| blob | b7ea152efb93dadbc726c50f579cb124f0465e7c |
1 /*
2 * ====================================================================
3 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 *
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 *
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in
14 * the documentation and/or other materials provided with the
15 * distribution.
16 *
17 * 3. All advertising materials mentioning features or use of this
18 * software must display the following acknowledgment:
19 * "This product includes software developed by the OpenSSL Project
20 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
21 *
22 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
23 * endorse or promote products derived from this software without
24 * prior written permission. For written permission, please contact
25 * licensing@OpenSSL.org.
26 *
27 * 5. Products derived from this software may not be called "OpenSSL"
28 * nor may "OpenSSL" appear in their names without prior written
29 * permission of the OpenSSL Project.
30 *
31 * 6. Redistributions of any form whatsoever must retain the following
32 * acknowledgment:
33 * "This product includes software developed by the OpenSSL Project
34 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
35 *
36 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
37 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
38 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
39 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
40 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
41 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
42 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
43 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
44 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
45 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
46 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
47 * OF THE POSSIBILITY OF SUCH DAMAGE.
48 * ====================================================================
49 *
50 * This product includes cryptographic software written by Eric Young
51 * (eay@cryptsoft.com). This product includes software written by Tim
52 * Hudson (tjh@cryptsoft.com).
53 *
54 */
56 /*
57 * Copyright 2002, 2003 Sun Microsystems, Inc. All rights reserved.
58 * Use is subject to license terms.
59 *
60 * All of the functions included here are internal to the pkcs12 functions
61 * in this library. None of these are exposed.
62 */
64 /*
65 * Copyright (c) 2012, OmniTI Computer Consulting, Inc. All rights reserved.
66 */
70 #include <stdio.h>
71 #include <string.h>
73 #include <openssl/crypto.h>
74 #include <openssl/err.h>
75 #include <openssl/x509.h>
77 #include <openssl/pkcs12.h>
78 #include <p12aux.h>
79 #include <auxutil.h>
80 #include <p12err.h>
82 /*
83 * asc2bmpstring - Convert a regular C ASCII string to an ASn1_STRING in
84 * ASN1_BMPSTRING format.
85 *
86 * Arguments:
87 * str - String to be convered.
88 * len - Length of the string.
89 *
90 * Returns:
91 * == NULL - An error occurred. Error information (accessible by
92 * ERR_get_error()) is set.
93 * != NULL - Points to an ASN1_BMPSTRING structure with the converted
94 * string as a value.
95 */
96 ASN1_BMPSTRING *
98 {
103 /* Convert the character to the bmp format. */
104 #if OPENSSL_VERSION_NUMBER < 0x10000000L
106 #else
108 #endif
111 }
113 /*
114 * Adjust for possible pair of NULL bytes at the end because
115 * asc2uni() returns a doubly null terminated string.
116 */
120 /* Construct comparison string with correct format */
126 }
132 }
134 /*
135 * utf82ascstr - Convert a UTF8STRING string to a regular C ASCII string.
136 * This goes through an intermediate step with a ASN1_STRING type of
137 * IA5STRING (International Alphabet 5, which is the same as ASCII).
138 *
139 * Arguments:
140 * str - UTF8STRING to be converted.
141 *
142 * Returns:
143 * == NULL - An error occurred. Error information (accessible by
144 * ERR_get_error()) is set.
145 * != NULL - Points to a NULL-termianted ASCII string. The caller must
146 * free it.
147 */
148 uchar_t *
150 {
151 ASN1_STRING tmpstr;
160 }
167 B_ASN1_IA5STRING);
171 }
177 }
184 }
186 /*
187 * set_results - Given two pointers to stacks of private keys, certs or CA
188 * CA certs, either copy the second stack to the first, or append the
189 * contents of the second to the first.
190 *
191 * Arguments:
192 * pkeys - Points to stack of pkeys
193 * work_kl - Points to working stack of pkeys
194 * certs - Points to stack of certs
195 * work_cl - Points to working stack of certs
196 * cacerts - Points to stack of CA certs
197 * work_ca - Points to working stack of CA certs
198 * xtrakeys - Points to stack of unmatcned pkeys
199 * work_xl - Points to working stack of unmatcned pkeys
200 *
201 * The arguments are in pairs. The first of each pair points to a stack
202 * of keys or certs. The second of the pair points at a 'working stack'
203 * of the same type of entities. Actions taken are as follows:
204 *
205 * - If either the first or second argument is NULL, or if there are no
206 * members in the second stack, there is nothing to do.
207 * - If the first argument points to a pointer which is NULL, then there
208 * is no existing stack for the first argument. Copy the stack pointer
209 * from the second argument to the first argument and NULL out the stack
210 * pointer for the second.
211 * - Otherwise, go through the elements of the second stack, removing each
212 * and adding it to the first stack.
213 *
214 * Returns:
215 * == -1 - An error occurred. Call ERR_get_error() to get error information.
216 * == 0 - No matching returns were found.
217 * > 0 - This is the arithmetic 'or' of the FOUND_* bits that indicate which
218 * of the requested entries were manipulated.
219 */
220 int
225 {
236 }
237 }
239 }
248 }
249 }
251 }
261 }
262 }
264 }
274 }
275 }
277 }
280 }
282 /*
283 * find_attr - Look for a given attribute of the type associated with the NID.
284 *
285 * Arguments:
286 * nid - NID for the attribute to be found (either NID_friendlyName or
287 * NID_locakKeyId)
288 * str - ASN1_STRING-type structure containing the value to be found,
289 * FriendlyName expects a ASN1_BMPSTRING and localKeyID uses a
290 * ASN1_STRING.
291 * kl - Points to a stack of private keys.
292 * pkey - Points at a location where the address of the matching private
293 * key will be stored.
294 * cl - Points to a stack of client certs with matching private keys.
295 * cert - Points to locaiton where the address of the matching client cert
296 * will be returned
297 *
298 * This function is designed to process lists of certs and private keys.
299 * This is made complex because these the attributes are stored differently
300 * for certs and for keys. For certs, only a few attributes are retained.
301 * FriendlyName is stored in the aux structure, under the name 'alias'.
302 * LocalKeyId is also stored in the aux structure, under the name 'keyid'.
303 * A pkey structure has a stack of attributes.
304 *
305 * The basic approach is:
306 * - If there there is no stack of certs but a stack of private keys exists,
307 * search the stack of keys for a match. Alternately, if there is a stack
308 * of certs and no private keys, search the certs.
309 *
310 * - If there are both certs and keys, assume that the matching certs and
311 * keys are in their respective stacks, with matching entries in the same
312 * order. Search for the name or keyid in the stack of certs. If it is
313 * not found, then this function returns 0 (nothing found).
314 *
315 * - Once a cert is found, verify that the key actually matches by
316 * comparing the private key with the public key (in the cert).
317 * If they don't match, return an error.
318 *
319 * A pointer to cert and/or pkey which matches the name or keyid is stored
320 * in the return arguments.
321 *
322 * Returns:
323 * 0 - No matches were found.
324 * > 0 - Bits set based on FOUND_* definitions, indicating what was found.
325 * This can be FOUND_PKEY, FOUND_CERT or (FOUND_PKEY | FOUND_CERT).
326 */
327 int
330 {
351 }
357 }
364 }
365 }
378 }
386 }
387 }
393 }
394 }
398 }
399 }
402 /*
403 * Looking for pkey to match a cert? If so, assume that
404 * lists of certs and their matching pkeys are in the same
405 * order. Call X509_check_private_key() to verify this
406 * assumption.
407 */
415 }
431 }
432 }
433 }
436 }
438 /*
439 * find_attr_by_nid - Given a ASN1_TYPE, return the offset of a X509_ATTRIBUTE
440 * of the type specified by the given NID.
441 *
442 * Arguments:
443 * attrs - Stack of attributes to search
444 * nid - NID of the attribute being searched for
445 *
446 * Returns:
447 * -1 None found
448 * != -1 Offset of the matching attribute.
449 */
450 int
452 {
463 }
465 }
467 /*
468 * get_key_cert - Get a cert and its matching key from the stacks of certs
469 * and keys. They are removed from the stacks.
470 *
471 * Arguments:
472 * n - Offset of the entries to return.
473 * kl - Points to a stack of private keys that matches the list of
474 * certs below.
475 * pkey - Points at location where the address of the matching private
476 * key will be stored.
477 * cl - Points to a stack of client certs with matching private keys.
478 * cert - Points to locaiton where the address of the matching client cert
479 * will be returned
480 *
481 * The assumption is that the stacks of keys and certs contain key/cert pairs,
482 * with entries in the same order and hence at the same offset. Provided
483 * the key and cert selected match, each will be removed from its stack and
484 * returned.
485 *
486 * A stack of certs can be passed in without a stack of private keys, and vise
487 * versa. In that case, the indicated key/cert will be returned.
488 *
489 * Returns:
490 * 0 - No matches were found.
491 * > 0 - Bits set based on FOUND_* definitions, indicating what is returned.
492 * This can be FOUND_PKEY, FOUND_CERT or (FOUND_PKEY | FOUND_CERT).
493 */
494 int
497 {
510 }
511 }
518 }
519 }
522 }
524 /*
525 * type2attrib - Given a ASN1_TYPE, return a X509_ATTRIBUTE of the type
526 * specified by the given NID.
527 *
528 * Arguments:
529 * ty - Type structure to be made into an attribute
530 * nid - NID of the attribute
531 *
532 * Returns:
533 * NULL An error occurred.
534 * != NULL An X509_ATTRIBUTE structure.
535 */
536 X509_ATTRIBUTE *
538 {
548 }
553 }
555 /*
556 * attrib2type - Given a X509_ATTRIBUTE, return pointer to the ASN1_TYPE
557 * component
558 *
559 * Arguments:
560 * attr - Attribute structure containing a type.
561 *
562 * Returns:
563 * NULL An error occurred.
564 * != NULL An ASN1_TYPE structure.
565 */
566 ASN1_TYPE *
568 {
578 }
580 /*
581 * move_certs - Given two stacks of certs, remove the certs from
582 * the second stack and append them to the first.
583 *
584 * Arguments:
585 * dst - the stack to receive the certs from 'src'
586 * src - the stack whose certs are to be moved.
587 *
588 * Returns:
589 * -1 - An error occurred. The error status is set.
590 * >= 0 - The number of certs that were copied.
591 */
592 int
594 {
604 }
605 count++;
606 }
609 }
611 /*
612 * print_time - Given an ASN1_TIME, print one or both of the times.
613 *
614 * Arguments:
615 * fp - File to write to
616 * t - The time to format and print.
617 *
618 * Returns:
619 * 0 - Error occurred while opening or writing.
620 * > 0 - Success.
621 */
622 int
624 {
630 }
637 }