLS_E_ASN1_VALUE_NOT_FOUND) { + result = gnutls_x509_crq_set_version(crq, 1); + if (result < 0) { + gnutls_assert(); + return result; + } + } + + /* Step 1. Self sign the request. + */ + result = + _gnutls_x509_get_tbs(crq->crq, "certificationRequestInfo", + &tbs); + + if (result < 0) { + gnutls_assert(); + return result; + } + + result = gnutls_privkey_sign_data(key, dig, 0, &tbs, &signature); + gnutls_free(tbs.data); + + if (result < 0) { + gnutls_assert(); + return result; + } + + /* Step 2. write the signature (bits) + */ + result = + asn1_write_value(crq->crq, "signature", signature.data, + signature.size * 8); + + _gnutls_free_datum(&signature); + + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + /* Step 3. Write the signatureAlgorithm field. + */ + result = + _gnutls_x509_write_sig_params(crq->crq, "signatureAlgorithm", + gnutls_privkey_get_pk_algorithm + (key, NULL), dig); + if (result < 0) { + gnutls_assert(); + return result; + } + + return 0; } @@ -2561,67 +2484,65 @@ gnutls_x509_crq_privkey_sign (gnutls_x509_crq_t crq, gnutls_privkey_t key, * * Since 2.12.0 **/ -int -gnutls_x509_crq_verify (gnutls_x509_crq_t crq, - unsigned int flags) +int gnutls_x509_crq_verify(gnutls_x509_crq_t crq, unsigned int flags) { -gnutls_datum data = { NULL, 0 }; -gnutls_datum signature = { NULL, 0 }; -gnutls_pk_params_st params; -gnutls_digest_algorithm_t algo; -int ret; - - gnutls_pk_params_init(¶ms); - - ret = - _gnutls_x509_get_signed_data (crq->crq, "certificationRequestInfo", &data); - if (ret < 0) - { - gnutls_assert (); - return ret; - } - - ret = _gnutls_x509_get_signature_algorithm(crq->crq, "signatureAlgorithm.algorithm"); - if (ret < 0) - { - gnutls_assert (); - goto cleanup; - } - - algo = gnutls_sign_get_hash_algorithm(ret); - - ret = _gnutls_x509_get_signature (crq->crq, "signature", &signature); - if (ret < 0) - { - gnutls_assert (); - goto cleanup; - } - - ret = - _gnutls_x509_crq_get_mpis(crq, ¶ms); - if (ret < 0) - { - gnutls_assert (); - goto cleanup; - } - - ret = pubkey_verify_data(gnutls_x509_crq_get_pk_algorithm (crq, NULL), - mac_to_entry(algo), - &data, &signature, ¶ms); - if (ret < 0) - { - gnutls_assert (); - goto cleanup; - } - - ret = 0; - -cleanup: - _gnutls_free_datum (&data); - _gnutls_free_datum (&signature); - gnutls_pk_params_release(¶ms); - - return ret; + gnutls_datum data = { NULL, 0 }; + gnutls_datum signature = { NULL, 0 }; + gnutls_pk_params_st params; + gnutls_digest_algorithm_t algo; + int ret; + + gnutls_pk_params_init(¶ms); + + ret = + _gnutls_x509_get_signed_data(crq->crq, + "certificationRequestInfo", + &data); + if (ret < 0) { + gnutls_assert(); + return ret; + } + + ret = + _gnutls_x509_get_signature_algorithm(crq->crq, + "signatureAlgorithm.algorithm"); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + + algo = gnutls_sign_get_hash_algorithm(ret); + + ret = + _gnutls_x509_get_signature(crq->crq, "signature", &signature); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + + ret = _gnutls_x509_crq_get_mpis(crq, ¶ms); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + + ret = + pubkey_verify_data(gnutls_x509_crq_get_pk_algorithm(crq, NULL), + mac_to_entry(algo), &data, &signature, + ¶ms); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + + ret = 0; + + cleanup: + _gnutls_free_datum(&data); + _gnutls_free_datum(&signature); + gnutls_pk_params_release(¶ms); + + return ret; } /** @@ -2636,60 +2557,52 @@ cleanup: * negative error value. **/ int -gnutls_x509_crq_set_private_key_usage_period (gnutls_x509_crq_t crq, - time_t activation, - time_t expiration) +gnutls_x509_crq_set_private_key_usage_period(gnutls_x509_crq_t crq, + time_t activation, + time_t expiration) { - int result; - gnutls_datum_t der_data; - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - - if (crq == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - result = - asn1_create_element (_gnutls_get_pkix (), "PKIX1.PrivateKeyUsagePeriod", &c2); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - result = _gnutls_x509_set_time (c2, - "notBefore", - activation, 1); - if (result < 0) - { - gnutls_assert(); - goto cleanup; - } - - result = _gnutls_x509_set_time (c2, - "notAfter", - expiration, 1); - if (result < 0) - { - gnutls_assert(); - goto cleanup; - } - - result = _gnutls_x509_der_encode (c2, "", &der_data, 0); - if (result < 0) - { - gnutls_assert(); - goto cleanup; - } - - result = _gnutls_x509_crq_set_extension (crq, "2.5.29.16", - &der_data, 0); - - _gnutls_free_datum(&der_data); - -cleanup: - asn1_delete_structure (&c2); - - return result; + int result; + gnutls_datum_t der_data; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + + if (crq == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + result = + asn1_create_element(_gnutls_get_pkix(), + "PKIX1.PrivateKeyUsagePeriod", &c2); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + result = _gnutls_x509_set_time(c2, "notBefore", activation, 1); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + result = _gnutls_x509_set_time(c2, "notAfter", expiration, 1); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + result = _gnutls_x509_der_encode(c2, "", &der_data, 0); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + result = _gnutls_x509_crq_set_extension(crq, "2.5.29.16", + &der_data, 0); + + _gnutls_free_datum(&der_data); + + cleanup: + asn1_delete_structure(&c2); + + return result; } diff --git a/lib/x509/dn.c b/lib/x509/dn.c index 811ef155e0..f16b440a8e 100644 --- a/lib/x509/dn.c +++ b/lib/x509/dn.c @@ -34,107 +34,114 @@ */ int -_gnutls_x509_get_dn (ASN1_TYPE asn1_struct, - const char *asn1_rdn_name, gnutls_datum_t * dn) +_gnutls_x509_get_dn(ASN1_TYPE asn1_struct, + const char *asn1_rdn_name, gnutls_datum_t * dn) { - gnutls_buffer_st out_str; - int k2, k1, result; - char tmpbuffer1[ASN1_MAX_NAME_SIZE]; - char tmpbuffer2[ASN1_MAX_NAME_SIZE]; - char tmpbuffer3[ASN1_MAX_NAME_SIZE]; - uint8_t value[MAX_STRING_LEN]; - gnutls_datum_t td = {NULL, 0}, tvd = {NULL, 0}; - const char *ldap_desc; - char oid[MAX_OID_SIZE]; - int len; - - _gnutls_buffer_init (&out_str); - - k1 = 0; - do - { - k1++; - /* create a string like "tbsCertList.issuer.rdnSequence.?1" - */ - if (asn1_rdn_name[0] != 0) - snprintf (tmpbuffer1, sizeof (tmpbuffer1), "%s.?%u", asn1_rdn_name, - k1); - else - snprintf (tmpbuffer1, sizeof (tmpbuffer1), "?%u", k1); - - len = sizeof (value) - 1; - result = asn1_read_value (asn1_struct, tmpbuffer1, value, &len); - - if (result == ASN1_ELEMENT_NOT_FOUND) - { - break; - } - - if (result != ASN1_VALUE_NOT_FOUND) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - - k2 = 0; - - do - { /* Move to the attibute type and values - */ - k2++; - - if (tmpbuffer1[0] != 0) - snprintf (tmpbuffer2, sizeof (tmpbuffer2), "%s.?%u", tmpbuffer1, - k2); - else - snprintf (tmpbuffer2, sizeof (tmpbuffer2), "?%u", k2); - - /* Try to read the RelativeDistinguishedName attributes. - */ - - len = sizeof (value) - 1; - result = asn1_read_value (asn1_struct, tmpbuffer2, value, &len); - - if (result == ASN1_ELEMENT_NOT_FOUND) - break; - if (result != ASN1_VALUE_NOT_FOUND) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - - /* Read the OID - */ - _gnutls_str_cpy (tmpbuffer3, sizeof (tmpbuffer3), tmpbuffer2); - _gnutls_str_cat (tmpbuffer3, sizeof (tmpbuffer3), ".type"); - - len = sizeof (oid) - 1; - result = asn1_read_value (asn1_struct, tmpbuffer3, oid, &len); - - if (result == ASN1_ELEMENT_NOT_FOUND) - break; - else if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - - /* Read the Value - */ - _gnutls_str_cpy (tmpbuffer3, sizeof (tmpbuffer3), tmpbuffer2); - _gnutls_str_cat (tmpbuffer3, sizeof (tmpbuffer3), ".value"); - - len = 0; - - result = _gnutls_x509_read_value(asn1_struct, tmpbuffer3, &tvd); - if (result < 0) - { - gnutls_assert (); - goto cleanup; - } + gnutls_buffer_st out_str; + int k2, k1, result; + char tmpbuffer1[ASN1_MAX_NAME_SIZE]; + char tmpbuffer2[ASN1_MAX_NAME_SIZE]; + char tmpbuffer3[ASN1_MAX_NAME_SIZE]; + uint8_t value[MAX_STRING_LEN]; + gnutls_datum_t td = { NULL, 0 }, tvd = { + NULL, 0}; + const char *ldap_desc; + char oid[MAX_OID_SIZE]; + int len; + + _gnutls_buffer_init(&out_str); + + k1 = 0; + do { + k1++; + /* create a string like "tbsCertList.issuer.rdnSequence.?1" + */ + if (asn1_rdn_name[0] != 0) + snprintf(tmpbuffer1, sizeof(tmpbuffer1), "%s.?%u", + asn1_rdn_name, k1); + else + snprintf(tmpbuffer1, sizeof(tmpbuffer1), "?%u", + k1); + + len = sizeof(value) - 1; + result = + asn1_read_value(asn1_struct, tmpbuffer1, value, &len); + + if (result == ASN1_ELEMENT_NOT_FOUND) { + break; + } + + if (result != ASN1_VALUE_NOT_FOUND) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + k2 = 0; + + do { /* Move to the attibute type and values + */ + k2++; + + if (tmpbuffer1[0] != 0) + snprintf(tmpbuffer2, sizeof(tmpbuffer2), + "%s.?%u", tmpbuffer1, k2); + else + snprintf(tmpbuffer2, sizeof(tmpbuffer2), + "?%u", k2); + + /* Try to read the RelativeDistinguishedName attributes. + */ + + len = sizeof(value) - 1; + result = + asn1_read_value(asn1_struct, tmpbuffer2, value, + &len); + + if (result == ASN1_ELEMENT_NOT_FOUND) + break; + if (result != ASN1_VALUE_NOT_FOUND) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + /* Read the OID + */ + _gnutls_str_cpy(tmpbuffer3, sizeof(tmpbuffer3), + tmpbuffer2); + _gnutls_str_cat(tmpbuffer3, sizeof(tmpbuffer3), + ".type"); + + len = sizeof(oid) - 1; + result = + asn1_read_value(asn1_struct, tmpbuffer3, oid, + &len); + + if (result == ASN1_ELEMENT_NOT_FOUND) + break; + else if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + /* Read the Value + */ + _gnutls_str_cpy(tmpbuffer3, sizeof(tmpbuffer3), + tmpbuffer2); + _gnutls_str_cat(tmpbuffer3, sizeof(tmpbuffer3), + ".value"); + + len = 0; + + result = + _gnutls_x509_read_value(asn1_struct, + tmpbuffer3, &tvd); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } #define STR_APPEND(y) if ((result=_gnutls_buffer_append_str( &out_str, y)) < 0) { \ gnutls_assert(); \ goto cleanup; \ @@ -143,63 +150,65 @@ _gnutls_x509_get_dn (ASN1_TYPE asn1_struct, gnutls_assert(); \ goto cleanup; \ } - /* The encodings of adjoining RelativeDistinguishedNames are separated - * by a comma character (',' ASCII 44). - */ - - /* Where there is a multi-valued RDN, the outputs from adjoining - * AttributeTypeAndValues are separated by a plus ('+' ASCII 43) - * character. - */ - if (k1 != 1) - { /* the first time do not append a comma */ - if (k2 != 1) - { /* adjoining multi-value RDN */ - STR_APPEND ("+"); - } - else - { - STR_APPEND (","); - } - } - - ldap_desc = gnutls_x509_dn_oid_name (oid, GNUTLS_X509_DN_OID_RETURN_OID); - - STR_APPEND (ldap_desc); - STR_APPEND ("="); - - result = - _gnutls_x509_dn_to_string (oid, tvd.data, tvd.size, &td); - if (result < 0) - { - gnutls_assert (); - _gnutls_debug_log - ("Cannot parse OID: '%s' with value '%s'\n", - oid, _gnutls_bin2hex (tvd.data, tvd.size, tmpbuffer3, sizeof(tmpbuffer3), - NULL)); - goto cleanup; - } - - DATA_APPEND (td.data, td.size); - _gnutls_free_datum (&td); - _gnutls_free_datum (&tvd); - } - while (1); - } - while (1); - - result = _gnutls_buffer_to_datum (&out_str, dn); - if (result < 0) - gnutls_assert(); - - goto cleanup1; - -cleanup: - _gnutls_buffer_clear (&out_str); -cleanup1: - _gnutls_free_datum (&td); - _gnutls_free_datum (&tvd); - return result; + /* The encodings of adjoining RelativeDistinguishedNames are separated + * by a comma character (',' ASCII 44). + */ + + /* Where there is a multi-valued RDN, the outputs from adjoining + * AttributeTypeAndValues are separated by a plus ('+' ASCII 43) + * character. + */ + if (k1 != 1) { /* the first time do not append a comma */ + if (k2 != 1) { /* adjoining multi-value RDN */ + STR_APPEND("+"); + } else { + STR_APPEND(","); + } + } + + ldap_desc = + gnutls_x509_dn_oid_name(oid, + GNUTLS_X509_DN_OID_RETURN_OID); + + STR_APPEND(ldap_desc); + STR_APPEND("="); + + result = + _gnutls_x509_dn_to_string(oid, tvd.data, + tvd.size, &td); + if (result < 0) { + gnutls_assert(); + _gnutls_debug_log + ("Cannot parse OID: '%s' with value '%s'\n", + oid, _gnutls_bin2hex(tvd.data, + tvd.size, + tmpbuffer3, + sizeof + (tmpbuffer3), + NULL)); + goto cleanup; + } + + DATA_APPEND(td.data, td.size); + _gnutls_free_datum(&td); + _gnutls_free_datum(&tvd); + } + while (1); + } + while (1); + + result = _gnutls_buffer_to_datum(&out_str, dn); + if (result < 0) + gnutls_assert(); + + goto cleanup1; + + cleanup: + _gnutls_buffer_clear(&out_str); + cleanup1: + _gnutls_free_datum(&td); + _gnutls_free_datum(&tvd); + return result; } @@ -211,50 +220,45 @@ cleanup1: * That is to point in the rndSequence. */ int -_gnutls_x509_parse_dn (ASN1_TYPE asn1_struct, - const char *asn1_rdn_name, char *buf, - size_t * buf_size) +_gnutls_x509_parse_dn(ASN1_TYPE asn1_struct, + const char *asn1_rdn_name, char *buf, + size_t * buf_size) { -int ret; -gnutls_datum_t dn; - - if (buf_size == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - if (*buf_size > 0 && buf) - buf[0] = 0; - else - *buf_size = 0; - - ret = _gnutls_x509_get_dn (asn1_struct, asn1_rdn_name, - &dn); - if (ret < 0) - return gnutls_assert_val(ret); - - if (dn.size >= (unsigned int) *buf_size) - { - gnutls_assert (); - *buf_size = dn.size + 1; - ret = GNUTLS_E_SHORT_MEMORY_BUFFER; - goto cleanup; - } - - if (buf) - { - memcpy(buf, dn.data, dn.size); - buf[dn.size] = 0; - *buf_size = dn.size; - } - else - *buf_size = dn.size + 1; - - ret = 0; -cleanup: - _gnutls_free_datum (&dn); - return ret; + int ret; + gnutls_datum_t dn; + + if (buf_size == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + if (*buf_size > 0 && buf) + buf[0] = 0; + else + *buf_size = 0; + + ret = _gnutls_x509_get_dn(asn1_struct, asn1_rdn_name, &dn); + if (ret < 0) + return gnutls_assert_val(ret); + + if (dn.size >= (unsigned int) *buf_size) { + gnutls_assert(); + *buf_size = dn.size + 1; + ret = GNUTLS_E_SHORT_MEMORY_BUFFER; + goto cleanup; + } + + if (buf) { + memcpy(buf, dn.data, dn.size); + buf[dn.size] = 0; + *buf_size = dn.size; + } else + *buf_size = dn.size + 1; + + ret = 0; + cleanup: + _gnutls_free_datum(&dn); + return ret; } /* Parses an X509 DN in the asn1_struct, and searches for the @@ -270,148 +274,155 @@ cleanup: * OID found, 1 the second etc. */ int -_gnutls_x509_parse_dn_oid (ASN1_TYPE asn1_struct, - const char *asn1_rdn_name, - const char *given_oid, int indx, - unsigned int raw_flag, - gnutls_datum_t* out) +_gnutls_x509_parse_dn_oid(ASN1_TYPE asn1_struct, + const char *asn1_rdn_name, + const char *given_oid, int indx, + unsigned int raw_flag, gnutls_datum_t * out) { - int k2, k1, result; - char tmpbuffer1[ASN1_MAX_NAME_SIZE]; - char tmpbuffer2[ASN1_MAX_NAME_SIZE]; - char tmpbuffer3[ASN1_MAX_NAME_SIZE]; - gnutls_datum_t td; - uint8_t value[256]; - char oid[MAX_OID_SIZE]; - int len; - int i = 0; - - k1 = 0; - do - { - - k1++; - /* create a string like "tbsCertList.issuer.rdnSequence.?1" - */ - if (asn1_rdn_name[0] != 0) - snprintf (tmpbuffer1, sizeof (tmpbuffer1), "%s.?%u", asn1_rdn_name, - k1); - else - snprintf (tmpbuffer1, sizeof (tmpbuffer1), "?%u", k1); - - len = sizeof (value) - 1; - result = asn1_read_value (asn1_struct, tmpbuffer1, value, &len); - - if (result == ASN1_ELEMENT_NOT_FOUND) - { - gnutls_assert (); - break; - } - - if (result != ASN1_VALUE_NOT_FOUND) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - - k2 = 0; - - do - { /* Move to the attibute type and values - */ - k2++; - - if (tmpbuffer1[0] != 0) - snprintf (tmpbuffer2, sizeof (tmpbuffer2), "%s.?%u", tmpbuffer1, - k2); - else - snprintf (tmpbuffer2, sizeof (tmpbuffer2), "?%u", k2); - - /* Try to read the RelativeDistinguishedName attributes. - */ - - len = sizeof (value) - 1; - result = asn1_read_value (asn1_struct, tmpbuffer2, value, &len); - - if (result == ASN1_ELEMENT_NOT_FOUND) - { - break; - } - if (result != ASN1_VALUE_NOT_FOUND) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - - /* Read the OID - */ - _gnutls_str_cpy (tmpbuffer3, sizeof (tmpbuffer3), tmpbuffer2); - _gnutls_str_cat (tmpbuffer3, sizeof (tmpbuffer3), ".type"); - - len = sizeof (oid) - 1; - result = asn1_read_value (asn1_struct, tmpbuffer3, oid, &len); - - if (result == ASN1_ELEMENT_NOT_FOUND) - break; - else if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - - if (strcmp (oid, given_oid) == 0 && indx == i++) - { /* Found the OID */ - - /* Read the Value - */ - _gnutls_str_cpy (tmpbuffer3, sizeof (tmpbuffer3), tmpbuffer2); - _gnutls_str_cat (tmpbuffer3, sizeof (tmpbuffer3), ".value"); - - result = _gnutls_x509_read_value(asn1_struct, tmpbuffer3, &td); - if (result < 0) - { - gnutls_assert (); - goto cleanup; - } - - if (raw_flag != 0) - { - out->data = td.data; - out->size = td.size; - return 0; - - } - else - { /* parse data. raw_flag == 0 */ - result = - _gnutls_x509_dn_to_string (oid, td.data, td.size, out); - - _gnutls_free_datum(&td); - if (result < 0) - { - gnutls_assert (); - goto cleanup; - } - - return 0; - - } /* raw_flag == 0 */ - } - } - while (1); - - } - while (1); - - gnutls_assert (); - - result = GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - -cleanup: - return result; + int k2, k1, result; + char tmpbuffer1[ASN1_MAX_NAME_SIZE]; + char tmpbuffer2[ASN1_MAX_NAME_SIZE]; + char tmpbuffer3[ASN1_MAX_NAME_SIZE]; + gnutls_datum_t td; + uint8_t value[256]; + char oid[MAX_OID_SIZE]; + int len; + int i = 0; + + k1 = 0; + do { + + k1++; + /* create a string like "tbsCertList.issuer.rdnSequence.?1" + */ + if (asn1_rdn_name[0] != 0) + snprintf(tmpbuffer1, sizeof(tmpbuffer1), "%s.?%u", + asn1_rdn_name, k1); + else + snprintf(tmpbuffer1, sizeof(tmpbuffer1), "?%u", + k1); + + len = sizeof(value) - 1; + result = + asn1_read_value(asn1_struct, tmpbuffer1, value, &len); + + if (result == ASN1_ELEMENT_NOT_FOUND) { + gnutls_assert(); + break; + } + + if (result != ASN1_VALUE_NOT_FOUND) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + k2 = 0; + + do { /* Move to the attibute type and values + */ + k2++; + + if (tmpbuffer1[0] != 0) + snprintf(tmpbuffer2, sizeof(tmpbuffer2), + "%s.?%u", tmpbuffer1, k2); + else + snprintf(tmpbuffer2, sizeof(tmpbuffer2), + "?%u", k2); + + /* Try to read the RelativeDistinguishedName attributes. + */ + + len = sizeof(value) - 1; + result = + asn1_read_value(asn1_struct, tmpbuffer2, value, + &len); + + if (result == ASN1_ELEMENT_NOT_FOUND) { + break; + } + if (result != ASN1_VALUE_NOT_FOUND) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + /* Read the OID + */ + _gnutls_str_cpy(tmpbuffer3, sizeof(tmpbuffer3), + tmpbuffer2); + _gnutls_str_cat(tmpbuffer3, sizeof(tmpbuffer3), + ".type"); + + len = sizeof(oid) - 1; + result = + asn1_read_value(asn1_struct, tmpbuffer3, oid, + &len); + + if (result == ASN1_ELEMENT_NOT_FOUND) + break; + else if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + if (strcmp(oid, given_oid) == 0 && indx == i++) { /* Found the OID */ + + /* Read the Value + */ + _gnutls_str_cpy(tmpbuffer3, + sizeof(tmpbuffer3), + tmpbuffer2); + _gnutls_str_cat(tmpbuffer3, + sizeof(tmpbuffer3), + ".value"); + + result = + _gnutls_x509_read_value(asn1_struct, + tmpbuffer3, + &td); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + if (raw_flag != 0) { + out->data = td.data; + out->size = td.size; + return 0; + + } else { /* parse data. raw_flag == 0 */ + result = + _gnutls_x509_dn_to_string(oid, + td. + data, + td. + size, + out); + + _gnutls_free_datum(&td); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + return 0; + + } /* raw_flag == 0 */ + } + } + while (1); + + } + while (1); + + gnutls_assert(); + + result = GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + + cleanup: + return result; } @@ -425,124 +436,125 @@ cleanup: * OID found, 1 the second etc. */ int -_gnutls_x509_get_dn_oid (ASN1_TYPE asn1_struct, - const char *asn1_rdn_name, - int indx, void *_oid, size_t * sizeof_oid) +_gnutls_x509_get_dn_oid(ASN1_TYPE asn1_struct, + const char *asn1_rdn_name, + int indx, void *_oid, size_t * sizeof_oid) { - int k2, k1, result; - char tmpbuffer1[ASN1_MAX_NAME_SIZE]; - char tmpbuffer2[ASN1_MAX_NAME_SIZE]; - char tmpbuffer3[ASN1_MAX_NAME_SIZE]; - char value[256]; - char oid[MAX_OID_SIZE]; - int len; - int i = 0; - - k1 = 0; - do - { - - k1++; - /* create a string like "tbsCertList.issuer.rdnSequence.?1" - */ - if (asn1_rdn_name[0] != 0) - snprintf (tmpbuffer1, sizeof (tmpbuffer1), "%s.?%u", asn1_rdn_name, - k1); - else - snprintf (tmpbuffer1, sizeof (tmpbuffer1), "?%u", k1); - - len = sizeof (value) - 1; - result = asn1_read_value (asn1_struct, tmpbuffer1, value, &len); - - if (result == ASN1_ELEMENT_NOT_FOUND) - { - gnutls_assert (); - break; - } - - if (result != ASN1_VALUE_NOT_FOUND) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - - k2 = 0; - - do - { /* Move to the attibute type and values - */ - k2++; - - if (tmpbuffer1[0] != 0) - snprintf (tmpbuffer2, sizeof (tmpbuffer2), "%s.?%u", tmpbuffer1, - k2); - else - snprintf (tmpbuffer2, sizeof (tmpbuffer2), "?%u", k2); - - /* Try to read the RelativeDistinguishedName attributes. - */ - - len = sizeof (value) - 1; - result = asn1_read_value (asn1_struct, tmpbuffer2, value, &len); - - if (result == ASN1_ELEMENT_NOT_FOUND) - { - break; - } - if (result != ASN1_VALUE_NOT_FOUND) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - - /* Read the OID - */ - _gnutls_str_cpy (tmpbuffer3, sizeof (tmpbuffer3), tmpbuffer2); - _gnutls_str_cat (tmpbuffer3, sizeof (tmpbuffer3), ".type"); - - len = sizeof (oid) - 1; - result = asn1_read_value (asn1_struct, tmpbuffer3, oid, &len); - - if (result == ASN1_ELEMENT_NOT_FOUND) - break; - else if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - - if (indx == i++) - { /* Found the OID */ - - len = strlen (oid) + 1; - - if (*sizeof_oid < (unsigned) len) - { - *sizeof_oid = len; - gnutls_assert (); - return GNUTLS_E_SHORT_MEMORY_BUFFER; - } - - memcpy (_oid, oid, len); - *sizeof_oid = len - 1; - - return 0; - } - } - while (1); - - } - while (1); - - gnutls_assert (); - - result = GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - -cleanup: - return result; + int k2, k1, result; + char tmpbuffer1[ASN1_MAX_NAME_SIZE]; + char tmpbuffer2[ASN1_MAX_NAME_SIZE]; + char tmpbuffer3[ASN1_MAX_NAME_SIZE]; + char value[256]; + char oid[MAX_OID_SIZE]; + int len; + int i = 0; + + k1 = 0; + do { + + k1++; + /* create a string like "tbsCertList.issuer.rdnSequence.?1" + */ + if (asn1_rdn_name[0] != 0) + snprintf(tmpbuffer1, sizeof(tmpbuffer1), "%s.?%u", + asn1_rdn_name, k1); + else + snprintf(tmpbuffer1, sizeof(tmpbuffer1), "?%u", + k1); + + len = sizeof(value) - 1; + result = + asn1_read_value(asn1_struct, tmpbuffer1, value, &len); + + if (result == ASN1_ELEMENT_NOT_FOUND) { + gnutls_assert(); + break; + } + + if (result != ASN1_VALUE_NOT_FOUND) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + k2 = 0; + + do { /* Move to the attibute type and values + */ + k2++; + + if (tmpbuffer1[0] != 0) + snprintf(tmpbuffer2, sizeof(tmpbuffer2), + "%s.?%u", tmpbuffer1, k2); + else + snprintf(tmpbuffer2, sizeof(tmpbuffer2), + "?%u", k2); + + /* Try to read the RelativeDistinguishedName attributes. + */ + + len = sizeof(value) - 1; + result = + asn1_read_value(asn1_struct, tmpbuffer2, value, + &len); + + if (result == ASN1_ELEMENT_NOT_FOUND) { + break; + } + if (result != ASN1_VALUE_NOT_FOUND) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + /* Read the OID + */ + _gnutls_str_cpy(tmpbuffer3, sizeof(tmpbuffer3), + tmpbuffer2); + _gnutls_str_cat(tmpbuffer3, sizeof(tmpbuffer3), + ".type"); + + len = sizeof(oid) - 1; + result = + asn1_read_value(asn1_struct, tmpbuffer3, oid, + &len); + + if (result == ASN1_ELEMENT_NOT_FOUND) + break; + else if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + if (indx == i++) { /* Found the OID */ + + len = strlen(oid) + 1; + + if (*sizeof_oid < (unsigned) len) { + *sizeof_oid = len; + gnutls_assert(); + return + GNUTLS_E_SHORT_MEMORY_BUFFER; + } + + memcpy(_oid, oid, len); + *sizeof_oid = len - 1; + + return 0; + } + } + while (1); + + } + while (1); + + gnutls_assert(); + + result = GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + + cleanup: + return result; } /* This will write the AttributeTypeAndValue field. The data must be already DER encoded. @@ -550,39 +562,37 @@ cleanup: * In all cases only one value is written. */ static int -_gnutls_x509_write_attribute (const char *given_oid, - ASN1_TYPE asn1_struct, const char *where, - const void *_data, int sizeof_data) +_gnutls_x509_write_attribute(const char *given_oid, + ASN1_TYPE asn1_struct, const char *where, + const void *_data, int sizeof_data) { - char tmp[128]; - int result; - - /* write the data (value) - */ - - _gnutls_str_cpy (tmp, sizeof (tmp), where); - _gnutls_str_cat (tmp, sizeof (tmp), ".value"); - - result = asn1_write_value (asn1_struct, tmp, _data, sizeof_data); - if (result < 0) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - /* write the type - */ - _gnutls_str_cpy (tmp, sizeof (tmp), where); - _gnutls_str_cat (tmp, sizeof (tmp), ".type"); - - result = asn1_write_value (asn1_struct, tmp, given_oid, 1); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - return 0; + char tmp[128]; + int result; + + /* write the data (value) + */ + + _gnutls_str_cpy(tmp, sizeof(tmp), where); + _gnutls_str_cat(tmp, sizeof(tmp), ".value"); + + result = asn1_write_value(asn1_struct, tmp, _data, sizeof_data); + if (result < 0) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + /* write the type + */ + _gnutls_str_cpy(tmp, sizeof(tmp), where); + _gnutls_str_cat(tmp, sizeof(tmp), ".type"); + + result = asn1_write_value(asn1_struct, tmp, given_oid, 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + return 0; } @@ -595,49 +605,51 @@ _gnutls_x509_write_attribute (const char *given_oid, * The output is allocated and stored in value. */ int -_gnutls_x509_decode_and_read_attribute (ASN1_TYPE asn1_struct, - const char *where, char *oid, - int oid_size, gnutls_datum_t * value, - int multi, int octet_string) +_gnutls_x509_decode_and_read_attribute(ASN1_TYPE asn1_struct, + const char *where, char *oid, + int oid_size, + gnutls_datum_t * value, int multi, + int octet_string) { - char tmpbuffer[128]; - int len, result; - - /* Read the OID - */ - _gnutls_str_cpy (tmpbuffer, sizeof (tmpbuffer), where); - _gnutls_str_cat (tmpbuffer, sizeof (tmpbuffer), ".type"); - - len = oid_size - 1; - result = asn1_read_value (asn1_struct, tmpbuffer, oid, &len); - - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - return result; - } - - /* Read the Value - */ - - _gnutls_str_cpy (tmpbuffer, sizeof (tmpbuffer), where); - _gnutls_str_cat (tmpbuffer, sizeof (tmpbuffer), ".value"); - - if (multi) - _gnutls_str_cat (tmpbuffer, sizeof (tmpbuffer), "s.?1"); /* .values.?1 */ - - if (octet_string) - result = _gnutls_x509_read_string (asn1_struct, tmpbuffer, value, ASN1_ETYPE_OCTET_STRING); - else - result = _gnutls_x509_read_value (asn1_struct, tmpbuffer, value); - if (result < 0) - { - gnutls_assert (); - return result; - } - - return 0; + char tmpbuffer[128]; + int len, result; + + /* Read the OID + */ + _gnutls_str_cpy(tmpbuffer, sizeof(tmpbuffer), where); + _gnutls_str_cat(tmpbuffer, sizeof(tmpbuffer), ".type"); + + len = oid_size - 1; + result = asn1_read_value(asn1_struct, tmpbuffer, oid, &len); + + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + return result; + } + + /* Read the Value + */ + + _gnutls_str_cpy(tmpbuffer, sizeof(tmpbuffer), where); + _gnutls_str_cat(tmpbuffer, sizeof(tmpbuffer), ".value"); + + if (multi) + _gnutls_str_cat(tmpbuffer, sizeof(tmpbuffer), "s.?1"); /* .values.?1 */ + + if (octet_string) + result = + _gnutls_x509_read_string(asn1_struct, tmpbuffer, value, + ASN1_ETYPE_OCTET_STRING); + else + result = + _gnutls_x509_read_value(asn1_struct, tmpbuffer, value); + if (result < 0) { + gnutls_assert(); + return result; + } + + return 0; } @@ -649,79 +661,75 @@ _gnutls_x509_decode_and_read_attribute (ASN1_TYPE asn1_struct, * */ int -_gnutls_x509_set_dn_oid (ASN1_TYPE asn1_struct, - const char *asn1_name, const char *given_oid, - int raw_flag, const char *name, int sizeof_name) +_gnutls_x509_set_dn_oid(ASN1_TYPE asn1_struct, + const char *asn1_name, const char *given_oid, + int raw_flag, const char *name, int sizeof_name) { - int result; - char tmp[ASN1_MAX_NAME_SIZE], asn1_rdn_name[ASN1_MAX_NAME_SIZE]; - - if (sizeof_name == 0 || name == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - /* create the rdnSequence - */ - result = asn1_write_value (asn1_struct, asn1_name, "rdnSequence", 1); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - _gnutls_str_cpy (asn1_rdn_name, sizeof (asn1_rdn_name), asn1_name); - _gnutls_str_cat (asn1_rdn_name, sizeof (asn1_rdn_name), ".rdnSequence"); - - /* create a new element - */ - result = asn1_write_value (asn1_struct, asn1_rdn_name, "NEW", 1); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - _gnutls_str_cpy (tmp, sizeof (tmp), asn1_rdn_name); - _gnutls_str_cat (tmp, sizeof (tmp), ".?LAST"); - - /* create the set with only one element - */ - result = asn1_write_value (asn1_struct, tmp, "NEW", 1); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - - /* Encode and write the data - */ - _gnutls_str_cpy (tmp, sizeof (tmp), asn1_rdn_name); - _gnutls_str_cat (tmp, sizeof (tmp), ".?LAST.?LAST"); - - if (!raw_flag) - { - result = - _gnutls_x509_encode_and_write_attribute (given_oid, - asn1_struct, - tmp, name, sizeof_name, 0); - } - else - { - result = - _gnutls_x509_write_attribute (given_oid, asn1_struct, - tmp, name, sizeof_name); - } - - if (result < 0) - { - gnutls_assert (); - return result; - } - - return 0; + int result; + char tmp[ASN1_MAX_NAME_SIZE], asn1_rdn_name[ASN1_MAX_NAME_SIZE]; + + if (sizeof_name == 0 || name == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + /* create the rdnSequence + */ + result = + asn1_write_value(asn1_struct, asn1_name, "rdnSequence", 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + _gnutls_str_cpy(asn1_rdn_name, sizeof(asn1_rdn_name), asn1_name); + _gnutls_str_cat(asn1_rdn_name, sizeof(asn1_rdn_name), + ".rdnSequence"); + + /* create a new element + */ + result = asn1_write_value(asn1_struct, asn1_rdn_name, "NEW", 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + _gnutls_str_cpy(tmp, sizeof(tmp), asn1_rdn_name); + _gnutls_str_cat(tmp, sizeof(tmp), ".?LAST"); + + /* create the set with only one element + */ + result = asn1_write_value(asn1_struct, tmp, "NEW", 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + + /* Encode and write the data + */ + _gnutls_str_cpy(tmp, sizeof(tmp), asn1_rdn_name); + _gnutls_str_cat(tmp, sizeof(tmp), ".?LAST.?LAST"); + + if (!raw_flag) { + result = + _gnutls_x509_encode_and_write_attribute(given_oid, + asn1_struct, + tmp, name, + sizeof_name, + 0); + } else { + result = + _gnutls_x509_write_attribute(given_oid, asn1_struct, + tmp, name, sizeof_name); + } + + if (result < 0) { + gnutls_assert(); + return result; + } + + return 0; } /** @@ -738,23 +746,21 @@ _gnutls_x509_set_dn_oid (ASN1_TYPE asn1_struct, * * Since: 2.4.0 **/ -int -gnutls_x509_dn_init (gnutls_x509_dn_t * dn) +int gnutls_x509_dn_init(gnutls_x509_dn_t * dn) { - int result; - ASN1_TYPE tmpdn = ASN1_TYPE_EMPTY; + int result; + ASN1_TYPE tmpdn = ASN1_TYPE_EMPTY; - if ((result = - asn1_create_element (_gnutls_get_pkix (), - "PKIX1.Name", &tmpdn)) != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } + if ((result = + asn1_create_element(_gnutls_get_pkix(), + "PKIX1.Name", &tmpdn)) != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } - *dn = tmpdn; + *dn = tmpdn; - return 0; + return 0; } /** @@ -772,23 +778,21 @@ gnutls_x509_dn_init (gnutls_x509_dn_t * dn) * * Since: 2.4.0 **/ -int -gnutls_x509_dn_import (gnutls_x509_dn_t dn, const gnutls_datum_t * data) +int gnutls_x509_dn_import(gnutls_x509_dn_t dn, const gnutls_datum_t * data) { - int result; - char err[ASN1_MAX_ERROR_DESCRIPTION_SIZE]; - - result = asn1_der_decoding ((ASN1_TYPE *) & dn, - data->data, data->size, err); - if (result != ASN1_SUCCESS) - { - /* couldn't decode DER */ - _gnutls_debug_log ("ASN.1 Decoding error: %s\n", err); - gnutls_assert (); - return _gnutls_asn2err (result); - } - - return 0; + int result; + char err[ASN1_MAX_ERROR_DESCRIPTION_SIZE]; + + result = asn1_der_decoding((ASN1_TYPE *) & dn, + data->data, data->size, err); + if (result != ASN1_SUCCESS) { + /* couldn't decode DER */ + _gnutls_debug_log("ASN.1 Decoding error: %s\n", err); + gnutls_assert(); + return _gnutls_asn2err(result); + } + + return 0; } /** @@ -800,10 +804,9 @@ gnutls_x509_dn_import (gnutls_x509_dn_t dn, const gnutls_datum_t * data) * * Since: 2.4.0 **/ -void -gnutls_x509_dn_deinit (gnutls_x509_dn_t dn) +void gnutls_x509_dn_deinit(gnutls_x509_dn_t dn) { - asn1_delete_structure ((ASN1_TYPE *) & dn); + asn1_delete_structure((ASN1_TYPE *) & dn); } /** @@ -822,43 +825,40 @@ gnutls_x509_dn_deinit (gnutls_x509_dn_t dn) * negative error value. **/ int -gnutls_x509_rdn_get (const gnutls_datum_t * idn, - char *buf, size_t * buf_size) +gnutls_x509_rdn_get(const gnutls_datum_t * idn, + char *buf, size_t * buf_size) { - int result; - ASN1_TYPE dn = ASN1_TYPE_EMPTY; + int result; + ASN1_TYPE dn = ASN1_TYPE_EMPTY; - if (buf_size == 0) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } + if (buf_size == 0) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - if (buf) - buf[0] = 0; + if (buf) + buf[0] = 0; - if ((result = - asn1_create_element (_gnutls_get_pkix (), - "PKIX1.Name", &dn)) != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } + if ((result = + asn1_create_element(_gnutls_get_pkix(), + "PKIX1.Name", &dn)) != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } - result = asn1_der_decoding (&dn, idn->data, idn->size, NULL); - if (result != ASN1_SUCCESS) - { - /* couldn't decode DER */ - gnutls_assert (); - asn1_delete_structure (&dn); - return _gnutls_asn2err (result); - } + result = asn1_der_decoding(&dn, idn->data, idn->size, NULL); + if (result != ASN1_SUCCESS) { + /* couldn't decode DER */ + gnutls_assert(); + asn1_delete_structure(&dn); + return _gnutls_asn2err(result); + } - result = _gnutls_x509_parse_dn (dn, "rdnSequence", buf, buf_size); + result = _gnutls_x509_parse_dn(dn, "rdnSequence", buf, buf_size); - asn1_delete_structure (&dn); - return result; + asn1_delete_structure(&dn); + return result; } @@ -882,45 +882,42 @@ gnutls_x509_rdn_get (const gnutls_datum_t * idn, * negative error value. **/ int -gnutls_x509_rdn_get_by_oid (const gnutls_datum_t * idn, const char *oid, - int indx, unsigned int raw_flag, - void *buf, size_t * buf_size) +gnutls_x509_rdn_get_by_oid(const gnutls_datum_t * idn, const char *oid, + int indx, unsigned int raw_flag, + void *buf, size_t * buf_size) { - int result; - ASN1_TYPE dn = ASN1_TYPE_EMPTY; - gnutls_datum_t td; - - if (buf_size == 0) - { - return GNUTLS_E_INVALID_REQUEST; - } - - if ((result = - asn1_create_element (_gnutls_get_pkix (), - "PKIX1.Name", &dn)) != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - result = asn1_der_decoding (&dn, idn->data, idn->size, NULL); - if (result != ASN1_SUCCESS) - { - /* couldn't decode DER */ - gnutls_assert (); - asn1_delete_structure (&dn); - return _gnutls_asn2err (result); - } - - result = - _gnutls_x509_parse_dn_oid (dn, "rdnSequence", oid, indx, - raw_flag, &td); - - asn1_delete_structure (&dn); - if (result < 0) - return gnutls_assert_val(result); - - return _gnutls_strdatum_to_buf (&td, buf, buf_size); + int result; + ASN1_TYPE dn = ASN1_TYPE_EMPTY; + gnutls_datum_t td; + + if (buf_size == 0) { + return GNUTLS_E_INVALID_REQUEST; + } + + if ((result = + asn1_create_element(_gnutls_get_pkix(), + "PKIX1.Name", &dn)) != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + result = asn1_der_decoding(&dn, idn->data, idn->size, NULL); + if (result != ASN1_SUCCESS) { + /* couldn't decode DER */ + gnutls_assert(); + asn1_delete_structure(&dn); + return _gnutls_asn2err(result); + } + + result = + _gnutls_x509_parse_dn_oid(dn, "rdnSequence", oid, indx, + raw_flag, &td); + + asn1_delete_structure(&dn); + if (result < 0) + return gnutls_assert_val(result); + + return _gnutls_strdatum_to_buf(&td, buf, buf_size); } /** @@ -941,38 +938,37 @@ gnutls_x509_rdn_get_by_oid (const gnutls_datum_t * idn, const char *oid, * Since: 2.4.0 **/ int -gnutls_x509_rdn_get_oid (const gnutls_datum_t * idn, - int indx, void *buf, size_t * buf_size) +gnutls_x509_rdn_get_oid(const gnutls_datum_t * idn, + int indx, void *buf, size_t * buf_size) { - int result; - ASN1_TYPE dn = ASN1_TYPE_EMPTY; - - if (buf_size == 0) - { - return GNUTLS_E_INVALID_REQUEST; - } - - if ((result = - asn1_create_element (_gnutls_get_pkix (), - "PKIX1.Name", &dn)) != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - result = asn1_der_decoding (&dn, idn->data, idn->size, NULL); - if (result != ASN1_SUCCESS) - { - /* couldn't decode DER */ - gnutls_assert (); - asn1_delete_structure (&dn); - return _gnutls_asn2err (result); - } - - result = _gnutls_x509_get_dn_oid (dn, "rdnSequence", indx, buf, buf_size); - - asn1_delete_structure (&dn); - return result; + int result; + ASN1_TYPE dn = ASN1_TYPE_EMPTY; + + if (buf_size == 0) { + return GNUTLS_E_INVALID_REQUEST; + } + + if ((result = + asn1_create_element(_gnutls_get_pkix(), + "PKIX1.Name", &dn)) != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + result = asn1_der_decoding(&dn, idn->data, idn->size, NULL); + if (result != ASN1_SUCCESS) { + /* couldn't decode DER */ + gnutls_assert(); + asn1_delete_structure(&dn); + return _gnutls_asn2err(result); + } + + result = + _gnutls_x509_get_dn_oid(dn, "rdnSequence", indx, buf, + buf_size); + + asn1_delete_structure(&dn); + return result; } /* @@ -982,21 +978,19 @@ gnutls_x509_rdn_get_oid (const gnutls_datum_t * idn, * a negative error code is returned to indicate error. */ int -_gnutls_x509_compare_raw_dn (const gnutls_datum_t * dn1, - const gnutls_datum_t * dn2) +_gnutls_x509_compare_raw_dn(const gnutls_datum_t * dn1, + const gnutls_datum_t * dn2) { - if (dn1->size != dn2->size) - { - gnutls_assert (); - return 0; - } - if (memcmp (dn1->data, dn2->data, dn2->size) != 0) - { - gnutls_assert (); - return 0; - } - return 1; /* they match */ + if (dn1->size != dn2->size) { + gnutls_assert(); + return 0; + } + if (memcmp(dn1->data, dn2->data, dn2->size) != 0) { + gnutls_assert(); + return 0; + } + return 1; /* they match */ } /** @@ -1020,21 +1014,21 @@ _gnutls_x509_compare_raw_dn (const gnutls_datum_t * dn1, * negative error value. **/ int -gnutls_x509_dn_export (gnutls_x509_dn_t dn, - gnutls_x509_crt_fmt_t format, void *output_data, - size_t * output_data_size) +gnutls_x509_dn_export(gnutls_x509_dn_t dn, + gnutls_x509_crt_fmt_t format, void *output_data, + size_t * output_data_size) { - ASN1_TYPE asn1 = dn; + ASN1_TYPE asn1 = dn; - if (asn1 == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } + if (asn1 == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - return _gnutls_x509_export_int_named (asn1, "rdnSequence", - format, "NAME", - output_data, output_data_size); + return _gnutls_x509_export_int_named(asn1, "rdnSequence", + format, "NAME", + output_data, + output_data_size); } /** @@ -1056,17 +1050,16 @@ gnutls_x509_dn_export (gnutls_x509_dn_t dn, * Since: 3.1.3 **/ int -gnutls_x509_dn_export2 (gnutls_x509_dn_t dn, - gnutls_x509_crt_fmt_t format, gnutls_datum_t *out) +gnutls_x509_dn_export2(gnutls_x509_dn_t dn, + gnutls_x509_crt_fmt_t format, gnutls_datum_t * out) { - ASN1_TYPE asn1 = dn; + ASN1_TYPE asn1 = dn; - if (asn1 == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } + if (asn1 == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - return _gnutls_x509_export_int_named2 (asn1, "rdnSequence", - format, "NAME", out); + return _gnutls_x509_export_int_named2(asn1, "rdnSequence", + format, "NAME", out); } diff --git a/lib/x509/extensions.c b/lib/x509/extensions.c index 80ed7f2669..4777931802 100644 --- a/lib/x509/extensions.c +++ b/lib/x509/extensions.c @@ -32,127 +32,122 @@ #include <gnutls_datum.h> int -get_extension (ASN1_TYPE asn, const char *root, - const char *extension_id, int indx, - gnutls_datum_t * ret, unsigned int *_critical) +get_extension(ASN1_TYPE asn, const char *root, + const char *extension_id, int indx, + gnutls_datum_t * ret, unsigned int *_critical) { - int k, result, len; - char name[ASN1_MAX_NAME_SIZE], name2[ASN1_MAX_NAME_SIZE]; - char str[1024]; - char str_critical[10]; - int critical = 0; - char extnID[128]; - gnutls_datum_t value; - int indx_counter = 0; - - ret->data = NULL; - ret->size = 0; - - k = 0; - do - { - k++; - - snprintf (name, sizeof (name), "%s.?%u", root, k); - - len = sizeof (str) - 1; - result = asn1_read_value (asn, name, str, &len); - - /* move to next - */ - - if (result == ASN1_ELEMENT_NOT_FOUND) - { - break; - } - - do - { - - _gnutls_str_cpy (name2, sizeof (name2), name); - _gnutls_str_cat (name2, sizeof (name2), ".extnID"); - - len = sizeof (extnID) - 1; - result = asn1_read_value (asn, name2, extnID, &len); - - if (result == ASN1_ELEMENT_NOT_FOUND) - { - gnutls_assert (); - break; - } - else if (result != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - /* Handle Extension - */ - if (strcmp (extnID, extension_id) == 0 && indx == indx_counter++) - { - /* extension was found - */ - - /* read the critical status. - */ - _gnutls_str_cpy (name2, sizeof (name2), name); - _gnutls_str_cat (name2, sizeof (name2), ".critical"); - - len = sizeof (str_critical); - result = asn1_read_value (asn, name2, str_critical, &len); - - if (result == ASN1_ELEMENT_NOT_FOUND) - { - gnutls_assert (); - break; - } - else if (result != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - if (str_critical[0] == 'T') - critical = 1; - else - critical = 0; - - /* read the value. - */ - _gnutls_str_cpy (name2, sizeof (name2), name); - _gnutls_str_cat (name2, sizeof (name2), ".extnValue"); - - result = _gnutls_x509_read_value (asn, name2, &value); - if (result < 0) - { - gnutls_assert (); - return result; - } - - ret->data = value.data; - ret->size = value.size; - - if (_critical) - *_critical = critical; - - return 0; - } - - - } - while (0); - } - while (1); - - if (result == ASN1_ELEMENT_NOT_FOUND) - { - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - } - else - { - gnutls_assert (); - return _gnutls_asn2err (result); - } + int k, result, len; + char name[ASN1_MAX_NAME_SIZE], name2[ASN1_MAX_NAME_SIZE]; + char str[1024]; + char str_critical[10]; + int critical = 0; + char extnID[128]; + gnutls_datum_t value; + int indx_counter = 0; + + ret->data = NULL; + ret->size = 0; + + k = 0; + do { + k++; + + snprintf(name, sizeof(name), "%s.?%u", root, k); + + len = sizeof(str) - 1; + result = asn1_read_value(asn, name, str, &len); + + /* move to next + */ + + if (result == ASN1_ELEMENT_NOT_FOUND) { + break; + } + + do { + + _gnutls_str_cpy(name2, sizeof(name2), name); + _gnutls_str_cat(name2, sizeof(name2), ".extnID"); + + len = sizeof(extnID) - 1; + result = asn1_read_value(asn, name2, extnID, &len); + + if (result == ASN1_ELEMENT_NOT_FOUND) { + gnutls_assert(); + break; + } else if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + /* Handle Extension + */ + if (strcmp(extnID, extension_id) == 0 + && indx == indx_counter++) { + /* extension was found + */ + + /* read the critical status. + */ + _gnutls_str_cpy(name2, sizeof(name2), + name); + _gnutls_str_cat(name2, sizeof(name2), + ".critical"); + + len = sizeof(str_critical); + result = + asn1_read_value(asn, name2, + str_critical, &len); + + if (result == ASN1_ELEMENT_NOT_FOUND) { + gnutls_assert(); + break; + } else if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + if (str_critical[0] == 'T') + critical = 1; + else + critical = 0; + + /* read the value. + */ + _gnutls_str_cpy(name2, sizeof(name2), + name); + _gnutls_str_cat(name2, sizeof(name2), + ".extnValue"); + + result = + _gnutls_x509_read_value(asn, name2, + &value); + if (result < 0) { + gnutls_assert(); + return result; + } + + ret->data = value.data; + ret->size = value.size; + + if (_critical) + *_critical = critical; + + return 0; + } + + + } + while (0); + } + while (1); + + if (result == ASN1_ELEMENT_NOT_FOUND) { + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + } else { + gnutls_assert(); + return _gnutls_asn2err(result); + } } /* This function will attempt to return the requested extension found in @@ -165,21 +160,23 @@ get_extension (ASN1_TYPE asn, const char *root, * be returned. */ int -_gnutls_x509_crt_get_extension (gnutls_x509_crt_t cert, - const char *extension_id, int indx, - gnutls_datum_t * ret, unsigned int *_critical) +_gnutls_x509_crt_get_extension(gnutls_x509_crt_t cert, + const char *extension_id, int indx, + gnutls_datum_t * ret, + unsigned int *_critical) { - return get_extension (cert->cert, "tbsCertificate.extensions", extension_id, - indx, ret, _critical); + return get_extension(cert->cert, "tbsCertificate.extensions", + extension_id, indx, ret, _critical); } int -_gnutls_x509_crl_get_extension (gnutls_x509_crl_t crl, - const char *extension_id, int indx, - gnutls_datum_t * ret, unsigned int *_critical) +_gnutls_x509_crl_get_extension(gnutls_x509_crl_t crl, + const char *extension_id, int indx, + gnutls_datum_t * ret, + unsigned int *_critical) { - return get_extension (crl->crl, "tbsCertList.crlExtensions", extension_id, - indx, ret, _critical); + return get_extension(crl->crl, "tbsCertList.crlExtensions", + extension_id, indx, ret, _critical); } @@ -190,87 +187,77 @@ _gnutls_x509_crl_get_extension (gnutls_x509_crl_t crl, * be returned. */ static int -get_extension_oid (ASN1_TYPE asn, const char *root, - int indx, void *oid, size_t * sizeof_oid) +get_extension_oid(ASN1_TYPE asn, const char *root, + int indx, void *oid, size_t * sizeof_oid) { - int k, result, len; - char name[ASN1_MAX_NAME_SIZE], name2[ASN1_MAX_NAME_SIZE]; - char str[1024]; - char extnID[128]; - int indx_counter = 0; - - k = 0; - do - { - k++; - - snprintf (name, sizeof (name), "%s.?%u", root, k); - - len = sizeof (str) - 1; - result = asn1_read_value (asn, name, str, &len); - - /* move to next - */ - - if (result == ASN1_ELEMENT_NOT_FOUND) - { - break; - } - - do - { - - _gnutls_str_cpy (name2, sizeof (name2), name); - _gnutls_str_cat (name2, sizeof (name2), ".extnID"); - - len = sizeof (extnID) - 1; - result = asn1_read_value (asn, name2, extnID, &len); - - if (result == ASN1_ELEMENT_NOT_FOUND) - { - gnutls_assert (); - break; - } - else if (result != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - /* Handle Extension - */ - if (indx == indx_counter++) - { - len = strlen (extnID) + 1; - - if (*sizeof_oid < (unsigned) len) - { - *sizeof_oid = len; - gnutls_assert (); - return GNUTLS_E_SHORT_MEMORY_BUFFER; - } - - memcpy (oid, extnID, len); - *sizeof_oid = len - 1; - - return 0; - } - - - } - while (0); - } - while (1); - - if (result == ASN1_ELEMENT_NOT_FOUND) - { - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - } - else - { - gnutls_assert (); - return _gnutls_asn2err (result); - } + int k, result, len; + char name[ASN1_MAX_NAME_SIZE], name2[ASN1_MAX_NAME_SIZE]; + char str[1024]; + char extnID[128]; + int indx_counter = 0; + + k = 0; + do { + k++; + + snprintf(name, sizeof(name), "%s.?%u", root, k); + + len = sizeof(str) - 1; + result = asn1_read_value(asn, name, str, &len); + + /* move to next + */ + + if (result == ASN1_ELEMENT_NOT_FOUND) { + break; + } + + do { + + _gnutls_str_cpy(name2, sizeof(name2), name); + _gnutls_str_cat(name2, sizeof(name2), ".extnID"); + + len = sizeof(extnID) - 1; + result = asn1_read_value(asn, name2, extnID, &len); + + if (result == ASN1_ELEMENT_NOT_FOUND) { + gnutls_assert(); + break; + } else if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + /* Handle Extension + */ + if (indx == indx_counter++) { + len = strlen(extnID) + 1; + + if (*sizeof_oid < (unsigned) len) { + *sizeof_oid = len; + gnutls_assert(); + return + GNUTLS_E_SHORT_MEMORY_BUFFER; + } + + memcpy(oid, extnID, len); + *sizeof_oid = len - 1; + + return 0; + } + + + } + while (0); + } + while (1); + + if (result == ASN1_ELEMENT_NOT_FOUND) { + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + } else { + gnutls_assert(); + return _gnutls_asn2err(result); + } } /* This function will attempt to return the requested extension OID found in @@ -280,19 +267,21 @@ get_extension_oid (ASN1_TYPE asn, const char *root, * be returned. */ int -_gnutls_x509_crt_get_extension_oid (gnutls_x509_crt_t cert, - int indx, void *oid, size_t * sizeof_oid) +_gnutls_x509_crt_get_extension_oid(gnutls_x509_crt_t cert, + int indx, void *oid, + size_t * sizeof_oid) { - return get_extension_oid (cert->cert, "tbsCertificate.extensions", indx, - oid, sizeof_oid); + return get_extension_oid(cert->cert, "tbsCertificate.extensions", + indx, oid, sizeof_oid); } int -_gnutls_x509_crl_get_extension_oid (gnutls_x509_crl_t crl, - int indx, void *oid, size_t * sizeof_oid) +_gnutls_x509_crl_get_extension_oid(gnutls_x509_crl_t crl, + int indx, void *oid, + size_t * sizeof_oid) { - return get_extension_oid (crl->crl, "tbsCertList.crlExtensions", indx, oid, - sizeof_oid); + return get_extension_oid(crl->crl, "tbsCertList.crlExtensions", + indx, oid, sizeof_oid); } /* This function will attempt to set the requested extension in @@ -301,192 +290,179 @@ _gnutls_x509_crl_get_extension_oid (gnutls_x509_crl_t crl, * Critical will be either 0 or 1. */ static int -add_extension (ASN1_TYPE asn, const char *root, const char *extension_id, - const gnutls_datum_t * ext_data, unsigned int critical) +add_extension(ASN1_TYPE asn, const char *root, const char *extension_id, + const gnutls_datum_t * ext_data, unsigned int critical) { - int result; - const char *str; - char name[ASN1_MAX_NAME_SIZE]; - - snprintf (name, sizeof (name), "%s", root); - - /* Add a new extension in the list. - */ - result = asn1_write_value (asn, name, "NEW", 1); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - if (root[0] != 0) - snprintf (name, sizeof (name), "%s.?LAST.extnID", root); - else - snprintf (name, sizeof (name), "?LAST.extnID"); - - result = asn1_write_value (asn, name, extension_id, 1); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - if (critical == 0) - str = "FALSE"; - else - str = "TRUE"; - - if (root[0] != 0) - snprintf (name, sizeof (name), "%s.?LAST.critical", root); - else - snprintf (name, sizeof (name), "?LAST.critical"); - - result = asn1_write_value (asn, name, str, 1); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - if (root[0] != 0) - snprintf (name, sizeof (name), "%s.?LAST.extnValue", root); - else - snprintf (name, sizeof (name), "?LAST.extnValue"); - - result = _gnutls_x509_write_value (asn, name, ext_data); - if (result < 0) - { - gnutls_assert (); - return result; - } - - return 0; + int result; + const char *str; + char name[ASN1_MAX_NAME_SIZE]; + + snprintf(name, sizeof(name), "%s", root); + + /* Add a new extension in the list. + */ + result = asn1_write_value(asn, name, "NEW", 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + if (root[0] != 0) + snprintf(name, sizeof(name), "%s.?LAST.extnID", root); + else + snprintf(name, sizeof(name), "?LAST.extnID"); + + result = asn1_write_value(asn, name, extension_id, 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + if (critical == 0) + str = "FALSE"; + else + str = "TRUE"; + + if (root[0] != 0) + snprintf(name, sizeof(name), "%s.?LAST.critical", root); + else + snprintf(name, sizeof(name), "?LAST.critical"); + + result = asn1_write_value(asn, name, str, 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + if (root[0] != 0) + snprintf(name, sizeof(name), "%s.?LAST.extnValue", root); + else + snprintf(name, sizeof(name), "?LAST.extnValue"); + + result = _gnutls_x509_write_value(asn, name, ext_data); + if (result < 0) { + gnutls_assert(); + return result; + } + + return 0; } /* Overwrite the given extension (using the index) * index here starts from one. */ static int -overwrite_extension (ASN1_TYPE asn, const char *root, unsigned int indx, - const gnutls_datum_t * ext_data, unsigned int critical) +overwrite_extension(ASN1_TYPE asn, const char *root, unsigned int indx, + const gnutls_datum_t * ext_data, unsigned int critical) { - char name[ASN1_MAX_NAME_SIZE], name2[ASN1_MAX_NAME_SIZE]; - const char *str; - int result; - - if (root[0] != 0) - snprintf (name, sizeof (name), "%s.?%u", root, indx); - else - snprintf (name, sizeof (name), "?%u", indx); - - if (critical == 0) - str = "FALSE"; - else - str = "TRUE"; - - _gnutls_str_cpy (name2, sizeof (name2), name); - _gnutls_str_cat (name2, sizeof (name2), ".critical"); - - result = asn1_write_value (asn, name2, str, 1); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - _gnutls_str_cpy (name2, sizeof (name2), name); - _gnutls_str_cat (name2, sizeof (name2), ".extnValue"); - - result = _gnutls_x509_write_value (asn, name2, ext_data); - if (result < 0) - { - gnutls_assert (); - return result; - } - - return 0; + char name[ASN1_MAX_NAME_SIZE], name2[ASN1_MAX_NAME_SIZE]; + const char *str; + int result; + + if (root[0] != 0) + snprintf(name, sizeof(name), "%s.?%u", root, indx); + else + snprintf(name, sizeof(name), "?%u", indx); + + if (critical == 0) + str = "FALSE"; + else + str = "TRUE"; + + _gnutls_str_cpy(name2, sizeof(name2), name); + _gnutls_str_cat(name2, sizeof(name2), ".critical"); + + result = asn1_write_value(asn, name2, str, 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + _gnutls_str_cpy(name2, sizeof(name2), name); + _gnutls_str_cat(name2, sizeof(name2), ".extnValue"); + + result = _gnutls_x509_write_value(asn, name2, ext_data); + if (result < 0) { + gnutls_assert(); + return result; + } + + return 0; } int -set_extension (ASN1_TYPE asn, const char *root, - const char *ext_id, - const gnutls_datum_t * ext_data, unsigned int critical) +set_extension(ASN1_TYPE asn, const char *root, + const char *ext_id, + const gnutls_datum_t * ext_data, unsigned int critical) { - int result; - int k, len; - char name[ASN1_MAX_NAME_SIZE], name2[ASN1_MAX_NAME_SIZE]; - char extnID[128]; - - /* Find the index of the given extension. - */ - k = 0; - do - { - k++; - - if (root[0] != 0) - snprintf (name, sizeof (name), "%s.?%u", root, k); - else - snprintf (name, sizeof (name), "?%u", k); - - len = sizeof (extnID) - 1; - result = asn1_read_value (asn, name, extnID, &len); - - /* move to next - */ - - if (result == ASN1_ELEMENT_NOT_FOUND) - { - break; - } - - do - { - - _gnutls_str_cpy (name2, sizeof (name2), name); - _gnutls_str_cat (name2, sizeof (name2), ".extnID"); - - len = sizeof (extnID) - 1; - result = asn1_read_value (asn, name2, extnID, &len); - - if (result == ASN1_ELEMENT_NOT_FOUND) - { - gnutls_assert (); - break; - } - else if (result != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - /* Handle Extension - */ - if (strcmp (extnID, ext_id) == 0) - { - /* extension was found - */ - return overwrite_extension (asn, root, k, ext_data, critical); - } - - - } - while (0); - } - while (1); - - if (result == ASN1_ELEMENT_NOT_FOUND) - { - return add_extension (asn, root, ext_id, ext_data, critical); - } - else - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - - return 0; + int result; + int k, len; + char name[ASN1_MAX_NAME_SIZE], name2[ASN1_MAX_NAME_SIZE]; + char extnID[128]; + + /* Find the index of the given extension. + */ + k = 0; + do { + k++; + + if (root[0] != 0) + snprintf(name, sizeof(name), "%s.?%u", root, k); + else + snprintf(name, sizeof(name), "?%u", k); + + len = sizeof(extnID) - 1; + result = asn1_read_value(asn, name, extnID, &len); + + /* move to next + */ + + if (result == ASN1_ELEMENT_NOT_FOUND) { + break; + } + + do { + + _gnutls_str_cpy(name2, sizeof(name2), name); + _gnutls_str_cat(name2, sizeof(name2), ".extnID"); + + len = sizeof(extnID) - 1; + result = asn1_read_value(asn, name2, extnID, &len); + + if (result == ASN1_ELEMENT_NOT_FOUND) { + gnutls_assert(); + break; + } else if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + /* Handle Extension + */ + if (strcmp(extnID, ext_id) == 0) { + /* extension was found + */ + return overwrite_extension(asn, root, k, + ext_data, + critical); + } + + + } + while (0); + } + while (1); + + if (result == ASN1_ELEMENT_NOT_FOUND) { + return add_extension(asn, root, ext_id, ext_data, + critical); + } else { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + + return 0; } /* This function will attempt to overwrite the requested extension with @@ -495,217 +471,211 @@ set_extension (ASN1_TYPE asn, const char *root, * Critical will be either 0 or 1. */ int -_gnutls_x509_crt_set_extension (gnutls_x509_crt_t cert, - const char *ext_id, - const gnutls_datum_t * ext_data, - unsigned int critical) +_gnutls_x509_crt_set_extension(gnutls_x509_crt_t cert, + const char *ext_id, + const gnutls_datum_t * ext_data, + unsigned int critical) { - return set_extension (cert->cert, "tbsCertificate.extensions", ext_id, - ext_data, critical); + return set_extension(cert->cert, "tbsCertificate.extensions", + ext_id, ext_data, critical); } int -_gnutls_x509_crl_set_extension (gnutls_x509_crl_t crl, - const char *ext_id, - const gnutls_datum_t * ext_data, - unsigned int critical) +_gnutls_x509_crl_set_extension(gnutls_x509_crl_t crl, + const char *ext_id, + const gnutls_datum_t * ext_data, + unsigned int critical) { - return set_extension (crl->crl, "tbsCertList.crlExtensions", ext_id, - ext_data, critical); + return set_extension(crl->crl, "tbsCertList.crlExtensions", ext_id, + ext_data, critical); } int -_gnutls_x509_crq_set_extension (gnutls_x509_crq_t crq, - const char *ext_id, - const gnutls_datum_t * ext_data, - unsigned int critical) +_gnutls_x509_crq_set_extension(gnutls_x509_crq_t crq, + const char *ext_id, + const gnutls_datum_t * ext_data, + unsigned int critical) { - unsigned char *extensions = NULL; - size_t extensions_size = 0; - gnutls_datum_t der; - ASN1_TYPE c2; - int result; - - result = gnutls_x509_crq_get_attribute_by_oid (crq, "1.2.840.113549.1.9.14", - 0, NULL, &extensions_size); - if (result == GNUTLS_E_SHORT_MEMORY_BUFFER) - { - extensions = gnutls_malloc (extensions_size); - if (extensions == NULL) - { - gnutls_assert (); - return GNUTLS_E_MEMORY_ERROR; - } - - result = gnutls_x509_crq_get_attribute_by_oid (crq, - "1.2.840.113549.1.9.14", - 0, extensions, - &extensions_size); - } - if (result < 0) - { - if (result == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) - { - extensions_size = 0; - } - else - { - gnutls_assert (); - gnutls_free (extensions); - return result; - } - } - - result = asn1_create_element (_gnutls_get_pkix (), "PKIX1.Extensions", &c2); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - gnutls_free (extensions); - return _gnutls_asn2err (result); - } - - if (extensions_size > 0) - { - result = asn1_der_decoding (&c2, extensions, extensions_size, NULL); - gnutls_free (extensions); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - asn1_delete_structure (&c2); - return _gnutls_asn2err (result); - } - } - - result = set_extension (c2, "", ext_id, ext_data, critical); - if (result < 0) - { - gnutls_assert (); - asn1_delete_structure (&c2); - return result; - } - - result = _gnutls_x509_der_encode (c2, "", &der, 0); - - asn1_delete_structure (&c2); - - if (result < 0) - { - gnutls_assert (); - return result; - } - - result = gnutls_x509_crq_set_attribute_by_oid (crq, "1.2.840.113549.1.9.14", - der.data, der.size); - gnutls_free (der.data); - if (result < 0) - { - gnutls_assert (); - return result; - } - - - return 0; + unsigned char *extensions = NULL; + size_t extensions_size = 0; + gnutls_datum_t der; + ASN1_TYPE c2; + int result; + + result = + gnutls_x509_crq_get_attribute_by_oid(crq, + "1.2.840.113549.1.9.14", + 0, NULL, + &extensions_size); + if (result == GNUTLS_E_SHORT_MEMORY_BUFFER) { + extensions = gnutls_malloc(extensions_size); + if (extensions == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + result = gnutls_x509_crq_get_attribute_by_oid(crq, + "1.2.840.113549.1.9.14", + 0, + extensions, + &extensions_size); + } + if (result < 0) { + if (result == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { + extensions_size = 0; + } else { + gnutls_assert(); + gnutls_free(extensions); + return result; + } + } + + result = + asn1_create_element(_gnutls_get_pkix(), "PKIX1.Extensions", + &c2); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + gnutls_free(extensions); + return _gnutls_asn2err(result); + } + + if (extensions_size > 0) { + result = + asn1_der_decoding(&c2, extensions, extensions_size, + NULL); + gnutls_free(extensions); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(&c2); + return _gnutls_asn2err(result); + } + } + + result = set_extension(c2, "", ext_id, ext_data, critical); + if (result < 0) { + gnutls_assert(); + asn1_delete_structure(&c2); + return result; + } + + result = _gnutls_x509_der_encode(c2, "", &der, 0); + + asn1_delete_structure(&c2); + + if (result < 0) { + gnutls_assert(); + return result; + } + + result = + gnutls_x509_crq_set_attribute_by_oid(crq, + "1.2.840.113549.1.9.14", + der.data, der.size); + gnutls_free(der.data); + if (result < 0) { + gnutls_assert(); + return result; + } + + + return 0; } /* Here we only extract the KeyUsage field, from the DER encoded * extension. */ int -_gnutls_x509_ext_extract_keyUsage (uint16_t * keyUsage, - uint8_t * extnValue, int extnValueLen) +_gnutls_x509_ext_extract_keyUsage(uint16_t * keyUsage, + uint8_t * extnValue, int extnValueLen) { - ASN1_TYPE ext = ASN1_TYPE_EMPTY; - int len, result; - uint8_t str[2]; - - str[0] = str[1] = 0; - *keyUsage = 0; - - if ((result = asn1_create_element - (_gnutls_get_pkix (), "PKIX1.KeyUsage", &ext)) != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - result = asn1_der_decoding (&ext, extnValue, extnValueLen, NULL); - - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - asn1_delete_structure (&ext); - return _gnutls_asn2err (result); - } - - len = sizeof (str); - result = asn1_read_value (ext, "", str, &len); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - asn1_delete_structure (&ext); - return 0; - } - - *keyUsage = str[0] | (str[1] << 8); - - asn1_delete_structure (&ext); - - return 0; + ASN1_TYPE ext = ASN1_TYPE_EMPTY; + int len, result; + uint8_t str[2]; + + str[0] = str[1] = 0; + *keyUsage = 0; + + if ((result = asn1_create_element + (_gnutls_get_pkix(), "PKIX1.KeyUsage", &ext)) != ASN1_SUCCESS) + { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + result = asn1_der_decoding(&ext, extnValue, extnValueLen, NULL); + + if (result != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(&ext); + return _gnutls_asn2err(result); + } + + len = sizeof(str); + result = asn1_read_value(ext, "", str, &len); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(&ext); + return 0; + } + + *keyUsage = str[0] | (str[1] << 8); + + asn1_delete_structure(&ext); + + return 0; } /* extract the basicConstraints from the DER encoded extension */ int -_gnutls_x509_ext_extract_basicConstraints (unsigned int *CA, - int *pathLenConstraint, - uint8_t * extnValue, - int extnValueLen) +_gnutls_x509_ext_extract_basicConstraints(unsigned int *CA, + int *pathLenConstraint, + uint8_t * extnValue, + int extnValueLen) { - ASN1_TYPE ext = ASN1_TYPE_EMPTY; - char str[128]; - int len, result; - - if ((result = asn1_create_element - (_gnutls_get_pkix (), "PKIX1.BasicConstraints", &ext)) != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - result = asn1_der_decoding (&ext, extnValue, extnValueLen, NULL); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - asn1_delete_structure (&ext); - return _gnutls_asn2err (result); - } - - if (pathLenConstraint) - { - result = _gnutls_x509_read_uint (ext, "pathLenConstraint", - (unsigned int*)pathLenConstraint); - if (result == GNUTLS_E_ASN1_ELEMENT_NOT_FOUND) - *pathLenConstraint = -1; - else if (result != GNUTLS_E_SUCCESS) - { - gnutls_assert (); - asn1_delete_structure (&ext); - return _gnutls_asn2err (result); - } - } - - /* the default value of cA is false. - */ - len = sizeof (str) - 1; - result = asn1_read_value (ext, "cA", str, &len); - if (result == ASN1_SUCCESS && strcmp (str, "TRUE") == 0) - *CA = 1; - else - *CA = 0; - - asn1_delete_structure (&ext); - - return 0; + ASN1_TYPE ext = ASN1_TYPE_EMPTY; + char str[128]; + int len, result; + + if ((result = asn1_create_element + (_gnutls_get_pkix(), "PKIX1.BasicConstraints", + &ext)) != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + result = asn1_der_decoding(&ext, extnValue, extnValueLen, NULL); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(&ext); + return _gnutls_asn2err(result); + } + + if (pathLenConstraint) { + result = _gnutls_x509_read_uint(ext, "pathLenConstraint", + (unsigned int *) + pathLenConstraint); + if (result == GNUTLS_E_ASN1_ELEMENT_NOT_FOUND) + *pathLenConstraint = -1; + else if (result != GNUTLS_E_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(&ext); + return _gnutls_asn2err(result); + } + } + + /* the default value of cA is false. + */ + len = sizeof(str) - 1; + result = asn1_read_value(ext, "cA", str, &len); + if (result == ASN1_SUCCESS && strcmp(str, "TRUE") == 0) + *CA = 1; + else + *CA = 0; + + asn1_delete_structure(&ext); + + return 0; } /* generate the basicConstraints in a DER encoded extension @@ -714,391 +684,364 @@ _gnutls_x509_ext_extract_basicConstraints (unsigned int *CA, * should not be present, >= 0 to indicate set values. */ int -_gnutls_x509_ext_gen_basicConstraints (int CA, - int pathLenConstraint, - gnutls_datum_t * der_ext) +_gnutls_x509_ext_gen_basicConstraints(int CA, + int pathLenConstraint, + gnutls_datum_t * der_ext) { - ASN1_TYPE ext = ASN1_TYPE_EMPTY; - const char *str; - int result; - - if (CA == 0) - str = "FALSE"; - else - str = "TRUE"; - - result = - asn1_create_element (_gnutls_get_pkix (), "PKIX1.BasicConstraints", &ext); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - result = asn1_write_value (ext, "cA", str, 1); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - asn1_delete_structure (&ext); - return _gnutls_asn2err (result); - } - - if (pathLenConstraint < 0) - { - result = asn1_write_value (ext, "pathLenConstraint", NULL, 0); - if (result < 0) - result = _gnutls_asn2err (result); - } - else - result = _gnutls_x509_write_uint32 (ext, "pathLenConstraint", - pathLenConstraint); - if (result < 0) - { - gnutls_assert (); - asn1_delete_structure (&ext); - return result; - } - - result = _gnutls_x509_der_encode (ext, "", der_ext, 0); - - asn1_delete_structure (&ext); - - if (result < 0) - { - gnutls_assert (); - return result; - } - - return 0; + ASN1_TYPE ext = ASN1_TYPE_EMPTY; + const char *str; + int result; + + if (CA == 0) + str = "FALSE"; + else + str = "TRUE"; + + result = + asn1_create_element(_gnutls_get_pkix(), + "PKIX1.BasicConstraints", &ext); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + result = asn1_write_value(ext, "cA", str, 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(&ext); + return _gnutls_asn2err(result); + } + + if (pathLenConstraint < 0) { + result = + asn1_write_value(ext, "pathLenConstraint", NULL, 0); + if (result < 0) + result = _gnutls_asn2err(result); + } else + result = + _gnutls_x509_write_uint32(ext, "pathLenConstraint", + pathLenConstraint); + if (result < 0) { + gnutls_assert(); + asn1_delete_structure(&ext); + return result; + } + + result = _gnutls_x509_der_encode(ext, "", der_ext, 0); + + asn1_delete_structure(&ext); + + if (result < 0) { + gnutls_assert(); + return result; + } + + return 0; } /* extract an INTEGER from the DER encoded extension */ int -_gnutls_x509_ext_extract_number (uint8_t * number, - size_t * _nr_size, - uint8_t * extnValue, int extnValueLen) +_gnutls_x509_ext_extract_number(uint8_t * number, + size_t * _nr_size, + uint8_t * extnValue, int extnValueLen) { - ASN1_TYPE ext = ASN1_TYPE_EMPTY; - int result; - int nr_size = *_nr_size; - - /* here it doesn't matter so much that we use CertificateSerialNumber. It is equal - * to using INTEGER. - */ - if ((result = asn1_create_element - (_gnutls_get_pkix (), "PKIX1.CertificateSerialNumber", - &ext)) != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - result = asn1_der_decoding (&ext, extnValue, extnValueLen, NULL); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - asn1_delete_structure (&ext); - return _gnutls_asn2err (result); - } - - /* the default value of cA is false. - */ - result = asn1_read_value (ext, "", number, &nr_size); - if (result != ASN1_SUCCESS) - result = _gnutls_asn2err (result); - else - result = 0; - - *_nr_size = nr_size; - - asn1_delete_structure (&ext); - - return result; + ASN1_TYPE ext = ASN1_TYPE_EMPTY; + int result; + int nr_size = *_nr_size; + + /* here it doesn't matter so much that we use CertificateSerialNumber. It is equal + * to using INTEGER. + */ + if ((result = asn1_create_element + (_gnutls_get_pkix(), "PKIX1.CertificateSerialNumber", + &ext)) != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + result = asn1_der_decoding(&ext, extnValue, extnValueLen, NULL); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(&ext); + return _gnutls_asn2err(result); + } + + /* the default value of cA is false. + */ + result = asn1_read_value(ext, "", number, &nr_size); + if (result != ASN1_SUCCESS) + result = _gnutls_asn2err(result); + else + result = 0; + + *_nr_size = nr_size; + + asn1_delete_structure(&ext); + + return result; } /* generate an INTEGER in a DER encoded extension */ int -_gnutls_x509_ext_gen_number (const uint8_t * number, size_t nr_size, - gnutls_datum_t * der_ext) +_gnutls_x509_ext_gen_number(const uint8_t * number, size_t nr_size, + gnutls_datum_t * der_ext) { - ASN1_TYPE ext = ASN1_TYPE_EMPTY; - int result; - - result = - asn1_create_element (_gnutls_get_pkix (), "PKIX1.CertificateSerialNumber", - &ext); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - result = asn1_write_value (ext, "", number, nr_size); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - asn1_delete_structure (&ext); - return _gnutls_asn2err (result); - } - - result = _gnutls_x509_der_encode (ext, "", der_ext, 0); - - asn1_delete_structure (&ext); - - if (result < 0) - { - gnutls_assert (); - return result; - } - - return 0; + ASN1_TYPE ext = ASN1_TYPE_EMPTY; + int result; + + result = + asn1_create_element(_gnutls_get_pkix(), + "PKIX1.CertificateSerialNumber", &ext); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + result = asn1_write_value(ext, "", number, nr_size); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(&ext); + return _gnutls_asn2err(result); + } + + result = _gnutls_x509_der_encode(ext, "", der_ext, 0); + + asn1_delete_structure(&ext); + + if (result < 0) { + gnutls_assert(); + return result; + } + + return 0; } /* generate the keyUsage in a DER encoded extension * Use an ORed SEQUENCE of GNUTLS_KEY_* for usage. */ -int -_gnutls_x509_ext_gen_keyUsage (uint16_t usage, gnutls_datum_t * der_ext) +int _gnutls_x509_ext_gen_keyUsage(uint16_t usage, gnutls_datum_t * der_ext) { - ASN1_TYPE ext = ASN1_TYPE_EMPTY; - int result; - uint8_t str[2]; - - result = asn1_create_element (_gnutls_get_pkix (), "PKIX1.KeyUsage", &ext); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - str[0] = usage & 0xff; - str[1] = usage >> 8; - - result = asn1_write_value (ext, "", str, 9); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - asn1_delete_structure (&ext); - return _gnutls_asn2err (result); - } - - result = _gnutls_x509_der_encode (ext, "", der_ext, 0); - - asn1_delete_structure (&ext); - - if (result < 0) - { - gnutls_assert (); - return result; - } - - return 0; + ASN1_TYPE ext = ASN1_TYPE_EMPTY; + int result; + uint8_t str[2]; + + result = + asn1_create_element(_gnutls_get_pkix(), "PKIX1.KeyUsage", + &ext); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + str[0] = usage & 0xff; + str[1] = usage >> 8; + + result = asn1_write_value(ext, "", str, 9); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(&ext); + return _gnutls_asn2err(result); + } + + result = _gnutls_x509_der_encode(ext, "", der_ext, 0); + + asn1_delete_structure(&ext); + + if (result < 0) { + gnutls_assert(); + return result; + } + + return 0; } static int -write_new_general_name (ASN1_TYPE ext, const char *ext_name, - gnutls_x509_subject_alt_name_t type, - const void *data, unsigned int data_size) +write_new_general_name(ASN1_TYPE ext, const char *ext_name, + gnutls_x509_subject_alt_name_t type, + const void *data, unsigned int data_size) { - const char *str; - int result; - char name[128]; - - result = asn1_write_value (ext, ext_name, "NEW", 1); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - switch (type) - { - case GNUTLS_SAN_DNSNAME: - str = "dNSName"; - break; - case GNUTLS_SAN_RFC822NAME: - str = "rfc822Name"; - break; - case GNUTLS_SAN_URI: - str = "uniformResourceIdentifier"; - break; - case GNUTLS_SAN_IPADDRESS: - str = "iPAddress"; - break; - default: - gnutls_assert (); - return GNUTLS_E_INTERNAL_ERROR; - } - - if (ext_name[0] == 0) - { /* no dot */ - _gnutls_str_cpy (name, sizeof (name), "?LAST"); - } - else - { - _gnutls_str_cpy (name, sizeof (name), ext_name); - _gnutls_str_cat (name, sizeof (name), ".?LAST"); - } - - result = asn1_write_value (ext, name, str, 1); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - _gnutls_str_cat (name, sizeof (name), "."); - _gnutls_str_cat (name, sizeof (name), str); - - result = asn1_write_value (ext, name, data, data_size); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - asn1_delete_structure (&ext); - return _gnutls_asn2err (result); - } - - return 0; + const char *str; + int result; + char name[128]; + + result = asn1_write_value(ext, ext_name, "NEW", 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + switch (type) { + case GNUTLS_SAN_DNSNAME: + str = "dNSName"; + break; + case GNUTLS_SAN_RFC822NAME: + str = "rfc822Name"; + break; + case GNUTLS_SAN_URI: + str = "uniformResourceIdentifier"; + break; + case GNUTLS_SAN_IPADDRESS: + str = "iPAddress"; + break; + default: + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + + if (ext_name[0] == 0) { /* no dot */ + _gnutls_str_cpy(name, sizeof(name), "?LAST"); + } else { + _gnutls_str_cpy(name, sizeof(name), ext_name); + _gnutls_str_cat(name, sizeof(name), ".?LAST"); + } + + result = asn1_write_value(ext, name, str, 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + _gnutls_str_cat(name, sizeof(name), "."); + _gnutls_str_cat(name, sizeof(name), str); + + result = asn1_write_value(ext, name, data, data_size); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(&ext); + return _gnutls_asn2err(result); + } + + return 0; } /* Convert the given name to GeneralNames in a DER encoded extension. * This is the same as subject alternative name. */ int -_gnutls_x509_ext_gen_subject_alt_name (gnutls_x509_subject_alt_name_t - type, const void *data, - unsigned int data_size, - gnutls_datum_t * prev_der_ext, - gnutls_datum_t * der_ext) +_gnutls_x509_ext_gen_subject_alt_name(gnutls_x509_subject_alt_name_t + type, const void *data, + unsigned int data_size, + gnutls_datum_t * prev_der_ext, + gnutls_datum_t * der_ext) { - ASN1_TYPE ext = ASN1_TYPE_EMPTY; - int result; - - result = - asn1_create_element (_gnutls_get_pkix (), "PKIX1.GeneralNames", &ext); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - if (prev_der_ext != NULL && prev_der_ext->data != NULL - && prev_der_ext->size != 0) - { - result = - asn1_der_decoding (&ext, prev_der_ext->data, prev_der_ext->size, - NULL); - - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - asn1_delete_structure (&ext); - return _gnutls_asn2err (result); - } - } - - result = write_new_general_name (ext, "", type, data, data_size); - if (result < 0) - { - gnutls_assert (); - asn1_delete_structure (&ext); - return result; - } - - result = _gnutls_x509_der_encode (ext, "", der_ext, 0); - - asn1_delete_structure (&ext); - - if (result < 0) - { - gnutls_assert (); - return result; - } - - return 0; + ASN1_TYPE ext = ASN1_TYPE_EMPTY; + int result; + + result = + asn1_create_element(_gnutls_get_pkix(), "PKIX1.GeneralNames", + &ext); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + if (prev_der_ext != NULL && prev_der_ext->data != NULL + && prev_der_ext->size != 0) { + result = + asn1_der_decoding(&ext, prev_der_ext->data, + prev_der_ext->size, NULL); + + if (result != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(&ext); + return _gnutls_asn2err(result); + } + } + + result = write_new_general_name(ext, "", type, data, data_size); + if (result < 0) { + gnutls_assert(); + asn1_delete_structure(&ext); + return result; + } + + result = _gnutls_x509_der_encode(ext, "", der_ext, 0); + + asn1_delete_structure(&ext); + + if (result < 0) { + gnutls_assert(); + return result; + } + + return 0; } /* generate the SubjectKeyID in a DER encoded extension */ int -_gnutls_x509_ext_gen_key_id (const void *id, size_t id_size, - gnutls_datum_t * der_ext) +_gnutls_x509_ext_gen_key_id(const void *id, size_t id_size, + gnutls_datum_t * der_ext) { - ASN1_TYPE ext = ASN1_TYPE_EMPTY; - int result; - - result = - asn1_create_element (_gnutls_get_pkix (), - "PKIX1.SubjectKeyIdentifier", &ext); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - result = asn1_write_value (ext, "", id, id_size); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - asn1_delete_structure (&ext); - return _gnutls_asn2err (result); - } - - result = _gnutls_x509_der_encode (ext, "", der_ext, 0); - - asn1_delete_structure (&ext); - - if (result < 0) - { - gnutls_assert (); - return result; - } - - return 0; + ASN1_TYPE ext = ASN1_TYPE_EMPTY; + int result; + + result = + asn1_create_element(_gnutls_get_pkix(), + "PKIX1.SubjectKeyIdentifier", &ext); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + result = asn1_write_value(ext, "", id, id_size); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(&ext); + return _gnutls_asn2err(result); + } + + result = _gnutls_x509_der_encode(ext, "", der_ext, 0); + + asn1_delete_structure(&ext); + + if (result < 0) { + gnutls_assert(); + return result; + } + + return 0; } /* generate the AuthorityKeyID in a DER encoded extension */ int -_gnutls_x509_ext_gen_auth_key_id (const void *id, size_t id_size, - gnutls_datum_t * der_ext) +_gnutls_x509_ext_gen_auth_key_id(const void *id, size_t id_size, + gnutls_datum_t * der_ext) { - ASN1_TYPE ext = ASN1_TYPE_EMPTY; - int result; - - result = - asn1_create_element (_gnutls_get_pkix (), - "PKIX1.AuthorityKeyIdentifier", &ext); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - result = asn1_write_value (ext, "keyIdentifier", id, id_size); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - asn1_delete_structure (&ext); - return _gnutls_asn2err (result); - } - - asn1_write_value (ext, "authorityCertIssuer", NULL, 0); - asn1_write_value (ext, "authorityCertSerialNumber", NULL, 0); - - result = _gnutls_x509_der_encode (ext, "", der_ext, 0); - - asn1_delete_structure (&ext); - - if (result < 0) - { - gnutls_assert (); - return result; - } - - return 0; + ASN1_TYPE ext = ASN1_TYPE_EMPTY; + int result; + + result = + asn1_create_element(_gnutls_get_pkix(), + "PKIX1.AuthorityKeyIdentifier", &ext); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + result = asn1_write_value(ext, "keyIdentifier", id, id_size); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(&ext); + return _gnutls_asn2err(result); + } + + asn1_write_value(ext, "authorityCertIssuer", NULL, 0); + asn1_write_value(ext, "authorityCertSerialNumber", NULL, 0); + + result = _gnutls_x509_der_encode(ext, "", der_ext, 0); + + asn1_delete_structure(&ext); + + if (result < 0) { + gnutls_assert(); + return result; + } + + return 0; } @@ -1108,253 +1051,233 @@ _gnutls_x509_ext_gen_auth_key_id (const void *id, size_t id_size, * */ int -_gnutls_x509_ext_gen_crl_dist_points (gnutls_x509_subject_alt_name_t - type, const void *data, - unsigned int data_size, - unsigned int reason_flags, - gnutls_datum_t * der_ext) +_gnutls_x509_ext_gen_crl_dist_points(gnutls_x509_subject_alt_name_t + type, const void *data, + unsigned int data_size, + unsigned int reason_flags, + gnutls_datum_t * der_ext) { - ASN1_TYPE ext = ASN1_TYPE_EMPTY; - gnutls_datum_t gnames = { NULL, 0 }; - int result; - uint8_t reasons[2]; - - reasons[0] = reason_flags & 0xff; - reasons[1] = reason_flags >> 8; - - result = - asn1_create_element (_gnutls_get_pkix (), - "PKIX1.CRLDistributionPoints", &ext); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - - result = asn1_write_value (ext, "", "NEW", 1); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - - if (reason_flags) - { - result = asn1_write_value (ext, "?LAST.reasons", reasons, 9); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - } - else - { - result = asn1_write_value (ext, "?LAST.reasons", NULL, 0); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - } - - result = asn1_write_value (ext, "?LAST.cRLIssuer", NULL, 0); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - - /* When used as type CHOICE. - */ - result = asn1_write_value (ext, "?LAST.distributionPoint", "fullName", 1); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - + ASN1_TYPE ext = ASN1_TYPE_EMPTY; + gnutls_datum_t gnames = { NULL, 0 }; + int result; + uint8_t reasons[2]; + + reasons[0] = reason_flags & 0xff; + reasons[1] = reason_flags >> 8; + + result = + asn1_create_element(_gnutls_get_pkix(), + "PKIX1.CRLDistributionPoints", &ext); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + result = asn1_write_value(ext, "", "NEW", 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + if (reason_flags) { + result = + asn1_write_value(ext, "?LAST.reasons", reasons, 9); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + } else { + result = asn1_write_value(ext, "?LAST.reasons", NULL, 0); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + } + + result = asn1_write_value(ext, "?LAST.cRLIssuer", NULL, 0); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + /* When used as type CHOICE. + */ + result = + asn1_write_value(ext, "?LAST.distributionPoint", "fullName", + 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } #if 0 - /* only needed in old code (where defined as SEQUENCE OF) */ - asn1_write_value (ext, - "?LAST.distributionPoint.nameRelativeToCRLIssuer", - NULL, 0); + /* only needed in old code (where defined as SEQUENCE OF) */ + asn1_write_value(ext, + "?LAST.distributionPoint.nameRelativeToCRLIssuer", + NULL, 0); #endif - result = - write_new_general_name (ext, "?LAST.distributionPoint.fullName", - type, data, data_size); - if (result < 0) - { - gnutls_assert (); - goto cleanup; - } + result = + write_new_general_name(ext, "?LAST.distributionPoint.fullName", + type, data, data_size); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } - result = _gnutls_x509_der_encode (ext, "", der_ext, 0); + result = _gnutls_x509_der_encode(ext, "", der_ext, 0); - if (result < 0) - { - gnutls_assert (); - goto cleanup; - } + if (result < 0) { + gnutls_assert(); + goto cleanup; + } - result = 0; + result = 0; -cleanup: - _gnutls_free_datum (&gnames); - asn1_delete_structure (&ext); + cleanup: + _gnutls_free_datum(&gnames); + asn1_delete_structure(&ext); - return result; + return result; } /* extract the proxyCertInfo from the DER encoded extension */ int -_gnutls_x509_ext_extract_proxyCertInfo (int *pathLenConstraint, - char **policyLanguage, - char **policy, - size_t * sizeof_policy, - uint8_t * extnValue, int extnValueLen) +_gnutls_x509_ext_extract_proxyCertInfo(int *pathLenConstraint, + char **policyLanguage, + char **policy, + size_t * sizeof_policy, + uint8_t * extnValue, + int extnValueLen) { - ASN1_TYPE ext = ASN1_TYPE_EMPTY; - int result; - gnutls_datum_t value; - - if ((result = asn1_create_element - (_gnutls_get_pkix (), "PKIX1.ProxyCertInfo", &ext)) != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - result = asn1_der_decoding (&ext, extnValue, extnValueLen, NULL); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - asn1_delete_structure (&ext); - return _gnutls_asn2err (result); - } - - if (pathLenConstraint) - { - result = _gnutls_x509_read_uint (ext, "pCPathLenConstraint", - (unsigned int*)pathLenConstraint); - if (result == GNUTLS_E_ASN1_ELEMENT_NOT_FOUND) - *pathLenConstraint = -1; - else if (result != GNUTLS_E_SUCCESS) - { - asn1_delete_structure (&ext); - return _gnutls_asn2err (result); - } - } - - result = _gnutls_x509_read_value (ext, "proxyPolicy.policyLanguage", - &value); - if (result < 0) - { - gnutls_assert (); - asn1_delete_structure (&ext); - return result; - } - - if (policyLanguage) - *policyLanguage = gnutls_strdup ((char*)value.data); - - result = _gnutls_x509_read_value (ext, "proxyPolicy.policy", &value); - if (result == GNUTLS_E_ASN1_ELEMENT_NOT_FOUND) - { - if (policy) - *policy = NULL; - if (sizeof_policy) - *sizeof_policy = 0; - } - else if (result < 0) - { - gnutls_assert (); - asn1_delete_structure (&ext); - return result; - } - else - { - if (policy) - *policy = (char*)value.data; - if (sizeof_policy) - *sizeof_policy = value.size; - } - - asn1_delete_structure (&ext); - - return 0; + ASN1_TYPE ext = ASN1_TYPE_EMPTY; + int result; + gnutls_datum_t value; + + if ((result = asn1_create_element + (_gnutls_get_pkix(), "PKIX1.ProxyCertInfo", + &ext)) != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + result = asn1_der_decoding(&ext, extnValue, extnValueLen, NULL); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(&ext); + return _gnutls_asn2err(result); + } + + if (pathLenConstraint) { + result = _gnutls_x509_read_uint(ext, "pCPathLenConstraint", + (unsigned int *) + pathLenConstraint); + if (result == GNUTLS_E_ASN1_ELEMENT_NOT_FOUND) + *pathLenConstraint = -1; + else if (result != GNUTLS_E_SUCCESS) { + asn1_delete_structure(&ext); + return _gnutls_asn2err(result); + } + } + + result = _gnutls_x509_read_value(ext, "proxyPolicy.policyLanguage", + &value); + if (result < 0) { + gnutls_assert(); + asn1_delete_structure(&ext); + return result; + } + + if (policyLanguage) + *policyLanguage = gnutls_strdup((char *) value.data); + + result = + _gnutls_x509_read_value(ext, "proxyPolicy.policy", &value); + if (result == GNUTLS_E_ASN1_ELEMENT_NOT_FOUND) { + if (policy) + *policy = NULL; + if (sizeof_policy) + *sizeof_policy = 0; + } else if (result < 0) { + gnutls_assert(); + asn1_delete_structure(&ext); + return result; + } else { + if (policy) + *policy = (char *) value.data; + if (sizeof_policy) + *sizeof_policy = value.size; + } + + asn1_delete_structure(&ext); + + return 0; } /* generate the proxyCertInfo in a DER encoded extension */ int -_gnutls_x509_ext_gen_proxyCertInfo (int pathLenConstraint, - const char *policyLanguage, - const char *policy, - size_t sizeof_policy, - gnutls_datum_t * der_ext) +_gnutls_x509_ext_gen_proxyCertInfo(int pathLenConstraint, + const char *policyLanguage, + const char *policy, + size_t sizeof_policy, + gnutls_datum_t * der_ext) { - ASN1_TYPE ext = ASN1_TYPE_EMPTY; - int result; - - result = asn1_create_element (_gnutls_get_pkix (), - "PKIX1.ProxyCertInfo", &ext); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - if (pathLenConstraint < 0) - { - result = asn1_write_value (ext, "pCPathLenConstraint", NULL, 0); - if (result < 0) - result = _gnutls_asn2err (result); - } - else - result = _gnutls_x509_write_uint32 (ext, "pCPathLenConstraint", - pathLenConstraint); - if (result < 0) - { - gnutls_assert (); - asn1_delete_structure (&ext); - return result; - } - - result = asn1_write_value (ext, "proxyPolicy.policyLanguage", - policyLanguage, 1); - if (result < 0) - { - gnutls_assert (); - asn1_delete_structure (&ext); - return _gnutls_asn2err (result); - } - - result = asn1_write_value (ext, "proxyPolicy.policy", - policy, sizeof_policy); - if (result < 0) - { - gnutls_assert (); - asn1_delete_structure (&ext); - return _gnutls_asn2err (result); - } - - result = _gnutls_x509_der_encode (ext, "", der_ext, 0); - - asn1_delete_structure (&ext); - - if (result < 0) - { - gnutls_assert (); - return result; - } - - return 0; + ASN1_TYPE ext = ASN1_TYPE_EMPTY; + int result; + + result = asn1_create_element(_gnutls_get_pkix(), + "PKIX1.ProxyCertInfo", &ext); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + if (pathLenConstraint < 0) { + result = + asn1_write_value(ext, "pCPathLenConstraint", NULL, 0); + if (result < 0) + result = _gnutls_asn2err(result); + } else + result = + _gnutls_x509_write_uint32(ext, "pCPathLenConstraint", + pathLenConstraint); + if (result < 0) { + gnutls_assert(); + asn1_delete_structure(&ext); + return result; + } + + result = asn1_write_value(ext, "proxyPolicy.policyLanguage", + policyLanguage, 1); + if (result < 0) { + gnutls_assert(); + asn1_delete_structure(&ext); + return _gnutls_asn2err(result); + } + + result = asn1_write_value(ext, "proxyPolicy.policy", + policy, sizeof_policy); + if (result < 0) { + gnutls_assert(); + asn1_delete_structure(&ext); + return _gnutls_asn2err(result); + } + + result = _gnutls_x509_der_encode(ext, "", der_ext, 0); + + asn1_delete_structure(&ext); + + if (result < 0) { + gnutls_assert(); + return result; + } + + return 0; } diff --git a/lib/x509/key_decode.c b/lib/x509/key_decode.c index b2267af5da..0a5e753eb8 100644 --- a/lib/x509/key_decode.c +++ b/lib/x509/key_decode.c @@ -30,15 +30,16 @@ #include <gnutls_num.h> #include <gnutls_ecc.h> -static int _gnutls_x509_read_rsa_pubkey (uint8_t * der, int dersize, - gnutls_pk_params_st* params); -static int _gnutls_x509_read_dsa_pubkey (uint8_t * der, int dersize, - gnutls_pk_params_st * params); -static int _gnutls_x509_read_ecc_pubkey (uint8_t * der, int dersize, - gnutls_pk_params_st * params); +static int _gnutls_x509_read_rsa_pubkey(uint8_t * der, int dersize, + gnutls_pk_params_st * params); +static int _gnutls_x509_read_dsa_pubkey(uint8_t * der, int dersize, + gnutls_pk_params_st * params); +static int _gnutls_x509_read_ecc_pubkey(uint8_t * der, int dersize, + gnutls_pk_params_st * params); static int -_gnutls_x509_read_dsa_params (uint8_t * der, int dersize, gnutls_pk_params_st * params); +_gnutls_x509_read_dsa_params(uint8_t * der, int dersize, + gnutls_pk_params_st * params); /* * some x509 certificate parsing functions that relate to MPI parameter @@ -46,48 +47,47 @@ _gnutls_x509_read_dsa_params (uint8_t * der, int dersize, gnutls_pk_params_st * * Returns 2 parameters (m,e). It does not set params_nr. */ int -_gnutls_x509_read_rsa_pubkey (uint8_t * der, int dersize, gnutls_pk_params_st * params) +_gnutls_x509_read_rsa_pubkey(uint8_t * der, int dersize, + gnutls_pk_params_st * params) { - int result; - ASN1_TYPE spk = ASN1_TYPE_EMPTY; - - if ((result = asn1_create_element - (_gnutls_get_gnutls_asn (), "GNUTLS.RSAPublicKey", &spk)) - != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - result = asn1_der_decoding (&spk, der, dersize, NULL); - - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - asn1_delete_structure (&spk); - return _gnutls_asn2err (result); - } - - - if ((result = _gnutls_x509_read_int (spk, "modulus", ¶ms->params[0])) < 0) - { - gnutls_assert (); - asn1_delete_structure (&spk); - return GNUTLS_E_ASN1_GENERIC_ERROR; - } - - if ((result = _gnutls_x509_read_int (spk, "publicExponent", - ¶ms->params[1])) < 0) - { - gnutls_assert (); - _gnutls_mpi_release (¶ms->params[0]); - asn1_delete_structure (&spk); - return GNUTLS_E_ASN1_GENERIC_ERROR; - } - - asn1_delete_structure (&spk); - - return 0; + int result; + ASN1_TYPE spk = ASN1_TYPE_EMPTY; + + if ((result = asn1_create_element + (_gnutls_get_gnutls_asn(), "GNUTLS.RSAPublicKey", &spk)) + != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + result = asn1_der_decoding(&spk, der, dersize, NULL); + + if (result != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(&spk); + return _gnutls_asn2err(result); + } + + + if ((result = + _gnutls_x509_read_int(spk, "modulus", + ¶ms->params[0])) < 0) { + gnutls_assert(); + asn1_delete_structure(&spk); + return GNUTLS_E_ASN1_GENERIC_ERROR; + } + + if ((result = _gnutls_x509_read_int(spk, "publicExponent", + ¶ms->params[1])) < 0) { + gnutls_assert(); + _gnutls_mpi_release(¶ms->params[0]); + asn1_delete_structure(&spk); + return GNUTLS_E_ASN1_GENERIC_ERROR; + } + + asn1_delete_structure(&spk); + + return 0; } @@ -97,13 +97,15 @@ _gnutls_x509_read_rsa_pubkey (uint8_t * der, int dersize, gnutls_pk_params_st * * Returns 2 parameters (m,e). It does not set params_nr. */ int -_gnutls_x509_read_ecc_pubkey (uint8_t * der, int dersize, gnutls_pk_params_st * params) +_gnutls_x509_read_ecc_pubkey(uint8_t * der, int dersize, + gnutls_pk_params_st * params) { /* Eventhough RFC5480 defines the public key to be an ECPoint (i.e. OCTET STRING), * it is actually copied in raw there. Why do they use ASN.1 anyway? */ - return _gnutls_ecc_ansi_x963_import (der, dersize, ¶ms->params[ECC_X], - ¶ms->params[ECC_Y]); + return _gnutls_ecc_ansi_x963_import(der, dersize, + ¶ms->params[ECC_X], + ¶ms->params[ECC_Y]); } @@ -112,65 +114,65 @@ _gnutls_x509_read_ecc_pubkey (uint8_t * der, int dersize, gnutls_pk_params_st * * params[0-2]. It does NOT set params_nr. */ static int -_gnutls_x509_read_dsa_params (uint8_t * der, int dersize, gnutls_pk_params_st * params) +_gnutls_x509_read_dsa_params(uint8_t * der, int dersize, + gnutls_pk_params_st * params) { - int result; - ASN1_TYPE spk = ASN1_TYPE_EMPTY; - - if ((result = asn1_create_element - (_gnutls_get_pkix (), "PKIX1.Dss-Parms", &spk)) != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - result = asn1_der_decoding (&spk, der, dersize, NULL); - - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - asn1_delete_structure (&spk); - return _gnutls_asn2err (result); - } - - /* FIXME: If the parameters are not included in the certificate - * then the issuer's parameters should be used. This is not - * done yet. - */ - - /* Read p */ - - if ((result = _gnutls_x509_read_int (spk, "p", ¶ms->params[0])) < 0) - { - gnutls_assert (); - asn1_delete_structure (&spk); - return GNUTLS_E_ASN1_GENERIC_ERROR; - } - - /* Read q */ - - if ((result = _gnutls_x509_read_int (spk, "q", ¶ms->params[1])) < 0) - { - gnutls_assert (); - asn1_delete_structure (&spk); - _gnutls_mpi_release (¶ms->params[0]); - return GNUTLS_E_ASN1_GENERIC_ERROR; - } - - /* Read g */ - - if ((result = _gnutls_x509_read_int (spk, "g", ¶ms->params[2])) < 0) - { - gnutls_assert (); - asn1_delete_structure (&spk); - _gnutls_mpi_release (¶ms->params[0]); - _gnutls_mpi_release (¶ms->params[1]); - return GNUTLS_E_ASN1_GENERIC_ERROR; - } - - asn1_delete_structure (&spk); - - return 0; + int result; + ASN1_TYPE spk = ASN1_TYPE_EMPTY; + + if ((result = asn1_create_element + (_gnutls_get_pkix(), "PKIX1.Dss-Parms", + &spk)) != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + result = asn1_der_decoding(&spk, der, dersize, NULL); + + if (result != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(&spk); + return _gnutls_asn2err(result); + } + + /* FIXME: If the parameters are not included in the certificate + * then the issuer's parameters should be used. This is not + * done yet. + */ + + /* Read p */ + + if ((result = + _gnutls_x509_read_int(spk, "p", ¶ms->params[0])) < 0) { + gnutls_assert(); + asn1_delete_structure(&spk); + return GNUTLS_E_ASN1_GENERIC_ERROR; + } + + /* Read q */ + + if ((result = + _gnutls_x509_read_int(spk, "q", ¶ms->params[1])) < 0) { + gnutls_assert(); + asn1_delete_structure(&spk); + _gnutls_mpi_release(¶ms->params[0]); + return GNUTLS_E_ASN1_GENERIC_ERROR; + } + + /* Read g */ + + if ((result = + _gnutls_x509_read_int(spk, "g", ¶ms->params[2])) < 0) { + gnutls_assert(); + asn1_delete_structure(&spk); + _gnutls_mpi_release(¶ms->params[0]); + _gnutls_mpi_release(¶ms->params[1]); + return GNUTLS_E_ASN1_GENERIC_ERROR; + } + + asn1_delete_structure(&spk); + + return 0; } @@ -178,99 +180,99 @@ _gnutls_x509_read_dsa_params (uint8_t * der, int dersize, gnutls_pk_params_st * * params[0-4]. It does NOT set params_nr. */ int -_gnutls_x509_read_ecc_params (uint8_t * der, int dersize, gnutls_pk_params_st * params) +_gnutls_x509_read_ecc_params(uint8_t * der, int dersize, + gnutls_pk_params_st * params) { - int ret; - ASN1_TYPE spk = ASN1_TYPE_EMPTY; - char oid[MAX_OID_SIZE]; - int oid_size; - - if ((ret = asn1_create_element - (_gnutls_get_gnutls_asn (), "GNUTLS.ECParameters", &spk)) != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (ret); - } - - ret = asn1_der_decoding (&spk, der, dersize, NULL); - - if (ret != ASN1_SUCCESS) - { - gnutls_assert (); - ret = _gnutls_asn2err (ret); - goto cleanup; - } - - /* Read curve */ - /* read the curve */ - oid_size = sizeof(oid); - ret = asn1_read_value(spk, "namedCurve", oid, &oid_size); - if (ret != ASN1_SUCCESS) - { - gnutls_assert (); - ret = _gnutls_asn2err (ret); - goto cleanup; - } - - params->flags = _gnutls_oid_to_ecc_curve(oid); - if (params->flags == GNUTLS_ECC_CURVE_INVALID) - { - _gnutls_debug_log("Curve %s is not supported\n", oid); - gnutls_assert(); - ret = GNUTLS_E_ECC_UNSUPPORTED_CURVE; - goto cleanup; - } - - ret = 0; - -cleanup: - - asn1_delete_structure (&spk); - - return ret; + int ret; + ASN1_TYPE spk = ASN1_TYPE_EMPTY; + char oid[MAX_OID_SIZE]; + int oid_size; + + if ((ret = asn1_create_element + (_gnutls_get_gnutls_asn(), "GNUTLS.ECParameters", + &spk)) != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(ret); + } + + ret = asn1_der_decoding(&spk, der, dersize, NULL); + + if (ret != ASN1_SUCCESS) { + gnutls_assert(); + ret = _gnutls_asn2err(ret); + goto cleanup; + } + + /* Read curve */ + /* read the curve */ + oid_size = sizeof(oid); + ret = asn1_read_value(spk, "namedCurve", oid, &oid_size); + if (ret != ASN1_SUCCESS) { + gnutls_assert(); + ret = _gnutls_asn2err(ret); + goto cleanup; + } + + params->flags = _gnutls_oid_to_ecc_curve(oid); + if (params->flags == GNUTLS_ECC_CURVE_INVALID) { + _gnutls_debug_log("Curve %s is not supported\n", oid); + gnutls_assert(); + ret = GNUTLS_E_ECC_UNSUPPORTED_CURVE; + goto cleanup; + } + + ret = 0; + + cleanup: + + asn1_delete_structure(&spk); + + return ret; } -int _gnutls_x509_read_pubkey (gnutls_pk_algorithm_t algo, uint8_t * der, int dersize, - gnutls_pk_params_st * params) +int _gnutls_x509_read_pubkey(gnutls_pk_algorithm_t algo, uint8_t * der, + int dersize, gnutls_pk_params_st * params) { -int ret; - - switch(algo) - { - case GNUTLS_PK_RSA: - ret = _gnutls_x509_read_rsa_pubkey(der, dersize, params); - if (ret >= 0) params->params_nr = RSA_PUBLIC_PARAMS; - break; - case GNUTLS_PK_DSA: - ret = _gnutls_x509_read_dsa_pubkey(der, dersize, params); - if (ret >= 0) params->params_nr = DSA_PUBLIC_PARAMS; - break; - case GNUTLS_PK_EC: - ret = _gnutls_x509_read_ecc_pubkey(der, dersize, params); - if (ret >= 0) params->params_nr = ECC_PUBLIC_PARAMS; - break; - default: - ret = gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE); - break; - } - return ret; + int ret; + + switch (algo) { + case GNUTLS_PK_RSA: + ret = _gnutls_x509_read_rsa_pubkey(der, dersize, params); + if (ret >= 0) + params->params_nr = RSA_PUBLIC_PARAMS; + break; + case GNUTLS_PK_DSA: + ret = _gnutls_x509_read_dsa_pubkey(der, dersize, params); + if (ret >= 0) + params->params_nr = DSA_PUBLIC_PARAMS; + break; + case GNUTLS_PK_EC: + ret = _gnutls_x509_read_ecc_pubkey(der, dersize, params); + if (ret >= 0) + params->params_nr = ECC_PUBLIC_PARAMS; + break; + default: + ret = gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE); + break; + } + return ret; } -int _gnutls_x509_read_pubkey_params (gnutls_pk_algorithm_t algo, uint8_t * der, int dersize, - gnutls_pk_params_st * params) +int _gnutls_x509_read_pubkey_params(gnutls_pk_algorithm_t algo, + uint8_t * der, int dersize, + gnutls_pk_params_st * params) { - switch(algo) - { - case GNUTLS_PK_RSA: - return 0; - case GNUTLS_PK_DSA: - return _gnutls_x509_read_dsa_params(der, dersize, params); - case GNUTLS_PK_EC: - return _gnutls_x509_read_ecc_params(der, dersize, params); - default: - return gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE); - } + switch (algo) { + case GNUTLS_PK_RSA: + return 0; + case GNUTLS_PK_DSA: + return _gnutls_x509_read_dsa_params(der, dersize, params); + case GNUTLS_PK_EC: + return _gnutls_x509_read_ecc_params(der, dersize, params); + default: + return gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE); + } } /* reads DSA's Y @@ -278,10 +280,10 @@ int _gnutls_x509_read_pubkey_params (gnutls_pk_algorithm_t algo, uint8_t * der, * only sets params[3] */ int -_gnutls_x509_read_dsa_pubkey (uint8_t * der, int dersize, gnutls_pk_params_st * params) +_gnutls_x509_read_dsa_pubkey(uint8_t * der, int dersize, + gnutls_pk_params_st * params) { - /* do not set a number */ - params->params_nr = 0; - return _gnutls_x509_read_der_int (der, dersize, ¶ms->params[3]); + /* do not set a number */ + params->params_nr = 0; + return _gnutls_x509_read_der_int(der, dersize, ¶ms->params[3]); } - diff --git a/lib/x509/key_encode.c b/lib/x509/key_encode.c index 47141093d5..b22c1b860a 100644 --- a/lib/x509/key_encode.c +++ b/lib/x509/key_encode.c @@ -32,12 +32,12 @@ #include <gnutls_mpi.h> #include <gnutls_ecc.h> -static int _gnutls_x509_write_rsa_pubkey (gnutls_pk_params_st * params, - gnutls_datum_t * der); -static int _gnutls_x509_write_dsa_params (gnutls_pk_params_st * params, - gnutls_datum_t * der); -static int _gnutls_x509_write_dsa_pubkey (gnutls_pk_params_st * params, - gnutls_datum_t * der); +static int _gnutls_x509_write_rsa_pubkey(gnutls_pk_params_st * params, + gnutls_datum_t * der); +static int _gnutls_x509_write_dsa_params(gnutls_pk_params_st * params, + gnutls_datum_t * der); +static int _gnutls_x509_write_dsa_pubkey(gnutls_pk_params_st * params, + gnutls_datum_t * der); /* * some x509 certificate functions that relate to MPI parameter @@ -47,57 +47,55 @@ static int _gnutls_x509_write_dsa_pubkey (gnutls_pk_params_st * params, * Allocates the space used to store the DER data. */ static int -_gnutls_x509_write_rsa_pubkey (gnutls_pk_params_st * params, - gnutls_datum_t * der) +_gnutls_x509_write_rsa_pubkey(gnutls_pk_params_st * params, + gnutls_datum_t * der) { - int result; - ASN1_TYPE spk = ASN1_TYPE_EMPTY; - - der->data = NULL; - der->size = 0; - - if (params->params_nr < RSA_PUBLIC_PARAMS) - { - gnutls_assert (); - result = GNUTLS_E_INVALID_REQUEST; - goto cleanup; - } - - if ((result = asn1_create_element - (_gnutls_get_gnutls_asn (), "GNUTLS.RSAPublicKey", &spk)) - != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - result = _gnutls_x509_write_int (spk, "modulus", params->params[0], 1); - if (result < 0) - { - gnutls_assert (); - goto cleanup; - } - - result = _gnutls_x509_write_int (spk, "publicExponent", params->params[1], 1); - if (result < 0) - { - gnutls_assert (); - goto cleanup; - } - - result = _gnutls_x509_der_encode (spk, "", der, 0); - if (result < 0) - { - gnutls_assert (); - goto cleanup; - } - - result = 0; - -cleanup: - asn1_delete_structure (&spk); - - return result; + int result; + ASN1_TYPE spk = ASN1_TYPE_EMPTY; + + der->data = NULL; + der->size = 0; + + if (params->params_nr < RSA_PUBLIC_PARAMS) { + gnutls_assert(); + result = GNUTLS_E_INVALID_REQUEST; + goto cleanup; + } + + if ((result = asn1_create_element + (_gnutls_get_gnutls_asn(), "GNUTLS.RSAPublicKey", &spk)) + != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + result = + _gnutls_x509_write_int(spk, "modulus", params->params[0], 1); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + result = + _gnutls_x509_write_int(spk, "publicExponent", + params->params[1], 1); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + result = _gnutls_x509_der_encode(spk, "", der, 0); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + result = 0; + + cleanup: + asn1_delete_structure(&spk); + + return result; } /* @@ -107,64 +105,66 @@ cleanup: * Allocates the space used to store the DER data. */ int -_gnutls_x509_write_ecc_pubkey (gnutls_pk_params_st * params, - gnutls_datum_t * der) +_gnutls_x509_write_ecc_pubkey(gnutls_pk_params_st * params, + gnutls_datum_t * der) { - int result; + int result; - der->data = NULL; - der->size = 0; + der->data = NULL; + der->size = 0; - if (params->params_nr < ECC_PUBLIC_PARAMS) - return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); + if (params->params_nr < ECC_PUBLIC_PARAMS) + return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); - result = _gnutls_ecc_ansi_x963_export(params->flags, params->params[ECC_X], params->params[ECC_Y], /*&out*/der); - if (result < 0) - return gnutls_assert_val(result); + result = + _gnutls_ecc_ansi_x963_export(params->flags, + params->params[ECC_X], + params->params[ECC_Y], /*&out */ + der); + if (result < 0) + return gnutls_assert_val(result); - return 0; + return 0; } int -_gnutls_x509_write_pubkey_params (gnutls_pk_algorithm_t algo, - gnutls_pk_params_st* params, - gnutls_datum_t * der) +_gnutls_x509_write_pubkey_params(gnutls_pk_algorithm_t algo, + gnutls_pk_params_st * params, + gnutls_datum_t * der) { - switch(algo) - { - case GNUTLS_PK_DSA: - return _gnutls_x509_write_dsa_params(params, der); - case GNUTLS_PK_RSA: - der->data = gnutls_malloc(ASN1_NULL_SIZE); - if (der->data == NULL) - return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); - - memcpy(der->data, ASN1_NULL, ASN1_NULL_SIZE); - der->size = ASN1_NULL_SIZE; - return 0; - case GNUTLS_PK_EC: - return _gnutls_x509_write_ecc_params(params, der); - default: - return gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE); - } + switch (algo) { + case GNUTLS_PK_DSA: + return _gnutls_x509_write_dsa_params(params, der); + case GNUTLS_PK_RSA: + der->data = gnutls_malloc(ASN1_NULL_SIZE); + if (der->data == NULL) + return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); + + memcpy(der->data, ASN1_NULL, ASN1_NULL_SIZE); + der->size = ASN1_NULL_SIZE; + return 0; + case GNUTLS_PK_EC: + return _gnutls_x509_write_ecc_params(params, der); + default: + return gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE); + } } int -_gnutls_x509_write_pubkey (gnutls_pk_algorithm_t algo, - gnutls_pk_params_st* params, - gnutls_datum_t * der) +_gnutls_x509_write_pubkey(gnutls_pk_algorithm_t algo, + gnutls_pk_params_st * params, + gnutls_datum_t * der) { - switch(algo) - { - case GNUTLS_PK_DSA: - return _gnutls_x509_write_dsa_pubkey(params, der); - case GNUTLS_PK_RSA: - return _gnutls_x509_write_rsa_pubkey(params, der); - case GNUTLS_PK_EC: - return _gnutls_x509_write_ecc_pubkey(params, der); - default: - return gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE); - } + switch (algo) { + case GNUTLS_PK_DSA: + return _gnutls_x509_write_dsa_pubkey(params, der); + case GNUTLS_PK_RSA: + return _gnutls_x509_write_rsa_pubkey(params, der); + case GNUTLS_PK_EC: + return _gnutls_x509_write_ecc_pubkey(params, der); + default: + return gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE); + } } /* @@ -174,63 +174,57 @@ _gnutls_x509_write_pubkey (gnutls_pk_algorithm_t algo, * Allocates the space used to store the DER data. */ static int -_gnutls_x509_write_dsa_params (gnutls_pk_params_st* params, - gnutls_datum_t * der) +_gnutls_x509_write_dsa_params(gnutls_pk_params_st * params, + gnutls_datum_t * der) { - int result; - ASN1_TYPE spk = ASN1_TYPE_EMPTY; - - der->data = NULL; - der->size = 0; - - if (params->params_nr < DSA_PUBLIC_PARAMS-1) - { - gnutls_assert (); - result = GNUTLS_E_INVALID_REQUEST; - goto cleanup; - } - - if ((result = asn1_create_element - (_gnutls_get_gnutls_asn (), "GNUTLS.DSAParameters", &spk)) - != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - result = _gnutls_x509_write_int (spk, "p", params->params[0], 1); - if (result < 0) - { - gnutls_assert (); - goto cleanup; - } - - result = _gnutls_x509_write_int (spk, "q", params->params[1], 1); - if (result < 0) - { - gnutls_assert (); - goto cleanup; - } - - result = _gnutls_x509_write_int (spk, "g", params->params[2], 1); - if (result < 0) - { - gnutls_assert (); - goto cleanup; - } - - result = _gnutls_x509_der_encode (spk, "", der, 0); - if (result < 0) - { - gnutls_assert (); - goto cleanup; - } - - result = 0; - -cleanup: - asn1_delete_structure (&spk); - return result; + int result; + ASN1_TYPE spk = ASN1_TYPE_EMPTY; + + der->data = NULL; + der->size = 0; + + if (params->params_nr < DSA_PUBLIC_PARAMS - 1) { + gnutls_assert(); + result = GNUTLS_E_INVALID_REQUEST; + goto cleanup; + } + + if ((result = asn1_create_element + (_gnutls_get_gnutls_asn(), "GNUTLS.DSAParameters", &spk)) + != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + result = _gnutls_x509_write_int(spk, "p", params->params[0], 1); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + result = _gnutls_x509_write_int(spk, "q", params->params[1], 1); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + result = _gnutls_x509_write_int(spk, "g", params->params[2], 1); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + result = _gnutls_x509_der_encode(spk, "", der, 0); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + result = 0; + + cleanup: + asn1_delete_structure(&spk); + return result; } /* @@ -240,62 +234,60 @@ cleanup: * Allocates the space used to store the DER data. */ int -_gnutls_x509_write_ecc_params (gnutls_pk_params_st* params, - gnutls_datum_t * der) +_gnutls_x509_write_ecc_params(gnutls_pk_params_st * params, + gnutls_datum_t * der) { - int result; - ASN1_TYPE spk = ASN1_TYPE_EMPTY; - const char* oid; - - der->data = NULL; - der->size = 0; - - if (params->params_nr < ECC_PUBLIC_PARAMS) - { - gnutls_assert (); - result = GNUTLS_E_INVALID_REQUEST; - goto cleanup; - } - - oid = _gnutls_ecc_curve_get_oid(params->flags); - if (oid == NULL) - return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); - - - if ((result = asn1_create_element - (_gnutls_get_gnutls_asn (), "GNUTLS.ECParameters", &spk)) - != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - if ((result = asn1_write_value (spk, "", "namedCurve", 1)) != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - - if ((result = asn1_write_value (spk, "namedCurve", oid, 1)) != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - - result = _gnutls_x509_der_encode (spk, "", der, 0); - if (result < 0) - { - gnutls_assert (); - goto cleanup; - } - - result = 0; - -cleanup: - asn1_delete_structure (&spk); - return result; + int result; + ASN1_TYPE spk = ASN1_TYPE_EMPTY; + const char *oid; + + der->data = NULL; + der->size = 0; + + if (params->params_nr < ECC_PUBLIC_PARAMS) { + gnutls_assert(); + result = GNUTLS_E_INVALID_REQUEST; + goto cleanup; + } + + oid = _gnutls_ecc_curve_get_oid(params->flags); + if (oid == NULL) + return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); + + + if ((result = asn1_create_element + (_gnutls_get_gnutls_asn(), "GNUTLS.ECParameters", &spk)) + != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + if ((result = + asn1_write_value(spk, "", "namedCurve", 1)) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + if ((result = + asn1_write_value(spk, "namedCurve", oid, + 1)) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + result = _gnutls_x509_der_encode(spk, "", der, 0); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + result = 0; + + cleanup: + asn1_delete_structure(&spk); + return result; } /* @@ -305,484 +297,466 @@ cleanup: * Allocates the space used to store the DER data. */ static int -_gnutls_x509_write_dsa_pubkey (gnutls_pk_params_st * params, - gnutls_datum_t * der) +_gnutls_x509_write_dsa_pubkey(gnutls_pk_params_st * params, + gnutls_datum_t * der) { - int result; - ASN1_TYPE spk = ASN1_TYPE_EMPTY; - - der->data = NULL; - der->size = 0; - - if (params->params_nr < DSA_PUBLIC_PARAMS) - { - gnutls_assert (); - result = GNUTLS_E_INVALID_REQUEST; - goto cleanup; - } - - if ((result = asn1_create_element - (_gnutls_get_gnutls_asn (), "GNUTLS.DSAPublicKey", &spk)) - != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - result = _gnutls_x509_write_int (spk, "", params->params[3], 1); - if (result < 0) - { - gnutls_assert (); - goto cleanup; - } - - result = _gnutls_x509_der_encode (spk, "", der, 0); - if (result < 0) - { - gnutls_assert (); - goto cleanup; - } - - result = 0; - -cleanup: - asn1_delete_structure (&spk); - return result; + int result; + ASN1_TYPE spk = ASN1_TYPE_EMPTY; + + der->data = NULL; + der->size = 0; + + if (params->params_nr < DSA_PUBLIC_PARAMS) { + gnutls_assert(); + result = GNUTLS_E_INVALID_REQUEST; + goto cleanup; + } + + if ((result = asn1_create_element + (_gnutls_get_gnutls_asn(), "GNUTLS.DSAPublicKey", &spk)) + != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + result = _gnutls_x509_write_int(spk, "", params->params[3], 1); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + result = _gnutls_x509_der_encode(spk, "", der, 0); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + result = 0; + + cleanup: + asn1_delete_structure(&spk); + return result; } /* Encodes the RSA parameters into an ASN.1 RSA private key structure. */ static int -_gnutls_asn1_encode_rsa (ASN1_TYPE * c2, gnutls_pk_params_st * params) +_gnutls_asn1_encode_rsa(ASN1_TYPE * c2, gnutls_pk_params_st * params) { - int result; - uint8_t null = '\0'; - gnutls_pk_params_st pk_params; - gnutls_datum_t m, e, d, p, q, u, exp1, exp2; - - gnutls_pk_params_init(&pk_params); - - memset (&m, 0, sizeof (m)); - memset (&p, 0, sizeof (p)); - memset (&q, 0, sizeof (q)); - memset (&p, 0, sizeof (p)); - memset (&u, 0, sizeof (u)); - memset (&e, 0, sizeof (e)); - memset (&d, 0, sizeof (d)); - memset (&exp1, 0, sizeof (exp1)); - memset (&exp2, 0, sizeof (exp2)); - - result = _gnutls_pk_params_copy (&pk_params, params); - if (result < 0) - { - gnutls_assert (); - return result; - } - - result = _gnutls_pk_fixup (GNUTLS_PK_RSA, GNUTLS_EXPORT, &pk_params); - if (result < 0) - { - gnutls_assert (); - goto cleanup; - } - - /* retrieve as data */ - - result = _gnutls_mpi_dprint_lz (pk_params.params[0], &m); - if (result < 0) - { - gnutls_assert (); - goto cleanup; - } - - result = _gnutls_mpi_dprint_lz (pk_params.params[1], &e); - if (result < 0) - { - gnutls_assert (); - goto cleanup; - } - - result = _gnutls_mpi_dprint_lz (pk_params.params[2], &d); - if (result < 0) - { - gnutls_assert (); - goto cleanup; - } - - result = _gnutls_mpi_dprint_lz (pk_params.params[3], &p); - if (result < 0) - { - gnutls_assert (); - goto cleanup; - } - - result = _gnutls_mpi_dprint_lz (pk_params.params[4], &q); - if (result < 0) - { - gnutls_assert (); - goto cleanup; - } - - result = _gnutls_mpi_dprint_lz (pk_params.params[5], &u); - if (result < 0) - { - gnutls_assert (); - goto cleanup; - } - - result = _gnutls_mpi_dprint_lz (pk_params.params[6], &exp1); - if (result < 0) - { - gnutls_assert (); - goto cleanup; - } - - result = _gnutls_mpi_dprint_lz (pk_params.params[7], &exp2); - if (result < 0) - { - gnutls_assert (); - goto cleanup; - } - - /* Ok. Now we have the data. Create the asn1 structures - */ - - /* first make sure that no previously allocated data are leaked */ - if (*c2 != ASN1_TYPE_EMPTY) - { - asn1_delete_structure (c2); - *c2 = ASN1_TYPE_EMPTY; - } - - if ((result = asn1_create_element - (_gnutls_get_gnutls_asn (), "GNUTLS.RSAPrivateKey", c2)) - != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - - /* Write PRIME - */ - if ((result = asn1_write_value (*c2, "modulus", - m.data, m.size)) != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - - if ((result = asn1_write_value (*c2, "publicExponent", - e.data, e.size)) != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - - if ((result = asn1_write_value (*c2, "privateExponent", - d.data, d.size)) != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - - if ((result = asn1_write_value (*c2, "prime1", - p.data, p.size)) != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - - if ((result = asn1_write_value (*c2, "prime2", - q.data, q.size)) != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - - if ((result = asn1_write_value (*c2, "coefficient", - u.data, u.size)) != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - - goto cleanup; - } - - if ((result = asn1_write_value (*c2, "exponent1", - exp1.data, exp1.size)) != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - - if ((result = asn1_write_value (*c2, "exponent2", - exp2.data, exp2.size)) != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - - if ((result = asn1_write_value (*c2, "otherPrimeInfos", - NULL, 0)) != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - - if ((result = asn1_write_value (*c2, "version", &null, 1)) != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - - result = 0; - -cleanup: - if (result != 0) - asn1_delete_structure (c2); - - gnutls_pk_params_release (&pk_params); - - _gnutls_free_datum (&m); - _gnutls_free_datum (&d); - _gnutls_free_datum (&e); - _gnutls_free_datum (&p); - _gnutls_free_datum (&q); - _gnutls_free_datum (&u); - _gnutls_free_datum (&exp1); - _gnutls_free_datum (&exp2); - - return result; + int result; + uint8_t null = '\0'; + gnutls_pk_params_st pk_params; + gnutls_datum_t m, e, d, p, q, u, exp1, exp2; + + gnutls_pk_params_init(&pk_params); + + memset(&m, 0, sizeof(m)); + memset(&p, 0, sizeof(p)); + memset(&q, 0, sizeof(q)); + memset(&p, 0, sizeof(p)); + memset(&u, 0, sizeof(u)); + memset(&e, 0, sizeof(e)); + memset(&d, 0, sizeof(d)); + memset(&exp1, 0, sizeof(exp1)); + memset(&exp2, 0, sizeof(exp2)); + + result = _gnutls_pk_params_copy(&pk_params, params); + if (result < 0) { + gnutls_assert(); + return result; + } + + result = + _gnutls_pk_fixup(GNUTLS_PK_RSA, GNUTLS_EXPORT, &pk_params); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + /* retrieve as data */ + + result = _gnutls_mpi_dprint_lz(pk_params.params[0], &m); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + result = _gnutls_mpi_dprint_lz(pk_params.params[1], &e); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + result = _gnutls_mpi_dprint_lz(pk_params.params[2], &d); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + result = _gnutls_mpi_dprint_lz(pk_params.params[3], &p); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + result = _gnutls_mpi_dprint_lz(pk_params.params[4], &q); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + result = _gnutls_mpi_dprint_lz(pk_params.params[5], &u); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + result = _gnutls_mpi_dprint_lz(pk_params.params[6], &exp1); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + result = _gnutls_mpi_dprint_lz(pk_params.params[7], &exp2); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + /* Ok. Now we have the data. Create the asn1 structures + */ + + /* first make sure that no previously allocated data are leaked */ + if (*c2 != ASN1_TYPE_EMPTY) { + asn1_delete_structure(c2); + *c2 = ASN1_TYPE_EMPTY; + } + + if ((result = asn1_create_element + (_gnutls_get_gnutls_asn(), "GNUTLS.RSAPrivateKey", c2)) + != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + /* Write PRIME + */ + if ((result = asn1_write_value(*c2, "modulus", + m.data, m.size)) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + if ((result = asn1_write_value(*c2, "publicExponent", + e.data, e.size)) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + if ((result = asn1_write_value(*c2, "privateExponent", + d.data, d.size)) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + if ((result = asn1_write_value(*c2, "prime1", + p.data, p.size)) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + if ((result = asn1_write_value(*c2, "prime2", + q.data, q.size)) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + if ((result = asn1_write_value(*c2, "coefficient", + u.data, u.size)) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + + goto cleanup; + } + + if ((result = asn1_write_value(*c2, "exponent1", + exp1.data, + exp1.size)) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + if ((result = asn1_write_value(*c2, "exponent2", + exp2.data, + exp2.size)) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + if ((result = asn1_write_value(*c2, "otherPrimeInfos", + NULL, 0)) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + if ((result = + asn1_write_value(*c2, "version", &null, 1)) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + result = 0; + + cleanup: + if (result != 0) + asn1_delete_structure(c2); + + gnutls_pk_params_release(&pk_params); + + _gnutls_free_datum(&m); + _gnutls_free_datum(&d); + _gnutls_free_datum(&e); + _gnutls_free_datum(&p); + _gnutls_free_datum(&q); + _gnutls_free_datum(&u); + _gnutls_free_datum(&exp1); + _gnutls_free_datum(&exp2); + + return result; } /* Encodes the ECC parameters into an ASN.1 ECPrivateKey structure. */ static int -_gnutls_asn1_encode_ecc (ASN1_TYPE * c2, gnutls_pk_params_st * params) +_gnutls_asn1_encode_ecc(ASN1_TYPE * c2, gnutls_pk_params_st * params) { - int ret; - uint8_t one = '\x01'; - gnutls_datum pubkey = { NULL, 0 }; - const char *oid; - - oid = _gnutls_ecc_curve_get_oid(params->flags); - - if (params->params_nr != ECC_PRIVATE_PARAMS || oid == NULL) - return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); - - ret = _gnutls_ecc_ansi_x963_export(params->flags, params->params[ECC_X], params->params[ECC_Y], &pubkey); - if (ret < 0) - return gnutls_assert_val(ret); - - /* Ok. Now we have the data. Create the asn1 structures - */ - - /* first make sure that no previously allocated data are leaked */ - if (*c2 != ASN1_TYPE_EMPTY) - { - asn1_delete_structure (c2); - *c2 = ASN1_TYPE_EMPTY; - } - - if ((ret = asn1_create_element - (_gnutls_get_gnutls_asn (), "GNUTLS.ECPrivateKey", c2)) - != ASN1_SUCCESS) - { - gnutls_assert (); - ret = _gnutls_asn2err (ret); - goto cleanup; - } - - if ((ret = asn1_write_value (*c2, "Version", &one, 1)) != ASN1_SUCCESS) - { - gnutls_assert (); - ret = _gnutls_asn2err (ret); - goto cleanup; - } - - ret = _gnutls_x509_write_int (*c2, "privateKey", params->params[ECC_K], 1); - if (ret < 0) - { - gnutls_assert (); - goto cleanup; - } - - if ((ret = asn1_write_value (*c2, "publicKey", pubkey.data, pubkey.size*8)) != ASN1_SUCCESS) - { - gnutls_assert (); - ret = _gnutls_asn2err (ret); - goto cleanup; - } - - /* write our choice */ - if ((ret = asn1_write_value (*c2, "parameters", "namedCurve", 1)) != ASN1_SUCCESS) - { - gnutls_assert (); - ret = _gnutls_asn2err (ret); - goto cleanup; - } - - if ((ret = asn1_write_value (*c2, "parameters.namedCurve", oid, 1)) != ASN1_SUCCESS) - { - gnutls_assert (); - ret = _gnutls_asn2err (ret); - goto cleanup; - } - - _gnutls_free_datum(&pubkey); - return 0; - -cleanup: - asn1_delete_structure (c2); - _gnutls_free_datum(&pubkey); - - return ret; + int ret; + uint8_t one = '\x01'; + gnutls_datum pubkey = { NULL, 0 }; + const char *oid; + + oid = _gnutls_ecc_curve_get_oid(params->flags); + + if (params->params_nr != ECC_PRIVATE_PARAMS || oid == NULL) + return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); + + ret = + _gnutls_ecc_ansi_x963_export(params->flags, + params->params[ECC_X], + params->params[ECC_Y], &pubkey); + if (ret < 0) + return gnutls_assert_val(ret); + + /* Ok. Now we have the data. Create the asn1 structures + */ + + /* first make sure that no previously allocated data are leaked */ + if (*c2 != ASN1_TYPE_EMPTY) { + asn1_delete_structure(c2); + *c2 = ASN1_TYPE_EMPTY; + } + + if ((ret = asn1_create_element + (_gnutls_get_gnutls_asn(), "GNUTLS.ECPrivateKey", c2)) + != ASN1_SUCCESS) { + gnutls_assert(); + ret = _gnutls_asn2err(ret); + goto cleanup; + } + + if ((ret = + asn1_write_value(*c2, "Version", &one, 1)) != ASN1_SUCCESS) { + gnutls_assert(); + ret = _gnutls_asn2err(ret); + goto cleanup; + } + + ret = + _gnutls_x509_write_int(*c2, "privateKey", + params->params[ECC_K], 1); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + + if ((ret = + asn1_write_value(*c2, "publicKey", pubkey.data, + pubkey.size * 8)) != ASN1_SUCCESS) { + gnutls_assert(); + ret = _gnutls_asn2err(ret); + goto cleanup; + } + + /* write our choice */ + if ((ret = + asn1_write_value(*c2, "parameters", "namedCurve", + 1)) != ASN1_SUCCESS) { + gnutls_assert(); + ret = _gnutls_asn2err(ret); + goto cleanup; + } + + if ((ret = + asn1_write_value(*c2, "parameters.namedCurve", oid, + 1)) != ASN1_SUCCESS) { + gnutls_assert(); + ret = _gnutls_asn2err(ret); + goto cleanup; + } + + _gnutls_free_datum(&pubkey); + return 0; + + cleanup: + asn1_delete_structure(c2); + _gnutls_free_datum(&pubkey); + + return ret; } /* Encodes the DSA parameters into an ASN.1 DSAPrivateKey structure. */ static int -_gnutls_asn1_encode_dsa (ASN1_TYPE * c2, gnutls_pk_params_st * params) +_gnutls_asn1_encode_dsa(ASN1_TYPE * c2, gnutls_pk_params_st * params) { - int result, i; - size_t size[DSA_PRIVATE_PARAMS], total; - uint8_t *p_data, *q_data, *g_data, *x_data, *y_data; - uint8_t *all_data = NULL, *p; - uint8_t null = '\0'; - - /* Read all the sizes */ - total = 0; - for (i = 0; i < DSA_PRIVATE_PARAMS; i++) - { - _gnutls_mpi_print_lz (params->params[i], NULL, &size[i]); - total += size[i]; - } - - /* Encoding phase. - * allocate data enough to hold everything - */ - all_data = gnutls_malloc (total); - if (all_data == NULL) - { - gnutls_assert (); - result = GNUTLS_E_MEMORY_ERROR; - goto cleanup; - } - - p = all_data; - p_data = p; - p += size[0]; - q_data = p; - p += size[1]; - g_data = p; - p += size[2]; - y_data = p; - p += size[3]; - x_data = p; - - _gnutls_mpi_print_lz (params->params[0], p_data, &size[0]); - _gnutls_mpi_print_lz (params->params[1], q_data, &size[1]); - _gnutls_mpi_print_lz (params->params[2], g_data, &size[2]); - _gnutls_mpi_print_lz (params->params[3], y_data, &size[3]); - _gnutls_mpi_print_lz (params->params[4], x_data, &size[4]); - - /* Ok. Now we have the data. Create the asn1 structures - */ - - /* first make sure that no previously allocated data are leaked */ - if (*c2 != ASN1_TYPE_EMPTY) - { - asn1_delete_structure (c2); - *c2 = ASN1_TYPE_EMPTY; - } - - if ((result = asn1_create_element - (_gnutls_get_gnutls_asn (), "GNUTLS.DSAPrivateKey", c2)) - != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - - /* Write PRIME - */ - if ((result = asn1_write_value (*c2, "p", p_data, size[0])) != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - - if ((result = asn1_write_value (*c2, "q", q_data, size[1])) != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - - if ((result = asn1_write_value (*c2, "g", g_data, size[2])) != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - - if ((result = asn1_write_value (*c2, "Y", y_data, size[3])) != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - - if ((result = asn1_write_value (*c2, "priv", - x_data, size[4])) != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - - gnutls_free (all_data); - - if ((result = asn1_write_value (*c2, "version", &null, 1)) != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - - return 0; - -cleanup: - asn1_delete_structure (c2); - gnutls_free (all_data); - - return result; + int result, i; + size_t size[DSA_PRIVATE_PARAMS], total; + uint8_t *p_data, *q_data, *g_data, *x_data, *y_data; + uint8_t *all_data = NULL, *p; + uint8_t null = '\0'; + + /* Read all the sizes */ + total = 0; + for (i = 0; i < DSA_PRIVATE_PARAMS; i++) { + _gnutls_mpi_print_lz(params->params[i], NULL, &size[i]); + total += size[i]; + } + + /* Encoding phase. + * allocate data enough to hold everything + */ + all_data = gnutls_malloc(total); + if (all_data == NULL) { + gnutls_assert(); + result = GNUTLS_E_MEMORY_ERROR; + goto cleanup; + } + + p = all_data; + p_data = p; + p += size[0]; + q_data = p; + p += size[1]; + g_data = p; + p += size[2]; + y_data = p; + p += size[3]; + x_data = p; + + _gnutls_mpi_print_lz(params->params[0], p_data, &size[0]); + _gnutls_mpi_print_lz(params->params[1], q_data, &size[1]); + _gnutls_mpi_print_lz(params->params[2], g_data, &size[2]); + _gnutls_mpi_print_lz(params->params[3], y_data, &size[3]); + _gnutls_mpi_print_lz(params->params[4], x_data, &size[4]); + + /* Ok. Now we have the data. Create the asn1 structures + */ + + /* first make sure that no previously allocated data are leaked */ + if (*c2 != ASN1_TYPE_EMPTY) { + asn1_delete_structure(c2); + *c2 = ASN1_TYPE_EMPTY; + } + + if ((result = asn1_create_element + (_gnutls_get_gnutls_asn(), "GNUTLS.DSAPrivateKey", c2)) + != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + /* Write PRIME + */ + if ((result = + asn1_write_value(*c2, "p", p_data, + size[0])) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + if ((result = + asn1_write_value(*c2, "q", q_data, + size[1])) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + if ((result = + asn1_write_value(*c2, "g", g_data, + size[2])) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + if ((result = + asn1_write_value(*c2, "Y", y_data, + size[3])) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + if ((result = asn1_write_value(*c2, "priv", + x_data, size[4])) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + gnutls_free(all_data); + + if ((result = + asn1_write_value(*c2, "version", &null, 1)) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + return 0; + + cleanup: + asn1_delete_structure(c2); + gnutls_free(all_data); + + return result; } -int _gnutls_asn1_encode_privkey (gnutls_pk_algorithm_t pk, ASN1_TYPE * c2, gnutls_pk_params_st * params) +int _gnutls_asn1_encode_privkey(gnutls_pk_algorithm_t pk, ASN1_TYPE * c2, + gnutls_pk_params_st * params) { - switch(pk) - { - case GNUTLS_PK_RSA: - return _gnutls_asn1_encode_rsa(c2, params); - case GNUTLS_PK_DSA: - return _gnutls_asn1_encode_dsa(c2, params); - case GNUTLS_PK_EC: - return _gnutls_asn1_encode_ecc(c2, params); - default: - return GNUTLS_E_UNIMPLEMENTED_FEATURE; - } + switch (pk) { + case GNUTLS_PK_RSA: + return _gnutls_asn1_encode_rsa(c2, params); + case GNUTLS_PK_DSA: + return _gnutls_asn1_encode_dsa(c2, params); + case GNUTLS_PK_EC: + return _gnutls_asn1_encode_ecc(c2, params); + default: + return GNUTLS_E_UNIMPLEMENTED_FEATURE; + } } diff --git a/lib/x509/mpi.c b/lib/x509/mpi.c index c737b10980..e5b9dddf8b 100644 --- a/lib/x509/mpi.c +++ b/lib/x509/mpi.c @@ -32,42 +32,38 @@ /* Reads an Integer from the DER encoded data */ -int -_gnutls_x509_read_der_int (uint8_t * der, int dersize, bigint_t * out) +int _gnutls_x509_read_der_int(uint8_t * der, int dersize, bigint_t * out) { - int result; - ASN1_TYPE spk = ASN1_TYPE_EMPTY; + int result; + ASN1_TYPE spk = ASN1_TYPE_EMPTY; - /* == INTEGER */ - if ((result = asn1_create_element - (_gnutls_get_gnutls_asn (), "GNUTLS.DSAPublicKey", - &spk)) != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } + /* == INTEGER */ + if ((result = asn1_create_element + (_gnutls_get_gnutls_asn(), "GNUTLS.DSAPublicKey", + &spk)) != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } - result = asn1_der_decoding (&spk, der, dersize, NULL); + result = asn1_der_decoding(&spk, der, dersize, NULL); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - asn1_delete_structure (&spk); - return _gnutls_asn2err (result); - } + if (result != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(&spk); + return _gnutls_asn2err(result); + } - /* Read Y */ + /* Read Y */ - if ((result = _gnutls_x509_read_int (spk, "", out)) < 0) - { - gnutls_assert (); - asn1_delete_structure (&spk); - return _gnutls_asn2err (result); - } + if ((result = _gnutls_x509_read_int(spk, "", out)) < 0) { + gnutls_assert(); + asn1_delete_structure(&spk); + return _gnutls_asn2err(result); + } - asn1_delete_structure (&spk); + asn1_delete_structure(&spk); - return 0; + return 0; } @@ -75,102 +71,100 @@ _gnutls_x509_read_der_int (uint8_t * der, int dersize, bigint_t * out) /* Extracts DSA and RSA parameters from a certificate. */ int -_gnutls_get_asn_mpis (ASN1_TYPE asn, const char *root, - gnutls_pk_params_st * params) +_gnutls_get_asn_mpis(ASN1_TYPE asn, const char *root, + gnutls_pk_params_st * params) { - int result; - char name[256]; - gnutls_datum_t tmp = { NULL, 0 }; - gnutls_pk_algorithm_t pk_algorithm; - - gnutls_pk_params_init(params); - - result = _gnutls_x509_get_pk_algorithm (asn, root, NULL); - if (result < 0) - { - gnutls_assert (); - return result; - } - - pk_algorithm = result; - - /* Read the algorithm's parameters - */ - _asnstr_append_name (name, sizeof (name), root, ".subjectPublicKey"); - result = _gnutls_x509_read_value (asn, name, &tmp); - - if (result < 0) - { - gnutls_assert (); - return result; - } - - if ((result = - _gnutls_x509_read_pubkey (pk_algorithm, tmp.data, tmp.size, params)) < 0) - { - gnutls_assert (); - goto error; - } - - /* Now read the parameters - */ - _gnutls_free_datum (&tmp); - - _asnstr_append_name (name, sizeof (name), root, - ".algorithm.parameters"); - - /* FIXME: If the parameters are not included in the certificate - * then the issuer's parameters should be used. This is not - * done yet. - */ - - if (pk_algorithm != GNUTLS_PK_RSA) /* RSA doesn't use parameters */ - { - result = _gnutls_x509_read_value (asn, name, &tmp); - if (result < 0) - { - gnutls_assert (); - goto error; - } - - if ((result = - _gnutls_x509_read_pubkey_params (pk_algorithm, tmp.data, tmp.size, params)) < 0) - { - gnutls_assert (); - goto error; - } - } - - result = 0; - -error: - _gnutls_free_datum (&tmp); - return result; + int result; + char name[256]; + gnutls_datum_t tmp = { NULL, 0 }; + gnutls_pk_algorithm_t pk_algorithm; + + gnutls_pk_params_init(params); + + result = _gnutls_x509_get_pk_algorithm(asn, root, NULL); + if (result < 0) { + gnutls_assert(); + return result; + } + + pk_algorithm = result; + + /* Read the algorithm's parameters + */ + _asnstr_append_name(name, sizeof(name), root, ".subjectPublicKey"); + result = _gnutls_x509_read_value(asn, name, &tmp); + + if (result < 0) { + gnutls_assert(); + return result; + } + + if ((result = + _gnutls_x509_read_pubkey(pk_algorithm, tmp.data, tmp.size, + params)) < 0) { + gnutls_assert(); + goto error; + } + + /* Now read the parameters + */ + _gnutls_free_datum(&tmp); + + _asnstr_append_name(name, sizeof(name), root, + ".algorithm.parameters"); + + /* FIXME: If the parameters are not included in the certificate + * then the issuer's parameters should be used. This is not + * done yet. + */ + + if (pk_algorithm != GNUTLS_PK_RSA) { /* RSA doesn't use parameters */ + result = _gnutls_x509_read_value(asn, name, &tmp); + if (result < 0) { + gnutls_assert(); + goto error; + } + + if ((result = + _gnutls_x509_read_pubkey_params(pk_algorithm, + tmp.data, tmp.size, + params)) < 0) { + gnutls_assert(); + goto error; + } + } + + result = 0; + + error: + _gnutls_free_datum(&tmp); + return result; } /* Extracts DSA and RSA parameters from a certificate. */ int -_gnutls_x509_crt_get_mpis (gnutls_x509_crt_t cert, - gnutls_pk_params_st * params) +_gnutls_x509_crt_get_mpis(gnutls_x509_crt_t cert, + gnutls_pk_params_st * params) { - /* Read the algorithm's OID - */ - return _gnutls_get_asn_mpis (cert->cert, - "tbsCertificate.subjectPublicKeyInfo", params); + /* Read the algorithm's OID + */ + return _gnutls_get_asn_mpis(cert->cert, + "tbsCertificate.subjectPublicKeyInfo", + params); } /* Extracts DSA and RSA parameters from a certificate. */ int -_gnutls_x509_crq_get_mpis (gnutls_x509_crq_t cert, - gnutls_pk_params_st* params) +_gnutls_x509_crq_get_mpis(gnutls_x509_crq_t cert, + gnutls_pk_params_st * params) { - /* Read the algorithm's OID - */ - return _gnutls_get_asn_mpis (cert->crq, - "certificationRequestInfo.subjectPKInfo", - params); + /* Read the algorithm's OID + */ + return _gnutls_get_asn_mpis(cert->crq, + "certificationRequestInfo.subjectPKInfo", + params); } /* @@ -178,55 +172,53 @@ _gnutls_x509_crq_get_mpis (gnutls_x509_crq_t cert, * This is the "signatureAlgorithm" fields. */ int -_gnutls_x509_write_sig_params (ASN1_TYPE dst, const char *dst_name, - gnutls_pk_algorithm_t pk_algorithm, - gnutls_digest_algorithm_t dig) +_gnutls_x509_write_sig_params(ASN1_TYPE dst, const char *dst_name, + gnutls_pk_algorithm_t pk_algorithm, + gnutls_digest_algorithm_t dig) { - int result; - char name[128]; - const char *pk; - - _gnutls_str_cpy (name, sizeof (name), dst_name); - _gnutls_str_cat (name, sizeof (name), ".algorithm"); - - pk = _gnutls_x509_sign_to_oid (pk_algorithm, dig); - if (pk == NULL) - { - gnutls_assert (); - _gnutls_debug_log - ("Cannot find OID for sign algorithm pk: %d dig: %d\n", - (int) pk_algorithm, (int) dig); - return GNUTLS_E_INVALID_REQUEST; - } - - /* write the OID. - */ - result = asn1_write_value (dst, name, pk, 1); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - - _gnutls_str_cpy (name, sizeof (name), dst_name); - _gnutls_str_cat (name, sizeof (name), ".parameters"); - - if (pk_algorithm == GNUTLS_PK_RSA) - result = asn1_write_value (dst, name, ASN1_NULL, ASN1_NULL_SIZE); - else - result = asn1_write_value (dst, name, NULL, 0); - - if (result != ASN1_SUCCESS && result != ASN1_ELEMENT_NOT_FOUND) - { - /* Here we ignore the element not found error, since this - * may have been disabled before. - */ - gnutls_assert (); - return _gnutls_asn2err (result); - } - - return 0; + int result; + char name[128]; + const char *pk; + + _gnutls_str_cpy(name, sizeof(name), dst_name); + _gnutls_str_cat(name, sizeof(name), ".algorithm"); + + pk = _gnutls_x509_sign_to_oid(pk_algorithm, dig); + if (pk == NULL) { + gnutls_assert(); + _gnutls_debug_log + ("Cannot find OID for sign algorithm pk: %d dig: %d\n", + (int) pk_algorithm, (int) dig); + return GNUTLS_E_INVALID_REQUEST; + } + + /* write the OID. + */ + result = asn1_write_value(dst, name, pk, 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + + _gnutls_str_cpy(name, sizeof(name), dst_name); + _gnutls_str_cat(name, sizeof(name), ".parameters"); + + if (pk_algorithm == GNUTLS_PK_RSA) + result = + asn1_write_value(dst, name, ASN1_NULL, ASN1_NULL_SIZE); + else + result = asn1_write_value(dst, name, NULL, 0); + + if (result != ASN1_SUCCESS && result != ASN1_ELEMENT_NOT_FOUND) { + /* Here we ignore the element not found error, since this + * may have been disabled before. + */ + gnutls_assert(); + return _gnutls_asn2err(result); + } + + return 0; } /* this function reads a (small) unsigned integer @@ -234,72 +226,68 @@ _gnutls_x509_write_sig_params (ASN1_TYPE dst, const char *dst_name, * steps. */ int -_gnutls_x509_read_uint (ASN1_TYPE node, const char *value, unsigned int *ret) +_gnutls_x509_read_uint(ASN1_TYPE node, const char *value, + unsigned int *ret) { - int len, result; - uint8_t *tmpstr; - - len = 0; - result = asn1_read_value (node, value, NULL, &len); - if (result != ASN1_MEM_ERROR) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - tmpstr = gnutls_malloc (len); - if (tmpstr == NULL) - { - gnutls_assert (); - return GNUTLS_E_MEMORY_ERROR; - } - - result = asn1_read_value (node, value, tmpstr, &len); - - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - gnutls_free (tmpstr); - return _gnutls_asn2err (result); - } - - if (len == 1) - *ret = tmpstr[0]; - else if (len == 2) - *ret = _gnutls_read_uint16 (tmpstr); - else if (len == 3) - *ret = _gnutls_read_uint24 (tmpstr); - else if (len == 4) - *ret = _gnutls_read_uint32 (tmpstr); - else - { - gnutls_assert (); - gnutls_free (tmpstr); - return GNUTLS_E_INTERNAL_ERROR; - } - - gnutls_free (tmpstr); - - return 0; + int len, result; + uint8_t *tmpstr; + + len = 0; + result = asn1_read_value(node, value, NULL, &len); + if (result != ASN1_MEM_ERROR) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + tmpstr = gnutls_malloc(len); + if (tmpstr == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + result = asn1_read_value(node, value, tmpstr, &len); + + if (result != ASN1_SUCCESS) { + gnutls_assert(); + gnutls_free(tmpstr); + return _gnutls_asn2err(result); + } + + if (len == 1) + *ret = tmpstr[0]; + else if (len == 2) + *ret = _gnutls_read_uint16(tmpstr); + else if (len == 3) + *ret = _gnutls_read_uint24(tmpstr); + else if (len == 4) + *ret = _gnutls_read_uint32(tmpstr); + else { + gnutls_assert(); + gnutls_free(tmpstr); + return GNUTLS_E_INTERNAL_ERROR; + } + + gnutls_free(tmpstr); + + return 0; } /* Writes the specified integer into the specified node. */ int -_gnutls_x509_write_uint32 (ASN1_TYPE node, const char *value, uint32_t num) +_gnutls_x509_write_uint32(ASN1_TYPE node, const char *value, uint32_t num) { - uint8_t tmpstr[4]; - int result; + uint8_t tmpstr[4]; + int result; - _gnutls_write_uint32 (num, tmpstr); + _gnutls_write_uint32(num, tmpstr); - result = asn1_write_value (node, value, tmpstr, 4); + result = asn1_write_value(node, value, tmpstr, 4); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } - return 0; + return 0; } diff --git a/lib/x509/ocsp.c b/lib/x509/ocsp.c index d7186b475c..4e6adf850c 100644 --- a/lib/x509/ocsp.c +++ b/lib/x509/ocsp.c @@ -33,16 +33,14 @@ #include <gnutls/ocsp.h> #include <auth/cert.h> -typedef struct gnutls_ocsp_req_int -{ - ASN1_TYPE req; +typedef struct gnutls_ocsp_req_int { + ASN1_TYPE req; } gnutls_ocsp_req_int; -typedef struct gnutls_ocsp_resp_int -{ - ASN1_TYPE resp; - gnutls_datum_t response_type_oid; - ASN1_TYPE basicresp; +typedef struct gnutls_ocsp_resp_int { + ASN1_TYPE resp; + gnutls_datum_t response_type_oid; + ASN1_TYPE basicresp; } gnutls_ocsp_resp_int; #define MAX_TIME 64 @@ -56,27 +54,26 @@ typedef struct gnutls_ocsp_resp_int * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a * negative error value. **/ -int -gnutls_ocsp_req_init (gnutls_ocsp_req_t * req) +int gnutls_ocsp_req_init(gnutls_ocsp_req_t * req) { - gnutls_ocsp_req_t tmp = gnutls_calloc (1, sizeof (gnutls_ocsp_req_int)); - int ret; - - if (!tmp) - return GNUTLS_E_MEMORY_ERROR; - - ret = asn1_create_element (_gnutls_get_pkix (), "PKIX1.OCSPRequest", - &tmp->req); - if (ret != ASN1_SUCCESS) - { - gnutls_assert (); - gnutls_free (tmp); - return _gnutls_asn2err (ret); - } + gnutls_ocsp_req_t tmp = + gnutls_calloc(1, sizeof(gnutls_ocsp_req_int)); + int ret; + + if (!tmp) + return GNUTLS_E_MEMORY_ERROR; + + ret = asn1_create_element(_gnutls_get_pkix(), "PKIX1.OCSPRequest", + &tmp->req); + if (ret != ASN1_SUCCESS) { + gnutls_assert(); + gnutls_free(tmp); + return _gnutls_asn2err(ret); + } - *req = tmp; + *req = tmp; - return GNUTLS_E_SUCCESS; + return GNUTLS_E_SUCCESS; } /** @@ -85,18 +82,17 @@ gnutls_ocsp_req_init (gnutls_ocsp_req_t * req) * * This function will deinitialize a OCSP request structure. **/ -void -gnutls_ocsp_req_deinit (gnutls_ocsp_req_t req) +void gnutls_ocsp_req_deinit(gnutls_ocsp_req_t req) { - if (!req) - return; + if (!req) + return; - if (req->req) - asn1_delete_structure (&req->req); + if (req->req) + asn1_delete_structure(&req->req); - req->req = NULL; + req->req = NULL; - gnutls_free (req); + gnutls_free(req); } /** @@ -108,37 +104,36 @@ gnutls_ocsp_req_deinit (gnutls_ocsp_req_t req) * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a * negative error value. **/ -int -gnutls_ocsp_resp_init (gnutls_ocsp_resp_t * resp) +int gnutls_ocsp_resp_init(gnutls_ocsp_resp_t * resp) { - gnutls_ocsp_resp_t tmp = gnutls_calloc (1, sizeof (gnutls_ocsp_resp_int)); - int ret; - - if (!tmp) - return GNUTLS_E_MEMORY_ERROR; - - ret = asn1_create_element (_gnutls_get_pkix (), - "PKIX1.OCSPResponse", &tmp->resp); - if (ret != ASN1_SUCCESS) - { - gnutls_assert (); - gnutls_free (tmp); - return _gnutls_asn2err (ret); - } - - ret = asn1_create_element (_gnutls_get_pkix (), - "PKIX1.BasicOCSPResponse", &tmp->basicresp); - if (ret != ASN1_SUCCESS) - { - gnutls_assert (); - asn1_delete_structure (&tmp->resp); - gnutls_free (tmp); - return _gnutls_asn2err (ret); - } - - *resp = tmp; - - return GNUTLS_E_SUCCESS; + gnutls_ocsp_resp_t tmp = + gnutls_calloc(1, sizeof(gnutls_ocsp_resp_int)); + int ret; + + if (!tmp) + return GNUTLS_E_MEMORY_ERROR; + + ret = asn1_create_element(_gnutls_get_pkix(), + "PKIX1.OCSPResponse", &tmp->resp); + if (ret != ASN1_SUCCESS) { + gnutls_assert(); + gnutls_free(tmp); + return _gnutls_asn2err(ret); + } + + ret = asn1_create_element(_gnutls_get_pkix(), + "PKIX1.BasicOCSPResponse", + &tmp->basicresp); + if (ret != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(&tmp->resp); + gnutls_free(tmp); + return _gnutls_asn2err(ret); + } + + *resp = tmp; + + return GNUTLS_E_SUCCESS; } /** @@ -147,23 +142,22 @@ gnutls_ocsp_resp_init (gnutls_ocsp_resp_t * resp) * * This function will deinitialize a OCSP response structure. **/ -void -gnutls_ocsp_resp_deinit (gnutls_ocsp_resp_t resp) +void gnutls_ocsp_resp_deinit(gnutls_ocsp_resp_t resp) { - if (!resp) - return; + if (!resp) + return; - if (resp->resp) - asn1_delete_structure (&resp->resp); - gnutls_free (resp->response_type_oid.data); - if (resp->basicresp) - asn1_delete_structure (&resp->basicresp); + if (resp->resp) + asn1_delete_structure(&resp->resp); + gnutls_free(resp->response_type_oid.data); + if (resp->basicresp) + asn1_delete_structure(&resp->basicresp); - resp->resp = NULL; - resp->response_type_oid.data = NULL; - resp->basicresp = NULL; + resp->resp = NULL; + resp->response_type_oid.data = NULL; + resp->basicresp = NULL; - gnutls_free (resp); + gnutls_free(resp); } /** @@ -179,41 +173,36 @@ gnutls_ocsp_resp_deinit (gnutls_ocsp_resp_t resp) * negative error value. **/ int -gnutls_ocsp_req_import (gnutls_ocsp_req_t req, - const gnutls_datum_t * data) +gnutls_ocsp_req_import(gnutls_ocsp_req_t req, const gnutls_datum_t * data) { - int ret = 0; - - if (req == NULL || data == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - if (req->req) - { - /* Any earlier asn1_der_decoding will modify the ASN.1 - structure, so we need to replace it with a fresh - structure. */ - asn1_delete_structure (&req->req); - - ret = asn1_create_element (_gnutls_get_pkix (), - "PKIX1.OCSPRequest", &req->req); - if (ret != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (ret); - } - } - - ret = asn1_der_decoding (&req->req, data->data, data->size, NULL); - if (ret != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (ret); - } - - return GNUTLS_E_SUCCESS; + int ret = 0; + + if (req == NULL || data == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + if (req->req) { + /* Any earlier asn1_der_decoding will modify the ASN.1 + structure, so we need to replace it with a fresh + structure. */ + asn1_delete_structure(&req->req); + + ret = asn1_create_element(_gnutls_get_pkix(), + "PKIX1.OCSPRequest", &req->req); + if (ret != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(ret); + } + } + + ret = asn1_der_decoding(&req->req, data->data, data->size, NULL); + if (ret != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(ret); + } + + return GNUTLS_E_SUCCESS; } /** @@ -229,118 +218,111 @@ gnutls_ocsp_req_import (gnutls_ocsp_req_t req, * negative error value. **/ int -gnutls_ocsp_resp_import (gnutls_ocsp_resp_t resp, - const gnutls_datum_t * data) +gnutls_ocsp_resp_import(gnutls_ocsp_resp_t resp, + const gnutls_datum_t * data) { - int ret = 0; - - if (resp == NULL || data == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - if (resp->resp) - { - /* Any earlier asn1_der_decoding will modify the ASN.1 - structure, so we need to replace it with a fresh - structure. */ - asn1_delete_structure (&resp->resp); - - ret = asn1_create_element (_gnutls_get_pkix (), - "PKIX1.OCSPResponse", &resp->resp); - if (ret != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (ret); - } - } - - ret = asn1_der_decoding (&resp->resp, data->data, data->size, NULL); - if (ret != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (ret); - } - - if (gnutls_ocsp_resp_get_status (resp) != GNUTLS_OCSP_RESP_SUCCESSFUL) - return GNUTLS_E_SUCCESS; - - ret = _gnutls_x509_read_value (resp->resp, "responseBytes.responseType", - &resp->response_type_oid); - if (ret < 0) - { - gnutls_assert (); - return ret; - } + int ret = 0; + if (resp == NULL || data == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + if (resp->resp) { + /* Any earlier asn1_der_decoding will modify the ASN.1 + structure, so we need to replace it with a fresh + structure. */ + asn1_delete_structure(&resp->resp); + + ret = asn1_create_element(_gnutls_get_pkix(), + "PKIX1.OCSPResponse", + &resp->resp); + if (ret != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(ret); + } + } + + ret = asn1_der_decoding(&resp->resp, data->data, data->size, NULL); + if (ret != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(ret); + } + + if (gnutls_ocsp_resp_get_status(resp) != + GNUTLS_OCSP_RESP_SUCCESSFUL) + return GNUTLS_E_SUCCESS; + + ret = + _gnutls_x509_read_value(resp->resp, + "responseBytes.responseType", + &resp->response_type_oid); + if (ret < 0) { + gnutls_assert(); + return ret; + } #define OCSP_BASIC "1.3.6.1.5.5.7.48.1.1" - if (resp->response_type_oid.size == sizeof (OCSP_BASIC) - && memcmp (resp->response_type_oid.data, OCSP_BASIC, - resp->response_type_oid.size) == 0) - { - gnutls_datum_t d; - - if (resp->basicresp) - { - asn1_delete_structure (&resp->basicresp); - - ret = asn1_create_element (_gnutls_get_pkix (), - "PKIX1.BasicOCSPResponse", &resp->basicresp); - if (ret != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (ret); - } - } - - ret = _gnutls_x509_read_value (resp->resp, "responseBytes.response", - &d); - if (ret < 0) - { - gnutls_assert (); - return ret; - } - - ret = asn1_der_decoding (&resp->basicresp, d.data, d.size, NULL); - gnutls_free (d.data); - if (ret != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (ret); - } - } - else - resp->basicresp = NULL; - - return GNUTLS_E_SUCCESS; + if (resp->response_type_oid.size == sizeof(OCSP_BASIC) + && memcmp(resp->response_type_oid.data, OCSP_BASIC, + resp->response_type_oid.size) == 0) { + gnutls_datum_t d; + + if (resp->basicresp) { + asn1_delete_structure(&resp->basicresp); + + ret = asn1_create_element(_gnutls_get_pkix(), + "PKIX1.BasicOCSPResponse", + &resp->basicresp); + if (ret != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(ret); + } + } + + ret = + _gnutls_x509_read_value(resp->resp, + "responseBytes.response", &d); + if (ret < 0) { + gnutls_assert(); + return ret; + } + + ret = + asn1_der_decoding(&resp->basicresp, d.data, d.size, + NULL); + gnutls_free(d.data); + if (ret != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(ret); + } + } else + resp->basicresp = NULL; + + return GNUTLS_E_SUCCESS; } -static int -export (ASN1_TYPE node, const char *name, gnutls_datum_t * data) +static int export(ASN1_TYPE node, const char *name, gnutls_datum_t * data) { - int ret; - int len = 0; - - ret = asn1_der_coding (node, name, NULL, &len, NULL); - if (ret != ASN1_MEM_ERROR) - { - gnutls_assert (); - return _gnutls_asn2err (ret); - } - data->size = len; - data->data = gnutls_malloc (len); - if (data->data == NULL) - return GNUTLS_E_MEMORY_ERROR; - ret = asn1_der_coding (node, name, data->data, &len, NULL); - if (ret != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (ret); - } - - return GNUTLS_E_SUCCESS; + int ret; + int len = 0; + + ret = asn1_der_coding(node, name, NULL, &len, NULL); + if (ret != ASN1_MEM_ERROR) { + gnutls_assert(); + return _gnutls_asn2err(ret); + } + data->size = len; + data->data = gnutls_malloc(len); + if (data->data == NULL) + return GNUTLS_E_MEMORY_ERROR; + ret = asn1_der_coding(node, name, data->data, &len, NULL); + if (ret != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(ret); + } + + return GNUTLS_E_SUCCESS; } /** @@ -353,27 +335,26 @@ export (ASN1_TYPE node, const char *name, gnutls_datum_t * data) * Returns: In case of failure a negative error code will be * returned, and 0 on success. **/ -int -gnutls_ocsp_req_export (gnutls_ocsp_req_t req, gnutls_datum_t * data) +int gnutls_ocsp_req_export(gnutls_ocsp_req_t req, gnutls_datum_t * data) { - int ret; + int ret; - if (req == NULL || data == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } + if (req == NULL || data == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - /* XXX remove when we support these fields */ - asn1_write_value (req->req, "tbsRequest.requestorName", NULL, 0); - asn1_write_value (req->req, "optionalSignature", NULL, 0); + /* XXX remove when we support these fields */ + asn1_write_value(req->req, "tbsRequest.requestorName", NULL, 0); + asn1_write_value(req->req, "optionalSignature", NULL, 0); - /* prune extension field if we don't have any extension */ - ret = gnutls_ocsp_req_get_extension (req, 0, NULL, NULL, NULL); - if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) - asn1_write_value (req->req, "tbsRequest.requestExtensions", NULL, 0); + /* prune extension field if we don't have any extension */ + ret = gnutls_ocsp_req_get_extension(req, 0, NULL, NULL, NULL); + if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) + asn1_write_value(req->req, "tbsRequest.requestExtensions", + NULL, 0); - return export (req->req, "", data); + return export(req->req, "", data); } /** @@ -386,16 +367,14 @@ gnutls_ocsp_req_export (gnutls_ocsp_req_t req, gnutls_datum_t * data) * Returns: In case of failure a negative error code will be * returned, and 0 on success. **/ -int -gnutls_ocsp_resp_export (gnutls_ocsp_resp_t resp, gnutls_datum_t * data) +int gnutls_ocsp_resp_export(gnutls_ocsp_resp_t resp, gnutls_datum_t * data) { - if (resp == NULL || data == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } + if (resp == NULL || data == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - return export (resp->resp, "", data); + return export(resp->resp, "", data); } /** @@ -407,29 +386,27 @@ gnutls_ocsp_resp_export (gnutls_ocsp_resp_t resp, gnutls_datum_t * data) * * Returns: version of OCSP request, or a negative error code on error. **/ -int -gnutls_ocsp_req_get_version (gnutls_ocsp_req_t req) +int gnutls_ocsp_req_get_version(gnutls_ocsp_req_t req) { - uint8_t version[8]; - int len, ret; - - if (req == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - len = sizeof (version); - ret = asn1_read_value (req->req, "tbsRequest.version", version, &len); - if (ret != ASN1_SUCCESS) - { - if (ret == ASN1_ELEMENT_NOT_FOUND) - return 1; /* the DEFAULT version */ - gnutls_assert (); - return _gnutls_asn2err (ret); - } - - return (int) version[0] + 1; + uint8_t version[8]; + int len, ret; + + if (req == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + len = sizeof(version); + ret = + asn1_read_value(req->req, "tbsRequest.version", version, &len); + if (ret != ASN1_SUCCESS) { + if (ret == ASN1_ELEMENT_NOT_FOUND) + return 1; /* the DEFAULT version */ + gnutls_assert(); + return _gnutls_asn2err(ret); + } + + return (int) version[0] + 1; } /** @@ -462,89 +439,88 @@ gnutls_ocsp_req_get_version (gnutls_ocsp_req_t req) * returned. **/ int -gnutls_ocsp_req_get_cert_id (gnutls_ocsp_req_t req, - unsigned indx, - gnutls_digest_algorithm_t *digest, - gnutls_datum_t *issuer_name_hash, - gnutls_datum_t *issuer_key_hash, - gnutls_datum_t *serial_number) +gnutls_ocsp_req_get_cert_id(gnutls_ocsp_req_t req, + unsigned indx, + gnutls_digest_algorithm_t * digest, + gnutls_datum_t * issuer_name_hash, + gnutls_datum_t * issuer_key_hash, + gnutls_datum_t * serial_number) { - gnutls_datum_t sa; - char name[ASN1_MAX_NAME_SIZE]; - int ret; - - if (req == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - snprintf (name, sizeof (name), - "tbsRequest.requestList.?%u.reqCert.hashAlgorithm.algorithm", - indx + 1); - ret = _gnutls_x509_read_value (req->req, name, &sa); - if (ret == GNUTLS_E_ASN1_ELEMENT_NOT_FOUND) - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - else if (ret < 0) - { - gnutls_assert (); - return ret; - } - - ret = _gnutls_x509_oid_to_digest ((char*)sa.data); - _gnutls_free_datum (&sa); - if (ret < 0) - { - gnutls_assert (); - return ret; - } - - if (digest) - *digest = ret; - - if (issuer_name_hash) - { - snprintf (name, sizeof (name), - "tbsRequest.requestList.?%u.reqCert.issuerNameHash", indx + 1); - ret = _gnutls_x509_read_value (req->req, name, issuer_name_hash); - if (ret != GNUTLS_E_SUCCESS) - { - gnutls_assert (); - return ret; - } - } - - if (issuer_key_hash) - { - snprintf (name, sizeof (name), - "tbsRequest.requestList.?%u.reqCert.issuerKeyHash", indx + 1); - ret = _gnutls_x509_read_value (req->req, name, issuer_key_hash); - if (ret != GNUTLS_E_SUCCESS) - { - gnutls_assert (); - if (issuer_name_hash) - gnutls_free (issuer_name_hash->data); - return ret; - } - } - - if (serial_number) - { - snprintf (name, sizeof (name), - "tbsRequest.requestList.?%u.reqCert.serialNumber", indx + 1); - ret = _gnutls_x509_read_value (req->req, name, serial_number); - if (ret != GNUTLS_E_SUCCESS) - { - gnutls_assert (); - if (issuer_name_hash) - gnutls_free (issuer_name_hash->data); - if (issuer_key_hash) - gnutls_free (issuer_key_hash->data); - return ret; - } - } - - return GNUTLS_E_SUCCESS; + gnutls_datum_t sa; + char name[ASN1_MAX_NAME_SIZE]; + int ret; + + if (req == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + snprintf(name, sizeof(name), + "tbsRequest.requestList.?%u.reqCert.hashAlgorithm.algorithm", + indx + 1); + ret = _gnutls_x509_read_value(req->req, name, &sa); + if (ret == GNUTLS_E_ASN1_ELEMENT_NOT_FOUND) + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + else if (ret < 0) { + gnutls_assert(); + return ret; + } + + ret = _gnutls_x509_oid_to_digest((char *) sa.data); + _gnutls_free_datum(&sa); + if (ret < 0) { + gnutls_assert(); + return ret; + } + + if (digest) + *digest = ret; + + if (issuer_name_hash) { + snprintf(name, sizeof(name), + "tbsRequest.requestList.?%u.reqCert.issuerNameHash", + indx + 1); + ret = + _gnutls_x509_read_value(req->req, name, + issuer_name_hash); + if (ret != GNUTLS_E_SUCCESS) { + gnutls_assert(); + return ret; + } + } + + if (issuer_key_hash) { + snprintf(name, sizeof(name), + "tbsRequest.requestList.?%u.reqCert.issuerKeyHash", + indx + 1); + ret = + _gnutls_x509_read_value(req->req, name, + issuer_key_hash); + if (ret != GNUTLS_E_SUCCESS) { + gnutls_assert(); + if (issuer_name_hash) + gnutls_free(issuer_name_hash->data); + return ret; + } + } + + if (serial_number) { + snprintf(name, sizeof(name), + "tbsRequest.requestList.?%u.reqCert.serialNumber", + indx + 1); + ret = + _gnutls_x509_read_value(req->req, name, serial_number); + if (ret != GNUTLS_E_SUCCESS) { + gnutls_assert(); + if (issuer_name_hash) + gnutls_free(issuer_name_hash->data); + if (issuer_key_hash) + gnutls_free(issuer_key_hash->data); + return ret; + } + } + + return GNUTLS_E_SUCCESS; } /** @@ -574,93 +550,90 @@ gnutls_ocsp_req_get_cert_id (gnutls_ocsp_req_t req, * negative error code is returned. **/ int -gnutls_ocsp_req_add_cert_id (gnutls_ocsp_req_t req, - gnutls_digest_algorithm_t digest, - const gnutls_datum_t *issuer_name_hash, - const gnutls_datum_t *issuer_key_hash, - const gnutls_datum_t *serial_number) +gnutls_ocsp_req_add_cert_id(gnutls_ocsp_req_t req, + gnutls_digest_algorithm_t digest, + const gnutls_datum_t * issuer_name_hash, + const gnutls_datum_t * issuer_key_hash, + const gnutls_datum_t * serial_number) { - int result; - const char *oid; - - if (req == NULL || issuer_name_hash == NULL - || issuer_key_hash == NULL || serial_number == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - oid = _gnutls_x509_digest_to_oid (mac_to_entry(digest)); - if (oid == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - result = asn1_write_value (req->req, "tbsRequest.requestList", "NEW", 1); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - result = asn1_write_value - (req->req, "tbsRequest.requestList.?LAST.reqCert.hashAlgorithm.algorithm", - oid, 1); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - /* XXX we don't support any algorithm with parameters */ - result = asn1_write_value - (req->req, "tbsRequest.requestList.?LAST.reqCert.hashAlgorithm.parameters", - ASN1_NULL, ASN1_NULL_SIZE); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - result = asn1_write_value - (req->req, "tbsRequest.requestList.?LAST.reqCert.issuerNameHash", - issuer_name_hash->data, issuer_name_hash->size); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - result = asn1_write_value - (req->req, "tbsRequest.requestList.?LAST.reqCert.issuerKeyHash", - issuer_key_hash->data, issuer_key_hash->size); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - result = asn1_write_value - (req->req, "tbsRequest.requestList.?LAST.reqCert.serialNumber", - serial_number->data, serial_number->size); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - /* XXX add separate function that can add extensions too */ - result = asn1_write_value - (req->req, "tbsRequest.requestList.?LAST.singleRequestExtensions", - NULL, 0); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - return GNUTLS_E_SUCCESS; + int result; + const char *oid; + + if (req == NULL || issuer_name_hash == NULL + || issuer_key_hash == NULL || serial_number == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + oid = _gnutls_x509_digest_to_oid(mac_to_entry(digest)); + if (oid == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + result = + asn1_write_value(req->req, "tbsRequest.requestList", "NEW", 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + result = asn1_write_value + (req->req, + "tbsRequest.requestList.?LAST.reqCert.hashAlgorithm.algorithm", + oid, 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + /* XXX we don't support any algorithm with parameters */ + result = asn1_write_value + (req->req, + "tbsRequest.requestList.?LAST.reqCert.hashAlgorithm.parameters", + ASN1_NULL, ASN1_NULL_SIZE); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + result = asn1_write_value + (req->req, + "tbsRequest.requestList.?LAST.reqCert.issuerNameHash", + issuer_name_hash->data, issuer_name_hash->size); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + result = asn1_write_value + (req->req, + "tbsRequest.requestList.?LAST.reqCert.issuerKeyHash", + issuer_key_hash->data, issuer_key_hash->size); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + result = asn1_write_value + (req->req, "tbsRequest.requestList.?LAST.reqCert.serialNumber", + serial_number->data, serial_number->size); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + /* XXX add separate function that can add extensions too */ + result = asn1_write_value + (req->req, + "tbsRequest.requestList.?LAST.singleRequestExtensions", NULL, + 0); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + return GNUTLS_E_SUCCESS; } /** @@ -681,79 +654,72 @@ gnutls_ocsp_req_add_cert_id (gnutls_ocsp_req_t req, * negative error code is returned. **/ int -gnutls_ocsp_req_add_cert (gnutls_ocsp_req_t req, - gnutls_digest_algorithm_t digest, - gnutls_x509_crt_t issuer, - gnutls_x509_crt_t cert) +gnutls_ocsp_req_add_cert(gnutls_ocsp_req_t req, + gnutls_digest_algorithm_t digest, + gnutls_x509_crt_t issuer, gnutls_x509_crt_t cert) { - int ret; - gnutls_datum_t sn, tmp, inh, ikh; - uint8_t inh_buf[MAX_HASH_SIZE]; - uint8_t ikh_buf[MAX_HASH_SIZE]; - size_t inhlen = MAX_HASH_SIZE; - size_t ikhlen = MAX_HASH_SIZE; - - if (req == NULL || issuer == NULL || cert == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - ret = _gnutls_x509_der_encode (cert->cert, - "tbsCertificate.issuer.rdnSequence", - &tmp, 0); - if (ret != GNUTLS_E_SUCCESS) - { - gnutls_assert (); - return ret; - } - - ret = gnutls_fingerprint (digest, &tmp, inh_buf, &inhlen); - gnutls_free (tmp.data); - if (ret != GNUTLS_E_SUCCESS) - { - gnutls_assert (); - return ret; - } - inh.size = inhlen; - inh.data = inh_buf; - - ret = _gnutls_x509_read_value - (issuer->cert, "tbsCertificate.subjectPublicKeyInfo.subjectPublicKey", - &tmp); - if (ret != GNUTLS_E_SUCCESS) - { - gnutls_assert (); - return ret; - } - - ret = gnutls_fingerprint (digest, &tmp, ikh_buf, &ikhlen); - gnutls_free (tmp.data); - if (ret != GNUTLS_E_SUCCESS) - { - gnutls_assert (); - return ret; - } - ikh.size = ikhlen; - ikh.data = ikh_buf; - - ret = _gnutls_x509_read_value (cert->cert, "tbsCertificate.serialNumber", - &sn); - if (ret != GNUTLS_E_SUCCESS) - { - gnutls_assert (); - return ret; - } - - ret = gnutls_ocsp_req_add_cert_id (req, digest, &inh, &ikh, &sn); - gnutls_free (sn.data); - if (ret != GNUTLS_E_SUCCESS) - { - gnutls_assert (); - return ret; - } - - return GNUTLS_E_SUCCESS; + int ret; + gnutls_datum_t sn, tmp, inh, ikh; + uint8_t inh_buf[MAX_HASH_SIZE]; + uint8_t ikh_buf[MAX_HASH_SIZE]; + size_t inhlen = MAX_HASH_SIZE; + size_t ikhlen = MAX_HASH_SIZE; + + if (req == NULL || issuer == NULL || cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + ret = _gnutls_x509_der_encode(cert->cert, + "tbsCertificate.issuer.rdnSequence", + &tmp, 0); + if (ret != GNUTLS_E_SUCCESS) { + gnutls_assert(); + return ret; + } + + ret = gnutls_fingerprint(digest, &tmp, inh_buf, &inhlen); + gnutls_free(tmp.data); + if (ret != GNUTLS_E_SUCCESS) { + gnutls_assert(); + return ret; + } + inh.size = inhlen; + inh.data = inh_buf; + + ret = _gnutls_x509_read_value + (issuer->cert, + "tbsCertificate.subjectPublicKeyInfo.subjectPublicKey", &tmp); + if (ret != GNUTLS_E_SUCCESS) { + gnutls_assert(); + return ret; + } + + ret = gnutls_fingerprint(digest, &tmp, ikh_buf, &ikhlen); + gnutls_free(tmp.data); + if (ret != GNUTLS_E_SUCCESS) { + gnutls_assert(); + return ret; + } + ikh.size = ikhlen; + ikh.data = ikh_buf; + + ret = + _gnutls_x509_read_value(cert->cert, + "tbsCertificate.serialNumber", &sn); + if (ret != GNUTLS_E_SUCCESS) { + gnutls_assert(); + return ret; + } + + ret = gnutls_ocsp_req_add_cert_id(req, digest, &inh, &ikh, &sn); + gnutls_free(sn.data); + if (ret != GNUTLS_E_SUCCESS) { + gnutls_assert(); + return ret; + } + + return GNUTLS_E_SUCCESS; } /** @@ -780,70 +746,65 @@ gnutls_ocsp_req_add_cert (gnutls_ocsp_req_t req, * be returned. **/ int -gnutls_ocsp_req_get_extension (gnutls_ocsp_req_t req, - unsigned indx, - gnutls_datum_t *oid, - unsigned int *critical, - gnutls_datum_t *data) +gnutls_ocsp_req_get_extension(gnutls_ocsp_req_t req, + unsigned indx, + gnutls_datum_t * oid, + unsigned int *critical, + gnutls_datum_t * data) { - int ret; - char str_critical[10]; - char name[ASN1_MAX_NAME_SIZE]; - int len; - - if (!req) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - snprintf (name, sizeof (name), "tbsRequest.requestExtensions.?%u.critical", - indx + 1); - len = sizeof (str_critical); - ret = asn1_read_value (req->req, name, str_critical, &len); - if (ret == ASN1_ELEMENT_NOT_FOUND) - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - else if (ret != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (ret); - } - - if (critical) - { - if (str_critical[0] == 'T') - *critical = 1; - else - *critical = 0; - } - - if (oid) - { - snprintf (name, sizeof (name), - "tbsRequest.requestExtensions.?%u.extnID", indx + 1); - ret = _gnutls_x509_read_value (req->req, name, oid); - if (ret != GNUTLS_E_SUCCESS) - { - gnutls_assert (); - return ret; - } - } - - if (data) - { - snprintf (name, sizeof (name), - "tbsRequest.requestExtensions.?%u.extnValue", indx + 1); - ret = _gnutls_x509_read_value (req->req, name, data); - if (ret != GNUTLS_E_SUCCESS) - { - gnutls_assert (); - if (oid) - gnutls_free (oid->data); - return ret; - } - } - - return GNUTLS_E_SUCCESS; + int ret; + char str_critical[10]; + char name[ASN1_MAX_NAME_SIZE]; + int len; + + if (!req) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + snprintf(name, sizeof(name), + "tbsRequest.requestExtensions.?%u.critical", indx + 1); + len = sizeof(str_critical); + ret = asn1_read_value(req->req, name, str_critical, &len); + if (ret == ASN1_ELEMENT_NOT_FOUND) + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + else if (ret != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(ret); + } + + if (critical) { + if (str_critical[0] == 'T') + *critical = 1; + else + *critical = 0; + } + + if (oid) { + snprintf(name, sizeof(name), + "tbsRequest.requestExtensions.?%u.extnID", + indx + 1); + ret = _gnutls_x509_read_value(req->req, name, oid); + if (ret != GNUTLS_E_SUCCESS) { + gnutls_assert(); + return ret; + } + } + + if (data) { + snprintf(name, sizeof(name), + "tbsRequest.requestExtensions.?%u.extnValue", + indx + 1); + ret = _gnutls_x509_read_value(req->req, name, data); + if (ret != GNUTLS_E_SUCCESS) { + gnutls_assert(); + if (oid) + gnutls_free(oid->data); + return ret; + } + } + + return GNUTLS_E_SUCCESS; } /** @@ -861,19 +822,18 @@ gnutls_ocsp_req_get_extension (gnutls_ocsp_req_t req, * negative error code is returned. **/ int -gnutls_ocsp_req_set_extension (gnutls_ocsp_req_t req, - const char *oid, - unsigned int critical, - const gnutls_datum_t *data) +gnutls_ocsp_req_set_extension(gnutls_ocsp_req_t req, + const char *oid, + unsigned int critical, + const gnutls_datum_t * data) { - if (req == NULL || oid == NULL || data == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - return set_extension (req->req, "tbsRequest.requestExtensions", oid, - data, critical); + if (req == NULL || oid == NULL || data == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + return set_extension(req->req, "tbsRequest.requestExtensions", oid, + data, critical); } /** @@ -891,40 +851,36 @@ gnutls_ocsp_req_set_extension (gnutls_ocsp_req_t req, * negative error code is returned. **/ int -gnutls_ocsp_req_get_nonce (gnutls_ocsp_req_t req, - unsigned int *critical, - gnutls_datum_t *nonce) +gnutls_ocsp_req_get_nonce(gnutls_ocsp_req_t req, + unsigned int *critical, gnutls_datum_t * nonce) { - int ret; - gnutls_datum_t tmp; - - if (req == NULL || nonce == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - ret = get_extension (req->req, "tbsRequest.requestExtensions", - GNUTLS_OCSP_NONCE, 0, - &tmp, critical); - if (ret != GNUTLS_E_SUCCESS) - { - gnutls_assert (); - return ret; - } - - ret = _gnutls_x509_decode_string (ASN1_ETYPE_OCTET_STRING, tmp.data, (size_t) tmp.size, - nonce); - if (ret < 0) - { - gnutls_assert (); - gnutls_free (tmp.data); - return ret; - } - - gnutls_free (tmp.data); - - return GNUTLS_E_SUCCESS; + int ret; + gnutls_datum_t tmp; + + if (req == NULL || nonce == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + ret = get_extension(req->req, "tbsRequest.requestExtensions", + GNUTLS_OCSP_NONCE, 0, &tmp, critical); + if (ret != GNUTLS_E_SUCCESS) { + gnutls_assert(); + return ret; + } + + ret = + _gnutls_x509_decode_string(ASN1_ETYPE_OCTET_STRING, tmp.data, + (size_t) tmp.size, nonce); + if (ret < 0) { + gnutls_assert(); + gnutls_free(tmp.data); + return ret; + } + + gnutls_free(tmp.data); + + return GNUTLS_E_SUCCESS; } /** @@ -941,45 +897,42 @@ gnutls_ocsp_req_get_nonce (gnutls_ocsp_req_t req, * negative error code is returned. **/ int -gnutls_ocsp_req_set_nonce (gnutls_ocsp_req_t req, - unsigned int critical, - const gnutls_datum_t *nonce) +gnutls_ocsp_req_set_nonce(gnutls_ocsp_req_t req, + unsigned int critical, + const gnutls_datum_t * nonce) { - int ret; - gnutls_datum_t dernonce; - unsigned char temp[SIZEOF_UNSIGNED_LONG_INT + 1]; - int len; - - if (req == NULL || nonce == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - asn1_length_der (nonce->size, temp, &len); - - dernonce.size = 1 + len + nonce->size; - dernonce.data = gnutls_malloc (dernonce.size); - if (dernonce.data == NULL) - { - gnutls_assert (); - return GNUTLS_E_MEMORY_ERROR; - } - - dernonce.data[0] = '\x04'; - memcpy (dernonce.data + 1, temp, len); - memcpy (dernonce.data + 1 + len, nonce->data, nonce->size); - - ret = set_extension (req->req, "tbsRequest.requestExtensions", - GNUTLS_OCSP_NONCE, &dernonce, critical); - gnutls_free (dernonce.data); - if (ret != GNUTLS_E_SUCCESS) - { - gnutls_assert (); - return ret; - } - - return ret; + int ret; + gnutls_datum_t dernonce; + unsigned char temp[SIZEOF_UNSIGNED_LONG_INT + 1]; + int len; + + if (req == NULL || nonce == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + asn1_length_der(nonce->size, temp, &len); + + dernonce.size = 1 + len + nonce->size; + dernonce.data = gnutls_malloc(dernonce.size); + if (dernonce.data == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + dernonce.data[0] = '\x04'; + memcpy(dernonce.data + 1, temp, len); + memcpy(dernonce.data + 1 + len, nonce->data, nonce->size); + + ret = set_extension(req->req, "tbsRequest.requestExtensions", + GNUTLS_OCSP_NONCE, &dernonce, critical); + gnutls_free(dernonce.data); + if (ret != GNUTLS_E_SUCCESS) { + gnutls_assert(); + return ret; + } + + return ret; } /** @@ -992,34 +945,30 @@ gnutls_ocsp_req_set_nonce (gnutls_ocsp_req_t req, * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a * negative error code is returned. **/ -int -gnutls_ocsp_req_randomize_nonce (gnutls_ocsp_req_t req) +int gnutls_ocsp_req_randomize_nonce(gnutls_ocsp_req_t req) { - int ret; - uint8_t rndbuf[23]; - gnutls_datum_t nonce = { rndbuf, sizeof (rndbuf) }; - - if (req == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - ret = gnutls_rnd (GNUTLS_RND_NONCE, rndbuf, sizeof (rndbuf)); - if (ret != GNUTLS_E_SUCCESS) - { - gnutls_assert (); - return ret; - } - - ret = gnutls_ocsp_req_set_nonce (req, 0, &nonce); - if (ret != GNUTLS_E_SUCCESS) - { - gnutls_assert (); - return ret; - } - - return GNUTLS_E_SUCCESS; + int ret; + uint8_t rndbuf[23]; + gnutls_datum_t nonce = { rndbuf, sizeof(rndbuf) }; + + if (req == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + ret = gnutls_rnd(GNUTLS_RND_NONCE, rndbuf, sizeof(rndbuf)); + if (ret != GNUTLS_E_SUCCESS) { + gnutls_assert(); + return ret; + } + + ret = gnutls_ocsp_req_set_nonce(req, 0, &nonce); + if (ret != GNUTLS_E_SUCCESS) { + gnutls_assert(); + return ret; + } + + return GNUTLS_E_SUCCESS; } /** @@ -1032,40 +981,36 @@ gnutls_ocsp_req_randomize_nonce (gnutls_ocsp_req_t req) * Returns: status of OCSP request as a #gnutls_ocsp_resp_status_t, or * a negative error code on error. **/ -int -gnutls_ocsp_resp_get_status (gnutls_ocsp_resp_t resp) +int gnutls_ocsp_resp_get_status(gnutls_ocsp_resp_t resp) { - uint8_t str[1]; - int len, ret; - - if (resp == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - len = sizeof (str); - ret = asn1_read_value (resp->resp, "responseStatus", str, &len); - if (ret != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (ret); - } - - switch (str[0]) - { - case GNUTLS_OCSP_RESP_SUCCESSFUL: - case GNUTLS_OCSP_RESP_MALFORMEDREQUEST: - case GNUTLS_OCSP_RESP_INTERNALERROR: - case GNUTLS_OCSP_RESP_TRYLATER: - case GNUTLS_OCSP_RESP_SIGREQUIRED: - case GNUTLS_OCSP_RESP_UNAUTHORIZED: - break; - default: - return GNUTLS_E_UNEXPECTED_PACKET; - } - - return (int) str[0]; + uint8_t str[1]; + int len, ret; + + if (resp == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + len = sizeof(str); + ret = asn1_read_value(resp->resp, "responseStatus", str, &len); + if (ret != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(ret); + } + + switch (str[0]) { + case GNUTLS_OCSP_RESP_SUCCESSFUL: + case GNUTLS_OCSP_RESP_MALFORMEDREQUEST: + case GNUTLS_OCSP_RESP_INTERNALERROR: + case GNUTLS_OCSP_RESP_TRYLATER: + case GNUTLS_OCSP_RESP_SIGREQUIRED: + case GNUTLS_OCSP_RESP_UNAUTHORIZED: + break; + default: + return GNUTLS_E_UNEXPECTED_PACKET; + } + + return (int) str[0]; } /** @@ -1089,41 +1034,40 @@ gnutls_ocsp_resp_get_status (gnutls_ocsp_resp_t resp) * negative error value. **/ int -gnutls_ocsp_resp_get_response (gnutls_ocsp_resp_t resp, - gnutls_datum_t *response_type_oid, - gnutls_datum_t *response) +gnutls_ocsp_resp_get_response(gnutls_ocsp_resp_t resp, + gnutls_datum_t * response_type_oid, + gnutls_datum_t * response) { - int ret; - - if (resp == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - if (response_type_oid != NULL) - { - ret = _gnutls_x509_read_value (resp->resp, "responseBytes.responseType", - response_type_oid); - if (ret < 0) - { - gnutls_assert (); - return ret; - } - } - - if (response != NULL) - { - ret = _gnutls_x509_read_value (resp->resp, "responseBytes.response", - response); - if (ret < 0) - { - gnutls_assert (); - return ret; - } - } - - return GNUTLS_E_SUCCESS; + int ret; + + if (resp == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + if (response_type_oid != NULL) { + ret = + _gnutls_x509_read_value(resp->resp, + "responseBytes.responseType", + response_type_oid); + if (ret < 0) { + gnutls_assert(); + return ret; + } + } + + if (response != NULL) { + ret = + _gnutls_x509_read_value(resp->resp, + "responseBytes.response", + response); + if (ret < 0) { + gnutls_assert(); + return ret; + } + } + + return GNUTLS_E_SUCCESS; } /** @@ -1136,29 +1080,28 @@ gnutls_ocsp_resp_get_response (gnutls_ocsp_resp_t resp, * Returns: version of Basic OCSP response, or a negative error code * on error. **/ -int -gnutls_ocsp_resp_get_version (gnutls_ocsp_resp_t resp) +int gnutls_ocsp_resp_get_version(gnutls_ocsp_resp_t resp) { - uint8_t version[8]; - int len, ret; - - if (resp == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - len = sizeof (version); - ret = asn1_read_value (resp->resp, "tbsResponseData.version", version, &len); - if (ret != ASN1_SUCCESS) - { - if (ret == ASN1_ELEMENT_NOT_FOUND) - return 1; /* the DEFAULT version */ - gnutls_assert (); - return _gnutls_asn2err (ret); - } - - return (int) version[0] + 1; + uint8_t version[8]; + int len, ret; + + if (resp == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + len = sizeof(version); + ret = + asn1_read_value(resp->resp, "tbsResponseData.version", version, + &len); + if (ret != ASN1_SUCCESS) { + if (ret == ASN1_ELEMENT_NOT_FOUND) + return 1; /* the DEFAULT version */ + gnutls_assert(); + return _gnutls_asn2err(ret); + } + + return (int) version[0] + 1; } /** @@ -1178,46 +1121,42 @@ gnutls_ocsp_resp_get_version (gnutls_ocsp_resp_t resp) * negative error code is returned. **/ int -gnutls_ocsp_resp_get_responder (gnutls_ocsp_resp_t resp, - gnutls_datum_t *dn) +gnutls_ocsp_resp_get_responder(gnutls_ocsp_resp_t resp, + gnutls_datum_t * dn) { - int ret; - size_t l = 0; - - if (resp == NULL || dn == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - ret = _gnutls_x509_parse_dn - (resp->basicresp, "tbsResponseData.responderID.byName", - NULL, &l); - if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER) - { - gnutls_assert (); - return ret; - } - - dn->data = gnutls_malloc (l); - if (dn->data == NULL) - { - gnutls_assert (); - return GNUTLS_E_MEMORY_ERROR; - } - - ret = _gnutls_x509_parse_dn - (resp->basicresp, "tbsResponseData.responderID.byName", - (char*)dn->data, &l); - if (ret != GNUTLS_E_SUCCESS) - { - gnutls_assert (); - return ret; - } - - dn->size = l; - - return GNUTLS_E_SUCCESS; + int ret; + size_t l = 0; + + if (resp == NULL || dn == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + ret = _gnutls_x509_parse_dn + (resp->basicresp, "tbsResponseData.responderID.byName", + NULL, &l); + if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER) { + gnutls_assert(); + return ret; + } + + dn->data = gnutls_malloc(l); + if (dn->data == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + ret = _gnutls_x509_parse_dn + (resp->basicresp, "tbsResponseData.responderID.byName", + (char *) dn->data, &l); + if (ret != GNUTLS_E_SUCCESS) { + gnutls_assert(); + return ret; + } + + dn->size = l; + + return GNUTLS_E_SUCCESS; } /** @@ -1229,31 +1168,29 @@ gnutls_ocsp_resp_get_responder (gnutls_ocsp_resp_t resp, * * Returns: signing time, or (time_t)-1 on error. **/ -time_t -gnutls_ocsp_resp_get_produced (gnutls_ocsp_resp_t resp) +time_t gnutls_ocsp_resp_get_produced(gnutls_ocsp_resp_t resp) { - char ttime[MAX_TIME]; - int len, ret; - time_t c_time; - - if (resp == NULL || resp->basicresp == NULL) - { - gnutls_assert (); - return (time_t) (-1); - } - - len = sizeof (ttime) - 1; - ret = asn1_read_value (resp->basicresp, "tbsResponseData.producedAt", - ttime, &len); - if (ret != ASN1_SUCCESS) - { - gnutls_assert (); - return (time_t) (-1); - } - - c_time = _gnutls_x509_generalTime2gtime (ttime); - - return c_time; + char ttime[MAX_TIME]; + int len, ret; + time_t c_time; + + if (resp == NULL || resp->basicresp == NULL) { + gnutls_assert(); + return (time_t) (-1); + } + + len = sizeof(ttime) - 1; + ret = + asn1_read_value(resp->basicresp, "tbsResponseData.producedAt", + ttime, &len); + if (ret != ASN1_SUCCESS) { + gnutls_assert(); + return (time_t) (-1); + } + + c_time = _gnutls_x509_generalTime2gtime(ttime); + + return c_time; } /** @@ -1271,89 +1208,84 @@ gnutls_ocsp_resp_get_produced (gnutls_ocsp_resp_t resp) * Since: 3.1.3 **/ int -gnutls_ocsp_resp_check_crt (gnutls_ocsp_resp_t resp, - unsigned int indx, - gnutls_x509_crt_t crt) +gnutls_ocsp_resp_check_crt(gnutls_ocsp_resp_t resp, + unsigned int indx, gnutls_x509_crt_t crt) { -int ret; -gnutls_digest_algorithm_t digest; -gnutls_datum_t rdn_hash = {NULL, 0}, rserial = {NULL, 0}; -gnutls_datum_t cserial = {NULL, 0}; -gnutls_datum_t dn = {NULL, 0}; -uint8_t cdn_hash[MAX_HASH_SIZE]; -size_t t, hash_len; - - ret = gnutls_ocsp_resp_get_single (resp, indx, &digest, &rdn_hash, NULL, - &rserial, NULL, NULL, NULL, NULL, NULL); - if (ret < 0) - return gnutls_assert_val(ret); - - if (rserial.size == 0 || digest == GNUTLS_DIG_UNKNOWN) - { - ret = gnutls_assert_val(GNUTLS_E_OCSP_RESPONSE_ERROR); - goto cleanup; - } - - hash_len = _gnutls_hash_get_algo_len(mac_to_entry(digest)); - if (hash_len != rdn_hash.size) - { - ret = gnutls_assert_val(GNUTLS_E_OCSP_RESPONSE_ERROR); - goto cleanup; - } - - cserial.size = rserial.size; - cserial.data = gnutls_malloc(cserial.size); - if (cserial.data == NULL) - { - ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); - goto cleanup; - } - - t = cserial.size; - ret = gnutls_x509_crt_get_serial(crt, cserial.data, &t); - if (ret < 0) - { - gnutls_assert(); - goto cleanup; - } - - if (rserial.size != cserial.size || memcmp(cserial.data, rserial.data, rserial.size) != 0) - { - ret = GNUTLS_E_OCSP_RESPONSE_ERROR; - gnutls_assert(); - goto cleanup; - } - - ret = gnutls_x509_crt_get_raw_issuer_dn(crt, &dn); - if (ret < 0) - { - gnutls_assert(); - goto cleanup; - } - - ret = _gnutls_hash_fast( digest, dn.data, dn.size, cdn_hash); - if (ret < 0) - { - gnutls_assert(); - goto cleanup; - } - - if (memcmp(cdn_hash, rdn_hash.data, hash_len) != 0) - { - ret = GNUTLS_E_OCSP_RESPONSE_ERROR; - gnutls_assert(); - goto cleanup; - } - - ret = 0; - -cleanup: - gnutls_free(rdn_hash.data); - gnutls_free(rserial.data); - gnutls_free(cserial.data); - gnutls_free(dn.data); - - return ret; + int ret; + gnutls_digest_algorithm_t digest; + gnutls_datum_t rdn_hash = { NULL, 0 }, rserial = { + NULL, 0}; + gnutls_datum_t cserial = { NULL, 0 }; + gnutls_datum_t dn = { NULL, 0 }; + uint8_t cdn_hash[MAX_HASH_SIZE]; + size_t t, hash_len; + + ret = + gnutls_ocsp_resp_get_single(resp, indx, &digest, &rdn_hash, + NULL, &rserial, NULL, NULL, NULL, + NULL, NULL); + if (ret < 0) + return gnutls_assert_val(ret); + + if (rserial.size == 0 || digest == GNUTLS_DIG_UNKNOWN) { + ret = gnutls_assert_val(GNUTLS_E_OCSP_RESPONSE_ERROR); + goto cleanup; + } + + hash_len = _gnutls_hash_get_algo_len(mac_to_entry(digest)); + if (hash_len != rdn_hash.size) { + ret = gnutls_assert_val(GNUTLS_E_OCSP_RESPONSE_ERROR); + goto cleanup; + } + + cserial.size = rserial.size; + cserial.data = gnutls_malloc(cserial.size); + if (cserial.data == NULL) { + ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); + goto cleanup; + } + + t = cserial.size; + ret = gnutls_x509_crt_get_serial(crt, cserial.data, &t); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + + if (rserial.size != cserial.size + || memcmp(cserial.data, rserial.data, rserial.size) != 0) { + ret = GNUTLS_E_OCSP_RESPONSE_ERROR; + gnutls_assert(); + goto cleanup; + } + + ret = gnutls_x509_crt_get_raw_issuer_dn(crt, &dn); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + + ret = _gnutls_hash_fast(digest, dn.data, dn.size, cdn_hash); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + + if (memcmp(cdn_hash, rdn_hash.data, hash_len) != 0) { + ret = GNUTLS_E_OCSP_RESPONSE_ERROR; + gnutls_assert(); + goto cleanup; + } + + ret = 0; + + cleanup: + gnutls_free(rdn_hash.data); + gnutls_free(rserial.data); + gnutls_free(cserial.data); + gnutls_free(dn.data); + + return ret; } /** @@ -1384,194 +1316,177 @@ cleanup: * returned. **/ int -gnutls_ocsp_resp_get_single (gnutls_ocsp_resp_t resp, - unsigned indx, - gnutls_digest_algorithm_t *digest, - gnutls_datum_t *issuer_name_hash, - gnutls_datum_t *issuer_key_hash, - gnutls_datum_t *serial_number, - unsigned int *cert_status, - time_t *this_update, - time_t *next_update, - time_t *revocation_time, - unsigned int *revocation_reason) +gnutls_ocsp_resp_get_single(gnutls_ocsp_resp_t resp, + unsigned indx, + gnutls_digest_algorithm_t * digest, + gnutls_datum_t * issuer_name_hash, + gnutls_datum_t * issuer_key_hash, + gnutls_datum_t * serial_number, + unsigned int *cert_status, + time_t * this_update, + time_t * next_update, + time_t * revocation_time, + unsigned int *revocation_reason) { - gnutls_datum_t sa; - char name[ASN1_MAX_NAME_SIZE]; - int ret; - - snprintf (name, sizeof (name), - "tbsResponseData.responses.?%u.certID.hashAlgorithm.algorithm", - indx + 1); - ret = _gnutls_x509_read_value (resp->basicresp, name, &sa); - if (ret == GNUTLS_E_ASN1_ELEMENT_NOT_FOUND) - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - else if (ret < 0) - { - gnutls_assert (); - return ret; - } - - ret = _gnutls_x509_oid_to_digest ((char*)sa.data); - _gnutls_free_datum (&sa); - if (ret < 0) - { - gnutls_assert (); - return ret; - } - - if (digest) - *digest = ret; - - if (issuer_name_hash) - { - snprintf (name, sizeof (name), - "tbsResponseData.responses.?%u.certID.issuerNameHash", - indx + 1); - ret = _gnutls_x509_read_value (resp->basicresp, name, - issuer_name_hash); - if (ret != GNUTLS_E_SUCCESS) - { - gnutls_assert (); - return ret; - } - } - - if (issuer_key_hash) - { - snprintf (name, sizeof (name), - "tbsResponseData.responses.?%u.certID.issuerKeyHash", - indx + 1); - ret = _gnutls_x509_read_value (resp->basicresp, name, - issuer_key_hash); - if (ret != GNUTLS_E_SUCCESS) - { - gnutls_assert (); - if (issuer_name_hash) - gnutls_free (issuer_name_hash->data); - return ret; - } - } - - if (serial_number) - { - snprintf (name, sizeof (name), - "tbsResponseData.responses.?%u.certID.serialNumber", - indx + 1); - ret = _gnutls_x509_read_value (resp->basicresp, name, - serial_number); - if (ret != GNUTLS_E_SUCCESS) - { - gnutls_assert (); - if (issuer_name_hash) - gnutls_free (issuer_name_hash->data); - if (issuer_key_hash) - gnutls_free (issuer_key_hash->data); - return ret; - } - } - - if (cert_status) - { - snprintf (name, sizeof (name), - "tbsResponseData.responses.?%u.certStatus", - indx + 1); - ret = _gnutls_x509_read_value (resp->basicresp, name, &sa); - if (ret == GNUTLS_E_ASN1_ELEMENT_NOT_FOUND) - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - else if (ret < 0) - { - gnutls_assert (); - return ret; - } - if (sa.size == 5 && memcmp (sa.data, "good", sa.size) == 0) - *cert_status = GNUTLS_OCSP_CERT_GOOD; - else if (sa.size == 8 && memcmp (sa.data, "revoked", sa.size) == 0) - *cert_status = GNUTLS_OCSP_CERT_REVOKED; - else if (sa.size == 8 && memcmp (sa.data, "unknown", sa.size) == 0) - *cert_status = GNUTLS_OCSP_CERT_UNKNOWN; - else - { - gnutls_assert (); - gnutls_free (sa.data); - return GNUTLS_E_ASN1_DER_ERROR; - } - gnutls_free (sa.data); - } - - if (this_update) - { - char ttime[MAX_TIME]; - int len; - - snprintf (name, sizeof (name), - "tbsResponseData.responses.?%u.thisUpdate", - indx + 1); - len = sizeof (ttime) - 1; - ret = asn1_read_value (resp->basicresp, name, ttime, &len); - if (ret != ASN1_SUCCESS) - { - gnutls_assert (); - *this_update = (time_t) (-1); - } - else - *this_update = _gnutls_x509_generalTime2gtime (ttime); - } - - if (next_update) - { - char ttime[MAX_TIME]; - int len; - - snprintf (name, sizeof (name), - "tbsResponseData.responses.?%u.nextUpdate", - indx + 1); - len = sizeof (ttime) - 1; - ret = asn1_read_value (resp->basicresp, name, ttime, &len); - if (ret != ASN1_SUCCESS) - { - gnutls_assert (); - *next_update = (time_t) (-1); - } - else - *next_update = _gnutls_x509_generalTime2gtime (ttime); - } - - if (revocation_time) - { - char ttime[MAX_TIME]; - int len; - - snprintf (name, sizeof (name), - "tbsResponseData.responses.?%u.certStatus." - "revoked.revocationTime", - indx + 1); - len = sizeof (ttime) - 1; - ret = asn1_read_value (resp->basicresp, name, ttime, &len); - if (ret != ASN1_SUCCESS) - { - gnutls_assert (); - *revocation_time = (time_t) (-1); - } - else - *revocation_time = _gnutls_x509_generalTime2gtime (ttime); - } - - /* revocation_reason */ - if (revocation_reason) - { - snprintf (name, sizeof (name), - "tbsResponseData.responses.?%u.certStatus." - "revoked.revocationReason", - indx + 1); - - ret = _gnutls_x509_read_uint (resp->basicresp, name, - revocation_reason); - if (ret < 0) - *revocation_reason = GNUTLS_X509_CRLREASON_UNSPECIFIED; - } - - return GNUTLS_E_SUCCESS; + gnutls_datum_t sa; + char name[ASN1_MAX_NAME_SIZE]; + int ret; + + snprintf(name, sizeof(name), + "tbsResponseData.responses.?%u.certID.hashAlgorithm.algorithm", + indx + 1); + ret = _gnutls_x509_read_value(resp->basicresp, name, &sa); + if (ret == GNUTLS_E_ASN1_ELEMENT_NOT_FOUND) + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + else if (ret < 0) { + gnutls_assert(); + return ret; + } + + ret = _gnutls_x509_oid_to_digest((char *) sa.data); + _gnutls_free_datum(&sa); + if (ret < 0) { + gnutls_assert(); + return ret; + } + + if (digest) + *digest = ret; + + if (issuer_name_hash) { + snprintf(name, sizeof(name), + "tbsResponseData.responses.?%u.certID.issuerNameHash", + indx + 1); + ret = _gnutls_x509_read_value(resp->basicresp, name, + issuer_name_hash); + if (ret != GNUTLS_E_SUCCESS) { + gnutls_assert(); + return ret; + } + } + + if (issuer_key_hash) { + snprintf(name, sizeof(name), + "tbsResponseData.responses.?%u.certID.issuerKeyHash", + indx + 1); + ret = _gnutls_x509_read_value(resp->basicresp, name, + issuer_key_hash); + if (ret != GNUTLS_E_SUCCESS) { + gnutls_assert(); + if (issuer_name_hash) + gnutls_free(issuer_name_hash->data); + return ret; + } + } + + if (serial_number) { + snprintf(name, sizeof(name), + "tbsResponseData.responses.?%u.certID.serialNumber", + indx + 1); + ret = _gnutls_x509_read_value(resp->basicresp, name, + serial_number); + if (ret != GNUTLS_E_SUCCESS) { + gnutls_assert(); + if (issuer_name_hash) + gnutls_free(issuer_name_hash->data); + if (issuer_key_hash) + gnutls_free(issuer_key_hash->data); + return ret; + } + } + + if (cert_status) { + snprintf(name, sizeof(name), + "tbsResponseData.responses.?%u.certStatus", + indx + 1); + ret = _gnutls_x509_read_value(resp->basicresp, name, &sa); + if (ret == GNUTLS_E_ASN1_ELEMENT_NOT_FOUND) + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + else if (ret < 0) { + gnutls_assert(); + return ret; + } + if (sa.size == 5 && memcmp(sa.data, "good", sa.size) == 0) + *cert_status = GNUTLS_OCSP_CERT_GOOD; + else if (sa.size == 8 + && memcmp(sa.data, "revoked", sa.size) == 0) + *cert_status = GNUTLS_OCSP_CERT_REVOKED; + else if (sa.size == 8 + && memcmp(sa.data, "unknown", sa.size) == 0) + *cert_status = GNUTLS_OCSP_CERT_UNKNOWN; + else { + gnutls_assert(); + gnutls_free(sa.data); + return GNUTLS_E_ASN1_DER_ERROR; + } + gnutls_free(sa.data); + } + + if (this_update) { + char ttime[MAX_TIME]; + int len; + + snprintf(name, sizeof(name), + "tbsResponseData.responses.?%u.thisUpdate", + indx + 1); + len = sizeof(ttime) - 1; + ret = asn1_read_value(resp->basicresp, name, ttime, &len); + if (ret != ASN1_SUCCESS) { + gnutls_assert(); + *this_update = (time_t) (-1); + } else + *this_update = + _gnutls_x509_generalTime2gtime(ttime); + } + + if (next_update) { + char ttime[MAX_TIME]; + int len; + + snprintf(name, sizeof(name), + "tbsResponseData.responses.?%u.nextUpdate", + indx + 1); + len = sizeof(ttime) - 1; + ret = asn1_read_value(resp->basicresp, name, ttime, &len); + if (ret != ASN1_SUCCESS) { + gnutls_assert(); + *next_update = (time_t) (-1); + } else + *next_update = + _gnutls_x509_generalTime2gtime(ttime); + } + + if (revocation_time) { + char ttime[MAX_TIME]; + int len; + + snprintf(name, sizeof(name), + "tbsResponseData.responses.?%u.certStatus." + "revoked.revocationTime", indx + 1); + len = sizeof(ttime) - 1; + ret = asn1_read_value(resp->basicresp, name, ttime, &len); + if (ret != ASN1_SUCCESS) { + gnutls_assert(); + *revocation_time = (time_t) (-1); + } else + *revocation_time = + _gnutls_x509_generalTime2gtime(ttime); + } + + /* revocation_reason */ + if (revocation_reason) { + snprintf(name, sizeof(name), + "tbsResponseData.responses.?%u.certStatus." + "revoked.revocationReason", indx + 1); + + ret = _gnutls_x509_read_uint(resp->basicresp, name, + revocation_reason); + if (ret < 0) + *revocation_reason = + GNUTLS_X509_CRLREASON_UNSPECIFIED; + } + + return GNUTLS_E_SUCCESS; } /** @@ -1598,71 +1513,66 @@ gnutls_ocsp_resp_get_single (gnutls_ocsp_resp_t resp, * be returned. **/ int -gnutls_ocsp_resp_get_extension (gnutls_ocsp_resp_t resp, - unsigned indx, - gnutls_datum_t *oid, - unsigned int *critical, - gnutls_datum_t *data) +gnutls_ocsp_resp_get_extension(gnutls_ocsp_resp_t resp, + unsigned indx, + gnutls_datum_t * oid, + unsigned int *critical, + gnutls_datum_t * data) { - int ret; - char str_critical[10]; - char name[ASN1_MAX_NAME_SIZE]; - int len; - - if (!resp) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - snprintf (name, sizeof (name), - "tbsResponseData.responseExtensions.?%u.critical", - indx + 1); - len = sizeof (str_critical); - ret = asn1_read_value (resp->basicresp, name, str_critical, &len); - if (ret == ASN1_ELEMENT_NOT_FOUND) - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - else if (ret != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (ret); - } - - if (critical) - { - if (str_critical[0] == 'T') - *critical = 1; - else - *critical = 0; - } - - if (oid) - { - snprintf (name, sizeof (name), - "tbsResponseData.responseExtensions.?%u.extnID", indx + 1); - ret = _gnutls_x509_read_value (resp->basicresp, name, oid); - if (ret != GNUTLS_E_SUCCESS) - { - gnutls_assert (); - return ret; - } - } - - if (data) - { - snprintf (name, sizeof (name), - "tbsResponseData.responseExtensions.?%u.extnValue", indx + 1); - ret = _gnutls_x509_read_value (resp->basicresp, name, data); - if (ret != GNUTLS_E_SUCCESS) - { - gnutls_assert (); - if (oid) - gnutls_free (oid->data); - return ret; - } - } - - return GNUTLS_E_SUCCESS; + int ret; + char str_critical[10]; + char name[ASN1_MAX_NAME_SIZE]; + int len; + + if (!resp) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + snprintf(name, sizeof(name), + "tbsResponseData.responseExtensions.?%u.critical", + indx + 1); + len = sizeof(str_critical); + ret = asn1_read_value(resp->basicresp, name, str_critical, &len); + if (ret == ASN1_ELEMENT_NOT_FOUND) + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + else if (ret != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(ret); + } + + if (critical) { + if (str_critical[0] == 'T') + *critical = 1; + else + *critical = 0; + } + + if (oid) { + snprintf(name, sizeof(name), + "tbsResponseData.responseExtensions.?%u.extnID", + indx + 1); + ret = _gnutls_x509_read_value(resp->basicresp, name, oid); + if (ret != GNUTLS_E_SUCCESS) { + gnutls_assert(); + return ret; + } + } + + if (data) { + snprintf(name, sizeof(name), + "tbsResponseData.responseExtensions.?%u.extnValue", + indx + 1); + ret = _gnutls_x509_read_value(resp->basicresp, name, data); + if (ret != GNUTLS_E_SUCCESS) { + gnutls_assert(); + if (oid) + gnutls_free(oid->data); + return ret; + } + } + + return GNUTLS_E_SUCCESS; } /** @@ -1681,34 +1591,33 @@ gnutls_ocsp_resp_get_extension (gnutls_ocsp_resp_t resp, * negative error code is returned. **/ int -gnutls_ocsp_resp_get_nonce (gnutls_ocsp_resp_t resp, - unsigned int *critical, - gnutls_datum_t *nonce) +gnutls_ocsp_resp_get_nonce(gnutls_ocsp_resp_t resp, + unsigned int *critical, gnutls_datum_t * nonce) { - int ret; - gnutls_datum_t tmp; - - ret = get_extension (resp->basicresp, "tbsResponseData.responseExtensions", - GNUTLS_OCSP_NONCE, 0, - &tmp, critical); - if (ret != GNUTLS_E_SUCCESS) - { - gnutls_assert (); - return ret; - } - - ret = _gnutls_x509_decode_string (ASN1_ETYPE_OCTET_STRING, tmp.data, (size_t) tmp.size, - nonce); - if (ret < 0) - { - gnutls_assert (); - gnutls_free (tmp.data); - return ret; - } - - gnutls_free (tmp.data); - - return GNUTLS_E_SUCCESS; + int ret; + gnutls_datum_t tmp; + + ret = + get_extension(resp->basicresp, + "tbsResponseData.responseExtensions", + GNUTLS_OCSP_NONCE, 0, &tmp, critical); + if (ret != GNUTLS_E_SUCCESS) { + gnutls_assert(); + return ret; + } + + ret = + _gnutls_x509_decode_string(ASN1_ETYPE_OCTET_STRING, tmp.data, + (size_t) tmp.size, nonce); + if (ret < 0) { + gnutls_assert(); + gnutls_free(tmp.data); + return ret; + } + + gnutls_free(tmp.data); + + return GNUTLS_E_SUCCESS; } /** @@ -1722,25 +1631,23 @@ gnutls_ocsp_resp_get_nonce (gnutls_ocsp_resp_t resp, * Returns: a #gnutls_sign_algorithm_t value, or a negative error code * on error. **/ -int -gnutls_ocsp_resp_get_signature_algorithm (gnutls_ocsp_resp_t resp) +int gnutls_ocsp_resp_get_signature_algorithm(gnutls_ocsp_resp_t resp) { - int ret; - gnutls_datum_t sa; - - ret = _gnutls_x509_read_value (resp->basicresp, - "signatureAlgorithm.algorithm", &sa); - if (ret < 0) - { - gnutls_assert (); - return ret; - } + int ret; + gnutls_datum_t sa; + + ret = _gnutls_x509_read_value(resp->basicresp, + "signatureAlgorithm.algorithm", &sa); + if (ret < 0) { + gnutls_assert(); + return ret; + } - ret = _gnutls_x509_oid2sign_algorithm ((char*)sa.data); + ret = _gnutls_x509_oid2sign_algorithm((char *) sa.data); - _gnutls_free_datum (&sa); + _gnutls_free_datum(&sa); - return ret; + return ret; } /** @@ -1754,25 +1661,23 @@ gnutls_ocsp_resp_get_signature_algorithm (gnutls_ocsp_resp_t resp) * negative error value. **/ int -gnutls_ocsp_resp_get_signature (gnutls_ocsp_resp_t resp, - gnutls_datum_t *sig) +gnutls_ocsp_resp_get_signature(gnutls_ocsp_resp_t resp, + gnutls_datum_t * sig) { - int ret; - - if (resp == NULL || sig == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - ret = _gnutls_x509_read_value (resp->basicresp, "signature", sig); - if (ret != GNUTLS_E_SUCCESS) - { - gnutls_assert (); - return ret; - } - - return GNUTLS_E_SUCCESS; + int ret; + + if (resp == NULL || sig == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + ret = _gnutls_x509_read_value(resp->basicresp, "signature", sig); + if (ret != GNUTLS_E_SUCCESS) { + gnutls_assert(); + return ret; + } + + return GNUTLS_E_SUCCESS; } /** @@ -1798,302 +1703,271 @@ gnutls_ocsp_resp_get_signature (gnutls_ocsp_resp_t resp, * negative error value. **/ int -gnutls_ocsp_resp_get_certs (gnutls_ocsp_resp_t resp, - gnutls_x509_crt_t ** certs, - size_t *ncerts) +gnutls_ocsp_resp_get_certs(gnutls_ocsp_resp_t resp, + gnutls_x509_crt_t ** certs, size_t * ncerts) { - int ret; - size_t ctr = 0, i; - gnutls_x509_crt_t *tmpcerts = NULL, *tmpcerts2; - gnutls_datum_t c = { NULL, 0 }; - - if (resp == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - tmpcerts = gnutls_malloc (sizeof (*tmpcerts)); - if (tmpcerts == NULL) - { - gnutls_assert (); - return GNUTLS_E_MEMORY_ERROR; - } - - for (;;) - { - char name[ASN1_MAX_NAME_SIZE]; - - snprintf (name, sizeof (name), "certs.?%u", (unsigned int)(ctr + 1)); - ret = _gnutls_x509_der_encode (resp->basicresp, name, &c, 0); - if (ret == GNUTLS_E_ASN1_ELEMENT_NOT_FOUND) - break; - if (ret != GNUTLS_E_SUCCESS) - { - gnutls_assert (); - goto error; - } - - tmpcerts2 = gnutls_realloc_fast (tmpcerts, (ctr + 2) * sizeof (*tmpcerts)); - if (tmpcerts2 == NULL) - { - gnutls_assert (); - ret = GNUTLS_E_MEMORY_ERROR; - goto error; - } - tmpcerts = tmpcerts2; - - ret = gnutls_x509_crt_init (&tmpcerts[ctr]); - if (ret != GNUTLS_E_SUCCESS) - { - gnutls_assert (); - goto error; - } - ctr++; - - ret = gnutls_x509_crt_import (tmpcerts[ctr - 1], &c, - GNUTLS_X509_FMT_DER); - if (ret != GNUTLS_E_SUCCESS) - { - gnutls_assert (); - goto error; - } - - gnutls_free (c.data); - c.data = NULL; - } - - tmpcerts[ctr] = NULL; - - if (ncerts) - *ncerts = ctr; - if (certs) - *certs = tmpcerts; - else - { - /* clean up memory */ - ret = GNUTLS_E_SUCCESS; - goto error; - } - - return GNUTLS_E_SUCCESS; - - error: - gnutls_free (c.data); - for (i = 0; i < ctr; i++) - gnutls_x509_crt_deinit (tmpcerts[i]); - gnutls_free (tmpcerts); - return ret; + int ret; + size_t ctr = 0, i; + gnutls_x509_crt_t *tmpcerts = NULL, *tmpcerts2; + gnutls_datum_t c = { NULL, 0 }; + + if (resp == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + tmpcerts = gnutls_malloc(sizeof(*tmpcerts)); + if (tmpcerts == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + for (;;) { + char name[ASN1_MAX_NAME_SIZE]; + + snprintf(name, sizeof(name), "certs.?%u", + (unsigned int) (ctr + 1)); + ret = + _gnutls_x509_der_encode(resp->basicresp, name, &c, 0); + if (ret == GNUTLS_E_ASN1_ELEMENT_NOT_FOUND) + break; + if (ret != GNUTLS_E_SUCCESS) { + gnutls_assert(); + goto error; + } + + tmpcerts2 = + gnutls_realloc_fast(tmpcerts, + (ctr + 2) * sizeof(*tmpcerts)); + if (tmpcerts2 == NULL) { + gnutls_assert(); + ret = GNUTLS_E_MEMORY_ERROR; + goto error; + } + tmpcerts = tmpcerts2; + + ret = gnutls_x509_crt_init(&tmpcerts[ctr]); + if (ret != GNUTLS_E_SUCCESS) { + gnutls_assert(); + goto error; + } + ctr++; + + ret = gnutls_x509_crt_import(tmpcerts[ctr - 1], &c, + GNUTLS_X509_FMT_DER); + if (ret != GNUTLS_E_SUCCESS) { + gnutls_assert(); + goto error; + } + + gnutls_free(c.data); + c.data = NULL; + } + + tmpcerts[ctr] = NULL; + + if (ncerts) + *ncerts = ctr; + if (certs) + *certs = tmpcerts; + else { + /* clean up memory */ + ret = GNUTLS_E_SUCCESS; + goto error; + } + + return GNUTLS_E_SUCCESS; + + error: + gnutls_free(c.data); + for (i = 0; i < ctr; i++) + gnutls_x509_crt_deinit(tmpcerts[i]); + gnutls_free(tmpcerts); + return ret; } /* Search the OCSP response for a certificate matching the responderId mentioned in the OCSP response. */ -static gnutls_x509_crt_t -find_signercert (gnutls_ocsp_resp_t resp) +static gnutls_x509_crt_t find_signercert(gnutls_ocsp_resp_t resp) { - int rc; - gnutls_x509_crt_t * certs; - size_t ncerts = 0, i; - gnutls_datum_t riddn; - gnutls_x509_crt_t signercert = NULL; - - rc = gnutls_ocsp_resp_get_responder (resp, &riddn); - if (rc != GNUTLS_E_SUCCESS) - { - gnutls_assert (); - return NULL; - } - - rc = gnutls_ocsp_resp_get_certs (resp, &certs, &ncerts); - if (rc != GNUTLS_E_SUCCESS) - { - gnutls_assert (); - gnutls_free (riddn.data); - return NULL; - } - - for (i = 0; i < ncerts; i++) - { - char *crtdn; - size_t crtdnsize = 0; - int cmpok; - - rc = gnutls_x509_crt_get_dn (certs[i], NULL, &crtdnsize); - if (rc != GNUTLS_E_SHORT_MEMORY_BUFFER) - { - gnutls_assert (); - goto quit; - } - - crtdn = gnutls_malloc (crtdnsize); - if (crtdn == NULL) - { - gnutls_assert (); - goto quit; - } - - rc = gnutls_x509_crt_get_dn (certs[i], crtdn, &crtdnsize); - if (rc != GNUTLS_E_SUCCESS) - { - gnutls_assert (); - gnutls_free (crtdn); - goto quit; - } - - cmpok = (crtdnsize == riddn.size) - && memcmp (riddn.data, crtdn, crtdnsize); - - gnutls_free (crtdn); - - if (cmpok == 0) - { - signercert = certs[i]; - goto quit; - } - } - - gnutls_assert (); - signercert = NULL; - - quit: - gnutls_free (riddn.data); - for (i = 0; i < ncerts; i++) - if (certs[i] != signercert) - gnutls_x509_crt_deinit (certs[i]); - gnutls_free (certs); - return signercert; + int rc; + gnutls_x509_crt_t *certs; + size_t ncerts = 0, i; + gnutls_datum_t riddn; + gnutls_x509_crt_t signercert = NULL; + + rc = gnutls_ocsp_resp_get_responder(resp, &riddn); + if (rc != GNUTLS_E_SUCCESS) { + gnutls_assert(); + return NULL; + } + + rc = gnutls_ocsp_resp_get_certs(resp, &certs, &ncerts); + if (rc != GNUTLS_E_SUCCESS) { + gnutls_assert(); + gnutls_free(riddn.data); + return NULL; + } + + for (i = 0; i < ncerts; i++) { + char *crtdn; + size_t crtdnsize = 0; + int cmpok; + + rc = gnutls_x509_crt_get_dn(certs[i], NULL, &crtdnsize); + if (rc != GNUTLS_E_SHORT_MEMORY_BUFFER) { + gnutls_assert(); + goto quit; + } + + crtdn = gnutls_malloc(crtdnsize); + if (crtdn == NULL) { + gnutls_assert(); + goto quit; + } + + rc = gnutls_x509_crt_get_dn(certs[i], crtdn, &crtdnsize); + if (rc != GNUTLS_E_SUCCESS) { + gnutls_assert(); + gnutls_free(crtdn); + goto quit; + } + + cmpok = (crtdnsize == riddn.size) + && memcmp(riddn.data, crtdn, crtdnsize); + + gnutls_free(crtdn); + + if (cmpok == 0) { + signercert = certs[i]; + goto quit; + } + } + + gnutls_assert(); + signercert = NULL; + + quit: + gnutls_free(riddn.data); + for (i = 0; i < ncerts; i++) + if (certs[i] != signercert) + gnutls_x509_crt_deinit(certs[i]); + gnutls_free(certs); + return signercert; } static int -_ocsp_resp_verify_direct (gnutls_ocsp_resp_t resp, - gnutls_x509_crt_t signercert, - unsigned int *verify, - unsigned int flags) +_ocsp_resp_verify_direct(gnutls_ocsp_resp_t resp, + gnutls_x509_crt_t signercert, + unsigned int *verify, unsigned int flags) { - gnutls_datum_t sig = { NULL }; - gnutls_datum_t data = { NULL }; - gnutls_pubkey_t pubkey = NULL; - int sigalg; - int rc; - - if (resp == NULL || signercert == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - rc = gnutls_ocsp_resp_get_signature_algorithm (resp); - if (rc < 0) - { - gnutls_assert (); - goto done; - } - sigalg = rc; - - rc = export (resp->basicresp, "tbsResponseData", &data); - if (rc != GNUTLS_E_SUCCESS) - { - gnutls_assert (); - goto done; - } - - rc = gnutls_pubkey_init (&pubkey); - if (rc != GNUTLS_E_SUCCESS) - { - gnutls_assert (); - goto done; - } - - rc = gnutls_pubkey_import_x509 (pubkey, signercert, 0); - if (rc != GNUTLS_E_SUCCESS) - { - gnutls_assert (); - goto done; - } - - rc = gnutls_ocsp_resp_get_signature (resp, &sig); - if (rc != GNUTLS_E_SUCCESS) - { - gnutls_assert (); - goto done; - } - - rc = gnutls_pubkey_verify_data2 (pubkey, sigalg, 0, &data, &sig); - if (rc == GNUTLS_E_PK_SIG_VERIFY_FAILED) - { - gnutls_assert (); - *verify = GNUTLS_OCSP_VERIFY_SIGNATURE_FAILURE; - } - else if (rc < 0) - { - gnutls_assert (); - goto done; - } - else - *verify = 0; - - rc = GNUTLS_E_SUCCESS; - - done: - gnutls_free (data.data); - gnutls_free (sig.data); - gnutls_pubkey_deinit (pubkey); - - return rc; + gnutls_datum_t sig = { NULL }; + gnutls_datum_t data = { NULL }; + gnutls_pubkey_t pubkey = NULL; + int sigalg; + int rc; + + if (resp == NULL || signercert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + rc = gnutls_ocsp_resp_get_signature_algorithm(resp); + if (rc < 0) { + gnutls_assert(); + goto done; + } + sigalg = rc; + + rc = export(resp->basicresp, "tbsResponseData", &data); + if (rc != GNUTLS_E_SUCCESS) { + gnutls_assert(); + goto done; + } + + rc = gnutls_pubkey_init(&pubkey); + if (rc != GNUTLS_E_SUCCESS) { + gnutls_assert(); + goto done; + } + + rc = gnutls_pubkey_import_x509(pubkey, signercert, 0); + if (rc != GNUTLS_E_SUCCESS) { + gnutls_assert(); + goto done; + } + + rc = gnutls_ocsp_resp_get_signature(resp, &sig); + if (rc != GNUTLS_E_SUCCESS) { + gnutls_assert(); + goto done; + } + + rc = gnutls_pubkey_verify_data2(pubkey, sigalg, 0, &data, &sig); + if (rc == GNUTLS_E_PK_SIG_VERIFY_FAILED) { + gnutls_assert(); + *verify = GNUTLS_OCSP_VERIFY_SIGNATURE_FAILURE; + } else if (rc < 0) { + gnutls_assert(); + goto done; + } else + *verify = 0; + + rc = GNUTLS_E_SUCCESS; + + done: + gnutls_free(data.data); + gnutls_free(sig.data); + gnutls_pubkey_deinit(pubkey); + + return rc; } static inline unsigned int vstatus_to_ocsp_status(unsigned int status) { -unsigned int ostatus; - - if (status & GNUTLS_CERT_INSECURE_ALGORITHM) - ostatus = GNUTLS_OCSP_VERIFY_INSECURE_ALGORITHM; - else if (status & GNUTLS_CERT_NOT_ACTIVATED) - ostatus = GNUTLS_OCSP_VERIFY_CERT_NOT_ACTIVATED; - else if (status & GNUTLS_CERT_EXPIRED) - ostatus = GNUTLS_OCSP_VERIFY_CERT_EXPIRED; - else - ostatus = GNUTLS_OCSP_VERIFY_UNTRUSTED_SIGNER; - - return ostatus; + unsigned int ostatus; + + if (status & GNUTLS_CERT_INSECURE_ALGORITHM) + ostatus = GNUTLS_OCSP_VERIFY_INSECURE_ALGORITHM; + else if (status & GNUTLS_CERT_NOT_ACTIVATED) + ostatus = GNUTLS_OCSP_VERIFY_CERT_NOT_ACTIVATED; + else if (status & GNUTLS_CERT_EXPIRED) + ostatus = GNUTLS_OCSP_VERIFY_CERT_EXPIRED; + else + ostatus = GNUTLS_OCSP_VERIFY_UNTRUSTED_SIGNER; + + return ostatus; } static int check_ocsp_purpose(gnutls_x509_crt_t signercert) { -char oidtmp[sizeof (GNUTLS_KP_OCSP_SIGNING)]; -size_t oidsize; -int indx, rc; - - for (indx = 0; ; indx++) - { - oidsize = sizeof (oidtmp); - rc = gnutls_x509_crt_get_key_purpose_oid (signercert, indx, - oidtmp, &oidsize, - NULL); - if (rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) - { - gnutls_assert(); - return rc; - } - else if (rc == GNUTLS_E_SHORT_MEMORY_BUFFER) - { - gnutls_assert (); - continue; - } - else if (rc != GNUTLS_E_SUCCESS) - { - return gnutls_assert_val(rc); - } - - if (memcmp (oidtmp, GNUTLS_KP_OCSP_SIGNING, oidsize) != 0) - { - gnutls_assert (); - continue; - } - break; - } - - return 0; + char oidtmp[sizeof(GNUTLS_KP_OCSP_SIGNING)]; + size_t oidsize; + int indx, rc; + + for (indx = 0;; indx++) { + oidsize = sizeof(oidtmp); + rc = gnutls_x509_crt_get_key_purpose_oid(signercert, indx, + oidtmp, &oidsize, + NULL); + if (rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { + gnutls_assert(); + return rc; + } else if (rc == GNUTLS_E_SHORT_MEMORY_BUFFER) { + gnutls_assert(); + continue; + } else if (rc != GNUTLS_E_SUCCESS) { + return gnutls_assert_val(rc); + } + + if (memcmp(oidtmp, GNUTLS_KP_OCSP_SIGNING, oidsize) != 0) { + gnutls_assert(); + continue; + } + break; + } + + return 0; } /** @@ -2121,61 +1995,55 @@ int indx, rc; * negative error value. **/ int -gnutls_ocsp_resp_verify_direct (gnutls_ocsp_resp_t resp, - gnutls_x509_crt_t issuer, - unsigned int *verify, - unsigned int flags) +gnutls_ocsp_resp_verify_direct(gnutls_ocsp_resp_t resp, + gnutls_x509_crt_t issuer, + unsigned int *verify, unsigned int flags) { - gnutls_x509_crt_t signercert; - int rc; - - if (resp == NULL || issuer == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - signercert = find_signercert (resp); - if (!signercert) - { - signercert = issuer; - } - else /* response contains a signer. Verify him */ - { - unsigned int vtmp; - - rc = gnutls_x509_crt_verify (signercert, &issuer, 1, 0, &vtmp); - if (rc != GNUTLS_E_SUCCESS) - { - gnutls_assert (); - goto done; - } - - if (vtmp != 0) - { - *verify = vstatus_to_ocsp_status(vtmp); - gnutls_assert (); - rc = GNUTLS_E_SUCCESS; - goto done; - } - - rc = check_ocsp_purpose(signercert); - if (rc < 0) - { - gnutls_assert (); - *verify = GNUTLS_OCSP_VERIFY_SIGNER_KEYUSAGE_ERROR; - rc = GNUTLS_E_SUCCESS; - goto done; - } - } - - rc = _ocsp_resp_verify_direct(resp, signercert, verify, flags); - - done: - if (signercert != issuer) - gnutls_x509_crt_deinit(signercert); - - return rc; + gnutls_x509_crt_t signercert; + int rc; + + if (resp == NULL || issuer == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + signercert = find_signercert(resp); + if (!signercert) { + signercert = issuer; + } else { /* response contains a signer. Verify him */ + + unsigned int vtmp; + + rc = gnutls_x509_crt_verify(signercert, &issuer, 1, 0, + &vtmp); + if (rc != GNUTLS_E_SUCCESS) { + gnutls_assert(); + goto done; + } + + if (vtmp != 0) { + *verify = vstatus_to_ocsp_status(vtmp); + gnutls_assert(); + rc = GNUTLS_E_SUCCESS; + goto done; + } + + rc = check_ocsp_purpose(signercert); + if (rc < 0) { + gnutls_assert(); + *verify = GNUTLS_OCSP_VERIFY_SIGNER_KEYUSAGE_ERROR; + rc = GNUTLS_E_SUCCESS; + goto done; + } + } + + rc = _ocsp_resp_verify_direct(resp, signercert, verify, flags); + + done: + if (signercert != issuer) + gnutls_x509_crt_deinit(signercert); + + return rc; } /** @@ -2209,85 +2077,80 @@ gnutls_ocsp_resp_verify_direct (gnutls_ocsp_resp_t resp, * negative error value. **/ int -gnutls_ocsp_resp_verify (gnutls_ocsp_resp_t resp, - gnutls_x509_trust_list_t trustlist, - unsigned int *verify, - unsigned int flags) +gnutls_ocsp_resp_verify(gnutls_ocsp_resp_t resp, + gnutls_x509_trust_list_t trustlist, + unsigned int *verify, unsigned int flags) { - gnutls_x509_crt_t signercert = NULL; - int rc; - - /* Algorithm: - 1. Find signer cert. - 1a. Search in OCSP response Certificate field for responderID. - 1b. Verify that signer cert is trusted. - 2a. It is in trustlist? - 2b. It has OCSP key usage and directly signed by a CA in trustlist? - 3. Verify signature of Basic Response using public key from signer cert. - */ - - signercert = find_signercert (resp); - if (!signercert) - { - /* XXX Search in trustlist for certificate matching - responderId as well? */ - gnutls_assert (); - *verify = GNUTLS_OCSP_VERIFY_SIGNER_NOT_FOUND; - rc = GNUTLS_E_SUCCESS; - goto done; - } - - /* Either the signer is directly trusted (i.e., in trustlist) or it - is directly signed by something in trustlist and has proper OCSP - extkeyusage. */ - rc = _gnutls_trustlist_inlist (trustlist, signercert); - if (rc == 0) - { - /* not in trustlist, need to verify signature and bits */ - gnutls_x509_crt_t issuer; - unsigned vtmp; - - gnutls_assert (); - - rc = gnutls_x509_trust_list_get_issuer (trustlist, signercert, - &issuer, 0); - if (rc != GNUTLS_E_SUCCESS) - { - gnutls_assert (); - *verify = GNUTLS_OCSP_VERIFY_UNTRUSTED_SIGNER; - rc = GNUTLS_E_SUCCESS; - goto done; - } - - rc = gnutls_x509_crt_verify (signercert, &issuer, 1, 0, &vtmp); - if (rc != GNUTLS_E_SUCCESS) - { - gnutls_assert (); - goto done; - } - - if (vtmp != 0) - { - *verify = vstatus_to_ocsp_status(vtmp); - gnutls_assert (); - rc = GNUTLS_E_SUCCESS; - goto done; - } - - rc = check_ocsp_purpose(signercert); - if (rc < 0) - { - gnutls_assert (); - *verify = GNUTLS_OCSP_VERIFY_SIGNER_KEYUSAGE_ERROR; - rc = GNUTLS_E_SUCCESS; - goto done; - } - } - - rc = _ocsp_resp_verify_direct (resp, signercert, verify, flags); - - done: - gnutls_x509_crt_deinit (signercert); - - return rc; + gnutls_x509_crt_t signercert = NULL; + int rc; + + /* Algorithm: + 1. Find signer cert. + 1a. Search in OCSP response Certificate field for responderID. + 1b. Verify that signer cert is trusted. + 2a. It is in trustlist? + 2b. It has OCSP key usage and directly signed by a CA in trustlist? + 3. Verify signature of Basic Response using public key from signer cert. + */ + + signercert = find_signercert(resp); + if (!signercert) { + /* XXX Search in trustlist for certificate matching + responderId as well? */ + gnutls_assert(); + *verify = GNUTLS_OCSP_VERIFY_SIGNER_NOT_FOUND; + rc = GNUTLS_E_SUCCESS; + goto done; + } + + /* Either the signer is directly trusted (i.e., in trustlist) or it + is directly signed by something in trustlist and has proper OCSP + extkeyusage. */ + rc = _gnutls_trustlist_inlist(trustlist, signercert); + if (rc == 0) { + /* not in trustlist, need to verify signature and bits */ + gnutls_x509_crt_t issuer; + unsigned vtmp; + + gnutls_assert(); + + rc = gnutls_x509_trust_list_get_issuer(trustlist, + signercert, &issuer, + 0); + if (rc != GNUTLS_E_SUCCESS) { + gnutls_assert(); + *verify = GNUTLS_OCSP_VERIFY_UNTRUSTED_SIGNER; + rc = GNUTLS_E_SUCCESS; + goto done; + } + + rc = gnutls_x509_crt_verify(signercert, &issuer, 1, 0, + &vtmp); + if (rc != GNUTLS_E_SUCCESS) { + gnutls_assert(); + goto done; + } + + if (vtmp != 0) { + *verify = vstatus_to_ocsp_status(vtmp); + gnutls_assert(); + rc = GNUTLS_E_SUCCESS; + goto done; + } + + rc = check_ocsp_purpose(signercert); + if (rc < 0) { + gnutls_assert(); + *verify = GNUTLS_OCSP_VERIFY_SIGNER_KEYUSAGE_ERROR; + rc = GNUTLS_E_SUCCESS; + goto done; + } + } + + rc = _ocsp_resp_verify_direct(resp, signercert, verify, flags); + + done: + gnutls_x509_crt_deinit(signercert); + + return rc; } diff --git a/lib/x509/ocsp_output.c b/lib/x509/ocsp_output.c index a2752dbe76..8a2e0e4797 100644 --- a/lib/x509/ocsp_output.c +++ b/lib/x509/ocsp_output.c @@ -38,118 +38,119 @@ #define addf _gnutls_buffer_append_printf #define adds _gnutls_buffer_append_str -static void -print_req (gnutls_buffer_st * str, gnutls_ocsp_req_t req) +static void print_req(gnutls_buffer_st * str, gnutls_ocsp_req_t req) { - int ret; - unsigned indx; - - /* Version. */ - { - int version = gnutls_ocsp_req_get_version (req); - if (version < 0) - addf (str, "error: get_version: %s\n", gnutls_strerror (version)); - else - addf (str, _("\tVersion: %d\n"), version); - } - - /* XXX requestorName */ - - /* requestList */ - addf (str, "\tRequest List:\n"); - for (indx = 0; ; indx++) - { - gnutls_digest_algorithm_t digest; - gnutls_datum_t in, ik, sn; - - ret = gnutls_ocsp_req_get_cert_id (req, indx, &digest, &in, &ik, &sn); - if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) - break; - addf (str, "\t\tCertificate ID:\n"); - if (ret != GNUTLS_E_SUCCESS) - { - addf (str, "error: get_cert_id: %s\n", - gnutls_strerror (ret)); - continue; - } - addf (str, "\t\t\tHash Algorithm: %s\n", - _gnutls_digest_get_name (mac_to_entry(digest))); - - adds (str, "\t\t\tIssuer Name Hash: "); - _gnutls_buffer_hexprint (str, in.data, in.size); - adds (str, "\n"); - - adds (str, "\t\t\tIssuer Key Hash: "); - _gnutls_buffer_hexprint (str, ik.data, ik.size); - adds (str, "\n"); - - adds (str, "\t\t\tSerial Number: "); - _gnutls_buffer_hexprint (str, sn.data, sn.size); - adds (str, "\n"); - - gnutls_free (in.data); - gnutls_free (ik.data); - gnutls_free (sn.data); - - /* XXX singleRequestExtensions */ - } - - for (indx = 0; ; indx++) - { - gnutls_datum_t oid; - unsigned int critical; - gnutls_datum_t data; - - ret = gnutls_ocsp_req_get_extension (req, indx, &oid, &critical, &data); - if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) - break; - else if (ret != GNUTLS_E_SUCCESS) - { - addf (str, "error: get_extension: %s\n", - gnutls_strerror (ret)); - continue; - } - if (indx == 0) - adds (str, "\tExtensions:\n"); + int ret; + unsigned indx; - if (memcmp (oid.data, GNUTLS_OCSP_NONCE, oid.size) == 0) + /* Version. */ { - gnutls_datum_t nonce; - unsigned int critical; - - ret = gnutls_ocsp_req_get_nonce (req, &critical, &nonce); - if (ret != GNUTLS_E_SUCCESS) - { - addf (str, "error: get_nonce: %s\n", - gnutls_strerror (ret)); - } - else - { - addf (str, "\t\tNonce%s: ", critical ? " (critical)" : ""); - _gnutls_buffer_hexprint (str, nonce.data, nonce.size); - adds (str, "\n"); - gnutls_free (nonce.data); - } + int version = gnutls_ocsp_req_get_version(req); + if (version < 0) + addf(str, "error: get_version: %s\n", + gnutls_strerror(version)); + else + addf(str, _("\tVersion: %d\n"), version); } - else - { - addf (str, "\t\tUnknown extension %s (%s):\n", oid.data, - critical ? "critical" : "not critical"); - - adds (str, _("\t\t\tASCII: ")); - _gnutls_buffer_asciiprint (str, (char*)data.data, data.size); - addf (str, "\n"); - adds (str, _("\t\t\tHexdump: ")); - _gnutls_buffer_hexprint (str, (char*)data.data, data.size); - adds (str, "\n"); + /* XXX requestorName */ + + /* requestList */ + addf(str, "\tRequest List:\n"); + for (indx = 0;; indx++) { + gnutls_digest_algorithm_t digest; + gnutls_datum_t in, ik, sn; + + ret = + gnutls_ocsp_req_get_cert_id(req, indx, &digest, &in, + &ik, &sn); + if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) + break; + addf(str, "\t\tCertificate ID:\n"); + if (ret != GNUTLS_E_SUCCESS) { + addf(str, "error: get_cert_id: %s\n", + gnutls_strerror(ret)); + continue; + } + addf(str, "\t\t\tHash Algorithm: %s\n", + _gnutls_digest_get_name(mac_to_entry(digest))); + + adds(str, "\t\t\tIssuer Name Hash: "); + _gnutls_buffer_hexprint(str, in.data, in.size); + adds(str, "\n"); + + adds(str, "\t\t\tIssuer Key Hash: "); + _gnutls_buffer_hexprint(str, ik.data, ik.size); + adds(str, "\n"); + + adds(str, "\t\t\tSerial Number: "); + _gnutls_buffer_hexprint(str, sn.data, sn.size); + adds(str, "\n"); + + gnutls_free(in.data); + gnutls_free(ik.data); + gnutls_free(sn.data); + + /* XXX singleRequestExtensions */ } - gnutls_free (oid.data); - gnutls_free (data.data); - } + for (indx = 0;; indx++) { + gnutls_datum_t oid; + unsigned int critical; + gnutls_datum_t data; + + ret = + gnutls_ocsp_req_get_extension(req, indx, &oid, + &critical, &data); + if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) + break; + else if (ret != GNUTLS_E_SUCCESS) { + addf(str, "error: get_extension: %s\n", + gnutls_strerror(ret)); + continue; + } + if (indx == 0) + adds(str, "\tExtensions:\n"); + + if (memcmp(oid.data, GNUTLS_OCSP_NONCE, oid.size) == 0) { + gnutls_datum_t nonce; + unsigned int critical; + + ret = + gnutls_ocsp_req_get_nonce(req, &critical, + &nonce); + if (ret != GNUTLS_E_SUCCESS) { + addf(str, "error: get_nonce: %s\n", + gnutls_strerror(ret)); + } else { + addf(str, "\t\tNonce%s: ", + critical ? " (critical)" : ""); + _gnutls_buffer_hexprint(str, nonce.data, + nonce.size); + adds(str, "\n"); + gnutls_free(nonce.data); + } + } else { + addf(str, "\t\tUnknown extension %s (%s):\n", + oid.data, + critical ? "critical" : "not critical"); + + adds(str, _("\t\t\tASCII: ")); + _gnutls_buffer_asciiprint(str, (char *) data.data, + data.size); + addf(str, "\n"); + + adds(str, _("\t\t\tHexdump: ")); + _gnutls_buffer_hexprint(str, (char *) data.data, + data.size); + adds(str, "\n"); + } + + gnutls_free(oid.data); + gnutls_free(data.data); + } - /* XXX Signature */ + /* XXX Signature */ } /** @@ -170,423 +171,444 @@ print_req (gnutls_buffer_st * str, gnutls_ocsp_req_t req) * negative error value. **/ int -gnutls_ocsp_req_print (gnutls_ocsp_req_t req, - gnutls_ocsp_print_formats_t format, - gnutls_datum_t * out) +gnutls_ocsp_req_print(gnutls_ocsp_req_t req, + gnutls_ocsp_print_formats_t format, + gnutls_datum_t * out) { - gnutls_buffer_st str; - int rc; + gnutls_buffer_st str; + int rc; - if (format != GNUTLS_OCSP_PRINT_FULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } + if (format != GNUTLS_OCSP_PRINT_FULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - _gnutls_buffer_init (&str); + _gnutls_buffer_init(&str); - _gnutls_buffer_append_str (&str, _("OCSP Request Information:\n")); + _gnutls_buffer_append_str(&str, _("OCSP Request Information:\n")); - print_req (&str, req); + print_req(&str, req); - _gnutls_buffer_append_data (&str, "\0", 1); + _gnutls_buffer_append_data(&str, "\0", 1); - rc = _gnutls_buffer_to_datum (&str, out); - if (rc != GNUTLS_E_SUCCESS) - { - gnutls_assert (); - return rc; - } + rc = _gnutls_buffer_to_datum(&str, out); + if (rc != GNUTLS_E_SUCCESS) { + gnutls_assert(); + return rc; + } - return GNUTLS_E_SUCCESS; + return GNUTLS_E_SUCCESS; } static void -print_resp (gnutls_buffer_st * str, gnutls_ocsp_resp_t resp, - gnutls_ocsp_print_formats_t format) +print_resp(gnutls_buffer_st * str, gnutls_ocsp_resp_t resp, + gnutls_ocsp_print_formats_t format) { - int ret; - unsigned indx; - - ret = gnutls_ocsp_resp_get_status (resp); - if (ret < 0) - { - addf (str, "error: ocsp_resp_get_status: %s\n", - gnutls_strerror (ret)); - return; - } - - adds (str, "\tResponse Status: "); - switch (ret) - { - case GNUTLS_OCSP_RESP_SUCCESSFUL: - adds (str, "Successful\n"); - break; - - case GNUTLS_OCSP_RESP_MALFORMEDREQUEST: - adds (str, "malformedRequest\n"); - return; - - case GNUTLS_OCSP_RESP_INTERNALERROR: - adds (str, "internalError\n"); - return; - - case GNUTLS_OCSP_RESP_TRYLATER: - adds (str, "tryLater\n"); - return; - - case GNUTLS_OCSP_RESP_SIGREQUIRED: - adds (str, "sigRequired\n"); - return; - - case GNUTLS_OCSP_RESP_UNAUTHORIZED: - adds (str, "unauthorized\n"); - return; - - default: - adds (str, "unknown\n"); - return; - } - - { - gnutls_datum_t oid; - - ret = gnutls_ocsp_resp_get_response (resp, &oid, NULL); - if (ret < 0) - { - addf (str, "error: get_response: %s\n", gnutls_strerror (ret)); - return; - } - - adds (str, "\tResponse Type: "); -#define OCSP_BASIC "1.3.6.1.5.5.7.48.1.1" - - if (oid.size == sizeof (OCSP_BASIC) - && memcmp (oid.data, OCSP_BASIC, oid.size) == 0) - { - adds (str, "Basic OCSP Response\n"); - gnutls_free (oid.data); - } - else - { - addf (str, "Unknown response type (%.*s)\n", oid.size, oid.data); - gnutls_free (oid.data); - return; - } - } - - /* Version. */ - { - int version = gnutls_ocsp_resp_get_version (resp); - if (version < 0) - addf (str, "error: get_version: %s\n", gnutls_strerror (version)); - else - addf (str, _("\tVersion: %d\n"), version); - } - - /* responderID */ - { - gnutls_datum_t dn; - - /* XXX byKey */ - - ret = gnutls_ocsp_resp_get_responder (resp, &dn); - if (ret < 0) - addf (str, "error: get_dn: %s\n", gnutls_strerror (ret)); - else - { - addf (str, _("\tResponder ID: %.*s\n"), dn.size, dn.data); - gnutls_free (dn.data); - } - } - - { - char s[42]; - size_t max = sizeof (s); - struct tm t; - time_t tim = gnutls_ocsp_resp_get_produced (resp); - - if (tim == (time_t) -1) - addf (str, "error: ocsp_resp_get_produced\n"); - else if (gmtime_r (&tim, &t) == NULL) - addf (str, "error: gmtime_r (%ld)\n", (unsigned long) tim); - else if (strftime (s, max, "%a %b %d %H:%M:%S UTC %Y", &t) == 0) - addf (str, "error: strftime (%ld)\n", (unsigned long) tim); - else - addf (str, _("\tProduced At: %s\n"), s); - } - - addf (str, "\tResponses:\n"); - for (indx = 0; ; indx++) - { - gnutls_digest_algorithm_t digest; - gnutls_datum_t in, ik, sn; - unsigned int cert_status; - time_t this_update; - time_t next_update; - time_t revocation_time; - unsigned int revocation_reason; - - ret = gnutls_ocsp_resp_get_single (resp, - indx, - &digest, &in, &ik, &sn, - &cert_status, - &this_update, - &next_update, - &revocation_time, - &revocation_reason); - if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) - break; - addf (str, "\t\tCertificate ID:\n"); - if (ret != GNUTLS_E_SUCCESS) - { - addf (str, "error: get_singleresponse: %s\n", - gnutls_strerror (ret)); - continue; + int ret; + unsigned indx; + + ret = gnutls_ocsp_resp_get_status(resp); + if (ret < 0) { + addf(str, "error: ocsp_resp_get_status: %s\n", + gnutls_strerror(ret)); + return; } - addf (str, "\t\t\tHash Algorithm: %s\n", - _gnutls_digest_get_name (mac_to_entry(digest))); - adds (str, "\t\t\tIssuer Name Hash: "); - _gnutls_buffer_hexprint (str, in.data, in.size); - adds (str, "\n"); + adds(str, "\tResponse Status: "); + switch (ret) { + case GNUTLS_OCSP_RESP_SUCCESSFUL: + adds(str, "Successful\n"); + break; - adds (str, "\t\t\tIssuer Key Hash: "); - _gnutls_buffer_hexprint (str, ik.data, ik.size); - adds (str, "\n"); + case GNUTLS_OCSP_RESP_MALFORMEDREQUEST: + adds(str, "malformedRequest\n"); + return; - adds (str, "\t\t\tSerial Number: "); - _gnutls_buffer_hexprint (str, sn.data, sn.size); - adds (str, "\n"); + case GNUTLS_OCSP_RESP_INTERNALERROR: + adds(str, "internalError\n"); + return; - gnutls_free (in.data); - gnutls_free (ik.data); - gnutls_free (sn.data); + case GNUTLS_OCSP_RESP_TRYLATER: + adds(str, "tryLater\n"); + return; - { - const char *p = NULL; + case GNUTLS_OCSP_RESP_SIGREQUIRED: + adds(str, "sigRequired\n"); + return; - switch (cert_status) - { - case GNUTLS_OCSP_CERT_GOOD: - p = "good"; - break; + case GNUTLS_OCSP_RESP_UNAUTHORIZED: + adds(str, "unauthorized\n"); + return; - case GNUTLS_OCSP_CERT_REVOKED: - p = "revoked"; - break; + default: + adds(str, "unknown\n"); + return; + } - case GNUTLS_OCSP_CERT_UNKNOWN: - p = "unknown"; - break; + { + gnutls_datum_t oid; - default: - addf (str, "\t\tCertificate Status: unexpected value %d\n", - cert_status); - break; - } + ret = gnutls_ocsp_resp_get_response(resp, &oid, NULL); + if (ret < 0) { + addf(str, "error: get_response: %s\n", + gnutls_strerror(ret)); + return; + } - if (p) - addf (str, "\t\tCertificate Status: %s\n", p); - } + adds(str, "\tResponse Type: "); +#define OCSP_BASIC "1.3.6.1.5.5.7.48.1.1" - /* XXX revocation reason */ + if (oid.size == sizeof(OCSP_BASIC) + && memcmp(oid.data, OCSP_BASIC, oid.size) == 0) { + adds(str, "Basic OCSP Response\n"); + gnutls_free(oid.data); + } else { + addf(str, "Unknown response type (%.*s)\n", + oid.size, oid.data); + gnutls_free(oid.data); + return; + } + } - if (cert_status == GNUTLS_OCSP_CERT_REVOKED) - { - char s[42]; - size_t max = sizeof (s); - struct tm t; - - if (revocation_time == (time_t) -1) - addf (str, "error: revocation_time\n"); - else if (gmtime_r (&revocation_time, &t) == NULL) - addf (str, "error: gmtime_r (%ld)\n", - (unsigned long) revocation_time); - else if (strftime (s, max, "%a %b %d %H:%M:%S UTC %Y", &t) == 0) - addf (str, "error: strftime (%ld)\n", - (unsigned long) revocation_time); - else - addf (str, _("\t\tRevocation time: %s\n"), s); - } - - { - char s[42]; - size_t max = sizeof (s); - struct tm t; - - if (this_update == (time_t) -1) - addf (str, "error: this_update\n"); - else if (gmtime_r (&this_update, &t) == NULL) - addf (str, "error: gmtime_r (%ld)\n", (unsigned long) this_update); - else if (strftime (s, max, "%a %b %d %H:%M:%S UTC %Y", &t) == 0) - addf (str, "error: strftime (%ld)\n", (unsigned long) this_update); - else - addf (str, _("\t\tThis Update: %s\n"), s); - } - - { - char s[42]; - size_t max = sizeof (s); - struct tm t; - - if (next_update == (time_t) -1) - addf (str, "error: next_update\n"); - else if (gmtime_r (&next_update, &t) == NULL) - addf (str, "error: gmtime_r (%ld)\n", (unsigned long) next_update); - else if (strftime (s, max, "%a %b %d %H:%M:%S UTC %Y", &t) == 0) - addf (str, "error: strftime (%ld)\n", (unsigned long) next_update); - else - addf (str, _("\t\tNext Update: %s\n"), s); - } - - /* XXX singleRequestExtensions */ - } - - adds (str, "\tExtensions:\n"); - for (indx = 0; ; indx++) - { - gnutls_datum_t oid; - unsigned int critical; - gnutls_datum_t data; - - ret = gnutls_ocsp_resp_get_extension (resp, indx, &oid, &critical, &data); - if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) - break; - else if (ret != GNUTLS_E_SUCCESS) + /* Version. */ { - addf (str, "error: get_extension: %s\n", - gnutls_strerror (ret)); - continue; + int version = gnutls_ocsp_resp_get_version(resp); + if (version < 0) + addf(str, "error: get_version: %s\n", + gnutls_strerror(version)); + else + addf(str, _("\tVersion: %d\n"), version); } - if (memcmp (oid.data, GNUTLS_OCSP_NONCE, oid.size) == 0) + /* responderID */ { - gnutls_datum_t nonce; - unsigned int critical; - - ret = gnutls_ocsp_resp_get_nonce (resp, &critical, &nonce); - if (ret != GNUTLS_E_SUCCESS) - { - addf (str, "error: get_nonce: %s\n", - gnutls_strerror (ret)); - } - else - { - addf (str, "\t\tNonce%s: ", critical ? " (critical)" : ""); - _gnutls_buffer_hexprint (str, nonce.data, nonce.size); - adds (str, "\n"); - gnutls_free (nonce.data); - } + gnutls_datum_t dn; + + /* XXX byKey */ + + ret = gnutls_ocsp_resp_get_responder(resp, &dn); + if (ret < 0) + addf(str, "error: get_dn: %s\n", + gnutls_strerror(ret)); + else { + addf(str, _("\tResponder ID: %.*s\n"), dn.size, + dn.data); + gnutls_free(dn.data); + } } - else + { - addf (str, "\t\tUnknown extension %s (%s):\n", oid.data, - critical ? "critical" : "not critical"); + char s[42]; + size_t max = sizeof(s); + struct tm t; + time_t tim = gnutls_ocsp_resp_get_produced(resp); + + if (tim == (time_t) - 1) + addf(str, "error: ocsp_resp_get_produced\n"); + else if (gmtime_r(&tim, &t) == NULL) + addf(str, "error: gmtime_r (%ld)\n", + (unsigned long) tim); + else if (strftime(s, max, "%a %b %d %H:%M:%S UTC %Y", &t) + == 0) + addf(str, "error: strftime (%ld)\n", + (unsigned long) tim); + else + addf(str, _("\tProduced At: %s\n"), s); + } - adds (str, _("\t\t\tASCII: ")); - _gnutls_buffer_asciiprint (str, (char*)data.data, data.size); - addf (str, "\n"); + addf(str, "\tResponses:\n"); + for (indx = 0;; indx++) { + gnutls_digest_algorithm_t digest; + gnutls_datum_t in, ik, sn; + unsigned int cert_status; + time_t this_update; + time_t next_update; + time_t revocation_time; + unsigned int revocation_reason; + + ret = gnutls_ocsp_resp_get_single(resp, + indx, + &digest, &in, &ik, &sn, + &cert_status, + &this_update, + &next_update, + &revocation_time, + &revocation_reason); + if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) + break; + addf(str, "\t\tCertificate ID:\n"); + if (ret != GNUTLS_E_SUCCESS) { + addf(str, "error: get_singleresponse: %s\n", + gnutls_strerror(ret)); + continue; + } + addf(str, "\t\t\tHash Algorithm: %s\n", + _gnutls_digest_get_name(mac_to_entry(digest))); + + adds(str, "\t\t\tIssuer Name Hash: "); + _gnutls_buffer_hexprint(str, in.data, in.size); + adds(str, "\n"); + + adds(str, "\t\t\tIssuer Key Hash: "); + _gnutls_buffer_hexprint(str, ik.data, ik.size); + adds(str, "\n"); + + adds(str, "\t\t\tSerial Number: "); + _gnutls_buffer_hexprint(str, sn.data, sn.size); + adds(str, "\n"); + + gnutls_free(in.data); + gnutls_free(ik.data); + gnutls_free(sn.data); + + { + const char *p = NULL; + + switch (cert_status) { + case GNUTLS_OCSP_CERT_GOOD: + p = "good"; + break; + + case GNUTLS_OCSP_CERT_REVOKED: + p = "revoked"; + break; + + case GNUTLS_OCSP_CERT_UNKNOWN: + p = "unknown"; + break; + + default: + addf(str, + "\t\tCertificate Status: unexpected value %d\n", + cert_status); + break; + } + + if (p) + addf(str, "\t\tCertificate Status: %s\n", + p); + } + + /* XXX revocation reason */ + + if (cert_status == GNUTLS_OCSP_CERT_REVOKED) { + char s[42]; + size_t max = sizeof(s); + struct tm t; + + if (revocation_time == (time_t) - 1) + addf(str, "error: revocation_time\n"); + else if (gmtime_r(&revocation_time, &t) == NULL) + addf(str, "error: gmtime_r (%ld)\n", + (unsigned long) revocation_time); + else if (strftime + (s, max, "%a %b %d %H:%M:%S UTC %Y", + &t) == 0) + addf(str, "error: strftime (%ld)\n", + (unsigned long) revocation_time); + else + addf(str, _("\t\tRevocation time: %s\n"), + s); + } + + { + char s[42]; + size_t max = sizeof(s); + struct tm t; + + if (this_update == (time_t) - 1) + addf(str, "error: this_update\n"); + else if (gmtime_r(&this_update, &t) == NULL) + addf(str, "error: gmtime_r (%ld)\n", + (unsigned long) this_update); + else if (strftime + (s, max, "%a %b %d %H:%M:%S UTC %Y", + &t) == 0) + addf(str, "error: strftime (%ld)\n", + (unsigned long) this_update); + else + addf(str, _("\t\tThis Update: %s\n"), s); + } + + { + char s[42]; + size_t max = sizeof(s); + struct tm t; + + if (next_update == (time_t) - 1) + addf(str, "error: next_update\n"); + else if (gmtime_r(&next_update, &t) == NULL) + addf(str, "error: gmtime_r (%ld)\n", + (unsigned long) next_update); + else if (strftime + (s, max, "%a %b %d %H:%M:%S UTC %Y", + &t) == 0) + addf(str, "error: strftime (%ld)\n", + (unsigned long) next_update); + else + addf(str, _("\t\tNext Update: %s\n"), s); + } + + /* XXX singleRequestExtensions */ + } - adds (str, _("\t\t\tHexdump: ")); - _gnutls_buffer_hexprint (str, (char*)data.data, data.size); - adds (str, "\n"); + adds(str, "\tExtensions:\n"); + for (indx = 0;; indx++) { + gnutls_datum_t oid; + unsigned int critical; + gnutls_datum_t data; + + ret = + gnutls_ocsp_resp_get_extension(resp, indx, &oid, + &critical, &data); + if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) + break; + else if (ret != GNUTLS_E_SUCCESS) { + addf(str, "error: get_extension: %s\n", + gnutls_strerror(ret)); + continue; + } + + if (memcmp(oid.data, GNUTLS_OCSP_NONCE, oid.size) == 0) { + gnutls_datum_t nonce; + unsigned int critical; + + ret = + gnutls_ocsp_resp_get_nonce(resp, &critical, + &nonce); + if (ret != GNUTLS_E_SUCCESS) { + addf(str, "error: get_nonce: %s\n", + gnutls_strerror(ret)); + } else { + addf(str, "\t\tNonce%s: ", + critical ? " (critical)" : ""); + _gnutls_buffer_hexprint(str, nonce.data, + nonce.size); + adds(str, "\n"); + gnutls_free(nonce.data); + } + } else { + addf(str, "\t\tUnknown extension %s (%s):\n", + oid.data, + critical ? "critical" : "not critical"); + + adds(str, _("\t\t\tASCII: ")); + _gnutls_buffer_asciiprint(str, (char *) data.data, + data.size); + addf(str, "\n"); + + adds(str, _("\t\t\tHexdump: ")); + _gnutls_buffer_hexprint(str, (char *) data.data, + data.size); + adds(str, "\n"); + } + + gnutls_free(oid.data); + gnutls_free(data.data); } - gnutls_free (oid.data); - gnutls_free (data.data); - } - - /* Signature. */ - if (format == GNUTLS_OCSP_PRINT_FULL) - { - gnutls_datum_t sig; - - ret = gnutls_ocsp_resp_get_signature_algorithm (resp); - if (ret < 0) - addf (str, "error: get_signature_algorithm: %s\n", - gnutls_strerror (ret)); - else - { - const char *name = gnutls_sign_algorithm_get_name (ret); - if (name == NULL) - name = _("unknown"); - addf (str, _("\tSignature Algorithm: %s\n"), name); - } - if (gnutls_sign_is_secure(ret) == 0) - { - adds (str, _("warning: signed using a broken signature " - "algorithm that can be forged.\n")); - } - - ret = gnutls_ocsp_resp_get_signature (resp, &sig); - if (ret < 0) - addf (str, "error: get_signature: %s\n", gnutls_strerror (ret)); - else - { - adds (str, _("\tSignature:\n")); - _gnutls_buffer_hexdump (str, sig.data, sig.size, "\t\t"); - - gnutls_free (sig.data); - } - } - - /* certs */ - if (format == GNUTLS_OCSP_PRINT_FULL) - { - gnutls_x509_crt_t *certs; - size_t ncerts, i; - gnutls_datum_t out; - - ret = gnutls_ocsp_resp_get_certs (resp, &certs, &ncerts); - if (ret < 0) - addf (str, "error: get_certs: %s\n", gnutls_strerror (ret)); - else - { - for (i = 0; i < ncerts; i++) - { - size_t s = 0; - - ret = gnutls_x509_crt_print (certs[i], GNUTLS_CRT_PRINT_FULL, - &out); - if (ret < 0) - addf (str, "error: crt_print: %s\n", gnutls_strerror (ret)); - else - { - addf (str, "%.*s", out.size, out.data); - gnutls_free (out.data); - } - - ret = gnutls_x509_crt_export (certs[i], GNUTLS_X509_FMT_PEM, - NULL, &s); - if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER) - addf (str, "error: crt_export: %s\n", gnutls_strerror (ret)); - else - { - out.data = gnutls_malloc (s); - if (out.data == NULL) - addf (str, "error: malloc: %s\n", - gnutls_strerror (GNUTLS_E_MEMORY_ERROR)); - else - { - ret = gnutls_x509_crt_export (certs[i], GNUTLS_X509_FMT_PEM, - out.data, &s); - if (ret < 0) - addf (str, "error: crt_export: %s\n", gnutls_strerror (ret)); - else - { - out.size = s; - addf (str, "%.*s", out.size, out.data); - } - gnutls_free (out.data); - } - } - - gnutls_x509_crt_deinit (certs[i]); - } - gnutls_free (certs); - } - } + /* Signature. */ + if (format == GNUTLS_OCSP_PRINT_FULL) { + gnutls_datum_t sig; + + ret = gnutls_ocsp_resp_get_signature_algorithm(resp); + if (ret < 0) + addf(str, "error: get_signature_algorithm: %s\n", + gnutls_strerror(ret)); + else { + const char *name = + gnutls_sign_algorithm_get_name(ret); + if (name == NULL) + name = _("unknown"); + addf(str, _("\tSignature Algorithm: %s\n"), name); + } + if (gnutls_sign_is_secure(ret) == 0) { + adds(str, + _("warning: signed using a broken signature " + "algorithm that can be forged.\n")); + } + + ret = gnutls_ocsp_resp_get_signature(resp, &sig); + if (ret < 0) + addf(str, "error: get_signature: %s\n", + gnutls_strerror(ret)); + else { + adds(str, _("\tSignature:\n")); + _gnutls_buffer_hexdump(str, sig.data, sig.size, + "\t\t"); + + gnutls_free(sig.data); + } + } + + /* certs */ + if (format == GNUTLS_OCSP_PRINT_FULL) { + gnutls_x509_crt_t *certs; + size_t ncerts, i; + gnutls_datum_t out; + + ret = gnutls_ocsp_resp_get_certs(resp, &certs, &ncerts); + if (ret < 0) + addf(str, "error: get_certs: %s\n", + gnutls_strerror(ret)); + else { + for (i = 0; i < ncerts; i++) { + size_t s = 0; + + ret = + gnutls_x509_crt_print(certs[i], + GNUTLS_CRT_PRINT_FULL, + &out); + if (ret < 0) + addf(str, "error: crt_print: %s\n", + gnutls_strerror(ret)); + else { + addf(str, "%.*s", out.size, + out.data); + gnutls_free(out.data); + } + + ret = + gnutls_x509_crt_export(certs[i], + GNUTLS_X509_FMT_PEM, + NULL, &s); + if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER) + addf(str, + "error: crt_export: %s\n", + gnutls_strerror(ret)); + else { + out.data = gnutls_malloc(s); + if (out.data == NULL) + addf(str, + "error: malloc: %s\n", + gnutls_strerror + (GNUTLS_E_MEMORY_ERROR)); + else { + ret = + gnutls_x509_crt_export + (certs[i], + GNUTLS_X509_FMT_PEM, + out.data, &s); + if (ret < 0) + addf(str, + "error: crt_export: %s\n", + gnutls_strerror + (ret)); + else { + out.size = s; + addf(str, "%.*s", + out.size, + out.data); + } + gnutls_free(out.data); + } + } + + gnutls_x509_crt_deinit(certs[i]); + } + gnutls_free(certs); + } + } } /** @@ -607,27 +629,26 @@ print_resp (gnutls_buffer_st * str, gnutls_ocsp_resp_t resp, * negative error value. **/ int -gnutls_ocsp_resp_print (gnutls_ocsp_resp_t resp, - gnutls_ocsp_print_formats_t format, - gnutls_datum_t * out) +gnutls_ocsp_resp_print(gnutls_ocsp_resp_t resp, + gnutls_ocsp_print_formats_t format, + gnutls_datum_t * out) { - gnutls_buffer_st str; - int rc; + gnutls_buffer_st str; + int rc; - _gnutls_buffer_init (&str); + _gnutls_buffer_init(&str); - _gnutls_buffer_append_str (&str, _("OCSP Response Information:\n")); + _gnutls_buffer_append_str(&str, _("OCSP Response Information:\n")); - print_resp (&str, resp, format); + print_resp(&str, resp, format); - _gnutls_buffer_append_data (&str, "\0", 1); + _gnutls_buffer_append_data(&str, "\0", 1); - rc = _gnutls_buffer_to_datum (&str, out); - if (rc != GNUTLS_E_SUCCESS) - { - gnutls_assert (); - return rc; - } + rc = _gnutls_buffer_to_datum(&str, out); + if (rc != GNUTLS_E_SUCCESS) { + gnutls_assert(); + return rc; + } - return GNUTLS_E_SUCCESS; + return GNUTLS_E_SUCCESS; } diff --git a/lib/x509/output.c b/lib/x509/output.c index 22cf6b02c1..048a307800 100644 --- a/lib/x509/output.c +++ b/lib/x509/output.c @@ -36,225 +36,222 @@ #define ERROR_STR (char*) "(error)" -static char * -ip_to_string (void *_ip, int ip_size, char *string, int string_size) +static char *ip_to_string(void *_ip, int ip_size, char *string, + int string_size) { - uint8_t *ip; - - if (ip_size != 4 && ip_size != 16) - { - gnutls_assert (); - return NULL; - } - - if (ip_size == 4 && string_size < 16) - { - gnutls_assert (); - return NULL; - } - - if (ip_size == 16 && string_size < 48) - { - gnutls_assert (); - return NULL; - } - - ip = _ip; - switch (ip_size) - { - case 4: - snprintf (string, string_size, "%u.%u.%u.%u", ip[0], ip[1], ip[2], - ip[3]); - break; - case 16: - snprintf (string, string_size, "%x:%x:%x:%x:%x:%x:%x:%x", - (ip[0] << 8) | ip[1], (ip[2] << 8) | ip[3], - (ip[4] << 8) | ip[5], (ip[6] << 8) | ip[7], - (ip[8] << 8) | ip[9], (ip[10] << 8) | ip[11], - (ip[12] << 8) | ip[13], (ip[14] << 8) | ip[15]); - break; - } - - return string; + uint8_t *ip; + + if (ip_size != 4 && ip_size != 16) { + gnutls_assert(); + return NULL; + } + + if (ip_size == 4 && string_size < 16) { + gnutls_assert(); + return NULL; + } + + if (ip_size == 16 && string_size < 48) { + gnutls_assert(); + return NULL; + } + + ip = _ip; + switch (ip_size) { + case 4: + snprintf(string, string_size, "%u.%u.%u.%u", ip[0], ip[1], + ip[2], ip[3]); + break; + case 16: + snprintf(string, string_size, "%x:%x:%x:%x:%x:%x:%x:%x", + (ip[0] << 8) | ip[1], (ip[2] << 8) | ip[3], + (ip[4] << 8) | ip[5], (ip[6] << 8) | ip[7], + (ip[8] << 8) | ip[9], (ip[10] << 8) | ip[11], + (ip[12] << 8) | ip[13], (ip[14] << 8) | ip[15]); + break; + } + + return string; } static void -add_altname (gnutls_buffer_st * str, const char *prefix, - unsigned int alt_type, char *name, size_t name_size) +add_altname(gnutls_buffer_st * str, const char *prefix, + unsigned int alt_type, char *name, size_t name_size) { - char str_ip[64]; - char *p; - - if ((alt_type == GNUTLS_SAN_DNSNAME - || alt_type == GNUTLS_SAN_RFC822NAME - || alt_type == GNUTLS_SAN_URI) && strlen (name) != name_size) - { - adds (str, _("warning: altname contains an embedded NUL, " - "replacing with '!'\n")); - while (strlen (name) < name_size) - name[strlen (name)] = '!'; - } - - switch (alt_type) - { - case GNUTLS_SAN_DNSNAME: - addf (str, "%s\t\t\tDNSname: %.*s\n", prefix, (int) name_size, name); - break; - - case GNUTLS_SAN_RFC822NAME: - addf (str, "%s\t\t\tRFC822name: %.*s\n", prefix, (int) name_size, name); - break; - - case GNUTLS_SAN_URI: - addf (str, "%s\t\t\tURI: %.*s\n", prefix, (int) name_size, name); - break; - - case GNUTLS_SAN_IPADDRESS: - p = ip_to_string (name, name_size, str_ip, sizeof (str_ip)); - if (p == NULL) - p = ERROR_STR; - addf (str, "%s\t\t\tIPAddress: %s\n", prefix, p); - break; - - case GNUTLS_SAN_DN: - addf (str, "%s\t\t\tdirectoryName: %.*s\n", prefix, - (int) name_size, name); - break; - default: - addf (str, "error: unknown altname\n"); - break; - } + char str_ip[64]; + char *p; + + if ((alt_type == GNUTLS_SAN_DNSNAME + || alt_type == GNUTLS_SAN_RFC822NAME + || alt_type == GNUTLS_SAN_URI) && strlen(name) != name_size) { + adds(str, _("warning: altname contains an embedded NUL, " + "replacing with '!'\n")); + while (strlen(name) < name_size) + name[strlen(name)] = '!'; + } + + switch (alt_type) { + case GNUTLS_SAN_DNSNAME: + addf(str, "%s\t\t\tDNSname: %.*s\n", prefix, + (int) name_size, name); + break; + + case GNUTLS_SAN_RFC822NAME: + addf(str, "%s\t\t\tRFC822name: %.*s\n", prefix, + (int) name_size, name); + break; + + case GNUTLS_SAN_URI: + addf(str, "%s\t\t\tURI: %.*s\n", prefix, (int) name_size, + name); + break; + + case GNUTLS_SAN_IPADDRESS: + p = ip_to_string(name, name_size, str_ip, sizeof(str_ip)); + if (p == NULL) + p = ERROR_STR; + addf(str, "%s\t\t\tIPAddress: %s\n", prefix, p); + break; + + case GNUTLS_SAN_DN: + addf(str, "%s\t\t\tdirectoryName: %.*s\n", prefix, + (int) name_size, name); + break; + default: + addf(str, "error: unknown altname\n"); + break; + } } -static void -print_proxy (gnutls_buffer_st * str, gnutls_x509_crt_t cert) +static void print_proxy(gnutls_buffer_st * str, gnutls_x509_crt_t cert) { - int pathlen; - char *policyLanguage; - char *policy; - size_t npolicy; - int err; - - err = gnutls_x509_crt_get_proxy (cert, NULL, - &pathlen, &policyLanguage, - &policy, &npolicy); - if (err < 0) - { - addf (str, "error: get_proxy: %s\n", gnutls_strerror (err)); - return; - } - - if (pathlen >= 0) - addf (str, _("\t\t\tPath Length Constraint: %d\n"), pathlen); - addf (str, _("\t\t\tPolicy Language: %s"), policyLanguage); - if (strcmp (policyLanguage, "1.3.6.1.5.5.7.21.1") == 0) - adds (str, " (id-ppl-inheritALL)\n"); - else if (strcmp (policyLanguage, "1.3.6.1.5.5.7.21.2") == 0) - adds (str, " (id-ppl-independent)\n"); - else - adds (str, "\n"); - if (npolicy) - { - adds (str, _("\t\t\tPolicy:\n\t\t\t\tASCII: ")); - _gnutls_buffer_asciiprint (str, policy, npolicy); - adds (str, _("\n\t\t\t\tHexdump: ")); - _gnutls_buffer_hexprint (str, policy, npolicy); - adds (str, "\n"); - } + int pathlen; + char *policyLanguage; + char *policy; + size_t npolicy; + int err; + + err = gnutls_x509_crt_get_proxy(cert, NULL, + &pathlen, &policyLanguage, + &policy, &npolicy); + if (err < 0) { + addf(str, "error: get_proxy: %s\n", gnutls_strerror(err)); + return; + } + + if (pathlen >= 0) + addf(str, _("\t\t\tPath Length Constraint: %d\n"), + pathlen); + addf(str, _("\t\t\tPolicy Language: %s"), policyLanguage); + if (strcmp(policyLanguage, "1.3.6.1.5.5.7.21.1") == 0) + adds(str, " (id-ppl-inheritALL)\n"); + else if (strcmp(policyLanguage, "1.3.6.1.5.5.7.21.2") == 0) + adds(str, " (id-ppl-independent)\n"); + else + adds(str, "\n"); + if (npolicy) { + adds(str, _("\t\t\tPolicy:\n\t\t\t\tASCII: ")); + _gnutls_buffer_asciiprint(str, policy, npolicy); + adds(str, _("\n\t\t\t\tHexdump: ")); + _gnutls_buffer_hexprint(str, policy, npolicy); + adds(str, "\n"); + } } -static void -print_aia (gnutls_buffer_st * str, gnutls_x509_crt_t cert) +static void print_aia(gnutls_buffer_st * str, gnutls_x509_crt_t cert) { - int err; - int seq = 0; - gnutls_datum_t data; - - for (;;) - { - err = gnutls_x509_crt_get_authority_info_access - (cert, seq, GNUTLS_IA_ACCESSMETHOD_OID, &data, NULL); - if (err == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) - return; - if (err < 0) - { - addf (str, "error: get_aia: %s\n", gnutls_strerror (err)); - return; - } - - addf (str, _("\t\t\tAccess Method: %.*s"), data.size, data.data); - if (data.size == sizeof (GNUTLS_OID_AD_OCSP) && - memcmp (data.data, GNUTLS_OID_AD_OCSP, data.size) == 0) - adds (str, " (id-ad-ocsp)\n"); - else if (data.size == sizeof (GNUTLS_OID_AD_CAISSUERS) && - memcmp (data.data, GNUTLS_OID_AD_CAISSUERS, data.size) == 0) - adds (str, " (id-ad-caIssuers)\n"); - else - adds (str, " (UNKNOWN)\n"); - - err = gnutls_x509_crt_get_authority_info_access - (cert, seq, GNUTLS_IA_ACCESSLOCATION_GENERALNAME_TYPE, &data, NULL); - if (err < 0) - { - addf (str, "error: get_aia type: %s\n", gnutls_strerror (err)); - return; - } - - if (data.size == sizeof ("uniformResourceIdentifier") && - memcmp (data.data, "uniformResourceIdentifier", data.size) == 0) - { - adds (str, "\t\t\tAccess Location URI: "); - err = gnutls_x509_crt_get_authority_info_access - (cert, seq, GNUTLS_IA_URI, &data, NULL); - if (err < 0) - { - addf (str, "error: get_aia uri: %s\n", gnutls_strerror (err)); - return; - } - addf (str, "%.*s\n", data.size, data.data); - } - else - adds (str, "\t\t\tUnsupported accessLocation type\n"); - - seq++; - } + int err; + int seq = 0; + gnutls_datum_t data; + + for (;;) { + err = gnutls_x509_crt_get_authority_info_access + (cert, seq, GNUTLS_IA_ACCESSMETHOD_OID, &data, NULL); + if (err == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) + return; + if (err < 0) { + addf(str, "error: get_aia: %s\n", + gnutls_strerror(err)); + return; + } + + addf(str, _("\t\t\tAccess Method: %.*s"), data.size, + data.data); + if (data.size == sizeof(GNUTLS_OID_AD_OCSP) + && memcmp(data.data, GNUTLS_OID_AD_OCSP, + data.size) == 0) + adds(str, " (id-ad-ocsp)\n"); + else if (data.size == sizeof(GNUTLS_OID_AD_CAISSUERS) && + memcmp(data.data, GNUTLS_OID_AD_CAISSUERS, + data.size) == 0) + adds(str, " (id-ad-caIssuers)\n"); + else + adds(str, " (UNKNOWN)\n"); + + err = gnutls_x509_crt_get_authority_info_access + (cert, seq, GNUTLS_IA_ACCESSLOCATION_GENERALNAME_TYPE, + &data, NULL); + if (err < 0) { + addf(str, "error: get_aia type: %s\n", + gnutls_strerror(err)); + return; + } + + if (data.size == sizeof("uniformResourceIdentifier") && + memcmp(data.data, "uniformResourceIdentifier", + data.size) == 0) { + adds(str, "\t\t\tAccess Location URI: "); + err = gnutls_x509_crt_get_authority_info_access + (cert, seq, GNUTLS_IA_URI, &data, NULL); + if (err < 0) { + addf(str, "error: get_aia uri: %s\n", + gnutls_strerror(err)); + return; + } + addf(str, "%.*s\n", data.size, data.data); + } else + adds(str, + "\t\t\tUnsupported accessLocation type\n"); + + seq++; + } } -static void -print_ski (gnutls_buffer_st * str, gnutls_x509_crt_t cert) +static void print_ski(gnutls_buffer_st * str, gnutls_x509_crt_t cert) { - char *buffer = NULL; - size_t size = 0; - int err; - - err = gnutls_x509_crt_get_subject_key_id (cert, buffer, &size, NULL); - if (err != GNUTLS_E_SHORT_MEMORY_BUFFER) - { - addf (str, "error: get_subject_key_id: %s\n", gnutls_strerror (err)); - return; - } - - buffer = gnutls_malloc (size); - if (!buffer) - { - addf (str, "error: malloc: %s\n", - gnutls_strerror (GNUTLS_E_MEMORY_ERROR)); - return; - } - - err = gnutls_x509_crt_get_subject_key_id (cert, buffer, &size, NULL); - if (err < 0) - { - gnutls_free (buffer); - addf (str, "error: get_subject_key_id2: %s\n", gnutls_strerror (err)); - return; - } - - adds (str, "\t\t\t"); - _gnutls_buffer_hexprint (str, buffer, size); - adds (str, "\n"); - - gnutls_free (buffer); + char *buffer = NULL; + size_t size = 0; + int err; + + err = + gnutls_x509_crt_get_subject_key_id(cert, buffer, &size, NULL); + if (err != GNUTLS_E_SHORT_MEMORY_BUFFER) { + addf(str, "error: get_subject_key_id: %s\n", + gnutls_strerror(err)); + return; + } + + buffer = gnutls_malloc(size); + if (!buffer) { + addf(str, "error: malloc: %s\n", + gnutls_strerror(GNUTLS_E_MEMORY_ERROR)); + return; + } + + err = + gnutls_x509_crt_get_subject_key_id(cert, buffer, &size, NULL); + if (err < 0) { + gnutls_free(buffer); + addf(str, "error: get_subject_key_id2: %s\n", + gnutls_strerror(err)); + return; + } + + adds(str, "\t\t\t"); + _gnutls_buffer_hexprint(str, buffer, size); + adds(str, "\n"); + + gnutls_free(buffer); } #define TYPE_CRL 1 @@ -266,1539 +263,1682 @@ print_ski (gnutls_buffer_st * str, gnutls_x509_crt_t cert) #define TYPE_CRQ_SAN TYPE_CRQ #define TYPE_CRT_IAN 4 -typedef union -{ - gnutls_x509_crt_t crt; - gnutls_x509_crq_t crq; - gnutls_x509_crl_t crl; - gnutls_pubkey_t pubkey; +typedef union { + gnutls_x509_crt_t crt; + gnutls_x509_crq_t crq; + gnutls_x509_crl_t crl; + gnutls_pubkey_t pubkey; } cert_type_t; static void -print_aki_gn_serial (gnutls_buffer_st * str, int type, cert_type_t cert) +print_aki_gn_serial(gnutls_buffer_st * str, int type, cert_type_t cert) { - char *buffer = NULL; - char serial[128]; - size_t size = 0, serial_size = sizeof (serial); - unsigned int alt_type; - int err; - - if (type == TYPE_CRT) - err = - gnutls_x509_crt_get_authority_key_gn_serial (cert.crt, 0, NULL, &size, - &alt_type, serial, - &serial_size, NULL); - else if (type == TYPE_CRL) - err = - gnutls_x509_crl_get_authority_key_gn_serial (cert.crl, 0, NULL, &size, - &alt_type, serial, - &serial_size, NULL); - else - { - gnutls_assert (); - return; - } - - if (err != GNUTLS_E_SHORT_MEMORY_BUFFER) - { - addf (str, "error: get_authority_key_gn_serial: %s\n", - gnutls_strerror (err)); - return; - } - - buffer = gnutls_malloc (size); - if (!buffer) - { - addf (str, "error: malloc: %s\n", - gnutls_strerror (GNUTLS_E_MEMORY_ERROR)); - return; - } - - if (type == TYPE_CRT) - err = - gnutls_x509_crt_get_authority_key_gn_serial (cert.crt, 0, buffer, &size, - &alt_type, serial, - &serial_size, NULL); - else - err = - gnutls_x509_crl_get_authority_key_gn_serial (cert.crl, 0, buffer, &size, - &alt_type, serial, - &serial_size, NULL); - - if (err < 0) - { - gnutls_free (buffer); - addf (str, "error: get_authority_key_gn_serial2: %s\n", - gnutls_strerror (err)); - return; - } - - add_altname (str, "", alt_type, buffer, size); - adds (str, "\t\t\tserial: "); - _gnutls_buffer_hexprint (str, serial, serial_size); - adds (str, "\n"); - - gnutls_free (buffer); + char *buffer = NULL; + char serial[128]; + size_t size = 0, serial_size = sizeof(serial); + unsigned int alt_type; + int err; + + if (type == TYPE_CRT) + err = + gnutls_x509_crt_get_authority_key_gn_serial(cert.crt, + 0, NULL, + &size, + &alt_type, + serial, + &serial_size, + NULL); + else if (type == TYPE_CRL) + err = + gnutls_x509_crl_get_authority_key_gn_serial(cert.crl, + 0, NULL, + &size, + &alt_type, + serial, + &serial_size, + NULL); + else { + gnutls_assert(); + return; + } + + if (err != GNUTLS_E_SHORT_MEMORY_BUFFER) { + addf(str, "error: get_authority_key_gn_serial: %s\n", + gnutls_strerror(err)); + return; + } + + buffer = gnutls_malloc(size); + if (!buffer) { + addf(str, "error: malloc: %s\n", + gnutls_strerror(GNUTLS_E_MEMORY_ERROR)); + return; + } + + if (type == TYPE_CRT) + err = + gnutls_x509_crt_get_authority_key_gn_serial(cert.crt, + 0, buffer, + &size, + &alt_type, + serial, + &serial_size, + NULL); + else + err = + gnutls_x509_crl_get_authority_key_gn_serial(cert.crl, + 0, buffer, + &size, + &alt_type, + serial, + &serial_size, + NULL); + + if (err < 0) { + gnutls_free(buffer); + addf(str, "error: get_authority_key_gn_serial2: %s\n", + gnutls_strerror(err)); + return; + } + + add_altname(str, "", alt_type, buffer, size); + adds(str, "\t\t\tserial: "); + _gnutls_buffer_hexprint(str, serial, serial_size); + adds(str, "\n"); + + gnutls_free(buffer); } -static void -print_aki (gnutls_buffer_st * str, int type, cert_type_t cert) +static void print_aki(gnutls_buffer_st * str, int type, cert_type_t cert) { - char *buffer = NULL; - size_t size = 0; - int err; - - if (type == TYPE_CRT) - err = - gnutls_x509_crt_get_authority_key_id (cert.crt, buffer, &size, NULL); - else if (type == TYPE_CRL) - err = - gnutls_x509_crl_get_authority_key_id (cert.crl, buffer, &size, NULL); - else - { - gnutls_assert (); - return; - } - - if (err == GNUTLS_E_X509_UNSUPPORTED_EXTENSION) - { - /* Check if an alternative name is there */ - print_aki_gn_serial (str, type, cert); - return; - } - - if (err != GNUTLS_E_SHORT_MEMORY_BUFFER) - { - addf (str, "error: get_authority_key_id: %s\n", gnutls_strerror (err)); - return; - } - - buffer = gnutls_malloc (size); - if (!buffer) - { - addf (str, "error: malloc: %s\n", - gnutls_strerror (GNUTLS_E_MEMORY_ERROR)); - return; - } - - if (type == TYPE_CRT) - err = - gnutls_x509_crt_get_authority_key_id (cert.crt, buffer, &size, NULL); - else - err = - gnutls_x509_crl_get_authority_key_id (cert.crl, buffer, &size, NULL); - - if (err < 0) - { - gnutls_free (buffer); - addf (str, "error: get_authority_key_id2: %s\n", gnutls_strerror (err)); - return; - } - - adds (str, "\t\t\t"); - _gnutls_buffer_hexprint (str, buffer, size); - adds (str, "\n"); - - gnutls_free (buffer); + char *buffer = NULL; + size_t size = 0; + int err; + + if (type == TYPE_CRT) + err = + gnutls_x509_crt_get_authority_key_id(cert.crt, buffer, + &size, NULL); + else if (type == TYPE_CRL) + err = + gnutls_x509_crl_get_authority_key_id(cert.crl, buffer, + &size, NULL); + else { + gnutls_assert(); + return; + } + + if (err == GNUTLS_E_X509_UNSUPPORTED_EXTENSION) { + /* Check if an alternative name is there */ + print_aki_gn_serial(str, type, cert); + return; + } + + if (err != GNUTLS_E_SHORT_MEMORY_BUFFER) { + addf(str, "error: get_authority_key_id: %s\n", + gnutls_strerror(err)); + return; + } + + buffer = gnutls_malloc(size); + if (!buffer) { + addf(str, "error: malloc: %s\n", + gnutls_strerror(GNUTLS_E_MEMORY_ERROR)); + return; + } + + if (type == TYPE_CRT) + err = + gnutls_x509_crt_get_authority_key_id(cert.crt, buffer, + &size, NULL); + else + err = + gnutls_x509_crl_get_authority_key_id(cert.crl, buffer, + &size, NULL); + + if (err < 0) { + gnutls_free(buffer); + addf(str, "error: get_authority_key_id2: %s\n", + gnutls_strerror(err)); + return; + } + + adds(str, "\t\t\t"); + _gnutls_buffer_hexprint(str, buffer, size); + adds(str, "\n"); + + gnutls_free(buffer); } static void -print_key_usage (gnutls_buffer_st * str, const char *prefix, int type, - cert_type_t cert) +print_key_usage(gnutls_buffer_st * str, const char *prefix, int type, + cert_type_t cert) { - unsigned int key_usage; - int err; - - if (type == TYPE_CRT) - err = gnutls_x509_crt_get_key_usage (cert.crt, &key_usage, NULL); - else if (type == TYPE_CRQ) - err = gnutls_x509_crq_get_key_usage (cert.crq, &key_usage, NULL); - else if (type == TYPE_PUBKEY) - err = gnutls_pubkey_get_key_usage (cert.pubkey, &key_usage); - else - return; - - if (err < 0) - { - addf (str, "error: get_key_usage: %s\n", gnutls_strerror (err)); - return; - } - - if (key_usage & GNUTLS_KEY_DIGITAL_SIGNATURE) - addf (str, _("%sDigital signature.\n"), prefix); - if (key_usage & GNUTLS_KEY_NON_REPUDIATION) - addf (str, _("%sNon repudiation.\n"), prefix); - if (key_usage & GNUTLS_KEY_KEY_ENCIPHERMENT) - addf (str, _("%sKey encipherment.\n"), prefix); - if (key_usage & GNUTLS_KEY_DATA_ENCIPHERMENT) - addf (str, _("%sData encipherment.\n"), prefix); - if (key_usage & GNUTLS_KEY_KEY_AGREEMENT) - addf (str, _("%sKey agreement.\n"), prefix); - if (key_usage & GNUTLS_KEY_KEY_CERT_SIGN) - addf (str, _("%sCertificate signing.\n"), prefix); - if (key_usage & GNUTLS_KEY_CRL_SIGN) - addf (str, _("%sCRL signing.\n"), prefix); - if (key_usage & GNUTLS_KEY_ENCIPHER_ONLY) - addf (str, _("%sKey encipher only.\n"), prefix); - if (key_usage & GNUTLS_KEY_DECIPHER_ONLY) - addf (str, _("%sKey decipher only.\n"), prefix); + unsigned int key_usage; + int err; + + if (type == TYPE_CRT) + err = + gnutls_x509_crt_get_key_usage(cert.crt, &key_usage, + NULL); + else if (type == TYPE_CRQ) + err = + gnutls_x509_crq_get_key_usage(cert.crq, &key_usage, + NULL); + else if (type == TYPE_PUBKEY) + err = gnutls_pubkey_get_key_usage(cert.pubkey, &key_usage); + else + return; + + if (err < 0) { + addf(str, "error: get_key_usage: %s\n", + gnutls_strerror(err)); + return; + } + + if (key_usage & GNUTLS_KEY_DIGITAL_SIGNATURE) + addf(str, _("%sDigital signature.\n"), prefix); + if (key_usage & GNUTLS_KEY_NON_REPUDIATION) + addf(str, _("%sNon repudiation.\n"), prefix); + if (key_usage & GNUTLS_KEY_KEY_ENCIPHERMENT) + addf(str, _("%sKey encipherment.\n"), prefix); + if (key_usage & GNUTLS_KEY_DATA_ENCIPHERMENT) + addf(str, _("%sData encipherment.\n"), prefix); + if (key_usage & GNUTLS_KEY_KEY_AGREEMENT) + addf(str, _("%sKey agreement.\n"), prefix); + if (key_usage & GNUTLS_KEY_KEY_CERT_SIGN) + addf(str, _("%sCertificate signing.\n"), prefix); + if (key_usage & GNUTLS_KEY_CRL_SIGN) + addf(str, _("%sCRL signing.\n"), prefix); + if (key_usage & GNUTLS_KEY_ENCIPHER_ONLY) + addf(str, _("%sKey encipher only.\n"), prefix); + if (key_usage & GNUTLS_KEY_DECIPHER_ONLY) + addf(str, _("%sKey decipher only.\n"), prefix); } static void -print_private_key_usage_period (gnutls_buffer_st * str, const char *prefix, - int type, cert_type_t cert) +print_private_key_usage_period(gnutls_buffer_st * str, const char *prefix, + int type, cert_type_t cert) { - time_t activation, expiration; - int err; - char s[42]; - struct tm t; - size_t max; - - if (type == TYPE_CRT) - err = - gnutls_x509_crt_get_private_key_usage_period (cert.crt, &activation, - &expiration, NULL); - else if (type == TYPE_CRQ) - err = - gnutls_x509_crq_get_private_key_usage_period (cert.crq, &activation, - &expiration, NULL); - else - return; - - if (err < 0) - { - addf (str, "error: get_private_key_usage_period: %s\n", - gnutls_strerror (err)); - return; - } - - max = sizeof (s); - - if (gmtime_r (&activation, &t) == NULL) - addf (str, "error: gmtime_r (%ld)\n", (unsigned long) activation); - else if (strftime (s, max, "%a %b %d %H:%M:%S UTC %Y", &t) == 0) - addf (str, "error: strftime (%ld)\n", (unsigned long) activation); - else - addf (str, _("\t\t\tNot Before: %s\n"), s); - - if (gmtime_r (&expiration, &t) == NULL) - addf (str, "error: gmtime_r (%ld)\n", (unsigned long) expiration); - else if (strftime (s, max, "%a %b %d %H:%M:%S UTC %Y", &t) == 0) - addf (str, "error: strftime (%ld)\n", (unsigned long) expiration); - else - addf (str, _("\t\t\tNot After: %s\n"), s); + time_t activation, expiration; + int err; + char s[42]; + struct tm t; + size_t max; + + if (type == TYPE_CRT) + err = + gnutls_x509_crt_get_private_key_usage_period(cert.crt, + &activation, + &expiration, + NULL); + else if (type == TYPE_CRQ) + err = + gnutls_x509_crq_get_private_key_usage_period(cert.crq, + &activation, + &expiration, + NULL); + else + return; + + if (err < 0) { + addf(str, "error: get_private_key_usage_period: %s\n", + gnutls_strerror(err)); + return; + } + + max = sizeof(s); + + if (gmtime_r(&activation, &t) == NULL) + addf(str, "error: gmtime_r (%ld)\n", + (unsigned long) activation); + else if (strftime(s, max, "%a %b %d %H:%M:%S UTC %Y", &t) == 0) + addf(str, "error: strftime (%ld)\n", + (unsigned long) activation); + else + addf(str, _("\t\t\tNot Before: %s\n"), s); + + if (gmtime_r(&expiration, &t) == NULL) + addf(str, "error: gmtime_r (%ld)\n", + (unsigned long) expiration); + else if (strftime(s, max, "%a %b %d %H:%M:%S UTC %Y", &t) == 0) + addf(str, "error: strftime (%ld)\n", + (unsigned long) expiration); + else + addf(str, _("\t\t\tNot After: %s\n"), s); } -static void -print_crldist (gnutls_buffer_st * str, gnutls_x509_crt_t cert) +static void print_crldist(gnutls_buffer_st * str, gnutls_x509_crt_t cert) { - char *buffer = NULL; - size_t size; - char str_ip[64]; - char *p; - int err; - int indx; - - for (indx = 0;; indx++) - { - size = 0; - err = gnutls_x509_crt_get_crl_dist_points (cert, indx, buffer, &size, - NULL, NULL); - if (err == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) - return; - if (err != GNUTLS_E_SHORT_MEMORY_BUFFER) - { - addf (str, "error: get_crl_dist_points: %s\n", - gnutls_strerror (err)); - return; - } - - buffer = gnutls_malloc (size); - if (!buffer) - { - addf (str, "error: malloc: %s\n", - gnutls_strerror (GNUTLS_E_MEMORY_ERROR)); - return; - } - - err = gnutls_x509_crt_get_crl_dist_points (cert, indx, buffer, &size, - NULL, NULL); - if (err < 0) - { - gnutls_free (buffer); - addf (str, "error: get_crl_dist_points2: %s\n", - gnutls_strerror (err)); - return; - } - - if ((err == GNUTLS_SAN_DNSNAME - || err == GNUTLS_SAN_RFC822NAME - || err == GNUTLS_SAN_URI) && strlen (buffer) != size) - { - adds (str, _("warning: distributionPoint contains an embedded NUL, " - "replacing with '!'\n")); - while (strlen (buffer) < size) - buffer[strlen (buffer)] = '!'; - } - - switch (err) - { - case GNUTLS_SAN_DNSNAME: - addf (str, "\t\t\tDNSname: %.*s\n", (int) size, buffer); - break; - - case GNUTLS_SAN_RFC822NAME: - addf (str, "\t\t\tRFC822name: %.*s\n", (int) size, buffer); - break; - - case GNUTLS_SAN_URI: - addf (str, "\t\t\tURI: %.*s\n", (int) size, buffer); - break; - - case GNUTLS_SAN_IPADDRESS: - p = ip_to_string (buffer, size, str_ip, sizeof (str_ip)); - if (p == NULL) - p = ERROR_STR; - addf (str, "\t\t\tIPAddress: %s\n", p); - break; - - case GNUTLS_SAN_DN: - addf (str, "\t\t\tdirectoryName: %.*s\n", (int) size, buffer); - break; - - default: - addf (str, "error: unknown SAN\n"); - break; - } - gnutls_free (buffer); - } + char *buffer = NULL; + size_t size; + char str_ip[64]; + char *p; + int err; + int indx; + + for (indx = 0;; indx++) { + size = 0; + err = + gnutls_x509_crt_get_crl_dist_points(cert, indx, buffer, + &size, NULL, NULL); + if (err == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) + return; + if (err != GNUTLS_E_SHORT_MEMORY_BUFFER) { + addf(str, "error: get_crl_dist_points: %s\n", + gnutls_strerror(err)); + return; + } + + buffer = gnutls_malloc(size); + if (!buffer) { + addf(str, "error: malloc: %s\n", + gnutls_strerror(GNUTLS_E_MEMORY_ERROR)); + return; + } + + err = + gnutls_x509_crt_get_crl_dist_points(cert, indx, buffer, + &size, NULL, NULL); + if (err < 0) { + gnutls_free(buffer); + addf(str, "error: get_crl_dist_points2: %s\n", + gnutls_strerror(err)); + return; + } + + if ((err == GNUTLS_SAN_DNSNAME + || err == GNUTLS_SAN_RFC822NAME + || err == GNUTLS_SAN_URI) && strlen(buffer) != size) { + adds(str, + _ + ("warning: distributionPoint contains an embedded NUL, " + "replacing with '!'\n")); + while (strlen(buffer) < size) + buffer[strlen(buffer)] = '!'; + } + + switch (err) { + case GNUTLS_SAN_DNSNAME: + addf(str, "\t\t\tDNSname: %.*s\n", (int) size, + buffer); + break; + + case GNUTLS_SAN_RFC822NAME: + addf(str, "\t\t\tRFC822name: %.*s\n", (int) size, + buffer); + break; + + case GNUTLS_SAN_URI: + addf(str, "\t\t\tURI: %.*s\n", (int) size, buffer); + break; + + case GNUTLS_SAN_IPADDRESS: + p = ip_to_string(buffer, size, str_ip, + sizeof(str_ip)); + if (p == NULL) + p = ERROR_STR; + addf(str, "\t\t\tIPAddress: %s\n", p); + break; + + case GNUTLS_SAN_DN: + addf(str, "\t\t\tdirectoryName: %.*s\n", + (int) size, buffer); + break; + + default: + addf(str, "error: unknown SAN\n"); + break; + } + gnutls_free(buffer); + } } static void -print_key_purpose (gnutls_buffer_st * str, const char *prefix, int type, - cert_type_t cert) +print_key_purpose(gnutls_buffer_st * str, const char *prefix, int type, + cert_type_t cert) { - int indx; - char *buffer = NULL; - size_t size; - int err; - - for (indx = 0;; indx++) - { - size = 0; - if (type == TYPE_CRT) - err = gnutls_x509_crt_get_key_purpose_oid (cert.crt, indx, buffer, - &size, NULL); - else if (type == TYPE_CRQ) - err = gnutls_x509_crq_get_key_purpose_oid (cert.crq, indx, buffer, - &size, NULL); - else - return; - - if (err == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) - return; - if (err != GNUTLS_E_SHORT_MEMORY_BUFFER) - { - addf (str, "error: get_key_purpose_oid: %s\n", - gnutls_strerror (err)); - return; - } - - buffer = gnutls_malloc (size); - if (!buffer) - { - addf (str, "error: malloc: %s\n", - gnutls_strerror (GNUTLS_E_MEMORY_ERROR)); - return; - } - - if (type == TYPE_CRT) - err = gnutls_x509_crt_get_key_purpose_oid (cert.crt, indx, buffer, - &size, NULL); - else - err = gnutls_x509_crq_get_key_purpose_oid (cert.crq, indx, buffer, - &size, NULL); - - if (err < 0) - { - gnutls_free (buffer); - addf (str, "error: get_key_purpose_oid2: %s\n", - gnutls_strerror (err)); - return; - } - - if (strcmp (buffer, GNUTLS_KP_TLS_WWW_SERVER) == 0) - addf (str, _("%s\t\t\tTLS WWW Server.\n"), prefix); - else if (strcmp (buffer, GNUTLS_KP_TLS_WWW_CLIENT) == 0) - addf (str, _("%s\t\t\tTLS WWW Client.\n"), prefix); - else if (strcmp (buffer, GNUTLS_KP_CODE_SIGNING) == 0) - addf (str, _("%s\t\t\tCode signing.\n"), prefix); - else if (strcmp (buffer, GNUTLS_KP_EMAIL_PROTECTION) == 0) - addf (str, _("%s\t\t\tEmail protection.\n"), prefix); - else if (strcmp (buffer, GNUTLS_KP_TIME_STAMPING) == 0) - addf (str, _("%s\t\t\tTime stamping.\n"), prefix); - else if (strcmp (buffer, GNUTLS_KP_OCSP_SIGNING) == 0) - addf (str, _("%s\t\t\tOCSP signing.\n"), prefix); - else if (strcmp (buffer, GNUTLS_KP_IPSEC_IKE) == 0) - addf (str, _("%s\t\t\tIpsec IKE.\n"), prefix); - else if (strcmp (buffer, GNUTLS_KP_ANY) == 0) - addf (str, _("%s\t\t\tAny purpose.\n"), prefix); - else - addf (str, "%s\t\t\t%s\n", prefix, buffer); - - gnutls_free (buffer); - } + int indx; + char *buffer = NULL; + size_t size; + int err; + + for (indx = 0;; indx++) { + size = 0; + if (type == TYPE_CRT) + err = + gnutls_x509_crt_get_key_purpose_oid(cert.crt, + indx, + buffer, + &size, + NULL); + else if (type == TYPE_CRQ) + err = + gnutls_x509_crq_get_key_purpose_oid(cert.crq, + indx, + buffer, + &size, + NULL); + else + return; + + if (err == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) + return; + if (err != GNUTLS_E_SHORT_MEMORY_BUFFER) { + addf(str, "error: get_key_purpose_oid: %s\n", + gnutls_strerror(err)); + return; + } + + buffer = gnutls_malloc(size); + if (!buffer) { + addf(str, "error: malloc: %s\n", + gnutls_strerror(GNUTLS_E_MEMORY_ERROR)); + return; + } + + if (type == TYPE_CRT) + err = + gnutls_x509_crt_get_key_purpose_oid(cert.crt, + indx, + buffer, + &size, + NULL); + else + err = + gnutls_x509_crq_get_key_purpose_oid(cert.crq, + indx, + buffer, + &size, + NULL); + + if (err < 0) { + gnutls_free(buffer); + addf(str, "error: get_key_purpose_oid2: %s\n", + gnutls_strerror(err)); + return; + } + + if (strcmp(buffer, GNUTLS_KP_TLS_WWW_SERVER) == 0) + addf(str, _("%s\t\t\tTLS WWW Server.\n"), prefix); + else if (strcmp(buffer, GNUTLS_KP_TLS_WWW_CLIENT) == 0) + addf(str, _("%s\t\t\tTLS WWW Client.\n"), prefix); + else if (strcmp(buffer, GNUTLS_KP_CODE_SIGNING) == 0) + addf(str, _("%s\t\t\tCode signing.\n"), prefix); + else if (strcmp(buffer, GNUTLS_KP_EMAIL_PROTECTION) == 0) + addf(str, _("%s\t\t\tEmail protection.\n"), + prefix); + else if (strcmp(buffer, GNUTLS_KP_TIME_STAMPING) == 0) + addf(str, _("%s\t\t\tTime stamping.\n"), prefix); + else if (strcmp(buffer, GNUTLS_KP_OCSP_SIGNING) == 0) + addf(str, _("%s\t\t\tOCSP signing.\n"), prefix); + else if (strcmp(buffer, GNUTLS_KP_IPSEC_IKE) == 0) + addf(str, _("%s\t\t\tIpsec IKE.\n"), prefix); + else if (strcmp(buffer, GNUTLS_KP_ANY) == 0) + addf(str, _("%s\t\t\tAny purpose.\n"), prefix); + else + addf(str, "%s\t\t\t%s\n", prefix, buffer); + + gnutls_free(buffer); + } } static void -print_basic (gnutls_buffer_st * str, const char *prefix, int type, - cert_type_t cert) +print_basic(gnutls_buffer_st * str, const char *prefix, int type, + cert_type_t cert) { - int pathlen; - int err; - - if (type == TYPE_CRT) - err = - gnutls_x509_crt_get_basic_constraints (cert.crt, NULL, NULL, &pathlen); - else if (type == TYPE_CRQ) - err = - gnutls_x509_crq_get_basic_constraints (cert.crq, NULL, NULL, &pathlen); - else - return; - - if (err < 0) - { - addf (str, "error: get_basic_constraints: %s\n", gnutls_strerror (err)); - return; - } - - if (err == 0) - addf (str, _("%s\t\t\tCertificate Authority (CA): FALSE\n"), prefix); - else - addf (str, _("%s\t\t\tCertificate Authority (CA): TRUE\n"), prefix); - - if (pathlen >= 0) - addf (str, _("%s\t\t\tPath Length Constraint: %d\n"), prefix, pathlen); + int pathlen; + int err; + + if (type == TYPE_CRT) + err = + gnutls_x509_crt_get_basic_constraints(cert.crt, NULL, + NULL, &pathlen); + else if (type == TYPE_CRQ) + err = + gnutls_x509_crq_get_basic_constraints(cert.crq, NULL, + NULL, &pathlen); + else + return; + + if (err < 0) { + addf(str, "error: get_basic_constraints: %s\n", + gnutls_strerror(err)); + return; + } + + if (err == 0) + addf(str, _("%s\t\t\tCertificate Authority (CA): FALSE\n"), + prefix); + else + addf(str, _("%s\t\t\tCertificate Authority (CA): TRUE\n"), + prefix); + + if (pathlen >= 0) + addf(str, _("%s\t\t\tPath Length Constraint: %d\n"), + prefix, pathlen); } static void -print_altname (gnutls_buffer_st * str, const char *prefix, - unsigned int altname_type, cert_type_t cert) +print_altname(gnutls_buffer_st * str, const char *prefix, + unsigned int altname_type, cert_type_t cert) { - unsigned int altname_idx; - - for (altname_idx = 0;; altname_idx++) - { - char *buffer = NULL; - size_t size = 0; - int err; - - if (altname_type == TYPE_CRT_SAN) - err = - gnutls_x509_crt_get_subject_alt_name (cert.crt, altname_idx, buffer, - &size, NULL); - else if (altname_type == TYPE_CRQ_SAN) - err = - gnutls_x509_crq_get_subject_alt_name (cert.crq, altname_idx, buffer, - &size, NULL, NULL); - else if (altname_type == TYPE_CRT_IAN) - err = - gnutls_x509_crt_get_issuer_alt_name (cert.crt, altname_idx, buffer, - &size, NULL); - else - return; - - if (err == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) - break; - if (err != GNUTLS_E_SHORT_MEMORY_BUFFER) - { - addf (str, "error: get_subject/issuer_alt_name: %s\n", - gnutls_strerror (err)); - return; - } - - buffer = gnutls_malloc (size); - if (!buffer) - { - addf (str, "error: malloc: %s\n", - gnutls_strerror (GNUTLS_E_MEMORY_ERROR)); - return; - } - - if (altname_type == TYPE_CRT_SAN) - err = - gnutls_x509_crt_get_subject_alt_name (cert.crt, altname_idx, buffer, - &size, NULL); - else if (altname_type == TYPE_CRQ_SAN) - err = - gnutls_x509_crq_get_subject_alt_name (cert.crq, altname_idx, buffer, - &size, NULL, NULL); - else if (altname_type == TYPE_CRT_IAN) - err = gnutls_x509_crt_get_issuer_alt_name (cert.crt, altname_idx, - buffer, &size, NULL); - - if (err < 0) - { - gnutls_free (buffer); - addf (str, "error: get_subject/issuer_alt_name2: %s\n", - gnutls_strerror (err)); - return; - } - - - if (err == GNUTLS_SAN_OTHERNAME) - { - char *oid = NULL; - size_t oidsize; - - oidsize = 0; - if (altname_type == TYPE_CRT_SAN) - err = gnutls_x509_crt_get_subject_alt_othername_oid - (cert.crt, altname_idx, oid, &oidsize); - else if (altname_type == TYPE_CRQ_SAN) - err = gnutls_x509_crq_get_subject_alt_othername_oid - (cert.crq, altname_idx, oid, &oidsize); - else if (altname_type == TYPE_CRT_IAN) - err = gnutls_x509_crt_get_issuer_alt_othername_oid - (cert.crt, altname_idx, oid, &oidsize); - - if (err != GNUTLS_E_SHORT_MEMORY_BUFFER) - { - gnutls_free (buffer); - addf (str, - "error: get_subject/issuer_alt_othername_oid: %s\n", - gnutls_strerror (err)); - return; - } - - oid = gnutls_malloc (oidsize); - if (!oid) - { - gnutls_free (buffer); - addf (str, "error: malloc: %s\n", - gnutls_strerror (GNUTLS_E_MEMORY_ERROR)); - return; - } - - if (altname_type == TYPE_CRT_SAN) - err = gnutls_x509_crt_get_subject_alt_othername_oid - (cert.crt, altname_idx, oid, &oidsize); - else if (altname_type == TYPE_CRQ_SAN) - err = gnutls_x509_crq_get_subject_alt_othername_oid - (cert.crq, altname_idx, oid, &oidsize); - else if (altname_type == TYPE_CRT_IAN) - err = gnutls_x509_crt_get_issuer_alt_othername_oid - (cert.crt, altname_idx, oid, &oidsize); - - if (err < 0) - { - gnutls_free (buffer); - gnutls_free (oid); - addf (str, "error: get_subject_alt_othername_oid2: %s\n", - gnutls_strerror (err)); - return; - } - - if (err == GNUTLS_SAN_OTHERNAME_XMPP) - { - if (strlen (buffer) != size) - { - adds (str, _("warning: altname contains an embedded NUL, " - "replacing with '!'\n")); - while (strlen (buffer) < size) - buffer[strlen (buffer)] = '!'; - } - - addf (str, _("%s\t\t\tXMPP Address: %.*s\n"), prefix, - (int) size, buffer); - } - else - { - addf (str, _("%s\t\t\totherName OID: %.*s\n"), prefix, - (int) oidsize, oid); - addf (str, _("%s\t\t\totherName DER: "), prefix); - _gnutls_buffer_hexprint (str, buffer, size); - addf (str, _("\n%s\t\t\totherName ASCII: "), prefix); - _gnutls_buffer_asciiprint (str, buffer, size); - addf (str, "\n"); - } - gnutls_free (oid); - } - else - add_altname (str, prefix, err, buffer, size); - - gnutls_free (buffer); - } + unsigned int altname_idx; + + for (altname_idx = 0;; altname_idx++) { + char *buffer = NULL; + size_t size = 0; + int err; + + if (altname_type == TYPE_CRT_SAN) + err = + gnutls_x509_crt_get_subject_alt_name(cert.crt, + altname_idx, + buffer, + &size, + NULL); + else if (altname_type == TYPE_CRQ_SAN) + err = + gnutls_x509_crq_get_subject_alt_name(cert.crq, + altname_idx, + buffer, + &size, + NULL, + NULL); + else if (altname_type == TYPE_CRT_IAN) + err = + gnutls_x509_crt_get_issuer_alt_name(cert.crt, + altname_idx, + buffer, + &size, + NULL); + else + return; + + if (err == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) + break; + if (err != GNUTLS_E_SHORT_MEMORY_BUFFER) { + addf(str, + "error: get_subject/issuer_alt_name: %s\n", + gnutls_strerror(err)); + return; + } + + buffer = gnutls_malloc(size); + if (!buffer) { + addf(str, "error: malloc: %s\n", + gnutls_strerror(GNUTLS_E_MEMORY_ERROR)); + return; + } + + if (altname_type == TYPE_CRT_SAN) + err = + gnutls_x509_crt_get_subject_alt_name(cert.crt, + altname_idx, + buffer, + &size, + NULL); + else if (altname_type == TYPE_CRQ_SAN) + err = + gnutls_x509_crq_get_subject_alt_name(cert.crq, + altname_idx, + buffer, + &size, + NULL, + NULL); + else if (altname_type == TYPE_CRT_IAN) + err = + gnutls_x509_crt_get_issuer_alt_name(cert.crt, + altname_idx, + buffer, + &size, + NULL); + + if (err < 0) { + gnutls_free(buffer); + addf(str, + "error: get_subject/issuer_alt_name2: %s\n", + gnutls_strerror(err)); + return; + } + + + if (err == GNUTLS_SAN_OTHERNAME) { + char *oid = NULL; + size_t oidsize; + + oidsize = 0; + if (altname_type == TYPE_CRT_SAN) + err = + gnutls_x509_crt_get_subject_alt_othername_oid + (cert.crt, altname_idx, oid, &oidsize); + else if (altname_type == TYPE_CRQ_SAN) + err = + gnutls_x509_crq_get_subject_alt_othername_oid + (cert.crq, altname_idx, oid, &oidsize); + else if (altname_type == TYPE_CRT_IAN) + err = + gnutls_x509_crt_get_issuer_alt_othername_oid + (cert.crt, altname_idx, oid, &oidsize); + + if (err != GNUTLS_E_SHORT_MEMORY_BUFFER) { + gnutls_free(buffer); + addf(str, + "error: get_subject/issuer_alt_othername_oid: %s\n", + gnutls_strerror(err)); + return; + } + + oid = gnutls_malloc(oidsize); + if (!oid) { + gnutls_free(buffer); + addf(str, "error: malloc: %s\n", + gnutls_strerror + (GNUTLS_E_MEMORY_ERROR)); + return; + } + + if (altname_type == TYPE_CRT_SAN) + err = + gnutls_x509_crt_get_subject_alt_othername_oid + (cert.crt, altname_idx, oid, &oidsize); + else if (altname_type == TYPE_CRQ_SAN) + err = + gnutls_x509_crq_get_subject_alt_othername_oid + (cert.crq, altname_idx, oid, &oidsize); + else if (altname_type == TYPE_CRT_IAN) + err = + gnutls_x509_crt_get_issuer_alt_othername_oid + (cert.crt, altname_idx, oid, &oidsize); + + if (err < 0) { + gnutls_free(buffer); + gnutls_free(oid); + addf(str, + "error: get_subject_alt_othername_oid2: %s\n", + gnutls_strerror(err)); + return; + } + + if (err == GNUTLS_SAN_OTHERNAME_XMPP) { + if (strlen(buffer) != size) { + adds(str, + _ + ("warning: altname contains an embedded NUL, " + "replacing with '!'\n")); + while (strlen(buffer) < size) + buffer[strlen(buffer)] = + '!'; + } + + addf(str, + _("%s\t\t\tXMPP Address: %.*s\n"), + prefix, (int) size, buffer); + } else { + addf(str, + _("%s\t\t\totherName OID: %.*s\n"), + prefix, (int) oidsize, oid); + addf(str, _("%s\t\t\totherName DER: "), + prefix); + _gnutls_buffer_hexprint(str, buffer, size); + addf(str, _("\n%s\t\t\totherName ASCII: "), + prefix); + _gnutls_buffer_asciiprint(str, buffer, + size); + addf(str, "\n"); + } + gnutls_free(oid); + } else + add_altname(str, prefix, err, buffer, size); + + gnutls_free(buffer); + } } static void -guiddump (gnutls_buffer_st * str, const char *data, size_t len, - const char *spc) +guiddump(gnutls_buffer_st * str, const char *data, size_t len, + const char *spc) { - size_t j; - - if (spc) - adds (str, spc); - addf (str, "{"); - addf (str, "%.2X", (unsigned char) data[3]); - addf (str, "%.2X", (unsigned char) data[2]); - addf (str, "%.2X", (unsigned char) data[1]); - addf (str, "%.2X", (unsigned char) data[0]); - addf (str, "-"); - addf (str, "%.2X", (unsigned char) data[5]); - addf (str, "%.2X", (unsigned char) data[4]); - addf (str, "-"); - addf (str, "%.2X", (unsigned char) data[7]); - addf (str, "%.2X", (unsigned char) data[6]); - addf (str, "-"); - addf (str, "%.2X", (unsigned char) data[8]); - addf (str, "%.2X", (unsigned char) data[9]); - addf (str, "-"); - for (j = 10; j < 16; j++) - { - addf (str, "%.2X", (unsigned char) data[j]); - } - addf (str, "}\n"); + size_t j; + + if (spc) + adds(str, spc); + addf(str, "{"); + addf(str, "%.2X", (unsigned char) data[3]); + addf(str, "%.2X", (unsigned char) data[2]); + addf(str, "%.2X", (unsigned char) data[1]); + addf(str, "%.2X", (unsigned char) data[0]); + addf(str, "-"); + addf(str, "%.2X", (unsigned char) data[5]); + addf(str, "%.2X", (unsigned char) data[4]); + addf(str, "-"); + addf(str, "%.2X", (unsigned char) data[7]); + addf(str, "%.2X", (unsigned char) data[6]); + addf(str, "-"); + addf(str, "%.2X", (unsigned char) data[8]); + addf(str, "%.2X", (unsigned char) data[9]); + addf(str, "-"); + for (j = 10; j < 16; j++) { + addf(str, "%.2X", (unsigned char) data[j]); + } + addf(str, "}\n"); } static void -print_unique_ids (gnutls_buffer_st * str, const gnutls_x509_crt_t cert) +print_unique_ids(gnutls_buffer_st * str, const gnutls_x509_crt_t cert) { - int result; - char buf[256]; /* if its longer, we won't bother to print it */ - size_t buf_size = 256; - - result = gnutls_x509_crt_get_issuer_unique_id (cert, buf, &buf_size); - if (result >= 0) - { - addf (str, ("\t\tIssuer Unique ID:\n")); - _gnutls_buffer_hexdump (str, buf, buf_size, "\t\t\t"); - if (buf_size == 16) - { /* this could be a GUID */ - guiddump (str, buf, buf_size, "\t\t\t"); - } - } - - buf_size = 256; - result = gnutls_x509_crt_get_subject_unique_id (cert, buf, &buf_size); - if (result >= 0) - { - addf (str, ("\t\tSubject Unique ID:\n")); - _gnutls_buffer_hexdump (str, buf, buf_size, "\t\t\t"); - if (buf_size == 16) - { /* this could be a GUID */ - guiddump (str, buf, buf_size, "\t\t\t"); - } - } + int result; + char buf[256]; /* if its longer, we won't bother to print it */ + size_t buf_size = 256; + + result = + gnutls_x509_crt_get_issuer_unique_id(cert, buf, &buf_size); + if (result >= 0) { + addf(str, ("\t\tIssuer Unique ID:\n")); + _gnutls_buffer_hexdump(str, buf, buf_size, "\t\t\t"); + if (buf_size == 16) { /* this could be a GUID */ + guiddump(str, buf, buf_size, "\t\t\t"); + } + } + + buf_size = 256; + result = + gnutls_x509_crt_get_subject_unique_id(cert, buf, &buf_size); + if (result >= 0) { + addf(str, ("\t\tSubject Unique ID:\n")); + _gnutls_buffer_hexdump(str, buf, buf_size, "\t\t\t"); + if (buf_size == 16) { /* this could be a GUID */ + guiddump(str, buf, buf_size, "\t\t\t"); + } + } } static void -print_extensions (gnutls_buffer_st * str, const char *prefix, int type, - cert_type_t cert) +print_extensions(gnutls_buffer_st * str, const char *prefix, int type, + cert_type_t cert) { - unsigned i, j; - int err; - int san_idx = 0; - int ian_idx = 0; - int proxy_idx = 0; - int basic_idx = 0; - int keyusage_idx = 0; - int keypurpose_idx = 0; - int ski_idx = 0; - int aki_idx = 0; - int crldist_idx = 0, pkey_usage_period_idx = 0; - char pfx[16]; - - for (i = 0;; i++) - { - char oid[MAX_OID_SIZE] = ""; - size_t sizeof_oid = sizeof (oid); - unsigned int critical; - - if (type == TYPE_CRT) - err = gnutls_x509_crt_get_extension_info (cert.crt, i, - oid, &sizeof_oid, - &critical); - - else if (type == TYPE_CRQ) - err = gnutls_x509_crq_get_extension_info (cert.crq, i, - oid, &sizeof_oid, - &critical); - else - { - gnutls_assert (); - return; - } - - if (err < 0) - { - if (err == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) - break; - addf (str, "error: get_extension_info: %s\n", - gnutls_strerror (err)); - continue; - } - - if (i == 0) - addf (str, _("%s\tExtensions:\n"), prefix); - - if (strcmp (oid, "2.5.29.19") == 0) - { - if (basic_idx) - { - addf (str, "error: more than one basic constraint\n"); - continue; - } - - addf (str, _("%s\t\tBasic Constraints (%s):\n"), prefix, - critical ? _("critical") : _("not critical")); - - print_basic (str, prefix, type, cert); - - basic_idx++; - } - else if (strcmp (oid, "2.5.29.14") == 0) - { - if (ski_idx) - { - addf (str, "error: more than one SKI extension\n"); - continue; - } - - addf (str, _("%s\t\tSubject Key Identifier (%s):\n"), prefix, - critical ? _("critical") : _("not critical")); - - if (type == TYPE_CRT) - print_ski (str, cert.crt); - - ski_idx++; - } - else if (strcmp (oid, "2.5.29.32") == 0) - { - struct gnutls_x509_policy_st policy; - const char *name; - int x; - - for (x = 0;; x++) - { - err = - gnutls_x509_crt_get_policy (cert.crt, x, &policy, &critical); - if (err == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) - break; - - if (err < 0) - { - addf (str, "error: certificate policy: %s\n", - gnutls_strerror (err)); - break; - } - - if (x == 0) - addf (str, "%s\t\tCertificate Policies (%s):\n", prefix, - critical ? _("critical") : _("not critical")); - - addf (str, "%s\t\t\t%s\n", prefix, policy.oid); - for (j = 0; j < policy.qualifiers; j++) - { - if (policy.qualifier[j].type == GNUTLS_X509_QUALIFIER_URI) - name = "URI"; - else if (policy.qualifier[j].type == - GNUTLS_X509_QUALIFIER_NOTICE) - name = "Note"; - else - name = "Unknown qualifier"; - addf (str, "%s\t\t\t\t%s: %s\n", prefix, name, - policy.qualifier[j].data); - } - - gnutls_x509_policy_release (&policy); - } - } - else if (strcmp (oid, "2.5.29.35") == 0) - { - - if (aki_idx) - { - addf (str, "error: more than one AKI extension\n"); - continue; - } - - addf (str, _("%s\t\tAuthority Key Identifier (%s):\n"), prefix, - critical ? _("critical") : _("not critical")); - - if (type == TYPE_CRT) - print_aki (str, TYPE_CRT, cert); - - aki_idx++; - } - else if (strcmp (oid, "2.5.29.15") == 0) - { - if (keyusage_idx) - { - addf (str, "error: more than one key usage extension\n"); - continue; - } - - addf (str, _("%s\t\tKey Usage (%s):\n"), prefix, - critical ? _("critical") : _("not critical")); - - snprintf(pfx, sizeof(pfx), "%s\t\t\t", prefix); - print_key_usage (str, pfx, type, cert); - - keyusage_idx++; - } - else if (strcmp (oid, "2.5.29.16") == 0) - { - if (pkey_usage_period_idx) - { - addf (str, - "error: more than one private key usage period extension\n"); - continue; - } - - addf (str, _("%s\t\tPrivate Key Usage Period (%s):\n"), prefix, - critical ? _("critical") : _("not critical")); - - print_private_key_usage_period (str, prefix, type, cert); - - pkey_usage_period_idx++; - } - else if (strcmp (oid, "2.5.29.37") == 0) - { - if (keypurpose_idx) - { - addf (str, "error: more than one key purpose extension\n"); - continue; - } - - addf (str, _("%s\t\tKey Purpose (%s):\n"), prefix, - critical ? _("critical") : _("not critical")); - - print_key_purpose (str, prefix, type, cert); - keypurpose_idx++; - } - else if (strcmp (oid, "2.5.29.17") == 0) - { - if (san_idx) - { - addf (str, "error: more than one SKI extension\n"); - continue; - } - - addf (str, _("%s\t\tSubject Alternative Name (%s):\n"), prefix, - critical ? _("critical") : _("not critical")); - - print_altname (str, prefix, type, cert); - - san_idx++; - } - else if (strcmp (oid, "2.5.29.18") == 0) - { - if (ian_idx) - { - addf (str, "error: more than one Issuer AltName extension\n"); - continue; - } - - addf (str, _("%s\t\tIssuer Alternative Name (%s):\n"), prefix, - critical ? _("critical") : _("not critical")); - - print_altname (str, prefix, TYPE_CRT_IAN, cert); - - ian_idx++; - } - else if (strcmp (oid, "2.5.29.31") == 0) - { - if (crldist_idx) - { - addf (str, "error: more than one CRL distribution point\n"); - continue; - } - - addf (str, _("%s\t\tCRL Distribution points (%s):\n"), prefix, - critical ? _("critical") : _("not critical")); - - if (type == TYPE_CRT) - print_crldist (str, cert.crt); - crldist_idx++; - } - else if (strcmp (oid, "1.3.6.1.5.5.7.1.14") == 0) - { - if (proxy_idx) - { - addf (str, "error: more than one proxy extension\n"); - continue; - } - - addf (str, _("%s\t\tProxy Certificate Information (%s):\n"), prefix, - critical ? _("critical") : _("not critical")); - - if (type == TYPE_CRT) - print_proxy (str, cert.crt); - - proxy_idx++; - } - else if (strcmp (oid, "1.3.6.1.5.5.7.1.1") == 0) - { - addf (str, _("%s\t\tAuthority Information " - "Access (%s):\n"), prefix, - critical ? _("critical") : _("not critical")); - - if (type == TYPE_CRT) - print_aia (str, cert.crt); - } - else - { - char *buffer; - size_t extlen = 0; - - addf (str, _("%s\t\tUnknown extension %s (%s):\n"), prefix, oid, - critical ? _("critical") : _("not critical")); - - if (type == TYPE_CRT) - err = - gnutls_x509_crt_get_extension_data (cert.crt, i, NULL, &extlen); - else if (type == TYPE_CRQ) - err = - gnutls_x509_crq_get_extension_data (cert.crq, i, NULL, &extlen); - else - { - gnutls_assert (); - return; - } - - if (err < 0) - { - addf (str, "error: get_extension_data: %s\n", - gnutls_strerror (err)); - continue; - } - - buffer = gnutls_malloc (extlen); - if (!buffer) - { - addf (str, "error: malloc: %s\n", - gnutls_strerror (GNUTLS_E_MEMORY_ERROR)); - continue; - } - - if (type == TYPE_CRT) - err = - gnutls_x509_crt_get_extension_data (cert.crt, i, buffer, - &extlen); - else if (type == TYPE_CRQ) - err = - gnutls_x509_crq_get_extension_data (cert.crq, i, buffer, - &extlen); - - if (err < 0) - { - gnutls_free (buffer); - addf (str, "error: get_extension_data2: %s\n", - gnutls_strerror (err)); - continue; - } - - addf (str, _("%s\t\t\tASCII: "), prefix); - _gnutls_buffer_asciiprint (str, buffer, extlen); - addf (str, "\n"); - - addf (str, _("%s\t\t\tHexdump: "), prefix); - _gnutls_buffer_hexprint (str, buffer, extlen); - adds (str, "\n"); - - gnutls_free (buffer); - } - } + unsigned i, j; + int err; + int san_idx = 0; + int ian_idx = 0; + int proxy_idx = 0; + int basic_idx = 0; + int keyusage_idx = 0; + int keypurpose_idx = 0; + int ski_idx = 0; + int aki_idx = 0; + int crldist_idx = 0, pkey_usage_period_idx = 0; + char pfx[16]; + + for (i = 0;; i++) { + char oid[MAX_OID_SIZE] = ""; + size_t sizeof_oid = sizeof(oid); + unsigned int critical; + + if (type == TYPE_CRT) + err = + gnutls_x509_crt_get_extension_info(cert.crt, i, + oid, + &sizeof_oid, + &critical); + + else if (type == TYPE_CRQ) + err = + gnutls_x509_crq_get_extension_info(cert.crq, i, + oid, + &sizeof_oid, + &critical); + else { + gnutls_assert(); + return; + } + + if (err < 0) { + if (err == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) + break; + addf(str, "error: get_extension_info: %s\n", + gnutls_strerror(err)); + continue; + } + + if (i == 0) + addf(str, _("%s\tExtensions:\n"), prefix); + + if (strcmp(oid, "2.5.29.19") == 0) { + if (basic_idx) { + addf(str, + "error: more than one basic constraint\n"); + continue; + } + + addf(str, _("%s\t\tBasic Constraints (%s):\n"), + prefix, + critical ? _("critical") : _("not critical")); + + print_basic(str, prefix, type, cert); + + basic_idx++; + } else if (strcmp(oid, "2.5.29.14") == 0) { + if (ski_idx) { + addf(str, + "error: more than one SKI extension\n"); + continue; + } + + addf(str, + _("%s\t\tSubject Key Identifier (%s):\n"), + prefix, + critical ? _("critical") : _("not critical")); + + if (type == TYPE_CRT) + print_ski(str, cert.crt); + + ski_idx++; + } else if (strcmp(oid, "2.5.29.32") == 0) { + struct gnutls_x509_policy_st policy; + const char *name; + int x; + + for (x = 0;; x++) { + err = + gnutls_x509_crt_get_policy(cert.crt, x, + &policy, + &critical); + if (err == + GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) + break; + + if (err < 0) { + addf(str, + "error: certificate policy: %s\n", + gnutls_strerror(err)); + break; + } + + if (x == 0) + addf(str, + "%s\t\tCertificate Policies (%s):\n", + prefix, + critical ? _("critical") : + _("not critical")); + + addf(str, "%s\t\t\t%s\n", prefix, + policy.oid); + for (j = 0; j < policy.qualifiers; j++) { + if (policy.qualifier[j].type == + GNUTLS_X509_QUALIFIER_URI) + name = "URI"; + else if (policy.qualifier[j]. + type == + GNUTLS_X509_QUALIFIER_NOTICE) + name = "Note"; + else + name = "Unknown qualifier"; + addf(str, "%s\t\t\t\t%s: %s\n", + prefix, name, + policy.qualifier[j].data); + } + + gnutls_x509_policy_release(&policy); + } + } else if (strcmp(oid, "2.5.29.35") == 0) { + + if (aki_idx) { + addf(str, + "error: more than one AKI extension\n"); + continue; + } + + addf(str, + _("%s\t\tAuthority Key Identifier (%s):\n"), + prefix, + critical ? _("critical") : _("not critical")); + + if (type == TYPE_CRT) + print_aki(str, TYPE_CRT, cert); + + aki_idx++; + } else if (strcmp(oid, "2.5.29.15") == 0) { + if (keyusage_idx) { + addf(str, + "error: more than one key usage extension\n"); + continue; + } + + addf(str, _("%s\t\tKey Usage (%s):\n"), prefix, + critical ? _("critical") : _("not critical")); + + snprintf(pfx, sizeof(pfx), "%s\t\t\t", prefix); + print_key_usage(str, pfx, type, cert); + + keyusage_idx++; + } else if (strcmp(oid, "2.5.29.16") == 0) { + if (pkey_usage_period_idx) { + addf(str, + "error: more than one private key usage period extension\n"); + continue; + } + + addf(str, + _("%s\t\tPrivate Key Usage Period (%s):\n"), + prefix, + critical ? _("critical") : _("not critical")); + + print_private_key_usage_period(str, prefix, type, + cert); + + pkey_usage_period_idx++; + } else if (strcmp(oid, "2.5.29.37") == 0) { + if (keypurpose_idx) { + addf(str, + "error: more than one key purpose extension\n"); + continue; + } + + addf(str, _("%s\t\tKey Purpose (%s):\n"), prefix, + critical ? _("critical") : _("not critical")); + + print_key_purpose(str, prefix, type, cert); + keypurpose_idx++; + } else if (strcmp(oid, "2.5.29.17") == 0) { + if (san_idx) { + addf(str, + "error: more than one SKI extension\n"); + continue; + } + + addf(str, + _("%s\t\tSubject Alternative Name (%s):\n"), + prefix, + critical ? _("critical") : _("not critical")); + + print_altname(str, prefix, type, cert); + + san_idx++; + } else if (strcmp(oid, "2.5.29.18") == 0) { + if (ian_idx) { + addf(str, + "error: more than one Issuer AltName extension\n"); + continue; + } + + addf(str, + _("%s\t\tIssuer Alternative Name (%s):\n"), + prefix, + critical ? _("critical") : _("not critical")); + + print_altname(str, prefix, TYPE_CRT_IAN, cert); + + ian_idx++; + } else if (strcmp(oid, "2.5.29.31") == 0) { + if (crldist_idx) { + addf(str, + "error: more than one CRL distribution point\n"); + continue; + } + + addf(str, + _("%s\t\tCRL Distribution points (%s):\n"), + prefix, + critical ? _("critical") : _("not critical")); + + if (type == TYPE_CRT) + print_crldist(str, cert.crt); + crldist_idx++; + } else if (strcmp(oid, "1.3.6.1.5.5.7.1.14") == 0) { + if (proxy_idx) { + addf(str, + "error: more than one proxy extension\n"); + continue; + } + + addf(str, + _ + ("%s\t\tProxy Certificate Information (%s):\n"), + prefix, + critical ? _("critical") : _("not critical")); + + if (type == TYPE_CRT) + print_proxy(str, cert.crt); + + proxy_idx++; + } else if (strcmp(oid, "1.3.6.1.5.5.7.1.1") == 0) { + addf(str, _("%s\t\tAuthority Information " + "Access (%s):\n"), prefix, + critical ? _("critical") : _("not critical")); + + if (type == TYPE_CRT) + print_aia(str, cert.crt); + } else { + char *buffer; + size_t extlen = 0; + + addf(str, _("%s\t\tUnknown extension %s (%s):\n"), + prefix, oid, + critical ? _("critical") : _("not critical")); + + if (type == TYPE_CRT) + err = + gnutls_x509_crt_get_extension_data + (cert.crt, i, NULL, &extlen); + else if (type == TYPE_CRQ) + err = + gnutls_x509_crq_get_extension_data + (cert.crq, i, NULL, &extlen); + else { + gnutls_assert(); + return; + } + + if (err < 0) { + addf(str, + "error: get_extension_data: %s\n", + gnutls_strerror(err)); + continue; + } + + buffer = gnutls_malloc(extlen); + if (!buffer) { + addf(str, "error: malloc: %s\n", + gnutls_strerror + (GNUTLS_E_MEMORY_ERROR)); + continue; + } + + if (type == TYPE_CRT) + err = + gnutls_x509_crt_get_extension_data + (cert.crt, i, buffer, &extlen); + else if (type == TYPE_CRQ) + err = + gnutls_x509_crq_get_extension_data + (cert.crq, i, buffer, &extlen); + + if (err < 0) { + gnutls_free(buffer); + addf(str, + "error: get_extension_data2: %s\n", + gnutls_strerror(err)); + continue; + } + + addf(str, _("%s\t\t\tASCII: "), prefix); + _gnutls_buffer_asciiprint(str, buffer, extlen); + addf(str, "\n"); + + addf(str, _("%s\t\t\tHexdump: "), prefix); + _gnutls_buffer_hexprint(str, buffer, extlen); + adds(str, "\n"); + + gnutls_free(buffer); + } + } } static void -print_pubkey (gnutls_buffer_st * str, const char* key_name, gnutls_pubkey_t pubkey, gnutls_certificate_print_formats_t format) +print_pubkey(gnutls_buffer_st * str, const char *key_name, + gnutls_pubkey_t pubkey, + gnutls_certificate_print_formats_t format) { - int err, pk; - const char *name; - unsigned bits; - - err = gnutls_pubkey_get_pk_algorithm (pubkey, &bits); - if (err < 0) - { - addf (str, "error: get_pk_algorithm: %s\n", gnutls_strerror (err)); - return; - } - - name = gnutls_pk_algorithm_get_name (err); - if (name == NULL) - name = _("unknown"); - - pk = err; - - addf (str, _("\t%sPublic Key Algorithm: %s\n"), key_name, name); - addf (str, _("\tAlgorithm Security Level: %s (%d bits)\n"), - gnutls_sec_param_get_name (gnutls_pk_bits_to_sec_param - (err, bits)), bits); - switch (pk) - { - case GNUTLS_PK_RSA: - { - gnutls_datum_t m, e; - - err = gnutls_pubkey_get_pk_rsa_raw (pubkey, &m, &e); - if (err < 0) - addf (str, "error: get_pk_rsa_raw: %s\n", gnutls_strerror (err)); - else - { - if (format == GNUTLS_CRT_PRINT_FULL_NUMBERS) - { - addf (str, _("\t\tModulus (bits %d): "), bits); - _gnutls_buffer_hexprint (str, m.data, m.size); - adds (str, "\n"); - addf (str, _("\t\tExponent (bits %d): "), e.size * 8); - _gnutls_buffer_hexprint (str, e.data, e.size); - adds (str, "\n"); - } - else - { - addf (str, _("\t\tModulus (bits %d):\n"), bits); - _gnutls_buffer_hexdump (str, m.data, m.size, "\t\t\t"); - addf (str, _("\t\tExponent (bits %d):\n"), e.size * 8); - _gnutls_buffer_hexdump (str, e.data, e.size, "\t\t\t"); - } - - gnutls_free (m.data); - gnutls_free (e.data); - } - - } - break; - - case GNUTLS_PK_EC: - { - gnutls_datum_t x, y; - gnutls_ecc_curve_t curve; - - err = gnutls_pubkey_get_pk_ecc_raw (pubkey, &curve, &x, &y); - if (err < 0) - addf (str, "error: get_pk_ecc_raw: %s\n", gnutls_strerror (err)); - else - { - addf (str, _("\t\tCurve:\t%s\n"), - gnutls_ecc_curve_get_name (curve)); - if (format == GNUTLS_CRT_PRINT_FULL_NUMBERS) - { - adds (str, _("\t\tX: ")); - _gnutls_buffer_hexprint (str, x.data, x.size); - adds (str, "\n"); - adds (str, _("\t\tY: ")); - _gnutls_buffer_hexprint (str, y.data, y.size); - adds (str, "\n"); - } - else - { - adds (str, _("\t\tX:\n")); - _gnutls_buffer_hexdump (str, x.data, x.size, "\t\t\t"); - adds (str, _("\t\tY:\n")); - _gnutls_buffer_hexdump (str, y.data, y.size, "\t\t\t"); - } - - gnutls_free (x.data); - gnutls_free (y.data); - - } - } - break; - case GNUTLS_PK_DSA: - { - gnutls_datum_t p, q, g, y; - - err = gnutls_pubkey_get_pk_dsa_raw (pubkey, &p, &q, &g, &y); - if (err < 0) - addf (str, "error: get_pk_dsa_raw: %s\n", gnutls_strerror (err)); - else - { - if (format == GNUTLS_CRT_PRINT_FULL_NUMBERS) - { - addf (str, _("\t\tPublic key (bits %d): "), bits); - _gnutls_buffer_hexprint (str, y.data, y.size); - adds (str, "\n"); - addf (str, _("\t\tP: ")); - _gnutls_buffer_hexprint (str, p.data, p.size); - adds (str, "\n"); - addf (str, _("\t\tQ: ")); - _gnutls_buffer_hexprint (str, q.data, q.size); - adds (str, "\n"); - addf (str, _("\t\tG: ")); - _gnutls_buffer_hexprint (str, g.data, g.size); - adds (str, "\n"); - } - else - { - addf (str, _("\t\tPublic key (bits %d):\n"), bits); - _gnutls_buffer_hexdump (str, y.data, y.size, "\t\t\t"); - adds (str, _("\t\tP:\n")); - _gnutls_buffer_hexdump (str, p.data, p.size, "\t\t\t"); - adds (str, _("\t\tQ:\n")); - _gnutls_buffer_hexdump (str, q.data, q.size, "\t\t\t"); - adds (str, _("\t\tG:\n")); - _gnutls_buffer_hexdump (str, g.data, g.size, "\t\t\t"); - } - - gnutls_free (p.data); - gnutls_free (q.data); - gnutls_free (g.data); - gnutls_free (y.data); - - } - } - break; - - default: - break; - } + int err, pk; + const char *name; + unsigned bits; + + err = gnutls_pubkey_get_pk_algorithm(pubkey, &bits); + if (err < 0) { + addf(str, "error: get_pk_algorithm: %s\n", + gnutls_strerror(err)); + return; + } + + name = gnutls_pk_algorithm_get_name(err); + if (name == NULL) + name = _("unknown"); + + pk = err; + + addf(str, _("\t%sPublic Key Algorithm: %s\n"), key_name, name); + addf(str, _("\tAlgorithm Security Level: %s (%d bits)\n"), + gnutls_sec_param_get_name(gnutls_pk_bits_to_sec_param + (err, bits)), bits); + switch (pk) { + case GNUTLS_PK_RSA: + { + gnutls_datum_t m, e; + + err = gnutls_pubkey_get_pk_rsa_raw(pubkey, &m, &e); + if (err < 0) + addf(str, "error: get_pk_rsa_raw: %s\n", + gnutls_strerror(err)); + else { + if (format == + GNUTLS_CRT_PRINT_FULL_NUMBERS) { + addf(str, + _("\t\tModulus (bits %d): "), + bits); + _gnutls_buffer_hexprint(str, + m.data, + m.size); + adds(str, "\n"); + addf(str, + _("\t\tExponent (bits %d): "), + e.size * 8); + _gnutls_buffer_hexprint(str, + e.data, + e.size); + adds(str, "\n"); + } else { + addf(str, + _("\t\tModulus (bits %d):\n"), + bits); + _gnutls_buffer_hexdump(str, m.data, + m.size, + "\t\t\t"); + addf(str, + _ + ("\t\tExponent (bits %d):\n"), + e.size * 8); + _gnutls_buffer_hexdump(str, e.data, + e.size, + "\t\t\t"); + } + + gnutls_free(m.data); + gnutls_free(e.data); + } + + } + break; + + case GNUTLS_PK_EC: + { + gnutls_datum_t x, y; + gnutls_ecc_curve_t curve; + + err = + gnutls_pubkey_get_pk_ecc_raw(pubkey, &curve, + &x, &y); + if (err < 0) + addf(str, "error: get_pk_ecc_raw: %s\n", + gnutls_strerror(err)); + else { + addf(str, _("\t\tCurve:\t%s\n"), + gnutls_ecc_curve_get_name(curve)); + if (format == + GNUTLS_CRT_PRINT_FULL_NUMBERS) { + adds(str, _("\t\tX: ")); + _gnutls_buffer_hexprint(str, + x.data, + x.size); + adds(str, "\n"); + adds(str, _("\t\tY: ")); + _gnutls_buffer_hexprint(str, + y.data, + y.size); + adds(str, "\n"); + } else { + adds(str, _("\t\tX:\n")); + _gnutls_buffer_hexdump(str, x.data, + x.size, + "\t\t\t"); + adds(str, _("\t\tY:\n")); + _gnutls_buffer_hexdump(str, y.data, + y.size, + "\t\t\t"); + } + + gnutls_free(x.data); + gnutls_free(y.data); + + } + } + break; + case GNUTLS_PK_DSA: + { + gnutls_datum_t p, q, g, y; + + err = + gnutls_pubkey_get_pk_dsa_raw(pubkey, &p, &q, + &g, &y); + if (err < 0) + addf(str, "error: get_pk_dsa_raw: %s\n", + gnutls_strerror(err)); + else { + if (format == + GNUTLS_CRT_PRINT_FULL_NUMBERS) { + addf(str, + _ + ("\t\tPublic key (bits %d): "), + bits); + _gnutls_buffer_hexprint(str, + y.data, + y.size); + adds(str, "\n"); + addf(str, _("\t\tP: ")); + _gnutls_buffer_hexprint(str, + p.data, + p.size); + adds(str, "\n"); + addf(str, _("\t\tQ: ")); + _gnutls_buffer_hexprint(str, + q.data, + q.size); + adds(str, "\n"); + addf(str, _("\t\tG: ")); + _gnutls_buffer_hexprint(str, + g.data, + g.size); + adds(str, "\n"); + } else { + addf(str, + _ + ("\t\tPublic key (bits %d):\n"), + bits); + _gnutls_buffer_hexdump(str, y.data, + y.size, + "\t\t\t"); + adds(str, _("\t\tP:\n")); + _gnutls_buffer_hexdump(str, p.data, + p.size, + "\t\t\t"); + adds(str, _("\t\tQ:\n")); + _gnutls_buffer_hexdump(str, q.data, + q.size, + "\t\t\t"); + adds(str, _("\t\tG:\n")); + _gnutls_buffer_hexdump(str, g.data, + g.size, + "\t\t\t"); + } + + gnutls_free(p.data); + gnutls_free(q.data); + gnutls_free(g.data); + gnutls_free(y.data); + + } + } + break; + + default: + break; + } } static void -print_crt_pubkey (gnutls_buffer_st * str, gnutls_x509_crt_t crt, gnutls_certificate_print_formats_t format) +print_crt_pubkey(gnutls_buffer_st * str, gnutls_x509_crt_t crt, + gnutls_certificate_print_formats_t format) { - gnutls_pubkey_t pubkey; - int ret; + gnutls_pubkey_t pubkey; + int ret; - ret = gnutls_pubkey_init (&pubkey); - if (ret < 0) - return; + ret = gnutls_pubkey_init(&pubkey); + if (ret < 0) + return; - ret = gnutls_pubkey_import_x509 (pubkey, crt, 0); - if (ret < 0) - goto cleanup; + ret = gnutls_pubkey_import_x509(pubkey, crt, 0); + if (ret < 0) + goto cleanup; - print_pubkey (str, _("Subject "), pubkey, format); + print_pubkey(str, _("Subject "), pubkey, format); -cleanup: - gnutls_pubkey_deinit (pubkey); - return; + cleanup: + gnutls_pubkey_deinit(pubkey); + return; } static void -print_cert (gnutls_buffer_st * str, gnutls_x509_crt_t cert, - gnutls_certificate_print_formats_t format) +print_cert(gnutls_buffer_st * str, gnutls_x509_crt_t cert, + gnutls_certificate_print_formats_t format) { - /* Version. */ - { - int version = gnutls_x509_crt_get_version (cert); - if (version < 0) - addf (str, "error: get_version: %s\n", gnutls_strerror (version)); - else - addf (str, _("\tVersion: %d\n"), version); - } - - /* Serial. */ - { - char serial[128]; - size_t serial_size = sizeof (serial); - int err; - - err = gnutls_x509_crt_get_serial (cert, serial, &serial_size); - if (err < 0) - addf (str, "error: get_serial: %s\n", gnutls_strerror (err)); - else - { - adds (str, _("\tSerial Number (hex): ")); - _gnutls_buffer_hexprint (str, serial, serial_size); - adds (str, "\n"); - } - } - - /* Issuer. */ - if (format != GNUTLS_CRT_PRINT_UNSIGNED_FULL) - { - char *dn; - size_t dn_size = 0; - int err; - - err = gnutls_x509_crt_get_issuer_dn (cert, NULL, &dn_size); - if (err != GNUTLS_E_SHORT_MEMORY_BUFFER) - addf (str, "error: get_issuer_dn: %s\n", gnutls_strerror (err)); - else - { - dn = gnutls_malloc (dn_size); - if (!dn) - addf (str, "error: malloc (%d): %s\n", (int) dn_size, - gnutls_strerror (GNUTLS_E_MEMORY_ERROR)); - else - { - err = gnutls_x509_crt_get_issuer_dn (cert, dn, &dn_size); - if (err < 0) - addf (str, "error: get_issuer_dn: %s\n", - gnutls_strerror (err)); - else - addf (str, _("\tIssuer: %s\n"), dn); - gnutls_free (dn); - } - } - } - - /* Validity. */ - { - time_t tim; - - adds (str, _("\tValidity:\n")); - - tim = gnutls_x509_crt_get_activation_time (cert); - { - char s[42]; - size_t max = sizeof (s); - struct tm t; - - if (gmtime_r (&tim, &t) == NULL) - addf (str, "error: gmtime_r (%ld)\n", (unsigned long) tim); - else if (strftime (s, max, "%a %b %d %H:%M:%S UTC %Y", &t) == 0) - addf (str, "error: strftime (%ld)\n", (unsigned long) tim); - else - addf (str, _("\t\tNot Before: %s\n"), s); - } - - tim = gnutls_x509_crt_get_expiration_time (cert); - { - char s[42]; - size_t max = sizeof (s); - struct tm t; - - if (gmtime_r (&tim, &t) == NULL) - addf (str, "error: gmtime_r (%ld)\n", (unsigned long) tim); - else if (strftime (s, max, "%a %b %d %H:%M:%S UTC %Y", &t) == 0) - addf (str, "error: strftime (%ld)\n", (unsigned long) tim); - else - addf (str, _("\t\tNot After: %s\n"), s); - } - } - - /* Subject. */ - { - char *dn; - size_t dn_size = 0; - int err; - - err = gnutls_x509_crt_get_dn (cert, NULL, &dn_size); - if (err != GNUTLS_E_SHORT_MEMORY_BUFFER) - addf (str, "error: get_dn: %s\n", gnutls_strerror (err)); - else - { - dn = gnutls_malloc (dn_size); - if (!dn) - addf (str, "error: malloc (%d): %s\n", (int) dn_size, - gnutls_strerror (GNUTLS_E_MEMORY_ERROR)); - else - { - err = gnutls_x509_crt_get_dn (cert, dn, &dn_size); - if (err < 0) - addf (str, "error: get_dn: %s\n", gnutls_strerror (err)); - else - addf (str, _("\tSubject: %s\n"), dn); - gnutls_free (dn); - } - } - } - - /* SubjectPublicKeyInfo. */ - print_crt_pubkey(str, cert, format); - - print_unique_ids (str, cert); - - /* Extensions. */ - if (gnutls_x509_crt_get_version (cert) >= 3) - { - cert_type_t ccert; - - ccert.crt = cert; - print_extensions (str, "", TYPE_CRT, ccert); - } - - /* Signature. */ - if (format != GNUTLS_CRT_PRINT_UNSIGNED_FULL) - { - int err; - size_t size = 0; - char *buffer = NULL; - - err = gnutls_x509_crt_get_signature_algorithm (cert); - if (err < 0) - addf (str, "error: get_signature_algorithm: %s\n", - gnutls_strerror (err)); - else - { - const char *name = gnutls_sign_algorithm_get_name (err); - if (name == NULL) - name = _("unknown"); - addf (str, _("\tSignature Algorithm: %s\n"), name); - } - if (gnutls_sign_is_secure (err) == 0) - { - adds (str, _("warning: signed using a broken signature " - "algorithm that can be forged.\n")); - } - - err = gnutls_x509_crt_get_signature (cert, buffer, &size); - if (err != GNUTLS_E_SHORT_MEMORY_BUFFER) - { - addf (str, "error: get_signature: %s\n", gnutls_strerror (err)); - return; - } - - buffer = gnutls_malloc (size); - if (!buffer) - { - addf (str, "error: malloc: %s\n", - gnutls_strerror (GNUTLS_E_MEMORY_ERROR)); - return; - } - - err = gnutls_x509_crt_get_signature (cert, buffer, &size); - if (err < 0) - { - gnutls_free (buffer); - addf (str, "error: get_signature2: %s\n", gnutls_strerror (err)); - return; - } - - adds (str, _("\tSignature:\n")); - _gnutls_buffer_hexdump (str, buffer, size, "\t\t"); - - gnutls_free (buffer); - } + /* Version. */ + { + int version = gnutls_x509_crt_get_version(cert); + if (version < 0) + addf(str, "error: get_version: %s\n", + gnutls_strerror(version)); + else + addf(str, _("\tVersion: %d\n"), version); + } + + /* Serial. */ + { + char serial[128]; + size_t serial_size = sizeof(serial); + int err; + + err = + gnutls_x509_crt_get_serial(cert, serial, &serial_size); + if (err < 0) + addf(str, "error: get_serial: %s\n", + gnutls_strerror(err)); + else { + adds(str, _("\tSerial Number (hex): ")); + _gnutls_buffer_hexprint(str, serial, serial_size); + adds(str, "\n"); + } + } + + /* Issuer. */ + if (format != GNUTLS_CRT_PRINT_UNSIGNED_FULL) { + char *dn; + size_t dn_size = 0; + int err; + + err = gnutls_x509_crt_get_issuer_dn(cert, NULL, &dn_size); + if (err != GNUTLS_E_SHORT_MEMORY_BUFFER) + addf(str, "error: get_issuer_dn: %s\n", + gnutls_strerror(err)); + else { + dn = gnutls_malloc(dn_size); + if (!dn) + addf(str, "error: malloc (%d): %s\n", + (int) dn_size, + gnutls_strerror + (GNUTLS_E_MEMORY_ERROR)); + else { + err = + gnutls_x509_crt_get_issuer_dn(cert, dn, + &dn_size); + if (err < 0) + addf(str, + "error: get_issuer_dn: %s\n", + gnutls_strerror(err)); + else + addf(str, _("\tIssuer: %s\n"), dn); + gnutls_free(dn); + } + } + } + + /* Validity. */ + { + time_t tim; + + adds(str, _("\tValidity:\n")); + + tim = gnutls_x509_crt_get_activation_time(cert); + { + char s[42]; + size_t max = sizeof(s); + struct tm t; + + if (gmtime_r(&tim, &t) == NULL) + addf(str, "error: gmtime_r (%ld)\n", + (unsigned long) tim); + else if (strftime + (s, max, "%a %b %d %H:%M:%S UTC %Y", + &t) == 0) + addf(str, "error: strftime (%ld)\n", + (unsigned long) tim); + else + addf(str, _("\t\tNot Before: %s\n"), s); + } + + tim = gnutls_x509_crt_get_expiration_time(cert); + { + char s[42]; + size_t max = sizeof(s); + struct tm t; + + if (gmtime_r(&tim, &t) == NULL) + addf(str, "error: gmtime_r (%ld)\n", + (unsigned long) tim); + else if (strftime + (s, max, "%a %b %d %H:%M:%S UTC %Y", + &t) == 0) + addf(str, "error: strftime (%ld)\n", + (unsigned long) tim); + else + addf(str, _("\t\tNot After: %s\n"), s); + } + } + + /* Subject. */ + { + char *dn; + size_t dn_size = 0; + int err; + + err = gnutls_x509_crt_get_dn(cert, NULL, &dn_size); + if (err != GNUTLS_E_SHORT_MEMORY_BUFFER) + addf(str, "error: get_dn: %s\n", + gnutls_strerror(err)); + else { + dn = gnutls_malloc(dn_size); + if (!dn) + addf(str, "error: malloc (%d): %s\n", + (int) dn_size, + gnutls_strerror + (GNUTLS_E_MEMORY_ERROR)); + else { + err = + gnutls_x509_crt_get_dn(cert, dn, + &dn_size); + if (err < 0) + addf(str, "error: get_dn: %s\n", + gnutls_strerror(err)); + else + addf(str, _("\tSubject: %s\n"), + dn); + gnutls_free(dn); + } + } + } + + /* SubjectPublicKeyInfo. */ + print_crt_pubkey(str, cert, format); + + print_unique_ids(str, cert); + + /* Extensions. */ + if (gnutls_x509_crt_get_version(cert) >= 3) { + cert_type_t ccert; + + ccert.crt = cert; + print_extensions(str, "", TYPE_CRT, ccert); + } + + /* Signature. */ + if (format != GNUTLS_CRT_PRINT_UNSIGNED_FULL) { + int err; + size_t size = 0; + char *buffer = NULL; + + err = gnutls_x509_crt_get_signature_algorithm(cert); + if (err < 0) + addf(str, "error: get_signature_algorithm: %s\n", + gnutls_strerror(err)); + else { + const char *name = + gnutls_sign_algorithm_get_name(err); + if (name == NULL) + name = _("unknown"); + addf(str, _("\tSignature Algorithm: %s\n"), name); + } + if (gnutls_sign_is_secure(err) == 0) { + adds(str, + _("warning: signed using a broken signature " + "algorithm that can be forged.\n")); + } + + err = gnutls_x509_crt_get_signature(cert, buffer, &size); + if (err != GNUTLS_E_SHORT_MEMORY_BUFFER) { + addf(str, "error: get_signature: %s\n", + gnutls_strerror(err)); + return; + } + + buffer = gnutls_malloc(size); + if (!buffer) { + addf(str, "error: malloc: %s\n", + gnutls_strerror(GNUTLS_E_MEMORY_ERROR)); + return; + } + + err = gnutls_x509_crt_get_signature(cert, buffer, &size); + if (err < 0) { + gnutls_free(buffer); + addf(str, "error: get_signature2: %s\n", + gnutls_strerror(err)); + return; + } + + adds(str, _("\tSignature:\n")); + _gnutls_buffer_hexdump(str, buffer, size, "\t\t"); + + gnutls_free(buffer); + } } static void -print_fingerprint (gnutls_buffer_st * str, gnutls_x509_crt_t cert, - gnutls_digest_algorithm_t algo) +print_fingerprint(gnutls_buffer_st * str, gnutls_x509_crt_t cert, + gnutls_digest_algorithm_t algo) { - int err; - char buffer[MAX_HASH_SIZE]; - size_t size = sizeof (buffer); - - err = gnutls_x509_crt_get_fingerprint (cert, algo, buffer, &size); - if (err < 0) - { - addf (str, "error: get_fingerprint: %s\n", gnutls_strerror (err)); - return; - } - - if (algo == GNUTLS_DIG_MD5) - adds (str, _("\tMD5 fingerprint:\n\t\t")); - else - adds (str, _("\tSHA-1 fingerprint:\n\t\t")); - _gnutls_buffer_hexprint (str, buffer, size); - adds (str, "\n"); + int err; + char buffer[MAX_HASH_SIZE]; + size_t size = sizeof(buffer); + + err = gnutls_x509_crt_get_fingerprint(cert, algo, buffer, &size); + if (err < 0) { + addf(str, "error: get_fingerprint: %s\n", + gnutls_strerror(err)); + return; + } + + if (algo == GNUTLS_DIG_MD5) + adds(str, _("\tMD5 fingerprint:\n\t\t")); + else + adds(str, _("\tSHA-1 fingerprint:\n\t\t")); + _gnutls_buffer_hexprint(str, buffer, size); + adds(str, "\n"); } -static void -print_keyid (gnutls_buffer_st * str, gnutls_x509_crt_t cert) +static void print_keyid(gnutls_buffer_st * str, gnutls_x509_crt_t cert) { - int err; - unsigned char buffer[32]; - size_t size = sizeof (buffer); - const char *name; - char *p; - unsigned int bits; - - err = gnutls_x509_crt_get_key_id (cert, 0, buffer, &size); - if (err < 0) - { - addf (str, "error: get_key_id: %s\n", gnutls_strerror (err)); - return; - } - - adds (str, _("\tPublic Key ID:\n\t\t")); - _gnutls_buffer_hexprint (str, buffer, size); - adds (str, "\n"); - - err = gnutls_x509_crt_get_pk_algorithm (cert, &bits); - if (err < 0) - return; - - name = gnutls_pk_get_name (err); - if (name == NULL) - return; - - p = _gnutls_key_fingerprint_randomart (buffer, size, name, bits, "\t\t"); - if (p == NULL) - return; - - adds (str, _("\tPublic key's random art:\n")); - adds (str, p); - adds (str, "\n"); - - gnutls_free (p); + int err; + unsigned char buffer[32]; + size_t size = sizeof(buffer); + const char *name; + char *p; + unsigned int bits; + + err = gnutls_x509_crt_get_key_id(cert, 0, buffer, &size); + if (err < 0) { + addf(str, "error: get_key_id: %s\n", gnutls_strerror(err)); + return; + } + + adds(str, _("\tPublic Key ID:\n\t\t")); + _gnutls_buffer_hexprint(str, buffer, size); + adds(str, "\n"); + + err = gnutls_x509_crt_get_pk_algorithm(cert, &bits); + if (err < 0) + return; + + name = gnutls_pk_get_name(err); + if (name == NULL) + return; + + p = _gnutls_key_fingerprint_randomart(buffer, size, name, bits, + "\t\t"); + if (p == NULL) + return; + + adds(str, _("\tPublic key's random art:\n")); + adds(str, p); + adds(str, "\n"); + + gnutls_free(p); } static void -print_other (gnutls_buffer_st * str, gnutls_x509_crt_t cert, - gnutls_certificate_print_formats_t format) +print_other(gnutls_buffer_st * str, gnutls_x509_crt_t cert, + gnutls_certificate_print_formats_t format) { - if (format != GNUTLS_CRT_PRINT_UNSIGNED_FULL) - { - print_fingerprint (str, cert, GNUTLS_DIG_SHA1); - } - print_keyid (str, cert); + if (format != GNUTLS_CRT_PRINT_UNSIGNED_FULL) { + print_fingerprint(str, cert, GNUTLS_DIG_SHA1); + } + print_keyid(str, cert); } -static void -print_oneline (gnutls_buffer_st * str, gnutls_x509_crt_t cert) +static void print_oneline(gnutls_buffer_st * str, gnutls_x509_crt_t cert) { - int err; - - /* Subject. */ - { - char *dn; - size_t dn_size = 0; - - err = gnutls_x509_crt_get_dn (cert, NULL, &dn_size); - if (err != GNUTLS_E_SHORT_MEMORY_BUFFER) - addf (str, "unknown subject (%s), ", gnutls_strerror (err)); - else - { - dn = gnutls_malloc (dn_size); - if (!dn) - addf (str, "unknown subject (%s), ", - gnutls_strerror (GNUTLS_E_MEMORY_ERROR)); - else - { - err = gnutls_x509_crt_get_dn (cert, dn, &dn_size); - if (err < 0) - addf (str, "unknown subject (%s), ", gnutls_strerror (err)); - else - addf (str, "subject `%s', ", dn); - gnutls_free (dn); - } - } - } - - /* Issuer. */ - { - char *dn; - size_t dn_size = 0; - - err = gnutls_x509_crt_get_issuer_dn (cert, NULL, &dn_size); - if (err != GNUTLS_E_SHORT_MEMORY_BUFFER) - addf (str, "unknown issuer (%s), ", gnutls_strerror (err)); - else - { - dn = gnutls_malloc (dn_size); - if (!dn) - addf (str, "unknown issuer (%s), ", - gnutls_strerror (GNUTLS_E_MEMORY_ERROR)); - else - { - err = gnutls_x509_crt_get_issuer_dn (cert, dn, &dn_size); - if (err < 0) - addf (str, "unknown issuer (%s), ", gnutls_strerror (err)); - else - addf (str, "issuer `%s', ", dn); - gnutls_free (dn); - } - } - } - - /* Key algorithm and size. */ - { - unsigned int bits; - const char *name = gnutls_pk_algorithm_get_name - (gnutls_x509_crt_get_pk_algorithm (cert, &bits)); - if (name == NULL) - name = "Unknown"; - addf (str, "%s key %d bits, ", name, bits); - } - - /* Signature Algorithm. */ - { - err = gnutls_x509_crt_get_signature_algorithm (cert); - if (err < 0) - addf (str, "unknown signature algorithm (%s), ", gnutls_strerror (err)); - else - { - const char *name = gnutls_sign_algorithm_get_name (err); - if (name == NULL) - name = _("unknown"); - if (gnutls_sign_is_secure (err) == 0) - addf (str, _("signed using %s (broken!), "), name); - else - addf (str, _("signed using %s, "), name); - } - } - - /* Validity. */ - { - time_t tim; - - tim = gnutls_x509_crt_get_activation_time (cert); - { - char s[42]; - size_t max = sizeof (s); - struct tm t; - - if (gmtime_r (&tim, &t) == NULL) - addf (str, "unknown activation (%ld), ", (unsigned long) tim); - else if (strftime (s, max, "%Y-%m-%d %H:%M:%S UTC", &t) == 0) - addf (str, "failed activation (%ld), ", (unsigned long) tim); - else - addf (str, "activated `%s', ", s); - } - - tim = gnutls_x509_crt_get_expiration_time (cert); - { - char s[42]; - size_t max = sizeof (s); - struct tm t; - - if (gmtime_r (&tim, &t) == NULL) - addf (str, "unknown expiry (%ld), ", (unsigned long) tim); - else if (strftime (s, max, "%Y-%m-%d %H:%M:%S UTC", &t) == 0) - addf (str, "failed expiry (%ld), ", (unsigned long) tim); - else - addf (str, "expires `%s', ", s); - } - } - - { - int pathlen; - char *policyLanguage; - - err = gnutls_x509_crt_get_proxy (cert, NULL, - &pathlen, &policyLanguage, NULL, NULL); - if (err == 0) - { - addf (str, "proxy certificate (policy="); - if (strcmp (policyLanguage, "1.3.6.1.5.5.7.21.1") == 0) - addf (str, "id-ppl-inheritALL"); - else if (strcmp (policyLanguage, "1.3.6.1.5.5.7.21.2") == 0) - addf (str, "id-ppl-independent"); - else - addf (str, "%s", policyLanguage); - if (pathlen >= 0) - addf (str, ", pathlen=%d), ", pathlen); - else - addf (str, "), "); - gnutls_free (policyLanguage); - } - } - - { - char buffer[20]; - size_t size = sizeof (buffer); - - err = gnutls_x509_crt_get_fingerprint (cert, GNUTLS_DIG_SHA1, - buffer, &size); - if (err < 0) - { - addf (str, "unknown fingerprint (%s)", gnutls_strerror (err)); - } - else - { - addf (str, "SHA-1 fingerprint `"); - _gnutls_buffer_hexprint (str, buffer, size); - adds (str, "'"); - } - } + int err; + + /* Subject. */ + { + char *dn; + size_t dn_size = 0; + + err = gnutls_x509_crt_get_dn(cert, NULL, &dn_size); + if (err != GNUTLS_E_SHORT_MEMORY_BUFFER) + addf(str, "unknown subject (%s), ", + gnutls_strerror(err)); + else { + dn = gnutls_malloc(dn_size); + if (!dn) + addf(str, "unknown subject (%s), ", + gnutls_strerror + (GNUTLS_E_MEMORY_ERROR)); + else { + err = + gnutls_x509_crt_get_dn(cert, dn, + &dn_size); + if (err < 0) + addf(str, "unknown subject (%s), ", + gnutls_strerror(err)); + else + addf(str, "subject `%s', ", dn); + gnutls_free(dn); + } + } + } + + /* Issuer. */ + { + char *dn; + size_t dn_size = 0; + + err = gnutls_x509_crt_get_issuer_dn(cert, NULL, &dn_size); + if (err != GNUTLS_E_SHORT_MEMORY_BUFFER) + addf(str, "unknown issuer (%s), ", + gnutls_strerror(err)); + else { + dn = gnutls_malloc(dn_size); + if (!dn) + addf(str, "unknown issuer (%s), ", + gnutls_strerror + (GNUTLS_E_MEMORY_ERROR)); + else { + err = + gnutls_x509_crt_get_issuer_dn(cert, dn, + &dn_size); + if (err < 0) + addf(str, "unknown issuer (%s), ", + gnutls_strerror(err)); + else + addf(str, "issuer `%s', ", dn); + gnutls_free(dn); + } + } + } + + /* Key algorithm and size. */ + { + unsigned int bits; + const char *name = gnutls_pk_algorithm_get_name + (gnutls_x509_crt_get_pk_algorithm(cert, &bits)); + if (name == NULL) + name = "Unknown"; + addf(str, "%s key %d bits, ", name, bits); + } + + /* Signature Algorithm. */ + { + err = gnutls_x509_crt_get_signature_algorithm(cert); + if (err < 0) + addf(str, "unknown signature algorithm (%s), ", + gnutls_strerror(err)); + else { + const char *name = + gnutls_sign_algorithm_get_name(err); + if (name == NULL) + name = _("unknown"); + if (gnutls_sign_is_secure(err) == 0) + addf(str, _("signed using %s (broken!), "), + name); + else + addf(str, _("signed using %s, "), name); + } + } + + /* Validity. */ + { + time_t tim; + + tim = gnutls_x509_crt_get_activation_time(cert); + { + char s[42]; + size_t max = sizeof(s); + struct tm t; + + if (gmtime_r(&tim, &t) == NULL) + addf(str, "unknown activation (%ld), ", + (unsigned long) tim); + else if (strftime + (s, max, "%Y-%m-%d %H:%M:%S UTC", + &t) == 0) + addf(str, "failed activation (%ld), ", + (unsigned long) tim); + else + addf(str, "activated `%s', ", s); + } + + tim = gnutls_x509_crt_get_expiration_time(cert); + { + char s[42]; + size_t max = sizeof(s); + struct tm t; + + if (gmtime_r(&tim, &t) == NULL) + addf(str, "unknown expiry (%ld), ", + (unsigned long) tim); + else if (strftime + (s, max, "%Y-%m-%d %H:%M:%S UTC", + &t) == 0) + addf(str, "failed expiry (%ld), ", + (unsigned long) tim); + else + addf(str, "expires `%s', ", s); + } + } + + { + int pathlen; + char *policyLanguage; + + err = gnutls_x509_crt_get_proxy(cert, NULL, + &pathlen, &policyLanguage, + NULL, NULL); + if (err == 0) { + addf(str, "proxy certificate (policy="); + if (strcmp(policyLanguage, "1.3.6.1.5.5.7.21.1") == + 0) + addf(str, "id-ppl-inheritALL"); + else if (strcmp + (policyLanguage, + "1.3.6.1.5.5.7.21.2") == 0) + addf(str, "id-ppl-independent"); + else + addf(str, "%s", policyLanguage); + if (pathlen >= 0) + addf(str, ", pathlen=%d), ", pathlen); + else + addf(str, "), "); + gnutls_free(policyLanguage); + } + } + + { + char buffer[20]; + size_t size = sizeof(buffer); + + err = + gnutls_x509_crt_get_fingerprint(cert, GNUTLS_DIG_SHA1, + buffer, &size); + if (err < 0) { + addf(str, "unknown fingerprint (%s)", + gnutls_strerror(err)); + } else { + addf(str, "SHA-1 fingerprint `"); + _gnutls_buffer_hexprint(str, buffer, size); + adds(str, "'"); + } + } } @@ -1822,361 +1962,394 @@ print_oneline (gnutls_buffer_st * str, gnutls_x509_crt_t cert) * negative error value. **/ int -gnutls_x509_crt_print (gnutls_x509_crt_t cert, - gnutls_certificate_print_formats_t format, - gnutls_datum_t * out) +gnutls_x509_crt_print(gnutls_x509_crt_t cert, + gnutls_certificate_print_formats_t format, + gnutls_datum_t * out) { - gnutls_buffer_st str; - int ret; + gnutls_buffer_st str; + int ret; - if (format == GNUTLS_CRT_PRINT_COMPACT) - { - _gnutls_buffer_init (&str); + if (format == GNUTLS_CRT_PRINT_COMPACT) { + _gnutls_buffer_init(&str); - print_oneline (&str, cert); + print_oneline(&str, cert); - _gnutls_buffer_append_data (&str, "\n", 1); - print_keyid (&str, cert); + _gnutls_buffer_append_data(&str, "\n", 1); + print_keyid(&str, cert); - _gnutls_buffer_append_data (&str, "\0", 1); + _gnutls_buffer_append_data(&str, "\0", 1); - ret = _gnutls_buffer_to_datum (&str, out); - if (out->size > 0) - out->size--; + ret = _gnutls_buffer_to_datum(&str, out); + if (out->size > 0) + out->size--; - return ret; - } - else if (format == GNUTLS_CRT_PRINT_ONELINE) - { - _gnutls_buffer_init (&str); + return ret; + } else if (format == GNUTLS_CRT_PRINT_ONELINE) { + _gnutls_buffer_init(&str); - print_oneline (&str, cert); + print_oneline(&str, cert); - _gnutls_buffer_append_data (&str, "\0", 1); + _gnutls_buffer_append_data(&str, "\0", 1); - ret = _gnutls_buffer_to_datum (&str, out); - if (out->size > 0) - out->size--; + ret = _gnutls_buffer_to_datum(&str, out); + if (out->size > 0) + out->size--; - return ret; - } - else - { - _gnutls_buffer_init (&str); + return ret; + } else { + _gnutls_buffer_init(&str); - _gnutls_buffer_append_str (&str, _("X.509 Certificate Information:\n")); + _gnutls_buffer_append_str(&str, + _ + ("X.509 Certificate Information:\n")); - print_cert (&str, cert, format); + print_cert(&str, cert, format); - _gnutls_buffer_append_str (&str, _("Other Information:\n")); + _gnutls_buffer_append_str(&str, _("Other Information:\n")); - print_other (&str, cert, format); + print_other(&str, cert, format); - _gnutls_buffer_append_data (&str, "\0", 1); + _gnutls_buffer_append_data(&str, "\0", 1); - ret = _gnutls_buffer_to_datum (&str, out); - if (out->size > 0) - out->size--; + ret = _gnutls_buffer_to_datum(&str, out); + if (out->size > 0) + out->size--; - return ret; - } + return ret; + } } static void -print_crl (gnutls_buffer_st * str, gnutls_x509_crl_t crl, int notsigned) +print_crl(gnutls_buffer_st * str, gnutls_x509_crl_t crl, int notsigned) { - /* Version. */ - { - int version = gnutls_x509_crl_get_version (crl); - if (version == GNUTLS_E_ASN1_ELEMENT_NOT_FOUND) - adds (str, _("\tVersion: 1 (default)\n")); - else if (version < 0) - addf (str, "error: get_version: %s\n", gnutls_strerror (version)); - else - addf (str, _("\tVersion: %d\n"), version); - } - - /* Issuer. */ - if (!notsigned) - { - char *dn; - size_t dn_size = 0; - int err; - - err = gnutls_x509_crl_get_issuer_dn (crl, NULL, &dn_size); - if (err != GNUTLS_E_SHORT_MEMORY_BUFFER) - addf (str, "error: get_issuer_dn: %s\n", gnutls_strerror (err)); - else - { - dn = gnutls_malloc (dn_size); - if (!dn) - addf (str, "error: malloc (%d): %s\n", (int) dn_size, - gnutls_strerror (GNUTLS_E_MEMORY_ERROR)); - else - { - err = gnutls_x509_crl_get_issuer_dn (crl, dn, &dn_size); - if (err < 0) - addf (str, "error: get_issuer_dn: %s\n", - gnutls_strerror (err)); - else - addf (str, _("\tIssuer: %s\n"), dn); - } - gnutls_free (dn); - } - } - - /* Validity. */ - { - time_t tim; - - adds (str, _("\tUpdate dates:\n")); - - tim = gnutls_x509_crl_get_this_update (crl); - { - char s[42]; - size_t max = sizeof (s); - struct tm t; - - if (gmtime_r (&tim, &t) == NULL) - addf (str, "error: gmtime_r (%ld)\n", (unsigned long) tim); - else if (strftime (s, max, "%a %b %d %H:%M:%S UTC %Y", &t) == 0) - addf (str, "error: strftime (%ld)\n", (unsigned long) tim); - else - addf (str, _("\t\tIssued: %s\n"), s); - } - - tim = gnutls_x509_crl_get_next_update (crl); - { - char s[42]; - size_t max = sizeof (s); - struct tm t; - - if (tim == -1) - addf (str, "\t\tNo next update time.\n"); - else if (gmtime_r (&tim, &t) == NULL) - addf (str, "error: gmtime_r (%ld)\n", (unsigned long) tim); - else if (strftime (s, max, "%a %b %d %H:%M:%S UTC %Y", &t) == 0) - addf (str, "error: strftime (%ld)\n", (unsigned long) tim); - else - addf (str, _("\t\tNext at: %s\n"), s); - } - } - - /* Extensions. */ - if (gnutls_x509_crl_get_version (crl) >= 2) - { - size_t i; - int err = 0; - int aki_idx = 0; - int crl_nr = 0; - - for (i = 0;; i++) - { - char oid[MAX_OID_SIZE] = ""; - size_t sizeof_oid = sizeof (oid); - unsigned int critical; - - err = gnutls_x509_crl_get_extension_info (crl, i, - oid, &sizeof_oid, - &critical); - if (err < 0) - { - if (err == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) - break; - addf (str, "error: get_extension_info: %s\n", - gnutls_strerror (err)); - continue; - } - - if (i == 0) - adds (str, _("\tExtensions:\n")); - - if (strcmp (oid, "2.5.29.20") == 0) - { - char nr[128]; - size_t nr_size = sizeof (nr); - - if (crl_nr) - { - addf (str, "error: more than one CRL number\n"); - continue; - } - - err = gnutls_x509_crl_get_number (crl, nr, &nr_size, &critical); - - addf (str, _("\t\tCRL Number (%s): "), - critical ? _("critical") : _("not critical")); - - if (err < 0) - addf (str, "error: get_number: %s\n", gnutls_strerror (err)); - else - { - _gnutls_buffer_hexprint (str, nr, nr_size); - addf (str, "\n"); - } - - crl_nr++; - } - else if (strcmp (oid, "2.5.29.35") == 0) - { - cert_type_t ccert; - - if (aki_idx) - { - addf (str, "error: more than one AKI extension\n"); - continue; - } - - addf (str, _("\t\tAuthority Key Identifier (%s):\n"), - critical ? _("critical") : _("not critical")); - - ccert.crl = crl; - print_aki (str, TYPE_CRL, ccert); - - aki_idx++; - } - else - { - char *buffer; - size_t extlen = 0; - - addf (str, _("\t\tUnknown extension %s (%s):\n"), oid, - critical ? _("critical") : _("not critical")); - - err = gnutls_x509_crl_get_extension_data (crl, i, - NULL, &extlen); - if (err < 0) - { - addf (str, "error: get_extension_data: %s\n", - gnutls_strerror (err)); - continue; - } - - buffer = gnutls_malloc (extlen); - if (!buffer) - { - addf (str, "error: malloc: %s\n", - gnutls_strerror (GNUTLS_E_MEMORY_ERROR)); - continue; - } - - err = gnutls_x509_crl_get_extension_data (crl, i, - buffer, &extlen); - if (err < 0) - { - gnutls_free (buffer); - addf (str, "error: get_extension_data2: %s\n", - gnutls_strerror (err)); - continue; - } - - adds (str, _("\t\t\tASCII: ")); - _gnutls_buffer_asciiprint (str, buffer, extlen); - adds (str, "\n"); - - adds (str, _("\t\t\tHexdump: ")); - _gnutls_buffer_hexprint (str, buffer, extlen); - adds (str, "\n"); - - gnutls_free (buffer); - } - } - } - - - /* Revoked certificates. */ - { - int num = gnutls_x509_crl_get_crt_count (crl); - int j; - - if (num) - addf (str, _("\tRevoked certificates (%d):\n"), num); - else - adds (str, _("\tNo revoked certificates.\n")); - - for (j = 0; j < num; j++) - { - unsigned char serial[128]; - size_t serial_size = sizeof (serial); - int err; - time_t tim; - - err = gnutls_x509_crl_get_crt_serial (crl, j, serial, - &serial_size, &tim); - if (err < 0) - addf (str, "error: get_crt_serial: %s\n", gnutls_strerror (err)); - else - { - char s[42]; - size_t max = sizeof (s); - struct tm t; - - adds (str, _("\t\tSerial Number (hex): ")); - _gnutls_buffer_hexprint (str, serial, serial_size); - adds (str, "\n"); - - if (gmtime_r (&tim, &t) == NULL) - addf (str, "error: gmtime_r (%ld)\n", (unsigned long) tim); - else if (strftime (s, max, "%a %b %d %H:%M:%S UTC %Y", &t) == 0) - addf (str, "error: strftime (%ld)\n", (unsigned long) tim); - else - addf (str, _("\t\tRevoked at: %s\n"), s); - } - } - } - - /* Signature. */ - if (!notsigned) - { - int err; - size_t size = 0; - char *buffer = NULL; - - err = gnutls_x509_crl_get_signature_algorithm (crl); - if (err < 0) - addf (str, "error: get_signature_algorithm: %s\n", - gnutls_strerror (err)); - else - { - const char *name = gnutls_sign_algorithm_get_name (err); - if (name == NULL) - name = _("unknown"); - addf (str, _("\tSignature Algorithm: %s\n"), name); - } - if (gnutls_sign_is_secure (err) == 0) - { - adds (str, _("warning: signed using a broken signature " - "algorithm that can be forged.\n")); - } - - err = gnutls_x509_crl_get_signature (crl, buffer, &size); - if (err != GNUTLS_E_SHORT_MEMORY_BUFFER) - { - addf (str, "error: get_signature: %s\n", gnutls_strerror (err)); - return; - } - - buffer = gnutls_malloc (size); - if (!buffer) - { - addf (str, "error: malloc: %s\n", - gnutls_strerror (GNUTLS_E_MEMORY_ERROR)); - return; - } - - err = gnutls_x509_crl_get_signature (crl, buffer, &size); - if (err < 0) - { - gnutls_free (buffer); - addf (str, "error: get_signature2: %s\n", gnutls_strerror (err)); - return; - } - - adds (str, _("\tSignature:\n")); - _gnutls_buffer_hexdump (str, buffer, size, "\t\t"); - - gnutls_free (buffer); - } + /* Version. */ + { + int version = gnutls_x509_crl_get_version(crl); + if (version == GNUTLS_E_ASN1_ELEMENT_NOT_FOUND) + adds(str, _("\tVersion: 1 (default)\n")); + else if (version < 0) + addf(str, "error: get_version: %s\n", + gnutls_strerror(version)); + else + addf(str, _("\tVersion: %d\n"), version); + } + + /* Issuer. */ + if (!notsigned) { + char *dn; + size_t dn_size = 0; + int err; + + err = gnutls_x509_crl_get_issuer_dn(crl, NULL, &dn_size); + if (err != GNUTLS_E_SHORT_MEMORY_BUFFER) + addf(str, "error: get_issuer_dn: %s\n", + gnutls_strerror(err)); + else { + dn = gnutls_malloc(dn_size); + if (!dn) + addf(str, "error: malloc (%d): %s\n", + (int) dn_size, + gnutls_strerror + (GNUTLS_E_MEMORY_ERROR)); + else { + err = + gnutls_x509_crl_get_issuer_dn(crl, dn, + &dn_size); + if (err < 0) + addf(str, + "error: get_issuer_dn: %s\n", + gnutls_strerror(err)); + else + addf(str, _("\tIssuer: %s\n"), dn); + } + gnutls_free(dn); + } + } + + /* Validity. */ + { + time_t tim; + + adds(str, _("\tUpdate dates:\n")); + + tim = gnutls_x509_crl_get_this_update(crl); + { + char s[42]; + size_t max = sizeof(s); + struct tm t; + + if (gmtime_r(&tim, &t) == NULL) + addf(str, "error: gmtime_r (%ld)\n", + (unsigned long) tim); + else if (strftime + (s, max, "%a %b %d %H:%M:%S UTC %Y", + &t) == 0) + addf(str, "error: strftime (%ld)\n", + (unsigned long) tim); + else + addf(str, _("\t\tIssued: %s\n"), s); + } + + tim = gnutls_x509_crl_get_next_update(crl); + { + char s[42]; + size_t max = sizeof(s); + struct tm t; + + if (tim == -1) + addf(str, "\t\tNo next update time.\n"); + else if (gmtime_r(&tim, &t) == NULL) + addf(str, "error: gmtime_r (%ld)\n", + (unsigned long) tim); + else if (strftime + (s, max, "%a %b %d %H:%M:%S UTC %Y", + &t) == 0) + addf(str, "error: strftime (%ld)\n", + (unsigned long) tim); + else + addf(str, _("\t\tNext at: %s\n"), s); + } + } + + /* Extensions. */ + if (gnutls_x509_crl_get_version(crl) >= 2) { + size_t i; + int err = 0; + int aki_idx = 0; + int crl_nr = 0; + + for (i = 0;; i++) { + char oid[MAX_OID_SIZE] = ""; + size_t sizeof_oid = sizeof(oid); + unsigned int critical; + + err = gnutls_x509_crl_get_extension_info(crl, i, + oid, + &sizeof_oid, + &critical); + if (err < 0) { + if (err == + GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) + break; + addf(str, + "error: get_extension_info: %s\n", + gnutls_strerror(err)); + continue; + } + + if (i == 0) + adds(str, _("\tExtensions:\n")); + + if (strcmp(oid, "2.5.29.20") == 0) { + char nr[128]; + size_t nr_size = sizeof(nr); + + if (crl_nr) { + addf(str, + "error: more than one CRL number\n"); + continue; + } + + err = + gnutls_x509_crl_get_number(crl, nr, + &nr_size, + &critical); + + addf(str, _("\t\tCRL Number (%s): "), + critical ? _("critical") : + _("not critical")); + + if (err < 0) + addf(str, + "error: get_number: %s\n", + gnutls_strerror(err)); + else { + _gnutls_buffer_hexprint(str, nr, + nr_size); + addf(str, "\n"); + } + + crl_nr++; + } else if (strcmp(oid, "2.5.29.35") == 0) { + cert_type_t ccert; + + if (aki_idx) { + addf(str, + "error: more than one AKI extension\n"); + continue; + } + + addf(str, + _ + ("\t\tAuthority Key Identifier (%s):\n"), + critical ? _("critical") : + _("not critical")); + + ccert.crl = crl; + print_aki(str, TYPE_CRL, ccert); + + aki_idx++; + } else { + char *buffer; + size_t extlen = 0; + + addf(str, + _("\t\tUnknown extension %s (%s):\n"), + oid, + critical ? _("critical") : + _("not critical")); + + err = + gnutls_x509_crl_get_extension_data(crl, + i, + NULL, + &extlen); + if (err < 0) { + addf(str, + "error: get_extension_data: %s\n", + gnutls_strerror(err)); + continue; + } + + buffer = gnutls_malloc(extlen); + if (!buffer) { + addf(str, "error: malloc: %s\n", + gnutls_strerror + (GNUTLS_E_MEMORY_ERROR)); + continue; + } + + err = + gnutls_x509_crl_get_extension_data(crl, + i, + buffer, + &extlen); + if (err < 0) { + gnutls_free(buffer); + addf(str, + "error: get_extension_data2: %s\n", + gnutls_strerror(err)); + continue; + } + + adds(str, _("\t\t\tASCII: ")); + _gnutls_buffer_asciiprint(str, buffer, + extlen); + adds(str, "\n"); + + adds(str, _("\t\t\tHexdump: ")); + _gnutls_buffer_hexprint(str, buffer, + extlen); + adds(str, "\n"); + + gnutls_free(buffer); + } + } + } + + + /* Revoked certificates. */ + { + int num = gnutls_x509_crl_get_crt_count(crl); + int j; + + if (num) + addf(str, _("\tRevoked certificates (%d):\n"), + num); + else + adds(str, _("\tNo revoked certificates.\n")); + + for (j = 0; j < num; j++) { + unsigned char serial[128]; + size_t serial_size = sizeof(serial); + int err; + time_t tim; + + err = + gnutls_x509_crl_get_crt_serial(crl, j, serial, + &serial_size, + &tim); + if (err < 0) + addf(str, "error: get_crt_serial: %s\n", + gnutls_strerror(err)); + else { + char s[42]; + size_t max = sizeof(s); + struct tm t; + + adds(str, _("\t\tSerial Number (hex): ")); + _gnutls_buffer_hexprint(str, serial, + serial_size); + adds(str, "\n"); + + if (gmtime_r(&tim, &t) == NULL) + addf(str, + "error: gmtime_r (%ld)\n", + (unsigned long) tim); + else if (strftime + (s, max, + "%a %b %d %H:%M:%S UTC %Y", + &t) == 0) + addf(str, + "error: strftime (%ld)\n", + (unsigned long) tim); + else + addf(str, + _("\t\tRevoked at: %s\n"), s); + } + } + } + + /* Signature. */ + if (!notsigned) { + int err; + size_t size = 0; + char *buffer = NULL; + + err = gnutls_x509_crl_get_signature_algorithm(crl); + if (err < 0) + addf(str, "error: get_signature_algorithm: %s\n", + gnutls_strerror(err)); + else { + const char *name = + gnutls_sign_algorithm_get_name(err); + if (name == NULL) + name = _("unknown"); + addf(str, _("\tSignature Algorithm: %s\n"), name); + } + if (gnutls_sign_is_secure(err) == 0) { + adds(str, + _("warning: signed using a broken signature " + "algorithm that can be forged.\n")); + } + + err = gnutls_x509_crl_get_signature(crl, buffer, &size); + if (err != GNUTLS_E_SHORT_MEMORY_BUFFER) { + addf(str, "error: get_signature: %s\n", + gnutls_strerror(err)); + return; + } + + buffer = gnutls_malloc(size); + if (!buffer) { + addf(str, "error: malloc: %s\n", + gnutls_strerror(GNUTLS_E_MEMORY_ERROR)); + return; + } + + err = gnutls_x509_crl_get_signature(crl, buffer, &size); + if (err < 0) { + gnutls_free(buffer); + addf(str, "error: get_signature2: %s\n", + gnutls_strerror(err)); + return; + } + + adds(str, _("\tSignature:\n")); + _gnutls_buffer_hexdump(str, buffer, size, "\t\t"); + + gnutls_free(buffer); + } } /** @@ -2194,264 +2367,285 @@ print_crl (gnutls_buffer_st * str, gnutls_x509_crl_t crl, int notsigned) * negative error value. **/ int -gnutls_x509_crl_print (gnutls_x509_crl_t crl, - gnutls_certificate_print_formats_t format, - gnutls_datum_t * out) +gnutls_x509_crl_print(gnutls_x509_crl_t crl, + gnutls_certificate_print_formats_t format, + gnutls_datum_t * out) { - gnutls_buffer_st str; - int ret; + gnutls_buffer_st str; + int ret; - _gnutls_buffer_init (&str); + _gnutls_buffer_init(&str); - _gnutls_buffer_append_str - (&str, _("X.509 Certificate Revocation List Information:\n")); + _gnutls_buffer_append_str + (&str, _("X.509 Certificate Revocation List Information:\n")); - print_crl (&str, crl, format == GNUTLS_CRT_PRINT_UNSIGNED_FULL); + print_crl(&str, crl, format == GNUTLS_CRT_PRINT_UNSIGNED_FULL); - _gnutls_buffer_append_data (&str, "\0", 1); + _gnutls_buffer_append_data(&str, "\0", 1); - ret = _gnutls_buffer_to_datum (&str, out); - if (out->size > 0) - out->size--; + ret = _gnutls_buffer_to_datum(&str, out); + if (out->size > 0) + out->size--; - return ret; + return ret; } static void -print_crq_pubkey (gnutls_buffer_st * str, gnutls_x509_crq_t crq, gnutls_certificate_print_formats_t format) +print_crq_pubkey(gnutls_buffer_st * str, gnutls_x509_crq_t crq, + gnutls_certificate_print_formats_t format) { - gnutls_pubkey_t pubkey; - int ret; + gnutls_pubkey_t pubkey; + int ret; - ret = gnutls_pubkey_init (&pubkey); - if (ret < 0) - return; + ret = gnutls_pubkey_init(&pubkey); + if (ret < 0) + return; - ret = gnutls_pubkey_import_x509_crq (pubkey, crq, 0); - if (ret < 0) - goto cleanup; + ret = gnutls_pubkey_import_x509_crq(pubkey, crq, 0); + if (ret < 0) + goto cleanup; - print_pubkey (str, _("Subject "), pubkey, format); + print_pubkey(str, _("Subject "), pubkey, format); -cleanup: - gnutls_pubkey_deinit (pubkey); - return; + cleanup: + gnutls_pubkey_deinit(pubkey); + return; } static void -print_crq (gnutls_buffer_st * str, gnutls_x509_crq_t cert, gnutls_certificate_print_formats_t format) +print_crq(gnutls_buffer_st * str, gnutls_x509_crq_t cert, + gnutls_certificate_print_formats_t format) { - /* Version. */ - { - int version = gnutls_x509_crq_get_version (cert); - if (version < 0) - addf (str, "error: get_version: %s\n", gnutls_strerror (version)); - else - addf (str, _("\tVersion: %d\n"), version); - } - - /* Subject */ - { - char *dn; - size_t dn_size = 0; - int err; - - err = gnutls_x509_crq_get_dn (cert, NULL, &dn_size); - if (err != GNUTLS_E_SHORT_MEMORY_BUFFER) - addf (str, "error: get_dn: %s\n", gnutls_strerror (err)); - else - { - dn = gnutls_malloc (dn_size); - if (!dn) - addf (str, "error: malloc (%d): %s\n", (int) dn_size, - gnutls_strerror (GNUTLS_E_MEMORY_ERROR)); - else - { - err = gnutls_x509_crq_get_dn (cert, dn, &dn_size); - if (err < 0) - addf (str, "error: get_dn: %s\n", gnutls_strerror (err)); - else - addf (str, _("\tSubject: %s\n"), dn); - gnutls_free (dn); - } - } - } - - /* SubjectPublicKeyInfo. */ - { - int err; - unsigned int bits; - - err = gnutls_x509_crq_get_pk_algorithm (cert, &bits); - if (err < 0) - addf (str, "error: get_pk_algorithm: %s\n", gnutls_strerror (err)); - else - print_crq_pubkey (str, cert, format); - } - - /* parse attributes */ - { - size_t i; - int err = 0; - int extensions = 0; - int challenge = 0; - - for (i = 0;; i++) - { - char oid[MAX_OID_SIZE] = ""; - size_t sizeof_oid = sizeof (oid); - - err = gnutls_x509_crq_get_attribute_info (cert, i, oid, &sizeof_oid); - if (err < 0) - { - if (err == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) - break; - addf (str, "error: get_extension_info: %s\n", - gnutls_strerror (err)); - continue; - } - - if (i == 0) - adds (str, _("\tAttributes:\n")); - - if (strcmp (oid, "1.2.840.113549.1.9.14") == 0) - { - cert_type_t ccert; - - if (extensions) - { - addf (str, "error: more than one extensionsRequest\n"); - continue; - } - - ccert.crq = cert; - print_extensions (str, "\t", TYPE_CRQ, ccert); - - extensions++; - } - else if (strcmp (oid, "1.2.840.113549.1.9.7") == 0) - { - char *pass; - size_t size; - - if (challenge) - { - adds (str, - "error: more than one Challenge password attribute\n"); - continue; - } - - err = gnutls_x509_crq_get_challenge_password (cert, NULL, &size); - if (err < 0 && err != GNUTLS_E_SHORT_MEMORY_BUFFER) - { - addf (str, "error: get_challenge_password: %s\n", - gnutls_strerror (err)); - continue; - } - - size++; - - pass = gnutls_malloc (size); - if (!pass) - { - addf (str, "error: malloc: %s\n", - gnutls_strerror (GNUTLS_E_MEMORY_ERROR)); - continue; - } - - err = gnutls_x509_crq_get_challenge_password (cert, pass, &size); - if (err < 0) - addf (str, "error: get_challenge_password: %s\n", - gnutls_strerror (err)); - else - addf (str, _("\t\tChallenge password: %s\n"), pass); - - gnutls_free (pass); - - challenge++; - } - else - { - char *buffer; - size_t extlen = 0; - - addf (str, _("\t\tUnknown attribute %s:\n"), oid); - - err = gnutls_x509_crq_get_attribute_data (cert, i, NULL, &extlen); - if (err < 0) - { - addf (str, "error: get_attribute_data: %s\n", - gnutls_strerror (err)); - continue; - } - - buffer = gnutls_malloc (extlen); - if (!buffer) - { - addf (str, "error: malloc: %s\n", - gnutls_strerror (GNUTLS_E_MEMORY_ERROR)); - continue; - } - - err = gnutls_x509_crq_get_attribute_data (cert, i, - buffer, &extlen); - if (err < 0) - { - gnutls_free (buffer); - addf (str, "error: get_attribute_data2: %s\n", - gnutls_strerror (err)); - continue; - } - - adds (str, _("\t\t\tASCII: ")); - _gnutls_buffer_asciiprint (str, buffer, extlen); - adds (str, "\n"); - - adds (str, _("\t\t\tHexdump: ")); - _gnutls_buffer_hexprint (str, buffer, extlen); - adds (str, "\n"); - - gnutls_free (buffer); - } - } - } + /* Version. */ + { + int version = gnutls_x509_crq_get_version(cert); + if (version < 0) + addf(str, "error: get_version: %s\n", + gnutls_strerror(version)); + else + addf(str, _("\tVersion: %d\n"), version); + } + + /* Subject */ + { + char *dn; + size_t dn_size = 0; + int err; + + err = gnutls_x509_crq_get_dn(cert, NULL, &dn_size); + if (err != GNUTLS_E_SHORT_MEMORY_BUFFER) + addf(str, "error: get_dn: %s\n", + gnutls_strerror(err)); + else { + dn = gnutls_malloc(dn_size); + if (!dn) + addf(str, "error: malloc (%d): %s\n", + (int) dn_size, + gnutls_strerror + (GNUTLS_E_MEMORY_ERROR)); + else { + err = + gnutls_x509_crq_get_dn(cert, dn, + &dn_size); + if (err < 0) + addf(str, "error: get_dn: %s\n", + gnutls_strerror(err)); + else + addf(str, _("\tSubject: %s\n"), + dn); + gnutls_free(dn); + } + } + } + + /* SubjectPublicKeyInfo. */ + { + int err; + unsigned int bits; + + err = gnutls_x509_crq_get_pk_algorithm(cert, &bits); + if (err < 0) + addf(str, "error: get_pk_algorithm: %s\n", + gnutls_strerror(err)); + else + print_crq_pubkey(str, cert, format); + } + + /* parse attributes */ + { + size_t i; + int err = 0; + int extensions = 0; + int challenge = 0; + + for (i = 0;; i++) { + char oid[MAX_OID_SIZE] = ""; + size_t sizeof_oid = sizeof(oid); + + err = + gnutls_x509_crq_get_attribute_info(cert, i, + oid, + &sizeof_oid); + if (err < 0) { + if (err == + GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) + break; + addf(str, + "error: get_extension_info: %s\n", + gnutls_strerror(err)); + continue; + } + + if (i == 0) + adds(str, _("\tAttributes:\n")); + + if (strcmp(oid, "1.2.840.113549.1.9.14") == 0) { + cert_type_t ccert; + + if (extensions) { + addf(str, + "error: more than one extensionsRequest\n"); + continue; + } + + ccert.crq = cert; + print_extensions(str, "\t", TYPE_CRQ, + ccert); + + extensions++; + } else if (strcmp(oid, "1.2.840.113549.1.9.7") == + 0) { + char *pass; + size_t size; + + if (challenge) { + adds(str, + "error: more than one Challenge password attribute\n"); + continue; + } + + err = + gnutls_x509_crq_get_challenge_password + (cert, NULL, &size); + if (err < 0 + && err != + GNUTLS_E_SHORT_MEMORY_BUFFER) { + addf(str, + "error: get_challenge_password: %s\n", + gnutls_strerror(err)); + continue; + } + + size++; + + pass = gnutls_malloc(size); + if (!pass) { + addf(str, "error: malloc: %s\n", + gnutls_strerror + (GNUTLS_E_MEMORY_ERROR)); + continue; + } + + err = + gnutls_x509_crq_get_challenge_password + (cert, pass, &size); + if (err < 0) + addf(str, + "error: get_challenge_password: %s\n", + gnutls_strerror(err)); + else + addf(str, + _ + ("\t\tChallenge password: %s\n"), + pass); + + gnutls_free(pass); + + challenge++; + } else { + char *buffer; + size_t extlen = 0; + + addf(str, _("\t\tUnknown attribute %s:\n"), + oid); + + err = + gnutls_x509_crq_get_attribute_data + (cert, i, NULL, &extlen); + if (err < 0) { + addf(str, + "error: get_attribute_data: %s\n", + gnutls_strerror(err)); + continue; + } + + buffer = gnutls_malloc(extlen); + if (!buffer) { + addf(str, "error: malloc: %s\n", + gnutls_strerror + (GNUTLS_E_MEMORY_ERROR)); + continue; + } + + err = + gnutls_x509_crq_get_attribute_data + (cert, i, buffer, &extlen); + if (err < 0) { + gnutls_free(buffer); + addf(str, + "error: get_attribute_data2: %s\n", + gnutls_strerror(err)); + continue; + } + + adds(str, _("\t\t\tASCII: ")); + _gnutls_buffer_asciiprint(str, buffer, + extlen); + adds(str, "\n"); + + adds(str, _("\t\t\tHexdump: ")); + _gnutls_buffer_hexprint(str, buffer, + extlen); + adds(str, "\n"); + + gnutls_free(buffer); + } + } + } } -static void -print_crq_other (gnutls_buffer_st * str, gnutls_x509_crq_t crq) +static void print_crq_other(gnutls_buffer_st * str, gnutls_x509_crq_t crq) { - int err; - size_t size = 0; - unsigned char *buffer = NULL; - - err = gnutls_x509_crq_get_key_id (crq, 0, buffer, &size); - if (err != GNUTLS_E_SHORT_MEMORY_BUFFER) - { - addf (str, "error: get_key_id: %s\n", gnutls_strerror (err)); - return; - } - - buffer = gnutls_malloc (size); - if (!buffer) - { - addf (str, "error: malloc: %s\n", - gnutls_strerror (GNUTLS_E_MEMORY_ERROR)); - return; - } - - err = gnutls_x509_crq_get_key_id (crq, 0, buffer, &size); - if (err < 0) - { - gnutls_free (buffer); - addf (str, "error: get_key_id2: %s\n", gnutls_strerror (err)); - return; - } - - adds (str, _("\tPublic Key ID:\n\t\t")); - _gnutls_buffer_hexprint (str, buffer, size); - adds (str, "\n"); - - gnutls_free (buffer); + int err; + size_t size = 0; + unsigned char *buffer = NULL; + + err = gnutls_x509_crq_get_key_id(crq, 0, buffer, &size); + if (err != GNUTLS_E_SHORT_MEMORY_BUFFER) { + addf(str, "error: get_key_id: %s\n", gnutls_strerror(err)); + return; + } + + buffer = gnutls_malloc(size); + if (!buffer) { + addf(str, "error: malloc: %s\n", + gnutls_strerror(GNUTLS_E_MEMORY_ERROR)); + return; + } + + err = gnutls_x509_crq_get_key_id(crq, 0, buffer, &size); + if (err < 0) { + gnutls_free(buffer); + addf(str, "error: get_key_id2: %s\n", + gnutls_strerror(err)); + return; + } + + adds(str, _("\tPublic Key ID:\n\t\t")); + _gnutls_buffer_hexprint(str, buffer, size); + adds(str, "\n"); + + gnutls_free(buffer); } /** @@ -2471,66 +2665,66 @@ print_crq_other (gnutls_buffer_st * str, gnutls_x509_crq_t crq) * Since: 2.8.0 **/ int -gnutls_x509_crq_print (gnutls_x509_crq_t crq, - gnutls_certificate_print_formats_t format, - gnutls_datum_t * out) +gnutls_x509_crq_print(gnutls_x509_crq_t crq, + gnutls_certificate_print_formats_t format, + gnutls_datum_t * out) { - gnutls_buffer_st str; - int ret; + gnutls_buffer_st str; + int ret; - _gnutls_buffer_init (&str); + _gnutls_buffer_init(&str); - _gnutls_buffer_append_str - (&str, _("PKCS #10 Certificate Request Information:\n")); + _gnutls_buffer_append_str + (&str, _("PKCS #10 Certificate Request Information:\n")); - print_crq (&str, crq, format); + print_crq(&str, crq, format); - _gnutls_buffer_append_str (&str, _("Other Information:\n")); + _gnutls_buffer_append_str(&str, _("Other Information:\n")); - print_crq_other (&str, crq); + print_crq_other(&str, crq); - _gnutls_buffer_append_data (&str, "\0", 1); + _gnutls_buffer_append_data(&str, "\0", 1); - ret = _gnutls_buffer_to_datum (&str, out); - if (out->size > 0) - out->size--; + ret = _gnutls_buffer_to_datum(&str, out); + if (out->size > 0) + out->size--; - return ret; + return ret; } static void -print_pubkey_other (gnutls_buffer_st * str, gnutls_pubkey_t pubkey, gnutls_certificate_print_formats_t format) +print_pubkey_other(gnutls_buffer_st * str, gnutls_pubkey_t pubkey, + gnutls_certificate_print_formats_t format) { - uint8_t buffer[MAX_HASH_SIZE]; - size_t size = sizeof(buffer); - int ret; - unsigned int usage; - cert_type_t ccert; - - ccert.pubkey = pubkey; - - ret = gnutls_pubkey_get_key_usage (pubkey, &usage); - if (ret < 0) - { - addf (str, "error: get_key_usage: %s\n", gnutls_strerror (ret)); - return; - } - - adds (str, "\n"); - adds (str, _("Public Key Usage:\n")); - print_key_usage (str, "\t", TYPE_PUBKEY, ccert); - - ret = gnutls_pubkey_get_key_id (pubkey, 0, buffer, &size); - if (ret < 0) - { - addf (str, "error: get_key_id: %s\n", gnutls_strerror (ret)); - return; - } - - adds (str, "\n"); - adds (str, _("Public Key ID: ")); - _gnutls_buffer_hexprint (str, buffer, size); - adds (str, "\n"); + uint8_t buffer[MAX_HASH_SIZE]; + size_t size = sizeof(buffer); + int ret; + unsigned int usage; + cert_type_t ccert; + + ccert.pubkey = pubkey; + + ret = gnutls_pubkey_get_key_usage(pubkey, &usage); + if (ret < 0) { + addf(str, "error: get_key_usage: %s\n", + gnutls_strerror(ret)); + return; + } + + adds(str, "\n"); + adds(str, _("Public Key Usage:\n")); + print_key_usage(str, "\t", TYPE_PUBKEY, ccert); + + ret = gnutls_pubkey_get_key_id(pubkey, 0, buffer, &size); + if (ret < 0) { + addf(str, "error: get_key_id: %s\n", gnutls_strerror(ret)); + return; + } + + adds(str, "\n"); + adds(str, _("Public Key ID: ")); + _gnutls_buffer_hexprint(str, buffer, size); + adds(str, "\n"); } /** @@ -2553,25 +2747,25 @@ print_pubkey_other (gnutls_buffer_st * str, gnutls_pubkey_t pubkey, gnutls_certi * Since: 3.1.5 **/ int -gnutls_pubkey_print (gnutls_pubkey_t pubkey, - gnutls_certificate_print_formats_t format, - gnutls_datum_t * out) +gnutls_pubkey_print(gnutls_pubkey_t pubkey, + gnutls_certificate_print_formats_t format, + gnutls_datum_t * out) { - gnutls_buffer_st str; - int ret; + gnutls_buffer_st str; + int ret; - _gnutls_buffer_init (&str); + _gnutls_buffer_init(&str); - _gnutls_buffer_append_str (&str, _("Public Key Information:\n")); + _gnutls_buffer_append_str(&str, _("Public Key Information:\n")); - print_pubkey (&str, "", pubkey, format); - print_pubkey_other (&str, pubkey, format); + print_pubkey(&str, "", pubkey, format); + print_pubkey_other(&str, pubkey, format); - _gnutls_buffer_append_data (&str, "\0", 1); + _gnutls_buffer_append_data(&str, "\0", 1); - ret = _gnutls_buffer_to_datum (&str, out); - if (out->size > 0) - out->size--; + ret = _gnutls_buffer_to_datum(&str, out); + if (out->size > 0) + out->size--; - return ret; + return ret; } diff --git a/lib/x509/pbkdf2-sha1.c b/lib/x509/pbkdf2-sha1.c index b43ce5963c..5cb1ea858f 100644 --- a/lib/x509/pbkdf2-sha1.c +++ b/lib/x509/pbkdf2-sha1.c @@ -52,146 +52,139 @@ */ int -_gnutls_pbkdf2_sha1 (const char *P, size_t Plen, - const unsigned char *S, size_t Slen, - unsigned int c, unsigned char *DK, size_t dkLen) +_gnutls_pbkdf2_sha1(const char *P, size_t Plen, + const unsigned char *S, size_t Slen, + unsigned int c, unsigned char *DK, size_t dkLen) { - unsigned int hLen = 20; - char U[20]; - char T[20]; - unsigned int u; - unsigned int l; - unsigned int r; - unsigned int i; - unsigned int k; - int rc; - char *tmp; - size_t tmplen = Slen + 4; - - if (c == 0) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - if (dkLen == 0) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - /* - * - * Steps: - * - * 1. If dkLen > (2^32 - 1) * hLen, output "derived key too long" and - * stop. - */ - - if (dkLen > 4294967295U) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - /* - * 2. Let l be the number of hLen-octet blocks in the derived key, - * rounding up, and let r be the number of octets in the last - * block: - * - * l = CEIL (dkLen / hLen) , - * r = dkLen - (l - 1) * hLen . - * - * Here, CEIL (x) is the "ceiling" function, i.e. the smallest - * integer greater than, or equal to, x. - */ - - l = ((dkLen - 1) / hLen) + 1; - r = dkLen - (l - 1) * hLen; - - /* - * 3. For each block of the derived key apply the function F defined - * below to the password P, the salt S, the iteration count c, and - * the block index to compute the block: - * - * T_1 = F (P, S, c, 1) , - * T_2 = F (P, S, c, 2) , - * ... - * T_l = F (P, S, c, l) , - * - * where the function F is defined as the exclusive-or sum of the - * first c iterates of the underlying pseudorandom function PRF - * applied to the password P and the concatenation of the salt S - * and the block index i: - * - * F (P, S, c, i) = U_1 \xor U_2 \xor ... \xor U_c - * - * where - * - * U_1 = PRF (P, S || INT (i)) , - * U_2 = PRF (P, U_1) , - * ... - * U_c = PRF (P, U_{c-1}) . - * - * Here, INT (i) is a four-octet encoding of the integer i, most - * significant octet first. - * - * 4. Concatenate the blocks and extract the first dkLen octets to - * produce a derived key DK: - * - * DK = T_1 || T_2 || ... || T_l<0..r-1> - * - * 5. Output the derived key DK. - * - * Note. The construction of the function F follows a "belt-and- - * suspenders" approach. The iterates U_i are computed recursively to - * remove a degree of parallelism from an opponent; they are exclusive- - * ored together to reduce concerns about the recursion degenerating - * into a small set of values. - * - */ - - tmp = gnutls_malloc (tmplen); - if (tmp == NULL) - { - gnutls_assert (); - return GNUTLS_E_MEMORY_ERROR; - } - - memcpy (tmp, S, Slen); - - for (i = 1; i <= l; i++) - { - memset (T, 0, hLen); - - for (u = 1; u <= c; u++) - { - if (u == 1) - { - tmp[Slen + 0] = (i & 0xff000000) >> 24; - tmp[Slen + 1] = (i & 0x00ff0000) >> 16; - tmp[Slen + 2] = (i & 0x0000ff00) >> 8; - tmp[Slen + 3] = (i & 0x000000ff) >> 0; - - rc = - _gnutls_mac_fast (GNUTLS_MAC_SHA1, P, Plen, tmp, tmplen, U); - } - else - rc = _gnutls_mac_fast (GNUTLS_MAC_SHA1, P, Plen, U, hLen, U); - - if (rc < 0) - { - gnutls_free (tmp); - return rc; - } - - for (k = 0; k < hLen; k++) - T[k] ^= U[k]; - } - - memcpy (DK + (i - 1) * hLen, T, i == l ? r : hLen); - } - - gnutls_free (tmp); - - return 0; + unsigned int hLen = 20; + char U[20]; + char T[20]; + unsigned int u; + unsigned int l; + unsigned int r; + unsigned int i; + unsigned int k; + int rc; + char *tmp; + size_t tmplen = Slen + 4; + + if (c == 0) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + if (dkLen == 0) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + /* + * + * Steps: + * + * 1. If dkLen > (2^32 - 1) * hLen, output "derived key too long" and + * stop. + */ + + if (dkLen > 4294967295U) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + /* + * 2. Let l be the number of hLen-octet blocks in the derived key, + * rounding up, and let r be the number of octets in the last + * block: + * + * l = CEIL (dkLen / hLen) , + * r = dkLen - (l - 1) * hLen . + * + * Here, CEIL (x) is the "ceiling" function, i.e. the smallest + * integer greater than, or equal to, x. + */ + + l = ((dkLen - 1) / hLen) + 1; + r = dkLen - (l - 1) * hLen; + + /* + * 3. For each block of the derived key apply the function F defined + * below to the password P, the salt S, the iteration count c, and + * the block index to compute the block: + * + * T_1 = F (P, S, c, 1) , + * T_2 = F (P, S, c, 2) , + * ... + * T_l = F (P, S, c, l) , + * + * where the function F is defined as the exclusive-or sum of the + * first c iterates of the underlying pseudorandom function PRF + * applied to the password P and the concatenation of the salt S + * and the block index i: + * + * F (P, S, c, i) = U_1 \xor U_2 \xor ... \xor U_c + * + * where + * + * U_1 = PRF (P, S || INT (i)) , + * U_2 = PRF (P, U_1) , + * ... + * U_c = PRF (P, U_{c-1}) . + * + * Here, INT (i) is a four-octet encoding of the integer i, most + * significant octet first. + * + * 4. Concatenate the blocks and extract the first dkLen octets to + * produce a derived key DK: + * + * DK = T_1 || T_2 || ... || T_l<0..r-1> + * + * 5. Output the derived key DK. + * + * Note. The construction of the function F follows a "belt-and- + * suspenders" approach. The iterates U_i are computed recursively to + * remove a degree of parallelism from an opponent; they are exclusive- + * ored together to reduce concerns about the recursion degenerating + * into a small set of values. + * + */ + + tmp = gnutls_malloc(tmplen); + if (tmp == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + memcpy(tmp, S, Slen); + + for (i = 1; i <= l; i++) { + memset(T, 0, hLen); + + for (u = 1; u <= c; u++) { + if (u == 1) { + tmp[Slen + 0] = (i & 0xff000000) >> 24; + tmp[Slen + 1] = (i & 0x00ff0000) >> 16; + tmp[Slen + 2] = (i & 0x0000ff00) >> 8; + tmp[Slen + 3] = (i & 0x000000ff) >> 0; + + rc = _gnutls_mac_fast(GNUTLS_MAC_SHA1, P, + Plen, tmp, tmplen, + U); + } else + rc = _gnutls_mac_fast(GNUTLS_MAC_SHA1, P, + Plen, U, hLen, U); + + if (rc < 0) { + gnutls_free(tmp); + return rc; + } + + for (k = 0; k < hLen; k++) + T[k] ^= U[k]; + } + + memcpy(DK + (i - 1) * hLen, T, i == l ? r : hLen); + } + + gnutls_free(tmp); + + return 0; } diff --git a/lib/x509/pbkdf2-sha1.h b/lib/x509/pbkdf2-sha1.h index 8ea3f18558..a874392f5f 100644 --- a/lib/x509/pbkdf2-sha1.h +++ b/lib/x509/pbkdf2-sha1.h @@ -16,6 +16,6 @@ */ -int _gnutls_pbkdf2_sha1 (const char *P, size_t Plen, - const unsigned char *S, size_t Slen, - unsigned int c, unsigned char *DK, size_t dkLen); +int _gnutls_pbkdf2_sha1(const char *P, size_t Plen, + const unsigned char *S, size_t Slen, + unsigned int c, unsigned char *DK, size_t dkLen); diff --git a/lib/x509/pkcs12.c b/lib/x509/pkcs12.c index f169afeb81..7ccdcc23bc 100644 --- a/lib/x509/pkcs12.c +++ b/lib/x509/pkcs12.c @@ -41,84 +41,81 @@ * which holds them. Returns an ASN1_TYPE of authenticatedSafe. */ static int -_decode_pkcs12_auth_safe (ASN1_TYPE pkcs12, ASN1_TYPE * authen_safe, - gnutls_datum_t * raw) +_decode_pkcs12_auth_safe(ASN1_TYPE pkcs12, ASN1_TYPE * authen_safe, + gnutls_datum_t * raw) { - char oid[MAX_OID_SIZE]; - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - gnutls_datum_t auth_safe = { NULL, 0 }; - int len, result; - char error_str[ASN1_MAX_ERROR_DESCRIPTION_SIZE]; - - len = sizeof (oid) - 1; - result = asn1_read_value (pkcs12, "authSafe.contentType", oid, &len); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - if (strcmp (oid, DATA_OID) != 0) - { - gnutls_assert (); - _gnutls_debug_log ("Unknown PKCS12 Content OID '%s'\n", oid); - return GNUTLS_E_UNKNOWN_PKCS_CONTENT_TYPE; - } - - /* Step 1. Read the content data - */ - - result = - _gnutls_x509_read_string (pkcs12, "authSafe.content", &auth_safe, ASN1_ETYPE_OCTET_STRING); - if (result < 0) - { - gnutls_assert (); - goto cleanup; - } - - /* Step 2. Extract the authenticatedSafe. - */ - - if ((result = asn1_create_element - (_gnutls_get_pkix (), "PKIX1.pkcs-12-AuthenticatedSafe", - &c2)) != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - - result = asn1_der_decoding (&c2, auth_safe.data, auth_safe.size, error_str); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - _gnutls_debug_log ("DER error: %s\n", error_str); - result = _gnutls_asn2err (result); - goto cleanup; - } - - if (raw == NULL) - { - _gnutls_free_datum (&auth_safe); - } - else - { - raw->data = auth_safe.data; - raw->size = auth_safe.size; - } - - if (authen_safe) - *authen_safe = c2; - else - asn1_delete_structure (&c2); - - return 0; - -cleanup: - if (c2) - asn1_delete_structure (&c2); - _gnutls_free_datum (&auth_safe); - return result; + char oid[MAX_OID_SIZE]; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + gnutls_datum_t auth_safe = { NULL, 0 }; + int len, result; + char error_str[ASN1_MAX_ERROR_DESCRIPTION_SIZE]; + + len = sizeof(oid) - 1; + result = + asn1_read_value(pkcs12, "authSafe.contentType", oid, &len); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + if (strcmp(oid, DATA_OID) != 0) { + gnutls_assert(); + _gnutls_debug_log("Unknown PKCS12 Content OID '%s'\n", + oid); + return GNUTLS_E_UNKNOWN_PKCS_CONTENT_TYPE; + } + + /* Step 1. Read the content data + */ + + result = + _gnutls_x509_read_string(pkcs12, "authSafe.content", + &auth_safe, ASN1_ETYPE_OCTET_STRING); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + /* Step 2. Extract the authenticatedSafe. + */ + + if ((result = asn1_create_element + (_gnutls_get_pkix(), "PKIX1.pkcs-12-AuthenticatedSafe", + &c2)) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + result = + asn1_der_decoding(&c2, auth_safe.data, auth_safe.size, + error_str); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + _gnutls_debug_log("DER error: %s\n", error_str); + result = _gnutls_asn2err(result); + goto cleanup; + } + + if (raw == NULL) { + _gnutls_free_datum(&auth_safe); + } else { + raw->data = auth_safe.data; + raw->size = auth_safe.size; + } + + if (authen_safe) + *authen_safe = c2; + else + asn1_delete_structure(&c2); + + return 0; + + cleanup: + if (c2) + asn1_delete_structure(&c2); + _gnutls_free_datum(&auth_safe); + return result; } /** @@ -132,25 +129,22 @@ cleanup: * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a * negative error value. **/ -int -gnutls_pkcs12_init (gnutls_pkcs12_t * pkcs12) +int gnutls_pkcs12_init(gnutls_pkcs12_t * pkcs12) { - *pkcs12 = gnutls_calloc (1, sizeof (gnutls_pkcs12_int)); - - if (*pkcs12) - { - int result = asn1_create_element (_gnutls_get_pkix (), - "PKIX1.pkcs-12-PFX", - &(*pkcs12)->pkcs12); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - gnutls_free (*pkcs12); - return _gnutls_asn2err (result); - } - return 0; /* success */ - } - return GNUTLS_E_MEMORY_ERROR; + *pkcs12 = gnutls_calloc(1, sizeof(gnutls_pkcs12_int)); + + if (*pkcs12) { + int result = asn1_create_element(_gnutls_get_pkix(), + "PKIX1.pkcs-12-PFX", + &(*pkcs12)->pkcs12); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + gnutls_free(*pkcs12); + return _gnutls_asn2err(result); + } + return 0; /* success */ + } + return GNUTLS_E_MEMORY_ERROR; } /** @@ -159,16 +153,15 @@ gnutls_pkcs12_init (gnutls_pkcs12_t * pkcs12) * * This function will deinitialize a PKCS12 structure. **/ -void -gnutls_pkcs12_deinit (gnutls_pkcs12_t pkcs12) +void gnutls_pkcs12_deinit(gnutls_pkcs12_t pkcs12) { - if (!pkcs12) - return; + if (!pkcs12) + return; - if (pkcs12->pkcs12) - asn1_delete_structure (&pkcs12->pkcs12); + if (pkcs12->pkcs12) + asn1_delete_structure(&pkcs12->pkcs12); - gnutls_free (pkcs12); + gnutls_free(pkcs12); } /** @@ -187,58 +180,56 @@ gnutls_pkcs12_deinit (gnutls_pkcs12_t pkcs12) * negative error value. **/ int -gnutls_pkcs12_import (gnutls_pkcs12_t pkcs12, - const gnutls_datum_t * data, - gnutls_x509_crt_fmt_t format, unsigned int flags) +gnutls_pkcs12_import(gnutls_pkcs12_t pkcs12, + const gnutls_datum_t * data, + gnutls_x509_crt_fmt_t format, unsigned int flags) { - int result = 0, need_free = 0; - gnutls_datum_t _data; - char error_str[ASN1_MAX_ERROR_DESCRIPTION_SIZE]; - - _data.data = data->data; - _data.size = data->size; - - if (pkcs12 == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - /* If the PKCS12 is in PEM format then decode it - */ - if (format == GNUTLS_X509_FMT_PEM) - { - result = _gnutls_fbase64_decode (PEM_PKCS12, data->data, data->size, - &_data); - - if (result < 0) - { - gnutls_assert (); - return result; - } - - need_free = 1; - } - - result = - asn1_der_decoding (&pkcs12->pkcs12, _data.data, _data.size, error_str); - if (result != ASN1_SUCCESS) - { - result = _gnutls_asn2err (result); - _gnutls_debug_log ("DER error: %s\n", error_str); - gnutls_assert (); - goto cleanup; - } - - if (need_free) - _gnutls_free_datum (&_data); - - return 0; - -cleanup: - if (need_free) - _gnutls_free_datum (&_data); - return result; + int result = 0, need_free = 0; + gnutls_datum_t _data; + char error_str[ASN1_MAX_ERROR_DESCRIPTION_SIZE]; + + _data.data = data->data; + _data.size = data->size; + + if (pkcs12 == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + /* If the PKCS12 is in PEM format then decode it + */ + if (format == GNUTLS_X509_FMT_PEM) { + result = + _gnutls_fbase64_decode(PEM_PKCS12, data->data, + data->size, &_data); + + if (result < 0) { + gnutls_assert(); + return result; + } + + need_free = 1; + } + + result = + asn1_der_decoding(&pkcs12->pkcs12, _data.data, _data.size, + error_str); + if (result != ASN1_SUCCESS) { + result = _gnutls_asn2err(result); + _gnutls_debug_log("DER error: %s\n", error_str); + gnutls_assert(); + goto cleanup; + } + + if (need_free) + _gnutls_free_datum(&_data); + + return 0; + + cleanup: + if (need_free) + _gnutls_free_datum(&_data); + return result; } @@ -263,18 +254,17 @@ cleanup: * returned, and 0 on success. **/ int -gnutls_pkcs12_export (gnutls_pkcs12_t pkcs12, - gnutls_x509_crt_fmt_t format, void *output_data, - size_t * output_data_size) +gnutls_pkcs12_export(gnutls_pkcs12_t pkcs12, + gnutls_x509_crt_fmt_t format, void *output_data, + size_t * output_data_size) { - if (pkcs12 == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - return _gnutls_x509_export_int (pkcs12->pkcs12, format, PEM_PKCS12, - output_data, output_data_size); + if (pkcs12 == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + return _gnutls_x509_export_int(pkcs12->pkcs12, format, PEM_PKCS12, + output_data, output_data_size); } /** @@ -296,281 +286,276 @@ gnutls_pkcs12_export (gnutls_pkcs12_t pkcs12, * Since: 3.1.3 **/ int -gnutls_pkcs12_export2 (gnutls_pkcs12_t pkcs12, - gnutls_x509_crt_fmt_t format, gnutls_datum_t *out) +gnutls_pkcs12_export2(gnutls_pkcs12_t pkcs12, + gnutls_x509_crt_fmt_t format, gnutls_datum_t * out) { - if (pkcs12 == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } + if (pkcs12 == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - return _gnutls_x509_export_int2 (pkcs12->pkcs12, format, PEM_PKCS12, out); + return _gnutls_x509_export_int2(pkcs12->pkcs12, format, PEM_PKCS12, + out); } -static int -oid2bag (const char *oid) +static int oid2bag(const char *oid) { - if (strcmp (oid, BAG_PKCS8_KEY) == 0) - return GNUTLS_BAG_PKCS8_KEY; - if (strcmp (oid, BAG_PKCS8_ENCRYPTED_KEY) == 0) - return GNUTLS_BAG_PKCS8_ENCRYPTED_KEY; - if (strcmp (oid, BAG_CERTIFICATE) == 0) - return GNUTLS_BAG_CERTIFICATE; - if (strcmp (oid, BAG_CRL) == 0) - return GNUTLS_BAG_CRL; - if (strcmp (oid, BAG_SECRET) == 0) - return GNUTLS_BAG_SECRET; - - return GNUTLS_BAG_UNKNOWN; + if (strcmp(oid, BAG_PKCS8_KEY) == 0) + return GNUTLS_BAG_PKCS8_KEY; + if (strcmp(oid, BAG_PKCS8_ENCRYPTED_KEY) == 0) + return GNUTLS_BAG_PKCS8_ENCRYPTED_KEY; + if (strcmp(oid, BAG_CERTIFICATE) == 0) + return GNUTLS_BAG_CERTIFICATE; + if (strcmp(oid, BAG_CRL) == 0) + return GNUTLS_BAG_CRL; + if (strcmp(oid, BAG_SECRET) == 0) + return GNUTLS_BAG_SECRET; + + return GNUTLS_BAG_UNKNOWN; } -static const char * -bag_to_oid (int bag) +static const char *bag_to_oid(int bag) { - switch (bag) - { - case GNUTLS_BAG_PKCS8_KEY: - return BAG_PKCS8_KEY; - case GNUTLS_BAG_PKCS8_ENCRYPTED_KEY: - return BAG_PKCS8_ENCRYPTED_KEY; - case GNUTLS_BAG_CERTIFICATE: - return BAG_CERTIFICATE; - case GNUTLS_BAG_CRL: - return BAG_CRL; - case GNUTLS_BAG_SECRET: - return BAG_SECRET; - } - return NULL; + switch (bag) { + case GNUTLS_BAG_PKCS8_KEY: + return BAG_PKCS8_KEY; + case GNUTLS_BAG_PKCS8_ENCRYPTED_KEY: + return BAG_PKCS8_ENCRYPTED_KEY; + case GNUTLS_BAG_CERTIFICATE: + return BAG_CERTIFICATE; + case GNUTLS_BAG_CRL: + return BAG_CRL; + case GNUTLS_BAG_SECRET: + return BAG_SECRET; + } + return NULL; } /* Decodes the SafeContents, and puts the output in * the given bag. */ int -_pkcs12_decode_safe_contents (const gnutls_datum_t * content, - gnutls_pkcs12_bag_t bag) +_pkcs12_decode_safe_contents(const gnutls_datum_t * content, + gnutls_pkcs12_bag_t bag) { - char oid[MAX_OID_SIZE], root[ASN1_MAX_NAME_SIZE]; - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - int len, result; - int bag_type; - gnutls_datum_t attr_val; - gnutls_datum_t t; - int count = 0, i, attributes, j; - - /* Step 1. Extract the SEQUENCE. - */ - - if ((result = asn1_create_element - (_gnutls_get_pkix (), "PKIX1.pkcs-12-SafeContents", - &c2)) != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - - result = asn1_der_decoding (&c2, content->data, content->size, NULL); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - - /* Count the number of bags - */ - result = asn1_number_of_elements (c2, "", &count); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - - bag->bag_elements = MIN (MAX_BAG_ELEMENTS, count); - - for (i = 0; i < bag->bag_elements; i++) - { - - snprintf (root, sizeof (root), "?%u.bagId", i + 1); - - len = sizeof (oid); - result = asn1_read_value (c2, root, oid, &len); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - - /* Read the Bag type - */ - bag_type = oid2bag (oid); - - if (bag_type < 0) - { - gnutls_assert (); - goto cleanup; - } - - /* Read the Bag Value - */ - - snprintf (root, sizeof (root), "?%u.bagValue", i + 1); - - result = _gnutls_x509_read_value (c2, root, &bag->element[i].data); - if (result < 0) - { - gnutls_assert (); - goto cleanup; - } - - if (bag_type == GNUTLS_BAG_CERTIFICATE || bag_type == GNUTLS_BAG_CRL - || bag_type == GNUTLS_BAG_SECRET) - { - gnutls_datum_t tmp = bag->element[i].data; - - result = - _pkcs12_decode_crt_bag (bag_type, &tmp, &bag->element[i].data); - if (result < 0) - { - gnutls_assert (); - goto cleanup; - } - - _gnutls_free_datum (&tmp); - } - - /* read the bag attributes - */ - snprintf (root, sizeof (root), "?%u.bagAttributes", i + 1); - - result = asn1_number_of_elements (c2, root, &attributes); - if (result != ASN1_SUCCESS && result != ASN1_ELEMENT_NOT_FOUND) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - - if (attributes < 0) - attributes = 1; - - if (result != ASN1_ELEMENT_NOT_FOUND) - for (j = 0; j < attributes; j++) - { - - snprintf (root, sizeof (root), "?%u.bagAttributes.?%u", i + 1, - j + 1); - - result = - _gnutls_x509_decode_and_read_attribute (c2, root, oid, - sizeof (oid), &attr_val, - 1, 0); - - if (result < 0) - { - gnutls_assert (); - continue; /* continue in case we find some known attributes */ - } - - if (strcmp (oid, KEY_ID_OID) == 0) - { - result = - _gnutls_x509_decode_string (ASN1_ETYPE_OCTET_STRING, attr_val.data, - attr_val.size, &t); - _gnutls_free_datum (&attr_val); - if (result < 0) - { - gnutls_assert (); - _gnutls_debug_log - ("Error decoding PKCS12 Bag Attribute OID '%s'\n", oid); - continue; - } - - attr_val.data = t.data; - attr_val.size = t.size; - - bag->element[i].local_key_id = attr_val; - } - else if (strcmp (oid, FRIENDLY_NAME_OID) == 0) - { - result = - _gnutls_x509_decode_string (ASN1_ETYPE_BMP_STRING, - attr_val.data, attr_val.size, &t); - _gnutls_free_datum (&attr_val); - if (result < 0) - { - gnutls_assert (); - _gnutls_debug_log - ("Error decoding PKCS12 Bag Attribute OID '%s'\n", oid); - continue; - } - - attr_val.data = t.data; - attr_val.size = t.size; - - bag->element[i].friendly_name = (char*)t.data; - } - else - { - _gnutls_free_datum (&attr_val); - _gnutls_debug_log - ("Unknown PKCS12 Bag Attribute OID '%s'\n", oid); - } - } - - - bag->element[i].type = bag_type; - - } - - asn1_delete_structure (&c2); - - - return 0; - -cleanup: - if (c2) - asn1_delete_structure (&c2); - return result; + char oid[MAX_OID_SIZE], root[ASN1_MAX_NAME_SIZE]; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + int len, result; + int bag_type; + gnutls_datum_t attr_val; + gnutls_datum_t t; + int count = 0, i, attributes, j; + + /* Step 1. Extract the SEQUENCE. + */ + + if ((result = asn1_create_element + (_gnutls_get_pkix(), "PKIX1.pkcs-12-SafeContents", + &c2)) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + result = + asn1_der_decoding(&c2, content->data, content->size, NULL); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + /* Count the number of bags + */ + result = asn1_number_of_elements(c2, "", &count); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + bag->bag_elements = MIN(MAX_BAG_ELEMENTS, count); + + for (i = 0; i < bag->bag_elements; i++) { + + snprintf(root, sizeof(root), "?%u.bagId", i + 1); + + len = sizeof(oid); + result = asn1_read_value(c2, root, oid, &len); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + /* Read the Bag type + */ + bag_type = oid2bag(oid); + + if (bag_type < 0) { + gnutls_assert(); + goto cleanup; + } + + /* Read the Bag Value + */ + + snprintf(root, sizeof(root), "?%u.bagValue", i + 1); + + result = + _gnutls_x509_read_value(c2, root, + &bag->element[i].data); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + if (bag_type == GNUTLS_BAG_CERTIFICATE + || bag_type == GNUTLS_BAG_CRL + || bag_type == GNUTLS_BAG_SECRET) { + gnutls_datum_t tmp = bag->element[i].data; + + result = + _pkcs12_decode_crt_bag(bag_type, &tmp, + &bag->element[i].data); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + _gnutls_free_datum(&tmp); + } + + /* read the bag attributes + */ + snprintf(root, sizeof(root), "?%u.bagAttributes", i + 1); + + result = asn1_number_of_elements(c2, root, &attributes); + if (result != ASN1_SUCCESS + && result != ASN1_ELEMENT_NOT_FOUND) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + if (attributes < 0) + attributes = 1; + + if (result != ASN1_ELEMENT_NOT_FOUND) + for (j = 0; j < attributes; j++) { + + snprintf(root, sizeof(root), + "?%u.bagAttributes.?%u", i + 1, + j + 1); + + result = + _gnutls_x509_decode_and_read_attribute + (c2, root, oid, sizeof(oid), &attr_val, + 1, 0); + + if (result < 0) { + gnutls_assert(); + continue; /* continue in case we find some known attributes */ + } + + if (strcmp(oid, KEY_ID_OID) == 0) { + result = + _gnutls_x509_decode_string + (ASN1_ETYPE_OCTET_STRING, + attr_val.data, attr_val.size, + &t); + _gnutls_free_datum(&attr_val); + if (result < 0) { + gnutls_assert(); + _gnutls_debug_log + ("Error decoding PKCS12 Bag Attribute OID '%s'\n", + oid); + continue; + } + + attr_val.data = t.data; + attr_val.size = t.size; + + bag->element[i].local_key_id = + attr_val; + } else if (strcmp(oid, FRIENDLY_NAME_OID) + == 0) { + result = + _gnutls_x509_decode_string + (ASN1_ETYPE_BMP_STRING, + attr_val.data, attr_val.size, + &t); + _gnutls_free_datum(&attr_val); + if (result < 0) { + gnutls_assert(); + _gnutls_debug_log + ("Error decoding PKCS12 Bag Attribute OID '%s'\n", + oid); + continue; + } + + attr_val.data = t.data; + attr_val.size = t.size; + + bag->element[i].friendly_name = + (char *) t.data; + } else { + _gnutls_free_datum(&attr_val); + _gnutls_debug_log + ("Unknown PKCS12 Bag Attribute OID '%s'\n", + oid); + } + } + + + bag->element[i].type = bag_type; + + } + + asn1_delete_structure(&c2); + + + return 0; + + cleanup: + if (c2) + asn1_delete_structure(&c2); + return result; } static int -_parse_safe_contents (ASN1_TYPE sc, const char *sc_name, - gnutls_pkcs12_bag_t bag) +_parse_safe_contents(ASN1_TYPE sc, const char *sc_name, + gnutls_pkcs12_bag_t bag) { - gnutls_datum_t content = { NULL, 0 }; - int result; + gnutls_datum_t content = { NULL, 0 }; + int result; - /* Step 1. Extract the content. - */ + /* Step 1. Extract the content. + */ - result = _gnutls_x509_read_string (sc, sc_name, &content, ASN1_ETYPE_OCTET_STRING); - if (result < 0) - { - gnutls_assert (); - goto cleanup; - } + result = + _gnutls_x509_read_string(sc, sc_name, &content, + ASN1_ETYPE_OCTET_STRING); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } - result = _pkcs12_decode_safe_contents (&content, bag); - if (result < 0) - { - gnutls_assert (); - goto cleanup; - } + result = _pkcs12_decode_safe_contents(&content, bag); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } - _gnutls_free_datum (&content); + _gnutls_free_datum(&content); - return 0; + return 0; -cleanup: - _gnutls_free_datum (&content); - return result; + cleanup: + _gnutls_free_datum(&content); + return result; } @@ -589,137 +574,128 @@ cleanup: * negative error value. **/ int -gnutls_pkcs12_get_bag (gnutls_pkcs12_t pkcs12, - int indx, gnutls_pkcs12_bag_t bag) +gnutls_pkcs12_get_bag(gnutls_pkcs12_t pkcs12, + int indx, gnutls_pkcs12_bag_t bag) { - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - int result, len; - char root2[ASN1_MAX_NAME_SIZE]; - char oid[MAX_OID_SIZE]; - - if (pkcs12 == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - /* Step 1. decode the data. - */ - result = _decode_pkcs12_auth_safe (pkcs12->pkcs12, &c2, NULL); - if (result < 0) - { - gnutls_assert (); - return result; - } - - /* Step 2. Parse the AuthenticatedSafe - */ - - snprintf (root2, sizeof (root2), "?%u.contentType", indx + 1); - - len = sizeof (oid) - 1; - result = asn1_read_value (c2, root2, oid, &len); - - if (result == ASN1_ELEMENT_NOT_FOUND) - { - result = GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - goto cleanup; - } - - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - - /* Not encrypted Bag - */ - - snprintf (root2, sizeof (root2), "?%u.content", indx + 1); - - if (strcmp (oid, DATA_OID) == 0) - { - result = _parse_safe_contents (c2, root2, bag); - goto cleanup; - } - - /* ENC_DATA_OID needs decryption */ - - bag->element[0].type = GNUTLS_BAG_ENCRYPTED; - bag->bag_elements = 1; - - result = _gnutls_x509_read_value (c2, root2, &bag->element[0].data); - if (result < 0) - { - gnutls_assert (); - goto cleanup; - } - - result = 0; - -cleanup: - if (c2) - asn1_delete_structure (&c2); - return result; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + int result, len; + char root2[ASN1_MAX_NAME_SIZE]; + char oid[MAX_OID_SIZE]; + + if (pkcs12 == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + /* Step 1. decode the data. + */ + result = _decode_pkcs12_auth_safe(pkcs12->pkcs12, &c2, NULL); + if (result < 0) { + gnutls_assert(); + return result; + } + + /* Step 2. Parse the AuthenticatedSafe + */ + + snprintf(root2, sizeof(root2), "?%u.contentType", indx + 1); + + len = sizeof(oid) - 1; + result = asn1_read_value(c2, root2, oid, &len); + + if (result == ASN1_ELEMENT_NOT_FOUND) { + result = GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + goto cleanup; + } + + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + /* Not encrypted Bag + */ + + snprintf(root2, sizeof(root2), "?%u.content", indx + 1); + + if (strcmp(oid, DATA_OID) == 0) { + result = _parse_safe_contents(c2, root2, bag); + goto cleanup; + } + + /* ENC_DATA_OID needs decryption */ + + bag->element[0].type = GNUTLS_BAG_ENCRYPTED; + bag->bag_elements = 1; + + result = _gnutls_x509_read_value(c2, root2, &bag->element[0].data); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + result = 0; + + cleanup: + if (c2) + asn1_delete_structure(&c2); + return result; } /* Creates an empty PFX structure for the PKCS12 structure. */ -static int -create_empty_pfx (ASN1_TYPE pkcs12) +static int create_empty_pfx(ASN1_TYPE pkcs12) { - uint8_t three = 3; - int result; - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - - /* Use version 3 - */ - result = asn1_write_value (pkcs12, "version", &three, 1); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - - /* Write the content type of the data - */ - result = asn1_write_value (pkcs12, "authSafe.contentType", DATA_OID, 1); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - - /* Check if the authenticatedSafe content is empty, and encode a - * null one in that case. - */ - - if ((result = asn1_create_element - (_gnutls_get_pkix (), "PKIX1.pkcs-12-AuthenticatedSafe", - &c2)) != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - - result = - _gnutls_x509_der_encode_and_copy (c2, "", pkcs12, "authSafe.content", 1); - if (result < 0) - { - gnutls_assert (); - goto cleanup; - } - asn1_delete_structure (&c2); - - return 0; - -cleanup: - asn1_delete_structure (&c2); - return result; + uint8_t three = 3; + int result; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + + /* Use version 3 + */ + result = asn1_write_value(pkcs12, "version", &three, 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + /* Write the content type of the data + */ + result = + asn1_write_value(pkcs12, "authSafe.contentType", DATA_OID, 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + /* Check if the authenticatedSafe content is empty, and encode a + * null one in that case. + */ + + if ((result = asn1_create_element + (_gnutls_get_pkix(), "PKIX1.pkcs-12-AuthenticatedSafe", + &c2)) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + result = + _gnutls_x509_der_encode_and_copy(c2, "", pkcs12, + "authSafe.content", 1); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + asn1_delete_structure(&c2); + + return 0; + + cleanup: + asn1_delete_structure(&c2); + return result; } @@ -733,126 +709,117 @@ cleanup: * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a * negative error value. **/ -int -gnutls_pkcs12_set_bag (gnutls_pkcs12_t pkcs12, gnutls_pkcs12_bag_t bag) +int gnutls_pkcs12_set_bag(gnutls_pkcs12_t pkcs12, gnutls_pkcs12_bag_t bag) { - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - ASN1_TYPE safe_cont = ASN1_TYPE_EMPTY; - int result; - int enc = 0, dum = 1; - char null; - - if (pkcs12 == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - /* Step 1. Check if the pkcs12 structure is empty. In that - * case generate an empty PFX. - */ - result = asn1_read_value (pkcs12->pkcs12, "authSafe.content", &null, &dum); - if (result == ASN1_VALUE_NOT_FOUND) - { - result = create_empty_pfx (pkcs12->pkcs12); - if (result < 0) - { - gnutls_assert (); - return result; - } - } - - /* Step 2. decode the authenticatedSafe. - */ - result = _decode_pkcs12_auth_safe (pkcs12->pkcs12, &c2, NULL); - if (result < 0) - { - gnutls_assert (); - return result; - } - - /* Step 3. Encode the bag elements into a SafeContents - * structure. - */ - result = _pkcs12_encode_safe_contents (bag, &safe_cont, &enc); - if (result < 0) - { - gnutls_assert (); - return result; - } - - /* Step 4. Insert the encoded SafeContents into the AuthenticatedSafe - * structure. - */ - result = asn1_write_value (c2, "", "NEW", 1); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - - if (enc) - result = asn1_write_value (c2, "?LAST.contentType", ENC_DATA_OID, 1); - else - result = asn1_write_value (c2, "?LAST.contentType", DATA_OID, 1); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - - if (enc) - { - /* Encrypted packets are written directly. - */ - result = - asn1_write_value (c2, "?LAST.content", - bag->element[0].data.data, - bag->element[0].data.size); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - } - else - { - result = - _gnutls_x509_der_encode_and_copy (safe_cont, "", c2, - "?LAST.content", 1); - if (result < 0) - { - gnutls_assert (); - goto cleanup; - } - } - - asn1_delete_structure (&safe_cont); - - - /* Step 5. Reencode and copy the AuthenticatedSafe into the pkcs12 - * structure. - */ - result = - _gnutls_x509_der_encode_and_copy (c2, "", pkcs12->pkcs12, - "authSafe.content", 1); - if (result < 0) - { - gnutls_assert (); - goto cleanup; - } - - asn1_delete_structure (&c2); - - return 0; - -cleanup: - asn1_delete_structure (&c2); - asn1_delete_structure (&safe_cont); - return result; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + ASN1_TYPE safe_cont = ASN1_TYPE_EMPTY; + int result; + int enc = 0, dum = 1; + char null; + + if (pkcs12 == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + /* Step 1. Check if the pkcs12 structure is empty. In that + * case generate an empty PFX. + */ + result = + asn1_read_value(pkcs12->pkcs12, "authSafe.content", &null, + &dum); + if (result == ASN1_VALUE_NOT_FOUND) { + result = create_empty_pfx(pkcs12->pkcs12); + if (result < 0) { + gnutls_assert(); + return result; + } + } + + /* Step 2. decode the authenticatedSafe. + */ + result = _decode_pkcs12_auth_safe(pkcs12->pkcs12, &c2, NULL); + if (result < 0) { + gnutls_assert(); + return result; + } + + /* Step 3. Encode the bag elements into a SafeContents + * structure. + */ + result = _pkcs12_encode_safe_contents(bag, &safe_cont, &enc); + if (result < 0) { + gnutls_assert(); + return result; + } + + /* Step 4. Insert the encoded SafeContents into the AuthenticatedSafe + * structure. + */ + result = asn1_write_value(c2, "", "NEW", 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + if (enc) + result = + asn1_write_value(c2, "?LAST.contentType", ENC_DATA_OID, + 1); + else + result = + asn1_write_value(c2, "?LAST.contentType", DATA_OID, 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + if (enc) { + /* Encrypted packets are written directly. + */ + result = + asn1_write_value(c2, "?LAST.content", + bag->element[0].data.data, + bag->element[0].data.size); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + } else { + result = + _gnutls_x509_der_encode_and_copy(safe_cont, "", c2, + "?LAST.content", 1); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + } + + asn1_delete_structure(&safe_cont); + + + /* Step 5. Reencode and copy the AuthenticatedSafe into the pkcs12 + * structure. + */ + result = + _gnutls_x509_der_encode_and_copy(c2, "", pkcs12->pkcs12, + "authSafe.content", 1); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + asn1_delete_structure(&c2); + + return 0; + + cleanup: + asn1_delete_structure(&c2); + asn1_delete_structure(&safe_cont); + return result; } /** @@ -865,128 +832,119 @@ cleanup: * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a * negative error value. **/ -int -gnutls_pkcs12_generate_mac (gnutls_pkcs12_t pkcs12, const char *pass) +int gnutls_pkcs12_generate_mac(gnutls_pkcs12_t pkcs12, const char *pass) { - uint8_t salt[8], key[20]; - int result; - const int iter = 1; - mac_hd_st td1; - gnutls_datum_t tmp = { NULL, 0 }; - uint8_t sha_mac[20]; - - if (pkcs12 == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - /* Generate the salt. - */ - result = _gnutls_rnd (GNUTLS_RND_NONCE, salt, sizeof (salt)); - if (result < 0) - { - gnutls_assert (); - return result; - } - - /* Write the salt into the structure. - */ - result = - asn1_write_value (pkcs12->pkcs12, "macData.macSalt", salt, sizeof (salt)); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - - /* write the iterations - */ - - if (iter > 1) - { - result = - _gnutls_x509_write_uint32 (pkcs12->pkcs12, "macData.iterations", - iter); - if (result < 0) - { - gnutls_assert (); - goto cleanup; - } - } - - /* Generate the key. - */ - result = _gnutls_pkcs12_string_to_key (3 /*MAC*/, salt, sizeof (salt), - iter, pass, sizeof (key), key); - if (result < 0) - { - gnutls_assert (); - goto cleanup; - } - - /* Get the data to be MACed - */ - result = _decode_pkcs12_auth_safe (pkcs12->pkcs12, NULL, &tmp); - if (result < 0) - { - gnutls_assert (); - goto cleanup; - } - - /* MAC the data - */ - result = _gnutls_mac_init (&td1, mac_to_entry(GNUTLS_MAC_SHA1), - key, sizeof (key)); - if (result < 0) - { - gnutls_assert (); - goto cleanup; - } - - _gnutls_mac (&td1, tmp.data, tmp.size); - _gnutls_free_datum (&tmp); - - _gnutls_mac_deinit (&td1, sha_mac); - - - result = - asn1_write_value (pkcs12->pkcs12, "macData.mac.digest", sha_mac, - sizeof (sha_mac)); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - - result = - asn1_write_value (pkcs12->pkcs12, - "macData.mac.digestAlgorithm.parameters", NULL, 0); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - - result = - asn1_write_value (pkcs12->pkcs12, - "macData.mac.digestAlgorithm.algorithm", HASH_OID_SHA1, - 1); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - - return 0; - -cleanup: - _gnutls_free_datum (&tmp); - return result; + uint8_t salt[8], key[20]; + int result; + const int iter = 1; + mac_hd_st td1; + gnutls_datum_t tmp = { NULL, 0 }; + uint8_t sha_mac[20]; + + if (pkcs12 == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + /* Generate the salt. + */ + result = _gnutls_rnd(GNUTLS_RND_NONCE, salt, sizeof(salt)); + if (result < 0) { + gnutls_assert(); + return result; + } + + /* Write the salt into the structure. + */ + result = + asn1_write_value(pkcs12->pkcs12, "macData.macSalt", salt, + sizeof(salt)); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + /* write the iterations + */ + + if (iter > 1) { + result = + _gnutls_x509_write_uint32(pkcs12->pkcs12, + "macData.iterations", iter); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + } + + /* Generate the key. + */ + result = + _gnutls_pkcs12_string_to_key(3 /*MAC*/, salt, sizeof(salt), + iter, pass, sizeof(key), key); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + /* Get the data to be MACed + */ + result = _decode_pkcs12_auth_safe(pkcs12->pkcs12, NULL, &tmp); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + /* MAC the data + */ + result = _gnutls_mac_init(&td1, mac_to_entry(GNUTLS_MAC_SHA1), + key, sizeof(key)); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + _gnutls_mac(&td1, tmp.data, tmp.size); + _gnutls_free_datum(&tmp); + + _gnutls_mac_deinit(&td1, sha_mac); + + + result = + asn1_write_value(pkcs12->pkcs12, "macData.mac.digest", sha_mac, + sizeof(sha_mac)); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + result = + asn1_write_value(pkcs12->pkcs12, + "macData.mac.digestAlgorithm.parameters", + NULL, 0); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + result = + asn1_write_value(pkcs12->pkcs12, + "macData.mac.digestAlgorithm.algorithm", + HASH_OID_SHA1, 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + return 0; + + cleanup: + _gnutls_free_datum(&tmp); + return result; } /** @@ -999,216 +957,201 @@ cleanup: * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a * negative error value. **/ -int -gnutls_pkcs12_verify_mac (gnutls_pkcs12_t pkcs12, const char *pass) +int gnutls_pkcs12_verify_mac(gnutls_pkcs12_t pkcs12, const char *pass) { - uint8_t key[20]; - int result; - unsigned int iter; - int len; - mac_hd_st td1; - gnutls_datum_t tmp = { NULL, 0 }, salt = - { - NULL, 0}; - uint8_t sha_mac[20]; - uint8_t sha_mac_orig[20]; - - if (pkcs12 == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - /* read the iterations - */ - - result = - _gnutls_x509_read_uint (pkcs12->pkcs12, "macData.iterations", &iter); - if (result < 0) - { - iter = 1; /* the default */ - } - - - /* Read the salt from the structure. - */ - result = - _gnutls_x509_read_value (pkcs12->pkcs12, "macData.macSalt", &salt); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - - /* Generate the key. - */ - result = _gnutls_pkcs12_string_to_key (3 /*MAC*/, salt.data, salt.size, - iter, pass, sizeof (key), key); - if (result < 0) - { - gnutls_assert (); - goto cleanup; - } - - _gnutls_free_datum (&salt); - - /* Get the data to be MACed - */ - result = _decode_pkcs12_auth_safe (pkcs12->pkcs12, NULL, &tmp); - if (result < 0) - { - gnutls_assert (); - goto cleanup; - } - - /* MAC the data - */ - result = _gnutls_mac_init (&td1, mac_to_entry(GNUTLS_MAC_SHA1), - key, sizeof (key)); - if (result < 0) - { - gnutls_assert (); - goto cleanup; - } - - _gnutls_mac (&td1, tmp.data, tmp.size); - _gnutls_free_datum (&tmp); - - _gnutls_mac_deinit (&td1, sha_mac); - - len = sizeof (sha_mac_orig); - result = - asn1_read_value (pkcs12->pkcs12, "macData.mac.digest", sha_mac_orig, - &len); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - - if (memcmp (sha_mac_orig, sha_mac, sizeof (sha_mac)) != 0) - { - gnutls_assert (); - return GNUTLS_E_MAC_VERIFY_FAILED; - } - - return 0; - -cleanup: - _gnutls_free_datum (&tmp); - _gnutls_free_datum (&salt); - return result; + uint8_t key[20]; + int result; + unsigned int iter; + int len; + mac_hd_st td1; + gnutls_datum_t tmp = { NULL, 0 }, salt = { + NULL, 0}; + uint8_t sha_mac[20]; + uint8_t sha_mac_orig[20]; + + if (pkcs12 == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + /* read the iterations + */ + + result = + _gnutls_x509_read_uint(pkcs12->pkcs12, "macData.iterations", + &iter); + if (result < 0) { + iter = 1; /* the default */ + } + + + /* Read the salt from the structure. + */ + result = + _gnutls_x509_read_value(pkcs12->pkcs12, "macData.macSalt", + &salt); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + /* Generate the key. + */ + result = + _gnutls_pkcs12_string_to_key(3 /*MAC*/, salt.data, salt.size, + iter, pass, sizeof(key), key); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + _gnutls_free_datum(&salt); + + /* Get the data to be MACed + */ + result = _decode_pkcs12_auth_safe(pkcs12->pkcs12, NULL, &tmp); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + /* MAC the data + */ + result = _gnutls_mac_init(&td1, mac_to_entry(GNUTLS_MAC_SHA1), + key, sizeof(key)); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + _gnutls_mac(&td1, tmp.data, tmp.size); + _gnutls_free_datum(&tmp); + + _gnutls_mac_deinit(&td1, sha_mac); + + len = sizeof(sha_mac_orig); + result = + asn1_read_value(pkcs12->pkcs12, "macData.mac.digest", + sha_mac_orig, &len); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + if (memcmp(sha_mac_orig, sha_mac, sizeof(sha_mac)) != 0) { + gnutls_assert(); + return GNUTLS_E_MAC_VERIFY_FAILED; + } + + return 0; + + cleanup: + _gnutls_free_datum(&tmp); + _gnutls_free_datum(&salt); + return result; } static int -write_attributes (gnutls_pkcs12_bag_t bag, int elem, - ASN1_TYPE c2, const char *where) +write_attributes(gnutls_pkcs12_bag_t bag, int elem, + ASN1_TYPE c2, const char *where) { - int result; - char root[128]; - - /* If the bag attributes are empty, then write - * nothing to the attribute field. - */ - if (bag->element[elem].friendly_name == NULL && - bag->element[elem].local_key_id.data == NULL) - { - /* no attributes - */ - result = asn1_write_value (c2, where, NULL, 0); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - return 0; - } - - if (bag->element[elem].local_key_id.data != NULL) - { - - /* Add a new Attribute - */ - result = asn1_write_value (c2, where, "NEW", 1); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - _gnutls_str_cpy (root, sizeof (root), where); - _gnutls_str_cat (root, sizeof (root), ".?LAST"); - - result = - _gnutls_x509_encode_and_write_attribute (KEY_ID_OID, c2, root, - bag-> - element[elem].local_key_id. - data, - bag-> - element[elem].local_key_id. - size, 1); - if (result < 0) - { - gnutls_assert (); - return result; - } - } - - if (bag->element[elem].friendly_name != NULL) - { - uint8_t *name; - int size, i; - const char *p; - - /* Add a new Attribute - */ - result = asn1_write_value (c2, where, "NEW", 1); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - /* convert name to BMPString - */ - size = strlen (bag->element[elem].friendly_name) * 2; - name = gnutls_malloc (size); - - if (name == NULL) - { - gnutls_assert (); - return GNUTLS_E_MEMORY_ERROR; - } - - p = bag->element[elem].friendly_name; - for (i = 0; i < size; i += 2) - { - name[i] = 0; - name[i + 1] = *p; - p++; - } - - _gnutls_str_cpy (root, sizeof (root), where); - _gnutls_str_cat (root, sizeof (root), ".?LAST"); - - result = - _gnutls_x509_encode_and_write_attribute (FRIENDLY_NAME_OID, c2, - root, name, size, 1); - - gnutls_free (name); - - if (result < 0) - { - gnutls_assert (); - return result; - } - } - - return 0; + int result; + char root[128]; + + /* If the bag attributes are empty, then write + * nothing to the attribute field. + */ + if (bag->element[elem].friendly_name == NULL && + bag->element[elem].local_key_id.data == NULL) { + /* no attributes + */ + result = asn1_write_value(c2, where, NULL, 0); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + return 0; + } + + if (bag->element[elem].local_key_id.data != NULL) { + + /* Add a new Attribute + */ + result = asn1_write_value(c2, where, "NEW", 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + _gnutls_str_cpy(root, sizeof(root), where); + _gnutls_str_cat(root, sizeof(root), ".?LAST"); + + result = + _gnutls_x509_encode_and_write_attribute(KEY_ID_OID, c2, + root, + bag->element + [elem]. + local_key_id.data, + bag->element + [elem]. + local_key_id.size, + 1); + if (result < 0) { + gnutls_assert(); + return result; + } + } + + if (bag->element[elem].friendly_name != NULL) { + uint8_t *name; + int size, i; + const char *p; + + /* Add a new Attribute + */ + result = asn1_write_value(c2, where, "NEW", 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + /* convert name to BMPString + */ + size = strlen(bag->element[elem].friendly_name) * 2; + name = gnutls_malloc(size); + + if (name == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + p = bag->element[elem].friendly_name; + for (i = 0; i < size; i += 2) { + name[i] = 0; + name[i + 1] = *p; + p++; + } + + _gnutls_str_cpy(root, sizeof(root), where); + _gnutls_str_cat(root, sizeof(root), ".?LAST"); + + result = + _gnutls_x509_encode_and_write_attribute + (FRIENDLY_NAME_OID, c2, root, name, size, 1); + + gnutls_free(name); + + if (result < 0) { + gnutls_assert(); + return result; + } + } + + return 0; } @@ -1216,125 +1159,118 @@ write_attributes (gnutls_pkcs12_bag_t bag, int elem, * the given datum. Enc is set to non-zero if the data are encrypted; */ int -_pkcs12_encode_safe_contents (gnutls_pkcs12_bag_t bag, ASN1_TYPE * contents, - int *enc) +_pkcs12_encode_safe_contents(gnutls_pkcs12_bag_t bag, ASN1_TYPE * contents, + int *enc) { - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - int result; - int i; - const char *oid; - - if (bag->element[0].type == GNUTLS_BAG_ENCRYPTED && enc) - { - *enc = 1; - return 0; /* ENCRYPTED BAG, do nothing. */ - } - else if (enc) - *enc = 0; - - /* Step 1. Create the SEQUENCE. - */ - - if ((result = asn1_create_element - (_gnutls_get_pkix (), "PKIX1.pkcs-12-SafeContents", - &c2)) != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - - for (i = 0; i < bag->bag_elements; i++) - { - - oid = bag_to_oid (bag->element[i].type); - if (oid == NULL) - { - gnutls_assert (); - continue; - } - - result = asn1_write_value (c2, "", "NEW", 1); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - - /* Copy the bag type. - */ - result = asn1_write_value (c2, "?LAST.bagId", oid, 1); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - - /* Set empty attributes - */ - result = write_attributes (bag, i, c2, "?LAST.bagAttributes"); - if (result < 0) - { - gnutls_assert (); - goto cleanup; - } - - - /* Copy the Bag Value - */ - - if (bag->element[i].type == GNUTLS_BAG_CERTIFICATE || - bag->element[i].type == GNUTLS_BAG_SECRET || - bag->element[i].type == GNUTLS_BAG_CRL) - { - gnutls_datum_t tmp; - - /* in that case encode it to a CertBag or - * a CrlBag. - */ - - result = - _pkcs12_encode_crt_bag (bag->element[i].type, - &bag->element[i].data, &tmp); - - if (result < 0) - { - gnutls_assert (); - goto cleanup; - } - - result = _gnutls_x509_write_value (c2, "?LAST.bagValue", &tmp); - - _gnutls_free_datum (&tmp); - - } - else - { - - result = _gnutls_x509_write_value (c2, "?LAST.bagValue", - &bag->element[i].data); - } - - if (result < 0) - { - gnutls_assert (); - goto cleanup; - } - - } - - /* Encode the data and copy them into the datum - */ - *contents = c2; - - return 0; - -cleanup: - if (c2) - asn1_delete_structure (&c2); - return result; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + int result; + int i; + const char *oid; + + if (bag->element[0].type == GNUTLS_BAG_ENCRYPTED && enc) { + *enc = 1; + return 0; /* ENCRYPTED BAG, do nothing. */ + } else if (enc) + *enc = 0; + + /* Step 1. Create the SEQUENCE. + */ + + if ((result = asn1_create_element + (_gnutls_get_pkix(), "PKIX1.pkcs-12-SafeContents", + &c2)) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + for (i = 0; i < bag->bag_elements; i++) { + + oid = bag_to_oid(bag->element[i].type); + if (oid == NULL) { + gnutls_assert(); + continue; + } + + result = asn1_write_value(c2, "", "NEW", 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + /* Copy the bag type. + */ + result = asn1_write_value(c2, "?LAST.bagId", oid, 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + /* Set empty attributes + */ + result = + write_attributes(bag, i, c2, "?LAST.bagAttributes"); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + + /* Copy the Bag Value + */ + + if (bag->element[i].type == GNUTLS_BAG_CERTIFICATE || + bag->element[i].type == GNUTLS_BAG_SECRET || + bag->element[i].type == GNUTLS_BAG_CRL) { + gnutls_datum_t tmp; + + /* in that case encode it to a CertBag or + * a CrlBag. + */ + + result = + _pkcs12_encode_crt_bag(bag->element[i].type, + &bag->element[i].data, + &tmp); + + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + result = + _gnutls_x509_write_value(c2, "?LAST.bagValue", + &tmp); + + _gnutls_free_datum(&tmp); + + } else { + + result = + _gnutls_x509_write_value(c2, "?LAST.bagValue", + &bag->element[i]. + data); + } + + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + } + + /* Encode the data and copy them into the datum + */ + *contents = c2; + + return 0; + + cleanup: + if (c2) + asn1_delete_structure(&c2); + return result; } @@ -1342,45 +1278,49 @@ cleanup: * with the first certificate in chain (it is expected that chain_len==1) * and appends those in the chain. */ -static int make_chain(gnutls_x509_crt_t **chain, unsigned int *chain_len, - gnutls_x509_crt_t **extra_certs, unsigned int *extra_certs_len, - unsigned int flags) +static int make_chain(gnutls_x509_crt_t ** chain, unsigned int *chain_len, + gnutls_x509_crt_t ** extra_certs, + unsigned int *extra_certs_len, unsigned int flags) { -unsigned int i; - - if (*chain_len != 1) - return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); - - i = 0; - while(i<*extra_certs_len) - { - /* if it is an issuer but not a self-signed one */ - if (gnutls_x509_crt_check_issuer((*chain)[*chain_len - 1], (*extra_certs)[i]) != 0) - { - if (!(flags & GNUTLS_PKCS12_SP_INCLUDE_SELF_SIGNED) && - gnutls_x509_crt_check_issuer((*extra_certs)[i], (*extra_certs)[i]) != 0) - goto skip; - - *chain = gnutls_realloc_fast (*chain, sizeof((*chain)[0]) * - ++(*chain_len)); - if (*chain == NULL) - { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - (*chain)[*chain_len - 1] = (*extra_certs)[i]; - - (*extra_certs)[i] = (*extra_certs)[*extra_certs_len-1]; - (*extra_certs_len)--; - - i=0; - continue; - } - -skip: - i++; - } - return 0; + unsigned int i; + + if (*chain_len != 1) + return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); + + i = 0; + while (i < *extra_certs_len) { + /* if it is an issuer but not a self-signed one */ + if (gnutls_x509_crt_check_issuer + ((*chain)[*chain_len - 1], (*extra_certs)[i]) != 0) { + if (!(flags & GNUTLS_PKCS12_SP_INCLUDE_SELF_SIGNED) + && + gnutls_x509_crt_check_issuer((*extra_certs)[i], + (*extra_certs)[i]) + != 0) + goto skip; + + *chain = + gnutls_realloc_fast(*chain, + sizeof((*chain)[0]) * + ++(*chain_len)); + if (*chain == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + (*chain)[*chain_len - 1] = (*extra_certs)[i]; + + (*extra_certs)[i] = + (*extra_certs)[*extra_certs_len - 1]; + (*extra_certs_len)--; + + i = 0; + continue; + } + + skip: + i++; + } + return 0; } /** @@ -1433,413 +1373,385 @@ skip: * Since: 3.1 **/ int -gnutls_pkcs12_simple_parse (gnutls_pkcs12_t p12, - const char *password, - gnutls_x509_privkey_t * key, - gnutls_x509_crt_t ** chain, - unsigned int * chain_len, - gnutls_x509_crt_t ** extra_certs, - unsigned int * extra_certs_len, - gnutls_x509_crl_t * crl, - unsigned int flags) +gnutls_pkcs12_simple_parse(gnutls_pkcs12_t p12, + const char *password, + gnutls_x509_privkey_t * key, + gnutls_x509_crt_t ** chain, + unsigned int *chain_len, + gnutls_x509_crt_t ** extra_certs, + unsigned int *extra_certs_len, + gnutls_x509_crl_t * crl, unsigned int flags) { - gnutls_pkcs12_bag_t bag = NULL; - gnutls_x509_crt_t *_extra_certs = NULL; - unsigned int _extra_certs_len = 0; - gnutls_x509_crt_t *_chain = NULL; - unsigned int _chain_len = 0; - int idx = 0; - int ret; - size_t cert_id_size = 0; - size_t key_id_size = 0; - uint8_t cert_id[20]; - uint8_t key_id[20]; - int privkey_ok = 0; - unsigned int i; - - *key = NULL; - - if (crl) - *crl = NULL; - - /* find the first private key */ - for (;;) - { - int elements_in_bag; - int i; - - ret = gnutls_pkcs12_bag_init (&bag); - if (ret < 0) - { - bag = NULL; - gnutls_assert (); - goto done; - } - - ret = gnutls_pkcs12_get_bag (p12, idx, bag); - if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) - break; - if (ret < 0) - { - gnutls_assert (); - goto done; - } - - ret = gnutls_pkcs12_bag_get_type (bag, 0); - if (ret < 0) - { - gnutls_assert (); - goto done; - } - - if (ret == GNUTLS_BAG_ENCRYPTED) - { - if (password == NULL) - { - ret = gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED); - goto done; - } - - ret = gnutls_pkcs12_bag_decrypt (bag, password); - if (ret < 0) - { - gnutls_assert (); - goto done; - } - } - - elements_in_bag = gnutls_pkcs12_bag_get_count (bag); - if (elements_in_bag < 0) - { - gnutls_assert (); - goto done; - } - - for (i = 0; i < elements_in_bag; i++) - { - int type; - gnutls_datum_t data; - - type = gnutls_pkcs12_bag_get_type (bag, i); - if (type < 0) - { - gnutls_assert (); - goto done; - } - - ret = gnutls_pkcs12_bag_get_data (bag, i, &data); - if (ret < 0) - { - gnutls_assert (); - goto done; - } - - switch (type) - { - case GNUTLS_BAG_PKCS8_ENCRYPTED_KEY: - if (password == NULL) - { - ret = gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED); - goto done; - } - - case GNUTLS_BAG_PKCS8_KEY: - if (*key != NULL) /* too simple to continue */ - { - gnutls_assert (); - break; - } - - ret = gnutls_x509_privkey_init (key); - if (ret < 0) - { - gnutls_assert (); - goto done; - } - - ret = gnutls_x509_privkey_import_pkcs8 - (*key, &data, GNUTLS_X509_FMT_DER, password, - type == GNUTLS_BAG_PKCS8_KEY ? GNUTLS_PKCS_PLAIN : 0); - if (ret < 0) - { - gnutls_assert (); - gnutls_x509_privkey_deinit (*key); - goto done; - } - - key_id_size = sizeof (key_id); - ret = - gnutls_x509_privkey_get_key_id (*key, 0, key_id, - &key_id_size); - if (ret < 0) - { - gnutls_assert (); - gnutls_x509_privkey_deinit (*key); - goto done; - } - - privkey_ok = 1; /* break */ - break; - default: - break; - } - } - - idx++; - gnutls_pkcs12_bag_deinit (bag); - - if (privkey_ok != 0) /* private key was found */ - break; - } - - if (privkey_ok == 0) /* no private key */ - { - gnutls_assert (); - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - } - - /* now find the corresponding certificate - */ - idx = 0; - bag = NULL; - for (;;) - { - int elements_in_bag; - int i; - - ret = gnutls_pkcs12_bag_init (&bag); - if (ret < 0) - { - bag = NULL; - gnutls_assert (); - goto done; - } - - ret = gnutls_pkcs12_get_bag (p12, idx, bag); - if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) - break; - if (ret < 0) - { - gnutls_assert (); - goto done; - } - - ret = gnutls_pkcs12_bag_get_type (bag, 0); - if (ret < 0) - { - gnutls_assert (); - goto done; - } - - if (ret == GNUTLS_BAG_ENCRYPTED) - { - ret = gnutls_pkcs12_bag_decrypt (bag, password); - if (ret < 0) - { - gnutls_assert (); - goto done; - } - } - - elements_in_bag = gnutls_pkcs12_bag_get_count (bag); - if (elements_in_bag < 0) - { - gnutls_assert (); - goto done; - } - - for (i = 0; i < elements_in_bag; i++) - { - int type; - gnutls_datum_t data; - gnutls_x509_crt_t this_cert; - - type = gnutls_pkcs12_bag_get_type (bag, i); - if (type < 0) - { - gnutls_assert (); - goto done; - } - - ret = gnutls_pkcs12_bag_get_data (bag, i, &data); - if (ret < 0) - { - gnutls_assert (); - goto done; - } - - switch (type) - { - case GNUTLS_BAG_CERTIFICATE: - ret = gnutls_x509_crt_init (&this_cert); - if (ret < 0) - { - gnutls_assert (); - goto done; - } - - ret = - gnutls_x509_crt_import (this_cert, &data, GNUTLS_X509_FMT_DER); - if (ret < 0) - { - gnutls_assert (); - gnutls_x509_crt_deinit (this_cert); - goto done; - } - - /* check if the key id match */ - cert_id_size = sizeof (cert_id); - ret = - gnutls_x509_crt_get_key_id (this_cert, 0, cert_id, &cert_id_size); - if (ret < 0) - { - gnutls_assert (); - gnutls_x509_crt_deinit (this_cert); - goto done; - } - - if (memcmp (cert_id, key_id, cert_id_size) != 0) - { /* they don't match - skip the certificate */ - if (extra_certs) - { - _extra_certs = gnutls_realloc_fast (_extra_certs, - sizeof(_extra_certs[0]) * - ++_extra_certs_len); - if (!_extra_certs) - { - gnutls_assert (); - ret = GNUTLS_E_MEMORY_ERROR; - goto done; - } - _extra_certs[_extra_certs_len - 1] = this_cert; - this_cert = NULL; - } - else - { - gnutls_x509_crt_deinit (this_cert); - } - } - else - { - if (chain && _chain_len == 0) - { - _chain = gnutls_malloc (sizeof(_chain[0]) * (++_chain_len)); - if (!_chain) - { - gnutls_assert (); - ret = GNUTLS_E_MEMORY_ERROR; - goto done; - } - _chain[_chain_len - 1] = this_cert; - this_cert = NULL; - } - else - { - gnutls_x509_crt_deinit (this_cert); - } - } - break; - - case GNUTLS_BAG_CRL: - if (crl == NULL || *crl != NULL) - { - gnutls_assert (); - break; - } - - ret = gnutls_x509_crl_init (crl); - if (ret < 0) - { - gnutls_assert (); - goto done; - } - - ret = gnutls_x509_crl_import (*crl, &data, GNUTLS_X509_FMT_DER); - if (ret < 0) - { - gnutls_assert (); - gnutls_x509_crl_deinit (*crl); - goto done; - } - break; - - case GNUTLS_BAG_ENCRYPTED: - /* XXX Bother to recurse one level down? Unlikely to - use the same password anyway. */ - case GNUTLS_BAG_EMPTY: - default: - break; - } - } - - idx++; - gnutls_pkcs12_bag_deinit (bag); - } - - if (chain != NULL) - { - if (_chain_len != 1) - { - ret = GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - goto done; - } - - ret = make_chain(&_chain, &_chain_len, &_extra_certs, &_extra_certs_len, flags); - if (ret < 0) - { - gnutls_assert(); - goto done; - } - } - - ret = 0; - -done: - if (bag) - gnutls_pkcs12_bag_deinit (bag); - - if (ret < 0) - { - if (*key) - gnutls_x509_privkey_deinit(*key); - if (_extra_certs_len && _extra_certs != NULL) - { - for (i = 0; i < _extra_certs_len; i++) - gnutls_x509_crt_deinit(_extra_certs[i]); - gnutls_free(_extra_certs); - } - if (_chain_len && _chain != NULL) - { - for (i = 0; i < _chain_len; i++) - gnutls_x509_crt_deinit(_chain[i]); - gnutls_free(_chain); - } - - return ret; - } - - if (extra_certs && _extra_certs_len > 0) - { - *extra_certs = _extra_certs; - *extra_certs_len = _extra_certs_len; - } - else - { - if (extra_certs) - { - *extra_certs = NULL; - *extra_certs_len = 0; - } - for (i = 0; i < _extra_certs_len; i++) - gnutls_x509_crt_deinit(_extra_certs[i]); - gnutls_free(_extra_certs); - } - - if (chain != NULL) - { - *chain = _chain; - *chain_len = _chain_len; - } - - return ret; + gnutls_pkcs12_bag_t bag = NULL; + gnutls_x509_crt_t *_extra_certs = NULL; + unsigned int _extra_certs_len = 0; + gnutls_x509_crt_t *_chain = NULL; + unsigned int _chain_len = 0; + int idx = 0; + int ret; + size_t cert_id_size = 0; + size_t key_id_size = 0; + uint8_t cert_id[20]; + uint8_t key_id[20]; + int privkey_ok = 0; + unsigned int i; + + *key = NULL; + + if (crl) + *crl = NULL; + + /* find the first private key */ + for (;;) { + int elements_in_bag; + int i; + + ret = gnutls_pkcs12_bag_init(&bag); + if (ret < 0) { + bag = NULL; + gnutls_assert(); + goto done; + } + + ret = gnutls_pkcs12_get_bag(p12, idx, bag); + if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) + break; + if (ret < 0) { + gnutls_assert(); + goto done; + } + + ret = gnutls_pkcs12_bag_get_type(bag, 0); + if (ret < 0) { + gnutls_assert(); + goto done; + } + + if (ret == GNUTLS_BAG_ENCRYPTED) { + if (password == NULL) { + ret = + gnutls_assert_val + (GNUTLS_E_DECRYPTION_FAILED); + goto done; + } + + ret = gnutls_pkcs12_bag_decrypt(bag, password); + if (ret < 0) { + gnutls_assert(); + goto done; + } + } + + elements_in_bag = gnutls_pkcs12_bag_get_count(bag); + if (elements_in_bag < 0) { + gnutls_assert(); + goto done; + } + + for (i = 0; i < elements_in_bag; i++) { + int type; + gnutls_datum_t data; + + type = gnutls_pkcs12_bag_get_type(bag, i); + if (type < 0) { + gnutls_assert(); + goto done; + } + + ret = gnutls_pkcs12_bag_get_data(bag, i, &data); + if (ret < 0) { + gnutls_assert(); + goto done; + } + + switch (type) { + case GNUTLS_BAG_PKCS8_ENCRYPTED_KEY: + if (password == NULL) { + ret = + gnutls_assert_val + (GNUTLS_E_DECRYPTION_FAILED); + goto done; + } + + case GNUTLS_BAG_PKCS8_KEY: + if (*key != NULL) { /* too simple to continue */ + gnutls_assert(); + break; + } + + ret = gnutls_x509_privkey_init(key); + if (ret < 0) { + gnutls_assert(); + goto done; + } + + ret = gnutls_x509_privkey_import_pkcs8 + (*key, &data, GNUTLS_X509_FMT_DER, + password, + type == + GNUTLS_BAG_PKCS8_KEY ? + GNUTLS_PKCS_PLAIN : 0); + if (ret < 0) { + gnutls_assert(); + gnutls_x509_privkey_deinit(*key); + goto done; + } + + key_id_size = sizeof(key_id); + ret = + gnutls_x509_privkey_get_key_id(*key, 0, + key_id, + &key_id_size); + if (ret < 0) { + gnutls_assert(); + gnutls_x509_privkey_deinit(*key); + goto done; + } + + privkey_ok = 1; /* break */ + break; + default: + break; + } + } + + idx++; + gnutls_pkcs12_bag_deinit(bag); + + if (privkey_ok != 0) /* private key was found */ + break; + } + + if (privkey_ok == 0) { /* no private key */ + gnutls_assert(); + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + } + + /* now find the corresponding certificate + */ + idx = 0; + bag = NULL; + for (;;) { + int elements_in_bag; + int i; + + ret = gnutls_pkcs12_bag_init(&bag); + if (ret < 0) { + bag = NULL; + gnutls_assert(); + goto done; + } + + ret = gnutls_pkcs12_get_bag(p12, idx, bag); + if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) + break; + if (ret < 0) { + gnutls_assert(); + goto done; + } + + ret = gnutls_pkcs12_bag_get_type(bag, 0); + if (ret < 0) { + gnutls_assert(); + goto done; + } + + if (ret == GNUTLS_BAG_ENCRYPTED) { + ret = gnutls_pkcs12_bag_decrypt(bag, password); + if (ret < 0) { + gnutls_assert(); + goto done; + } + } + + elements_in_bag = gnutls_pkcs12_bag_get_count(bag); + if (elements_in_bag < 0) { + gnutls_assert(); + goto done; + } + + for (i = 0; i < elements_in_bag; i++) { + int type; + gnutls_datum_t data; + gnutls_x509_crt_t this_cert; + + type = gnutls_pkcs12_bag_get_type(bag, i); + if (type < 0) { + gnutls_assert(); + goto done; + } + + ret = gnutls_pkcs12_bag_get_data(bag, i, &data); + if (ret < 0) { + gnutls_assert(); + goto done; + } + + switch (type) { + case GNUTLS_BAG_CERTIFICATE: + ret = gnutls_x509_crt_init(&this_cert); + if (ret < 0) { + gnutls_assert(); + goto done; + } + + ret = + gnutls_x509_crt_import(this_cert, + &data, + GNUTLS_X509_FMT_DER); + if (ret < 0) { + gnutls_assert(); + gnutls_x509_crt_deinit(this_cert); + goto done; + } + + /* check if the key id match */ + cert_id_size = sizeof(cert_id); + ret = + gnutls_x509_crt_get_key_id(this_cert, + 0, cert_id, + &cert_id_size); + if (ret < 0) { + gnutls_assert(); + gnutls_x509_crt_deinit(this_cert); + goto done; + } + + if (memcmp(cert_id, key_id, cert_id_size) != 0) { /* they don't match - skip the certificate */ + if (extra_certs) { + _extra_certs = + gnutls_realloc_fast + (_extra_certs, + sizeof(_extra_certs + [0]) * + ++_extra_certs_len); + if (!_extra_certs) { + gnutls_assert(); + ret = + GNUTLS_E_MEMORY_ERROR; + goto done; + } + _extra_certs + [_extra_certs_len - + 1] = this_cert; + this_cert = NULL; + } else { + gnutls_x509_crt_deinit + (this_cert); + } + } else { + if (chain && _chain_len == 0) { + _chain = + gnutls_malloc(sizeof + (_chain + [0]) * + (++_chain_len)); + if (!_chain) { + gnutls_assert(); + ret = + GNUTLS_E_MEMORY_ERROR; + goto done; + } + _chain[_chain_len - 1] = + this_cert; + this_cert = NULL; + } else { + gnutls_x509_crt_deinit + (this_cert); + } + } + break; + + case GNUTLS_BAG_CRL: + if (crl == NULL || *crl != NULL) { + gnutls_assert(); + break; + } + + ret = gnutls_x509_crl_init(crl); + if (ret < 0) { + gnutls_assert(); + goto done; + } + + ret = + gnutls_x509_crl_import(*crl, &data, + GNUTLS_X509_FMT_DER); + if (ret < 0) { + gnutls_assert(); + gnutls_x509_crl_deinit(*crl); + goto done; + } + break; + + case GNUTLS_BAG_ENCRYPTED: + /* XXX Bother to recurse one level down? Unlikely to + use the same password anyway. */ + case GNUTLS_BAG_EMPTY: + default: + break; + } + } + + idx++; + gnutls_pkcs12_bag_deinit(bag); + } + + if (chain != NULL) { + if (_chain_len != 1) { + ret = GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + goto done; + } + + ret = + make_chain(&_chain, &_chain_len, &_extra_certs, + &_extra_certs_len, flags); + if (ret < 0) { + gnutls_assert(); + goto done; + } + } + + ret = 0; + + done: + if (bag) + gnutls_pkcs12_bag_deinit(bag); + + if (ret < 0) { + if (*key) + gnutls_x509_privkey_deinit(*key); + if (_extra_certs_len && _extra_certs != NULL) { + for (i = 0; i < _extra_certs_len; i++) + gnutls_x509_crt_deinit(_extra_certs[i]); + gnutls_free(_extra_certs); + } + if (_chain_len && _chain != NULL) { + for (i = 0; i < _chain_len; i++) + gnutls_x509_crt_deinit(_chain[i]); + gnutls_free(_chain); + } + + return ret; + } + + if (extra_certs && _extra_certs_len > 0) { + *extra_certs = _extra_certs; + *extra_certs_len = _extra_certs_len; + } else { + if (extra_certs) { + *extra_certs = NULL; + *extra_certs_len = 0; + } + for (i = 0; i < _extra_certs_len; i++) + gnutls_x509_crt_deinit(_extra_certs[i]); + gnutls_free(_extra_certs); + } + + if (chain != NULL) { + *chain = _chain; + *chain_len = _chain_len; + } + + return ret; } diff --git a/lib/x509/pkcs12_bag.c b/lib/x509/pkcs12_bag.c index a3a5149364..b77ea46cf4 100644 --- a/lib/x509/pkcs12_bag.c +++ b/lib/x509/pkcs12_bag.c @@ -42,31 +42,27 @@ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a * negative error value. **/ -int -gnutls_pkcs12_bag_init (gnutls_pkcs12_bag_t * bag) +int gnutls_pkcs12_bag_init(gnutls_pkcs12_bag_t * bag) { - *bag = gnutls_calloc (1, sizeof (gnutls_pkcs12_bag_int)); + *bag = gnutls_calloc(1, sizeof(gnutls_pkcs12_bag_int)); - if (*bag) - { - return 0; /* success */ - } - return GNUTLS_E_MEMORY_ERROR; + if (*bag) { + return 0; /* success */ + } + return GNUTLS_E_MEMORY_ERROR; } -static inline void -_pkcs12_bag_free_data (gnutls_pkcs12_bag_t bag) +static inline void _pkcs12_bag_free_data(gnutls_pkcs12_bag_t bag) { - int i; + int i; - for (i = 0; i < bag->bag_elements; i++) - { - _gnutls_free_datum (&bag->element[i].data); - _gnutls_free_datum (&bag->element[i].local_key_id); - gnutls_free (bag->element[i].friendly_name); - bag->element[i].friendly_name = NULL; - bag->element[i].type = 0; - } + for (i = 0; i < bag->bag_elements; i++) { + _gnutls_free_datum(&bag->element[i].data); + _gnutls_free_datum(&bag->element[i].local_key_id); + gnutls_free(bag->element[i].friendly_name); + bag->element[i].friendly_name = NULL; + bag->element[i].type = 0; + } } @@ -77,15 +73,14 @@ _pkcs12_bag_free_data (gnutls_pkcs12_bag_t bag) * * This function will deinitialize a PKCS12 Bag structure. **/ -void -gnutls_pkcs12_bag_deinit (gnutls_pkcs12_bag_t bag) +void gnutls_pkcs12_bag_deinit(gnutls_pkcs12_bag_t bag) { - if (!bag) - return; + if (!bag) + return; - _pkcs12_bag_free_data (bag); + _pkcs12_bag_free_data(bag); - gnutls_free (bag); + gnutls_free(bag); } /** @@ -98,17 +93,16 @@ gnutls_pkcs12_bag_deinit (gnutls_pkcs12_bag_t bag) * Returns: One of the #gnutls_pkcs12_bag_type_t enumerations. **/ gnutls_pkcs12_bag_type_t -gnutls_pkcs12_bag_get_type (gnutls_pkcs12_bag_t bag, int indx) +gnutls_pkcs12_bag_get_type(gnutls_pkcs12_bag_t bag, int indx) { - if (bag == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - if (indx >= bag->bag_elements) - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - return bag->element[indx].type; + if (bag == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + if (indx >= bag->bag_elements) + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + return bag->element[indx].type; } /** @@ -120,16 +114,14 @@ gnutls_pkcs12_bag_get_type (gnutls_pkcs12_bag_t bag, int indx) * Returns: Number of elements in bag, or an negative error code on * error. **/ -int -gnutls_pkcs12_bag_get_count (gnutls_pkcs12_bag_t bag) +int gnutls_pkcs12_bag_get_count(gnutls_pkcs12_bag_t bag) { - if (bag == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } + if (bag == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - return bag->bag_elements; + return bag->bag_elements; } /** @@ -146,22 +138,21 @@ gnutls_pkcs12_bag_get_count (gnutls_pkcs12_bag_t bag) * negative error value. **/ int -gnutls_pkcs12_bag_get_data (gnutls_pkcs12_bag_t bag, int indx, - gnutls_datum_t * data) +gnutls_pkcs12_bag_get_data(gnutls_pkcs12_bag_t bag, int indx, + gnutls_datum_t * data) { - if (bag == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } + if (bag == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - if (indx >= bag->bag_elements) - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + if (indx >= bag->bag_elements) + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - data->data = bag->element[indx].data.data; - data->size = bag->element[indx].data.size; + data->data = bag->element[indx].data.data; + data->size = bag->element[indx].data.size; - return 0; + return 0; } #define X509_CERT_OID "1.2.840.113549.1.9.22.1" @@ -169,220 +160,213 @@ gnutls_pkcs12_bag_get_data (gnutls_pkcs12_bag_t bag, int indx, #define RANDOM_NONCE_OID "1.2.840.113549.1.9.25.3" int -_pkcs12_decode_crt_bag (gnutls_pkcs12_bag_type_t type, - const gnutls_datum_t * in, gnutls_datum_t * out) +_pkcs12_decode_crt_bag(gnutls_pkcs12_bag_type_t type, + const gnutls_datum_t * in, gnutls_datum_t * out) { - int ret; - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - - switch (type) - { - case GNUTLS_BAG_CERTIFICATE: - if ((ret = asn1_create_element (_gnutls_get_pkix (), - "PKIX1.pkcs-12-CertBag", - &c2)) != ASN1_SUCCESS) - { - gnutls_assert (); - ret = _gnutls_asn2err (ret); - goto cleanup; - } - - ret = asn1_der_decoding (&c2, in->data, in->size, NULL); - if (ret != ASN1_SUCCESS) - { - gnutls_assert (); - ret = _gnutls_asn2err (ret); - goto cleanup; - } - - ret = _gnutls_x509_read_string (c2, "certValue", out, ASN1_ETYPE_OCTET_STRING); - if (ret < 0) - { - gnutls_assert (); - goto cleanup; - } - break; - - case GNUTLS_BAG_CRL: - if ((ret = asn1_create_element (_gnutls_get_pkix (), - "PKIX1.pkcs-12-CRLBag", - &c2)) != ASN1_SUCCESS) - { - gnutls_assert (); - ret = _gnutls_asn2err (ret); - goto cleanup; - } - - ret = asn1_der_decoding (&c2, in->data, in->size, NULL); - if (ret != ASN1_SUCCESS) - { - gnutls_assert (); - ret = _gnutls_asn2err (ret); - goto cleanup; - } - - ret = _gnutls_x509_read_string (c2, "crlValue", out, ASN1_ETYPE_OCTET_STRING); - if (ret < 0) - { - gnutls_assert (); - goto cleanup; - } - break; - - case GNUTLS_BAG_SECRET: - if ((ret = asn1_create_element (_gnutls_get_pkix (), - "PKIX1.pkcs-12-SecretBag", - &c2)) != ASN1_SUCCESS) - { - gnutls_assert (); - ret = _gnutls_asn2err (ret); - goto cleanup; - } - - ret = asn1_der_decoding (&c2, in->data, in->size, NULL); - if (ret != ASN1_SUCCESS) - { - gnutls_assert (); - ret = _gnutls_asn2err (ret); - goto cleanup; - } - - ret = _gnutls_x509_read_string (c2, "secretValue", out, ASN1_ETYPE_OCTET_STRING); - if (ret < 0) - { - gnutls_assert (); - goto cleanup; - } - break; - - default: - gnutls_assert (); - asn1_delete_structure (&c2); - return GNUTLS_E_UNIMPLEMENTED_FEATURE; - } - - asn1_delete_structure (&c2); - - return 0; - - -cleanup: - - asn1_delete_structure (&c2); - return ret; + int ret; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + + switch (type) { + case GNUTLS_BAG_CERTIFICATE: + if ((ret = asn1_create_element(_gnutls_get_pkix(), + "PKIX1.pkcs-12-CertBag", + &c2)) != ASN1_SUCCESS) { + gnutls_assert(); + ret = _gnutls_asn2err(ret); + goto cleanup; + } + + ret = asn1_der_decoding(&c2, in->data, in->size, NULL); + if (ret != ASN1_SUCCESS) { + gnutls_assert(); + ret = _gnutls_asn2err(ret); + goto cleanup; + } + + ret = + _gnutls_x509_read_string(c2, "certValue", out, + ASN1_ETYPE_OCTET_STRING); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + break; + + case GNUTLS_BAG_CRL: + if ((ret = asn1_create_element(_gnutls_get_pkix(), + "PKIX1.pkcs-12-CRLBag", + &c2)) != ASN1_SUCCESS) { + gnutls_assert(); + ret = _gnutls_asn2err(ret); + goto cleanup; + } + + ret = asn1_der_decoding(&c2, in->data, in->size, NULL); + if (ret != ASN1_SUCCESS) { + gnutls_assert(); + ret = _gnutls_asn2err(ret); + goto cleanup; + } + + ret = + _gnutls_x509_read_string(c2, "crlValue", out, + ASN1_ETYPE_OCTET_STRING); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + break; + + case GNUTLS_BAG_SECRET: + if ((ret = asn1_create_element(_gnutls_get_pkix(), + "PKIX1.pkcs-12-SecretBag", + &c2)) != ASN1_SUCCESS) { + gnutls_assert(); + ret = _gnutls_asn2err(ret); + goto cleanup; + } + + ret = asn1_der_decoding(&c2, in->data, in->size, NULL); + if (ret != ASN1_SUCCESS) { + gnutls_assert(); + ret = _gnutls_asn2err(ret); + goto cleanup; + } + + ret = + _gnutls_x509_read_string(c2, "secretValue", out, + ASN1_ETYPE_OCTET_STRING); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + break; + + default: + gnutls_assert(); + asn1_delete_structure(&c2); + return GNUTLS_E_UNIMPLEMENTED_FEATURE; + } + + asn1_delete_structure(&c2); + + return 0; + + + cleanup: + + asn1_delete_structure(&c2); + return ret; } int -_pkcs12_encode_crt_bag (gnutls_pkcs12_bag_type_t type, - const gnutls_datum_t * raw, gnutls_datum_t * out) +_pkcs12_encode_crt_bag(gnutls_pkcs12_bag_type_t type, + const gnutls_datum_t * raw, gnutls_datum_t * out) { - int ret; - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - - switch (type) - { - case GNUTLS_BAG_CERTIFICATE: - if ((ret = asn1_create_element (_gnutls_get_pkix (), - "PKIX1.pkcs-12-CertBag", - &c2)) != ASN1_SUCCESS) - { - gnutls_assert (); - ret = _gnutls_asn2err (ret); - goto cleanup; - } - - ret = asn1_write_value (c2, "certId", X509_CERT_OID, 1); - if (ret != ASN1_SUCCESS) - { - gnutls_assert (); - ret = _gnutls_asn2err (ret); - goto cleanup; - } - - ret = _gnutls_x509_write_string (c2, "certValue", raw, ASN1_ETYPE_OCTET_STRING); - if (ret < 0) - { - gnutls_assert (); - goto cleanup; - } - break; - - case GNUTLS_BAG_CRL: - if ((ret = asn1_create_element (_gnutls_get_pkix (), - "PKIX1.pkcs-12-CRLBag", - &c2)) != ASN1_SUCCESS) - { - gnutls_assert (); - ret = _gnutls_asn2err (ret); - goto cleanup; - } - - ret = asn1_write_value (c2, "crlId", X509_CRL_OID, 1); - if (ret != ASN1_SUCCESS) - { - gnutls_assert (); - ret = _gnutls_asn2err (ret); - goto cleanup; - } - - ret = _gnutls_x509_write_string (c2, "crlValue", raw, ASN1_ETYPE_OCTET_STRING); - if (ret < 0) - { - gnutls_assert (); - goto cleanup; - } - break; - - case GNUTLS_BAG_SECRET: - if ((ret = asn1_create_element (_gnutls_get_pkix (), - "PKIX1.pkcs-12-SecretBag", - &c2)) != ASN1_SUCCESS) - { - gnutls_assert (); - ret = _gnutls_asn2err (ret); - goto cleanup; - } - - ret = asn1_write_value (c2, "secretTypeId", RANDOM_NONCE_OID, 1); - if (ret != ASN1_SUCCESS) - { - gnutls_assert (); - ret = _gnutls_asn2err (ret); - goto cleanup; - } - - ret = _gnutls_x509_write_string (c2, "secretValue", raw, ASN1_ETYPE_OCTET_STRING); - if (ret < 0) - { - gnutls_assert (); - goto cleanup; - } - break; - - default: - gnutls_assert (); - asn1_delete_structure (&c2); - return GNUTLS_E_UNIMPLEMENTED_FEATURE; - } - - ret = _gnutls_x509_der_encode (c2, "", out, 0); - - if (ret < 0) - { - gnutls_assert (); - goto cleanup; - } - - asn1_delete_structure (&c2); - - return 0; - - -cleanup: - - asn1_delete_structure (&c2); - return ret; + int ret; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + + switch (type) { + case GNUTLS_BAG_CERTIFICATE: + if ((ret = asn1_create_element(_gnutls_get_pkix(), + "PKIX1.pkcs-12-CertBag", + &c2)) != ASN1_SUCCESS) { + gnutls_assert(); + ret = _gnutls_asn2err(ret); + goto cleanup; + } + + ret = asn1_write_value(c2, "certId", X509_CERT_OID, 1); + if (ret != ASN1_SUCCESS) { + gnutls_assert(); + ret = _gnutls_asn2err(ret); + goto cleanup; + } + + ret = + _gnutls_x509_write_string(c2, "certValue", raw, + ASN1_ETYPE_OCTET_STRING); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + break; + + case GNUTLS_BAG_CRL: + if ((ret = asn1_create_element(_gnutls_get_pkix(), + "PKIX1.pkcs-12-CRLBag", + &c2)) != ASN1_SUCCESS) { + gnutls_assert(); + ret = _gnutls_asn2err(ret); + goto cleanup; + } + + ret = asn1_write_value(c2, "crlId", X509_CRL_OID, 1); + if (ret != ASN1_SUCCESS) { + gnutls_assert(); + ret = _gnutls_asn2err(ret); + goto cleanup; + } + + ret = + _gnutls_x509_write_string(c2, "crlValue", raw, + ASN1_ETYPE_OCTET_STRING); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + break; + + case GNUTLS_BAG_SECRET: + if ((ret = asn1_create_element(_gnutls_get_pkix(), + "PKIX1.pkcs-12-SecretBag", + &c2)) != ASN1_SUCCESS) { + gnutls_assert(); + ret = _gnutls_asn2err(ret); + goto cleanup; + } + + ret = + asn1_write_value(c2, "secretTypeId", RANDOM_NONCE_OID, + 1); + if (ret != ASN1_SUCCESS) { + gnutls_assert(); + ret = _gnutls_asn2err(ret); + goto cleanup; + } + + ret = + _gnutls_x509_write_string(c2, "secretValue", raw, + ASN1_ETYPE_OCTET_STRING); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + break; + + default: + gnutls_assert(); + asn1_delete_structure(&c2); + return GNUTLS_E_UNIMPLEMENTED_FEATURE; + } + + ret = _gnutls_x509_der_encode(c2, "", out, 0); + + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + + asn1_delete_structure(&c2); + + return 0; + + + cleanup: + + asn1_delete_structure(&c2); + return ret; } @@ -399,54 +383,49 @@ cleanup: * value on error. **/ int -gnutls_pkcs12_bag_set_data (gnutls_pkcs12_bag_t bag, - gnutls_pkcs12_bag_type_t type, - const gnutls_datum_t * data) +gnutls_pkcs12_bag_set_data(gnutls_pkcs12_bag_t bag, + gnutls_pkcs12_bag_type_t type, + const gnutls_datum_t * data) { - int ret; - if (bag == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - if (bag->bag_elements == MAX_BAG_ELEMENTS - 1) - { - gnutls_assert (); - /* bag is full */ - return GNUTLS_E_MEMORY_ERROR; - } - - if (bag->bag_elements == 1) - { - /* A bag with a key or an encrypted bag, must have - * only one element. - */ - - if (bag->element[0].type == GNUTLS_BAG_PKCS8_KEY || - bag->element[0].type == GNUTLS_BAG_PKCS8_ENCRYPTED_KEY || - bag->element[0].type == GNUTLS_BAG_ENCRYPTED) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - } - - ret = - _gnutls_set_datum (&bag->element[bag->bag_elements].data, - data->data, data->size); - - if (ret < 0) - { - gnutls_assert (); - return ret; - } - - bag->element[bag->bag_elements].type = type; - - bag->bag_elements++; - - return bag->bag_elements - 1; + int ret; + if (bag == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + if (bag->bag_elements == MAX_BAG_ELEMENTS - 1) { + gnutls_assert(); + /* bag is full */ + return GNUTLS_E_MEMORY_ERROR; + } + + if (bag->bag_elements == 1) { + /* A bag with a key or an encrypted bag, must have + * only one element. + */ + + if (bag->element[0].type == GNUTLS_BAG_PKCS8_KEY || + bag->element[0].type == GNUTLS_BAG_PKCS8_ENCRYPTED_KEY + || bag->element[0].type == GNUTLS_BAG_ENCRYPTED) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + } + + ret = + _gnutls_set_datum(&bag->element[bag->bag_elements].data, + data->data, data->size); + + if (ret < 0) { + gnutls_assert(); + return ret; + } + + bag->element[bag->bag_elements].type = type; + + bag->bag_elements++; + + return bag->bag_elements - 1; } /** @@ -461,29 +440,28 @@ gnutls_pkcs12_bag_set_data (gnutls_pkcs12_bag_t bag, * value on failure. **/ int -gnutls_pkcs12_bag_set_crt (gnutls_pkcs12_bag_t bag, gnutls_x509_crt_t crt) +gnutls_pkcs12_bag_set_crt(gnutls_pkcs12_bag_t bag, gnutls_x509_crt_t crt) { - int ret; - gnutls_datum_t data; + int ret; + gnutls_datum_t data; - if (bag == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } + if (bag == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - ret = _gnutls_x509_der_encode (crt->cert, "", &data, 0); - if (ret < 0) - { - gnutls_assert (); - return ret; - } + ret = _gnutls_x509_der_encode(crt->cert, "", &data, 0); + if (ret < 0) { + gnutls_assert(); + return ret; + } - ret = gnutls_pkcs12_bag_set_data (bag, GNUTLS_BAG_CERTIFICATE, &data); + ret = + gnutls_pkcs12_bag_set_data(bag, GNUTLS_BAG_CERTIFICATE, &data); - _gnutls_free_datum (&data); + _gnutls_free_datum(&data); - return ret; + return ret; } /** @@ -498,30 +476,28 @@ gnutls_pkcs12_bag_set_crt (gnutls_pkcs12_bag_t bag, gnutls_x509_crt_t crt) * on failure. **/ int -gnutls_pkcs12_bag_set_crl (gnutls_pkcs12_bag_t bag, gnutls_x509_crl_t crl) +gnutls_pkcs12_bag_set_crl(gnutls_pkcs12_bag_t bag, gnutls_x509_crl_t crl) { - int ret; - gnutls_datum_t data; + int ret; + gnutls_datum_t data; - if (bag == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } + if (bag == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - ret = _gnutls_x509_der_encode (crl->crl, "", &data, 0); - if (ret < 0) - { - gnutls_assert (); - return ret; - } + ret = _gnutls_x509_der_encode(crl->crl, "", &data, 0); + if (ret < 0) { + gnutls_assert(); + return ret; + } - ret = gnutls_pkcs12_bag_set_data (bag, GNUTLS_BAG_CRL, &data); + ret = gnutls_pkcs12_bag_set_data(bag, GNUTLS_BAG_CRL, &data); - _gnutls_free_datum (&data); + _gnutls_free_datum(&data); - return ret; + return ret; } /** @@ -539,34 +515,31 @@ gnutls_pkcs12_bag_set_crl (gnutls_pkcs12_bag_t bag, gnutls_x509_crl_t crl) * negative error value. or a negative error code on error. **/ int -gnutls_pkcs12_bag_set_key_id (gnutls_pkcs12_bag_t bag, int indx, - const gnutls_datum_t * id) +gnutls_pkcs12_bag_set_key_id(gnutls_pkcs12_bag_t bag, int indx, + const gnutls_datum_t * id) { - int ret; + int ret; - if (bag == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } + if (bag == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - if (indx > bag->bag_elements - 1) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } + if (indx > bag->bag_elements - 1) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - ret = _gnutls_set_datum (&bag->element[indx].local_key_id, - id->data, id->size); + ret = _gnutls_set_datum(&bag->element[indx].local_key_id, + id->data, id->size); - if (ret < 0) - { - gnutls_assert (); - return ret; - } + if (ret < 0) { + gnutls_assert(); + return ret; + } - return 0; + return 0; } /** @@ -583,25 +556,23 @@ gnutls_pkcs12_bag_set_key_id (gnutls_pkcs12_bag_t bag, int indx, * negative error value. or a negative error code on error. **/ int -gnutls_pkcs12_bag_get_key_id (gnutls_pkcs12_bag_t bag, int indx, - gnutls_datum_t * id) +gnutls_pkcs12_bag_get_key_id(gnutls_pkcs12_bag_t bag, int indx, + gnutls_datum_t * id) { - if (bag == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - if (indx > bag->bag_elements - 1) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - id->data = bag->element[indx].local_key_id.data; - id->size = bag->element[indx].local_key_id.size; - - return 0; + if (bag == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + if (indx > bag->bag_elements - 1) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + id->data = bag->element[indx].local_key_id.data; + id->size = bag->element[indx].local_key_id.size; + + return 0; } /** @@ -618,24 +589,22 @@ gnutls_pkcs12_bag_get_key_id (gnutls_pkcs12_bag_t bag, int indx, * negative error value. or a negative error code on error. **/ int -gnutls_pkcs12_bag_get_friendly_name (gnutls_pkcs12_bag_t bag, int indx, - char **name) +gnutls_pkcs12_bag_get_friendly_name(gnutls_pkcs12_bag_t bag, int indx, + char **name) { - if (bag == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } + if (bag == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - if (indx > bag->bag_elements - 1) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } + if (indx > bag->bag_elements - 1) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - *name = bag->element[indx].friendly_name; + *name = bag->element[indx].friendly_name; - return 0; + return 0; } @@ -654,30 +623,27 @@ gnutls_pkcs12_bag_get_friendly_name (gnutls_pkcs12_bag_t bag, int indx, * negative error value. or a negative error code on error. **/ int -gnutls_pkcs12_bag_set_friendly_name (gnutls_pkcs12_bag_t bag, int indx, - const char *name) +gnutls_pkcs12_bag_set_friendly_name(gnutls_pkcs12_bag_t bag, int indx, + const char *name) { - if (bag == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - if (indx > bag->bag_elements - 1) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - bag->element[indx].friendly_name = gnutls_strdup (name); - - if (name == NULL) - { - gnutls_assert (); - return GNUTLS_E_MEMORY_ERROR; - } - - return 0; + if (bag == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + if (indx > bag->bag_elements - 1) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + bag->element[indx].friendly_name = gnutls_strdup(name); + + if (name == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + return 0; } @@ -692,49 +658,45 @@ gnutls_pkcs12_bag_set_friendly_name (gnutls_pkcs12_bag_t bag, int indx, * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, * otherwise a negative error code is returned. **/ -int -gnutls_pkcs12_bag_decrypt (gnutls_pkcs12_bag_t bag, const char *pass) +int gnutls_pkcs12_bag_decrypt(gnutls_pkcs12_bag_t bag, const char *pass) { - int ret; - gnutls_datum_t dec; + int ret; + gnutls_datum_t dec; - if (bag == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } + if (bag == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - if (bag->element[0].type != GNUTLS_BAG_ENCRYPTED) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } + if (bag->element[0].type != GNUTLS_BAG_ENCRYPTED) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - ret = _gnutls_pkcs7_decrypt_data (&bag->element[0].data, pass, &dec); + ret = + _gnutls_pkcs7_decrypt_data(&bag->element[0].data, pass, &dec); - if (ret < 0) - { - gnutls_assert (); - return ret; - } + if (ret < 0) { + gnutls_assert(); + return ret; + } - /* decryption succeeded. Now decode the SafeContents - * stuff, and parse it. - */ + /* decryption succeeded. Now decode the SafeContents + * stuff, and parse it. + */ - _gnutls_free_datum (&bag->element[0].data); + _gnutls_free_datum(&bag->element[0].data); - ret = _pkcs12_decode_safe_contents (&dec, bag); + ret = _pkcs12_decode_safe_contents(&dec, bag); - _gnutls_free_datum (&dec); + _gnutls_free_datum(&dec); - if (ret < 0) - { - gnutls_assert (); - return ret; - } + if (ret < 0) { + gnutls_assert(); + return ret; + } - return 0; + return 0; } /** @@ -749,79 +711,73 @@ gnutls_pkcs12_bag_decrypt (gnutls_pkcs12_bag_t bag, const char *pass) * otherwise a negative error code is returned. **/ int -gnutls_pkcs12_bag_encrypt (gnutls_pkcs12_bag_t bag, const char *pass, - unsigned int flags) +gnutls_pkcs12_bag_encrypt(gnutls_pkcs12_bag_t bag, const char *pass, + unsigned int flags) { - int ret; - ASN1_TYPE safe_cont = ASN1_TYPE_EMPTY; - gnutls_datum_t der = { NULL, 0 }; - gnutls_datum_t enc = { NULL, 0 }; - schema_id id; - - if (bag == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - if (bag->element[0].type == GNUTLS_BAG_ENCRYPTED) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - /* Encode the whole bag to a safe contents - * structure. - */ - ret = _pkcs12_encode_safe_contents (bag, &safe_cont, NULL); - if (ret < 0) - { - gnutls_assert (); - return ret; - } - - /* DER encode the SafeContents. - */ - ret = _gnutls_x509_der_encode (safe_cont, "", &der, 0); - - asn1_delete_structure (&safe_cont); - - if (ret < 0) - { - gnutls_assert (); - return ret; - } - - if (flags & GNUTLS_PKCS_PLAIN) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - id = _gnutls_pkcs_flags_to_schema (flags); - - /* Now encrypt them. - */ - ret = _gnutls_pkcs7_encrypt_data (id, &der, pass, &enc); - - _gnutls_free_datum (&der); - - if (ret < 0) - { - gnutls_assert (); - return ret; - } - - /* encryption succeeded. - */ - - _pkcs12_bag_free_data (bag); - - bag->element[0].type = GNUTLS_BAG_ENCRYPTED; - bag->element[0].data = enc; - - bag->bag_elements = 1; - - - return 0; + int ret; + ASN1_TYPE safe_cont = ASN1_TYPE_EMPTY; + gnutls_datum_t der = { NULL, 0 }; + gnutls_datum_t enc = { NULL, 0 }; + schema_id id; + + if (bag == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + if (bag->element[0].type == GNUTLS_BAG_ENCRYPTED) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + /* Encode the whole bag to a safe contents + * structure. + */ + ret = _pkcs12_encode_safe_contents(bag, &safe_cont, NULL); + if (ret < 0) { + gnutls_assert(); + return ret; + } + + /* DER encode the SafeContents. + */ + ret = _gnutls_x509_der_encode(safe_cont, "", &der, 0); + + asn1_delete_structure(&safe_cont); + + if (ret < 0) { + gnutls_assert(); + return ret; + } + + if (flags & GNUTLS_PKCS_PLAIN) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + id = _gnutls_pkcs_flags_to_schema(flags); + + /* Now encrypt them. + */ + ret = _gnutls_pkcs7_encrypt_data(id, &der, pass, &enc); + + _gnutls_free_datum(&der); + + if (ret < 0) { + gnutls_assert(); + return ret; + } + + /* encryption succeeded. + */ + + _pkcs12_bag_free_data(bag); + + bag->element[0].type = GNUTLS_BAG_ENCRYPTED; + bag->element[0].data = enc; + + bag->bag_elements = 1; + + + return 0; } diff --git a/lib/x509/pkcs12_encr.c b/lib/x509/pkcs12_encr.c index c90c8dd8d3..e194ca4884 100644 --- a/lib/x509/pkcs12_encr.c +++ b/lib/x509/pkcs12_encr.c @@ -30,19 +30,17 @@ /* Returns 0 if the password is ok, or a negative error * code instead. */ -static int -_pkcs12_check_pass (const char *pass, size_t plen) +static int _pkcs12_check_pass(const char *pass, size_t plen) { - unsigned int i; + unsigned int i; - for (i = 0; i < plen; i++) - { - if (c_isascii (pass[i])) - continue; - return GNUTLS_E_INVALID_PASSWORD; - } + for (i = 0; i < plen; i++) { + if (c_isascii(pass[i])) + continue; + return GNUTLS_E_INVALID_PASSWORD; + } - return 0; + return 0; } #define MAX_PASS_LEN 128 @@ -56,152 +54,138 @@ _pkcs12_check_pass (const char *pass, size_t plen) * NULL password, and for the password with zero length. */ int -_gnutls_pkcs12_string_to_key (unsigned int id, const uint8_t * salt, - unsigned int salt_size, unsigned int iter, - const char *pw, unsigned int req_keylen, - uint8_t * keybuf) +_gnutls_pkcs12_string_to_key(unsigned int id, const uint8_t * salt, + unsigned int salt_size, unsigned int iter, + const char *pw, unsigned int req_keylen, + uint8_t * keybuf) { - int rc; - unsigned int i, j; - digest_hd_st md; - bigint_t num_b1 = NULL, num_ij = NULL; - bigint_t mpi512 = NULL; - unsigned int pwlen; - uint8_t hash[20], buf_b[64], buf_i[MAX_PASS_LEN*2+64], *p; - uint8_t d[64]; - size_t cur_keylen; - size_t n, m, p_size, i_size; - const uint8_t buf_512[] = /* 2^64 */ - { 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00 - }; - - cur_keylen = 0; - - if (pw == NULL) - pwlen = 0; - else - pwlen = strlen (pw); - - if (pwlen > MAX_PASS_LEN) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - if ((rc = _pkcs12_check_pass (pw, pwlen)) < 0) - { - gnutls_assert (); - return rc; - } - - rc = _gnutls_mpi_scan (&mpi512, buf_512, sizeof (buf_512)); - if (rc < 0) - { - gnutls_assert (); - return rc; - } - - /* Store salt and password in BUF_I */ - p_size = ((pwlen/64)*64) + 64; - - if (p_size > sizeof(buf_i)-64) - return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); - - p = buf_i; - for (i = 0; i < 64; i++) - *p++ = salt[i % salt_size]; - if (pw) - { - for (i = j = 0; i < p_size; i += 2) - { - *p++ = 0; - *p++ = pw[j]; - if (++j > pwlen) /* Note, that we include the trailing (0) */ - j = 0; - } - } - else - memset (p, 0, p_size); - - i_size = 64+p_size; - - for (;;) - { - rc = _gnutls_hash_init (&md, mac_to_entry(GNUTLS_MAC_SHA1)); - if (rc < 0) - { - gnutls_assert (); - goto cleanup; - } - memset(d, id & 0xff, 64); - _gnutls_hash (&md, d, 64); - _gnutls_hash (&md, buf_i, pw ? i_size : 64); - _gnutls_hash_deinit (&md, hash); - for (i = 1; i < iter; i++) - { - rc = _gnutls_hash_fast (GNUTLS_MAC_SHA1, hash, 20, hash); - if (rc < 0) - { - gnutls_assert (); - goto cleanup; - } - } - for (i = 0; i < 20 && cur_keylen < req_keylen; i++) - keybuf[cur_keylen++] = hash[i]; - if (cur_keylen == req_keylen) - { - rc = 0; /* ready */ - goto cleanup; - } - - /* need more bytes. */ - for (i = 0; i < 64; i++) - buf_b[i] = hash[i % 20]; - n = 64; - rc = _gnutls_mpi_scan (&num_b1, buf_b, n); - if (rc < 0) - { - gnutls_assert (); - goto cleanup; - } - _gnutls_mpi_add_ui (num_b1, num_b1, 1); - for (i = 0; i < 128; i += 64) - { - n = 64; - rc = _gnutls_mpi_scan (&num_ij, buf_i + i, n); - if (rc < 0) - { - gnutls_assert (); - goto cleanup; - } - _gnutls_mpi_addm (num_ij, num_ij, num_b1, mpi512); - n = 64; + int rc; + unsigned int i, j; + digest_hd_st md; + bigint_t num_b1 = NULL, num_ij = NULL; + bigint_t mpi512 = NULL; + unsigned int pwlen; + uint8_t hash[20], buf_b[64], buf_i[MAX_PASS_LEN * 2 + 64], *p; + uint8_t d[64]; + size_t cur_keylen; + size_t n, m, p_size, i_size; + const uint8_t buf_512[] = /* 2^64 */ + { 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00 + }; + + cur_keylen = 0; + + if (pw == NULL) + pwlen = 0; + else + pwlen = strlen(pw); + + if (pwlen > MAX_PASS_LEN) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + if ((rc = _pkcs12_check_pass(pw, pwlen)) < 0) { + gnutls_assert(); + return rc; + } + + rc = _gnutls_mpi_scan(&mpi512, buf_512, sizeof(buf_512)); + if (rc < 0) { + gnutls_assert(); + return rc; + } + + /* Store salt and password in BUF_I */ + p_size = ((pwlen / 64) * 64) + 64; + + if (p_size > sizeof(buf_i) - 64) + return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); + + p = buf_i; + for (i = 0; i < 64; i++) + *p++ = salt[i % salt_size]; + if (pw) { + for (i = j = 0; i < p_size; i += 2) { + *p++ = 0; + *p++ = pw[j]; + if (++j > pwlen) /* Note, that we include the trailing (0) */ + j = 0; + } + } else + memset(p, 0, p_size); + + i_size = 64 + p_size; + + for (;;) { + rc = _gnutls_hash_init(&md, mac_to_entry(GNUTLS_MAC_SHA1)); + if (rc < 0) { + gnutls_assert(); + goto cleanup; + } + memset(d, id & 0xff, 64); + _gnutls_hash(&md, d, 64); + _gnutls_hash(&md, buf_i, pw ? i_size : 64); + _gnutls_hash_deinit(&md, hash); + for (i = 1; i < iter; i++) { + rc = _gnutls_hash_fast(GNUTLS_MAC_SHA1, hash, 20, + hash); + if (rc < 0) { + gnutls_assert(); + goto cleanup; + } + } + for (i = 0; i < 20 && cur_keylen < req_keylen; i++) + keybuf[cur_keylen++] = hash[i]; + if (cur_keylen == req_keylen) { + rc = 0; /* ready */ + goto cleanup; + } + + /* need more bytes. */ + for (i = 0; i < 64; i++) + buf_b[i] = hash[i % 20]; + n = 64; + rc = _gnutls_mpi_scan(&num_b1, buf_b, n); + if (rc < 0) { + gnutls_assert(); + goto cleanup; + } + _gnutls_mpi_add_ui(num_b1, num_b1, 1); + for (i = 0; i < 128; i += 64) { + n = 64; + rc = _gnutls_mpi_scan(&num_ij, buf_i + i, n); + if (rc < 0) { + gnutls_assert(); + goto cleanup; + } + _gnutls_mpi_addm(num_ij, num_ij, num_b1, mpi512); + n = 64; #ifndef PKCS12_BROKEN_KEYGEN - m = (_gnutls_mpi_get_nbits (num_ij) + 7) / 8; + m = (_gnutls_mpi_get_nbits(num_ij) + 7) / 8; #else - m = n; + m = n; #endif - memset (buf_i + i, 0, n - m); - rc = _gnutls_mpi_print (num_ij, buf_i + i + n - m, &n); - if (rc < 0) - { - gnutls_assert (); - goto cleanup; - } - _gnutls_mpi_release (&num_ij); - } - } -cleanup: - _gnutls_mpi_release (&num_ij); - _gnutls_mpi_release (&num_b1); - _gnutls_mpi_release (&mpi512); - - return rc; + memset(buf_i + i, 0, n - m); + rc = _gnutls_mpi_print(num_ij, buf_i + i + n - m, + &n); + if (rc < 0) { + gnutls_assert(); + goto cleanup; + } + _gnutls_mpi_release(&num_ij); + } + } + cleanup: + _gnutls_mpi_release(&num_ij); + _gnutls_mpi_release(&num_b1); + _gnutls_mpi_release(&mpi512); + + return rc; } - diff --git a/lib/x509/pkcs7.c b/lib/x509/pkcs7.c index a02b4f3999..50b384f46e 100644 --- a/lib/x509/pkcs7.c +++ b/lib/x509/pkcs7.c @@ -39,98 +39,89 @@ * data are copied (they are locally allocated) there. */ static int -_decode_pkcs7_signed_data (ASN1_TYPE pkcs7, ASN1_TYPE * sdata, - gnutls_datum_t * raw) +_decode_pkcs7_signed_data(ASN1_TYPE pkcs7, ASN1_TYPE * sdata, + gnutls_datum_t * raw) { - char oid[MAX_OID_SIZE]; - ASN1_TYPE c2; - uint8_t *tmp = NULL; - int tmp_size, len, result; - - len = sizeof (oid) - 1; - result = asn1_read_value (pkcs7, "contentType", oid, &len); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - if (strcmp (oid, SIGNED_DATA_OID) != 0) - { - gnutls_assert (); - _gnutls_debug_log ("Unknown PKCS7 Content OID '%s'\n", oid); - return GNUTLS_E_UNKNOWN_PKCS_CONTENT_TYPE; - } - - if ((result = asn1_create_element - (_gnutls_get_pkix (), "PKIX1.pkcs-7-SignedData", &c2)) != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - /* the Signed-data has been created, so - * decode them. - */ - tmp_size = 0; - result = asn1_read_value (pkcs7, "content", NULL, &tmp_size); - if (result != ASN1_MEM_ERROR) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - - tmp = gnutls_malloc (tmp_size); - if (tmp == NULL) - { - gnutls_assert (); - result = GNUTLS_E_MEMORY_ERROR; - goto cleanup; - } - - result = asn1_read_value (pkcs7, "content", tmp, &tmp_size); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - - /* tmp, tmp_size hold the data and the size of the CertificateSet structure - * actually the ANY stuff. - */ - - /* Step 1. In case of a signed structure extract certificate set. - */ - - result = asn1_der_decoding (&c2, tmp, tmp_size, NULL); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - - if (raw == NULL) - { - gnutls_free (tmp); - } - else - { - raw->data = tmp; - raw->size = tmp_size; - } - - *sdata = c2; - - return 0; - -cleanup: - if (c2) - asn1_delete_structure (&c2); - gnutls_free (tmp); - return result; + char oid[MAX_OID_SIZE]; + ASN1_TYPE c2; + uint8_t *tmp = NULL; + int tmp_size, len, result; + + len = sizeof(oid) - 1; + result = asn1_read_value(pkcs7, "contentType", oid, &len); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + if (strcmp(oid, SIGNED_DATA_OID) != 0) { + gnutls_assert(); + _gnutls_debug_log("Unknown PKCS7 Content OID '%s'\n", oid); + return GNUTLS_E_UNKNOWN_PKCS_CONTENT_TYPE; + } + + if ((result = asn1_create_element + (_gnutls_get_pkix(), "PKIX1.pkcs-7-SignedData", + &c2)) != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + /* the Signed-data has been created, so + * decode them. + */ + tmp_size = 0; + result = asn1_read_value(pkcs7, "content", NULL, &tmp_size); + if (result != ASN1_MEM_ERROR) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + tmp = gnutls_malloc(tmp_size); + if (tmp == NULL) { + gnutls_assert(); + result = GNUTLS_E_MEMORY_ERROR; + goto cleanup; + } + + result = asn1_read_value(pkcs7, "content", tmp, &tmp_size); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + /* tmp, tmp_size hold the data and the size of the CertificateSet structure + * actually the ANY stuff. + */ + + /* Step 1. In case of a signed structure extract certificate set. + */ + + result = asn1_der_decoding(&c2, tmp, tmp_size, NULL); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + if (raw == NULL) { + gnutls_free(tmp); + } else { + raw->data = tmp; + raw->size = tmp_size; + } + + *sdata = c2; + + return 0; + + cleanup: + if (c2) + asn1_delete_structure(&c2); + gnutls_free(tmp); + return result; } /** @@ -144,25 +135,22 @@ cleanup: * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a * negative error value. **/ -int -gnutls_pkcs7_init (gnutls_pkcs7_t * pkcs7) +int gnutls_pkcs7_init(gnutls_pkcs7_t * pkcs7) { - *pkcs7 = gnutls_calloc (1, sizeof (gnutls_pkcs7_int)); - - if (*pkcs7) - { - int result = asn1_create_element (_gnutls_get_pkix (), - "PKIX1.pkcs-7-ContentInfo", - &(*pkcs7)->pkcs7); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - gnutls_free (*pkcs7); - return _gnutls_asn2err (result); - } - return 0; /* success */ - } - return GNUTLS_E_MEMORY_ERROR; + *pkcs7 = gnutls_calloc(1, sizeof(gnutls_pkcs7_int)); + + if (*pkcs7) { + int result = asn1_create_element(_gnutls_get_pkix(), + "PKIX1.pkcs-7-ContentInfo", + &(*pkcs7)->pkcs7); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + gnutls_free(*pkcs7); + return _gnutls_asn2err(result); + } + return 0; /* success */ + } + return GNUTLS_E_MEMORY_ERROR; } /** @@ -171,16 +159,15 @@ gnutls_pkcs7_init (gnutls_pkcs7_t * pkcs7) * * This function will deinitialize a PKCS7 structure. **/ -void -gnutls_pkcs7_deinit (gnutls_pkcs7_t pkcs7) +void gnutls_pkcs7_deinit(gnutls_pkcs7_t pkcs7) { - if (!pkcs7) - return; + if (!pkcs7) + return; - if (pkcs7->pkcs7) - asn1_delete_structure (&pkcs7->pkcs7); + if (pkcs7->pkcs7) + asn1_delete_structure(&pkcs7->pkcs7); - gnutls_free (pkcs7); + gnutls_free(pkcs7); } /** @@ -199,52 +186,51 @@ gnutls_pkcs7_deinit (gnutls_pkcs7_t pkcs7) * negative error value. **/ int -gnutls_pkcs7_import (gnutls_pkcs7_t pkcs7, const gnutls_datum_t * data, - gnutls_x509_crt_fmt_t format) +gnutls_pkcs7_import(gnutls_pkcs7_t pkcs7, const gnutls_datum_t * data, + gnutls_x509_crt_fmt_t format) { - int result = 0, need_free = 0; - gnutls_datum_t _data; + int result = 0, need_free = 0; + gnutls_datum_t _data; - if (pkcs7 == NULL) - return GNUTLS_E_INVALID_REQUEST; + if (pkcs7 == NULL) + return GNUTLS_E_INVALID_REQUEST; - _data.data = data->data; - _data.size = data->size; + _data.data = data->data; + _data.size = data->size; - /* If the PKCS7 is in PEM format then decode it - */ - if (format == GNUTLS_X509_FMT_PEM) - { - result = _gnutls_fbase64_decode (PEM_PKCS7, data->data, data->size, - &_data); + /* If the PKCS7 is in PEM format then decode it + */ + if (format == GNUTLS_X509_FMT_PEM) { + result = + _gnutls_fbase64_decode(PEM_PKCS7, data->data, + data->size, &_data); - if (result <= 0) - { - gnutls_assert (); - return result; - } + if (result <= 0) { + gnutls_assert(); + return result; + } - need_free = 1; - } + need_free = 1; + } - result = asn1_der_decoding (&pkcs7->pkcs7, _data.data, _data.size, NULL); - if (result != ASN1_SUCCESS) - { - result = _gnutls_asn2err (result); - gnutls_assert (); - goto cleanup; - } + result = + asn1_der_decoding(&pkcs7->pkcs7, _data.data, _data.size, NULL); + if (result != ASN1_SUCCESS) { + result = _gnutls_asn2err(result); + gnutls_assert(); + goto cleanup; + } - if (need_free) - _gnutls_free_datum (&_data); + if (need_free) + _gnutls_free_datum(&_data); - return 0; + return 0; -cleanup: - if (need_free) - _gnutls_free_datum (&_data); - return result; + cleanup: + if (need_free) + _gnutls_free_datum(&_data); + return result; } /** @@ -267,93 +253,85 @@ cleanup: * %GNUTLS_E_SHORT_MEMORY_BUFFER is returned. **/ int -gnutls_pkcs7_get_crt_raw (gnutls_pkcs7_t pkcs7, - int indx, void *certificate, - size_t * certificate_size) +gnutls_pkcs7_get_crt_raw(gnutls_pkcs7_t pkcs7, + int indx, void *certificate, + size_t * certificate_size) { - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - int result, len; - char root2[ASN1_MAX_NAME_SIZE]; - char oid[MAX_OID_SIZE]; - gnutls_datum_t tmp = { NULL, 0 }; - - if (certificate_size == NULL || pkcs7 == NULL) - return GNUTLS_E_INVALID_REQUEST; - - /* Step 1. decode the signed data. - */ - result = _decode_pkcs7_signed_data (pkcs7->pkcs7, &c2, &tmp); - if (result < 0) - { - gnutls_assert (); - return result; - } - - /* Step 2. Parse the CertificateSet - */ - - snprintf (root2, sizeof (root2), "certificates.?%u", indx + 1); - - len = sizeof (oid) - 1; - - result = asn1_read_value (c2, root2, oid, &len); - - if (result == ASN1_VALUE_NOT_FOUND) - { - result = GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - goto cleanup; - } - - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - - /* if 'Certificate' is the choice found: - */ - if (strcmp (oid, "certificate") == 0) - { - int start, end; - - result = asn1_der_decoding_startEnd (c2, tmp.data, tmp.size, - root2, &start, &end); - - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - - end = end - start + 1; - - if ((unsigned) end > *certificate_size) - { - *certificate_size = end; - result = GNUTLS_E_SHORT_MEMORY_BUFFER; - goto cleanup; - } - - if (certificate) - memcpy (certificate, &tmp.data[start], end); - - *certificate_size = end; - - result = 0; - - } - else - { - result = GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE; - } - -cleanup: - _gnutls_free_datum (&tmp); - if (c2) - asn1_delete_structure (&c2); - return result; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + int result, len; + char root2[ASN1_MAX_NAME_SIZE]; + char oid[MAX_OID_SIZE]; + gnutls_datum_t tmp = { NULL, 0 }; + + if (certificate_size == NULL || pkcs7 == NULL) + return GNUTLS_E_INVALID_REQUEST; + + /* Step 1. decode the signed data. + */ + result = _decode_pkcs7_signed_data(pkcs7->pkcs7, &c2, &tmp); + if (result < 0) { + gnutls_assert(); + return result; + } + + /* Step 2. Parse the CertificateSet + */ + + snprintf(root2, sizeof(root2), "certificates.?%u", indx + 1); + + len = sizeof(oid) - 1; + + result = asn1_read_value(c2, root2, oid, &len); + + if (result == ASN1_VALUE_NOT_FOUND) { + result = GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + goto cleanup; + } + + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + /* if 'Certificate' is the choice found: + */ + if (strcmp(oid, "certificate") == 0) { + int start, end; + + result = asn1_der_decoding_startEnd(c2, tmp.data, tmp.size, + root2, &start, &end); + + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + end = end - start + 1; + + if ((unsigned) end > *certificate_size) { + *certificate_size = end; + result = GNUTLS_E_SHORT_MEMORY_BUFFER; + goto cleanup; + } + + if (certificate) + memcpy(certificate, &tmp.data[start], end); + + *certificate_size = end; + + result = 0; + + } else { + result = GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE; + } + + cleanup: + _gnutls_free_datum(&tmp); + if (c2) + asn1_delete_structure(&c2); + return result; } /** @@ -366,37 +344,34 @@ cleanup: * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a * negative error value. **/ -int -gnutls_pkcs7_get_crt_count (gnutls_pkcs7_t pkcs7) +int gnutls_pkcs7_get_crt_count(gnutls_pkcs7_t pkcs7) { - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - int result, count; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + int result, count; - if (pkcs7 == NULL) - return GNUTLS_E_INVALID_REQUEST; + if (pkcs7 == NULL) + return GNUTLS_E_INVALID_REQUEST; - /* Step 1. decode the signed data. - */ - result = _decode_pkcs7_signed_data (pkcs7->pkcs7, &c2, NULL); - if (result < 0) - { - gnutls_assert (); - return result; - } + /* Step 1. decode the signed data. + */ + result = _decode_pkcs7_signed_data(pkcs7->pkcs7, &c2, NULL); + if (result < 0) { + gnutls_assert(); + return result; + } - /* Step 2. Count the CertificateSet */ + /* Step 2. Count the CertificateSet */ - result = asn1_number_of_elements (c2, "certificates", &count); + result = asn1_number_of_elements(c2, "certificates", &count); - asn1_delete_structure (&c2); + asn1_delete_structure(&c2); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - return 0; /* no certificates */ - } + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return 0; /* no certificates */ + } - return count; + return count; } @@ -421,15 +396,15 @@ gnutls_pkcs7_get_crt_count (gnutls_pkcs7_t pkcs7) * negative error value. **/ int -gnutls_pkcs7_export (gnutls_pkcs7_t pkcs7, - gnutls_x509_crt_fmt_t format, void *output_data, - size_t * output_data_size) +gnutls_pkcs7_export(gnutls_pkcs7_t pkcs7, + gnutls_x509_crt_fmt_t format, void *output_data, + size_t * output_data_size) { - if (pkcs7 == NULL) - return GNUTLS_E_INVALID_REQUEST; + if (pkcs7 == NULL) + return GNUTLS_E_INVALID_REQUEST; - return _gnutls_x509_export_int (pkcs7->pkcs7, format, PEM_PKCS7, - output_data, output_data_size); + return _gnutls_x509_export_int(pkcs7->pkcs7, format, PEM_PKCS7, + output_data, output_data_size); } /** @@ -451,91 +426,88 @@ gnutls_pkcs7_export (gnutls_pkcs7_t pkcs7, * Since: 3.1.3 **/ int -gnutls_pkcs7_export2 (gnutls_pkcs7_t pkcs7, - gnutls_x509_crt_fmt_t format, gnutls_datum_t *out) +gnutls_pkcs7_export2(gnutls_pkcs7_t pkcs7, + gnutls_x509_crt_fmt_t format, gnutls_datum_t * out) { - if (pkcs7 == NULL) - return GNUTLS_E_INVALID_REQUEST; + if (pkcs7 == NULL) + return GNUTLS_E_INVALID_REQUEST; - return _gnutls_x509_export_int2 (pkcs7->pkcs7, format, PEM_PKCS7, out); + return _gnutls_x509_export_int2(pkcs7->pkcs7, format, PEM_PKCS7, + out); } /* Creates an empty signed data structure in the pkcs7 * structure and returns a handle to the signed data. */ -static int -create_empty_signed_data (ASN1_TYPE pkcs7, ASN1_TYPE * sdata) +static int create_empty_signed_data(ASN1_TYPE pkcs7, ASN1_TYPE * sdata) { - uint8_t one = 1; - int result; - - *sdata = ASN1_TYPE_EMPTY; - - if ((result = asn1_create_element - (_gnutls_get_pkix (), "PKIX1.pkcs-7-SignedData", - sdata)) != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - - /* Use version 1 - */ - result = asn1_write_value (*sdata, "version", &one, 1); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - - /* Use no digest algorithms - */ - - /* id-data */ - result = - asn1_write_value (*sdata, "encapContentInfo.eContentType", - "1.2.840.113549.1.7.5", 1); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - - result = asn1_write_value (*sdata, "encapContentInfo.eContent", NULL, 0); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - - /* Add no certificates. - */ - - /* Add no crls. - */ - - /* Add no signerInfos. - */ - - /* Write the content type of the signed data - */ - result = asn1_write_value (pkcs7, "contentType", SIGNED_DATA_OID, 1); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - - return 0; - -cleanup: - asn1_delete_structure (sdata); - return result; + uint8_t one = 1; + int result; + + *sdata = ASN1_TYPE_EMPTY; + + if ((result = asn1_create_element + (_gnutls_get_pkix(), "PKIX1.pkcs-7-SignedData", + sdata)) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + /* Use version 1 + */ + result = asn1_write_value(*sdata, "version", &one, 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + /* Use no digest algorithms + */ + + /* id-data */ + result = + asn1_write_value(*sdata, "encapContentInfo.eContentType", + "1.2.840.113549.1.7.5", 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + result = + asn1_write_value(*sdata, "encapContentInfo.eContent", NULL, 0); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + /* Add no certificates. + */ + + /* Add no crls. + */ + + /* Add no signerInfos. + */ + + /* Write the content type of the signed data + */ + result = + asn1_write_value(pkcs7, "contentType", SIGNED_DATA_OID, 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + return 0; + + cleanup: + asn1_delete_structure(sdata); + return result; } @@ -551,86 +523,81 @@ cleanup: * negative error value. **/ int -gnutls_pkcs7_set_crt_raw (gnutls_pkcs7_t pkcs7, const gnutls_datum_t * crt) +gnutls_pkcs7_set_crt_raw(gnutls_pkcs7_t pkcs7, const gnutls_datum_t * crt) { - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - int result; - - if (pkcs7 == NULL) - return GNUTLS_E_INVALID_REQUEST; - - /* Step 1. decode the signed data. - */ - result = _decode_pkcs7_signed_data (pkcs7->pkcs7, &c2, NULL); - if (result < 0 && result != GNUTLS_E_ASN1_VALUE_NOT_FOUND) - { - gnutls_assert (); - return result; - } - - /* If the signed data are uninitialized - * then create them. - */ - if (result == GNUTLS_E_ASN1_VALUE_NOT_FOUND) - { - /* The pkcs7 structure is new, so create the - * signedData. - */ - result = create_empty_signed_data (pkcs7->pkcs7, &c2); - if (result < 0) - { - gnutls_assert (); - return result; - } - } - - /* Step 2. Append the new certificate. - */ - - result = asn1_write_value (c2, "certificates", "NEW", 1); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - - result = asn1_write_value (c2, "certificates.?LAST", "certificate", 1); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - - result = - asn1_write_value (c2, "certificates.?LAST.certificate", crt->data, - crt->size); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - - /* Step 3. Replace the old content with the new - */ - result = - _gnutls_x509_der_encode_and_copy (c2, "", pkcs7->pkcs7, "content", 0); - if (result < 0) - { - gnutls_assert (); - goto cleanup; - } - - asn1_delete_structure (&c2); - - return 0; - -cleanup: - if (c2) - asn1_delete_structure (&c2); - return result; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + int result; + + if (pkcs7 == NULL) + return GNUTLS_E_INVALID_REQUEST; + + /* Step 1. decode the signed data. + */ + result = _decode_pkcs7_signed_data(pkcs7->pkcs7, &c2, NULL); + if (result < 0 && result != GNUTLS_E_ASN1_VALUE_NOT_FOUND) { + gnutls_assert(); + return result; + } + + /* If the signed data are uninitialized + * then create them. + */ + if (result == GNUTLS_E_ASN1_VALUE_NOT_FOUND) { + /* The pkcs7 structure is new, so create the + * signedData. + */ + result = create_empty_signed_data(pkcs7->pkcs7, &c2); + if (result < 0) { + gnutls_assert(); + return result; + } + } + + /* Step 2. Append the new certificate. + */ + + result = asn1_write_value(c2, "certificates", "NEW", 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + result = + asn1_write_value(c2, "certificates.?LAST", "certificate", 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + result = + asn1_write_value(c2, "certificates.?LAST.certificate", + crt->data, crt->size); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + /* Step 3. Replace the old content with the new + */ + result = + _gnutls_x509_der_encode_and_copy(c2, "", pkcs7->pkcs7, + "content", 0); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + asn1_delete_structure(&c2); + + return 0; + + cleanup: + if (c2) + asn1_delete_structure(&c2); + return result; } /** @@ -645,33 +612,30 @@ cleanup: * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a * negative error value. **/ -int -gnutls_pkcs7_set_crt (gnutls_pkcs7_t pkcs7, gnutls_x509_crt_t crt) +int gnutls_pkcs7_set_crt(gnutls_pkcs7_t pkcs7, gnutls_x509_crt_t crt) { - int ret; - gnutls_datum_t data; + int ret; + gnutls_datum_t data; - if (pkcs7 == NULL) - return GNUTLS_E_INVALID_REQUEST; + if (pkcs7 == NULL) + return GNUTLS_E_INVALID_REQUEST; - ret = _gnutls_x509_der_encode (crt->cert, "", &data, 0); - if (ret < 0) - { - gnutls_assert (); - return ret; - } + ret = _gnutls_x509_der_encode(crt->cert, "", &data, 0); + if (ret < 0) { + gnutls_assert(); + return ret; + } - ret = gnutls_pkcs7_set_crt_raw (pkcs7, &data); + ret = gnutls_pkcs7_set_crt_raw(pkcs7, &data); - _gnutls_free_datum (&data); + _gnutls_free_datum(&data); - if (ret < 0) - { - gnutls_assert (); - return ret; - } + if (ret < 0) { + gnutls_assert(); + return ret; + } - return 0; + return 0; } @@ -686,56 +650,53 @@ gnutls_pkcs7_set_crt (gnutls_pkcs7_t pkcs7, gnutls_x509_crt_t crt) * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a * negative error value. **/ -int -gnutls_pkcs7_delete_crt (gnutls_pkcs7_t pkcs7, int indx) +int gnutls_pkcs7_delete_crt(gnutls_pkcs7_t pkcs7, int indx) { - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - int result; - char root2[ASN1_MAX_NAME_SIZE]; - - if (pkcs7 == NULL) - return GNUTLS_E_INVALID_REQUEST; - - /* Step 1. Decode the signed data. - */ - result = _decode_pkcs7_signed_data (pkcs7->pkcs7, &c2, NULL); - if (result < 0) - { - gnutls_assert (); - return result; - } - - /* Step 2. Delete the certificate. - */ - - snprintf (root2, sizeof (root2), "certificates.?%u", indx + 1); - - result = asn1_write_value (c2, root2, NULL, 0); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - - /* Step 3. Replace the old content with the new - */ - result = - _gnutls_x509_der_encode_and_copy (c2, "", pkcs7->pkcs7, "content", 0); - if (result < 0) - { - gnutls_assert (); - goto cleanup; - } - - asn1_delete_structure (&c2); - - return 0; - -cleanup: - if (c2) - asn1_delete_structure (&c2); - return result; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + int result; + char root2[ASN1_MAX_NAME_SIZE]; + + if (pkcs7 == NULL) + return GNUTLS_E_INVALID_REQUEST; + + /* Step 1. Decode the signed data. + */ + result = _decode_pkcs7_signed_data(pkcs7->pkcs7, &c2, NULL); + if (result < 0) { + gnutls_assert(); + return result; + } + + /* Step 2. Delete the certificate. + */ + + snprintf(root2, sizeof(root2), "certificates.?%u", indx + 1); + + result = asn1_write_value(c2, root2, NULL, 0); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + /* Step 3. Replace the old content with the new + */ + result = + _gnutls_x509_der_encode_and_copy(c2, "", pkcs7->pkcs7, + "content", 0); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + asn1_delete_structure(&c2); + + return 0; + + cleanup: + if (c2) + asn1_delete_structure(&c2); + return result; } /* Read and write CRLs @@ -757,65 +718,62 @@ cleanup: * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned. **/ int -gnutls_pkcs7_get_crl_raw (gnutls_pkcs7_t pkcs7, - int indx, void *crl, size_t * crl_size) +gnutls_pkcs7_get_crl_raw(gnutls_pkcs7_t pkcs7, + int indx, void *crl, size_t * crl_size) { - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - int result; - char root2[ASN1_MAX_NAME_SIZE]; - gnutls_datum_t tmp = { NULL, 0 }; - int start, end; - - if (pkcs7 == NULL || crl_size == NULL) - return GNUTLS_E_INVALID_REQUEST; - - /* Step 1. decode the signed data. - */ - result = _decode_pkcs7_signed_data (pkcs7->pkcs7, &c2, &tmp); - if (result < 0) - { - gnutls_assert (); - return result; - } - - /* Step 2. Parse the CertificateSet - */ - - snprintf (root2, sizeof (root2), "crls.?%u", indx + 1); - - /* Get the raw CRL - */ - result = asn1_der_decoding_startEnd (c2, tmp.data, tmp.size, - root2, &start, &end); - - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - - end = end - start + 1; - - if ((unsigned) end > *crl_size) - { - *crl_size = end; - result = GNUTLS_E_SHORT_MEMORY_BUFFER; - goto cleanup; - } - - if (crl) - memcpy (crl, &tmp.data[start], end); - - *crl_size = end; - - result = 0; - -cleanup: - _gnutls_free_datum (&tmp); - if (c2) - asn1_delete_structure (&c2); - return result; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + int result; + char root2[ASN1_MAX_NAME_SIZE]; + gnutls_datum_t tmp = { NULL, 0 }; + int start, end; + + if (pkcs7 == NULL || crl_size == NULL) + return GNUTLS_E_INVALID_REQUEST; + + /* Step 1. decode the signed data. + */ + result = _decode_pkcs7_signed_data(pkcs7->pkcs7, &c2, &tmp); + if (result < 0) { + gnutls_assert(); + return result; + } + + /* Step 2. Parse the CertificateSet + */ + + snprintf(root2, sizeof(root2), "crls.?%u", indx + 1); + + /* Get the raw CRL + */ + result = asn1_der_decoding_startEnd(c2, tmp.data, tmp.size, + root2, &start, &end); + + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + end = end - start + 1; + + if ((unsigned) end > *crl_size) { + *crl_size = end; + result = GNUTLS_E_SHORT_MEMORY_BUFFER; + goto cleanup; + } + + if (crl) + memcpy(crl, &tmp.data[start], end); + + *crl_size = end; + + result = 0; + + cleanup: + _gnutls_free_datum(&tmp); + if (c2) + asn1_delete_structure(&c2); + return result; } /** @@ -828,37 +786,34 @@ cleanup: * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a * negative error value. **/ -int -gnutls_pkcs7_get_crl_count (gnutls_pkcs7_t pkcs7) +int gnutls_pkcs7_get_crl_count(gnutls_pkcs7_t pkcs7) { - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - int result, count; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + int result, count; - if (pkcs7 == NULL) - return GNUTLS_E_INVALID_REQUEST; + if (pkcs7 == NULL) + return GNUTLS_E_INVALID_REQUEST; - /* Step 1. decode the signed data. - */ - result = _decode_pkcs7_signed_data (pkcs7->pkcs7, &c2, NULL); - if (result < 0) - { - gnutls_assert (); - return result; - } + /* Step 1. decode the signed data. + */ + result = _decode_pkcs7_signed_data(pkcs7->pkcs7, &c2, NULL); + if (result < 0) { + gnutls_assert(); + return result; + } - /* Step 2. Count the CertificateSet */ + /* Step 2. Count the CertificateSet */ - result = asn1_number_of_elements (c2, "crls", &count); + result = asn1_number_of_elements(c2, "crls", &count); - asn1_delete_structure (&c2); + asn1_delete_structure(&c2); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - return 0; /* no crls */ - } + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return 0; /* no crls */ + } - return count; + return count; } @@ -873,76 +828,71 @@ gnutls_pkcs7_get_crl_count (gnutls_pkcs7_t pkcs7) * negative error value. **/ int -gnutls_pkcs7_set_crl_raw (gnutls_pkcs7_t pkcs7, const gnutls_datum_t * crl) +gnutls_pkcs7_set_crl_raw(gnutls_pkcs7_t pkcs7, const gnutls_datum_t * crl) { - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - int result; - - if (pkcs7 == NULL) - return GNUTLS_E_INVALID_REQUEST; - - /* Step 1. decode the signed data. - */ - result = _decode_pkcs7_signed_data (pkcs7->pkcs7, &c2, NULL); - if (result < 0 && result != GNUTLS_E_ASN1_VALUE_NOT_FOUND) - { - gnutls_assert (); - return result; - } - - /* If the signed data are uninitialized - * then create them. - */ - if (result == GNUTLS_E_ASN1_VALUE_NOT_FOUND) - { - /* The pkcs7 structure is new, so create the - * signedData. - */ - result = create_empty_signed_data (pkcs7->pkcs7, &c2); - if (result < 0) - { - gnutls_assert (); - return result; - } - } - - /* Step 2. Append the new crl. - */ - - result = asn1_write_value (c2, "crls", "NEW", 1); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - - result = asn1_write_value (c2, "crls.?LAST", crl->data, crl->size); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - - /* Step 3. Replace the old content with the new - */ - result = - _gnutls_x509_der_encode_and_copy (c2, "", pkcs7->pkcs7, "content", 0); - if (result < 0) - { - gnutls_assert (); - goto cleanup; - } - - asn1_delete_structure (&c2); - - return 0; - -cleanup: - if (c2) - asn1_delete_structure (&c2); - return result; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + int result; + + if (pkcs7 == NULL) + return GNUTLS_E_INVALID_REQUEST; + + /* Step 1. decode the signed data. + */ + result = _decode_pkcs7_signed_data(pkcs7->pkcs7, &c2, NULL); + if (result < 0 && result != GNUTLS_E_ASN1_VALUE_NOT_FOUND) { + gnutls_assert(); + return result; + } + + /* If the signed data are uninitialized + * then create them. + */ + if (result == GNUTLS_E_ASN1_VALUE_NOT_FOUND) { + /* The pkcs7 structure is new, so create the + * signedData. + */ + result = create_empty_signed_data(pkcs7->pkcs7, &c2); + if (result < 0) { + gnutls_assert(); + return result; + } + } + + /* Step 2. Append the new crl. + */ + + result = asn1_write_value(c2, "crls", "NEW", 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + result = asn1_write_value(c2, "crls.?LAST", crl->data, crl->size); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + /* Step 3. Replace the old content with the new + */ + result = + _gnutls_x509_der_encode_and_copy(c2, "", pkcs7->pkcs7, + "content", 0); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + asn1_delete_structure(&c2); + + return 0; + + cleanup: + if (c2) + asn1_delete_structure(&c2); + return result; } /** @@ -956,33 +906,30 @@ cleanup: * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a * negative error value. **/ -int -gnutls_pkcs7_set_crl (gnutls_pkcs7_t pkcs7, gnutls_x509_crl_t crl) +int gnutls_pkcs7_set_crl(gnutls_pkcs7_t pkcs7, gnutls_x509_crl_t crl) { - int ret; - gnutls_datum_t data; + int ret; + gnutls_datum_t data; - if (pkcs7 == NULL) - return GNUTLS_E_INVALID_REQUEST; + if (pkcs7 == NULL) + return GNUTLS_E_INVALID_REQUEST; - ret = _gnutls_x509_der_encode (crl->crl, "", &data, 0); - if (ret < 0) - { - gnutls_assert (); - return ret; - } + ret = _gnutls_x509_der_encode(crl->crl, "", &data, 0); + if (ret < 0) { + gnutls_assert(); + return ret; + } - ret = gnutls_pkcs7_set_crl_raw (pkcs7, &data); + ret = gnutls_pkcs7_set_crl_raw(pkcs7, &data); - _gnutls_free_datum (&data); + _gnutls_free_datum(&data); - if (ret < 0) - { - gnutls_assert (); - return ret; - } + if (ret < 0) { + gnutls_assert(); + return ret; + } - return 0; + return 0; } /** @@ -996,54 +943,51 @@ gnutls_pkcs7_set_crl (gnutls_pkcs7_t pkcs7, gnutls_x509_crl_t crl) * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a * negative error value. **/ -int -gnutls_pkcs7_delete_crl (gnutls_pkcs7_t pkcs7, int indx) +int gnutls_pkcs7_delete_crl(gnutls_pkcs7_t pkcs7, int indx) { - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - int result; - char root2[ASN1_MAX_NAME_SIZE]; - - if (pkcs7 == NULL) - return GNUTLS_E_INVALID_REQUEST; - - /* Step 1. Decode the signed data. - */ - result = _decode_pkcs7_signed_data (pkcs7->pkcs7, &c2, NULL); - if (result < 0) - { - gnutls_assert (); - return result; - } - - /* Step 2. Delete the crl. - */ - - snprintf (root2, sizeof (root2), "crls.?%u", indx + 1); - - result = asn1_write_value (c2, root2, NULL, 0); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - - /* Step 3. Replace the old content with the new - */ - result = - _gnutls_x509_der_encode_and_copy (c2, "", pkcs7->pkcs7, "content", 0); - if (result < 0) - { - gnutls_assert (); - goto cleanup; - } - - asn1_delete_structure (&c2); - - return 0; - -cleanup: - if (c2) - asn1_delete_structure (&c2); - return result; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + int result; + char root2[ASN1_MAX_NAME_SIZE]; + + if (pkcs7 == NULL) + return GNUTLS_E_INVALID_REQUEST; + + /* Step 1. Decode the signed data. + */ + result = _decode_pkcs7_signed_data(pkcs7->pkcs7, &c2, NULL); + if (result < 0) { + gnutls_assert(); + return result; + } + + /* Step 2. Delete the crl. + */ + + snprintf(root2, sizeof(root2), "crls.?%u", indx + 1); + + result = asn1_write_value(c2, root2, NULL, 0); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + /* Step 3. Replace the old content with the new + */ + result = + _gnutls_x509_der_encode_and_copy(c2, "", pkcs7->pkcs7, + "content", 0); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + asn1_delete_structure(&c2); + + return 0; + + cleanup: + if (c2) + asn1_delete_structure(&c2); + return result; } diff --git a/lib/x509/privkey.c b/lib/x509/privkey.c index af55d907e7..1a779772bc 100644 --- a/lib/x509/privkey.c +++ b/lib/x509/privkey.c @@ -42,19 +42,17 @@ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a * negative error value. **/ -int -gnutls_x509_privkey_init (gnutls_x509_privkey_t * key) +int gnutls_x509_privkey_init(gnutls_x509_privkey_t * key) { - *key = gnutls_calloc (1, sizeof (gnutls_x509_privkey_int)); + *key = gnutls_calloc(1, sizeof(gnutls_x509_privkey_int)); - if (*key) - { - (*key)->key = ASN1_TYPE_EMPTY; - (*key)->pk_algorithm = GNUTLS_PK_UNKNOWN; - return 0; /* success */ - } + if (*key) { + (*key)->key = ASN1_TYPE_EMPTY; + (*key)->pk_algorithm = GNUTLS_PK_UNKNOWN; + return 0; /* success */ + } - return GNUTLS_E_MEMORY_ERROR; + return GNUTLS_E_MEMORY_ERROR; } /** @@ -63,16 +61,15 @@ gnutls_x509_privkey_init (gnutls_x509_privkey_t * key) * * This function will deinitialize a private key structure. **/ -void -gnutls_x509_privkey_deinit (gnutls_x509_privkey_t key) +void gnutls_x509_privkey_deinit(gnutls_x509_privkey_t key) { - if (!key) - return; + if (!key) + return; - gnutls_pk_params_clear(&key->params); - gnutls_pk_params_release(&key->params); - asn1_delete_structure (&key->key); - gnutls_free (key); + gnutls_pk_params_clear(&key->params); + gnutls_pk_params_release(&key->params); + asn1_delete_structure(&key->key); + gnutls_free(key); } /** @@ -87,146 +84,146 @@ gnutls_x509_privkey_deinit (gnutls_x509_privkey_t key) * negative error value. **/ int -gnutls_x509_privkey_cpy (gnutls_x509_privkey_t dst, gnutls_x509_privkey_t src) +gnutls_x509_privkey_cpy(gnutls_x509_privkey_t dst, + gnutls_x509_privkey_t src) { - unsigned int i; - int ret; + unsigned int i; + int ret; - if (!src || !dst) - return GNUTLS_E_INVALID_REQUEST; + if (!src || !dst) + return GNUTLS_E_INVALID_REQUEST; - for (i = 0; i < src->params.params_nr; i++) - { - dst->params.params[i] = _gnutls_mpi_copy (src->params.params[i]); - if (dst->params.params[i] == NULL) - return GNUTLS_E_MEMORY_ERROR; - } + for (i = 0; i < src->params.params_nr; i++) { + dst->params.params[i] = + _gnutls_mpi_copy(src->params.params[i]); + if (dst->params.params[i] == NULL) + return GNUTLS_E_MEMORY_ERROR; + } - dst->params.params_nr = src->params.params_nr; - dst->params.flags = src->params.flags; + dst->params.params_nr = src->params.params_nr; + dst->params.flags = src->params.flags; - dst->pk_algorithm = src->pk_algorithm; + dst->pk_algorithm = src->pk_algorithm; - ret = _gnutls_asn1_encode_privkey (dst->pk_algorithm, &dst->key, &dst->params); - if (ret < 0) - { - gnutls_assert (); - return ret; - } + ret = + _gnutls_asn1_encode_privkey(dst->pk_algorithm, &dst->key, + &dst->params); + if (ret < 0) { + gnutls_assert(); + return ret; + } - return 0; + return 0; } /* Converts an RSA PKCS#1 key to * an internal structure (gnutls_private_key) */ ASN1_TYPE -_gnutls_privkey_decode_pkcs1_rsa_key (const gnutls_datum_t * raw_key, - gnutls_x509_privkey_t pkey) +_gnutls_privkey_decode_pkcs1_rsa_key(const gnutls_datum_t * raw_key, + gnutls_x509_privkey_t pkey) { - int result; - ASN1_TYPE pkey_asn; - - gnutls_pk_params_init(&pkey->params); - - if ((result = - asn1_create_element (_gnutls_get_gnutls_asn (), - "GNUTLS.RSAPrivateKey", - &pkey_asn)) != ASN1_SUCCESS) - { - gnutls_assert (); - return NULL; - } - - result = asn1_der_decoding (&pkey_asn, raw_key->data, raw_key->size, NULL); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - goto error; - } - - if ((result = _gnutls_x509_read_int (pkey_asn, "modulus", - &pkey->params.params[0])) < 0) - { - gnutls_assert (); - goto error; - } - pkey->params.params_nr++; - - if ((result = - _gnutls_x509_read_int (pkey_asn, "publicExponent", - &pkey->params.params[1])) < 0) - { - gnutls_assert (); - goto error; - } - pkey->params.params_nr++; - - if ((result = - _gnutls_x509_read_int (pkey_asn, "privateExponent", - &pkey->params.params[2])) < 0) - { - gnutls_assert (); - goto error; - } - pkey->params.params_nr++; - - if ((result = _gnutls_x509_read_int (pkey_asn, "prime1", - &pkey->params.params[3])) < 0) - { - gnutls_assert (); - goto error; - } - pkey->params.params_nr++; - - if ((result = _gnutls_x509_read_int (pkey_asn, "prime2", - &pkey->params.params[4])) < 0) - { - gnutls_assert (); - goto error; - } - pkey->params.params_nr++; - - if ((result = _gnutls_x509_read_int (pkey_asn, "coefficient", - &pkey->params.params[5])) < 0) - { - gnutls_assert (); - goto error; - } - pkey->params.params_nr++; - - if ((result = _gnutls_x509_read_int (pkey_asn, "exponent1", - &pkey->params.params[6])) < 0) - { - gnutls_assert (); - goto error; - } - pkey->params.params_nr++; - - if ((result = _gnutls_x509_read_int (pkey_asn, "exponent2", - &pkey->params.params[7])) < 0) - { - gnutls_assert (); - goto error; - } - pkey->params.params_nr++; - - result = _gnutls_pk_fixup (GNUTLS_PK_RSA, GNUTLS_IMPORT, &pkey->params); - if (result < 0) - { - gnutls_assert (); - goto error; - } - - pkey->params.params_nr = RSA_PRIVATE_PARAMS; - - return pkey_asn; - -error: - asn1_delete_structure (&pkey_asn); - gnutls_pk_params_clear (&pkey->params); - gnutls_pk_params_release (&pkey->params); - return NULL; + int result; + ASN1_TYPE pkey_asn; + + gnutls_pk_params_init(&pkey->params); + + if ((result = + asn1_create_element(_gnutls_get_gnutls_asn(), + "GNUTLS.RSAPrivateKey", + &pkey_asn)) != ASN1_SUCCESS) { + gnutls_assert(); + return NULL; + } + + result = + asn1_der_decoding(&pkey_asn, raw_key->data, raw_key->size, + NULL); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + goto error; + } + + if ((result = _gnutls_x509_read_int(pkey_asn, "modulus", + &pkey->params.params[0])) < 0) + { + gnutls_assert(); + goto error; + } + pkey->params.params_nr++; + + if ((result = + _gnutls_x509_read_int(pkey_asn, "publicExponent", + &pkey->params.params[1])) < 0) { + gnutls_assert(); + goto error; + } + pkey->params.params_nr++; + + if ((result = + _gnutls_x509_read_int(pkey_asn, "privateExponent", + &pkey->params.params[2])) < 0) { + gnutls_assert(); + goto error; + } + pkey->params.params_nr++; + + if ((result = _gnutls_x509_read_int(pkey_asn, "prime1", + &pkey->params.params[3])) < 0) + { + gnutls_assert(); + goto error; + } + pkey->params.params_nr++; + + if ((result = _gnutls_x509_read_int(pkey_asn, "prime2", + &pkey->params.params[4])) < 0) + { + gnutls_assert(); + goto error; + } + pkey->params.params_nr++; + + if ((result = _gnutls_x509_read_int(pkey_asn, "coefficient", + &pkey->params.params[5])) < 0) + { + gnutls_assert(); + goto error; + } + pkey->params.params_nr++; + + if ((result = _gnutls_x509_read_int(pkey_asn, "exponent1", + &pkey->params.params[6])) < 0) + { + gnutls_assert(); + goto error; + } + pkey->params.params_nr++; + + if ((result = _gnutls_x509_read_int(pkey_asn, "exponent2", + &pkey->params.params[7])) < 0) + { + gnutls_assert(); + goto error; + } + pkey->params.params_nr++; + + result = + _gnutls_pk_fixup(GNUTLS_PK_RSA, GNUTLS_IMPORT, &pkey->params); + if (result < 0) { + gnutls_assert(); + goto error; + } + + pkey->params.params_nr = RSA_PRIVATE_PARAMS; + + return pkey_asn; + + error: + asn1_delete_structure(&pkey_asn); + gnutls_pk_params_clear(&pkey->params); + gnutls_pk_params_release(&pkey->params); + return NULL; } @@ -234,171 +231,176 @@ error: * an internal structure (gnutls_private_key) */ ASN1_TYPE -_gnutls_privkey_decode_ecc_key (const gnutls_datum_t * raw_key, - gnutls_x509_privkey_t pkey) +_gnutls_privkey_decode_ecc_key(const gnutls_datum_t * raw_key, + gnutls_x509_privkey_t pkey) { - int ret; - ASN1_TYPE pkey_asn; - unsigned int version; - char oid[MAX_OID_SIZE]; - int oid_size; - gnutls_datum out; - - gnutls_pk_params_init(&pkey->params); - - if ((ret = - asn1_create_element (_gnutls_get_gnutls_asn (), - "GNUTLS.ECPrivateKey", - &pkey_asn)) != ASN1_SUCCESS) - { - gnutls_assert (); - return NULL; - } - - ret = asn1_der_decoding (&pkey_asn, raw_key->data, raw_key->size, NULL); - if (ret != ASN1_SUCCESS) - { - gnutls_assert (); - goto error; - } - - ret = _gnutls_x509_read_uint (pkey_asn, "Version", &version); - if (ret < 0) - { - gnutls_assert(); - goto error; - } - - if (version != 1) - { - _gnutls_debug_log("ECC private key version %u is not supported\n", version); - gnutls_assert(); - goto error; - } - - /* read the curve */ - oid_size = sizeof(oid); - ret = asn1_read_value(pkey_asn, "parameters.namedCurve", oid, &oid_size); - if (ret != ASN1_SUCCESS) - { - gnutls_assert (); - goto error; - } - - pkey->params.flags = _gnutls_oid_to_ecc_curve(oid); - if (pkey->params.flags == GNUTLS_ECC_CURVE_INVALID) - { - _gnutls_debug_log("Curve %s is not supported\n", oid); - gnutls_assert(); - goto error; - } - - /* read the public key */ - ret = _gnutls_x509_read_value (pkey_asn, "publicKey", &out); - if (ret < 0) - { - gnutls_assert(); - goto error; - } - - ret = _gnutls_ecc_ansi_x963_import (out.data, out.size, &pkey->params.params[ECC_X], - &pkey->params.params[ECC_Y]); - - _gnutls_free_datum(&out); - if (ret < 0) - { - gnutls_assert(); - goto error; - } - pkey->params.params_nr += 2; - - /* read the private key */ - ret = _gnutls_x509_read_int (pkey_asn, "privateKey", &pkey->params.params[ECC_K]); - if (ret < 0) - { - gnutls_assert(); - goto error; - } - pkey->params.params_nr ++; - - return pkey_asn; - -error: - asn1_delete_structure (&pkey_asn); - gnutls_pk_params_clear (&pkey->params); - gnutls_pk_params_release (&pkey->params); - return NULL; + int ret; + ASN1_TYPE pkey_asn; + unsigned int version; + char oid[MAX_OID_SIZE]; + int oid_size; + gnutls_datum out; + + gnutls_pk_params_init(&pkey->params); + + if ((ret = + asn1_create_element(_gnutls_get_gnutls_asn(), + "GNUTLS.ECPrivateKey", + &pkey_asn)) != ASN1_SUCCESS) { + gnutls_assert(); + return NULL; + } + + ret = + asn1_der_decoding(&pkey_asn, raw_key->data, raw_key->size, + NULL); + if (ret != ASN1_SUCCESS) { + gnutls_assert(); + goto error; + } + + ret = _gnutls_x509_read_uint(pkey_asn, "Version", &version); + if (ret < 0) { + gnutls_assert(); + goto error; + } + + if (version != 1) { + _gnutls_debug_log + ("ECC private key version %u is not supported\n", + version); + gnutls_assert(); + goto error; + } + + /* read the curve */ + oid_size = sizeof(oid); + ret = + asn1_read_value(pkey_asn, "parameters.namedCurve", oid, + &oid_size); + if (ret != ASN1_SUCCESS) { + gnutls_assert(); + goto error; + } + + pkey->params.flags = _gnutls_oid_to_ecc_curve(oid); + if (pkey->params.flags == GNUTLS_ECC_CURVE_INVALID) { + _gnutls_debug_log("Curve %s is not supported\n", oid); + gnutls_assert(); + goto error; + } + + /* read the public key */ + ret = _gnutls_x509_read_value(pkey_asn, "publicKey", &out); + if (ret < 0) { + gnutls_assert(); + goto error; + } + + ret = + _gnutls_ecc_ansi_x963_import(out.data, out.size, + &pkey->params.params[ECC_X], + &pkey->params.params[ECC_Y]); + + _gnutls_free_datum(&out); + if (ret < 0) { + gnutls_assert(); + goto error; + } + pkey->params.params_nr += 2; + + /* read the private key */ + ret = + _gnutls_x509_read_int(pkey_asn, "privateKey", + &pkey->params.params[ECC_K]); + if (ret < 0) { + gnutls_assert(); + goto error; + } + pkey->params.params_nr++; + + return pkey_asn; + + error: + asn1_delete_structure(&pkey_asn); + gnutls_pk_params_clear(&pkey->params); + gnutls_pk_params_release(&pkey->params); + return NULL; } static ASN1_TYPE -decode_dsa_key (const gnutls_datum_t * raw_key, gnutls_x509_privkey_t pkey) +decode_dsa_key(const gnutls_datum_t * raw_key, gnutls_x509_privkey_t pkey) { - int result; - ASN1_TYPE dsa_asn; - - if ((result = - asn1_create_element (_gnutls_get_gnutls_asn (), - "GNUTLS.DSAPrivateKey", - &dsa_asn)) != ASN1_SUCCESS) - { - gnutls_assert (); - return NULL; - } - - pkey->params.params_nr = 0; - - result = asn1_der_decoding (&dsa_asn, raw_key->data, raw_key->size, NULL); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - goto error; - } - - if ((result = _gnutls_x509_read_int (dsa_asn, "p", &pkey->params.params[0])) < 0) - { - gnutls_assert (); - goto error; - } - pkey->params.params_nr++; - - if ((result = _gnutls_x509_read_int (dsa_asn, "q", &pkey->params.params[1])) < 0) - { - gnutls_assert (); - goto error; - } - pkey->params.params_nr++; - - if ((result = _gnutls_x509_read_int (dsa_asn, "g", &pkey->params.params[2])) < 0) - { - gnutls_assert (); - goto error; - } - pkey->params.params_nr++; - - if ((result = _gnutls_x509_read_int (dsa_asn, "Y", &pkey->params.params[3])) < 0) - { - gnutls_assert (); - goto error; - } - pkey->params.params_nr++; - - if ((result = _gnutls_x509_read_int (dsa_asn, "priv", - &pkey->params.params[4])) < 0) - { - gnutls_assert (); - goto error; - } - pkey->params.params_nr++; - - return dsa_asn; - -error: - asn1_delete_structure (&dsa_asn); - gnutls_pk_params_clear(&pkey->params); - gnutls_pk_params_release(&pkey->params); - return NULL; + int result; + ASN1_TYPE dsa_asn; + + if ((result = + asn1_create_element(_gnutls_get_gnutls_asn(), + "GNUTLS.DSAPrivateKey", + &dsa_asn)) != ASN1_SUCCESS) { + gnutls_assert(); + return NULL; + } + + pkey->params.params_nr = 0; + + result = + asn1_der_decoding(&dsa_asn, raw_key->data, raw_key->size, + NULL); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + goto error; + } + + if ((result = + _gnutls_x509_read_int(dsa_asn, "p", + &pkey->params.params[0])) < 0) { + gnutls_assert(); + goto error; + } + pkey->params.params_nr++; + + if ((result = + _gnutls_x509_read_int(dsa_asn, "q", + &pkey->params.params[1])) < 0) { + gnutls_assert(); + goto error; + } + pkey->params.params_nr++; + + if ((result = + _gnutls_x509_read_int(dsa_asn, "g", + &pkey->params.params[2])) < 0) { + gnutls_assert(); + goto error; + } + pkey->params.params_nr++; + + if ((result = + _gnutls_x509_read_int(dsa_asn, "Y", + &pkey->params.params[3])) < 0) { + gnutls_assert(); + goto error; + } + pkey->params.params_nr++; + + if ((result = _gnutls_x509_read_int(dsa_asn, "priv", + &pkey->params.params[4])) < 0) + { + gnutls_assert(); + goto error; + } + pkey->params.params_nr++; + + return dsa_asn; + + error: + asn1_delete_structure(&dsa_asn); + gnutls_pk_params_clear(&pkey->params); + gnutls_pk_params_release(&pkey->params); + return NULL; } @@ -425,176 +427,170 @@ error: * negative error value. **/ int -gnutls_x509_privkey_import (gnutls_x509_privkey_t key, - const gnutls_datum_t * data, - gnutls_x509_crt_fmt_t format) +gnutls_x509_privkey_import(gnutls_x509_privkey_t key, + const gnutls_datum_t * data, + gnutls_x509_crt_fmt_t format) { - int result = 0, need_free = 0; - gnutls_datum_t _data; - - if (key == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - _data.data = data->data; - _data.size = data->size; - - key->pk_algorithm = GNUTLS_PK_UNKNOWN; - - /* If the Certificate is in PEM format then decode it - */ - if (format == GNUTLS_X509_FMT_PEM) - { - /* Try the first header */ - result = - _gnutls_fbase64_decode (PEM_KEY_RSA, data->data, data->size, &_data); - - if (result >= 0) - key->pk_algorithm = GNUTLS_PK_RSA; - - if (result == GNUTLS_E_BASE64_UNEXPECTED_HEADER_ERROR) - { - /* try for the second header */ - result = - _gnutls_fbase64_decode (PEM_KEY_DSA, data->data, data->size, - &_data); - - if (result >= 0) - key->pk_algorithm = GNUTLS_PK_DSA; - - if (result == GNUTLS_E_BASE64_UNEXPECTED_HEADER_ERROR) - { - /* try for the second header */ - result = - _gnutls_fbase64_decode (PEM_KEY_ECC, data->data, data->size, - &_data); - if (result >= 0) - key->pk_algorithm = GNUTLS_PK_EC; - } - } - - if (result < 0) - { - gnutls_assert (); - goto failover; - } - - need_free = 1; - } - - if (key->pk_algorithm == GNUTLS_PK_RSA) - { - key->key = _gnutls_privkey_decode_pkcs1_rsa_key (&_data, key); - if (key->key == NULL) - gnutls_assert (); - } - else if (key->pk_algorithm == GNUTLS_PK_DSA) - { - key->key = decode_dsa_key (&_data, key); - if (key->key == NULL) - gnutls_assert (); - } - else if (key->pk_algorithm == GNUTLS_PK_EC) - { - key->key = _gnutls_privkey_decode_ecc_key (&_data, key); - if (key->key == NULL) - gnutls_assert (); - } - else - { - /* Try decoding with both, and accept the one that - * succeeds. - */ - key->pk_algorithm = GNUTLS_PK_RSA; - key->key = _gnutls_privkey_decode_pkcs1_rsa_key (&_data, key); - - if (key->key == NULL) - { - key->pk_algorithm = GNUTLS_PK_DSA; - key->key = decode_dsa_key (&_data, key); - if (key->key == NULL) - { - key->pk_algorithm = GNUTLS_PK_EC; - key->key = _gnutls_privkey_decode_ecc_key (&_data, key); - if (key->key == NULL) - gnutls_assert (); - } - } - } - - if (key->key == NULL) - { - gnutls_assert (); - result = GNUTLS_E_ASN1_DER_ERROR; - goto failover; - } - - if (need_free) - _gnutls_free_datum (&_data); - - /* The key has now been decoded. - */ - - return 0; - -failover: - /* Try PKCS #8 */ - if (result == GNUTLS_E_BASE64_UNEXPECTED_HEADER_ERROR) - { - _gnutls_debug_log ("Falling back to PKCS #8 key decoding\n"); - result = gnutls_x509_privkey_import_pkcs8 (key, data, format, - NULL, GNUTLS_PKCS_PLAIN); - } - - if (need_free) - _gnutls_free_datum (&_data); - - return result; + int result = 0, need_free = 0; + gnutls_datum_t _data; + + if (key == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + _data.data = data->data; + _data.size = data->size; + + key->pk_algorithm = GNUTLS_PK_UNKNOWN; + + /* If the Certificate is in PEM format then decode it + */ + if (format == GNUTLS_X509_FMT_PEM) { + /* Try the first header */ + result = + _gnutls_fbase64_decode(PEM_KEY_RSA, data->data, + data->size, &_data); + + if (result >= 0) + key->pk_algorithm = GNUTLS_PK_RSA; + + if (result == GNUTLS_E_BASE64_UNEXPECTED_HEADER_ERROR) { + /* try for the second header */ + result = + _gnutls_fbase64_decode(PEM_KEY_DSA, data->data, + data->size, &_data); + + if (result >= 0) + key->pk_algorithm = GNUTLS_PK_DSA; + + if (result == + GNUTLS_E_BASE64_UNEXPECTED_HEADER_ERROR) { + /* try for the second header */ + result = + _gnutls_fbase64_decode(PEM_KEY_ECC, + data->data, + data->size, + &_data); + if (result >= 0) + key->pk_algorithm = GNUTLS_PK_EC; + } + } + + if (result < 0) { + gnutls_assert(); + goto failover; + } + + need_free = 1; + } + + if (key->pk_algorithm == GNUTLS_PK_RSA) { + key->key = + _gnutls_privkey_decode_pkcs1_rsa_key(&_data, key); + if (key->key == NULL) + gnutls_assert(); + } else if (key->pk_algorithm == GNUTLS_PK_DSA) { + key->key = decode_dsa_key(&_data, key); + if (key->key == NULL) + gnutls_assert(); + } else if (key->pk_algorithm == GNUTLS_PK_EC) { + key->key = _gnutls_privkey_decode_ecc_key(&_data, key); + if (key->key == NULL) + gnutls_assert(); + } else { + /* Try decoding with both, and accept the one that + * succeeds. + */ + key->pk_algorithm = GNUTLS_PK_RSA; + key->key = + _gnutls_privkey_decode_pkcs1_rsa_key(&_data, key); + + if (key->key == NULL) { + key->pk_algorithm = GNUTLS_PK_DSA; + key->key = decode_dsa_key(&_data, key); + if (key->key == NULL) { + key->pk_algorithm = GNUTLS_PK_EC; + key->key = + _gnutls_privkey_decode_ecc_key(&_data, + key); + if (key->key == NULL) + gnutls_assert(); + } + } + } + + if (key->key == NULL) { + gnutls_assert(); + result = GNUTLS_E_ASN1_DER_ERROR; + goto failover; + } + + if (need_free) + _gnutls_free_datum(&_data); + + /* The key has now been decoded. + */ + + return 0; + + failover: + /* Try PKCS #8 */ + if (result == GNUTLS_E_BASE64_UNEXPECTED_HEADER_ERROR) { + _gnutls_debug_log + ("Falling back to PKCS #8 key decoding\n"); + result = + gnutls_x509_privkey_import_pkcs8(key, data, format, + NULL, + GNUTLS_PKCS_PLAIN); + } + + if (need_free) + _gnutls_free_datum(&_data); + + return result; } -static int import_pkcs12_privkey (gnutls_x509_privkey_t key, - const gnutls_datum_t * data, - gnutls_x509_crt_fmt_t format, - const char* password, unsigned int flags) +static int import_pkcs12_privkey(gnutls_x509_privkey_t key, + const gnutls_datum_t * data, + gnutls_x509_crt_fmt_t format, + const char *password, unsigned int flags) { -int ret; -gnutls_pkcs12_t p12; -gnutls_x509_privkey_t newkey; - - ret = gnutls_pkcs12_init(&p12); - if (ret < 0) - return gnutls_assert_val(ret); - - ret = gnutls_pkcs12_import(p12, data, format, flags); - if (ret < 0) - { - gnutls_assert(); - goto fail; - } - - ret = gnutls_pkcs12_simple_parse (p12, password, &newkey, NULL, NULL, NULL, NULL, NULL, 0); - if (ret < 0) - { - gnutls_assert(); - goto fail; - } - - ret = gnutls_x509_privkey_cpy (key, newkey); - gnutls_x509_privkey_deinit (newkey); - if (ret < 0) - { - gnutls_assert(); - goto fail; - } - - ret = 0; -fail: - - gnutls_pkcs12_deinit(p12); - - return ret; + int ret; + gnutls_pkcs12_t p12; + gnutls_x509_privkey_t newkey; + + ret = gnutls_pkcs12_init(&p12); + if (ret < 0) + return gnutls_assert_val(ret); + + ret = gnutls_pkcs12_import(p12, data, format, flags); + if (ret < 0) { + gnutls_assert(); + goto fail; + } + + ret = + gnutls_pkcs12_simple_parse(p12, password, &newkey, NULL, NULL, + NULL, NULL, NULL, 0); + if (ret < 0) { + gnutls_assert(); + goto fail; + } + + ret = gnutls_x509_privkey_cpy(key, newkey); + gnutls_x509_privkey_deinit(newkey); + if (ret < 0) { + gnutls_assert(); + goto fail; + } + + ret = 0; + fail: + + gnutls_pkcs12_deinit(p12); + + return ret; } /** @@ -619,52 +615,54 @@ fail: * negative error value. **/ int -gnutls_x509_privkey_import2 (gnutls_x509_privkey_t key, - const gnutls_datum_t * data, - gnutls_x509_crt_fmt_t format, - const char* password, unsigned int flags) +gnutls_x509_privkey_import2(gnutls_x509_privkey_t key, + const gnutls_datum_t * data, + gnutls_x509_crt_fmt_t format, + const char *password, unsigned int flags) { - int ret = 0; - - if (password == NULL && !(flags & GNUTLS_PKCS_NULL_PASSWORD)) - { - ret = gnutls_x509_privkey_import(key, data, format); - if (ret < 0) - { - gnutls_assert(); - } - } - - if ((password != NULL || (flags & GNUTLS_PKCS_NULL_PASSWORD)) || ret < 0) - { - ret = gnutls_x509_privkey_import_pkcs8(key, data, format, password, flags); - if (ret < 0) - { - if (ret == GNUTLS_E_DECRYPTION_FAILED) goto cleanup; - ret = import_pkcs12_privkey(key, data, format, password, flags); - if (ret < 0 && format == GNUTLS_X509_FMT_PEM) - { - if (ret == GNUTLS_E_DECRYPTION_FAILED) goto cleanup; - - ret = gnutls_x509_privkey_import_openssl(key, data, password); - if (ret < 0) - { - gnutls_assert(); - goto cleanup; - } - } - else - { - gnutls_assert(); - goto cleanup; - } - } - } - - ret = 0; - -cleanup: - return ret; + int ret = 0; + + if (password == NULL && !(flags & GNUTLS_PKCS_NULL_PASSWORD)) { + ret = gnutls_x509_privkey_import(key, data, format); + if (ret < 0) { + gnutls_assert(); + } + } + + if ((password != NULL || (flags & GNUTLS_PKCS_NULL_PASSWORD)) + || ret < 0) { + ret = + gnutls_x509_privkey_import_pkcs8(key, data, format, + password, flags); + if (ret < 0) { + if (ret == GNUTLS_E_DECRYPTION_FAILED) + goto cleanup; + ret = + import_pkcs12_privkey(key, data, format, + password, flags); + if (ret < 0 && format == GNUTLS_X509_FMT_PEM) { + if (ret == GNUTLS_E_DECRYPTION_FAILED) + goto cleanup; + + ret = + gnutls_x509_privkey_import_openssl(key, + data, + password); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + } else { + gnutls_assert(); + goto cleanup; + } + } + } + + ret = 0; + + cleanup: + return ret; } @@ -686,16 +684,16 @@ cleanup: * negative error value. **/ int -gnutls_x509_privkey_import_rsa_raw (gnutls_x509_privkey_t key, - const gnutls_datum_t * m, - const gnutls_datum_t * e, - const gnutls_datum_t * d, - const gnutls_datum_t * p, - const gnutls_datum_t * q, - const gnutls_datum_t * u) +gnutls_x509_privkey_import_rsa_raw(gnutls_x509_privkey_t key, + const gnutls_datum_t * m, + const gnutls_datum_t * e, + const gnutls_datum_t * d, + const gnutls_datum_t * p, + const gnutls_datum_t * q, + const gnutls_datum_t * u) { - return gnutls_x509_privkey_import_rsa_raw2 (key, m, e, d, p, q, u, NULL, - NULL); + return gnutls_x509_privkey_import_rsa_raw2(key, m, e, d, p, q, u, + NULL, NULL); } /** @@ -718,125 +716,117 @@ gnutls_x509_privkey_import_rsa_raw (gnutls_x509_privkey_t key, * negative error value. **/ int -gnutls_x509_privkey_import_rsa_raw2 (gnutls_x509_privkey_t key, - const gnutls_datum_t * m, - const gnutls_datum_t * e, - const gnutls_datum_t * d, - const gnutls_datum_t * p, - const gnutls_datum_t * q, - const gnutls_datum_t * u, - const gnutls_datum_t * e1, - const gnutls_datum_t * e2) +gnutls_x509_privkey_import_rsa_raw2(gnutls_x509_privkey_t key, + const gnutls_datum_t * m, + const gnutls_datum_t * e, + const gnutls_datum_t * d, + const gnutls_datum_t * p, + const gnutls_datum_t * q, + const gnutls_datum_t * u, + const gnutls_datum_t * e1, + const gnutls_datum_t * e2) { - int ret; - size_t siz = 0; - - if (key == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - gnutls_pk_params_init(&key->params); - - siz = m->size; - if (_gnutls_mpi_scan_nz (&key->params.params[0], m->data, siz)) - { - gnutls_assert (); - ret = GNUTLS_E_MPI_SCAN_FAILED; - goto cleanup; - } - key->params.params_nr++; - - siz = e->size; - if (_gnutls_mpi_scan_nz (&key->params.params[1], e->data, siz)) - { - gnutls_assert (); - ret = GNUTLS_E_MPI_SCAN_FAILED; - goto cleanup; - } - key->params.params_nr++; - - siz = d->size; - if (_gnutls_mpi_scan_nz (&key->params.params[2], d->data, siz)) - { - gnutls_assert (); - ret = GNUTLS_E_MPI_SCAN_FAILED; - goto cleanup; - } - key->params.params_nr++; - - siz = p->size; - if (_gnutls_mpi_scan_nz (&key->params.params[3], p->data, siz)) - { - gnutls_assert (); - ret = GNUTLS_E_MPI_SCAN_FAILED; - goto cleanup; - } - key->params.params_nr++; - - siz = q->size; - if (_gnutls_mpi_scan_nz (&key->params.params[4], q->data, siz)) - { - gnutls_assert (); - ret = GNUTLS_E_MPI_SCAN_FAILED; - goto cleanup; - } - key->params.params_nr++; - - siz = u->size; - if (_gnutls_mpi_scan_nz (&key->params.params[5], u->data, siz)) - { - gnutls_assert (); - ret = GNUTLS_E_MPI_SCAN_FAILED; - goto cleanup; - } - key->params.params_nr++; - - if (e1 && e2) - { - siz = e1->size; - if (_gnutls_mpi_scan_nz (&key->params.params[6], e1->data, siz)) - { - gnutls_assert (); - ret = GNUTLS_E_MPI_SCAN_FAILED; - goto cleanup; - } - key->params.params_nr++; - - siz = e2->size; - if (_gnutls_mpi_scan_nz (&key->params.params[7], e2->data, siz)) - { - gnutls_assert (); - ret = GNUTLS_E_MPI_SCAN_FAILED; - goto cleanup; - } - key->params.params_nr++; - } - - ret = _gnutls_pk_fixup (GNUTLS_PK_RSA, GNUTLS_IMPORT, &key->params); - if (ret < 0) - { - gnutls_assert (); - goto cleanup; - } - - ret = _gnutls_asn1_encode_privkey (GNUTLS_PK_RSA, &key->key, &key->params); - if (ret < 0) - { - gnutls_assert (); - goto cleanup; - } - - key->params.params_nr = RSA_PRIVATE_PARAMS; - key->pk_algorithm = GNUTLS_PK_RSA; - - return 0; - -cleanup: - gnutls_pk_params_clear(&key->params); - gnutls_pk_params_release(&key->params); - return ret; + int ret; + size_t siz = 0; + + if (key == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + gnutls_pk_params_init(&key->params); + + siz = m->size; + if (_gnutls_mpi_scan_nz(&key->params.params[0], m->data, siz)) { + gnutls_assert(); + ret = GNUTLS_E_MPI_SCAN_FAILED; + goto cleanup; + } + key->params.params_nr++; + + siz = e->size; + if (_gnutls_mpi_scan_nz(&key->params.params[1], e->data, siz)) { + gnutls_assert(); + ret = GNUTLS_E_MPI_SCAN_FAILED; + goto cleanup; + } + key->params.params_nr++; + + siz = d->size; + if (_gnutls_mpi_scan_nz(&key->params.params[2], d->data, siz)) { + gnutls_assert(); + ret = GNUTLS_E_MPI_SCAN_FAILED; + goto cleanup; + } + key->params.params_nr++; + + siz = p->size; + if (_gnutls_mpi_scan_nz(&key->params.params[3], p->data, siz)) { + gnutls_assert(); + ret = GNUTLS_E_MPI_SCAN_FAILED; + goto cleanup; + } + key->params.params_nr++; + + siz = q->size; + if (_gnutls_mpi_scan_nz(&key->params.params[4], q->data, siz)) { + gnutls_assert(); + ret = GNUTLS_E_MPI_SCAN_FAILED; + goto cleanup; + } + key->params.params_nr++; + + siz = u->size; + if (_gnutls_mpi_scan_nz(&key->params.params[5], u->data, siz)) { + gnutls_assert(); + ret = GNUTLS_E_MPI_SCAN_FAILED; + goto cleanup; + } + key->params.params_nr++; + + if (e1 && e2) { + siz = e1->size; + if (_gnutls_mpi_scan_nz + (&key->params.params[6], e1->data, siz)) { + gnutls_assert(); + ret = GNUTLS_E_MPI_SCAN_FAILED; + goto cleanup; + } + key->params.params_nr++; + + siz = e2->size; + if (_gnutls_mpi_scan_nz + (&key->params.params[7], e2->data, siz)) { + gnutls_assert(); + ret = GNUTLS_E_MPI_SCAN_FAILED; + goto cleanup; + } + key->params.params_nr++; + } + + ret = _gnutls_pk_fixup(GNUTLS_PK_RSA, GNUTLS_IMPORT, &key->params); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + + ret = + _gnutls_asn1_encode_privkey(GNUTLS_PK_RSA, &key->key, + &key->params); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + + key->params.params_nr = RSA_PRIVATE_PARAMS; + key->pk_algorithm = GNUTLS_PK_RSA; + + return 0; + + cleanup: + gnutls_pk_params_clear(&key->params); + gnutls_pk_params_release(&key->params); + return ret; } @@ -857,78 +847,73 @@ cleanup: * negative error value. **/ int -gnutls_x509_privkey_import_dsa_raw (gnutls_x509_privkey_t key, - const gnutls_datum_t * p, - const gnutls_datum_t * q, - const gnutls_datum_t * g, - const gnutls_datum_t * y, - const gnutls_datum_t * x) +gnutls_x509_privkey_import_dsa_raw(gnutls_x509_privkey_t key, + const gnutls_datum_t * p, + const gnutls_datum_t * q, + const gnutls_datum_t * g, + const gnutls_datum_t * y, + const gnutls_datum_t * x) { - int ret; - size_t siz = 0; - - if (key == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - siz = p->size; - if (_gnutls_mpi_scan_nz (&key->params.params[0], p->data, siz)) - { - gnutls_assert (); - ret = GNUTLS_E_MPI_SCAN_FAILED; - goto cleanup; - } - - siz = q->size; - if (_gnutls_mpi_scan_nz (&key->params.params[1], q->data, siz)) - { - gnutls_assert (); - ret = GNUTLS_E_MPI_SCAN_FAILED; - goto cleanup; - } - - siz = g->size; - if (_gnutls_mpi_scan_nz (&key->params.params[2], g->data, siz)) - { - gnutls_assert (); - ret = GNUTLS_E_MPI_SCAN_FAILED; - goto cleanup; - } - - siz = y->size; - if (_gnutls_mpi_scan_nz (&key->params.params[3], y->data, siz)) - { - gnutls_assert (); - ret = GNUTLS_E_MPI_SCAN_FAILED; - goto cleanup; - } - - siz = x->size; - if (_gnutls_mpi_scan_nz (&key->params.params[4], x->data, siz)) - { - gnutls_assert (); - ret = GNUTLS_E_MPI_SCAN_FAILED; - goto cleanup; - } - - ret = _gnutls_asn1_encode_privkey (GNUTLS_PK_DSA, &key->key, &key->params); - if (ret < 0) - { - gnutls_assert (); - goto cleanup; - } - - key->params.params_nr = DSA_PRIVATE_PARAMS; - key->pk_algorithm = GNUTLS_PK_DSA; - - return 0; - -cleanup: - gnutls_pk_params_clear(&key->params); - gnutls_pk_params_release(&key->params); - return ret; + int ret; + size_t siz = 0; + + if (key == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + siz = p->size; + if (_gnutls_mpi_scan_nz(&key->params.params[0], p->data, siz)) { + gnutls_assert(); + ret = GNUTLS_E_MPI_SCAN_FAILED; + goto cleanup; + } + + siz = q->size; + if (_gnutls_mpi_scan_nz(&key->params.params[1], q->data, siz)) { + gnutls_assert(); + ret = GNUTLS_E_MPI_SCAN_FAILED; + goto cleanup; + } + + siz = g->size; + if (_gnutls_mpi_scan_nz(&key->params.params[2], g->data, siz)) { + gnutls_assert(); + ret = GNUTLS_E_MPI_SCAN_FAILED; + goto cleanup; + } + + siz = y->size; + if (_gnutls_mpi_scan_nz(&key->params.params[3], y->data, siz)) { + gnutls_assert(); + ret = GNUTLS_E_MPI_SCAN_FAILED; + goto cleanup; + } + + siz = x->size; + if (_gnutls_mpi_scan_nz(&key->params.params[4], x->data, siz)) { + gnutls_assert(); + ret = GNUTLS_E_MPI_SCAN_FAILED; + goto cleanup; + } + + ret = + _gnutls_asn1_encode_privkey(GNUTLS_PK_DSA, &key->key, + &key->params); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + + key->params.params_nr = DSA_PRIVATE_PARAMS; + key->pk_algorithm = GNUTLS_PK_DSA; + + return 0; + + cleanup: + gnutls_pk_params_clear(&key->params); + gnutls_pk_params_release(&key->params); + return ret; } @@ -950,54 +935,53 @@ cleanup: * Since: 3.0 **/ int -gnutls_x509_privkey_import_ecc_raw (gnutls_x509_privkey_t key, - gnutls_ecc_curve_t curve, - const gnutls_datum_t * x, - const gnutls_datum_t * y, - const gnutls_datum_t * k) +gnutls_x509_privkey_import_ecc_raw(gnutls_x509_privkey_t key, + gnutls_ecc_curve_t curve, + const gnutls_datum_t * x, + const gnutls_datum_t * y, + const gnutls_datum_t * k) { - int ret; - - if (key == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - key->params.flags = curve; - - if (_gnutls_mpi_scan_nz (&key->params.params[ECC_X], x->data, x->size)) - { - gnutls_assert (); - ret = GNUTLS_E_MPI_SCAN_FAILED; - goto cleanup; - } - key->params.params_nr++; - - if (_gnutls_mpi_scan_nz (&key->params.params[ECC_Y], y->data, y->size)) - { - gnutls_assert (); - ret = GNUTLS_E_MPI_SCAN_FAILED; - goto cleanup; - } - key->params.params_nr++; - - if (_gnutls_mpi_scan_nz (&key->params.params[ECC_K], k->data, k->size)) - { - gnutls_assert (); - ret = GNUTLS_E_MPI_SCAN_FAILED; - goto cleanup; - } - key->params.params_nr++; - - key->pk_algorithm = GNUTLS_PK_EC; - - return 0; - -cleanup: - gnutls_pk_params_clear(&key->params); - gnutls_pk_params_release(&key->params); - return ret; + int ret; + + if (key == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + key->params.flags = curve; + + if (_gnutls_mpi_scan_nz + (&key->params.params[ECC_X], x->data, x->size)) { + gnutls_assert(); + ret = GNUTLS_E_MPI_SCAN_FAILED; + goto cleanup; + } + key->params.params_nr++; + + if (_gnutls_mpi_scan_nz + (&key->params.params[ECC_Y], y->data, y->size)) { + gnutls_assert(); + ret = GNUTLS_E_MPI_SCAN_FAILED; + goto cleanup; + } + key->params.params_nr++; + + if (_gnutls_mpi_scan_nz + (&key->params.params[ECC_K], k->data, k->size)) { + gnutls_assert(); + ret = GNUTLS_E_MPI_SCAN_FAILED; + goto cleanup; + } + key->params.params_nr++; + + key->pk_algorithm = GNUTLS_PK_EC; + + return 0; + + cleanup: + gnutls_pk_params_clear(&key->params); + gnutls_pk_params_release(&key->params); + return ret; } @@ -1012,16 +996,14 @@ cleanup: * Returns: a member of the #gnutls_pk_algorithm_t enumeration on * success, or a negative error code on error. **/ -int -gnutls_x509_privkey_get_pk_algorithm (gnutls_x509_privkey_t key) +int gnutls_x509_privkey_get_pk_algorithm(gnutls_x509_privkey_t key) { - if (key == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } + if (key == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - return key->pk_algorithm; + return key->pk_algorithm; } /** @@ -1036,36 +1018,36 @@ gnutls_x509_privkey_get_pk_algorithm (gnutls_x509_privkey_t key) * success, or a negative error code on error. **/ int -gnutls_x509_privkey_get_pk_algorithm2 (gnutls_x509_privkey_t key, unsigned int *bits) +gnutls_x509_privkey_get_pk_algorithm2(gnutls_x509_privkey_t key, + unsigned int *bits) { -int ret; - - if (key == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - if (bits) - { - ret = pubkey_to_bits(key->pk_algorithm, &key->params); - if (ret < 0) ret = 0; - *bits = ret; - } - - return key->pk_algorithm; + int ret; + + if (key == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + if (bits) { + ret = pubkey_to_bits(key->pk_algorithm, &key->params); + if (ret < 0) + ret = 0; + *bits = ret; + } + + return key->pk_algorithm; } -static const char* set_msg(gnutls_x509_privkey_t key) +static const char *set_msg(gnutls_x509_privkey_t key) { - if (key->pk_algorithm == GNUTLS_PK_RSA) - return PEM_KEY_RSA; - else if (key->pk_algorithm == GNUTLS_PK_DSA) - return PEM_KEY_DSA; - else if (key->pk_algorithm == GNUTLS_PK_EC) - return PEM_KEY_ECC; - else - return "UNKNOWN"; + if (key->pk_algorithm == GNUTLS_PK_RSA) + return PEM_KEY_RSA; + else if (key->pk_algorithm == GNUTLS_PK_DSA) + return PEM_KEY_DSA; + else if (key->pk_algorithm == GNUTLS_PK_EC) + return PEM_KEY_ECC; + else + return "UNKNOWN"; } /** @@ -1091,22 +1073,21 @@ static const char* set_msg(gnutls_x509_privkey_t key) * negative error value. **/ int -gnutls_x509_privkey_export (gnutls_x509_privkey_t key, - gnutls_x509_crt_fmt_t format, void *output_data, - size_t * output_data_size) +gnutls_x509_privkey_export(gnutls_x509_privkey_t key, + gnutls_x509_crt_fmt_t format, void *output_data, + size_t * output_data_size) { - const char *msg; + const char *msg; - if (key == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } + if (key == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - msg = set_msg(key); + msg = set_msg(key); - return _gnutls_x509_export_int (key->key, format, msg, - output_data, output_data_size); + return _gnutls_x509_export_int(key->key, format, msg, + output_data, output_data_size); } /** @@ -1130,21 +1111,20 @@ gnutls_x509_privkey_export (gnutls_x509_privkey_t key, * Since 3.1.3 **/ int -gnutls_x509_privkey_export2 (gnutls_x509_privkey_t key, - gnutls_x509_crt_fmt_t format, - gnutls_datum_t * out) +gnutls_x509_privkey_export2(gnutls_x509_privkey_t key, + gnutls_x509_crt_fmt_t format, + gnutls_datum_t * out) { - const char *msg; + const char *msg; - if (key == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } + if (key == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - msg = set_msg(key); + msg = set_msg(key); - return _gnutls_x509_export_int2 (key->key, format, msg, out); + return _gnutls_x509_export_int2(key->key, format, msg, out); } /** @@ -1159,16 +1139,15 @@ gnutls_x509_privkey_export2 (gnutls_x509_privkey_t key, * * Since: 2.12.0 **/ -gnutls_sec_param_t -gnutls_x509_privkey_sec_param (gnutls_x509_privkey_t key) +gnutls_sec_param_t gnutls_x509_privkey_sec_param(gnutls_x509_privkey_t key) { - int bits; + int bits; - bits = pubkey_to_bits(key->pk_algorithm, &key->params); - if (bits <= 0) - return GNUTLS_SEC_PARAM_UNKNOWN; - - return gnutls_pk_bits_to_sec_param(key->pk_algorithm, bits); + bits = pubkey_to_bits(key->pk_algorithm, &key->params); + if (bits <= 0) + return GNUTLS_SEC_PARAM_UNKNOWN; + + return gnutls_pk_bits_to_sec_param(key->pk_algorithm, bits); } /** @@ -1188,50 +1167,47 @@ gnutls_x509_privkey_sec_param (gnutls_x509_privkey_t key) * * Since: 3.0 **/ -int gnutls_x509_privkey_export_ecc_raw (gnutls_x509_privkey_t key, - gnutls_ecc_curve_t *curve, - gnutls_datum_t * x, gnutls_datum_t * y, - gnutls_datum_t* k) +int gnutls_x509_privkey_export_ecc_raw(gnutls_x509_privkey_t key, + gnutls_ecc_curve_t * curve, + gnutls_datum_t * x, + gnutls_datum_t * y, + gnutls_datum_t * k) { - int ret; - - if (key == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - *curve = key->params.flags; - - /* X */ - ret = _gnutls_mpi_dprint_lz (key->params.params[ECC_X], x); - if (ret < 0) - { - gnutls_assert (); - return ret; - } - - /* Y */ - ret = _gnutls_mpi_dprint_lz (key->params.params[ECC_Y], y); - if (ret < 0) - { - gnutls_assert (); - _gnutls_free_datum (x); - return ret; - } - - - /* K */ - ret = _gnutls_mpi_dprint_lz (key->params.params[ECC_K], k); - if (ret < 0) - { - gnutls_assert (); - _gnutls_free_datum (x); - _gnutls_free_datum (y); - return ret; - } - - return 0; + int ret; + + if (key == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + *curve = key->params.flags; + + /* X */ + ret = _gnutls_mpi_dprint_lz(key->params.params[ECC_X], x); + if (ret < 0) { + gnutls_assert(); + return ret; + } + + /* Y */ + ret = _gnutls_mpi_dprint_lz(key->params.params[ECC_Y], y); + if (ret < 0) { + gnutls_assert(); + _gnutls_free_datum(x); + return ret; + } + + + /* K */ + ret = _gnutls_mpi_dprint_lz(key->params.params[ECC_K], k); + if (ret < 0) { + gnutls_assert(); + _gnutls_free_datum(x); + _gnutls_free_datum(y); + return ret; + } + + return 0; } @@ -1253,14 +1229,14 @@ int gnutls_x509_privkey_export_ecc_raw (gnutls_x509_privkey_t key, * negative error value. **/ int -gnutls_x509_privkey_export_rsa_raw (gnutls_x509_privkey_t key, - gnutls_datum_t * m, gnutls_datum_t * e, - gnutls_datum_t * d, gnutls_datum_t * p, - gnutls_datum_t * q, gnutls_datum_t * u) +gnutls_x509_privkey_export_rsa_raw(gnutls_x509_privkey_t key, + gnutls_datum_t * m, gnutls_datum_t * e, + gnutls_datum_t * d, gnutls_datum_t * p, + gnutls_datum_t * q, gnutls_datum_t * u) { - return gnutls_x509_privkey_export_rsa_raw2 (key, m, e, d, p, q, u, NULL, - NULL); + return gnutls_x509_privkey_export_rsa_raw2(key, m, e, d, p, q, u, + NULL, NULL); } /** @@ -1285,124 +1261,112 @@ gnutls_x509_privkey_export_rsa_raw (gnutls_x509_privkey_t key, * Since: 2.12.0 **/ int -gnutls_x509_privkey_export_rsa_raw2 (gnutls_x509_privkey_t key, - gnutls_datum_t * m, gnutls_datum_t * e, - gnutls_datum_t * d, gnutls_datum_t * p, - gnutls_datum_t * q, gnutls_datum_t * u, - gnutls_datum_t * e1, gnutls_datum_t * e2) +gnutls_x509_privkey_export_rsa_raw2(gnutls_x509_privkey_t key, + gnutls_datum_t * m, gnutls_datum_t * e, + gnutls_datum_t * d, gnutls_datum_t * p, + gnutls_datum_t * q, gnutls_datum_t * u, + gnutls_datum_t * e1, + gnutls_datum_t * e2) { - int ret; - gnutls_pk_params_st pk_params; - - gnutls_pk_params_init(&pk_params); - - if (key == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - m->data = e->data = d->data = p->data = q->data = u->data = NULL; - m->size = e->size = d->size = p->size = q->size = u->size = 0; - - ret = _gnutls_pk_params_copy (&pk_params, &key->params); - if (ret < 0) - { - gnutls_assert (); - return ret; - } - - ret = _gnutls_pk_fixup (GNUTLS_PK_RSA, GNUTLS_EXPORT, &pk_params); - if (ret < 0) - { - gnutls_assert (); - goto error; - } - - ret = _gnutls_mpi_dprint_lz (pk_params.params[0], m); - if (ret < 0) - { - gnutls_assert (); - goto error; - } - - /* E */ - ret = _gnutls_mpi_dprint_lz (pk_params.params[1], e); - if (ret < 0) - { - gnutls_assert (); - goto error; - } - - /* D */ - ret = _gnutls_mpi_dprint_lz (pk_params.params[2], d); - if (ret < 0) - { - gnutls_assert (); - goto error; - } - - /* P */ - ret = _gnutls_mpi_dprint_lz (pk_params.params[3], p); - if (ret < 0) - { - gnutls_assert (); - goto error; - } - - /* Q */ - ret = _gnutls_mpi_dprint_lz (pk_params.params[4], q); - if (ret < 0) - { - gnutls_assert (); - goto error; - } - - /* U */ - ret = _gnutls_mpi_dprint_lz (key->params.params[5], u); - if (ret < 0) - { - gnutls_assert (); - goto error; - } - - /* E1 */ - if (e1) - { - ret = _gnutls_mpi_dprint_lz (key->params.params[6], e1); - if (ret < 0) - { - gnutls_assert (); - goto error; - } - } - - /* E2 */ - if (e2) - { - ret = _gnutls_mpi_dprint_lz (key->params.params[7], e2); - if (ret < 0) - { - gnutls_assert (); - goto error; - } - } - - gnutls_pk_params_clear(&pk_params); - gnutls_pk_params_release (&pk_params); - - return 0; - -error: - _gnutls_free_datum (m); - _gnutls_free_datum (d); - _gnutls_free_datum (e); - _gnutls_free_datum (p); - _gnutls_free_datum (q); - gnutls_pk_params_clear(&pk_params); - gnutls_pk_params_release (&pk_params); - - return ret; + int ret; + gnutls_pk_params_st pk_params; + + gnutls_pk_params_init(&pk_params); + + if (key == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + m->data = e->data = d->data = p->data = q->data = u->data = NULL; + m->size = e->size = d->size = p->size = q->size = u->size = 0; + + ret = _gnutls_pk_params_copy(&pk_params, &key->params); + if (ret < 0) { + gnutls_assert(); + return ret; + } + + ret = _gnutls_pk_fixup(GNUTLS_PK_RSA, GNUTLS_EXPORT, &pk_params); + if (ret < 0) { + gnutls_assert(); + goto error; + } + + ret = _gnutls_mpi_dprint_lz(pk_params.params[0], m); + if (ret < 0) { + gnutls_assert(); + goto error; + } + + /* E */ + ret = _gnutls_mpi_dprint_lz(pk_params.params[1], e); + if (ret < 0) { + gnutls_assert(); + goto error; + } + + /* D */ + ret = _gnutls_mpi_dprint_lz(pk_params.params[2], d); + if (ret < 0) { + gnutls_assert(); + goto error; + } + + /* P */ + ret = _gnutls_mpi_dprint_lz(pk_params.params[3], p); + if (ret < 0) { + gnutls_assert(); + goto error; + } + + /* Q */ + ret = _gnutls_mpi_dprint_lz(pk_params.params[4], q); + if (ret < 0) { + gnutls_assert(); + goto error; + } + + /* U */ + ret = _gnutls_mpi_dprint_lz(key->params.params[5], u); + if (ret < 0) { + gnutls_assert(); + goto error; + } + + /* E1 */ + if (e1) { + ret = _gnutls_mpi_dprint_lz(key->params.params[6], e1); + if (ret < 0) { + gnutls_assert(); + goto error; + } + } + + /* E2 */ + if (e2) { + ret = _gnutls_mpi_dprint_lz(key->params.params[7], e2); + if (ret < 0) { + gnutls_assert(); + goto error; + } + } + + gnutls_pk_params_clear(&pk_params); + gnutls_pk_params_release(&pk_params); + + return 0; + + error: + _gnutls_free_datum(m); + _gnutls_free_datum(d); + _gnutls_free_datum(e); + _gnutls_free_datum(p); + _gnutls_free_datum(q); + gnutls_pk_params_clear(&pk_params); + gnutls_pk_params_release(&pk_params); + + return ret; } /** @@ -1422,72 +1386,66 @@ error: * negative error value. **/ int -gnutls_x509_privkey_export_dsa_raw (gnutls_x509_privkey_t key, - gnutls_datum_t * p, gnutls_datum_t * q, - gnutls_datum_t * g, gnutls_datum_t * y, - gnutls_datum_t * x) +gnutls_x509_privkey_export_dsa_raw(gnutls_x509_privkey_t key, + gnutls_datum_t * p, gnutls_datum_t * q, + gnutls_datum_t * g, gnutls_datum_t * y, + gnutls_datum_t * x) { - int ret; - - if (key == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - /* P */ - ret = _gnutls_mpi_dprint_lz (key->params.params[0], p); - if (ret < 0) - { - gnutls_assert (); - return ret; - } - - /* Q */ - ret = _gnutls_mpi_dprint_lz (key->params.params[1], q); - if (ret < 0) - { - gnutls_assert (); - _gnutls_free_datum (p); - return ret; - } - - - /* G */ - ret = _gnutls_mpi_dprint_lz (key->params.params[2], g); - if (ret < 0) - { - gnutls_assert (); - _gnutls_free_datum (p); - _gnutls_free_datum (q); - return ret; - } - - - /* Y */ - ret = _gnutls_mpi_dprint_lz (key->params.params[3], y); - if (ret < 0) - { - gnutls_assert (); - _gnutls_free_datum (p); - _gnutls_free_datum (g); - _gnutls_free_datum (q); - return ret; - } - - /* X */ - ret = _gnutls_mpi_dprint_lz (key->params.params[4], x); - if (ret < 0) - { - gnutls_assert (); - _gnutls_free_datum (y); - _gnutls_free_datum (p); - _gnutls_free_datum (g); - _gnutls_free_datum (q); - return ret; - } - - return 0; + int ret; + + if (key == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + /* P */ + ret = _gnutls_mpi_dprint_lz(key->params.params[0], p); + if (ret < 0) { + gnutls_assert(); + return ret; + } + + /* Q */ + ret = _gnutls_mpi_dprint_lz(key->params.params[1], q); + if (ret < 0) { + gnutls_assert(); + _gnutls_free_datum(p); + return ret; + } + + + /* G */ + ret = _gnutls_mpi_dprint_lz(key->params.params[2], g); + if (ret < 0) { + gnutls_assert(); + _gnutls_free_datum(p); + _gnutls_free_datum(q); + return ret; + } + + + /* Y */ + ret = _gnutls_mpi_dprint_lz(key->params.params[3], y); + if (ret < 0) { + gnutls_assert(); + _gnutls_free_datum(p); + _gnutls_free_datum(g); + _gnutls_free_datum(q); + return ret; + } + + /* X */ + ret = _gnutls_mpi_dprint_lz(key->params.params[4], x); + if (ret < 0) { + gnutls_assert(); + _gnutls_free_datum(y); + _gnutls_free_datum(p); + _gnutls_free_datum(g); + _gnutls_free_datum(q); + return ret; + } + + return 0; } /** @@ -1510,51 +1468,47 @@ gnutls_x509_privkey_export_dsa_raw (gnutls_x509_privkey_t key, * negative error value. **/ int -gnutls_x509_privkey_generate (gnutls_x509_privkey_t key, - gnutls_pk_algorithm_t algo, unsigned int bits, - unsigned int flags) +gnutls_x509_privkey_generate(gnutls_x509_privkey_t key, + gnutls_pk_algorithm_t algo, unsigned int bits, + unsigned int flags) { - int ret; - - if (key == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - gnutls_pk_params_init(&key->params); - - if (algo == GNUTLS_PK_EC) - { - if (GNUTLS_BITS_ARE_CURVE(bits)) - bits = GNUTLS_BITS_TO_CURVE(bits); - else - bits = _gnutls_ecc_bits_to_curve(bits); - } - - ret = _gnutls_pk_generate (algo, bits, &key->params); - if (ret < 0) - { - gnutls_assert (); - return ret; - } - - ret = _gnutls_asn1_encode_privkey (algo, &key->key, &key->params); - if (ret < 0) - { - gnutls_assert (); - goto cleanup; - } - key->pk_algorithm = algo; - - return 0; - -cleanup: - key->pk_algorithm = GNUTLS_PK_UNKNOWN; - gnutls_pk_params_clear(&key->params); - gnutls_pk_params_release(&key->params); - - return ret; + int ret; + + if (key == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + gnutls_pk_params_init(&key->params); + + if (algo == GNUTLS_PK_EC) { + if (GNUTLS_BITS_ARE_CURVE(bits)) + bits = GNUTLS_BITS_TO_CURVE(bits); + else + bits = _gnutls_ecc_bits_to_curve(bits); + } + + ret = _gnutls_pk_generate(algo, bits, &key->params); + if (ret < 0) { + gnutls_assert(); + return ret; + } + + ret = _gnutls_asn1_encode_privkey(algo, &key->key, &key->params); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + key->pk_algorithm = algo; + + return 0; + + cleanup: + key->pk_algorithm = GNUTLS_PK_UNKNOWN; + gnutls_pk_params_clear(&key->params); + gnutls_pk_params_release(&key->params); + + return ret; } /** @@ -1566,19 +1520,17 @@ cleanup: * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a * negative error value. **/ -int -gnutls_x509_privkey_verify_params (gnutls_x509_privkey_t key) +int gnutls_x509_privkey_verify_params(gnutls_x509_privkey_t key) { - int ret; + int ret; - ret = _gnutls_pk_verify_params (key->pk_algorithm, &key->params); - if (ret < 0) - { - gnutls_assert (); - return ret; - } + ret = _gnutls_pk_verify_params(key->pk_algorithm, &key->params); + if (ret < 0) { + gnutls_assert(); + return ret; + } - return 0; + return 0; } /** @@ -1602,26 +1554,26 @@ gnutls_x509_privkey_verify_params (gnutls_x509_privkey_t key) * negative error value. **/ int -gnutls_x509_privkey_get_key_id (gnutls_x509_privkey_t key, - unsigned int flags, - unsigned char *output_data, - size_t * output_data_size) +gnutls_x509_privkey_get_key_id(gnutls_x509_privkey_t key, + unsigned int flags, + unsigned char *output_data, + size_t * output_data_size) { - int ret; + int ret; - if (key == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } + if (key == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - ret = _gnutls_get_key_id(key->pk_algorithm, &key->params, output_data, output_data_size); - if (ret < 0) - { - gnutls_assert (); - } + ret = + _gnutls_get_key_id(key->pk_algorithm, &key->params, + output_data, output_data_size); + if (ret < 0) { + gnutls_assert(); + } - return ret; + return ret; } @@ -1648,44 +1600,43 @@ gnutls_x509_privkey_get_key_id (gnutls_x509_privkey_t key, * negative error value. -*/ static int -_gnutls_x509_privkey_sign_hash2 (gnutls_x509_privkey_t signer, - const mac_entry_st *me, - unsigned int flags, - const gnutls_datum_t * hash_data, - gnutls_datum_t * signature) +_gnutls_x509_privkey_sign_hash2(gnutls_x509_privkey_t signer, + const mac_entry_st * me, + unsigned int flags, + const gnutls_datum_t * hash_data, + gnutls_datum_t * signature) { - int ret; - gnutls_datum_t digest; - - digest.data = gnutls_malloc (hash_data->size); - if (digest.data == NULL) - { - gnutls_assert (); - return GNUTLS_E_MEMORY_ERROR; - } - digest.size = hash_data->size; - memcpy (digest.data, hash_data->data, digest.size); - - ret = pk_prepare_hash (signer->pk_algorithm, me, &digest); - if (ret < 0) - { - gnutls_assert (); - goto cleanup; - } - - ret = _gnutls_pk_sign (signer->pk_algorithm, signature, &digest, &signer->params); - - if (ret < 0) - { - gnutls_assert (); - goto cleanup; - } - - ret = 0; - -cleanup: - _gnutls_free_datum (&digest); - return ret; + int ret; + gnutls_datum_t digest; + + digest.data = gnutls_malloc(hash_data->size); + if (digest.data == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + digest.size = hash_data->size; + memcpy(digest.data, hash_data->data, digest.size); + + ret = pk_prepare_hash(signer->pk_algorithm, me, &digest); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + + ret = + _gnutls_pk_sign(signer->pk_algorithm, signature, &digest, + &signer->params); + + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + + ret = 0; + + cleanup: + _gnutls_free_datum(&digest); + return ret; } /** @@ -1705,27 +1656,27 @@ cleanup: * Deprecated in: 2.12.0 */ int -gnutls_x509_privkey_sign_hash (gnutls_x509_privkey_t key, - const gnutls_datum_t * hash, - gnutls_datum_t * signature) +gnutls_x509_privkey_sign_hash(gnutls_x509_privkey_t key, + const gnutls_datum_t * hash, + gnutls_datum_t * signature) { - int result; + int result; - if (key == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } + if (key == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - result = _gnutls_pk_sign (key->pk_algorithm, signature, hash, &key->params); + result = + _gnutls_pk_sign(key->pk_algorithm, signature, hash, + &key->params); - if (result < 0) - { - gnutls_assert (); - return result; - } + if (result < 0) { + gnutls_assert(); + return result; + } - return 0; + return 0; } /** @@ -1756,55 +1707,51 @@ gnutls_x509_privkey_sign_hash (gnutls_x509_privkey_t key, * Deprecated: Use gnutls_privkey_sign_data(). */ int -gnutls_x509_privkey_sign_data (gnutls_x509_privkey_t key, - gnutls_digest_algorithm_t digest, - unsigned int flags, - const gnutls_datum_t * data, - void *signature, size_t * signature_size) +gnutls_x509_privkey_sign_data(gnutls_x509_privkey_t key, + gnutls_digest_algorithm_t digest, + unsigned int flags, + const gnutls_datum_t * data, + void *signature, size_t * signature_size) { - int result; - gnutls_datum_t sig = { NULL, 0 }; - gnutls_datum_t hash; - const mac_entry_st *me = mac_to_entry(digest); - - if (key == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - result = - pk_hash_data (key->pk_algorithm, me, &key->params, data, &hash); - if (result < 0) - { - gnutls_assert (); - return result; - } - - result = - _gnutls_x509_privkey_sign_hash2 (key, me, flags, &hash, &sig); - - _gnutls_free_datum(&hash); - - if (result < 0) - { - gnutls_assert (); - return result; - } - - if (*signature_size < sig.size) - { - *signature_size = sig.size; - _gnutls_free_datum (&sig); - return GNUTLS_E_SHORT_MEMORY_BUFFER; - } - - *signature_size = sig.size; - memcpy (signature, sig.data, sig.size); - - _gnutls_free_datum (&sig); - - return 0; + int result; + gnutls_datum_t sig = { NULL, 0 }; + gnutls_datum_t hash; + const mac_entry_st *me = mac_to_entry(digest); + + if (key == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + result = + pk_hash_data(key->pk_algorithm, me, &key->params, data, &hash); + if (result < 0) { + gnutls_assert(); + return result; + } + + result = + _gnutls_x509_privkey_sign_hash2(key, me, flags, &hash, &sig); + + _gnutls_free_datum(&hash); + + if (result < 0) { + gnutls_assert(); + return result; + } + + if (*signature_size < sig.size) { + *signature_size = sig.size; + _gnutls_free_datum(&sig); + return GNUTLS_E_SHORT_MEMORY_BUFFER; + } + + *signature_size = sig.size; + memcpy(signature, sig.data, sig.size); + + _gnutls_free_datum(&sig); + + return 0; } @@ -1818,26 +1765,24 @@ gnutls_x509_privkey_sign_data (gnutls_x509_privkey_t key, * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a * negative error value. **/ -int -gnutls_x509_privkey_fix (gnutls_x509_privkey_t key) +int gnutls_x509_privkey_fix(gnutls_x509_privkey_t key) { - int ret; + int ret; - if (key == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } + if (key == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - asn1_delete_structure (&key->key); + asn1_delete_structure(&key->key); - ret = _gnutls_asn1_encode_privkey (key->pk_algorithm, &key->key, &key->params); - if (ret < 0) - { - gnutls_assert (); - return ret; - } + ret = + _gnutls_asn1_encode_privkey(key->pk_algorithm, &key->key, + &key->params); + if (ret < 0) { + gnutls_assert(); + return ret; + } - return 0; + return 0; } - diff --git a/lib/x509/privkey_openssl.c b/lib/x509/privkey_openssl.c index 396020e1af..9c0db45a55 100644 --- a/lib/x509/privkey_openssl.c +++ b/lib/x509/privkey_openssl.c @@ -35,76 +35,69 @@ #include <pbkdf2-sha1.h> static int -openssl_hash_password (const char *pass, gnutls_datum_t * key, gnutls_datum_t * salt) +openssl_hash_password(const char *pass, gnutls_datum_t * key, + gnutls_datum_t * salt) { - unsigned char md5[16]; - gnutls_hash_hd_t hash; - unsigned int count = 0; - int err; - - while (count < key->size) - { - err = gnutls_hash_init (&hash, GNUTLS_DIG_MD5); - if (err) - { - gnutls_assert (); - return err; - } - if (count) - { - err = gnutls_hash (hash, md5, sizeof (md5)); - if (err) - { - hash_err: - gnutls_hash_deinit (hash, NULL); - gnutls_assert(); - return err; - } - } - if (pass) - { - err = gnutls_hash (hash, pass, strlen (pass)); - if (err) - { - gnutls_assert(); - goto hash_err; - } - } - err = gnutls_hash (hash, salt->data, 8); - if (err) - { - gnutls_assert(); - goto hash_err; - } - - gnutls_hash_deinit (hash, md5); - - if (key->size - count <= sizeof (md5)) - { - memcpy (&key->data[count], md5, key->size - count); - break; - } - - memcpy (&key->data[count], md5, sizeof (md5)); - count += sizeof (md5); - } - - return 0; + unsigned char md5[16]; + gnutls_hash_hd_t hash; + unsigned int count = 0; + int err; + + while (count < key->size) { + err = gnutls_hash_init(&hash, GNUTLS_DIG_MD5); + if (err) { + gnutls_assert(); + return err; + } + if (count) { + err = gnutls_hash(hash, md5, sizeof(md5)); + if (err) { + hash_err: + gnutls_hash_deinit(hash, NULL); + gnutls_assert(); + return err; + } + } + if (pass) { + err = gnutls_hash(hash, pass, strlen(pass)); + if (err) { + gnutls_assert(); + goto hash_err; + } + } + err = gnutls_hash(hash, salt->data, 8); + if (err) { + gnutls_assert(); + goto hash_err; + } + + gnutls_hash_deinit(hash, md5); + + if (key->size - count <= sizeof(md5)) { + memcpy(&key->data[count], md5, key->size - count); + break; + } + + memcpy(&key->data[count], md5, sizeof(md5)); + count += sizeof(md5); + } + + return 0; } static const struct pem_cipher { - const char *name; - gnutls_cipher_algorithm_t cipher; + const char *name; + gnutls_cipher_algorithm_t cipher; } pem_ciphers[] = { - { "DES-CBC", GNUTLS_CIPHER_DES_CBC }, - { "DES-EDE3-CBC", GNUTLS_CIPHER_3DES_CBC }, - { "AES-128-CBC", GNUTLS_CIPHER_AES_128_CBC }, - { "AES-192-CBC", GNUTLS_CIPHER_AES_192_CBC }, - { "AES-256-CBC", GNUTLS_CIPHER_AES_256_CBC }, - { "CAMELLIA-128-CBC", GNUTLS_CIPHER_CAMELLIA_128_CBC }, - { "CAMELLIA-192-CBC", GNUTLS_CIPHER_CAMELLIA_192_CBC }, - { "CAMELLIA-256-CBC", GNUTLS_CIPHER_CAMELLIA_256_CBC }, -}; + { + "DES-CBC", GNUTLS_CIPHER_DES_CBC}, { + "DES-EDE3-CBC", GNUTLS_CIPHER_3DES_CBC}, { + "AES-128-CBC", GNUTLS_CIPHER_AES_128_CBC}, { + "AES-192-CBC", GNUTLS_CIPHER_AES_192_CBC}, { + "AES-256-CBC", GNUTLS_CIPHER_AES_256_CBC}, { + "CAMELLIA-128-CBC", GNUTLS_CIPHER_CAMELLIA_128_CBC}, { + "CAMELLIA-192-CBC", GNUTLS_CIPHER_CAMELLIA_192_CBC}, { +"CAMELLIA-256-CBC", GNUTLS_CIPHER_CAMELLIA_256_CBC},}; /** * gnutls_x509_privkey_import_openssl: @@ -126,224 +119,211 @@ static const struct pem_cipher { * negative error value. **/ int -gnutls_x509_privkey_import_openssl (gnutls_x509_privkey_t key, - const gnutls_datum_t *data, const char* password) +gnutls_x509_privkey_import_openssl(gnutls_x509_privkey_t key, + const gnutls_datum_t * data, + const char *password) { - gnutls_cipher_hd_t handle; - gnutls_cipher_algorithm_t cipher = GNUTLS_CIPHER_UNKNOWN; - gnutls_datum_t b64_data; - gnutls_datum_t salt, enc_key; - unsigned char *key_data; - const char *pem_header = (void*)data->data; - const char *pem_header_start = (void*)data->data; - ssize_t pem_header_size; - int ret; - unsigned int i, iv_size, l; - - pem_header_size = data->size; - - pem_header = memmem(pem_header, pem_header_size, "PRIVATE KEY---", 14); - if (pem_header == NULL) - { - gnutls_assert(); - return GNUTLS_E_PARSING_ERROR; - } - - pem_header_size -= (ptrdiff_t)(pem_header-pem_header_start); - - pem_header = memmem(pem_header, pem_header_size, "DEK-Info: ", 10); - if (pem_header == NULL) - { - gnutls_assert(); - return GNUTLS_E_PARSING_ERROR; - } - - pem_header_size = data->size - (ptrdiff_t)(pem_header-pem_header_start) - 10; - pem_header += 10; - - for (i = 0; i < sizeof(pem_ciphers)/sizeof(pem_ciphers[0]); i++) - { - l = strlen(pem_ciphers[i].name); - if (!strncmp(pem_header, pem_ciphers[i].name, l) && - pem_header[l] == ',') - { - pem_header += l + 1; - cipher = pem_ciphers[i].cipher; - break; - } - } - - if (cipher == GNUTLS_CIPHER_UNKNOWN) - { - _gnutls_debug_log ("Unsupported PEM encryption type: %.10s\n", pem_header); - gnutls_assert(); - return GNUTLS_E_INVALID_REQUEST; - } - - iv_size = gnutls_cipher_get_iv_size(cipher); - salt.size = iv_size; - salt.data = gnutls_malloc (salt.size); - if (!salt.data) - return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); - - for (i = 0; i < salt.size * 2; i++) - { - unsigned char x; - const char *c = &pem_header[i]; - - if (*c >= '0' && *c <= '9') - x = (*c) - '0'; - else if (*c >= 'A' && *c <= 'F') - x = (*c) - 'A' + 10; - else - { - gnutls_assert(); - /* Invalid salt in encrypted PEM file */ - ret = GNUTLS_E_INVALID_REQUEST; - goto out_salt; - } - if (i & 1) - salt.data[i / 2] |= x; - else - salt.data[i / 2] = x << 4; - } - - pem_header += salt.size * 2; - if (*pem_header != '\r' && *pem_header != '\n') - { - gnutls_assert(); - ret = GNUTLS_E_INVALID_REQUEST; - goto out_salt; - } - while (*pem_header == '\n' || *pem_header == '\r') - pem_header++; - - ret = _gnutls_base64_decode((const void*)pem_header, pem_header_size, &b64_data); - if (ret < 0) - { - gnutls_assert(); - goto out_salt; - } - - if (b64_data.size < 16) - { - /* Just to be sure our parsing is OK */ - gnutls_assert(); - ret = GNUTLS_E_PARSING_ERROR; - goto out_b64; - } - - ret = GNUTLS_E_MEMORY_ERROR; - enc_key.size = gnutls_cipher_get_key_size (cipher); - enc_key.data = gnutls_malloc (enc_key.size); - if (!enc_key.data) - { - ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); - goto out_b64; - } - - key_data = gnutls_malloc (b64_data.size); - if (!key_data) - { - ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); - goto out_enc_key; - } - - while (1) - { - memcpy (key_data, b64_data.data, b64_data.size); - - ret = openssl_hash_password (password, &enc_key, &salt); - if (ret < 0) - { - gnutls_assert(); - goto out; - } - - ret = gnutls_cipher_init (&handle, cipher, &enc_key, &salt); - if (ret < 0) - { - gnutls_assert(); - gnutls_cipher_deinit (handle); - goto out; - } - - ret = gnutls_cipher_decrypt (handle, key_data, b64_data.size); - gnutls_cipher_deinit (handle); - - if (ret < 0) - { - gnutls_assert(); - goto out; - } - - /* We have to strip any padding to accept it. - So a bit more ASN.1 parsing for us.*/ - if (key_data[0] == 0x30) - { - gnutls_datum_t key_datum; - unsigned int blocksize = gnutls_cipher_get_block_size (cipher); - unsigned int keylen = key_data[1]; - unsigned int ofs = 2; - - if (keylen & 0x80) - { - int lenlen = keylen & 0x7f; - keylen = 0; - - if (lenlen > 3) - { - gnutls_assert(); - goto fail; - } - - while (lenlen) - { - keylen <<= 8; - keylen |= key_data[ofs++]; - lenlen--; - } - } - keylen += ofs; - - /* If there appears to be more padding than required, fail */ - if (b64_data.size - keylen > blocksize) - { - gnutls_assert(); - goto fail; - } - - /* If the padding bytes aren't all equal to the amount of padding, fail */ - ofs = keylen; - while (ofs < b64_data.size) - { - if (key_data[ofs] != b64_data.size - keylen) - { - gnutls_assert(); - goto fail; - } - ofs++; - } - - key_datum.data = key_data; - key_datum.size = keylen; - ret = - gnutls_x509_privkey_import (key, &key_datum, - GNUTLS_X509_FMT_DER); - if (ret == 0) - goto out; - } - fail: - ret = GNUTLS_E_DECRYPTION_FAILED; - goto out; - } -out: - gnutls_free (key_data); -out_enc_key: - gnutls_free (enc_key.data); -out_b64: - gnutls_free (b64_data.data); -out_salt: - gnutls_free (salt.data); - return ret; + gnutls_cipher_hd_t handle; + gnutls_cipher_algorithm_t cipher = GNUTLS_CIPHER_UNKNOWN; + gnutls_datum_t b64_data; + gnutls_datum_t salt, enc_key; + unsigned char *key_data; + const char *pem_header = (void *) data->data; + const char *pem_header_start = (void *) data->data; + ssize_t pem_header_size; + int ret; + unsigned int i, iv_size, l; + + pem_header_size = data->size; + + pem_header = + memmem(pem_header, pem_header_size, "PRIVATE KEY---", 14); + if (pem_header == NULL) { + gnutls_assert(); + return GNUTLS_E_PARSING_ERROR; + } + + pem_header_size -= (ptrdiff_t) (pem_header - pem_header_start); + + pem_header = memmem(pem_header, pem_header_size, "DEK-Info: ", 10); + if (pem_header == NULL) { + gnutls_assert(); + return GNUTLS_E_PARSING_ERROR; + } + + pem_header_size = + data->size - (ptrdiff_t) (pem_header - pem_header_start) - 10; + pem_header += 10; + + for (i = 0; i < sizeof(pem_ciphers) / sizeof(pem_ciphers[0]); i++) { + l = strlen(pem_ciphers[i].name); + if (!strncmp(pem_header, pem_ciphers[i].name, l) && + pem_header[l] == ',') { + pem_header += l + 1; + cipher = pem_ciphers[i].cipher; + break; + } + } + + if (cipher == GNUTLS_CIPHER_UNKNOWN) { + _gnutls_debug_log + ("Unsupported PEM encryption type: %.10s\n", + pem_header); + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + iv_size = gnutls_cipher_get_iv_size(cipher); + salt.size = iv_size; + salt.data = gnutls_malloc(salt.size); + if (!salt.data) + return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); + + for (i = 0; i < salt.size * 2; i++) { + unsigned char x; + const char *c = &pem_header[i]; + + if (*c >= '0' && *c <= '9') + x = (*c) - '0'; + else if (*c >= 'A' && *c <= 'F') + x = (*c) - 'A' + 10; + else { + gnutls_assert(); + /* Invalid salt in encrypted PEM file */ + ret = GNUTLS_E_INVALID_REQUEST; + goto out_salt; + } + if (i & 1) + salt.data[i / 2] |= x; + else + salt.data[i / 2] = x << 4; + } + + pem_header += salt.size * 2; + if (*pem_header != '\r' && *pem_header != '\n') { + gnutls_assert(); + ret = GNUTLS_E_INVALID_REQUEST; + goto out_salt; + } + while (*pem_header == '\n' || *pem_header == '\r') + pem_header++; + + ret = + _gnutls_base64_decode((const void *) pem_header, + pem_header_size, &b64_data); + if (ret < 0) { + gnutls_assert(); + goto out_salt; + } + + if (b64_data.size < 16) { + /* Just to be sure our parsing is OK */ + gnutls_assert(); + ret = GNUTLS_E_PARSING_ERROR; + goto out_b64; + } + + ret = GNUTLS_E_MEMORY_ERROR; + enc_key.size = gnutls_cipher_get_key_size(cipher); + enc_key.data = gnutls_malloc(enc_key.size); + if (!enc_key.data) { + ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); + goto out_b64; + } + + key_data = gnutls_malloc(b64_data.size); + if (!key_data) { + ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); + goto out_enc_key; + } + + while (1) { + memcpy(key_data, b64_data.data, b64_data.size); + + ret = openssl_hash_password(password, &enc_key, &salt); + if (ret < 0) { + gnutls_assert(); + goto out; + } + + ret = gnutls_cipher_init(&handle, cipher, &enc_key, &salt); + if (ret < 0) { + gnutls_assert(); + gnutls_cipher_deinit(handle); + goto out; + } + + ret = + gnutls_cipher_decrypt(handle, key_data, b64_data.size); + gnutls_cipher_deinit(handle); + + if (ret < 0) { + gnutls_assert(); + goto out; + } + + /* We have to strip any padding to accept it. + So a bit more ASN.1 parsing for us. */ + if (key_data[0] == 0x30) { + gnutls_datum_t key_datum; + unsigned int blocksize = + gnutls_cipher_get_block_size(cipher); + unsigned int keylen = key_data[1]; + unsigned int ofs = 2; + + if (keylen & 0x80) { + int lenlen = keylen & 0x7f; + keylen = 0; + + if (lenlen > 3) { + gnutls_assert(); + goto fail; + } + + while (lenlen) { + keylen <<= 8; + keylen |= key_data[ofs++]; + lenlen--; + } + } + keylen += ofs; + + /* If there appears to be more padding than required, fail */ + if (b64_data.size - keylen > blocksize) { + gnutls_assert(); + goto fail; + } + + /* If the padding bytes aren't all equal to the amount of padding, fail */ + ofs = keylen; + while (ofs < b64_data.size) { + if (key_data[ofs] != + b64_data.size - keylen) { + gnutls_assert(); + goto fail; + } + ofs++; + } + + key_datum.data = key_data; + key_datum.size = keylen; + ret = + gnutls_x509_privkey_import(key, &key_datum, + GNUTLS_X509_FMT_DER); + if (ret == 0) + goto out; + } + fail: + ret = GNUTLS_E_DECRYPTION_FAILED; + goto out; + } + out: + gnutls_free(key_data); + out_enc_key: + gnutls_free(enc_key.data); + out_b64: + gnutls_free(b64_data.data); + out_salt: + gnutls_free(salt.data); + return ret; } diff --git a/lib/x509/privkey_pkcs8.c b/lib/x509/privkey_pkcs8.c index c861264721..252742ea2e 100644 --- a/lib/x509/privkey_pkcs8.c +++ b/lib/x509/privkey_pkcs8.c @@ -34,7 +34,8 @@ #include <random.h> #include <pbkdf2-sha1.h> -static int _decode_pkcs8_ecc_key (ASN1_TYPE pkcs8_asn, gnutls_x509_privkey_t pkey); +static int _decode_pkcs8_ecc_key(ASN1_TYPE pkcs8_asn, + gnutls_x509_privkey_t pkey); #define PBES2_OID "1.2.840.113549.1.5.13" #define PBKDF2_OID "1.2.840.113549.1.5.12" @@ -49,50 +50,48 @@ static int _decode_pkcs8_ecc_key (ASN1_TYPE pkcs8_asn, gnutls_x509_privkey_t pke #define PKCS12_PBE_ARCFOUR_SHA1_OID "1.2.840.113549.1.12.1.1" #define PKCS12_PBE_RC2_40_SHA1_OID "1.2.840.113549.1.12.1.6" -struct pbkdf2_params -{ - uint8_t salt[32]; - int salt_size; - unsigned int iter_count; - unsigned int key_size; +struct pbkdf2_params { + uint8_t salt[32]; + int salt_size; + unsigned int iter_count; + unsigned int key_size; }; -struct pbe_enc_params -{ - gnutls_cipher_algorithm_t cipher; - uint8_t iv[MAX_CIPHER_BLOCK_SIZE]; - int iv_size; +struct pbe_enc_params { + gnutls_cipher_algorithm_t cipher; + uint8_t iv[MAX_CIPHER_BLOCK_SIZE]; + int iv_size; }; -static int generate_key (schema_id schema, const char *password, - struct pbkdf2_params *kdf_params, - struct pbe_enc_params *enc_params, - gnutls_datum_t * key); -static int read_pbkdf2_params (ASN1_TYPE pbes2_asn, - const gnutls_datum_t * der, - struct pbkdf2_params *params); -static int read_pbe_enc_params (ASN1_TYPE pbes2_asn, - const gnutls_datum_t * der, - struct pbe_enc_params *params); -static int decrypt_data (schema_id, ASN1_TYPE pkcs8_asn, const char *root, - const char *password, - const struct pbkdf2_params *kdf_params, - const struct pbe_enc_params *enc_params, - gnutls_datum_t * decrypted_data); -static int decode_private_key_info (const gnutls_datum_t * der, - gnutls_x509_privkey_t pkey); -static int write_schema_params (schema_id schema, ASN1_TYPE pkcs8_asn, - const char *where, - const struct pbkdf2_params *kdf_params, - const struct pbe_enc_params *enc_params); -static int encrypt_data (const gnutls_datum_t * plain, - const struct pbe_enc_params *enc_params, - gnutls_datum_t * key, gnutls_datum_t * encrypted); - -static int read_pkcs12_kdf_params (ASN1_TYPE pbes2_asn, - struct pbkdf2_params *params); -static int write_pkcs12_kdf_params (ASN1_TYPE pbes2_asn, - const struct pbkdf2_params *params); +static int generate_key(schema_id schema, const char *password, + struct pbkdf2_params *kdf_params, + struct pbe_enc_params *enc_params, + gnutls_datum_t * key); +static int read_pbkdf2_params(ASN1_TYPE pbes2_asn, + const gnutls_datum_t * der, + struct pbkdf2_params *params); +static int read_pbe_enc_params(ASN1_TYPE pbes2_asn, + const gnutls_datum_t * der, + struct pbe_enc_params *params); +static int decrypt_data(schema_id, ASN1_TYPE pkcs8_asn, const char *root, + const char *password, + const struct pbkdf2_params *kdf_params, + const struct pbe_enc_params *enc_params, + gnutls_datum_t * decrypted_data); +static int decode_private_key_info(const gnutls_datum_t * der, + gnutls_x509_privkey_t pkey); +static int write_schema_params(schema_id schema, ASN1_TYPE pkcs8_asn, + const char *where, + const struct pbkdf2_params *kdf_params, + const struct pbe_enc_params *enc_params); +static int encrypt_data(const gnutls_datum_t * plain, + const struct pbe_enc_params *enc_params, + gnutls_datum_t * key, gnutls_datum_t * encrypted); + +static int read_pkcs12_kdf_params(ASN1_TYPE pbes2_asn, + struct pbkdf2_params *params); +static int write_pkcs12_kdf_params(ASN1_TYPE pbes2_asn, + const struct pbkdf2_params *params); #define PEM_PKCS8 "ENCRYPTED PRIVATE KEY" #define PEM_UNENCRYPTED_PKCS8 "PRIVATE KEY" @@ -100,25 +99,25 @@ static int write_pkcs12_kdf_params (ASN1_TYPE pbes2_asn, /* Returns a negative error code if the encryption schema in * the OID is not supported. The schema ID is returned. */ -static int -check_schema (const char *oid) +static int check_schema(const char *oid) { - if (strcmp (oid, PBES2_OID) == 0) - return PBES2_GENERIC; /* ok */ + if (strcmp(oid, PBES2_OID) == 0) + return PBES2_GENERIC; /* ok */ - if (strcmp (oid, PKCS12_PBE_3DES_SHA1_OID) == 0) - return PKCS12_3DES_SHA1; + if (strcmp(oid, PKCS12_PBE_3DES_SHA1_OID) == 0) + return PKCS12_3DES_SHA1; - if (strcmp (oid, PKCS12_PBE_ARCFOUR_SHA1_OID) == 0) - return PKCS12_ARCFOUR_SHA1; + if (strcmp(oid, PKCS12_PBE_ARCFOUR_SHA1_OID) == 0) + return PKCS12_ARCFOUR_SHA1; - if (strcmp (oid, PKCS12_PBE_RC2_40_SHA1_OID) == 0) - return PKCS12_RC2_40_SHA1; + if (strcmp(oid, PKCS12_PBE_RC2_40_SHA1_OID) == 0) + return PKCS12_RC2_40_SHA1; - _gnutls_debug_log ("PKCS encryption schema OID '%s' is unsupported.\n", oid); + _gnutls_debug_log + ("PKCS encryption schema OID '%s' is unsupported.\n", oid); - return GNUTLS_E_UNKNOWN_CIPHER_TYPE; + return GNUTLS_E_UNKNOWN_CIPHER_TYPE; } /* Encodes a private key to the raw format PKCS #8 needs. @@ -126,82 +125,80 @@ check_schema (const char *oid) * an ASN.1 INTEGER of the x value. */ inline static int -_encode_privkey (gnutls_x509_privkey_t pkey, gnutls_datum_t * raw) +_encode_privkey(gnutls_x509_privkey_t pkey, gnutls_datum_t * raw) { - size_t size = 0; - uint8_t *data = NULL; - int ret; - ASN1_TYPE spk = ASN1_TYPE_EMPTY; - - switch (pkey->pk_algorithm) - { - case GNUTLS_PK_RSA: - case GNUTLS_PK_EC: - ret = - gnutls_x509_privkey_export (pkey, GNUTLS_X509_FMT_DER, NULL, &size); - if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER) - { - gnutls_assert (); - goto error; - } - - data = gnutls_malloc (size); - if (data == NULL) - { - gnutls_assert (); - ret = GNUTLS_E_MEMORY_ERROR; - goto error; - } - - - ret = - gnutls_x509_privkey_export (pkey, GNUTLS_X509_FMT_DER, data, &size); - if (ret < 0) - { - gnutls_assert (); - goto error; - } - - raw->data = data; - raw->size = size; - break; - case GNUTLS_PK_DSA: - /* DSAPublicKey == INTEGER */ - if ((ret = asn1_create_element - (_gnutls_get_gnutls_asn (), "GNUTLS.DSAPublicKey", &spk)) - != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (ret); - } - - ret = _gnutls_x509_write_int (spk, "", pkey->params.params[4], 1); - if (ret < 0) - { - gnutls_assert (); - goto error; - } - ret = _gnutls_x509_der_encode (spk, "", raw, 0); - if (ret < 0) - { - gnutls_assert (); - goto error; - } - - asn1_delete_structure (&spk); - break; - - default: - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - return 0; - -error: - gnutls_free (data); - asn1_delete_structure (&spk); - return ret; + size_t size = 0; + uint8_t *data = NULL; + int ret; + ASN1_TYPE spk = ASN1_TYPE_EMPTY; + + switch (pkey->pk_algorithm) { + case GNUTLS_PK_RSA: + case GNUTLS_PK_EC: + ret = + gnutls_x509_privkey_export(pkey, GNUTLS_X509_FMT_DER, + NULL, &size); + if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER) { + gnutls_assert(); + goto error; + } + + data = gnutls_malloc(size); + if (data == NULL) { + gnutls_assert(); + ret = GNUTLS_E_MEMORY_ERROR; + goto error; + } + + + ret = + gnutls_x509_privkey_export(pkey, GNUTLS_X509_FMT_DER, + data, &size); + if (ret < 0) { + gnutls_assert(); + goto error; + } + + raw->data = data; + raw->size = size; + break; + case GNUTLS_PK_DSA: + /* DSAPublicKey == INTEGER */ + if ((ret = asn1_create_element + (_gnutls_get_gnutls_asn(), "GNUTLS.DSAPublicKey", + &spk)) + != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(ret); + } + + ret = + _gnutls_x509_write_int(spk, "", pkey->params.params[4], + 1); + if (ret < 0) { + gnutls_assert(); + goto error; + } + ret = _gnutls_x509_der_encode(spk, "", raw, 0); + if (ret < 0) { + gnutls_assert(); + goto error; + } + + asn1_delete_structure(&spk); + break; + + default: + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + return 0; + + error: + gnutls_free(data); + asn1_delete_structure(&spk); + return ret; } @@ -211,357 +208,336 @@ error: * the ASN1_TYPE of private key info will be returned. */ static int -encode_to_private_key_info (gnutls_x509_privkey_t pkey, - gnutls_datum_t * der, ASN1_TYPE * pkey_info) +encode_to_private_key_info(gnutls_x509_privkey_t pkey, + gnutls_datum_t * der, ASN1_TYPE * pkey_info) { - int result, len; - uint8_t null = 0; - const char *oid; - gnutls_datum_t algo_params = { NULL, 0 }; - gnutls_datum_t algo_privkey = { NULL, 0 }; - - oid = _gnutls_x509_pk_to_oid(pkey->pk_algorithm); - if (oid == NULL) - { - gnutls_assert (); - return GNUTLS_E_UNIMPLEMENTED_FEATURE; - } - - result = - _gnutls_x509_write_pubkey_params (pkey->pk_algorithm, &pkey->params, &algo_params); - if (result < 0) - { - gnutls_assert (); - return result; - } - - if ((result = - asn1_create_element (_gnutls_get_pkix (), - "PKIX1.pkcs-8-PrivateKeyInfo", - pkey_info)) != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto error; - } - - /* Write the version. - */ - result = asn1_write_value (*pkey_info, "version", &null, 1); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto error; - } - - /* write the privateKeyAlgorithm - * fields. (OID+NULL data) - */ - result = - asn1_write_value (*pkey_info, "privateKeyAlgorithm.algorithm", oid, 1); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto error; - } - - result = - asn1_write_value (*pkey_info, "privateKeyAlgorithm.parameters", - algo_params.data, algo_params.size); - _gnutls_free_datum (&algo_params); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto error; - } - - - /* Write the raw private key - */ - result = _encode_privkey (pkey, &algo_privkey); - if (result < 0) - { - gnutls_assert (); - goto error; - } - - result = - asn1_write_value (*pkey_info, "privateKey", algo_privkey.data, - algo_privkey.size); - _gnutls_free_datum (&algo_privkey); - - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto error; - } - - /* Append an empty Attributes field. - */ - result = asn1_write_value (*pkey_info, "attributes", NULL, 0); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto error; - } - - /* DER Encode the generated private key info. - */ - len = 0; - result = asn1_der_coding (*pkey_info, "", NULL, &len, NULL); - if (result != ASN1_MEM_ERROR) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto error; - } - - /* allocate data for the der - */ - der->size = len; - der->data = gnutls_malloc (len); - if (der->data == NULL) - { - gnutls_assert (); - return GNUTLS_E_MEMORY_ERROR; - } - - result = asn1_der_coding (*pkey_info, "", der->data, &len, NULL); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto error; - } - - return 0; - -error: - asn1_delete_structure (pkey_info); - _gnutls_free_datum (&algo_params); - _gnutls_free_datum (&algo_privkey); - return result; + int result, len; + uint8_t null = 0; + const char *oid; + gnutls_datum_t algo_params = { NULL, 0 }; + gnutls_datum_t algo_privkey = { NULL, 0 }; + + oid = _gnutls_x509_pk_to_oid(pkey->pk_algorithm); + if (oid == NULL) { + gnutls_assert(); + return GNUTLS_E_UNIMPLEMENTED_FEATURE; + } + + result = + _gnutls_x509_write_pubkey_params(pkey->pk_algorithm, + &pkey->params, &algo_params); + if (result < 0) { + gnutls_assert(); + return result; + } + + if ((result = + asn1_create_element(_gnutls_get_pkix(), + "PKIX1.pkcs-8-PrivateKeyInfo", + pkey_info)) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + /* Write the version. + */ + result = asn1_write_value(*pkey_info, "version", &null, 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + /* write the privateKeyAlgorithm + * fields. (OID+NULL data) + */ + result = + asn1_write_value(*pkey_info, "privateKeyAlgorithm.algorithm", + oid, 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + result = + asn1_write_value(*pkey_info, "privateKeyAlgorithm.parameters", + algo_params.data, algo_params.size); + _gnutls_free_datum(&algo_params); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + + /* Write the raw private key + */ + result = _encode_privkey(pkey, &algo_privkey); + if (result < 0) { + gnutls_assert(); + goto error; + } + + result = + asn1_write_value(*pkey_info, "privateKey", algo_privkey.data, + algo_privkey.size); + _gnutls_free_datum(&algo_privkey); + + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + /* Append an empty Attributes field. + */ + result = asn1_write_value(*pkey_info, "attributes", NULL, 0); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + /* DER Encode the generated private key info. + */ + len = 0; + result = asn1_der_coding(*pkey_info, "", NULL, &len, NULL); + if (result != ASN1_MEM_ERROR) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + /* allocate data for the der + */ + der->size = len; + der->data = gnutls_malloc(len); + if (der->data == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + result = asn1_der_coding(*pkey_info, "", der->data, &len, NULL); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + return 0; + + error: + asn1_delete_structure(pkey_info); + _gnutls_free_datum(&algo_params); + _gnutls_free_datum(&algo_privkey); + return result; } -static const char * -cipher_to_pkcs_params (int cipher, const char **oid) +static const char *cipher_to_pkcs_params(int cipher, const char **oid) { - switch (cipher) - { - case GNUTLS_CIPHER_AES_128_CBC: - if (oid) - *oid = AES_128_CBC_OID; - return "PKIX1.pkcs-5-aes128-CBC-params"; - break; - case GNUTLS_CIPHER_AES_192_CBC: - if (oid) - *oid = AES_192_CBC_OID; - return "PKIX1.pkcs-5-aes192-CBC-params"; - break; - case GNUTLS_CIPHER_AES_256_CBC: - if (oid) - *oid = AES_256_CBC_OID; - return "PKIX1.pkcs-5-aes256-CBC-params"; - break; - case GNUTLS_CIPHER_3DES_CBC: - if (oid) - *oid = DES_EDE3_CBC_OID; - return "PKIX1.pkcs-5-des-EDE3-CBC-params"; - break; - default: - return NULL; - break; - } + switch (cipher) { + case GNUTLS_CIPHER_AES_128_CBC: + if (oid) + *oid = AES_128_CBC_OID; + return "PKIX1.pkcs-5-aes128-CBC-params"; + break; + case GNUTLS_CIPHER_AES_192_CBC: + if (oid) + *oid = AES_192_CBC_OID; + return "PKIX1.pkcs-5-aes192-CBC-params"; + break; + case GNUTLS_CIPHER_AES_256_CBC: + if (oid) + *oid = AES_256_CBC_OID; + return "PKIX1.pkcs-5-aes256-CBC-params"; + break; + case GNUTLS_CIPHER_3DES_CBC: + if (oid) + *oid = DES_EDE3_CBC_OID; + return "PKIX1.pkcs-5-des-EDE3-CBC-params"; + break; + default: + return NULL; + break; + } } -static int -cipher_to_schema (int cipher) +static int cipher_to_schema(int cipher) { - switch (cipher) - { - case GNUTLS_CIPHER_AES_128_CBC: - return PBES2_AES_128; - break; - case GNUTLS_CIPHER_AES_192_CBC: - return PBES2_AES_192; - break; - case GNUTLS_CIPHER_AES_256_CBC: - return PBES2_AES_256; - break; - case GNUTLS_CIPHER_3DES_CBC: - return PBES2_3DES; - break; - default: - return GNUTLS_E_UNKNOWN_CIPHER_TYPE; - break; - } + switch (cipher) { + case GNUTLS_CIPHER_AES_128_CBC: + return PBES2_AES_128; + break; + case GNUTLS_CIPHER_AES_192_CBC: + return PBES2_AES_192; + break; + case GNUTLS_CIPHER_AES_256_CBC: + return PBES2_AES_256; + break; + case GNUTLS_CIPHER_3DES_CBC: + return PBES2_3DES; + break; + default: + return GNUTLS_E_UNKNOWN_CIPHER_TYPE; + break; + } } -int -_gnutls_pkcs_flags_to_schema (unsigned int flags) +int _gnutls_pkcs_flags_to_schema(unsigned int flags) { - int schema; - - if (flags & GNUTLS_PKCS_USE_PKCS12_ARCFOUR) - schema = PKCS12_ARCFOUR_SHA1; - else if (flags & GNUTLS_PKCS_USE_PKCS12_RC2_40) - schema = PKCS12_RC2_40_SHA1; - else if (flags & GNUTLS_PKCS_USE_PBES2_3DES) - schema = PBES2_3DES; - else if (flags & GNUTLS_PKCS_USE_PBES2_AES_128) - schema = PBES2_AES_128; - else if (flags & GNUTLS_PKCS_USE_PBES2_AES_192) - schema = PBES2_AES_192; - else if (flags & GNUTLS_PKCS_USE_PBES2_AES_256) - schema = PBES2_AES_256; - else - { - gnutls_assert (); - _gnutls_debug_log - ("Selecting default encryption PKCS12_3DES_SHA1 (flags: %u).\n", - flags); - schema = PKCS12_3DES_SHA1; - } - - return schema; + int schema; + + if (flags & GNUTLS_PKCS_USE_PKCS12_ARCFOUR) + schema = PKCS12_ARCFOUR_SHA1; + else if (flags & GNUTLS_PKCS_USE_PKCS12_RC2_40) + schema = PKCS12_RC2_40_SHA1; + else if (flags & GNUTLS_PKCS_USE_PBES2_3DES) + schema = PBES2_3DES; + else if (flags & GNUTLS_PKCS_USE_PBES2_AES_128) + schema = PBES2_AES_128; + else if (flags & GNUTLS_PKCS_USE_PBES2_AES_192) + schema = PBES2_AES_192; + else if (flags & GNUTLS_PKCS_USE_PBES2_AES_256) + schema = PBES2_AES_256; + else { + gnutls_assert(); + _gnutls_debug_log + ("Selecting default encryption PKCS12_3DES_SHA1 (flags: %u).\n", + flags); + schema = PKCS12_3DES_SHA1; + } + + return schema; } /* returns the OID corresponding to given schema */ -static int -schema_to_oid (schema_id schema, const char **str_oid) +static int schema_to_oid(schema_id schema, const char **str_oid) { - int result = 0; - - switch (schema) - { - case PBES2_3DES: - case PBES2_AES_128: - case PBES2_AES_192: - case PBES2_AES_256: - *str_oid = PBES2_OID; - break; - case PKCS12_3DES_SHA1: - *str_oid = PKCS12_PBE_3DES_SHA1_OID; - break; - case PKCS12_ARCFOUR_SHA1: - *str_oid = PKCS12_PBE_ARCFOUR_SHA1_OID; - break; - case PKCS12_RC2_40_SHA1: - *str_oid = PKCS12_PBE_RC2_40_SHA1_OID; - break; - default: - gnutls_assert (); - result = GNUTLS_E_INTERNAL_ERROR; - } - - return result; + int result = 0; + + switch (schema) { + case PBES2_3DES: + case PBES2_AES_128: + case PBES2_AES_192: + case PBES2_AES_256: + *str_oid = PBES2_OID; + break; + case PKCS12_3DES_SHA1: + *str_oid = PKCS12_PBE_3DES_SHA1_OID; + break; + case PKCS12_ARCFOUR_SHA1: + *str_oid = PKCS12_PBE_ARCFOUR_SHA1_OID; + break; + case PKCS12_RC2_40_SHA1: + *str_oid = PKCS12_PBE_RC2_40_SHA1_OID; + break; + default: + gnutls_assert(); + result = GNUTLS_E_INTERNAL_ERROR; + } + + return result; } /* Converts a PKCS #8 private key info to * a PKCS #8 EncryptedPrivateKeyInfo. */ static int -encode_to_pkcs8_key (schema_id schema, const gnutls_datum_t * der_key, - const char *password, ASN1_TYPE * out) +encode_to_pkcs8_key(schema_id schema, const gnutls_datum_t * der_key, + const char *password, ASN1_TYPE * out) { - int result; - gnutls_datum_t key = { NULL, 0 }; - gnutls_datum_t tmp = { NULL, 0 }; - ASN1_TYPE pkcs8_asn = ASN1_TYPE_EMPTY; - struct pbkdf2_params kdf_params; - struct pbe_enc_params enc_params; - const char *str_oid; - - - if ((result = - asn1_create_element (_gnutls_get_pkix (), - "PKIX1.pkcs-8-EncryptedPrivateKeyInfo", - &pkcs8_asn)) != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto error; - } - - /* Write the encryption schema OID - */ - result = schema_to_oid (schema, &str_oid); - if (result < 0) - { - gnutls_assert (); - return result; - } - - result = - asn1_write_value (pkcs8_asn, "encryptionAlgorithm.algorithm", str_oid, 1); - - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto error; - } - - /* Generate a symmetric key. - */ - - result = generate_key (schema, password, &kdf_params, &enc_params, &key); - if (result < 0) - { - gnutls_assert (); - goto error; - } - - result = - write_schema_params (schema, pkcs8_asn, - "encryptionAlgorithm.parameters", &kdf_params, - &enc_params); - if (result < 0) - { - gnutls_assert (); - goto error; - } - - /* Parameters have been encoded. Now - * encrypt the Data. - */ - result = encrypt_data (der_key, &enc_params, &key, &tmp); - if (result < 0) - { - gnutls_assert (); - goto error; - } - - /* write the encrypted data. - */ - result = asn1_write_value (pkcs8_asn, "encryptedData", tmp.data, tmp.size); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto error; - } - - _gnutls_free_datum (&tmp); - _gnutls_free_datum (&key); - - *out = pkcs8_asn; - - return 0; - -error: - _gnutls_free_datum (&key); - _gnutls_free_datum (&tmp); - asn1_delete_structure (&pkcs8_asn); - return result; + int result; + gnutls_datum_t key = { NULL, 0 }; + gnutls_datum_t tmp = { NULL, 0 }; + ASN1_TYPE pkcs8_asn = ASN1_TYPE_EMPTY; + struct pbkdf2_params kdf_params; + struct pbe_enc_params enc_params; + const char *str_oid; + + + if ((result = + asn1_create_element(_gnutls_get_pkix(), + "PKIX1.pkcs-8-EncryptedPrivateKeyInfo", + &pkcs8_asn)) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + /* Write the encryption schema OID + */ + result = schema_to_oid(schema, &str_oid); + if (result < 0) { + gnutls_assert(); + return result; + } + + result = + asn1_write_value(pkcs8_asn, "encryptionAlgorithm.algorithm", + str_oid, 1); + + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + /* Generate a symmetric key. + */ + + result = + generate_key(schema, password, &kdf_params, &enc_params, &key); + if (result < 0) { + gnutls_assert(); + goto error; + } + + result = + write_schema_params(schema, pkcs8_asn, + "encryptionAlgorithm.parameters", + &kdf_params, &enc_params); + if (result < 0) { + gnutls_assert(); + goto error; + } + + /* Parameters have been encoded. Now + * encrypt the Data. + */ + result = encrypt_data(der_key, &enc_params, &key, &tmp); + if (result < 0) { + gnutls_assert(); + goto error; + } + + /* write the encrypted data. + */ + result = + asn1_write_value(pkcs8_asn, "encryptedData", tmp.data, + tmp.size); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + _gnutls_free_datum(&tmp); + _gnutls_free_datum(&key); + + *out = pkcs8_asn; + + return 0; + + error: + _gnutls_free_datum(&key); + _gnutls_free_datum(&tmp); + asn1_delete_structure(&pkcs8_asn); + return result; } @@ -595,68 +571,65 @@ error: * returned, and 0 on success. **/ int -gnutls_x509_privkey_export_pkcs8 (gnutls_x509_privkey_t key, - gnutls_x509_crt_fmt_t format, - const char *password, - unsigned int flags, - void *output_data, - size_t * output_data_size) +gnutls_x509_privkey_export_pkcs8(gnutls_x509_privkey_t key, + gnutls_x509_crt_fmt_t format, + const char *password, + unsigned int flags, + void *output_data, + size_t * output_data_size) { - ASN1_TYPE pkcs8_asn, pkey_info; - int ret; - gnutls_datum_t tmp; - schema_id schema; - - if (key == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - /* Get the private key info - * tmp holds the DER encoding. - */ - ret = encode_to_private_key_info (key, &tmp, &pkey_info); - if (ret < 0) - { - gnutls_assert (); - return ret; - } - - schema = _gnutls_pkcs_flags_to_schema (flags); - - if (((flags & GNUTLS_PKCS_PLAIN) || password == NULL) && !(flags & GNUTLS_PKCS_NULL_PASSWORD)) - { - _gnutls_free_datum (&tmp); - - ret = - _gnutls_x509_export_int (pkey_info, format, - PEM_UNENCRYPTED_PKCS8, - output_data, output_data_size); - - asn1_delete_structure (&pkey_info); - } - else - { - asn1_delete_structure (&pkey_info); /* we don't need it */ - - ret = encode_to_pkcs8_key (schema, &tmp, password, &pkcs8_asn); - _gnutls_free_datum (&tmp); - - if (ret < 0) - { - gnutls_assert (); - return ret; - } - - ret = - _gnutls_x509_export_int (pkcs8_asn, format, PEM_PKCS8, - output_data, output_data_size); - - asn1_delete_structure (&pkcs8_asn); - } - - return ret; + ASN1_TYPE pkcs8_asn, pkey_info; + int ret; + gnutls_datum_t tmp; + schema_id schema; + + if (key == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + /* Get the private key info + * tmp holds the DER encoding. + */ + ret = encode_to_private_key_info(key, &tmp, &pkey_info); + if (ret < 0) { + gnutls_assert(); + return ret; + } + + schema = _gnutls_pkcs_flags_to_schema(flags); + + if (((flags & GNUTLS_PKCS_PLAIN) || password == NULL) + && !(flags & GNUTLS_PKCS_NULL_PASSWORD)) { + _gnutls_free_datum(&tmp); + + ret = + _gnutls_x509_export_int(pkey_info, format, + PEM_UNENCRYPTED_PKCS8, + output_data, output_data_size); + + asn1_delete_structure(&pkey_info); + } else { + asn1_delete_structure(&pkey_info); /* we don't need it */ + + ret = + encode_to_pkcs8_key(schema, &tmp, password, + &pkcs8_asn); + _gnutls_free_datum(&tmp); + + if (ret < 0) { + gnutls_assert(); + return ret; + } + + ret = + _gnutls_x509_export_int(pkcs8_asn, format, PEM_PKCS8, + output_data, output_data_size); + + asn1_delete_structure(&pkcs8_asn); + } + + return ret; } /** @@ -687,65 +660,62 @@ gnutls_x509_privkey_export_pkcs8 (gnutls_x509_privkey_t key, * Since 3.1.3 **/ int -gnutls_x509_privkey_export2_pkcs8 (gnutls_x509_privkey_t key, - gnutls_x509_crt_fmt_t format, - const char *password, - unsigned int flags, - gnutls_datum_t *out) +gnutls_x509_privkey_export2_pkcs8(gnutls_x509_privkey_t key, + gnutls_x509_crt_fmt_t format, + const char *password, + unsigned int flags, gnutls_datum_t * out) { - ASN1_TYPE pkcs8_asn, pkey_info; - int ret; - gnutls_datum_t tmp; - schema_id schema; - - if (key == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - /* Get the private key info - * tmp holds the DER encoding. - */ - ret = encode_to_private_key_info (key, &tmp, &pkey_info); - if (ret < 0) - { - gnutls_assert (); - return ret; - } - - schema = _gnutls_pkcs_flags_to_schema (flags); - - if (((flags & GNUTLS_PKCS_PLAIN) || password == NULL) && !(flags & GNUTLS_PKCS_NULL_PASSWORD)) - { - _gnutls_free_datum (&tmp); - - ret = - _gnutls_x509_export_int2 (pkey_info, format, - PEM_UNENCRYPTED_PKCS8, out); - - asn1_delete_structure (&pkey_info); - } - else - { - asn1_delete_structure (&pkey_info); /* we don't need it */ - - ret = encode_to_pkcs8_key (schema, &tmp, password, &pkcs8_asn); - _gnutls_free_datum (&tmp); - - if (ret < 0) - { - gnutls_assert (); - return ret; - } - - ret = - _gnutls_x509_export_int2 (pkcs8_asn, format, PEM_PKCS8, out); - - asn1_delete_structure (&pkcs8_asn); - } - - return ret; + ASN1_TYPE pkcs8_asn, pkey_info; + int ret; + gnutls_datum_t tmp; + schema_id schema; + + if (key == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + /* Get the private key info + * tmp holds the DER encoding. + */ + ret = encode_to_private_key_info(key, &tmp, &pkey_info); + if (ret < 0) { + gnutls_assert(); + return ret; + } + + schema = _gnutls_pkcs_flags_to_schema(flags); + + if (((flags & GNUTLS_PKCS_PLAIN) || password == NULL) + && !(flags & GNUTLS_PKCS_NULL_PASSWORD)) { + _gnutls_free_datum(&tmp); + + ret = + _gnutls_x509_export_int2(pkey_info, format, + PEM_UNENCRYPTED_PKCS8, out); + + asn1_delete_structure(&pkey_info); + } else { + asn1_delete_structure(&pkey_info); /* we don't need it */ + + ret = + encode_to_pkcs8_key(schema, &tmp, password, + &pkcs8_asn); + _gnutls_free_datum(&tmp); + + if (ret < 0) { + gnutls_assert(); + return ret; + } + + ret = + _gnutls_x509_export_int2(pkcs8_asn, format, PEM_PKCS8, + out); + + asn1_delete_structure(&pkcs8_asn); + } + + return ret; } @@ -753,256 +723,240 @@ gnutls_x509_privkey_export2_pkcs8 (gnutls_x509_privkey_t key, * schema ID. */ static int -read_pkcs_schema_params (schema_id * schema, const char *password, - const uint8_t * data, int data_size, - struct pbkdf2_params *kdf_params, - struct pbe_enc_params *enc_params) +read_pkcs_schema_params(schema_id * schema, const char *password, + const uint8_t * data, int data_size, + struct pbkdf2_params *kdf_params, + struct pbe_enc_params *enc_params) { - ASN1_TYPE pbes2_asn = ASN1_TYPE_EMPTY; - int result; - gnutls_datum_t tmp; - - switch (*schema) - { - - case PBES2_GENERIC: - - /* Now check the key derivation and the encryption - * functions. - */ - if ((result = - asn1_create_element (_gnutls_get_pkix (), - "PKIX1.pkcs-5-PBES2-params", - &pbes2_asn)) != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto error; - } - - /* Decode the parameters. - */ - result = asn1_der_decoding (&pbes2_asn, data, data_size, NULL); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto error; - } - - tmp.data = (uint8_t *) data; - tmp.size = data_size; - - result = read_pbkdf2_params (pbes2_asn, &tmp, kdf_params); - if (result < 0) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto error; - } - - result = read_pbe_enc_params (pbes2_asn, &tmp, enc_params); - if (result < 0) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto error; - } - - asn1_delete_structure (&pbes2_asn); - - result = cipher_to_schema (enc_params->cipher); - if (result < 0) - { - gnutls_assert (); - goto error; - } - - *schema = result; - return 0; - - case PKCS12_3DES_SHA1: - case PKCS12_ARCFOUR_SHA1: - case PKCS12_RC2_40_SHA1: - - if ((*schema) == PKCS12_3DES_SHA1) - { - enc_params->cipher = GNUTLS_CIPHER_3DES_CBC; - enc_params->iv_size = 8; - } - else if ((*schema) == PKCS12_ARCFOUR_SHA1) - { - enc_params->cipher = GNUTLS_CIPHER_ARCFOUR_128; - enc_params->iv_size = 0; - } - else if ((*schema) == PKCS12_RC2_40_SHA1) - { - enc_params->cipher = GNUTLS_CIPHER_RC2_40_CBC; - enc_params->iv_size = 8; - } - - if ((result = - asn1_create_element (_gnutls_get_pkix (), - "PKIX1.pkcs-12-PbeParams", - &pbes2_asn)) != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto error; - } - - /* Decode the parameters. - */ - result = asn1_der_decoding (&pbes2_asn, data, data_size, NULL); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto error; - } - - result = read_pkcs12_kdf_params (pbes2_asn, kdf_params); - if (result < 0) - { - gnutls_assert (); - goto error; - } - - if (enc_params->iv_size) - { - result = - _gnutls_pkcs12_string_to_key (2 /*IV*/, kdf_params->salt, - kdf_params->salt_size, - kdf_params->iter_count, password, - enc_params->iv_size, - enc_params->iv); - if (result < 0) - { - gnutls_assert (); - goto error; - } - - } - - asn1_delete_structure (&pbes2_asn); - - return 0; - - default: - gnutls_assert (); - } /* switch */ - - return GNUTLS_E_UNKNOWN_CIPHER_TYPE; - -error: - asn1_delete_structure (&pbes2_asn); - return result; + ASN1_TYPE pbes2_asn = ASN1_TYPE_EMPTY; + int result; + gnutls_datum_t tmp; + + switch (*schema) { + + case PBES2_GENERIC: + + /* Now check the key derivation and the encryption + * functions. + */ + if ((result = + asn1_create_element(_gnutls_get_pkix(), + "PKIX1.pkcs-5-PBES2-params", + &pbes2_asn)) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + /* Decode the parameters. + */ + result = + asn1_der_decoding(&pbes2_asn, data, data_size, NULL); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + tmp.data = (uint8_t *) data; + tmp.size = data_size; + + result = read_pbkdf2_params(pbes2_asn, &tmp, kdf_params); + if (result < 0) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + result = read_pbe_enc_params(pbes2_asn, &tmp, enc_params); + if (result < 0) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + asn1_delete_structure(&pbes2_asn); + + result = cipher_to_schema(enc_params->cipher); + if (result < 0) { + gnutls_assert(); + goto error; + } + + *schema = result; + return 0; + + case PKCS12_3DES_SHA1: + case PKCS12_ARCFOUR_SHA1: + case PKCS12_RC2_40_SHA1: + + if ((*schema) == PKCS12_3DES_SHA1) { + enc_params->cipher = GNUTLS_CIPHER_3DES_CBC; + enc_params->iv_size = 8; + } else if ((*schema) == PKCS12_ARCFOUR_SHA1) { + enc_params->cipher = GNUTLS_CIPHER_ARCFOUR_128; + enc_params->iv_size = 0; + } else if ((*schema) == PKCS12_RC2_40_SHA1) { + enc_params->cipher = GNUTLS_CIPHER_RC2_40_CBC; + enc_params->iv_size = 8; + } + + if ((result = + asn1_create_element(_gnutls_get_pkix(), + "PKIX1.pkcs-12-PbeParams", + &pbes2_asn)) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + /* Decode the parameters. + */ + result = + asn1_der_decoding(&pbes2_asn, data, data_size, NULL); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + result = read_pkcs12_kdf_params(pbes2_asn, kdf_params); + if (result < 0) { + gnutls_assert(); + goto error; + } + + if (enc_params->iv_size) { + result = + _gnutls_pkcs12_string_to_key(2 /*IV*/, + kdf_params->salt, + kdf_params-> + salt_size, + kdf_params-> + iter_count, + password, + enc_params-> + iv_size, + enc_params->iv); + if (result < 0) { + gnutls_assert(); + goto error; + } + + } + + asn1_delete_structure(&pbes2_asn); + + return 0; + + default: + gnutls_assert(); + } /* switch */ + + return GNUTLS_E_UNKNOWN_CIPHER_TYPE; + + error: + asn1_delete_structure(&pbes2_asn); + return result; } static int decrypt_pkcs8_key(const gnutls_datum_t * raw_key, - ASN1_TYPE pkcs8_asn, const char *password, - gnutls_x509_privkey_t pkey) + ASN1_TYPE pkcs8_asn, const char *password, + gnutls_x509_privkey_t pkey) { - int result, len; - char enc_oid[64]; - gnutls_datum_t tmp; - ASN1_TYPE pbes2_asn = ASN1_TYPE_EMPTY; - int params_start, params_end, params_len; - struct pbkdf2_params kdf_params; - struct pbe_enc_params enc_params; - schema_id schema; - - /* Check the encryption schema OID - */ - len = sizeof (enc_oid); - result = - asn1_read_value (pkcs8_asn, "encryptionAlgorithm.algorithm", - enc_oid, &len); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - goto error; - } - - if ((result = check_schema (enc_oid)) < 0) - { - gnutls_assert (); - goto error; - } - - schema = result; - - /* Get the DER encoding of the parameters. - */ - result = - asn1_der_decoding_startEnd (pkcs8_asn, raw_key->data, - raw_key->size, - "encryptionAlgorithm.parameters", - ¶ms_start, ¶ms_end); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto error; - } - params_len = params_end - params_start + 1; - - result = - read_pkcs_schema_params (&schema, password, - &raw_key->data[params_start], - params_len, &kdf_params, &enc_params); - - if (result < 0) - { - gnutls_assert (); - goto error; - } - - /* Parameters have been decoded. Now - * decrypt the EncryptedData. - */ - result = - decrypt_data (schema, pkcs8_asn, "encryptedData", password, - &kdf_params, &enc_params, &tmp); - if (result < 0) - { - gnutls_assert (); - goto error; - } - - result = decode_private_key_info (&tmp, pkey); - _gnutls_free_datum (&tmp); - - if (result < 0) - { - /* We've gotten this far. In the real world it's almost certain - * that we're dealing with a good file, but wrong password. - * Sadly like 90% of random data is somehow valid DER for the - * a first small number of bytes, so no easy way to guarantee. */ - if (result == GNUTLS_E_ASN1_ELEMENT_NOT_FOUND || - result == GNUTLS_E_ASN1_IDENTIFIER_NOT_FOUND || - result == GNUTLS_E_ASN1_DER_ERROR || - result == GNUTLS_E_ASN1_VALUE_NOT_FOUND || - result == GNUTLS_E_ASN1_GENERIC_ERROR || - result == GNUTLS_E_ASN1_VALUE_NOT_VALID || - result == GNUTLS_E_ASN1_TAG_ERROR || - result == GNUTLS_E_ASN1_TAG_IMPLICIT || - result == GNUTLS_E_ASN1_TYPE_ANY_ERROR || - result == GNUTLS_E_ASN1_SYNTAX_ERROR || - result == GNUTLS_E_ASN1_DER_OVERFLOW) - { - result = GNUTLS_E_DECRYPTION_FAILED; - } - - gnutls_assert (); - goto error; - } - - return 0; - -error: - asn1_delete_structure (&pbes2_asn); - return result; + int result, len; + char enc_oid[64]; + gnutls_datum_t tmp; + ASN1_TYPE pbes2_asn = ASN1_TYPE_EMPTY; + int params_start, params_end, params_len; + struct pbkdf2_params kdf_params; + struct pbe_enc_params enc_params; + schema_id schema; + + /* Check the encryption schema OID + */ + len = sizeof(enc_oid); + result = + asn1_read_value(pkcs8_asn, "encryptionAlgorithm.algorithm", + enc_oid, &len); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + goto error; + } + + if ((result = check_schema(enc_oid)) < 0) { + gnutls_assert(); + goto error; + } + + schema = result; + + /* Get the DER encoding of the parameters. + */ + result = + asn1_der_decoding_startEnd(pkcs8_asn, raw_key->data, + raw_key->size, + "encryptionAlgorithm.parameters", + ¶ms_start, ¶ms_end); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + params_len = params_end - params_start + 1; + + result = + read_pkcs_schema_params(&schema, password, + &raw_key->data[params_start], + params_len, &kdf_params, &enc_params); + + if (result < 0) { + gnutls_assert(); + goto error; + } + + /* Parameters have been decoded. Now + * decrypt the EncryptedData. + */ + result = + decrypt_data(schema, pkcs8_asn, "encryptedData", password, + &kdf_params, &enc_params, &tmp); + if (result < 0) { + gnutls_assert(); + goto error; + } + + result = decode_private_key_info(&tmp, pkey); + _gnutls_free_datum(&tmp); + + if (result < 0) { + /* We've gotten this far. In the real world it's almost certain + * that we're dealing with a good file, but wrong password. + * Sadly like 90% of random data is somehow valid DER for the + * a first small number of bytes, so no easy way to guarantee. */ + if (result == GNUTLS_E_ASN1_ELEMENT_NOT_FOUND || + result == GNUTLS_E_ASN1_IDENTIFIER_NOT_FOUND || + result == GNUTLS_E_ASN1_DER_ERROR || + result == GNUTLS_E_ASN1_VALUE_NOT_FOUND || + result == GNUTLS_E_ASN1_GENERIC_ERROR || + result == GNUTLS_E_ASN1_VALUE_NOT_VALID || + result == GNUTLS_E_ASN1_TAG_ERROR || + result == GNUTLS_E_ASN1_TAG_IMPLICIT || + result == GNUTLS_E_ASN1_TYPE_ANY_ERROR || + result == GNUTLS_E_ASN1_SYNTAX_ERROR || + result == GNUTLS_E_ASN1_DER_OVERFLOW) { + result = GNUTLS_E_DECRYPTION_FAILED; + } + + gnutls_assert(); + goto error; + } + + return 0; + + error: + asn1_delete_structure(&pbes2_asn); + return result; } /* Converts a PKCS #8 key to @@ -1010,244 +964,241 @@ error: * (normally a PKCS #1 encoded RSA key) */ static int -decode_pkcs8_key (const gnutls_datum_t * raw_key, - const char *password, gnutls_x509_privkey_t pkey, - unsigned int decrypt) +decode_pkcs8_key(const gnutls_datum_t * raw_key, + const char *password, gnutls_x509_privkey_t pkey, + unsigned int decrypt) { - int result; - ASN1_TYPE pkcs8_asn = ASN1_TYPE_EMPTY; - - if ((result = - asn1_create_element (_gnutls_get_pkix (), - "PKIX1.pkcs-8-EncryptedPrivateKeyInfo", - &pkcs8_asn)) != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto error; - } - - result = asn1_der_decoding (&pkcs8_asn, raw_key->data, raw_key->size, NULL); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto error; - } - - if (decrypt) - result = decrypt_pkcs8_key(raw_key, pkcs8_asn, password, pkey); - else - result = 0; - -error: - asn1_delete_structure (&pkcs8_asn); - return result; + int result; + ASN1_TYPE pkcs8_asn = ASN1_TYPE_EMPTY; + + if ((result = + asn1_create_element(_gnutls_get_pkix(), + "PKIX1.pkcs-8-EncryptedPrivateKeyInfo", + &pkcs8_asn)) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + result = + asn1_der_decoding(&pkcs8_asn, raw_key->data, raw_key->size, + NULL); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + if (decrypt) + result = + decrypt_pkcs8_key(raw_key, pkcs8_asn, password, pkey); + else + result = 0; + + error: + asn1_delete_structure(&pkcs8_asn); + return result; } /* Decodes an RSA privateKey from a PKCS8 structure. */ static int -_decode_pkcs8_rsa_key (ASN1_TYPE pkcs8_asn, gnutls_x509_privkey_t pkey) +_decode_pkcs8_rsa_key(ASN1_TYPE pkcs8_asn, gnutls_x509_privkey_t pkey) { - int ret; - gnutls_datum_t tmp; - - ret = _gnutls_x509_read_value (pkcs8_asn, "privateKey", &tmp); - if (ret < 0) - { - gnutls_assert (); - goto error; - } - - pkey->key = _gnutls_privkey_decode_pkcs1_rsa_key (&tmp, pkey); - _gnutls_free_datum (&tmp); - if (pkey->key == NULL) - { - gnutls_assert (); - goto error; - } - - ret = 0; - -error: - return ret; + int ret; + gnutls_datum_t tmp; + + ret = _gnutls_x509_read_value(pkcs8_asn, "privateKey", &tmp); + if (ret < 0) { + gnutls_assert(); + goto error; + } + + pkey->key = _gnutls_privkey_decode_pkcs1_rsa_key(&tmp, pkey); + _gnutls_free_datum(&tmp); + if (pkey->key == NULL) { + gnutls_assert(); + goto error; + } + + ret = 0; + + error: + return ret; } /* Decodes an ECC privateKey from a PKCS8 structure. */ static int -_decode_pkcs8_ecc_key (ASN1_TYPE pkcs8_asn, gnutls_x509_privkey_t pkey) +_decode_pkcs8_ecc_key(ASN1_TYPE pkcs8_asn, gnutls_x509_privkey_t pkey) { - int ret; - gnutls_datum_t tmp; - - ret = _gnutls_x509_read_value (pkcs8_asn, "privateKey", &tmp); - if (ret < 0) - { - gnutls_assert (); - goto error; - } - - pkey->key = _gnutls_privkey_decode_ecc_key (&tmp, pkey); - _gnutls_free_datum (&tmp); - if (pkey->key == NULL) - { - ret = GNUTLS_E_PARSING_ERROR; - gnutls_assert (); - goto error; - } - - ret = 0; - -error: - return ret; + int ret; + gnutls_datum_t tmp; + + ret = _gnutls_x509_read_value(pkcs8_asn, "privateKey", &tmp); + if (ret < 0) { + gnutls_assert(); + goto error; + } + + pkey->key = _gnutls_privkey_decode_ecc_key(&tmp, pkey); + _gnutls_free_datum(&tmp); + if (pkey->key == NULL) { + ret = GNUTLS_E_PARSING_ERROR; + gnutls_assert(); + goto error; + } + + ret = 0; + + error: + return ret; } /* Decodes an DSA privateKey and params from a PKCS8 structure. */ static int -_decode_pkcs8_dsa_key (ASN1_TYPE pkcs8_asn, gnutls_x509_privkey_t pkey) +_decode_pkcs8_dsa_key(ASN1_TYPE pkcs8_asn, gnutls_x509_privkey_t pkey) { - int ret; - gnutls_datum_t tmp; - - ret = _gnutls_x509_read_value (pkcs8_asn, "privateKey", &tmp); - if (ret < 0) - { - gnutls_assert (); - goto error; - } - - ret = _gnutls_x509_read_der_int (tmp.data, tmp.size, &pkey->params.params[4]); - _gnutls_free_datum (&tmp); - - if (ret < 0) - { - gnutls_assert (); - goto error; - } - - ret = - _gnutls_x509_read_value (pkcs8_asn, "privateKeyAlgorithm.parameters", - &tmp); - if (ret < 0) - { - gnutls_assert (); - goto error; - } - - ret = _gnutls_x509_read_pubkey_params (GNUTLS_PK_DSA, tmp.data, tmp.size, &pkey->params); - _gnutls_free_datum (&tmp); - if (ret < 0) - { - gnutls_assert (); - goto error; - } - - /* the public key can be generated as g^x mod p */ - pkey->params.params[3] = _gnutls_mpi_alloc_like (pkey->params.params[0]); - if (pkey->params.params[3] == NULL) - { - gnutls_assert (); - goto error; - } - - _gnutls_mpi_powm (pkey->params.params[3], pkey->params.params[2], pkey->params.params[4], - pkey->params.params[0]); - - ret = _gnutls_asn1_encode_privkey (GNUTLS_PK_DSA, &pkey->key, &pkey->params); - if (ret < 0) - { - gnutls_assert (); - goto error; - } - - pkey->params.params_nr = DSA_PRIVATE_PARAMS; - - ret = 0; - -error: - return ret; + int ret; + gnutls_datum_t tmp; + + ret = _gnutls_x509_read_value(pkcs8_asn, "privateKey", &tmp); + if (ret < 0) { + gnutls_assert(); + goto error; + } + + ret = + _gnutls_x509_read_der_int(tmp.data, tmp.size, + &pkey->params.params[4]); + _gnutls_free_datum(&tmp); + + if (ret < 0) { + gnutls_assert(); + goto error; + } + + ret = + _gnutls_x509_read_value(pkcs8_asn, + "privateKeyAlgorithm.parameters", + &tmp); + if (ret < 0) { + gnutls_assert(); + goto error; + } + + ret = + _gnutls_x509_read_pubkey_params(GNUTLS_PK_DSA, tmp.data, + tmp.size, &pkey->params); + _gnutls_free_datum(&tmp); + if (ret < 0) { + gnutls_assert(); + goto error; + } + + /* the public key can be generated as g^x mod p */ + pkey->params.params[3] = + _gnutls_mpi_alloc_like(pkey->params.params[0]); + if (pkey->params.params[3] == NULL) { + gnutls_assert(); + goto error; + } + + _gnutls_mpi_powm(pkey->params.params[3], pkey->params.params[2], + pkey->params.params[4], pkey->params.params[0]); + + ret = + _gnutls_asn1_encode_privkey(GNUTLS_PK_DSA, &pkey->key, + &pkey->params); + if (ret < 0) { + gnutls_assert(); + goto error; + } + + pkey->params.params_nr = DSA_PRIVATE_PARAMS; + + ret = 0; + + error: + return ret; } static int -decode_private_key_info (const gnutls_datum_t * der, - gnutls_x509_privkey_t pkey) +decode_private_key_info(const gnutls_datum_t * der, + gnutls_x509_privkey_t pkey) { - int result, len; - char oid[64]; - ASN1_TYPE pkcs8_asn = ASN1_TYPE_EMPTY; - - - if ((result = - asn1_create_element (_gnutls_get_pkix (), - "PKIX1.pkcs-8-PrivateKeyInfo", - &pkcs8_asn)) != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto error; - } - - result = asn1_der_decoding (&pkcs8_asn, der->data, der->size, NULL); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto error; - } - - /* Check the private key algorithm OID - */ - len = sizeof (oid); - result = - asn1_read_value (pkcs8_asn, "privateKeyAlgorithm.algorithm", oid, &len); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto error; - } - - /* we only support RSA and DSA private keys. - */ - - pkey->pk_algorithm = _gnutls_x509_oid2pk_algorithm(oid); - if (pkey->pk_algorithm == GNUTLS_PK_UNKNOWN) - { - gnutls_assert (); - _gnutls_debug_log - ("PKCS #8 private key OID '%s' is unsupported.\n", oid); - result = GNUTLS_E_UNKNOWN_PK_ALGORITHM; - goto error; - } - - /* Get the DER encoding of the actual private key. - */ - - if (pkey->pk_algorithm == GNUTLS_PK_RSA) - result = _decode_pkcs8_rsa_key (pkcs8_asn, pkey); - else if (pkey->pk_algorithm == GNUTLS_PK_DSA) - result = _decode_pkcs8_dsa_key (pkcs8_asn, pkey); - else if (pkey->pk_algorithm == GNUTLS_PK_EC) - result = _decode_pkcs8_ecc_key (pkcs8_asn, pkey); - else return gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE); - - if (result < 0) - { - gnutls_assert (); - return result; - } - - result = 0; - -error: - asn1_delete_structure (&pkcs8_asn); - - return result; + int result, len; + char oid[64]; + ASN1_TYPE pkcs8_asn = ASN1_TYPE_EMPTY; + + + if ((result = + asn1_create_element(_gnutls_get_pkix(), + "PKIX1.pkcs-8-PrivateKeyInfo", + &pkcs8_asn)) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + result = asn1_der_decoding(&pkcs8_asn, der->data, der->size, NULL); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + /* Check the private key algorithm OID + */ + len = sizeof(oid); + result = + asn1_read_value(pkcs8_asn, "privateKeyAlgorithm.algorithm", + oid, &len); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + /* we only support RSA and DSA private keys. + */ + + pkey->pk_algorithm = _gnutls_x509_oid2pk_algorithm(oid); + if (pkey->pk_algorithm == GNUTLS_PK_UNKNOWN) { + gnutls_assert(); + _gnutls_debug_log + ("PKCS #8 private key OID '%s' is unsupported.\n", + oid); + result = GNUTLS_E_UNKNOWN_PK_ALGORITHM; + goto error; + } + + /* Get the DER encoding of the actual private key. + */ + + if (pkey->pk_algorithm == GNUTLS_PK_RSA) + result = _decode_pkcs8_rsa_key(pkcs8_asn, pkey); + else if (pkey->pk_algorithm == GNUTLS_PK_DSA) + result = _decode_pkcs8_dsa_key(pkcs8_asn, pkey); + else if (pkey->pk_algorithm == GNUTLS_PK_EC) + result = _decode_pkcs8_ecc_key(pkcs8_asn, pkey); + else + return gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE); + + if (result < 0) { + gnutls_assert(); + return result; + } + + result = 0; + + error: + asn1_delete_structure(&pkcs8_asn); + + return result; } @@ -1280,282 +1231,267 @@ error: * negative error value. **/ int -gnutls_x509_privkey_import_pkcs8 (gnutls_x509_privkey_t key, - const gnutls_datum_t * data, - gnutls_x509_crt_fmt_t format, - const char *password, unsigned int flags) +gnutls_x509_privkey_import_pkcs8(gnutls_x509_privkey_t key, + const gnutls_datum_t * data, + gnutls_x509_crt_fmt_t format, + const char *password, unsigned int flags) { - int result = 0, need_free = 0; - gnutls_datum_t _data; - - if (key == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - _data.data = data->data; - _data.size = data->size; - - key->pk_algorithm = GNUTLS_PK_UNKNOWN; - - /* If the Certificate is in PEM format then decode it - */ - if (format == GNUTLS_X509_FMT_PEM) - { - /* Try the first header - */ - result = - _gnutls_fbase64_decode (PEM_UNENCRYPTED_PKCS8, - data->data, data->size, &_data); - - if (result < 0) - { /* Try the encrypted header - */ - result = - _gnutls_fbase64_decode (PEM_PKCS8, data->data, data->size, &_data); - - if (result < 0) - { - gnutls_assert (); - return result; - } - } - else if (flags == 0) - flags |= GNUTLS_PKCS_PLAIN; - - need_free = 1; - } - - /* Here we don't check for password == NULL to maintain a backwards - * compatibility behavior, with old versions that were encrypting using - * a NULL password. - */ - if (flags & GNUTLS_PKCS_PLAIN) - { - result = decode_private_key_info (&_data, key); - if (result < 0) - { /* check if it is encrypted */ - if (decode_pkcs8_key(&_data, "", key, 0) == 0) - result = GNUTLS_E_DECRYPTION_FAILED; - } - } - else - { /* encrypted. */ - result = decode_pkcs8_key (&_data, password, key, 1); - } - - if (result < 0) - { - gnutls_assert (); - goto cleanup; - } - - if (need_free) - _gnutls_free_datum (&_data); - - /* The key has now been decoded. - */ - - return 0; - -cleanup: - key->pk_algorithm = GNUTLS_PK_UNKNOWN; - if (need_free) - _gnutls_free_datum (&_data); - return result; + int result = 0, need_free = 0; + gnutls_datum_t _data; + + if (key == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + _data.data = data->data; + _data.size = data->size; + + key->pk_algorithm = GNUTLS_PK_UNKNOWN; + + /* If the Certificate is in PEM format then decode it + */ + if (format == GNUTLS_X509_FMT_PEM) { + /* Try the first header + */ + result = + _gnutls_fbase64_decode(PEM_UNENCRYPTED_PKCS8, + data->data, data->size, &_data); + + if (result < 0) { /* Try the encrypted header + */ + result = + _gnutls_fbase64_decode(PEM_PKCS8, data->data, + data->size, &_data); + + if (result < 0) { + gnutls_assert(); + return result; + } + } else if (flags == 0) + flags |= GNUTLS_PKCS_PLAIN; + + need_free = 1; + } + + /* Here we don't check for password == NULL to maintain a backwards + * compatibility behavior, with old versions that were encrypting using + * a NULL password. + */ + if (flags & GNUTLS_PKCS_PLAIN) { + result = decode_private_key_info(&_data, key); + if (result < 0) { /* check if it is encrypted */ + if (decode_pkcs8_key(&_data, "", key, 0) == 0) + result = GNUTLS_E_DECRYPTION_FAILED; + } + } else { /* encrypted. */ + result = decode_pkcs8_key(&_data, password, key, 1); + } + + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + if (need_free) + _gnutls_free_datum(&_data); + + /* The key has now been decoded. + */ + + return 0; + + cleanup: + key->pk_algorithm = GNUTLS_PK_UNKNOWN; + if (need_free) + _gnutls_free_datum(&_data); + return result; } /* Reads the PBKDF2 parameters. */ static int -read_pbkdf2_params (ASN1_TYPE pbes2_asn, - const gnutls_datum_t * der, struct pbkdf2_params *params) +read_pbkdf2_params(ASN1_TYPE pbes2_asn, + const gnutls_datum_t * der, + struct pbkdf2_params *params) { - int params_start, params_end; - int params_len, len, result; - ASN1_TYPE pbkdf2_asn = ASN1_TYPE_EMPTY; - char oid[64]; - - memset (params, 0, sizeof (*params)); - - /* Check the key derivation algorithm - */ - len = sizeof (oid); - result = - asn1_read_value (pbes2_asn, "keyDerivationFunc.algorithm", oid, &len); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - _gnutls_hard_log ("keyDerivationFunc.algorithm: %s\n", oid); - - if (strcmp (oid, PBKDF2_OID) != 0) - { - gnutls_assert (); - _gnutls_debug_log - ("PKCS #8 key derivation OID '%s' is unsupported.\n", oid); - return _gnutls_asn2err (result); - } - - result = - asn1_der_decoding_startEnd (pbes2_asn, der->data, der->size, - "keyDerivationFunc.parameters", - ¶ms_start, ¶ms_end); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - params_len = params_end - params_start + 1; - - /* Now check the key derivation and the encryption - * functions. - */ - if ((result = - asn1_create_element (_gnutls_get_pkix (), - "PKIX1.pkcs-5-PBKDF2-params", - &pbkdf2_asn)) != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - result = - asn1_der_decoding (&pbkdf2_asn, &der->data[params_start], - params_len, NULL); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto error; - } - - /* read the salt */ - params->salt_size = sizeof (params->salt); - result = - asn1_read_value (pbkdf2_asn, "salt.specified", params->salt, - ¶ms->salt_size); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto error; - } - _gnutls_hard_log ("salt.specified.size: %d\n", params->salt_size); - - /* read the iteration count - */ - result = - _gnutls_x509_read_uint (pbkdf2_asn, "iterationCount", - ¶ms->iter_count); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - goto error; - } - _gnutls_hard_log ("iterationCount: %d\n", params->iter_count); - - /* read the keylength, if it is set. - */ - result = - _gnutls_x509_read_uint (pbkdf2_asn, "keyLength", ¶ms->key_size); - if (result < 0) - { - params->key_size = 0; - } - _gnutls_hard_log ("keyLength: %d\n", params->key_size); - - /* We don't read the PRF. We only use the default. - */ - - result = 0; - -error: - asn1_delete_structure (&pbkdf2_asn); - return result; + int params_start, params_end; + int params_len, len, result; + ASN1_TYPE pbkdf2_asn = ASN1_TYPE_EMPTY; + char oid[64]; + + memset(params, 0, sizeof(*params)); + + /* Check the key derivation algorithm + */ + len = sizeof(oid); + result = + asn1_read_value(pbes2_asn, "keyDerivationFunc.algorithm", oid, + &len); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + _gnutls_hard_log("keyDerivationFunc.algorithm: %s\n", oid); + + if (strcmp(oid, PBKDF2_OID) != 0) { + gnutls_assert(); + _gnutls_debug_log + ("PKCS #8 key derivation OID '%s' is unsupported.\n", + oid); + return _gnutls_asn2err(result); + } + + result = + asn1_der_decoding_startEnd(pbes2_asn, der->data, der->size, + "keyDerivationFunc.parameters", + ¶ms_start, ¶ms_end); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + params_len = params_end - params_start + 1; + + /* Now check the key derivation and the encryption + * functions. + */ + if ((result = + asn1_create_element(_gnutls_get_pkix(), + "PKIX1.pkcs-5-PBKDF2-params", + &pbkdf2_asn)) != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + result = + asn1_der_decoding(&pbkdf2_asn, &der->data[params_start], + params_len, NULL); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + /* read the salt */ + params->salt_size = sizeof(params->salt); + result = + asn1_read_value(pbkdf2_asn, "salt.specified", params->salt, + ¶ms->salt_size); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + _gnutls_hard_log("salt.specified.size: %d\n", params->salt_size); + + /* read the iteration count + */ + result = + _gnutls_x509_read_uint(pbkdf2_asn, "iterationCount", + ¶ms->iter_count); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + goto error; + } + _gnutls_hard_log("iterationCount: %d\n", params->iter_count); + + /* read the keylength, if it is set. + */ + result = + _gnutls_x509_read_uint(pbkdf2_asn, "keyLength", + ¶ms->key_size); + if (result < 0) { + params->key_size = 0; + } + _gnutls_hard_log("keyLength: %d\n", params->key_size); + + /* We don't read the PRF. We only use the default. + */ + + result = 0; + + error: + asn1_delete_structure(&pbkdf2_asn); + return result; } /* Reads the PBE parameters from PKCS-12 schemas (*&#%*&#% RSA). */ static int -read_pkcs12_kdf_params (ASN1_TYPE pbes2_asn, struct pbkdf2_params *params) +read_pkcs12_kdf_params(ASN1_TYPE pbes2_asn, struct pbkdf2_params *params) { - int result; - - memset (params, 0, sizeof (*params)); - - /* read the salt */ - params->salt_size = sizeof (params->salt); - result = - asn1_read_value (pbes2_asn, "salt", params->salt, ¶ms->salt_size); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto error; - } - _gnutls_hard_log ("salt.size: %d\n", params->salt_size); - - /* read the iteration count - */ - result = - _gnutls_x509_read_uint (pbes2_asn, "iterations", ¶ms->iter_count); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - goto error; - } - _gnutls_hard_log ("iterationCount: %d\n", params->iter_count); - - params->key_size = 0; - - return 0; - -error: - return result; + int result; + + memset(params, 0, sizeof(*params)); + + /* read the salt */ + params->salt_size = sizeof(params->salt); + result = + asn1_read_value(pbes2_asn, "salt", params->salt, + ¶ms->salt_size); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + _gnutls_hard_log("salt.size: %d\n", params->salt_size); + + /* read the iteration count + */ + result = + _gnutls_x509_read_uint(pbes2_asn, "iterations", + ¶ms->iter_count); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + goto error; + } + _gnutls_hard_log("iterationCount: %d\n", params->iter_count); + + params->key_size = 0; + + return 0; + + error: + return result; } /* Writes the PBE parameters for PKCS-12 schemas. */ static int -write_pkcs12_kdf_params (ASN1_TYPE pbes2_asn, - const struct pbkdf2_params *kdf_params) +write_pkcs12_kdf_params(ASN1_TYPE pbes2_asn, + const struct pbkdf2_params *kdf_params) { - int result; - - /* write the salt - */ - result = - asn1_write_value (pbes2_asn, "salt", - kdf_params->salt, kdf_params->salt_size); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto error; - } - _gnutls_hard_log ("salt.size: %d\n", kdf_params->salt_size); - - /* write the iteration count - */ - result = - _gnutls_x509_write_uint32 (pbes2_asn, "iterations", - kdf_params->iter_count); - if (result < 0) - { - gnutls_assert (); - goto error; - } - _gnutls_hard_log ("iterationCount: %d\n", kdf_params->iter_count); - - return 0; - -error: - return result; + int result; + + /* write the salt + */ + result = + asn1_write_value(pbes2_asn, "salt", + kdf_params->salt, kdf_params->salt_size); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + _gnutls_hard_log("salt.size: %d\n", kdf_params->salt_size); + + /* write the iteration count + */ + result = + _gnutls_x509_write_uint32(pbes2_asn, "iterations", + kdf_params->iter_count); + if (result < 0) { + gnutls_assert(); + goto error; + } + _gnutls_hard_log("iterationCount: %d\n", kdf_params->iter_count); + + return 0; + + error: + return result; } @@ -1563,584 +1499,557 @@ error: /* Converts an OID to a gnutls cipher type. */ inline static int -oid2cipher (const char *oid, gnutls_cipher_algorithm_t * algo) +oid2cipher(const char *oid, gnutls_cipher_algorithm_t * algo) { - *algo = 0; - - if (strcmp (oid, DES_EDE3_CBC_OID) == 0) - { - *algo = GNUTLS_CIPHER_3DES_CBC; - return 0; - } - else if (strcmp (oid, DES_CBC_OID) == 0) - { - *algo = GNUTLS_CIPHER_DES_CBC; - return 0; - } - else if (strcmp (oid, AES_128_CBC_OID) == 0) - { - *algo = GNUTLS_CIPHER_AES_128_CBC; - return 0; - } - else if (strcmp (oid, AES_192_CBC_OID) == 0) - { - *algo = GNUTLS_CIPHER_AES_192_CBC; - return 0; - } - else if (strcmp (oid, AES_256_CBC_OID) == 0) - { - *algo = GNUTLS_CIPHER_AES_256_CBC; - return 0; - } - - _gnutls_debug_log ("PKCS #8 encryption OID '%s' is unsupported.\n", oid); - return GNUTLS_E_UNKNOWN_CIPHER_TYPE; + *algo = 0; + + if (strcmp(oid, DES_EDE3_CBC_OID) == 0) { + *algo = GNUTLS_CIPHER_3DES_CBC; + return 0; + } else if (strcmp(oid, DES_CBC_OID) == 0) { + *algo = GNUTLS_CIPHER_DES_CBC; + return 0; + } else if (strcmp(oid, AES_128_CBC_OID) == 0) { + *algo = GNUTLS_CIPHER_AES_128_CBC; + return 0; + } else if (strcmp(oid, AES_192_CBC_OID) == 0) { + *algo = GNUTLS_CIPHER_AES_192_CBC; + return 0; + } else if (strcmp(oid, AES_256_CBC_OID) == 0) { + *algo = GNUTLS_CIPHER_AES_256_CBC; + return 0; + } + + _gnutls_debug_log("PKCS #8 encryption OID '%s' is unsupported.\n", + oid); + return GNUTLS_E_UNKNOWN_CIPHER_TYPE; } static int -read_pbe_enc_params (ASN1_TYPE pbes2_asn, - const gnutls_datum_t * der, - struct pbe_enc_params *params) +read_pbe_enc_params(ASN1_TYPE pbes2_asn, + const gnutls_datum_t * der, + struct pbe_enc_params *params) { - int params_start, params_end; - int params_len, len, result; - ASN1_TYPE pbe_asn = ASN1_TYPE_EMPTY; - char oid[64]; - const char *eparams; - - memset (params, 0, sizeof (*params)); - - /* Check the encryption algorithm - */ - len = sizeof (oid); - result = - asn1_read_value (pbes2_asn, "encryptionScheme.algorithm", oid, &len); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - goto error; - } - _gnutls_hard_log ("encryptionScheme.algorithm: %s\n", oid); - - if ((result = oid2cipher (oid, ¶ms->cipher)) < 0) - { - gnutls_assert (); - goto error; - } - - result = - asn1_der_decoding_startEnd (pbes2_asn, der->data, der->size, - "encryptionScheme.parameters", - ¶ms_start, ¶ms_end); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - params_len = params_end - params_start + 1; - - /* Now check the encryption parameters. - */ - eparams = cipher_to_pkcs_params (params->cipher, NULL); - if (eparams == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - if ((result = - asn1_create_element (_gnutls_get_pkix (), - eparams, &pbe_asn)) != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - result = - asn1_der_decoding (&pbe_asn, &der->data[params_start], params_len, NULL); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto error; - } - - /* read the IV */ - params->iv_size = sizeof (params->iv); - result = asn1_read_value (pbe_asn, "", params->iv, ¶ms->iv_size); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto error; - } - _gnutls_hard_log ("IV.size: %d\n", params->iv_size); - - result = 0; - -error: - asn1_delete_structure (&pbe_asn); - return result; + int params_start, params_end; + int params_len, len, result; + ASN1_TYPE pbe_asn = ASN1_TYPE_EMPTY; + char oid[64]; + const char *eparams; + + memset(params, 0, sizeof(*params)); + + /* Check the encryption algorithm + */ + len = sizeof(oid); + result = + asn1_read_value(pbes2_asn, "encryptionScheme.algorithm", oid, + &len); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + goto error; + } + _gnutls_hard_log("encryptionScheme.algorithm: %s\n", oid); + + if ((result = oid2cipher(oid, ¶ms->cipher)) < 0) { + gnutls_assert(); + goto error; + } + + result = + asn1_der_decoding_startEnd(pbes2_asn, der->data, der->size, + "encryptionScheme.parameters", + ¶ms_start, ¶ms_end); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + params_len = params_end - params_start + 1; + + /* Now check the encryption parameters. + */ + eparams = cipher_to_pkcs_params(params->cipher, NULL); + if (eparams == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + if ((result = + asn1_create_element(_gnutls_get_pkix(), + eparams, &pbe_asn)) != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + result = + asn1_der_decoding(&pbe_asn, &der->data[params_start], + params_len, NULL); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + /* read the IV */ + params->iv_size = sizeof(params->iv); + result = + asn1_read_value(pbe_asn, "", params->iv, ¶ms->iv_size); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + _gnutls_hard_log("IV.size: %d\n", params->iv_size); + + result = 0; + + error: + asn1_delete_structure(&pbe_asn); + return result; } static int -decrypt_data (schema_id schema, ASN1_TYPE pkcs8_asn, - const char *root, const char *password, - const struct pbkdf2_params *kdf_params, - const struct pbe_enc_params *enc_params, - gnutls_datum_t * decrypted_data) +decrypt_data(schema_id schema, ASN1_TYPE pkcs8_asn, + const char *root, const char *password, + const struct pbkdf2_params *kdf_params, + const struct pbe_enc_params *enc_params, + gnutls_datum_t * decrypted_data) { - int result; - int data_size; - uint8_t *data = NULL, *key = NULL; - gnutls_datum_t dkey, d_iv; - cipher_hd_st ch; - int ch_init = 0; - int key_size; - unsigned int pass_len = 0; - - if (password) - pass_len = strlen(password); - - data_size = 0; - result = asn1_read_value (pkcs8_asn, root, NULL, &data_size); - if (result != ASN1_MEM_ERROR) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - data = gnutls_malloc (data_size); - if (data == NULL) - { - gnutls_assert (); - return GNUTLS_E_MEMORY_ERROR; - } - - result = asn1_read_value (pkcs8_asn, root, data, &data_size); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto error; - } - - if (kdf_params->key_size == 0) - { - key_size = gnutls_cipher_get_key_size (enc_params->cipher); - } - else - key_size = kdf_params->key_size; - - key = gnutls_malloc (key_size); - if (key == NULL) - { - gnutls_assert (); - result = GNUTLS_E_MEMORY_ERROR; - goto error; - } - - /* generate the key - */ - switch (schema) - { - case PBES2_3DES: - case PBES2_AES_128: - case PBES2_AES_192: - case PBES2_AES_256: - - result = _gnutls_pbkdf2_sha1 (password, pass_len, - kdf_params->salt, kdf_params->salt_size, - kdf_params->iter_count, key, key_size); - - if (result < 0) - { - gnutls_assert (); - goto error; - } - break; - default: - result = - _gnutls_pkcs12_string_to_key (1 /*KEY*/, kdf_params->salt, - kdf_params->salt_size, - kdf_params->iter_count, password, - key_size, key); - - if (result < 0) - { - gnutls_assert (); - goto error; - } - } - - /* do the decryption. - */ - dkey.data = key; - dkey.size = key_size; - - d_iv.data = (uint8_t *) enc_params->iv; - d_iv.size = enc_params->iv_size; - result = _gnutls_cipher_init (&ch, cipher_to_entry(enc_params->cipher), &dkey, &d_iv, 0); - - gnutls_free (key); - key = NULL; - - if (result < 0) - { - gnutls_assert (); - goto error; - } - - ch_init = 1; - - result = _gnutls_cipher_decrypt (&ch, data, data_size); - if (result < 0) - { - gnutls_assert (); - goto error; - } - - decrypted_data->data = data; - - if (gnutls_cipher_get_block_size (enc_params->cipher) != 1) - decrypted_data->size = data_size - data[data_size - 1]; - else - decrypted_data->size = data_size; - - _gnutls_cipher_deinit (&ch); - - return 0; - -error: - gnutls_free (data); - gnutls_free (key); - if (ch_init != 0) - _gnutls_cipher_deinit (&ch); - return result; + int result; + int data_size; + uint8_t *data = NULL, *key = NULL; + gnutls_datum_t dkey, d_iv; + cipher_hd_st ch; + int ch_init = 0; + int key_size; + unsigned int pass_len = 0; + + if (password) + pass_len = strlen(password); + + data_size = 0; + result = asn1_read_value(pkcs8_asn, root, NULL, &data_size); + if (result != ASN1_MEM_ERROR) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + data = gnutls_malloc(data_size); + if (data == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + result = asn1_read_value(pkcs8_asn, root, data, &data_size); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + if (kdf_params->key_size == 0) { + key_size = gnutls_cipher_get_key_size(enc_params->cipher); + } else + key_size = kdf_params->key_size; + + key = gnutls_malloc(key_size); + if (key == NULL) { + gnutls_assert(); + result = GNUTLS_E_MEMORY_ERROR; + goto error; + } + + /* generate the key + */ + switch (schema) { + case PBES2_3DES: + case PBES2_AES_128: + case PBES2_AES_192: + case PBES2_AES_256: + + result = _gnutls_pbkdf2_sha1(password, pass_len, + kdf_params->salt, + kdf_params->salt_size, + kdf_params->iter_count, key, + key_size); + + if (result < 0) { + gnutls_assert(); + goto error; + } + break; + default: + result = + _gnutls_pkcs12_string_to_key(1 /*KEY*/, + kdf_params->salt, + kdf_params->salt_size, + kdf_params->iter_count, + password, key_size, key); + + if (result < 0) { + gnutls_assert(); + goto error; + } + } + + /* do the decryption. + */ + dkey.data = key; + dkey.size = key_size; + + d_iv.data = (uint8_t *) enc_params->iv; + d_iv.size = enc_params->iv_size; + result = + _gnutls_cipher_init(&ch, cipher_to_entry(enc_params->cipher), + &dkey, &d_iv, 0); + + gnutls_free(key); + key = NULL; + + if (result < 0) { + gnutls_assert(); + goto error; + } + + ch_init = 1; + + result = _gnutls_cipher_decrypt(&ch, data, data_size); + if (result < 0) { + gnutls_assert(); + goto error; + } + + decrypted_data->data = data; + + if (gnutls_cipher_get_block_size(enc_params->cipher) != 1) + decrypted_data->size = data_size - data[data_size - 1]; + else + decrypted_data->size = data_size; + + _gnutls_cipher_deinit(&ch); + + return 0; + + error: + gnutls_free(data); + gnutls_free(key); + if (ch_init != 0) + _gnutls_cipher_deinit(&ch); + return result; } /* Writes the PBKDF2 parameters. */ static int -write_pbkdf2_params (ASN1_TYPE pbes2_asn, - const struct pbkdf2_params *kdf_params) +write_pbkdf2_params(ASN1_TYPE pbes2_asn, + const struct pbkdf2_params *kdf_params) { - int result; - ASN1_TYPE pbkdf2_asn = ASN1_TYPE_EMPTY; - uint8_t tmp[64]; - - /* Write the key derivation algorithm - */ - result = - asn1_write_value (pbes2_asn, "keyDerivationFunc.algorithm", - PBKDF2_OID, 1); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - /* Now write the key derivation and the encryption - * functions. - */ - if ((result = - asn1_create_element (_gnutls_get_pkix (), - "PKIX1.pkcs-5-PBKDF2-params", - &pbkdf2_asn)) != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - result = asn1_write_value (pbkdf2_asn, "salt", "specified", 1); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto error; - } - - /* write the salt - */ - result = - asn1_write_value (pbkdf2_asn, "salt.specified", - kdf_params->salt, kdf_params->salt_size); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto error; - } - _gnutls_hard_log ("salt.specified.size: %d\n", kdf_params->salt_size); - - /* write the iteration count - */ - _gnutls_write_uint32 (kdf_params->iter_count, tmp); - - result = asn1_write_value (pbkdf2_asn, "iterationCount", tmp, 4); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto error; - } - _gnutls_hard_log ("iterationCount: %d\n", kdf_params->iter_count); - - /* write the keylength, if it is set. - */ - result = asn1_write_value (pbkdf2_asn, "keyLength", NULL, 0); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto error; - } - - /* We write an emptry prf. - */ - result = asn1_write_value (pbkdf2_asn, "prf", NULL, 0); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto error; - } - - /* now encode them an put the DER output - * in the keyDerivationFunc.parameters - */ - result = _gnutls_x509_der_encode_and_copy (pbkdf2_asn, "", - pbes2_asn, - "keyDerivationFunc.parameters", - 0); - if (result < 0) - { - gnutls_assert (); - goto error; - } - - return 0; - -error: - asn1_delete_structure (&pbkdf2_asn); - return result; + int result; + ASN1_TYPE pbkdf2_asn = ASN1_TYPE_EMPTY; + uint8_t tmp[64]; + + /* Write the key derivation algorithm + */ + result = + asn1_write_value(pbes2_asn, "keyDerivationFunc.algorithm", + PBKDF2_OID, 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + /* Now write the key derivation and the encryption + * functions. + */ + if ((result = + asn1_create_element(_gnutls_get_pkix(), + "PKIX1.pkcs-5-PBKDF2-params", + &pbkdf2_asn)) != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + result = asn1_write_value(pbkdf2_asn, "salt", "specified", 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + /* write the salt + */ + result = + asn1_write_value(pbkdf2_asn, "salt.specified", + kdf_params->salt, kdf_params->salt_size); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + _gnutls_hard_log("salt.specified.size: %d\n", + kdf_params->salt_size); + + /* write the iteration count + */ + _gnutls_write_uint32(kdf_params->iter_count, tmp); + + result = asn1_write_value(pbkdf2_asn, "iterationCount", tmp, 4); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + _gnutls_hard_log("iterationCount: %d\n", kdf_params->iter_count); + + /* write the keylength, if it is set. + */ + result = asn1_write_value(pbkdf2_asn, "keyLength", NULL, 0); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + /* We write an emptry prf. + */ + result = asn1_write_value(pbkdf2_asn, "prf", NULL, 0); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + /* now encode them an put the DER output + * in the keyDerivationFunc.parameters + */ + result = _gnutls_x509_der_encode_and_copy(pbkdf2_asn, "", + pbes2_asn, + "keyDerivationFunc.parameters", + 0); + if (result < 0) { + gnutls_assert(); + goto error; + } + + return 0; + + error: + asn1_delete_structure(&pbkdf2_asn); + return result; } static int -write_pbe_enc_params (ASN1_TYPE pbes2_asn, - const struct pbe_enc_params *params) +write_pbe_enc_params(ASN1_TYPE pbes2_asn, + const struct pbe_enc_params *params) { - int result; - ASN1_TYPE pbe_asn = ASN1_TYPE_EMPTY; - const char *oid, *eparams; - - /* Write the encryption algorithm - */ - eparams = cipher_to_pkcs_params (params->cipher, &oid); - if (eparams == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - result = asn1_write_value (pbes2_asn, "encryptionScheme.algorithm", oid, 1); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - goto error; - } - _gnutls_hard_log ("encryptionScheme.algorithm: %s\n", oid); - - /* Now check the encryption parameters. - */ - if ((result = - asn1_create_element (_gnutls_get_pkix (), - eparams, &pbe_asn)) != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - /* read the salt */ - result = asn1_write_value (pbe_asn, "", params->iv, params->iv_size); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto error; - } - _gnutls_hard_log ("IV.size: %d\n", params->iv_size); - - /* now encode them an put the DER output - * in the encryptionScheme.parameters - */ - result = _gnutls_x509_der_encode_and_copy (pbe_asn, "", - pbes2_asn, - "encryptionScheme.parameters", - 0); - if (result < 0) - { - gnutls_assert (); - goto error; - } - - return 0; - -error: - asn1_delete_structure (&pbe_asn); - return result; + int result; + ASN1_TYPE pbe_asn = ASN1_TYPE_EMPTY; + const char *oid, *eparams; + + /* Write the encryption algorithm + */ + eparams = cipher_to_pkcs_params(params->cipher, &oid); + if (eparams == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + result = + asn1_write_value(pbes2_asn, "encryptionScheme.algorithm", oid, + 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + goto error; + } + _gnutls_hard_log("encryptionScheme.algorithm: %s\n", oid); + + /* Now check the encryption parameters. + */ + if ((result = + asn1_create_element(_gnutls_get_pkix(), + eparams, &pbe_asn)) != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + /* read the salt */ + result = + asn1_write_value(pbe_asn, "", params->iv, params->iv_size); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + _gnutls_hard_log("IV.size: %d\n", params->iv_size); + + /* now encode them an put the DER output + * in the encryptionScheme.parameters + */ + result = _gnutls_x509_der_encode_and_copy(pbe_asn, "", + pbes2_asn, + "encryptionScheme.parameters", + 0); + if (result < 0) { + gnutls_assert(); + goto error; + } + + return 0; + + error: + asn1_delete_structure(&pbe_asn); + return result; } /* Generates a key and also stores the key parameters. */ static int -generate_key (schema_id schema, - const char *password, - struct pbkdf2_params *kdf_params, - struct pbe_enc_params *enc_params, gnutls_datum_t * key) +generate_key(schema_id schema, + const char *password, + struct pbkdf2_params *kdf_params, + struct pbe_enc_params *enc_params, gnutls_datum_t * key) { - unsigned char rnd[2]; - unsigned int pass_len = 0; - int ret; - - if (password) - pass_len = strlen(password); - - ret = _gnutls_rnd (GNUTLS_RND_RANDOM, rnd, 2); - if (ret < 0) - { - gnutls_assert (); - return ret; - } - - /* generate salt */ - kdf_params->salt_size = - MIN (sizeof (kdf_params->salt), (unsigned) (10 + (rnd[1] % 10))); - - switch (schema) - { - case PBES2_3DES: - enc_params->cipher = GNUTLS_CIPHER_3DES_CBC; - break; - case PBES2_AES_128: - enc_params->cipher = GNUTLS_CIPHER_AES_128_CBC; - break; - case PBES2_AES_192: - enc_params->cipher = GNUTLS_CIPHER_AES_192_CBC; - break; - case PBES2_AES_256: - enc_params->cipher = GNUTLS_CIPHER_AES_256_CBC; - break; - /* non PBES2 algorithms */ - case PKCS12_ARCFOUR_SHA1: - enc_params->cipher = GNUTLS_CIPHER_ARCFOUR_128; - kdf_params->salt_size = 8; - break; - case PKCS12_3DES_SHA1: - enc_params->cipher = GNUTLS_CIPHER_3DES_CBC; - kdf_params->salt_size = 8; - break; - case PKCS12_RC2_40_SHA1: - enc_params->cipher = GNUTLS_CIPHER_RC2_40_CBC; - kdf_params->salt_size = 8; - break; - default: - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - ret = _gnutls_rnd (GNUTLS_RND_RANDOM, kdf_params->salt, - kdf_params->salt_size); - if (ret < 0) - { - gnutls_assert (); - return GNUTLS_E_RANDOM_FAILED; - } - - kdf_params->iter_count = 256 + rnd[0]; - key->size = kdf_params->key_size = - gnutls_cipher_get_key_size (enc_params->cipher); - - enc_params->iv_size = gnutls_cipher_get_iv_size (enc_params->cipher); - key->data = gnutls_malloc (key->size); - if (key->data == NULL) - { - gnutls_assert (); - return GNUTLS_E_MEMORY_ERROR; - } - - /* now generate the key. - */ - - switch (schema) - { - case PBES2_3DES: - case PBES2_AES_128: - case PBES2_AES_192: - case PBES2_AES_256: - - ret = _gnutls_pbkdf2_sha1 (password, pass_len, - kdf_params->salt, kdf_params->salt_size, - kdf_params->iter_count, - key->data, kdf_params->key_size); - if (ret < 0) - { - gnutls_assert (); - return ret; - } - - if (enc_params->iv_size) - { - ret = _gnutls_rnd (GNUTLS_RND_NONCE, - enc_params->iv, enc_params->iv_size); - if (ret < 0) - { - gnutls_assert (); - return ret; - } - } - break; - - default: - ret = - _gnutls_pkcs12_string_to_key (1 /*KEY*/, kdf_params->salt, - kdf_params->salt_size, - kdf_params->iter_count, password, - kdf_params->key_size, key->data); - if (ret < 0) - { - gnutls_assert (); - return ret; - } - - /* Now generate the IV - */ - if (enc_params->iv_size) - { - ret = - _gnutls_pkcs12_string_to_key (2 /*IV*/, kdf_params->salt, - kdf_params->salt_size, - kdf_params->iter_count, password, - enc_params->iv_size, - enc_params->iv); - if (ret < 0) - { - gnutls_assert (); - return ret; - } - } - } - - - return 0; + unsigned char rnd[2]; + unsigned int pass_len = 0; + int ret; + + if (password) + pass_len = strlen(password); + + ret = _gnutls_rnd(GNUTLS_RND_RANDOM, rnd, 2); + if (ret < 0) { + gnutls_assert(); + return ret; + } + + /* generate salt */ + kdf_params->salt_size = + MIN(sizeof(kdf_params->salt), (unsigned) (10 + (rnd[1] % 10))); + + switch (schema) { + case PBES2_3DES: + enc_params->cipher = GNUTLS_CIPHER_3DES_CBC; + break; + case PBES2_AES_128: + enc_params->cipher = GNUTLS_CIPHER_AES_128_CBC; + break; + case PBES2_AES_192: + enc_params->cipher = GNUTLS_CIPHER_AES_192_CBC; + break; + case PBES2_AES_256: + enc_params->cipher = GNUTLS_CIPHER_AES_256_CBC; + break; + /* non PBES2 algorithms */ + case PKCS12_ARCFOUR_SHA1: + enc_params->cipher = GNUTLS_CIPHER_ARCFOUR_128; + kdf_params->salt_size = 8; + break; + case PKCS12_3DES_SHA1: + enc_params->cipher = GNUTLS_CIPHER_3DES_CBC; + kdf_params->salt_size = 8; + break; + case PKCS12_RC2_40_SHA1: + enc_params->cipher = GNUTLS_CIPHER_RC2_40_CBC; + kdf_params->salt_size = 8; + break; + default: + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + ret = _gnutls_rnd(GNUTLS_RND_RANDOM, kdf_params->salt, + kdf_params->salt_size); + if (ret < 0) { + gnutls_assert(); + return GNUTLS_E_RANDOM_FAILED; + } + + kdf_params->iter_count = 256 + rnd[0]; + key->size = kdf_params->key_size = + gnutls_cipher_get_key_size(enc_params->cipher); + + enc_params->iv_size = + gnutls_cipher_get_iv_size(enc_params->cipher); + key->data = gnutls_malloc(key->size); + if (key->data == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + /* now generate the key. + */ + + switch (schema) { + case PBES2_3DES: + case PBES2_AES_128: + case PBES2_AES_192: + case PBES2_AES_256: + + ret = _gnutls_pbkdf2_sha1(password, pass_len, + kdf_params->salt, + kdf_params->salt_size, + kdf_params->iter_count, + key->data, kdf_params->key_size); + if (ret < 0) { + gnutls_assert(); + return ret; + } + + if (enc_params->iv_size) { + ret = _gnutls_rnd(GNUTLS_RND_NONCE, + enc_params->iv, + enc_params->iv_size); + if (ret < 0) { + gnutls_assert(); + return ret; + } + } + break; + + default: + ret = + _gnutls_pkcs12_string_to_key(1 /*KEY*/, + kdf_params->salt, + kdf_params->salt_size, + kdf_params->iter_count, + password, + kdf_params->key_size, + key->data); + if (ret < 0) { + gnutls_assert(); + return ret; + } + + /* Now generate the IV + */ + if (enc_params->iv_size) { + ret = + _gnutls_pkcs12_string_to_key(2 /*IV*/, + kdf_params->salt, + kdf_params-> + salt_size, + kdf_params-> + iter_count, + password, + enc_params-> + iv_size, + enc_params->iv); + if (ret < 0) { + gnutls_assert(); + return ret; + } + } + } + + + return 0; } @@ -2148,408 +2057,382 @@ generate_key (schema_id schema, * part. */ static int -write_schema_params (schema_id schema, ASN1_TYPE pkcs8_asn, - const char *where, - const struct pbkdf2_params *kdf_params, - const struct pbe_enc_params *enc_params) +write_schema_params(schema_id schema, ASN1_TYPE pkcs8_asn, + const char *where, + const struct pbkdf2_params *kdf_params, + const struct pbe_enc_params *enc_params) { - int result; - ASN1_TYPE pbes2_asn = ASN1_TYPE_EMPTY; - - switch (schema) - { - case PBES2_3DES: - case PBES2_AES_128: - case PBES2_AES_192: - case PBES2_AES_256: - if ((result = - asn1_create_element (_gnutls_get_pkix (), - "PKIX1.pkcs-5-PBES2-params", - &pbes2_asn)) != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - result = write_pbkdf2_params (pbes2_asn, kdf_params); - if (result < 0) - { - gnutls_assert (); - goto error; - } - - result = write_pbe_enc_params (pbes2_asn, enc_params); - if (result < 0) - { - gnutls_assert (); - goto error; - } - - result = _gnutls_x509_der_encode_and_copy (pbes2_asn, "", - pkcs8_asn, where, 0); - if (result < 0) - { - gnutls_assert (); - goto error; - } - - asn1_delete_structure (&pbes2_asn); - break; - - default: - - if ((result = - asn1_create_element (_gnutls_get_pkix (), - "PKIX1.pkcs-12-PbeParams", - &pbes2_asn)) != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto error; - } - - result = write_pkcs12_kdf_params (pbes2_asn, kdf_params); - if (result < 0) - { - gnutls_assert (); - goto error; - } - - result = _gnutls_x509_der_encode_and_copy (pbes2_asn, "", - pkcs8_asn, where, 0); - if (result < 0) - { - gnutls_assert (); - goto error; - } - - asn1_delete_structure (&pbes2_asn); - - } - - return 0; - -error: - asn1_delete_structure (&pbes2_asn); - return result; + int result; + ASN1_TYPE pbes2_asn = ASN1_TYPE_EMPTY; + + switch (schema) { + case PBES2_3DES: + case PBES2_AES_128: + case PBES2_AES_192: + case PBES2_AES_256: + if ((result = + asn1_create_element(_gnutls_get_pkix(), + "PKIX1.pkcs-5-PBES2-params", + &pbes2_asn)) != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + result = write_pbkdf2_params(pbes2_asn, kdf_params); + if (result < 0) { + gnutls_assert(); + goto error; + } + + result = write_pbe_enc_params(pbes2_asn, enc_params); + if (result < 0) { + gnutls_assert(); + goto error; + } + + result = _gnutls_x509_der_encode_and_copy(pbes2_asn, "", + pkcs8_asn, where, + 0); + if (result < 0) { + gnutls_assert(); + goto error; + } + + asn1_delete_structure(&pbes2_asn); + break; + + default: + + if ((result = + asn1_create_element(_gnutls_get_pkix(), + "PKIX1.pkcs-12-PbeParams", + &pbes2_asn)) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + result = write_pkcs12_kdf_params(pbes2_asn, kdf_params); + if (result < 0) { + gnutls_assert(); + goto error; + } + + result = _gnutls_x509_der_encode_and_copy(pbes2_asn, "", + pkcs8_asn, where, + 0); + if (result < 0) { + gnutls_assert(); + goto error; + } + + asn1_delete_structure(&pbes2_asn); + + } + + return 0; + + error: + asn1_delete_structure(&pbes2_asn); + return result; } static int -encrypt_data (const gnutls_datum_t * plain, - const struct pbe_enc_params *enc_params, - gnutls_datum_t * key, gnutls_datum_t * encrypted) +encrypt_data(const gnutls_datum_t * plain, + const struct pbe_enc_params *enc_params, + gnutls_datum_t * key, gnutls_datum_t * encrypted) { - int result; - int data_size; - uint8_t *data = NULL; - gnutls_datum_t d_iv; - cipher_hd_st ch; - int ch_init = 0; - uint8_t pad, pad_size; - - pad_size = gnutls_cipher_get_block_size (enc_params->cipher); - - if (pad_size == 1) /* stream */ - pad_size = 0; - - data = gnutls_malloc (plain->size + pad_size); - if (data == NULL) - { - gnutls_assert (); - return GNUTLS_E_MEMORY_ERROR; - } - - memcpy (data, plain->data, plain->size); - - if (pad_size > 0) - { - pad = pad_size - (plain->size % pad_size); - if (pad == 0) - pad = pad_size; - memset (&data[plain->size], pad, pad); - } - else - pad = 0; - - data_size = plain->size + pad; - - d_iv.data = (uint8_t *) enc_params->iv; - d_iv.size = enc_params->iv_size; - result = _gnutls_cipher_init (&ch, cipher_to_entry(enc_params->cipher), key, &d_iv, 1); - - if (result < 0) - { - gnutls_assert (); - goto error; - } - - ch_init = 1; - - result = _gnutls_cipher_encrypt (&ch, data, data_size); - if (result < 0) - { - gnutls_assert (); - goto error; - } - - encrypted->data = data; - encrypted->size = data_size; - - _gnutls_cipher_deinit (&ch); - - return 0; - -error: - gnutls_free (data); - if (ch_init != 0) - _gnutls_cipher_deinit (&ch); - return result; + int result; + int data_size; + uint8_t *data = NULL; + gnutls_datum_t d_iv; + cipher_hd_st ch; + int ch_init = 0; + uint8_t pad, pad_size; + + pad_size = gnutls_cipher_get_block_size(enc_params->cipher); + + if (pad_size == 1) /* stream */ + pad_size = 0; + + data = gnutls_malloc(plain->size + pad_size); + if (data == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + memcpy(data, plain->data, plain->size); + + if (pad_size > 0) { + pad = pad_size - (plain->size % pad_size); + if (pad == 0) + pad = pad_size; + memset(&data[plain->size], pad, pad); + } else + pad = 0; + + data_size = plain->size + pad; + + d_iv.data = (uint8_t *) enc_params->iv; + d_iv.size = enc_params->iv_size; + result = + _gnutls_cipher_init(&ch, cipher_to_entry(enc_params->cipher), + key, &d_iv, 1); + + if (result < 0) { + gnutls_assert(); + goto error; + } + + ch_init = 1; + + result = _gnutls_cipher_encrypt(&ch, data, data_size); + if (result < 0) { + gnutls_assert(); + goto error; + } + + encrypted->data = data; + encrypted->size = data_size; + + _gnutls_cipher_deinit(&ch); + + return 0; + + error: + gnutls_free(data); + if (ch_init != 0) + _gnutls_cipher_deinit(&ch); + return result; } /* Decrypts a PKCS #7 encryptedData. The output is allocated * and stored in dec. */ int -_gnutls_pkcs7_decrypt_data (const gnutls_datum_t * data, - const char *password, gnutls_datum_t * dec) +_gnutls_pkcs7_decrypt_data(const gnutls_datum_t * data, + const char *password, gnutls_datum_t * dec) { - int result, len; - char enc_oid[64]; - gnutls_datum_t tmp; - ASN1_TYPE pbes2_asn = ASN1_TYPE_EMPTY, pkcs7_asn = ASN1_TYPE_EMPTY; - int params_start, params_end, params_len; - struct pbkdf2_params kdf_params; - struct pbe_enc_params enc_params; - schema_id schema; - - if ((result = - asn1_create_element (_gnutls_get_pkix (), - "PKIX1.pkcs-7-EncryptedData", - &pkcs7_asn)) != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto error; - } - - result = asn1_der_decoding (&pkcs7_asn, data->data, data->size, NULL); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto error; - } - - /* Check the encryption schema OID - */ - len = sizeof (enc_oid); - result = - asn1_read_value (pkcs7_asn, - "encryptedContentInfo.contentEncryptionAlgorithm.algorithm", - enc_oid, &len); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto error; - } - - if ((result = check_schema (enc_oid)) < 0) - { - gnutls_assert (); - goto error; - } - schema = result; - - /* Get the DER encoding of the parameters. - */ - result = - asn1_der_decoding_startEnd (pkcs7_asn, data->data, data->size, - "encryptedContentInfo.contentEncryptionAlgorithm.parameters", - ¶ms_start, ¶ms_end); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto error; - } - params_len = params_end - params_start + 1; - - result = - read_pkcs_schema_params (&schema, password, - &data->data[params_start], - params_len, &kdf_params, &enc_params); - if (result < ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto error; - } - - /* Parameters have been decoded. Now - * decrypt the EncryptedData. - */ - - result = - decrypt_data (schema, pkcs7_asn, - "encryptedContentInfo.encryptedContent", password, - &kdf_params, &enc_params, &tmp); - if (result < 0) - { - gnutls_assert (); - goto error; - } - - asn1_delete_structure (&pkcs7_asn); - - *dec = tmp; - - return 0; - -error: - asn1_delete_structure (&pbes2_asn); - asn1_delete_structure (&pkcs7_asn); - return result; + int result, len; + char enc_oid[64]; + gnutls_datum_t tmp; + ASN1_TYPE pbes2_asn = ASN1_TYPE_EMPTY, pkcs7_asn = ASN1_TYPE_EMPTY; + int params_start, params_end, params_len; + struct pbkdf2_params kdf_params; + struct pbe_enc_params enc_params; + schema_id schema; + + if ((result = + asn1_create_element(_gnutls_get_pkix(), + "PKIX1.pkcs-7-EncryptedData", + &pkcs7_asn)) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + result = + asn1_der_decoding(&pkcs7_asn, data->data, data->size, NULL); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + /* Check the encryption schema OID + */ + len = sizeof(enc_oid); + result = + asn1_read_value(pkcs7_asn, + "encryptedContentInfo.contentEncryptionAlgorithm.algorithm", + enc_oid, &len); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + if ((result = check_schema(enc_oid)) < 0) { + gnutls_assert(); + goto error; + } + schema = result; + + /* Get the DER encoding of the parameters. + */ + result = + asn1_der_decoding_startEnd(pkcs7_asn, data->data, data->size, + "encryptedContentInfo.contentEncryptionAlgorithm.parameters", + ¶ms_start, ¶ms_end); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + params_len = params_end - params_start + 1; + + result = + read_pkcs_schema_params(&schema, password, + &data->data[params_start], + params_len, &kdf_params, &enc_params); + if (result < ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + /* Parameters have been decoded. Now + * decrypt the EncryptedData. + */ + + result = + decrypt_data(schema, pkcs7_asn, + "encryptedContentInfo.encryptedContent", password, + &kdf_params, &enc_params, &tmp); + if (result < 0) { + gnutls_assert(); + goto error; + } + + asn1_delete_structure(&pkcs7_asn); + + *dec = tmp; + + return 0; + + error: + asn1_delete_structure(&pbes2_asn); + asn1_delete_structure(&pkcs7_asn); + return result; } /* Encrypts to a PKCS #7 encryptedData. The output is allocated * and stored in enc. */ int -_gnutls_pkcs7_encrypt_data (schema_id schema, - const gnutls_datum_t * data, - const char *password, gnutls_datum_t * enc) +_gnutls_pkcs7_encrypt_data(schema_id schema, + const gnutls_datum_t * data, + const char *password, gnutls_datum_t * enc) { - int result; - gnutls_datum_t key = { NULL, 0 }; - gnutls_datum_t tmp = { NULL, 0 }; - ASN1_TYPE pkcs7_asn = ASN1_TYPE_EMPTY; - struct pbkdf2_params kdf_params; - struct pbe_enc_params enc_params; - const char *str_oid; - - if ((result = - asn1_create_element (_gnutls_get_pkix (), - "PKIX1.pkcs-7-EncryptedData", - &pkcs7_asn)) != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto error; - } - - /* Write the encryption schema OID - */ - result = schema_to_oid (schema, &str_oid); - if (result < 0) - { - gnutls_assert (); - return result; - } - - result = - asn1_write_value (pkcs7_asn, - "encryptedContentInfo.contentEncryptionAlgorithm.algorithm", - str_oid, 1); - - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto error; - } - - /* Generate a symmetric key. - */ - - result = generate_key (schema, password, &kdf_params, &enc_params, &key); - if (result < 0) - { - gnutls_assert (); - goto error; - } - - result = write_schema_params (schema, pkcs7_asn, - "encryptedContentInfo.contentEncryptionAlgorithm.parameters", - &kdf_params, &enc_params); - if (result < 0) - { - gnutls_assert (); - goto error; - } - - /* Parameters have been encoded. Now - * encrypt the Data. - */ - result = encrypt_data (data, &enc_params, &key, &tmp); - if (result < 0) - { - gnutls_assert (); - goto error; - } - - /* write the encrypted data. - */ - result = - asn1_write_value (pkcs7_asn, - "encryptedContentInfo.encryptedContent", tmp.data, - tmp.size); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto error; - } - - _gnutls_free_datum (&tmp); - _gnutls_free_datum (&key); - - /* Now write the rest of the pkcs-7 stuff. - */ - - result = _gnutls_x509_write_uint32 (pkcs7_asn, "version", 0); - if (result < 0) - { - gnutls_assert (); - goto error; - } - - result = - asn1_write_value (pkcs7_asn, "encryptedContentInfo.contentType", - DATA_OID, 1); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto error; - } - - result = asn1_write_value (pkcs7_asn, "unprotectedAttrs", NULL, 0); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto error; - } - - /* Now encode and copy the DER stuff. - */ - result = _gnutls_x509_der_encode (pkcs7_asn, "", enc, 0); - - asn1_delete_structure (&pkcs7_asn); - - if (result < 0) - { - gnutls_assert (); - goto error; - } - - -error: - _gnutls_free_datum (&key); - _gnutls_free_datum (&tmp); - asn1_delete_structure (&pkcs7_asn); - return result; + int result; + gnutls_datum_t key = { NULL, 0 }; + gnutls_datum_t tmp = { NULL, 0 }; + ASN1_TYPE pkcs7_asn = ASN1_TYPE_EMPTY; + struct pbkdf2_params kdf_params; + struct pbe_enc_params enc_params; + const char *str_oid; + + if ((result = + asn1_create_element(_gnutls_get_pkix(), + "PKIX1.pkcs-7-EncryptedData", + &pkcs7_asn)) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + /* Write the encryption schema OID + */ + result = schema_to_oid(schema, &str_oid); + if (result < 0) { + gnutls_assert(); + return result; + } + + result = + asn1_write_value(pkcs7_asn, + "encryptedContentInfo.contentEncryptionAlgorithm.algorithm", + str_oid, 1); + + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + /* Generate a symmetric key. + */ + + result = + generate_key(schema, password, &kdf_params, &enc_params, &key); + if (result < 0) { + gnutls_assert(); + goto error; + } + + result = write_schema_params(schema, pkcs7_asn, + "encryptedContentInfo.contentEncryptionAlgorithm.parameters", + &kdf_params, &enc_params); + if (result < 0) { + gnutls_assert(); + goto error; + } + + /* Parameters have been encoded. Now + * encrypt the Data. + */ + result = encrypt_data(data, &enc_params, &key, &tmp); + if (result < 0) { + gnutls_assert(); + goto error; + } + + /* write the encrypted data. + */ + result = + asn1_write_value(pkcs7_asn, + "encryptedContentInfo.encryptedContent", + tmp.data, tmp.size); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + _gnutls_free_datum(&tmp); + _gnutls_free_datum(&key); + + /* Now write the rest of the pkcs-7 stuff. + */ + + result = _gnutls_x509_write_uint32(pkcs7_asn, "version", 0); + if (result < 0) { + gnutls_assert(); + goto error; + } + + result = + asn1_write_value(pkcs7_asn, "encryptedContentInfo.contentType", + DATA_OID, 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + result = asn1_write_value(pkcs7_asn, "unprotectedAttrs", NULL, 0); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + /* Now encode and copy the DER stuff. + */ + result = _gnutls_x509_der_encode(pkcs7_asn, "", enc, 0); + + asn1_delete_structure(&pkcs7_asn); + + if (result < 0) { + gnutls_assert(); + goto error; + } + + + error: + _gnutls_free_datum(&key); + _gnutls_free_datum(&tmp); + asn1_delete_structure(&pkcs7_asn); + return result; } - diff --git a/lib/x509/rfc2818_hostname.c b/lib/x509/rfc2818_hostname.c index 52fd1db35b..6876d1ef53 100644 --- a/lib/x509/rfc2818_hostname.c +++ b/lib/x509/rfc2818_hostname.c @@ -38,67 +38,66 @@ * Returns: non-zero for a successful match, and zero on failure. **/ int -gnutls_x509_crt_check_hostname (gnutls_x509_crt_t cert, const char *hostname) +gnutls_x509_crt_check_hostname(gnutls_x509_crt_t cert, + const char *hostname) { - char dnsname[MAX_CN]; - size_t dnsnamesize; - int found_dnsname = 0; - int ret = 0; - int i = 0; + char dnsname[MAX_CN]; + size_t dnsnamesize; + int found_dnsname = 0; + int ret = 0; + int i = 0; - /* try matching against: - * 1) a DNS name as an alternative name (subjectAltName) extension - * in the certificate - * 2) the common name (CN) in the certificate - * - * either of these may be of the form: *.domain.tld - * - * only try (2) if there is no subjectAltName extension of - * type dNSName - */ + /* try matching against: + * 1) a DNS name as an alternative name (subjectAltName) extension + * in the certificate + * 2) the common name (CN) in the certificate + * + * either of these may be of the form: *.domain.tld + * + * only try (2) if there is no subjectAltName extension of + * type dNSName + */ - /* Check through all included subjectAltName extensions, comparing - * against all those of type dNSName. - */ - for (i = 0; !(ret < 0); i++) - { + /* Check through all included subjectAltName extensions, comparing + * against all those of type dNSName. + */ + for (i = 0; !(ret < 0); i++) { - dnsnamesize = sizeof (dnsname); - ret = gnutls_x509_crt_get_subject_alt_name (cert, i, - dnsname, &dnsnamesize, - NULL); + dnsnamesize = sizeof(dnsname); + ret = gnutls_x509_crt_get_subject_alt_name(cert, i, + dnsname, + &dnsnamesize, + NULL); - if (ret == GNUTLS_SAN_DNSNAME) - { - found_dnsname = 1; - if (_gnutls_hostname_compare (dnsname, dnsnamesize, hostname, 0)) - { - return 1; - } - } - } + if (ret == GNUTLS_SAN_DNSNAME) { + found_dnsname = 1; + if (_gnutls_hostname_compare + (dnsname, dnsnamesize, hostname, 0)) { + return 1; + } + } + } - if (!found_dnsname) - { - /* not got the necessary extension, use CN instead - */ - dnsnamesize = sizeof (dnsname); - if (gnutls_x509_crt_get_dn_by_oid (cert, OID_X520_COMMON_NAME, 0, - 0, dnsname, &dnsnamesize) < 0) - { - /* got an error, can't find a name - */ - return 0; - } + if (!found_dnsname) { + /* not got the necessary extension, use CN instead + */ + dnsnamesize = sizeof(dnsname); + if (gnutls_x509_crt_get_dn_by_oid + (cert, OID_X520_COMMON_NAME, 0, 0, dnsname, + &dnsnamesize) < 0) { + /* got an error, can't find a name + */ + return 0; + } - if (_gnutls_hostname_compare (dnsname, dnsnamesize, hostname, 0)) - { - return 1; - } - } + if (_gnutls_hostname_compare + (dnsname, dnsnamesize, hostname, 0)) { + return 1; + } + } - /* not found a matching name - */ - return 0; + /* not found a matching name + */ + return 0; } diff --git a/lib/x509/sign.c b/lib/x509/sign.c index 4bc092dbe4..d924ad4209 100644 --- a/lib/x509/sign.c +++ b/lib/x509/sign.c @@ -29,7 +29,7 @@ #include <gnutls_errors.h> #include <libtasn1.h> #include <gnutls_global.h> -#include <gnutls_num.h> /* MAX */ +#include <gnutls_num.h> /* MAX */ #include <gnutls_sig.h> #include <gnutls_str.h> #include <gnutls_datum.h> @@ -42,36 +42,34 @@ * of the TBS and sign it on the fly. */ int -_gnutls_x509_get_tbs (ASN1_TYPE cert, const char *tbs_name, - gnutls_datum_t * tbs) +_gnutls_x509_get_tbs(ASN1_TYPE cert, const char *tbs_name, + gnutls_datum_t * tbs) { - int result; - uint8_t *buf; - int buf_size; + int result; + uint8_t *buf; + int buf_size; - buf_size = 0; - asn1_der_coding (cert, tbs_name, NULL, &buf_size, NULL); + buf_size = 0; + asn1_der_coding(cert, tbs_name, NULL, &buf_size, NULL); - buf = gnutls_malloc (buf_size); - if (buf == NULL) - { - gnutls_assert (); - return GNUTLS_E_MEMORY_ERROR; - } + buf = gnutls_malloc(buf_size); + if (buf == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } - result = asn1_der_coding (cert, tbs_name, buf, &buf_size, NULL); + result = asn1_der_coding(cert, tbs_name, buf, &buf_size, NULL); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - gnutls_free (buf); - return _gnutls_asn2err (result); - } + if (result != ASN1_SUCCESS) { + gnutls_assert(); + gnutls_free(buf); + return _gnutls_asn2err(result); + } - tbs->data = buf; - tbs->size = buf_size; + tbs->data = buf; + tbs->size = buf_size; - return 0; + return 0; } /*- @@ -87,86 +85,84 @@ _gnutls_x509_get_tbs (ASN1_TYPE cert, const char *tbs_name, * negative error value. -*/ int -_gnutls_x509_pkix_sign (ASN1_TYPE src, const char *src_name, - gnutls_digest_algorithm_t dig, - gnutls_x509_crt_t issuer, gnutls_privkey_t issuer_key) +_gnutls_x509_pkix_sign(ASN1_TYPE src, const char *src_name, + gnutls_digest_algorithm_t dig, + gnutls_x509_crt_t issuer, + gnutls_privkey_t issuer_key) { - int result; - gnutls_datum_t signature; - gnutls_datum_t tbs; - char name[128]; - - /* Step 1. Copy the issuer's name into the certificate. - */ - _gnutls_str_cpy (name, sizeof (name), src_name); - _gnutls_str_cat (name, sizeof (name), ".issuer"); - - result = asn1_copy_node (src, name, issuer->cert, "tbsCertificate.subject"); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - /* Step 1.5. Write the signature stuff in the tbsCertificate. - */ - _gnutls_str_cpy (name, sizeof (name), src_name); - _gnutls_str_cat (name, sizeof (name), ".signature"); - - result = _gnutls_x509_write_sig_params (src, name, - gnutls_privkey_get_pk_algorithm - (issuer_key, NULL), dig); - if (result < 0) - { - gnutls_assert (); - return result; - } - - /* Step 2. Sign the certificate. - */ - result = _gnutls_x509_get_tbs (src, src_name, &tbs); - - if (result < 0) - { - gnutls_assert (); - return result; - } - - result = gnutls_privkey_sign_data (issuer_key, dig, 0, &tbs, &signature); - gnutls_free (tbs.data); - - if (result < 0) - { - gnutls_assert (); - return result; - } - - /* write the signature (bits) - */ - result = - asn1_write_value (src, "signature", signature.data, signature.size * 8); - - _gnutls_free_datum (&signature); - - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - /* Step 3. Move up and write the AlgorithmIdentifier, which is also - * the same. - */ - - result = _gnutls_x509_write_sig_params (src, "signatureAlgorithm", - gnutls_privkey_get_pk_algorithm - (issuer_key, NULL), dig); - if (result < 0) - { - gnutls_assert (); - return result; - } - - return 0; + int result; + gnutls_datum_t signature; + gnutls_datum_t tbs; + char name[128]; + + /* Step 1. Copy the issuer's name into the certificate. + */ + _gnutls_str_cpy(name, sizeof(name), src_name); + _gnutls_str_cat(name, sizeof(name), ".issuer"); + + result = + asn1_copy_node(src, name, issuer->cert, + "tbsCertificate.subject"); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + /* Step 1.5. Write the signature stuff in the tbsCertificate. + */ + _gnutls_str_cpy(name, sizeof(name), src_name); + _gnutls_str_cat(name, sizeof(name), ".signature"); + + result = _gnutls_x509_write_sig_params(src, name, + gnutls_privkey_get_pk_algorithm + (issuer_key, NULL), dig); + if (result < 0) { + gnutls_assert(); + return result; + } + + /* Step 2. Sign the certificate. + */ + result = _gnutls_x509_get_tbs(src, src_name, &tbs); + + if (result < 0) { + gnutls_assert(); + return result; + } + + result = + gnutls_privkey_sign_data(issuer_key, dig, 0, &tbs, &signature); + gnutls_free(tbs.data); + + if (result < 0) { + gnutls_assert(); + return result; + } + + /* write the signature (bits) + */ + result = + asn1_write_value(src, "signature", signature.data, + signature.size * 8); + + _gnutls_free_datum(&signature); + + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + /* Step 3. Move up and write the AlgorithmIdentifier, which is also + * the same. + */ + + result = _gnutls_x509_write_sig_params(src, "signatureAlgorithm", + gnutls_privkey_get_pk_algorithm + (issuer_key, NULL), dig); + if (result < 0) { + gnutls_assert(); + return result; + } + + return 0; } - diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c index 71abe45d11..72e6656519 100644 --- a/lib/x509/verify-high.c +++ b/lib/x509/verify-high.c @@ -24,7 +24,7 @@ #include <gnutls_errors.h> #include <libtasn1.h> #include <gnutls_global.h> -#include <gnutls_num.h> /* MAX */ +#include <gnutls_num.h> /* MAX */ #include <gnutls_sig.h> #include <gnutls_str.h> #include <gnutls_datum.h> @@ -34,27 +34,27 @@ #include "verify-high.h" struct named_cert_st { - gnutls_x509_crt_t cert; - uint8_t name[MAX_SERVER_NAME_SIZE]; - unsigned int name_size; + gnutls_x509_crt_t cert; + uint8_t name[MAX_SERVER_NAME_SIZE]; + unsigned int name_size; }; struct node_st { - /* The trusted certificates */ - gnutls_x509_crt_t *trusted_cas; - unsigned int trusted_ca_size; + /* The trusted certificates */ + gnutls_x509_crt_t *trusted_cas; + unsigned int trusted_ca_size; - struct named_cert_st *named_certs; - unsigned int named_cert_size; + struct named_cert_st *named_certs; + unsigned int named_cert_size; - /* The trusted CRLs */ - gnutls_x509_crl_t *crls; - unsigned int crl_size; + /* The trusted CRLs */ + gnutls_x509_crl_t *crls; + unsigned int crl_size; }; struct gnutls_x509_trust_list_st { - unsigned int size; - struct node_st *node; + unsigned int size; + struct node_st *node; }; #define DEFAULT_SIZE 127 @@ -73,28 +73,28 @@ struct gnutls_x509_trust_list_st { **/ int gnutls_x509_trust_list_init(gnutls_x509_trust_list_t * list, - unsigned int size) + unsigned int size) { - gnutls_x509_trust_list_t tmp = - gnutls_calloc(1, sizeof(struct gnutls_x509_trust_list_st)); + gnutls_x509_trust_list_t tmp = + gnutls_calloc(1, sizeof(struct gnutls_x509_trust_list_st)); - if (!tmp) - return GNUTLS_E_MEMORY_ERROR; + if (!tmp) + return GNUTLS_E_MEMORY_ERROR; - if (size == 0) - size = DEFAULT_SIZE; - tmp->size = size; + if (size == 0) + size = DEFAULT_SIZE; + tmp->size = size; - tmp->node = gnutls_calloc(1, tmp->size * sizeof(tmp->node[0])); - if (tmp->node == NULL) { - gnutls_assert(); - gnutls_free(tmp); - return GNUTLS_E_MEMORY_ERROR; - } + tmp->node = gnutls_calloc(1, tmp->size * sizeof(tmp->node[0])); + if (tmp->node == NULL) { + gnutls_assert(); + gnutls_free(tmp); + return GNUTLS_E_MEMORY_ERROR; + } - *list = tmp; + *list = tmp; - return 0; /* success */ + return 0; /* success */ } /** @@ -108,35 +108,39 @@ gnutls_x509_trust_list_init(gnutls_x509_trust_list_t * list, **/ void gnutls_x509_trust_list_deinit(gnutls_x509_trust_list_t list, - unsigned int all) + unsigned int all) { - unsigned int i, j; - - if (!list) - return; - - for (i = 0; i < list->size; i++) { - if (all) - for (j = 0; j < list->node[i].trusted_ca_size; j++) { - gnutls_x509_crt_deinit(list->node[i].trusted_cas[j]); - } - gnutls_free(list->node[i].trusted_cas); - - if (all) - for (j = 0; j < list->node[i].crl_size; j++) { - gnutls_x509_crl_deinit(list->node[i].crls[j]); - } - gnutls_free(list->node[i].crls); - - if (all) - for (j = 0; j < list->node[i].named_cert_size; j++) { - gnutls_x509_crt_deinit(list->node[i].named_certs[j].cert); - } - gnutls_free(list->node[i].named_certs); - } - - gnutls_free(list->node); - gnutls_free(list); + unsigned int i, j; + + if (!list) + return; + + for (i = 0; i < list->size; i++) { + if (all) + for (j = 0; j < list->node[i].trusted_ca_size; j++) { + gnutls_x509_crt_deinit(list->node[i]. + trusted_cas[j]); + } + gnutls_free(list->node[i].trusted_cas); + + if (all) + for (j = 0; j < list->node[i].crl_size; j++) { + gnutls_x509_crl_deinit(list->node[i]. + crls[j]); + } + gnutls_free(list->node[i].crls); + + if (all) + for (j = 0; j < list->node[i].named_cert_size; j++) { + gnutls_x509_crt_deinit(list->node[i]. + named_certs[j]. + cert); + } + gnutls_free(list->node[i].named_certs); + } + + gnutls_free(list->node); + gnutls_free(list); } /** @@ -156,32 +160,35 @@ gnutls_x509_trust_list_deinit(gnutls_x509_trust_list_t list, **/ int gnutls_x509_trust_list_add_cas(gnutls_x509_trust_list_t list, - const gnutls_x509_crt_t * clist, - int clist_size, unsigned int flags) + const gnutls_x509_crt_t * clist, + int clist_size, unsigned int flags) { - int i; - uint32_t hash; - - for (i = 0; i < clist_size; i++) { - hash = hash_pjw_bare(clist[i]->raw_dn.data, clist[i]->raw_dn.size); - hash %= list->size; - - list->node[hash].trusted_cas = - gnutls_realloc_fast(list->node[hash].trusted_cas, - (list->node[hash].trusted_ca_size + - 1) * - sizeof(list->node[hash].trusted_cas[0])); - if (list->node[hash].trusted_cas == NULL) { - gnutls_assert(); - return i; - } - - list->node[hash].trusted_cas[list->node[hash].trusted_ca_size] = - clist[i]; - list->node[hash].trusted_ca_size++; - } - - return i; + int i; + uint32_t hash; + + for (i = 0; i < clist_size; i++) { + hash = + hash_pjw_bare(clist[i]->raw_dn.data, + clist[i]->raw_dn.size); + hash %= list->size; + + list->node[hash].trusted_cas = + gnutls_realloc_fast(list->node[hash].trusted_cas, + (list->node[hash].trusted_ca_size + + 1) * + sizeof(list->node[hash]. + trusted_cas[0])); + if (list->node[hash].trusted_cas == NULL) { + gnutls_assert(); + return i; + } + + list->node[hash].trusted_cas[list->node[hash]. + trusted_ca_size] = clist[i]; + list->node[hash].trusted_ca_size++; + } + + return i; } /** @@ -199,32 +206,38 @@ gnutls_x509_trust_list_add_cas(gnutls_x509_trust_list_t list, **/ int gnutls_x509_trust_list_remove_cas(gnutls_x509_trust_list_t list, - const gnutls_x509_crt_t * clist, - int clist_size) + const gnutls_x509_crt_t * clist, + int clist_size) { - int i, r = 0; - unsigned j; - uint32_t hash; - - for (i = 0; i < clist_size; i++) - { - hash = hash_pjw_bare(clist[i]->raw_dn.data, clist[i]->raw_dn.size); - hash %= list->size; - - for (j=0;j<list->node[hash].trusted_ca_size;j++) - { - if (_gnutls_check_if_same_cert(clist[i], list->node[hash].trusted_cas[j]) != 0) - { - gnutls_x509_crt_deinit(list->node[hash].trusted_cas[j]); - list->node[hash].trusted_cas[j] = - list->node[hash].trusted_cas[list->node[hash].trusted_ca_size-1]; - list->node[hash].trusted_ca_size--; - r++; - } - } - } - - return r; + int i, r = 0; + unsigned j; + uint32_t hash; + + for (i = 0; i < clist_size; i++) { + hash = + hash_pjw_bare(clist[i]->raw_dn.data, + clist[i]->raw_dn.size); + hash %= list->size; + + for (j = 0; j < list->node[hash].trusted_ca_size; j++) { + if (_gnutls_check_if_same_cert + (clist[i], + list->node[hash].trusted_cas[j]) != 0) { + gnutls_x509_crt_deinit(list->node[hash]. + trusted_cas[j]); + list->node[hash].trusted_cas[j] = + list->node[hash].trusted_cas[list-> + node + [hash]. + trusted_ca_size + - 1]; + list->node[hash].trusted_ca_size--; + r++; + } + } + } + + return r; } /** @@ -254,35 +267,40 @@ gnutls_x509_trust_list_remove_cas(gnutls_x509_trust_list_t list, **/ int gnutls_x509_trust_list_add_named_crt(gnutls_x509_trust_list_t list, - gnutls_x509_crt_t cert, - const void *name, size_t name_size, - unsigned int flags) + gnutls_x509_crt_t cert, + const void *name, size_t name_size, + unsigned int flags) { - uint32_t hash; - - if (name_size >= MAX_SERVER_NAME_SIZE) - return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); - - hash = hash_pjw_bare(cert->raw_issuer_dn.data, cert->raw_issuer_dn.size); - hash %= list->size; - - list->node[hash].named_certs = - gnutls_realloc_fast(list->node[hash].named_certs, - (list->node[hash].named_cert_size + - 1) * sizeof(list->node[hash].named_certs[0])); - if (list->node[hash].named_certs == NULL) - return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); - - list->node[hash].named_certs[list->node[hash].named_cert_size].cert = - cert; - memcpy(list->node[hash].named_certs[list->node[hash].named_cert_size]. - name, name, name_size); - list->node[hash].named_certs[list->node[hash].named_cert_size]. - name_size = name_size; - - list->node[hash].named_cert_size++; - - return 0; + uint32_t hash; + + if (name_size >= MAX_SERVER_NAME_SIZE) + return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); + + hash = + hash_pjw_bare(cert->raw_issuer_dn.data, + cert->raw_issuer_dn.size); + hash %= list->size; + + list->node[hash].named_certs = + gnutls_realloc_fast(list->node[hash].named_certs, + (list->node[hash].named_cert_size + + 1) * + sizeof(list->node[hash].named_certs[0])); + if (list->node[hash].named_certs == NULL) + return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); + + list->node[hash].named_certs[list->node[hash].named_cert_size]. + cert = cert; + memcpy(list->node[hash]. + named_certs[list->node[hash].named_cert_size].name, name, + name_size); + list->node[hash].named_certs[list->node[hash]. + named_cert_size].name_size = + name_size; + + list->node[hash].named_cert_size++; + + return 0; } /** @@ -306,51 +324,58 @@ gnutls_x509_trust_list_add_named_crt(gnutls_x509_trust_list_t list, **/ int gnutls_x509_trust_list_add_crls(gnutls_x509_trust_list_t list, - const gnutls_x509_crl_t * crl_list, - int crl_size, unsigned int flags, - unsigned int verification_flags) + const gnutls_x509_crl_t * crl_list, + int crl_size, unsigned int flags, + unsigned int verification_flags) { - int ret, i, j = 0; - unsigned int vret = 0; - uint32_t hash; - - /* Probably we can optimize things such as removing duplicates - * etc. - */ - if (crl_size == 0 || crl_list == NULL) - return 0; - - for (i = 0; i < crl_size; i++) { - hash = hash_pjw_bare(crl_list[i]->raw_issuer_dn.data, crl_list[i]->raw_issuer_dn.size); - hash %= list->size; - - if (flags & GNUTLS_TL_VERIFY_CRL) { - - ret = - gnutls_x509_crl_verify(crl_list[i], - list->node[hash].trusted_cas, - list->node[hash].trusted_ca_size, - verification_flags, &vret); - if (ret < 0 || vret != 0) - continue; - } - - list->node[hash].crls = - gnutls_realloc_fast(list->node[hash].crls, - (list->node[hash].crl_size + - 1) * - sizeof(list->node[hash].trusted_cas[0])); - if (list->node[hash].crls == NULL) { - gnutls_assert(); - return i; - } - - list->node[hash].crls[list->node[hash].crl_size] = crl_list[i]; - list->node[hash].crl_size++; - j++; - } - - return j; + int ret, i, j = 0; + unsigned int vret = 0; + uint32_t hash; + + /* Probably we can optimize things such as removing duplicates + * etc. + */ + if (crl_size == 0 || crl_list == NULL) + return 0; + + for (i = 0; i < crl_size; i++) { + hash = + hash_pjw_bare(crl_list[i]->raw_issuer_dn.data, + crl_list[i]->raw_issuer_dn.size); + hash %= list->size; + + if (flags & GNUTLS_TL_VERIFY_CRL) { + + ret = + gnutls_x509_crl_verify(crl_list[i], + list->node[hash]. + trusted_cas, + list->node[hash]. + trusted_ca_size, + verification_flags, + &vret); + if (ret < 0 || vret != 0) + continue; + } + + list->node[hash].crls = + gnutls_realloc_fast(list->node[hash].crls, + (list->node[hash].crl_size + + 1) * + sizeof(list->node[hash]. + trusted_cas[0])); + if (list->node[hash].crls == NULL) { + gnutls_assert(); + return i; + } + + list->node[hash].crls[list->node[hash].crl_size] = + crl_list[i]; + list->node[hash].crl_size++; + j++; + } + + return j; } /* Takes a certificate list and shortens it if there are @@ -361,51 +386,53 @@ gnutls_x509_trust_list_add_crls(gnutls_x509_trust_list_t list, * Returns the new size of the list or a negative number on error. */ static int shorten_clist(gnutls_x509_trust_list_t list, - gnutls_x509_crt_t * certificate_list, - unsigned int clist_size) + gnutls_x509_crt_t * certificate_list, + unsigned int clist_size) { - unsigned int j, i; - uint32_t hash; - - if (clist_size > 1) { - /* Check if the last certificate in the path is self signed. - * In that case ignore it (a certificate is trusted only if it - * leads to a trusted party by us, not the server's). - * - * This prevents from verifying self signed certificates against - * themselves. This (although not bad) caused verification - * failures on some root self signed certificates that use the - * MD2 algorithm. - */ - if (gnutls_x509_crt_check_issuer(certificate_list[clist_size - 1], - certificate_list[clist_size - - 1]) != 0) { - clist_size--; - } - } - - /* We want to shorten the chain by removing the cert that matches - * one of the certs we trust and all the certs after that i.e. if - * cert chain is A signed-by B signed-by C signed-by D (signed-by - * self-signed E but already removed above), and we trust B, remove - * B, C and D. */ - for (i = 1; i < clist_size; i++) { - hash = hash_pjw_bare(certificate_list[i]->raw_issuer_dn.data, certificate_list[i]->raw_issuer_dn.size); - hash %= list->size; - - for (j = 0; j < list->node[hash].trusted_ca_size; j++) { - if (_gnutls_check_if_same_cert - (certificate_list[i], - list->node[hash].trusted_cas[j]) != 0) { - /* cut the list at the point of first the trusted certificate */ - clist_size = i + 1; - break; - } - } - /* clist_size may have been changed which gets out of loop */ - } - - return clist_size; + unsigned int j, i; + uint32_t hash; + + if (clist_size > 1) { + /* Check if the last certificate in the path is self signed. + * In that case ignore it (a certificate is trusted only if it + * leads to a trusted party by us, not the server's). + * + * This prevents from verifying self signed certificates against + * themselves. This (although not bad) caused verification + * failures on some root self signed certificates that use the + * MD2 algorithm. + */ + if (gnutls_x509_crt_check_issuer + (certificate_list[clist_size - 1], + certificate_list[clist_size - 1]) != 0) { + clist_size--; + } + } + + /* We want to shorten the chain by removing the cert that matches + * one of the certs we trust and all the certs after that i.e. if + * cert chain is A signed-by B signed-by C signed-by D (signed-by + * self-signed E but already removed above), and we trust B, remove + * B, C and D. */ + for (i = 1; i < clist_size; i++) { + hash = + hash_pjw_bare(certificate_list[i]->raw_issuer_dn.data, + certificate_list[i]->raw_issuer_dn.size); + hash %= list->size; + + for (j = 0; j < list->node[hash].trusted_ca_size; j++) { + if (_gnutls_check_if_same_cert + (certificate_list[i], + list->node[hash].trusted_cas[j]) != 0) { + /* cut the list at the point of first the trusted certificate */ + clist_size = i + 1; + break; + } + } + /* clist_size may have been changed which gets out of loop */ + } + + return clist_size; } /* Takes a certificate list and orders it with subject, issuer order. @@ -415,61 +442,57 @@ static int shorten_clist(gnutls_x509_trust_list_t list, * * Returns the sorted list which may be the original clist. */ -static gnutls_x509_crt_t* sort_clist(gnutls_x509_crt_t sorted[DEFAULT_MAX_VERIFY_DEPTH], - gnutls_x509_crt_t * clist, - unsigned int *clist_size) +static gnutls_x509_crt_t *sort_clist(gnutls_x509_crt_t + sorted[DEFAULT_MAX_VERIFY_DEPTH], + gnutls_x509_crt_t * clist, + unsigned int *clist_size) { - int prev; - unsigned int j, i; - int issuer[DEFAULT_MAX_VERIFY_DEPTH]; /* contain the index of the issuers */ - - /* Do not bother sorting if too many certificates are given. - * Prevent any DoS attacks. - */ - if (*clist_size > DEFAULT_MAX_VERIFY_DEPTH) - return clist; - - for (i=0;i<DEFAULT_MAX_VERIFY_DEPTH;i++) - issuer[i] = -1; - - /* Find the issuer of each certificate and store it - * in issuer array. - */ - for(i=0;i<*clist_size;i++) - { - for (j=1;j<*clist_size;j++) - { - if (i==j) continue; - - if (gnutls_x509_crt_check_issuer(clist[i], - clist[j]) != 0) - { - issuer[i] = j; - break; - } - } - } - - if (issuer[0] == -1) - { - *clist_size = 1; - return clist; - } - - prev = 0; - sorted[0] = clist[0]; - for (i=1;i<*clist_size;i++) - { - prev = issuer[prev]; - if (prev == -1) /* no issuer */ - { - *clist_size = i; - break; - } - sorted[i] = clist[prev]; - } - - return sorted; + int prev; + unsigned int j, i; + int issuer[DEFAULT_MAX_VERIFY_DEPTH]; /* contain the index of the issuers */ + + /* Do not bother sorting if too many certificates are given. + * Prevent any DoS attacks. + */ + if (*clist_size > DEFAULT_MAX_VERIFY_DEPTH) + return clist; + + for (i = 0; i < DEFAULT_MAX_VERIFY_DEPTH; i++) + issuer[i] = -1; + + /* Find the issuer of each certificate and store it + * in issuer array. + */ + for (i = 0; i < *clist_size; i++) { + for (j = 1; j < *clist_size; j++) { + if (i == j) + continue; + + if (gnutls_x509_crt_check_issuer(clist[i], + clist[j]) != 0) { + issuer[i] = j; + break; + } + } + } + + if (issuer[0] == -1) { + *clist_size = 1; + return clist; + } + + prev = 0; + sorted[0] = clist[0]; + for (i = 1; i < *clist_size; i++) { + prev = issuer[prev]; + if (prev == -1) { /* no issuer */ + *clist_size = i; + break; + } + sorted[i] = clist[prev]; + } + + return sorted; } /** @@ -488,28 +511,31 @@ static gnutls_x509_crt_t* sort_clist(gnutls_x509_crt_t sorted[DEFAULT_MAX_VERIFY * Since: 3.0 **/ int gnutls_x509_trust_list_get_issuer(gnutls_x509_trust_list_t list, - gnutls_x509_crt_t cert, - gnutls_x509_crt_t * issuer, - unsigned int flags) + gnutls_x509_crt_t cert, + gnutls_x509_crt_t * issuer, + unsigned int flags) { - int ret; - unsigned int i; - uint32_t hash; - - hash = hash_pjw_bare(cert->raw_issuer_dn.data, cert->raw_issuer_dn.size); - hash %= list->size; - - for (i = 0; i < list->node[hash].trusted_ca_size; i++) { - ret = - gnutls_x509_crt_check_issuer(cert, - list->node[hash].trusted_cas[i]); - if (ret != 0) { - *issuer = list->node[hash].trusted_cas[i]; - return 0; - } - } - - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + int ret; + unsigned int i; + uint32_t hash; + + hash = + hash_pjw_bare(cert->raw_issuer_dn.data, + cert->raw_issuer_dn.size); + hash %= list->size; + + for (i = 0; i < list->node[hash].trusted_ca_size; i++) { + ret = + gnutls_x509_crt_check_issuer(cert, + list->node[hash]. + trusted_cas[i]); + if (ret != 0) { + *issuer = list->node[hash].trusted_cas[i]; + return 0; + } + } + + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; } /** @@ -532,69 +558,78 @@ int gnutls_x509_trust_list_get_issuer(gnutls_x509_trust_list_t list, **/ int gnutls_x509_trust_list_verify_crt(gnutls_x509_trust_list_t list, - gnutls_x509_crt_t * cert_list, - unsigned int cert_list_size, - unsigned int flags, - unsigned int *verify, - gnutls_verify_output_function func) + gnutls_x509_crt_t * cert_list, + unsigned int cert_list_size, + unsigned int flags, + unsigned int *verify, + gnutls_verify_output_function func) { - int ret; - unsigned int i; - uint32_t hash; - gnutls_x509_crt_t sorted[DEFAULT_MAX_VERIFY_DEPTH]; - - if (cert_list == NULL || cert_list_size < 1) - return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); - - if (!(flags & GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN)) - cert_list = sort_clist(sorted, cert_list, &cert_list_size); - - cert_list_size = shorten_clist(list, cert_list, cert_list_size); - if (cert_list_size <= 0) - return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); - - hash = hash_pjw_bare(cert_list[cert_list_size - 1]->raw_issuer_dn.data, - cert_list[cert_list_size - 1]->raw_issuer_dn.size); - hash %= list->size; - - *verify = _gnutls_x509_verify_certificate(cert_list, cert_list_size, - list->node[hash].trusted_cas, - list->node[hash]. - trusted_ca_size, flags, - func); - - if (*verify != 0 || (flags & GNUTLS_VERIFY_DISABLE_CRL_CHECKS)) - return 0; - - /* Check revocation of individual certificates. - * start with the last one that we already have its hash - */ - ret = _gnutls_x509_crt_check_revocation(cert_list[cert_list_size - 1], - list->node[hash].crls, - list->node[hash].crl_size, - func); - if (ret == 1) { /* revoked */ - *verify |= GNUTLS_CERT_REVOKED; - *verify |= GNUTLS_CERT_INVALID; - return 0; - } - - for (i = 0; i < cert_list_size - 1; i++) { - hash = hash_pjw_bare(cert_list[i]->raw_issuer_dn.data, cert_list[i]->raw_issuer_dn.size); - hash %= list->size; - - ret = _gnutls_x509_crt_check_revocation(cert_list[i], - list->node[hash].crls, - list->node[hash].crl_size, - func); - if (ret == 1) { /* revoked */ - *verify |= GNUTLS_CERT_REVOKED; - *verify |= GNUTLS_CERT_INVALID; - return 0; - } - } - - return 0; + int ret; + unsigned int i; + uint32_t hash; + gnutls_x509_crt_t sorted[DEFAULT_MAX_VERIFY_DEPTH]; + + if (cert_list == NULL || cert_list_size < 1) + return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); + + if (!(flags & GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN)) + cert_list = sort_clist(sorted, cert_list, &cert_list_size); + + cert_list_size = shorten_clist(list, cert_list, cert_list_size); + if (cert_list_size <= 0) + return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); + + hash = + hash_pjw_bare(cert_list[cert_list_size - 1]->raw_issuer_dn. + data, + cert_list[cert_list_size - + 1]->raw_issuer_dn.size); + hash %= list->size; + + *verify = + _gnutls_x509_verify_certificate(cert_list, cert_list_size, + list->node[hash].trusted_cas, + list-> + node[hash].trusted_ca_size, + flags, func); + + if (*verify != 0 || (flags & GNUTLS_VERIFY_DISABLE_CRL_CHECKS)) + return 0; + + /* Check revocation of individual certificates. + * start with the last one that we already have its hash + */ + ret = + _gnutls_x509_crt_check_revocation(cert_list + [cert_list_size - 1], + list->node[hash].crls, + list->node[hash].crl_size, + func); + if (ret == 1) { /* revoked */ + *verify |= GNUTLS_CERT_REVOKED; + *verify |= GNUTLS_CERT_INVALID; + return 0; + } + + for (i = 0; i < cert_list_size - 1; i++) { + hash = + hash_pjw_bare(cert_list[i]->raw_issuer_dn.data, + cert_list[i]->raw_issuer_dn.size); + hash %= list->size; + + ret = _gnutls_x509_crt_check_revocation(cert_list[i], + list->node[hash]. + crls, + list->node[hash]. + crl_size, func); + if (ret == 1) { /* revoked */ + *verify |= GNUTLS_CERT_REVOKED; + *verify |= GNUTLS_CERT_INVALID; + return 0; + } + } + + return 0; } /** @@ -619,70 +654,75 @@ gnutls_x509_trust_list_verify_crt(gnutls_x509_trust_list_t list, **/ int gnutls_x509_trust_list_verify_named_crt(gnutls_x509_trust_list_t list, - gnutls_x509_crt_t cert, - const void *name, - size_t name_size, - unsigned int flags, - unsigned int *verify, - gnutls_verify_output_function func) + gnutls_x509_crt_t cert, + const void *name, + size_t name_size, + unsigned int flags, + unsigned int *verify, + gnutls_verify_output_function func) { - int ret; - unsigned int i; - uint32_t hash; - - hash = hash_pjw_bare(cert->raw_issuer_dn.data, cert->raw_issuer_dn.size); - hash %= list->size; - - *verify = GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_NOT_FOUND; - - for (i = 0; i < list->node[hash].named_cert_size; i++) { - if (_gnutls_check_if_same_cert(cert, list->node[hash].named_certs[i].cert) != 0) { /* check if name matches */ - if (list->node[hash].named_certs[i].name_size == name_size && - memcmp(list->node[hash].named_certs[i].name, name, - name_size) == 0) { - *verify = 0; - break; - } - } - } - - if (*verify != 0 || (flags & GNUTLS_VERIFY_DISABLE_CRL_CHECKS)) - return 0; - - /* Check revocation of individual certificates. - * start with the last one that we already have its hash - */ - ret = _gnutls_x509_crt_check_revocation(cert, - list->node[hash].crls, - list->node[hash].crl_size, - func); - if (ret == 1) { /* revoked */ - *verify |= GNUTLS_CERT_REVOKED; - *verify |= GNUTLS_CERT_INVALID; - return 0; - } - - return 0; + int ret; + unsigned int i; + uint32_t hash; + + hash = + hash_pjw_bare(cert->raw_issuer_dn.data, + cert->raw_issuer_dn.size); + hash %= list->size; + + *verify = GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_NOT_FOUND; + + for (i = 0; i < list->node[hash].named_cert_size; i++) { + if (_gnutls_check_if_same_cert(cert, list->node[hash].named_certs[i].cert) != 0) { /* check if name matches */ + if (list->node[hash].named_certs[i].name_size == + name_size + && memcmp(list->node[hash].named_certs[i].name, + name, name_size) == 0) { + *verify = 0; + break; + } + } + } + + if (*verify != 0 || (flags & GNUTLS_VERIFY_DISABLE_CRL_CHECKS)) + return 0; + + /* Check revocation of individual certificates. + * start with the last one that we already have its hash + */ + ret = _gnutls_x509_crt_check_revocation(cert, + list->node[hash].crls, + list->node[hash].crl_size, + func); + if (ret == 1) { /* revoked */ + *verify |= GNUTLS_CERT_REVOKED; + *verify |= GNUTLS_CERT_INVALID; + return 0; + } + + return 0; } /* return 1 if @cert is in @list, 0 if not */ int -_gnutls_trustlist_inlist (gnutls_x509_trust_list_t list, - gnutls_x509_crt_t cert) +_gnutls_trustlist_inlist(gnutls_x509_trust_list_t list, + gnutls_x509_crt_t cert) { - int ret; - unsigned int i; - uint32_t hash; - - hash = hash_pjw_bare(cert->raw_dn.data, cert->raw_dn.size); - hash %= list->size; - - for (i = 0; i < list->node[hash].trusted_ca_size; i++) - { - ret = _gnutls_check_if_same_cert (cert, list->node[hash].trusted_cas[i]); - if (ret != 0) - return 1; - } - - return 0; + int ret; + unsigned int i; + uint32_t hash; + + hash = hash_pjw_bare(cert->raw_dn.data, cert->raw_dn.size); + hash %= list->size; + + for (i = 0; i < list->node[hash].trusted_ca_size; i++) { + ret = + _gnutls_check_if_same_cert(cert, + list->node[hash]. + trusted_cas[i]); + if (ret != 0) + return 1; + } + + return 0; } diff --git a/lib/x509/verify-high.h b/lib/x509/verify-high.h index 3315a871f3..ba45f6ee55 100644 --- a/lib/x509/verify-high.h +++ b/lib/x509/verify-high.h @@ -20,5 +20,5 @@ * */ -int _gnutls_trustlist_inlist (gnutls_x509_trust_list_t list, - gnutls_x509_crt_t cert); +int _gnutls_trustlist_inlist(gnutls_x509_trust_list_t list, + gnutls_x509_crt_t cert); diff --git a/lib/x509/verify-high2.c b/lib/x509/verify-high2.c index 7408e54f39..5af5e67cdc 100644 --- a/lib/x509/verify-high2.c +++ b/lib/x509/verify-high2.c @@ -54,49 +54,57 @@ **/ int gnutls_x509_trust_list_add_trust_mem(gnutls_x509_trust_list_t list, - const gnutls_datum_t * cas, - const gnutls_datum_t * crls, - gnutls_x509_crt_fmt_t type, - unsigned int tl_flags, - unsigned int tl_vflags) + const gnutls_datum_t * cas, + const gnutls_datum_t * crls, + gnutls_x509_crt_fmt_t type, + unsigned int tl_flags, + unsigned int tl_vflags) { - int ret; - gnutls_x509_crt_t *x509_ca_list = NULL; - gnutls_x509_crl_t *x509_crl_list = NULL; - unsigned int x509_ncas, x509_ncrls; - unsigned int r = 0; - - if (cas != NULL && cas->data != NULL) - { - ret = gnutls_x509_crt_list_import2( &x509_ca_list, &x509_ncas, cas, type, 0); - if (ret < 0) - return gnutls_assert_val(ret); - - ret = gnutls_x509_trust_list_add_cas(list, x509_ca_list, x509_ncas, tl_flags); - gnutls_free(x509_ca_list); - - if (ret < 0) - return gnutls_assert_val(ret); - else - r += ret; - } - - if (crls != NULL && crls->data != NULL) - { - ret = gnutls_x509_crl_list_import2( &x509_crl_list, &x509_ncrls, crls, type, 0); - if (ret < 0) - return gnutls_assert_val(ret); - - ret = gnutls_x509_trust_list_add_crls(list, x509_crl_list, x509_ncrls, tl_flags, tl_vflags); - gnutls_free(x509_crl_list); - - if (ret < 0) - return gnutls_assert_val(ret); - else - r += ret; - } - - return r; + int ret; + gnutls_x509_crt_t *x509_ca_list = NULL; + gnutls_x509_crl_t *x509_crl_list = NULL; + unsigned int x509_ncas, x509_ncrls; + unsigned int r = 0; + + if (cas != NULL && cas->data != NULL) { + ret = + gnutls_x509_crt_list_import2(&x509_ca_list, &x509_ncas, + cas, type, 0); + if (ret < 0) + return gnutls_assert_val(ret); + + ret = + gnutls_x509_trust_list_add_cas(list, x509_ca_list, + x509_ncas, tl_flags); + gnutls_free(x509_ca_list); + + if (ret < 0) + return gnutls_assert_val(ret); + else + r += ret; + } + + if (crls != NULL && crls->data != NULL) { + ret = + gnutls_x509_crl_list_import2(&x509_crl_list, + &x509_ncrls, crls, type, + 0); + if (ret < 0) + return gnutls_assert_val(ret); + + ret = + gnutls_x509_trust_list_add_crls(list, x509_crl_list, + x509_ncrls, tl_flags, + tl_vflags); + gnutls_free(x509_crl_list); + + if (ret < 0) + return gnutls_assert_val(ret); + else + r += ret; + } + + return r; } /** @@ -114,125 +122,139 @@ gnutls_x509_trust_list_add_trust_mem(gnutls_x509_trust_list_t list, **/ int gnutls_x509_trust_list_remove_trust_mem(gnutls_x509_trust_list_t list, - const gnutls_datum_t * cas, - gnutls_x509_crt_fmt_t type) + const gnutls_datum_t * cas, + gnutls_x509_crt_fmt_t type) { - int ret; - gnutls_x509_crt_t *x509_ca_list = NULL; - unsigned int x509_ncas; - unsigned int r = 0, i; - - if (cas != NULL && cas->data != NULL) - { - ret = gnutls_x509_crt_list_import2( &x509_ca_list, &x509_ncas, cas, type, 0); - if (ret < 0) - return gnutls_assert_val(ret); - - ret = gnutls_x509_trust_list_remove_cas(list, x509_ca_list, x509_ncas); - - for (i=0;i<x509_ncas;i++) - gnutls_x509_crt_deinit(x509_ca_list[i]); - gnutls_free(x509_ca_list); - - if (ret < 0) - return gnutls_assert_val(ret); - else - r += ret; - } - - return r; + int ret; + gnutls_x509_crt_t *x509_ca_list = NULL; + unsigned int x509_ncas; + unsigned int r = 0, i; + + if (cas != NULL && cas->data != NULL) { + ret = + gnutls_x509_crt_list_import2(&x509_ca_list, &x509_ncas, + cas, type, 0); + if (ret < 0) + return gnutls_assert_val(ret); + + ret = + gnutls_x509_trust_list_remove_cas(list, x509_ca_list, + x509_ncas); + + for (i = 0; i < x509_ncas; i++) + gnutls_x509_crt_deinit(x509_ca_list[i]); + gnutls_free(x509_ca_list); + + if (ret < 0) + return gnutls_assert_val(ret); + else + r += ret; + } + + return r; } #ifdef ENABLE_PKCS11 -static -int import_pkcs11_url(gnutls_x509_trust_list_t list, const char* ca_file, unsigned int flags) +static +int import_pkcs11_url(gnutls_x509_trust_list_t list, const char *ca_file, + unsigned int flags) { -gnutls_x509_crt_t *xcrt_list = NULL; -gnutls_pkcs11_obj_t *pcrt_list = NULL; -unsigned int pcrt_list_size = 0, i; -int ret; - - ret = gnutls_pkcs11_obj_list_import_url2(&pcrt_list, &pcrt_list_size, ca_file, - GNUTLS_PKCS11_OBJ_ATTR_CRT_TRUSTED_CA, 0); - if (ret < 0) - return gnutls_assert_val(ret); - - if (pcrt_list_size == 0) - { - ret = 0; - goto cleanup; - } - - xcrt_list = gnutls_malloc(sizeof(gnutls_x509_crt_t)*pcrt_list_size); - if (xcrt_list == NULL) - { - ret = GNUTLS_E_MEMORY_ERROR; - goto cleanup; - } - - ret = gnutls_x509_crt_list_import_pkcs11( xcrt_list, pcrt_list_size, pcrt_list, 0); - if (ret < 0) - { - gnutls_assert(); - goto cleanup; - } - - ret = gnutls_x509_trust_list_add_cas(list, xcrt_list, pcrt_list_size, flags); - -cleanup: - for (i=0;i<pcrt_list_size;i++) - gnutls_pkcs11_obj_deinit(pcrt_list[i]); - gnutls_free(pcrt_list); - gnutls_free(xcrt_list); - - return ret; + gnutls_x509_crt_t *xcrt_list = NULL; + gnutls_pkcs11_obj_t *pcrt_list = NULL; + unsigned int pcrt_list_size = 0, i; + int ret; + + ret = + gnutls_pkcs11_obj_list_import_url2(&pcrt_list, &pcrt_list_size, + ca_file, + GNUTLS_PKCS11_OBJ_ATTR_CRT_TRUSTED_CA, + 0); + if (ret < 0) + return gnutls_assert_val(ret); + + if (pcrt_list_size == 0) { + ret = 0; + goto cleanup; + } + + xcrt_list = + gnutls_malloc(sizeof(gnutls_x509_crt_t) * pcrt_list_size); + if (xcrt_list == NULL) { + ret = GNUTLS_E_MEMORY_ERROR; + goto cleanup; + } + + ret = + gnutls_x509_crt_list_import_pkcs11(xcrt_list, pcrt_list_size, + pcrt_list, 0); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + + ret = + gnutls_x509_trust_list_add_cas(list, xcrt_list, pcrt_list_size, + flags); + + cleanup: + for (i = 0; i < pcrt_list_size; i++) + gnutls_pkcs11_obj_deinit(pcrt_list[i]); + gnutls_free(pcrt_list); + gnutls_free(xcrt_list); + + return ret; } -static -int remove_pkcs11_url(gnutls_x509_trust_list_t list, const char* ca_file) +static +int remove_pkcs11_url(gnutls_x509_trust_list_t list, const char *ca_file) { -gnutls_x509_crt_t *xcrt_list = NULL; -gnutls_pkcs11_obj_t *pcrt_list = NULL; -unsigned int pcrt_list_size = 0, i; -int ret; - - ret = gnutls_pkcs11_obj_list_import_url2(&pcrt_list, &pcrt_list_size, ca_file, - GNUTLS_PKCS11_OBJ_ATTR_CRT_TRUSTED_CA, 0); - if (ret < 0) - return gnutls_assert_val(ret); - - if (pcrt_list_size == 0) - { - ret = 0; - goto cleanup; - } - - xcrt_list = gnutls_malloc(sizeof(gnutls_x509_crt_t)*pcrt_list_size); - if (xcrt_list == NULL) - { - ret = GNUTLS_E_MEMORY_ERROR; - goto cleanup; - } - - ret = gnutls_x509_crt_list_import_pkcs11( xcrt_list, pcrt_list_size, pcrt_list, 0); - if (ret < 0) - { - gnutls_assert(); - goto cleanup; - } - - ret = gnutls_x509_trust_list_remove_cas(list, xcrt_list, pcrt_list_size); - -cleanup: - for (i=0;i<pcrt_list_size;i++) - { - gnutls_pkcs11_obj_deinit(pcrt_list[i]); - if (xcrt_list) gnutls_x509_crt_deinit(xcrt_list[i]); - } - gnutls_free(pcrt_list); - gnutls_free(xcrt_list); - - return ret; + gnutls_x509_crt_t *xcrt_list = NULL; + gnutls_pkcs11_obj_t *pcrt_list = NULL; + unsigned int pcrt_list_size = 0, i; + int ret; + + ret = + gnutls_pkcs11_obj_list_import_url2(&pcrt_list, &pcrt_list_size, + ca_file, + GNUTLS_PKCS11_OBJ_ATTR_CRT_TRUSTED_CA, + 0); + if (ret < 0) + return gnutls_assert_val(ret); + + if (pcrt_list_size == 0) { + ret = 0; + goto cleanup; + } + + xcrt_list = + gnutls_malloc(sizeof(gnutls_x509_crt_t) * pcrt_list_size); + if (xcrt_list == NULL) { + ret = GNUTLS_E_MEMORY_ERROR; + goto cleanup; + } + + ret = + gnutls_x509_crt_list_import_pkcs11(xcrt_list, pcrt_list_size, + pcrt_list, 0); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + + ret = + gnutls_x509_trust_list_remove_cas(list, xcrt_list, + pcrt_list_size); + + cleanup: + for (i = 0; i < pcrt_list_size; i++) { + gnutls_pkcs11_obj_deinit(pcrt_list[i]); + if (xcrt_list) + gnutls_x509_crt_deinit(xcrt_list[i]); + } + gnutls_free(pcrt_list); + gnutls_free(xcrt_list); + + return ret; } #endif @@ -256,52 +278,49 @@ cleanup: **/ int gnutls_x509_trust_list_add_trust_file(gnutls_x509_trust_list_t list, - const char* ca_file, - const char* crl_file, - gnutls_x509_crt_fmt_t type, - unsigned int tl_flags, - unsigned int tl_vflags) + const char *ca_file, + const char *crl_file, + gnutls_x509_crt_fmt_t type, + unsigned int tl_flags, + unsigned int tl_vflags) { - gnutls_datum_t cas = { NULL, 0 }; - gnutls_datum_t crls = { NULL, 0 }; - size_t size; - int ret; + gnutls_datum_t cas = { NULL, 0 }; + gnutls_datum_t crls = { NULL, 0 }; + size_t size; + int ret; #ifdef ENABLE_PKCS11 - if (strncmp (ca_file, "pkcs11:", 7) == 0) - { - ret = import_pkcs11_url(list, ca_file, tl_flags); - if (ret < 0) - return gnutls_assert_val(ret); - } - else + if (strncmp(ca_file, "pkcs11:", 7) == 0) { + ret = import_pkcs11_url(list, ca_file, tl_flags); + if (ret < 0) + return gnutls_assert_val(ret); + } else #endif - { - cas.data = (void*)read_binary_file (ca_file, &size); - if (cas.data == NULL) - { - gnutls_assert (); - return GNUTLS_E_FILE_ERROR; - } - cas.size = size; - } - - if (crl_file) - { - crls.data = (void*)read_binary_file (crl_file, &size); - if (crls.data == NULL) - { - gnutls_assert (); - return GNUTLS_E_FILE_ERROR; - } - crls.size = size; - } - - ret = gnutls_x509_trust_list_add_trust_mem(list, &cas, &crls, type, tl_flags, tl_vflags); - free(crls.data); - free(cas.data); - - return ret; + { + cas.data = (void *) read_binary_file(ca_file, &size); + if (cas.data == NULL) { + gnutls_assert(); + return GNUTLS_E_FILE_ERROR; + } + cas.size = size; + } + + if (crl_file) { + crls.data = (void *) read_binary_file(crl_file, &size); + if (crls.data == NULL) { + gnutls_assert(); + return GNUTLS_E_FILE_ERROR; + } + crls.size = size; + } + + ret = + gnutls_x509_trust_list_add_trust_mem(list, &cas, &crls, type, + tl_flags, tl_vflags); + free(crls.data); + free(cas.data); + + return ret; } /** @@ -320,35 +339,31 @@ gnutls_x509_trust_list_add_trust_file(gnutls_x509_trust_list_t list, **/ int gnutls_x509_trust_list_remove_trust_file(gnutls_x509_trust_list_t list, - const char* ca_file, - gnutls_x509_crt_fmt_t type) + const char *ca_file, + gnutls_x509_crt_fmt_t type) { - gnutls_datum_t cas = { NULL, 0 }; - size_t size; - int ret; + gnutls_datum_t cas = { NULL, 0 }; + size_t size; + int ret; #ifdef ENABLE_PKCS11 - if (strncmp (ca_file, "pkcs11:", 7) == 0) - { - ret = remove_pkcs11_url(list, ca_file); - if (ret < 0) - return gnutls_assert_val(ret); - } - else + if (strncmp(ca_file, "pkcs11:", 7) == 0) { + ret = remove_pkcs11_url(list, ca_file); + if (ret < 0) + return gnutls_assert_val(ret); + } else #endif - { - cas.data = (void*)read_binary_file (ca_file, &size); - if (cas.data == NULL) - { - gnutls_assert (); - return GNUTLS_E_FILE_ERROR; - } - cas.size = size; - } - - ret = gnutls_x509_trust_list_remove_trust_mem(list, &cas, type); - free(cas.data); - - return ret; -} + { + cas.data = (void *) read_binary_file(ca_file, &size); + if (cas.data == NULL) { + gnutls_assert(); + return GNUTLS_E_FILE_ERROR; + } + cas.size = size; + } + ret = gnutls_x509_trust_list_remove_trust_mem(list, &cas, type); + free(cas.data); + + return ret; +} diff --git a/lib/x509/verify.c b/lib/x509/verify.c index 30758f88f8..f7390dcccc 100644 --- a/lib/x509/verify.c +++ b/lib/x509/verify.c @@ -28,7 +28,7 @@ #include <gnutls_errors.h> #include <libtasn1.h> #include <gnutls_global.h> -#include <gnutls_num.h> /* MAX */ +#include <gnutls_num.h> /* MAX */ #include <gnutls_sig.h> #include <gnutls_str.h> #include <gnutls_datum.h> @@ -38,42 +38,41 @@ /* Checks if two certs are identical. Return 1 on match. */ int -_gnutls_check_if_same_cert (gnutls_x509_crt_t cert1, gnutls_x509_crt_t cert2) +_gnutls_check_if_same_cert(gnutls_x509_crt_t cert1, + gnutls_x509_crt_t cert2) { - gnutls_datum_t cert1bin = { NULL, 0 }, cert2bin = - { NULL, 0}; - int result; - - result = _gnutls_is_same_dn (cert1, cert2); - if (result == 0) - return 0; - - result = _gnutls_x509_der_encode (cert1->cert, "", &cert1bin, 0); - if (result < 0) - { - result = 0; - gnutls_assert (); - goto cleanup; - } - - result = _gnutls_x509_der_encode (cert2->cert, "", &cert2bin, 0); - if (result < 0) - { - result = 0; - gnutls_assert (); - goto cleanup; - } - - if ((cert1bin.size == cert2bin.size) && - (memcmp (cert1bin.data, cert2bin.data, cert1bin.size) == 0)) - result = 1; - else - result = 0; - -cleanup: - _gnutls_free_datum (&cert1bin); - _gnutls_free_datum (&cert2bin); - return result; + gnutls_datum_t cert1bin = { NULL, 0 }, cert2bin = { + NULL, 0}; + int result; + + result = _gnutls_is_same_dn(cert1, cert2); + if (result == 0) + return 0; + + result = _gnutls_x509_der_encode(cert1->cert, "", &cert1bin, 0); + if (result < 0) { + result = 0; + gnutls_assert(); + goto cleanup; + } + + result = _gnutls_x509_der_encode(cert2->cert, "", &cert2bin, 0); + if (result < 0) { + result = 0; + gnutls_assert(); + goto cleanup; + } + + if ((cert1bin.size == cert2bin.size) && + (memcmp(cert1bin.data, cert2bin.data, cert1bin.size) == 0)) + result = 1; + else + result = 0; + + cleanup: + _gnutls_free_datum(&cert1bin); + _gnutls_free_datum(&cert2bin); + return result; } /* Checks if the issuer of a certificate is a @@ -84,113 +83,110 @@ cleanup: * or not. */ static int -check_if_ca (gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer, - unsigned int *max_path, - unsigned int flags) +check_if_ca(gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer, + unsigned int *max_path, unsigned int flags) { - gnutls_datum_t cert_signed_data = { NULL, 0 }; - gnutls_datum_t issuer_signed_data = { NULL, 0 }; - gnutls_datum_t cert_signature = { NULL, 0 }; - gnutls_datum_t issuer_signature = { NULL, 0 }; - int pathlen, result; - unsigned int ca_status; - - /* Check if the issuer is the same with the - * certificate. This is added in order for trusted - * certificates to be able to verify themselves. - */ - - result = - _gnutls_x509_get_signed_data (issuer->cert, "tbsCertificate", - &issuer_signed_data); - if (result < 0) - { - gnutls_assert (); - goto cleanup; - } - - result = - _gnutls_x509_get_signed_data (cert->cert, "tbsCertificate", - &cert_signed_data); - if (result < 0) - { - gnutls_assert (); - goto cleanup; - } - - result = - _gnutls_x509_get_signature (issuer->cert, "signature", &issuer_signature); - if (result < 0) - { - gnutls_assert (); - goto cleanup; - } - - result = - _gnutls_x509_get_signature (cert->cert, "signature", &cert_signature); - if (result < 0) - { - gnutls_assert (); - goto cleanup; - } - - /* If the subject certificate is the same as the issuer - * return true. - */ - if (!(flags & GNUTLS_VERIFY_DO_NOT_ALLOW_SAME)) - if (cert_signed_data.size == issuer_signed_data.size) - { - if ((memcmp (cert_signed_data.data, issuer_signed_data.data, - cert_signed_data.size) == 0) && - (cert_signature.size == issuer_signature.size) && - (memcmp (cert_signature.data, issuer_signature.data, - cert_signature.size) == 0)) - { - result = 1; - goto cleanup; - } - } - - result = gnutls_x509_crt_get_basic_constraints( issuer, NULL, &ca_status, &pathlen); - if (result < 0) - { - ca_status = 0; - pathlen = -1; - } - - if (ca_status != 0 && pathlen != -1) - { - if ((unsigned)pathlen < *max_path) - *max_path = pathlen; - } - - if (ca_status != 0) - { - result = 1; - goto cleanup; - } - /* Handle V1 CAs that do not have a basicConstraint, but accept - these certs only if the appropriate flags are set. */ - else if ((result == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) && - ((flags & GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT) || - (!(flags & GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT) && - (gnutls_x509_crt_check_issuer (issuer, issuer) != 0)))) - { - gnutls_assert (); - result = 1; - goto cleanup; - } - else - gnutls_assert (); - - result = 0; - -cleanup: - _gnutls_free_datum (&cert_signed_data); - _gnutls_free_datum (&issuer_signed_data); - _gnutls_free_datum (&cert_signature); - _gnutls_free_datum (&issuer_signature); - return result; + gnutls_datum_t cert_signed_data = { NULL, 0 }; + gnutls_datum_t issuer_signed_data = { NULL, 0 }; + gnutls_datum_t cert_signature = { NULL, 0 }; + gnutls_datum_t issuer_signature = { NULL, 0 }; + int pathlen, result; + unsigned int ca_status; + + /* Check if the issuer is the same with the + * certificate. This is added in order for trusted + * certificates to be able to verify themselves. + */ + + result = + _gnutls_x509_get_signed_data(issuer->cert, "tbsCertificate", + &issuer_signed_data); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + result = + _gnutls_x509_get_signed_data(cert->cert, "tbsCertificate", + &cert_signed_data); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + result = + _gnutls_x509_get_signature(issuer->cert, "signature", + &issuer_signature); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + result = + _gnutls_x509_get_signature(cert->cert, "signature", + &cert_signature); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + /* If the subject certificate is the same as the issuer + * return true. + */ + if (!(flags & GNUTLS_VERIFY_DO_NOT_ALLOW_SAME)) + if (cert_signed_data.size == issuer_signed_data.size) { + if ((memcmp + (cert_signed_data.data, + issuer_signed_data.data, + cert_signed_data.size) == 0) + && (cert_signature.size == + issuer_signature.size) + && + (memcmp + (cert_signature.data, issuer_signature.data, + cert_signature.size) == 0)) { + result = 1; + goto cleanup; + } + } + + result = + gnutls_x509_crt_get_basic_constraints(issuer, NULL, &ca_status, + &pathlen); + if (result < 0) { + ca_status = 0; + pathlen = -1; + } + + if (ca_status != 0 && pathlen != -1) { + if ((unsigned) pathlen < *max_path) + *max_path = pathlen; + } + + if (ca_status != 0) { + result = 1; + goto cleanup; + } + /* Handle V1 CAs that do not have a basicConstraint, but accept + these certs only if the appropriate flags are set. */ + else if ((result == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) && + ((flags & GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT) || + (!(flags & GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT) && + (gnutls_x509_crt_check_issuer(issuer, issuer) != 0)))) { + gnutls_assert(); + result = 1; + goto cleanup; + } else + gnutls_assert(); + + result = 0; + + cleanup: + _gnutls_free_datum(&cert_signed_data); + _gnutls_free_datum(&issuer_signed_data); + _gnutls_free_datum(&cert_signature); + _gnutls_free_datum(&issuer_signature); + return result; } @@ -200,147 +196,146 @@ cleanup: * * Returns 1 if they match and (0) if they don't match. */ -static int -is_issuer (gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer) +static int is_issuer(gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer) { - uint8_t id1[512]; - uint8_t id2[512]; - size_t id1_size; - size_t id2_size; - int ret; - - if (_gnutls_x509_compare_raw_dn(&cert->raw_issuer_dn, &issuer->raw_dn) != 0) - ret = 1; - else - ret = 0; - - if (ret != 0) - { - /* check if the authority key identifier matches the subject key identifier - * of the issuer */ - id1_size = sizeof(id1); - - ret = gnutls_x509_crt_get_authority_key_id(cert, id1, &id1_size, NULL); - if (ret < 0) - { - ret = 1; - goto cleanup; - } - - id2_size = sizeof(id2); - ret = gnutls_x509_crt_get_subject_key_id(issuer, id2, &id2_size, NULL); - if (ret < 0) - { - ret = 1; - gnutls_assert(); - goto cleanup; - } - - if (id1_size == id2_size && memcmp(id1, id2, id1_size) == 0) - ret = 1; - else - ret = 0; - } - -cleanup: - return ret; + uint8_t id1[512]; + uint8_t id2[512]; + size_t id1_size; + size_t id2_size; + int ret; + + if (_gnutls_x509_compare_raw_dn + (&cert->raw_issuer_dn, &issuer->raw_dn) != 0) + ret = 1; + else + ret = 0; + + if (ret != 0) { + /* check if the authority key identifier matches the subject key identifier + * of the issuer */ + id1_size = sizeof(id1); + + ret = + gnutls_x509_crt_get_authority_key_id(cert, id1, + &id1_size, NULL); + if (ret < 0) { + ret = 1; + goto cleanup; + } + + id2_size = sizeof(id2); + ret = + gnutls_x509_crt_get_subject_key_id(issuer, id2, + &id2_size, NULL); + if (ret < 0) { + ret = 1; + gnutls_assert(); + goto cleanup; + } + + if (id1_size == id2_size + && memcmp(id1, id2, id1_size) == 0) + ret = 1; + else + ret = 0; + } + + cleanup: + return ret; } /* Check if the given certificate is the issuer of the CRL. * Returns 1 on success and 0 otherwise. */ -static int -is_crl_issuer (gnutls_x509_crl_t crl, gnutls_x509_crt_t issuer) +static int is_crl_issuer(gnutls_x509_crl_t crl, gnutls_x509_crt_t issuer) { - if (_gnutls_x509_compare_raw_dn(&crl->raw_issuer_dn, &issuer->raw_dn) != 0) - return 1; - else - return 0; + if (_gnutls_x509_compare_raw_dn + (&crl->raw_issuer_dn, &issuer->raw_dn) != 0) + return 1; + else + return 0; } /* Checks if the DN of two certificates is the same. * Returns 1 if they match and (0) if they don't match. Otherwise * a negative error code is returned to indicate error. */ -int -_gnutls_is_same_dn (gnutls_x509_crt_t cert1, gnutls_x509_crt_t cert2) +int _gnutls_is_same_dn(gnutls_x509_crt_t cert1, gnutls_x509_crt_t cert2) { - if (_gnutls_x509_compare_raw_dn(&cert1->raw_dn, &cert2->raw_dn) != 0) - return 1; - else - return 0; + if (_gnutls_x509_compare_raw_dn(&cert1->raw_dn, &cert2->raw_dn) != + 0) + return 1; + else + return 0; } /* Finds an issuer of the certificate. If multiple issuers * are present, returns one that is activated and not expired. */ static inline gnutls_x509_crt_t -find_issuer (gnutls_x509_crt_t cert, - const gnutls_x509_crt_t * trusted_cas, int tcas_size) +find_issuer(gnutls_x509_crt_t cert, + const gnutls_x509_crt_t * trusted_cas, int tcas_size) { -int i; -gnutls_x509_crt_t issuer = NULL; - - /* this is serial search. - */ - - for (i = 0; i < tcas_size; i++) - { - if (is_issuer (cert, trusted_cas[i]) != 0) - { - if (issuer == NULL) - { - issuer = trusted_cas[i]; - } - else - { - time_t now = gnutls_time(0); - - if (now < gnutls_x509_crt_get_expiration_time(trusted_cas[i]) && - now >= gnutls_x509_crt_get_activation_time(trusted_cas[i])) - { - issuer = trusted_cas[i]; - } - } - } - } - - return issuer; + int i; + gnutls_x509_crt_t issuer = NULL; + + /* this is serial search. + */ + + for (i = 0; i < tcas_size; i++) { + if (is_issuer(cert, trusted_cas[i]) != 0) { + if (issuer == NULL) { + issuer = trusted_cas[i]; + } else { + time_t now = gnutls_time(0); + + if (now < + gnutls_x509_crt_get_expiration_time + (trusted_cas[i]) + && now >= + gnutls_x509_crt_get_activation_time + (trusted_cas[i])) { + issuer = trusted_cas[i]; + } + } + } + } + + return issuer; } -static unsigned int -check_time (gnutls_x509_crt_t crt, time_t now) +static unsigned int check_time(gnutls_x509_crt_t crt, time_t now) { - int status = 0; - time_t t; - - t = gnutls_x509_crt_get_activation_time (crt); - if (t == (time_t) - 1 || now < t) - { - status |= GNUTLS_CERT_NOT_ACTIVATED; - status |= GNUTLS_CERT_INVALID; - return status; - } - - t = gnutls_x509_crt_get_expiration_time (crt); - if (t == (time_t) - 1 || now > t) - { - status |= GNUTLS_CERT_EXPIRED; - status |= GNUTLS_CERT_INVALID; - return status; - } - - return 0; + int status = 0; + time_t t; + + t = gnutls_x509_crt_get_activation_time(crt); + if (t == (time_t) - 1 || now < t) { + status |= GNUTLS_CERT_NOT_ACTIVATED; + status |= GNUTLS_CERT_INVALID; + return status; + } + + t = gnutls_x509_crt_get_expiration_time(crt); + if (t == (time_t) - 1 || now > t) { + status |= GNUTLS_CERT_EXPIRED; + status |= GNUTLS_CERT_INVALID; + return status; + } + + return 0; } static -int is_broken_allowed( gnutls_sign_algorithm_t sig, unsigned int flags) +int is_broken_allowed(gnutls_sign_algorithm_t sig, unsigned int flags) { - if ((sig == GNUTLS_SIGN_RSA_MD2) && (flags & GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2)) - return 1; - if ((sig == GNUTLS_SIGN_RSA_MD5) && (flags & GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5)) - return 1; - return 0; + if ((sig == GNUTLS_SIGN_RSA_MD2) + && (flags & GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2)) + return 1; + if ((sig == GNUTLS_SIGN_RSA_MD5) + && (flags & GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5)) + return 1; + return 0; } /* @@ -356,182 +351,180 @@ int is_broken_allowed( gnutls_sign_algorithm_t sig, unsigned int flags) * procedure. Issuer will hold the actual issuer from the trusted list. */ static int -_gnutls_verify_certificate2 (gnutls_x509_crt_t cert, - const gnutls_x509_crt_t * trusted_cas, - int tcas_size, unsigned int flags, - unsigned int *output, - gnutls_x509_crt_t * _issuer, - time_t now, - unsigned int *max_path, - gnutls_verify_output_function func) +_gnutls_verify_certificate2(gnutls_x509_crt_t cert, + const gnutls_x509_crt_t * trusted_cas, + int tcas_size, unsigned int flags, + unsigned int *output, + gnutls_x509_crt_t * _issuer, + time_t now, + unsigned int *max_path, + gnutls_verify_output_function func) { - gnutls_datum_t cert_signed_data = { NULL, 0 }; - gnutls_datum_t cert_signature = { NULL, 0 }; - gnutls_x509_crt_t issuer = NULL; - int issuer_version, result, hash_algo; - unsigned int out = 0, usage; - - if (output) - *output = 0; - - if (*max_path == 0) - { - out = GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE | GNUTLS_CERT_INVALID; - if (output) - *output |= out; - gnutls_assert (); - result = 0; - goto cleanup; - } - (*max_path)--; - - if (tcas_size >= 1) - issuer = find_issuer (cert, trusted_cas, tcas_size); - - /* issuer is not in trusted certificate - * authorities. - */ - if (issuer == NULL) - { - out = GNUTLS_CERT_SIGNER_NOT_FOUND | GNUTLS_CERT_INVALID; - if (output) - *output |= out; - gnutls_assert (); - result = 0; - goto cleanup; - } - - if (_issuer != NULL) - *_issuer = issuer; - - issuer_version = gnutls_x509_crt_get_version (issuer); - if (issuer_version < 0) - { - gnutls_assert (); - return issuer_version; - } - - if (!(flags & GNUTLS_VERIFY_DISABLE_CA_SIGN) && - ((flags & GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT) - || issuer_version != 1)) - { - if (check_if_ca (cert, issuer, max_path, flags) == 0) - { - gnutls_assert (); - out = GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID; - if (output) - *output |= out; - result = 0; - goto cleanup; - } - - result = gnutls_x509_crt_get_key_usage(issuer, &usage, NULL); - if (result >= 0) - { - if (!(usage & GNUTLS_KEY_KEY_CERT_SIGN)) - { - gnutls_assert(); - out = GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE | GNUTLS_CERT_INVALID; - if (output) - *output |= out; - result = 0; - goto cleanup; - } - } - } - - result = - _gnutls_x509_get_signed_data (cert->cert, "tbsCertificate", - &cert_signed_data); - if (result < 0) - { - gnutls_assert (); - goto cleanup; - } - - result = - _gnutls_x509_get_signature (cert->cert, "signature", &cert_signature); - if (result < 0) - { - gnutls_assert (); - goto cleanup; - } - - result = _gnutls_x509_get_signature_algorithm(cert->cert, "signatureAlgorithm.algorithm"); - if (result < 0) - { - gnutls_assert (); - goto cleanup; - } - - hash_algo = gnutls_sign_get_hash_algorithm(result); - - result = - _gnutls_x509_verify_data (mac_to_entry(hash_algo), &cert_signed_data, &cert_signature, - issuer); - if (result == GNUTLS_E_PK_SIG_VERIFY_FAILED) - { - gnutls_assert (); - out |= GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNATURE_FAILURE; - /* error. ignore it */ - if (output) - *output |= out; - result = 0; - } - else if (result < 0) - { - gnutls_assert(); - goto cleanup; - } - - /* If the certificate is not self signed check if the algorithms - * used are secure. If the certificate is self signed it doesn't - * really matter. - */ - if (is_issuer (cert, cert) == 0) - { - int sigalg; - - sigalg = gnutls_x509_crt_get_signature_algorithm (cert); - - if (gnutls_sign_is_secure(sigalg) == 0 && is_broken_allowed(sigalg, flags) == 0) - { - out = GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID; - if (output) - *output |= out; - result = 0; - } - } - - /* Check activation/expiration times - */ - if (!(flags & GNUTLS_VERIFY_DISABLE_TIME_CHECKS)) - { - /* check the time of the issuer first */ - if (!(flags & GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS)) - { - out |= check_time (issuer, now); - if (out != 0) - { - result = 0; - if (output) *output |= out; - } - } - - out |= check_time (cert, now); - if (out != 0) - { - result = 0; - if (output) *output |= out; - } - } - -cleanup: - if (result >= 0 && func) func(cert, issuer, NULL, out); - _gnutls_free_datum (&cert_signed_data); - _gnutls_free_datum (&cert_signature); - - return result; + gnutls_datum_t cert_signed_data = { NULL, 0 }; + gnutls_datum_t cert_signature = { NULL, 0 }; + gnutls_x509_crt_t issuer = NULL; + int issuer_version, result, hash_algo; + unsigned int out = 0, usage; + + if (output) + *output = 0; + + if (*max_path == 0) { + out = + GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE | + GNUTLS_CERT_INVALID; + if (output) + *output |= out; + gnutls_assert(); + result = 0; + goto cleanup; + } + (*max_path)--; + + if (tcas_size >= 1) + issuer = find_issuer(cert, trusted_cas, tcas_size); + + /* issuer is not in trusted certificate + * authorities. + */ + if (issuer == NULL) { + out = GNUTLS_CERT_SIGNER_NOT_FOUND | GNUTLS_CERT_INVALID; + if (output) + *output |= out; + gnutls_assert(); + result = 0; + goto cleanup; + } + + if (_issuer != NULL) + *_issuer = issuer; + + issuer_version = gnutls_x509_crt_get_version(issuer); + if (issuer_version < 0) { + gnutls_assert(); + return issuer_version; + } + + if (!(flags & GNUTLS_VERIFY_DISABLE_CA_SIGN) && + ((flags & GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT) + || issuer_version != 1)) { + if (check_if_ca(cert, issuer, max_path, flags) == 0) { + gnutls_assert(); + out = + GNUTLS_CERT_SIGNER_NOT_CA | + GNUTLS_CERT_INVALID; + if (output) + *output |= out; + result = 0; + goto cleanup; + } + + result = + gnutls_x509_crt_get_key_usage(issuer, &usage, NULL); + if (result >= 0) { + if (!(usage & GNUTLS_KEY_KEY_CERT_SIGN)) { + gnutls_assert(); + out = + GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE + | GNUTLS_CERT_INVALID; + if (output) + *output |= out; + result = 0; + goto cleanup; + } + } + } + + result = + _gnutls_x509_get_signed_data(cert->cert, "tbsCertificate", + &cert_signed_data); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + result = + _gnutls_x509_get_signature(cert->cert, "signature", + &cert_signature); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + result = + _gnutls_x509_get_signature_algorithm(cert->cert, + "signatureAlgorithm.algorithm"); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + hash_algo = gnutls_sign_get_hash_algorithm(result); + + result = + _gnutls_x509_verify_data(mac_to_entry(hash_algo), + &cert_signed_data, &cert_signature, + issuer); + if (result == GNUTLS_E_PK_SIG_VERIFY_FAILED) { + gnutls_assert(); + out |= GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNATURE_FAILURE; + /* error. ignore it */ + if (output) + *output |= out; + result = 0; + } else if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + /* If the certificate is not self signed check if the algorithms + * used are secure. If the certificate is self signed it doesn't + * really matter. + */ + if (is_issuer(cert, cert) == 0) { + int sigalg; + + sigalg = gnutls_x509_crt_get_signature_algorithm(cert); + + if (gnutls_sign_is_secure(sigalg) == 0 + && is_broken_allowed(sigalg, flags) == 0) { + out = + GNUTLS_CERT_INSECURE_ALGORITHM | + GNUTLS_CERT_INVALID; + if (output) + *output |= out; + result = 0; + } + } + + /* Check activation/expiration times + */ + if (!(flags & GNUTLS_VERIFY_DISABLE_TIME_CHECKS)) { + /* check the time of the issuer first */ + if (!(flags & GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS)) { + out |= check_time(issuer, now); + if (out != 0) { + result = 0; + if (output) + *output |= out; + } + } + + out |= check_time(cert, now); + if (out != 0) { + result = 0; + if (output) + *output |= out; + } + } + + cleanup: + if (result >= 0 && func) + func(cert, issuer, NULL, out); + _gnutls_free_datum(&cert_signed_data); + _gnutls_free_datum(&cert_signature); + + return result; } /** @@ -547,10 +540,10 @@ cleanup: * by the given issuer, and false (0) if not. **/ int -gnutls_x509_crt_check_issuer (gnutls_x509_crt_t cert, - gnutls_x509_crt_t issuer) +gnutls_x509_crt_check_issuer(gnutls_x509_crt_t cert, + gnutls_x509_crt_t issuer) { - return is_issuer (cert, issuer); + return is_issuer(cert, issuer); } /* Verify X.509 certificate chain. @@ -561,132 +554,132 @@ gnutls_x509_crt_check_issuer (gnutls_x509_crt_t cert, * list should lead to a trusted certificate in order to be trusted. */ unsigned int -_gnutls_x509_verify_certificate (const gnutls_x509_crt_t * certificate_list, - int clist_size, - const gnutls_x509_crt_t * trusted_cas, - int tcas_size, - unsigned int flags, - gnutls_verify_output_function func) +_gnutls_x509_verify_certificate(const gnutls_x509_crt_t * certificate_list, + int clist_size, + const gnutls_x509_crt_t * trusted_cas, + int tcas_size, + unsigned int flags, + gnutls_verify_output_function func) { - int i = 0, ret; - unsigned int status = 0, output; - time_t now = gnutls_time (0); - gnutls_x509_crt_t issuer = NULL; - unsigned int max_path; - - if (clist_size > 1) - { - /* Check if the last certificate in the path is self signed. - * In that case ignore it (a certificate is trusted only if it - * leads to a trusted party by us, not the server's). - * - * This prevents from verifying self signed certificates against - * themselves. This (although not bad) caused verification - * failures on some root self signed certificates that use the - * MD2 algorithm. - */ - if (gnutls_x509_crt_check_issuer (certificate_list[clist_size - 1], - certificate_list[clist_size - 1]) != 0) - { - clist_size--; - } - } - - /* We want to shorten the chain by removing the cert that matches - * one of the certs we trust and all the certs after that i.e. if - * cert chain is A signed-by B signed-by C signed-by D (signed-by - * self-signed E but already removed above), and we trust B, remove - * B, C and D. */ - if (!(flags & GNUTLS_VERIFY_DO_NOT_ALLOW_SAME)) - i = 0; /* also replace the first one */ - else - i = 1; /* do not replace the first one */ - - for (; i < clist_size; i++) - { - int j; - - for (j = 0; j < tcas_size; j++) - { - if (_gnutls_check_if_same_cert (certificate_list[i], trusted_cas[j]) != 0) - { - /* explicity time check for trusted CA that we remove from - * list. GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS - */ - if (!(flags & GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS) - && !(flags & GNUTLS_VERIFY_DISABLE_TIME_CHECKS)) - { - status |= check_time (trusted_cas[j], now); - if (status != 0) - { - if (func) func(certificate_list[i], trusted_cas[j], NULL, status); - return status; - } - } - - if (func) func(certificate_list[i], trusted_cas[j], NULL, status); - clist_size = i; - break; - } - } - /* clist_size may have been changed which gets out of loop */ - } - - if (clist_size == 0) - { - /* The certificate is already present in the trusted certificate list. - * Nothing to verify. */ - return status; - } - - /* Verify the last certificate in the certificate path - * against the trusted CA certificate list. - * - * If no CAs are present returns CERT_INVALID. Thus works - * in self signed etc certificates. - */ - output = 0; - max_path = MAX_VERIFY_DEPTH; - ret = _gnutls_verify_certificate2 (certificate_list[clist_size - 1], - trusted_cas, tcas_size, flags, &output, - &issuer, now, &max_path, func); - if (ret == 0) - { - /* if the last certificate in the certificate - * list is invalid, then the certificate is not - * trusted. - */ - gnutls_assert (); - status |= output; - status |= GNUTLS_CERT_INVALID; - return status; - } - - /* Verify the certificate path (chain) - */ - for (i = clist_size - 1; i > 0; i--) - { - output = 0; - if (i - 1 < 0) - break; - - /* note that here we disable this V1 CA flag. So that no version 1 - * certificates can exist in a supplied chain. - */ - if (!(flags & GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT)) - flags &= ~(GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT); - if ((ret = - _gnutls_verify_certificate2 (certificate_list[i - 1], - &certificate_list[i], 1, flags, - &output, NULL, now, &max_path, func)) == 0) - { - status |= output; - status |= GNUTLS_CERT_INVALID; - return status; - } - } - - return 0; + int i = 0, ret; + unsigned int status = 0, output; + time_t now = gnutls_time(0); + gnutls_x509_crt_t issuer = NULL; + unsigned int max_path; + + if (clist_size > 1) { + /* Check if the last certificate in the path is self signed. + * In that case ignore it (a certificate is trusted only if it + * leads to a trusted party by us, not the server's). + * + * This prevents from verifying self signed certificates against + * themselves. This (although not bad) caused verification + * failures on some root self signed certificates that use the + * MD2 algorithm. + */ + if (gnutls_x509_crt_check_issuer + (certificate_list[clist_size - 1], + certificate_list[clist_size - 1]) != 0) { + clist_size--; + } + } + + /* We want to shorten the chain by removing the cert that matches + * one of the certs we trust and all the certs after that i.e. if + * cert chain is A signed-by B signed-by C signed-by D (signed-by + * self-signed E but already removed above), and we trust B, remove + * B, C and D. */ + if (!(flags & GNUTLS_VERIFY_DO_NOT_ALLOW_SAME)) + i = 0; /* also replace the first one */ + else + i = 1; /* do not replace the first one */ + + for (; i < clist_size; i++) { + int j; + + for (j = 0; j < tcas_size; j++) { + if (_gnutls_check_if_same_cert + (certificate_list[i], trusted_cas[j]) != 0) { + /* explicity time check for trusted CA that we remove from + * list. GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS + */ + if (! + (flags & + GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS) +&& !(flags & GNUTLS_VERIFY_DISABLE_TIME_CHECKS)) { + status |= + check_time(trusted_cas[j], + now); + if (status != 0) { + if (func) + func(certificate_list[i], trusted_cas[j], NULL, status); + return status; + } + } + + if (func) + func(certificate_list[i], + trusted_cas[j], NULL, status); + clist_size = i; + break; + } + } + /* clist_size may have been changed which gets out of loop */ + } + + if (clist_size == 0) { + /* The certificate is already present in the trusted certificate list. + * Nothing to verify. */ + return status; + } + + /* Verify the last certificate in the certificate path + * against the trusted CA certificate list. + * + * If no CAs are present returns CERT_INVALID. Thus works + * in self signed etc certificates. + */ + output = 0; + max_path = MAX_VERIFY_DEPTH; + ret = _gnutls_verify_certificate2(certificate_list[clist_size - 1], + trusted_cas, tcas_size, flags, + &output, &issuer, now, &max_path, + func); + if (ret == 0) { + /* if the last certificate in the certificate + * list is invalid, then the certificate is not + * trusted. + */ + gnutls_assert(); + status |= output; + status |= GNUTLS_CERT_INVALID; + return status; + } + + /* Verify the certificate path (chain) + */ + for (i = clist_size - 1; i > 0; i--) { + output = 0; + if (i - 1 < 0) + break; + + /* note that here we disable this V1 CA flag. So that no version 1 + * certificates can exist in a supplied chain. + */ + if (!(flags & GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT)) + flags &= ~(GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT); + if ((ret = + _gnutls_verify_certificate2(certificate_list[i - 1], + &certificate_list[i], 1, + flags, &output, NULL, now, + &max_path, func)) == 0) { + status |= output; + status |= GNUTLS_CERT_INVALID; + return status; + } + } + + return 0; } /* This will return the appropriate hash to verify the given signature. @@ -694,12 +687,13 @@ _gnutls_x509_verify_certificate (const gnutls_x509_crt_t * certificate_list, * the given parameters. */ int -_gnutls_x509_verify_algorithm (gnutls_digest_algorithm_t * hash, - const gnutls_datum_t * signature, - gnutls_pk_algorithm_t pk, - gnutls_pk_params_st * issuer_params) +_gnutls_x509_verify_algorithm(gnutls_digest_algorithm_t * hash, + const gnutls_datum_t * signature, + gnutls_pk_algorithm_t pk, + gnutls_pk_params_st * issuer_params) { - return _gnutls_pk_hash_algorithm(pk, signature, issuer_params, hash); + return _gnutls_pk_hash_algorithm(pk, signature, issuer_params, + hash); } /* verifies if the certificate is properly signed. @@ -709,37 +703,35 @@ _gnutls_x509_verify_algorithm (gnutls_digest_algorithm_t * hash, * 'signature' is the signature! */ int -_gnutls_x509_verify_data (const mac_entry_st* me, - const gnutls_datum_t * data, - const gnutls_datum_t * signature, - gnutls_x509_crt_t issuer) +_gnutls_x509_verify_data(const mac_entry_st * me, + const gnutls_datum_t * data, + const gnutls_datum_t * signature, + gnutls_x509_crt_t issuer) { - gnutls_pk_params_st issuer_params; - int ret; - - /* Read the MPI parameters from the issuer's certificate. - */ - ret = - _gnutls_x509_crt_get_mpis (issuer, &issuer_params); - if (ret < 0) - { - gnutls_assert (); - return ret; - } - - ret = - pubkey_verify_data (gnutls_x509_crt_get_pk_algorithm (issuer, NULL), - me, data, signature, &issuer_params); - if (ret < 0) - { - gnutls_assert (); - } - - /* release all allocated MPIs - */ - gnutls_pk_params_release(&issuer_params); - - return ret; + gnutls_pk_params_st issuer_params; + int ret; + + /* Read the MPI parameters from the issuer's certificate. + */ + ret = _gnutls_x509_crt_get_mpis(issuer, &issuer_params); + if (ret < 0) { + gnutls_assert(); + return ret; + } + + ret = + pubkey_verify_data(gnutls_x509_crt_get_pk_algorithm + (issuer, NULL), me, data, signature, + &issuer_params); + if (ret < 0) { + gnutls_assert(); + } + + /* release all allocated MPIs + */ + gnutls_pk_params_release(&issuer_params); + + return ret; } /** @@ -771,40 +763,39 @@ _gnutls_x509_verify_data (const mac_entry_st* me, * negative error value. **/ int -gnutls_x509_crt_list_verify (const gnutls_x509_crt_t * cert_list, - int cert_list_length, - const gnutls_x509_crt_t * CA_list, - int CA_list_length, - const gnutls_x509_crl_t * CRL_list, - int CRL_list_length, unsigned int flags, - unsigned int *verify) +gnutls_x509_crt_list_verify(const gnutls_x509_crt_t * cert_list, + int cert_list_length, + const gnutls_x509_crt_t * CA_list, + int CA_list_length, + const gnutls_x509_crl_t * CRL_list, + int CRL_list_length, unsigned int flags, + unsigned int *verify) { -int i, ret; - - if (cert_list == NULL || cert_list_length == 0) - return GNUTLS_E_NO_CERTIFICATE_FOUND; - - /* Verify certificate - */ - *verify = - _gnutls_x509_verify_certificate (cert_list, cert_list_length, - CA_list, CA_list_length, - flags, NULL); - - /* Check for revoked certificates in the chain. - */ - for (i = 0; i < cert_list_length; i++) - { - ret = gnutls_x509_crt_check_revocation (cert_list[i], - CRL_list, CRL_list_length); - if (ret == 1) - { /* revoked */ - *verify |= GNUTLS_CERT_REVOKED; - *verify |= GNUTLS_CERT_INVALID; - } - } - - return 0; + int i, ret; + + if (cert_list == NULL || cert_list_length == 0) + return GNUTLS_E_NO_CERTIFICATE_FOUND; + + /* Verify certificate + */ + *verify = + _gnutls_x509_verify_certificate(cert_list, cert_list_length, + CA_list, CA_list_length, + flags, NULL); + + /* Check for revoked certificates in the chain. + */ + for (i = 0; i < cert_list_length; i++) { + ret = gnutls_x509_crt_check_revocation(cert_list[i], + CRL_list, + CRL_list_length); + if (ret == 1) { /* revoked */ + *verify |= GNUTLS_CERT_REVOKED; + *verify |= GNUTLS_CERT_INVALID; + } + } + + return 0; } /** @@ -823,18 +814,18 @@ int i, ret; * negative error value. **/ int -gnutls_x509_crt_verify (gnutls_x509_crt_t cert, - const gnutls_x509_crt_t * CA_list, - int CA_list_length, unsigned int flags, - unsigned int *verify) +gnutls_x509_crt_verify(gnutls_x509_crt_t cert, + const gnutls_x509_crt_t * CA_list, + int CA_list_length, unsigned int flags, + unsigned int *verify) { - /* Verify certificate - */ - *verify = - _gnutls_x509_verify_certificate (&cert, 1, - CA_list, CA_list_length, - flags, NULL); - return 0; + /* Verify certificate + */ + *verify = + _gnutls_x509_verify_certificate(&cert, 1, + CA_list, CA_list_length, + flags, NULL); + return 0; } /** @@ -849,29 +840,28 @@ gnutls_x509_crt_verify (gnutls_x509_crt_t cert, * and false (0) if not. **/ int -gnutls_x509_crl_check_issuer (gnutls_x509_crl_t crl, - gnutls_x509_crt_t issuer) +gnutls_x509_crl_check_issuer(gnutls_x509_crl_t crl, + gnutls_x509_crt_t issuer) { - return is_crl_issuer (crl, issuer); + return is_crl_issuer(crl, issuer); } static inline gnutls_x509_crt_t -find_crl_issuer (gnutls_x509_crl_t crl, - const gnutls_x509_crt_t * trusted_cas, int tcas_size) +find_crl_issuer(gnutls_x509_crl_t crl, + const gnutls_x509_crt_t * trusted_cas, int tcas_size) { - int i; + int i; - /* this is serial search. - */ + /* this is serial search. + */ - for (i = 0; i < tcas_size; i++) - { - if (is_crl_issuer (crl, trusted_cas[i]) != 0) - return trusted_cas[i]; - } + for (i = 0; i < tcas_size; i++) { + if (is_crl_issuer(crl, trusted_cas[i]) != 0) + return trusted_cas[i]; + } - gnutls_assert (); - return NULL; + gnutls_assert(); + return NULL; } /** @@ -895,127 +885,130 @@ find_crl_issuer (gnutls_x509_crl_t crl, * negative error value. **/ int -gnutls_x509_crl_verify (gnutls_x509_crl_t crl, - const gnutls_x509_crt_t * trusted_cas, - int tcas_size, unsigned int flags, unsigned int *verify) +gnutls_x509_crl_verify(gnutls_x509_crl_t crl, + const gnutls_x509_crt_t * trusted_cas, + int tcas_size, unsigned int flags, + unsigned int *verify) { /* CRL is ignored for now */ - gnutls_datum_t crl_signed_data = { NULL, 0 }; - gnutls_datum_t crl_signature = { NULL, 0 }; - gnutls_x509_crt_t issuer = NULL; - int result, hash_algo; - time_t now = gnutls_time(0); - unsigned int usage; - - if (verify) - *verify = 0; - - if (tcas_size >= 1) - issuer = find_crl_issuer (crl, trusted_cas, tcas_size); - - /* issuer is not in trusted certificate - * authorities. - */ - if (issuer == NULL) - { - gnutls_assert (); - if (verify) - *verify |= GNUTLS_CERT_SIGNER_NOT_FOUND | GNUTLS_CERT_INVALID; - return 0; - } - - if (!(flags & GNUTLS_VERIFY_DISABLE_CA_SIGN)) - { - if (gnutls_x509_crt_get_ca_status (issuer, NULL) != 1) - { - gnutls_assert (); - if (verify) - *verify |= GNUTLS_CERT_SIGNER_NOT_CA | GNUTLS_CERT_INVALID; - return 0; - } - - result = gnutls_x509_crt_get_key_usage(issuer, &usage, NULL); - if (result >= 0) - { - if (!(usage & GNUTLS_KEY_CRL_SIGN)) - { - gnutls_assert(); - if (verify) - *verify |= GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE | GNUTLS_CERT_INVALID; - return 0; - } - } - } - - result = - _gnutls_x509_get_signed_data (crl->crl, "tbsCertList", &crl_signed_data); - if (result < 0) - { - gnutls_assert (); - goto cleanup; - } - - result = _gnutls_x509_get_signature (crl->crl, "signature", &crl_signature); - if (result < 0) - { - gnutls_assert (); - goto cleanup; - } - - result = _gnutls_x509_get_signature_algorithm(crl->crl, "signatureAlgorithm.algorithm"); - if (result < 0) - { - gnutls_assert (); - goto cleanup; - } - - hash_algo = gnutls_sign_get_hash_algorithm(result); - - result = - _gnutls_x509_verify_data (mac_to_entry(hash_algo), &crl_signed_data, &crl_signature, - issuer); - if (result == GNUTLS_E_PK_SIG_VERIFY_FAILED) - { - gnutls_assert (); - /* error. ignore it */ - if (verify) - *verify |= GNUTLS_CERT_SIGNATURE_FAILURE; - result = 0; - } - else if (result < 0) - { - gnutls_assert (); - goto cleanup; - } - - { - int sigalg; - - sigalg = gnutls_x509_crl_get_signature_algorithm (crl); - - if (((sigalg == GNUTLS_SIGN_RSA_MD2) && - !(flags & GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2)) || - ((sigalg == GNUTLS_SIGN_RSA_MD5) && - !(flags & GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5))) - { - if (verify) - *verify |= GNUTLS_CERT_INSECURE_ALGORITHM; - result = 0; - } - } - - if (gnutls_x509_crl_get_this_update (crl) > now && verify) - *verify |= GNUTLS_CERT_REVOCATION_DATA_ISSUED_IN_FUTURE; - - if (gnutls_x509_crl_get_next_update (crl) < now && verify) - *verify |= GNUTLS_CERT_REVOCATION_DATA_SUPERSEDED; - - -cleanup: - if (verify) *verify |= GNUTLS_CERT_INVALID; - - _gnutls_free_datum (&crl_signed_data); - _gnutls_free_datum (&crl_signature); - - return result; + gnutls_datum_t crl_signed_data = { NULL, 0 }; + gnutls_datum_t crl_signature = { NULL, 0 }; + gnutls_x509_crt_t issuer = NULL; + int result, hash_algo; + time_t now = gnutls_time(0); + unsigned int usage; + + if (verify) + *verify = 0; + + if (tcas_size >= 1) + issuer = find_crl_issuer(crl, trusted_cas, tcas_size); + + /* issuer is not in trusted certificate + * authorities. + */ + if (issuer == NULL) { + gnutls_assert(); + if (verify) + *verify |= + GNUTLS_CERT_SIGNER_NOT_FOUND | + GNUTLS_CERT_INVALID; + return 0; + } + + if (!(flags & GNUTLS_VERIFY_DISABLE_CA_SIGN)) { + if (gnutls_x509_crt_get_ca_status(issuer, NULL) != 1) { + gnutls_assert(); + if (verify) + *verify |= + GNUTLS_CERT_SIGNER_NOT_CA | + GNUTLS_CERT_INVALID; + return 0; + } + + result = + gnutls_x509_crt_get_key_usage(issuer, &usage, NULL); + if (result >= 0) { + if (!(usage & GNUTLS_KEY_CRL_SIGN)) { + gnutls_assert(); + if (verify) + *verify |= + GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE + | GNUTLS_CERT_INVALID; + return 0; + } + } + } + + result = + _gnutls_x509_get_signed_data(crl->crl, "tbsCertList", + &crl_signed_data); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + result = + _gnutls_x509_get_signature(crl->crl, "signature", + &crl_signature); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + result = + _gnutls_x509_get_signature_algorithm(crl->crl, + "signatureAlgorithm.algorithm"); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + hash_algo = gnutls_sign_get_hash_algorithm(result); + + result = + _gnutls_x509_verify_data(mac_to_entry(hash_algo), + &crl_signed_data, &crl_signature, + issuer); + if (result == GNUTLS_E_PK_SIG_VERIFY_FAILED) { + gnutls_assert(); + /* error. ignore it */ + if (verify) + *verify |= GNUTLS_CERT_SIGNATURE_FAILURE; + result = 0; + } else if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + { + int sigalg; + + sigalg = gnutls_x509_crl_get_signature_algorithm(crl); + + if (((sigalg == GNUTLS_SIGN_RSA_MD2) && + !(flags & GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2)) || + ((sigalg == GNUTLS_SIGN_RSA_MD5) && + !(flags & GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5))) { + if (verify) + *verify |= GNUTLS_CERT_INSECURE_ALGORITHM; + result = 0; + } + } + + if (gnutls_x509_crl_get_this_update(crl) > now && verify) + *verify |= GNUTLS_CERT_REVOCATION_DATA_ISSUED_IN_FUTURE; + + if (gnutls_x509_crl_get_next_update(crl) < now && verify) + *verify |= GNUTLS_CERT_REVOCATION_DATA_SUPERSEDED; + + + cleanup: + if (verify) + *verify |= GNUTLS_CERT_INVALID; + + _gnutls_free_datum(&crl_signed_data); + _gnutls_free_datum(&crl_signature); + + return result; } diff --git a/lib/x509/x509.c b/lib/x509/x509.c index a0ec602c2e..164864b668 100644 --- a/lib/x509/x509.c +++ b/lib/x509/x509.c @@ -42,30 +42,29 @@ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a * negative error value. **/ -int -gnutls_x509_crt_init (gnutls_x509_crt_t * cert) +int gnutls_x509_crt_init(gnutls_x509_crt_t * cert) { - gnutls_x509_crt_t tmp = gnutls_calloc (1, sizeof (gnutls_x509_crt_int)); - int result; + gnutls_x509_crt_t tmp = + gnutls_calloc(1, sizeof(gnutls_x509_crt_int)); + int result; - if (!tmp) - return GNUTLS_E_MEMORY_ERROR; + if (!tmp) + return GNUTLS_E_MEMORY_ERROR; - result = asn1_create_element (_gnutls_get_pkix (), - "PKIX1.Certificate", &tmp->cert); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - gnutls_free (tmp); - return _gnutls_asn2err (result); - } + result = asn1_create_element(_gnutls_get_pkix(), + "PKIX1.Certificate", &tmp->cert); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + gnutls_free(tmp); + return _gnutls_asn2err(result); + } - /* If you add anything here, be sure to check if it has to be added - to gnutls_x509_crt_import as well. */ + /* If you add anything here, be sure to check if it has to be added + to gnutls_x509_crt_import as well. */ - *cert = tmp; + *cert = tmp; - return 0; /* success */ + return 0; /* success */ } /*- @@ -78,49 +77,48 @@ gnutls_x509_crt_init (gnutls_x509_crt_t * cert) * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a * negative error value. -*/ -int -_gnutls_x509_crt_cpy (gnutls_x509_crt_t dest, gnutls_x509_crt_t src) -{ - int ret; - size_t der_size=0; - uint8_t *der; - gnutls_datum_t tmp; - - ret = gnutls_x509_crt_export (src, GNUTLS_X509_FMT_DER, NULL, &der_size); - if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER) - { - gnutls_assert (); - return ret; - } - - der = gnutls_malloc (der_size); - if (der == NULL) - { - gnutls_assert (); - return GNUTLS_E_MEMORY_ERROR; - } - - ret = gnutls_x509_crt_export (src, GNUTLS_X509_FMT_DER, der, &der_size); - if (ret < 0) - { - gnutls_assert (); - gnutls_free (der); - return ret; - } - - tmp.data = der; - tmp.size = der_size; - ret = gnutls_x509_crt_import (dest, &tmp, GNUTLS_X509_FMT_DER); - - gnutls_free (der); - - if (ret < 0) - { - gnutls_assert (); - return ret; - } - - return 0; +int _gnutls_x509_crt_cpy(gnutls_x509_crt_t dest, gnutls_x509_crt_t src) +{ + int ret; + size_t der_size = 0; + uint8_t *der; + gnutls_datum_t tmp; + + ret = + gnutls_x509_crt_export(src, GNUTLS_X509_FMT_DER, NULL, + &der_size); + if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER) { + gnutls_assert(); + return ret; + } + + der = gnutls_malloc(der_size); + if (der == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + ret = + gnutls_x509_crt_export(src, GNUTLS_X509_FMT_DER, der, + &der_size); + if (ret < 0) { + gnutls_assert(); + gnutls_free(der); + return ret; + } + + tmp.data = der; + tmp.size = der_size; + ret = gnutls_x509_crt_import(dest, &tmp, GNUTLS_X509_FMT_DER); + + gnutls_free(der); + + if (ret < 0) { + gnutls_assert(); + return ret; + } + + return 0; } /** @@ -129,17 +127,16 @@ _gnutls_x509_crt_cpy (gnutls_x509_crt_t dest, gnutls_x509_crt_t src) * * This function will deinitialize a certificate structure. **/ -void -gnutls_x509_crt_deinit (gnutls_x509_crt_t cert) +void gnutls_x509_crt_deinit(gnutls_x509_crt_t cert) { - if (!cert) - return; + if (!cert) + return; - if (cert->cert) - asn1_delete_structure (&cert->cert); - gnutls_free(cert->raw_dn.data); - gnutls_free(cert->raw_issuer_dn.data); - gnutls_free (cert); + if (cert->cert) + asn1_delete_structure(&cert->cert); + gnutls_free(cert->raw_dn.data); + gnutls_free(cert->raw_issuer_dn.data); + gnutls_free(cert); } /** @@ -159,108 +156,103 @@ gnutls_x509_crt_deinit (gnutls_x509_crt_t cert) * negative error value. **/ int -gnutls_x509_crt_import (gnutls_x509_crt_t cert, - const gnutls_datum_t * data, - gnutls_x509_crt_fmt_t format) -{ - int result = 0, need_free = 0; - gnutls_datum_t _data; - - if (cert == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - _data.data = data->data; - _data.size = data->size; - - /* If the Certificate is in PEM format then decode it - */ - if (format == GNUTLS_X509_FMT_PEM) - { - /* Try the first header */ - result = - _gnutls_fbase64_decode (PEM_X509_CERT2, data->data, data->size, &_data); - - if (result <= 0) - { - /* try for the second header */ - result = - _gnutls_fbase64_decode (PEM_X509_CERT, data->data, - data->size, &_data); - - if (result < 0) - { - gnutls_assert (); - return result; - } - } - - need_free = 1; - } - - if (cert->expanded) - { - /* Any earlier asn1_der_decoding will modify the ASN.1 - structure, so we need to replace it with a fresh - structure. */ - asn1_delete_structure (&cert->cert); - _gnutls_free_datum(&cert->raw_dn); - _gnutls_free_datum(&cert->raw_issuer_dn); - - result = asn1_create_element (_gnutls_get_pkix (), - "PKIX1.Certificate", &cert->cert); - if (result != ASN1_SUCCESS) - { - result = _gnutls_asn2err (result); - gnutls_assert (); - goto cleanup; - } - } - - result = asn1_der_decoding (&cert->cert, _data.data, _data.size, NULL); - if (result != ASN1_SUCCESS) - { - result = _gnutls_asn2err (result); - gnutls_assert (); - goto cleanup; - } - - result = _gnutls_x509_get_raw_dn2 (cert->cert, &_data, - "tbsCertificate.issuer.rdnSequence", - &cert->raw_issuer_dn); - if (result < 0) - { - gnutls_assert (); - goto cleanup; - } - - result = _gnutls_x509_get_raw_dn2 (cert->cert, &_data, - "tbsCertificate.subject.rdnSequence", - &cert->raw_dn); - if (result < 0) - { - gnutls_assert (); - goto cleanup; - } - - cert->expanded = 1; - - /* Since we do not want to disable any extension - */ - cert->use_extensions = 1; - if (need_free) - _gnutls_free_datum (&_data); - - return 0; - -cleanup: - if (need_free) - _gnutls_free_datum (&_data); - _gnutls_free_datum (&cert->raw_dn); - _gnutls_free_datum (&cert->raw_issuer_dn); - return result; +gnutls_x509_crt_import(gnutls_x509_crt_t cert, + const gnutls_datum_t * data, + gnutls_x509_crt_fmt_t format) +{ + int result = 0, need_free = 0; + gnutls_datum_t _data; + + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + _data.data = data->data; + _data.size = data->size; + + /* If the Certificate is in PEM format then decode it + */ + if (format == GNUTLS_X509_FMT_PEM) { + /* Try the first header */ + result = + _gnutls_fbase64_decode(PEM_X509_CERT2, data->data, + data->size, &_data); + + if (result <= 0) { + /* try for the second header */ + result = + _gnutls_fbase64_decode(PEM_X509_CERT, + data->data, data->size, + &_data); + + if (result < 0) { + gnutls_assert(); + return result; + } + } + + need_free = 1; + } + + if (cert->expanded) { + /* Any earlier asn1_der_decoding will modify the ASN.1 + structure, so we need to replace it with a fresh + structure. */ + asn1_delete_structure(&cert->cert); + _gnutls_free_datum(&cert->raw_dn); + _gnutls_free_datum(&cert->raw_issuer_dn); + + result = asn1_create_element(_gnutls_get_pkix(), + "PKIX1.Certificate", + &cert->cert); + if (result != ASN1_SUCCESS) { + result = _gnutls_asn2err(result); + gnutls_assert(); + goto cleanup; + } + } + + result = + asn1_der_decoding(&cert->cert, _data.data, _data.size, NULL); + if (result != ASN1_SUCCESS) { + result = _gnutls_asn2err(result); + gnutls_assert(); + goto cleanup; + } + + result = _gnutls_x509_get_raw_dn2(cert->cert, &_data, + "tbsCertificate.issuer.rdnSequence", + &cert->raw_issuer_dn); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + result = _gnutls_x509_get_raw_dn2(cert->cert, &_data, + "tbsCertificate.subject.rdnSequence", + &cert->raw_dn); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + cert->expanded = 1; + + /* Since we do not want to disable any extension + */ + cert->use_extensions = 1; + if (need_free) + _gnutls_free_datum(&_data); + + return 0; + + cleanup: + if (need_free) + _gnutls_free_datum(&_data); + _gnutls_free_datum(&cert->raw_dn); + _gnutls_free_datum(&cert->raw_issuer_dn); + return result; } @@ -282,18 +274,17 @@ cleanup: * the required size. On success 0 is returned. **/ int -gnutls_x509_crt_get_issuer_dn (gnutls_x509_crt_t cert, char *buf, - size_t * buf_size) +gnutls_x509_crt_get_issuer_dn(gnutls_x509_crt_t cert, char *buf, + size_t * buf_size) { - if (cert == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - return _gnutls_x509_parse_dn (cert->cert, - "tbsCertificate.issuer.rdnSequence", buf, - buf_size); + return _gnutls_x509_parse_dn(cert->cert, + "tbsCertificate.issuer.rdnSequence", + buf, buf_size); } /** @@ -312,16 +303,16 @@ gnutls_x509_crt_get_issuer_dn (gnutls_x509_crt_t cert, char *buf, * Since: 3.1.10 **/ int -gnutls_x509_crt_get_issuer_dn2 (gnutls_x509_crt_t cert, gnutls_datum_t * dn) +gnutls_x509_crt_get_issuer_dn2(gnutls_x509_crt_t cert, gnutls_datum_t * dn) { - if (cert == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - return _gnutls_x509_get_dn (cert->cert, - "tbsCertificate.issuer.rdnSequence", dn); + return _gnutls_x509_get_dn(cert->cert, + "tbsCertificate.issuer.rdnSequence", + dn); } /** @@ -354,27 +345,26 @@ gnutls_x509_crt_get_issuer_dn2 (gnutls_x509_crt_t cert, gnutls_datum_t * dn) * are no data in the current index. On success 0 is returned. **/ int -gnutls_x509_crt_get_issuer_dn_by_oid (gnutls_x509_crt_t cert, - const char *oid, int indx, - unsigned int raw_flag, void *buf, - size_t * buf_size) +gnutls_x509_crt_get_issuer_dn_by_oid(gnutls_x509_crt_t cert, + const char *oid, int indx, + unsigned int raw_flag, void *buf, + size_t * buf_size) { -gnutls_datum_t td; -int ret; + gnutls_datum_t td; + int ret; + + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - if (cert == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } + ret = _gnutls_x509_parse_dn_oid(cert->cert, + "tbsCertificate.issuer.rdnSequence", + oid, indx, raw_flag, &td); + if (ret < 0) + return gnutls_assert_val(ret); - ret = _gnutls_x509_parse_dn_oid (cert->cert, - "tbsCertificate.issuer.rdnSequence", - oid, indx, raw_flag, &td); - if (ret < 0) - return gnutls_assert_val(ret); - - return _gnutls_strdatum_to_buf (&td, buf, buf_size); + return _gnutls_strdatum_to_buf(&td, buf, buf_size); } /** @@ -397,18 +387,17 @@ int ret; * are no data in the current index. On success 0 is returned. **/ int -gnutls_x509_crt_get_issuer_dn_oid (gnutls_x509_crt_t cert, - int indx, void *oid, size_t * oid_size) +gnutls_x509_crt_get_issuer_dn_oid(gnutls_x509_crt_t cert, + int indx, void *oid, size_t * oid_size) { - if (cert == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - return _gnutls_x509_get_dn_oid (cert->cert, - "tbsCertificate.issuer.rdnSequence", - indx, oid, oid_size); + return _gnutls_x509_get_dn_oid(cert->cert, + "tbsCertificate.issuer.rdnSequence", + indx, oid, oid_size); } /** @@ -429,18 +418,17 @@ gnutls_x509_crt_get_issuer_dn_oid (gnutls_x509_crt_t cert, * with the required size. On success 0 is returned. **/ int -gnutls_x509_crt_get_dn (gnutls_x509_crt_t cert, char *buf, - size_t * buf_size) +gnutls_x509_crt_get_dn(gnutls_x509_crt_t cert, char *buf, + size_t * buf_size) { - if (cert == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - return _gnutls_x509_parse_dn (cert->cert, - "tbsCertificate.subject.rdnSequence", buf, - buf_size); + return _gnutls_x509_parse_dn(cert->cert, + "tbsCertificate.subject.rdnSequence", + buf, buf_size); } /** @@ -458,17 +446,16 @@ gnutls_x509_crt_get_dn (gnutls_x509_crt_t cert, char *buf, * * Since: 3.1.10 **/ -int -gnutls_x509_crt_get_dn2 (gnutls_x509_crt_t cert, gnutls_datum_t * dn) +int gnutls_x509_crt_get_dn2(gnutls_x509_crt_t cert, gnutls_datum_t * dn) { - if (cert == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - return _gnutls_x509_get_dn (cert->cert, - "tbsCertificate.subject.rdnSequence", dn); + return _gnutls_x509_get_dn(cert->cert, + "tbsCertificate.subject.rdnSequence", + dn); } /** @@ -501,26 +488,25 @@ gnutls_x509_crt_get_dn2 (gnutls_x509_crt_t cert, gnutls_datum_t * dn) * are no data in the current index. On success 0 is returned. **/ int -gnutls_x509_crt_get_dn_by_oid (gnutls_x509_crt_t cert, const char *oid, - int indx, unsigned int raw_flag, - void *buf, size_t * buf_size) +gnutls_x509_crt_get_dn_by_oid(gnutls_x509_crt_t cert, const char *oid, + int indx, unsigned int raw_flag, + void *buf, size_t * buf_size) { -gnutls_datum_t td; -int ret; + gnutls_datum_t td; + int ret; + + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - if (cert == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } + ret = _gnutls_x509_parse_dn_oid(cert->cert, + "tbsCertificate.subject.rdnSequence", + oid, indx, raw_flag, &td); + if (ret < 0) + return gnutls_assert_val(ret); - ret = _gnutls_x509_parse_dn_oid (cert->cert, - "tbsCertificate.subject.rdnSequence", - oid, indx, raw_flag, &td); - if (ret < 0) - return gnutls_assert_val(ret); - - return _gnutls_strdatum_to_buf (&td, buf, buf_size); + return _gnutls_strdatum_to_buf(&td, buf, buf_size); } /** @@ -543,18 +529,17 @@ int ret; * are no data in the current index. On success 0 is returned. **/ int -gnutls_x509_crt_get_dn_oid (gnutls_x509_crt_t cert, - int indx, void *oid, size_t * oid_size) +gnutls_x509_crt_get_dn_oid(gnutls_x509_crt_t cert, + int indx, void *oid, size_t * oid_size) { - if (cert == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - return _gnutls_x509_get_dn_oid (cert->cert, - "tbsCertificate.subject.rdnSequence", - indx, oid, oid_size); + return _gnutls_x509_get_dn_oid(cert->cert, + "tbsCertificate.subject.rdnSequence", + indx, oid, oid_size); } /** @@ -568,10 +553,10 @@ gnutls_x509_crt_get_dn_oid (gnutls_x509_crt_t cert, * Returns: a #gnutls_sign_algorithm_t value, or a negative error code on * error. **/ -int -gnutls_x509_crt_get_signature_algorithm (gnutls_x509_crt_t cert) +int gnutls_x509_crt_get_signature_algorithm(gnutls_x509_crt_t cert) { - return _gnutls_x509_get_signature_algorithm(cert->cert, "signatureAlgorithm.algorithm"); + return _gnutls_x509_get_signature_algorithm(cert->cert, + "signatureAlgorithm.algorithm"); } /** @@ -586,50 +571,45 @@ gnutls_x509_crt_get_signature_algorithm (gnutls_x509_crt_t cert) * negative error value. and a negative error code on error. **/ int -gnutls_x509_crt_get_signature (gnutls_x509_crt_t cert, - char *sig, size_t * sizeof_sig) -{ - int result; - unsigned int bits; - int len; - - if (cert == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - len = 0; - result = asn1_read_value (cert->cert, "signature", NULL, &len); - if (result != ASN1_MEM_ERROR) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - bits = len; - if (bits % 8 != 0) - { - gnutls_assert (); - return GNUTLS_E_CERTIFICATE_ERROR; - } - - len = bits / 8; - - if (*sizeof_sig < (unsigned int) len) - { - *sizeof_sig = len; - return GNUTLS_E_SHORT_MEMORY_BUFFER; - } - - result = asn1_read_value (cert->cert, "signature", sig, &len); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - return 0; +gnutls_x509_crt_get_signature(gnutls_x509_crt_t cert, + char *sig, size_t * sizeof_sig) +{ + int result; + unsigned int bits; + int len; + + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + len = 0; + result = asn1_read_value(cert->cert, "signature", NULL, &len); + if (result != ASN1_MEM_ERROR) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + bits = len; + if (bits % 8 != 0) { + gnutls_assert(); + return GNUTLS_E_CERTIFICATE_ERROR; + } + + len = bits / 8; + + if (*sizeof_sig < (unsigned int) len) { + *sizeof_sig = len; + return GNUTLS_E_SHORT_MEMORY_BUFFER; + } + + result = asn1_read_value(cert->cert, "signature", sig, &len); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + return 0; } /** @@ -640,31 +620,28 @@ gnutls_x509_crt_get_signature (gnutls_x509_crt_t cert, * * Returns: version of certificate, or a negative error code on error. **/ -int -gnutls_x509_crt_get_version (gnutls_x509_crt_t cert) +int gnutls_x509_crt_get_version(gnutls_x509_crt_t cert) { - uint8_t version[8]; - int len, result; + uint8_t version[8]; + int len, result; - if (cert == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - len = sizeof (version); - if ((result = - asn1_read_value (cert->cert, "tbsCertificate.version", version, - &len)) != ASN1_SUCCESS) - { + len = sizeof(version); + if ((result = + asn1_read_value(cert->cert, "tbsCertificate.version", version, + &len)) != ASN1_SUCCESS) { - if (result == ASN1_ELEMENT_NOT_FOUND) - return 1; /* the DEFAULT version */ - gnutls_assert (); - return _gnutls_asn2err (result); - } + if (result == ASN1_ELEMENT_NOT_FOUND) + return 1; /* the DEFAULT version */ + gnutls_assert(); + return _gnutls_asn2err(result); + } - return (int) version[0] + 1; + return (int) version[0] + 1; } /** @@ -676,17 +653,16 @@ gnutls_x509_crt_get_version (gnutls_x509_crt_t cert) * * Returns: activation time, or (time_t)-1 on error. **/ -time_t -gnutls_x509_crt_get_activation_time (gnutls_x509_crt_t cert) +time_t gnutls_x509_crt_get_activation_time(gnutls_x509_crt_t cert) { - if (cert == NULL) - { - gnutls_assert (); - return (time_t) - 1; - } + if (cert == NULL) { + gnutls_assert(); + return (time_t) - 1; + } - return _gnutls_x509_get_time (cert->cert, - "tbsCertificate.validity.notBefore", 0); + return _gnutls_x509_get_time(cert->cert, + "tbsCertificate.validity.notBefore", + 0); } /** @@ -698,17 +674,16 @@ gnutls_x509_crt_get_activation_time (gnutls_x509_crt_t cert) * * Returns: expiration time, or (time_t)-1 on error. **/ -time_t -gnutls_x509_crt_get_expiration_time (gnutls_x509_crt_t cert) +time_t gnutls_x509_crt_get_expiration_time(gnutls_x509_crt_t cert) { - if (cert == NULL) - { - gnutls_assert (); - return (time_t) - 1; - } + if (cert == NULL) { + gnutls_assert(); + return (time_t) - 1; + } - return _gnutls_x509_get_time (cert->cert, - "tbsCertificate.validity.notAfter", 0); + return _gnutls_x509_get_time(cert->cert, + "tbsCertificate.validity.notAfter", + 0); } /** @@ -726,60 +701,59 @@ gnutls_x509_crt_get_expiration_time (gnutls_x509_crt_t cert) * if the extension is not present, otherwise a negative error value. **/ int -gnutls_x509_crt_get_private_key_usage_period (gnutls_x509_crt_t cert, time_t* activation, time_t* expiration, - unsigned int *critical) -{ - int result, ret; - gnutls_datum_t der = {NULL, 0}; - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - - if (cert == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - ret = - _gnutls_x509_crt_get_extension (cert, "2.5.29.16", 0, &der, - critical); - if (ret < 0) - return gnutls_assert_val(ret); - - if (der.size == 0 || der.data == NULL) - return gnutls_assert_val(GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE); - - result = asn1_create_element - (_gnutls_get_pkix (), "PKIX1.PrivateKeyUsagePeriod", &c2); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - ret = _gnutls_asn2err (result); - goto cleanup; - } - - result = asn1_der_decoding (&c2, der.data, der.size, NULL); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - ret = _gnutls_asn2err (result); - goto cleanup; - } - - if (activation) - *activation = _gnutls_x509_get_time (c2, - "notBefore", 1); - - if (expiration) - *expiration = _gnutls_x509_get_time (c2, - "notAfter", 1); - - ret = 0; - -cleanup: - _gnutls_free_datum(&der); - asn1_delete_structure (&c2); - - return ret; +gnutls_x509_crt_get_private_key_usage_period(gnutls_x509_crt_t cert, + time_t * activation, + time_t * expiration, + unsigned int *critical) +{ + int result, ret; + gnutls_datum_t der = { NULL, 0 }; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + ret = + _gnutls_x509_crt_get_extension(cert, "2.5.29.16", 0, &der, + critical); + if (ret < 0) + return gnutls_assert_val(ret); + + if (der.size == 0 || der.data == NULL) + return + gnutls_assert_val + (GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE); + + result = asn1_create_element + (_gnutls_get_pkix(), "PKIX1.PrivateKeyUsagePeriod", &c2); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + ret = _gnutls_asn2err(result); + goto cleanup; + } + + result = asn1_der_decoding(&c2, der.data, der.size, NULL); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + ret = _gnutls_asn2err(result); + goto cleanup; + } + + if (activation) + *activation = _gnutls_x509_get_time(c2, "notBefore", 1); + + if (expiration) + *expiration = _gnutls_x509_get_time(c2, "notAfter", 1); + + ret = 0; + + cleanup: + _gnutls_free_datum(&der); + asn1_delete_structure(&c2); + + return ret; } @@ -798,29 +772,28 @@ cleanup: * negative error value. **/ int -gnutls_x509_crt_get_serial (gnutls_x509_crt_t cert, void *result, - size_t * result_size) +gnutls_x509_crt_get_serial(gnutls_x509_crt_t cert, void *result, + size_t * result_size) { - int ret, len; + int ret, len; - if (cert == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - len = *result_size; - ret = - asn1_read_value (cert->cert, "tbsCertificate.serialNumber", result, &len); - *result_size = len; + len = *result_size; + ret = + asn1_read_value(cert->cert, "tbsCertificate.serialNumber", + result, &len); + *result_size = len; - if (ret != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (ret); - } + if (ret != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(ret); + } - return 0; + return 0; } /** @@ -838,126 +811,116 @@ gnutls_x509_crt_get_serial (gnutls_x509_crt_t cert, void *result, * if the extension is not present, otherwise a negative error value. **/ int -gnutls_x509_crt_get_subject_key_id (gnutls_x509_crt_t cert, void *ret, - size_t * ret_size, unsigned int *critical) -{ - int result, len; - gnutls_datum_t id; - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - - if (cert == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - - if (ret) - memset (ret, 0, *ret_size); - else - *ret_size = 0; - - if ((result = - _gnutls_x509_crt_get_extension (cert, "2.5.29.14", 0, &id, - critical)) < 0) - { - return result; - } - - if (id.size == 0 || id.data == NULL) - { - gnutls_assert (); - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - } - - result = asn1_create_element - (_gnutls_get_pkix (), "PKIX1.SubjectKeyIdentifier", &c2); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - _gnutls_free_datum (&id); - return _gnutls_asn2err (result); - } - - result = asn1_der_decoding (&c2, id.data, id.size, NULL); - _gnutls_free_datum (&id); - - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - asn1_delete_structure (&c2); - return _gnutls_asn2err (result); - } - - len = *ret_size; - result = asn1_read_value (c2, "", ret, &len); - - *ret_size = len; - asn1_delete_structure (&c2); - - if (result == ASN1_VALUE_NOT_FOUND || result == ASN1_ELEMENT_NOT_FOUND) - { - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - } - - if (result != ASN1_SUCCESS) - { - if (result != ASN1_MEM_ERROR) - gnutls_assert (); - return _gnutls_asn2err (result); - } - - return 0; +gnutls_x509_crt_get_subject_key_id(gnutls_x509_crt_t cert, void *ret, + size_t * ret_size, + unsigned int *critical) +{ + int result, len; + gnutls_datum_t id; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + + if (ret) + memset(ret, 0, *ret_size); + else + *ret_size = 0; + + if ((result = + _gnutls_x509_crt_get_extension(cert, "2.5.29.14", 0, &id, + critical)) < 0) { + return result; + } + + if (id.size == 0 || id.data == NULL) { + gnutls_assert(); + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + } + + result = asn1_create_element + (_gnutls_get_pkix(), "PKIX1.SubjectKeyIdentifier", &c2); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + _gnutls_free_datum(&id); + return _gnutls_asn2err(result); + } + + result = asn1_der_decoding(&c2, id.data, id.size, NULL); + _gnutls_free_datum(&id); + + if (result != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(&c2); + return _gnutls_asn2err(result); + } + + len = *ret_size; + result = asn1_read_value(c2, "", ret, &len); + + *ret_size = len; + asn1_delete_structure(&c2); + + if (result == ASN1_VALUE_NOT_FOUND + || result == ASN1_ELEMENT_NOT_FOUND) { + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + } + + if (result != ASN1_SUCCESS) { + if (result != ASN1_MEM_ERROR) + gnutls_assert(); + return _gnutls_asn2err(result); + } + + return 0; } static int -_get_authority_key_id (gnutls_x509_crt_t cert, ASN1_TYPE *c2, - unsigned int *critical) -{ - int ret; - gnutls_datum_t id; - - *c2 = ASN1_TYPE_EMPTY; - - if (cert == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - if ((ret = - _gnutls_x509_crt_get_extension (cert, "2.5.29.35", 0, &id, - critical)) < 0) - { - return gnutls_assert_val(ret); - } - - if (id.size == 0 || id.data == NULL) - { - gnutls_assert (); - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - } - - ret = asn1_create_element - (_gnutls_get_pkix (), "PKIX1.AuthorityKeyIdentifier", c2); - if (ret != ASN1_SUCCESS) - { - gnutls_assert (); - _gnutls_free_datum (&id); - return _gnutls_asn2err (ret); - } - - ret = asn1_der_decoding (c2, id.data, id.size, NULL); - _gnutls_free_datum (&id); - - if (ret != ASN1_SUCCESS) - { - gnutls_assert (); - asn1_delete_structure (c2); - return _gnutls_asn2err (ret); - } - - return 0; +_get_authority_key_id(gnutls_x509_crt_t cert, ASN1_TYPE * c2, + unsigned int *critical) +{ + int ret; + gnutls_datum_t id; + + *c2 = ASN1_TYPE_EMPTY; + + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + if ((ret = + _gnutls_x509_crt_get_extension(cert, "2.5.29.35", 0, &id, + critical)) < 0) { + return gnutls_assert_val(ret); + } + + if (id.size == 0 || id.data == NULL) { + gnutls_assert(); + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + } + + ret = asn1_create_element + (_gnutls_get_pkix(), "PKIX1.AuthorityKeyIdentifier", c2); + if (ret != ASN1_SUCCESS) { + gnutls_assert(); + _gnutls_free_datum(&id); + return _gnutls_asn2err(ret); + } + + ret = asn1_der_decoding(c2, id.data, id.size, NULL); + _gnutls_free_datum(&id); + + if (ret != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(c2); + return _gnutls_asn2err(ret); + } + + return 0; } /** @@ -985,48 +948,50 @@ _get_authority_key_id (gnutls_x509_crt_t cert, ASN1_TYPE *c2, * Since: 3.0 **/ int -gnutls_x509_crt_get_authority_key_gn_serial (gnutls_x509_crt_t cert, unsigned int seq, void *alt, - size_t * alt_size, unsigned int *alt_type, - void* serial, size_t *serial_size, - unsigned int *critical) -{ -int ret, result, len; -ASN1_TYPE c2; - - ret = _get_authority_key_id(cert, &c2, critical); - if (ret < 0) - return gnutls_assert_val(ret); - - ret = - _gnutls_parse_general_name (c2, "authorityCertIssuer", seq, alt, alt_size, alt_type, - 0); - if (ret < 0) - { - ret = gnutls_assert_val(ret); - goto fail; - } - - if (serial) - { - len = *serial_size; - result = asn1_read_value (c2, "authorityCertSerialNumber", serial, &len); - - *serial_size = len; - - if (result < 0) - { - ret = _gnutls_asn2err(result); - goto fail; - } - - } - - ret = 0; - -fail: - asn1_delete_structure (&c2); - - return ret; +gnutls_x509_crt_get_authority_key_gn_serial(gnutls_x509_crt_t cert, + unsigned int seq, void *alt, + size_t * alt_size, + unsigned int *alt_type, + void *serial, + size_t * serial_size, + unsigned int *critical) +{ + int ret, result, len; + ASN1_TYPE c2; + + ret = _get_authority_key_id(cert, &c2, critical); + if (ret < 0) + return gnutls_assert_val(ret); + + ret = + _gnutls_parse_general_name(c2, "authorityCertIssuer", seq, alt, + alt_size, alt_type, 0); + if (ret < 0) { + ret = gnutls_assert_val(ret); + goto fail; + } + + if (serial) { + len = *serial_size; + result = + asn1_read_value(c2, "authorityCertSerialNumber", + serial, &len); + + *serial_size = len; + + if (result < 0) { + ret = _gnutls_asn2err(result); + goto fail; + } + + } + + ret = 0; + + fail: + asn1_delete_structure(&c2); + + return ret; } /** @@ -1048,34 +1013,35 @@ fail: * if the extension is not present, otherwise a negative error value. **/ int -gnutls_x509_crt_get_authority_key_id (gnutls_x509_crt_t cert, void *id, - size_t * id_size, - unsigned int *critical) +gnutls_x509_crt_get_authority_key_id(gnutls_x509_crt_t cert, void *id, + size_t * id_size, + unsigned int *critical) { - int ret, result, len; - ASN1_TYPE c2; + int ret, result, len; + ASN1_TYPE c2; - ret = _get_authority_key_id(cert, &c2, critical); - if (ret < 0) - return gnutls_assert_val(ret); + ret = _get_authority_key_id(cert, &c2, critical); + if (ret < 0) + return gnutls_assert_val(ret); - len = *id_size; - result = asn1_read_value (c2, "keyIdentifier", id, &len); + len = *id_size; + result = asn1_read_value(c2, "keyIdentifier", id, &len); - *id_size = len; - asn1_delete_structure (&c2); + *id_size = len; + asn1_delete_structure(&c2); - if (result == ASN1_VALUE_NOT_FOUND || result == ASN1_ELEMENT_NOT_FOUND) - return gnutls_assert_val(GNUTLS_E_X509_UNSUPPORTED_EXTENSION); + if (result == ASN1_VALUE_NOT_FOUND + || result == ASN1_ELEMENT_NOT_FOUND) + return + gnutls_assert_val(GNUTLS_E_X509_UNSUPPORTED_EXTENSION); - if (result != ASN1_SUCCESS) - { - if (result != ASN1_MEM_ERROR) - gnutls_assert (); - return _gnutls_asn2err (result); - } + if (result != ASN1_SUCCESS) { + if (result != ASN1_MEM_ERROR) + gnutls_assert(); + return _gnutls_asn2err(result); + } - return 0; + return 0; } /** @@ -1095,42 +1061,40 @@ gnutls_x509_crt_get_authority_key_id (gnutls_x509_crt_t cert, void *id, * success, or a negative error code on error. **/ int -gnutls_x509_crt_get_pk_algorithm (gnutls_x509_crt_t cert, unsigned int *bits) +gnutls_x509_crt_get_pk_algorithm(gnutls_x509_crt_t cert, + unsigned int *bits) { - int result; + int result; + + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - if (cert == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - if (bits) - *bits = 0; + if (bits) + *bits = 0; - result = - _gnutls_x509_get_pk_algorithm (cert->cert, - "tbsCertificate.subjectPublicKeyInfo", - bits); + result = + _gnutls_x509_get_pk_algorithm(cert->cert, + "tbsCertificate.subjectPublicKeyInfo", + bits); - if (result < 0) - { - gnutls_assert (); - return result; - } + if (result < 0) { + gnutls_assert(); + return result; + } - return result; + return result; } -inline static int -is_type_printable (int type) +inline static int is_type_printable(int type) { - if (type == GNUTLS_SAN_DNSNAME || type == GNUTLS_SAN_RFC822NAME || - type == GNUTLS_SAN_URI) - return 1; - else - return 0; + if (type == GNUTLS_SAN_DNSNAME || type == GNUTLS_SAN_RFC822NAME || + type == GNUTLS_SAN_URI) + return 1; + else + return 0; } #define XMPP_OID "1.3.6.1.5.5.7.8.5" @@ -1139,251 +1103,233 @@ is_type_printable (int type) * Type is also returned as a parameter in case of an error. */ int -_gnutls_parse_general_name (ASN1_TYPE src, const char *src_name, - int seq, void *name, size_t * name_size, - unsigned int *ret_type, int othername_oid) -{ - int len; - char nptr[ASN1_MAX_NAME_SIZE]; - int result; - char choice_type[128]; - gnutls_x509_subject_alt_name_t type; - - seq++; /* 0->1, 1->2 etc */ - - if (src_name[0] != 0) - snprintf (nptr, sizeof (nptr), "%s.?%u", src_name, seq); - else - snprintf (nptr, sizeof (nptr), "?%u", seq); - - len = sizeof (choice_type); - result = asn1_read_value (src, nptr, choice_type, &len); - - if (result == ASN1_VALUE_NOT_FOUND || result == ASN1_ELEMENT_NOT_FOUND) - { - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - } - - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - - type = _gnutls_x509_san_find_type (choice_type); - if (type == (gnutls_x509_subject_alt_name_t) - 1) - { - gnutls_assert (); - return GNUTLS_E_X509_UNKNOWN_SAN; - } - - if (ret_type) - *ret_type = type; - - if (type == GNUTLS_SAN_OTHERNAME) - { - if (othername_oid) - _gnutls_str_cat (nptr, sizeof (nptr), ".otherName.type-id"); - else - _gnutls_str_cat (nptr, sizeof (nptr), ".otherName.value"); - - len = *name_size; - result = asn1_read_value (src, nptr, name, &len); - *name_size = len; - - if (result == ASN1_MEM_ERROR) - return GNUTLS_E_SHORT_MEMORY_BUFFER; - - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - if (othername_oid) - { - if ((unsigned)len > strlen (XMPP_OID) && strcmp (name, XMPP_OID) == 0) - type = GNUTLS_SAN_OTHERNAME_XMPP; - } - else - { - char oid[42]; - - if (src_name[0] != 0) - snprintf (nptr, sizeof (nptr), "%s.?%u.otherName.type-id", - src_name, seq); - else - snprintf (nptr, sizeof (nptr), "?%u.otherName.type-id", seq); - - len = sizeof (oid); - result = asn1_read_value (src, nptr, oid, &len); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - if ((unsigned)len > strlen (XMPP_OID) && strcmp (oid, XMPP_OID) == 0) - { - gnutls_datum_t out; - - result = _gnutls_x509_decode_string(ASN1_ETYPE_UTF8_STRING, - name, *name_size, &out); - if (result < 0) - { - gnutls_assert(); - return result; - } - - if (*name_size <= out.size) - { - gnutls_assert (); - gnutls_free(out.data); - *name_size = len + 1; - return GNUTLS_E_SHORT_MEMORY_BUFFER; - } - - *name_size = out.size; - memcpy(name, out.data, out.size); - /* null terminate it */ - ((char *) name)[*name_size] = 0; - gnutls_free(out.data); - } - } - } - else if (type == GNUTLS_SAN_DN) - { - _gnutls_str_cat (nptr, sizeof (nptr), ".directoryName"); - result = _gnutls_x509_parse_dn (src, nptr, name, name_size); - if (result < 0) - { - gnutls_assert (); - return result; - } - } - else if (othername_oid) - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - else - { - size_t orig_name_size = *name_size; - - _gnutls_str_cat (nptr, sizeof (nptr), "."); - _gnutls_str_cat (nptr, sizeof (nptr), choice_type); - - len = *name_size; - result = asn1_read_value (src, nptr, name, &len); - *name_size = len; - - if (result == ASN1_MEM_ERROR) - { - if (is_type_printable (type)) - (*name_size)++; - return GNUTLS_E_SHORT_MEMORY_BUFFER; - } - - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - if (is_type_printable (type)) - { - - if ((unsigned)len + 1 > orig_name_size) - { - gnutls_assert (); - (*name_size)++; - return GNUTLS_E_SHORT_MEMORY_BUFFER; - } - - /* null terminate it */ - if (name) - ((char *) name)[*name_size] = 0; - } - - } - - return type; +_gnutls_parse_general_name(ASN1_TYPE src, const char *src_name, + int seq, void *name, size_t * name_size, + unsigned int *ret_type, int othername_oid) +{ + int len; + char nptr[ASN1_MAX_NAME_SIZE]; + int result; + char choice_type[128]; + gnutls_x509_subject_alt_name_t type; + + seq++; /* 0->1, 1->2 etc */ + + if (src_name[0] != 0) + snprintf(nptr, sizeof(nptr), "%s.?%u", src_name, seq); + else + snprintf(nptr, sizeof(nptr), "?%u", seq); + + len = sizeof(choice_type); + result = asn1_read_value(src, nptr, choice_type, &len); + + if (result == ASN1_VALUE_NOT_FOUND + || result == ASN1_ELEMENT_NOT_FOUND) { + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + } + + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + + type = _gnutls_x509_san_find_type(choice_type); + if (type == (gnutls_x509_subject_alt_name_t) - 1) { + gnutls_assert(); + return GNUTLS_E_X509_UNKNOWN_SAN; + } + + if (ret_type) + *ret_type = type; + + if (type == GNUTLS_SAN_OTHERNAME) { + if (othername_oid) + _gnutls_str_cat(nptr, sizeof(nptr), + ".otherName.type-id"); + else + _gnutls_str_cat(nptr, sizeof(nptr), + ".otherName.value"); + + len = *name_size; + result = asn1_read_value(src, nptr, name, &len); + *name_size = len; + + if (result == ASN1_MEM_ERROR) + return GNUTLS_E_SHORT_MEMORY_BUFFER; + + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + if (othername_oid) { + if ((unsigned) len > strlen(XMPP_OID) + && strcmp(name, XMPP_OID) == 0) + type = GNUTLS_SAN_OTHERNAME_XMPP; + } else { + char oid[42]; + + if (src_name[0] != 0) + snprintf(nptr, sizeof(nptr), + "%s.?%u.otherName.type-id", + src_name, seq); + else + snprintf(nptr, sizeof(nptr), + "?%u.otherName.type-id", seq); + + len = sizeof(oid); + result = asn1_read_value(src, nptr, oid, &len); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + if ((unsigned) len > strlen(XMPP_OID) + && strcmp(oid, XMPP_OID) == 0) { + gnutls_datum_t out; + + result = + _gnutls_x509_decode_string + (ASN1_ETYPE_UTF8_STRING, name, + *name_size, &out); + if (result < 0) { + gnutls_assert(); + return result; + } + + if (*name_size <= out.size) { + gnutls_assert(); + gnutls_free(out.data); + *name_size = len + 1; + return + GNUTLS_E_SHORT_MEMORY_BUFFER; + } + + *name_size = out.size; + memcpy(name, out.data, out.size); + /* null terminate it */ + ((char *) name)[*name_size] = 0; + gnutls_free(out.data); + } + } + } else if (type == GNUTLS_SAN_DN) { + _gnutls_str_cat(nptr, sizeof(nptr), ".directoryName"); + result = _gnutls_x509_parse_dn(src, nptr, name, name_size); + if (result < 0) { + gnutls_assert(); + return result; + } + } else if (othername_oid) + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + else { + size_t orig_name_size = *name_size; + + _gnutls_str_cat(nptr, sizeof(nptr), "."); + _gnutls_str_cat(nptr, sizeof(nptr), choice_type); + + len = *name_size; + result = asn1_read_value(src, nptr, name, &len); + *name_size = len; + + if (result == ASN1_MEM_ERROR) { + if (is_type_printable(type)) + (*name_size)++; + return GNUTLS_E_SHORT_MEMORY_BUFFER; + } + + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + if (is_type_printable(type)) { + + if ((unsigned) len + 1 > orig_name_size) { + gnutls_assert(); + (*name_size)++; + return GNUTLS_E_SHORT_MEMORY_BUFFER; + } + + /* null terminate it */ + if (name) + ((char *) name)[*name_size] = 0; + } + + } + + return type; } static int -get_alt_name (gnutls_x509_crt_t cert, const char *extension_id, - unsigned int seq, void *alt, - size_t * alt_size, unsigned int *alt_type, - unsigned int *critical, int othername_oid) -{ - int result; - gnutls_datum_t dnsname; - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - - if (cert == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - if (alt) - memset (alt, 0, *alt_size); - else - *alt_size = 0; - - if ((result = - _gnutls_x509_crt_get_extension (cert, extension_id, 0, &dnsname, - critical)) < 0) - { - return result; - } - - if (dnsname.size == 0 || dnsname.data == NULL) - { - gnutls_assert (); - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - } - - if (strcmp ("2.5.29.17", extension_id) == 0) - result = asn1_create_element (_gnutls_get_pkix (), - "PKIX1.SubjectAltName", &c2); - else if (strcmp ("2.5.29.18", extension_id) == 0) - result = asn1_create_element (_gnutls_get_pkix (), - "PKIX1.IssuerAltName", &c2); - else - { - gnutls_assert (); - return GNUTLS_E_INTERNAL_ERROR; - } - - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - _gnutls_free_datum (&dnsname); - return _gnutls_asn2err (result); - } - - result = asn1_der_decoding (&c2, dnsname.data, dnsname.size, NULL); - _gnutls_free_datum (&dnsname); - - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - asn1_delete_structure (&c2); - return _gnutls_asn2err (result); - } - - result = - _gnutls_parse_general_name (c2, "", seq, alt, alt_size, alt_type, - othername_oid); - - asn1_delete_structure (&c2); - - if (result < 0) - { - gnutls_assert (); - return result; - } - - return result; +get_alt_name(gnutls_x509_crt_t cert, const char *extension_id, + unsigned int seq, void *alt, + size_t * alt_size, unsigned int *alt_type, + unsigned int *critical, int othername_oid) +{ + int result; + gnutls_datum_t dnsname; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + if (alt) + memset(alt, 0, *alt_size); + else + *alt_size = 0; + + if ((result = + _gnutls_x509_crt_get_extension(cert, extension_id, 0, + &dnsname, critical)) < 0) { + return result; + } + + if (dnsname.size == 0 || dnsname.data == NULL) { + gnutls_assert(); + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + } + + if (strcmp("2.5.29.17", extension_id) == 0) + result = asn1_create_element(_gnutls_get_pkix(), + "PKIX1.SubjectAltName", &c2); + else if (strcmp("2.5.29.18", extension_id) == 0) + result = asn1_create_element(_gnutls_get_pkix(), + "PKIX1.IssuerAltName", &c2); + else { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + + if (result != ASN1_SUCCESS) { + gnutls_assert(); + _gnutls_free_datum(&dnsname); + return _gnutls_asn2err(result); + } + + result = asn1_der_decoding(&c2, dnsname.data, dnsname.size, NULL); + _gnutls_free_datum(&dnsname); + + if (result != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(&c2); + return _gnutls_asn2err(result); + } + + result = + _gnutls_parse_general_name(c2, "", seq, alt, alt_size, + alt_type, othername_oid); + + asn1_delete_structure(&c2); + + if (result < 0) { + gnutls_assert(); + return result; + } + + return result; } /** @@ -1417,13 +1363,13 @@ get_alt_name (gnutls_x509_crt_t cert, const char *extension_id, * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned. **/ int -gnutls_x509_crt_get_subject_alt_name (gnutls_x509_crt_t cert, - unsigned int seq, void *san, - size_t * san_size, - unsigned int *critical) +gnutls_x509_crt_get_subject_alt_name(gnutls_x509_crt_t cert, + unsigned int seq, void *san, + size_t * san_size, + unsigned int *critical) { - return get_alt_name (cert, "2.5.29.17", seq, san, san_size, NULL, critical, - 0); + return get_alt_name(cert, "2.5.29.17", seq, san, san_size, NULL, + critical, 0); } /** @@ -1460,13 +1406,13 @@ gnutls_x509_crt_get_subject_alt_name (gnutls_x509_crt_t cert, * Since: 2.10.0 **/ int -gnutls_x509_crt_get_issuer_alt_name (gnutls_x509_crt_t cert, - unsigned int seq, void *ian, - size_t * ian_size, - unsigned int *critical) +gnutls_x509_crt_get_issuer_alt_name(gnutls_x509_crt_t cert, + unsigned int seq, void *ian, + size_t * ian_size, + unsigned int *critical) { - return get_alt_name (cert, "2.5.29.18", seq, ian, ian_size, NULL, critical, - 0); + return get_alt_name(cert, "2.5.29.18", seq, ian, ian_size, NULL, + critical, 0); } /** @@ -1494,14 +1440,14 @@ gnutls_x509_crt_get_issuer_alt_name (gnutls_x509_crt_t cert, * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned. **/ int -gnutls_x509_crt_get_subject_alt_name2 (gnutls_x509_crt_t cert, - unsigned int seq, void *san, - size_t * san_size, - unsigned int *san_type, - unsigned int *critical) +gnutls_x509_crt_get_subject_alt_name2(gnutls_x509_crt_t cert, + unsigned int seq, void *san, + size_t * san_size, + unsigned int *san_type, + unsigned int *critical) { - return get_alt_name (cert, "2.5.29.17", seq, san, san_size, san_type, - critical, 0); + return get_alt_name(cert, "2.5.29.17", seq, san, san_size, + san_type, critical, 0); } /** @@ -1532,14 +1478,14 @@ gnutls_x509_crt_get_subject_alt_name2 (gnutls_x509_crt_t cert, * **/ int -gnutls_x509_crt_get_issuer_alt_name2 (gnutls_x509_crt_t cert, - unsigned int seq, void *ian, - size_t * ian_size, - unsigned int *ian_type, - unsigned int *critical) +gnutls_x509_crt_get_issuer_alt_name2(gnutls_x509_crt_t cert, + unsigned int seq, void *ian, + size_t * ian_size, + unsigned int *ian_type, + unsigned int *critical) { - return get_alt_name (cert, "2.5.29.18", seq, ian, ian_size, ian_type, - critical, 0); + return get_alt_name(cert, "2.5.29.18", seq, ian, ian_size, + ian_type, critical, 0); } /** @@ -1573,11 +1519,12 @@ gnutls_x509_crt_get_issuer_alt_name2 (gnutls_x509_crt_t cert, * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned. **/ int -gnutls_x509_crt_get_subject_alt_othername_oid (gnutls_x509_crt_t cert, - unsigned int seq, - void *oid, size_t * oid_size) +gnutls_x509_crt_get_subject_alt_othername_oid(gnutls_x509_crt_t cert, + unsigned int seq, + void *oid, size_t * oid_size) { - return get_alt_name (cert, "2.5.29.17", seq, oid, oid_size, NULL, NULL, 1); + return get_alt_name(cert, "2.5.29.17", seq, oid, oid_size, NULL, + NULL, 1); } /** @@ -1613,11 +1560,12 @@ gnutls_x509_crt_get_subject_alt_othername_oid (gnutls_x509_crt_t cert, * Since: 2.10.0 **/ int -gnutls_x509_crt_get_issuer_alt_othername_oid (gnutls_x509_crt_t cert, - unsigned int seq, - void *ret, size_t * ret_size) +gnutls_x509_crt_get_issuer_alt_othername_oid(gnutls_x509_crt_t cert, + unsigned int seq, + void *ret, size_t * ret_size) { - return get_alt_name (cert, "2.5.29.18", seq, ret, ret_size, NULL, NULL, 1); + return get_alt_name(cert, "2.5.29.18", seq, ret, ret_size, NULL, + NULL, 1); } /** @@ -1641,49 +1589,48 @@ gnutls_x509_crt_get_issuer_alt_othername_oid (gnutls_x509_crt_t cert, * GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned. **/ int -gnutls_x509_crt_get_basic_constraints (gnutls_x509_crt_t cert, - unsigned int *critical, - unsigned int *ca, int *pathlen) -{ - int result; - gnutls_datum_t basicConstraints; - unsigned int tmp_ca; - - if (cert == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - if ((result = - _gnutls_x509_crt_get_extension (cert, "2.5.29.19", 0, - &basicConstraints, critical)) < 0) - { - return result; - } - - if (basicConstraints.size == 0 || basicConstraints.data == NULL) - { - gnutls_assert (); - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - } - - result = - _gnutls_x509_ext_extract_basicConstraints (&tmp_ca, - pathlen, - basicConstraints.data, - basicConstraints.size); - if (ca) - *ca = tmp_ca; - _gnutls_free_datum (&basicConstraints); - - if (result < 0) - { - gnutls_assert (); - return result; - } - - return tmp_ca; +gnutls_x509_crt_get_basic_constraints(gnutls_x509_crt_t cert, + unsigned int *critical, + unsigned int *ca, int *pathlen) +{ + int result; + gnutls_datum_t basicConstraints; + unsigned int tmp_ca; + + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + if ((result = + _gnutls_x509_crt_get_extension(cert, "2.5.29.19", 0, + &basicConstraints, + critical)) < 0) { + return result; + } + + if (basicConstraints.size == 0 || basicConstraints.data == NULL) { + gnutls_assert(); + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + } + + result = + _gnutls_x509_ext_extract_basicConstraints(&tmp_ca, + pathlen, + basicConstraints. + data, + basicConstraints. + size); + if (ca) + *ca = tmp_ca; + _gnutls_free_datum(&basicConstraints); + + if (result < 0) { + gnutls_assert(); + return result; + } + + return tmp_ca; } /** @@ -1704,12 +1651,13 @@ gnutls_x509_crt_get_basic_constraints (gnutls_x509_crt_t cert, * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned. **/ int -gnutls_x509_crt_get_ca_status (gnutls_x509_crt_t cert, unsigned int *critical) +gnutls_x509_crt_get_ca_status(gnutls_x509_crt_t cert, + unsigned int *critical) { - int pathlen; - unsigned int ca; - return gnutls_x509_crt_get_basic_constraints (cert, critical, &ca, - &pathlen); + int pathlen; + unsigned int ca; + return gnutls_x509_crt_get_basic_constraints(cert, critical, &ca, + &pathlen); } /** @@ -1732,46 +1680,42 @@ gnutls_x509_crt_get_ca_status (gnutls_x509_crt_t cert, unsigned int *critical) * returned. **/ int -gnutls_x509_crt_get_key_usage (gnutls_x509_crt_t cert, - unsigned int *key_usage, - unsigned int *critical) +gnutls_x509_crt_get_key_usage(gnutls_x509_crt_t cert, + unsigned int *key_usage, + unsigned int *critical) { - int result; - gnutls_datum_t keyUsage; - uint16_t _usage; + int result; + gnutls_datum_t keyUsage; + uint16_t _usage; - if (cert == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - if ((result = - _gnutls_x509_crt_get_extension (cert, "2.5.29.15", 0, &keyUsage, - critical)) < 0) - { - return result; - } + if ((result = + _gnutls_x509_crt_get_extension(cert, "2.5.29.15", 0, + &keyUsage, critical)) < 0) { + return result; + } - if (keyUsage.size == 0 || keyUsage.data == NULL) - { - gnutls_assert (); - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - } + if (keyUsage.size == 0 || keyUsage.data == NULL) { + gnutls_assert(); + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + } - result = _gnutls_x509_ext_extract_keyUsage (&_usage, keyUsage.data, - keyUsage.size); - _gnutls_free_datum (&keyUsage); + result = _gnutls_x509_ext_extract_keyUsage(&_usage, keyUsage.data, + keyUsage.size); + _gnutls_free_datum(&keyUsage); - *key_usage = _usage; + *key_usage = _usage; - if (result < 0) - { - gnutls_assert (); - return result; - } + if (result < 0) { + gnutls_assert(); + return result; + } - return 0; + return 0; } /** @@ -1792,48 +1736,46 @@ gnutls_x509_crt_get_key_usage (gnutls_x509_crt_t cert, * otherwise a negative error code is returned. **/ int -gnutls_x509_crt_get_proxy (gnutls_x509_crt_t cert, - unsigned int *critical, - int *pathlen, - char **policyLanguage, - char **policy, size_t * sizeof_policy) -{ - int result; - gnutls_datum_t proxyCertInfo; - - if (cert == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - if ((result = - _gnutls_x509_crt_get_extension (cert, "1.3.6.1.5.5.7.1.14", 0, - &proxyCertInfo, critical)) < 0) - { - return result; - } - - if (proxyCertInfo.size == 0 || proxyCertInfo.data == NULL) - { - gnutls_assert (); - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - } - - result = _gnutls_x509_ext_extract_proxyCertInfo (pathlen, - policyLanguage, - policy, - sizeof_policy, - proxyCertInfo.data, - proxyCertInfo.size); - _gnutls_free_datum (&proxyCertInfo); - if (result < 0) - { - gnutls_assert (); - return result; - } - - return 0; +gnutls_x509_crt_get_proxy(gnutls_x509_crt_t cert, + unsigned int *critical, + int *pathlen, + char **policyLanguage, + char **policy, size_t * sizeof_policy) +{ + int result; + gnutls_datum_t proxyCertInfo; + + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + if ((result = + _gnutls_x509_crt_get_extension(cert, "1.3.6.1.5.5.7.1.14", 0, + &proxyCertInfo, critical)) < 0) + { + return result; + } + + if (proxyCertInfo.size == 0 || proxyCertInfo.data == NULL) { + gnutls_assert(); + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + } + + result = _gnutls_x509_ext_extract_proxyCertInfo(pathlen, + policyLanguage, + policy, + sizeof_policy, + proxyCertInfo.data, + proxyCertInfo. + size); + _gnutls_free_datum(&proxyCertInfo); + if (result < 0) { + gnutls_assert(); + return result; + } + + return 0; } /** @@ -1845,92 +1787,86 @@ gnutls_x509_crt_get_proxy (gnutls_x509_crt_t cert, * * Since: 3.1.5 **/ -void gnutls_x509_policy_release(struct gnutls_x509_policy_st* policy) -{ -unsigned i; - - gnutls_free(policy->oid); - for (i=0;i<policy->qualifiers;i++) - gnutls_free(policy->qualifier[i].data); -} - -static int decode_user_notice(const void* data, size_t size, gnutls_datum_t *txt) -{ - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - int ret, len; - char choice_type[64]; - char name[128]; - gnutls_datum_t td, utd; - - ret = asn1_create_element - (_gnutls_get_pkix (), "PKIX1.UserNotice", &c2); - if (ret != ASN1_SUCCESS) - { - gnutls_assert (); - ret = GNUTLS_E_PARSING_ERROR; - goto cleanup; - } - - ret = asn1_der_decoding (&c2, data, size, NULL); - if (ret != ASN1_SUCCESS) - { - gnutls_assert (); - ret = GNUTLS_E_PARSING_ERROR; - goto cleanup; - } - - len = sizeof(choice_type); - ret = asn1_read_value(c2, "explicitText", choice_type, &len); - if (ret != ASN1_SUCCESS) - { - gnutls_assert (); - ret = GNUTLS_E_PARSING_ERROR; - goto cleanup; - } - - if (strcmp(choice_type, "utf8String") != 0 && strcmp(choice_type, "IA5String") != 0 && - strcmp(choice_type, "bmpString") != 0 && strcmp(choice_type, "visibleString") != 0) - { - gnutls_assert(); - ret = GNUTLS_E_PARSING_ERROR; - goto cleanup; - } - - snprintf (name, sizeof (name), "explicitText.%s", choice_type); - - ret = _gnutls_x509_read_value(c2, name, &td); - if (ret < 0) - { - gnutls_assert (); - goto cleanup; - } - - if (strcmp(choice_type, "bmpString") == 0) - { /* convert to UTF-8 */ - ret = _gnutls_ucs2_to_utf8(td.data, td.size, &utd); - _gnutls_free_datum(&td); - if (ret < 0) - { - gnutls_assert(); - goto cleanup; - } - - td.data = utd.data; - td.size = utd.size; - } - else - { - /* _gnutls_x509_read_value allows that */ - td.data[td.size] = 0; - } - - txt->data = (void*)td.data; - txt->size = td.size; - ret = 0; - -cleanup: - asn1_delete_structure (&c2); - return ret; +void gnutls_x509_policy_release(struct gnutls_x509_policy_st *policy) +{ + unsigned i; + + gnutls_free(policy->oid); + for (i = 0; i < policy->qualifiers; i++) + gnutls_free(policy->qualifier[i].data); +} + +static int decode_user_notice(const void *data, size_t size, + gnutls_datum_t * txt) +{ + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + int ret, len; + char choice_type[64]; + char name[128]; + gnutls_datum_t td, utd; + + ret = asn1_create_element + (_gnutls_get_pkix(), "PKIX1.UserNotice", &c2); + if (ret != ASN1_SUCCESS) { + gnutls_assert(); + ret = GNUTLS_E_PARSING_ERROR; + goto cleanup; + } + + ret = asn1_der_decoding(&c2, data, size, NULL); + if (ret != ASN1_SUCCESS) { + gnutls_assert(); + ret = GNUTLS_E_PARSING_ERROR; + goto cleanup; + } + + len = sizeof(choice_type); + ret = asn1_read_value(c2, "explicitText", choice_type, &len); + if (ret != ASN1_SUCCESS) { + gnutls_assert(); + ret = GNUTLS_E_PARSING_ERROR; + goto cleanup; + } + + if (strcmp(choice_type, "utf8String") != 0 + && strcmp(choice_type, "IA5String") != 0 + && strcmp(choice_type, "bmpString") != 0 + && strcmp(choice_type, "visibleString") != 0) { + gnutls_assert(); + ret = GNUTLS_E_PARSING_ERROR; + goto cleanup; + } + + snprintf(name, sizeof(name), "explicitText.%s", choice_type); + + ret = _gnutls_x509_read_value(c2, name, &td); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + + if (strcmp(choice_type, "bmpString") == 0) { /* convert to UTF-8 */ + ret = _gnutls_ucs2_to_utf8(td.data, td.size, &utd); + _gnutls_free_datum(&td); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + + td.data = utd.data; + td.size = utd.size; + } else { + /* _gnutls_x509_read_value allows that */ + td.data[td.size] = 0; + } + + txt->data = (void *) td.data; + txt->size = td.size; + ret = 0; + + cleanup: + asn1_delete_structure(&c2); + return ret; } @@ -1953,153 +1889,149 @@ cleanup: * Since: 3.1.5 **/ int -gnutls_x509_crt_get_policy (gnutls_x509_crt_t crt, int indx, - struct gnutls_x509_policy_st* policy, - unsigned int *critical) -{ - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - char tmpstr[128]; - char tmpoid[MAX_OID_SIZE]; - gnutls_datum_t tmpd = {NULL, 0}; - int ret, len; - unsigned i; - - if (crt == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - memset(policy, 0, sizeof(*policy)); - - if ((ret = - _gnutls_x509_crt_get_extension (crt, "2.5.29.32", 0, &tmpd, - critical)) < 0) - { - return ret; - } - - if (tmpd.size == 0 || tmpd .data == NULL) - { - gnutls_assert (); - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - } - - ret = asn1_create_element - (_gnutls_get_pkix (), "PKIX1.certificatePolicies", &c2); - if (ret != ASN1_SUCCESS) - { - gnutls_assert (); - ret = _gnutls_asn2err (ret); - goto cleanup; - } - - ret = asn1_der_decoding (&c2, tmpd.data, tmpd.size, NULL); - if (ret != ASN1_SUCCESS) - { - gnutls_assert (); - ret = _gnutls_asn2err (ret); - goto cleanup; - } - _gnutls_free_datum (&tmpd); - - indx++; - /* create a string like "?1" - */ - snprintf (tmpstr, sizeof (tmpstr), "?%u.policyIdentifier", indx); - - ret = _gnutls_x509_read_value(c2, tmpstr, &tmpd); - - if (ret == GNUTLS_E_ASN1_ELEMENT_NOT_FOUND) - ret = GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - - if (ret < 0) - { - gnutls_assert(); - goto cleanup; - } - policy->oid = (void*)tmpd.data; - tmpd.data = NULL; - - for (i=0;i<GNUTLS_MAX_QUALIFIERS;i++) - { - gnutls_datum_t td; - - snprintf (tmpstr, sizeof (tmpstr), "?%u.policyQualifiers.?%u.policyQualifierId", indx, i+1); - - len = sizeof(tmpoid); - ret = asn1_read_value(c2, tmpstr, tmpoid, &len); - - if (ret == ASN1_ELEMENT_NOT_FOUND) - break; /* finished */ - - if (ret != ASN1_SUCCESS) - { - gnutls_assert(); - ret = _gnutls_asn2err (ret); - goto cleanup; - } - - if (strcmp(tmpoid, "1.3.6.1.5.5.7.2.1") == 0) - { - snprintf (tmpstr, sizeof (tmpstr), "?%u.policyQualifiers.?%u.qualifier", indx, i+1); - - ret = _gnutls_x509_read_string(c2, tmpstr, &td, ASN1_ETYPE_IA5_STRING); - if (ret < 0) - { - gnutls_assert(); - goto full_cleanup; - } - - policy->qualifier[i].data = (void*)td.data; - policy->qualifier[i].size = td.size; - td.data = NULL; - policy->qualifier[i].type = GNUTLS_X509_QUALIFIER_URI; - } - else if (strcmp(tmpoid, "1.3.6.1.5.5.7.2.2") == 0) - { - gnutls_datum_t txt; - - snprintf (tmpstr, sizeof (tmpstr), "?%u.policyQualifiers.?%u.qualifier", indx, i+1); - - ret = _gnutls_x509_read_value(c2, tmpstr, &td); - if (ret < 0) - { - gnutls_assert(); - goto full_cleanup; - } - - ret = decode_user_notice(td.data, td.size, &txt); - gnutls_free(td.data); - td.data = NULL; - - if (ret < 0) - { - gnutls_assert(); - goto full_cleanup; - } - - policy->qualifier[i].data = (void*)txt.data; - policy->qualifier[i].size = txt.size; - policy->qualifier[i].type = GNUTLS_X509_QUALIFIER_NOTICE; - } - else - policy->qualifier[i].type = GNUTLS_X509_QUALIFIER_UNKNOWN; - - policy->qualifiers++; - - } - - ret = 0; - goto cleanup; - -full_cleanup: - gnutls_x509_policy_release(policy); - -cleanup: - _gnutls_free_datum (&tmpd); - asn1_delete_structure (&c2); - return ret; +gnutls_x509_crt_get_policy(gnutls_x509_crt_t crt, int indx, + struct gnutls_x509_policy_st *policy, + unsigned int *critical) +{ + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + char tmpstr[128]; + char tmpoid[MAX_OID_SIZE]; + gnutls_datum_t tmpd = { NULL, 0 }; + int ret, len; + unsigned i; + + if (crt == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + memset(policy, 0, sizeof(*policy)); + + if ((ret = + _gnutls_x509_crt_get_extension(crt, "2.5.29.32", 0, &tmpd, + critical)) < 0) { + return ret; + } + + if (tmpd.size == 0 || tmpd.data == NULL) { + gnutls_assert(); + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + } + + ret = asn1_create_element + (_gnutls_get_pkix(), "PKIX1.certificatePolicies", &c2); + if (ret != ASN1_SUCCESS) { + gnutls_assert(); + ret = _gnutls_asn2err(ret); + goto cleanup; + } + + ret = asn1_der_decoding(&c2, tmpd.data, tmpd.size, NULL); + if (ret != ASN1_SUCCESS) { + gnutls_assert(); + ret = _gnutls_asn2err(ret); + goto cleanup; + } + _gnutls_free_datum(&tmpd); + + indx++; + /* create a string like "?1" + */ + snprintf(tmpstr, sizeof(tmpstr), "?%u.policyIdentifier", indx); + + ret = _gnutls_x509_read_value(c2, tmpstr, &tmpd); + + if (ret == GNUTLS_E_ASN1_ELEMENT_NOT_FOUND) + ret = GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + policy->oid = (void *) tmpd.data; + tmpd.data = NULL; + + for (i = 0; i < GNUTLS_MAX_QUALIFIERS; i++) { + gnutls_datum_t td; + + snprintf(tmpstr, sizeof(tmpstr), + "?%u.policyQualifiers.?%u.policyQualifierId", + indx, i + 1); + + len = sizeof(tmpoid); + ret = asn1_read_value(c2, tmpstr, tmpoid, &len); + + if (ret == ASN1_ELEMENT_NOT_FOUND) + break; /* finished */ + + if (ret != ASN1_SUCCESS) { + gnutls_assert(); + ret = _gnutls_asn2err(ret); + goto cleanup; + } + + if (strcmp(tmpoid, "1.3.6.1.5.5.7.2.1") == 0) { + snprintf(tmpstr, sizeof(tmpstr), + "?%u.policyQualifiers.?%u.qualifier", + indx, i + 1); + + ret = + _gnutls_x509_read_string(c2, tmpstr, &td, + ASN1_ETYPE_IA5_STRING); + if (ret < 0) { + gnutls_assert(); + goto full_cleanup; + } + + policy->qualifier[i].data = (void *) td.data; + policy->qualifier[i].size = td.size; + td.data = NULL; + policy->qualifier[i].type = + GNUTLS_X509_QUALIFIER_URI; + } else if (strcmp(tmpoid, "1.3.6.1.5.5.7.2.2") == 0) { + gnutls_datum_t txt; + + snprintf(tmpstr, sizeof(tmpstr), + "?%u.policyQualifiers.?%u.qualifier", + indx, i + 1); + + ret = _gnutls_x509_read_value(c2, tmpstr, &td); + if (ret < 0) { + gnutls_assert(); + goto full_cleanup; + } + + ret = decode_user_notice(td.data, td.size, &txt); + gnutls_free(td.data); + td.data = NULL; + + if (ret < 0) { + gnutls_assert(); + goto full_cleanup; + } + + policy->qualifier[i].data = (void *) txt.data; + policy->qualifier[i].size = txt.size; + policy->qualifier[i].type = + GNUTLS_X509_QUALIFIER_NOTICE; + } else + policy->qualifier[i].type = + GNUTLS_X509_QUALIFIER_UNKNOWN; + + policy->qualifiers++; + + } + + ret = 0; + goto cleanup; + + full_cleanup: + gnutls_x509_policy_release(policy); + + cleanup: + _gnutls_free_datum(&tmpd); + asn1_delete_structure(&c2); + return ret; } @@ -2122,49 +2054,45 @@ cleanup: * GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned. **/ int -gnutls_x509_crt_get_extension_by_oid (gnutls_x509_crt_t cert, - const char *oid, int indx, - void *buf, size_t * buf_size, - unsigned int *critical) +gnutls_x509_crt_get_extension_by_oid(gnutls_x509_crt_t cert, + const char *oid, int indx, + void *buf, size_t * buf_size, + unsigned int *critical) { - int result; - gnutls_datum_t output; + int result; + gnutls_datum_t output; - if (cert == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - if ((result = - _gnutls_x509_crt_get_extension (cert, oid, indx, &output, - critical)) < 0) - { - gnutls_assert (); - return result; - } + if ((result = + _gnutls_x509_crt_get_extension(cert, oid, indx, &output, + critical)) < 0) { + gnutls_assert(); + return result; + } - if (output.size == 0 || output.data == NULL) - { - gnutls_assert (); - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - } + if (output.size == 0 || output.data == NULL) { + gnutls_assert(); + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + } - if (output.size > (unsigned int) *buf_size) - { - *buf_size = output.size; - _gnutls_free_datum (&output); - return GNUTLS_E_SHORT_MEMORY_BUFFER; - } + if (output.size > (unsigned int) *buf_size) { + *buf_size = output.size; + _gnutls_free_datum(&output); + return GNUTLS_E_SHORT_MEMORY_BUFFER; + } - *buf_size = output.size; + *buf_size = output.size; - if (buf) - memcpy (buf, output.data, output.size); + if (buf) + memcpy(buf, output.data, output.size); - _gnutls_free_datum (&output); + _gnutls_free_datum(&output); - return 0; + return 0; } @@ -2187,24 +2115,23 @@ gnutls_x509_crt_get_extension_by_oid (gnutls_x509_crt_t cert, * will be returned. **/ int -gnutls_x509_crt_get_extension_oid (gnutls_x509_crt_t cert, int indx, - void *oid, size_t * oid_size) +gnutls_x509_crt_get_extension_oid(gnutls_x509_crt_t cert, int indx, + void *oid, size_t * oid_size) { - int result; + int result; - if (cert == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - result = _gnutls_x509_crt_get_extension_oid (cert, indx, oid, oid_size); - if (result < 0) - { - return result; - } + result = + _gnutls_x509_crt_get_extension_oid(cert, indx, oid, oid_size); + if (result < 0) { + return result; + } - return 0; + return 0; } @@ -2233,55 +2160,51 @@ gnutls_x509_crt_get_extension_oid (gnutls_x509_crt_t cert, int indx, * will be returned. **/ int -gnutls_x509_crt_get_extension_info (gnutls_x509_crt_t cert, int indx, - void *oid, size_t * oid_size, - unsigned int *critical) -{ - int result; - char str_critical[10]; - char name[ASN1_MAX_NAME_SIZE]; - int len; - - if (!cert) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - snprintf (name, sizeof (name), "tbsCertificate.extensions.?%u.extnID", - indx + 1); - - len = *oid_size; - result = asn1_read_value (cert->cert, name, oid, &len); - *oid_size = len; - - if (result == ASN1_ELEMENT_NOT_FOUND) - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - else if (result != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - snprintf (name, sizeof (name), "tbsCertificate.extensions.?%u.critical", - indx + 1); - len = sizeof (str_critical); - result = asn1_read_value (cert->cert, name, str_critical, &len); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - if (critical) - { - if (str_critical[0] == 'T') - *critical = 1; - else - *critical = 0; - } - - return 0; +gnutls_x509_crt_get_extension_info(gnutls_x509_crt_t cert, int indx, + void *oid, size_t * oid_size, + unsigned int *critical) +{ + int result; + char str_critical[10]; + char name[ASN1_MAX_NAME_SIZE]; + int len; + + if (!cert) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + snprintf(name, sizeof(name), + "tbsCertificate.extensions.?%u.extnID", indx + 1); + + len = *oid_size; + result = asn1_read_value(cert->cert, name, oid, &len); + *oid_size = len; + + if (result == ASN1_ELEMENT_NOT_FOUND) + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + else if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + snprintf(name, sizeof(name), + "tbsCertificate.extensions.?%u.critical", indx + 1); + len = sizeof(str_critical); + result = asn1_read_value(cert->cert, name, str_critical, &len); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + if (critical) { + if (str_critical[0] == 'T') + *critical = 1; + else + *critical = 0; + } + + return 0; } @@ -2307,34 +2230,32 @@ gnutls_x509_crt_get_extension_info (gnutls_x509_crt_t cert, int indx, * will be returned. **/ int -gnutls_x509_crt_get_extension_data (gnutls_x509_crt_t cert, int indx, - void *data, size_t * sizeof_data) +gnutls_x509_crt_get_extension_data(gnutls_x509_crt_t cert, int indx, + void *data, size_t * sizeof_data) { - int result, len; - char name[ASN1_MAX_NAME_SIZE]; + int result, len; + char name[ASN1_MAX_NAME_SIZE]; - if (!cert) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } + if (!cert) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - snprintf (name, sizeof (name), "tbsCertificate.extensions.?%u.extnValue", - indx + 1); + snprintf(name, sizeof(name), + "tbsCertificate.extensions.?%u.extnValue", indx + 1); - len = *sizeof_data; - result = asn1_read_value (cert->cert, name, data, &len); - *sizeof_data = len; + len = *sizeof_data; + result = asn1_read_value(cert->cert, name, data, &len); + *sizeof_data = len; - if (result == ASN1_ELEMENT_NOT_FOUND) - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - else if (result < 0) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } + if (result == ASN1_ELEMENT_NOT_FOUND) + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + else if (result < 0) { + gnutls_assert(); + return _gnutls_asn2err(result); + } - return 0; + return 0; } /** @@ -2350,10 +2271,11 @@ gnutls_x509_crt_get_extension_data (gnutls_x509_crt_t cert, int indx, * **/ int -gnutls_x509_crt_get_raw_issuer_dn (gnutls_x509_crt_t cert, - gnutls_datum_t * dn) +gnutls_x509_crt_get_raw_issuer_dn(gnutls_x509_crt_t cert, + gnutls_datum_t * dn) { - return _gnutls_set_datum (dn, cert->raw_issuer_dn.data, cert->raw_issuer_dn.size); + return _gnutls_set_datum(dn, cert->raw_issuer_dn.data, + cert->raw_issuer_dn.size); } /** @@ -2368,19 +2290,18 @@ gnutls_x509_crt_get_raw_issuer_dn (gnutls_x509_crt_t cert, * negative error value. or a negative error code on error. * **/ -int -gnutls_x509_crt_get_raw_dn (gnutls_x509_crt_t cert, gnutls_datum_t * dn) +int gnutls_x509_crt_get_raw_dn(gnutls_x509_crt_t cert, gnutls_datum_t * dn) { - return _gnutls_set_datum (dn, cert->raw_dn.data, cert->raw_dn.size); + return _gnutls_set_datum(dn, cert->raw_dn.data, cert->raw_dn.size); } static int -get_dn (gnutls_x509_crt_t cert, const char *whom, gnutls_x509_dn_t * dn) +get_dn(gnutls_x509_crt_t cert, const char *whom, gnutls_x509_dn_t * dn) { - *dn = asn1_find_node (cert->cert, whom); - if (!*dn) - return GNUTLS_E_ASN1_ELEMENT_NOT_FOUND; - return 0; + *dn = asn1_find_node(cert->cert, whom); + if (!*dn) + return GNUTLS_E_ASN1_ELEMENT_NOT_FOUND; + return 0; } /** @@ -2398,9 +2319,9 @@ get_dn (gnutls_x509_crt_t cert, const char *whom, gnutls_x509_dn_t * dn) * Returns: Returns 0 on success, or an error code. **/ int -gnutls_x509_crt_get_subject (gnutls_x509_crt_t cert, gnutls_x509_dn_t * dn) +gnutls_x509_crt_get_subject(gnutls_x509_crt_t cert, gnutls_x509_dn_t * dn) { - return get_dn (cert, "tbsCertificate.subject.rdnSequence", dn); + return get_dn(cert, "tbsCertificate.subject.rdnSequence", dn); } /** @@ -2418,9 +2339,9 @@ gnutls_x509_crt_get_subject (gnutls_x509_crt_t cert, gnutls_x509_dn_t * dn) * Returns: Returns 0 on success, or an error code. **/ int -gnutls_x509_crt_get_issuer (gnutls_x509_crt_t cert, gnutls_x509_dn_t * dn) +gnutls_x509_crt_get_issuer(gnutls_x509_crt_t cert, gnutls_x509_dn_t * dn) { - return get_dn (cert, "tbsCertificate.issuer.rdnSequence", dn); + return get_dn(cert, "tbsCertificate.issuer.rdnSequence", dn); } /** @@ -2452,99 +2373,92 @@ gnutls_x509_crt_get_issuer (gnutls_x509_crt_t cert, gnutls_x509_dn_t * dn) * Returns: Returns 0 on success, or an error code. **/ int -gnutls_x509_dn_get_rdn_ava (gnutls_x509_dn_t dn, - int irdn, int iava, gnutls_x509_ava_st * ava) -{ - ASN1_TYPE rdn, elem; - ASN1_DATA_NODE vnode; - long len; - int lenlen, remlen, ret; - char rbuf[ASN1_MAX_NAME_SIZE]; - unsigned char cls; - const unsigned char *ptr; - - iava++; - irdn++; /* 0->1, 1->2 etc */ - - snprintf (rbuf, sizeof (rbuf), "rdnSequence.?%d.?%d", irdn, iava); - rdn = asn1_find_node (dn, rbuf); - if (!rdn) - { - gnutls_assert (); - return GNUTLS_E_ASN1_ELEMENT_NOT_FOUND; - } - - snprintf (rbuf, sizeof (rbuf), "?%d.type", iava); - elem = asn1_find_node (rdn, rbuf); - if (!elem) - { - gnutls_assert (); - return GNUTLS_E_ASN1_ELEMENT_NOT_FOUND; - } - - ret = asn1_read_node_value(elem, &vnode); - if (ret != ASN1_SUCCESS) - { - gnutls_assert (); - return GNUTLS_E_ASN1_ELEMENT_NOT_FOUND; - } - - ava->oid.data = (void*)vnode.value; - ava->oid.size = vnode.value_len; - - snprintf (rbuf, sizeof (rbuf), "?%d.value", iava); - elem = asn1_find_node (rdn, rbuf); - if (!elem) - { - gnutls_assert (); - return GNUTLS_E_ASN1_ELEMENT_NOT_FOUND; - } - - ret = asn1_read_node_value(elem, &vnode); - if (ret != ASN1_SUCCESS) - { - gnutls_assert (); - return GNUTLS_E_ASN1_ELEMENT_NOT_FOUND; - } - /* The value still has the previous tag's length bytes, plus the - * current value's tag and length bytes. Decode them. - */ - - ptr = vnode.value; - remlen = vnode.value_len; - len = asn1_get_length_der (ptr, remlen, &lenlen); - if (len < 0) - { - gnutls_assert (); - return GNUTLS_E_ASN1_DER_ERROR; - } - - ptr += lenlen; - remlen -= lenlen; - ret = asn1_get_tag_der (ptr, remlen, &cls, &lenlen, &ava->value_tag); - if (ret) - { - gnutls_assert (); - return _gnutls_asn2err (ret); - } - - ptr += lenlen; - remlen -= lenlen; - - { - signed long tmp; - - tmp = asn1_get_length_der (ptr, remlen, &lenlen); - if (tmp < 0) - { - gnutls_assert (); - return GNUTLS_E_ASN1_DER_ERROR; - } - ava->value.size = tmp; - } - ava->value.data = (void*)(ptr + lenlen); - - return 0; +gnutls_x509_dn_get_rdn_ava(gnutls_x509_dn_t dn, + int irdn, int iava, gnutls_x509_ava_st * ava) +{ + ASN1_TYPE rdn, elem; + ASN1_DATA_NODE vnode; + long len; + int lenlen, remlen, ret; + char rbuf[ASN1_MAX_NAME_SIZE]; + unsigned char cls; + const unsigned char *ptr; + + iava++; + irdn++; /* 0->1, 1->2 etc */ + + snprintf(rbuf, sizeof(rbuf), "rdnSequence.?%d.?%d", irdn, iava); + rdn = asn1_find_node(dn, rbuf); + if (!rdn) { + gnutls_assert(); + return GNUTLS_E_ASN1_ELEMENT_NOT_FOUND; + } + + snprintf(rbuf, sizeof(rbuf), "?%d.type", iava); + elem = asn1_find_node(rdn, rbuf); + if (!elem) { + gnutls_assert(); + return GNUTLS_E_ASN1_ELEMENT_NOT_FOUND; + } + + ret = asn1_read_node_value(elem, &vnode); + if (ret != ASN1_SUCCESS) { + gnutls_assert(); + return GNUTLS_E_ASN1_ELEMENT_NOT_FOUND; + } + + ava->oid.data = (void *) vnode.value; + ava->oid.size = vnode.value_len; + + snprintf(rbuf, sizeof(rbuf), "?%d.value", iava); + elem = asn1_find_node(rdn, rbuf); + if (!elem) { + gnutls_assert(); + return GNUTLS_E_ASN1_ELEMENT_NOT_FOUND; + } + + ret = asn1_read_node_value(elem, &vnode); + if (ret != ASN1_SUCCESS) { + gnutls_assert(); + return GNUTLS_E_ASN1_ELEMENT_NOT_FOUND; + } + /* The value still has the previous tag's length bytes, plus the + * current value's tag and length bytes. Decode them. + */ + + ptr = vnode.value; + remlen = vnode.value_len; + len = asn1_get_length_der(ptr, remlen, &lenlen); + if (len < 0) { + gnutls_assert(); + return GNUTLS_E_ASN1_DER_ERROR; + } + + ptr += lenlen; + remlen -= lenlen; + ret = + asn1_get_tag_der(ptr, remlen, &cls, &lenlen, &ava->value_tag); + if (ret) { + gnutls_assert(); + return _gnutls_asn2err(ret); + } + + ptr += lenlen; + remlen -= lenlen; + + { + signed long tmp; + + tmp = asn1_get_length_der(ptr, remlen, &lenlen); + if (tmp < 0) { + gnutls_assert(); + return GNUTLS_E_ASN1_DER_ERROR; + } + ava->value.size = tmp; + } + ava->value.data = (void *) (ptr + lenlen); + + return 0; } /** @@ -2564,46 +2478,45 @@ gnutls_x509_dn_get_rdn_ava (gnutls_x509_dn_t dn, * with the required size. On success 0 is returned. **/ int -gnutls_x509_crt_get_fingerprint (gnutls_x509_crt_t cert, - gnutls_digest_algorithm_t algo, - void *buf, size_t * buf_size) +gnutls_x509_crt_get_fingerprint(gnutls_x509_crt_t cert, + gnutls_digest_algorithm_t algo, + void *buf, size_t * buf_size) { - uint8_t *cert_buf; - int cert_buf_size; - int result; - gnutls_datum_t tmp; + uint8_t *cert_buf; + int cert_buf_size; + int result; + gnutls_datum_t tmp; - if (buf_size == 0 || cert == NULL) - { - return GNUTLS_E_INVALID_REQUEST; - } + if (buf_size == 0 || cert == NULL) { + return GNUTLS_E_INVALID_REQUEST; + } - cert_buf_size = 0; - asn1_der_coding (cert->cert, "", NULL, &cert_buf_size, NULL); + cert_buf_size = 0; + asn1_der_coding(cert->cert, "", NULL, &cert_buf_size, NULL); - cert_buf = gnutls_malloc (cert_buf_size); - if (cert_buf == NULL) - { - gnutls_assert (); - return GNUTLS_E_MEMORY_ERROR; - } + cert_buf = gnutls_malloc(cert_buf_size); + if (cert_buf == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } - result = asn1_der_coding (cert->cert, "", cert_buf, &cert_buf_size, NULL); + result = + asn1_der_coding(cert->cert, "", cert_buf, &cert_buf_size, + NULL); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - gnutls_free (cert_buf); - return _gnutls_asn2err (result); - } + if (result != ASN1_SUCCESS) { + gnutls_assert(); + gnutls_free(cert_buf); + return _gnutls_asn2err(result); + } - tmp.data = cert_buf; - tmp.size = cert_buf_size; + tmp.data = cert_buf; + tmp.size = cert_buf_size; - result = gnutls_fingerprint (algo, &tmp, buf, buf_size); - gnutls_free (cert_buf); + result = gnutls_fingerprint(algo, &tmp, buf, buf_size); + gnutls_free(cert_buf); - return result; + return result; } /** @@ -2627,18 +2540,17 @@ gnutls_x509_crt_get_fingerprint (gnutls_x509_crt_t cert, * returned, and 0 on success. **/ int -gnutls_x509_crt_export (gnutls_x509_crt_t cert, - gnutls_x509_crt_fmt_t format, void *output_data, - size_t * output_data_size) +gnutls_x509_crt_export(gnutls_x509_crt_t cert, + gnutls_x509_crt_fmt_t format, void *output_data, + size_t * output_data_size) { - if (cert == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - return _gnutls_x509_export_int (cert->cert, format, "CERTIFICATE", - output_data, output_data_size); + return _gnutls_x509_export_int(cert->cert, format, "CERTIFICATE", + output_data, output_data_size); } /** @@ -2659,53 +2571,51 @@ gnutls_x509_crt_export (gnutls_x509_crt_t cert, * Since: 3.1.3 **/ int -gnutls_x509_crt_export2 (gnutls_x509_crt_t cert, - gnutls_x509_crt_fmt_t format, gnutls_datum_t * out) +gnutls_x509_crt_export2(gnutls_x509_crt_t cert, + gnutls_x509_crt_fmt_t format, gnutls_datum_t * out) { - if (cert == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - return _gnutls_x509_export_int2 (cert->cert, format, "CERTIFICATE", out); + return _gnutls_x509_export_int2(cert->cert, format, "CERTIFICATE", + out); } int -_gnutls_get_key_id (gnutls_pk_algorithm_t pk, gnutls_pk_params_st * params, - unsigned char *output_data, - size_t * output_data_size) +_gnutls_get_key_id(gnutls_pk_algorithm_t pk, gnutls_pk_params_st * params, + unsigned char *output_data, size_t * output_data_size) { - int ret = 0; - gnutls_datum_t der = { NULL, 0 }; - const gnutls_digest_algorithm_t hash = GNUTLS_DIG_SHA1; - unsigned int digest_len = _gnutls_hash_get_algo_len(mac_to_entry(hash)); + int ret = 0; + gnutls_datum_t der = { NULL, 0 }; + const gnutls_digest_algorithm_t hash = GNUTLS_DIG_SHA1; + unsigned int digest_len = + _gnutls_hash_get_algo_len(mac_to_entry(hash)); - if (output_data == NULL || *output_data_size < digest_len) - { - gnutls_assert (); - *output_data_size = digest_len; - return GNUTLS_E_SHORT_MEMORY_BUFFER; - } + if (output_data == NULL || *output_data_size < digest_len) { + gnutls_assert(); + *output_data_size = digest_len; + return GNUTLS_E_SHORT_MEMORY_BUFFER; + } - ret = _gnutls_x509_encode_PKI_params(&der, pk, params); - if (ret < 0) - return gnutls_assert_val(ret); + ret = _gnutls_x509_encode_PKI_params(&der, pk, params); + if (ret < 0) + return gnutls_assert_val(ret); - ret = _gnutls_hash_fast(hash, der.data, der.size, output_data); - if (ret < 0) - { - gnutls_assert (); - goto cleanup; - } - *output_data_size = digest_len; + ret = _gnutls_hash_fast(hash, der.data, der.size, output_data); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + *output_data_size = digest_len; - ret = 0; + ret = 0; -cleanup: + cleanup: - _gnutls_free_datum (&der); - return ret; + _gnutls_free_datum(&der); + return ret; } /** @@ -2729,132 +2639,133 @@ cleanup: * returned, and 0 on success. **/ int -gnutls_x509_crt_get_key_id (gnutls_x509_crt_t crt, unsigned int flags, - unsigned char *output_data, - size_t * output_data_size) +gnutls_x509_crt_get_key_id(gnutls_x509_crt_t crt, unsigned int flags, + unsigned char *output_data, + size_t * output_data_size) { - int pk, ret = 0; - gnutls_pk_params_st params; + int pk, ret = 0; + gnutls_pk_params_st params; + + if (crt == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - if (crt == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } + pk = gnutls_x509_crt_get_pk_algorithm(crt, NULL); + if (pk < 0) { + gnutls_assert(); + return pk; + } - pk = gnutls_x509_crt_get_pk_algorithm (crt, NULL); - if (pk < 0) - { - gnutls_assert (); - return pk; - } + ret = _gnutls_x509_crt_get_mpis(crt, ¶ms); + if (ret < 0) { + gnutls_assert(); + return ret; + } - ret = _gnutls_x509_crt_get_mpis (crt, ¶ms); - if (ret < 0) - { - gnutls_assert (); - return ret; - } - - ret = _gnutls_get_key_id(pk, ¶ms, output_data, output_data_size); + ret = + _gnutls_get_key_id(pk, ¶ms, output_data, output_data_size); - gnutls_pk_params_release(¶ms); + gnutls_pk_params_release(¶ms); - return ret; + return ret; } static int -crl_issuer_matches (gnutls_x509_crl_t crl, gnutls_x509_crt_t cert) +crl_issuer_matches(gnutls_x509_crl_t crl, gnutls_x509_crt_t cert) { - if (_gnutls_x509_compare_raw_dn(&crl->raw_issuer_dn, &cert->raw_issuer_dn) != 0) - return 1; - else - return 0; + if (_gnutls_x509_compare_raw_dn + (&crl->raw_issuer_dn, &cert->raw_issuer_dn) != 0) + return 1; + else + return 0; } /* This is exactly as gnutls_x509_crt_check_revocation() except that * it calls func. */ int -_gnutls_x509_crt_check_revocation (gnutls_x509_crt_t cert, - const gnutls_x509_crl_t * crl_list, - int crl_list_length, - gnutls_verify_output_function func) -{ - uint8_t serial[128]; - uint8_t cert_serial[128]; - size_t serial_size, cert_serial_size; - int ncerts, ret, i, j; - - if (cert == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - for (j = 0; j < crl_list_length; j++) - { /* do for all the crls */ - - /* Step 1. check if issuer's DN match - */ - ret = crl_issuer_matches(crl_list[j], cert); - if (ret == 0) - { - /* issuers do not match so don't even - * bother checking. - */ - gnutls_assert(); - continue; - } - - /* Step 2. Read the certificate's serial number - */ - cert_serial_size = sizeof (cert_serial); - ret = gnutls_x509_crt_get_serial (cert, cert_serial, &cert_serial_size); - if (ret < 0) - { - gnutls_assert (); - return ret; - } - - /* Step 3. cycle through the CRL serials and compare with - * certificate serial we have. - */ - - ncerts = gnutls_x509_crl_get_crt_count (crl_list[j]); - if (ncerts < 0) - { - gnutls_assert (); - return ncerts; - } - - for (i = 0; i < ncerts; i++) - { - serial_size = sizeof (serial); - ret = - gnutls_x509_crl_get_crt_serial (crl_list[j], i, serial, - &serial_size, NULL); - - if (ret < 0) - { - gnutls_assert (); - return ret; - } - - if (serial_size == cert_serial_size) - { - if (memcmp (serial, cert_serial, serial_size) == 0) - { - /* serials match */ - if (func) func(cert, NULL, crl_list[j], GNUTLS_CERT_REVOKED|GNUTLS_CERT_INVALID); - return 1; /* revoked! */ - } - } - } - if (func) func(cert, NULL, crl_list[j], 0); - - } - return 0; /* not revoked. */ +_gnutls_x509_crt_check_revocation(gnutls_x509_crt_t cert, + const gnutls_x509_crl_t * crl_list, + int crl_list_length, + gnutls_verify_output_function func) +{ + uint8_t serial[128]; + uint8_t cert_serial[128]; + size_t serial_size, cert_serial_size; + int ncerts, ret, i, j; + + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + for (j = 0; j < crl_list_length; j++) { /* do for all the crls */ + + /* Step 1. check if issuer's DN match + */ + ret = crl_issuer_matches(crl_list[j], cert); + if (ret == 0) { + /* issuers do not match so don't even + * bother checking. + */ + gnutls_assert(); + continue; + } + + /* Step 2. Read the certificate's serial number + */ + cert_serial_size = sizeof(cert_serial); + ret = + gnutls_x509_crt_get_serial(cert, cert_serial, + &cert_serial_size); + if (ret < 0) { + gnutls_assert(); + return ret; + } + + /* Step 3. cycle through the CRL serials and compare with + * certificate serial we have. + */ + + ncerts = gnutls_x509_crl_get_crt_count(crl_list[j]); + if (ncerts < 0) { + gnutls_assert(); + return ncerts; + } + + for (i = 0; i < ncerts; i++) { + serial_size = sizeof(serial); + ret = + gnutls_x509_crl_get_crt_serial(crl_list[j], i, + serial, + &serial_size, + NULL); + + if (ret < 0) { + gnutls_assert(); + return ret; + } + + if (serial_size == cert_serial_size) { + if (memcmp + (serial, cert_serial, + serial_size) == 0) { + /* serials match */ + if (func) + func(cert, NULL, + crl_list[j], + GNUTLS_CERT_REVOKED | + GNUTLS_CERT_INVALID); + return 1; /* revoked! */ + } + } + } + if (func) + func(cert, NULL, crl_list[j], 0); + + } + return 0; /* not revoked. */ } @@ -2871,11 +2782,12 @@ _gnutls_x509_crt_check_revocation (gnutls_x509_crt_t cert, * negative error code is returned on error. **/ int -gnutls_x509_crt_check_revocation (gnutls_x509_crt_t cert, - const gnutls_x509_crl_t * crl_list, - int crl_list_length) +gnutls_x509_crt_check_revocation(gnutls_x509_crt_t cert, + const gnutls_x509_crl_t * crl_list, + int crl_list_length) { - return _gnutls_x509_crt_check_revocation(cert, crl_list, crl_list_length, NULL); + return _gnutls_x509_crt_check_revocation(cert, crl_list, + crl_list_length, NULL); } /** @@ -2895,36 +2807,33 @@ gnutls_x509_crt_check_revocation (gnutls_x509_crt_t cert, * Since: 2.8.0 **/ int -gnutls_x509_crt_get_verify_algorithm (gnutls_x509_crt_t crt, - const gnutls_datum_t * signature, - gnutls_digest_algorithm_t * hash) +gnutls_x509_crt_get_verify_algorithm(gnutls_x509_crt_t crt, + const gnutls_datum_t * signature, + gnutls_digest_algorithm_t * hash) { - gnutls_pk_params_st issuer_params; - int ret; + gnutls_pk_params_st issuer_params; + int ret; - if (crt == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } + if (crt == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - ret = _gnutls_x509_crt_get_mpis (crt, &issuer_params); - if (ret < 0) - { - gnutls_assert (); - return ret; - } + ret = _gnutls_x509_crt_get_mpis(crt, &issuer_params); + if (ret < 0) { + gnutls_assert(); + return ret; + } - ret = _gnutls_x509_verify_algorithm (hash, - signature, - gnutls_x509_crt_get_pk_algorithm (crt, - NULL), - &issuer_params); + ret = _gnutls_x509_verify_algorithm(hash, + signature, + gnutls_x509_crt_get_pk_algorithm + (crt, NULL), &issuer_params); - /* release allocated mpis */ - gnutls_pk_params_release(&issuer_params); + /* release allocated mpis */ + gnutls_pk_params_release(&issuer_params); - return ret; + return ret; } @@ -2947,35 +2856,33 @@ gnutls_x509_crt_get_verify_algorithm (gnutls_x509_crt_t crt, * Since: 2.12.0 **/ int -gnutls_x509_crt_get_preferred_hash_algorithm (gnutls_x509_crt_t crt, - gnutls_digest_algorithm_t * - hash, unsigned int *mand) +gnutls_x509_crt_get_preferred_hash_algorithm(gnutls_x509_crt_t crt, + gnutls_digest_algorithm_t * + hash, unsigned int *mand) { - gnutls_pk_params_st issuer_params; - int ret; + gnutls_pk_params_st issuer_params; + int ret; - if (crt == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } + if (crt == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - ret = _gnutls_x509_crt_get_mpis (crt, &issuer_params); - if (ret < 0) - { - gnutls_assert (); - return ret; - } + ret = _gnutls_x509_crt_get_mpis(crt, &issuer_params); + if (ret < 0) { + gnutls_assert(); + return ret; + } - ret = - _gnutls_pk_get_hash_algorithm (gnutls_x509_crt_get_pk_algorithm - (crt, NULL), &issuer_params, - hash, mand); + ret = + _gnutls_pk_get_hash_algorithm(gnutls_x509_crt_get_pk_algorithm + (crt, NULL), &issuer_params, + hash, mand); - /* release allocated mpis */ - gnutls_pk_params_release(&issuer_params); + /* release allocated mpis */ + gnutls_pk_params_release(&issuer_params); - return ret; + return ret; } /** @@ -2995,26 +2902,26 @@ gnutls_x509_crt_get_preferred_hash_algorithm (gnutls_x509_crt_t crt, * is returned, and zero or positive code on success. **/ int -gnutls_x509_crt_verify_data (gnutls_x509_crt_t crt, unsigned int flags, - const gnutls_datum_t * data, - const gnutls_datum_t * signature) +gnutls_x509_crt_verify_data(gnutls_x509_crt_t crt, unsigned int flags, + const gnutls_datum_t * data, + const gnutls_datum_t * signature) { - int result; + int result; - if (crt == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } + if (crt == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - result = _gnutls_x509_verify_data (GNUTLS_DIG_UNKNOWN, data, signature, crt); - if (result < 0) - { - gnutls_assert (); - return result; - } + result = + _gnutls_x509_verify_data(GNUTLS_DIG_UNKNOWN, data, signature, + crt); + if (result < 0) { + gnutls_assert(); + return result; + } - return result; + return result; } /** @@ -3034,48 +2941,44 @@ gnutls_x509_crt_verify_data (gnutls_x509_crt_t crt, unsigned int flags, * is returned, and zero or positive code on success. **/ int -gnutls_x509_crt_verify_hash (gnutls_x509_crt_t crt, unsigned int flags, - const gnutls_datum_t * hash, - const gnutls_datum_t * signature) -{ - gnutls_pk_params_st params; - gnutls_digest_algorithm_t algo; - int ret; - - if (crt == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - ret = gnutls_x509_crt_get_verify_algorithm (crt, signature, &algo); - if (ret < 0) - return gnutls_assert_val(ret); - - /* Read the MPI parameters from the issuer's certificate. - */ - ret = - _gnutls_x509_crt_get_mpis (crt, ¶ms); - if (ret < 0) - { - gnutls_assert (); - return ret; - } - - ret = - pubkey_verify_hashed_data (gnutls_x509_crt_get_pk_algorithm (crt, NULL), - mac_to_entry(algo), - hash, signature, ¶ms); - if (ret < 0) - { - gnutls_assert (); - } - - /* release all allocated MPIs - */ - gnutls_pk_params_release(¶ms); - - return ret; +gnutls_x509_crt_verify_hash(gnutls_x509_crt_t crt, unsigned int flags, + const gnutls_datum_t * hash, + const gnutls_datum_t * signature) +{ + gnutls_pk_params_st params; + gnutls_digest_algorithm_t algo; + int ret; + + if (crt == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + ret = gnutls_x509_crt_get_verify_algorithm(crt, signature, &algo); + if (ret < 0) + return gnutls_assert_val(ret); + + /* Read the MPI parameters from the issuer's certificate. + */ + ret = _gnutls_x509_crt_get_mpis(crt, ¶ms); + if (ret < 0) { + gnutls_assert(); + return ret; + } + + ret = + pubkey_verify_hashed_data(gnutls_x509_crt_get_pk_algorithm + (crt, NULL), mac_to_entry(algo), + hash, signature, ¶ms); + if (ret < 0) { + gnutls_assert(); + } + + /* release all allocated MPIs + */ + gnutls_pk_params_release(¶ms); + + return ret; } /** @@ -3100,106 +3003,104 @@ gnutls_x509_crt_verify_hash (gnutls_x509_crt_t crt, unsigned int flags, * returned. **/ int -gnutls_x509_crt_get_crl_dist_points (gnutls_x509_crt_t cert, - unsigned int seq, void *ret, - size_t * ret_size, - unsigned int *reason_flags, - unsigned int *critical) -{ - int result; - gnutls_datum_t dist_points = { NULL, 0 }; - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - char name[ASN1_MAX_NAME_SIZE]; - int len; - gnutls_x509_subject_alt_name_t type; - uint8_t reasons[2]; - - if (cert == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - if (*ret_size > 0 && ret) - memset (ret, 0, *ret_size); - else - *ret_size = 0; - - if (reason_flags) - *reason_flags = 0; - - result = - _gnutls_x509_crt_get_extension (cert, "2.5.29.31", 0, &dist_points, - critical); - if (result < 0) - { - return result; - } - - if (dist_points.size == 0 || dist_points.data == NULL) - { - gnutls_assert (); - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - } - - result = asn1_create_element - (_gnutls_get_pkix (), "PKIX1.CRLDistributionPoints", &c2); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - _gnutls_free_datum (&dist_points); - return _gnutls_asn2err (result); - } - - result = asn1_der_decoding (&c2, dist_points.data, dist_points.size, NULL); - _gnutls_free_datum (&dist_points); - - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - asn1_delete_structure (&c2); - return _gnutls_asn2err (result); - } - - /* Return the different names from the first CRLDistr. point. - * The whole thing is a mess. - */ - _gnutls_str_cpy (name, sizeof (name), "?1.distributionPoint.fullName"); - - result = _gnutls_parse_general_name (c2, name, seq, ret, ret_size, NULL, 0); - if (result < 0) - { - asn1_delete_structure (&c2); - return result; - } - - type = result; - - - /* Read the CRL reasons. - */ - if (reason_flags) - { - _gnutls_str_cpy (name, sizeof (name), "?1.reasons"); - - reasons[0] = reasons[1] = 0; - - len = sizeof (reasons); - result = asn1_read_value (c2, name, reasons, &len); - - if (result != ASN1_VALUE_NOT_FOUND && result != ASN1_SUCCESS) - { - gnutls_assert (); - asn1_delete_structure (&c2); - return _gnutls_asn2err (result); - } - - *reason_flags = reasons[0] | (reasons[1] << 8); - } - - asn1_delete_structure (&c2); - - return type; +gnutls_x509_crt_get_crl_dist_points(gnutls_x509_crt_t cert, + unsigned int seq, void *ret, + size_t * ret_size, + unsigned int *reason_flags, + unsigned int *critical) +{ + int result; + gnutls_datum_t dist_points = { NULL, 0 }; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + char name[ASN1_MAX_NAME_SIZE]; + int len; + gnutls_x509_subject_alt_name_t type; + uint8_t reasons[2]; + + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + if (*ret_size > 0 && ret) + memset(ret, 0, *ret_size); + else + *ret_size = 0; + + if (reason_flags) + *reason_flags = 0; + + result = + _gnutls_x509_crt_get_extension(cert, "2.5.29.31", 0, + &dist_points, critical); + if (result < 0) { + return result; + } + + if (dist_points.size == 0 || dist_points.data == NULL) { + gnutls_assert(); + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + } + + result = asn1_create_element + (_gnutls_get_pkix(), "PKIX1.CRLDistributionPoints", &c2); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + _gnutls_free_datum(&dist_points); + return _gnutls_asn2err(result); + } + + result = + asn1_der_decoding(&c2, dist_points.data, dist_points.size, + NULL); + _gnutls_free_datum(&dist_points); + + if (result != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(&c2); + return _gnutls_asn2err(result); + } + + /* Return the different names from the first CRLDistr. point. + * The whole thing is a mess. + */ + _gnutls_str_cpy(name, sizeof(name), + "?1.distributionPoint.fullName"); + + result = + _gnutls_parse_general_name(c2, name, seq, ret, ret_size, NULL, + 0); + if (result < 0) { + asn1_delete_structure(&c2); + return result; + } + + type = result; + + + /* Read the CRL reasons. + */ + if (reason_flags) { + _gnutls_str_cpy(name, sizeof(name), "?1.reasons"); + + reasons[0] = reasons[1] = 0; + + len = sizeof(reasons); + result = asn1_read_value(c2, name, reasons, &len); + + if (result != ASN1_VALUE_NOT_FOUND + && result != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(&c2); + return _gnutls_asn2err(result); + } + + *reason_flags = reasons[0] | (reasons[1] << 8); + } + + asn1_delete_structure(&c2); + + return type; } /** @@ -3224,81 +3125,75 @@ gnutls_x509_crt_get_crl_dist_points (gnutls_x509_crt_t cert, * with the required size. On success 0 is returned. **/ int -gnutls_x509_crt_get_key_purpose_oid (gnutls_x509_crt_t cert, - int indx, void *oid, size_t * oid_size, - unsigned int *critical) -{ - char tmpstr[ASN1_MAX_NAME_SIZE]; - int result, len; - gnutls_datum_t id; - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - - if (cert == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - if (oid) - memset (oid, 0, *oid_size); - else - *oid_size = 0; - - if ((result = - _gnutls_x509_crt_get_extension (cert, "2.5.29.37", 0, &id, - critical)) < 0) - { - return result; - } - - if (id.size == 0 || id.data == NULL) - { - gnutls_assert (); - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - } - - result = asn1_create_element - (_gnutls_get_pkix (), "PKIX1.ExtKeyUsageSyntax", &c2); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - _gnutls_free_datum (&id); - return _gnutls_asn2err (result); - } - - result = asn1_der_decoding (&c2, id.data, id.size, NULL); - _gnutls_free_datum (&id); - - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - asn1_delete_structure (&c2); - return _gnutls_asn2err (result); - } - - indx++; - /* create a string like "?1" - */ - snprintf (tmpstr, sizeof (tmpstr), "?%u", indx); - - len = *oid_size; - result = asn1_read_value (c2, tmpstr, oid, &len); - - *oid_size = len; - asn1_delete_structure (&c2); - - if (result == ASN1_VALUE_NOT_FOUND || result == ASN1_ELEMENT_NOT_FOUND) - { - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - } - - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - return 0; +gnutls_x509_crt_get_key_purpose_oid(gnutls_x509_crt_t cert, + int indx, void *oid, size_t * oid_size, + unsigned int *critical) +{ + char tmpstr[ASN1_MAX_NAME_SIZE]; + int result, len; + gnutls_datum_t id; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + if (oid) + memset(oid, 0, *oid_size); + else + *oid_size = 0; + + if ((result = + _gnutls_x509_crt_get_extension(cert, "2.5.29.37", 0, &id, + critical)) < 0) { + return result; + } + + if (id.size == 0 || id.data == NULL) { + gnutls_assert(); + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + } + + result = asn1_create_element + (_gnutls_get_pkix(), "PKIX1.ExtKeyUsageSyntax", &c2); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + _gnutls_free_datum(&id); + return _gnutls_asn2err(result); + } + + result = asn1_der_decoding(&c2, id.data, id.size, NULL); + _gnutls_free_datum(&id); + + if (result != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(&c2); + return _gnutls_asn2err(result); + } + + indx++; + /* create a string like "?1" + */ + snprintf(tmpstr, sizeof(tmpstr), "?%u", indx); + + len = *oid_size; + result = asn1_read_value(c2, tmpstr, oid, &len); + + *oid_size = len; + asn1_delete_structure(&c2); + + if (result == ASN1_VALUE_NOT_FOUND + || result == ASN1_ELEMENT_NOT_FOUND) { + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + } + + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + return 0; } @@ -3315,52 +3210,47 @@ gnutls_x509_crt_get_key_purpose_oid (gnutls_x509_crt_t cert, * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code. **/ int -gnutls_x509_crt_get_pk_rsa_raw (gnutls_x509_crt_t crt, - gnutls_datum_t * m, gnutls_datum_t * e) -{ - int ret; - gnutls_pk_params_st params; - - if (crt == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - ret = gnutls_x509_crt_get_pk_algorithm (crt, NULL); - if (ret != GNUTLS_PK_RSA) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - ret = _gnutls_x509_crt_get_mpis (crt, ¶ms); - if (ret < 0) - { - gnutls_assert (); - return ret; - } - - ret = _gnutls_mpi_dprint_lz (params.params[0], m); - if (ret < 0) - { - gnutls_assert (); - goto cleanup; - } - - ret = _gnutls_mpi_dprint_lz (params.params[1], e); - if (ret < 0) - { - gnutls_assert (); - _gnutls_free_datum (m); - goto cleanup; - } - - ret = 0; - -cleanup: - gnutls_pk_params_release(¶ms); - return ret; +gnutls_x509_crt_get_pk_rsa_raw(gnutls_x509_crt_t crt, + gnutls_datum_t * m, gnutls_datum_t * e) +{ + int ret; + gnutls_pk_params_st params; + + if (crt == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + ret = gnutls_x509_crt_get_pk_algorithm(crt, NULL); + if (ret != GNUTLS_PK_RSA) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + ret = _gnutls_x509_crt_get_mpis(crt, ¶ms); + if (ret < 0) { + gnutls_assert(); + return ret; + } + + ret = _gnutls_mpi_dprint_lz(params.params[0], m); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + + ret = _gnutls_mpi_dprint_lz(params.params[1], e); + if (ret < 0) { + gnutls_assert(); + _gnutls_free_datum(m); + goto cleanup; + } + + ret = 0; + + cleanup: + gnutls_pk_params_release(¶ms); + return ret; } /** @@ -3378,79 +3268,72 @@ cleanup: * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code. **/ int -gnutls_x509_crt_get_pk_dsa_raw (gnutls_x509_crt_t crt, - gnutls_datum_t * p, gnutls_datum_t * q, - gnutls_datum_t * g, gnutls_datum_t * y) -{ - int ret; - gnutls_pk_params_st params; - - if (crt == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - ret = gnutls_x509_crt_get_pk_algorithm (crt, NULL); - if (ret != GNUTLS_PK_DSA) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - ret = _gnutls_x509_crt_get_mpis (crt, ¶ms); - if (ret < 0) - { - gnutls_assert (); - return ret; - } - - - /* P */ - ret = _gnutls_mpi_dprint_lz (params.params[0], p); - if (ret < 0) - { - gnutls_assert (); - goto cleanup; - } - - /* Q */ - ret = _gnutls_mpi_dprint_lz (params.params[1], q); - if (ret < 0) - { - gnutls_assert (); - _gnutls_free_datum (p); - goto cleanup; - } - - - /* G */ - ret = _gnutls_mpi_dprint_lz (params.params[2], g); - if (ret < 0) - { - gnutls_assert (); - _gnutls_free_datum (p); - _gnutls_free_datum (q); - goto cleanup; - } - - - /* Y */ - ret = _gnutls_mpi_dprint_lz (params.params[3], y); - if (ret < 0) - { - gnutls_assert (); - _gnutls_free_datum (p); - _gnutls_free_datum (g); - _gnutls_free_datum (q); - goto cleanup; - } - - ret = 0; - -cleanup: - gnutls_pk_params_release(¶ms); - return ret; +gnutls_x509_crt_get_pk_dsa_raw(gnutls_x509_crt_t crt, + gnutls_datum_t * p, gnutls_datum_t * q, + gnutls_datum_t * g, gnutls_datum_t * y) +{ + int ret; + gnutls_pk_params_st params; + + if (crt == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + ret = gnutls_x509_crt_get_pk_algorithm(crt, NULL); + if (ret != GNUTLS_PK_DSA) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + ret = _gnutls_x509_crt_get_mpis(crt, ¶ms); + if (ret < 0) { + gnutls_assert(); + return ret; + } + + + /* P */ + ret = _gnutls_mpi_dprint_lz(params.params[0], p); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + + /* Q */ + ret = _gnutls_mpi_dprint_lz(params.params[1], q); + if (ret < 0) { + gnutls_assert(); + _gnutls_free_datum(p); + goto cleanup; + } + + + /* G */ + ret = _gnutls_mpi_dprint_lz(params.params[2], g); + if (ret < 0) { + gnutls_assert(); + _gnutls_free_datum(p); + _gnutls_free_datum(q); + goto cleanup; + } + + + /* Y */ + ret = _gnutls_mpi_dprint_lz(params.params[3], y); + if (ret < 0) { + gnutls_assert(); + _gnutls_free_datum(p); + _gnutls_free_datum(g); + _gnutls_free_datum(q); + goto cleanup; + } + + ret = 0; + + cleanup: + gnutls_pk_params_release(¶ms); + return ret; } @@ -3474,89 +3357,93 @@ cleanup: * Since: 3.0 **/ int -gnutls_x509_crt_list_import2 (gnutls_x509_crt_t ** certs, - unsigned int * size, - const gnutls_datum_t * data, - gnutls_x509_crt_fmt_t format, unsigned int flags) -{ -unsigned int init = 1024; -int ret; - - *certs = gnutls_malloc(sizeof(gnutls_x509_crt_t)*init); - if (*certs == NULL) - { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - ret = gnutls_x509_crt_list_import(*certs, &init, data, format, GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED); - if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER) - { - *certs = gnutls_realloc_fast(*certs, sizeof(gnutls_x509_crt_t)*init); - if (*certs == NULL) - { - gnutls_assert(); - return GNUTLS_E_MEMORY_ERROR; - } - - ret = gnutls_x509_crt_list_import(*certs, &init, data, format, flags); - } - - if (ret < 0) - { - gnutls_free(*certs); - *certs = NULL; - return ret; - } - - *size = init; - return 0; +gnutls_x509_crt_list_import2(gnutls_x509_crt_t ** certs, + unsigned int *size, + const gnutls_datum_t * data, + gnutls_x509_crt_fmt_t format, + unsigned int flags) +{ + unsigned int init = 1024; + int ret; + + *certs = gnutls_malloc(sizeof(gnutls_x509_crt_t) * init); + if (*certs == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + ret = + gnutls_x509_crt_list_import(*certs, &init, data, format, + GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED); + if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER) { + *certs = + gnutls_realloc_fast(*certs, + sizeof(gnutls_x509_crt_t) * init); + if (*certs == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + ret = + gnutls_x509_crt_list_import(*certs, &init, data, + format, flags); + } + + if (ret < 0) { + gnutls_free(*certs); + *certs = NULL; + return ret; + } + + *size = init; + return 0; } static int check_if_sorted(gnutls_x509_crt_t * crt, int nr) { -char prev_dn[MAX_DN]; -char dn[MAX_DN]; -size_t prev_dn_size, dn_size; -int i, ret; - - /* check if the X.509 list is ordered */ - if (nr > 1) - { - - for (i=0;i<nr;i++) - { - if (i>0) - { - dn_size = sizeof(dn); - ret = gnutls_x509_crt_get_dn(crt[i], dn, &dn_size); - if (ret < 0) - { - ret = gnutls_assert_val(ret); - goto cleanup; - } - - if (dn_size != prev_dn_size || memcmp(dn, prev_dn, dn_size) != 0) - { - ret = gnutls_assert_val(GNUTLS_E_CERTIFICATE_LIST_UNSORTED); - goto cleanup; - } - } - - prev_dn_size = sizeof(prev_dn); - ret = gnutls_x509_crt_get_issuer_dn(crt[i], prev_dn, &prev_dn_size); - if (ret < 0) - { - ret = gnutls_assert_val(ret); - goto cleanup; - } - } - } - - ret = 0; - -cleanup: - return ret; + char prev_dn[MAX_DN]; + char dn[MAX_DN]; + size_t prev_dn_size, dn_size; + int i, ret; + + /* check if the X.509 list is ordered */ + if (nr > 1) { + + for (i = 0; i < nr; i++) { + if (i > 0) { + dn_size = sizeof(dn); + ret = + gnutls_x509_crt_get_dn(crt[i], dn, + &dn_size); + if (ret < 0) { + ret = gnutls_assert_val(ret); + goto cleanup; + } + + if (dn_size != prev_dn_size + || memcmp(dn, prev_dn, dn_size) != 0) { + ret = + gnutls_assert_val + (GNUTLS_E_CERTIFICATE_LIST_UNSORTED); + goto cleanup; + } + } + + prev_dn_size = sizeof(prev_dn); + ret = + gnutls_x509_crt_get_issuer_dn(crt[i], prev_dn, + &prev_dn_size); + if (ret < 0) { + ret = gnutls_assert_val(ret); + goto cleanup; + } + } + } + + ret = 0; + + cleanup: + return ret; } @@ -3584,135 +3471,129 @@ cleanup: * Returns: the number of certificates read or a negative error value. **/ int -gnutls_x509_crt_list_import (gnutls_x509_crt_t * certs, - unsigned int *cert_max, - const gnutls_datum_t * data, - gnutls_x509_crt_fmt_t format, unsigned int flags) -{ - int size; - const char *ptr; - gnutls_datum_t tmp; - int ret, nocopy = 0; - unsigned int count = 0, j; - - if (format == GNUTLS_X509_FMT_DER) - { - if (*cert_max < 1) - { - *cert_max = 1; - return GNUTLS_E_SHORT_MEMORY_BUFFER; - } - - count = 1; /* import only the first one */ - - ret = gnutls_x509_crt_init (&certs[0]); - if (ret < 0) - { - gnutls_assert (); - goto error; - } - - ret = gnutls_x509_crt_import (certs[0], data, format); - if (ret < 0) - { - gnutls_assert (); - goto error; - } - - *cert_max = 1; - return 1; - } - - /* move to the certificate - */ - ptr = memmem (data->data, data->size, - PEM_CERT_SEP, sizeof (PEM_CERT_SEP) - 1); - if (ptr == NULL) - ptr = memmem (data->data, data->size, - PEM_CERT_SEP2, sizeof (PEM_CERT_SEP2) - 1); - - if (ptr == NULL) - return gnutls_assert_val(GNUTLS_E_NO_CERTIFICATE_FOUND); - - count = 0; - - do - { - if (count >= *cert_max) - { - if (!(flags & GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED)) - break; - else - nocopy = 1; - } - - if (!nocopy) - { - ret = gnutls_x509_crt_init (&certs[count]); - if (ret < 0) - { - gnutls_assert (); - goto error; - } - - tmp.data = (void *) ptr; - tmp.size = data->size - (ptr - (char *) data->data); - - ret = - gnutls_x509_crt_import (certs[count], &tmp, GNUTLS_X509_FMT_PEM); - if (ret < 0) - { - gnutls_assert (); - goto error; - } - } - - /* now we move ptr after the pem header - */ - ptr++; - /* find the next certificate (if any) - */ - size = data->size - (ptr - (char *) data->data); - - if (size > 0) - { - char *ptr2; - - ptr2 = memmem (ptr, size, PEM_CERT_SEP, sizeof (PEM_CERT_SEP) - 1); - if (ptr2 == NULL) - ptr2 = memmem (ptr, size, PEM_CERT_SEP2, - sizeof (PEM_CERT_SEP2) - 1); - - ptr = ptr2; - } - else - ptr = NULL; - - count++; - } - while (ptr != NULL); - - *cert_max = count; - - if (flags & GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED) - { - ret = check_if_sorted(certs, *cert_max); - if (ret < 0) - { - gnutls_assert(); - goto error; - } - } - - if (nocopy == 0) - return count; - else - return GNUTLS_E_SHORT_MEMORY_BUFFER; - -error: - for (j = 0; j < count; j++) - gnutls_x509_crt_deinit (certs[j]); - return ret; +gnutls_x509_crt_list_import(gnutls_x509_crt_t * certs, + unsigned int *cert_max, + const gnutls_datum_t * data, + gnutls_x509_crt_fmt_t format, + unsigned int flags) +{ + int size; + const char *ptr; + gnutls_datum_t tmp; + int ret, nocopy = 0; + unsigned int count = 0, j; + + if (format == GNUTLS_X509_FMT_DER) { + if (*cert_max < 1) { + *cert_max = 1; + return GNUTLS_E_SHORT_MEMORY_BUFFER; + } + + count = 1; /* import only the first one */ + + ret = gnutls_x509_crt_init(&certs[0]); + if (ret < 0) { + gnutls_assert(); + goto error; + } + + ret = gnutls_x509_crt_import(certs[0], data, format); + if (ret < 0) { + gnutls_assert(); + goto error; + } + + *cert_max = 1; + return 1; + } + + /* move to the certificate + */ + ptr = memmem(data->data, data->size, + PEM_CERT_SEP, sizeof(PEM_CERT_SEP) - 1); + if (ptr == NULL) + ptr = memmem(data->data, data->size, + PEM_CERT_SEP2, sizeof(PEM_CERT_SEP2) - 1); + + if (ptr == NULL) + return gnutls_assert_val(GNUTLS_E_NO_CERTIFICATE_FOUND); + + count = 0; + + do { + if (count >= *cert_max) { + if (! + (flags & + GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED)) + break; + else + nocopy = 1; + } + + if (!nocopy) { + ret = gnutls_x509_crt_init(&certs[count]); + if (ret < 0) { + gnutls_assert(); + goto error; + } + + tmp.data = (void *) ptr; + tmp.size = + data->size - (ptr - (char *) data->data); + + ret = + gnutls_x509_crt_import(certs[count], &tmp, + GNUTLS_X509_FMT_PEM); + if (ret < 0) { + gnutls_assert(); + goto error; + } + } + + /* now we move ptr after the pem header + */ + ptr++; + /* find the next certificate (if any) + */ + size = data->size - (ptr - (char *) data->data); + + if (size > 0) { + char *ptr2; + + ptr2 = + memmem(ptr, size, PEM_CERT_SEP, + sizeof(PEM_CERT_SEP) - 1); + if (ptr2 == NULL) + ptr2 = memmem(ptr, size, PEM_CERT_SEP2, + sizeof(PEM_CERT_SEP2) - 1); + + ptr = ptr2; + } else + ptr = NULL; + + count++; + } + while (ptr != NULL); + + *cert_max = count; + + if (flags & GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED) { + ret = check_if_sorted(certs, *cert_max); + if (ret < 0) { + gnutls_assert(); + goto error; + } + } + + if (nocopy == 0) + return count; + else + return GNUTLS_E_SHORT_MEMORY_BUFFER; + + error: + for (j = 0; j < count; j++) + gnutls_x509_crt_deinit(certs[j]); + return ret; } /** @@ -3732,31 +3613,29 @@ error: * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code. **/ int -gnutls_x509_crt_get_subject_unique_id (gnutls_x509_crt_t crt, char *buf, - size_t * buf_size) +gnutls_x509_crt_get_subject_unique_id(gnutls_x509_crt_t crt, char *buf, + size_t * buf_size) { - int result; - gnutls_datum_t datum = { NULL, 0 }; + int result; + gnutls_datum_t datum = { NULL, 0 }; - result = - _gnutls_x509_read_value (crt->cert, "tbsCertificate.subjectUniqueID", - &datum); + result = + _gnutls_x509_read_value(crt->cert, + "tbsCertificate.subjectUniqueID", + &datum); - if (datum.size > *buf_size) - { /* then we're not going to fit */ - *buf_size = datum.size; - buf[0] = '\0'; - result = GNUTLS_E_SHORT_MEMORY_BUFFER; - } - else - { - *buf_size = datum.size; - memcpy (buf, datum.data, datum.size); - } + if (datum.size > *buf_size) { /* then we're not going to fit */ + *buf_size = datum.size; + buf[0] = '\0'; + result = GNUTLS_E_SHORT_MEMORY_BUFFER; + } else { + *buf_size = datum.size; + memcpy(buf, datum.data, datum.size); + } - _gnutls_free_datum (&datum); + _gnutls_free_datum(&datum); - return result; + return result; } /** @@ -3778,125 +3657,126 @@ gnutls_x509_crt_get_subject_unique_id (gnutls_x509_crt_t crt, char *buf, * Since: 2.12.0 **/ int -gnutls_x509_crt_get_issuer_unique_id (gnutls_x509_crt_t crt, char *buf, - size_t * buf_size) +gnutls_x509_crt_get_issuer_unique_id(gnutls_x509_crt_t crt, char *buf, + size_t * buf_size) { - int result; - gnutls_datum_t datum = { NULL, 0 }; + int result; + gnutls_datum_t datum = { NULL, 0 }; - result = - _gnutls_x509_read_value (crt->cert, "tbsCertificate.issuerUniqueID", - &datum); + result = + _gnutls_x509_read_value(crt->cert, + "tbsCertificate.issuerUniqueID", + &datum); - if (datum.size > *buf_size) - { /* then we're not going to fit */ - *buf_size = datum.size; - buf[0] = '\0'; - result = GNUTLS_E_SHORT_MEMORY_BUFFER; - } - else - { - *buf_size = datum.size; - memcpy (buf, datum.data, datum.size); - } + if (datum.size > *buf_size) { /* then we're not going to fit */ + *buf_size = datum.size; + buf[0] = '\0'; + result = GNUTLS_E_SHORT_MEMORY_BUFFER; + } else { + *buf_size = datum.size; + memcpy(buf, datum.data, datum.size); + } - _gnutls_free_datum (&datum); + _gnutls_free_datum(&datum); - return result; + return result; } static int -_gnutls_parse_aia (ASN1_TYPE src, - unsigned int seq, - int what, - gnutls_datum_t * data) -{ - int len; - char nptr[ASN1_MAX_NAME_SIZE]; - int result; - gnutls_datum_t d; - const char *oid = NULL; - - seq++; /* 0->1, 1->2 etc */ - switch (what) - { - case GNUTLS_IA_ACCESSMETHOD_OID: - snprintf (nptr, sizeof (nptr), "?%u.accessMethod", seq); - break; - - case GNUTLS_IA_ACCESSLOCATION_GENERALNAME_TYPE: - snprintf (nptr, sizeof (nptr), "?%u.accessLocation", seq); - break; - - case GNUTLS_IA_CAISSUERS_URI: - oid = GNUTLS_OID_AD_CAISSUERS; - /* fall through */ - - case GNUTLS_IA_OCSP_URI: - if (oid == NULL) - oid = GNUTLS_OID_AD_OCSP; - { - char tmpoid[20]; - snprintf (nptr, sizeof (nptr), "?%u.accessMethod", seq); - len = sizeof (tmpoid); - result = asn1_read_value (src, nptr, tmpoid, &len); - - if (result == ASN1_VALUE_NOT_FOUND || result == ASN1_ELEMENT_NOT_FOUND) - return gnutls_assert_val(GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE); - - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - if ((unsigned)len != strlen (oid) + 1 || memcmp (tmpoid, oid, len) != 0) - return gnutls_assert_val(GNUTLS_E_UNKNOWN_ALGORITHM); - } - /* fall through */ - - case GNUTLS_IA_URI: - snprintf (nptr, sizeof (nptr), - "?%u.accessLocation.uniformResourceIdentifier", seq); - break; - - default: - return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); - } - - len = 0; - result = asn1_read_value (src, nptr, NULL, &len); - if (result == ASN1_VALUE_NOT_FOUND || result == ASN1_ELEMENT_NOT_FOUND) - return gnutls_assert_val(GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE); - - if (result != ASN1_MEM_ERROR) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - d.size = len; - - d.data = gnutls_malloc (d.size); - if (d.data == NULL) - return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); - - result = asn1_read_value (src, nptr, d.data, &len); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - gnutls_free (d.data); - return _gnutls_asn2err (result); - } - - if (data) - { - data->data = d.data; - data->size = d.size; - } - else - gnutls_free (d.data); - - return 0; +_gnutls_parse_aia(ASN1_TYPE src, + unsigned int seq, int what, gnutls_datum_t * data) +{ + int len; + char nptr[ASN1_MAX_NAME_SIZE]; + int result; + gnutls_datum_t d; + const char *oid = NULL; + + seq++; /* 0->1, 1->2 etc */ + switch (what) { + case GNUTLS_IA_ACCESSMETHOD_OID: + snprintf(nptr, sizeof(nptr), "?%u.accessMethod", seq); + break; + + case GNUTLS_IA_ACCESSLOCATION_GENERALNAME_TYPE: + snprintf(nptr, sizeof(nptr), "?%u.accessLocation", seq); + break; + + case GNUTLS_IA_CAISSUERS_URI: + oid = GNUTLS_OID_AD_CAISSUERS; + /* fall through */ + + case GNUTLS_IA_OCSP_URI: + if (oid == NULL) + oid = GNUTLS_OID_AD_OCSP; + { + char tmpoid[20]; + snprintf(nptr, sizeof(nptr), "?%u.accessMethod", + seq); + len = sizeof(tmpoid); + result = asn1_read_value(src, nptr, tmpoid, &len); + + if (result == ASN1_VALUE_NOT_FOUND + || result == ASN1_ELEMENT_NOT_FOUND) + return + gnutls_assert_val + (GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE); + + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + if ((unsigned) len != strlen(oid) + 1 + || memcmp(tmpoid, oid, len) != 0) + return + gnutls_assert_val + (GNUTLS_E_UNKNOWN_ALGORITHM); + } + /* fall through */ + + case GNUTLS_IA_URI: + snprintf(nptr, sizeof(nptr), + "?%u.accessLocation.uniformResourceIdentifier", + seq); + break; + + default: + return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); + } + + len = 0; + result = asn1_read_value(src, nptr, NULL, &len); + if (result == ASN1_VALUE_NOT_FOUND + || result == ASN1_ELEMENT_NOT_FOUND) + return + gnutls_assert_val + (GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE); + + if (result != ASN1_MEM_ERROR) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + d.size = len; + + d.data = gnutls_malloc(d.size); + if (d.data == NULL) + return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); + + result = asn1_read_value(src, nptr, d.data, &len); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + gnutls_free(d.data); + return _gnutls_asn2err(result); + } + + if (data) { + data->data = d.data; + data->size = d.size; + } else + gnutls_free(d.data); + + return 0; } /** @@ -3969,61 +3849,58 @@ _gnutls_parse_aia (ASN1_TYPE src, * Since: 3.0 **/ int -gnutls_x509_crt_get_authority_info_access (gnutls_x509_crt_t crt, - unsigned int seq, - int what, - gnutls_datum_t * data, - unsigned int *critical) -{ - int ret; - gnutls_datum_t aia; - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - - if (crt == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - if ((ret = _gnutls_x509_crt_get_extension (crt, GNUTLS_OID_AIA, 0, &aia, - critical)) < 0) - return ret; - - if (aia.size == 0 || aia.data == NULL) - { - gnutls_assert (); - return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - } - - if (critical && *critical) - return GNUTLS_E_CONSTRAINT_ERROR; - - ret = asn1_create_element (_gnutls_get_pkix (), - "PKIX1.AuthorityInfoAccessSyntax", &c2); - if (ret != ASN1_SUCCESS) - { - gnutls_assert (); - _gnutls_free_datum (&aia); - return _gnutls_asn2err (ret); - } - - ret = asn1_der_decoding (&c2, aia.data, aia.size, NULL); - /* asn1_print_structure (stdout, c2, "", ASN1_PRINT_ALL); */ - _gnutls_free_datum (&aia); - if (ret != ASN1_SUCCESS) - { - gnutls_assert (); - asn1_delete_structure (&c2); - return _gnutls_asn2err (ret); - } - - ret = _gnutls_parse_aia (c2, seq, what, data); - - asn1_delete_structure (&c2); - if (ret < 0) - gnutls_assert (); - - return ret; +gnutls_x509_crt_get_authority_info_access(gnutls_x509_crt_t crt, + unsigned int seq, + int what, + gnutls_datum_t * data, + unsigned int *critical) +{ + int ret; + gnutls_datum_t aia; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + + if (crt == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + if ((ret = + _gnutls_x509_crt_get_extension(crt, GNUTLS_OID_AIA, 0, &aia, + critical)) < 0) + return ret; + + if (aia.size == 0 || aia.data == NULL) { + gnutls_assert(); + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + } + + if (critical && *critical) + return GNUTLS_E_CONSTRAINT_ERROR; + + ret = asn1_create_element(_gnutls_get_pkix(), + "PKIX1.AuthorityInfoAccessSyntax", &c2); + if (ret != ASN1_SUCCESS) { + gnutls_assert(); + _gnutls_free_datum(&aia); + return _gnutls_asn2err(ret); + } + + ret = asn1_der_decoding(&c2, aia.data, aia.size, NULL); + /* asn1_print_structure (stdout, c2, "", ASN1_PRINT_ALL); */ + _gnutls_free_datum(&aia); + if (ret != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(&c2); + return _gnutls_asn2err(ret); + } + + ret = _gnutls_parse_aia(c2, seq, what, data); + + asn1_delete_structure(&c2); + if (ret < 0) + gnutls_assert(); + + return ret; } /** @@ -4042,9 +3919,10 @@ gnutls_x509_crt_get_authority_info_access (gnutls_x509_crt_t crt, * Since: 3.1.0 * **/ -void gnutls_x509_crt_set_pin_function (gnutls_x509_crt_t crt, - gnutls_pin_callback_t fn, void *userdata) +void gnutls_x509_crt_set_pin_function(gnutls_x509_crt_t crt, + gnutls_pin_callback_t fn, + void *userdata) { - crt->pin.cb = fn; - crt->pin.data = userdata; + crt->pin.cb = fn; + crt->pin.data = userdata; } diff --git a/lib/x509/x509_dn.c b/lib/x509/x509_dn.c index 384ad87422..0131de04ad 100644 --- a/lib/x509/x509_dn.c +++ b/lib/x509/x509_dn.c @@ -31,136 +31,135 @@ #include <x509_b64.h> #include <c-ctype.h> -typedef int (*set_dn_func) (void*, const char *oid, unsigned int raw_flag, const void *name, unsigned int name_size); - +typedef int (*set_dn_func) (void *, const char *oid, unsigned int raw_flag, + const void *name, unsigned int name_size); + static -int dn_attr_crt_set( set_dn_func f, void* crt, const gnutls_datum_t * name, - const gnutls_datum_t * val) +int dn_attr_crt_set(set_dn_func f, void *crt, const gnutls_datum_t * name, + const gnutls_datum_t * val) { - char _oid[MAX_OID_SIZE]; - const char *oid; - int ret; - - if (name->size == 0 || val->size == 0) - return gnutls_assert_val(GNUTLS_E_PARSING_ERROR); - - if (c_isdigit(name->data[0]) != 0) - { - if (name->size >= sizeof(_oid)) - return gnutls_assert_val(GNUTLS_E_PARSING_ERROR); - - memcpy(_oid, name->data, name->size); - _oid[name->size] = 0; - - oid = _oid; - - if (gnutls_x509_dn_oid_known(oid) == 0) - { - _gnutls_debug_log("Unknown OID: '%s'\n", oid); - return gnutls_assert_val(GNUTLS_E_PARSING_ERROR); - } - } - else - { - oid = _gnutls_ldap_string_to_oid((char*)name->data, name->size); - } - - if (oid == NULL) - { - _gnutls_debug_log("Unknown DN attribute: '%.*s'\n", (int)name->size, name->data); - return gnutls_assert_val(GNUTLS_E_PARSING_ERROR); - } - - if (val->data[0] == '#') - return gnutls_assert_val(GNUTLS_E_PARSING_ERROR); - - ret = f(crt, oid, 0, val->data, val->size); - if (ret < 0) - return gnutls_assert_val(ret); - - return 0; + char _oid[MAX_OID_SIZE]; + const char *oid; + int ret; + + if (name->size == 0 || val->size == 0) + return gnutls_assert_val(GNUTLS_E_PARSING_ERROR); + + if (c_isdigit(name->data[0]) != 0) { + if (name->size >= sizeof(_oid)) + return gnutls_assert_val(GNUTLS_E_PARSING_ERROR); + + memcpy(_oid, name->data, name->size); + _oid[name->size] = 0; + + oid = _oid; + + if (gnutls_x509_dn_oid_known(oid) == 0) { + _gnutls_debug_log("Unknown OID: '%s'\n", oid); + return gnutls_assert_val(GNUTLS_E_PARSING_ERROR); + } + } else { + oid = + _gnutls_ldap_string_to_oid((char *) name->data, + name->size); + } + + if (oid == NULL) { + _gnutls_debug_log("Unknown DN attribute: '%.*s'\n", + (int) name->size, name->data); + return gnutls_assert_val(GNUTLS_E_PARSING_ERROR); + } + + if (val->data[0] == '#') + return gnutls_assert_val(GNUTLS_E_PARSING_ERROR); + + ret = f(crt, oid, 0, val->data, val->size); + if (ret < 0) + return gnutls_assert_val(ret); + + return 0; } -static int read_attr_and_val(const char** ptr, - gnutls_datum_t * name, - gnutls_datum_t * val) +static int read_attr_and_val(const char **ptr, + gnutls_datum_t * name, gnutls_datum_t * val) { -const unsigned char* p = (void*)*ptr; - - /* skip any space */ - while (c_isspace(*p)) - p++; - - /* Read the name */ - name->data = (void*)p; - while (*p != '=' && *p != 0 && !c_isspace(*p)) - p++; - - name->size = p - name->data; - - /* skip any space */ - while (c_isspace(*p)) - p++; - - if (*p != '=') - return gnutls_assert_val(GNUTLS_E_PARSING_ERROR); - p++; - - while (c_isspace(*p)) - p++; - - /* Read value */ - val->data = (void*)p; - while (*p != 0 && !c_isspace(*p) && (*p != ',' || (*p == ',' && *(p-1) == '\\')) && *p != '\n') - p++; - val->size = p - (val->data); - - if (val->size == 0 || name->size == 0) - return gnutls_assert_val(GNUTLS_E_PARSING_ERROR); - - *ptr = (void*)p; - - return 0; + const unsigned char *p = (void *) *ptr; + + /* skip any space */ + while (c_isspace(*p)) + p++; + + /* Read the name */ + name->data = (void *) p; + while (*p != '=' && *p != 0 && !c_isspace(*p)) + p++; + + name->size = p - name->data; + + /* skip any space */ + while (c_isspace(*p)) + p++; + + if (*p != '=') + return gnutls_assert_val(GNUTLS_E_PARSING_ERROR); + p++; + + while (c_isspace(*p)) + p++; + + /* Read value */ + val->data = (void *) p; + while (*p != 0 && !c_isspace(*p) + && (*p != ',' || (*p == ',' && *(p - 1) == '\\')) + && *p != '\n') + p++; + val->size = p - (val->data); + + if (val->size == 0 || name->size == 0) + return gnutls_assert_val(GNUTLS_E_PARSING_ERROR); + + *ptr = (void *) p; + + return 0; } static int -crt_set_dn (set_dn_func f, void* crt, const char *dn, const char** err) +crt_set_dn(set_dn_func f, void *crt, const char *dn, const char **err) { -const char *p = dn; -int ret; -gnutls_datum_t name, val; - - if (crt == NULL || dn == NULL) - return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); - - /* For each element */ - while (*p != 0 && *p != '\n') - { - if (err) - *err = p; - - ret = read_attr_and_val(&p, &name, &val); - if (ret < 0) - return gnutls_assert_val(ret); - - /* skip spaces and look for comma */ - while (c_isspace(*p)) - p++; - - ret = dn_attr_crt_set(f, crt, &name, &val); - if (ret < 0) - return gnutls_assert_val(ret); - - if (err) - *err = p; - - if (*p != ',' && *p != 0 && *p != '\n') - return gnutls_assert_val(GNUTLS_E_PARSING_ERROR); - if (*p == ',') - p++; - } - - return 0; + const char *p = dn; + int ret; + gnutls_datum_t name, val; + + if (crt == NULL || dn == NULL) + return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); + + /* For each element */ + while (*p != 0 && *p != '\n') { + if (err) + *err = p; + + ret = read_attr_and_val(&p, &name, &val); + if (ret < 0) + return gnutls_assert_val(ret); + + /* skip spaces and look for comma */ + while (c_isspace(*p)) + p++; + + ret = dn_attr_crt_set(f, crt, &name, &val); + if (ret < 0) + return gnutls_assert_val(ret); + + if (err) + *err = p; + + if (*p != ',' && *p != 0 && *p != '\n') + return gnutls_assert_val(GNUTLS_E_PARSING_ERROR); + if (*p == ',') + p++; + } + + return 0; } @@ -177,9 +176,11 @@ gnutls_datum_t name, val; * negative error value. **/ int -gnutls_x509_crt_set_dn (gnutls_x509_crt_t crt, const char *dn, const char** err) +gnutls_x509_crt_set_dn(gnutls_x509_crt_t crt, const char *dn, + const char **err) { - return crt_set_dn( (set_dn_func)gnutls_x509_crt_set_dn_by_oid, crt, dn, err); + return crt_set_dn((set_dn_func) gnutls_x509_crt_set_dn_by_oid, crt, + dn, err); } /** @@ -195,9 +196,12 @@ gnutls_x509_crt_set_dn (gnutls_x509_crt_t crt, const char *dn, const char** err) * negative error value. **/ int -gnutls_x509_crt_set_issuer_dn (gnutls_x509_crt_t crt, const char *dn, const char** err) +gnutls_x509_crt_set_issuer_dn(gnutls_x509_crt_t crt, const char *dn, + const char **err) { - return crt_set_dn( (set_dn_func)gnutls_x509_crt_set_issuer_dn_by_oid, crt, dn, err); + return crt_set_dn((set_dn_func) + gnutls_x509_crt_set_issuer_dn_by_oid, crt, dn, + err); } /** @@ -213,7 +217,9 @@ gnutls_x509_crt_set_issuer_dn (gnutls_x509_crt_t crt, const char *dn, const char * negative error value. **/ int -gnutls_x509_crq_set_dn (gnutls_x509_crq_t crq, const char *dn, const char** err) +gnutls_x509_crq_set_dn(gnutls_x509_crq_t crq, const char *dn, + const char **err) { - return crt_set_dn( (set_dn_func)gnutls_x509_crq_set_dn_by_oid, crq, dn, err); + return crt_set_dn((set_dn_func) gnutls_x509_crq_set_dn_by_oid, crq, + dn, err); } diff --git a/lib/x509/x509_int.h b/lib/x509/x509_int.h index 10cf0c5c57..8fa86e705c 100644 --- a/lib/x509/x509_int.h +++ b/lib/x509/x509_int.h @@ -40,65 +40,60 @@ #define HASH_OID_SHA384 "2.16.840.1.101.3.4.2.2" #define HASH_OID_SHA512 "2.16.840.1.101.3.4.2.3" -typedef struct gnutls_x509_crl_int -{ - ASN1_TYPE crl; - int use_extensions; - gnutls_datum_t raw_issuer_dn; +typedef struct gnutls_x509_crl_int { + ASN1_TYPE crl; + int use_extensions; + gnutls_datum_t raw_issuer_dn; } gnutls_x509_crl_int; -typedef struct gnutls_x509_crt_int -{ - ASN1_TYPE cert; - int use_extensions; - int expanded; /* a certificate has been expanded */ - - /* These two cached values allow fast calls to - * get_raw_*_dn(). */ - gnutls_datum_t raw_dn; - gnutls_datum_t raw_issuer_dn; - - struct pin_info_st pin; +typedef struct gnutls_x509_crt_int { + ASN1_TYPE cert; + int use_extensions; + int expanded; /* a certificate has been expanded */ + + /* These two cached values allow fast calls to + * get_raw_*_dn(). */ + gnutls_datum_t raw_dn; + gnutls_datum_t raw_issuer_dn; + + struct pin_info_st pin; } gnutls_x509_crt_int; -typedef struct gnutls_x509_crq_int -{ - ASN1_TYPE crq; +typedef struct gnutls_x509_crq_int { + ASN1_TYPE crq; } gnutls_x509_crq_int; -typedef struct gnutls_pkcs7_int -{ - ASN1_TYPE pkcs7; +typedef struct gnutls_pkcs7_int { + ASN1_TYPE pkcs7; } gnutls_pkcs7_int; -typedef struct gnutls_x509_privkey_int -{ - /* the size of params depends on the public - * key algorithm - */ - gnutls_pk_params_st params; +typedef struct gnutls_x509_privkey_int { + /* the size of params depends on the public + * key algorithm + */ + gnutls_pk_params_st params; - gnutls_pk_algorithm_t pk_algorithm; + gnutls_pk_algorithm_t pk_algorithm; - ASN1_TYPE key; + ASN1_TYPE key; } gnutls_x509_privkey_int; -int _gnutls_x509_crt_cpy (gnutls_x509_crt_t dest, gnutls_x509_crt_t src); +int _gnutls_x509_crt_cpy(gnutls_x509_crt_t dest, gnutls_x509_crt_t src); -int _gnutls_x509_compare_raw_dn (const gnutls_datum_t * dn1, - const gnutls_datum_t * dn2); +int _gnutls_x509_compare_raw_dn(const gnutls_datum_t * dn1, + const gnutls_datum_t * dn2); -int _gnutls_x509_crl_cpy (gnutls_x509_crl_t dest, gnutls_x509_crl_t src); -int _gnutls_x509_crl_get_raw_issuer_dn (gnutls_x509_crl_t crl, - gnutls_datum_t * dn); +int _gnutls_x509_crl_cpy(gnutls_x509_crl_t dest, gnutls_x509_crl_t src); +int _gnutls_x509_crl_get_raw_issuer_dn(gnutls_x509_crl_t crl, + gnutls_datum_t * dn); /* sign.c */ -int _gnutls_x509_get_tbs (ASN1_TYPE cert, const char *tbs_name, - gnutls_datum_t * tbs); -int _gnutls_x509_pkix_sign (ASN1_TYPE src, const char *src_name, - gnutls_digest_algorithm_t, - gnutls_x509_crt_t issuer, - gnutls_privkey_t issuer_key); +int _gnutls_x509_get_tbs(ASN1_TYPE cert, const char *tbs_name, + gnutls_datum_t * tbs); +int _gnutls_x509_pkix_sign(ASN1_TYPE src, const char *src_name, + gnutls_digest_algorithm_t, + gnutls_x509_crt_t issuer, + gnutls_privkey_t issuer_key); /* dn.c */ #define OID_X520_COUNTRY_NAME "2.5.4.6" @@ -111,198 +106,201 @@ int _gnutls_x509_pkix_sign (ASN1_TYPE src, const char *src_name, #define OID_LDAP_UID "0.9.2342.19200300.100.1.1" #define OID_PKCS9_EMAIL "1.2.840.113549.1.9.1" -int _gnutls_x509_parse_dn (ASN1_TYPE asn1_struct, - const char *asn1_rdn_name, char *buf, - size_t * sizeof_buf); +int _gnutls_x509_parse_dn(ASN1_TYPE asn1_struct, + const char *asn1_rdn_name, char *buf, + size_t * sizeof_buf); int -_gnutls_x509_get_dn (ASN1_TYPE asn1_struct, - const char *asn1_rdn_name, gnutls_datum_t * dn); +_gnutls_x509_get_dn(ASN1_TYPE asn1_struct, + const char *asn1_rdn_name, gnutls_datum_t * dn); int -_gnutls_x509_parse_dn_oid (ASN1_TYPE asn1_struct, - const char *asn1_rdn_name, - const char *given_oid, int indx, - unsigned int raw_flag, - gnutls_datum_t* out); +_gnutls_x509_parse_dn_oid(ASN1_TYPE asn1_struct, + const char *asn1_rdn_name, + const char *given_oid, int indx, + unsigned int raw_flag, gnutls_datum_t * out); -int _gnutls_x509_set_dn_oid (ASN1_TYPE asn1_struct, - const char *asn1_rdn_name, const char *oid, - int raw_flag, const char *name, int sizeof_name); +int _gnutls_x509_set_dn_oid(ASN1_TYPE asn1_struct, + const char *asn1_rdn_name, const char *oid, + int raw_flag, const char *name, + int sizeof_name); -int _gnutls_x509_get_dn_oid (ASN1_TYPE asn1_struct, - const char *asn1_rdn_name, - int indx, void *_oid, size_t * sizeof_oid); +int _gnutls_x509_get_dn_oid(ASN1_TYPE asn1_struct, + const char *asn1_rdn_name, + int indx, void *_oid, size_t * sizeof_oid); -int _gnutls_parse_general_name (ASN1_TYPE src, const char *src_name, - int seq, void *name, size_t * name_size, - unsigned int *ret_type, int othername_oid); +int _gnutls_parse_general_name(ASN1_TYPE src, const char *src_name, + int seq, void *name, size_t * name_size, + unsigned int *ret_type, int othername_oid); /* dsa.c */ /* verify.c */ -int gnutls_x509_crt_is_issuer (gnutls_x509_crt_t cert, - gnutls_x509_crt_t issuer); +int gnutls_x509_crt_is_issuer(gnutls_x509_crt_t cert, + gnutls_x509_crt_t issuer); int -_gnutls_x509_verify_algorithm (gnutls_digest_algorithm_t * hash, - const gnutls_datum_t * signature, - gnutls_pk_algorithm_t pk, - gnutls_pk_params_st * issuer_params); +_gnutls_x509_verify_algorithm(gnutls_digest_algorithm_t * hash, + const gnutls_datum_t * signature, + gnutls_pk_algorithm_t pk, + gnutls_pk_params_st * issuer_params); -int _gnutls_x509_verify_data (const mac_entry_st* me, - const gnutls_datum_t * data, - const gnutls_datum_t * signature, - gnutls_x509_crt_t issuer); +int _gnutls_x509_verify_data(const mac_entry_st * me, + const gnutls_datum_t * data, + const gnutls_datum_t * signature, + gnutls_x509_crt_t issuer); /* privkey.h */ -ASN1_TYPE _gnutls_privkey_decode_pkcs1_rsa_key (const gnutls_datum_t * - raw_key, - gnutls_x509_privkey_t pkey); -ASN1_TYPE _gnutls_privkey_decode_ecc_key (const gnutls_datum_t * - raw_key, - gnutls_x509_privkey_t pkey); +ASN1_TYPE _gnutls_privkey_decode_pkcs1_rsa_key(const gnutls_datum_t * + raw_key, + gnutls_x509_privkey_t pkey); +ASN1_TYPE _gnutls_privkey_decode_ecc_key(const gnutls_datum_t * + raw_key, + gnutls_x509_privkey_t pkey); int -_gnutls_x509_read_ecc_params (uint8_t * der, int dersize, gnutls_pk_params_st * params); +_gnutls_x509_read_ecc_params(uint8_t * der, int dersize, + gnutls_pk_params_st * params); -int _gnutls_asn1_encode_privkey (gnutls_pk_algorithm_t pk, ASN1_TYPE * c2, gnutls_pk_params_st * params); +int _gnutls_asn1_encode_privkey(gnutls_pk_algorithm_t pk, ASN1_TYPE * c2, + gnutls_pk_params_st * params); /* extensions.c */ -int _gnutls_x509_crl_get_extension (gnutls_x509_crl_t crl, - const char *extension_id, int indx, - gnutls_datum_t * ret, - unsigned int *_critical); - -int _gnutls_x509_crl_get_extension_oid (gnutls_x509_crl_t crl, - int indx, void *oid, - size_t * sizeof_oid); - -int _gnutls_x509_crl_set_extension (gnutls_x509_crl_t crl, - const char *ext_id, - const gnutls_datum_t * ext_data, - unsigned int critical); - -int _gnutls_x509_crt_get_extension (gnutls_x509_crt_t cert, - const char *extension_id, int indx, - gnutls_datum_t * ret, - unsigned int *critical); -int _gnutls_x509_crt_get_extension_oid (gnutls_x509_crt_t cert, - int indx, void *ret, - size_t * ret_size); -int _gnutls_x509_ext_extract_keyUsage (uint16_t * keyUsage, - uint8_t * extnValue, int extnValueLen); -int _gnutls_x509_ext_extract_basicConstraints (unsigned int *CA, - int *pathLenConstraint, - uint8_t * extnValue, - int extnValueLen); -int _gnutls_x509_crt_set_extension (gnutls_x509_crt_t cert, - const char *extension_id, - const gnutls_datum_t * ext_data, - unsigned int critical); +int _gnutls_x509_crl_get_extension(gnutls_x509_crl_t crl, + const char *extension_id, int indx, + gnutls_datum_t * ret, + unsigned int *_critical); + +int _gnutls_x509_crl_get_extension_oid(gnutls_x509_crl_t crl, + int indx, void *oid, + size_t * sizeof_oid); + +int _gnutls_x509_crl_set_extension(gnutls_x509_crl_t crl, + const char *ext_id, + const gnutls_datum_t * ext_data, + unsigned int critical); + +int _gnutls_x509_crt_get_extension(gnutls_x509_crt_t cert, + const char *extension_id, int indx, + gnutls_datum_t * ret, + unsigned int *critical); +int _gnutls_x509_crt_get_extension_oid(gnutls_x509_crt_t cert, + int indx, void *ret, + size_t * ret_size); +int _gnutls_x509_ext_extract_keyUsage(uint16_t * keyUsage, + uint8_t * extnValue, + int extnValueLen); +int _gnutls_x509_ext_extract_basicConstraints(unsigned int *CA, + int *pathLenConstraint, + uint8_t * extnValue, + int extnValueLen); +int _gnutls_x509_crt_set_extension(gnutls_x509_crt_t cert, + const char *extension_id, + const gnutls_datum_t * ext_data, + unsigned int critical); int -_gnutls_x509_ext_extract_number (uint8_t * number, - size_t * nr_size, - uint8_t * extnValue, int extnValueLen); +_gnutls_x509_ext_extract_number(uint8_t * number, + size_t * nr_size, + uint8_t * extnValue, int extnValueLen); int -_gnutls_x509_ext_gen_number (const uint8_t * nuber, size_t nr_size, - gnutls_datum_t * der_ext); - - -int _gnutls_x509_ext_gen_basicConstraints (int CA, int pathLenConstraint, - gnutls_datum_t * der_ext); -int _gnutls_x509_ext_gen_keyUsage (uint16_t usage, gnutls_datum_t * der_ext); -int _gnutls_x509_ext_gen_subject_alt_name (gnutls_x509_subject_alt_name_t - type, const void *data, - unsigned int data_size, - gnutls_datum_t * prev_der_ext, - gnutls_datum_t * der_ext); -int _gnutls_x509_ext_gen_crl_dist_points (gnutls_x509_subject_alt_name_t type, - const void *data, - unsigned int data_size, - unsigned int reason_flags, - gnutls_datum_t * der_ext); -int _gnutls_x509_ext_gen_key_id (const void *id, size_t id_size, - gnutls_datum_t * der_data); -int _gnutls_x509_ext_gen_auth_key_id (const void *id, size_t id_size, - gnutls_datum_t * der_data); -int _gnutls_x509_ext_extract_proxyCertInfo (int *pathLenConstraint, - char **policyLanguage, - char **policy, - size_t * sizeof_policy, - uint8_t * extnValue, - int extnValueLen); -int _gnutls_x509_ext_gen_proxyCertInfo (int pathLenConstraint, - const char *policyLanguage, - const char *policy, - size_t sizeof_policy, - gnutls_datum_t * der_ext); +_gnutls_x509_ext_gen_number(const uint8_t * nuber, size_t nr_size, + gnutls_datum_t * der_ext); + + +int _gnutls_x509_ext_gen_basicConstraints(int CA, int pathLenConstraint, + gnutls_datum_t * der_ext); +int _gnutls_x509_ext_gen_keyUsage(uint16_t usage, + gnutls_datum_t * der_ext); +int _gnutls_x509_ext_gen_subject_alt_name(gnutls_x509_subject_alt_name_t + type, const void *data, + unsigned int data_size, + gnutls_datum_t * prev_der_ext, + gnutls_datum_t * der_ext); +int _gnutls_x509_ext_gen_crl_dist_points(gnutls_x509_subject_alt_name_t + type, const void *data, + unsigned int data_size, + unsigned int reason_flags, + gnutls_datum_t * der_ext); +int _gnutls_x509_ext_gen_key_id(const void *id, size_t id_size, + gnutls_datum_t * der_data); +int _gnutls_x509_ext_gen_auth_key_id(const void *id, size_t id_size, + gnutls_datum_t * der_data); +int _gnutls_x509_ext_extract_proxyCertInfo(int *pathLenConstraint, + char **policyLanguage, + char **policy, + size_t * sizeof_policy, + uint8_t * extnValue, + int extnValueLen); +int _gnutls_x509_ext_gen_proxyCertInfo(int pathLenConstraint, + const char *policyLanguage, + const char *policy, + size_t sizeof_policy, + gnutls_datum_t * der_ext); /* mpi.c */ -int _gnutls_x509_crq_get_mpis (gnutls_x509_crq_t cert, - gnutls_pk_params_st*); +int _gnutls_x509_crq_get_mpis(gnutls_x509_crq_t cert, + gnutls_pk_params_st *); -int _gnutls_x509_crt_get_mpis (gnutls_x509_crt_t cert, - gnutls_pk_params_st * params); +int _gnutls_x509_crt_get_mpis(gnutls_x509_crt_t cert, + gnutls_pk_params_st * params); -int _gnutls_x509_read_pubkey_params (gnutls_pk_algorithm_t, uint8_t * der, int dersize, - gnutls_pk_params_st * params); +int _gnutls_x509_read_pubkey_params(gnutls_pk_algorithm_t, uint8_t * der, + int dersize, + gnutls_pk_params_st * params); -int _gnutls_x509_read_pubkey (gnutls_pk_algorithm_t, uint8_t * der, int dersize, - gnutls_pk_params_st * params); +int _gnutls_x509_read_pubkey(gnutls_pk_algorithm_t, uint8_t * der, + int dersize, gnutls_pk_params_st * params); -int _gnutls_x509_write_ecc_params (gnutls_pk_params_st * params, - gnutls_datum_t * der); -int _gnutls_x509_write_ecc_pubkey (gnutls_pk_params_st * params, - gnutls_datum_t * der); +int _gnutls_x509_write_ecc_params(gnutls_pk_params_st * params, + gnutls_datum_t * der); +int _gnutls_x509_write_ecc_pubkey(gnutls_pk_params_st * params, + gnutls_datum_t * der); int -_gnutls_x509_write_pubkey_params (gnutls_pk_algorithm_t algo, - gnutls_pk_params_st* params, - gnutls_datum_t * der); -int _gnutls_x509_write_pubkey (gnutls_pk_algorithm_t, gnutls_pk_params_st * params, - gnutls_datum_t * der); +_gnutls_x509_write_pubkey_params(gnutls_pk_algorithm_t algo, + gnutls_pk_params_st * params, + gnutls_datum_t * der); +int _gnutls_x509_write_pubkey(gnutls_pk_algorithm_t, + gnutls_pk_params_st * params, + gnutls_datum_t * der); -int _gnutls_x509_read_uint (ASN1_TYPE node, const char *value, - unsigned int *ret); +int _gnutls_x509_read_uint(ASN1_TYPE node, const char *value, + unsigned int *ret); -int _gnutls_x509_read_der_int (uint8_t * der, int dersize, bigint_t * out); +int _gnutls_x509_read_der_int(uint8_t * der, int dersize, bigint_t * out); -int _gnutls_x509_read_int (ASN1_TYPE node, const char *value, - bigint_t * ret_mpi); -int _gnutls_x509_write_int (ASN1_TYPE node, const char *value, bigint_t mpi, - int lz); -int _gnutls_x509_write_uint32 (ASN1_TYPE node, const char *value, - uint32_t num); +int _gnutls_x509_read_int(ASN1_TYPE node, const char *value, + bigint_t * ret_mpi); +int _gnutls_x509_write_int(ASN1_TYPE node, const char *value, bigint_t mpi, + int lz); +int _gnutls_x509_write_uint32(ASN1_TYPE node, const char *value, + uint32_t num); -int _gnutls_x509_write_sig_params (ASN1_TYPE dst, const char *dst_name, - gnutls_pk_algorithm_t pk_algorithm, - gnutls_digest_algorithm_t); +int _gnutls_x509_write_sig_params(ASN1_TYPE dst, const char *dst_name, + gnutls_pk_algorithm_t pk_algorithm, + gnutls_digest_algorithm_t); /* pkcs12.h */ #include <gnutls/pkcs12.h> -typedef struct gnutls_pkcs12_int -{ - ASN1_TYPE pkcs12; +typedef struct gnutls_pkcs12_int { + ASN1_TYPE pkcs12; } gnutls_pkcs12_int; #define MAX_BAG_ELEMENTS 32 -struct bag_element -{ - gnutls_datum_t data; - gnutls_pkcs12_bag_type_t type; - gnutls_datum_t local_key_id; - char *friendly_name; +struct bag_element { + gnutls_datum_t data; + gnutls_pkcs12_bag_type_t type; + gnutls_datum_t local_key_id; + char *friendly_name; }; -typedef struct gnutls_pkcs12_bag_int -{ - struct bag_element element[MAX_BAG_ELEMENTS]; - int bag_elements; +typedef struct gnutls_pkcs12_bag_int { + struct bag_element element[MAX_BAG_ELEMENTS]; + int bag_elements; } gnutls_pkcs12_bag_int; #define BAG_PKCS8_KEY "1.2.840.113549.1.12.10.1.1" @@ -322,63 +320,63 @@ typedef struct gnutls_pkcs12_bag_int #define KEY_ID_OID "1.2.840.113549.1.9.21" int -_gnutls_pkcs12_string_to_key (unsigned int id, const uint8_t * salt, - unsigned int salt_size, unsigned int iter, - const char *pw, unsigned int req_keylen, - uint8_t * keybuf); - -int _gnutls_pkcs7_decrypt_data (const gnutls_datum_t * data, - const char *password, gnutls_datum_t * dec); - -typedef enum schema_id -{ - PBES2_GENERIC, /* when the algorithm is unknown, temporal use when reading only */ - PBES2_3DES, /* the stuff in PKCS #5 */ - PBES2_AES_128, - PBES2_AES_192, - PBES2_AES_256, - PKCS12_3DES_SHA1, /* the stuff in PKCS #12 */ - PKCS12_ARCFOUR_SHA1, - PKCS12_RC2_40_SHA1 +_gnutls_pkcs12_string_to_key(unsigned int id, const uint8_t * salt, + unsigned int salt_size, unsigned int iter, + const char *pw, unsigned int req_keylen, + uint8_t * keybuf); + +int _gnutls_pkcs7_decrypt_data(const gnutls_datum_t * data, + const char *password, gnutls_datum_t * dec); + +typedef enum schema_id { + PBES2_GENERIC, /* when the algorithm is unknown, temporal use when reading only */ + PBES2_3DES, /* the stuff in PKCS #5 */ + PBES2_AES_128, + PBES2_AES_192, + PBES2_AES_256, + PKCS12_3DES_SHA1, /* the stuff in PKCS #12 */ + PKCS12_ARCFOUR_SHA1, + PKCS12_RC2_40_SHA1 } schema_id; -int _gnutls_pkcs_flags_to_schema (unsigned int flags); -int _gnutls_pkcs7_encrypt_data (schema_id schema, - const gnutls_datum_t * data, - const char *password, gnutls_datum_t * enc); -int _pkcs12_decode_safe_contents (const gnutls_datum_t * content, - gnutls_pkcs12_bag_t bag); +int _gnutls_pkcs_flags_to_schema(unsigned int flags); +int _gnutls_pkcs7_encrypt_data(schema_id schema, + const gnutls_datum_t * data, + const char *password, gnutls_datum_t * enc); +int _pkcs12_decode_safe_contents(const gnutls_datum_t * content, + gnutls_pkcs12_bag_t bag); int -_pkcs12_encode_safe_contents (gnutls_pkcs12_bag_t bag, ASN1_TYPE * content, - int *enc); +_pkcs12_encode_safe_contents(gnutls_pkcs12_bag_t bag, ASN1_TYPE * content, + int *enc); -int _pkcs12_decode_crt_bag (gnutls_pkcs12_bag_type_t type, - const gnutls_datum_t * in, gnutls_datum_t * out); -int _pkcs12_encode_crt_bag (gnutls_pkcs12_bag_type_t type, - const gnutls_datum_t * raw, gnutls_datum_t * out); +int _pkcs12_decode_crt_bag(gnutls_pkcs12_bag_type_t type, + const gnutls_datum_t * in, + gnutls_datum_t * out); +int _pkcs12_encode_crt_bag(gnutls_pkcs12_bag_type_t type, + const gnutls_datum_t * raw, + gnutls_datum_t * out); /* crq */ -int _gnutls_x509_crq_set_extension (gnutls_x509_crq_t crq, - const char *ext_id, - const gnutls_datum_t * ext_data, - unsigned int critical); +int _gnutls_x509_crq_set_extension(gnutls_x509_crq_t crq, + const char *ext_id, + const gnutls_datum_t * ext_data, + unsigned int critical); unsigned int -_gnutls_x509_verify_certificate (const gnutls_x509_crt_t * certificate_list, - int clist_size, - const gnutls_x509_crt_t * trusted_cas, - int tcas_size, - unsigned int flags, - gnutls_verify_output_function func); +_gnutls_x509_verify_certificate(const gnutls_x509_crt_t * certificate_list, + int clist_size, + const gnutls_x509_crt_t * trusted_cas, + int tcas_size, + unsigned int flags, + gnutls_verify_output_function func); -int -_gnutls_is_same_dn (gnutls_x509_crt_t cert1, gnutls_x509_crt_t cert2); +int _gnutls_is_same_dn(gnutls_x509_crt_t cert1, gnutls_x509_crt_t cert2); int -_gnutls_x509_crt_check_revocation (gnutls_x509_crt_t cert, - const gnutls_x509_crl_t * crl_list, - int crl_list_length, - gnutls_verify_output_function func); +_gnutls_x509_crt_check_revocation(gnutls_x509_crt_t cert, + const gnutls_x509_crl_t * crl_list, + int crl_list_length, + gnutls_verify_output_function func); #endif diff --git a/lib/x509/x509_write.c b/lib/x509/x509_write.c index c5e854e71c..71f5a5d0d4 100644 --- a/lib/x509/x509_write.c +++ b/lib/x509/x509_write.c @@ -34,7 +34,7 @@ #include "x509_int.h" #include <libtasn1.h> -static void disable_optional_stuff (gnutls_x509_crt_t cert); +static void disable_optional_stuff(gnutls_x509_crt_t cert); /** * gnutls_x509_crt_set_dn_by_oid: @@ -58,17 +58,16 @@ static void disable_optional_stuff (gnutls_x509_crt_t cert); * negative error value. **/ int -gnutls_x509_crt_set_dn_by_oid (gnutls_x509_crt_t crt, const char *oid, - unsigned int raw_flag, const void *name, - unsigned int sizeof_name) +gnutls_x509_crt_set_dn_by_oid(gnutls_x509_crt_t crt, const char *oid, + unsigned int raw_flag, const void *name, + unsigned int sizeof_name) { - if (sizeof_name == 0 || name == NULL || crt == NULL) - { - return GNUTLS_E_INVALID_REQUEST; - } + if (sizeof_name == 0 || name == NULL || crt == NULL) { + return GNUTLS_E_INVALID_REQUEST; + } - return _gnutls_x509_set_dn_oid (crt->cert, "tbsCertificate.subject", - oid, raw_flag, name, sizeof_name); + return _gnutls_x509_set_dn_oid(crt->cert, "tbsCertificate.subject", + oid, raw_flag, name, sizeof_name); } /** @@ -97,19 +96,18 @@ gnutls_x509_crt_set_dn_by_oid (gnutls_x509_crt_t crt, const char *oid, * negative error value. **/ int -gnutls_x509_crt_set_issuer_dn_by_oid (gnutls_x509_crt_t crt, - const char *oid, - unsigned int raw_flag, - const void *name, - unsigned int sizeof_name) +gnutls_x509_crt_set_issuer_dn_by_oid(gnutls_x509_crt_t crt, + const char *oid, + unsigned int raw_flag, + const void *name, + unsigned int sizeof_name) { - if (sizeof_name == 0 || name == NULL || crt == NULL) - { - return GNUTLS_E_INVALID_REQUEST; - } + if (sizeof_name == 0 || name == NULL || crt == NULL) { + return GNUTLS_E_INVALID_REQUEST; + } - return _gnutls_x509_set_dn_oid (crt->cert, "tbsCertificate.issuer", oid, - raw_flag, name, sizeof_name); + return _gnutls_x509_set_dn_oid(crt->cert, "tbsCertificate.issuer", + oid, raw_flag, name, sizeof_name); } /** @@ -130,33 +128,33 @@ gnutls_x509_crt_set_issuer_dn_by_oid (gnutls_x509_crt_t crt, * negative error value. **/ int -gnutls_x509_crt_set_proxy_dn (gnutls_x509_crt_t crt, gnutls_x509_crt_t eecrt, - unsigned int raw_flag, const void *name, - unsigned int sizeof_name) +gnutls_x509_crt_set_proxy_dn(gnutls_x509_crt_t crt, + gnutls_x509_crt_t eecrt, + unsigned int raw_flag, const void *name, + unsigned int sizeof_name) { - int result; - - if (crt == NULL || eecrt == NULL) - { - return GNUTLS_E_INVALID_REQUEST; - } - - result = asn1_copy_node (crt->cert, "tbsCertificate.subject", - eecrt->cert, "tbsCertificate.subject"); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - if (name && sizeof_name) - { - return _gnutls_x509_set_dn_oid (crt->cert, "tbsCertificate.subject", - GNUTLS_OID_X520_COMMON_NAME, - raw_flag, name, sizeof_name); - } - - return 0; + int result; + + if (crt == NULL || eecrt == NULL) { + return GNUTLS_E_INVALID_REQUEST; + } + + result = asn1_copy_node(crt->cert, "tbsCertificate.subject", + eecrt->cert, "tbsCertificate.subject"); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + if (name && sizeof_name) { + return _gnutls_x509_set_dn_oid(crt->cert, + "tbsCertificate.subject", + GNUTLS_OID_X520_COMMON_NAME, + raw_flag, name, + sizeof_name); + } + + return 0; } /** @@ -177,28 +175,28 @@ gnutls_x509_crt_set_proxy_dn (gnutls_x509_crt_t crt, gnutls_x509_crt_t eecrt, * negative error value. **/ int -gnutls_x509_crt_set_version (gnutls_x509_crt_t crt, unsigned int version) +gnutls_x509_crt_set_version(gnutls_x509_crt_t crt, unsigned int version) { - int result; - unsigned char null = version; - - if (crt == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - if (null > 0) - null--; - - result = asn1_write_value (crt->cert, "tbsCertificate.version", &null, 1); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - return 0; + int result; + unsigned char null = version; + + if (crt == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + if (null > 0) + null--; + + result = + asn1_write_value(crt->cert, "tbsCertificate.version", &null, + 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + return 0; } /** @@ -215,28 +213,26 @@ gnutls_x509_crt_set_version (gnutls_x509_crt_t crt, unsigned int version) * **/ int -gnutls_x509_crt_set_key (gnutls_x509_crt_t crt, gnutls_x509_privkey_t key) +gnutls_x509_crt_set_key(gnutls_x509_crt_t crt, gnutls_x509_privkey_t key) { - int result; - - if (crt == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - result = _gnutls_x509_encode_and_copy_PKI_params (crt->cert, - "tbsCertificate.subjectPublicKeyInfo", - key->pk_algorithm, - &key->params); - - if (result < 0) - { - gnutls_assert (); - return result; - } - - return 0; + int result; + + if (crt == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + result = _gnutls_x509_encode_and_copy_PKI_params(crt->cert, + "tbsCertificate.subjectPublicKeyInfo", + key->pk_algorithm, + &key->params); + + if (result < 0) { + gnutls_assert(); + return result; + } + + return 0; } /** @@ -251,39 +247,37 @@ gnutls_x509_crt_set_key (gnutls_x509_crt_t crt, gnutls_x509_privkey_t key) * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a * negative error value. **/ -int -gnutls_x509_crt_set_crq (gnutls_x509_crt_t crt, gnutls_x509_crq_t crq) +int gnutls_x509_crt_set_crq(gnutls_x509_crt_t crt, gnutls_x509_crq_t crq) { - int result; - - if (crt == NULL || crq == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - result = gnutls_x509_crq_verify(crq, 0); - if (result < 0) - return gnutls_assert_val(result); - - result = asn1_copy_node (crt->cert, "tbsCertificate.subject", - crq->crq, "certificationRequestInfo.subject"); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - result = - asn1_copy_node (crt->cert, "tbsCertificate.subjectPublicKeyInfo", - crq->crq, "certificationRequestInfo.subjectPKInfo"); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - return 0; + int result; + + if (crt == NULL || crq == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + result = gnutls_x509_crq_verify(crq, 0); + if (result < 0) + return gnutls_assert_val(result); + + result = asn1_copy_node(crt->cert, "tbsCertificate.subject", + crq->crq, + "certificationRequestInfo.subject"); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + result = + asn1_copy_node(crt->cert, + "tbsCertificate.subjectPublicKeyInfo", crq->crq, + "certificationRequestInfo.subjectPKInfo"); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + return 0; } /** @@ -300,80 +294,78 @@ gnutls_x509_crt_set_crq (gnutls_x509_crt_t crt, gnutls_x509_crq_t crq) * Since: 2.8.0 **/ int -gnutls_x509_crt_set_crq_extensions (gnutls_x509_crt_t crt, - gnutls_x509_crq_t crq) +gnutls_x509_crt_set_crq_extensions(gnutls_x509_crt_t crt, + gnutls_x509_crq_t crq) { - size_t i; - - if (crt == NULL || crq == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - for (i = 0;; i++) - { - int result; - char oid[MAX_OID_SIZE]; - size_t oid_size; - uint8_t *extensions; - size_t extensions_size; - unsigned int critical; - gnutls_datum_t ext; - - oid_size = sizeof (oid); - result = gnutls_x509_crq_get_extension_info (crq, i, oid, - &oid_size, &critical); - if (result < 0) - { - if (result == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) - break; - - gnutls_assert (); - return result; - } - - extensions_size = 0; - result = gnutls_x509_crq_get_extension_data (crq, i, NULL, - &extensions_size); - if (result < 0) - { - gnutls_assert (); - return result; - } - - extensions = gnutls_malloc (extensions_size); - if (extensions == NULL) - { - gnutls_assert (); - return GNUTLS_E_MEMORY_ERROR; - } - - result = gnutls_x509_crq_get_extension_data (crq, i, extensions, - &extensions_size); - if (result < 0) - { - gnutls_assert (); - gnutls_free (extensions); - return result; - } - - ext.data = extensions; - ext.size = extensions_size; - - result = _gnutls_x509_crt_set_extension (crt, oid, &ext, critical); - gnutls_free (extensions); - if (result < 0) - { - gnutls_assert (); - return result; - } - } - - if (i > 0) - crt->use_extensions = 1; - - return 0; + size_t i; + + if (crt == NULL || crq == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + for (i = 0;; i++) { + int result; + char oid[MAX_OID_SIZE]; + size_t oid_size; + uint8_t *extensions; + size_t extensions_size; + unsigned int critical; + gnutls_datum_t ext; + + oid_size = sizeof(oid); + result = gnutls_x509_crq_get_extension_info(crq, i, oid, + &oid_size, + &critical); + if (result < 0) { + if (result == + GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) + break; + + gnutls_assert(); + return result; + } + + extensions_size = 0; + result = gnutls_x509_crq_get_extension_data(crq, i, NULL, + &extensions_size); + if (result < 0) { + gnutls_assert(); + return result; + } + + extensions = gnutls_malloc(extensions_size); + if (extensions == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + result = + gnutls_x509_crq_get_extension_data(crq, i, extensions, + &extensions_size); + if (result < 0) { + gnutls_assert(); + gnutls_free(extensions); + return result; + } + + ext.data = extensions; + ext.size = extensions_size; + + result = + _gnutls_x509_crt_set_extension(crt, oid, &ext, + critical); + gnutls_free(extensions); + if (result < 0) { + gnutls_assert(); + return result; + } + } + + if (i > 0) + crt->use_extensions = 1; + + return 0; } /** @@ -392,33 +384,32 @@ gnutls_x509_crt_set_crq_extensions (gnutls_x509_crt_t crt, * negative error value. **/ int -gnutls_x509_crt_set_extension_by_oid (gnutls_x509_crt_t crt, - const char *oid, const void *buf, - size_t sizeof_buf, - unsigned int critical) +gnutls_x509_crt_set_extension_by_oid(gnutls_x509_crt_t crt, + const char *oid, const void *buf, + size_t sizeof_buf, + unsigned int critical) { - int result; - gnutls_datum_t der_data; + int result; + gnutls_datum_t der_data; - der_data.data = (void *) buf; - der_data.size = sizeof_buf; + der_data.data = (void *) buf; + der_data.size = sizeof_buf; - if (crt == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } + if (crt == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - result = _gnutls_x509_crt_set_extension (crt, oid, &der_data, critical); - if (result < 0) - { - gnutls_assert (); - return result; - } + result = + _gnutls_x509_crt_set_extension(crt, oid, &der_data, critical); + if (result < 0) { + gnutls_assert(); + return result; + } - crt->use_extensions = 1; + crt->use_extensions = 1; - return 0; + return 0; } @@ -436,41 +427,41 @@ gnutls_x509_crt_set_extension_by_oid (gnutls_x509_crt_t crt, * negative error value. **/ int -gnutls_x509_crt_set_basic_constraints (gnutls_x509_crt_t crt, - unsigned int ca, int pathLenConstraint) +gnutls_x509_crt_set_basic_constraints(gnutls_x509_crt_t crt, + unsigned int ca, + int pathLenConstraint) { - int result; - gnutls_datum_t der_data; - - if (crt == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - /* generate the extension. - */ - result = _gnutls_x509_ext_gen_basicConstraints (ca, pathLenConstraint, - &der_data); - if (result < 0) - { - gnutls_assert (); - return result; - } - - result = _gnutls_x509_crt_set_extension (crt, "2.5.29.19", &der_data, 1); - - _gnutls_free_datum (&der_data); - - if (result < 0) - { - gnutls_assert (); - return result; - } - - crt->use_extensions = 1; - - return 0; + int result; + gnutls_datum_t der_data; + + if (crt == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + /* generate the extension. + */ + result = + _gnutls_x509_ext_gen_basicConstraints(ca, pathLenConstraint, + &der_data); + if (result < 0) { + gnutls_assert(); + return result; + } + + result = + _gnutls_x509_crt_set_extension(crt, "2.5.29.19", &der_data, 1); + + _gnutls_free_datum(&der_data); + + if (result < 0) { + gnutls_assert(); + return result; + } + + crt->use_extensions = 1; + + return 0; } /** @@ -485,10 +476,9 @@ gnutls_x509_crt_set_basic_constraints (gnutls_x509_crt_t crt, * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a * negative error value. **/ -int -gnutls_x509_crt_set_ca_status (gnutls_x509_crt_t crt, unsigned int ca) +int gnutls_x509_crt_set_ca_status(gnutls_x509_crt_t crt, unsigned int ca) { - return gnutls_x509_crt_set_basic_constraints (crt, ca, -1); + return gnutls_x509_crt_set_basic_constraints(crt, ca, -1); } /** @@ -502,39 +492,38 @@ gnutls_x509_crt_set_ca_status (gnutls_x509_crt_t crt, unsigned int ca) * negative error value. **/ int -gnutls_x509_crt_set_key_usage (gnutls_x509_crt_t crt, unsigned int usage) +gnutls_x509_crt_set_key_usage(gnutls_x509_crt_t crt, unsigned int usage) { - int result; - gnutls_datum_t der_data; + int result; + gnutls_datum_t der_data; - if (crt == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } + if (crt == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - /* generate the extension. - */ - result = _gnutls_x509_ext_gen_keyUsage ((uint16_t) usage, &der_data); - if (result < 0) - { - gnutls_assert (); - return result; - } + /* generate the extension. + */ + result = + _gnutls_x509_ext_gen_keyUsage((uint16_t) usage, &der_data); + if (result < 0) { + gnutls_assert(); + return result; + } - result = _gnutls_x509_crt_set_extension (crt, "2.5.29.15", &der_data, 1); + result = + _gnutls_x509_crt_set_extension(crt, "2.5.29.15", &der_data, 1); - _gnutls_free_datum (&der_data); + _gnutls_free_datum(&der_data); - if (result < 0) - { - gnutls_assert (); - return result; - } + if (result < 0) { + gnutls_assert(); + return result; + } - crt->use_extensions = 1; + crt->use_extensions = 1; - return 0; + return 0; } /** @@ -554,27 +543,25 @@ gnutls_x509_crt_set_key_usage (gnutls_x509_crt_t crt, unsigned int usage) * negative error value. **/ int -gnutls_x509_crt_set_subject_alternative_name (gnutls_x509_crt_t crt, - gnutls_x509_subject_alt_name_t - type, const char *data_string) +gnutls_x509_crt_set_subject_alternative_name(gnutls_x509_crt_t crt, + gnutls_x509_subject_alt_name_t + type, const char *data_string) { - if (crt == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - /* only handle text extensions */ - if (type != GNUTLS_SAN_DNSNAME && type != GNUTLS_SAN_RFC822NAME && - type != GNUTLS_SAN_URI) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - return gnutls_x509_crt_set_subject_alt_name (crt, type, data_string, - strlen (data_string), - GNUTLS_FSAN_SET); + if (crt == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + /* only handle text extensions */ + if (type != GNUTLS_SAN_DNSNAME && type != GNUTLS_SAN_RFC822NAME && + type != GNUTLS_SAN_URI) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + return gnutls_x509_crt_set_subject_alt_name(crt, type, data_string, + strlen(data_string), + GNUTLS_FSAN_SET); } /** @@ -604,69 +591,70 @@ gnutls_x509_crt_set_subject_alternative_name (gnutls_x509_crt_t crt, * Since: 2.6.0 **/ int -gnutls_x509_crt_set_subject_alt_name (gnutls_x509_crt_t crt, - gnutls_x509_subject_alt_name_t type, - const void *data, - unsigned int data_size, - unsigned int flags) +gnutls_x509_crt_set_subject_alt_name(gnutls_x509_crt_t crt, + gnutls_x509_subject_alt_name_t type, + const void *data, + unsigned int data_size, + unsigned int flags) { - int result; - gnutls_datum_t der_data = { NULL, 0 }; - gnutls_datum_t prev_der_data = { NULL, 0 }; - unsigned int critical = 0; - - if (crt == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - /* Check if the extension already exists. - */ - - if (flags == GNUTLS_FSAN_APPEND) - { - result = _gnutls_x509_crt_get_extension (crt, "2.5.29.17", 0, - &prev_der_data, &critical); - if (result < 0 && result != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) - { - gnutls_assert (); - return result; - } - } - - /* generate the extension. - */ - result = _gnutls_x509_ext_gen_subject_alt_name (type, data, data_size, - &prev_der_data, &der_data); - - if (flags == GNUTLS_FSAN_APPEND) - _gnutls_free_datum (&prev_der_data); - - if (result < 0) - { - gnutls_assert (); - goto finish; - } - - result = _gnutls_x509_crt_set_extension (crt, "2.5.29.17", &der_data, - critical); - - _gnutls_free_datum (&der_data); - - if (result < 0) - { - gnutls_assert (); - return result; - } - - crt->use_extensions = 1; - - return 0; - -finish: - _gnutls_free_datum (&prev_der_data); - return result; + int result; + gnutls_datum_t der_data = { NULL, 0 }; + gnutls_datum_t prev_der_data = { NULL, 0 }; + unsigned int critical = 0; + + if (crt == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + /* Check if the extension already exists. + */ + + if (flags == GNUTLS_FSAN_APPEND) { + result = + _gnutls_x509_crt_get_extension(crt, "2.5.29.17", 0, + &prev_der_data, + &critical); + if (result < 0 + && result != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { + gnutls_assert(); + return result; + } + } + + /* generate the extension. + */ + result = + _gnutls_x509_ext_gen_subject_alt_name(type, data, data_size, + &prev_der_data, + &der_data); + + if (flags == GNUTLS_FSAN_APPEND) + _gnutls_free_datum(&prev_der_data); + + if (result < 0) { + gnutls_assert(); + goto finish; + } + + result = + _gnutls_x509_crt_set_extension(crt, "2.5.29.17", &der_data, + critical); + + _gnutls_free_datum(&der_data); + + if (result < 0) { + gnutls_assert(); + return result; + } + + crt->use_extensions = 1; + + return 0; + + finish: + _gnutls_free_datum(&prev_der_data); + return result; } /** @@ -685,46 +673,43 @@ finish: * negative error value. **/ int -gnutls_x509_crt_set_proxy (gnutls_x509_crt_t crt, - int pathLenConstraint, - const char *policyLanguage, - const char *policy, size_t sizeof_policy) +gnutls_x509_crt_set_proxy(gnutls_x509_crt_t crt, + int pathLenConstraint, + const char *policyLanguage, + const char *policy, size_t sizeof_policy) { - int result; - gnutls_datum_t der_data; - - if (crt == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - /* generate the extension. - */ - result = _gnutls_x509_ext_gen_proxyCertInfo (pathLenConstraint, - policyLanguage, - policy, sizeof_policy, - &der_data); - if (result < 0) - { - gnutls_assert (); - return result; - } - - result = _gnutls_x509_crt_set_extension (crt, "1.3.6.1.5.5.7.1.14", - &der_data, 1); - - _gnutls_free_datum (&der_data); - - if (result < 0) - { - gnutls_assert (); - return result; - } - - crt->use_extensions = 1; - - return 0; + int result; + gnutls_datum_t der_data; + + if (crt == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + /* generate the extension. + */ + result = _gnutls_x509_ext_gen_proxyCertInfo(pathLenConstraint, + policyLanguage, + policy, sizeof_policy, + &der_data); + if (result < 0) { + gnutls_assert(); + return result; + } + + result = _gnutls_x509_crt_set_extension(crt, "1.3.6.1.5.5.7.1.14", + &der_data, 1); + + _gnutls_free_datum(&der_data); + + if (result < 0) { + gnutls_assert(); + return result; + } + + crt->use_extensions = 1; + + return 0; } /** @@ -739,64 +724,56 @@ gnutls_x509_crt_set_proxy (gnutls_x509_crt_t crt, * negative error value. **/ int -gnutls_x509_crt_set_private_key_usage_period (gnutls_x509_crt_t crt, - time_t activation, - time_t expiration) +gnutls_x509_crt_set_private_key_usage_period(gnutls_x509_crt_t crt, + time_t activation, + time_t expiration) { - int result; - gnutls_datum_t der_data; - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - - if (crt == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - result = - asn1_create_element (_gnutls_get_pkix (), "PKIX1.PrivateKeyUsagePeriod", &c2); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - result = _gnutls_x509_set_time (c2, - "notBefore", - activation, 1); - if (result < 0) - { - gnutls_assert(); - goto cleanup; - } - - result = _gnutls_x509_set_time (c2, - "notAfter", - expiration, 1); - if (result < 0) - { - gnutls_assert(); - goto cleanup; - } - - result = _gnutls_x509_der_encode (c2, "", &der_data, 0); - if (result < 0) - { - gnutls_assert(); - goto cleanup; - } - - result = _gnutls_x509_crt_set_extension (crt, "2.5.29.16", - &der_data, 0); - - _gnutls_free_datum(&der_data); - - crt->use_extensions = 1; - -cleanup: - asn1_delete_structure (&c2); - - return result; + int result; + gnutls_datum_t der_data; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + + if (crt == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + result = + asn1_create_element(_gnutls_get_pkix(), + "PKIX1.PrivateKeyUsagePeriod", &c2); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + result = _gnutls_x509_set_time(c2, "notBefore", activation, 1); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + result = _gnutls_x509_set_time(c2, "notAfter", expiration, 1); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + result = _gnutls_x509_der_encode(c2, "", &der_data, 0); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + result = _gnutls_x509_crt_set_extension(crt, "2.5.29.16", + &der_data, 0); + + _gnutls_free_datum(&der_data); + + crt->use_extensions = 1; + + cleanup: + asn1_delete_structure(&c2); + + return result; } /** @@ -817,46 +794,43 @@ cleanup: * negative error value. **/ int -gnutls_x509_crt_sign2 (gnutls_x509_crt_t crt, gnutls_x509_crt_t issuer, - gnutls_x509_privkey_t issuer_key, - gnutls_digest_algorithm_t dig, unsigned int flags) +gnutls_x509_crt_sign2(gnutls_x509_crt_t crt, gnutls_x509_crt_t issuer, + gnutls_x509_privkey_t issuer_key, + gnutls_digest_algorithm_t dig, unsigned int flags) { - int result; - gnutls_privkey_t privkey; - - if (crt == NULL || issuer == NULL || issuer_key == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - result = gnutls_privkey_init (&privkey); - if (result < 0) - { - gnutls_assert (); - return result; - } - - result = gnutls_privkey_import_x509 (privkey, issuer_key, 0); - if (result < 0) - { - gnutls_assert (); - goto fail; - } - - result = gnutls_x509_crt_privkey_sign (crt, issuer, privkey, dig, flags); - if (result < 0) - { - gnutls_assert (); - goto fail; - } - - result = 0; - -fail: - gnutls_privkey_deinit (privkey); - - return result; + int result; + gnutls_privkey_t privkey; + + if (crt == NULL || issuer == NULL || issuer_key == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + result = gnutls_privkey_init(&privkey); + if (result < 0) { + gnutls_assert(); + return result; + } + + result = gnutls_privkey_import_x509(privkey, issuer_key, 0); + if (result < 0) { + gnutls_assert(); + goto fail; + } + + result = + gnutls_x509_crt_privkey_sign(crt, issuer, privkey, dig, flags); + if (result < 0) { + gnutls_assert(); + goto fail; + } + + result = 0; + + fail: + gnutls_privkey_deinit(privkey); + + return result; } /** @@ -872,10 +846,11 @@ fail: * negative error value. **/ int -gnutls_x509_crt_sign (gnutls_x509_crt_t crt, gnutls_x509_crt_t issuer, - gnutls_x509_privkey_t issuer_key) +gnutls_x509_crt_sign(gnutls_x509_crt_t crt, gnutls_x509_crt_t issuer, + gnutls_x509_privkey_t issuer_key) { - return gnutls_x509_crt_sign2 (crt, issuer, issuer_key, GNUTLS_DIG_SHA1, 0); + return gnutls_x509_crt_sign2(crt, issuer, issuer_key, + GNUTLS_DIG_SHA1, 0); } /** @@ -890,17 +865,17 @@ gnutls_x509_crt_sign (gnutls_x509_crt_t crt, gnutls_x509_crt_t issuer, * negative error value. **/ int -gnutls_x509_crt_set_activation_time (gnutls_x509_crt_t cert, time_t act_time) +gnutls_x509_crt_set_activation_time(gnutls_x509_crt_t cert, + time_t act_time) { - if (cert == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - return _gnutls_x509_set_time (cert->cert, - "tbsCertificate.validity.notBefore", - act_time, 0); + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + return _gnutls_x509_set_time(cert->cert, + "tbsCertificate.validity.notBefore", + act_time, 0); } /** @@ -914,15 +889,16 @@ gnutls_x509_crt_set_activation_time (gnutls_x509_crt_t cert, time_t act_time) * negative error value. **/ int -gnutls_x509_crt_set_expiration_time (gnutls_x509_crt_t cert, time_t exp_time) +gnutls_x509_crt_set_expiration_time(gnutls_x509_crt_t cert, + time_t exp_time) { - if (cert == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - return _gnutls_x509_set_time (cert->cert, - "tbsCertificate.validity.notAfter", exp_time, 0); + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + return _gnutls_x509_set_time(cert->cert, + "tbsCertificate.validity.notAfter", + exp_time, 0); } /** @@ -942,48 +918,47 @@ gnutls_x509_crt_set_expiration_time (gnutls_x509_crt_t cert, time_t exp_time) * negative error value. **/ int -gnutls_x509_crt_set_serial (gnutls_x509_crt_t cert, const void *serial, - size_t serial_size) +gnutls_x509_crt_set_serial(gnutls_x509_crt_t cert, const void *serial, + size_t serial_size) { - int ret; + int ret; - if (cert == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - ret = - asn1_write_value (cert->cert, "tbsCertificate.serialNumber", serial, - serial_size); - if (ret != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (ret); - } + ret = + asn1_write_value(cert->cert, "tbsCertificate.serialNumber", + serial, serial_size); + if (ret != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(ret); + } - return 0; + return 0; } /* If OPTIONAL fields have not been initialized then * disable them. */ -static void -disable_optional_stuff (gnutls_x509_crt_t cert) +static void disable_optional_stuff(gnutls_x509_crt_t cert) { - asn1_write_value (cert->cert, "tbsCertificate.issuerUniqueID", NULL, 0); + asn1_write_value(cert->cert, "tbsCertificate.issuerUniqueID", NULL, + 0); - asn1_write_value (cert->cert, "tbsCertificate.subjectUniqueID", NULL, 0); + asn1_write_value(cert->cert, "tbsCertificate.subjectUniqueID", + NULL, 0); - if (cert->use_extensions == 0) - { - _gnutls_debug_log ("Disabling X.509 extensions.\n"); - asn1_write_value (cert->cert, "tbsCertificate.extensions", NULL, 0); - } + if (cert->use_extensions == 0) { + _gnutls_debug_log("Disabling X.509 extensions.\n"); + asn1_write_value(cert->cert, "tbsCertificate.extensions", + NULL, 0); + } - return; + return; } /** @@ -999,14 +974,14 @@ disable_optional_stuff (gnutls_x509_crt_t cert) * negative error value. **/ int -gnutls_x509_crt_set_crl_dist_points (gnutls_x509_crt_t crt, - gnutls_x509_subject_alt_name_t type, - const void *data_string, - unsigned int reason_flags) +gnutls_x509_crt_set_crl_dist_points(gnutls_x509_crt_t crt, + gnutls_x509_subject_alt_name_t type, + const void *data_string, + unsigned int reason_flags) { - return gnutls_x509_crt_set_crl_dist_points2 (crt, type, data_string, - strlen (data_string), - reason_flags); + return gnutls_x509_crt_set_crl_dist_points2(crt, type, data_string, + strlen(data_string), + reason_flags); } /** @@ -1025,60 +1000,58 @@ gnutls_x509_crt_set_crl_dist_points (gnutls_x509_crt_t crt, * Since: 2.6.0 **/ int -gnutls_x509_crt_set_crl_dist_points2 (gnutls_x509_crt_t crt, - gnutls_x509_subject_alt_name_t type, - const void *data, - unsigned int data_size, - unsigned int reason_flags) +gnutls_x509_crt_set_crl_dist_points2(gnutls_x509_crt_t crt, + gnutls_x509_subject_alt_name_t type, + const void *data, + unsigned int data_size, + unsigned int reason_flags) { - int result; - gnutls_datum_t der_data = { NULL, 0 }; - gnutls_datum_t oldname = { NULL, 0 }; - unsigned int critical; - - if (crt == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - /* Check if the extension already exists. - */ - result = - _gnutls_x509_crt_get_extension (crt, "2.5.29.31", 0, &oldname, &critical); - - _gnutls_free_datum (&oldname); - - if (result != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - /* generate the extension. - */ - result = - _gnutls_x509_ext_gen_crl_dist_points (type, data, data_size, - reason_flags, &der_data); - if (result < 0) - { - gnutls_assert (); - return result; - } - - result = _gnutls_x509_crt_set_extension (crt, "2.5.29.31", &der_data, 0); - - _gnutls_free_datum (&der_data); - - if (result < 0) - { - gnutls_assert (); - return result; - } - - crt->use_extensions = 1; - - return 0; + int result; + gnutls_datum_t der_data = { NULL, 0 }; + gnutls_datum_t oldname = { NULL, 0 }; + unsigned int critical; + + if (crt == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + /* Check if the extension already exists. + */ + result = + _gnutls_x509_crt_get_extension(crt, "2.5.29.31", 0, &oldname, + &critical); + + _gnutls_free_datum(&oldname); + + if (result != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + /* generate the extension. + */ + result = + _gnutls_x509_ext_gen_crl_dist_points(type, data, data_size, + reason_flags, &der_data); + if (result < 0) { + gnutls_assert(); + return result; + } + + result = + _gnutls_x509_crt_set_extension(crt, "2.5.29.31", &der_data, 0); + + _gnutls_free_datum(&der_data); + + if (result < 0) { + gnutls_assert(); + return result; + } + + crt->use_extensions = 1; + + return 0; } @@ -1095,43 +1068,41 @@ gnutls_x509_crt_set_crl_dist_points2 (gnutls_x509_crt_t crt, * negative error value. **/ int -gnutls_x509_crt_cpy_crl_dist_points (gnutls_x509_crt_t dst, - gnutls_x509_crt_t src) +gnutls_x509_crt_cpy_crl_dist_points(gnutls_x509_crt_t dst, + gnutls_x509_crt_t src) { - int result; - gnutls_datum_t der_data; - unsigned int critical; - - if (dst == NULL || src == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - /* Check if the extension already exists. - */ - result = - _gnutls_x509_crt_get_extension (src, "2.5.29.31", 0, &der_data, - &critical); - if (result < 0) - { - gnutls_assert (); - return result; - } - - result = - _gnutls_x509_crt_set_extension (dst, "2.5.29.31", &der_data, critical); - _gnutls_free_datum (&der_data); - - if (result < 0) - { - gnutls_assert (); - return result; - } - - dst->use_extensions = 1; - - return 0; + int result; + gnutls_datum_t der_data; + unsigned int critical; + + if (dst == NULL || src == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + /* Check if the extension already exists. + */ + result = + _gnutls_x509_crt_get_extension(src, "2.5.29.31", 0, &der_data, + &critical); + if (result < 0) { + gnutls_assert(); + return result; + } + + result = + _gnutls_x509_crt_set_extension(dst, "2.5.29.31", &der_data, + critical); + _gnutls_free_datum(&der_data); + + if (result < 0) { + gnutls_assert(); + return result; + } + + dst->use_extensions = 1; + + return 0; } /** @@ -1147,54 +1118,53 @@ gnutls_x509_crt_cpy_crl_dist_points (gnutls_x509_crt_t dst, * negative error value. **/ int -gnutls_x509_crt_set_subject_key_id (gnutls_x509_crt_t cert, - const void *id, size_t id_size) +gnutls_x509_crt_set_subject_key_id(gnutls_x509_crt_t cert, + const void *id, size_t id_size) { - int result; - gnutls_datum_t old_id, der_data; - unsigned int critical; - - if (cert == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - /* Check if the extension already exists. - */ - result = - _gnutls_x509_crt_get_extension (cert, "2.5.29.14", 0, &old_id, &critical); - - if (result >= 0) - _gnutls_free_datum (&old_id); - if (result != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - /* generate the extension. - */ - result = _gnutls_x509_ext_gen_key_id (id, id_size, &der_data); - if (result < 0) - { - gnutls_assert (); - return result; - } - - result = _gnutls_x509_crt_set_extension (cert, "2.5.29.14", &der_data, 0); - - _gnutls_free_datum (&der_data); - - if (result < 0) - { - gnutls_assert (); - return result; - } - - cert->use_extensions = 1; - - return 0; + int result; + gnutls_datum_t old_id, der_data; + unsigned int critical; + + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + /* Check if the extension already exists. + */ + result = + _gnutls_x509_crt_get_extension(cert, "2.5.29.14", 0, &old_id, + &critical); + + if (result >= 0) + _gnutls_free_datum(&old_id); + if (result != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + /* generate the extension. + */ + result = _gnutls_x509_ext_gen_key_id(id, id_size, &der_data); + if (result < 0) { + gnutls_assert(); + return result; + } + + result = + _gnutls_x509_crt_set_extension(cert, "2.5.29.14", &der_data, + 0); + + _gnutls_free_datum(&der_data); + + if (result < 0) { + gnutls_assert(); + return result; + } + + cert->use_extensions = 1; + + return 0; } /** @@ -1210,54 +1180,53 @@ gnutls_x509_crt_set_subject_key_id (gnutls_x509_crt_t cert, * negative error value. **/ int -gnutls_x509_crt_set_authority_key_id (gnutls_x509_crt_t cert, - const void *id, size_t id_size) +gnutls_x509_crt_set_authority_key_id(gnutls_x509_crt_t cert, + const void *id, size_t id_size) { - int result; - gnutls_datum_t old_id, der_data; - unsigned int critical; - - if (cert == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - /* Check if the extension already exists. - */ - result = - _gnutls_x509_crt_get_extension (cert, "2.5.29.35", 0, &old_id, &critical); - - if (result >= 0) - _gnutls_free_datum (&old_id); - if (result != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - /* generate the extension. - */ - result = _gnutls_x509_ext_gen_auth_key_id (id, id_size, &der_data); - if (result < 0) - { - gnutls_assert (); - return result; - } - - result = _gnutls_x509_crt_set_extension (cert, "2.5.29.35", &der_data, 0); - - _gnutls_free_datum (&der_data); - - if (result < 0) - { - gnutls_assert (); - return result; - } - - cert->use_extensions = 1; - - return 0; + int result; + gnutls_datum_t old_id, der_data; + unsigned int critical; + + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + /* Check if the extension already exists. + */ + result = + _gnutls_x509_crt_get_extension(cert, "2.5.29.35", 0, &old_id, + &critical); + + if (result >= 0) + _gnutls_free_datum(&old_id); + if (result != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + /* generate the extension. + */ + result = _gnutls_x509_ext_gen_auth_key_id(id, id_size, &der_data); + if (result < 0) { + gnutls_assert(); + return result; + } + + result = + _gnutls_x509_crt_set_extension(cert, "2.5.29.35", &der_data, + 0); + + _gnutls_free_datum(&der_data); + + if (result < 0) { + gnutls_assert(); + return result; + } + + cert->use_extensions = 1; + + return 0; } /** @@ -1276,93 +1245,87 @@ gnutls_x509_crt_set_authority_key_id (gnutls_x509_crt_t cert, * otherwise a negative error code is returned. **/ int -gnutls_x509_crt_set_key_purpose_oid (gnutls_x509_crt_t cert, - const void *oid, unsigned int critical) +gnutls_x509_crt_set_key_purpose_oid(gnutls_x509_crt_t cert, + const void *oid, unsigned int critical) { - int result; - gnutls_datum_t old_id, der_data; - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - - if (cert == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - result = asn1_create_element - (_gnutls_get_pkix (), "PKIX1.ExtKeyUsageSyntax", &c2); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - /* Check if the extension already exists. - */ - result = - _gnutls_x509_crt_get_extension (cert, "2.5.29.37", 0, &old_id, NULL); - - if (result >= 0) - { - /* decode it. - */ - result = asn1_der_decoding (&c2, old_id.data, old_id.size, NULL); - _gnutls_free_datum (&old_id); - - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - asn1_delete_structure (&c2); - return _gnutls_asn2err (result); - } - - } - - /* generate the extension. - */ - /* 1. create a new element. - */ - result = asn1_write_value (c2, "", "NEW", 1); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - asn1_delete_structure (&c2); - return _gnutls_asn2err (result); - } - - /* 2. Add the OID. - */ - result = asn1_write_value (c2, "?LAST", oid, 1); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - asn1_delete_structure (&c2); - return _gnutls_asn2err (result); - } - - result = _gnutls_x509_der_encode (c2, "", &der_data, 0); - asn1_delete_structure (&c2); - - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (result); - } - - result = _gnutls_x509_crt_set_extension (cert, "2.5.29.37", - &der_data, critical); - - _gnutls_free_datum (&der_data); - - if (result < 0) - { - gnutls_assert (); - return result; - } - - cert->use_extensions = 1; - - return 0; + int result; + gnutls_datum_t old_id, der_data; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + + if (cert == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + result = asn1_create_element + (_gnutls_get_pkix(), "PKIX1.ExtKeyUsageSyntax", &c2); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + /* Check if the extension already exists. + */ + result = + _gnutls_x509_crt_get_extension(cert, "2.5.29.37", 0, &old_id, + NULL); + + if (result >= 0) { + /* decode it. + */ + result = + asn1_der_decoding(&c2, old_id.data, old_id.size, NULL); + _gnutls_free_datum(&old_id); + + if (result != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(&c2); + return _gnutls_asn2err(result); + } + + } + + /* generate the extension. + */ + /* 1. create a new element. + */ + result = asn1_write_value(c2, "", "NEW", 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(&c2); + return _gnutls_asn2err(result); + } + + /* 2. Add the OID. + */ + result = asn1_write_value(c2, "?LAST", oid, 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + asn1_delete_structure(&c2); + return _gnutls_asn2err(result); + } + + result = _gnutls_x509_der_encode(c2, "", &der_data, 0); + asn1_delete_structure(&c2); + + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + result = _gnutls_x509_crt_set_extension(cert, "2.5.29.37", + &der_data, critical); + + _gnutls_free_datum(&der_data); + + if (result < 0) { + gnutls_assert(); + return result; + } + + cert->use_extensions = 1; + + return 0; } @@ -1384,45 +1347,43 @@ gnutls_x509_crt_set_key_purpose_oid (gnutls_x509_crt_t cert, * negative error value. **/ int -gnutls_x509_crt_privkey_sign (gnutls_x509_crt_t crt, gnutls_x509_crt_t issuer, - gnutls_privkey_t issuer_key, - gnutls_digest_algorithm_t dig, - unsigned int flags) +gnutls_x509_crt_privkey_sign(gnutls_x509_crt_t crt, + gnutls_x509_crt_t issuer, + gnutls_privkey_t issuer_key, + gnutls_digest_algorithm_t dig, + unsigned int flags) { - int result; - - if (crt == NULL || issuer == NULL || issuer_key == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - /* disable all the unneeded OPTIONAL fields. - */ - disable_optional_stuff (crt); - - result = _gnutls_x509_pkix_sign (crt->cert, "tbsCertificate", - dig, issuer, issuer_key); - if (result < 0) - { - gnutls_assert (); - return result; - } - - return 0; + int result; + + if (crt == NULL || issuer == NULL || issuer_key == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + /* disable all the unneeded OPTIONAL fields. + */ + disable_optional_stuff(crt); + + result = _gnutls_x509_pkix_sign(crt->cert, "tbsCertificate", + dig, issuer, issuer_key); + if (result < 0) { + gnutls_assert(); + return result; + } + + return 0; } -static const char* what_to_oid(int what) +static const char *what_to_oid(int what) { - switch(what) - { - case GNUTLS_IA_OCSP_URI: - return GNUTLS_OID_AD_OCSP; - case GNUTLS_IA_CAISSUERS_URI: - return GNUTLS_OID_AD_CAISSUERS; - default: - return NULL; - } + switch (what) { + case GNUTLS_IA_OCSP_URI: + return GNUTLS_OID_AD_OCSP; + case GNUTLS_IA_CAISSUERS_URI: + return GNUTLS_OID_AD_CAISSUERS; + default: + return NULL; + } } /** @@ -1447,161 +1408,152 @@ static const char* what_to_oid(int what) * Since: 3.0 **/ int -gnutls_x509_crt_set_authority_info_access (gnutls_x509_crt_t crt, - int what, - gnutls_datum_t * data) +gnutls_x509_crt_set_authority_info_access(gnutls_x509_crt_t crt, + int what, gnutls_datum_t * data) { - int ret, result; - gnutls_datum_t aia = { NULL, 0 }; - gnutls_datum_t der_data = { NULL, 0 }; - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - const char* oid; - unsigned int c; - - if (crt == NULL) - return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); - - oid = what_to_oid(what); - if (oid == NULL) - return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); - - ret = asn1_create_element (_gnutls_get_pkix (), - "PKIX1.AuthorityInfoAccessSyntax", &c2); - if (ret != ASN1_SUCCESS) - { - gnutls_assert (); - return _gnutls_asn2err (ret); - } - - ret = _gnutls_x509_crt_get_extension (crt, GNUTLS_OID_AIA, 0, &aia, - &c); - if (ret >= 0) /* decode it */ - { - ret = asn1_der_decoding (&c2, aia.data, aia.size, NULL); - if (ret != ASN1_SUCCESS) - { - gnutls_assert (); - ret = _gnutls_asn2err (ret); - goto cleanup; - } - } - - /* generate the extension. - */ - /* 1. create a new element. - */ - result = asn1_write_value (c2, "", "NEW", 1); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - ret = _gnutls_asn2err (result); - goto cleanup; - } - - /* 2. Add the OID. - */ - result = asn1_write_value (c2, "?LAST.accessMethod", oid, 1); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - ret = _gnutls_asn2err (result); - goto cleanup; - } - - /* accessLocation is a choice */ - result = asn1_write_value (c2, "?LAST.accessLocation", "uniformResourceIdentifier", 1); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - ret = _gnutls_asn2err (result); - goto cleanup; - } - - result = asn1_write_value (c2, "?LAST.accessLocation.uniformResourceIdentifier", data->data, data->size); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - ret = _gnutls_asn2err (result); - goto cleanup; - } - - ret = _gnutls_x509_der_encode (c2, "", &der_data, 0); - if (ret < 0) - { - gnutls_assert (); - goto cleanup; - } - - ret = _gnutls_x509_crt_set_extension (crt, GNUTLS_OID_AIA, - &der_data, 0); - if (ret < 0) - gnutls_assert (); - - crt->use_extensions = 1; - -cleanup: - _gnutls_free_datum (&der_data); - _gnutls_free_datum(&aia); - asn1_delete_structure (&c2); - - return ret; + int ret, result; + gnutls_datum_t aia = { NULL, 0 }; + gnutls_datum_t der_data = { NULL, 0 }; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + const char *oid; + unsigned int c; + + if (crt == NULL) + return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); + + oid = what_to_oid(what); + if (oid == NULL) + return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); + + ret = asn1_create_element(_gnutls_get_pkix(), + "PKIX1.AuthorityInfoAccessSyntax", &c2); + if (ret != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(ret); + } + + ret = _gnutls_x509_crt_get_extension(crt, GNUTLS_OID_AIA, 0, &aia, + &c); + if (ret >= 0) { /* decode it */ + ret = asn1_der_decoding(&c2, aia.data, aia.size, NULL); + if (ret != ASN1_SUCCESS) { + gnutls_assert(); + ret = _gnutls_asn2err(ret); + goto cleanup; + } + } + + /* generate the extension. + */ + /* 1. create a new element. + */ + result = asn1_write_value(c2, "", "NEW", 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + ret = _gnutls_asn2err(result); + goto cleanup; + } + + /* 2. Add the OID. + */ + result = asn1_write_value(c2, "?LAST.accessMethod", oid, 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + ret = _gnutls_asn2err(result); + goto cleanup; + } + + /* accessLocation is a choice */ + result = + asn1_write_value(c2, "?LAST.accessLocation", + "uniformResourceIdentifier", 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + ret = _gnutls_asn2err(result); + goto cleanup; + } + + result = + asn1_write_value(c2, + "?LAST.accessLocation.uniformResourceIdentifier", + data->data, data->size); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + ret = _gnutls_asn2err(result); + goto cleanup; + } + + ret = _gnutls_x509_der_encode(c2, "", &der_data, 0); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + + ret = _gnutls_x509_crt_set_extension(crt, GNUTLS_OID_AIA, + &der_data, 0); + if (ret < 0) + gnutls_assert(); + + crt->use_extensions = 1; + + cleanup: + _gnutls_free_datum(&der_data); + _gnutls_free_datum(&aia); + asn1_delete_structure(&c2); + + return ret; } -static int encode_user_notice(const gnutls_datum_t* txt, gnutls_datum_t *der_data) +static int encode_user_notice(const gnutls_datum_t * txt, + gnutls_datum_t * der_data) { - int result; - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - - if ((result = - asn1_create_element (_gnutls_get_pkix (), - "PKIX1.UserNotice", - &c2)) != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto error; - } - - /* delete noticeRef */ - result = - asn1_write_value (c2, "noticeRef", NULL, 0); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto error; - } - - result = - asn1_write_value (c2, "explicitText", "utf8String", 1); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto error; - } - - result = - asn1_write_value (c2, "explicitText.utf8String", txt->data, txt->size); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto error; - } - - result = _gnutls_x509_der_encode(c2, "", der_data, 0); - if (result < 0) - { - gnutls_assert (); - goto error; - } - - result = 0; - -error: - asn1_delete_structure (&c2); - return result; + int result; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + + if ((result = + asn1_create_element(_gnutls_get_pkix(), + "PKIX1.UserNotice", + &c2)) != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + /* delete noticeRef */ + result = asn1_write_value(c2, "noticeRef", NULL, 0); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + result = asn1_write_value(c2, "explicitText", "utf8String", 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + result = + asn1_write_value(c2, "explicitText.utf8String", txt->data, + txt->size); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto error; + } + + result = _gnutls_x509_der_encode(c2, "", der_data, 0); + if (result < 0) { + gnutls_assert(); + goto error; + } + + result = 0; + + error: + asn1_delete_structure(&c2); + return result; } @@ -1624,159 +1576,157 @@ error: * Since: 3.1.5 **/ int -gnutls_x509_crt_set_policy (gnutls_x509_crt_t crt, struct gnutls_x509_policy_st* policy, - unsigned int critical) +gnutls_x509_crt_set_policy(gnutls_x509_crt_t crt, + struct gnutls_x509_policy_st *policy, + unsigned int critical) { - int result; - unsigned i; - gnutls_datum_t der_data, tmpd, prev_der_data = {NULL, 0}; - ASN1_TYPE c2 = ASN1_TYPE_EMPTY; - const char* oid; - - if (crt == NULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - result = _gnutls_x509_crt_get_extension (crt, "2.5.29.32", 0, - &prev_der_data, NULL); - if (result < 0 && result != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) - { - gnutls_assert (); - return result; - } - - result = - asn1_create_element (_gnutls_get_pkix (), "PKIX1.certificatePolicies", &c2); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - - if (prev_der_data.data != NULL) - { - result = - asn1_der_decoding (&c2, prev_der_data.data, prev_der_data.size, - NULL); - - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - } - - /* 1. write a new policy */ - result = asn1_write_value (c2, "", "NEW", 1); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - - /* 2. Add the OID. - */ - result = asn1_write_value (c2, "?LAST.policyIdentifier", policy->oid, 1); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - - for (i=0;i<MIN(policy->qualifiers,GNUTLS_MAX_QUALIFIERS);i++) - { - result = asn1_write_value (c2, "?LAST.policyQualifiers", "NEW", 1); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - - if (policy->qualifier[i].type == GNUTLS_X509_QUALIFIER_URI) - oid = "1.3.6.1.5.5.7.2.1"; - else if (policy->qualifier[i].type == GNUTLS_X509_QUALIFIER_NOTICE) - oid = "1.3.6.1.5.5.7.2.2"; - else - { - result = gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); - goto cleanup; - } - - result = asn1_write_value (c2, "?LAST.policyQualifiers.?LAST.policyQualifierId", oid, 1); - if (result != ASN1_SUCCESS) - { - gnutls_assert (); - result = _gnutls_asn2err (result); - goto cleanup; - } - - if (policy->qualifier[i].type == GNUTLS_X509_QUALIFIER_URI) - { - tmpd.data = (void*)policy->qualifier[i].data; - tmpd.size = policy->qualifier[i].size; - - result = _gnutls_x509_write_string(c2, "?LAST.policyQualifiers.?LAST.qualifier", - &tmpd, ASN1_ETYPE_IA5_STRING); - if (result < 0) - { - gnutls_assert(); - goto cleanup; - } - } - else if (policy->qualifier[i].type == GNUTLS_X509_QUALIFIER_NOTICE) - { - tmpd.data = (void*)policy->qualifier[i].data; - tmpd.size = policy->qualifier[i].size; - - if (tmpd.size > 200) - { - gnutls_assert(); - result = GNUTLS_E_INVALID_REQUEST; - goto cleanup; - } - - result = encode_user_notice(&tmpd, &der_data); - if (result < 0) - { - gnutls_assert(); - goto cleanup; - } - - result = _gnutls_x509_write_value(c2, "?LAST.policyQualifiers.?LAST.qualifier", - &der_data); - _gnutls_free_datum(&der_data); - if (result < 0) - { - gnutls_assert(); - goto cleanup; - } - } - } - - result = _gnutls_x509_der_encode (c2, "", &der_data, 0); - if (result < 0) - { - gnutls_assert(); - goto cleanup; - } - - result = _gnutls_x509_crt_set_extension (crt, "2.5.29.32", - &der_data, 0); - - _gnutls_free_datum(&der_data); - - crt->use_extensions = 1; - -cleanup: - asn1_delete_structure (&c2); - _gnutls_free_datum(&prev_der_data); - - return result; + int result; + unsigned i; + gnutls_datum_t der_data, tmpd, prev_der_data = { NULL, 0 }; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + const char *oid; + + if (crt == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + result = _gnutls_x509_crt_get_extension(crt, "2.5.29.32", 0, + &prev_der_data, NULL); + if (result < 0 && result != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { + gnutls_assert(); + return result; + } + + result = + asn1_create_element(_gnutls_get_pkix(), + "PKIX1.certificatePolicies", &c2); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + if (prev_der_data.data != NULL) { + result = + asn1_der_decoding(&c2, prev_der_data.data, + prev_der_data.size, NULL); + + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + } + + /* 1. write a new policy */ + result = asn1_write_value(c2, "", "NEW", 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + /* 2. Add the OID. + */ + result = + asn1_write_value(c2, "?LAST.policyIdentifier", policy->oid, 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + for (i = 0; i < MIN(policy->qualifiers, GNUTLS_MAX_QUALIFIERS); + i++) { + result = + asn1_write_value(c2, "?LAST.policyQualifiers", "NEW", + 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + if (policy->qualifier[i].type == GNUTLS_X509_QUALIFIER_URI) + oid = "1.3.6.1.5.5.7.2.1"; + else if (policy->qualifier[i].type == + GNUTLS_X509_QUALIFIER_NOTICE) + oid = "1.3.6.1.5.5.7.2.2"; + else { + result = + gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); + goto cleanup; + } + + result = + asn1_write_value(c2, + "?LAST.policyQualifiers.?LAST.policyQualifierId", + oid, 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + result = _gnutls_asn2err(result); + goto cleanup; + } + + if (policy->qualifier[i].type == GNUTLS_X509_QUALIFIER_URI) { + tmpd.data = (void *) policy->qualifier[i].data; + tmpd.size = policy->qualifier[i].size; + + result = + _gnutls_x509_write_string(c2, + "?LAST.policyQualifiers.?LAST.qualifier", + &tmpd, + ASN1_ETYPE_IA5_STRING); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + } else if (policy->qualifier[i].type == + GNUTLS_X509_QUALIFIER_NOTICE) { + tmpd.data = (void *) policy->qualifier[i].data; + tmpd.size = policy->qualifier[i].size; + + if (tmpd.size > 200) { + gnutls_assert(); + result = GNUTLS_E_INVALID_REQUEST; + goto cleanup; + } + + result = encode_user_notice(&tmpd, &der_data); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + result = + _gnutls_x509_write_value(c2, + "?LAST.policyQualifiers.?LAST.qualifier", + &der_data); + _gnutls_free_datum(&der_data); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + } + } + + result = _gnutls_x509_der_encode(c2, "", &der_data, 0); + if (result < 0) { + gnutls_assert(); + goto cleanup; + } + + result = _gnutls_x509_crt_set_extension(crt, "2.5.29.32", + &der_data, 0); + + _gnutls_free_datum(&der_data); + + crt->use_extensions = 1; + + cleanup: + asn1_delete_structure(&c2); + _gnutls_free_datum(&prev_der_data); + + return result; } |