2001-11-06 18:34:19 +00:00
|
|
|
/*
|
2002-01-17 11:44:27 +00:00
|
|
|
* pkcs15-cert.c: PKCS #15 certificate functions
|
2001-11-01 15:43:20 +00:00
|
|
|
*
|
2006-12-19 21:31:17 +00:00
|
|
|
* Copyright (C) 2001, 2002 Juha Yrjölä <juha.yrjola@iki.fi>
|
2001-11-06 18:34:19 +00:00
|
|
|
*
|
|
|
|
|
* This library is free software; you can redistribute it and/or
|
|
|
|
|
* modify it under the terms of the GNU Lesser General Public
|
|
|
|
|
* License as published by the Free Software Foundation; either
|
|
|
|
|
* version 2.1 of the License, or (at your option) any later version.
|
|
|
|
|
*
|
|
|
|
|
* This library is distributed in the hope that it will be useful,
|
2001-11-01 15:43:20 +00:00
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
2001-11-06 18:34:19 +00:00
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
|
|
|
* Lesser General Public License for more details.
|
2001-11-01 15:43:20 +00:00
|
|
|
*
|
2001-11-06 18:34:19 +00:00
|
|
|
* You should have received a copy of the GNU Lesser General Public
|
|
|
|
|
* License along with this library; if not, write to the Free Software
|
|
|
|
|
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
2001-11-01 15:43:20 +00:00
|
|
|
*/
|
|
|
|
|
|
2015-04-22 21:55:33 +00:00
|
|
|
#if HAVE_CONFIG_H
|
2010-03-04 08:14:36 +00:00
|
|
|
#include "config.h"
|
2015-04-22 21:55:33 +00:00
|
|
|
#endif
|
2010-03-04 08:14:36 +00:00
|
|
|
|
2001-11-01 15:43:20 +00:00
|
|
|
#include <stdlib.h>
|
|
|
|
|
#include <string.h>
|
|
|
|
|
#include <stdio.h>
|
2001-12-11 14:52:17 +00:00
|
|
|
#include <sys/stat.h>
|
2002-10-19 14:04:52 +00:00
|
|
|
#ifdef HAVE_UNISTD_H
|
2001-12-11 14:52:17 +00:00
|
|
|
#include <unistd.h>
|
2002-06-14 12:52:56 +00:00
|
|
|
#endif
|
2001-11-01 15:43:20 +00:00
|
|
|
#include <assert.h>
|
|
|
|
|
|
2010-03-04 08:14:36 +00:00
|
|
|
#include "internal.h"
|
|
|
|
|
#include "asn1.h"
|
|
|
|
|
#include "pkcs15.h"
|
|
|
|
|
|
2012-09-30 20:38:27 +00:00
|
|
|
static int
|
2012-12-25 19:05:45 +00:00
|
|
|
parse_x509_cert(sc_context_t *ctx, struct sc_pkcs15_der *der, struct sc_pkcs15_cert *cert)
|
2001-12-29 19:03:46 +00:00
|
|
|
{
|
|
|
|
|
int r;
|
2010-11-08 17:05:40 +00:00
|
|
|
struct sc_algorithm_id sig_alg;
|
2012-12-25 19:05:45 +00:00
|
|
|
struct sc_pkcs15_pubkey *pubkey = NULL;
|
2013-03-17 12:35:45 +00:00
|
|
|
unsigned char *serial = NULL, *issuer = NULL, *subject = NULL, *buf = der->value;
|
|
|
|
|
size_t serial_len = 0, issuer_len = 0, subject_len = 0, data_len = 0, buflen = der->len;
|
2002-01-10 12:33:56 +00:00
|
|
|
struct sc_asn1_entry asn1_version[] = {
|
2006-01-20 20:52:36 +00:00
|
|
|
{ "version", SC_ASN1_INTEGER, SC_ASN1_TAG_INTEGER, 0, &cert->version, NULL },
|
2005-08-05 07:24:43 +00:00
|
|
|
{ NULL, 0, 0, 0, NULL, NULL }
|
2001-12-29 19:03:46 +00:00
|
|
|
};
|
2002-04-21 18:54:10 +00:00
|
|
|
struct sc_asn1_entry asn1_extensions[] = {
|
2016-08-15 11:38:29 +00:00
|
|
|
{ "x509v3", SC_ASN1_OCTET_STRING, SC_ASN1_TAG_SEQUENCE | SC_ASN1_CONS, SC_ASN1_OPTIONAL| SC_ASN1_ALLOC, &cert->extensions, &cert->extensions_len },
|
2005-08-05 07:24:43 +00:00
|
|
|
{ NULL, 0, 0, 0, NULL, NULL }
|
2002-04-21 18:54:10 +00:00
|
|
|
};
|
2002-01-10 12:33:56 +00:00
|
|
|
struct sc_asn1_entry asn1_tbscert[] = {
|
2005-08-05 07:24:43 +00:00
|
|
|
{ "version", SC_ASN1_STRUCT, SC_ASN1_CTX | 0 | SC_ASN1_CONS, SC_ASN1_OPTIONAL, asn1_version, NULL },
|
2010-05-25 08:06:28 +00:00
|
|
|
{ "serialNumber", SC_ASN1_OCTET_STRING, SC_ASN1_TAG_INTEGER, SC_ASN1_ALLOC, &serial, &serial_len },
|
2006-01-20 20:52:36 +00:00
|
|
|
{ "signature", SC_ASN1_STRUCT, SC_ASN1_TAG_SEQUENCE | SC_ASN1_CONS, 0, NULL, NULL },
|
2013-03-17 12:35:45 +00:00
|
|
|
{ "issuer", SC_ASN1_OCTET_STRING, SC_ASN1_TAG_SEQUENCE | SC_ASN1_CONS, SC_ASN1_ALLOC, &issuer, &issuer_len },
|
2006-01-20 20:52:36 +00:00
|
|
|
{ "validity", SC_ASN1_STRUCT, SC_ASN1_TAG_SEQUENCE | SC_ASN1_CONS, 0, NULL, NULL },
|
2013-03-17 12:35:45 +00:00
|
|
|
{ "subject", SC_ASN1_OCTET_STRING, SC_ASN1_TAG_SEQUENCE | SC_ASN1_CONS, SC_ASN1_ALLOC, &subject, &subject_len },
|
2010-11-08 17:05:40 +00:00
|
|
|
/* Use a callback to get the algorithm, parameters and pubkey into sc_pkcs15_pubkey */
|
2014-02-16 21:35:52 +00:00
|
|
|
{ "subjectPublicKeyInfo",SC_ASN1_CALLBACK, SC_ASN1_TAG_SEQUENCE | SC_ASN1_CONS, 0, sc_pkcs15_pubkey_from_spki_fields, &pubkey },
|
2005-08-05 07:24:43 +00:00
|
|
|
{ "extensions", SC_ASN1_STRUCT, SC_ASN1_CTX | 3 | SC_ASN1_CONS, SC_ASN1_OPTIONAL, asn1_extensions, NULL },
|
|
|
|
|
{ NULL, 0, 0, 0, NULL, NULL }
|
2001-12-29 19:03:46 +00:00
|
|
|
};
|
2002-01-10 12:33:56 +00:00
|
|
|
struct sc_asn1_entry asn1_cert[] = {
|
2006-01-20 20:52:36 +00:00
|
|
|
{ "tbsCertificate", SC_ASN1_STRUCT, SC_ASN1_TAG_SEQUENCE | SC_ASN1_CONS, 0, asn1_tbscert, NULL },
|
|
|
|
|
{ "signatureAlgorithm", SC_ASN1_ALGORITHM_ID, SC_ASN1_TAG_SEQUENCE | SC_ASN1_CONS, 0, &sig_alg, NULL },
|
|
|
|
|
{ "signatureValue", SC_ASN1_BIT_STRING, SC_ASN1_TAG_BIT_STRING, 0, NULL, NULL },
|
2005-08-05 07:24:43 +00:00
|
|
|
{ NULL, 0, 0, 0, NULL, NULL }
|
2001-12-29 19:03:46 +00:00
|
|
|
};
|
2010-05-25 08:06:28 +00:00
|
|
|
struct sc_asn1_entry asn1_serial_number[] = {
|
2010-06-21 10:49:58 +00:00
|
|
|
{ "serialNumber", SC_ASN1_OCTET_STRING, SC_ASN1_TAG_INTEGER, SC_ASN1_ALLOC, NULL, NULL },
|
2010-05-25 08:06:28 +00:00
|
|
|
{ NULL, 0, 0, 0, NULL, NULL }
|
|
|
|
|
};
|
2013-03-17 12:35:45 +00:00
|
|
|
struct sc_asn1_entry asn1_subject[] = {
|
|
|
|
|
{ "subject", SC_ASN1_OCTET_STRING, SC_ASN1_TAG_SEQUENCE | SC_ASN1_CONS, SC_ASN1_ALLOC, NULL, NULL },
|
|
|
|
|
{ NULL, 0, 0, 0, NULL, NULL }
|
|
|
|
|
};
|
|
|
|
|
struct sc_asn1_entry asn1_issuer[] = {
|
|
|
|
|
{ "issuer", SC_ASN1_OCTET_STRING, SC_ASN1_TAG_SEQUENCE | SC_ASN1_CONS, SC_ASN1_ALLOC, NULL, NULL },
|
|
|
|
|
{ NULL, 0, 0, 0, NULL, NULL }
|
|
|
|
|
};
|
|
|
|
|
|
2001-12-29 19:03:46 +00:00
|
|
|
const u8 *obj;
|
|
|
|
|
size_t objlen;
|
2012-09-30 20:38:27 +00:00
|
|
|
|
2020-09-01 14:43:39 +00:00
|
|
|
LOG_FUNC_CALLED(ctx);
|
|
|
|
|
|
2002-04-17 18:32:06 +00:00
|
|
|
memset(cert, 0, sizeof(*cert));
|
2012-09-30 20:38:27 +00:00
|
|
|
obj = sc_asn1_verify_tag(ctx, buf, buflen, SC_ASN1_TAG_SEQUENCE | SC_ASN1_CONS, &objlen);
|
|
|
|
|
if (obj == NULL)
|
|
|
|
|
LOG_TEST_RET(ctx, SC_ERROR_INVALID_ASN1_OBJECT, "X.509 certificate not found");
|
|
|
|
|
|
2012-12-25 19:05:45 +00:00
|
|
|
data_len = objlen + (obj - buf);
|
|
|
|
|
cert->data.value = malloc(data_len);
|
|
|
|
|
if (!cert->data.value)
|
|
|
|
|
LOG_FUNC_RETURN(ctx, SC_ERROR_OUT_OF_MEMORY);
|
|
|
|
|
memcpy(cert->data.value, buf, data_len);
|
|
|
|
|
cert->data.len = data_len;
|
|
|
|
|
|
2002-01-07 18:23:34 +00:00
|
|
|
r = sc_asn1_decode(ctx, asn1_cert, obj, objlen, NULL, NULL);
|
2018-03-22 13:23:58 +00:00
|
|
|
cert->key = pubkey;
|
2001-12-29 19:03:46 +00:00
|
|
|
cert->version++;
|
|
|
|
|
|
2018-03-22 13:23:58 +00:00
|
|
|
LOG_TEST_GOTO_ERR(ctx, r, "ASN.1 parsing of certificate failed");
|
|
|
|
|
|
2012-12-25 19:05:45 +00:00
|
|
|
if (!pubkey)
|
2018-03-22 13:23:58 +00:00
|
|
|
LOG_TEST_GOTO_ERR(ctx, SC_ERROR_INVALID_ASN1_OBJECT, "Unable to decode subjectPublicKeyInfo from cert");
|
2012-12-25 19:05:45 +00:00
|
|
|
|
2002-04-17 18:32:06 +00:00
|
|
|
|
2010-05-25 08:06:28 +00:00
|
|
|
if (serial && serial_len) {
|
|
|
|
|
sc_format_asn1_entry(asn1_serial_number + 0, serial, &serial_len, 1);
|
|
|
|
|
r = sc_asn1_encode(ctx, asn1_serial_number, &cert->serial, &cert->serial_len);
|
2018-03-22 13:23:58 +00:00
|
|
|
LOG_TEST_GOTO_ERR(ctx, r, "ASN.1 encoding of serial failed");
|
2010-05-25 08:06:28 +00:00
|
|
|
}
|
|
|
|
|
|
2013-03-17 12:35:45 +00:00
|
|
|
if (subject && subject_len) {
|
|
|
|
|
sc_format_asn1_entry(asn1_subject + 0, subject, &subject_len, 1);
|
|
|
|
|
r = sc_asn1_encode(ctx, asn1_subject, &cert->subject, &cert->subject_len);
|
2018-03-22 13:23:58 +00:00
|
|
|
LOG_TEST_GOTO_ERR(ctx, r, "ASN.1 encoding of subject");
|
2013-03-17 12:35:45 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (issuer && issuer_len) {
|
|
|
|
|
sc_format_asn1_entry(asn1_issuer + 0, issuer, &issuer_len, 1);
|
|
|
|
|
r = sc_asn1_encode(ctx, asn1_issuer, &cert->issuer, &cert->issuer_len);
|
2018-03-22 13:23:58 +00:00
|
|
|
LOG_TEST_GOTO_ERR(ctx, r, "ASN.1 encoding of issuer");
|
2013-03-17 12:35:45 +00:00
|
|
|
}
|
|
|
|
|
|
2018-03-22 13:23:58 +00:00
|
|
|
err:
|
2020-09-01 15:19:25 +00:00
|
|
|
/* not used for anything */
|
|
|
|
|
sc_asn1_clear_algorithm_id(&sig_alg);
|
2018-03-22 13:23:58 +00:00
|
|
|
free(serial);
|
|
|
|
|
free(subject);
|
|
|
|
|
free(issuer);
|
|
|
|
|
|
2020-09-01 14:43:39 +00:00
|
|
|
LOG_FUNC_RETURN(ctx, r);
|
2001-11-01 15:43:20 +00:00
|
|
|
}
|
|
|
|
|
|
2012-09-30 20:38:27 +00:00
|
|
|
|
2016-08-15 11:38:29 +00:00
|
|
|
/* Get a component of Distinguished Name (e.i. subject or issuer) USING the oid tag.
|
|
|
|
|
* dn can be either cert->subject or cert->issuer.
|
|
|
|
|
* dn_len would be cert->subject_len or cert->issuer_len.
|
|
|
|
|
*
|
|
|
|
|
* Common types:
|
2016-11-18 17:39:26 +00:00
|
|
|
* CN: struct sc_object_id type = {{2, 5, 4, 3, -1}};
|
|
|
|
|
* Country: struct sc_object_id type = {{2, 5, 4, 6, -1}};
|
|
|
|
|
* L: struct sc_object_id type = {{2, 5, 4, 7, -1}};
|
|
|
|
|
* S: struct sc_object_id type = {{2, 5, 4, 8, -1}};
|
|
|
|
|
* O: struct sc_object_id type = {{2, 5, 4, 10, -1}};
|
|
|
|
|
* OU: struct sc_object_id type = {{2, 5, 4, 11, -1}};
|
2016-08-15 11:38:29 +00:00
|
|
|
*
|
|
|
|
|
* if *name is NULL, sc_pkcs15_get_name_from_dn will allocate space for name.
|
|
|
|
|
*/
|
|
|
|
|
int
|
|
|
|
|
sc_pkcs15_get_name_from_dn(struct sc_context *ctx, const u8 *dn, size_t dn_len,
|
|
|
|
|
const struct sc_object_id *type, u8 **name, size_t *name_len)
|
|
|
|
|
{
|
|
|
|
|
const u8 *rdn = NULL;
|
|
|
|
|
const u8 *next_ava = NULL;
|
|
|
|
|
size_t rdn_len = 0;
|
|
|
|
|
size_t next_ava_len = 0;
|
|
|
|
|
int rv;
|
|
|
|
|
|
|
|
|
|
rdn = sc_asn1_skip_tag(ctx, &dn, &dn_len, SC_ASN1_TAG_SEQUENCE | SC_ASN1_CONS, &rdn_len);
|
|
|
|
|
if (rdn == NULL)
|
2018-04-14 17:38:34 +00:00
|
|
|
LOG_TEST_RET(ctx, SC_ERROR_INVALID_ASN1_OBJECT, "ASN.1 decoding of Distinguished Name");
|
2016-08-15 11:38:29 +00:00
|
|
|
|
|
|
|
|
for (next_ava = rdn, next_ava_len = rdn_len; next_ava_len; ) {
|
|
|
|
|
const u8 *ava, *dummy, *oidp;
|
|
|
|
|
struct sc_object_id oid;
|
|
|
|
|
size_t ava_len, dummy_len, oid_len;
|
|
|
|
|
|
|
|
|
|
/* unwrap the set and point to the next ava */
|
|
|
|
|
ava = sc_asn1_skip_tag(ctx, &next_ava, &next_ava_len, SC_ASN1_TAG_SET | SC_ASN1_CONS, &ava_len);
|
|
|
|
|
if (ava == NULL)
|
|
|
|
|
LOG_TEST_RET(ctx, SC_ERROR_INVALID_ASN1_OBJECT, "ASN.1 decoding of AVA");
|
|
|
|
|
|
|
|
|
|
/* It would be nice to use sc_asn1_decode here to parse the entire AVA, but we are missing 1 critical
|
|
|
|
|
* function in the templates: the ability to accept any tag for value. This prevents us from just
|
|
|
|
|
* grabbing the value as is out of the template. AVA's can have tags of PRINTABLE_STRING,
|
|
|
|
|
* TELETEXSTRING, T61STRING or UTF8_STRING with PRINTABLE_STRING and UTF8_STRING being the most common.
|
|
|
|
|
* The other feature that would be nice is returning a pointer to our requested data using the space
|
|
|
|
|
* of the parent (basically what this code is doing here), rather than allocating and copying.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
/* unwrap the sequence */
|
|
|
|
|
dummy = ava; dummy_len = ava_len;
|
|
|
|
|
ava = sc_asn1_skip_tag(ctx, &dummy, &dummy_len, SC_ASN1_TAG_SEQUENCE | SC_ASN1_CONS, &ava_len);
|
|
|
|
|
if (ava == NULL)
|
|
|
|
|
LOG_TEST_RET(ctx, SC_ERROR_INVALID_ASN1_OBJECT, "ASN.1 decoding of AVA");
|
|
|
|
|
|
|
|
|
|
/* unwrap the oid */
|
|
|
|
|
oidp = sc_asn1_skip_tag(ctx, &ava, &ava_len, SC_ASN1_TAG_OBJECT, &oid_len);
|
|
|
|
|
if (ava == NULL)
|
|
|
|
|
LOG_TEST_RET(ctx, SC_ERROR_INVALID_ASN1_OBJECT, "ASN.1 decoding of AVA OID");
|
|
|
|
|
|
|
|
|
|
/* Convert to OID */
|
|
|
|
|
rv = sc_asn1_decode_object_id(oidp, oid_len, &oid);
|
|
|
|
|
if (rv != SC_SUCCESS)
|
|
|
|
|
LOG_TEST_RET(ctx, SC_ERROR_INVALID_ASN1_OBJECT, "ASN.1 decoding of AVA OID");
|
|
|
|
|
|
|
|
|
|
if (sc_compare_oid(&oid, type) == 0)
|
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
/* Yes, then return the name */
|
|
|
|
|
dummy = sc_asn1_skip_tag(ctx, &ava, &ava_len, ava[0] & SC_ASN1_TAG_PRIMITIVE, &dummy_len);
|
2020-05-18 14:45:24 +00:00
|
|
|
if (dummy == NULL)
|
|
|
|
|
LOG_TEST_RET(ctx, SC_ERROR_INVALID_ASN1_OBJECT, "ASN.1 decoding of AVA name");
|
2016-08-15 11:38:29 +00:00
|
|
|
if (*name == NULL) {
|
|
|
|
|
*name = malloc(dummy_len);
|
|
|
|
|
if (*name == NULL)
|
|
|
|
|
LOG_FUNC_RETURN(ctx, SC_ERROR_OUT_OF_MEMORY);
|
|
|
|
|
*name_len = dummy_len;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
*name_len = MIN(dummy_len, *name_len);
|
|
|
|
|
memcpy(*name, dummy, *name_len);
|
|
|
|
|
LOG_FUNC_RETURN(ctx, SC_SUCCESS);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
LOG_FUNC_RETURN(ctx, SC_ERROR_ASN1_OBJECT_NOT_FOUND);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/* Get a specific extension from the cert.
|
|
|
|
|
* The extension is identified by it's oid value.
|
|
|
|
|
* NOTE: extensions can occur in any number or any order, which is why we
|
|
|
|
|
* can't parse them with a single pass of the asn1 decoder.
|
2018-04-14 17:38:34 +00:00
|
|
|
* If is_critical is supplied, then it is set to 1 if the extension is critical
|
2016-08-15 11:38:29 +00:00
|
|
|
* and 0 if it is not.
|
|
|
|
|
* The data in the extension is extension specific.
|
|
|
|
|
* The following are common extension values:
|
2016-11-18 17:39:26 +00:00
|
|
|
* Subject Key ID: struct sc_object_id type = {{2, 5, 29, 14, -1}};
|
|
|
|
|
* Key Usage: struct sc_object_id type = {{2, 5, 29, 15, -1}};
|
|
|
|
|
* Subject Alt Name: struct sc_object_id type = {{2, 5, 29, 17, -1}};
|
|
|
|
|
* Basic Constraints: struct sc_object_id type = {{2, 5, 29, 19, -1}};
|
|
|
|
|
* CRL Distribution Points: struct sc_object_id type = {{2, 5, 29, 31, -1}};
|
|
|
|
|
* Certificate Policies: struct sc_object_id type = {{2, 5, 29, 32, -1}};
|
|
|
|
|
* Extended Key Usage: struct sc_object_id type = {{2, 5, 29, 37, -1}};
|
2016-08-15 11:38:29 +00:00
|
|
|
*
|
|
|
|
|
* if *ext_val is NULL, sc_pkcs15_get_extension will allocate space for ext_val.
|
|
|
|
|
*/
|
|
|
|
|
int
|
|
|
|
|
sc_pkcs15_get_extension(struct sc_context *ctx, struct sc_pkcs15_cert *cert,
|
|
|
|
|
const struct sc_object_id *type, u8 **ext_val,
|
|
|
|
|
size_t *ext_val_len, int *is_critical)
|
|
|
|
|
{
|
|
|
|
|
const u8 *ext = NULL;
|
|
|
|
|
const u8 *next_ext = NULL;
|
|
|
|
|
size_t ext_len = 0;
|
|
|
|
|
size_t next_ext_len = 0;
|
|
|
|
|
struct sc_object_id oid;
|
2016-11-18 17:39:26 +00:00
|
|
|
u8 *val = NULL;
|
|
|
|
|
size_t val_len = 0;
|
2016-08-15 11:38:29 +00:00
|
|
|
int critical;
|
|
|
|
|
int r;
|
|
|
|
|
struct sc_asn1_entry asn1_cert_ext[] = {
|
|
|
|
|
{ "x509v3 entry OID", SC_ASN1_OBJECT, SC_ASN1_TAG_OBJECT, 0, &oid, 0 },
|
|
|
|
|
{ "criticalFlag", SC_ASN1_BOOLEAN, SC_ASN1_TAG_BOOLEAN, SC_ASN1_OPTIONAL, &critical, NULL },
|
|
|
|
|
{ "extensionValue",SC_ASN1_OCTET_STRING, SC_ASN1_TAG_OCTET_STRING, SC_ASN1_ALLOC, &val, &val_len },
|
|
|
|
|
{ NULL, 0, 0, 0, NULL, NULL }
|
|
|
|
|
};
|
|
|
|
|
|
2019-08-12 12:02:24 +00:00
|
|
|
LOG_FUNC_CALLED(ctx);
|
|
|
|
|
|
2016-08-15 11:38:29 +00:00
|
|
|
for (next_ext = cert->extensions, next_ext_len = cert->extensions_len; next_ext_len; ) {
|
|
|
|
|
/* unwrap the set and point to the next ava */
|
|
|
|
|
ext = sc_asn1_skip_tag(ctx, &next_ext, &next_ext_len,
|
|
|
|
|
SC_ASN1_TAG_SEQUENCE | SC_ASN1_CONS, &ext_len);
|
|
|
|
|
if (ext == NULL)
|
|
|
|
|
LOG_TEST_RET(ctx, SC_ERROR_INVALID_ASN1_OBJECT, "ASN.1 decoding of AVA");
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* use the sc_asn1_decoder for clarity. NOTE it would be more efficient to do this by hand
|
2017-02-27 10:05:12 +00:00
|
|
|
* so we avoid the many malloc/frees here, but one hopes that one day the asn1_decode will allow
|
2016-08-15 11:38:29 +00:00
|
|
|
* a 'static pointer' flag that returns a const pointer to the actual asn1 space so we only need
|
|
|
|
|
* to make a final copy of the extension value before we return */
|
|
|
|
|
critical = 0;
|
|
|
|
|
r = sc_asn1_decode(ctx, asn1_cert_ext, ext, ext_len, NULL, NULL);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
LOG_FUNC_RETURN(ctx, r);
|
|
|
|
|
|
|
|
|
|
/* is it the RN we are looking for */
|
2016-10-10 20:21:46 +00:00
|
|
|
if (sc_compare_oid(&oid, type) != 0) {
|
2016-08-15 11:38:29 +00:00
|
|
|
if (*ext_val == NULL) {
|
2016-10-10 20:21:46 +00:00
|
|
|
*ext_val = val;
|
2016-08-15 11:38:29 +00:00
|
|
|
val = NULL;
|
|
|
|
|
*ext_val_len = val_len;
|
2016-10-10 20:21:46 +00:00
|
|
|
/* do not free here -- return the allocated value to caller */
|
2016-08-15 11:38:29 +00:00
|
|
|
}
|
|
|
|
|
else {
|
|
|
|
|
*ext_val_len = MIN(*ext_val_len, val_len);
|
2019-01-28 08:56:50 +00:00
|
|
|
if (val) {
|
|
|
|
|
memcpy(*ext_val, val, *ext_val_len);
|
|
|
|
|
free(val);
|
|
|
|
|
}
|
2016-08-15 11:38:29 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (is_critical)
|
|
|
|
|
*is_critical = critical;
|
|
|
|
|
|
|
|
|
|
r = val_len;
|
|
|
|
|
LOG_FUNC_RETURN(ctx, r);
|
|
|
|
|
}
|
2016-11-18 17:39:26 +00:00
|
|
|
if (val) {
|
|
|
|
|
free(val);
|
|
|
|
|
val = NULL;
|
|
|
|
|
}
|
2016-08-15 11:38:29 +00:00
|
|
|
}
|
2016-11-18 17:39:26 +00:00
|
|
|
if (val)
|
|
|
|
|
free(val);
|
2016-08-15 11:38:29 +00:00
|
|
|
|
|
|
|
|
LOG_FUNC_RETURN(ctx, SC_ERROR_ASN1_OBJECT_NOT_FOUND);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Get an extension whose value is a bit string. These include keyUsage and extendedKeyUsage.
|
|
|
|
|
* See above for the other parameters.
|
|
|
|
|
*/
|
|
|
|
|
int
|
|
|
|
|
sc_pkcs15_get_bitstring_extension(struct sc_context *ctx,
|
|
|
|
|
struct sc_pkcs15_cert *cert, const struct sc_object_id *type,
|
2017-08-31 19:27:47 +00:00
|
|
|
unsigned int *value, int *is_critical)
|
2016-08-15 11:38:29 +00:00
|
|
|
{
|
|
|
|
|
int r;
|
|
|
|
|
u8 *bit_string = NULL;
|
|
|
|
|
size_t bit_string_len=0, val_len = sizeof(*value);
|
|
|
|
|
struct sc_asn1_entry asn1_bit_string[] = {
|
2017-08-31 19:27:47 +00:00
|
|
|
{ "bitString", SC_ASN1_BIT_FIELD, SC_ASN1_TAG_BIT_STRING, 0, value, &val_len },
|
2016-08-15 11:38:29 +00:00
|
|
|
{ NULL, 0, 0, 0, NULL, NULL }
|
|
|
|
|
};
|
|
|
|
|
|
2019-08-12 12:02:24 +00:00
|
|
|
LOG_FUNC_CALLED(ctx);
|
|
|
|
|
|
2016-08-15 11:38:29 +00:00
|
|
|
r = sc_pkcs15_get_extension(ctx, cert, type, &bit_string, &bit_string_len, is_critical);
|
|
|
|
|
LOG_TEST_RET(ctx, r, "Get extension error");
|
|
|
|
|
|
|
|
|
|
r = sc_asn1_decode(ctx, asn1_bit_string, bit_string, bit_string_len, NULL, NULL);
|
2017-02-27 10:05:12 +00:00
|
|
|
free(bit_string);
|
2020-11-16 11:31:58 +00:00
|
|
|
LOG_TEST_RET(ctx, r, "Decoding extension bit string");
|
2016-08-15 11:38:29 +00:00
|
|
|
|
|
|
|
|
LOG_FUNC_RETURN(ctx, SC_SUCCESS);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2010-10-12 15:26:45 +00:00
|
|
|
int
|
|
|
|
|
sc_pkcs15_pubkey_from_cert(struct sc_context *ctx,
|
|
|
|
|
struct sc_pkcs15_der *cert_blob, struct sc_pkcs15_pubkey **out)
|
|
|
|
|
{
|
|
|
|
|
int rv;
|
|
|
|
|
struct sc_pkcs15_cert * cert;
|
|
|
|
|
|
|
|
|
|
cert = calloc(1, sizeof(struct sc_pkcs15_cert));
|
|
|
|
|
if (cert == NULL)
|
|
|
|
|
return SC_ERROR_OUT_OF_MEMORY;
|
2012-09-30 20:38:27 +00:00
|
|
|
|
2012-12-25 19:05:45 +00:00
|
|
|
rv = parse_x509_cert(ctx, cert_blob, cert);
|
2012-09-30 20:38:27 +00:00
|
|
|
|
2010-10-12 15:26:45 +00:00
|
|
|
*out = cert->key;
|
|
|
|
|
cert->key = NULL;
|
|
|
|
|
sc_pkcs15_free_certificate(cert);
|
|
|
|
|
|
2012-09-30 20:38:27 +00:00
|
|
|
LOG_FUNC_RETURN(ctx, rv);
|
2010-10-12 15:26:45 +00:00
|
|
|
}
|
|
|
|
|
|
2012-09-30 20:38:27 +00:00
|
|
|
|
|
|
|
|
int
|
|
|
|
|
sc_pkcs15_read_certificate(struct sc_pkcs15_card *p15card, const struct sc_pkcs15_cert_info *info,
|
|
|
|
|
struct sc_pkcs15_cert **cert_out)
|
2001-11-01 15:43:20 +00:00
|
|
|
{
|
2013-05-02 06:47:08 +00:00
|
|
|
struct sc_context *ctx = NULL;
|
|
|
|
|
struct sc_pkcs15_cert *cert = NULL;
|
2012-10-21 14:30:06 +00:00
|
|
|
struct sc_pkcs15_der der;
|
|
|
|
|
int r;
|
2012-09-30 20:38:27 +00:00
|
|
|
|
2017-02-22 08:32:18 +00:00
|
|
|
if (p15card == NULL || info == NULL || cert_out == NULL) {
|
|
|
|
|
return SC_ERROR_INVALID_ARGUMENTS;
|
|
|
|
|
}
|
2013-05-02 06:47:08 +00:00
|
|
|
ctx = p15card->card->ctx;
|
|
|
|
|
LOG_FUNC_CALLED(ctx);
|
2002-12-02 13:39:36 +00:00
|
|
|
|
2012-10-21 14:30:06 +00:00
|
|
|
if (info->value.len && info->value.value) {
|
|
|
|
|
sc_der_copy(&der, &info->value);
|
|
|
|
|
}
|
|
|
|
|
else if (info->path.len) {
|
|
|
|
|
r = sc_pkcs15_read_file(p15card, &info->path, &der.value, &der.len);
|
2013-05-02 06:47:08 +00:00
|
|
|
LOG_TEST_RET(ctx, r, "Unable to read certificate file.");
|
2012-09-30 20:38:27 +00:00
|
|
|
}
|
2012-10-21 14:30:06 +00:00
|
|
|
else {
|
2013-05-02 06:47:08 +00:00
|
|
|
LOG_FUNC_RETURN(ctx, SC_ERROR_OBJECT_NOT_FOUND);
|
2003-11-19 20:28:02 +00:00
|
|
|
}
|
2002-12-02 13:39:36 +00:00
|
|
|
|
Do not cast the return value of malloc(3) and calloc(3)
From http://en.wikipedia.org/wiki/Malloc#Casting_and_type_safety
" Casting and type safety
malloc returns a void pointer (void *), which indicates that it is a
pointer to a region of unknown data type. One may "cast" (see type
conversion) this pointer to a specific type, as in
int *ptr = (int*)malloc(10 * sizeof (int));
When using C, this is considered bad practice; it is redundant under the
C standard. Moreover, putting in a cast may mask failure to include the
header stdlib.h, in which the prototype for malloc is found. In the
absence of a prototype for malloc, the C compiler will assume that
malloc returns an int, and will issue a warning in a context such as the
above, provided the error is not masked by a cast. On certain
architectures and data models (such as LP64 on 64 bit systems, where
long and pointers are 64 bit and int is 32 bit), this error can actually
result in undefined behavior, as the implicitly declared malloc returns
a 32 bit value whereas the actually defined function returns a 64 bit
value. Depending on calling conventions and memory layout, this may
result in stack smashing.
The returned pointer need not be explicitly cast to a more specific
pointer type, since ANSI C defines an implicit conversion between the
void pointer type and other pointers to objects. An explicit cast of
malloc's return value is sometimes performed because malloc originally
returned a char *, but this cast is unnecessary in standard C
code.[4][5] Omitting the cast, however, creates an incompatibility with
C++, which does require it.
The lack of a specific pointer type returned from malloc is type-unsafe
behaviour: malloc allocates based on byte count but not on type. This
distinguishes it from the C++ new operator that returns a pointer whose
type relies on the operand. (see C Type Safety). "
See also
http://www.opensc-project.org/pipermail/opensc-devel/2010-August/014586.html
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4636 c6295689-39f2-0310-b995-f0e70906c6a9
2010-08-18 15:08:51 +00:00
|
|
|
cert = malloc(sizeof(struct sc_pkcs15_cert));
|
2001-11-01 15:43:20 +00:00
|
|
|
if (cert == NULL) {
|
2012-10-21 14:30:06 +00:00
|
|
|
free(der.value);
|
2013-05-02 06:47:08 +00:00
|
|
|
LOG_FUNC_RETURN(ctx, SC_ERROR_OUT_OF_MEMORY);
|
2001-11-01 15:43:20 +00:00
|
|
|
}
|
|
|
|
|
memset(cert, 0, sizeof(struct sc_pkcs15_cert));
|
2013-05-02 06:47:08 +00:00
|
|
|
if (parse_x509_cert(ctx, &der, cert)) {
|
2012-10-21 14:30:06 +00:00
|
|
|
free(der.value);
|
2010-10-12 15:26:45 +00:00
|
|
|
sc_pkcs15_free_certificate(cert);
|
2013-05-02 06:47:08 +00:00
|
|
|
LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_ASN1_OBJECT);
|
2001-11-01 15:43:20 +00:00
|
|
|
}
|
2012-12-25 19:05:45 +00:00
|
|
|
free(der.value);
|
2012-09-30 20:38:27 +00:00
|
|
|
|
2001-11-01 15:43:20 +00:00
|
|
|
*cert_out = cert;
|
2013-05-02 06:47:08 +00:00
|
|
|
LOG_FUNC_RETURN(ctx, SC_SUCCESS);
|
2001-11-01 15:43:20 +00:00
|
|
|
}
|
|
|
|
|
|
2013-05-02 06:47:08 +00:00
|
|
|
|
2002-01-10 12:33:56 +00:00
|
|
|
static const struct sc_asn1_entry c_asn1_cred_ident[] = {
|
2006-01-20 20:52:36 +00:00
|
|
|
{ "idType", SC_ASN1_INTEGER, SC_ASN1_TAG_INTEGER, 0, NULL, NULL },
|
|
|
|
|
{ "idValue", SC_ASN1_OCTET_STRING, SC_ASN1_TAG_OCTET_STRING, 0, NULL, NULL },
|
2005-08-05 07:24:43 +00:00
|
|
|
{ NULL, 0, 0, 0, NULL, NULL }
|
2002-01-10 12:33:56 +00:00
|
|
|
};
|
|
|
|
|
static const struct sc_asn1_entry c_asn1_com_cert_attr[] = {
|
2016-08-15 11:38:29 +00:00
|
|
|
{ "iD", SC_ASN1_PKCS15_ID, SC_ASN1_TAG_OCTET_STRING, 0, NULL, NULL },
|
|
|
|
|
{ "authority", SC_ASN1_BOOLEAN, SC_ASN1_TAG_BOOLEAN, SC_ASN1_OPTIONAL, NULL, NULL },
|
|
|
|
|
{ "identifier", SC_ASN1_STRUCT, SC_ASN1_TAG_SEQUENCE | SC_ASN1_CONS, SC_ASN1_OPTIONAL, NULL, NULL },
|
2002-01-10 12:33:56 +00:00
|
|
|
/* FIXME: Add rest of the optional fields */
|
2005-08-05 07:24:43 +00:00
|
|
|
{ NULL, 0, 0, 0, NULL, NULL }
|
2002-01-10 12:33:56 +00:00
|
|
|
};
|
2003-11-19 20:28:02 +00:00
|
|
|
static const struct sc_asn1_entry c_asn1_x509_cert_value_choice[] = {
|
2006-01-20 20:52:36 +00:00
|
|
|
{ "path", SC_ASN1_PATH, SC_ASN1_TAG_SEQUENCE | SC_ASN1_CONS, SC_ASN1_OPTIONAL, NULL, NULL },
|
2005-08-05 07:24:43 +00:00
|
|
|
{ "direct", SC_ASN1_OCTET_STRING, SC_ASN1_CTX | 0 | SC_ASN1_CONS, SC_ASN1_OPTIONAL | SC_ASN1_ALLOC, NULL, NULL },
|
|
|
|
|
{ NULL, 0, 0, 0, NULL, NULL }
|
2003-11-19 20:28:02 +00:00
|
|
|
};
|
2002-01-10 12:33:56 +00:00
|
|
|
static const struct sc_asn1_entry c_asn1_x509_cert_attr[] = {
|
2005-08-05 07:24:43 +00:00
|
|
|
{ "value", SC_ASN1_CHOICE, 0, 0, NULL, NULL },
|
|
|
|
|
{ NULL, 0, 0, 0, NULL, NULL }
|
2002-01-10 12:33:56 +00:00
|
|
|
};
|
|
|
|
|
static const struct sc_asn1_entry c_asn1_type_cert_attr[] = {
|
2006-01-20 20:52:36 +00:00
|
|
|
{ "x509CertificateAttributes", SC_ASN1_STRUCT, SC_ASN1_TAG_SEQUENCE | SC_ASN1_CONS, 0, NULL, NULL },
|
2005-08-05 07:24:43 +00:00
|
|
|
{ NULL, 0, 0, 0, NULL, NULL }
|
2002-01-10 12:33:56 +00:00
|
|
|
};
|
|
|
|
|
static const struct sc_asn1_entry c_asn1_cert[] = {
|
2006-01-20 20:52:36 +00:00
|
|
|
{ "x509Certificate", SC_ASN1_PKCS15_OBJECT, SC_ASN1_TAG_SEQUENCE | SC_ASN1_CONS, 0, NULL, NULL },
|
2005-08-05 07:24:43 +00:00
|
|
|
{ NULL, 0, 0, 0, NULL, NULL }
|
2002-01-10 12:33:56 +00:00
|
|
|
};
|
|
|
|
|
|
2012-09-30 20:38:27 +00:00
|
|
|
|
|
|
|
|
int
|
|
|
|
|
sc_pkcs15_decode_cdf_entry(struct sc_pkcs15_card *p15card, struct sc_pkcs15_object *obj,
|
|
|
|
|
const u8 ** buf, size_t *buflen)
|
2001-11-01 15:43:20 +00:00
|
|
|
{
|
2016-11-18 17:39:26 +00:00
|
|
|
sc_context_t *ctx = p15card->card->ctx;
|
2002-01-24 16:02:54 +00:00
|
|
|
struct sc_pkcs15_cert_info info;
|
2002-01-10 12:33:56 +00:00
|
|
|
struct sc_asn1_entry asn1_cred_ident[3], asn1_com_cert_attr[4],
|
|
|
|
|
asn1_x509_cert_attr[2], asn1_type_cert_attr[2],
|
2003-11-19 20:28:02 +00:00
|
|
|
asn1_cert[2], asn1_x509_cert_value_choice[3];
|
2016-11-18 17:39:26 +00:00
|
|
|
struct sc_asn1_pkcs15_object cert_obj = {
|
|
|
|
|
obj, asn1_com_cert_attr, NULL,
|
|
|
|
|
asn1_type_cert_attr };
|
2003-11-19 20:28:02 +00:00
|
|
|
sc_pkcs15_der_t *der = &info.value;
|
2001-12-19 21:58:04 +00:00
|
|
|
u8 id_value[128];
|
2002-05-26 12:31:23 +00:00
|
|
|
int id_type;
|
|
|
|
|
size_t id_value_len = sizeof(id_value);
|
2001-12-19 21:58:04 +00:00
|
|
|
int r;
|
2002-01-10 12:33:56 +00:00
|
|
|
|
|
|
|
|
sc_copy_asn1_entry(c_asn1_cred_ident, asn1_cred_ident);
|
|
|
|
|
sc_copy_asn1_entry(c_asn1_com_cert_attr, asn1_com_cert_attr);
|
|
|
|
|
sc_copy_asn1_entry(c_asn1_x509_cert_attr, asn1_x509_cert_attr);
|
2003-11-19 20:28:02 +00:00
|
|
|
sc_copy_asn1_entry(c_asn1_x509_cert_value_choice, asn1_x509_cert_value_choice);
|
2002-01-10 12:33:56 +00:00
|
|
|
sc_copy_asn1_entry(c_asn1_type_cert_attr, asn1_type_cert_attr);
|
|
|
|
|
sc_copy_asn1_entry(c_asn1_cert, asn1_cert);
|
2012-09-30 20:38:27 +00:00
|
|
|
|
2002-01-10 12:33:56 +00:00
|
|
|
sc_format_asn1_entry(asn1_cred_ident + 0, &id_type, NULL, 0);
|
|
|
|
|
sc_format_asn1_entry(asn1_cred_ident + 1, &id_value, &id_value_len, 0);
|
2002-01-24 16:02:54 +00:00
|
|
|
sc_format_asn1_entry(asn1_com_cert_attr + 0, &info.id, NULL, 0);
|
|
|
|
|
sc_format_asn1_entry(asn1_com_cert_attr + 1, &info.authority, NULL, 0);
|
2002-01-10 12:33:56 +00:00
|
|
|
sc_format_asn1_entry(asn1_com_cert_attr + 2, asn1_cred_ident, NULL, 0);
|
2003-11-19 20:28:02 +00:00
|
|
|
sc_format_asn1_entry(asn1_x509_cert_attr + 0, asn1_x509_cert_value_choice, NULL, 0);
|
|
|
|
|
sc_format_asn1_entry(asn1_x509_cert_value_choice + 0, &info.path, NULL, 0);
|
2004-06-18 20:49:54 +00:00
|
|
|
sc_format_asn1_entry(asn1_x509_cert_value_choice + 1, &der->value, &der->len, 0);
|
2002-01-10 12:33:56 +00:00
|
|
|
sc_format_asn1_entry(asn1_type_cert_attr + 0, asn1_x509_cert_attr, NULL, 0);
|
|
|
|
|
sc_format_asn1_entry(asn1_cert + 0, &cert_obj, NULL, 0);
|
2001-12-19 21:58:04 +00:00
|
|
|
|
2016-11-18 17:39:26 +00:00
|
|
|
/* Fill in defaults */
|
|
|
|
|
memset(&info, 0, sizeof(info));
|
2002-01-24 16:02:54 +00:00
|
|
|
info.authority = 0;
|
2012-09-30 20:38:27 +00:00
|
|
|
|
2002-01-07 18:23:34 +00:00
|
|
|
r = sc_asn1_decode(ctx, asn1_cert, *buf, *buflen, buf, buflen);
|
2003-11-19 20:28:02 +00:00
|
|
|
/* In case of error, trash the cert value (direct coding) */
|
|
|
|
|
if (r < 0 && der->value)
|
|
|
|
|
free(der->value);
|
2002-01-24 16:02:54 +00:00
|
|
|
if (r == SC_ERROR_ASN1_END_OF_CONTENTS)
|
|
|
|
|
return r;
|
2012-09-30 20:38:27 +00:00
|
|
|
LOG_TEST_RET(ctx, r, "ASN.1 decoding failed");
|
2011-01-18 16:31:41 +00:00
|
|
|
|
2019-10-31 08:38:27 +00:00
|
|
|
if (!p15card->app || !p15card->app->ddo.aid.len) {
|
|
|
|
|
if (!p15card->file_app) {
|
2019-11-14 12:16:37 +00:00
|
|
|
free(der->value);
|
2019-10-31 08:38:27 +00:00
|
|
|
return SC_ERROR_INTERNAL;
|
|
|
|
|
}
|
2011-01-18 16:31:41 +00:00
|
|
|
r = sc_pkcs15_make_absolute_path(&p15card->file_app->path, &info.path);
|
2012-09-30 20:38:27 +00:00
|
|
|
LOG_TEST_RET(ctx, r, "Cannot make absolute path");
|
2011-01-18 16:31:41 +00:00
|
|
|
}
|
2012-09-30 20:38:27 +00:00
|
|
|
else {
|
2011-01-18 16:31:41 +00:00
|
|
|
info.path.aid = p15card->app->ddo.aid;
|
|
|
|
|
}
|
2012-09-30 20:38:27 +00:00
|
|
|
sc_log(ctx, "Certificate path '%s'", sc_print_path(&info.path));
|
2011-01-18 16:31:41 +00:00
|
|
|
|
2019-03-06 12:10:34 +00:00
|
|
|
switch (p15card->opts.private_certificate) {
|
|
|
|
|
case SC_PKCS15_CARD_OPTS_PRIV_CERT_DECLASSIFY:
|
|
|
|
|
sc_log(ctx, "Declassifying certificate");
|
|
|
|
|
obj->flags &= ~SC_PKCS15_CO_FLAG_PRIVATE;
|
|
|
|
|
break;
|
|
|
|
|
case SC_PKCS15_CARD_OPTS_PRIV_CERT_IGNORE:
|
|
|
|
|
sc_log(ctx, "Ignoring certificate");
|
2019-11-14 12:16:37 +00:00
|
|
|
free(der->value);
|
2019-03-06 12:10:34 +00:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2002-01-24 16:02:54 +00:00
|
|
|
obj->type = SC_PKCS15_TYPE_CERT_X509;
|
|
|
|
|
obj->data = malloc(sizeof(info));
|
|
|
|
|
if (obj->data == NULL)
|
2012-09-30 20:38:27 +00:00
|
|
|
LOG_FUNC_RETURN(ctx, SC_ERROR_OUT_OF_MEMORY);
|
2002-01-24 16:02:54 +00:00
|
|
|
memcpy(obj->data, &info, sizeof(info));
|
|
|
|
|
|
|
|
|
|
return 0;
|
2001-11-01 15:43:20 +00:00
|
|
|
}
|
|
|
|
|
|
2012-09-30 20:38:27 +00:00
|
|
|
|
|
|
|
|
int
|
|
|
|
|
sc_pkcs15_encode_cdf_entry(sc_context_t *ctx, const struct sc_pkcs15_object *obj,
|
|
|
|
|
u8 **buf, size_t *bufsize)
|
2002-01-10 12:33:56 +00:00
|
|
|
{
|
|
|
|
|
struct sc_asn1_entry asn1_cred_ident[3], asn1_com_cert_attr[4],
|
|
|
|
|
asn1_x509_cert_attr[2], asn1_type_cert_attr[2],
|
2003-11-19 20:28:02 +00:00
|
|
|
asn1_cert[2], asn1_x509_cert_value_choice[3];
|
|
|
|
|
struct sc_pkcs15_cert_info *infop = (sc_pkcs15_cert_info_t *) obj->data;
|
|
|
|
|
sc_pkcs15_der_t *der = &infop->value;
|
2002-04-04 15:02:08 +00:00
|
|
|
struct sc_asn1_pkcs15_object cert_obj = { (struct sc_pkcs15_object *) obj,
|
2002-03-03 00:32:28 +00:00
|
|
|
asn1_com_cert_attr, NULL,
|
|
|
|
|
asn1_type_cert_attr };
|
2002-01-10 12:33:56 +00:00
|
|
|
int r;
|
|
|
|
|
|
|
|
|
|
sc_copy_asn1_entry(c_asn1_cred_ident, asn1_cred_ident);
|
|
|
|
|
sc_copy_asn1_entry(c_asn1_com_cert_attr, asn1_com_cert_attr);
|
|
|
|
|
sc_copy_asn1_entry(c_asn1_x509_cert_attr, asn1_x509_cert_attr);
|
2003-11-19 20:28:02 +00:00
|
|
|
sc_copy_asn1_entry(c_asn1_x509_cert_value_choice, asn1_x509_cert_value_choice);
|
2002-01-10 12:33:56 +00:00
|
|
|
sc_copy_asn1_entry(c_asn1_type_cert_attr, asn1_type_cert_attr);
|
|
|
|
|
sc_copy_asn1_entry(c_asn1_cert, asn1_cert);
|
2012-09-30 20:38:27 +00:00
|
|
|
|
2002-01-16 23:59:18 +00:00
|
|
|
sc_format_asn1_entry(asn1_com_cert_attr + 0, (void *) &infop->id, NULL, 1);
|
|
|
|
|
if (infop->authority)
|
|
|
|
|
sc_format_asn1_entry(asn1_com_cert_attr + 1, (void *) &infop->authority, NULL, 1);
|
2003-11-19 20:28:02 +00:00
|
|
|
if (infop->path.len || !der->value) {
|
|
|
|
|
sc_format_asn1_entry(asn1_x509_cert_value_choice + 0, &infop->path, NULL, 1);
|
|
|
|
|
} else {
|
|
|
|
|
sc_format_asn1_entry(asn1_x509_cert_value_choice + 1, der->value, &der->len, 1);
|
|
|
|
|
}
|
|
|
|
|
sc_format_asn1_entry(asn1_type_cert_attr + 0, &asn1_x509_cert_value_choice, NULL, 1);
|
2002-01-10 12:33:56 +00:00
|
|
|
sc_format_asn1_entry(asn1_cert + 0, (void *) &cert_obj, NULL, 1);
|
|
|
|
|
|
2002-01-17 23:47:03 +00:00
|
|
|
r = sc_asn1_encode(ctx, asn1_cert, buf, bufsize);
|
2002-01-10 12:33:56 +00:00
|
|
|
|
|
|
|
|
return r;
|
|
|
|
|
}
|
|
|
|
|
|
2019-08-12 12:02:24 +00:00
|
|
|
/* Only certain usages are valid for a given algorithm, return all the usages
|
|
|
|
|
* that the algorithm supports so we can use it as a filter for all
|
|
|
|
|
* the public and private key usages
|
|
|
|
|
*/
|
|
|
|
|
static unsigned int
|
|
|
|
|
sc_pkcs15_alg_flags_from_algorithm(int algorithm)
|
|
|
|
|
{
|
|
|
|
|
switch (algorithm) {
|
|
|
|
|
case SC_ALGORITHM_RSA:
|
|
|
|
|
return SC_PKCS15_PRKEY_USAGE_ENCRYPT | SC_PKCS15_PRKEY_USAGE_WRAP |
|
|
|
|
|
SC_PKCS15_PRKEY_USAGE_VERIFY | SC_PKCS15_PRKEY_USAGE_VERIFYRECOVER |
|
|
|
|
|
SC_PKCS15_PRKEY_USAGE_DECRYPT | SC_PKCS15_PRKEY_USAGE_UNWRAP |
|
|
|
|
|
SC_PKCS15_PRKEY_USAGE_SIGN | SC_PKCS15_PRKEY_USAGE_SIGNRECOVER |
|
|
|
|
|
SC_PKCS15_PRKEY_USAGE_NONREPUDIATION;
|
|
|
|
|
case SC_ALGORITHM_DSA:
|
|
|
|
|
return SC_PKCS15_PRKEY_USAGE_VERIFY| SC_PKCS15_PRKEY_USAGE_SIGN |
|
|
|
|
|
SC_PKCS15_PRKEY_USAGE_NONREPUDIATION;
|
|
|
|
|
#ifdef SC_ALGORITHM_DH
|
|
|
|
|
case SC_ALGORITHM_DH:
|
|
|
|
|
return SC_PKCS15_PRKEY_USAGE_DERIVE ;
|
|
|
|
|
#endif
|
|
|
|
|
case SC_ALGORITHM_EC:
|
|
|
|
|
return SC_PKCS15_PRKEY_USAGE_DERIVE | SC_PKCS15_PRKEY_USAGE_VERIFY|
|
|
|
|
|
SC_PKCS15_PRKEY_USAGE_SIGN | SC_PKCS15_PRKEY_USAGE_NONREPUDIATION;
|
|
|
|
|
case SC_ALGORITHM_GOSTR3410:
|
|
|
|
|
return SC_PKCS15_PRKEY_USAGE_DERIVE | SC_PKCS15_PRKEY_USAGE_VERIFY|
|
|
|
|
|
SC_PKCS15_PRKEY_USAGE_SIGN | SC_PKCS15_PRKEY_USAGE_NONREPUDIATION;
|
|
|
|
|
}
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* These are the cert key usage bits that map to various PKCS #11 (and thus PKCS #15) flags */
|
|
|
|
|
#define SC_PKCS15_X509_USAGE_SIGNATURE \
|
|
|
|
|
(SC_X509_DIGITAL_SIGNATURE | \
|
|
|
|
|
SC_X509_NON_REPUDIATION | \
|
|
|
|
|
SC_X509_KEY_CERT_SIGN | \
|
|
|
|
|
SC_X509_CRL_SIGN)
|
|
|
|
|
#define SC_PKCS15_X509_USAGE_DERIVE \
|
|
|
|
|
SC_X509_KEY_AGREEMENT
|
|
|
|
|
#define SC_PKCS15_X509_USAGE_UNWRAP \
|
|
|
|
|
(SC_X509_KEY_ENCIPHERMENT | \
|
|
|
|
|
SC_X509_KEY_AGREEMENT)
|
|
|
|
|
#define SC_PKCS15_X509_USAGE_DECRYPT \
|
|
|
|
|
(SC_X509_DATA_ENCIPHERMENT | \
|
|
|
|
|
SC_X509_ENCIPHER_ONLY)
|
|
|
|
|
#define SC_PKCS15_X509_USAGE_NONREPUDIATION \
|
|
|
|
|
SC_X509_NON_REPUDIATION
|
|
|
|
|
|
|
|
|
|
/* map a cert usage and algorithm to public and private key usages */
|
|
|
|
|
int
|
|
|
|
|
sc_pkcs15_map_usage(unsigned int cert_usage, int algorithm,
|
|
|
|
|
unsigned int *pub_usage_ptr, unsigned int *pr_usage_ptr,
|
|
|
|
|
int allow_nonrepudiation)
|
|
|
|
|
{
|
|
|
|
|
unsigned int pub_usage = 0, pr_usage = 0;
|
|
|
|
|
unsigned int alg_flags = sc_pkcs15_alg_flags_from_algorithm(algorithm);
|
|
|
|
|
|
|
|
|
|
if (cert_usage & SC_PKCS15_X509_USAGE_SIGNATURE) {
|
|
|
|
|
pub_usage |= SC_PKCS15_PRKEY_USAGE_VERIFY|SC_PKCS15_PRKEY_USAGE_VERIFYRECOVER;
|
|
|
|
|
pr_usage |= SC_PKCS15_PRKEY_USAGE_SIGN|SC_PKCS15_PRKEY_USAGE_SIGNRECOVER;
|
|
|
|
|
}
|
|
|
|
|
if (cert_usage & SC_PKCS15_X509_USAGE_DERIVE) {
|
|
|
|
|
pub_usage |= SC_PKCS15_PRKEY_USAGE_DERIVE;
|
|
|
|
|
pr_usage |= SC_PKCS15_PRKEY_USAGE_DERIVE;
|
|
|
|
|
}
|
|
|
|
|
if (cert_usage & (SC_PKCS15_X509_USAGE_DECRYPT|SC_PKCS15_X509_USAGE_UNWRAP)) {
|
|
|
|
|
pub_usage |= SC_PKCS15_PRKEY_USAGE_ENCRYPT;
|
|
|
|
|
pr_usage |= SC_PKCS15_PRKEY_USAGE_DECRYPT;
|
|
|
|
|
}
|
|
|
|
|
if (allow_nonrepudiation && (cert_usage & SC_PKCS15_X509_USAGE_NONREPUDIATION)) {
|
|
|
|
|
pub_usage |= SC_PKCS15_PRKEY_USAGE_NONREPUDIATION;
|
|
|
|
|
pr_usage |= SC_PKCS15_PRKEY_USAGE_NONREPUDIATION;
|
|
|
|
|
}
|
|
|
|
|
/* filter usages algorithm */
|
|
|
|
|
if (pub_usage_ptr) {
|
|
|
|
|
*pub_usage_ptr = pub_usage & alg_flags;
|
|
|
|
|
}
|
|
|
|
|
if (pr_usage_ptr) {
|
|
|
|
|
*pr_usage_ptr = pr_usage & alg_flags;
|
|
|
|
|
}
|
|
|
|
|
return SC_SUCCESS;
|
|
|
|
|
}
|
2012-09-30 20:38:27 +00:00
|
|
|
|
|
|
|
|
void
|
|
|
|
|
sc_pkcs15_free_certificate(struct sc_pkcs15_cert *cert)
|
2001-11-01 15:43:20 +00:00
|
|
|
{
|
2017-02-22 08:32:18 +00:00
|
|
|
if (cert == NULL) {
|
|
|
|
|
return;
|
|
|
|
|
}
|
2001-11-05 19:39:18 +00:00
|
|
|
|
2018-03-22 13:23:58 +00:00
|
|
|
sc_pkcs15_free_pubkey(cert->key);
|
2002-03-20 13:08:09 +00:00
|
|
|
free(cert->subject);
|
2002-03-15 15:19:34 +00:00
|
|
|
free(cert->issuer);
|
2002-03-19 10:04:11 +00:00
|
|
|
free(cert->serial);
|
2012-09-30 20:38:27 +00:00
|
|
|
free(cert->data.value);
|
2016-08-15 11:38:29 +00:00
|
|
|
free(cert->extensions);
|
2001-11-01 15:43:20 +00:00
|
|
|
free(cert);
|
|
|
|
|
}
|
2004-12-18 14:14:57 +00:00
|
|
|
|
2012-09-30 20:38:27 +00:00
|
|
|
|
|
|
|
|
void
|
|
|
|
|
sc_pkcs15_free_cert_info(sc_pkcs15_cert_info_t *cert)
|
2004-12-18 14:14:57 +00:00
|
|
|
{
|
|
|
|
|
if (!cert)
|
|
|
|
|
return;
|
2018-03-22 13:23:58 +00:00
|
|
|
free(cert->value.value);
|
2004-12-18 14:14:57 +00:00
|
|
|
free(cert);
|
|
|
|
|
}
|
