1 /***************************************************************************
2 * Copyright (c) 2024 Microsoft Corporation
3 *
4 * This program and the accompanying materials are made available under the
5 * terms of the MIT License which is available at
6 * https://opensource.org/licenses/MIT.
7 *
8 * SPDX-License-Identifier: MIT
9 **************************************************************************/
10
11
12 /**************************************************************************/
13 /**************************************************************************/
14 /** */
15 /** NetX Secure Component */
16 /** */
17 /** X.509 Digital Certificates */
18 /** */
19 /**************************************************************************/
20 /**************************************************************************/
21
22 #define NX_SECURE_SOURCE_CODE
23
24
25 #include "nx_secure_x509.h"
26
27
28 /* OIDs for X509 items
29 OID encoding scheme:
30 - First byte (ISO prefix) is equal to 40X + Y for X.Y,
31 so 1.2 becomes 40 + 2 = 42 = 0x2A.
32 - Values longer than 7 bits are broken into 7-bit segments.
33 The lowest byte has a top bit of 0 and all the rest are
34 padded and have a top bit of 1. So 113549 (RSA) becomes
35 encoded in 3 bytes (113549 requires 20 bits in 4-bit nibbles
36 and 20 / 7 bits = 3 bytes) Therefore, 113549 becomes an
37 encoded value of 0x86, 0xF7, 0x0D.
38 - See Davies, "Implementing SSL/TLS" ch. 5.
39 */
40 /* OID values that may be of use in the future.
41 static const UCHAR NX_SECURE_X509_OID_ISO_PREFIX[] = { 0x2A }; // 1.2
42 static const UCHAR NX_SECURE_X509_OID_USA[] = { 0x2A, 0x86, 0x48 }; // ISO.840
43 static const UCHAR NX_SECURE_X509_OID_RSA_CORP[] = { 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D }; // ISO.USA.113549
44 */
45 static const UCHAR NX_SECURE_X509_OID_RSA[] = {0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01}; /* ISO.USA.RSA.1.1.1 */
46 static const UCHAR NX_SECURE_X509_OID_RSA_MD5[] = {0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x04}; /* ISO.USA.RSA.1.1.4 */
47 static const UCHAR NX_SECURE_X509_OID_RSA_SHA1[] = {0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x05}; /* ISO.USA.RSA.1.1.5 */
48 static const UCHAR NX_SECURE_X509_OID_RSA_SHA256[] = {0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B}; /* ISO.USA.RSA.1.1.11 */
49 static const UCHAR NX_SECURE_X509_OID_RSA_SHA384[] = {0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0C}; /* ISO.USA.RSA.1.1.12 */
50 static const UCHAR NX_SECURE_X509_OID_RSA_SHA512[] = {0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0D}; /* ISO.USA.RSA.1.1.13 */
51
52 /* static const UCHAR NX_SECURE_X509_OID_NIST_SHA256[] = {0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01}; */ /* 2.16.840.1.101.3.4.2.1 NIST algorithm SHA256. */
53
54 /* RFC 3729 OIDs. */
55 static const UCHAR NX_SECURE_X509_OID_DH[] = {0x2A, 0x86, 0x48, 0xCE, 0x3E, 0x02, 0x01}; /* ISO.USA.10046.2.1 - ANSI X9.42 DH public number. */
56 static const UCHAR NX_SECURE_X509_OID_DSS_SHA1[] = {0x2A, 0x86, 0x48, 0xCE, 0x38, 0x04, 0x03}; /* ISO.USA.10040.4.3 - ANSI X9-57 x9Algorithm DSA-SHA1. */
57 /*static const UCHAR NX_SECURE_X509_OID_ECC_SHA1[] = {0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x04, 0x01}; */ /* ISO.USA.10045.4.1 - ANSI X9-62 ECDSA with SHA1. */
58
59 /* OIDs for X509 distinguished names.
60 ASN.1 prefix (ISO-ITU.DirectoryServices.AttributeType) :
61 id-at ::= { joint-iso-ccitt(2) ds(5) 4 }
62 DER encoding: 0x55, 0x04
63 */
64 static const UCHAR NX_SECURE_X509_OID_COMMON_NAME[] = {0x55, 0x04, 0x03}; /* ISO-ITU.DirectoryServices.AttributeType.CommonName */
65 static const UCHAR NX_SECURE_X509_OID_SURNAME[] = {0x55, 0x04, 0x04}; /* ISO-ITU.DirectoryServices.AttributeType.Surname */
66 static const UCHAR NX_SECURE_X509_OID_SERIAL_NUMBER[] = {0x55, 0x04, 0x05}; /* ISO-ITU.DirectoryServices.AttributeType.SerialNumber */
67 static const UCHAR NX_SECURE_X509_OID_COUNTRY_NAME[] = {0x55, 0x04, 0x06}; /* ISO-ITU.DirectoryServices.AttributeType.CountryName */
68 static const UCHAR NX_SECURE_X509_OID_LOCALITY[] = {0x55, 0x04, 0x07}; /* ISO-ITU.DirectoryServices.AttributeType.LocalityName */
69 static const UCHAR NX_SECURE_X509_OID_STATE[] = {0x55, 0x04, 0x08}; /* ISO-ITU.DirectoryServices.AttributeType.StateName */
70 static const UCHAR NX_SECURE_X509_OID_ORGANIZATION[] = {0x55, 0x04, 0x0A}; /* ISO-ITU.DirectoryServices.AttributeType.OrganizationName */
71 static const UCHAR NX_SECURE_X509_OID_ORG_UINT[] = {0x55, 0x04, 0x0B}; /* ISO-ITU.DirectoryServices.AttributeType.OrganizationalUnitName */
72 static const UCHAR NX_SECURE_X509_OID_TITLE[] = {0x55, 0x04, 0x0C}; /* ISO-ITU.DirectoryServices.AttributeType.Title */
73 static const UCHAR NX_SECURE_X509_OID_NAME[] = {0x55, 0x04, 0x29}; /* ISO-ITU.DirectoryServices.AttributeType.Name */
74 static const UCHAR NX_SECURE_X509_OID_GIVEN_NAME[] = {0x55, 0x04, 0x2A}; /* ISO-ITU.DirectoryServices.AttributeType.GivenName */
75 static const UCHAR NX_SECURE_X509_OID_INITIALS[] = {0x55, 0x04, 0x2B}; /* ISO-ITU.DirectoryServices.AttributeType.Initials */
76 static const UCHAR NX_SECURE_X509_OID_GENERATION[] = {0x55, 0x04, 0x2C}; /* ISO-ITU.DirectoryServices.AttributeType.GenerationQualifier */
77 static const UCHAR NX_SECURE_X509_OID_DN_QUALIFIER[] = {0x55, 0x04, 0x2E}; /* ISO-ITU.DirectoryServices.AttributeType.DnQualifier */
78 static const UCHAR NX_SECURE_X509_OID_PSEUDONYM[] = {0x55, 0x04, 0x41}; /* ISO-ITU.DirectoryServices.AttributeType.Pseudonym */
79
80 /* X.509 Certificate extensions OIDs from RFC 5280. */
81 /* id-ce OBJECT IDENTIFIER ::= { joint-iso-ccitt(2) ds(5) 29 } */
82 /* static const UCHAR NX_SECURE_X509_OID_EXTENSIONS_PREFIX[] = {0x55, 0x1D }; */ /* 2.5.29 */
83 static const UCHAR NX_SECURE_X509_OID_DIRECTORY_ATTRIBUTES[] = {0x55, 0x1D, 0x09}; /* id-ce.9 Directory attributes extension. */
84 static const UCHAR NX_SECURE_X509_OID_SUBJECT_KEY_ID[] = {0x55, 0x1D, 0x0E}; /* id-ce.14 Subject key identifier extension. */
85 static const UCHAR NX_SECURE_X509_OID_KEY_USAGE[] = {0x55, 0x1D, 0x0F}; /* id-ce.15 Key usage extension. */
86 static const UCHAR NX_SECURE_X509_OID_SUBJECT_ALT_NAME[] = {0x55, 0x1D, 0x11}; /* id-ce.17 Subject alternative name. */
87 static const UCHAR NX_SECURE_X509_OID_ISSUER_ALT_NAME[] = {0x55, 0x1D, 0x12}; /* id-ce.18 Issuer alternative name. */
88 static const UCHAR NX_SECURE_X509_OID_BASIC_CONSTRAINTS[] = {0x55, 0x1D, 0x13}; /* id-ce.19 Basic constraints extension.*/
89 static const UCHAR NX_SECURE_X509_OID_NAME_CONSTRAINTS[] = {0x55, 0x1D, 0x1E}; /* id-ce.30 Name constraints extension.*/
90 static const UCHAR NX_SECURE_X509_OID_CRL_DISTRIBUTION[] = {0x55, 0x1D, 0x1F}; /* id-ce.31 CRL distribution points extension.*/
91 static const UCHAR NX_SECURE_X509_OID_CERTIFICATE_POLICIES[] = {0x55, 0x1D, 0x20}; /* id-ce.32 Certificate policies extension.*/
92 static const UCHAR NX_SECURE_X509_OID_ANY_POLICY[] = {0x55, 0x1D, 0x20, 0x00}; /* id-ce.32.0 anyPolicy identifier. */
93 static const UCHAR NX_SECURE_X509_OID_CERT_POLICY_MAPPINGS[] = {0x55, 0x1D, 0x21}; /* id-ce.33 Certificate policy mapping extension.*/
94 static const UCHAR NX_SECURE_X509_OID_AUTHORITY_KEY_ID[] = {0x55, 0x1D, 0x23}; /* id-ce.35 Authority key identifier extension.*/
95 static const UCHAR NX_SECURE_X509_OID_POLICY_CONSTRAINTS[] = {0x55, 0x1D, 0x24}; /* id-ce.36 Policy constraints extension.*/
96 static const UCHAR NX_SECURE_X509_OID_EXTENDED_KEY_USAGE[] = {0x55, 0x1D, 0x25}; /* id-ce.37 Extended key usage extension.*/
97 static const UCHAR NX_SECURE_X509_OID_ANY_EXTENDED_KEY_USAGE[] = {0x55, 0x1D, 0x25, 0x00}; /* id-ce.37.0 anyExtendedKeyUsage.*/
98 static const UCHAR NX_SECURE_X509_OID_FRESHEST_CRL[] = {0x55, 0x1D, 0x2E}; /* id-ce.46 Freshest CRL distribution extension.*/
99 static const UCHAR NX_SECURE_X509_OID_INHIBIT_ANYPOLICY[] = {0x55, 0x1D, 0x36}; /* id-ce.54 Inhibit anyPolicy extension.*/
100
101
102 /* X.509 Private Internet extensions OIDs from RFC 5280. */
103 /* id-pkix OBJECT IDENTIFIER ::=
104 { iso(1) identified-organization(3) dod(6) internet(1)
105 security(5) mechanisms(5) pkix(7) }
106
107 id-pe OBJECT IDENTIFIER ::= { id-pkix 1 }
108 id-qt OBJECT IDENTIFIER ::= { id-pkix 2 }
109 */
110 /* static const UCHAR NX_SECURE_X509_OID_PKIX_PREFIX[] = {0x2B, 0x06, 0x01, 0x05, 0x05, 0x07 }; */ /* 1.3.6.1.5.5.7 */
111 static const UCHAR NX_SECURE_X509_OID_PKIX_EXT_PREFIX[] = {0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x01}; /* id-pkix.1 (id-pe) */
112 static const UCHAR NX_SECURE_X509_OID_PKIX_AIA[] = {0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x01, 0x01}; /* id-pe.1 Authority Information Access PKIX extension. */
113 static const UCHAR NX_SECURE_X509_OID_PKIX_SIA[] = {0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x01, 0x0B}; /* id-pe.11 Subject Information Access PKIX extension. */
114 static const UCHAR NX_SECURE_X509_OID_PKIX_QT[] = {0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x02}; /* id-pkix.2 Policy prefix (id-qt). */
115 static const UCHAR NX_SECURE_X509_OID_PKIX_QT_CPS[] = {0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x02, 0x01}; /* id-qt.1 CPS Policy. */
116 static const UCHAR NX_SECURE_X509_OID_PKIX_QT_UNOTICE[] = {0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x02, 0x02}; /* id-qt.2 Unotice Policy prefix. */
117
118 /* Extended key usage extension OIDs. */
119 static const UCHAR NX_SECURE_X509_OID_PKIX_KP[] = {0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03}; /* id-pkix.3 (id-kp) */
120 static const UCHAR NX_SECURE_X509_OID_PKIX_KP_SERVER_AUTH[] = {0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x1}; /* id-pkix.3.1 Server authentication. */
121 static const UCHAR NX_SECURE_X509_OID_PKIX_KP_CLIENT_AUTH[] = {0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x2}; /* id-pkix.3.2 Client authentication. */
122 static const UCHAR NX_SECURE_X509_OID_PKIX_KP_CODE_SIGNING[] = {0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x3}; /* id-pkix.3.3 Code signing. */
123 static const UCHAR NX_SECURE_X509_OID_PKIX_KP_EMAIL_PROTECT[] = {0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x4}; /* id-pkix.3.4 Email protection. */
124 static const UCHAR NX_SECURE_X509_OID_PKIX_KP_TIME_STAMPING[] = {0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x8}; /* id-pkix.3.8 Time stamping. */
125 static const UCHAR NX_SECURE_X509_OID_PKIX_KP_OCSP_SIGNING[] = {0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x9}; /* id-pkix.3.9 OCSP signing. */
126
127 /* Miscellaneous OIDs. */
128 static const UCHAR NX_SECURE_X509_OID_NETSCAPE_COMMENT[] = {0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x42, 0x01, 0x0d};
129
130 #ifdef NX_SECURE_ENABLE_ECC_CIPHERSUITE
131 /* RFC 5480 OIDs. */
132 static const UCHAR NX_SECURE_X509_OID_EC[] = {0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x02, 0x01}; /* ISO.USA.10045.2.1 - ANSI X9.62 EC public key. */
133 static const UCHAR NX_SECURE_X509_OID_SECP192R1[] = {0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, 0x01}; /* ISO.USA.10045.3.1.1 - Named curve: secp192r1. */
134 static const UCHAR NX_SECURE_X509_OID_SECP224R1[] = {0x2B, 0x81, 0x04, 0x00, 0x21}; /* ISO.Identified Organization.Certicom.curve.33 - Named curve: secp224r1. */
135 static const UCHAR NX_SECURE_X509_OID_SECP256R1[] = {0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, 0x07}; /* ISO.USA.10045.3.1.7 - Named curve: secp256r1. */
136 static const UCHAR NX_SECURE_X509_OID_SECP384R1[] = {0x2B, 0x81, 0x04, 0x00, 0x22}; /* ISO.Identified Organization.Certicom.curve.34 - Named curve: secp384r1. */
137 static const UCHAR NX_SECURE_X509_OID_SECP521R1[] = {0x2B, 0x81, 0x04, 0x00, 0x23}; /* ISO.Identified Organization.Certicom.curve.35 - Named curve: secp521r1. */
138 static const UCHAR NX_SECURE_X509_OID_ECDSA_SHA1[] = {0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x04, 0x01}; /* ISO.USA.10045.4.1 - ecdsa-with-SHA1. */
139 static const UCHAR NX_SECURE_X509_OID_ECDSA_SHA224[] = {0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x04, 0x03, 0x01}; /* ISO.USA.10045.4.3.1 - ecdsa-with-SHA224. */
140 static const UCHAR NX_SECURE_X509_OID_ECDSA_SHA256[] = {0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x04, 0x03, 0x02}; /* ISO.USA.10045.4.3.2 - ecdsa-with-SHA256. */
141 static const UCHAR NX_SECURE_X509_OID_ECDSA_SHA384[] = {0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x04, 0x03, 0x03}; /* ISO.USA.10045.4.3.3 - ecdsa-with-SHA384. */
142 static const UCHAR NX_SECURE_X509_OID_ECDSA_SHA512[] = {0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x04, 0x03, 0x04}; /* ISO.USA.10045.4.3.4 - ecdsa-with-SHA512. */
143 #endif /* NX_SECURE_ENABLE_ECC_CIPHERSUITE */
144
145 /* Lookup table for OID to type mapping. */
146 typedef struct NX_SECURE_X509_OID_MAP_STRUCT
147 {
148 UINT nx_secure_oid_map_type;
149
150 const UCHAR *nx_secure_oid_map_oid;
151
152 UINT nx_secure_oid_map_oid_size;
153 } NX_SECURE_X509_OID_MAP;
154
155 NX_SECURE_X509_OID_MAP _nx_secure_x509_oid_map[] =
156 {
157 {NX_SECURE_TLS_X509_TYPE_RSA, NX_SECURE_X509_OID_RSA, sizeof(NX_SECURE_X509_OID_RSA)},
158 {NX_SECURE_TLS_X509_TYPE_RSA_MD5, NX_SECURE_X509_OID_RSA_MD5, sizeof(NX_SECURE_X509_OID_RSA_MD5)},
159 {NX_SECURE_TLS_X509_TYPE_RSA_SHA_1, NX_SECURE_X509_OID_RSA_SHA1, sizeof(NX_SECURE_X509_OID_RSA_SHA1)},
160 {NX_SECURE_TLS_X509_TYPE_RSA_SHA_256, NX_SECURE_X509_OID_RSA_SHA256, sizeof(NX_SECURE_X509_OID_RSA_SHA256)},
161 {NX_SECURE_TLS_X509_TYPE_RSA_SHA_384, NX_SECURE_X509_OID_RSA_SHA384, sizeof(NX_SECURE_X509_OID_RSA_SHA384)},
162 {NX_SECURE_TLS_X509_TYPE_RSA_SHA_512, NX_SECURE_X509_OID_RSA_SHA512, sizeof(NX_SECURE_X509_OID_RSA_SHA512)},
163 {NX_SECURE_TLS_X509_TYPE_DH, NX_SECURE_X509_OID_DH, sizeof(NX_SECURE_X509_OID_DH)},
164 {NX_SECURE_TLS_X509_TYPE_DSS_SHA_1, NX_SECURE_X509_OID_DSS_SHA1, sizeof(NX_SECURE_X509_OID_DSS_SHA1)},
165 {NX_SECURE_TLS_X509_TYPE_COMMON_NAME, NX_SECURE_X509_OID_COMMON_NAME, sizeof(NX_SECURE_X509_OID_COMMON_NAME)},
166 {NX_SECURE_TLS_X509_TYPE_COUNTRY, NX_SECURE_X509_OID_COUNTRY_NAME, sizeof(NX_SECURE_X509_OID_COUNTRY_NAME)},
167 {NX_SECURE_TLS_X509_TYPE_LOCALITY, NX_SECURE_X509_OID_LOCALITY, sizeof(NX_SECURE_X509_OID_LOCALITY)},
168 {NX_SECURE_TLS_X509_TYPE_STATE, NX_SECURE_X509_OID_STATE, sizeof(NX_SECURE_X509_OID_STATE)},
169 {NX_SECURE_TLS_X509_TYPE_ORGANIZATION, NX_SECURE_X509_OID_ORGANIZATION, sizeof(NX_SECURE_X509_OID_ORGANIZATION)},
170 {NX_SECURE_TLS_X509_TYPE_ORG_UNIT, NX_SECURE_X509_OID_ORG_UINT, sizeof(NX_SECURE_X509_OID_ORG_UINT)},
171 {NX_SECURE_TLS_X509_TYPE_DIRECTORY_ATTRIBUTES , NX_SECURE_X509_OID_DIRECTORY_ATTRIBUTES , sizeof(NX_SECURE_X509_OID_DIRECTORY_ATTRIBUTES)},
172 {NX_SECURE_TLS_X509_TYPE_SUBJECT_KEY_ID , NX_SECURE_X509_OID_SUBJECT_KEY_ID , sizeof(NX_SECURE_X509_OID_SUBJECT_KEY_ID)},
173 {NX_SECURE_TLS_X509_TYPE_KEY_USAGE , NX_SECURE_X509_OID_KEY_USAGE , sizeof(NX_SECURE_X509_OID_KEY_USAGE)},
174 {NX_SECURE_TLS_X509_TYPE_SUBJECT_ALT_NAME , NX_SECURE_X509_OID_SUBJECT_ALT_NAME , sizeof(NX_SECURE_X509_OID_SUBJECT_ALT_NAME)},
175 {NX_SECURE_TLS_X509_TYPE_ISSUER_ALT_NAME , NX_SECURE_X509_OID_ISSUER_ALT_NAME , sizeof(NX_SECURE_X509_OID_ISSUER_ALT_NAME)},
176 {NX_SECURE_TLS_X509_TYPE_BASIC_CONSTRAINTS , NX_SECURE_X509_OID_BASIC_CONSTRAINTS , sizeof(NX_SECURE_X509_OID_BASIC_CONSTRAINTS)},
177 {NX_SECURE_TLS_X509_TYPE_NAME_CONSTRAINTS , NX_SECURE_X509_OID_NAME_CONSTRAINTS , sizeof(NX_SECURE_X509_OID_NAME_CONSTRAINTS)},
178 {NX_SECURE_TLS_X509_TYPE_CRL_DISTRIBUTION , NX_SECURE_X509_OID_CRL_DISTRIBUTION , sizeof(NX_SECURE_X509_OID_CRL_DISTRIBUTION)},
179 {NX_SECURE_TLS_X509_TYPE_CERTIFICATE_POLICIES , NX_SECURE_X509_OID_CERTIFICATE_POLICIES , sizeof(NX_SECURE_X509_OID_CERTIFICATE_POLICIES)},
180 {NX_SECURE_TLS_X509_TYPE_CERT_POLICY_MAPPINGS , NX_SECURE_X509_OID_CERT_POLICY_MAPPINGS , sizeof(NX_SECURE_X509_OID_CERT_POLICY_MAPPINGS)},
181 {NX_SECURE_TLS_X509_TYPE_AUTHORITY_KEY_ID , NX_SECURE_X509_OID_AUTHORITY_KEY_ID , sizeof(NX_SECURE_X509_OID_AUTHORITY_KEY_ID)},
182 {NX_SECURE_TLS_X509_TYPE_POLICY_CONSTRAINTS , NX_SECURE_X509_OID_POLICY_CONSTRAINTS , sizeof(NX_SECURE_X509_OID_POLICY_CONSTRAINTS)},
183 {NX_SECURE_TLS_X509_TYPE_EXTENDED_KEY_USAGE , NX_SECURE_X509_OID_EXTENDED_KEY_USAGE , sizeof(NX_SECURE_X509_OID_EXTENDED_KEY_USAGE)},
184 {NX_SECURE_TLS_X509_TYPE_ANY_EXTENDED_KEY_USAGE, NX_SECURE_X509_OID_ANY_EXTENDED_KEY_USAGE, sizeof(NX_SECURE_X509_OID_ANY_EXTENDED_KEY_USAGE)},
185 {NX_SECURE_TLS_X509_TYPE_FRESHEST_CRL , NX_SECURE_X509_OID_FRESHEST_CRL , sizeof(NX_SECURE_X509_OID_FRESHEST_CRL)},
186 {NX_SECURE_TLS_X509_TYPE_INHIBIT_ANYPOLICY , NX_SECURE_X509_OID_INHIBIT_ANYPOLICY , sizeof(NX_SECURE_X509_OID_INHIBIT_ANYPOLICY)},
187 {NX_SECURE_TLS_X509_TYPE_SURNAME , NX_SECURE_X509_OID_SURNAME , sizeof(NX_SECURE_X509_OID_SURNAME)},
188 {NX_SECURE_TLS_X509_TYPE_SERIAL_NUMBER , NX_SECURE_X509_OID_SERIAL_NUMBER , sizeof(NX_SECURE_X509_OID_SERIAL_NUMBER)},
189 {NX_SECURE_TLS_X509_TYPE_TITLE , NX_SECURE_X509_OID_TITLE , sizeof(NX_SECURE_X509_OID_TITLE)},
190 {NX_SECURE_TLS_X509_TYPE_NAME , NX_SECURE_X509_OID_NAME , sizeof(NX_SECURE_X509_OID_NAME)},
191 {NX_SECURE_TLS_X509_TYPE_GIVEN_NAME , NX_SECURE_X509_OID_GIVEN_NAME , sizeof(NX_SECURE_X509_OID_GIVEN_NAME)},
192 {NX_SECURE_TLS_X509_TYPE_INITIALS , NX_SECURE_X509_OID_INITIALS , sizeof(NX_SECURE_X509_OID_INITIALS)},
193 {NX_SECURE_TLS_X509_TYPE_GENERATION , NX_SECURE_X509_OID_GENERATION , sizeof(NX_SECURE_X509_OID_GENERATION)},
194 {NX_SECURE_TLS_X509_TYPE_DN_QUALIFIER , NX_SECURE_X509_OID_DN_QUALIFIER , sizeof(NX_SECURE_X509_OID_DN_QUALIFIER)},
195 {NX_SECURE_TLS_X509_TYPE_PSEUDONYM , NX_SECURE_X509_OID_PSEUDONYM , sizeof(NX_SECURE_X509_OID_PSEUDONYM)},
196 {NX_SECURE_TLS_X509_TYPE_PKIX_EXT_PREFIX , NX_SECURE_X509_OID_PKIX_EXT_PREFIX , sizeof(NX_SECURE_X509_OID_PKIX_EXT_PREFIX)},
197 {NX_SECURE_TLS_X509_TYPE_PKIX_AIA , NX_SECURE_X509_OID_PKIX_AIA , sizeof(NX_SECURE_X509_OID_PKIX_AIA)},
198 {NX_SECURE_TLS_X509_TYPE_PKIX_SIA , NX_SECURE_X509_OID_PKIX_SIA , sizeof(NX_SECURE_X509_OID_PKIX_SIA)},
199 {NX_SECURE_TLS_X509_TYPE_NETSCAPE_COMMENT , NX_SECURE_X509_OID_NETSCAPE_COMMENT , sizeof(NX_SECURE_X509_OID_NETSCAPE_COMMENT)},
200 {NX_SECURE_TLS_X509_TYPE_ANY_POLICY , NX_SECURE_X509_OID_ANY_POLICY , sizeof(NX_SECURE_X509_OID_ANY_POLICY)},
201 {NX_SECURE_TLS_X509_TYPE_PKIX_QT , NX_SECURE_X509_OID_PKIX_QT , sizeof(NX_SECURE_X509_OID_PKIX_QT)},
202 {NX_SECURE_TLS_X509_TYPE_PKIX_QT_CPS , NX_SECURE_X509_OID_PKIX_QT_CPS , sizeof(NX_SECURE_X509_OID_PKIX_QT_CPS)},
203 {NX_SECURE_TLS_X509_TYPE_PKIX_QT_UNOTICE , NX_SECURE_X509_OID_PKIX_QT_UNOTICE , sizeof(NX_SECURE_X509_OID_PKIX_QT_UNOTICE)},
204 {NX_SECURE_TLS_X509_TYPE_PKIX_KP , NX_SECURE_X509_OID_PKIX_KP , sizeof(NX_SECURE_X509_OID_PKIX_KP)},
205 {NX_SECURE_TLS_X509_TYPE_PKIX_KP_SERVER_AUTH , NX_SECURE_X509_OID_PKIX_KP_SERVER_AUTH , sizeof(NX_SECURE_X509_OID_PKIX_KP_SERVER_AUTH)},
206 {NX_SECURE_TLS_X509_TYPE_PKIX_KP_CLIENT_AUTH , NX_SECURE_X509_OID_PKIX_KP_CLIENT_AUTH , sizeof(NX_SECURE_X509_OID_PKIX_KP_CLIENT_AUTH)},
207 {NX_SECURE_TLS_X509_TYPE_PKIX_KP_CODE_SIGNING , NX_SECURE_X509_OID_PKIX_KP_CODE_SIGNING , sizeof(NX_SECURE_X509_OID_PKIX_KP_CODE_SIGNING)},
208 {NX_SECURE_TLS_X509_TYPE_PKIX_KP_EMAIL_PROTECT , NX_SECURE_X509_OID_PKIX_KP_EMAIL_PROTECT , sizeof(NX_SECURE_X509_OID_PKIX_KP_EMAIL_PROTECT)},
209 {NX_SECURE_TLS_X509_TYPE_PKIX_KP_TIME_STAMPING , NX_SECURE_X509_OID_PKIX_KP_TIME_STAMPING , sizeof(NX_SECURE_X509_OID_PKIX_KP_TIME_STAMPING)},
210 {NX_SECURE_TLS_X509_TYPE_PKIX_KP_OCSP_SIGNING , NX_SECURE_X509_OID_PKIX_KP_OCSP_SIGNING , sizeof(NX_SECURE_X509_OID_PKIX_KP_OCSP_SIGNING)},
211 #ifdef NX_SECURE_ENABLE_ECC_CIPHERSUITE
212 {NX_SECURE_TLS_X509_TYPE_EC , NX_SECURE_X509_OID_EC , sizeof(NX_SECURE_X509_OID_EC)},
213 {NX_SECURE_TLS_X509_EC_SECP192R1 , NX_SECURE_X509_OID_SECP192R1 , sizeof(NX_SECURE_X509_OID_SECP192R1)},
214 {NX_SECURE_TLS_X509_EC_SECP224R1 , NX_SECURE_X509_OID_SECP224R1 , sizeof(NX_SECURE_X509_OID_SECP224R1)},
215 {NX_SECURE_TLS_X509_EC_SECP256R1 , NX_SECURE_X509_OID_SECP256R1 , sizeof(NX_SECURE_X509_OID_SECP256R1)},
216 {NX_SECURE_TLS_X509_EC_SECP384R1 , NX_SECURE_X509_OID_SECP384R1 , sizeof(NX_SECURE_X509_OID_SECP384R1)},
217 {NX_SECURE_TLS_X509_EC_SECP521R1 , NX_SECURE_X509_OID_SECP521R1 , sizeof(NX_SECURE_X509_OID_SECP521R1)},
218 {NX_SECURE_TLS_X509_TYPE_ECDSA_SHA_1 , NX_SECURE_X509_OID_ECDSA_SHA1 , sizeof(NX_SECURE_X509_OID_ECDSA_SHA1)},
219 {NX_SECURE_TLS_X509_TYPE_ECDSA_SHA_224 , NX_SECURE_X509_OID_ECDSA_SHA224 , sizeof(NX_SECURE_X509_OID_ECDSA_SHA224)},
220 {NX_SECURE_TLS_X509_TYPE_ECDSA_SHA_256 , NX_SECURE_X509_OID_ECDSA_SHA256 , sizeof(NX_SECURE_X509_OID_ECDSA_SHA256)},
221 {NX_SECURE_TLS_X509_TYPE_ECDSA_SHA_384 , NX_SECURE_X509_OID_ECDSA_SHA384 , sizeof(NX_SECURE_X509_OID_ECDSA_SHA384)},
222 {NX_SECURE_TLS_X509_TYPE_ECDSA_SHA_512 , NX_SECURE_X509_OID_ECDSA_SHA512 , sizeof(NX_SECURE_X509_OID_ECDSA_SHA512)},
223 #endif /* NX_SECURE_ENABLE_ECC_CIPHERSUITE */
224 };
225
226 static const UINT _nx_secure_x509_oid_map_size = sizeof(_nx_secure_x509_oid_map) / sizeof(NX_SECURE_X509_OID_MAP);
227
228 /**************************************************************************/
229 /* */
230 /* FUNCTION RELEASE */
231 /* */
232 /* _nx_secure_x509_oid_parse PORTABLE C */
233 /* 6.1.6 */
234 /* AUTHOR */
235 /* */
236 /* Timothy Stapko, Microsoft Corporation */
237 /* */
238 /* DESCRIPTION */
239 /* */
240 /* This function parses a DER-encoded Object Identifier (OID) string */
241 /* and returns an internally-defined constant for further use in X.509 */
242 /* parsing routines. */
243 /* */
244 /* INPUT */
245 /* */
246 /* oid OID data to be parsed */
247 /* length Length of OID data in buffer */
248 /* oid_value Return OID internal integer */
249 /* */
250 /* OUTPUT */
251 /* */
252 /* None */
253 /* */
254 /* CALLS */
255 /* */
256 /* None */
257 /* */
258 /* CALLED BY */
259 /* */
260 /* _nx_secure_x509_crl_signature_algorithm_parse */
261 /* Parse signature algorithm in */
262 /* _nx_secure_x509_distinguished_name_parse */
263 /* Parse Distinguished Name */
264 /* _nx_secure_x509_extension_find Find extension in certificate */
265 /* _nx_secure_x509_extended_key_usage_extension_parse */
266 /* Parse Extended KeyUsage */
267 /* extension */
268 /* _nx_secure_x509_parse_public_key Parse public key in */
269 /* certificate */
270 /* _nx_secure_x509_parse_signature_algorithm */
271 /* Parse signature algorithm in */
272 /* _nx_secure_x509_policy_qualifiers_parse */
273 /* Parse policy qualifiers */
274 /* */
275 /* RELEASE HISTORY */
276 /* */
277 /* DATE NAME DESCRIPTION */
278 /* */
279 /* 05-19-2020 Timothy Stapko Initial Version 6.0 */
280 /* 09-30-2020 Timothy Stapko Modified comment(s), */
281 /* resulting in version 6.1 */
282 /* 04-02-2021 Timothy Stapko Modified comment(s), */
283 /* removed dependency on TLS, */
284 /* resulting in version 6.1.6 */
285 /* */
286 /**************************************************************************/
_nx_secure_x509_oid_parse(const UCHAR * oid,ULONG length,UINT * oid_value)287 VOID _nx_secure_x509_oid_parse(const UCHAR *oid, ULONG length, UINT *oid_value)
288 {
289 INT compare_val;
290 UINT i;
291
292 /* Check for OID type. */
293 for (i = 0; i < _nx_secure_x509_oid_map_size; ++i)
294 {
295 /* Make sure the length isn't greater than the size of the OID we are comparing against. */
296 if (length <= _nx_secure_x509_oid_map[i].nx_secure_oid_map_oid_size)
297 {
298 compare_val = NX_SECURE_MEMCMP(oid, _nx_secure_x509_oid_map[i].nx_secure_oid_map_oid, _nx_secure_x509_oid_map[i].nx_secure_oid_map_oid_size);
299 if (compare_val == 0)
300 {
301 *oid_value = _nx_secure_x509_oid_map[i].nx_secure_oid_map_type;
302 return;
303 }
304 }
305 }
306
307 *oid_value = NX_SECURE_TLS_X509_TYPE_UNKNOWN;
308 }
309
310
