search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
new polarssl
[syren.git] / src / libpolarssl / x509_crl.c
blobeb880002138c53c5405c09f7ce953cc256ab24e3
1 /*
2 * X.509 certificate and private key decoding
3 *
4 * Copyright (C) 2006-2014, Brainspark B.V.
5 *
6 * This file is part of PolarSSL (http://www.polarssl.org)
7 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
8 *
9 * All rights reserved.
10 *
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25 /*
26 * The ITU-T X.509 standard defines a certificate format for PKI.
27 *
28 * http://www.ietf.org/rfc/rfc3279.txt
29 * http://www.ietf.org/rfc/rfc3280.txt
30 *
31 * ftp://ftp.rsasecurity.com/pub/pkcs/ascii/pkcs-1v2.asc
32 *
33 * http://www.itu.int/ITU-T/studygroups/com17/languages/X.680-0207.pdf
34 * http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf
35 */
36
37 #if !defined(POLARSSL_CONFIG_FILE)
38 #include "config.h"
39 #else
40 #include POLARSSL_CONFIG_FILE
41 #endif
42
43 #if defined(POLARSSL_X509_CRL_PARSE_C)
44
45 #include "x509_crl.h"
46 #include "oid.h"
47 #if defined(POLARSSL_PEM_PARSE_C)
48 #include "pem.h"
49 #endif
50
51 #if defined(POLARSSL_PLATFORM_C)
52 #include "platform.h"
53 #else
54 #define polarssl_malloc malloc
55 #define polarssl_free free
56 #endif
57
58 #include <string.h>
59 #include <stdlib.h>
60 #if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
61
62 #include <windows.h>
63 #else
64 #include <time.h>
65 #endif
66
67 #if defined(POLARSSL_FS_IO) || defined(EFIX64) || defined(EFI32)
68 #include <stdio.h>
69 #endif
70
71 /*
72 * Version ::= INTEGER { v1(0), v2(1) }
73 */
74 static int x509_crl_get_version( unsigned char **p,
75 const unsigned char *end,
76 int *ver )
77 {
78 int ret;
79
80 if( ( ret = asn1_get_int( p, end, ver ) ) != 0 )
81 {
82 if( ret == POLARSSL_ERR_ASN1_UNEXPECTED_TAG )
83 {
84 *ver = 0;
85 return( 0 );
86 }
87
88 return( POLARSSL_ERR_X509_INVALID_VERSION + ret );
89 }
90
91 return( 0 );
92 }
93
94 /*
95 * X.509 CRL v2 extensions (no extensions parsed yet.)
96 */
97 static int x509_get_crl_ext( unsigned char **p,
98 const unsigned char *end,
99 x509_buf *ext )
100 {
101 int ret;
102 size_t len = 0;
103
104 /* Get explicit tag */
105 if( ( ret = x509_get_ext( p, end, ext, 0) ) != 0 )
106 {
107 if( ret == POLARSSL_ERR_ASN1_UNEXPECTED_TAG )
108 return( 0 );
109
110 return( ret );
111 }
112
113 while( *p < end )
114 {
115 if( ( ret = asn1_get_tag( p, end, &len,
116 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
117 return( POLARSSL_ERR_X509_INVALID_EXTENSIONS + ret );
118
119 *p += len;
120 }
121
122 if( *p != end )
123 return( POLARSSL_ERR_X509_INVALID_EXTENSIONS +
124 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
125
126 return( 0 );
127 }
128
129 /*
130 * X.509 CRL v2 entry extensions (no extensions parsed yet.)
131 */
132 static int x509_get_crl_entry_ext( unsigned char **p,
133 const unsigned char *end,
134 x509_buf *ext )
135 {
136 int ret;
137 size_t len = 0;
138
139 /* OPTIONAL */
140 if (end <= *p)
141 return( 0 );
142
143 ext->tag = **p;
144 ext->p = *p;
145
146 /*
147 * Get CRL-entry extension sequence header
148 * crlEntryExtensions Extensions OPTIONAL -- if present, MUST be v2
149 */
150 if( ( ret = asn1_get_tag( p, end, &ext->len,
151 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
152 {
153 if( ret == POLARSSL_ERR_ASN1_UNEXPECTED_TAG )
154 {
155 ext->p = NULL;
156 return( 0 );
157 }
158 return( POLARSSL_ERR_X509_INVALID_EXTENSIONS + ret );
159 }
160
161 end = *p + ext->len;
162
163 if( end != *p + ext->len )
164 return( POLARSSL_ERR_X509_INVALID_EXTENSIONS +
165 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
166
167 while( *p < end )
168 {
169 if( ( ret = asn1_get_tag( p, end, &len,
170 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
171 return( POLARSSL_ERR_X509_INVALID_EXTENSIONS + ret );
172
173 *p += len;
174 }
175
176 if( *p != end )
177 return( POLARSSL_ERR_X509_INVALID_EXTENSIONS +
178 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
179
180 return( 0 );
181 }
182
183 /*
184 * X.509 CRL Entries
185 */
186 static int x509_get_entries( unsigned char **p,
187 const unsigned char *end,
188 x509_crl_entry *entry )
189 {
190 int ret;
191 size_t entry_len;
192 x509_crl_entry *cur_entry = entry;
193
194 if( *p == end )
195 return( 0 );
196
197 if( ( ret = asn1_get_tag( p, end, &entry_len,
198 ASN1_SEQUENCE | ASN1_CONSTRUCTED ) ) != 0 )
199 {
200 if( ret == POLARSSL_ERR_ASN1_UNEXPECTED_TAG )
201 return( 0 );
202
203 return( ret );
204 }
205
206 end = *p + entry_len;
207
208 while( *p < end )
209 {
210 size_t len2;
211 const unsigned char *end2;
212
213 if( ( ret = asn1_get_tag( p, end, &len2,
214 ASN1_SEQUENCE | ASN1_CONSTRUCTED ) ) != 0 )
215 {
216 return( ret );
217 }
218
219 cur_entry->raw.tag = **p;
220 cur_entry->raw.p = *p;
221 cur_entry->raw.len = len2;
222 end2 = *p + len2;
223
224 if( ( ret = x509_get_serial( p, end2, &cur_entry->serial ) ) != 0 )
225 return( ret );
226
227 if( ( ret = x509_get_time( p, end2,
228 &cur_entry->revocation_date ) ) != 0 )
229 return( ret );
230
231 if( ( ret = x509_get_crl_entry_ext( p, end2,
232 &cur_entry->entry_ext ) ) != 0 )
233 return( ret );
234
235 if ( *p < end )
236 {
237 cur_entry->next = polarssl_malloc( sizeof( x509_crl_entry ) );
238
239 if( cur_entry->next == NULL )
240 return( POLARSSL_ERR_X509_MALLOC_FAILED );
241
242 cur_entry = cur_entry->next;
243 memset( cur_entry, 0, sizeof( x509_crl_entry ) );
244 }
245 }
246
247 return( 0 );
248 }
249
250 /*
251 * Parse one or more CRLs and add them to the chained list
252 */
253 int x509_crl_parse( x509_crl *chain, const unsigned char *buf, size_t buflen )
254 {
255 int ret;
256 size_t len;
257 unsigned char *p, *end;
258 x509_crl *crl;
259 #if defined(POLARSSL_PEM_PARSE_C)
260 size_t use_len;
261 pem_context pem;
262 #endif
263
264 crl = chain;
265
266 /*
267 * Check for valid input
268 */
269 if( crl == NULL || buf == NULL )
270 return( POLARSSL_ERR_X509_BAD_INPUT_DATA );
271
272 while( crl->version != 0 && crl->next != NULL )
273 crl = crl->next;
274
275 /*
276 * Add new CRL on the end of the chain if needed.
277 */
278 if ( crl->version != 0 && crl->next == NULL)
279 {
280 crl->next = (x509_crl *) polarssl_malloc( sizeof( x509_crl ) );
281
282 if( crl->next == NULL )
283 {
284 x509_crl_free( crl );
285 return( POLARSSL_ERR_X509_MALLOC_FAILED );
286 }
287
288 crl = crl->next;
289 x509_crl_init( crl );
290 }
291
292 #if defined(POLARSSL_PEM_PARSE_C)
293 pem_init( &pem );
294 ret = pem_read_buffer( &pem,
295 "-----BEGIN X509 CRL-----",
296 "-----END X509 CRL-----",
297 buf, NULL, 0, &use_len );
298
299 if( ret == 0 )
300 {
301 /*
302 * Was PEM encoded
303 */
304 buflen -= use_len;
305 buf += use_len;
306
307 /*
308 * Steal PEM buffer
309 */
310 p = pem.buf;
311 pem.buf = NULL;
312 len = pem.buflen;
313 pem_free( &pem );
314 }
315 else if( ret != POLARSSL_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
316 {
317 pem_free( &pem );
318 return( ret );
319 }
320 else
321 #endif /* POLARSSL_PEM_PARSE_C */
322 {
323 /*
324 * nope, copy the raw DER data
325 */
326 p = (unsigned char *) polarssl_malloc( len = buflen );
327
328 if( p == NULL )
329 return( POLARSSL_ERR_X509_MALLOC_FAILED );
330
331 memcpy( p, buf, buflen );
332
333 buflen = 0;
334 }
335
336 crl->raw.p = p;
337 crl->raw.len = len;
338 end = p + len;
339
340 /*
341 * CertificateList ::= SEQUENCE {
342 * tbsCertList TBSCertList,
343 * signatureAlgorithm AlgorithmIdentifier,
344 * signatureValue BIT STRING }
345 */
346 if( ( ret = asn1_get_tag( &p, end, &len,
347 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
348 {
349 x509_crl_free( crl );
350 return( POLARSSL_ERR_X509_INVALID_FORMAT );
351 }
352
353 if( len != (size_t) ( end - p ) )
354 {
355 x509_crl_free( crl );
356 return( POLARSSL_ERR_X509_INVALID_FORMAT +
357 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
358 }
359
360 /*
361 * TBSCertList ::= SEQUENCE {
362 */
363 crl->tbs.p = p;
364
365 if( ( ret = asn1_get_tag( &p, end, &len,
366 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
367 {
368 x509_crl_free( crl );
369 return( POLARSSL_ERR_X509_INVALID_FORMAT + ret );
370 }
371
372 end = p + len;
373 crl->tbs.len = end - crl->tbs.p;
374
375 /*
376 * Version ::= INTEGER OPTIONAL { v1(0), v2(1) }
377 * -- if present, MUST be v2
378 *
379 * signature AlgorithmIdentifier
380 */
381 if( ( ret = x509_crl_get_version( &p, end, &crl->version ) ) != 0 ||
382 ( ret = x509_get_alg_null( &p, end, &crl->sig_oid1 ) ) != 0 )
383 {
384 x509_crl_free( crl );
385 return( ret );
386 }
387
388 crl->version++;
389
390 if( crl->version > 2 )
391 {
392 x509_crl_free( crl );
393 return( POLARSSL_ERR_X509_UNKNOWN_VERSION );
394 }
395
396 if( ( ret = x509_get_sig_alg( &crl->sig_oid1, &crl->sig_md,
397 &crl->sig_pk ) ) != 0 )
398 {
399 x509_crl_free( crl );
400 return( POLARSSL_ERR_X509_UNKNOWN_SIG_ALG );
401 }
402
403 /*
404 * issuer Name
405 */
406 crl->issuer_raw.p = p;
407
408 if( ( ret = asn1_get_tag( &p, end, &len,
409 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
410 {
411 x509_crl_free( crl );
412 return( POLARSSL_ERR_X509_INVALID_FORMAT + ret );
413 }
414
415 if( ( ret = x509_get_name( &p, p + len, &crl->issuer ) ) != 0 )
416 {
417 x509_crl_free( crl );
418 return( ret );
419 }
420
421 crl->issuer_raw.len = p - crl->issuer_raw.p;
422
423 /*
424 * thisUpdate Time
425 * nextUpdate Time OPTIONAL
426 */
427 if( ( ret = x509_get_time( &p, end, &crl->this_update ) ) != 0 )
428 {
429 x509_crl_free( crl );
430 return( ret );
431 }
432
433 if( ( ret = x509_get_time( &p, end, &crl->next_update ) ) != 0 )
434 {
435 if ( ret != ( POLARSSL_ERR_X509_INVALID_DATE +
436 POLARSSL_ERR_ASN1_UNEXPECTED_TAG ) &&
437 ret != ( POLARSSL_ERR_X509_INVALID_DATE +
438 POLARSSL_ERR_ASN1_OUT_OF_DATA ) )
439 {
440 x509_crl_free( crl );
441 return( ret );
442 }
443 }
444
445 /*
446 * revokedCertificates SEQUENCE OF SEQUENCE {
447 * userCertificate CertificateSerialNumber,
448 * revocationDate Time,
449 * crlEntryExtensions Extensions OPTIONAL
450 * -- if present, MUST be v2
451 * } OPTIONAL
452 */
453 if( ( ret = x509_get_entries( &p, end, &crl->entry ) ) != 0 )
454 {
455 x509_crl_free( crl );
456 return( ret );
457 }
458
459 /*
460 * crlExtensions EXPLICIT Extensions OPTIONAL
461 * -- if present, MUST be v2
462 */
463 if( crl->version == 2 )
464 {
465 ret = x509_get_crl_ext( &p, end, &crl->crl_ext );
466
467 if( ret != 0 )
468 {
469 x509_crl_free( crl );
470 return( ret );
471 }
472 }
473
474 if( p != end )
475 {
476 x509_crl_free( crl );
477 return( POLARSSL_ERR_X509_INVALID_FORMAT +
478 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
479 }
480
481 end = crl->raw.p + crl->raw.len;
482
483 /*
484 * signatureAlgorithm AlgorithmIdentifier,
485 * signatureValue BIT STRING
486 */
487 if( ( ret = x509_get_alg_null( &p, end, &crl->sig_oid2 ) ) != 0 )
488 {
489 x509_crl_free( crl );
490 return( ret );
491 }
492
493 if( crl->sig_oid1.len != crl->sig_oid2.len ||
494 memcmp( crl->sig_oid1.p, crl->sig_oid2.p, crl->sig_oid1.len ) != 0 )
495 {
496 x509_crl_free( crl );
497 return( POLARSSL_ERR_X509_SIG_MISMATCH );
498 }
499
500 if( ( ret = x509_get_sig( &p, end, &crl->sig ) ) != 0 )
501 {
502 x509_crl_free( crl );
503 return( ret );
504 }
505
506 if( p != end )
507 {
508 x509_crl_free( crl );
509 return( POLARSSL_ERR_X509_INVALID_FORMAT +
510 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
511 }
512
513 if( buflen > 0 )
514 {
515 crl->next = (x509_crl *) polarssl_malloc( sizeof( x509_crl ) );
516
517 if( crl->next == NULL )
518 {
519 x509_crl_free( crl );
520 return( POLARSSL_ERR_X509_MALLOC_FAILED );
521 }
522
523 crl = crl->next;
524 x509_crl_init( crl );
525
526 return( x509_crl_parse( crl, buf, buflen ) );
527 }
528
529 return( 0 );
530 }
531
532 #if defined(POLARSSL_FS_IO)
533 /*
534 * Load one or more CRLs and add them to the chained list
535 */
536 int x509_crl_parse_file( x509_crl *chain, const char *path )
537 {
538 int ret;
539 size_t n;
540 unsigned char *buf;
541
542 if ( ( ret = x509_load_file( path, &buf, &n ) ) != 0 )
543 return( ret );
544
545 ret = x509_crl_parse( chain, buf, n );
546
547 memset( buf, 0, n + 1 );
548 polarssl_free( buf );
549
550 return( ret );
551 }
552 #endif /* POLARSSL_FS_IO */
553
554 #if defined(_MSC_VER) && !defined snprintf && !defined(EFIX64) && \
555 !defined(EFI32)
556 #include <stdarg.h>
557
558 #if !defined vsnprintf
559 #define vsnprintf _vsnprintf
560 #endif // vsnprintf
561
562 /*
563 * Windows _snprintf and _vsnprintf are not compatible to linux versions.
564 * Result value is not size of buffer needed, but -1 if no fit is possible.
565 *
566 * This fuction tries to 'fix' this by at least suggesting enlarging the
567 * size by 20.
568 */
569 static int compat_snprintf(char *str, size_t size, const char *format, ...)
570 {
571 va_list ap;
572 int res = -1;
573
574 va_start( ap, format );
575
576 res = vsnprintf( str, size, format, ap );
577
578 va_end( ap );
579
580 // No quick fix possible
581 if ( res < 0 )
582 return( (int) size + 20 );
583
584 return res;
585 }
586
587 #define snprintf compat_snprintf
588 #endif /* _MSC_VER && !snprintf && !EFIX64 && !EFI32 */
589
590 #define POLARSSL_ERR_DEBUG_BUF_TOO_SMALL -2
591
592 #define SAFE_SNPRINTF() \
593 { \
594 if( ret == -1 ) \
595 return( -1 ); \
596 \
597 if ( (unsigned int) ret > n ) { \
598 p[n - 1] = '\0'; \
599 return POLARSSL_ERR_DEBUG_BUF_TOO_SMALL;\
600 } \
601 \
602 n -= (unsigned int) ret; \
603 p += (unsigned int) ret; \
604 }
605
606 /*
607 * Return an informational string about the certificate.
608 */
609 #define BEFORE_COLON 14
610 #define BC "14"
611 /*
612 * Return an informational string about the CRL.
613 */
614 int x509_crl_info( char *buf, size_t size, const char *prefix,
615 const x509_crl *crl )
616 {
617 int ret;
618 size_t n;
619 char *p;
620 const char *desc;
621 const x509_crl_entry *entry;
622
623 p = buf;
624 n = size;
625
626 ret = snprintf( p, n, "%sCRL version : %d",
627 prefix, crl->version );
628 SAFE_SNPRINTF();
629
630 ret = snprintf( p, n, "\n%sissuer name : ", prefix );
631 SAFE_SNPRINTF();
632 ret = x509_dn_gets( p, n, &crl->issuer );
633 SAFE_SNPRINTF();
634
635 ret = snprintf( p, n, "\n%sthis update : " \
636 "%04d-%02d-%02d %02d:%02d:%02d", prefix,
637 crl->this_update.year, crl->this_update.mon,
638 crl->this_update.day, crl->this_update.hour,
639 crl->this_update.min, crl->this_update.sec );
640 SAFE_SNPRINTF();
641
642 ret = snprintf( p, n, "\n%snext update : " \
643 "%04d-%02d-%02d %02d:%02d:%02d", prefix,
644 crl->next_update.year, crl->next_update.mon,
645 crl->next_update.day, crl->next_update.hour,
646 crl->next_update.min, crl->next_update.sec );
647 SAFE_SNPRINTF();
648
649 entry = &crl->entry;
650
651 ret = snprintf( p, n, "\n%sRevoked certificates:",
652 prefix );
653 SAFE_SNPRINTF();
654
655 while( entry != NULL && entry->raw.len != 0 )
656 {
657 ret = snprintf( p, n, "\n%sserial number: ",
658 prefix );
659 SAFE_SNPRINTF();
660
661 ret = x509_serial_gets( p, n, &entry->serial);
662 SAFE_SNPRINTF();
663
664 ret = snprintf( p, n, " revocation date: " \
665 "%04d-%02d-%02d %02d:%02d:%02d",
666 entry->revocation_date.year, entry->revocation_date.mon,
667 entry->revocation_date.day, entry->revocation_date.hour,
668 entry->revocation_date.min, entry->revocation_date.sec );
669 SAFE_SNPRINTF();
670
671 entry = entry->next;
672 }
673
674 ret = snprintf( p, n, "\n%ssigned using : ", prefix );
675 SAFE_SNPRINTF();
676
677 ret = oid_get_sig_alg_desc( &crl->sig_oid1, &desc );
678 if( ret != 0 )
679 ret = snprintf( p, n, "???" );
680 else
681 ret = snprintf( p, n, "%s", desc );
682 SAFE_SNPRINTF();
683
684 ret = snprintf( p, n, "\n" );
685 SAFE_SNPRINTF();
686
687 return( (int) ( size - n ) );
688 }
689
690 /*
691 * Initialize a CRL chain
692 */
693 void x509_crl_init( x509_crl *crl )
694 {
695 memset( crl, 0, sizeof(x509_crl) );
696 }
697
698 /*
699 * Unallocate all CRL data
700 */
701 void x509_crl_free( x509_crl *crl )
702 {
703 x509_crl *crl_cur = crl;
704 x509_crl *crl_prv;
705 x509_name *name_cur;
706 x509_name *name_prv;
707 x509_crl_entry *entry_cur;
708 x509_crl_entry *entry_prv;
709
710 if( crl == NULL )
711 return;
712
713 do
714 {
715 name_cur = crl_cur->issuer.next;
716 while( name_cur != NULL )
717 {
718 name_prv = name_cur;
719 name_cur = name_cur->next;
720 memset( name_prv, 0, sizeof( x509_name ) );
721 polarssl_free( name_prv );
722 }
723
724 entry_cur = crl_cur->entry.next;
725 while( entry_cur != NULL )
726 {
727 entry_prv = entry_cur;
728 entry_cur = entry_cur->next;
729 memset( entry_prv, 0, sizeof( x509_crl_entry ) );
730 polarssl_free( entry_prv );
731 }
732
733 if( crl_cur->raw.p != NULL )
734 {
735 memset( crl_cur->raw.p, 0, crl_cur->raw.len );
736 polarssl_free( crl_cur->raw.p );
737 }
738
739 crl_cur = crl_cur->next;
740 }
741 while( crl_cur != NULL );
742
743 crl_cur = crl;
744 do
745 {
746 crl_prv = crl_cur;
747 crl_cur = crl_cur->next;
748
749 memset( crl_prv, 0, sizeof( x509_crl ) );
750 if( crl_prv != crl )
751 polarssl_free( crl_prv );
752 }
753 while( crl_cur != NULL );
754 }
755
756 #endif /* POLARSSL_X509_CRL_PARSE_C */
syren