00001
00002
00003
00004
00005
00006
00007
00008
00009
00010
00011
00012
00013
00014
00015
00016
00017
00018
00019
00020
00021
00022
00023
00024
00025
00026
00027
00028
00029
00030
00031
00032
00033
00034
00035
00036
00037 #include "polarssl/config.h"
00038
00039 #if defined(POLARSSL_X509_CRL_PARSE_C)
00040
00041 #include "polarssl/x509_crl.h"
00042 #include "polarssl/oid.h"
00043 #if defined(POLARSSL_PEM_PARSE_C)
00044 #include "polarssl/pem.h"
00045 #endif
00046
00047 #if defined(POLARSSL_MEMORY_C)
00048 #include "polarssl/memory.h"
00049 #else
00050 #define polarssl_malloc malloc
00051 #define polarssl_free free
00052 #endif
00053
00054 #include <string.h>
00055 #include <stdlib.h>
00056 #if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
00057
00058 #include <windows.h>
00059 #else
00060 #include <time.h>
00061 #endif
00062
00063 #if defined(POLARSSL_FS_IO) || defined(EFIX64) || defined(EFI32)
00064 #include <stdio.h>
00065 #endif
00066
00067
00068
00069
00070 static int x509_crl_get_version( unsigned char **p,
00071 const unsigned char *end,
00072 int *ver )
00073 {
00074 int ret;
00075
00076 if( ( ret = asn1_get_int( p, end, ver ) ) != 0 )
00077 {
00078 if( ret == POLARSSL_ERR_ASN1_UNEXPECTED_TAG )
00079 {
00080 *ver = 0;
00081 return( 0 );
00082 }
00083
00084 return( POLARSSL_ERR_X509_INVALID_VERSION + ret );
00085 }
00086
00087 return( 0 );
00088 }
00089
00090
00091
00092
00093 static int x509_get_crl_ext( unsigned char **p,
00094 const unsigned char *end,
00095 x509_buf *ext )
00096 {
00097 int ret;
00098 size_t len = 0;
00099
00100
00101 if( ( ret = x509_get_ext( p, end, ext, 0) ) != 0 )
00102 {
00103 if( ret == POLARSSL_ERR_ASN1_UNEXPECTED_TAG )
00104 return( 0 );
00105
00106 return( ret );
00107 }
00108
00109 while( *p < end )
00110 {
00111 if( ( ret = asn1_get_tag( p, end, &len,
00112 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
00113 return( POLARSSL_ERR_X509_INVALID_EXTENSIONS + ret );
00114
00115 *p += len;
00116 }
00117
00118 if( *p != end )
00119 return( POLARSSL_ERR_X509_INVALID_EXTENSIONS +
00120 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
00121
00122 return( 0 );
00123 }
00124
00125
00126
00127
00128 static int x509_get_crl_entry_ext( unsigned char **p,
00129 const unsigned char *end,
00130 x509_buf *ext )
00131 {
00132 int ret;
00133 size_t len = 0;
00134
00135
00136 if (end <= *p)
00137 return( 0 );
00138
00139 ext->tag = **p;
00140 ext->p = *p;
00141
00142
00143
00144
00145
00146 if( ( ret = asn1_get_tag( p, end, &ext->len,
00147 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
00148 {
00149 if( ret == POLARSSL_ERR_ASN1_UNEXPECTED_TAG )
00150 {
00151 ext->p = NULL;
00152 return( 0 );
00153 }
00154 return( POLARSSL_ERR_X509_INVALID_EXTENSIONS + ret );
00155 }
00156
00157 end = *p + ext->len;
00158
00159 if( end != *p + ext->len )
00160 return( POLARSSL_ERR_X509_INVALID_EXTENSIONS +
00161 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
00162
00163 while( *p < end )
00164 {
00165 if( ( ret = asn1_get_tag( p, end, &len,
00166 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
00167 return( POLARSSL_ERR_X509_INVALID_EXTENSIONS + ret );
00168
00169 *p += len;
00170 }
00171
00172 if( *p != end )
00173 return( POLARSSL_ERR_X509_INVALID_EXTENSIONS +
00174 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
00175
00176 return( 0 );
00177 }
00178
00179
00180
00181
00182 static int x509_get_entries( unsigned char **p,
00183 const unsigned char *end,
00184 x509_crl_entry *entry )
00185 {
00186 int ret;
00187 size_t entry_len;
00188 x509_crl_entry *cur_entry = entry;
00189
00190 if( *p == end )
00191 return( 0 );
00192
00193 if( ( ret = asn1_get_tag( p, end, &entry_len,
00194 ASN1_SEQUENCE | ASN1_CONSTRUCTED ) ) != 0 )
00195 {
00196 if( ret == POLARSSL_ERR_ASN1_UNEXPECTED_TAG )
00197 return( 0 );
00198
00199 return( ret );
00200 }
00201
00202 end = *p + entry_len;
00203
00204 while( *p < end )
00205 {
00206 size_t len2;
00207 const unsigned char *end2;
00208
00209 if( ( ret = asn1_get_tag( p, end, &len2,
00210 ASN1_SEQUENCE | ASN1_CONSTRUCTED ) ) != 0 )
00211 {
00212 return( ret );
00213 }
00214
00215 cur_entry->raw.tag = **p;
00216 cur_entry->raw.p = *p;
00217 cur_entry->raw.len = len2;
00218 end2 = *p + len2;
00219
00220 if( ( ret = x509_get_serial( p, end2, &cur_entry->serial ) ) != 0 )
00221 return( ret );
00222
00223 if( ( ret = x509_get_time( p, end2, &cur_entry->revocation_date ) ) != 0 )
00224 return( ret );
00225
00226 if( ( ret = x509_get_crl_entry_ext( p, end2, &cur_entry->entry_ext ) ) != 0 )
00227 return( ret );
00228
00229 if ( *p < end )
00230 {
00231 cur_entry->next = polarssl_malloc( sizeof( x509_crl_entry ) );
00232
00233 if( cur_entry->next == NULL )
00234 return( POLARSSL_ERR_X509_MALLOC_FAILED );
00235
00236 cur_entry = cur_entry->next;
00237 memset( cur_entry, 0, sizeof( x509_crl_entry ) );
00238 }
00239 }
00240
00241 return( 0 );
00242 }
00243
00244
00245
00246
00247 int x509_crl_parse( x509_crl *chain, const unsigned char *buf, size_t buflen )
00248 {
00249 int ret;
00250 size_t len;
00251 unsigned char *p, *end;
00252 x509_crl *crl;
00253 #if defined(POLARSSL_PEM_PARSE_C)
00254 size_t use_len;
00255 pem_context pem;
00256 #endif
00257
00258 crl = chain;
00259
00260
00261
00262
00263 if( crl == NULL || buf == NULL )
00264 return( POLARSSL_ERR_X509_BAD_INPUT_DATA );
00265
00266 while( crl->version != 0 && crl->next != NULL )
00267 crl = crl->next;
00268
00269
00270
00271
00272 if ( crl->version != 0 && crl->next == NULL)
00273 {
00274 crl->next = (x509_crl *) polarssl_malloc( sizeof( x509_crl ) );
00275
00276 if( crl->next == NULL )
00277 {
00278 x509_crl_free( crl );
00279 return( POLARSSL_ERR_X509_MALLOC_FAILED );
00280 }
00281
00282 crl = crl->next;
00283 x509_crl_init( crl );
00284 }
00285
00286 #if defined(POLARSSL_PEM_PARSE_C)
00287 pem_init( &pem );
00288 ret = pem_read_buffer( &pem,
00289 "-----BEGIN X509 CRL-----",
00290 "-----END X509 CRL-----",
00291 buf, NULL, 0, &use_len );
00292
00293 if( ret == 0 )
00294 {
00295
00296
00297
00298 buflen -= use_len;
00299 buf += use_len;
00300
00301
00302
00303
00304 p = pem.buf;
00305 pem.buf = NULL;
00306 len = pem.buflen;
00307 pem_free( &pem );
00308 }
00309 else if( ret != POLARSSL_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
00310 {
00311 pem_free( &pem );
00312 return( ret );
00313 }
00314 else
00315 #endif
00316 {
00317
00318
00319
00320 p = (unsigned char *) polarssl_malloc( len = buflen );
00321
00322 if( p == NULL )
00323 return( POLARSSL_ERR_X509_MALLOC_FAILED );
00324
00325 memcpy( p, buf, buflen );
00326
00327 buflen = 0;
00328 }
00329
00330 crl->raw.p = p;
00331 crl->raw.len = len;
00332 end = p + len;
00333
00334
00335
00336
00337
00338
00339
00340 if( ( ret = asn1_get_tag( &p, end, &len,
00341 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
00342 {
00343 x509_crl_free( crl );
00344 return( POLARSSL_ERR_X509_INVALID_FORMAT );
00345 }
00346
00347 if( len != (size_t) ( end - p ) )
00348 {
00349 x509_crl_free( crl );
00350 return( POLARSSL_ERR_X509_INVALID_FORMAT +
00351 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
00352 }
00353
00354
00355
00356
00357 crl->tbs.p = p;
00358
00359 if( ( ret = asn1_get_tag( &p, end, &len,
00360 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
00361 {
00362 x509_crl_free( crl );
00363 return( POLARSSL_ERR_X509_INVALID_FORMAT + ret );
00364 }
00365
00366 end = p + len;
00367 crl->tbs.len = end - crl->tbs.p;
00368
00369
00370
00371
00372
00373
00374
00375 if( ( ret = x509_crl_get_version( &p, end, &crl->version ) ) != 0 ||
00376 ( ret = x509_get_alg_null( &p, end, &crl->sig_oid1 ) ) != 0 )
00377 {
00378 x509_crl_free( crl );
00379 return( ret );
00380 }
00381
00382 crl->version++;
00383
00384 if( crl->version > 2 )
00385 {
00386 x509_crl_free( crl );
00387 return( POLARSSL_ERR_X509_UNKNOWN_VERSION );
00388 }
00389
00390 if( ( ret = x509_get_sig_alg( &crl->sig_oid1, &crl->sig_md,
00391 &crl->sig_pk ) ) != 0 )
00392 {
00393 x509_crl_free( crl );
00394 return( POLARSSL_ERR_X509_UNKNOWN_SIG_ALG );
00395 }
00396
00397
00398
00399
00400 crl->issuer_raw.p = p;
00401
00402 if( ( ret = asn1_get_tag( &p, end, &len,
00403 ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
00404 {
00405 x509_crl_free( crl );
00406 return( POLARSSL_ERR_X509_INVALID_FORMAT + ret );
00407 }
00408
00409 if( ( ret = x509_get_name( &p, p + len, &crl->issuer ) ) != 0 )
00410 {
00411 x509_crl_free( crl );
00412 return( ret );
00413 }
00414
00415 crl->issuer_raw.len = p - crl->issuer_raw.p;
00416
00417
00418
00419
00420
00421 if( ( ret = x509_get_time( &p, end, &crl->this_update ) ) != 0 )
00422 {
00423 x509_crl_free( crl );
00424 return( ret );
00425 }
00426
00427 if( ( ret = x509_get_time( &p, end, &crl->next_update ) ) != 0 )
00428 {
00429 if ( ret != ( POLARSSL_ERR_X509_INVALID_DATE +
00430 POLARSSL_ERR_ASN1_UNEXPECTED_TAG ) &&
00431 ret != ( POLARSSL_ERR_X509_INVALID_DATE +
00432 POLARSSL_ERR_ASN1_OUT_OF_DATA ) )
00433 {
00434 x509_crl_free( crl );
00435 return( ret );
00436 }
00437 }
00438
00439
00440
00441
00442
00443
00444
00445
00446
00447 if( ( ret = x509_get_entries( &p, end, &crl->entry ) ) != 0 )
00448 {
00449 x509_crl_free( crl );
00450 return( ret );
00451 }
00452
00453
00454
00455
00456
00457 if( crl->version == 2 )
00458 {
00459 ret = x509_get_crl_ext( &p, end, &crl->crl_ext );
00460
00461 if( ret != 0 )
00462 {
00463 x509_crl_free( crl );
00464 return( ret );
00465 }
00466 }
00467
00468 if( p != end )
00469 {
00470 x509_crl_free( crl );
00471 return( POLARSSL_ERR_X509_INVALID_FORMAT +
00472 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
00473 }
00474
00475 end = crl->raw.p + crl->raw.len;
00476
00477
00478
00479
00480
00481 if( ( ret = x509_get_alg_null( &p, end, &crl->sig_oid2 ) ) != 0 )
00482 {
00483 x509_crl_free( crl );
00484 return( ret );
00485 }
00486
00487 if( crl->sig_oid1.len != crl->sig_oid2.len ||
00488 memcmp( crl->sig_oid1.p, crl->sig_oid2.p, crl->sig_oid1.len ) != 0 )
00489 {
00490 x509_crl_free( crl );
00491 return( POLARSSL_ERR_X509_SIG_MISMATCH );
00492 }
00493
00494 if( ( ret = x509_get_sig( &p, end, &crl->sig ) ) != 0 )
00495 {
00496 x509_crl_free( crl );
00497 return( ret );
00498 }
00499
00500 if( p != end )
00501 {
00502 x509_crl_free( crl );
00503 return( POLARSSL_ERR_X509_INVALID_FORMAT +
00504 POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
00505 }
00506
00507 if( buflen > 0 )
00508 {
00509 crl->next = (x509_crl *) polarssl_malloc( sizeof( x509_crl ) );
00510
00511 if( crl->next == NULL )
00512 {
00513 x509_crl_free( crl );
00514 return( POLARSSL_ERR_X509_MALLOC_FAILED );
00515 }
00516
00517 crl = crl->next;
00518 x509_crl_init( crl );
00519
00520 return( x509_crl_parse( crl, buf, buflen ) );
00521 }
00522
00523 return( 0 );
00524 }
00525
00526 #if defined(POLARSSL_FS_IO)
00527
00528
00529
00530 int x509_crl_parse_file( x509_crl *chain, const char *path )
00531 {
00532 int ret;
00533 size_t n;
00534 unsigned char *buf;
00535
00536 if ( ( ret = x509_load_file( path, &buf, &n ) ) != 0 )
00537 return( ret );
00538
00539 ret = x509_crl_parse( chain, buf, n );
00540
00541 memset( buf, 0, n + 1 );
00542 polarssl_free( buf );
00543
00544 return( ret );
00545 }
00546 #endif
00547
00548 #if defined(_MSC_VER) && !defined snprintf && !defined(EFIX64) && \
00549 !defined(EFI32)
00550 #include <stdarg.h>
00551
00552 #if !defined vsnprintf
00553 #define vsnprintf _vsnprintf
00554 #endif // vsnprintf
00555
00556
00557
00558
00559
00560
00561
00562
00563 static int compat_snprintf(char *str, size_t size, const char *format, ...)
00564 {
00565 va_list ap;
00566 int res = -1;
00567
00568 va_start( ap, format );
00569
00570 res = vsnprintf( str, size, format, ap );
00571
00572 va_end( ap );
00573
00574
00575 if ( res < 0 )
00576 return( (int) size + 20 );
00577
00578 return res;
00579 }
00580
00581 #define snprintf compat_snprintf
00582 #endif
00583
00584 #define POLARSSL_ERR_DEBUG_BUF_TOO_SMALL -2
00585
00586 #define SAFE_SNPRINTF() \
00587 { \
00588 if( ret == -1 ) \
00589 return( -1 ); \
00590 \
00591 if ( (unsigned int) ret > n ) { \
00592 p[n - 1] = '\0'; \
00593 return POLARSSL_ERR_DEBUG_BUF_TOO_SMALL;\
00594 } \
00595 \
00596 n -= (unsigned int) ret; \
00597 p += (unsigned int) ret; \
00598 }
00599
00600
00601
00602
00603 #define BEFORE_COLON 14
00604 #define BC "14"
00605
00606
00607
00608 int x509_crl_info( char *buf, size_t size, const char *prefix,
00609 const x509_crl *crl )
00610 {
00611 int ret;
00612 size_t n;
00613 char *p;
00614 const char *desc;
00615 const x509_crl_entry *entry;
00616
00617 p = buf;
00618 n = size;
00619
00620 ret = snprintf( p, n, "%sCRL version : %d",
00621 prefix, crl->version );
00622 SAFE_SNPRINTF();
00623
00624 ret = snprintf( p, n, "\n%sissuer name : ", prefix );
00625 SAFE_SNPRINTF();
00626 ret = x509_dn_gets( p, n, &crl->issuer );
00627 SAFE_SNPRINTF();
00628
00629 ret = snprintf( p, n, "\n%sthis update : " \
00630 "%04d-%02d-%02d %02d:%02d:%02d", prefix,
00631 crl->this_update.year, crl->this_update.mon,
00632 crl->this_update.day, crl->this_update.hour,
00633 crl->this_update.min, crl->this_update.sec );
00634 SAFE_SNPRINTF();
00635
00636 ret = snprintf( p, n, "\n%snext update : " \
00637 "%04d-%02d-%02d %02d:%02d:%02d", prefix,
00638 crl->next_update.year, crl->next_update.mon,
00639 crl->next_update.day, crl->next_update.hour,
00640 crl->next_update.min, crl->next_update.sec );
00641 SAFE_SNPRINTF();
00642
00643 entry = &crl->entry;
00644
00645 ret = snprintf( p, n, "\n%sRevoked certificates:",
00646 prefix );
00647 SAFE_SNPRINTF();
00648
00649 while( entry != NULL && entry->raw.len != 0 )
00650 {
00651 ret = snprintf( p, n, "\n%sserial number: ",
00652 prefix );
00653 SAFE_SNPRINTF();
00654
00655 ret = x509_serial_gets( p, n, &entry->serial);
00656 SAFE_SNPRINTF();
00657
00658 ret = snprintf( p, n, " revocation date: " \
00659 "%04d-%02d-%02d %02d:%02d:%02d",
00660 entry->revocation_date.year, entry->revocation_date.mon,
00661 entry->revocation_date.day, entry->revocation_date.hour,
00662 entry->revocation_date.min, entry->revocation_date.sec );
00663 SAFE_SNPRINTF();
00664
00665 entry = entry->next;
00666 }
00667
00668 ret = snprintf( p, n, "\n%ssigned using : ", prefix );
00669 SAFE_SNPRINTF();
00670
00671 ret = oid_get_sig_alg_desc( &crl->sig_oid1, &desc );
00672 if( ret != 0 )
00673 ret = snprintf( p, n, "???" );
00674 else
00675 ret = snprintf( p, n, "%s", desc );
00676 SAFE_SNPRINTF();
00677
00678 ret = snprintf( p, n, "\n" );
00679 SAFE_SNPRINTF();
00680
00681 return( (int) ( size - n ) );
00682 }
00683
00684
00685
00686
00687 void x509_crl_init( x509_crl *crl )
00688 {
00689 memset( crl, 0, sizeof(x509_crl) );
00690 }
00691
00692
00693
00694
00695 void x509_crl_free( x509_crl *crl )
00696 {
00697 x509_crl *crl_cur = crl;
00698 x509_crl *crl_prv;
00699 x509_name *name_cur;
00700 x509_name *name_prv;
00701 x509_crl_entry *entry_cur;
00702 x509_crl_entry *entry_prv;
00703
00704 if( crl == NULL )
00705 return;
00706
00707 do
00708 {
00709 name_cur = crl_cur->issuer.next;
00710 while( name_cur != NULL )
00711 {
00712 name_prv = name_cur;
00713 name_cur = name_cur->next;
00714 memset( name_prv, 0, sizeof( x509_name ) );
00715 polarssl_free( name_prv );
00716 }
00717
00718 entry_cur = crl_cur->entry.next;
00719 while( entry_cur != NULL )
00720 {
00721 entry_prv = entry_cur;
00722 entry_cur = entry_cur->next;
00723 memset( entry_prv, 0, sizeof( x509_crl_entry ) );
00724 polarssl_free( entry_prv );
00725 }
00726
00727 if( crl_cur->raw.p != NULL )
00728 {
00729 memset( crl_cur->raw.p, 0, crl_cur->raw.len );
00730 polarssl_free( crl_cur->raw.p );
00731 }
00732
00733 crl_cur = crl_cur->next;
00734 }
00735 while( crl_cur != NULL );
00736
00737 crl_cur = crl;
00738 do
00739 {
00740 crl_prv = crl_cur;
00741 crl_cur = crl_cur->next;
00742
00743 memset( crl_prv, 0, sizeof( x509_crl ) );
00744 if( crl_prv != crl )
00745 polarssl_free( crl_prv );
00746 }
00747 while( crl_cur != NULL );
00748 }
00749
00750 #endif