- Improved X509 certificate parsing to include extended certificate fields, such as Key Usage
This commit is contained in:
parent
b63b0afc05
commit
74111d30b7
3 changed files with 552 additions and 60 deletions
|
@ -11,6 +11,8 @@ Note: Most of these features have been donated by Fox-IT
|
||||||
* Added reading of DHM context from memory and file
|
* Added reading of DHM context from memory and file
|
||||||
* Added verification callback on certificate chain
|
* Added verification callback on certificate chain
|
||||||
verification to allow external blacklisting.
|
verification to allow external blacklisting.
|
||||||
|
* Improved X509 certificate parsing to include extended
|
||||||
|
certificate fields, including Key Usage.
|
||||||
|
|
||||||
= Version 0.14.0 released on 2010-08-16
|
= Version 0.14.0 released on 2010-08-16
|
||||||
Features
|
Features
|
||||||
|
|
|
@ -144,13 +144,132 @@
|
||||||
#define X509_ISSUER 0x01
|
#define X509_ISSUER 0x01
|
||||||
#define X509_SUBJECT 0x02
|
#define X509_SUBJECT 0x02
|
||||||
|
|
||||||
|
/** Returns the size of the binary string, without the trailing \0 */
|
||||||
|
#define OID_SIZE(x) (sizeof(x) - 1)
|
||||||
|
|
||||||
#define OID_X520 "\x55\x04"
|
#define OID_X520 "\x55\x04"
|
||||||
#define OID_CN "\x55\x04\x03"
|
#define OID_CN OID_X520 "\x03"
|
||||||
|
|
||||||
#define OID_PKCS1 "\x2A\x86\x48\x86\xF7\x0D\x01\x01"
|
#define OID_PKCS1 "\x2A\x86\x48\x86\xF7\x0D\x01\x01"
|
||||||
#define OID_PKCS1_RSA "\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01"
|
#define OID_PKCS1_RSA OID_PKCS1 "\x01"
|
||||||
#define OID_PKCS1_RSA_SHA "\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05"
|
#define OID_PKCS1_RSA_SHA OID_PKCS1 "\x05"
|
||||||
|
|
||||||
#define OID_PKCS9 "\x2A\x86\x48\x86\xF7\x0D\x01\x09"
|
#define OID_PKCS9 "\x2A\x86\x48\x86\xF7\x0D\x01\x09"
|
||||||
#define OID_PKCS9_EMAIL "\x2A\x86\x48\x86\xF7\x0D\x01\x09\x01"
|
#define OID_PKCS9_EMAIL OID_PKCS9 "\x01"
|
||||||
|
|
||||||
|
/** ISO arc for standard certificate and CRL extensions */
|
||||||
|
#define OID_ID_CE "\x55\x1D" /**< id-ce OBJECT IDENTIFIER ::= {joint-iso-ccitt(2) ds(5) 29} */
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Private Internet Extensions
|
||||||
|
* { iso(1) identified-organization(3) dod(6) internet(1)
|
||||||
|
* security(5) mechanisms(5) pkix(7) }
|
||||||
|
*/
|
||||||
|
#define OID_PKIX "\x2B\x06\x01\x05\x05\x07"
|
||||||
|
|
||||||
|
/*
|
||||||
|
* OIDs for standard certificate extensions
|
||||||
|
*/
|
||||||
|
#define OID_AUTHORITY_KEY_IDENTIFIER OID_ID_CE "\x23" /**< id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 35 } */
|
||||||
|
#define OID_SUBJECT_KEY_IDENTIFIER OID_ID_CE "\x0E" /**< id-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 14 } */
|
||||||
|
#define OID_KEY_USAGE OID_ID_CE "\x0F" /**< id-ce-keyUsage OBJECT IDENTIFIER ::= { id-ce 15 } */
|
||||||
|
#define OID_CERTIFICATE_POLICIES OID_ID_CE "\x20" /**< id-ce-certificatePolicies OBJECT IDENTIFIER ::= { id-ce 32 } */
|
||||||
|
#define OID_POLICY_MAPPINGS OID_ID_CE "\x21" /**< id-ce-policyMappings OBJECT IDENTIFIER ::= { id-ce 33 } */
|
||||||
|
#define OID_SUBJECT_ALT_NAME OID_ID_CE "\x11" /**< id-ce-subjectAltName OBJECT IDENTIFIER ::= { id-ce 17 } */
|
||||||
|
#define OID_ISSUER_ALT_NAME OID_ID_CE "\x12" /**< id-ce-issuerAltName OBJECT IDENTIFIER ::= { id-ce 18 } */
|
||||||
|
#define OID_SUBJECT_DIRECTORY_ATTRS OID_ID_CE "\x09" /**< id-ce-subjectDirectoryAttributes OBJECT IDENTIFIER ::= { id-ce 9 } */
|
||||||
|
#define OID_BASIC_CONSTRAINTS OID_ID_CE "\x13" /**< id-ce-basicConstraints OBJECT IDENTIFIER ::= { id-ce 19 } */
|
||||||
|
#define OID_NAME_CONSTRAINTS OID_ID_CE "\x1E" /**< id-ce-nameConstraints OBJECT IDENTIFIER ::= { id-ce 30 } */
|
||||||
|
#define OID_POLICY_CONSTRAINTS OID_ID_CE "\x24" /**< id-ce-policyConstraints OBJECT IDENTIFIER ::= { id-ce 36 } */
|
||||||
|
#define OID_EXTENDED_KEY_USAGE OID_ID_CE "\x25" /**< id-ce-extKeyUsage OBJECT IDENTIFIER ::= { id-ce 37 } */
|
||||||
|
#define OID_CRL_DISTRIBUTION_POINTS OID_ID_CE "\x1F" /**< id-ce-cRLDistributionPoints OBJECT IDENTIFIER ::= { id-ce 31 } */
|
||||||
|
#define OID_INIHIBIT_ANYPOLICY OID_ID_CE "\x36" /**< id-ce-inhibitAnyPolicy OBJECT IDENTIFIER ::= { id-ce 54 } */
|
||||||
|
#define OID_FRESHEST_CRL OID_ID_CE "\x2E" /**< id-ce-freshestCRL OBJECT IDENTIFIER ::= { id-ce 46 } */
|
||||||
|
|
||||||
|
/*
|
||||||
|
* X.509 v3 Key Usage Extension flags
|
||||||
|
*/
|
||||||
|
#define KU_DIGITAL_SIGNATURE (0x80) /* bit 0 */
|
||||||
|
#define KU_NON_REPUDIATION (0x40) /* bit 1 */
|
||||||
|
#define KU_KEY_ENCIPHERMENT (0x20) /* bit 2 */
|
||||||
|
#define KU_DATA_ENCIPHERMENT (0x10) /* bit 3 */
|
||||||
|
#define KU_KEY_AGREEMENT (0x08) /* bit 4 */
|
||||||
|
#define KU_KEY_CERT_SIGN (0x04) /* bit 5 */
|
||||||
|
#define KU_CRL_SIGN (0x02) /* bit 6 */
|
||||||
|
|
||||||
|
/*
|
||||||
|
* X.509 v3 Extended key usage OIDs
|
||||||
|
*/
|
||||||
|
#define OID_ANY_EXTENDED_KEY_USAGE OID_EXTENDED_KEY_USAGE "\x00" /**< anyExtendedKeyUsage OBJECT IDENTIFIER ::= { id-ce-extKeyUsage 0 } */
|
||||||
|
|
||||||
|
#define OID_KP OID_PKIX "\x03" /**< id-kp OBJECT IDENTIFIER ::= { id-pkix 3 } */
|
||||||
|
#define OID_SERVER_AUTH OID_KP "\x01" /**< id-kp-serverAuth OBJECT IDENTIFIER ::= { id-kp 1 } */
|
||||||
|
#define OID_CLIENT_AUTH OID_KP "\x02" /**< id-kp-clientAuth OBJECT IDENTIFIER ::= { id-kp 2 } */
|
||||||
|
#define OID_CODE_SIGNING OID_KP "\x03" /**< id-kp-codeSigning OBJECT IDENTIFIER ::= { id-kp 3 } */
|
||||||
|
#define OID_EMAIL_PROTECTION OID_KP "\x04" /**< id-kp-emailProtection OBJECT IDENTIFIER ::= { id-kp 4 } */
|
||||||
|
#define OID_TIME_STAMPING OID_KP "\x08" /**< id-kp-timeStamping OBJECT IDENTIFIER ::= { id-kp 8 } */
|
||||||
|
#define OID_OCSP_SIGNING OID_KP "\x09" /**< id-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-kp 9 } */
|
||||||
|
|
||||||
|
#define STRING_SERVER_AUTH "TLS Web Server Authentication"
|
||||||
|
#define STRING_CLIENT_AUTH "TLS Web Client Authentication"
|
||||||
|
#define STRING_CODE_SIGNING "Code Signing"
|
||||||
|
#define STRING_EMAIL_PROTECTION "E-mail Protection"
|
||||||
|
#define STRING_TIME_STAMPING "Time Stamping"
|
||||||
|
#define STRING_OCSP_SIGNING "OCSP Signing"
|
||||||
|
|
||||||
|
/*
|
||||||
|
* OIDs for CRL extensions
|
||||||
|
*/
|
||||||
|
#define OID_PRIVATE_KEY_USAGE_PERIOD OID_ID_CE "\x10"
|
||||||
|
#define OID_CRL_NUMBER OID_ID_CE "\x14" /**< id-ce-cRLNumber OBJECT IDENTIFIER ::= { id-ce 20 } */
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Netscape certificate extensions
|
||||||
|
*/
|
||||||
|
#define OID_NETSCAPE "\x60\x86\x48\x01\x86\xF8\x42" /**< Netscape OID */
|
||||||
|
#define OID_NS_CERT OID_NETSCAPE "\x01"
|
||||||
|
#define OID_NS_CERT_TYPE OID_NS_CERT "\x01"
|
||||||
|
#define OID_NS_BASE_URL OID_NS_CERT "\x02"
|
||||||
|
#define OID_NS_REVOCATION_URL OID_NS_CERT "\x03"
|
||||||
|
#define OID_NS_CA_REVOCATION_URL OID_NS_CERT "\x04"
|
||||||
|
#define OID_NS_RENEWAL_URL OID_NS_CERT "\x07"
|
||||||
|
#define OID_NS_CA_POLICY_URL OID_NS_CERT "\x08"
|
||||||
|
#define OID_NS_SSL_SERVER_NAME OID_NS_CERT "\x0C"
|
||||||
|
#define OID_NS_COMMENT OID_NS_CERT "\x0D"
|
||||||
|
#define OID_NS_DATA_TYPE OID_NETSCAPE "\x02"
|
||||||
|
#define OID_NS_CERT_SEQUENCE OID_NS_DATA_TYPE "\x05"
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Netscape certificate types
|
||||||
|
* (http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn3.html)
|
||||||
|
*/
|
||||||
|
|
||||||
|
#define NS_CERT_TYPE_SSL_CLIENT (0x80) /* bit 0 */
|
||||||
|
#define NS_CERT_TYPE_SSL_SERVER (0x40) /* bit 1 */
|
||||||
|
#define NS_CERT_TYPE_EMAIL (0x20) /* bit 2 */
|
||||||
|
#define NS_CERT_TYPE_OBJECT_SIGNING (0x10) /* bit 3 */
|
||||||
|
#define NS_CERT_TYPE_RESERVED (0x08) /* bit 4 */
|
||||||
|
#define NS_CERT_TYPE_SSL_CA (0x04) /* bit 5 */
|
||||||
|
#define NS_CERT_TYPE_EMAIL_CA (0x02) /* bit 6 */
|
||||||
|
#define NS_CERT_TYPE_OBJECT_SIGNING_CA (0x01) /* bit 7 */
|
||||||
|
|
||||||
|
#define EXT_AUTHORITY_KEY_IDENTIFIER (1 << 0)
|
||||||
|
#define EXT_SUBJECT_KEY_IDENTIFIER (1 << 1)
|
||||||
|
#define EXT_KEY_USAGE (1 << 2)
|
||||||
|
#define EXT_CERTIFICATE_POLICIES (1 << 3)
|
||||||
|
#define EXT_POLICY_MAPPINGS (1 << 4)
|
||||||
|
#define EXT_SUBJECT_ALT_NAME (1 << 5)
|
||||||
|
#define EXT_ISSUER_ALT_NAME (1 << 6)
|
||||||
|
#define EXT_SUBJECT_DIRECTORY_ATTRS (1 << 7)
|
||||||
|
#define EXT_BASIC_CONSTRAINTS (1 << 8)
|
||||||
|
#define EXT_NAME_CONSTRAINTS (1 << 9)
|
||||||
|
#define EXT_POLICY_CONSTRAINTS (1 << 10)
|
||||||
|
#define EXT_EXTENDED_KEY_USAGE (1 << 11)
|
||||||
|
#define EXT_CRL_DISTRIBUTION_POINTS (1 << 12)
|
||||||
|
#define EXT_INIHIBIT_ANYPOLICY (1 << 13)
|
||||||
|
#define EXT_FRESHEST_CRL (1 << 14)
|
||||||
|
|
||||||
|
#define EXT_NS_CERT_TYPE (1 << 16)
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @addtogroup x509_module
|
* @addtogroup x509_module
|
||||||
|
@ -172,6 +291,17 @@ typedef struct _x509_buf
|
||||||
}
|
}
|
||||||
x509_buf;
|
x509_buf;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Container for ASN1 bit strings.
|
||||||
|
*/
|
||||||
|
typedef struct _x509_bitstring
|
||||||
|
{
|
||||||
|
int len; /**< ASN1 length, e.g. in octets. */
|
||||||
|
unsigned char unused_bits; /**< Number of unused bits at the end of the string */
|
||||||
|
unsigned char *p; /**< Raw ASN1 data for the bit string */
|
||||||
|
}
|
||||||
|
x509_bitstring;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Container for ASN1 named information objects.
|
* Container for ASN1 named information objects.
|
||||||
* It allows for Relative Distinguished Names (e.g. cn=polarssl,ou=code,etc.).
|
* It allows for Relative Distinguished Names (e.g. cn=polarssl,ou=code,etc.).
|
||||||
|
@ -184,6 +314,16 @@ typedef struct _x509_name
|
||||||
}
|
}
|
||||||
x509_name;
|
x509_name;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Container for a sequence of ASN.1 items
|
||||||
|
*/
|
||||||
|
typedef struct _x509_sequence
|
||||||
|
{
|
||||||
|
x509_buf buf; /**< Buffer containing the given ASN.1 item. */
|
||||||
|
struct _x509_sequence *next; /**< The next entry in the sequence. */
|
||||||
|
}
|
||||||
|
x509_sequence;
|
||||||
|
|
||||||
/** Container for date and time (precision in seconds). */
|
/** Container for date and time (precision in seconds). */
|
||||||
typedef struct _x509_time
|
typedef struct _x509_time
|
||||||
{
|
{
|
||||||
|
@ -220,9 +360,16 @@ typedef struct _x509_cert
|
||||||
x509_buf subject_id; /**< Optional X.509 v2/v3 subject unique identifier. */
|
x509_buf subject_id; /**< Optional X.509 v2/v3 subject unique identifier. */
|
||||||
x509_buf v3_ext; /**< Optional X.509 v3 extensions. Only Basic Contraints are supported at this time. */
|
x509_buf v3_ext; /**< Optional X.509 v3 extensions. Only Basic Contraints are supported at this time. */
|
||||||
|
|
||||||
|
int ext_types; /**< Bit string containing detected and parsed extensions */
|
||||||
int ca_istrue; /**< Optional Basic Constraint extension value: 1 if this certificate belongs to a CA, 0 otherwise. */
|
int ca_istrue; /**< Optional Basic Constraint extension value: 1 if this certificate belongs to a CA, 0 otherwise. */
|
||||||
int max_pathlen; /**< Optional Basic Constraint extension value: The maximum path length to the root certificate. */
|
int max_pathlen; /**< Optional Basic Constraint extension value: The maximum path length to the root certificate. */
|
||||||
|
|
||||||
|
unsigned char key_usage; /**< Optional key usage extension value: See the values below */
|
||||||
|
|
||||||
|
x509_sequence ext_key_usage; /**< Optional list of extended key usage OIDs. */
|
||||||
|
|
||||||
|
unsigned char ns_cert_type; /**< Optional Netscape certificate type extension value: See the values below */
|
||||||
|
|
||||||
x509_buf sig_oid2; /**< Signature algorithm. Must match sig_oid1. */
|
x509_buf sig_oid2; /**< Signature algorithm. Must match sig_oid1. */
|
||||||
x509_buf sig; /**< Signature: hash of the tbs part signed with the private key. */
|
x509_buf sig; /**< Signature: hash of the tbs part signed with the private key. */
|
||||||
int sig_alg; /**< Internal representation of the signature algorithm, e.g. SIG_RSA_MD2 */
|
int sig_alg; /**< Internal representation of the signature algorithm, e.g. SIG_RSA_MD2 */
|
||||||
|
@ -476,6 +623,28 @@ int x509parse_cert_info( char *buf, size_t size, const char *prefix,
|
||||||
int x509parse_crl_info( char *buf, size_t size, const char *prefix,
|
int x509parse_crl_info( char *buf, size_t size, const char *prefix,
|
||||||
const x509_crl *crl );
|
const x509_crl *crl );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Give an known OID, return its descriptive string.
|
||||||
|
*
|
||||||
|
* \param oid buffer containing the oid
|
||||||
|
*
|
||||||
|
* \return Return a string if the OID is known,
|
||||||
|
* or NULL otherwise.
|
||||||
|
*/
|
||||||
|
const char *x509_oid_get_description( x509_buf *oid );
|
||||||
|
|
||||||
|
/*
|
||||||
|
* \brief Give an OID, return a string version of its OID number.
|
||||||
|
*
|
||||||
|
* \param buf Buffer to write to
|
||||||
|
* \param size Maximum size of buffer
|
||||||
|
* \param oid Buffer containing the OID
|
||||||
|
*
|
||||||
|
* \return The amount of data written to the buffer, or -1 in
|
||||||
|
* case of an error.
|
||||||
|
*/
|
||||||
|
int x509_oid_get_numeric_string( char *buf, size_t size, x509_buf *oid );
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* \brief Check a given x509_time against the system time and check
|
* \brief Check a given x509_time against the system time and check
|
||||||
* if it is valid.
|
* if it is valid.
|
||||||
|
@ -521,6 +690,17 @@ int x509parse_verify( x509_cert *crt,
|
||||||
int (*f_vrfy)(void *, x509_cert *, int, int),
|
int (*f_vrfy)(void *, x509_cert *, int, int),
|
||||||
void *p_vrfy );
|
void *p_vrfy );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Verify the certificate signature
|
||||||
|
*
|
||||||
|
* \param crt a certificate to be verified
|
||||||
|
* \param crl the CRL to verify against
|
||||||
|
*
|
||||||
|
* \return 1 if the certificate is revoked, 0 otherwise
|
||||||
|
*
|
||||||
|
*/
|
||||||
|
int x509parse_revoked( const x509_cert *crt, const x509_crl *crl );
|
||||||
|
|
||||||
/** @} name Functions to verify a certificate */
|
/** @} name Functions to verify a certificate */
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -170,6 +170,89 @@ static int asn1_get_mpi( unsigned char **p,
|
||||||
return( ret );
|
return( ret );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static int asn1_get_bitstring( unsigned char **p, const unsigned char *end,
|
||||||
|
x509_bitstring *bs)
|
||||||
|
{
|
||||||
|
int ret;
|
||||||
|
|
||||||
|
/* Certificate type is a single byte bitstring */
|
||||||
|
if( ( ret = asn1_get_tag( p, end, &bs->len, ASN1_BIT_STRING ) ) != 0 )
|
||||||
|
return( ret );
|
||||||
|
|
||||||
|
/* Check length, subtract one for actual bit string length */
|
||||||
|
if ( bs->len < 1 )
|
||||||
|
return( POLARSSL_ERR_ASN1_OUT_OF_DATA );
|
||||||
|
bs->len -= 1;
|
||||||
|
|
||||||
|
/* Get number of unused bits, ensure unused bits <= 7 */
|
||||||
|
bs->unused_bits = **p;
|
||||||
|
if( bs->unused_bits > 7 )
|
||||||
|
return( POLARSSL_ERR_ASN1_INVALID_LENGTH );
|
||||||
|
(*p)++;
|
||||||
|
|
||||||
|
/* Get actual bitstring */
|
||||||
|
bs->p = *p;
|
||||||
|
*p += bs->len;
|
||||||
|
|
||||||
|
if( *p != end )
|
||||||
|
return( POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Parses and splits an ASN.1 "SEQUENCE OF <tag>"
|
||||||
|
*/
|
||||||
|
static int asn1_get_sequence_of( unsigned char **p,
|
||||||
|
const unsigned char *end,
|
||||||
|
x509_sequence *cur,
|
||||||
|
int tag)
|
||||||
|
{
|
||||||
|
int ret, len;
|
||||||
|
x509_buf *buf;
|
||||||
|
|
||||||
|
/* Get main sequence tag */
|
||||||
|
if( ( ret = asn1_get_tag( p, end, &len,
|
||||||
|
ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
|
||||||
|
return( ret );
|
||||||
|
|
||||||
|
if( *p + len != end )
|
||||||
|
return( POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
|
||||||
|
|
||||||
|
while( *p < end )
|
||||||
|
{
|
||||||
|
buf = &(cur->buf);
|
||||||
|
buf->tag = **p;
|
||||||
|
|
||||||
|
if( ( ret = asn1_get_tag( p, end, &buf->len, tag ) ) != 0 )
|
||||||
|
return( ret );
|
||||||
|
|
||||||
|
buf->p = *p;
|
||||||
|
*p += buf->len;
|
||||||
|
|
||||||
|
/* Allocate and assign next pointer */
|
||||||
|
if (*p < end)
|
||||||
|
{
|
||||||
|
cur->next = (x509_sequence *) malloc(
|
||||||
|
sizeof( x509_sequence ) );
|
||||||
|
|
||||||
|
if( cur->next == NULL )
|
||||||
|
return( 1 );
|
||||||
|
|
||||||
|
cur = cur->next;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Set final sequence entry's next pointer to NULL */
|
||||||
|
cur->next = NULL;
|
||||||
|
|
||||||
|
if( *p != end )
|
||||||
|
return( POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
|
||||||
|
|
||||||
|
return( 0 );
|
||||||
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Version ::= INTEGER { v1(0), v2(1), v3(2) }
|
* Version ::= INTEGER { v1(0), v2(1), v3(2) }
|
||||||
*/
|
*/
|
||||||
|
@ -524,6 +607,7 @@ static int x509_get_sig( unsigned char **p,
|
||||||
if( ( ret = asn1_get_tag( p, end, &len, ASN1_BIT_STRING ) ) != 0 )
|
if( ( ret = asn1_get_tag( p, end, &len, ASN1_BIT_STRING ) ) != 0 )
|
||||||
return( POLARSSL_ERR_X509_CERT_INVALID_SIGNATURE | ret );
|
return( POLARSSL_ERR_X509_CERT_INVALID_SIGNATURE | ret );
|
||||||
|
|
||||||
|
|
||||||
if( --len < 1 || *(*p)++ != 0 )
|
if( --len < 1 || *(*p)++ != 0 )
|
||||||
return( POLARSSL_ERR_X509_CERT_INVALID_SIGNATURE );
|
return( POLARSSL_ERR_X509_CERT_INVALID_SIGNATURE );
|
||||||
|
|
||||||
|
@ -638,21 +722,132 @@ static int x509_get_crl_ext( unsigned char **p,
|
||||||
return( 0 );
|
return( 0 );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static int x509_get_basic_constraints( unsigned char **p,
|
||||||
|
const unsigned char *end,
|
||||||
|
int is_critical,
|
||||||
|
int *ca_istrue,
|
||||||
|
int *max_pathlen )
|
||||||
|
{
|
||||||
|
int ret, len;
|
||||||
|
|
||||||
|
/*
|
||||||
|
* BasicConstraints ::= SEQUENCE {
|
||||||
|
* cA BOOLEAN DEFAULT FALSE,
|
||||||
|
* pathLenConstraint INTEGER (0..MAX) OPTIONAL }
|
||||||
|
*/
|
||||||
|
int is_cacert = 0; /* DEFAULT FALSE */
|
||||||
|
*max_pathlen = 0; /* endless */
|
||||||
|
|
||||||
|
if( ( ret = asn1_get_tag( p, end, &len,
|
||||||
|
ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
|
||||||
|
return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS | ret );
|
||||||
|
|
||||||
|
if( *p == end )
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
if( ( ret = asn1_get_bool( p, end, &is_cacert ) ) != 0 )
|
||||||
|
{
|
||||||
|
if( ret == POLARSSL_ERR_ASN1_UNEXPECTED_TAG )
|
||||||
|
ret = asn1_get_int( p, end, &is_cacert );
|
||||||
|
|
||||||
|
if( ret != 0 )
|
||||||
|
return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS | ret );
|
||||||
|
|
||||||
|
if( is_cacert != 0 )
|
||||||
|
is_cacert = 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
if( *p == end )
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
if( ( ret = asn1_get_int( p, end, max_pathlen ) ) != 0 )
|
||||||
|
return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS | ret );
|
||||||
|
|
||||||
|
if( *p != end )
|
||||||
|
return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS |
|
||||||
|
POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
|
||||||
|
|
||||||
|
(*max_pathlen)++;
|
||||||
|
|
||||||
|
*ca_istrue = is_critical & is_cacert;
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
static int x509_get_ns_cert_type( unsigned char **p,
|
||||||
|
const unsigned char *end,
|
||||||
|
unsigned char *ns_cert_type)
|
||||||
|
{
|
||||||
|
int ret;
|
||||||
|
x509_bitstring bs = {0};
|
||||||
|
|
||||||
|
if( ( ret = asn1_get_bitstring( p, end, &bs ) ) != 0 )
|
||||||
|
return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS | ret );
|
||||||
|
|
||||||
|
if( bs.len != 1 )
|
||||||
|
return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS |
|
||||||
|
POLARSSL_ERR_ASN1_INVALID_LENGTH );
|
||||||
|
|
||||||
|
/* Get actual bitstring */
|
||||||
|
*ns_cert_type = *bs.p;
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
static int x509_get_key_usage( unsigned char **p,
|
||||||
|
const unsigned char *end,
|
||||||
|
unsigned char *key_usage)
|
||||||
|
{
|
||||||
|
int ret;
|
||||||
|
x509_bitstring bs = {0};
|
||||||
|
|
||||||
|
if( ( ret = asn1_get_bitstring( p, end, &bs ) ) != 0 )
|
||||||
|
return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS | ret );
|
||||||
|
|
||||||
|
if( bs.len != 1 )
|
||||||
|
return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS |
|
||||||
|
POLARSSL_ERR_ASN1_INVALID_LENGTH );
|
||||||
|
|
||||||
|
/* Get actual bitstring */
|
||||||
|
*key_usage = *bs.p;
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* X.509 v3 extensions (only BasicConstraints are parsed)
|
* ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
|
||||||
|
*
|
||||||
|
* KeyPurposeId ::= OBJECT IDENTIFIER
|
||||||
|
*/
|
||||||
|
static int x509_get_ext_key_usage( unsigned char **p,
|
||||||
|
const unsigned char *end,
|
||||||
|
x509_sequence *ext_key_usage)
|
||||||
|
{
|
||||||
|
int ret;
|
||||||
|
|
||||||
|
if( ( ret = asn1_get_sequence_of( p, end, ext_key_usage, ASN1_OID ) ) != 0 )
|
||||||
|
return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS | ret );
|
||||||
|
|
||||||
|
/* Sequence length must be >= 1 */
|
||||||
|
if( ext_key_usage->buf.p == NULL )
|
||||||
|
return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS |
|
||||||
|
POLARSSL_ERR_ASN1_INVALID_LENGTH );
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* X.509 v3 extensions
|
||||||
|
*
|
||||||
|
* TODO: Perform all of the basic constraints tests required by the RFC
|
||||||
|
* TODO: Set values for undetected extensions to a sane default?
|
||||||
|
*
|
||||||
*/
|
*/
|
||||||
static int x509_get_crt_ext( unsigned char **p,
|
static int x509_get_crt_ext( unsigned char **p,
|
||||||
const unsigned char *end,
|
const unsigned char *end,
|
||||||
x509_buf *ext,
|
x509_cert *crt )
|
||||||
int *ca_istrue,
|
|
||||||
int *max_pathlen )
|
|
||||||
{
|
{
|
||||||
int ret, len;
|
int ret, len;
|
||||||
int is_critical = 1;
|
|
||||||
int is_cacert = 0;
|
|
||||||
unsigned char *end_ext_data, *end_ext_octet;
|
unsigned char *end_ext_data, *end_ext_octet;
|
||||||
|
|
||||||
if( ( ret = x509_get_ext( p, end, ext ) ) != 0 )
|
if( ( ret = x509_get_ext( p, end, &crt->v3_ext ) ) != 0 )
|
||||||
{
|
{
|
||||||
if( ret == POLARSSL_ERR_ASN1_UNEXPECTED_TAG )
|
if( ret == POLARSSL_ERR_ASN1_UNEXPECTED_TAG )
|
||||||
return( 0 );
|
return( 0 );
|
||||||
|
@ -662,77 +857,107 @@ static int x509_get_crt_ext( unsigned char **p,
|
||||||
|
|
||||||
while( *p < end )
|
while( *p < end )
|
||||||
{
|
{
|
||||||
|
/*
|
||||||
|
* Extension ::= SEQUENCE {
|
||||||
|
* extnID OBJECT IDENTIFIER,
|
||||||
|
* critical BOOLEAN DEFAULT FALSE,
|
||||||
|
* extnValue OCTET STRING }
|
||||||
|
*/
|
||||||
|
x509_buf extn_oid = {0, 0, NULL};
|
||||||
|
int is_critical = 0; /* DEFAULT FALSE */
|
||||||
|
|
||||||
if( ( ret = asn1_get_tag( p, end, &len,
|
if( ( ret = asn1_get_tag( p, end, &len,
|
||||||
ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
|
ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
|
||||||
return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS | ret );
|
return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS | ret );
|
||||||
|
|
||||||
end_ext_data = *p + len;
|
end_ext_data = *p + len;
|
||||||
|
|
||||||
if( memcmp( *p, "\x06\x03\x55\x1D\x13", 5 ) != 0 )
|
/* Get extension ID */
|
||||||
{
|
extn_oid.tag = **p;
|
||||||
*p += len;
|
|
||||||
continue;
|
|
||||||
}
|
|
||||||
|
|
||||||
*p += 5;
|
if( ( ret = asn1_get_tag( p, end, &extn_oid.len, ASN1_OID ) ) != 0 )
|
||||||
|
return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS | ret );
|
||||||
|
|
||||||
|
extn_oid.p = *p;
|
||||||
|
*p += extn_oid.len;
|
||||||
|
|
||||||
|
if( ( end - *p ) < 1 )
|
||||||
|
return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS |
|
||||||
|
POLARSSL_ERR_ASN1_OUT_OF_DATA );
|
||||||
|
|
||||||
|
/* Get optional critical */
|
||||||
if( ( ret = asn1_get_bool( p, end_ext_data, &is_critical ) ) != 0 &&
|
if( ( ret = asn1_get_bool( p, end_ext_data, &is_critical ) ) != 0 &&
|
||||||
( ret != POLARSSL_ERR_ASN1_UNEXPECTED_TAG ) )
|
( ret != POLARSSL_ERR_ASN1_UNEXPECTED_TAG ) )
|
||||||
return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS | ret );
|
return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS | ret );
|
||||||
|
|
||||||
|
/* Data should be octet string type */
|
||||||
if( ( ret = asn1_get_tag( p, end_ext_data, &len,
|
if( ( ret = asn1_get_tag( p, end_ext_data, &len,
|
||||||
ASN1_OCTET_STRING ) ) != 0 )
|
ASN1_OCTET_STRING ) ) != 0 )
|
||||||
return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS | ret );
|
return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS | ret );
|
||||||
|
|
||||||
/*
|
|
||||||
* BasicConstraints ::= SEQUENCE {
|
|
||||||
* cA BOOLEAN DEFAULT FALSE,
|
|
||||||
* pathLenConstraint INTEGER (0..MAX) OPTIONAL }
|
|
||||||
*/
|
|
||||||
end_ext_octet = *p + len;
|
end_ext_octet = *p + len;
|
||||||
|
|
||||||
if( end_ext_octet != end_ext_data )
|
if( end_ext_octet != end_ext_data )
|
||||||
return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS |
|
return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS |
|
||||||
POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
|
POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
|
||||||
|
|
||||||
if( ( ret = asn1_get_tag( p, end_ext_octet, &len,
|
/*
|
||||||
ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
|
* Detect supported extensions
|
||||||
return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS | ret );
|
*/
|
||||||
|
if( ( OID_SIZE( OID_BASIC_CONSTRAINTS ) == extn_oid.len ) &&
|
||||||
if( *p == end_ext_octet )
|
memcmp( extn_oid.p, OID_BASIC_CONSTRAINTS, extn_oid.len ) == 0 )
|
||||||
continue;
|
|
||||||
|
|
||||||
if( ( ret = asn1_get_bool( p, end_ext_octet, &is_cacert ) ) != 0 )
|
|
||||||
{
|
{
|
||||||
if( ret == POLARSSL_ERR_ASN1_UNEXPECTED_TAG )
|
/* Parse basic constraints */
|
||||||
ret = asn1_get_int( p, end_ext_octet, &is_cacert );
|
if( ( ret = x509_get_basic_constraints( p, end_ext_octet,
|
||||||
|
is_critical, &crt->ca_istrue, &crt->max_pathlen ) ) != 0 )
|
||||||
if( ret != 0 )
|
return ( ret );
|
||||||
return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS | ret );
|
crt->ext_types |= EXT_BASIC_CONSTRAINTS;
|
||||||
|
|
||||||
if( is_cacert != 0 )
|
|
||||||
is_cacert = 1;
|
|
||||||
}
|
}
|
||||||
|
else if( ( OID_SIZE( OID_NS_CERT_TYPE ) == extn_oid.len ) &&
|
||||||
|
memcmp( extn_oid.p, OID_NS_CERT_TYPE, extn_oid.len ) == 0 )
|
||||||
|
{
|
||||||
|
/* Parse netscape certificate type */
|
||||||
|
if( ( ret = x509_get_ns_cert_type( p, end_ext_octet,
|
||||||
|
&crt->ns_cert_type ) ) != 0 )
|
||||||
|
return ( ret );
|
||||||
|
crt->ext_types |= EXT_NS_CERT_TYPE;
|
||||||
|
}
|
||||||
|
else if( ( OID_SIZE( OID_KEY_USAGE ) == extn_oid.len ) &&
|
||||||
|
memcmp( extn_oid.p, OID_KEY_USAGE, extn_oid.len ) == 0 )
|
||||||
|
{
|
||||||
|
/* Parse key usage */
|
||||||
|
if( ( ret = x509_get_key_usage( p, end_ext_octet,
|
||||||
|
&crt->key_usage ) ) != 0 )
|
||||||
|
return ( ret );
|
||||||
|
crt->ext_types |= EXT_KEY_USAGE;
|
||||||
|
}
|
||||||
|
else if( ( OID_SIZE( OID_EXTENDED_KEY_USAGE ) == extn_oid.len ) &&
|
||||||
|
memcmp( extn_oid.p, OID_EXTENDED_KEY_USAGE, extn_oid.len ) == 0 )
|
||||||
|
{
|
||||||
|
/* Parse extended key usage */
|
||||||
|
if( ( ret = x509_get_ext_key_usage( p, end_ext_octet,
|
||||||
|
&crt->ext_key_usage ) ) != 0 )
|
||||||
|
return ( ret );
|
||||||
|
crt->ext_types |= EXT_EXTENDED_KEY_USAGE;
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
/* No parser found, skip extension */
|
||||||
|
*p = end_ext_octet;
|
||||||
|
|
||||||
if( *p == end_ext_octet )
|
if( is_critical )
|
||||||
continue;
|
{
|
||||||
|
/* Data is marked as critical: fail */
|
||||||
if( ( ret = asn1_get_int( p, end_ext_octet, max_pathlen ) ) != 0 )
|
return ( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS |
|
||||||
return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS | ret );
|
POLARSSL_ERR_ASN1_UNEXPECTED_TAG );
|
||||||
|
}
|
||||||
if( *p != end_ext_octet )
|
}
|
||||||
return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS |
|
|
||||||
POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
|
|
||||||
|
|
||||||
max_pathlen++;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if( *p != end )
|
if( *p != end )
|
||||||
return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS |
|
return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS |
|
||||||
POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
|
POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
|
||||||
|
|
||||||
*ca_istrue = is_critical & is_cacert;
|
|
||||||
|
|
||||||
return( 0 );
|
return( 0 );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -783,7 +1008,8 @@ static int x509_get_entries( unsigned char **p,
|
||||||
if( ( ret = x509_get_crl_ext( p, end, &cur_entry->entry_ext ) ) != 0 )
|
if( ( ret = x509_get_crl_ext( p, end, &cur_entry->entry_ext ) ) != 0 )
|
||||||
return( ret );
|
return( ret );
|
||||||
|
|
||||||
if ( *p < end ) {
|
if ( *p < end )
|
||||||
|
{
|
||||||
cur_entry->next = malloc( sizeof( x509_crl_entry ) );
|
cur_entry->next = malloc( sizeof( x509_crl_entry ) );
|
||||||
cur_entry = cur_entry->next;
|
cur_entry = cur_entry->next;
|
||||||
memset( cur_entry, 0, sizeof( x509_crl_entry ) );
|
memset( cur_entry, 0, sizeof( x509_crl_entry ) );
|
||||||
|
@ -1099,8 +1325,7 @@ int x509parse_crt( x509_cert *chain, const unsigned char *buf, int buflen )
|
||||||
|
|
||||||
if( crt->version == 3 )
|
if( crt->version == 3 )
|
||||||
{
|
{
|
||||||
ret = x509_get_crt_ext( &p, end, &crt->v3_ext,
|
ret = x509_get_crt_ext( &p, end, crt);
|
||||||
&crt->ca_istrue, &crt->max_pathlen );
|
|
||||||
if( ret != 0 )
|
if( ret != 0 )
|
||||||
{
|
{
|
||||||
x509_free( crt );
|
x509_free( crt );
|
||||||
|
@ -2006,7 +2231,8 @@ int x509parse_dn_gets( char *buf, size_t size, const x509_name *dn )
|
||||||
|
|
||||||
while( name != NULL )
|
while( name != NULL )
|
||||||
{
|
{
|
||||||
if( name != dn ) {
|
if( name != dn )
|
||||||
|
{
|
||||||
ret = snprintf( p, n, ", " );
|
ret = snprintf( p, n, ", " );
|
||||||
SAFE_SNPRINTF();
|
SAFE_SNPRINTF();
|
||||||
}
|
}
|
||||||
|
@ -2055,9 +2281,9 @@ int x509parse_dn_gets( char *buf, size_t size, const x509_name *dn )
|
||||||
SAFE_SNPRINTF();
|
SAFE_SNPRINTF();
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
ret = snprintf( p, n, "\?\?=" );
|
ret = snprintf( p, n, "\?\?=" );
|
||||||
SAFE_SNPRINTF();
|
SAFE_SNPRINTF();
|
||||||
}
|
}
|
||||||
|
|
||||||
for( i = 0; i < name->val.len; i++ )
|
for( i = 0; i < name->val.len; i++ )
|
||||||
|
@ -2156,6 +2382,76 @@ int x509parse_cert_info( char *buf, size_t size, const char *prefix,
|
||||||
return( size - n );
|
return( size - n );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* Compare a given OID string with an OID x509_buf * */
|
||||||
|
#define OID_CMP(oid_str, oid_buf) \
|
||||||
|
( ( OID_SIZE(oid_str) == (oid_buf)->len ) && \
|
||||||
|
memcmp( (oid_str), (oid_buf)->p, (oid_buf)->len) == 0)
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Return an informational string describing the given OID
|
||||||
|
*/
|
||||||
|
const char *x509_oid_get_description( x509_buf *oid )
|
||||||
|
{
|
||||||
|
if ( oid == NULL )
|
||||||
|
return ( NULL );
|
||||||
|
|
||||||
|
else if( OID_CMP( OID_SERVER_AUTH, oid ) )
|
||||||
|
return( STRING_SERVER_AUTH );
|
||||||
|
|
||||||
|
else if( OID_CMP( OID_CLIENT_AUTH, oid ) )
|
||||||
|
return( STRING_CLIENT_AUTH );
|
||||||
|
|
||||||
|
else if( OID_CMP( OID_CODE_SIGNING, oid ) )
|
||||||
|
return( STRING_CODE_SIGNING );
|
||||||
|
|
||||||
|
else if( OID_CMP( OID_EMAIL_PROTECTION, oid ) )
|
||||||
|
return( STRING_EMAIL_PROTECTION );
|
||||||
|
|
||||||
|
else if( OID_CMP( OID_TIME_STAMPING, oid ) )
|
||||||
|
return( STRING_TIME_STAMPING );
|
||||||
|
|
||||||
|
else if( OID_CMP( OID_OCSP_SIGNING, oid ) )
|
||||||
|
return( STRING_OCSP_SIGNING );
|
||||||
|
|
||||||
|
return( NULL );
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Return the x.y.z.... style numeric string for the given OID */
|
||||||
|
int x509_oid_get_numeric_string( char *buf, size_t size, x509_buf *oid )
|
||||||
|
{
|
||||||
|
int ret, n, i;
|
||||||
|
unsigned int value;
|
||||||
|
char *p;
|
||||||
|
|
||||||
|
p = buf;
|
||||||
|
n = size;
|
||||||
|
|
||||||
|
/* First byte contains first two dots */
|
||||||
|
if( oid->len > 0 )
|
||||||
|
{
|
||||||
|
ret = snprintf( p, n, "%d.%d", oid->p[0]/40, oid->p[0]%40 );
|
||||||
|
SAFE_SNPRINTF();
|
||||||
|
}
|
||||||
|
|
||||||
|
/* TODO: value can overflow in value. */
|
||||||
|
value = 0;
|
||||||
|
for( i=1; i < oid->len; i++ )
|
||||||
|
{
|
||||||
|
value <<= 7;
|
||||||
|
value += oid->p[i] & 0x7F;
|
||||||
|
|
||||||
|
if( !( oid->p[i] & 0x80 ) )
|
||||||
|
{
|
||||||
|
/* Last byte */
|
||||||
|
ret = snprintf( p, n, ".%d", value );
|
||||||
|
SAFE_SNPRINTF();
|
||||||
|
value = 0;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return( size - n );
|
||||||
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Return an informational string about the CRL.
|
* Return an informational string about the CRL.
|
||||||
*/
|
*/
|
||||||
|
@ -2207,7 +2503,8 @@ int x509parse_crl_info( char *buf, size_t size, const char *prefix,
|
||||||
nr = ( entry->serial.len <= 32 )
|
nr = ( entry->serial.len <= 32 )
|
||||||
? entry->serial.len : 32;
|
? entry->serial.len : 32;
|
||||||
|
|
||||||
for( i = 0; i < nr; i++ ) {
|
for( i = 0; i < nr; i++ )
|
||||||
|
{
|
||||||
ret = snprintf( p, n, "%02X%s",
|
ret = snprintf( p, n, "%02X%s",
|
||||||
entry->serial.p[i], ( i < nr - 1 ) ? ":" : "" );
|
entry->serial.p[i], ( i < nr - 1 ) ? ":" : "" );
|
||||||
SAFE_SNPRINTF();
|
SAFE_SNPRINTF();
|
||||||
|
@ -2402,7 +2699,8 @@ int x509parse_verify( x509_cert *crt,
|
||||||
verify_ok = 0;
|
verify_ok = 0;
|
||||||
|
|
||||||
/* crt is verified to be a child of the parent cur, call verify callback */
|
/* crt is verified to be a child of the parent cur, call verify callback */
|
||||||
if( NULL != f_vrfy ) {
|
if( NULL != f_vrfy )
|
||||||
|
{
|
||||||
if ( f_vrfy( p_vrfy, crt, pathlen-1, verify_ok ) != 0 )
|
if ( f_vrfy( p_vrfy, crt, pathlen-1, verify_ok ) != 0 )
|
||||||
return( POLARSSL_ERR_X509_CERT_VERIFY_FAILED );
|
return( POLARSSL_ERR_X509_CERT_VERIFY_FAILED );
|
||||||
} else if ( verify_ok == 0 ) {
|
} else if ( verify_ok == 0 ) {
|
||||||
|
@ -2509,7 +2807,8 @@ int x509parse_verify( x509_cert *crt,
|
||||||
|
|
||||||
|
|
||||||
/* Verification succeeded, call callback on top cert */
|
/* Verification succeeded, call callback on top cert */
|
||||||
if( NULL != f_vrfy ) {
|
if( NULL != f_vrfy )
|
||||||
|
{
|
||||||
if ( f_vrfy(p_vrfy, crt, pathlen - 1, 1) != 0 )
|
if ( f_vrfy(p_vrfy, crt, pathlen - 1, 1) != 0 )
|
||||||
return( POLARSSL_ERR_X509_CERT_VERIFY_FAILED );
|
return( POLARSSL_ERR_X509_CERT_VERIFY_FAILED );
|
||||||
}
|
}
|
||||||
|
@ -2526,6 +2825,8 @@ void x509_free( x509_cert *crt )
|
||||||
x509_cert *cert_prv;
|
x509_cert *cert_prv;
|
||||||
x509_name *name_cur;
|
x509_name *name_cur;
|
||||||
x509_name *name_prv;
|
x509_name *name_prv;
|
||||||
|
x509_sequence *seq_cur;
|
||||||
|
x509_sequence *seq_prv;
|
||||||
|
|
||||||
if( crt == NULL )
|
if( crt == NULL )
|
||||||
return;
|
return;
|
||||||
|
@ -2552,6 +2853,15 @@ void x509_free( x509_cert *crt )
|
||||||
free( name_prv );
|
free( name_prv );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
seq_cur = cert_cur->ext_key_usage.next;
|
||||||
|
while( seq_cur != NULL )
|
||||||
|
{
|
||||||
|
seq_prv = seq_cur;
|
||||||
|
seq_cur = seq_cur->next;
|
||||||
|
memset( seq_prv, 0, sizeof( x509_sequence ) );
|
||||||
|
free( seq_prv );
|
||||||
|
}
|
||||||
|
|
||||||
if( cert_cur->raw.p != NULL )
|
if( cert_cur->raw.p != NULL )
|
||||||
{
|
{
|
||||||
memset( cert_cur->raw.p, 0, cert_cur->raw.len );
|
memset( cert_cur->raw.p, 0, cert_cur->raw.len );
|
||||||
|
|
Loading…
Reference in a new issue