1 /*
2 * X.509 certificate parsing and verification
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6 */
7 /*
8 * The ITU-T X.509 standard defines a certificate format for PKI.
9 *
10 * http://www.ietf.org/rfc/rfc5280.txt (Certificates and CRLs)
11 * http://www.ietf.org/rfc/rfc3279.txt (Alg IDs for CRLs)
12 * http://www.ietf.org/rfc/rfc2986.txt (CSRs, aka PKCS#10)
13 *
14 * http://www.itu.int/ITU-T/studygroups/com17/languages/X.680-0207.pdf
15 * http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf
16 *
17 * [SIRO] https://cabforum.org/wp-content/uploads/Chunghwatelecom201503cabforumV4.pdf
18 */
19
20 #include "common.h"
21
22 #if defined(MBEDTLS_X509_CRT_PARSE_C)
23
24 #include "mbedtls/x509_crt.h"
25 #include "x509_internal.h"
26 #include "mbedtls/error.h"
27 #include "mbedtls/oid.h"
28 #include "mbedtls/platform_util.h"
29
30 #include <string.h>
31
32 #if defined(MBEDTLS_PEM_PARSE_C)
33 #include "mbedtls/pem.h"
34 #endif
35
36 #if defined(MBEDTLS_USE_PSA_CRYPTO)
37 #include "psa/crypto.h"
38 #include "psa_util_internal.h"
39 #include "mbedtls/psa_util.h"
40 #endif /* MBEDTLS_USE_PSA_CRYPTO */
41 #include "pk_internal.h"
42
43 #include "mbedtls/platform.h"
44
45 #if defined(MBEDTLS_THREADING_C)
46 #include "mbedtls/threading.h"
47 #endif
48
49 #if defined(MBEDTLS_HAVE_TIME)
50 #if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
51 #ifndef WIN32_LEAN_AND_MEAN
52 #define WIN32_LEAN_AND_MEAN
53 #endif
54 #include <windows.h>
55 #else
56 #include <time.h>
57 #endif
58 #endif
59
60 #if defined(MBEDTLS_FS_IO)
61 #include <stdio.h>
62 #if !defined(_WIN32) || defined(EFIX64) || defined(EFI32)
63 #include <sys/types.h>
64 #include <sys/stat.h>
65 #if defined(__MBED__)
66 #include <platform/mbed_retarget.h>
67 #else
68 #include <dirent.h>
69 #endif /* __MBED__ */
70 #include <errno.h>
71 #endif /* !_WIN32 || EFIX64 || EFI32 */
72 #endif
73
74 /*
75 * Item in a verification chain: cert and flags for it
76 */
77 typedef struct {
78 mbedtls_x509_crt *crt;
79 uint32_t flags;
80 } x509_crt_verify_chain_item;
81
82 /*
83 * Max size of verification chain: end-entity + intermediates + trusted root
84 */
85 #define X509_MAX_VERIFY_CHAIN_SIZE (MBEDTLS_X509_MAX_INTERMEDIATE_CA + 2)
86
87 /* Default profile. Do not remove items unless there are serious security
88 * concerns. */
89 const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_default =
90 {
91 /* Hashes from SHA-256 and above. Note that this selection
92 * should be aligned with ssl_preset_default_hashes in ssl_tls.c. */
93 MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA256) |
94 MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA384) |
95 MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA512),
96 0xFFFFFFF, /* Any PK alg */
97 #if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
98 /* Curves at or above 128-bit security level. Note that this selection
99 * should be aligned with ssl_preset_default_curves in ssl_tls.c. */
100 MBEDTLS_X509_ID_FLAG(MBEDTLS_ECP_DP_SECP256R1) |
101 MBEDTLS_X509_ID_FLAG(MBEDTLS_ECP_DP_SECP384R1) |
102 MBEDTLS_X509_ID_FLAG(MBEDTLS_ECP_DP_SECP521R1) |
103 MBEDTLS_X509_ID_FLAG(MBEDTLS_ECP_DP_BP256R1) |
104 MBEDTLS_X509_ID_FLAG(MBEDTLS_ECP_DP_BP384R1) |
105 MBEDTLS_X509_ID_FLAG(MBEDTLS_ECP_DP_BP512R1) |
106 0,
107 #else /* MBEDTLS_PK_HAVE_ECC_KEYS */
108 0,
109 #endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
110 2048,
111 };
112
113 /* Next-generation profile. Currently identical to the default, but may
114 * be tightened at any time. */
115 const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_next =
116 {
117 /* Hashes from SHA-256 and above. */
118 MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA256) |
119 MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA384) |
120 MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA512),
121 0xFFFFFFF, /* Any PK alg */
122 #if defined(MBEDTLS_ECP_C)
123 /* Curves at or above 128-bit security level. */
124 MBEDTLS_X509_ID_FLAG(MBEDTLS_ECP_DP_SECP256R1) |
125 MBEDTLS_X509_ID_FLAG(MBEDTLS_ECP_DP_SECP384R1) |
126 MBEDTLS_X509_ID_FLAG(MBEDTLS_ECP_DP_SECP521R1) |
127 MBEDTLS_X509_ID_FLAG(MBEDTLS_ECP_DP_BP256R1) |
128 MBEDTLS_X509_ID_FLAG(MBEDTLS_ECP_DP_BP384R1) |
129 MBEDTLS_X509_ID_FLAG(MBEDTLS_ECP_DP_BP512R1) |
130 MBEDTLS_X509_ID_FLAG(MBEDTLS_ECP_DP_SECP256K1),
131 #else
132 0,
133 #endif
134 2048,
135 };
136
137 /*
138 * NSA Suite B Profile
139 */
140 const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_suiteb =
141 {
142 /* Only SHA-256 and 384 */
143 MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA256) |
144 MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA384),
145 /* Only ECDSA */
146 MBEDTLS_X509_ID_FLAG(MBEDTLS_PK_ECDSA) |
147 MBEDTLS_X509_ID_FLAG(MBEDTLS_PK_ECKEY),
148 #if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
149 /* Only NIST P-256 and P-384 */
150 MBEDTLS_X509_ID_FLAG(MBEDTLS_ECP_DP_SECP256R1) |
151 MBEDTLS_X509_ID_FLAG(MBEDTLS_ECP_DP_SECP384R1),
152 #else /* MBEDTLS_PK_HAVE_ECC_KEYS */
153 0,
154 #endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
155 0,
156 };
157
158 /*
159 * Empty / all-forbidden profile
160 */
161 const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_none =
162 {
163 0,
164 0,
165 0,
166 (uint32_t) -1,
167 };
168
169 /*
170 * Check md_alg against profile
171 * Return 0 if md_alg is acceptable for this profile, -1 otherwise
172 */
x509_profile_check_md_alg(const mbedtls_x509_crt_profile * profile,mbedtls_md_type_t md_alg)173 static int x509_profile_check_md_alg(const mbedtls_x509_crt_profile *profile,
174 mbedtls_md_type_t md_alg)
175 {
176 if (md_alg == MBEDTLS_MD_NONE) {
177 return -1;
178 }
179
180 if ((profile->allowed_mds & MBEDTLS_X509_ID_FLAG(md_alg)) != 0) {
181 return 0;
182 }
183
184 return -1;
185 }
186
187 /*
188 * Check pk_alg against profile
189 * Return 0 if pk_alg is acceptable for this profile, -1 otherwise
190 */
x509_profile_check_pk_alg(const mbedtls_x509_crt_profile * profile,mbedtls_pk_type_t pk_alg)191 static int x509_profile_check_pk_alg(const mbedtls_x509_crt_profile *profile,
192 mbedtls_pk_type_t pk_alg)
193 {
194 if (pk_alg == MBEDTLS_PK_NONE) {
195 return -1;
196 }
197
198 if ((profile->allowed_pks & MBEDTLS_X509_ID_FLAG(pk_alg)) != 0) {
199 return 0;
200 }
201
202 return -1;
203 }
204
205 /*
206 * Check key against profile
207 * Return 0 if pk is acceptable for this profile, -1 otherwise
208 */
x509_profile_check_key(const mbedtls_x509_crt_profile * profile,const mbedtls_pk_context * pk)209 static int x509_profile_check_key(const mbedtls_x509_crt_profile *profile,
210 const mbedtls_pk_context *pk)
211 {
212 const mbedtls_pk_type_t pk_alg = mbedtls_pk_get_type(pk);
213
214 #if defined(MBEDTLS_RSA_C)
215 if (pk_alg == MBEDTLS_PK_RSA || pk_alg == MBEDTLS_PK_RSASSA_PSS) {
216 if (mbedtls_pk_get_bitlen(pk) >= profile->rsa_min_bitlen) {
217 return 0;
218 }
219
220 return -1;
221 }
222 #endif /* MBEDTLS_RSA_C */
223
224 #if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
225 if (pk_alg == MBEDTLS_PK_ECDSA ||
226 pk_alg == MBEDTLS_PK_ECKEY ||
227 pk_alg == MBEDTLS_PK_ECKEY_DH) {
228 const mbedtls_ecp_group_id gid = mbedtls_pk_get_ec_group_id(pk);
229
230 if (gid == MBEDTLS_ECP_DP_NONE) {
231 return -1;
232 }
233
234 if ((profile->allowed_curves & MBEDTLS_X509_ID_FLAG(gid)) != 0) {
235 return 0;
236 }
237
238 return -1;
239 }
240 #endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
241
242 return -1;
243 }
244
245 /*
246 * Like memcmp, but case-insensitive and always returns -1 if different
247 */
x509_memcasecmp(const void * s1,const void * s2,size_t len)248 static int x509_memcasecmp(const void *s1, const void *s2, size_t len)
249 {
250 size_t i;
251 unsigned char diff;
252 const unsigned char *n1 = s1, *n2 = s2;
253
254 for (i = 0; i < len; i++) {
255 diff = n1[i] ^ n2[i];
256
257 if (diff == 0) {
258 continue;
259 }
260
261 if (diff == 32 &&
262 ((n1[i] >= 'a' && n1[i] <= 'z') ||
263 (n1[i] >= 'A' && n1[i] <= 'Z'))) {
264 continue;
265 }
266
267 return -1;
268 }
269
270 return 0;
271 }
272
273 /*
274 * Return 0 if name matches wildcard, -1 otherwise
275 */
x509_check_wildcard(const char * cn,const mbedtls_x509_buf * name)276 static int x509_check_wildcard(const char *cn, const mbedtls_x509_buf *name)
277 {
278 size_t i;
279 size_t cn_idx = 0, cn_len = strlen(cn);
280
281 /* We can't have a match if there is no wildcard to match */
282 if (name->len < 3 || name->p[0] != '*' || name->p[1] != '.') {
283 return -1;
284 }
285
286 for (i = 0; i < cn_len; ++i) {
287 if (cn[i] == '.') {
288 cn_idx = i;
289 break;
290 }
291 }
292
293 if (cn_idx == 0) {
294 return -1;
295 }
296
297 if (cn_len - cn_idx == name->len - 1 &&
298 x509_memcasecmp(name->p + 1, cn + cn_idx, name->len - 1) == 0) {
299 return 0;
300 }
301
302 return -1;
303 }
304
305 /*
306 * Compare two X.509 strings, case-insensitive, and allowing for some encoding
307 * variations (but not all).
308 *
309 * Return 0 if equal, -1 otherwise.
310 */
x509_string_cmp(const mbedtls_x509_buf * a,const mbedtls_x509_buf * b)311 static int x509_string_cmp(const mbedtls_x509_buf *a, const mbedtls_x509_buf *b)
312 {
313 if (a->tag == b->tag &&
314 a->len == b->len &&
315 memcmp(a->p, b->p, b->len) == 0) {
316 return 0;
317 }
318
319 if ((a->tag == MBEDTLS_ASN1_UTF8_STRING || a->tag == MBEDTLS_ASN1_PRINTABLE_STRING) &&
320 (b->tag == MBEDTLS_ASN1_UTF8_STRING || b->tag == MBEDTLS_ASN1_PRINTABLE_STRING) &&
321 a->len == b->len &&
322 x509_memcasecmp(a->p, b->p, b->len) == 0) {
323 return 0;
324 }
325
326 return -1;
327 }
328
329 /*
330 * Compare two X.509 Names (aka rdnSequence).
331 *
332 * See RFC 5280 section 7.1, though we don't implement the whole algorithm:
333 * we sometimes return unequal when the full algorithm would return equal,
334 * but never the other way. (In particular, we don't do Unicode normalisation
335 * or space folding.)
336 *
337 * Return 0 if equal, -1 otherwise.
338 */
x509_name_cmp(const mbedtls_x509_name * a,const mbedtls_x509_name * b)339 static int x509_name_cmp(const mbedtls_x509_name *a, const mbedtls_x509_name *b)
340 {
341 /* Avoid recursion, it might not be optimised by the compiler */
342 while (a != NULL || b != NULL) {
343 if (a == NULL || b == NULL) {
344 return -1;
345 }
346
347 /* type */
348 if (a->oid.tag != b->oid.tag ||
349 a->oid.len != b->oid.len ||
350 memcmp(a->oid.p, b->oid.p, b->oid.len) != 0) {
351 return -1;
352 }
353
354 /* value */
355 if (x509_string_cmp(&a->val, &b->val) != 0) {
356 return -1;
357 }
358
359 /* structure of the list of sets */
360 if (a->next_merged != b->next_merged) {
361 return -1;
362 }
363
364 a = a->next;
365 b = b->next;
366 }
367
368 /* a == NULL == b */
369 return 0;
370 }
371
372 /*
373 * Reset (init or clear) a verify_chain
374 */
x509_crt_verify_chain_reset(mbedtls_x509_crt_verify_chain * ver_chain)375 static void x509_crt_verify_chain_reset(
376 mbedtls_x509_crt_verify_chain *ver_chain)
377 {
378 size_t i;
379
380 for (i = 0; i < MBEDTLS_X509_MAX_VERIFY_CHAIN_SIZE; i++) {
381 ver_chain->items[i].crt = NULL;
382 ver_chain->items[i].flags = (uint32_t) -1;
383 }
384
385 ver_chain->len = 0;
386
387 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
388 ver_chain->trust_ca_cb_result = NULL;
389 #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
390 }
391
392 /*
393 * Version ::= INTEGER { v1(0), v2(1), v3(2) }
394 */
x509_get_version(unsigned char ** p,const unsigned char * end,int * ver)395 static int x509_get_version(unsigned char **p,
396 const unsigned char *end,
397 int *ver)
398 {
399 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
400 size_t len;
401
402 if ((ret = mbedtls_asn1_get_tag(p, end, &len,
403 MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED |
404 0)) != 0) {
405 if (ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) {
406 *ver = 0;
407 return 0;
408 }
409
410 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_FORMAT, ret);
411 }
412
413 end = *p + len;
414
415 if ((ret = mbedtls_asn1_get_int(p, end, ver)) != 0) {
416 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_VERSION, ret);
417 }
418
419 if (*p != end) {
420 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_VERSION,
421 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
422 }
423
424 return 0;
425 }
426
427 /*
428 * Validity ::= SEQUENCE {
429 * notBefore Time,
430 * notAfter Time }
431 */
x509_get_dates(unsigned char ** p,const unsigned char * end,mbedtls_x509_time * from,mbedtls_x509_time * to)432 static int x509_get_dates(unsigned char **p,
433 const unsigned char *end,
434 mbedtls_x509_time *from,
435 mbedtls_x509_time *to)
436 {
437 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
438 size_t len;
439
440 if ((ret = mbedtls_asn1_get_tag(p, end, &len,
441 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
442 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_DATE, ret);
443 }
444
445 end = *p + len;
446
447 if ((ret = mbedtls_x509_get_time(p, end, from)) != 0) {
448 return ret;
449 }
450
451 if ((ret = mbedtls_x509_get_time(p, end, to)) != 0) {
452 return ret;
453 }
454
455 if (*p != end) {
456 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_DATE,
457 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
458 }
459
460 return 0;
461 }
462
463 /*
464 * X.509 v2/v3 unique identifier (not parsed)
465 */
x509_get_uid(unsigned char ** p,const unsigned char * end,mbedtls_x509_buf * uid,int n)466 static int x509_get_uid(unsigned char **p,
467 const unsigned char *end,
468 mbedtls_x509_buf *uid, int n)
469 {
470 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
471
472 if (*p == end) {
473 return 0;
474 }
475
476 uid->tag = **p;
477
478 if ((ret = mbedtls_asn1_get_tag(p, end, &uid->len,
479 MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED |
480 n)) != 0) {
481 if (ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) {
482 return 0;
483 }
484
485 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_FORMAT, ret);
486 }
487
488 uid->p = *p;
489 *p += uid->len;
490
491 return 0;
492 }
493
x509_get_basic_constraints(unsigned char ** p,const unsigned char * end,int * ca_istrue,int * max_pathlen)494 static int x509_get_basic_constraints(unsigned char **p,
495 const unsigned char *end,
496 int *ca_istrue,
497 int *max_pathlen)
498 {
499 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
500 size_t len;
501
502 /*
503 * BasicConstraints ::= SEQUENCE {
504 * cA BOOLEAN DEFAULT FALSE,
505 * pathLenConstraint INTEGER (0..MAX) OPTIONAL }
506 */
507 *ca_istrue = 0; /* DEFAULT FALSE */
508 *max_pathlen = 0; /* endless */
509
510 if ((ret = mbedtls_asn1_get_tag(p, end, &len,
511 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
512 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
513 }
514
515 if (*p == end) {
516 return 0;
517 }
518
519 if ((ret = mbedtls_asn1_get_bool(p, end, ca_istrue)) != 0) {
520 if (ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) {
521 ret = mbedtls_asn1_get_int(p, end, ca_istrue);
522 }
523
524 if (ret != 0) {
525 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
526 }
527
528 if (*ca_istrue != 0) {
529 *ca_istrue = 1;
530 }
531 }
532
533 if (*p == end) {
534 return 0;
535 }
536
537 if ((ret = mbedtls_asn1_get_int(p, end, max_pathlen)) != 0) {
538 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
539 }
540
541 if (*p != end) {
542 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
543 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
544 }
545
546 /* Do not accept max_pathlen equal to INT_MAX to avoid a signed integer
547 * overflow, which is an undefined behavior. */
548 if (*max_pathlen == INT_MAX) {
549 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
550 MBEDTLS_ERR_ASN1_INVALID_LENGTH);
551 }
552
553 (*max_pathlen)++;
554
555 return 0;
556 }
557
558 /*
559 * ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
560 *
561 * KeyPurposeId ::= OBJECT IDENTIFIER
562 */
x509_get_ext_key_usage(unsigned char ** p,const unsigned char * end,mbedtls_x509_sequence * ext_key_usage)563 static int x509_get_ext_key_usage(unsigned char **p,
564 const unsigned char *end,
565 mbedtls_x509_sequence *ext_key_usage)
566 {
567 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
568
569 if ((ret = mbedtls_asn1_get_sequence_of(p, end, ext_key_usage, MBEDTLS_ASN1_OID)) != 0) {
570 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
571 }
572
573 /* Sequence length must be >= 1 */
574 if (ext_key_usage->buf.p == NULL) {
575 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
576 MBEDTLS_ERR_ASN1_INVALID_LENGTH);
577 }
578
579 return 0;
580 }
581
582 /*
583 * SubjectKeyIdentifier ::= KeyIdentifier
584 *
585 * KeyIdentifier ::= OCTET STRING
586 */
x509_get_subject_key_id(unsigned char ** p,const unsigned char * end,mbedtls_x509_buf * subject_key_id)587 static int x509_get_subject_key_id(unsigned char **p,
588 const unsigned char *end,
589 mbedtls_x509_buf *subject_key_id)
590 {
591 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
592 size_t len = 0u;
593
594 if ((ret = mbedtls_asn1_get_tag(p, end, &len,
595 MBEDTLS_ASN1_OCTET_STRING)) != 0) {
596 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
597 }
598
599 subject_key_id->len = len;
600 subject_key_id->tag = MBEDTLS_ASN1_OCTET_STRING;
601 subject_key_id->p = *p;
602 *p += len;
603
604 if (*p != end) {
605 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
606 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
607 }
608
609 return 0;
610 }
611
612 /*
613 * AuthorityKeyIdentifier ::= SEQUENCE {
614 * keyIdentifier [0] KeyIdentifier OPTIONAL,
615 * authorityCertIssuer [1] GeneralNames OPTIONAL,
616 * authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL }
617 *
618 * KeyIdentifier ::= OCTET STRING
619 */
x509_get_authority_key_id(unsigned char ** p,unsigned char * end,mbedtls_x509_authority * authority_key_id)620 static int x509_get_authority_key_id(unsigned char **p,
621 unsigned char *end,
622 mbedtls_x509_authority *authority_key_id)
623 {
624 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
625 size_t len = 0u;
626
627 if ((ret = mbedtls_asn1_get_tag(p, end, &len,
628 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
629 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
630 }
631
632 if (*p + len != end) {
633 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
634 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
635 }
636
637 ret = mbedtls_asn1_get_tag(p, end, &len,
638 MBEDTLS_ASN1_CONTEXT_SPECIFIC);
639
640 /* KeyIdentifier is an OPTIONAL field */
641 if (ret == 0) {
642 authority_key_id->keyIdentifier.len = len;
643 authority_key_id->keyIdentifier.p = *p;
644 /* Setting tag of the keyIdentfier intentionally to 0x04.
645 * Although the .keyIdentfier field is CONTEXT_SPECIFIC ([0] OPTIONAL),
646 * its tag with the content is the payload of on OCTET STRING primitive */
647 authority_key_id->keyIdentifier.tag = MBEDTLS_ASN1_OCTET_STRING;
648
649 *p += len;
650 } else if (ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) {
651 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
652 }
653
654 if (*p < end) {
655 /* Getting authorityCertIssuer using the required specific class tag [1] */
656 if ((ret = mbedtls_asn1_get_tag(p, end, &len,
657 MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED |
658 1)) != 0) {
659 /* authorityCertIssuer and authorityCertSerialNumber MUST both
660 be present or both be absent. At this point we expect to have both. */
661 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
662 }
663 /* "end" also includes the CertSerialNumber field so "len" shall be used */
664 ret = mbedtls_x509_get_subject_alt_name_ext(p,
665 (*p+len),
666 &authority_key_id->authorityCertIssuer);
667 if (ret != 0) {
668 return ret;
669 }
670
671 /* Getting authorityCertSerialNumber using the required specific class tag [2] */
672 if ((ret = mbedtls_asn1_get_tag(p, end, &len,
673 MBEDTLS_ASN1_CONTEXT_SPECIFIC | 2)) != 0) {
674 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
675 }
676 authority_key_id->authorityCertSerialNumber.len = len;
677 authority_key_id->authorityCertSerialNumber.p = *p;
678 authority_key_id->authorityCertSerialNumber.tag = MBEDTLS_ASN1_INTEGER;
679 *p += len;
680 }
681
682 if (*p != end) {
683 return MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
684 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH;
685 }
686
687 return 0;
688 }
689
690 /*
691 * id-ce-certificatePolicies OBJECT IDENTIFIER ::= { id-ce 32 }
692 *
693 * anyPolicy OBJECT IDENTIFIER ::= { id-ce-certificatePolicies 0 }
694 *
695 * certificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation
696 *
697 * PolicyInformation ::= SEQUENCE {
698 * policyIdentifier CertPolicyId,
699 * policyQualifiers SEQUENCE SIZE (1..MAX) OF
700 * PolicyQualifierInfo OPTIONAL }
701 *
702 * CertPolicyId ::= OBJECT IDENTIFIER
703 *
704 * PolicyQualifierInfo ::= SEQUENCE {
705 * policyQualifierId PolicyQualifierId,
706 * qualifier ANY DEFINED BY policyQualifierId }
707 *
708 * -- policyQualifierIds for Internet policy qualifiers
709 *
710 * id-qt OBJECT IDENTIFIER ::= { id-pkix 2 }
711 * id-qt-cps OBJECT IDENTIFIER ::= { id-qt 1 }
712 * id-qt-unotice OBJECT IDENTIFIER ::= { id-qt 2 }
713 *
714 * PolicyQualifierId ::= OBJECT IDENTIFIER ( id-qt-cps | id-qt-unotice )
715 *
716 * Qualifier ::= CHOICE {
717 * cPSuri CPSuri,
718 * userNotice UserNotice }
719 *
720 * CPSuri ::= IA5String
721 *
722 * UserNotice ::= SEQUENCE {
723 * noticeRef NoticeReference OPTIONAL,
724 * explicitText DisplayText OPTIONAL }
725 *
726 * NoticeReference ::= SEQUENCE {
727 * organization DisplayText,
728 * noticeNumbers SEQUENCE OF INTEGER }
729 *
730 * DisplayText ::= CHOICE {
731 * ia5String IA5String (SIZE (1..200)),
732 * visibleString VisibleString (SIZE (1..200)),
733 * bmpString BMPString (SIZE (1..200)),
734 * utf8String UTF8String (SIZE (1..200)) }
735 *
736 * NOTE: we only parse and use anyPolicy without qualifiers at this point
737 * as defined in RFC 5280.
738 */
x509_get_certificate_policies(unsigned char ** p,const unsigned char * end,mbedtls_x509_sequence * certificate_policies)739 static int x509_get_certificate_policies(unsigned char **p,
740 const unsigned char *end,
741 mbedtls_x509_sequence *certificate_policies)
742 {
743 int ret, parse_ret = 0;
744 size_t len;
745 mbedtls_asn1_buf *buf;
746 mbedtls_asn1_sequence *cur = certificate_policies;
747
748 /* Get main sequence tag */
749 ret = mbedtls_asn1_get_tag(p, end, &len,
750 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE);
751 if (ret != 0) {
752 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
753 }
754
755 if (*p + len != end) {
756 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
757 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
758 }
759
760 /*
761 * Cannot be an empty sequence.
762 */
763 if (len == 0) {
764 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
765 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
766 }
767
768 while (*p < end) {
769 mbedtls_x509_buf policy_oid;
770 const unsigned char *policy_end;
771
772 /*
773 * Get the policy sequence
774 */
775 if ((ret = mbedtls_asn1_get_tag(p, end, &len,
776 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
777 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
778 }
779
780 policy_end = *p + len;
781
782 if ((ret = mbedtls_asn1_get_tag(p, policy_end, &len,
783 MBEDTLS_ASN1_OID)) != 0) {
784 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
785 }
786
787 policy_oid.tag = MBEDTLS_ASN1_OID;
788 policy_oid.len = len;
789 policy_oid.p = *p;
790
791 /*
792 * Only AnyPolicy is currently supported when enforcing policy.
793 */
794 if (MBEDTLS_OID_CMP(MBEDTLS_OID_ANY_POLICY, &policy_oid) != 0) {
795 /*
796 * Set the parsing return code but continue parsing, in case this
797 * extension is critical.
798 */
799 parse_ret = MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE;
800 }
801
802 /* Allocate and assign next pointer */
803 if (cur->buf.p != NULL) {
804 if (cur->next != NULL) {
805 return MBEDTLS_ERR_X509_INVALID_EXTENSIONS;
806 }
807
808 cur->next = mbedtls_calloc(1, sizeof(mbedtls_asn1_sequence));
809
810 if (cur->next == NULL) {
811 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
812 MBEDTLS_ERR_ASN1_ALLOC_FAILED);
813 }
814
815 cur = cur->next;
816 }
817
818 buf = &(cur->buf);
819 buf->tag = policy_oid.tag;
820 buf->p = policy_oid.p;
821 buf->len = policy_oid.len;
822
823 *p += len;
824
825 /*
826 * If there is an optional qualifier, then *p < policy_end
827 * Check the Qualifier len to verify it doesn't exceed policy_end.
828 */
829 if (*p < policy_end) {
830 if ((ret = mbedtls_asn1_get_tag(p, policy_end, &len,
831 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) !=
832 0) {
833 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
834 }
835 /*
836 * Skip the optional policy qualifiers.
837 */
838 *p += len;
839 }
840
841 if (*p != policy_end) {
842 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
843 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
844 }
845 }
846
847 /* Set final sequence entry's next pointer to NULL */
848 cur->next = NULL;
849
850 if (*p != end) {
851 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
852 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
853 }
854
855 return parse_ret;
856 }
857
858 /*
859 * X.509 v3 extensions
860 *
861 */
x509_get_crt_ext(unsigned char ** p,const unsigned char * end,mbedtls_x509_crt * crt,mbedtls_x509_crt_ext_cb_t cb,void * p_ctx)862 static int x509_get_crt_ext(unsigned char **p,
863 const unsigned char *end,
864 mbedtls_x509_crt *crt,
865 mbedtls_x509_crt_ext_cb_t cb,
866 void *p_ctx)
867 {
868 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
869 size_t len;
870 unsigned char *end_ext_data, *start_ext_octet, *end_ext_octet;
871
872 if (*p == end) {
873 return 0;
874 }
875
876 if ((ret = mbedtls_x509_get_ext(p, end, &crt->v3_ext, 3)) != 0) {
877 return ret;
878 }
879
880 end = crt->v3_ext.p + crt->v3_ext.len;
881 while (*p < end) {
882 /*
883 * Extension ::= SEQUENCE {
884 * extnID OBJECT IDENTIFIER,
885 * critical BOOLEAN DEFAULT FALSE,
886 * extnValue OCTET STRING }
887 */
888 mbedtls_x509_buf extn_oid = { 0, 0, NULL };
889 int is_critical = 0; /* DEFAULT FALSE */
890 int ext_type = 0;
891
892 if ((ret = mbedtls_asn1_get_tag(p, end, &len,
893 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
894 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
895 }
896
897 end_ext_data = *p + len;
898
899 /* Get extension ID */
900 if ((ret = mbedtls_asn1_get_tag(p, end_ext_data, &extn_oid.len,
901 MBEDTLS_ASN1_OID)) != 0) {
902 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
903 }
904
905 extn_oid.tag = MBEDTLS_ASN1_OID;
906 extn_oid.p = *p;
907 *p += extn_oid.len;
908
909 /* Get optional critical */
910 if ((ret = mbedtls_asn1_get_bool(p, end_ext_data, &is_critical)) != 0 &&
911 (ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG)) {
912 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
913 }
914
915 /* Data should be octet string type */
916 if ((ret = mbedtls_asn1_get_tag(p, end_ext_data, &len,
917 MBEDTLS_ASN1_OCTET_STRING)) != 0) {
918 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
919 }
920
921 start_ext_octet = *p;
922 end_ext_octet = *p + len;
923
924 if (end_ext_octet != end_ext_data) {
925 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
926 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
927 }
928
929 /*
930 * Detect supported extensions
931 */
932 ret = mbedtls_oid_get_x509_ext_type(&extn_oid, &ext_type);
933
934 if (ret != 0) {
935 /* Give the callback (if any) a chance to handle the extension */
936 if (cb != NULL) {
937 ret = cb(p_ctx, crt, &extn_oid, is_critical, *p, end_ext_octet);
938 if (ret != 0 && is_critical) {
939 return ret;
940 }
941 *p = end_ext_octet;
942 continue;
943 }
944
945 /* No parser found, skip extension */
946 *p = end_ext_octet;
947
948 if (is_critical) {
949 /* Data is marked as critical: fail */
950 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
951 MBEDTLS_ERR_ASN1_UNEXPECTED_TAG);
952 }
953 continue;
954 }
955
956 /* Forbid repeated extensions */
957 if ((crt->ext_types & ext_type) != 0) {
958 return MBEDTLS_ERR_X509_INVALID_EXTENSIONS;
959 }
960
961 crt->ext_types |= ext_type;
962
963 switch (ext_type) {
964 case MBEDTLS_X509_EXT_BASIC_CONSTRAINTS:
965 /* Parse basic constraints */
966 if ((ret = x509_get_basic_constraints(p, end_ext_octet,
967 &crt->ca_istrue, &crt->max_pathlen)) != 0) {
968 return ret;
969 }
970 break;
971
972 case MBEDTLS_X509_EXT_KEY_USAGE:
973 /* Parse key usage */
974 if ((ret = mbedtls_x509_get_key_usage(p, end_ext_octet,
975 &crt->key_usage)) != 0) {
976 return ret;
977 }
978 break;
979
980 case MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE:
981 /* Parse extended key usage */
982 if ((ret = x509_get_ext_key_usage(p, end_ext_octet,
983 &crt->ext_key_usage)) != 0) {
984 return ret;
985 }
986 break;
987
988 case MBEDTLS_X509_EXT_SUBJECT_KEY_IDENTIFIER:
989 /* Parse subject key identifier */
990 if ((ret = x509_get_subject_key_id(p, end_ext_data,
991 &crt->subject_key_id)) != 0) {
992 return ret;
993 }
994 break;
995
996 case MBEDTLS_X509_EXT_AUTHORITY_KEY_IDENTIFIER:
997 /* Parse authority key identifier */
998 if ((ret = x509_get_authority_key_id(p, end_ext_octet,
999 &crt->authority_key_id)) != 0) {
1000 return ret;
1001 }
1002 break;
1003 case MBEDTLS_X509_EXT_SUBJECT_ALT_NAME:
1004 /* Parse subject alt name
1005 * SubjectAltName ::= GeneralNames
1006 */
1007 if ((ret = mbedtls_x509_get_subject_alt_name(p, end_ext_octet,
1008 &crt->subject_alt_names)) != 0) {
1009 return ret;
1010 }
1011 break;
1012
1013 case MBEDTLS_X509_EXT_NS_CERT_TYPE:
1014 /* Parse netscape certificate type */
1015 if ((ret = mbedtls_x509_get_ns_cert_type(p, end_ext_octet,
1016 &crt->ns_cert_type)) != 0) {
1017 return ret;
1018 }
1019 break;
1020
1021 case MBEDTLS_OID_X509_EXT_CERTIFICATE_POLICIES:
1022 /* Parse certificate policies type */
1023 if ((ret = x509_get_certificate_policies(p, end_ext_octet,
1024 &crt->certificate_policies)) != 0) {
1025 /* Give the callback (if any) a chance to handle the extension
1026 * if it contains unsupported policies */
1027 if (ret == MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE && cb != NULL &&
1028 cb(p_ctx, crt, &extn_oid, is_critical,
1029 start_ext_octet, end_ext_octet) == 0) {
1030 break;
1031 }
1032
1033 if (is_critical) {
1034 return ret;
1035 } else
1036 /*
1037 * If MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE is returned, then we
1038 * cannot interpret or enforce the policy. However, it is up to
1039 * the user to choose how to enforce the policies,
1040 * unless the extension is critical.
1041 */
1042 if (ret != MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE) {
1043 return ret;
1044 }
1045 }
1046 break;
1047
1048 default:
1049 /*
1050 * If this is a non-critical extension, which the oid layer
1051 * supports, but there isn't an x509 parser for it,
1052 * skip the extension.
1053 */
1054 if (is_critical) {
1055 return MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE;
1056 } else {
1057 *p = end_ext_octet;
1058 }
1059 }
1060 }
1061
1062 if (*p != end) {
1063 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
1064 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
1065 }
1066
1067 return 0;
1068 }
1069
1070 /*
1071 * Parse and fill a single X.509 certificate in DER format
1072 */
x509_crt_parse_der_core(mbedtls_x509_crt * crt,const unsigned char * buf,size_t buflen,int make_copy,mbedtls_x509_crt_ext_cb_t cb,void * p_ctx)1073 static int x509_crt_parse_der_core(mbedtls_x509_crt *crt,
1074 const unsigned char *buf,
1075 size_t buflen,
1076 int make_copy,
1077 mbedtls_x509_crt_ext_cb_t cb,
1078 void *p_ctx)
1079 {
1080 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1081 size_t len;
1082 unsigned char *p, *end, *crt_end;
1083 mbedtls_x509_buf sig_params1, sig_params2, sig_oid2;
1084
1085 memset(&sig_params1, 0, sizeof(mbedtls_x509_buf));
1086 memset(&sig_params2, 0, sizeof(mbedtls_x509_buf));
1087 memset(&sig_oid2, 0, sizeof(mbedtls_x509_buf));
1088
1089 /*
1090 * Check for valid input
1091 */
1092 if (crt == NULL || buf == NULL) {
1093 return MBEDTLS_ERR_X509_BAD_INPUT_DATA;
1094 }
1095
1096 /* Use the original buffer until we figure out actual length. */
1097 p = (unsigned char *) buf;
1098 len = buflen;
1099 end = p + len;
1100
1101 /*
1102 * Certificate ::= SEQUENCE {
1103 * tbsCertificate TBSCertificate,
1104 * signatureAlgorithm AlgorithmIdentifier,
1105 * signatureValue BIT STRING }
1106 */
1107 if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
1108 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
1109 mbedtls_x509_crt_free(crt);
1110 return MBEDTLS_ERR_X509_INVALID_FORMAT;
1111 }
1112
1113 end = crt_end = p + len;
1114 crt->raw.len = (size_t) (crt_end - buf);
1115 if (make_copy != 0) {
1116 /* Create and populate a new buffer for the raw field. */
1117 crt->raw.p = p = mbedtls_calloc(1, crt->raw.len);
1118 if (crt->raw.p == NULL) {
1119 return MBEDTLS_ERR_X509_ALLOC_FAILED;
1120 }
1121
1122 memcpy(crt->raw.p, buf, crt->raw.len);
1123 crt->own_buffer = 1;
1124
1125 p += crt->raw.len - len;
1126 end = crt_end = p + len;
1127 } else {
1128 crt->raw.p = (unsigned char *) buf;
1129 crt->own_buffer = 0;
1130 }
1131
1132 /*
1133 * TBSCertificate ::= SEQUENCE {
1134 */
1135 crt->tbs.p = p;
1136
1137 if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
1138 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
1139 mbedtls_x509_crt_free(crt);
1140 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_FORMAT, ret);
1141 }
1142
1143 end = p + len;
1144 crt->tbs.len = (size_t) (end - crt->tbs.p);
1145
1146 /*
1147 * Version ::= INTEGER { v1(0), v2(1), v3(2) }
1148 *
1149 * CertificateSerialNumber ::= INTEGER
1150 *
1151 * signature AlgorithmIdentifier
1152 */
1153 if ((ret = x509_get_version(&p, end, &crt->version)) != 0 ||
1154 (ret = mbedtls_x509_get_serial(&p, end, &crt->serial)) != 0 ||
1155 (ret = mbedtls_x509_get_alg(&p, end, &crt->sig_oid,
1156 &sig_params1)) != 0) {
1157 mbedtls_x509_crt_free(crt);
1158 return ret;
1159 }
1160
1161 if (crt->version < 0 || crt->version > 2) {
1162 mbedtls_x509_crt_free(crt);
1163 return MBEDTLS_ERR_X509_UNKNOWN_VERSION;
1164 }
1165
1166 crt->version++;
1167
1168 if ((ret = mbedtls_x509_get_sig_alg(&crt->sig_oid, &sig_params1,
1169 &crt->sig_md, &crt->sig_pk,
1170 &crt->sig_opts)) != 0) {
1171 mbedtls_x509_crt_free(crt);
1172 return ret;
1173 }
1174
1175 /*
1176 * issuer Name
1177 */
1178 crt->issuer_raw.p = p;
1179
1180 if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
1181 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
1182 mbedtls_x509_crt_free(crt);
1183 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_FORMAT, ret);
1184 }
1185
1186 if ((ret = mbedtls_x509_get_name(&p, p + len, &crt->issuer)) != 0) {
1187 mbedtls_x509_crt_free(crt);
1188 return ret;
1189 }
1190
1191 crt->issuer_raw.len = (size_t) (p - crt->issuer_raw.p);
1192
1193 /*
1194 * Validity ::= SEQUENCE {
1195 * notBefore Time,
1196 * notAfter Time }
1197 *
1198 */
1199 if ((ret = x509_get_dates(&p, end, &crt->valid_from,
1200 &crt->valid_to)) != 0) {
1201 mbedtls_x509_crt_free(crt);
1202 return ret;
1203 }
1204
1205 /*
1206 * subject Name
1207 */
1208 crt->subject_raw.p = p;
1209
1210 if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
1211 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
1212 mbedtls_x509_crt_free(crt);
1213 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_FORMAT, ret);
1214 }
1215
1216 if (len && (ret = mbedtls_x509_get_name(&p, p + len, &crt->subject)) != 0) {
1217 mbedtls_x509_crt_free(crt);
1218 return ret;
1219 }
1220
1221 crt->subject_raw.len = (size_t) (p - crt->subject_raw.p);
1222
1223 /*
1224 * SubjectPublicKeyInfo
1225 */
1226 crt->pk_raw.p = p;
1227 if ((ret = mbedtls_pk_parse_subpubkey(&p, end, &crt->pk)) != 0) {
1228 mbedtls_x509_crt_free(crt);
1229 return ret;
1230 }
1231 crt->pk_raw.len = (size_t) (p - crt->pk_raw.p);
1232
1233 /*
1234 * issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
1235 * -- If present, version shall be v2 or v3
1236 * subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
1237 * -- If present, version shall be v2 or v3
1238 * extensions [3] EXPLICIT Extensions OPTIONAL
1239 * -- If present, version shall be v3
1240 */
1241 if (crt->version == 2 || crt->version == 3) {
1242 ret = x509_get_uid(&p, end, &crt->issuer_id, 1);
1243 if (ret != 0) {
1244 mbedtls_x509_crt_free(crt);
1245 return ret;
1246 }
1247 }
1248
1249 if (crt->version == 2 || crt->version == 3) {
1250 ret = x509_get_uid(&p, end, &crt->subject_id, 2);
1251 if (ret != 0) {
1252 mbedtls_x509_crt_free(crt);
1253 return ret;
1254 }
1255 }
1256
1257 if (crt->version == 3) {
1258 ret = x509_get_crt_ext(&p, end, crt, cb, p_ctx);
1259 if (ret != 0) {
1260 mbedtls_x509_crt_free(crt);
1261 return ret;
1262 }
1263 }
1264
1265 if (p != end) {
1266 mbedtls_x509_crt_free(crt);
1267 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_FORMAT,
1268 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
1269 }
1270
1271 end = crt_end;
1272
1273 /*
1274 * }
1275 * -- end of TBSCertificate
1276 *
1277 * signatureAlgorithm AlgorithmIdentifier,
1278 * signatureValue BIT STRING
1279 */
1280 if ((ret = mbedtls_x509_get_alg(&p, end, &sig_oid2, &sig_params2)) != 0) {
1281 mbedtls_x509_crt_free(crt);
1282 return ret;
1283 }
1284
1285 if (crt->sig_oid.len != sig_oid2.len ||
1286 memcmp(crt->sig_oid.p, sig_oid2.p, crt->sig_oid.len) != 0 ||
1287 sig_params1.tag != sig_params2.tag ||
1288 sig_params1.len != sig_params2.len ||
1289 (sig_params1.len != 0 &&
1290 memcmp(sig_params1.p, sig_params2.p, sig_params1.len) != 0)) {
1291 mbedtls_x509_crt_free(crt);
1292 return MBEDTLS_ERR_X509_SIG_MISMATCH;
1293 }
1294
1295 if ((ret = mbedtls_x509_get_sig(&p, end, &crt->sig)) != 0) {
1296 mbedtls_x509_crt_free(crt);
1297 return ret;
1298 }
1299
1300 if (p != end) {
1301 mbedtls_x509_crt_free(crt);
1302 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_FORMAT,
1303 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
1304 }
1305
1306 return 0;
1307 }
1308
1309 /*
1310 * Parse one X.509 certificate in DER format from a buffer and add them to a
1311 * chained list
1312 */
mbedtls_x509_crt_parse_der_internal(mbedtls_x509_crt * chain,const unsigned char * buf,size_t buflen,int make_copy,mbedtls_x509_crt_ext_cb_t cb,void * p_ctx)1313 static int mbedtls_x509_crt_parse_der_internal(mbedtls_x509_crt *chain,
1314 const unsigned char *buf,
1315 size_t buflen,
1316 int make_copy,
1317 mbedtls_x509_crt_ext_cb_t cb,
1318 void *p_ctx)
1319 {
1320 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1321 mbedtls_x509_crt *crt = chain, *prev = NULL;
1322
1323 /*
1324 * Check for valid input
1325 */
1326 if (crt == NULL || buf == NULL) {
1327 return MBEDTLS_ERR_X509_BAD_INPUT_DATA;
1328 }
1329
1330 while (crt->version != 0 && crt->next != NULL) {
1331 prev = crt;
1332 crt = crt->next;
1333 }
1334
1335 /*
1336 * Add new certificate on the end of the chain if needed.
1337 */
1338 if (crt->version != 0 && crt->next == NULL) {
1339 crt->next = mbedtls_calloc(1, sizeof(mbedtls_x509_crt));
1340
1341 if (crt->next == NULL) {
1342 return MBEDTLS_ERR_X509_ALLOC_FAILED;
1343 }
1344
1345 prev = crt;
1346 mbedtls_x509_crt_init(crt->next);
1347 crt = crt->next;
1348 }
1349
1350 ret = x509_crt_parse_der_core(crt, buf, buflen, make_copy, cb, p_ctx);
1351 if (ret != 0) {
1352 if (prev) {
1353 prev->next = NULL;
1354 }
1355
1356 if (crt != chain) {
1357 mbedtls_free(crt);
1358 }
1359
1360 return ret;
1361 }
1362
1363 return 0;
1364 }
1365
mbedtls_x509_crt_parse_der_nocopy(mbedtls_x509_crt * chain,const unsigned char * buf,size_t buflen)1366 int mbedtls_x509_crt_parse_der_nocopy(mbedtls_x509_crt *chain,
1367 const unsigned char *buf,
1368 size_t buflen)
1369 {
1370 return mbedtls_x509_crt_parse_der_internal(chain, buf, buflen, 0, NULL, NULL);
1371 }
1372
mbedtls_x509_crt_parse_der_with_ext_cb(mbedtls_x509_crt * chain,const unsigned char * buf,size_t buflen,int make_copy,mbedtls_x509_crt_ext_cb_t cb,void * p_ctx)1373 int mbedtls_x509_crt_parse_der_with_ext_cb(mbedtls_x509_crt *chain,
1374 const unsigned char *buf,
1375 size_t buflen,
1376 int make_copy,
1377 mbedtls_x509_crt_ext_cb_t cb,
1378 void *p_ctx)
1379 {
1380 return mbedtls_x509_crt_parse_der_internal(chain, buf, buflen, make_copy, cb, p_ctx);
1381 }
1382
mbedtls_x509_crt_parse_der(mbedtls_x509_crt * chain,const unsigned char * buf,size_t buflen)1383 int mbedtls_x509_crt_parse_der(mbedtls_x509_crt *chain,
1384 const unsigned char *buf,
1385 size_t buflen)
1386 {
1387 return mbedtls_x509_crt_parse_der_internal(chain, buf, buflen, 1, NULL, NULL);
1388 }
1389
1390 /*
1391 * Parse one or more PEM certificates from a buffer and add them to the chained
1392 * list
1393 */
mbedtls_x509_crt_parse(mbedtls_x509_crt * chain,const unsigned char * buf,size_t buflen)1394 int mbedtls_x509_crt_parse(mbedtls_x509_crt *chain,
1395 const unsigned char *buf,
1396 size_t buflen)
1397 {
1398 #if defined(MBEDTLS_PEM_PARSE_C)
1399 int success = 0, first_error = 0, total_failed = 0;
1400 int buf_format = MBEDTLS_X509_FORMAT_DER;
1401 #endif
1402
1403 /*
1404 * Check for valid input
1405 */
1406 if (chain == NULL || buf == NULL) {
1407 return MBEDTLS_ERR_X509_BAD_INPUT_DATA;
1408 }
1409
1410 /*
1411 * Determine buffer content. Buffer contains either one DER certificate or
1412 * one or more PEM certificates.
1413 */
1414 #if defined(MBEDTLS_PEM_PARSE_C)
1415 if (buflen != 0 && buf[buflen - 1] == '\0' &&
1416 strstr((const char *) buf, "-----BEGIN CERTIFICATE-----") != NULL) {
1417 buf_format = MBEDTLS_X509_FORMAT_PEM;
1418 }
1419
1420 if (buf_format == MBEDTLS_X509_FORMAT_DER) {
1421 return mbedtls_x509_crt_parse_der(chain, buf, buflen);
1422 }
1423 #else
1424 return mbedtls_x509_crt_parse_der(chain, buf, buflen);
1425 #endif
1426
1427 #if defined(MBEDTLS_PEM_PARSE_C)
1428 if (buf_format == MBEDTLS_X509_FORMAT_PEM) {
1429 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1430 mbedtls_pem_context pem;
1431
1432 /* 1 rather than 0 since the terminating NULL byte is counted in */
1433 while (buflen > 1) {
1434 size_t use_len;
1435 mbedtls_pem_init(&pem);
1436
1437 /* If we get there, we know the string is null-terminated */
1438 ret = mbedtls_pem_read_buffer(&pem,
1439 "-----BEGIN CERTIFICATE-----",
1440 "-----END CERTIFICATE-----",
1441 buf, NULL, 0, &use_len);
1442
1443 if (ret == 0) {
1444 /*
1445 * Was PEM encoded
1446 */
1447 buflen -= use_len;
1448 buf += use_len;
1449 } else if (ret == MBEDTLS_ERR_PEM_BAD_INPUT_DATA) {
1450 return ret;
1451 } else if (ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT) {
1452 mbedtls_pem_free(&pem);
1453
1454 /*
1455 * PEM header and footer were found
1456 */
1457 buflen -= use_len;
1458 buf += use_len;
1459
1460 if (first_error == 0) {
1461 first_error = ret;
1462 }
1463
1464 total_failed++;
1465 continue;
1466 } else {
1467 break;
1468 }
1469
1470 ret = mbedtls_x509_crt_parse_der(chain, pem.buf, pem.buflen);
1471
1472 mbedtls_pem_free(&pem);
1473
1474 if (ret != 0) {
1475 /*
1476 * Quit parsing on a memory error
1477 */
1478 if (ret == MBEDTLS_ERR_X509_ALLOC_FAILED) {
1479 return ret;
1480 }
1481
1482 if (first_error == 0) {
1483 first_error = ret;
1484 }
1485
1486 total_failed++;
1487 continue;
1488 }
1489
1490 success = 1;
1491 }
1492 }
1493
1494 if (success) {
1495 return total_failed;
1496 } else if (first_error) {
1497 return first_error;
1498 } else {
1499 return MBEDTLS_ERR_X509_CERT_UNKNOWN_FORMAT;
1500 }
1501 #endif /* MBEDTLS_PEM_PARSE_C */
1502 }
1503
1504 #if defined(MBEDTLS_FS_IO)
1505 /*
1506 * Load one or more certificates and add them to the chained list
1507 */
mbedtls_x509_crt_parse_file(mbedtls_x509_crt * chain,const char * path)1508 int mbedtls_x509_crt_parse_file(mbedtls_x509_crt *chain, const char *path)
1509 {
1510 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1511 size_t n;
1512 unsigned char *buf;
1513
1514 if ((ret = mbedtls_pk_load_file(path, &buf, &n)) != 0) {
1515 return ret;
1516 }
1517
1518 ret = mbedtls_x509_crt_parse(chain, buf, n);
1519
1520 mbedtls_zeroize_and_free(buf, n);
1521
1522 return ret;
1523 }
1524
mbedtls_x509_crt_parse_path(mbedtls_x509_crt * chain,const char * path)1525 int mbedtls_x509_crt_parse_path(mbedtls_x509_crt *chain, const char *path)
1526 {
1527 int ret = 0;
1528 #if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
1529 int w_ret;
1530 WCHAR szDir[MAX_PATH];
1531 char filename[MAX_PATH];
1532 char *p;
1533 size_t len = strlen(path);
1534
1535 WIN32_FIND_DATAW file_data;
1536 HANDLE hFind;
1537
1538 if (len > MAX_PATH - 3) {
1539 return MBEDTLS_ERR_X509_BAD_INPUT_DATA;
1540 }
1541
1542 memset(szDir, 0, sizeof(szDir));
1543 memset(filename, 0, MAX_PATH);
1544 memcpy(filename, path, len);
1545 filename[len++] = '\\';
1546 p = filename + len;
1547 filename[len++] = '*';
1548
1549 /*
1550 * Note this function uses the code page CP_ACP which is the system default
1551 * ANSI codepage. The input string is always described in BYTES and the
1552 * output length is described in WCHARs.
1553 */
1554 w_ret = MultiByteToWideChar(CP_ACP, 0, filename, (int) len, szDir,
1555 MAX_PATH - 3);
1556 if (w_ret == 0) {
1557 return MBEDTLS_ERR_X509_BAD_INPUT_DATA;
1558 }
1559
1560 hFind = FindFirstFileW(szDir, &file_data);
1561 if (hFind == INVALID_HANDLE_VALUE) {
1562 return MBEDTLS_ERR_X509_FILE_IO_ERROR;
1563 }
1564
1565 len = MAX_PATH - len;
1566 do {
1567 memset(p, 0, len);
1568
1569 if (file_data.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) {
1570 continue;
1571 }
1572 w_ret = WideCharToMultiByte(CP_ACP, 0, file_data.cFileName,
1573 -1, p, (int) len, NULL, NULL);
1574 if (w_ret == 0) {
1575 ret = MBEDTLS_ERR_X509_FILE_IO_ERROR;
1576 goto cleanup;
1577 }
1578
1579 w_ret = mbedtls_x509_crt_parse_file(chain, filename);
1580 if (w_ret < 0) {
1581 ret++;
1582 } else {
1583 ret += w_ret;
1584 }
1585 } while (FindNextFileW(hFind, &file_data) != 0);
1586
1587 if (GetLastError() != ERROR_NO_MORE_FILES) {
1588 ret = MBEDTLS_ERR_X509_FILE_IO_ERROR;
1589 }
1590
1591 cleanup:
1592 FindClose(hFind);
1593 #else /* _WIN32 */
1594 int t_ret;
1595 int snp_ret;
1596 struct stat sb;
1597 struct dirent *entry;
1598 char entry_name[MBEDTLS_X509_MAX_FILE_PATH_LEN];
1599 DIR *dir = opendir(path);
1600
1601 if (dir == NULL) {
1602 return MBEDTLS_ERR_X509_FILE_IO_ERROR;
1603 }
1604
1605 #if defined(MBEDTLS_THREADING_C)
1606 if ((ret = mbedtls_mutex_lock(&mbedtls_threading_readdir_mutex)) != 0) {
1607 closedir(dir);
1608 return ret;
1609 }
1610 #endif /* MBEDTLS_THREADING_C */
1611
1612 memset(&sb, 0, sizeof(sb));
1613
1614 while ((entry = readdir(dir)) != NULL) {
1615 snp_ret = mbedtls_snprintf(entry_name, sizeof(entry_name),
1616 "%s/%s", path, entry->d_name);
1617
1618 if (snp_ret < 0 || (size_t) snp_ret >= sizeof(entry_name)) {
1619 ret = MBEDTLS_ERR_X509_BUFFER_TOO_SMALL;
1620 goto cleanup;
1621 } else if (stat(entry_name, &sb) == -1) {
1622 if (errno == ENOENT) {
1623 /* Broken symbolic link - ignore this entry.
1624 stat(2) will return this error for either (a) a dangling
1625 symlink or (b) a missing file.
1626 Given that we have just obtained the filename from readdir,
1627 assume that it does exist and therefore treat this as a
1628 dangling symlink. */
1629 continue;
1630 } else {
1631 /* Some other file error; report the error. */
1632 ret = MBEDTLS_ERR_X509_FILE_IO_ERROR;
1633 goto cleanup;
1634 }
1635 }
1636
1637 if (!S_ISREG(sb.st_mode)) {
1638 continue;
1639 }
1640
1641 // Ignore parse errors
1642 //
1643 t_ret = mbedtls_x509_crt_parse_file(chain, entry_name);
1644 if (t_ret < 0) {
1645 ret++;
1646 } else {
1647 ret += t_ret;
1648 }
1649 }
1650
1651 cleanup:
1652 closedir(dir);
1653
1654 #if defined(MBEDTLS_THREADING_C)
1655 if (mbedtls_mutex_unlock(&mbedtls_threading_readdir_mutex) != 0) {
1656 ret = MBEDTLS_ERR_THREADING_MUTEX_ERROR;
1657 }
1658 #endif /* MBEDTLS_THREADING_C */
1659
1660 #endif /* _WIN32 */
1661
1662 return ret;
1663 }
1664 #endif /* MBEDTLS_FS_IO */
1665
1666 #if !defined(MBEDTLS_X509_REMOVE_INFO)
1667 #define PRINT_ITEM(i) \
1668 do { \
1669 ret = mbedtls_snprintf(p, n, "%s" i, sep); \
1670 MBEDTLS_X509_SAFE_SNPRINTF; \
1671 sep = ", "; \
1672 } while (0)
1673
1674 #define CERT_TYPE(type, name) \
1675 do { \
1676 if (ns_cert_type & (type)) { \
1677 PRINT_ITEM(name); \
1678 } \
1679 } while (0)
1680
1681 #define KEY_USAGE(code, name) \
1682 do { \
1683 if (key_usage & (code)) { \
1684 PRINT_ITEM(name); \
1685 } \
1686 } while (0)
1687
x509_info_ext_key_usage(char ** buf,size_t * size,const mbedtls_x509_sequence * extended_key_usage)1688 static int x509_info_ext_key_usage(char **buf, size_t *size,
1689 const mbedtls_x509_sequence *extended_key_usage)
1690 {
1691 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1692 const char *desc;
1693 size_t n = *size;
1694 char *p = *buf;
1695 const mbedtls_x509_sequence *cur = extended_key_usage;
1696 const char *sep = "";
1697
1698 while (cur != NULL) {
1699 if (mbedtls_oid_get_extended_key_usage(&cur->buf, &desc) != 0) {
1700 desc = "???";
1701 }
1702
1703 ret = mbedtls_snprintf(p, n, "%s%s", sep, desc);
1704 MBEDTLS_X509_SAFE_SNPRINTF;
1705
1706 sep = ", ";
1707
1708 cur = cur->next;
1709 }
1710
1711 *size = n;
1712 *buf = p;
1713
1714 return 0;
1715 }
1716
x509_info_cert_policies(char ** buf,size_t * size,const mbedtls_x509_sequence * certificate_policies)1717 static int x509_info_cert_policies(char **buf, size_t *size,
1718 const mbedtls_x509_sequence *certificate_policies)
1719 {
1720 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1721 const char *desc;
1722 size_t n = *size;
1723 char *p = *buf;
1724 const mbedtls_x509_sequence *cur = certificate_policies;
1725 const char *sep = "";
1726
1727 while (cur != NULL) {
1728 if (mbedtls_oid_get_certificate_policies(&cur->buf, &desc) != 0) {
1729 desc = "???";
1730 }
1731
1732 ret = mbedtls_snprintf(p, n, "%s%s", sep, desc);
1733 MBEDTLS_X509_SAFE_SNPRINTF;
1734
1735 sep = ", ";
1736
1737 cur = cur->next;
1738 }
1739
1740 *size = n;
1741 *buf = p;
1742
1743 return 0;
1744 }
1745
1746 /*
1747 * Return an informational string about the certificate.
1748 */
1749 #define BEFORE_COLON 18
1750 #define BC "18"
mbedtls_x509_crt_info(char * buf,size_t size,const char * prefix,const mbedtls_x509_crt * crt)1751 int mbedtls_x509_crt_info(char *buf, size_t size, const char *prefix,
1752 const mbedtls_x509_crt *crt)
1753 {
1754 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1755 size_t n;
1756 char *p;
1757 char key_size_str[BEFORE_COLON];
1758
1759 p = buf;
1760 n = size;
1761
1762 if (NULL == crt) {
1763 ret = mbedtls_snprintf(p, n, "\nCertificate is uninitialised!\n");
1764 MBEDTLS_X509_SAFE_SNPRINTF;
1765
1766 return (int) (size - n);
1767 }
1768
1769 ret = mbedtls_snprintf(p, n, "%scert. version : %d\n",
1770 prefix, crt->version);
1771 MBEDTLS_X509_SAFE_SNPRINTF;
1772 ret = mbedtls_snprintf(p, n, "%sserial number : ",
1773 prefix);
1774 MBEDTLS_X509_SAFE_SNPRINTF;
1775
1776 ret = mbedtls_x509_serial_gets(p, n, &crt->serial);
1777 MBEDTLS_X509_SAFE_SNPRINTF;
1778
1779 ret = mbedtls_snprintf(p, n, "\n%sissuer name : ", prefix);
1780 MBEDTLS_X509_SAFE_SNPRINTF;
1781 ret = mbedtls_x509_dn_gets(p, n, &crt->issuer);
1782 MBEDTLS_X509_SAFE_SNPRINTF;
1783
1784 ret = mbedtls_snprintf(p, n, "\n%ssubject name : ", prefix);
1785 MBEDTLS_X509_SAFE_SNPRINTF;
1786 ret = mbedtls_x509_dn_gets(p, n, &crt->subject);
1787 MBEDTLS_X509_SAFE_SNPRINTF;
1788
1789 ret = mbedtls_snprintf(p, n, "\n%sissued on : " \
1790 "%04d-%02d-%02d %02d:%02d:%02d", prefix,
1791 crt->valid_from.year, crt->valid_from.mon,
1792 crt->valid_from.day, crt->valid_from.hour,
1793 crt->valid_from.min, crt->valid_from.sec);
1794 MBEDTLS_X509_SAFE_SNPRINTF;
1795
1796 ret = mbedtls_snprintf(p, n, "\n%sexpires on : " \
1797 "%04d-%02d-%02d %02d:%02d:%02d", prefix,
1798 crt->valid_to.year, crt->valid_to.mon,
1799 crt->valid_to.day, crt->valid_to.hour,
1800 crt->valid_to.min, crt->valid_to.sec);
1801 MBEDTLS_X509_SAFE_SNPRINTF;
1802
1803 ret = mbedtls_snprintf(p, n, "\n%ssigned using : ", prefix);
1804 MBEDTLS_X509_SAFE_SNPRINTF;
1805
1806 ret = mbedtls_x509_sig_alg_gets(p, n, &crt->sig_oid, crt->sig_pk,
1807 crt->sig_md, crt->sig_opts);
1808 MBEDTLS_X509_SAFE_SNPRINTF;
1809
1810 /* Key size */
1811 if ((ret = mbedtls_x509_key_size_helper(key_size_str, BEFORE_COLON,
1812 mbedtls_pk_get_name(&crt->pk))) != 0) {
1813 return ret;
1814 }
1815
1816 ret = mbedtls_snprintf(p, n, "\n%s%-" BC "s: %d bits", prefix, key_size_str,
1817 (int) mbedtls_pk_get_bitlen(&crt->pk));
1818 MBEDTLS_X509_SAFE_SNPRINTF;
1819
1820 /*
1821 * Optional extensions
1822 */
1823
1824 if (crt->ext_types & MBEDTLS_X509_EXT_BASIC_CONSTRAINTS) {
1825 ret = mbedtls_snprintf(p, n, "\n%sbasic constraints : CA=%s", prefix,
1826 crt->ca_istrue ? "true" : "false");
1827 MBEDTLS_X509_SAFE_SNPRINTF;
1828
1829 if (crt->max_pathlen > 0) {
1830 ret = mbedtls_snprintf(p, n, ", max_pathlen=%d", crt->max_pathlen - 1);
1831 MBEDTLS_X509_SAFE_SNPRINTF;
1832 }
1833 }
1834
1835 if (crt->ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME) {
1836 ret = mbedtls_snprintf(p, n, "\n%ssubject alt name :", prefix);
1837 MBEDTLS_X509_SAFE_SNPRINTF;
1838
1839 if ((ret = mbedtls_x509_info_subject_alt_name(&p, &n,
1840 &crt->subject_alt_names,
1841 prefix)) != 0) {
1842 return ret;
1843 }
1844 }
1845
1846 if (crt->ext_types & MBEDTLS_X509_EXT_NS_CERT_TYPE) {
1847 ret = mbedtls_snprintf(p, n, "\n%scert. type : ", prefix);
1848 MBEDTLS_X509_SAFE_SNPRINTF;
1849
1850 if ((ret = mbedtls_x509_info_cert_type(&p, &n, crt->ns_cert_type)) != 0) {
1851 return ret;
1852 }
1853 }
1854
1855 if (crt->ext_types & MBEDTLS_X509_EXT_KEY_USAGE) {
1856 ret = mbedtls_snprintf(p, n, "\n%skey usage : ", prefix);
1857 MBEDTLS_X509_SAFE_SNPRINTF;
1858
1859 if ((ret = mbedtls_x509_info_key_usage(&p, &n, crt->key_usage)) != 0) {
1860 return ret;
1861 }
1862 }
1863
1864 if (crt->ext_types & MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE) {
1865 ret = mbedtls_snprintf(p, n, "\n%sext key usage : ", prefix);
1866 MBEDTLS_X509_SAFE_SNPRINTF;
1867
1868 if ((ret = x509_info_ext_key_usage(&p, &n,
1869 &crt->ext_key_usage)) != 0) {
1870 return ret;
1871 }
1872 }
1873
1874 if (crt->ext_types & MBEDTLS_OID_X509_EXT_CERTIFICATE_POLICIES) {
1875 ret = mbedtls_snprintf(p, n, "\n%scertificate policies : ", prefix);
1876 MBEDTLS_X509_SAFE_SNPRINTF;
1877
1878 if ((ret = x509_info_cert_policies(&p, &n,
1879 &crt->certificate_policies)) != 0) {
1880 return ret;
1881 }
1882 }
1883
1884 ret = mbedtls_snprintf(p, n, "\n");
1885 MBEDTLS_X509_SAFE_SNPRINTF;
1886
1887 return (int) (size - n);
1888 }
1889
1890 struct x509_crt_verify_string {
1891 int code;
1892 const char *string;
1893 };
1894
1895 #define X509_CRT_ERROR_INFO(err, err_str, info) { err, info },
1896 static const struct x509_crt_verify_string x509_crt_verify_strings[] = {
1897 MBEDTLS_X509_CRT_ERROR_INFO_LIST
1898 { 0, NULL }
1899 };
1900 #undef X509_CRT_ERROR_INFO
1901
mbedtls_x509_crt_verify_info(char * buf,size_t size,const char * prefix,uint32_t flags)1902 int mbedtls_x509_crt_verify_info(char *buf, size_t size, const char *prefix,
1903 uint32_t flags)
1904 {
1905 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1906 const struct x509_crt_verify_string *cur;
1907 char *p = buf;
1908 size_t n = size;
1909
1910 for (cur = x509_crt_verify_strings; cur->string != NULL; cur++) {
1911 if ((flags & cur->code) == 0) {
1912 continue;
1913 }
1914
1915 ret = mbedtls_snprintf(p, n, "%s%s\n", prefix, cur->string);
1916 MBEDTLS_X509_SAFE_SNPRINTF;
1917 flags ^= cur->code;
1918 }
1919
1920 if (flags != 0) {
1921 ret = mbedtls_snprintf(p, n, "%sUnknown reason "
1922 "(this should not happen)\n", prefix);
1923 MBEDTLS_X509_SAFE_SNPRINTF;
1924 }
1925
1926 return (int) (size - n);
1927 }
1928 #endif /* MBEDTLS_X509_REMOVE_INFO */
1929
mbedtls_x509_crt_check_key_usage(const mbedtls_x509_crt * crt,unsigned int usage)1930 int mbedtls_x509_crt_check_key_usage(const mbedtls_x509_crt *crt,
1931 unsigned int usage)
1932 {
1933 unsigned int usage_must, usage_may;
1934 unsigned int may_mask = MBEDTLS_X509_KU_ENCIPHER_ONLY
1935 | MBEDTLS_X509_KU_DECIPHER_ONLY;
1936
1937 if ((crt->ext_types & MBEDTLS_X509_EXT_KEY_USAGE) == 0) {
1938 return 0;
1939 }
1940
1941 usage_must = usage & ~may_mask;
1942
1943 if (((crt->key_usage & ~may_mask) & usage_must) != usage_must) {
1944 return MBEDTLS_ERR_X509_BAD_INPUT_DATA;
1945 }
1946
1947 usage_may = usage & may_mask;
1948
1949 if (((crt->key_usage & may_mask) | usage_may) != usage_may) {
1950 return MBEDTLS_ERR_X509_BAD_INPUT_DATA;
1951 }
1952
1953 return 0;
1954 }
1955
mbedtls_x509_crt_check_extended_key_usage(const mbedtls_x509_crt * crt,const char * usage_oid,size_t usage_len)1956 int mbedtls_x509_crt_check_extended_key_usage(const mbedtls_x509_crt *crt,
1957 const char *usage_oid,
1958 size_t usage_len)
1959 {
1960 const mbedtls_x509_sequence *cur;
1961
1962 /* Extension is not mandatory, absent means no restriction */
1963 if ((crt->ext_types & MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE) == 0) {
1964 return 0;
1965 }
1966
1967 /*
1968 * Look for the requested usage (or wildcard ANY) in our list
1969 */
1970 for (cur = &crt->ext_key_usage; cur != NULL; cur = cur->next) {
1971 const mbedtls_x509_buf *cur_oid = &cur->buf;
1972
1973 if (cur_oid->len == usage_len &&
1974 memcmp(cur_oid->p, usage_oid, usage_len) == 0) {
1975 return 0;
1976 }
1977
1978 if (MBEDTLS_OID_CMP(MBEDTLS_OID_ANY_EXTENDED_KEY_USAGE, cur_oid) == 0) {
1979 return 0;
1980 }
1981 }
1982
1983 return MBEDTLS_ERR_X509_BAD_INPUT_DATA;
1984 }
1985
1986 #if defined(MBEDTLS_X509_CRL_PARSE_C)
1987 /*
1988 * Return 1 if the certificate is revoked, or 0 otherwise.
1989 */
mbedtls_x509_crt_is_revoked(const mbedtls_x509_crt * crt,const mbedtls_x509_crl * crl)1990 int mbedtls_x509_crt_is_revoked(const mbedtls_x509_crt *crt, const mbedtls_x509_crl *crl)
1991 {
1992 const mbedtls_x509_crl_entry *cur = &crl->entry;
1993
1994 while (cur != NULL && cur->serial.len != 0) {
1995 if (crt->serial.len == cur->serial.len &&
1996 memcmp(crt->serial.p, cur->serial.p, crt->serial.len) == 0) {
1997 return 1;
1998 }
1999
2000 cur = cur->next;
2001 }
2002
2003 return 0;
2004 }
2005
2006 /*
2007 * Check that the given certificate is not revoked according to the CRL.
2008 * Skip validation if no CRL for the given CA is present.
2009 */
x509_crt_verifycrl(mbedtls_x509_crt * crt,mbedtls_x509_crt * ca,mbedtls_x509_crl * crl_list,const mbedtls_x509_crt_profile * profile,const mbedtls_x509_time * now)2010 static int x509_crt_verifycrl(mbedtls_x509_crt *crt, mbedtls_x509_crt *ca,
2011 mbedtls_x509_crl *crl_list,
2012 const mbedtls_x509_crt_profile *profile,
2013 const mbedtls_x509_time *now)
2014 {
2015 int flags = 0;
2016 unsigned char hash[MBEDTLS_MD_MAX_SIZE];
2017 #if defined(MBEDTLS_USE_PSA_CRYPTO)
2018 psa_algorithm_t psa_algorithm;
2019 #else
2020 const mbedtls_md_info_t *md_info;
2021 #endif /* MBEDTLS_USE_PSA_CRYPTO */
2022 size_t hash_length;
2023
2024 if (ca == NULL) {
2025 return flags;
2026 }
2027
2028 while (crl_list != NULL) {
2029 if (crl_list->version == 0 ||
2030 x509_name_cmp(&crl_list->issuer, &ca->subject) != 0) {
2031 crl_list = crl_list->next;
2032 continue;
2033 }
2034
2035 /*
2036 * Check if the CA is configured to sign CRLs
2037 */
2038 if (mbedtls_x509_crt_check_key_usage(ca,
2039 MBEDTLS_X509_KU_CRL_SIGN) != 0) {
2040 flags |= MBEDTLS_X509_BADCRL_NOT_TRUSTED;
2041 break;
2042 }
2043
2044 /*
2045 * Check if CRL is correctly signed by the trusted CA
2046 */
2047 if (x509_profile_check_md_alg(profile, crl_list->sig_md) != 0) {
2048 flags |= MBEDTLS_X509_BADCRL_BAD_MD;
2049 }
2050
2051 if (x509_profile_check_pk_alg(profile, crl_list->sig_pk) != 0) {
2052 flags |= MBEDTLS_X509_BADCRL_BAD_PK;
2053 }
2054
2055 #if defined(MBEDTLS_USE_PSA_CRYPTO)
2056 psa_algorithm = mbedtls_md_psa_alg_from_type(crl_list->sig_md);
2057 if (psa_hash_compute(psa_algorithm,
2058 crl_list->tbs.p,
2059 crl_list->tbs.len,
2060 hash,
2061 sizeof(hash),
2062 &hash_length) != PSA_SUCCESS) {
2063 /* Note: this can't happen except after an internal error */
2064 flags |= MBEDTLS_X509_BADCRL_NOT_TRUSTED;
2065 break;
2066 }
2067 #else
2068 md_info = mbedtls_md_info_from_type(crl_list->sig_md);
2069 hash_length = mbedtls_md_get_size(md_info);
2070 if (mbedtls_md(md_info,
2071 crl_list->tbs.p,
2072 crl_list->tbs.len,
2073 hash) != 0) {
2074 /* Note: this can't happen except after an internal error */
2075 flags |= MBEDTLS_X509_BADCRL_NOT_TRUSTED;
2076 break;
2077 }
2078 #endif /* MBEDTLS_USE_PSA_CRYPTO */
2079
2080 if (x509_profile_check_key(profile, &ca->pk) != 0) {
2081 flags |= MBEDTLS_X509_BADCERT_BAD_KEY;
2082 }
2083
2084 if (mbedtls_pk_verify_ext(crl_list->sig_pk, crl_list->sig_opts, &ca->pk,
2085 crl_list->sig_md, hash, hash_length,
2086 crl_list->sig.p, crl_list->sig.len) != 0) {
2087 flags |= MBEDTLS_X509_BADCRL_NOT_TRUSTED;
2088 break;
2089 }
2090
2091 #if defined(MBEDTLS_HAVE_TIME_DATE)
2092 /*
2093 * Check for validity of CRL (Do not drop out)
2094 */
2095 if (mbedtls_x509_time_cmp(&crl_list->next_update, now) < 0) {
2096 flags |= MBEDTLS_X509_BADCRL_EXPIRED;
2097 }
2098
2099 if (mbedtls_x509_time_cmp(&crl_list->this_update, now) > 0) {
2100 flags |= MBEDTLS_X509_BADCRL_FUTURE;
2101 }
2102 #else
2103 ((void) now);
2104 #endif
2105
2106 /*
2107 * Check if certificate is revoked
2108 */
2109 if (mbedtls_x509_crt_is_revoked(crt, crl_list)) {
2110 flags |= MBEDTLS_X509_BADCERT_REVOKED;
2111 break;
2112 }
2113
2114 crl_list = crl_list->next;
2115 }
2116
2117 return flags;
2118 }
2119 #endif /* MBEDTLS_X509_CRL_PARSE_C */
2120
2121 /*
2122 * Check the signature of a certificate by its parent
2123 */
x509_crt_check_signature(const mbedtls_x509_crt * child,mbedtls_x509_crt * parent,mbedtls_x509_crt_restart_ctx * rs_ctx)2124 static int x509_crt_check_signature(const mbedtls_x509_crt *child,
2125 mbedtls_x509_crt *parent,
2126 mbedtls_x509_crt_restart_ctx *rs_ctx)
2127 {
2128 size_t hash_len;
2129 unsigned char hash[MBEDTLS_MD_MAX_SIZE];
2130 #if !defined(MBEDTLS_USE_PSA_CRYPTO)
2131 const mbedtls_md_info_t *md_info;
2132 md_info = mbedtls_md_info_from_type(child->sig_md);
2133 hash_len = mbedtls_md_get_size(md_info);
2134
2135 /* Note: hash errors can happen only after an internal error */
2136 if (mbedtls_md(md_info, child->tbs.p, child->tbs.len, hash) != 0) {
2137 return -1;
2138 }
2139 #else
2140 psa_algorithm_t hash_alg = mbedtls_md_psa_alg_from_type(child->sig_md);
2141 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
2142
2143 status = psa_hash_compute(hash_alg,
2144 child->tbs.p,
2145 child->tbs.len,
2146 hash,
2147 sizeof(hash),
2148 &hash_len);
2149 if (status != PSA_SUCCESS) {
2150 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
2151 }
2152
2153 #endif /* MBEDTLS_USE_PSA_CRYPTO */
2154 /* Skip expensive computation on obvious mismatch */
2155 if (!mbedtls_pk_can_do(&parent->pk, child->sig_pk)) {
2156 return -1;
2157 }
2158
2159 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
2160 if (rs_ctx != NULL && child->sig_pk == MBEDTLS_PK_ECDSA) {
2161 return mbedtls_pk_verify_restartable(&parent->pk,
2162 child->sig_md, hash, hash_len,
2163 child->sig.p, child->sig.len, &rs_ctx->pk);
2164 }
2165 #else
2166 (void) rs_ctx;
2167 #endif
2168
2169 return mbedtls_pk_verify_ext(child->sig_pk, child->sig_opts, &parent->pk,
2170 child->sig_md, hash, hash_len,
2171 child->sig.p, child->sig.len);
2172 }
2173
2174 /*
2175 * Check if 'parent' is a suitable parent (signing CA) for 'child'.
2176 * Return 0 if yes, -1 if not.
2177 *
2178 * top means parent is a locally-trusted certificate
2179 */
x509_crt_check_parent(const mbedtls_x509_crt * child,const mbedtls_x509_crt * parent,int top)2180 static int x509_crt_check_parent(const mbedtls_x509_crt *child,
2181 const mbedtls_x509_crt *parent,
2182 int top)
2183 {
2184 int need_ca_bit;
2185
2186 /* Parent must be the issuer */
2187 if (x509_name_cmp(&child->issuer, &parent->subject) != 0) {
2188 return -1;
2189 }
2190
2191 /* Parent must have the basicConstraints CA bit set as a general rule */
2192 need_ca_bit = 1;
2193
2194 /* Exception: v1/v2 certificates that are locally trusted. */
2195 if (top && parent->version < 3) {
2196 need_ca_bit = 0;
2197 }
2198
2199 if (need_ca_bit && !parent->ca_istrue) {
2200 return -1;
2201 }
2202
2203 if (need_ca_bit &&
2204 mbedtls_x509_crt_check_key_usage(parent, MBEDTLS_X509_KU_KEY_CERT_SIGN) != 0) {
2205 return -1;
2206 }
2207
2208 return 0;
2209 }
2210
2211 /*
2212 * Find a suitable parent for child in candidates, or return NULL.
2213 *
2214 * Here suitable is defined as:
2215 * 1. subject name matches child's issuer
2216 * 2. if necessary, the CA bit is set and key usage allows signing certs
2217 * 3. for trusted roots, the signature is correct
2218 * (for intermediates, the signature is checked and the result reported)
2219 * 4. pathlen constraints are satisfied
2220 *
2221 * If there's a suitable candidate which is also time-valid, return the first
2222 * such. Otherwise, return the first suitable candidate (or NULL if there is
2223 * none).
2224 *
2225 * The rationale for this rule is that someone could have a list of trusted
2226 * roots with two versions on the same root with different validity periods.
2227 * (At least one user reported having such a list and wanted it to just work.)
2228 * The reason we don't just require time-validity is that generally there is
2229 * only one version, and if it's expired we want the flags to state that
2230 * rather than NOT_TRUSTED, as would be the case if we required it here.
2231 *
2232 * The rationale for rule 3 (signature for trusted roots) is that users might
2233 * have two versions of the same CA with different keys in their list, and the
2234 * way we select the correct one is by checking the signature (as we don't
2235 * rely on key identifier extensions). (This is one way users might choose to
2236 * handle key rollover, another relies on self-issued certs, see [SIRO].)
2237 *
2238 * Arguments:
2239 * - [in] child: certificate for which we're looking for a parent
2240 * - [in] candidates: chained list of potential parents
2241 * - [out] r_parent: parent found (or NULL)
2242 * - [out] r_signature_is_good: 1 if child signature by parent is valid, or 0
2243 * - [in] top: 1 if candidates consists of trusted roots, ie we're at the top
2244 * of the chain, 0 otherwise
2245 * - [in] path_cnt: number of intermediates seen so far
2246 * - [in] self_cnt: number of self-signed intermediates seen so far
2247 * (will never be greater than path_cnt)
2248 * - [in-out] rs_ctx: context for restarting operations
2249 *
2250 * Return value:
2251 * - 0 on success
2252 * - MBEDTLS_ERR_ECP_IN_PROGRESS otherwise
2253 */
x509_crt_find_parent_in(mbedtls_x509_crt * child,mbedtls_x509_crt * candidates,mbedtls_x509_crt ** r_parent,int * r_signature_is_good,int top,unsigned path_cnt,unsigned self_cnt,mbedtls_x509_crt_restart_ctx * rs_ctx,const mbedtls_x509_time * now)2254 static int x509_crt_find_parent_in(
2255 mbedtls_x509_crt *child,
2256 mbedtls_x509_crt *candidates,
2257 mbedtls_x509_crt **r_parent,
2258 int *r_signature_is_good,
2259 int top,
2260 unsigned path_cnt,
2261 unsigned self_cnt,
2262 mbedtls_x509_crt_restart_ctx *rs_ctx,
2263 const mbedtls_x509_time *now)
2264 {
2265 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2266 mbedtls_x509_crt *parent, *fallback_parent;
2267 int signature_is_good = 0, fallback_signature_is_good;
2268
2269 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
2270 /* did we have something in progress? */
2271 if (rs_ctx != NULL && rs_ctx->parent != NULL) {
2272 /* restore saved state */
2273 parent = rs_ctx->parent;
2274 fallback_parent = rs_ctx->fallback_parent;
2275 fallback_signature_is_good = rs_ctx->fallback_signature_is_good;
2276
2277 /* clear saved state */
2278 rs_ctx->parent = NULL;
2279 rs_ctx->fallback_parent = NULL;
2280 rs_ctx->fallback_signature_is_good = 0;
2281
2282 /* resume where we left */
2283 goto check_signature;
2284 }
2285 #endif
2286
2287 fallback_parent = NULL;
2288 fallback_signature_is_good = 0;
2289
2290 for (parent = candidates; parent != NULL; parent = parent->next) {
2291 /* basic parenting skills (name, CA bit, key usage) */
2292 if (x509_crt_check_parent(child, parent, top) != 0) {
2293 continue;
2294 }
2295
2296 /* +1 because stored max_pathlen is 1 higher that the actual value */
2297 if (parent->max_pathlen > 0 &&
2298 (size_t) parent->max_pathlen < 1 + path_cnt - self_cnt) {
2299 continue;
2300 }
2301
2302 /* Signature */
2303 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
2304 check_signature:
2305 #endif
2306 ret = x509_crt_check_signature(child, parent, rs_ctx);
2307
2308 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
2309 if (rs_ctx != NULL && ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
2310 /* save state */
2311 rs_ctx->parent = parent;
2312 rs_ctx->fallback_parent = fallback_parent;
2313 rs_ctx->fallback_signature_is_good = fallback_signature_is_good;
2314
2315 return ret;
2316 }
2317 #else
2318 (void) ret;
2319 #endif
2320
2321 signature_is_good = ret == 0;
2322 if (top && !signature_is_good) {
2323 continue;
2324 }
2325
2326 #if defined(MBEDTLS_HAVE_TIME_DATE)
2327 /* optional time check */
2328 if (mbedtls_x509_time_cmp(&parent->valid_to, now) < 0 || /* past */
2329 mbedtls_x509_time_cmp(&parent->valid_from, now) > 0) { /* future */
2330 if (fallback_parent == NULL) {
2331 fallback_parent = parent;
2332 fallback_signature_is_good = signature_is_good;
2333 }
2334
2335 continue;
2336 }
2337 #else
2338 ((void) now);
2339 #endif
2340
2341 *r_parent = parent;
2342 *r_signature_is_good = signature_is_good;
2343
2344 break;
2345 }
2346
2347 if (parent == NULL) {
2348 *r_parent = fallback_parent;
2349 *r_signature_is_good = fallback_signature_is_good;
2350 }
2351
2352 return 0;
2353 }
2354
2355 /*
2356 * Find a parent in trusted CAs or the provided chain, or return NULL.
2357 *
2358 * Searches in trusted CAs first, and return the first suitable parent found
2359 * (see find_parent_in() for definition of suitable).
2360 *
2361 * Arguments:
2362 * - [in] child: certificate for which we're looking for a parent, followed
2363 * by a chain of possible intermediates
2364 * - [in] trust_ca: list of locally trusted certificates
2365 * - [out] parent: parent found (or NULL)
2366 * - [out] parent_is_trusted: 1 if returned `parent` is trusted, or 0
2367 * - [out] signature_is_good: 1 if child signature by parent is valid, or 0
2368 * - [in] path_cnt: number of links in the chain so far (EE -> ... -> child)
2369 * - [in] self_cnt: number of self-signed certs in the chain so far
2370 * (will always be no greater than path_cnt)
2371 * - [in-out] rs_ctx: context for restarting operations
2372 *
2373 * Return value:
2374 * - 0 on success
2375 * - MBEDTLS_ERR_ECP_IN_PROGRESS otherwise
2376 */
x509_crt_find_parent(mbedtls_x509_crt * child,mbedtls_x509_crt * trust_ca,mbedtls_x509_crt ** parent,int * parent_is_trusted,int * signature_is_good,unsigned path_cnt,unsigned self_cnt,mbedtls_x509_crt_restart_ctx * rs_ctx,const mbedtls_x509_time * now)2377 static int x509_crt_find_parent(
2378 mbedtls_x509_crt *child,
2379 mbedtls_x509_crt *trust_ca,
2380 mbedtls_x509_crt **parent,
2381 int *parent_is_trusted,
2382 int *signature_is_good,
2383 unsigned path_cnt,
2384 unsigned self_cnt,
2385 mbedtls_x509_crt_restart_ctx *rs_ctx,
2386 const mbedtls_x509_time *now)
2387 {
2388 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2389 mbedtls_x509_crt *search_list;
2390
2391 *parent_is_trusted = 1;
2392
2393 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
2394 /* restore then clear saved state if we have some stored */
2395 if (rs_ctx != NULL && rs_ctx->parent_is_trusted != -1) {
2396 *parent_is_trusted = rs_ctx->parent_is_trusted;
2397 rs_ctx->parent_is_trusted = -1;
2398 }
2399 #endif
2400
2401 while (1) {
2402 search_list = *parent_is_trusted ? trust_ca : child->next;
2403
2404 ret = x509_crt_find_parent_in(child, search_list,
2405 parent, signature_is_good,
2406 *parent_is_trusted,
2407 path_cnt, self_cnt, rs_ctx, now);
2408
2409 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
2410 if (rs_ctx != NULL && ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
2411 /* save state */
2412 rs_ctx->parent_is_trusted = *parent_is_trusted;
2413 return ret;
2414 }
2415 #else
2416 (void) ret;
2417 #endif
2418
2419 /* stop here if found or already in second iteration */
2420 if (*parent != NULL || *parent_is_trusted == 0) {
2421 break;
2422 }
2423
2424 /* prepare second iteration */
2425 *parent_is_trusted = 0;
2426 }
2427
2428 /* extra precaution against mistakes in the caller */
2429 if (*parent == NULL) {
2430 *parent_is_trusted = 0;
2431 *signature_is_good = 0;
2432 }
2433
2434 return 0;
2435 }
2436
2437 /*
2438 * Check if an end-entity certificate is locally trusted
2439 *
2440 * Currently we require such certificates to be self-signed (actually only
2441 * check for self-issued as self-signatures are not checked)
2442 */
x509_crt_check_ee_locally_trusted(mbedtls_x509_crt * crt,mbedtls_x509_crt * trust_ca)2443 static int x509_crt_check_ee_locally_trusted(
2444 mbedtls_x509_crt *crt,
2445 mbedtls_x509_crt *trust_ca)
2446 {
2447 mbedtls_x509_crt *cur;
2448
2449 /* must be self-issued */
2450 if (x509_name_cmp(&crt->issuer, &crt->subject) != 0) {
2451 return -1;
2452 }
2453
2454 /* look for an exact match with trusted cert */
2455 for (cur = trust_ca; cur != NULL; cur = cur->next) {
2456 if (crt->raw.len == cur->raw.len &&
2457 memcmp(crt->raw.p, cur->raw.p, crt->raw.len) == 0) {
2458 return 0;
2459 }
2460 }
2461
2462 /* too bad */
2463 return -1;
2464 }
2465
2466 /*
2467 * Build and verify a certificate chain
2468 *
2469 * Given a peer-provided list of certificates EE, C1, ..., Cn and
2470 * a list of trusted certs R1, ... Rp, try to build and verify a chain
2471 * EE, Ci1, ... Ciq [, Rj]
2472 * such that every cert in the chain is a child of the next one,
2473 * jumping to a trusted root as early as possible.
2474 *
2475 * Verify that chain and return it with flags for all issues found.
2476 *
2477 * Special cases:
2478 * - EE == Rj -> return a one-element list containing it
2479 * - EE, Ci1, ..., Ciq cannot be continued with a trusted root
2480 * -> return that chain with NOT_TRUSTED set on Ciq
2481 *
2482 * Tests for (aspects of) this function should include at least:
2483 * - trusted EE
2484 * - EE -> trusted root
2485 * - EE -> intermediate CA -> trusted root
2486 * - if relevant: EE untrusted
2487 * - if relevant: EE -> intermediate, untrusted
2488 * with the aspect under test checked at each relevant level (EE, int, root).
2489 * For some aspects longer chains are required, but usually length 2 is
2490 * enough (but length 1 is not in general).
2491 *
2492 * Arguments:
2493 * - [in] crt: the cert list EE, C1, ..., Cn
2494 * - [in] trust_ca: the trusted list R1, ..., Rp
2495 * - [in] ca_crl, profile: as in verify_with_profile()
2496 * - [out] ver_chain: the built and verified chain
2497 * Only valid when return value is 0, may contain garbage otherwise!
2498 * Restart note: need not be the same when calling again to resume.
2499 * - [in-out] rs_ctx: context for restarting operations
2500 *
2501 * Return value:
2502 * - non-zero if the chain could not be fully built and examined
2503 * - 0 is the chain was successfully built and examined,
2504 * even if it was found to be invalid
2505 */
x509_crt_verify_chain(mbedtls_x509_crt * crt,mbedtls_x509_crt * trust_ca,mbedtls_x509_crl * ca_crl,mbedtls_x509_crt_ca_cb_t f_ca_cb,void * p_ca_cb,const mbedtls_x509_crt_profile * profile,mbedtls_x509_crt_verify_chain * ver_chain,mbedtls_x509_crt_restart_ctx * rs_ctx)2506 static int x509_crt_verify_chain(
2507 mbedtls_x509_crt *crt,
2508 mbedtls_x509_crt *trust_ca,
2509 mbedtls_x509_crl *ca_crl,
2510 mbedtls_x509_crt_ca_cb_t f_ca_cb,
2511 void *p_ca_cb,
2512 const mbedtls_x509_crt_profile *profile,
2513 mbedtls_x509_crt_verify_chain *ver_chain,
2514 mbedtls_x509_crt_restart_ctx *rs_ctx)
2515 {
2516 /* Don't initialize any of those variables here, so that the compiler can
2517 * catch potential issues with jumping ahead when restarting */
2518 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2519 uint32_t *flags;
2520 mbedtls_x509_crt_verify_chain_item *cur;
2521 mbedtls_x509_crt *child;
2522 mbedtls_x509_crt *parent;
2523 int parent_is_trusted;
2524 int child_is_trusted;
2525 int signature_is_good;
2526 unsigned self_cnt;
2527 mbedtls_x509_crt *cur_trust_ca = NULL;
2528 mbedtls_x509_time now;
2529
2530 #if defined(MBEDTLS_HAVE_TIME_DATE)
2531 if (mbedtls_x509_time_gmtime(mbedtls_time(NULL), &now) != 0) {
2532 return MBEDTLS_ERR_X509_FATAL_ERROR;
2533 }
2534 #endif
2535
2536 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
2537 /* resume if we had an operation in progress */
2538 if (rs_ctx != NULL && rs_ctx->in_progress == x509_crt_rs_find_parent) {
2539 /* restore saved state */
2540 *ver_chain = rs_ctx->ver_chain; /* struct copy */
2541 self_cnt = rs_ctx->self_cnt;
2542
2543 /* restore derived state */
2544 cur = &ver_chain->items[ver_chain->len - 1];
2545 child = cur->crt;
2546 flags = &cur->flags;
2547
2548 goto find_parent;
2549 }
2550 #endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
2551
2552 child = crt;
2553 self_cnt = 0;
2554 parent_is_trusted = 0;
2555 child_is_trusted = 0;
2556
2557 while (1) {
2558 /* Add certificate to the verification chain */
2559 cur = &ver_chain->items[ver_chain->len];
2560 cur->crt = child;
2561 cur->flags = 0;
2562 ver_chain->len++;
2563 flags = &cur->flags;
2564
2565 #if defined(MBEDTLS_HAVE_TIME_DATE)
2566 /* Check time-validity (all certificates) */
2567 if (mbedtls_x509_time_cmp(&child->valid_to, &now) < 0) {
2568 *flags |= MBEDTLS_X509_BADCERT_EXPIRED;
2569 }
2570
2571 if (mbedtls_x509_time_cmp(&child->valid_from, &now) > 0) {
2572 *flags |= MBEDTLS_X509_BADCERT_FUTURE;
2573 }
2574 #endif
2575
2576 /* Stop here for trusted roots (but not for trusted EE certs) */
2577 if (child_is_trusted) {
2578 return 0;
2579 }
2580
2581 /* Check signature algorithm: MD & PK algs */
2582 if (x509_profile_check_md_alg(profile, child->sig_md) != 0) {
2583 *flags |= MBEDTLS_X509_BADCERT_BAD_MD;
2584 }
2585
2586 if (x509_profile_check_pk_alg(profile, child->sig_pk) != 0) {
2587 *flags |= MBEDTLS_X509_BADCERT_BAD_PK;
2588 }
2589
2590 /* Special case: EE certs that are locally trusted */
2591 if (ver_chain->len == 1 &&
2592 x509_crt_check_ee_locally_trusted(child, trust_ca) == 0) {
2593 return 0;
2594 }
2595
2596 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
2597 find_parent:
2598 #endif
2599
2600 /* Obtain list of potential trusted signers from CA callback,
2601 * or use statically provided list. */
2602 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
2603 if (f_ca_cb != NULL) {
2604 mbedtls_x509_crt_free(ver_chain->trust_ca_cb_result);
2605 mbedtls_free(ver_chain->trust_ca_cb_result);
2606 ver_chain->trust_ca_cb_result = NULL;
2607
2608 ret = f_ca_cb(p_ca_cb, child, &ver_chain->trust_ca_cb_result);
2609 if (ret != 0) {
2610 return MBEDTLS_ERR_X509_FATAL_ERROR;
2611 }
2612
2613 cur_trust_ca = ver_chain->trust_ca_cb_result;
2614 } else
2615 #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
2616 {
2617 ((void) f_ca_cb);
2618 ((void) p_ca_cb);
2619 cur_trust_ca = trust_ca;
2620 }
2621
2622 /* Look for a parent in trusted CAs or up the chain */
2623 ret = x509_crt_find_parent(child, cur_trust_ca, &parent,
2624 &parent_is_trusted, &signature_is_good,
2625 ver_chain->len - 1, self_cnt, rs_ctx,
2626 &now);
2627
2628 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
2629 if (rs_ctx != NULL && ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
2630 /* save state */
2631 rs_ctx->in_progress = x509_crt_rs_find_parent;
2632 rs_ctx->self_cnt = self_cnt;
2633 rs_ctx->ver_chain = *ver_chain; /* struct copy */
2634
2635 return ret;
2636 }
2637 #else
2638 (void) ret;
2639 #endif
2640
2641 /* No parent? We're done here */
2642 if (parent == NULL) {
2643 *flags |= MBEDTLS_X509_BADCERT_NOT_TRUSTED;
2644 return 0;
2645 }
2646
2647 /* Count intermediate self-issued (not necessarily self-signed) certs.
2648 * These can occur with some strategies for key rollover, see [SIRO],
2649 * and should be excluded from max_pathlen checks. */
2650 if (ver_chain->len != 1 &&
2651 x509_name_cmp(&child->issuer, &child->subject) == 0) {
2652 self_cnt++;
2653 }
2654
2655 /* path_cnt is 0 for the first intermediate CA,
2656 * and if parent is trusted it's not an intermediate CA */
2657 if (!parent_is_trusted &&
2658 ver_chain->len > MBEDTLS_X509_MAX_INTERMEDIATE_CA) {
2659 /* return immediately to avoid overflow the chain array */
2660 return MBEDTLS_ERR_X509_FATAL_ERROR;
2661 }
2662
2663 /* signature was checked while searching parent */
2664 if (!signature_is_good) {
2665 *flags |= MBEDTLS_X509_BADCERT_NOT_TRUSTED;
2666 }
2667
2668 /* check size of signing key */
2669 if (x509_profile_check_key(profile, &parent->pk) != 0) {
2670 *flags |= MBEDTLS_X509_BADCERT_BAD_KEY;
2671 }
2672
2673 #if defined(MBEDTLS_X509_CRL_PARSE_C)
2674 /* Check trusted CA's CRL for the given crt */
2675 *flags |= x509_crt_verifycrl(child, parent, ca_crl, profile, &now);
2676 #else
2677 (void) ca_crl;
2678 #endif
2679
2680 /* prepare for next iteration */
2681 child = parent;
2682 parent = NULL;
2683 child_is_trusted = parent_is_trusted;
2684 signature_is_good = 0;
2685 }
2686 }
2687
2688 #ifdef _WIN32
2689 #ifdef _MSC_VER
2690 #pragma comment(lib, "ws2_32.lib")
2691 #include <winsock2.h>
2692 #include <ws2tcpip.h>
2693 #elif (defined(__MINGW32__) || defined(__MINGW64__)) && _WIN32_WINNT >= 0x0600
2694 #include <winsock2.h>
2695 #include <ws2tcpip.h>
2696 #else
2697 /* inet_pton() is not supported, fallback to software version */
2698 #define MBEDTLS_TEST_SW_INET_PTON
2699 #endif
2700 #elif defined(__sun)
2701 /* Solaris requires -lsocket -lnsl for inet_pton() */
2702 #elif defined(__has_include)
2703 #if __has_include(<sys/socket.h>)
2704 #include <sys/socket.h>
2705 #endif
2706 #if __has_include(<arpa/inet.h>)
2707 #include <arpa/inet.h>
2708 #endif
2709 #endif
2710
2711 /* Use whether or not AF_INET6 is defined to indicate whether or not to use
2712 * the platform inet_pton() or a local implementation (below). The local
2713 * implementation may be used even in cases where the platform provides
2714 * inet_pton(), e.g. when there are different includes required and/or the
2715 * platform implementation requires dependencies on additional libraries.
2716 * Specifically, Windows requires custom includes and additional link
2717 * dependencies, and Solaris requires additional link dependencies.
2718 * Also, as a coarse heuristic, use the local implementation if the compiler
2719 * does not support __has_include(), or if the definition of AF_INET6 is not
2720 * provided by headers included (or not) via __has_include() above.
2721 * MBEDTLS_TEST_SW_INET_PTON is a bypass define to force testing of this code //no-check-names
2722 * despite having a platform that has inet_pton. */
2723 #if !defined(AF_INET6) || defined(MBEDTLS_TEST_SW_INET_PTON) //no-check-names
2724 /* Definition located further below to possibly reduce compiler inlining */
2725 static int x509_inet_pton_ipv4(const char *src, void *dst);
2726
2727 #define li_cton(c, n) \
2728 (((n) = (c) - '0') <= 9 || (((n) = ((c)&0xdf) - 'A') <= 5 ? ((n) += 10) : 0))
2729
x509_inet_pton_ipv6(const char * src,void * dst)2730 static int x509_inet_pton_ipv6(const char *src, void *dst)
2731 {
2732 const unsigned char *p = (const unsigned char *) src;
2733 int nonzero_groups = 0, num_digits, zero_group_start = -1;
2734 uint16_t addr[8];
2735 do {
2736 /* note: allows excess leading 0's, e.g. 1:0002:3:... */
2737 uint16_t group = num_digits = 0;
2738 for (uint8_t digit; num_digits < 4; num_digits++) {
2739 if (li_cton(*p, digit) == 0) {
2740 break;
2741 }
2742 group = (group << 4) | digit;
2743 p++;
2744 }
2745 if (num_digits != 0) {
2746 MBEDTLS_PUT_UINT16_BE(group, addr, nonzero_groups);
2747 nonzero_groups++;
2748 if (*p == '\0') {
2749 break;
2750 } else if (*p == '.') {
2751 /* Don't accept IPv4 too early or late */
2752 if ((nonzero_groups == 0 && zero_group_start == -1) ||
2753 nonzero_groups >= 7) {
2754 break;
2755 }
2756
2757 /* Walk back to prior ':', then parse as IPv4-mapped */
2758 int steps = 4;
2759 do {
2760 p--;
2761 steps--;
2762 } while (*p != ':' && steps > 0);
2763
2764 if (*p != ':') {
2765 break;
2766 }
2767 p++;
2768 nonzero_groups--;
2769 if (x509_inet_pton_ipv4((const char *) p,
2770 addr + nonzero_groups) != 0) {
2771 break;
2772 }
2773
2774 nonzero_groups += 2;
2775 p = (const unsigned char *) "";
2776 break;
2777 } else if (*p != ':') {
2778 return -1;
2779 }
2780 } else {
2781 /* Don't accept a second zero group or an invalid delimiter */
2782 if (zero_group_start != -1 || *p != ':') {
2783 return -1;
2784 }
2785 zero_group_start = nonzero_groups;
2786
2787 /* Accept a zero group at start, but it has to be a double colon */
2788 if (zero_group_start == 0 && *++p != ':') {
2789 return -1;
2790 }
2791
2792 if (p[1] == '\0') {
2793 ++p;
2794 break;
2795 }
2796 }
2797 ++p;
2798 } while (nonzero_groups < 8);
2799
2800 if (*p != '\0') {
2801 return -1;
2802 }
2803
2804 if (zero_group_start != -1) {
2805 if (nonzero_groups > 6) {
2806 return -1;
2807 }
2808 int zero_groups = 8 - nonzero_groups;
2809 int groups_after_zero = nonzero_groups - zero_group_start;
2810
2811 /* Move the non-zero part to after the zeroes */
2812 if (groups_after_zero) {
2813 memmove(addr + zero_group_start + zero_groups,
2814 addr + zero_group_start,
2815 groups_after_zero * sizeof(*addr));
2816 }
2817 memset(addr + zero_group_start, 0, zero_groups * sizeof(*addr));
2818 } else {
2819 if (nonzero_groups != 8) {
2820 return -1;
2821 }
2822 }
2823 memcpy(dst, addr, sizeof(addr));
2824 return 0;
2825 }
2826
x509_inet_pton_ipv4(const char * src,void * dst)2827 static int x509_inet_pton_ipv4(const char *src, void *dst)
2828 {
2829 const unsigned char *p = (const unsigned char *) src;
2830 uint8_t *res = (uint8_t *) dst;
2831 uint8_t digit, num_digits = 0;
2832 uint8_t num_octets = 0;
2833 uint16_t octet;
2834
2835 do {
2836 octet = num_digits = 0;
2837 do {
2838 digit = *p - '0';
2839 if (digit > 9) {
2840 break;
2841 }
2842
2843 /* Don't allow leading zeroes. These might mean octal format,
2844 * which this implementation does not support. */
2845 if (octet == 0 && num_digits > 0) {
2846 return -1;
2847 }
2848
2849 octet = octet * 10 + digit;
2850 num_digits++;
2851 p++;
2852 } while (num_digits < 3);
2853
2854 if (octet >= 256 || num_digits > 3 || num_digits == 0) {
2855 return -1;
2856 }
2857 *res++ = (uint8_t) octet;
2858 num_octets++;
2859 } while (num_octets < 4 && *p++ == '.');
2860 return num_octets == 4 && *p == '\0' ? 0 : -1;
2861 }
2862
2863 #else
2864
x509_inet_pton_ipv6(const char * src,void * dst)2865 static int x509_inet_pton_ipv6(const char *src, void *dst)
2866 {
2867 return inet_pton(AF_INET6, src, dst) == 1 ? 0 : -1;
2868 }
2869
x509_inet_pton_ipv4(const char * src,void * dst)2870 static int x509_inet_pton_ipv4(const char *src, void *dst)
2871 {
2872 return inet_pton(AF_INET, src, dst) == 1 ? 0 : -1;
2873 }
2874
2875 #endif /* !AF_INET6 || MBEDTLS_TEST_SW_INET_PTON */ //no-check-names
2876
mbedtls_x509_crt_parse_cn_inet_pton(const char * cn,void * dst)2877 size_t mbedtls_x509_crt_parse_cn_inet_pton(const char *cn, void *dst)
2878 {
2879 return strchr(cn, ':') == NULL
2880 ? x509_inet_pton_ipv4(cn, dst) == 0 ? 4 : 0
2881 : x509_inet_pton_ipv6(cn, dst) == 0 ? 16 : 0;
2882 }
2883
2884 /*
2885 * Check for CN match
2886 */
x509_crt_check_cn(const mbedtls_x509_buf * name,const char * cn,size_t cn_len)2887 static int x509_crt_check_cn(const mbedtls_x509_buf *name,
2888 const char *cn, size_t cn_len)
2889 {
2890 /* try exact match */
2891 if (name->len == cn_len &&
2892 x509_memcasecmp(cn, name->p, cn_len) == 0) {
2893 return 0;
2894 }
2895
2896 /* try wildcard match */
2897 if (x509_check_wildcard(cn, name) == 0) {
2898 return 0;
2899 }
2900
2901 return -1;
2902 }
2903
x509_crt_check_san_ip(const mbedtls_x509_sequence * san,const char * cn,size_t cn_len)2904 static int x509_crt_check_san_ip(const mbedtls_x509_sequence *san,
2905 const char *cn, size_t cn_len)
2906 {
2907 uint32_t ip[4];
2908 cn_len = mbedtls_x509_crt_parse_cn_inet_pton(cn, ip);
2909 if (cn_len == 0) {
2910 return -1;
2911 }
2912
2913 for (const mbedtls_x509_sequence *cur = san; cur != NULL; cur = cur->next) {
2914 const unsigned char san_type = (unsigned char) cur->buf.tag &
2915 MBEDTLS_ASN1_TAG_VALUE_MASK;
2916 if (san_type == MBEDTLS_X509_SAN_IP_ADDRESS &&
2917 cur->buf.len == cn_len && memcmp(cur->buf.p, ip, cn_len) == 0) {
2918 return 0;
2919 }
2920 }
2921
2922 return -1;
2923 }
2924
x509_crt_check_san_uri(const mbedtls_x509_sequence * san,const char * cn,size_t cn_len)2925 static int x509_crt_check_san_uri(const mbedtls_x509_sequence *san,
2926 const char *cn, size_t cn_len)
2927 {
2928 for (const mbedtls_x509_sequence *cur = san; cur != NULL; cur = cur->next) {
2929 const unsigned char san_type = (unsigned char) cur->buf.tag &
2930 MBEDTLS_ASN1_TAG_VALUE_MASK;
2931 if (san_type == MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER &&
2932 cur->buf.len == cn_len && memcmp(cur->buf.p, cn, cn_len) == 0) {
2933 return 0;
2934 }
2935 }
2936
2937 return -1;
2938 }
2939
2940 /*
2941 * Check for SAN match, see RFC 5280 Section 4.2.1.6
2942 */
x509_crt_check_san(const mbedtls_x509_sequence * san,const char * cn,size_t cn_len)2943 static int x509_crt_check_san(const mbedtls_x509_sequence *san,
2944 const char *cn, size_t cn_len)
2945 {
2946 int san_ip = 0;
2947 int san_uri = 0;
2948 /* Prioritize DNS name over other subtypes due to popularity */
2949 for (const mbedtls_x509_sequence *cur = san; cur != NULL; cur = cur->next) {
2950 switch ((unsigned char) cur->buf.tag & MBEDTLS_ASN1_TAG_VALUE_MASK) {
2951 case MBEDTLS_X509_SAN_DNS_NAME:
2952 if (x509_crt_check_cn(&cur->buf, cn, cn_len) == 0) {
2953 return 0;
2954 }
2955 break;
2956 case MBEDTLS_X509_SAN_IP_ADDRESS:
2957 san_ip = 1;
2958 break;
2959 case MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER:
2960 san_uri = 1;
2961 break;
2962 /* (We may handle other types here later.) */
2963 default: /* Unrecognized type */
2964 break;
2965 }
2966 }
2967 if (san_ip) {
2968 if (x509_crt_check_san_ip(san, cn, cn_len) == 0) {
2969 return 0;
2970 }
2971 }
2972 if (san_uri) {
2973 if (x509_crt_check_san_uri(san, cn, cn_len) == 0) {
2974 return 0;
2975 }
2976 }
2977
2978 return -1;
2979 }
2980
2981 /*
2982 * Verify the requested CN - only call this if cn is not NULL!
2983 */
x509_crt_verify_name(const mbedtls_x509_crt * crt,const char * cn,uint32_t * flags)2984 static void x509_crt_verify_name(const mbedtls_x509_crt *crt,
2985 const char *cn,
2986 uint32_t *flags)
2987 {
2988 const mbedtls_x509_name *name;
2989 size_t cn_len = strlen(cn);
2990
2991 if (crt->ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME) {
2992 if (x509_crt_check_san(&crt->subject_alt_names, cn, cn_len) == 0) {
2993 return;
2994 }
2995 } else {
2996 for (name = &crt->subject; name != NULL; name = name->next) {
2997 if (MBEDTLS_OID_CMP(MBEDTLS_OID_AT_CN, &name->oid) == 0 &&
2998 x509_crt_check_cn(&name->val, cn, cn_len) == 0) {
2999 return;
3000 }
3001 }
3002
3003 }
3004
3005 *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH;
3006 }
3007
3008 /*
3009 * Merge the flags for all certs in the chain, after calling callback
3010 */
x509_crt_merge_flags_with_cb(uint32_t * flags,const mbedtls_x509_crt_verify_chain * ver_chain,int (* f_vrfy)(void *,mbedtls_x509_crt *,int,uint32_t *),void * p_vrfy)3011 static int x509_crt_merge_flags_with_cb(
3012 uint32_t *flags,
3013 const mbedtls_x509_crt_verify_chain *ver_chain,
3014 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
3015 void *p_vrfy)
3016 {
3017 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3018 unsigned i;
3019 uint32_t cur_flags;
3020 const mbedtls_x509_crt_verify_chain_item *cur;
3021
3022 for (i = ver_chain->len; i != 0; --i) {
3023 cur = &ver_chain->items[i-1];
3024 cur_flags = cur->flags;
3025
3026 if (NULL != f_vrfy) {
3027 if ((ret = f_vrfy(p_vrfy, cur->crt, (int) i-1, &cur_flags)) != 0) {
3028 return ret;
3029 }
3030 }
3031
3032 *flags |= cur_flags;
3033 }
3034
3035 return 0;
3036 }
3037
3038 /*
3039 * Verify the certificate validity, with profile, restartable version
3040 *
3041 * This function:
3042 * - checks the requested CN (if any)
3043 * - checks the type and size of the EE cert's key,
3044 * as that isn't done as part of chain building/verification currently
3045 * - builds and verifies the chain
3046 * - then calls the callback and merges the flags
3047 *
3048 * The parameters pairs `trust_ca`, `ca_crl` and `f_ca_cb`, `p_ca_cb`
3049 * are mutually exclusive: If `f_ca_cb != NULL`, it will be used by the
3050 * verification routine to search for trusted signers, and CRLs will
3051 * be disabled. Otherwise, `trust_ca` will be used as the static list
3052 * of trusted signers, and `ca_crl` will be use as the static list
3053 * of CRLs.
3054 */
x509_crt_verify_restartable_ca_cb(mbedtls_x509_crt * crt,mbedtls_x509_crt * trust_ca,mbedtls_x509_crl * ca_crl,mbedtls_x509_crt_ca_cb_t f_ca_cb,void * p_ca_cb,const mbedtls_x509_crt_profile * profile,const char * cn,uint32_t * flags,int (* f_vrfy)(void *,mbedtls_x509_crt *,int,uint32_t *),void * p_vrfy,mbedtls_x509_crt_restart_ctx * rs_ctx)3055 static int x509_crt_verify_restartable_ca_cb(mbedtls_x509_crt *crt,
3056 mbedtls_x509_crt *trust_ca,
3057 mbedtls_x509_crl *ca_crl,
3058 mbedtls_x509_crt_ca_cb_t f_ca_cb,
3059 void *p_ca_cb,
3060 const mbedtls_x509_crt_profile *profile,
3061 const char *cn, uint32_t *flags,
3062 int (*f_vrfy)(void *,
3063 mbedtls_x509_crt *,
3064 int,
3065 uint32_t *),
3066 void *p_vrfy,
3067 mbedtls_x509_crt_restart_ctx *rs_ctx)
3068 {
3069 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3070 mbedtls_pk_type_t pk_type;
3071 mbedtls_x509_crt_verify_chain ver_chain;
3072 uint32_t ee_flags;
3073
3074 *flags = 0;
3075 ee_flags = 0;
3076 x509_crt_verify_chain_reset(&ver_chain);
3077
3078 if (profile == NULL) {
3079 ret = MBEDTLS_ERR_X509_BAD_INPUT_DATA;
3080 goto exit;
3081 }
3082
3083 /* check name if requested */
3084 if (cn != NULL) {
3085 x509_crt_verify_name(crt, cn, &ee_flags);
3086 }
3087
3088 /* Check the type and size of the key */
3089 pk_type = mbedtls_pk_get_type(&crt->pk);
3090
3091 if (x509_profile_check_pk_alg(profile, pk_type) != 0) {
3092 ee_flags |= MBEDTLS_X509_BADCERT_BAD_PK;
3093 }
3094
3095 if (x509_profile_check_key(profile, &crt->pk) != 0) {
3096 ee_flags |= MBEDTLS_X509_BADCERT_BAD_KEY;
3097 }
3098
3099 /* Check the chain */
3100 ret = x509_crt_verify_chain(crt, trust_ca, ca_crl,
3101 f_ca_cb, p_ca_cb, profile,
3102 &ver_chain, rs_ctx);
3103
3104 if (ret != 0) {
3105 goto exit;
3106 }
3107
3108 /* Merge end-entity flags */
3109 ver_chain.items[0].flags |= ee_flags;
3110
3111 /* Build final flags, calling callback on the way if any */
3112 ret = x509_crt_merge_flags_with_cb(flags, &ver_chain, f_vrfy, p_vrfy);
3113
3114 exit:
3115
3116 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
3117 mbedtls_x509_crt_free(ver_chain.trust_ca_cb_result);
3118 mbedtls_free(ver_chain.trust_ca_cb_result);
3119 ver_chain.trust_ca_cb_result = NULL;
3120 #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
3121
3122 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
3123 if (rs_ctx != NULL && ret != MBEDTLS_ERR_ECP_IN_PROGRESS) {
3124 mbedtls_x509_crt_restart_free(rs_ctx);
3125 }
3126 #endif
3127
3128 /* prevent misuse of the vrfy callback - VERIFY_FAILED would be ignored by
3129 * the SSL module for authmode optional, but non-zero return from the
3130 * callback means a fatal error so it shouldn't be ignored */
3131 if (ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED) {
3132 ret = MBEDTLS_ERR_X509_FATAL_ERROR;
3133 }
3134
3135 if (ret != 0) {
3136 *flags = (uint32_t) -1;
3137 return ret;
3138 }
3139
3140 if (*flags != 0) {
3141 return MBEDTLS_ERR_X509_CERT_VERIFY_FAILED;
3142 }
3143
3144 return 0;
3145 }
3146
3147
3148 /*
3149 * Verify the certificate validity (default profile, not restartable)
3150 */
mbedtls_x509_crt_verify(mbedtls_x509_crt * crt,mbedtls_x509_crt * trust_ca,mbedtls_x509_crl * ca_crl,const char * cn,uint32_t * flags,int (* f_vrfy)(void *,mbedtls_x509_crt *,int,uint32_t *),void * p_vrfy)3151 int mbedtls_x509_crt_verify(mbedtls_x509_crt *crt,
3152 mbedtls_x509_crt *trust_ca,
3153 mbedtls_x509_crl *ca_crl,
3154 const char *cn, uint32_t *flags,
3155 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
3156 void *p_vrfy)
3157 {
3158 return x509_crt_verify_restartable_ca_cb(crt, trust_ca, ca_crl,
3159 NULL, NULL,
3160 &mbedtls_x509_crt_profile_default,
3161 cn, flags,
3162 f_vrfy, p_vrfy, NULL);
3163 }
3164
3165 /*
3166 * Verify the certificate validity (user-chosen profile, not restartable)
3167 */
mbedtls_x509_crt_verify_with_profile(mbedtls_x509_crt * crt,mbedtls_x509_crt * trust_ca,mbedtls_x509_crl * ca_crl,const mbedtls_x509_crt_profile * profile,const char * cn,uint32_t * flags,int (* f_vrfy)(void *,mbedtls_x509_crt *,int,uint32_t *),void * p_vrfy)3168 int mbedtls_x509_crt_verify_with_profile(mbedtls_x509_crt *crt,
3169 mbedtls_x509_crt *trust_ca,
3170 mbedtls_x509_crl *ca_crl,
3171 const mbedtls_x509_crt_profile *profile,
3172 const char *cn, uint32_t *flags,
3173 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
3174 void *p_vrfy)
3175 {
3176 return x509_crt_verify_restartable_ca_cb(crt, trust_ca, ca_crl,
3177 NULL, NULL,
3178 profile, cn, flags,
3179 f_vrfy, p_vrfy, NULL);
3180 }
3181
3182 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
3183 /*
3184 * Verify the certificate validity (user-chosen profile, CA callback,
3185 * not restartable).
3186 */
mbedtls_x509_crt_verify_with_ca_cb(mbedtls_x509_crt * crt,mbedtls_x509_crt_ca_cb_t f_ca_cb,void * p_ca_cb,const mbedtls_x509_crt_profile * profile,const char * cn,uint32_t * flags,int (* f_vrfy)(void *,mbedtls_x509_crt *,int,uint32_t *),void * p_vrfy)3187 int mbedtls_x509_crt_verify_with_ca_cb(mbedtls_x509_crt *crt,
3188 mbedtls_x509_crt_ca_cb_t f_ca_cb,
3189 void *p_ca_cb,
3190 const mbedtls_x509_crt_profile *profile,
3191 const char *cn, uint32_t *flags,
3192 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
3193 void *p_vrfy)
3194 {
3195 return x509_crt_verify_restartable_ca_cb(crt, NULL, NULL,
3196 f_ca_cb, p_ca_cb,
3197 profile, cn, flags,
3198 f_vrfy, p_vrfy, NULL);
3199 }
3200 #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
3201
mbedtls_x509_crt_verify_restartable(mbedtls_x509_crt * crt,mbedtls_x509_crt * trust_ca,mbedtls_x509_crl * ca_crl,const mbedtls_x509_crt_profile * profile,const char * cn,uint32_t * flags,int (* f_vrfy)(void *,mbedtls_x509_crt *,int,uint32_t *),void * p_vrfy,mbedtls_x509_crt_restart_ctx * rs_ctx)3202 int mbedtls_x509_crt_verify_restartable(mbedtls_x509_crt *crt,
3203 mbedtls_x509_crt *trust_ca,
3204 mbedtls_x509_crl *ca_crl,
3205 const mbedtls_x509_crt_profile *profile,
3206 const char *cn, uint32_t *flags,
3207 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
3208 void *p_vrfy,
3209 mbedtls_x509_crt_restart_ctx *rs_ctx)
3210 {
3211 return x509_crt_verify_restartable_ca_cb(crt, trust_ca, ca_crl,
3212 NULL, NULL,
3213 profile, cn, flags,
3214 f_vrfy, p_vrfy, rs_ctx);
3215 }
3216
3217
3218 /*
3219 * Initialize a certificate chain
3220 */
mbedtls_x509_crt_init(mbedtls_x509_crt * crt)3221 void mbedtls_x509_crt_init(mbedtls_x509_crt *crt)
3222 {
3223 memset(crt, 0, sizeof(mbedtls_x509_crt));
3224 }
3225
3226 /*
3227 * Unallocate all certificate data
3228 */
mbedtls_x509_crt_free(mbedtls_x509_crt * crt)3229 void mbedtls_x509_crt_free(mbedtls_x509_crt *crt)
3230 {
3231 mbedtls_x509_crt *cert_cur = crt;
3232 mbedtls_x509_crt *cert_prv;
3233
3234 while (cert_cur != NULL) {
3235 mbedtls_pk_free(&cert_cur->pk);
3236
3237 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
3238 mbedtls_free(cert_cur->sig_opts);
3239 #endif
3240
3241 mbedtls_asn1_free_named_data_list_shallow(cert_cur->issuer.next);
3242 mbedtls_asn1_free_named_data_list_shallow(cert_cur->subject.next);
3243 mbedtls_asn1_sequence_free(cert_cur->ext_key_usage.next);
3244 mbedtls_asn1_sequence_free(cert_cur->subject_alt_names.next);
3245 mbedtls_asn1_sequence_free(cert_cur->certificate_policies.next);
3246 mbedtls_asn1_sequence_free(cert_cur->authority_key_id.authorityCertIssuer.next);
3247
3248 if (cert_cur->raw.p != NULL && cert_cur->own_buffer) {
3249 mbedtls_zeroize_and_free(cert_cur->raw.p, cert_cur->raw.len);
3250 }
3251
3252 cert_prv = cert_cur;
3253 cert_cur = cert_cur->next;
3254
3255 mbedtls_platform_zeroize(cert_prv, sizeof(mbedtls_x509_crt));
3256 if (cert_prv != crt) {
3257 mbedtls_free(cert_prv);
3258 }
3259 }
3260 }
3261
3262 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
3263 /*
3264 * Initialize a restart context
3265 */
mbedtls_x509_crt_restart_init(mbedtls_x509_crt_restart_ctx * ctx)3266 void mbedtls_x509_crt_restart_init(mbedtls_x509_crt_restart_ctx *ctx)
3267 {
3268 mbedtls_pk_restart_init(&ctx->pk);
3269
3270 ctx->parent = NULL;
3271 ctx->fallback_parent = NULL;
3272 ctx->fallback_signature_is_good = 0;
3273
3274 ctx->parent_is_trusted = -1;
3275
3276 ctx->in_progress = x509_crt_rs_none;
3277 ctx->self_cnt = 0;
3278 x509_crt_verify_chain_reset(&ctx->ver_chain);
3279 }
3280
3281 /*
3282 * Free the components of a restart context
3283 */
mbedtls_x509_crt_restart_free(mbedtls_x509_crt_restart_ctx * ctx)3284 void mbedtls_x509_crt_restart_free(mbedtls_x509_crt_restart_ctx *ctx)
3285 {
3286 if (ctx == NULL) {
3287 return;
3288 }
3289
3290 mbedtls_pk_restart_free(&ctx->pk);
3291 mbedtls_x509_crt_restart_init(ctx);
3292 }
3293 #endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
3294
mbedtls_x509_crt_get_ca_istrue(const mbedtls_x509_crt * crt)3295 int mbedtls_x509_crt_get_ca_istrue(const mbedtls_x509_crt *crt)
3296 {
3297 if ((crt->ext_types & MBEDTLS_X509_EXT_BASIC_CONSTRAINTS) != 0) {
3298 return crt->MBEDTLS_PRIVATE(ca_istrue);
3299 }
3300 return MBEDTLS_ERR_X509_INVALID_EXTENSIONS;
3301 }
3302
3303 #endif /* MBEDTLS_X509_CRT_PARSE_C */
3304
