1 /*
2 * X.509 certificate parsing and verification
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 */
19 /*
20 * The ITU-T X.509 standard defines a certificate format for PKI.
21 *
22 * http://www.ietf.org/rfc/rfc5280.txt (Certificates and CRLs)
23 * http://www.ietf.org/rfc/rfc3279.txt (Alg IDs for CRLs)
24 * http://www.ietf.org/rfc/rfc2986.txt (CSRs, aka PKCS#10)
25 *
26 * http://www.itu.int/ITU-T/studygroups/com17/languages/X.680-0207.pdf
27 * http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf
28 *
29 * [SIRO] https://cabforum.org/wp-content/uploads/Chunghwatelecom201503cabforumV4.pdf
30 */
31
32 #include "common.h"
33
34 #if defined(MBEDTLS_X509_CRT_PARSE_C)
35
36 #include "mbedtls/x509_crt.h"
37 #include "mbedtls/error.h"
38 #include "mbedtls/oid.h"
39 #include "mbedtls/platform_util.h"
40
41 #include <string.h>
42
43 #if defined(MBEDTLS_PEM_PARSE_C)
44 #include "mbedtls/pem.h"
45 #endif
46
47 #if defined(MBEDTLS_USE_PSA_CRYPTO)
48 #include "psa/crypto.h"
49 #include "mbedtls/psa_util.h"
50 #endif
51
52 #if defined(MBEDTLS_PLATFORM_C)
53 #include "mbedtls/platform.h"
54 #else
55 #include <stdio.h>
56 #include <stdlib.h>
57 #define mbedtls_free free
58 #define mbedtls_calloc calloc
59 #define mbedtls_snprintf snprintf
60 #endif
61
62 #if defined(MBEDTLS_THREADING_C)
63 #include "mbedtls/threading.h"
64 #endif
65
66 #if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
67 #include <windows.h>
68 #else
69 #include <time.h>
70 #endif
71
72 #if defined(MBEDTLS_FS_IO)
73 #include <stdio.h>
74 #if !defined(_WIN32) || defined(EFIX64) || defined(EFI32)
75 #include <sys/types.h>
76 #include <sys/stat.h>
77 #include <dirent.h>
78 #endif /* !_WIN32 || EFIX64 || EFI32 */
79 #endif
80
81 /*
82 * Item in a verification chain: cert and flags for it
83 */
84 typedef struct {
85 mbedtls_x509_crt *crt;
86 uint32_t flags;
87 } x509_crt_verify_chain_item;
88
89 /*
90 * Max size of verification chain: end-entity + intermediates + trusted root
91 */
92 #define X509_MAX_VERIFY_CHAIN_SIZE ( MBEDTLS_X509_MAX_INTERMEDIATE_CA + 2 )
93
94 /*
95 * Default profile
96 */
97 const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_default =
98 {
99 #if defined(MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES)
100 /* Allow SHA-1 (weak, but still safe in controlled environments) */
101 MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA1 ) |
102 #endif
103 /* Only SHA-2 hashes */
104 MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA224 ) |
105 MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA256 ) |
106 MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA384 ) |
107 MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA512 ),
108 0xFFFFFFF, /* Any PK alg */
109 0xFFFFFFF, /* Any curve */
110 2048,
111 };
112
113 /*
114 * Next-default profile
115 */
116 const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_next =
117 {
118 /* Hashes from SHA-256 and above */
119 MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA256 ) |
120 MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA384 ) |
121 MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA512 ),
122 0xFFFFFFF, /* Any PK alg */
123 #if defined(MBEDTLS_ECP_C)
124 /* Curves at or above 128-bit security level */
125 MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_SECP256R1 ) |
126 MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_SECP384R1 ) |
127 MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_SECP521R1 ) |
128 MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_BP256R1 ) |
129 MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_BP384R1 ) |
130 MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_BP512R1 ) |
131 MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_SECP256K1 ),
132 #else
133 0,
134 #endif
135 2048,
136 };
137
138 /*
139 * NSA Suite B Profile
140 */
141 const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_suiteb =
142 {
143 /* Only SHA-256 and 384 */
144 MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA256 ) |
145 MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA384 ),
146 /* Only ECDSA */
147 MBEDTLS_X509_ID_FLAG( MBEDTLS_PK_ECDSA ) |
148 MBEDTLS_X509_ID_FLAG( MBEDTLS_PK_ECKEY ),
149 #if defined(MBEDTLS_ECP_C)
150 /* Only NIST P-256 and P-384 */
151 MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_SECP256R1 ) |
152 MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_SECP384R1 ),
153 #else
154 0,
155 #endif
156 0,
157 };
158
159 /*
160 * Check md_alg against profile
161 * Return 0 if md_alg is acceptable for this profile, -1 otherwise
162 */
x509_profile_check_md_alg(const mbedtls_x509_crt_profile * profile,mbedtls_md_type_t md_alg)163 static int x509_profile_check_md_alg( const mbedtls_x509_crt_profile *profile,
164 mbedtls_md_type_t md_alg )
165 {
166 if( md_alg == MBEDTLS_MD_NONE )
167 return( -1 );
168
169 if( ( profile->allowed_mds & MBEDTLS_X509_ID_FLAG( md_alg ) ) != 0 )
170 return( 0 );
171
172 return( -1 );
173 }
174
175 /*
176 * Check pk_alg against profile
177 * Return 0 if pk_alg is acceptable for this profile, -1 otherwise
178 */
x509_profile_check_pk_alg(const mbedtls_x509_crt_profile * profile,mbedtls_pk_type_t pk_alg)179 static int x509_profile_check_pk_alg( const mbedtls_x509_crt_profile *profile,
180 mbedtls_pk_type_t pk_alg )
181 {
182 if( pk_alg == MBEDTLS_PK_NONE )
183 return( -1 );
184
185 if( ( profile->allowed_pks & MBEDTLS_X509_ID_FLAG( pk_alg ) ) != 0 )
186 return( 0 );
187
188 return( -1 );
189 }
190
191 /*
192 * Check key against profile
193 * Return 0 if pk is acceptable for this profile, -1 otherwise
194 */
x509_profile_check_key(const mbedtls_x509_crt_profile * profile,const mbedtls_pk_context * pk)195 static int x509_profile_check_key( const mbedtls_x509_crt_profile *profile,
196 const mbedtls_pk_context *pk )
197 {
198 const mbedtls_pk_type_t pk_alg = mbedtls_pk_get_type( pk );
199
200 #if defined(MBEDTLS_RSA_C)
201 if( pk_alg == MBEDTLS_PK_RSA || pk_alg == MBEDTLS_PK_RSASSA_PSS )
202 {
203 if( mbedtls_pk_get_bitlen( pk ) >= profile->rsa_min_bitlen )
204 return( 0 );
205
206 return( -1 );
207 }
208 #endif
209
210 #if defined(MBEDTLS_ECP_C)
211 if( pk_alg == MBEDTLS_PK_ECDSA ||
212 pk_alg == MBEDTLS_PK_ECKEY ||
213 pk_alg == MBEDTLS_PK_ECKEY_DH )
214 {
215 const mbedtls_ecp_group_id gid = mbedtls_pk_ec( *pk )->grp.id;
216
217 if( gid == MBEDTLS_ECP_DP_NONE )
218 return( -1 );
219
220 if( ( profile->allowed_curves & MBEDTLS_X509_ID_FLAG( gid ) ) != 0 )
221 return( 0 );
222
223 return( -1 );
224 }
225 #endif
226
227 return( -1 );
228 }
229
230 /*
231 * Like memcmp, but case-insensitive and always returns -1 if different
232 */
x509_memcasecmp(const void * s1,const void * s2,size_t len)233 static int x509_memcasecmp( const void *s1, const void *s2, size_t len )
234 {
235 size_t i;
236 unsigned char diff;
237 const unsigned char *n1 = s1, *n2 = s2;
238
239 for( i = 0; i < len; i++ )
240 {
241 diff = n1[i] ^ n2[i];
242
243 if( diff == 0 )
244 continue;
245
246 if( diff == 32 &&
247 ( ( n1[i] >= 'a' && n1[i] <= 'z' ) ||
248 ( n1[i] >= 'A' && n1[i] <= 'Z' ) ) )
249 {
250 continue;
251 }
252
253 return( -1 );
254 }
255
256 return( 0 );
257 }
258
259 /*
260 * Return 0 if name matches wildcard, -1 otherwise
261 */
x509_check_wildcard(const char * cn,const mbedtls_x509_buf * name)262 static int x509_check_wildcard( const char *cn, const mbedtls_x509_buf *name )
263 {
264 size_t i;
265 size_t cn_idx = 0, cn_len = strlen( cn );
266
267 /* We can't have a match if there is no wildcard to match */
268 if( name->len < 3 || name->p[0] != '*' || name->p[1] != '.' )
269 return( -1 );
270
271 for( i = 0; i < cn_len; ++i )
272 {
273 if( cn[i] == '.' )
274 {
275 cn_idx = i;
276 break;
277 }
278 }
279
280 if( cn_idx == 0 )
281 return( -1 );
282
283 if( cn_len - cn_idx == name->len - 1 &&
284 x509_memcasecmp( name->p + 1, cn + cn_idx, name->len - 1 ) == 0 )
285 {
286 return( 0 );
287 }
288
289 return( -1 );
290 }
291
292 /*
293 * Compare two X.509 strings, case-insensitive, and allowing for some encoding
294 * variations (but not all).
295 *
296 * Return 0 if equal, -1 otherwise.
297 */
x509_string_cmp(const mbedtls_x509_buf * a,const mbedtls_x509_buf * b)298 static int x509_string_cmp( const mbedtls_x509_buf *a, const mbedtls_x509_buf *b )
299 {
300 if( a->tag == b->tag &&
301 a->len == b->len &&
302 memcmp( a->p, b->p, b->len ) == 0 )
303 {
304 return( 0 );
305 }
306
307 if( ( a->tag == MBEDTLS_ASN1_UTF8_STRING || a->tag == MBEDTLS_ASN1_PRINTABLE_STRING ) &&
308 ( b->tag == MBEDTLS_ASN1_UTF8_STRING || b->tag == MBEDTLS_ASN1_PRINTABLE_STRING ) &&
309 a->len == b->len &&
310 x509_memcasecmp( a->p, b->p, b->len ) == 0 )
311 {
312 return( 0 );
313 }
314
315 return( -1 );
316 }
317
318 /*
319 * Compare two X.509 Names (aka rdnSequence).
320 *
321 * See RFC 5280 section 7.1, though we don't implement the whole algorithm:
322 * we sometimes return unequal when the full algorithm would return equal,
323 * but never the other way. (In particular, we don't do Unicode normalisation
324 * or space folding.)
325 *
326 * Return 0 if equal, -1 otherwise.
327 */
x509_name_cmp(const mbedtls_x509_name * a,const mbedtls_x509_name * b)328 static int x509_name_cmp( const mbedtls_x509_name *a, const mbedtls_x509_name *b )
329 {
330 /* Avoid recursion, it might not be optimised by the compiler */
331 while( a != NULL || b != NULL )
332 {
333 if( a == NULL || b == NULL )
334 return( -1 );
335
336 /* type */
337 if( a->oid.tag != b->oid.tag ||
338 a->oid.len != b->oid.len ||
339 memcmp( a->oid.p, b->oid.p, b->oid.len ) != 0 )
340 {
341 return( -1 );
342 }
343
344 /* value */
345 if( x509_string_cmp( &a->val, &b->val ) != 0 )
346 return( -1 );
347
348 /* structure of the list of sets */
349 if( a->next_merged != b->next_merged )
350 return( -1 );
351
352 a = a->next;
353 b = b->next;
354 }
355
356 /* a == NULL == b */
357 return( 0 );
358 }
359
360 /*
361 * Reset (init or clear) a verify_chain
362 */
x509_crt_verify_chain_reset(mbedtls_x509_crt_verify_chain * ver_chain)363 static void x509_crt_verify_chain_reset(
364 mbedtls_x509_crt_verify_chain *ver_chain )
365 {
366 size_t i;
367
368 for( i = 0; i < MBEDTLS_X509_MAX_VERIFY_CHAIN_SIZE; i++ )
369 {
370 ver_chain->items[i].crt = NULL;
371 ver_chain->items[i].flags = (uint32_t) -1;
372 }
373
374 ver_chain->len = 0;
375
376 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
377 ver_chain->trust_ca_cb_result = NULL;
378 #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
379 }
380
381 /*
382 * Version ::= INTEGER { v1(0), v2(1), v3(2) }
383 */
x509_get_version(unsigned char ** p,const unsigned char * end,int * ver)384 static int x509_get_version( unsigned char **p,
385 const unsigned char *end,
386 int *ver )
387 {
388 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
389 size_t len;
390
391 if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
392 MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | 0 ) ) != 0 )
393 {
394 if( ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
395 {
396 *ver = 0;
397 return( 0 );
398 }
399
400 return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret );
401 }
402
403 end = *p + len;
404
405 if( ( ret = mbedtls_asn1_get_int( p, end, ver ) ) != 0 )
406 return( MBEDTLS_ERR_X509_INVALID_VERSION + ret );
407
408 if( *p != end )
409 return( MBEDTLS_ERR_X509_INVALID_VERSION +
410 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
411
412 return( 0 );
413 }
414
415 /*
416 * Validity ::= SEQUENCE {
417 * notBefore Time,
418 * notAfter Time }
419 */
x509_get_dates(unsigned char ** p,const unsigned char * end,mbedtls_x509_time * from,mbedtls_x509_time * to)420 static int x509_get_dates( unsigned char **p,
421 const unsigned char *end,
422 mbedtls_x509_time *from,
423 mbedtls_x509_time *to )
424 {
425 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
426 size_t len;
427
428 if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
429 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
430 return( MBEDTLS_ERR_X509_INVALID_DATE + ret );
431
432 end = *p + len;
433
434 if( ( ret = mbedtls_x509_get_time( p, end, from ) ) != 0 )
435 return( ret );
436
437 if( ( ret = mbedtls_x509_get_time( p, end, to ) ) != 0 )
438 return( ret );
439
440 if( *p != end )
441 return( MBEDTLS_ERR_X509_INVALID_DATE +
442 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
443
444 return( 0 );
445 }
446
447 /*
448 * X.509 v2/v3 unique identifier (not parsed)
449 */
x509_get_uid(unsigned char ** p,const unsigned char * end,mbedtls_x509_buf * uid,int n)450 static int x509_get_uid( unsigned char **p,
451 const unsigned char *end,
452 mbedtls_x509_buf *uid, int n )
453 {
454 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
455
456 if( *p == end )
457 return( 0 );
458
459 uid->tag = **p;
460
461 if( ( ret = mbedtls_asn1_get_tag( p, end, &uid->len,
462 MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | n ) ) != 0 )
463 {
464 if( ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
465 return( 0 );
466
467 return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret );
468 }
469
470 uid->p = *p;
471 *p += uid->len;
472
473 return( 0 );
474 }
475
x509_get_basic_constraints(unsigned char ** p,const unsigned char * end,int * ca_istrue,int * max_pathlen)476 static int x509_get_basic_constraints( unsigned char **p,
477 const unsigned char *end,
478 int *ca_istrue,
479 int *max_pathlen )
480 {
481 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
482 size_t len;
483
484 /*
485 * BasicConstraints ::= SEQUENCE {
486 * cA BOOLEAN DEFAULT FALSE,
487 * pathLenConstraint INTEGER (0..MAX) OPTIONAL }
488 */
489 *ca_istrue = 0; /* DEFAULT FALSE */
490 *max_pathlen = 0; /* endless */
491
492 if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
493 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
494 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
495
496 if( *p == end )
497 return( 0 );
498
499 if( ( ret = mbedtls_asn1_get_bool( p, end, ca_istrue ) ) != 0 )
500 {
501 if( ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
502 ret = mbedtls_asn1_get_int( p, end, ca_istrue );
503
504 if( ret != 0 )
505 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
506
507 if( *ca_istrue != 0 )
508 *ca_istrue = 1;
509 }
510
511 if( *p == end )
512 return( 0 );
513
514 if( ( ret = mbedtls_asn1_get_int( p, end, max_pathlen ) ) != 0 )
515 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
516
517 if( *p != end )
518 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
519 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
520
521 /* Do not accept max_pathlen equal to INT_MAX to avoid a signed integer
522 * overflow, which is an undefined behavior. */
523 if( *max_pathlen == INT_MAX )
524 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
525 MBEDTLS_ERR_ASN1_INVALID_LENGTH );
526
527 (*max_pathlen)++;
528
529 return( 0 );
530 }
531
x509_get_ns_cert_type(unsigned char ** p,const unsigned char * end,unsigned char * ns_cert_type)532 static int x509_get_ns_cert_type( unsigned char **p,
533 const unsigned char *end,
534 unsigned char *ns_cert_type)
535 {
536 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
537 mbedtls_x509_bitstring bs = { 0, 0, NULL };
538
539 if( ( ret = mbedtls_asn1_get_bitstring( p, end, &bs ) ) != 0 )
540 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
541
542 if( bs.len != 1 )
543 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
544 MBEDTLS_ERR_ASN1_INVALID_LENGTH );
545
546 /* Get actual bitstring */
547 *ns_cert_type = *bs.p;
548 return( 0 );
549 }
550
x509_get_key_usage(unsigned char ** p,const unsigned char * end,unsigned int * key_usage)551 static int x509_get_key_usage( unsigned char **p,
552 const unsigned char *end,
553 unsigned int *key_usage)
554 {
555 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
556 size_t i;
557 mbedtls_x509_bitstring bs = { 0, 0, NULL };
558
559 if( ( ret = mbedtls_asn1_get_bitstring( p, end, &bs ) ) != 0 )
560 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
561
562 if( bs.len < 1 )
563 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
564 MBEDTLS_ERR_ASN1_INVALID_LENGTH );
565
566 /* Get actual bitstring */
567 *key_usage = 0;
568 for( i = 0; i < bs.len && i < sizeof( unsigned int ); i++ )
569 {
570 *key_usage |= (unsigned int) bs.p[i] << (8*i);
571 }
572
573 return( 0 );
574 }
575
576 /*
577 * ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
578 *
579 * KeyPurposeId ::= OBJECT IDENTIFIER
580 */
x509_get_ext_key_usage(unsigned char ** p,const unsigned char * end,mbedtls_x509_sequence * ext_key_usage)581 static int x509_get_ext_key_usage( unsigned char **p,
582 const unsigned char *end,
583 mbedtls_x509_sequence *ext_key_usage)
584 {
585 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
586
587 if( ( ret = mbedtls_asn1_get_sequence_of( p, end, ext_key_usage, MBEDTLS_ASN1_OID ) ) != 0 )
588 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
589
590 /* Sequence length must be >= 1 */
591 if( ext_key_usage->buf.p == NULL )
592 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
593 MBEDTLS_ERR_ASN1_INVALID_LENGTH );
594
595 return( 0 );
596 }
597
598 /*
599 * SubjectAltName ::= GeneralNames
600 *
601 * GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
602 *
603 * GeneralName ::= CHOICE {
604 * otherName [0] OtherName,
605 * rfc822Name [1] IA5String,
606 * dNSName [2] IA5String,
607 * x400Address [3] ORAddress,
608 * directoryName [4] Name,
609 * ediPartyName [5] EDIPartyName,
610 * uniformResourceIdentifier [6] IA5String,
611 * iPAddress [7] OCTET STRING,
612 * registeredID [8] OBJECT IDENTIFIER }
613 *
614 * OtherName ::= SEQUENCE {
615 * type-id OBJECT IDENTIFIER,
616 * value [0] EXPLICIT ANY DEFINED BY type-id }
617 *
618 * EDIPartyName ::= SEQUENCE {
619 * nameAssigner [0] DirectoryString OPTIONAL,
620 * partyName [1] DirectoryString }
621 *
622 * NOTE: we list all types, but only use dNSName and otherName
623 * of type HwModuleName, as defined in RFC 4108, at this point.
624 */
x509_get_subject_alt_name(unsigned char ** p,const unsigned char * end,mbedtls_x509_sequence * subject_alt_name)625 static int x509_get_subject_alt_name( unsigned char **p,
626 const unsigned char *end,
627 mbedtls_x509_sequence *subject_alt_name )
628 {
629 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
630 size_t len, tag_len;
631 mbedtls_asn1_buf *buf;
632 unsigned char tag;
633 mbedtls_asn1_sequence *cur = subject_alt_name;
634
635 /* Get main sequence tag */
636 if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
637 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
638 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
639
640 if( *p + len != end )
641 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
642 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
643
644 while( *p < end )
645 {
646 mbedtls_x509_subject_alternative_name dummy_san_buf;
647 memset( &dummy_san_buf, 0, sizeof( dummy_san_buf ) );
648
649 tag = **p;
650 (*p)++;
651 if( ( ret = mbedtls_asn1_get_len( p, end, &tag_len ) ) != 0 )
652 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
653
654 if( ( tag & MBEDTLS_ASN1_TAG_CLASS_MASK ) !=
655 MBEDTLS_ASN1_CONTEXT_SPECIFIC )
656 {
657 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
658 MBEDTLS_ERR_ASN1_UNEXPECTED_TAG );
659 }
660
661 /*
662 * Check that the SAN is structured correctly.
663 */
664 ret = mbedtls_x509_parse_subject_alt_name( &(cur->buf), &dummy_san_buf );
665 /*
666 * In case the extension is malformed, return an error,
667 * and clear the allocated sequences.
668 */
669 if( ret != 0 && ret != MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE )
670 {
671 mbedtls_x509_sequence *seq_cur = subject_alt_name->next;
672 mbedtls_x509_sequence *seq_prv;
673 while( seq_cur != NULL )
674 {
675 seq_prv = seq_cur;
676 seq_cur = seq_cur->next;
677 mbedtls_platform_zeroize( seq_prv,
678 sizeof( mbedtls_x509_sequence ) );
679 mbedtls_free( seq_prv );
680 }
681 subject_alt_name->next = NULL;
682 return( ret );
683 }
684
685 /* Allocate and assign next pointer */
686 if( cur->buf.p != NULL )
687 {
688 if( cur->next != NULL )
689 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS );
690
691 cur->next = mbedtls_calloc( 1, sizeof( mbedtls_asn1_sequence ) );
692
693 if( cur->next == NULL )
694 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
695 MBEDTLS_ERR_ASN1_ALLOC_FAILED );
696
697 cur = cur->next;
698 }
699
700 buf = &(cur->buf);
701 buf->tag = tag;
702 buf->p = *p;
703 buf->len = tag_len;
704 *p += buf->len;
705 }
706
707 /* Set final sequence entry's next pointer to NULL */
708 cur->next = NULL;
709
710 if( *p != end )
711 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
712 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
713
714 return( 0 );
715 }
716
717 /*
718 * id-ce-certificatePolicies OBJECT IDENTIFIER ::= { id-ce 32 }
719 *
720 * anyPolicy OBJECT IDENTIFIER ::= { id-ce-certificatePolicies 0 }
721 *
722 * certificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation
723 *
724 * PolicyInformation ::= SEQUENCE {
725 * policyIdentifier CertPolicyId,
726 * policyQualifiers SEQUENCE SIZE (1..MAX) OF
727 * PolicyQualifierInfo OPTIONAL }
728 *
729 * CertPolicyId ::= OBJECT IDENTIFIER
730 *
731 * PolicyQualifierInfo ::= SEQUENCE {
732 * policyQualifierId PolicyQualifierId,
733 * qualifier ANY DEFINED BY policyQualifierId }
734 *
735 * -- policyQualifierIds for Internet policy qualifiers
736 *
737 * id-qt OBJECT IDENTIFIER ::= { id-pkix 2 }
738 * id-qt-cps OBJECT IDENTIFIER ::= { id-qt 1 }
739 * id-qt-unotice OBJECT IDENTIFIER ::= { id-qt 2 }
740 *
741 * PolicyQualifierId ::= OBJECT IDENTIFIER ( id-qt-cps | id-qt-unotice )
742 *
743 * Qualifier ::= CHOICE {
744 * cPSuri CPSuri,
745 * userNotice UserNotice }
746 *
747 * CPSuri ::= IA5String
748 *
749 * UserNotice ::= SEQUENCE {
750 * noticeRef NoticeReference OPTIONAL,
751 * explicitText DisplayText OPTIONAL }
752 *
753 * NoticeReference ::= SEQUENCE {
754 * organization DisplayText,
755 * noticeNumbers SEQUENCE OF INTEGER }
756 *
757 * DisplayText ::= CHOICE {
758 * ia5String IA5String (SIZE (1..200)),
759 * visibleString VisibleString (SIZE (1..200)),
760 * bmpString BMPString (SIZE (1..200)),
761 * utf8String UTF8String (SIZE (1..200)) }
762 *
763 * NOTE: we only parse and use anyPolicy without qualifiers at this point
764 * as defined in RFC 5280.
765 */
x509_get_certificate_policies(unsigned char ** p,const unsigned char * end,mbedtls_x509_sequence * certificate_policies)766 static int x509_get_certificate_policies( unsigned char **p,
767 const unsigned char *end,
768 mbedtls_x509_sequence *certificate_policies )
769 {
770 int ret, parse_ret = 0;
771 size_t len;
772 mbedtls_asn1_buf *buf;
773 mbedtls_asn1_sequence *cur = certificate_policies;
774
775 /* Get main sequence tag */
776 ret = mbedtls_asn1_get_tag( p, end, &len,
777 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE );
778 if( ret != 0 )
779 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
780
781 if( *p + len != end )
782 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
783 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
784
785 /*
786 * Cannot be an empty sequence.
787 */
788 if( len == 0 )
789 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
790 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
791
792 while( *p < end )
793 {
794 mbedtls_x509_buf policy_oid;
795 const unsigned char *policy_end;
796
797 /*
798 * Get the policy sequence
799 */
800 if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
801 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
802 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
803
804 policy_end = *p + len;
805
806 if( ( ret = mbedtls_asn1_get_tag( p, policy_end, &len,
807 MBEDTLS_ASN1_OID ) ) != 0 )
808 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
809
810 policy_oid.tag = MBEDTLS_ASN1_OID;
811 policy_oid.len = len;
812 policy_oid.p = *p;
813
814 /*
815 * Only AnyPolicy is currently supported when enforcing policy.
816 */
817 if( MBEDTLS_OID_CMP( MBEDTLS_OID_ANY_POLICY, &policy_oid ) != 0 )
818 {
819 /*
820 * Set the parsing return code but continue parsing, in case this
821 * extension is critical and MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
822 * is configured.
823 */
824 parse_ret = MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE;
825 }
826
827 /* Allocate and assign next pointer */
828 if( cur->buf.p != NULL )
829 {
830 if( cur->next != NULL )
831 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS );
832
833 cur->next = mbedtls_calloc( 1, sizeof( mbedtls_asn1_sequence ) );
834
835 if( cur->next == NULL )
836 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
837 MBEDTLS_ERR_ASN1_ALLOC_FAILED );
838
839 cur = cur->next;
840 }
841
842 buf = &( cur->buf );
843 buf->tag = policy_oid.tag;
844 buf->p = policy_oid.p;
845 buf->len = policy_oid.len;
846
847 *p += len;
848
849 /*
850 * If there is an optional qualifier, then *p < policy_end
851 * Check the Qualifier len to verify it doesn't exceed policy_end.
852 */
853 if( *p < policy_end )
854 {
855 if( ( ret = mbedtls_asn1_get_tag( p, policy_end, &len,
856 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
857 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
858 /*
859 * Skip the optional policy qualifiers.
860 */
861 *p += len;
862 }
863
864 if( *p != policy_end )
865 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
866 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
867 }
868
869 /* Set final sequence entry's next pointer to NULL */
870 cur->next = NULL;
871
872 if( *p != end )
873 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
874 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
875
876 return( parse_ret );
877 }
878
879 /*
880 * X.509 v3 extensions
881 *
882 */
x509_get_crt_ext(unsigned char ** p,const unsigned char * end,mbedtls_x509_crt * crt,mbedtls_x509_crt_ext_cb_t cb,void * p_ctx)883 static int x509_get_crt_ext( unsigned char **p,
884 const unsigned char *end,
885 mbedtls_x509_crt *crt,
886 mbedtls_x509_crt_ext_cb_t cb,
887 void *p_ctx )
888 {
889 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
890 size_t len;
891 unsigned char *end_ext_data, *start_ext_octet, *end_ext_octet;
892
893 if( *p == end )
894 return( 0 );
895
896 if( ( ret = mbedtls_x509_get_ext( p, end, &crt->v3_ext, 3 ) ) != 0 )
897 return( ret );
898
899 end = crt->v3_ext.p + crt->v3_ext.len;
900 while( *p < end )
901 {
902 /*
903 * Extension ::= SEQUENCE {
904 * extnID OBJECT IDENTIFIER,
905 * critical BOOLEAN DEFAULT FALSE,
906 * extnValue OCTET STRING }
907 */
908 mbedtls_x509_buf extn_oid = {0, 0, NULL};
909 int is_critical = 0; /* DEFAULT FALSE */
910 int ext_type = 0;
911
912 if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
913 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
914 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
915
916 end_ext_data = *p + len;
917
918 /* Get extension ID */
919 if( ( ret = mbedtls_asn1_get_tag( p, end_ext_data, &extn_oid.len,
920 MBEDTLS_ASN1_OID ) ) != 0 )
921 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
922
923 extn_oid.tag = MBEDTLS_ASN1_OID;
924 extn_oid.p = *p;
925 *p += extn_oid.len;
926
927 /* Get optional critical */
928 if( ( ret = mbedtls_asn1_get_bool( p, end_ext_data, &is_critical ) ) != 0 &&
929 ( ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) )
930 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
931
932 /* Data should be octet string type */
933 if( ( ret = mbedtls_asn1_get_tag( p, end_ext_data, &len,
934 MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )
935 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
936
937 start_ext_octet = *p;
938 end_ext_octet = *p + len;
939
940 if( end_ext_octet != end_ext_data )
941 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
942 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
943
944 /*
945 * Detect supported extensions
946 */
947 ret = mbedtls_oid_get_x509_ext_type( &extn_oid, &ext_type );
948
949 if( ret != 0 )
950 {
951 /* Give the callback (if any) a chance to handle the extension */
952 if( cb != NULL )
953 {
954 ret = cb( p_ctx, crt, &extn_oid, is_critical, *p, end_ext_octet );
955 if( ret != 0 && is_critical )
956 return( ret );
957 *p = end_ext_octet;
958 continue;
959 }
960
961 /* No parser found, skip extension */
962 *p = end_ext_octet;
963
964 #if !defined(MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION)
965 if( is_critical )
966 {
967 /* Data is marked as critical: fail */
968 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
969 MBEDTLS_ERR_ASN1_UNEXPECTED_TAG );
970 }
971 #endif
972 continue;
973 }
974
975 /* Forbid repeated extensions */
976 if( ( crt->ext_types & ext_type ) != 0 )
977 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS );
978
979 crt->ext_types |= ext_type;
980
981 switch( ext_type )
982 {
983 case MBEDTLS_X509_EXT_BASIC_CONSTRAINTS:
984 /* Parse basic constraints */
985 if( ( ret = x509_get_basic_constraints( p, end_ext_octet,
986 &crt->ca_istrue, &crt->max_pathlen ) ) != 0 )
987 return( ret );
988 break;
989
990 case MBEDTLS_X509_EXT_KEY_USAGE:
991 /* Parse key usage */
992 if( ( ret = x509_get_key_usage( p, end_ext_octet,
993 &crt->key_usage ) ) != 0 )
994 return( ret );
995 break;
996
997 case MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE:
998 /* Parse extended key usage */
999 if( ( ret = x509_get_ext_key_usage( p, end_ext_octet,
1000 &crt->ext_key_usage ) ) != 0 )
1001 return( ret );
1002 break;
1003
1004 case MBEDTLS_X509_EXT_SUBJECT_ALT_NAME:
1005 /* Parse subject alt name */
1006 if( ( ret = x509_get_subject_alt_name( p, end_ext_octet,
1007 &crt->subject_alt_names ) ) != 0 )
1008 return( ret );
1009 break;
1010
1011 case MBEDTLS_X509_EXT_NS_CERT_TYPE:
1012 /* Parse netscape certificate type */
1013 if( ( ret = x509_get_ns_cert_type( p, end_ext_octet,
1014 &crt->ns_cert_type ) ) != 0 )
1015 return( ret );
1016 break;
1017
1018 case MBEDTLS_OID_X509_EXT_CERTIFICATE_POLICIES:
1019 /* Parse certificate policies type */
1020 if( ( ret = x509_get_certificate_policies( p, end_ext_octet,
1021 &crt->certificate_policies ) ) != 0 )
1022 {
1023 /* Give the callback (if any) a chance to handle the extension
1024 * if it contains unsupported policies */
1025 if( ret == MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE && cb != NULL &&
1026 cb( p_ctx, crt, &extn_oid, is_critical,
1027 start_ext_octet, end_ext_octet ) == 0 )
1028 break;
1029
1030 #if !defined(MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION)
1031 if( is_critical )
1032 return( ret );
1033 else
1034 #endif
1035 /*
1036 * If MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE is returned, then we
1037 * cannot interpret or enforce the policy. However, it is up to
1038 * the user to choose how to enforce the policies,
1039 * unless the extension is critical.
1040 */
1041 if( ret != MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE )
1042 return( ret );
1043 }
1044 break;
1045
1046 default:
1047 /*
1048 * If this is a non-critical extension, which the oid layer
1049 * supports, but there isn't an x509 parser for it,
1050 * skip the extension.
1051 */
1052 #if !defined(MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION)
1053 if( is_critical )
1054 return( MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE );
1055 else
1056 #endif
1057 *p = end_ext_octet;
1058 }
1059 }
1060
1061 if( *p != end )
1062 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
1063 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
1064
1065 return( 0 );
1066 }
1067
1068 /*
1069 * Parse and fill a single X.509 certificate in DER format
1070 */
x509_crt_parse_der_core(mbedtls_x509_crt * crt,const unsigned char * buf,size_t buflen,int make_copy,mbedtls_x509_crt_ext_cb_t cb,void * p_ctx)1071 static int x509_crt_parse_der_core( mbedtls_x509_crt *crt,
1072 const unsigned char *buf,
1073 size_t buflen,
1074 int make_copy,
1075 mbedtls_x509_crt_ext_cb_t cb,
1076 void *p_ctx )
1077 {
1078 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1079 size_t len;
1080 unsigned char *p, *end, *crt_end;
1081 mbedtls_x509_buf sig_params1, sig_params2, sig_oid2;
1082
1083 memset( &sig_params1, 0, sizeof( mbedtls_x509_buf ) );
1084 memset( &sig_params2, 0, sizeof( mbedtls_x509_buf ) );
1085 memset( &sig_oid2, 0, sizeof( mbedtls_x509_buf ) );
1086
1087 /*
1088 * Check for valid input
1089 */
1090 if( crt == NULL || buf == NULL )
1091 return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
1092
1093 /* Use the original buffer until we figure out actual length. */
1094 p = (unsigned char*) buf;
1095 len = buflen;
1096 end = p + len;
1097
1098 /*
1099 * Certificate ::= SEQUENCE {
1100 * tbsCertificate TBSCertificate,
1101 * signatureAlgorithm AlgorithmIdentifier,
1102 * signatureValue BIT STRING }
1103 */
1104 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
1105 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
1106 {
1107 mbedtls_x509_crt_free( crt );
1108 return( MBEDTLS_ERR_X509_INVALID_FORMAT );
1109 }
1110
1111 end = crt_end = p + len;
1112 crt->raw.len = crt_end - buf;
1113 if( make_copy != 0 )
1114 {
1115 /* Create and populate a new buffer for the raw field. */
1116 crt->raw.p = p = mbedtls_calloc( 1, crt->raw.len );
1117 if( crt->raw.p == NULL )
1118 return( MBEDTLS_ERR_X509_ALLOC_FAILED );
1119
1120 memcpy( crt->raw.p, buf, crt->raw.len );
1121 crt->own_buffer = 1;
1122
1123 p += crt->raw.len - len;
1124 end = crt_end = p + len;
1125 }
1126 else
1127 {
1128 crt->raw.p = (unsigned char*) buf;
1129 crt->own_buffer = 0;
1130 }
1131
1132 /*
1133 * TBSCertificate ::= SEQUENCE {
1134 */
1135 crt->tbs.p = p;
1136
1137 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
1138 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
1139 {
1140 mbedtls_x509_crt_free( crt );
1141 return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret );
1142 }
1143
1144 end = p + len;
1145 crt->tbs.len = end - crt->tbs.p;
1146
1147 /*
1148 * Version ::= INTEGER { v1(0), v2(1), v3(2) }
1149 *
1150 * CertificateSerialNumber ::= INTEGER
1151 *
1152 * signature AlgorithmIdentifier
1153 */
1154 if( ( ret = x509_get_version( &p, end, &crt->version ) ) != 0 ||
1155 ( ret = mbedtls_x509_get_serial( &p, end, &crt->serial ) ) != 0 ||
1156 ( ret = mbedtls_x509_get_alg( &p, end, &crt->sig_oid,
1157 &sig_params1 ) ) != 0 )
1158 {
1159 mbedtls_x509_crt_free( crt );
1160 return( ret );
1161 }
1162
1163 if( crt->version < 0 || crt->version > 2 )
1164 {
1165 mbedtls_x509_crt_free( crt );
1166 return( MBEDTLS_ERR_X509_UNKNOWN_VERSION );
1167 }
1168
1169 crt->version++;
1170
1171 if( ( ret = mbedtls_x509_get_sig_alg( &crt->sig_oid, &sig_params1,
1172 &crt->sig_md, &crt->sig_pk,
1173 &crt->sig_opts ) ) != 0 )
1174 {
1175 mbedtls_x509_crt_free( crt );
1176 return( ret );
1177 }
1178
1179 /*
1180 * issuer Name
1181 */
1182 crt->issuer_raw.p = p;
1183
1184 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
1185 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
1186 {
1187 mbedtls_x509_crt_free( crt );
1188 return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret );
1189 }
1190
1191 if( ( ret = mbedtls_x509_get_name( &p, p + len, &crt->issuer ) ) != 0 )
1192 {
1193 mbedtls_x509_crt_free( crt );
1194 return( ret );
1195 }
1196
1197 crt->issuer_raw.len = p - crt->issuer_raw.p;
1198
1199 /*
1200 * Validity ::= SEQUENCE {
1201 * notBefore Time,
1202 * notAfter Time }
1203 *
1204 */
1205 if( ( ret = x509_get_dates( &p, end, &crt->valid_from,
1206 &crt->valid_to ) ) != 0 )
1207 {
1208 mbedtls_x509_crt_free( crt );
1209 return( ret );
1210 }
1211
1212 /*
1213 * subject Name
1214 */
1215 crt->subject_raw.p = p;
1216
1217 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
1218 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
1219 {
1220 mbedtls_x509_crt_free( crt );
1221 return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret );
1222 }
1223
1224 if( len && ( ret = mbedtls_x509_get_name( &p, p + len, &crt->subject ) ) != 0 )
1225 {
1226 mbedtls_x509_crt_free( crt );
1227 return( ret );
1228 }
1229
1230 crt->subject_raw.len = p - crt->subject_raw.p;
1231
1232 /*
1233 * SubjectPublicKeyInfo
1234 */
1235 crt->pk_raw.p = p;
1236 if( ( ret = mbedtls_pk_parse_subpubkey( &p, end, &crt->pk ) ) != 0 )
1237 {
1238 mbedtls_x509_crt_free( crt );
1239 return( ret );
1240 }
1241 crt->pk_raw.len = p - crt->pk_raw.p;
1242
1243 /*
1244 * issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
1245 * -- If present, version shall be v2 or v3
1246 * subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
1247 * -- If present, version shall be v2 or v3
1248 * extensions [3] EXPLICIT Extensions OPTIONAL
1249 * -- If present, version shall be v3
1250 */
1251 if( crt->version == 2 || crt->version == 3 )
1252 {
1253 ret = x509_get_uid( &p, end, &crt->issuer_id, 1 );
1254 if( ret != 0 )
1255 {
1256 mbedtls_x509_crt_free( crt );
1257 return( ret );
1258 }
1259 }
1260
1261 if( crt->version == 2 || crt->version == 3 )
1262 {
1263 ret = x509_get_uid( &p, end, &crt->subject_id, 2 );
1264 if( ret != 0 )
1265 {
1266 mbedtls_x509_crt_free( crt );
1267 return( ret );
1268 }
1269 }
1270
1271 #if !defined(MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3)
1272 if( crt->version == 3 )
1273 #endif
1274 {
1275 ret = x509_get_crt_ext( &p, end, crt, cb, p_ctx );
1276 if( ret != 0 )
1277 {
1278 mbedtls_x509_crt_free( crt );
1279 return( ret );
1280 }
1281 }
1282
1283 if( p != end )
1284 {
1285 mbedtls_x509_crt_free( crt );
1286 return( MBEDTLS_ERR_X509_INVALID_FORMAT +
1287 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
1288 }
1289
1290 end = crt_end;
1291
1292 /*
1293 * }
1294 * -- end of TBSCertificate
1295 *
1296 * signatureAlgorithm AlgorithmIdentifier,
1297 * signatureValue BIT STRING
1298 */
1299 if( ( ret = mbedtls_x509_get_alg( &p, end, &sig_oid2, &sig_params2 ) ) != 0 )
1300 {
1301 mbedtls_x509_crt_free( crt );
1302 return( ret );
1303 }
1304
1305 if( crt->sig_oid.len != sig_oid2.len ||
1306 memcmp( crt->sig_oid.p, sig_oid2.p, crt->sig_oid.len ) != 0 ||
1307 sig_params1.tag != sig_params2.tag ||
1308 sig_params1.len != sig_params2.len ||
1309 ( sig_params1.len != 0 &&
1310 memcmp( sig_params1.p, sig_params2.p, sig_params1.len ) != 0 ) )
1311 {
1312 mbedtls_x509_crt_free( crt );
1313 return( MBEDTLS_ERR_X509_SIG_MISMATCH );
1314 }
1315
1316 if( ( ret = mbedtls_x509_get_sig( &p, end, &crt->sig ) ) != 0 )
1317 {
1318 mbedtls_x509_crt_free( crt );
1319 return( ret );
1320 }
1321
1322 if( p != end )
1323 {
1324 mbedtls_x509_crt_free( crt );
1325 return( MBEDTLS_ERR_X509_INVALID_FORMAT +
1326 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
1327 }
1328
1329 return( 0 );
1330 }
1331
1332 /*
1333 * Parse one X.509 certificate in DER format from a buffer and add them to a
1334 * chained list
1335 */
mbedtls_x509_crt_parse_der_internal(mbedtls_x509_crt * chain,const unsigned char * buf,size_t buflen,int make_copy,mbedtls_x509_crt_ext_cb_t cb,void * p_ctx)1336 static int mbedtls_x509_crt_parse_der_internal( mbedtls_x509_crt *chain,
1337 const unsigned char *buf,
1338 size_t buflen,
1339 int make_copy,
1340 mbedtls_x509_crt_ext_cb_t cb,
1341 void *p_ctx )
1342 {
1343 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1344 mbedtls_x509_crt *crt = chain, *prev = NULL;
1345
1346 /*
1347 * Check for valid input
1348 */
1349 if( crt == NULL || buf == NULL )
1350 return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
1351
1352 while( crt->version != 0 && crt->next != NULL )
1353 {
1354 prev = crt;
1355 crt = crt->next;
1356 }
1357
1358 /*
1359 * Add new certificate on the end of the chain if needed.
1360 */
1361 if( crt->version != 0 && crt->next == NULL )
1362 {
1363 crt->next = mbedtls_calloc( 1, sizeof( mbedtls_x509_crt ) );
1364
1365 if( crt->next == NULL )
1366 return( MBEDTLS_ERR_X509_ALLOC_FAILED );
1367
1368 prev = crt;
1369 mbedtls_x509_crt_init( crt->next );
1370 crt = crt->next;
1371 }
1372
1373 ret = x509_crt_parse_der_core( crt, buf, buflen, make_copy, cb, p_ctx );
1374 if( ret != 0 )
1375 {
1376 if( prev )
1377 prev->next = NULL;
1378
1379 if( crt != chain )
1380 mbedtls_free( crt );
1381
1382 return( ret );
1383 }
1384
1385 return( 0 );
1386 }
1387
mbedtls_x509_crt_parse_der_nocopy(mbedtls_x509_crt * chain,const unsigned char * buf,size_t buflen)1388 int mbedtls_x509_crt_parse_der_nocopy( mbedtls_x509_crt *chain,
1389 const unsigned char *buf,
1390 size_t buflen )
1391 {
1392 return( mbedtls_x509_crt_parse_der_internal( chain, buf, buflen, 0, NULL, NULL ) );
1393 }
1394
mbedtls_x509_crt_parse_der_with_ext_cb(mbedtls_x509_crt * chain,const unsigned char * buf,size_t buflen,int make_copy,mbedtls_x509_crt_ext_cb_t cb,void * p_ctx)1395 int mbedtls_x509_crt_parse_der_with_ext_cb( mbedtls_x509_crt *chain,
1396 const unsigned char *buf,
1397 size_t buflen,
1398 int make_copy,
1399 mbedtls_x509_crt_ext_cb_t cb,
1400 void *p_ctx )
1401 {
1402 return( mbedtls_x509_crt_parse_der_internal( chain, buf, buflen, make_copy, cb, p_ctx ) );
1403 }
1404
mbedtls_x509_crt_parse_der(mbedtls_x509_crt * chain,const unsigned char * buf,size_t buflen)1405 int mbedtls_x509_crt_parse_der( mbedtls_x509_crt *chain,
1406 const unsigned char *buf,
1407 size_t buflen )
1408 {
1409 return( mbedtls_x509_crt_parse_der_internal( chain, buf, buflen, 1, NULL, NULL ) );
1410 }
1411
1412 /*
1413 * Parse one or more PEM certificates from a buffer and add them to the chained
1414 * list
1415 */
mbedtls_x509_crt_parse(mbedtls_x509_crt * chain,const unsigned char * buf,size_t buflen)1416 int mbedtls_x509_crt_parse( mbedtls_x509_crt *chain,
1417 const unsigned char *buf,
1418 size_t buflen )
1419 {
1420 #if defined(MBEDTLS_PEM_PARSE_C)
1421 int success = 0, first_error = 0, total_failed = 0;
1422 int buf_format = MBEDTLS_X509_FORMAT_DER;
1423 #endif
1424
1425 /*
1426 * Check for valid input
1427 */
1428 if( chain == NULL || buf == NULL )
1429 return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
1430
1431 /*
1432 * Determine buffer content. Buffer contains either one DER certificate or
1433 * one or more PEM certificates.
1434 */
1435 #if defined(MBEDTLS_PEM_PARSE_C)
1436 if( buflen != 0 && buf[buflen - 1] == '\0' &&
1437 strstr( (const char *) buf, "-----BEGIN CERTIFICATE-----" ) != NULL )
1438 {
1439 buf_format = MBEDTLS_X509_FORMAT_PEM;
1440 }
1441
1442 if( buf_format == MBEDTLS_X509_FORMAT_DER )
1443 return mbedtls_x509_crt_parse_der( chain, buf, buflen );
1444 #else
1445 return mbedtls_x509_crt_parse_der( chain, buf, buflen );
1446 #endif
1447
1448 #if defined(MBEDTLS_PEM_PARSE_C)
1449 if( buf_format == MBEDTLS_X509_FORMAT_PEM )
1450 {
1451 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1452 mbedtls_pem_context pem;
1453
1454 /* 1 rather than 0 since the terminating NULL byte is counted in */
1455 while( buflen > 1 )
1456 {
1457 size_t use_len;
1458 mbedtls_pem_init( &pem );
1459
1460 /* If we get there, we know the string is null-terminated */
1461 ret = mbedtls_pem_read_buffer( &pem,
1462 "-----BEGIN CERTIFICATE-----",
1463 "-----END CERTIFICATE-----",
1464 buf, NULL, 0, &use_len );
1465
1466 if( ret == 0 )
1467 {
1468 /*
1469 * Was PEM encoded
1470 */
1471 buflen -= use_len;
1472 buf += use_len;
1473 }
1474 else if( ret == MBEDTLS_ERR_PEM_BAD_INPUT_DATA )
1475 {
1476 return( ret );
1477 }
1478 else if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
1479 {
1480 mbedtls_pem_free( &pem );
1481
1482 /*
1483 * PEM header and footer were found
1484 */
1485 buflen -= use_len;
1486 buf += use_len;
1487
1488 if( first_error == 0 )
1489 first_error = ret;
1490
1491 total_failed++;
1492 continue;
1493 }
1494 else
1495 break;
1496
1497 ret = mbedtls_x509_crt_parse_der( chain, pem.buf, pem.buflen );
1498
1499 mbedtls_pem_free( &pem );
1500
1501 if( ret != 0 )
1502 {
1503 /*
1504 * Quit parsing on a memory error
1505 */
1506 if( ret == MBEDTLS_ERR_X509_ALLOC_FAILED )
1507 return( ret );
1508
1509 if( first_error == 0 )
1510 first_error = ret;
1511
1512 total_failed++;
1513 continue;
1514 }
1515
1516 success = 1;
1517 }
1518 }
1519
1520 if( success )
1521 return( total_failed );
1522 else if( first_error )
1523 return( first_error );
1524 else
1525 return( MBEDTLS_ERR_X509_CERT_UNKNOWN_FORMAT );
1526 #endif /* MBEDTLS_PEM_PARSE_C */
1527 }
1528
1529 #if defined(MBEDTLS_FS_IO)
1530 /*
1531 * Load one or more certificates and add them to the chained list
1532 */
mbedtls_x509_crt_parse_file(mbedtls_x509_crt * chain,const char * path)1533 int mbedtls_x509_crt_parse_file( mbedtls_x509_crt *chain, const char *path )
1534 {
1535 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1536 size_t n;
1537 unsigned char *buf;
1538
1539 if( ( ret = mbedtls_pk_load_file( path, &buf, &n ) ) != 0 )
1540 return( ret );
1541
1542 ret = mbedtls_x509_crt_parse( chain, buf, n );
1543
1544 mbedtls_platform_zeroize( buf, n );
1545 mbedtls_free( buf );
1546
1547 return( ret );
1548 }
1549
mbedtls_x509_crt_parse_path(mbedtls_x509_crt * chain,const char * path)1550 int mbedtls_x509_crt_parse_path( mbedtls_x509_crt *chain, const char *path )
1551 {
1552 int ret = 0;
1553 #if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
1554 int w_ret;
1555 WCHAR szDir[MAX_PATH];
1556 char filename[MAX_PATH];
1557 char *p;
1558 size_t len = strlen( path );
1559
1560 WIN32_FIND_DATAW file_data;
1561 HANDLE hFind;
1562
1563 if( len > MAX_PATH - 3 )
1564 return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
1565
1566 memset( szDir, 0, sizeof(szDir) );
1567 memset( filename, 0, MAX_PATH );
1568 memcpy( filename, path, len );
1569 filename[len++] = '\\';
1570 p = filename + len;
1571 filename[len++] = '*';
1572
1573 w_ret = MultiByteToWideChar( CP_ACP, 0, filename, (int)len, szDir,
1574 MAX_PATH - 3 );
1575 if( w_ret == 0 )
1576 return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
1577
1578 hFind = FindFirstFileW( szDir, &file_data );
1579 if( hFind == INVALID_HANDLE_VALUE )
1580 return( MBEDTLS_ERR_X509_FILE_IO_ERROR );
1581
1582 len = MAX_PATH - len;
1583 do
1584 {
1585 memset( p, 0, len );
1586
1587 if( file_data.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY )
1588 continue;
1589
1590 w_ret = WideCharToMultiByte( CP_ACP, 0, file_data.cFileName,
1591 lstrlenW( file_data.cFileName ),
1592 p, (int) len - 1,
1593 NULL, NULL );
1594 if( w_ret == 0 )
1595 {
1596 ret = MBEDTLS_ERR_X509_FILE_IO_ERROR;
1597 goto cleanup;
1598 }
1599
1600 w_ret = mbedtls_x509_crt_parse_file( chain, filename );
1601 if( w_ret < 0 )
1602 ret++;
1603 else
1604 ret += w_ret;
1605 }
1606 while( FindNextFileW( hFind, &file_data ) != 0 );
1607
1608 if( GetLastError() != ERROR_NO_MORE_FILES )
1609 ret = MBEDTLS_ERR_X509_FILE_IO_ERROR;
1610
1611 cleanup:
1612 FindClose( hFind );
1613 #else /* _WIN32 */
1614 int t_ret;
1615 int snp_ret;
1616 struct stat sb;
1617 struct dirent *entry;
1618 char entry_name[MBEDTLS_X509_MAX_FILE_PATH_LEN];
1619 DIR *dir = opendir( path );
1620
1621 if( dir == NULL )
1622 return( MBEDTLS_ERR_X509_FILE_IO_ERROR );
1623
1624 #if defined(MBEDTLS_THREADING_C)
1625 if( ( ret = mbedtls_mutex_lock( &mbedtls_threading_readdir_mutex ) ) != 0 )
1626 {
1627 closedir( dir );
1628 return( ret );
1629 }
1630 #endif /* MBEDTLS_THREADING_C */
1631
1632 while( ( entry = readdir( dir ) ) != NULL )
1633 {
1634 snp_ret = mbedtls_snprintf( entry_name, sizeof entry_name,
1635 "%s/%s", path, entry->d_name );
1636
1637 if( snp_ret < 0 || (size_t)snp_ret >= sizeof entry_name )
1638 {
1639 ret = MBEDTLS_ERR_X509_BUFFER_TOO_SMALL;
1640 goto cleanup;
1641 }
1642 else if( stat( entry_name, &sb ) == -1 )
1643 {
1644 ret = MBEDTLS_ERR_X509_FILE_IO_ERROR;
1645 goto cleanup;
1646 }
1647
1648 if( !S_ISREG( sb.st_mode ) )
1649 continue;
1650
1651 // Ignore parse errors
1652 //
1653 t_ret = mbedtls_x509_crt_parse_file( chain, entry_name );
1654 if( t_ret < 0 )
1655 ret++;
1656 else
1657 ret += t_ret;
1658 }
1659
1660 cleanup:
1661 closedir( dir );
1662
1663 #if defined(MBEDTLS_THREADING_C)
1664 if( mbedtls_mutex_unlock( &mbedtls_threading_readdir_mutex ) != 0 )
1665 ret = MBEDTLS_ERR_THREADING_MUTEX_ERROR;
1666 #endif /* MBEDTLS_THREADING_C */
1667
1668 #endif /* _WIN32 */
1669
1670 return( ret );
1671 }
1672 #endif /* MBEDTLS_FS_IO */
1673
1674 /*
1675 * OtherName ::= SEQUENCE {
1676 * type-id OBJECT IDENTIFIER,
1677 * value [0] EXPLICIT ANY DEFINED BY type-id }
1678 *
1679 * HardwareModuleName ::= SEQUENCE {
1680 * hwType OBJECT IDENTIFIER,
1681 * hwSerialNum OCTET STRING }
1682 *
1683 * NOTE: we currently only parse and use otherName of type HwModuleName,
1684 * as defined in RFC 4108.
1685 */
x509_get_other_name(const mbedtls_x509_buf * subject_alt_name,mbedtls_x509_san_other_name * other_name)1686 static int x509_get_other_name( const mbedtls_x509_buf *subject_alt_name,
1687 mbedtls_x509_san_other_name *other_name )
1688 {
1689 int ret = 0;
1690 size_t len;
1691 unsigned char *p = subject_alt_name->p;
1692 const unsigned char *end = p + subject_alt_name->len;
1693 mbedtls_x509_buf cur_oid;
1694
1695 if( ( subject_alt_name->tag &
1696 ( MBEDTLS_ASN1_TAG_CLASS_MASK | MBEDTLS_ASN1_TAG_VALUE_MASK ) ) !=
1697 ( MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_X509_SAN_OTHER_NAME ) )
1698 {
1699 /*
1700 * The given subject alternative name is not of type "othername".
1701 */
1702 return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
1703 }
1704
1705 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
1706 MBEDTLS_ASN1_OID ) ) != 0 )
1707 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
1708
1709 cur_oid.tag = MBEDTLS_ASN1_OID;
1710 cur_oid.p = p;
1711 cur_oid.len = len;
1712
1713 /*
1714 * Only HwModuleName is currently supported.
1715 */
1716 if( MBEDTLS_OID_CMP( MBEDTLS_OID_ON_HW_MODULE_NAME, &cur_oid ) != 0 )
1717 {
1718 return( MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE );
1719 }
1720
1721 if( p + len >= end )
1722 {
1723 mbedtls_platform_zeroize( other_name, sizeof( *other_name ) );
1724 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
1725 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
1726 }
1727 p += len;
1728 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
1729 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_CONTEXT_SPECIFIC ) ) != 0 )
1730 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
1731
1732 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
1733 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
1734 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
1735
1736 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, MBEDTLS_ASN1_OID ) ) != 0 )
1737 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
1738
1739 other_name->value.hardware_module_name.oid.tag = MBEDTLS_ASN1_OID;
1740 other_name->value.hardware_module_name.oid.p = p;
1741 other_name->value.hardware_module_name.oid.len = len;
1742
1743 if( p + len >= end )
1744 {
1745 mbedtls_platform_zeroize( other_name, sizeof( *other_name ) );
1746 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
1747 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
1748 }
1749 p += len;
1750 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
1751 MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )
1752 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
1753
1754 other_name->value.hardware_module_name.val.tag = MBEDTLS_ASN1_OCTET_STRING;
1755 other_name->value.hardware_module_name.val.p = p;
1756 other_name->value.hardware_module_name.val.len = len;
1757 p += len;
1758 if( p != end )
1759 {
1760 mbedtls_platform_zeroize( other_name,
1761 sizeof( *other_name ) );
1762 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
1763 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
1764 }
1765 return( 0 );
1766 }
1767
x509_info_subject_alt_name(char ** buf,size_t * size,const mbedtls_x509_sequence * subject_alt_name,const char * prefix)1768 static int x509_info_subject_alt_name( char **buf, size_t *size,
1769 const mbedtls_x509_sequence
1770 *subject_alt_name,
1771 const char *prefix )
1772 {
1773 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1774 size_t n = *size;
1775 char *p = *buf;
1776 const mbedtls_x509_sequence *cur = subject_alt_name;
1777 mbedtls_x509_subject_alternative_name san;
1778 int parse_ret;
1779
1780 while( cur != NULL )
1781 {
1782 memset( &san, 0, sizeof( san ) );
1783 parse_ret = mbedtls_x509_parse_subject_alt_name( &cur->buf, &san );
1784 if( parse_ret != 0 )
1785 {
1786 if( parse_ret == MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE )
1787 {
1788 ret = mbedtls_snprintf( p, n, "\n%s <unsupported>", prefix );
1789 MBEDTLS_X509_SAFE_SNPRINTF;
1790 }
1791 else
1792 {
1793 ret = mbedtls_snprintf( p, n, "\n%s <malformed>", prefix );
1794 MBEDTLS_X509_SAFE_SNPRINTF;
1795 }
1796 cur = cur->next;
1797 continue;
1798 }
1799
1800 switch( san.type )
1801 {
1802 /*
1803 * otherName
1804 */
1805 case MBEDTLS_X509_SAN_OTHER_NAME:
1806 {
1807 mbedtls_x509_san_other_name *other_name = &san.san.other_name;
1808
1809 ret = mbedtls_snprintf( p, n, "\n%s otherName :", prefix );
1810 MBEDTLS_X509_SAFE_SNPRINTF;
1811
1812 if( MBEDTLS_OID_CMP( MBEDTLS_OID_ON_HW_MODULE_NAME,
1813 &other_name->value.hardware_module_name.oid ) != 0 )
1814 {
1815 ret = mbedtls_snprintf( p, n, "\n%s hardware module name :", prefix );
1816 MBEDTLS_X509_SAFE_SNPRINTF;
1817 ret = mbedtls_snprintf( p, n, "\n%s hardware type : ", prefix );
1818 MBEDTLS_X509_SAFE_SNPRINTF;
1819
1820 ret = mbedtls_oid_get_numeric_string( p, n, &other_name->value.hardware_module_name.oid );
1821 MBEDTLS_X509_SAFE_SNPRINTF;
1822
1823 ret = mbedtls_snprintf( p, n, "\n%s hardware serial number : ", prefix );
1824 MBEDTLS_X509_SAFE_SNPRINTF;
1825
1826 if( other_name->value.hardware_module_name.val.len >= n )
1827 {
1828 *p = '\0';
1829 return( MBEDTLS_ERR_X509_BUFFER_TOO_SMALL );
1830 }
1831
1832 memcpy( p, other_name->value.hardware_module_name.val.p,
1833 other_name->value.hardware_module_name.val.len );
1834 p += other_name->value.hardware_module_name.val.len;
1835
1836 n -= other_name->value.hardware_module_name.val.len;
1837
1838 }/* MBEDTLS_OID_ON_HW_MODULE_NAME */
1839 }
1840 break;
1841
1842 /*
1843 * dNSName
1844 */
1845 case MBEDTLS_X509_SAN_DNS_NAME:
1846 {
1847 ret = mbedtls_snprintf( p, n, "\n%s dNSName : ", prefix );
1848 MBEDTLS_X509_SAFE_SNPRINTF;
1849 if( san.san.unstructured_name.len >= n )
1850 {
1851 *p = '\0';
1852 return( MBEDTLS_ERR_X509_BUFFER_TOO_SMALL );
1853 }
1854
1855 memcpy( p, san.san.unstructured_name.p, san.san.unstructured_name.len );
1856 p += san.san.unstructured_name.len;
1857 n -= san.san.unstructured_name.len;
1858 }
1859 break;
1860
1861 /*
1862 * Type not supported, skip item.
1863 */
1864 default:
1865 ret = mbedtls_snprintf( p, n, "\n%s <unsupported>", prefix );
1866 MBEDTLS_X509_SAFE_SNPRINTF;
1867 break;
1868 }
1869
1870 cur = cur->next;
1871 }
1872
1873 *p = '\0';
1874
1875 *size = n;
1876 *buf = p;
1877
1878 return( 0 );
1879 }
1880
mbedtls_x509_parse_subject_alt_name(const mbedtls_x509_buf * san_buf,mbedtls_x509_subject_alternative_name * san)1881 int mbedtls_x509_parse_subject_alt_name( const mbedtls_x509_buf *san_buf,
1882 mbedtls_x509_subject_alternative_name *san )
1883 {
1884 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1885 switch( san_buf->tag &
1886 ( MBEDTLS_ASN1_TAG_CLASS_MASK |
1887 MBEDTLS_ASN1_TAG_VALUE_MASK ) )
1888 {
1889 /*
1890 * otherName
1891 */
1892 case( MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_X509_SAN_OTHER_NAME ):
1893 {
1894 mbedtls_x509_san_other_name other_name;
1895
1896 ret = x509_get_other_name( san_buf, &other_name );
1897 if( ret != 0 )
1898 return( ret );
1899
1900 memset( san, 0, sizeof( mbedtls_x509_subject_alternative_name ) );
1901 san->type = MBEDTLS_X509_SAN_OTHER_NAME;
1902 memcpy( &san->san.other_name,
1903 &other_name, sizeof( other_name ) );
1904
1905 }
1906 break;
1907
1908 /*
1909 * dNSName
1910 */
1911 case( MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_X509_SAN_DNS_NAME ):
1912 {
1913 memset( san, 0, sizeof( mbedtls_x509_subject_alternative_name ) );
1914 san->type = MBEDTLS_X509_SAN_DNS_NAME;
1915
1916 memcpy( &san->san.unstructured_name,
1917 san_buf, sizeof( *san_buf ) );
1918
1919 }
1920 break;
1921
1922 /*
1923 * Type not supported
1924 */
1925 default:
1926 return( MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE );
1927 }
1928 return( 0 );
1929 }
1930
1931 #define PRINT_ITEM(i) \
1932 { \
1933 ret = mbedtls_snprintf( p, n, "%s" i, sep ); \
1934 MBEDTLS_X509_SAFE_SNPRINTF; \
1935 sep = ", "; \
1936 }
1937
1938 #define CERT_TYPE(type,name) \
1939 if( ns_cert_type & (type) ) \
1940 PRINT_ITEM( name );
1941
x509_info_cert_type(char ** buf,size_t * size,unsigned char ns_cert_type)1942 static int x509_info_cert_type( char **buf, size_t *size,
1943 unsigned char ns_cert_type )
1944 {
1945 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1946 size_t n = *size;
1947 char *p = *buf;
1948 const char *sep = "";
1949
1950 CERT_TYPE( MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT, "SSL Client" );
1951 CERT_TYPE( MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER, "SSL Server" );
1952 CERT_TYPE( MBEDTLS_X509_NS_CERT_TYPE_EMAIL, "Email" );
1953 CERT_TYPE( MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING, "Object Signing" );
1954 CERT_TYPE( MBEDTLS_X509_NS_CERT_TYPE_RESERVED, "Reserved" );
1955 CERT_TYPE( MBEDTLS_X509_NS_CERT_TYPE_SSL_CA, "SSL CA" );
1956 CERT_TYPE( MBEDTLS_X509_NS_CERT_TYPE_EMAIL_CA, "Email CA" );
1957 CERT_TYPE( MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING_CA, "Object Signing CA" );
1958
1959 *size = n;
1960 *buf = p;
1961
1962 return( 0 );
1963 }
1964
1965 #define KEY_USAGE(code,name) \
1966 if( key_usage & (code) ) \
1967 PRINT_ITEM( name );
1968
x509_info_key_usage(char ** buf,size_t * size,unsigned int key_usage)1969 static int x509_info_key_usage( char **buf, size_t *size,
1970 unsigned int key_usage )
1971 {
1972 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1973 size_t n = *size;
1974 char *p = *buf;
1975 const char *sep = "";
1976
1977 KEY_USAGE( MBEDTLS_X509_KU_DIGITAL_SIGNATURE, "Digital Signature" );
1978 KEY_USAGE( MBEDTLS_X509_KU_NON_REPUDIATION, "Non Repudiation" );
1979 KEY_USAGE( MBEDTLS_X509_KU_KEY_ENCIPHERMENT, "Key Encipherment" );
1980 KEY_USAGE( MBEDTLS_X509_KU_DATA_ENCIPHERMENT, "Data Encipherment" );
1981 KEY_USAGE( MBEDTLS_X509_KU_KEY_AGREEMENT, "Key Agreement" );
1982 KEY_USAGE( MBEDTLS_X509_KU_KEY_CERT_SIGN, "Key Cert Sign" );
1983 KEY_USAGE( MBEDTLS_X509_KU_CRL_SIGN, "CRL Sign" );
1984 KEY_USAGE( MBEDTLS_X509_KU_ENCIPHER_ONLY, "Encipher Only" );
1985 KEY_USAGE( MBEDTLS_X509_KU_DECIPHER_ONLY, "Decipher Only" );
1986
1987 *size = n;
1988 *buf = p;
1989
1990 return( 0 );
1991 }
1992
x509_info_ext_key_usage(char ** buf,size_t * size,const mbedtls_x509_sequence * extended_key_usage)1993 static int x509_info_ext_key_usage( char **buf, size_t *size,
1994 const mbedtls_x509_sequence *extended_key_usage )
1995 {
1996 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1997 const char *desc;
1998 size_t n = *size;
1999 char *p = *buf;
2000 const mbedtls_x509_sequence *cur = extended_key_usage;
2001 const char *sep = "";
2002
2003 while( cur != NULL )
2004 {
2005 if( mbedtls_oid_get_extended_key_usage( &cur->buf, &desc ) != 0 )
2006 desc = "???";
2007
2008 ret = mbedtls_snprintf( p, n, "%s%s", sep, desc );
2009 MBEDTLS_X509_SAFE_SNPRINTF;
2010
2011 sep = ", ";
2012
2013 cur = cur->next;
2014 }
2015
2016 *size = n;
2017 *buf = p;
2018
2019 return( 0 );
2020 }
2021
x509_info_cert_policies(char ** buf,size_t * size,const mbedtls_x509_sequence * certificate_policies)2022 static int x509_info_cert_policies( char **buf, size_t *size,
2023 const mbedtls_x509_sequence *certificate_policies )
2024 {
2025 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2026 const char *desc;
2027 size_t n = *size;
2028 char *p = *buf;
2029 const mbedtls_x509_sequence *cur = certificate_policies;
2030 const char *sep = "";
2031
2032 while( cur != NULL )
2033 {
2034 if( mbedtls_oid_get_certificate_policies( &cur->buf, &desc ) != 0 )
2035 desc = "???";
2036
2037 ret = mbedtls_snprintf( p, n, "%s%s", sep, desc );
2038 MBEDTLS_X509_SAFE_SNPRINTF;
2039
2040 sep = ", ";
2041
2042 cur = cur->next;
2043 }
2044
2045 *size = n;
2046 *buf = p;
2047
2048 return( 0 );
2049 }
2050
2051 /*
2052 * Return an informational string about the certificate.
2053 */
2054 #define BEFORE_COLON 18
2055 #define BC "18"
mbedtls_x509_crt_info(char * buf,size_t size,const char * prefix,const mbedtls_x509_crt * crt)2056 int mbedtls_x509_crt_info( char *buf, size_t size, const char *prefix,
2057 const mbedtls_x509_crt *crt )
2058 {
2059 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2060 size_t n;
2061 char *p;
2062 char key_size_str[BEFORE_COLON];
2063
2064 p = buf;
2065 n = size;
2066
2067 if( NULL == crt )
2068 {
2069 ret = mbedtls_snprintf( p, n, "\nCertificate is uninitialised!\n" );
2070 MBEDTLS_X509_SAFE_SNPRINTF;
2071
2072 return( (int) ( size - n ) );
2073 }
2074
2075 ret = mbedtls_snprintf( p, n, "%scert. version : %d\n",
2076 prefix, crt->version );
2077 MBEDTLS_X509_SAFE_SNPRINTF;
2078 ret = mbedtls_snprintf( p, n, "%sserial number : ",
2079 prefix );
2080 MBEDTLS_X509_SAFE_SNPRINTF;
2081
2082 ret = mbedtls_x509_serial_gets( p, n, &crt->serial );
2083 MBEDTLS_X509_SAFE_SNPRINTF;
2084
2085 ret = mbedtls_snprintf( p, n, "\n%sissuer name : ", prefix );
2086 MBEDTLS_X509_SAFE_SNPRINTF;
2087 ret = mbedtls_x509_dn_gets( p, n, &crt->issuer );
2088 MBEDTLS_X509_SAFE_SNPRINTF;
2089
2090 ret = mbedtls_snprintf( p, n, "\n%ssubject name : ", prefix );
2091 MBEDTLS_X509_SAFE_SNPRINTF;
2092 ret = mbedtls_x509_dn_gets( p, n, &crt->subject );
2093 MBEDTLS_X509_SAFE_SNPRINTF;
2094
2095 ret = mbedtls_snprintf( p, n, "\n%sissued on : " \
2096 "%04d-%02d-%02d %02d:%02d:%02d", prefix,
2097 crt->valid_from.year, crt->valid_from.mon,
2098 crt->valid_from.day, crt->valid_from.hour,
2099 crt->valid_from.min, crt->valid_from.sec );
2100 MBEDTLS_X509_SAFE_SNPRINTF;
2101
2102 ret = mbedtls_snprintf( p, n, "\n%sexpires on : " \
2103 "%04d-%02d-%02d %02d:%02d:%02d", prefix,
2104 crt->valid_to.year, crt->valid_to.mon,
2105 crt->valid_to.day, crt->valid_to.hour,
2106 crt->valid_to.min, crt->valid_to.sec );
2107 MBEDTLS_X509_SAFE_SNPRINTF;
2108
2109 ret = mbedtls_snprintf( p, n, "\n%ssigned using : ", prefix );
2110 MBEDTLS_X509_SAFE_SNPRINTF;
2111
2112 ret = mbedtls_x509_sig_alg_gets( p, n, &crt->sig_oid, crt->sig_pk,
2113 crt->sig_md, crt->sig_opts );
2114 MBEDTLS_X509_SAFE_SNPRINTF;
2115
2116 /* Key size */
2117 if( ( ret = mbedtls_x509_key_size_helper( key_size_str, BEFORE_COLON,
2118 mbedtls_pk_get_name( &crt->pk ) ) ) != 0 )
2119 {
2120 return( ret );
2121 }
2122
2123 ret = mbedtls_snprintf( p, n, "\n%s%-" BC "s: %d bits", prefix, key_size_str,
2124 (int) mbedtls_pk_get_bitlen( &crt->pk ) );
2125 MBEDTLS_X509_SAFE_SNPRINTF;
2126
2127 /*
2128 * Optional extensions
2129 */
2130
2131 if( crt->ext_types & MBEDTLS_X509_EXT_BASIC_CONSTRAINTS )
2132 {
2133 ret = mbedtls_snprintf( p, n, "\n%sbasic constraints : CA=%s", prefix,
2134 crt->ca_istrue ? "true" : "false" );
2135 MBEDTLS_X509_SAFE_SNPRINTF;
2136
2137 if( crt->max_pathlen > 0 )
2138 {
2139 ret = mbedtls_snprintf( p, n, ", max_pathlen=%d", crt->max_pathlen - 1 );
2140 MBEDTLS_X509_SAFE_SNPRINTF;
2141 }
2142 }
2143
2144 if( crt->ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME )
2145 {
2146 ret = mbedtls_snprintf( p, n, "\n%ssubject alt name :", prefix );
2147 MBEDTLS_X509_SAFE_SNPRINTF;
2148
2149 if( ( ret = x509_info_subject_alt_name( &p, &n,
2150 &crt->subject_alt_names,
2151 prefix ) ) != 0 )
2152 return( ret );
2153 }
2154
2155 if( crt->ext_types & MBEDTLS_X509_EXT_NS_CERT_TYPE )
2156 {
2157 ret = mbedtls_snprintf( p, n, "\n%scert. type : ", prefix );
2158 MBEDTLS_X509_SAFE_SNPRINTF;
2159
2160 if( ( ret = x509_info_cert_type( &p, &n, crt->ns_cert_type ) ) != 0 )
2161 return( ret );
2162 }
2163
2164 if( crt->ext_types & MBEDTLS_X509_EXT_KEY_USAGE )
2165 {
2166 ret = mbedtls_snprintf( p, n, "\n%skey usage : ", prefix );
2167 MBEDTLS_X509_SAFE_SNPRINTF;
2168
2169 if( ( ret = x509_info_key_usage( &p, &n, crt->key_usage ) ) != 0 )
2170 return( ret );
2171 }
2172
2173 if( crt->ext_types & MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE )
2174 {
2175 ret = mbedtls_snprintf( p, n, "\n%sext key usage : ", prefix );
2176 MBEDTLS_X509_SAFE_SNPRINTF;
2177
2178 if( ( ret = x509_info_ext_key_usage( &p, &n,
2179 &crt->ext_key_usage ) ) != 0 )
2180 return( ret );
2181 }
2182
2183 if( crt->ext_types & MBEDTLS_OID_X509_EXT_CERTIFICATE_POLICIES )
2184 {
2185 ret = mbedtls_snprintf( p, n, "\n%scertificate policies : ", prefix );
2186 MBEDTLS_X509_SAFE_SNPRINTF;
2187
2188 if( ( ret = x509_info_cert_policies( &p, &n,
2189 &crt->certificate_policies ) ) != 0 )
2190 return( ret );
2191 }
2192
2193 ret = mbedtls_snprintf( p, n, "\n" );
2194 MBEDTLS_X509_SAFE_SNPRINTF;
2195
2196 return( (int) ( size - n ) );
2197 }
2198
2199 struct x509_crt_verify_string {
2200 int code;
2201 const char *string;
2202 };
2203
2204 static const struct x509_crt_verify_string x509_crt_verify_strings[] = {
2205 { MBEDTLS_X509_BADCERT_EXPIRED, "The certificate validity has expired" },
2206 { MBEDTLS_X509_BADCERT_REVOKED, "The certificate has been revoked (is on a CRL)" },
2207 { MBEDTLS_X509_BADCERT_CN_MISMATCH, "The certificate Common Name (CN) does not match with the expected CN" },
2208 { MBEDTLS_X509_BADCERT_NOT_TRUSTED, "The certificate is not correctly signed by the trusted CA" },
2209 { MBEDTLS_X509_BADCRL_NOT_TRUSTED, "The CRL is not correctly signed by the trusted CA" },
2210 { MBEDTLS_X509_BADCRL_EXPIRED, "The CRL is expired" },
2211 { MBEDTLS_X509_BADCERT_MISSING, "Certificate was missing" },
2212 { MBEDTLS_X509_BADCERT_SKIP_VERIFY, "Certificate verification was skipped" },
2213 { MBEDTLS_X509_BADCERT_OTHER, "Other reason (can be used by verify callback)" },
2214 { MBEDTLS_X509_BADCERT_FUTURE, "The certificate validity starts in the future" },
2215 { MBEDTLS_X509_BADCRL_FUTURE, "The CRL is from the future" },
2216 { MBEDTLS_X509_BADCERT_KEY_USAGE, "Usage does not match the keyUsage extension" },
2217 { MBEDTLS_X509_BADCERT_EXT_KEY_USAGE, "Usage does not match the extendedKeyUsage extension" },
2218 { MBEDTLS_X509_BADCERT_NS_CERT_TYPE, "Usage does not match the nsCertType extension" },
2219 { MBEDTLS_X509_BADCERT_BAD_MD, "The certificate is signed with an unacceptable hash." },
2220 { MBEDTLS_X509_BADCERT_BAD_PK, "The certificate is signed with an unacceptable PK alg (eg RSA vs ECDSA)." },
2221 { MBEDTLS_X509_BADCERT_BAD_KEY, "The certificate is signed with an unacceptable key (eg bad curve, RSA too short)." },
2222 { MBEDTLS_X509_BADCRL_BAD_MD, "The CRL is signed with an unacceptable hash." },
2223 { MBEDTLS_X509_BADCRL_BAD_PK, "The CRL is signed with an unacceptable PK alg (eg RSA vs ECDSA)." },
2224 { MBEDTLS_X509_BADCRL_BAD_KEY, "The CRL is signed with an unacceptable key (eg bad curve, RSA too short)." },
2225 { 0, NULL }
2226 };
2227
mbedtls_x509_crt_verify_info(char * buf,size_t size,const char * prefix,uint32_t flags)2228 int mbedtls_x509_crt_verify_info( char *buf, size_t size, const char *prefix,
2229 uint32_t flags )
2230 {
2231 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2232 const struct x509_crt_verify_string *cur;
2233 char *p = buf;
2234 size_t n = size;
2235
2236 for( cur = x509_crt_verify_strings; cur->string != NULL ; cur++ )
2237 {
2238 if( ( flags & cur->code ) == 0 )
2239 continue;
2240
2241 ret = mbedtls_snprintf( p, n, "%s%s\n", prefix, cur->string );
2242 MBEDTLS_X509_SAFE_SNPRINTF;
2243 flags ^= cur->code;
2244 }
2245
2246 if( flags != 0 )
2247 {
2248 ret = mbedtls_snprintf( p, n, "%sUnknown reason "
2249 "(this should not happen)\n", prefix );
2250 MBEDTLS_X509_SAFE_SNPRINTF;
2251 }
2252
2253 return( (int) ( size - n ) );
2254 }
2255
2256 #if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
mbedtls_x509_crt_check_key_usage(const mbedtls_x509_crt * crt,unsigned int usage)2257 int mbedtls_x509_crt_check_key_usage( const mbedtls_x509_crt *crt,
2258 unsigned int usage )
2259 {
2260 unsigned int usage_must, usage_may;
2261 unsigned int may_mask = MBEDTLS_X509_KU_ENCIPHER_ONLY
2262 | MBEDTLS_X509_KU_DECIPHER_ONLY;
2263
2264 if( ( crt->ext_types & MBEDTLS_X509_EXT_KEY_USAGE ) == 0 )
2265 return( 0 );
2266
2267 usage_must = usage & ~may_mask;
2268
2269 if( ( ( crt->key_usage & ~may_mask ) & usage_must ) != usage_must )
2270 return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
2271
2272 usage_may = usage & may_mask;
2273
2274 if( ( ( crt->key_usage & may_mask ) | usage_may ) != usage_may )
2275 return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
2276
2277 return( 0 );
2278 }
2279 #endif
2280
2281 #if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
mbedtls_x509_crt_check_extended_key_usage(const mbedtls_x509_crt * crt,const char * usage_oid,size_t usage_len)2282 int mbedtls_x509_crt_check_extended_key_usage( const mbedtls_x509_crt *crt,
2283 const char *usage_oid,
2284 size_t usage_len )
2285 {
2286 const mbedtls_x509_sequence *cur;
2287
2288 /* Extension is not mandatory, absent means no restriction */
2289 if( ( crt->ext_types & MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE ) == 0 )
2290 return( 0 );
2291
2292 /*
2293 * Look for the requested usage (or wildcard ANY) in our list
2294 */
2295 for( cur = &crt->ext_key_usage; cur != NULL; cur = cur->next )
2296 {
2297 const mbedtls_x509_buf *cur_oid = &cur->buf;
2298
2299 if( cur_oid->len == usage_len &&
2300 memcmp( cur_oid->p, usage_oid, usage_len ) == 0 )
2301 {
2302 return( 0 );
2303 }
2304
2305 if( MBEDTLS_OID_CMP( MBEDTLS_OID_ANY_EXTENDED_KEY_USAGE, cur_oid ) == 0 )
2306 return( 0 );
2307 }
2308
2309 return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
2310 }
2311 #endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE */
2312
2313 #if defined(MBEDTLS_X509_CRL_PARSE_C)
2314 /*
2315 * Return 1 if the certificate is revoked, or 0 otherwise.
2316 */
mbedtls_x509_crt_is_revoked(const mbedtls_x509_crt * crt,const mbedtls_x509_crl * crl)2317 int mbedtls_x509_crt_is_revoked( const mbedtls_x509_crt *crt, const mbedtls_x509_crl *crl )
2318 {
2319 const mbedtls_x509_crl_entry *cur = &crl->entry;
2320
2321 while( cur != NULL && cur->serial.len != 0 )
2322 {
2323 if( crt->serial.len == cur->serial.len &&
2324 memcmp( crt->serial.p, cur->serial.p, crt->serial.len ) == 0 )
2325 {
2326 return( 1 );
2327 }
2328
2329 cur = cur->next;
2330 }
2331
2332 return( 0 );
2333 }
2334
2335 /*
2336 * Check that the given certificate is not revoked according to the CRL.
2337 * Skip validation if no CRL for the given CA is present.
2338 */
x509_crt_verifycrl(mbedtls_x509_crt * crt,mbedtls_x509_crt * ca,mbedtls_x509_crl * crl_list,const mbedtls_x509_crt_profile * profile)2339 static int x509_crt_verifycrl( mbedtls_x509_crt *crt, mbedtls_x509_crt *ca,
2340 mbedtls_x509_crl *crl_list,
2341 const mbedtls_x509_crt_profile *profile )
2342 {
2343 int flags = 0;
2344 unsigned char hash[MBEDTLS_MD_MAX_SIZE];
2345 const mbedtls_md_info_t *md_info;
2346
2347 if( ca == NULL )
2348 return( flags );
2349
2350 while( crl_list != NULL )
2351 {
2352 if( crl_list->version == 0 ||
2353 x509_name_cmp( &crl_list->issuer, &ca->subject ) != 0 )
2354 {
2355 crl_list = crl_list->next;
2356 continue;
2357 }
2358
2359 /*
2360 * Check if the CA is configured to sign CRLs
2361 */
2362 #if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
2363 if( mbedtls_x509_crt_check_key_usage( ca,
2364 MBEDTLS_X509_KU_CRL_SIGN ) != 0 )
2365 {
2366 flags |= MBEDTLS_X509_BADCRL_NOT_TRUSTED;
2367 break;
2368 }
2369 #endif
2370
2371 /*
2372 * Check if CRL is correctly signed by the trusted CA
2373 */
2374 if( x509_profile_check_md_alg( profile, crl_list->sig_md ) != 0 )
2375 flags |= MBEDTLS_X509_BADCRL_BAD_MD;
2376
2377 if( x509_profile_check_pk_alg( profile, crl_list->sig_pk ) != 0 )
2378 flags |= MBEDTLS_X509_BADCRL_BAD_PK;
2379
2380 md_info = mbedtls_md_info_from_type( crl_list->sig_md );
2381 if( mbedtls_md( md_info, crl_list->tbs.p, crl_list->tbs.len, hash ) != 0 )
2382 {
2383 /* Note: this can't happen except after an internal error */
2384 flags |= MBEDTLS_X509_BADCRL_NOT_TRUSTED;
2385 break;
2386 }
2387
2388 if( x509_profile_check_key( profile, &ca->pk ) != 0 )
2389 flags |= MBEDTLS_X509_BADCERT_BAD_KEY;
2390
2391 if( mbedtls_pk_verify_ext( crl_list->sig_pk, crl_list->sig_opts, &ca->pk,
2392 crl_list->sig_md, hash, mbedtls_md_get_size( md_info ),
2393 crl_list->sig.p, crl_list->sig.len ) != 0 )
2394 {
2395 flags |= MBEDTLS_X509_BADCRL_NOT_TRUSTED;
2396 break;
2397 }
2398
2399 /*
2400 * Check for validity of CRL (Do not drop out)
2401 */
2402 if( mbedtls_x509_time_is_past( &crl_list->next_update ) )
2403 flags |= MBEDTLS_X509_BADCRL_EXPIRED;
2404
2405 if( mbedtls_x509_time_is_future( &crl_list->this_update ) )
2406 flags |= MBEDTLS_X509_BADCRL_FUTURE;
2407
2408 /*
2409 * Check if certificate is revoked
2410 */
2411 if( mbedtls_x509_crt_is_revoked( crt, crl_list ) )
2412 {
2413 flags |= MBEDTLS_X509_BADCERT_REVOKED;
2414 break;
2415 }
2416
2417 crl_list = crl_list->next;
2418 }
2419
2420 return( flags );
2421 }
2422 #endif /* MBEDTLS_X509_CRL_PARSE_C */
2423
2424 /*
2425 * Check the signature of a certificate by its parent
2426 */
x509_crt_check_signature(const mbedtls_x509_crt * child,mbedtls_x509_crt * parent,mbedtls_x509_crt_restart_ctx * rs_ctx)2427 static int x509_crt_check_signature( const mbedtls_x509_crt *child,
2428 mbedtls_x509_crt *parent,
2429 mbedtls_x509_crt_restart_ctx *rs_ctx )
2430 {
2431 unsigned char hash[MBEDTLS_MD_MAX_SIZE];
2432 size_t hash_len;
2433 #if !defined(MBEDTLS_USE_PSA_CRYPTO)
2434 const mbedtls_md_info_t *md_info;
2435 md_info = mbedtls_md_info_from_type( child->sig_md );
2436 hash_len = mbedtls_md_get_size( md_info );
2437
2438 /* Note: hash errors can happen only after an internal error */
2439 if( mbedtls_md( md_info, child->tbs.p, child->tbs.len, hash ) != 0 )
2440 return( -1 );
2441 #else
2442 psa_hash_operation_t hash_operation = PSA_HASH_OPERATION_INIT;
2443 psa_algorithm_t hash_alg = mbedtls_psa_translate_md( child->sig_md );
2444
2445 if( psa_hash_setup( &hash_operation, hash_alg ) != PSA_SUCCESS )
2446 return( -1 );
2447
2448 if( psa_hash_update( &hash_operation, child->tbs.p, child->tbs.len )
2449 != PSA_SUCCESS )
2450 {
2451 return( -1 );
2452 }
2453
2454 if( psa_hash_finish( &hash_operation, hash, sizeof( hash ), &hash_len )
2455 != PSA_SUCCESS )
2456 {
2457 return( -1 );
2458 }
2459 #endif /* MBEDTLS_USE_PSA_CRYPTO */
2460 /* Skip expensive computation on obvious mismatch */
2461 if( ! mbedtls_pk_can_do( &parent->pk, child->sig_pk ) )
2462 return( -1 );
2463
2464 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
2465 if( rs_ctx != NULL && child->sig_pk == MBEDTLS_PK_ECDSA )
2466 {
2467 return( mbedtls_pk_verify_restartable( &parent->pk,
2468 child->sig_md, hash, hash_len,
2469 child->sig.p, child->sig.len, &rs_ctx->pk ) );
2470 }
2471 #else
2472 (void) rs_ctx;
2473 #endif
2474
2475 return( mbedtls_pk_verify_ext( child->sig_pk, child->sig_opts, &parent->pk,
2476 child->sig_md, hash, hash_len,
2477 child->sig.p, child->sig.len ) );
2478 }
2479
2480 /*
2481 * Check if 'parent' is a suitable parent (signing CA) for 'child'.
2482 * Return 0 if yes, -1 if not.
2483 *
2484 * top means parent is a locally-trusted certificate
2485 */
x509_crt_check_parent(const mbedtls_x509_crt * child,const mbedtls_x509_crt * parent,int top)2486 static int x509_crt_check_parent( const mbedtls_x509_crt *child,
2487 const mbedtls_x509_crt *parent,
2488 int top )
2489 {
2490 int need_ca_bit;
2491
2492 /* Parent must be the issuer */
2493 if( x509_name_cmp( &child->issuer, &parent->subject ) != 0 )
2494 return( -1 );
2495
2496 /* Parent must have the basicConstraints CA bit set as a general rule */
2497 need_ca_bit = 1;
2498
2499 /* Exception: v1/v2 certificates that are locally trusted. */
2500 if( top && parent->version < 3 )
2501 need_ca_bit = 0;
2502
2503 if( need_ca_bit && ! parent->ca_istrue )
2504 return( -1 );
2505
2506 #if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
2507 if( need_ca_bit &&
2508 mbedtls_x509_crt_check_key_usage( parent, MBEDTLS_X509_KU_KEY_CERT_SIGN ) != 0 )
2509 {
2510 return( -1 );
2511 }
2512 #endif
2513
2514 return( 0 );
2515 }
2516
2517 /*
2518 * Find a suitable parent for child in candidates, or return NULL.
2519 *
2520 * Here suitable is defined as:
2521 * 1. subject name matches child's issuer
2522 * 2. if necessary, the CA bit is set and key usage allows signing certs
2523 * 3. for trusted roots, the signature is correct
2524 * (for intermediates, the signature is checked and the result reported)
2525 * 4. pathlen constraints are satisfied
2526 *
2527 * If there's a suitable candidate which is also time-valid, return the first
2528 * such. Otherwise, return the first suitable candidate (or NULL if there is
2529 * none).
2530 *
2531 * The rationale for this rule is that someone could have a list of trusted
2532 * roots with two versions on the same root with different validity periods.
2533 * (At least one user reported having such a list and wanted it to just work.)
2534 * The reason we don't just require time-validity is that generally there is
2535 * only one version, and if it's expired we want the flags to state that
2536 * rather than NOT_TRUSTED, as would be the case if we required it here.
2537 *
2538 * The rationale for rule 3 (signature for trusted roots) is that users might
2539 * have two versions of the same CA with different keys in their list, and the
2540 * way we select the correct one is by checking the signature (as we don't
2541 * rely on key identifier extensions). (This is one way users might choose to
2542 * handle key rollover, another relies on self-issued certs, see [SIRO].)
2543 *
2544 * Arguments:
2545 * - [in] child: certificate for which we're looking for a parent
2546 * - [in] candidates: chained list of potential parents
2547 * - [out] r_parent: parent found (or NULL)
2548 * - [out] r_signature_is_good: 1 if child signature by parent is valid, or 0
2549 * - [in] top: 1 if candidates consists of trusted roots, ie we're at the top
2550 * of the chain, 0 otherwise
2551 * - [in] path_cnt: number of intermediates seen so far
2552 * - [in] self_cnt: number of self-signed intermediates seen so far
2553 * (will never be greater than path_cnt)
2554 * - [in-out] rs_ctx: context for restarting operations
2555 *
2556 * Return value:
2557 * - 0 on success
2558 * - MBEDTLS_ERR_ECP_IN_PROGRESS otherwise
2559 */
x509_crt_find_parent_in(mbedtls_x509_crt * child,mbedtls_x509_crt * candidates,mbedtls_x509_crt ** r_parent,int * r_signature_is_good,int top,unsigned path_cnt,unsigned self_cnt,mbedtls_x509_crt_restart_ctx * rs_ctx)2560 static int x509_crt_find_parent_in(
2561 mbedtls_x509_crt *child,
2562 mbedtls_x509_crt *candidates,
2563 mbedtls_x509_crt **r_parent,
2564 int *r_signature_is_good,
2565 int top,
2566 unsigned path_cnt,
2567 unsigned self_cnt,
2568 mbedtls_x509_crt_restart_ctx *rs_ctx )
2569 {
2570 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2571 mbedtls_x509_crt *parent, *fallback_parent;
2572 int signature_is_good = 0, fallback_signature_is_good;
2573
2574 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
2575 /* did we have something in progress? */
2576 if( rs_ctx != NULL && rs_ctx->parent != NULL )
2577 {
2578 /* restore saved state */
2579 parent = rs_ctx->parent;
2580 fallback_parent = rs_ctx->fallback_parent;
2581 fallback_signature_is_good = rs_ctx->fallback_signature_is_good;
2582
2583 /* clear saved state */
2584 rs_ctx->parent = NULL;
2585 rs_ctx->fallback_parent = NULL;
2586 rs_ctx->fallback_signature_is_good = 0;
2587
2588 /* resume where we left */
2589 goto check_signature;
2590 }
2591 #endif
2592
2593 fallback_parent = NULL;
2594 fallback_signature_is_good = 0;
2595
2596 for( parent = candidates; parent != NULL; parent = parent->next )
2597 {
2598 /* basic parenting skills (name, CA bit, key usage) */
2599 if( x509_crt_check_parent( child, parent, top ) != 0 )
2600 continue;
2601
2602 /* +1 because stored max_pathlen is 1 higher that the actual value */
2603 if( parent->max_pathlen > 0 &&
2604 (size_t) parent->max_pathlen < 1 + path_cnt - self_cnt )
2605 {
2606 continue;
2607 }
2608
2609 /* Signature */
2610 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
2611 check_signature:
2612 #endif
2613 ret = x509_crt_check_signature( child, parent, rs_ctx );
2614
2615 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
2616 if( rs_ctx != NULL && ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
2617 {
2618 /* save state */
2619 rs_ctx->parent = parent;
2620 rs_ctx->fallback_parent = fallback_parent;
2621 rs_ctx->fallback_signature_is_good = fallback_signature_is_good;
2622
2623 return( ret );
2624 }
2625 #else
2626 (void) ret;
2627 #endif
2628
2629 signature_is_good = ret == 0;
2630 if( top && ! signature_is_good )
2631 continue;
2632
2633 /* optional time check */
2634 if( mbedtls_x509_time_is_past( &parent->valid_to ) ||
2635 mbedtls_x509_time_is_future( &parent->valid_from ) )
2636 {
2637 if( fallback_parent == NULL )
2638 {
2639 fallback_parent = parent;
2640 fallback_signature_is_good = signature_is_good;
2641 }
2642
2643 continue;
2644 }
2645
2646 *r_parent = parent;
2647 *r_signature_is_good = signature_is_good;
2648
2649 break;
2650 }
2651
2652 if( parent == NULL )
2653 {
2654 *r_parent = fallback_parent;
2655 *r_signature_is_good = fallback_signature_is_good;
2656 }
2657
2658 return( 0 );
2659 }
2660
2661 /*
2662 * Find a parent in trusted CAs or the provided chain, or return NULL.
2663 *
2664 * Searches in trusted CAs first, and return the first suitable parent found
2665 * (see find_parent_in() for definition of suitable).
2666 *
2667 * Arguments:
2668 * - [in] child: certificate for which we're looking for a parent, followed
2669 * by a chain of possible intermediates
2670 * - [in] trust_ca: list of locally trusted certificates
2671 * - [out] parent: parent found (or NULL)
2672 * - [out] parent_is_trusted: 1 if returned `parent` is trusted, or 0
2673 * - [out] signature_is_good: 1 if child signature by parent is valid, or 0
2674 * - [in] path_cnt: number of links in the chain so far (EE -> ... -> child)
2675 * - [in] self_cnt: number of self-signed certs in the chain so far
2676 * (will always be no greater than path_cnt)
2677 * - [in-out] rs_ctx: context for restarting operations
2678 *
2679 * Return value:
2680 * - 0 on success
2681 * - MBEDTLS_ERR_ECP_IN_PROGRESS otherwise
2682 */
x509_crt_find_parent(mbedtls_x509_crt * child,mbedtls_x509_crt * trust_ca,mbedtls_x509_crt ** parent,int * parent_is_trusted,int * signature_is_good,unsigned path_cnt,unsigned self_cnt,mbedtls_x509_crt_restart_ctx * rs_ctx)2683 static int x509_crt_find_parent(
2684 mbedtls_x509_crt *child,
2685 mbedtls_x509_crt *trust_ca,
2686 mbedtls_x509_crt **parent,
2687 int *parent_is_trusted,
2688 int *signature_is_good,
2689 unsigned path_cnt,
2690 unsigned self_cnt,
2691 mbedtls_x509_crt_restart_ctx *rs_ctx )
2692 {
2693 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2694 mbedtls_x509_crt *search_list;
2695
2696 *parent_is_trusted = 1;
2697
2698 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
2699 /* restore then clear saved state if we have some stored */
2700 if( rs_ctx != NULL && rs_ctx->parent_is_trusted != -1 )
2701 {
2702 *parent_is_trusted = rs_ctx->parent_is_trusted;
2703 rs_ctx->parent_is_trusted = -1;
2704 }
2705 #endif
2706
2707 while( 1 ) {
2708 search_list = *parent_is_trusted ? trust_ca : child->next;
2709
2710 ret = x509_crt_find_parent_in( child, search_list,
2711 parent, signature_is_good,
2712 *parent_is_trusted,
2713 path_cnt, self_cnt, rs_ctx );
2714
2715 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
2716 if( rs_ctx != NULL && ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
2717 {
2718 /* save state */
2719 rs_ctx->parent_is_trusted = *parent_is_trusted;
2720 return( ret );
2721 }
2722 #else
2723 (void) ret;
2724 #endif
2725
2726 /* stop here if found or already in second iteration */
2727 if( *parent != NULL || *parent_is_trusted == 0 )
2728 break;
2729
2730 /* prepare second iteration */
2731 *parent_is_trusted = 0;
2732 }
2733
2734 /* extra precaution against mistakes in the caller */
2735 if( *parent == NULL )
2736 {
2737 *parent_is_trusted = 0;
2738 *signature_is_good = 0;
2739 }
2740
2741 return( 0 );
2742 }
2743
2744 /*
2745 * Check if an end-entity certificate is locally trusted
2746 *
2747 * Currently we require such certificates to be self-signed (actually only
2748 * check for self-issued as self-signatures are not checked)
2749 */
x509_crt_check_ee_locally_trusted(mbedtls_x509_crt * crt,mbedtls_x509_crt * trust_ca)2750 static int x509_crt_check_ee_locally_trusted(
2751 mbedtls_x509_crt *crt,
2752 mbedtls_x509_crt *trust_ca )
2753 {
2754 mbedtls_x509_crt *cur;
2755
2756 /* must be self-issued */
2757 if( x509_name_cmp( &crt->issuer, &crt->subject ) != 0 )
2758 return( -1 );
2759
2760 /* look for an exact match with trusted cert */
2761 for( cur = trust_ca; cur != NULL; cur = cur->next )
2762 {
2763 if( crt->raw.len == cur->raw.len &&
2764 memcmp( crt->raw.p, cur->raw.p, crt->raw.len ) == 0 )
2765 {
2766 return( 0 );
2767 }
2768 }
2769
2770 /* too bad */
2771 return( -1 );
2772 }
2773
2774 /*
2775 * Build and verify a certificate chain
2776 *
2777 * Given a peer-provided list of certificates EE, C1, ..., Cn and
2778 * a list of trusted certs R1, ... Rp, try to build and verify a chain
2779 * EE, Ci1, ... Ciq [, Rj]
2780 * such that every cert in the chain is a child of the next one,
2781 * jumping to a trusted root as early as possible.
2782 *
2783 * Verify that chain and return it with flags for all issues found.
2784 *
2785 * Special cases:
2786 * - EE == Rj -> return a one-element list containing it
2787 * - EE, Ci1, ..., Ciq cannot be continued with a trusted root
2788 * -> return that chain with NOT_TRUSTED set on Ciq
2789 *
2790 * Tests for (aspects of) this function should include at least:
2791 * - trusted EE
2792 * - EE -> trusted root
2793 * - EE -> intermediate CA -> trusted root
2794 * - if relevant: EE untrusted
2795 * - if relevant: EE -> intermediate, untrusted
2796 * with the aspect under test checked at each relevant level (EE, int, root).
2797 * For some aspects longer chains are required, but usually length 2 is
2798 * enough (but length 1 is not in general).
2799 *
2800 * Arguments:
2801 * - [in] crt: the cert list EE, C1, ..., Cn
2802 * - [in] trust_ca: the trusted list R1, ..., Rp
2803 * - [in] ca_crl, profile: as in verify_with_profile()
2804 * - [out] ver_chain: the built and verified chain
2805 * Only valid when return value is 0, may contain garbage otherwise!
2806 * Restart note: need not be the same when calling again to resume.
2807 * - [in-out] rs_ctx: context for restarting operations
2808 *
2809 * Return value:
2810 * - non-zero if the chain could not be fully built and examined
2811 * - 0 is the chain was successfully built and examined,
2812 * even if it was found to be invalid
2813 */
x509_crt_verify_chain(mbedtls_x509_crt * crt,mbedtls_x509_crt * trust_ca,mbedtls_x509_crl * ca_crl,mbedtls_x509_crt_ca_cb_t f_ca_cb,void * p_ca_cb,const mbedtls_x509_crt_profile * profile,mbedtls_x509_crt_verify_chain * ver_chain,mbedtls_x509_crt_restart_ctx * rs_ctx)2814 static int x509_crt_verify_chain(
2815 mbedtls_x509_crt *crt,
2816 mbedtls_x509_crt *trust_ca,
2817 mbedtls_x509_crl *ca_crl,
2818 mbedtls_x509_crt_ca_cb_t f_ca_cb,
2819 void *p_ca_cb,
2820 const mbedtls_x509_crt_profile *profile,
2821 mbedtls_x509_crt_verify_chain *ver_chain,
2822 mbedtls_x509_crt_restart_ctx *rs_ctx )
2823 {
2824 /* Don't initialize any of those variables here, so that the compiler can
2825 * catch potential issues with jumping ahead when restarting */
2826 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2827 uint32_t *flags;
2828 mbedtls_x509_crt_verify_chain_item *cur;
2829 mbedtls_x509_crt *child;
2830 mbedtls_x509_crt *parent;
2831 int parent_is_trusted;
2832 int child_is_trusted;
2833 int signature_is_good;
2834 unsigned self_cnt;
2835 mbedtls_x509_crt *cur_trust_ca = NULL;
2836
2837 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
2838 /* resume if we had an operation in progress */
2839 if( rs_ctx != NULL && rs_ctx->in_progress == x509_crt_rs_find_parent )
2840 {
2841 /* restore saved state */
2842 *ver_chain = rs_ctx->ver_chain; /* struct copy */
2843 self_cnt = rs_ctx->self_cnt;
2844
2845 /* restore derived state */
2846 cur = &ver_chain->items[ver_chain->len - 1];
2847 child = cur->crt;
2848 flags = &cur->flags;
2849
2850 goto find_parent;
2851 }
2852 #endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
2853
2854 child = crt;
2855 self_cnt = 0;
2856 parent_is_trusted = 0;
2857 child_is_trusted = 0;
2858
2859 while( 1 ) {
2860 /* Add certificate to the verification chain */
2861 cur = &ver_chain->items[ver_chain->len];
2862 cur->crt = child;
2863 cur->flags = 0;
2864 ver_chain->len++;
2865 flags = &cur->flags;
2866
2867 /* Check time-validity (all certificates) */
2868 if( mbedtls_x509_time_is_past( &child->valid_to ) )
2869 *flags |= MBEDTLS_X509_BADCERT_EXPIRED;
2870
2871 if( mbedtls_x509_time_is_future( &child->valid_from ) )
2872 *flags |= MBEDTLS_X509_BADCERT_FUTURE;
2873
2874 /* Stop here for trusted roots (but not for trusted EE certs) */
2875 if( child_is_trusted )
2876 return( 0 );
2877
2878 /* Check signature algorithm: MD & PK algs */
2879 if( x509_profile_check_md_alg( profile, child->sig_md ) != 0 )
2880 *flags |= MBEDTLS_X509_BADCERT_BAD_MD;
2881
2882 if( x509_profile_check_pk_alg( profile, child->sig_pk ) != 0 )
2883 *flags |= MBEDTLS_X509_BADCERT_BAD_PK;
2884
2885 /* Special case: EE certs that are locally trusted */
2886 if( ver_chain->len == 1 &&
2887 x509_crt_check_ee_locally_trusted( child, trust_ca ) == 0 )
2888 {
2889 return( 0 );
2890 }
2891
2892 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
2893 find_parent:
2894 #endif
2895
2896 /* Obtain list of potential trusted signers from CA callback,
2897 * or use statically provided list. */
2898 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
2899 if( f_ca_cb != NULL )
2900 {
2901 mbedtls_x509_crt_free( ver_chain->trust_ca_cb_result );
2902 mbedtls_free( ver_chain->trust_ca_cb_result );
2903 ver_chain->trust_ca_cb_result = NULL;
2904
2905 ret = f_ca_cb( p_ca_cb, child, &ver_chain->trust_ca_cb_result );
2906 if( ret != 0 )
2907 return( MBEDTLS_ERR_X509_FATAL_ERROR );
2908
2909 cur_trust_ca = ver_chain->trust_ca_cb_result;
2910 }
2911 else
2912 #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
2913 {
2914 ((void) f_ca_cb);
2915 ((void) p_ca_cb);
2916 cur_trust_ca = trust_ca;
2917 }
2918
2919 /* Look for a parent in trusted CAs or up the chain */
2920 ret = x509_crt_find_parent( child, cur_trust_ca, &parent,
2921 &parent_is_trusted, &signature_is_good,
2922 ver_chain->len - 1, self_cnt, rs_ctx );
2923
2924 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
2925 if( rs_ctx != NULL && ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
2926 {
2927 /* save state */
2928 rs_ctx->in_progress = x509_crt_rs_find_parent;
2929 rs_ctx->self_cnt = self_cnt;
2930 rs_ctx->ver_chain = *ver_chain; /* struct copy */
2931
2932 return( ret );
2933 }
2934 #else
2935 (void) ret;
2936 #endif
2937
2938 /* No parent? We're done here */
2939 if( parent == NULL )
2940 {
2941 *flags |= MBEDTLS_X509_BADCERT_NOT_TRUSTED;
2942 return( 0 );
2943 }
2944
2945 /* Count intermediate self-issued (not necessarily self-signed) certs.
2946 * These can occur with some strategies for key rollover, see [SIRO],
2947 * and should be excluded from max_pathlen checks. */
2948 if( ver_chain->len != 1 &&
2949 x509_name_cmp( &child->issuer, &child->subject ) == 0 )
2950 {
2951 self_cnt++;
2952 }
2953
2954 /* path_cnt is 0 for the first intermediate CA,
2955 * and if parent is trusted it's not an intermediate CA */
2956 if( ! parent_is_trusted &&
2957 ver_chain->len > MBEDTLS_X509_MAX_INTERMEDIATE_CA )
2958 {
2959 /* return immediately to avoid overflow the chain array */
2960 return( MBEDTLS_ERR_X509_FATAL_ERROR );
2961 }
2962
2963 /* signature was checked while searching parent */
2964 if( ! signature_is_good )
2965 *flags |= MBEDTLS_X509_BADCERT_NOT_TRUSTED;
2966
2967 /* check size of signing key */
2968 if( x509_profile_check_key( profile, &parent->pk ) != 0 )
2969 *flags |= MBEDTLS_X509_BADCERT_BAD_KEY;
2970
2971 #if defined(MBEDTLS_X509_CRL_PARSE_C)
2972 /* Check trusted CA's CRL for the given crt */
2973 *flags |= x509_crt_verifycrl( child, parent, ca_crl, profile );
2974 #else
2975 (void) ca_crl;
2976 #endif
2977
2978 /* prepare for next iteration */
2979 child = parent;
2980 parent = NULL;
2981 child_is_trusted = parent_is_trusted;
2982 signature_is_good = 0;
2983 }
2984 }
2985
2986 /*
2987 * Check for CN match
2988 */
x509_crt_check_cn(const mbedtls_x509_buf * name,const char * cn,size_t cn_len)2989 static int x509_crt_check_cn( const mbedtls_x509_buf *name,
2990 const char *cn, size_t cn_len )
2991 {
2992 /* try exact match */
2993 if( name->len == cn_len &&
2994 x509_memcasecmp( cn, name->p, cn_len ) == 0 )
2995 {
2996 return( 0 );
2997 }
2998
2999 /* try wildcard match */
3000 if( x509_check_wildcard( cn, name ) == 0 )
3001 {
3002 return( 0 );
3003 }
3004
3005 return( -1 );
3006 }
3007
3008 /*
3009 * Check for SAN match, see RFC 5280 Section 4.2.1.6
3010 */
x509_crt_check_san(const mbedtls_x509_buf * name,const char * cn,size_t cn_len)3011 static int x509_crt_check_san( const mbedtls_x509_buf *name,
3012 const char *cn, size_t cn_len )
3013 {
3014 const unsigned char san_type = (unsigned char) name->tag &
3015 MBEDTLS_ASN1_TAG_VALUE_MASK;
3016
3017 /* dNSName */
3018 if( san_type == MBEDTLS_X509_SAN_DNS_NAME )
3019 return( x509_crt_check_cn( name, cn, cn_len ) );
3020
3021 /* (We may handle other types here later.) */
3022
3023 /* Unrecognized type */
3024 return( -1 );
3025 }
3026
3027 /*
3028 * Verify the requested CN - only call this if cn is not NULL!
3029 */
x509_crt_verify_name(const mbedtls_x509_crt * crt,const char * cn,uint32_t * flags)3030 static void x509_crt_verify_name( const mbedtls_x509_crt *crt,
3031 const char *cn,
3032 uint32_t *flags )
3033 {
3034 const mbedtls_x509_name *name;
3035 const mbedtls_x509_sequence *cur;
3036 size_t cn_len = strlen( cn );
3037
3038 if( crt->ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME )
3039 {
3040 for( cur = &crt->subject_alt_names; cur != NULL; cur = cur->next )
3041 {
3042 if( x509_crt_check_san( &cur->buf, cn, cn_len ) == 0 )
3043 break;
3044 }
3045
3046 if( cur == NULL )
3047 *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH;
3048 }
3049 else
3050 {
3051 for( name = &crt->subject; name != NULL; name = name->next )
3052 {
3053 if( MBEDTLS_OID_CMP( MBEDTLS_OID_AT_CN, &name->oid ) == 0 &&
3054 x509_crt_check_cn( &name->val, cn, cn_len ) == 0 )
3055 {
3056 break;
3057 }
3058 }
3059
3060 if( name == NULL )
3061 *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH;
3062 }
3063 }
3064
3065 /*
3066 * Merge the flags for all certs in the chain, after calling callback
3067 */
x509_crt_merge_flags_with_cb(uint32_t * flags,const mbedtls_x509_crt_verify_chain * ver_chain,int (* f_vrfy)(void *,mbedtls_x509_crt *,int,uint32_t *),void * p_vrfy)3068 static int x509_crt_merge_flags_with_cb(
3069 uint32_t *flags,
3070 const mbedtls_x509_crt_verify_chain *ver_chain,
3071 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
3072 void *p_vrfy )
3073 {
3074 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3075 unsigned i;
3076 uint32_t cur_flags;
3077 const mbedtls_x509_crt_verify_chain_item *cur;
3078
3079 for( i = ver_chain->len; i != 0; --i )
3080 {
3081 cur = &ver_chain->items[i-1];
3082 cur_flags = cur->flags;
3083
3084 if( NULL != f_vrfy )
3085 if( ( ret = f_vrfy( p_vrfy, cur->crt, (int) i-1, &cur_flags ) ) != 0 )
3086 return( ret );
3087
3088 *flags |= cur_flags;
3089 }
3090
3091 return( 0 );
3092 }
3093
3094 /*
3095 * Verify the certificate validity, with profile, restartable version
3096 *
3097 * This function:
3098 * - checks the requested CN (if any)
3099 * - checks the type and size of the EE cert's key,
3100 * as that isn't done as part of chain building/verification currently
3101 * - builds and verifies the chain
3102 * - then calls the callback and merges the flags
3103 *
3104 * The parameters pairs `trust_ca`, `ca_crl` and `f_ca_cb`, `p_ca_cb`
3105 * are mutually exclusive: If `f_ca_cb != NULL`, it will be used by the
3106 * verification routine to search for trusted signers, and CRLs will
3107 * be disabled. Otherwise, `trust_ca` will be used as the static list
3108 * of trusted signers, and `ca_crl` will be use as the static list
3109 * of CRLs.
3110 */
x509_crt_verify_restartable_ca_cb(mbedtls_x509_crt * crt,mbedtls_x509_crt * trust_ca,mbedtls_x509_crl * ca_crl,mbedtls_x509_crt_ca_cb_t f_ca_cb,void * p_ca_cb,const mbedtls_x509_crt_profile * profile,const char * cn,uint32_t * flags,int (* f_vrfy)(void *,mbedtls_x509_crt *,int,uint32_t *),void * p_vrfy,mbedtls_x509_crt_restart_ctx * rs_ctx)3111 static int x509_crt_verify_restartable_ca_cb( mbedtls_x509_crt *crt,
3112 mbedtls_x509_crt *trust_ca,
3113 mbedtls_x509_crl *ca_crl,
3114 mbedtls_x509_crt_ca_cb_t f_ca_cb,
3115 void *p_ca_cb,
3116 const mbedtls_x509_crt_profile *profile,
3117 const char *cn, uint32_t *flags,
3118 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
3119 void *p_vrfy,
3120 mbedtls_x509_crt_restart_ctx *rs_ctx )
3121 {
3122 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3123 mbedtls_pk_type_t pk_type;
3124 mbedtls_x509_crt_verify_chain ver_chain;
3125 uint32_t ee_flags;
3126
3127 *flags = 0;
3128 ee_flags = 0;
3129 x509_crt_verify_chain_reset( &ver_chain );
3130
3131 if( profile == NULL )
3132 {
3133 ret = MBEDTLS_ERR_X509_BAD_INPUT_DATA;
3134 goto exit;
3135 }
3136
3137 /* check name if requested */
3138 if( cn != NULL )
3139 x509_crt_verify_name( crt, cn, &ee_flags );
3140
3141 /* Check the type and size of the key */
3142 pk_type = mbedtls_pk_get_type( &crt->pk );
3143
3144 if( x509_profile_check_pk_alg( profile, pk_type ) != 0 )
3145 ee_flags |= MBEDTLS_X509_BADCERT_BAD_PK;
3146
3147 if( x509_profile_check_key( profile, &crt->pk ) != 0 )
3148 ee_flags |= MBEDTLS_X509_BADCERT_BAD_KEY;
3149
3150 /* Check the chain */
3151 ret = x509_crt_verify_chain( crt, trust_ca, ca_crl,
3152 f_ca_cb, p_ca_cb, profile,
3153 &ver_chain, rs_ctx );
3154
3155 if( ret != 0 )
3156 goto exit;
3157
3158 /* Merge end-entity flags */
3159 ver_chain.items[0].flags |= ee_flags;
3160
3161 /* Build final flags, calling callback on the way if any */
3162 ret = x509_crt_merge_flags_with_cb( flags, &ver_chain, f_vrfy, p_vrfy );
3163
3164 exit:
3165
3166 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
3167 mbedtls_x509_crt_free( ver_chain.trust_ca_cb_result );
3168 mbedtls_free( ver_chain.trust_ca_cb_result );
3169 ver_chain.trust_ca_cb_result = NULL;
3170 #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
3171
3172 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
3173 if( rs_ctx != NULL && ret != MBEDTLS_ERR_ECP_IN_PROGRESS )
3174 mbedtls_x509_crt_restart_free( rs_ctx );
3175 #endif
3176
3177 /* prevent misuse of the vrfy callback - VERIFY_FAILED would be ignored by
3178 * the SSL module for authmode optional, but non-zero return from the
3179 * callback means a fatal error so it shouldn't be ignored */
3180 if( ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED )
3181 ret = MBEDTLS_ERR_X509_FATAL_ERROR;
3182
3183 if( ret != 0 )
3184 {
3185 *flags = (uint32_t) -1;
3186 return( ret );
3187 }
3188
3189 if( *flags != 0 )
3190 return( MBEDTLS_ERR_X509_CERT_VERIFY_FAILED );
3191
3192 return( 0 );
3193 }
3194
3195
3196 /*
3197 * Verify the certificate validity (default profile, not restartable)
3198 */
mbedtls_x509_crt_verify(mbedtls_x509_crt * crt,mbedtls_x509_crt * trust_ca,mbedtls_x509_crl * ca_crl,const char * cn,uint32_t * flags,int (* f_vrfy)(void *,mbedtls_x509_crt *,int,uint32_t *),void * p_vrfy)3199 int mbedtls_x509_crt_verify( mbedtls_x509_crt *crt,
3200 mbedtls_x509_crt *trust_ca,
3201 mbedtls_x509_crl *ca_crl,
3202 const char *cn, uint32_t *flags,
3203 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
3204 void *p_vrfy )
3205 {
3206 return( x509_crt_verify_restartable_ca_cb( crt, trust_ca, ca_crl,
3207 NULL, NULL,
3208 &mbedtls_x509_crt_profile_default,
3209 cn, flags,
3210 f_vrfy, p_vrfy, NULL ) );
3211 }
3212
3213 /*
3214 * Verify the certificate validity (user-chosen profile, not restartable)
3215 */
mbedtls_x509_crt_verify_with_profile(mbedtls_x509_crt * crt,mbedtls_x509_crt * trust_ca,mbedtls_x509_crl * ca_crl,const mbedtls_x509_crt_profile * profile,const char * cn,uint32_t * flags,int (* f_vrfy)(void *,mbedtls_x509_crt *,int,uint32_t *),void * p_vrfy)3216 int mbedtls_x509_crt_verify_with_profile( mbedtls_x509_crt *crt,
3217 mbedtls_x509_crt *trust_ca,
3218 mbedtls_x509_crl *ca_crl,
3219 const mbedtls_x509_crt_profile *profile,
3220 const char *cn, uint32_t *flags,
3221 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
3222 void *p_vrfy )
3223 {
3224 return( x509_crt_verify_restartable_ca_cb( crt, trust_ca, ca_crl,
3225 NULL, NULL,
3226 profile, cn, flags,
3227 f_vrfy, p_vrfy, NULL ) );
3228 }
3229
3230 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
3231 /*
3232 * Verify the certificate validity (user-chosen profile, CA callback,
3233 * not restartable).
3234 */
mbedtls_x509_crt_verify_with_ca_cb(mbedtls_x509_crt * crt,mbedtls_x509_crt_ca_cb_t f_ca_cb,void * p_ca_cb,const mbedtls_x509_crt_profile * profile,const char * cn,uint32_t * flags,int (* f_vrfy)(void *,mbedtls_x509_crt *,int,uint32_t *),void * p_vrfy)3235 int mbedtls_x509_crt_verify_with_ca_cb( mbedtls_x509_crt *crt,
3236 mbedtls_x509_crt_ca_cb_t f_ca_cb,
3237 void *p_ca_cb,
3238 const mbedtls_x509_crt_profile *profile,
3239 const char *cn, uint32_t *flags,
3240 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
3241 void *p_vrfy )
3242 {
3243 return( x509_crt_verify_restartable_ca_cb( crt, NULL, NULL,
3244 f_ca_cb, p_ca_cb,
3245 profile, cn, flags,
3246 f_vrfy, p_vrfy, NULL ) );
3247 }
3248 #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
3249
mbedtls_x509_crt_verify_restartable(mbedtls_x509_crt * crt,mbedtls_x509_crt * trust_ca,mbedtls_x509_crl * ca_crl,const mbedtls_x509_crt_profile * profile,const char * cn,uint32_t * flags,int (* f_vrfy)(void *,mbedtls_x509_crt *,int,uint32_t *),void * p_vrfy,mbedtls_x509_crt_restart_ctx * rs_ctx)3250 int mbedtls_x509_crt_verify_restartable( mbedtls_x509_crt *crt,
3251 mbedtls_x509_crt *trust_ca,
3252 mbedtls_x509_crl *ca_crl,
3253 const mbedtls_x509_crt_profile *profile,
3254 const char *cn, uint32_t *flags,
3255 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
3256 void *p_vrfy,
3257 mbedtls_x509_crt_restart_ctx *rs_ctx )
3258 {
3259 return( x509_crt_verify_restartable_ca_cb( crt, trust_ca, ca_crl,
3260 NULL, NULL,
3261 profile, cn, flags,
3262 f_vrfy, p_vrfy, rs_ctx ) );
3263 }
3264
3265
3266 /*
3267 * Initialize a certificate chain
3268 */
mbedtls_x509_crt_init(mbedtls_x509_crt * crt)3269 void mbedtls_x509_crt_init( mbedtls_x509_crt *crt )
3270 {
3271 memset( crt, 0, sizeof(mbedtls_x509_crt) );
3272 }
3273
3274 /*
3275 * Unallocate all certificate data
3276 */
mbedtls_x509_crt_free(mbedtls_x509_crt * crt)3277 void mbedtls_x509_crt_free( mbedtls_x509_crt *crt )
3278 {
3279 mbedtls_x509_crt *cert_cur = crt;
3280 mbedtls_x509_crt *cert_prv;
3281 mbedtls_x509_name *name_cur;
3282 mbedtls_x509_name *name_prv;
3283 mbedtls_x509_sequence *seq_cur;
3284 mbedtls_x509_sequence *seq_prv;
3285
3286 if( crt == NULL )
3287 return;
3288
3289 do
3290 {
3291 mbedtls_pk_free( &cert_cur->pk );
3292
3293 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
3294 mbedtls_free( cert_cur->sig_opts );
3295 #endif
3296
3297 name_cur = cert_cur->issuer.next;
3298 while( name_cur != NULL )
3299 {
3300 name_prv = name_cur;
3301 name_cur = name_cur->next;
3302 mbedtls_platform_zeroize( name_prv, sizeof( mbedtls_x509_name ) );
3303 mbedtls_free( name_prv );
3304 }
3305
3306 name_cur = cert_cur->subject.next;
3307 while( name_cur != NULL )
3308 {
3309 name_prv = name_cur;
3310 name_cur = name_cur->next;
3311 mbedtls_platform_zeroize( name_prv, sizeof( mbedtls_x509_name ) );
3312 mbedtls_free( name_prv );
3313 }
3314
3315 seq_cur = cert_cur->ext_key_usage.next;
3316 while( seq_cur != NULL )
3317 {
3318 seq_prv = seq_cur;
3319 seq_cur = seq_cur->next;
3320 mbedtls_platform_zeroize( seq_prv,
3321 sizeof( mbedtls_x509_sequence ) );
3322 mbedtls_free( seq_prv );
3323 }
3324
3325 seq_cur = cert_cur->subject_alt_names.next;
3326 while( seq_cur != NULL )
3327 {
3328 seq_prv = seq_cur;
3329 seq_cur = seq_cur->next;
3330 mbedtls_platform_zeroize( seq_prv,
3331 sizeof( mbedtls_x509_sequence ) );
3332 mbedtls_free( seq_prv );
3333 }
3334
3335 seq_cur = cert_cur->certificate_policies.next;
3336 while( seq_cur != NULL )
3337 {
3338 seq_prv = seq_cur;
3339 seq_cur = seq_cur->next;
3340 mbedtls_platform_zeroize( seq_prv,
3341 sizeof( mbedtls_x509_sequence ) );
3342 mbedtls_free( seq_prv );
3343 }
3344
3345 if( cert_cur->raw.p != NULL && cert_cur->own_buffer )
3346 {
3347 mbedtls_platform_zeroize( cert_cur->raw.p, cert_cur->raw.len );
3348 mbedtls_free( cert_cur->raw.p );
3349 }
3350
3351 cert_cur = cert_cur->next;
3352 }
3353 while( cert_cur != NULL );
3354
3355 cert_cur = crt;
3356 do
3357 {
3358 cert_prv = cert_cur;
3359 cert_cur = cert_cur->next;
3360
3361 mbedtls_platform_zeroize( cert_prv, sizeof( mbedtls_x509_crt ) );
3362 if( cert_prv != crt )
3363 mbedtls_free( cert_prv );
3364 }
3365 while( cert_cur != NULL );
3366 }
3367
3368 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
3369 /*
3370 * Initialize a restart context
3371 */
mbedtls_x509_crt_restart_init(mbedtls_x509_crt_restart_ctx * ctx)3372 void mbedtls_x509_crt_restart_init( mbedtls_x509_crt_restart_ctx *ctx )
3373 {
3374 mbedtls_pk_restart_init( &ctx->pk );
3375
3376 ctx->parent = NULL;
3377 ctx->fallback_parent = NULL;
3378 ctx->fallback_signature_is_good = 0;
3379
3380 ctx->parent_is_trusted = -1;
3381
3382 ctx->in_progress = x509_crt_rs_none;
3383 ctx->self_cnt = 0;
3384 x509_crt_verify_chain_reset( &ctx->ver_chain );
3385 }
3386
3387 /*
3388 * Free the components of a restart context
3389 */
mbedtls_x509_crt_restart_free(mbedtls_x509_crt_restart_ctx * ctx)3390 void mbedtls_x509_crt_restart_free( mbedtls_x509_crt_restart_ctx *ctx )
3391 {
3392 if( ctx == NULL )
3393 return;
3394
3395 mbedtls_pk_restart_free( &ctx->pk );
3396 mbedtls_x509_crt_restart_init( ctx );
3397 }
3398 #endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
3399
3400 #endif /* MBEDTLS_X509_CRT_PARSE_C */
3401
