36 #if !defined(POLARSSL_CONFIG_FILE)
39 #include POLARSSL_CONFIG_FILE
42 #if defined(POLARSSL_X509_CRT_PARSE_C)
46 #if defined(POLARSSL_PEM_PARSE_C)
50 #if defined(POLARSSL_PLATFORM_C)
53 #define polarssl_malloc malloc
54 #define polarssl_free free
57 #if defined(POLARSSL_THREADING_C)
63 #if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
69 #if defined(EFIX64) || defined(EFI32)
73 #if defined(POLARSSL_FS_IO)
75 #if !defined(_WIN32) || defined(EFIX64) || defined(EFI32)
76 #include <sys/types.h>
83 static void polarssl_zeroize(
void *v,
size_t n ) {
84 volatile unsigned char *p = v;
while( n-- ) *p++ = 0;
90 static int x509_get_version(
unsigned char **p,
91 const unsigned char *end,
126 static int x509_get_dates(
unsigned char **p,
127 const unsigned char *end,
156 static int x509_get_uid(
unsigned char **p,
157 const unsigned char *end,
182 static int x509_get_basic_constraints(
unsigned char **p,
183 const unsigned char *end,
213 if( *ca_istrue != 0 )
220 if( ( ret =
asn1_get_int( p, end, max_pathlen ) ) != 0 )
232 static int x509_get_ns_cert_type(
unsigned char **p,
233 const unsigned char *end,
234 unsigned char *ns_cert_type)
247 *ns_cert_type = *bs.
p;
251 static int x509_get_key_usage(
unsigned char **p,
252 const unsigned char *end,
253 unsigned char *key_usage)
275 static int x509_get_ext_key_usage(
unsigned char **p,
276 const unsigned char *end,
285 if( ext_key_usage->
buf.
p == NULL )
318 static int x509_get_subject_alt_name(
unsigned char **p,
319 const unsigned char *end,
333 if( *p + len != end )
339 if( ( end - *p ) < 1 )
353 if( tag != ( ASN1_CONTEXT_SPECIFIC | 2 ) )
360 if( cur->
buf.
p != NULL )
365 if( cur->
next == NULL )
397 static int x509_get_crt_ext(
unsigned char **p,
398 const unsigned char *end,
403 unsigned char *end_ext_data, *end_ext_octet;
429 end_ext_data = *p + len;
440 if( ( end - *p ) < 1 )
445 if( ( ret =
asn1_get_bool( p, end_ext_data, &is_critical ) ) != 0 &&
454 end_ext_octet = *p + len;
456 if( end_ext_octet != end_ext_data )
470 #if !defined(POLARSSL_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION)
487 if( ( ret = x509_get_basic_constraints( p, end_ext_octet,
494 if( ( ret = x509_get_key_usage( p, end_ext_octet,
501 if( ( ret = x509_get_ext_key_usage( p, end_ext_octet,
508 if( ( ret = x509_get_subject_alt_name( p, end_ext_octet,
515 if( ( ret = x509_get_ns_cert_type( p, end_ext_octet,
535 static int x509_crt_parse_der_core(
x509_crt *crt,
const unsigned char *buf,
540 unsigned char *p, *end, *crt_end;
543 memset( &sig_params1, 0,
sizeof(
x509_buf ) );
544 memset( &sig_params2, 0,
sizeof(
x509_buf ) );
549 if( crt == NULL || buf == NULL )
557 memcpy( p, buf, buflen );
576 if( len > (
size_t) ( end - p ) )
606 if( ( ret = x509_get_version( &p, end, &crt->
version ) ) != 0 ||
609 &sig_params1 ) ) != 0 )
657 if( ( ret = x509_get_dates( &p, end, &crt->
valid_from,
703 ret = x509_get_uid( &p, end, &crt->
issuer_id, 1 );
713 ret = x509_get_uid( &p, end, &crt->
subject_id, 2 );
721 #if !defined(POLARSSL_X509_ALLOW_EXTENSIONS_NON_V3)
725 ret = x509_get_crt_ext( &p, end, crt );
731 #if !defined(POLARSSL_X509_ALLOW_EXTENSIONS_NON_V3)
759 sig_params1.
len != sig_params2.
len ||
760 memcmp( sig_params1.
p, sig_params2.
p, sig_params1.
len ) != 0 )
790 x509_crt *crt = chain, *prev = NULL;
795 if( crt == NULL || buf == NULL )
811 if( crt->
next == NULL )
819 if( ( ret = x509_crt_parse_der_core( crt, buf, buflen ) ) != 0 )
839 int success = 0, first_error = 0, total_failed = 0;
845 if( chain == NULL || buf == NULL )
852 #if defined(POLARSSL_PEM_PARSE_C)
853 if( strstr( (
const char *) buf,
"-----BEGIN CERTIFICATE-----" ) != NULL )
860 #if defined(POLARSSL_PEM_PARSE_C)
871 ret = pem_read_buffer( &pem,
872 "-----BEGIN CERTIFICATE-----",
873 "-----END CERTIFICATE-----",
874 buf, NULL, 0, &use_len );
898 if( first_error == 0 )
919 if( first_error == 0 )
932 return( total_failed );
933 else if( first_error )
934 return( first_error );
939 #if defined(POLARSSL_FS_IO)
954 polarssl_zeroize( buf, n + 1 );
960 #if defined(POLARSSL_THREADING_PTHREAD)
961 static threading_mutex_t readdir_mutex = PTHREAD_MUTEX_INITIALIZER;
967 #if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
969 WCHAR szDir[MAX_PATH];
970 char filename[MAX_PATH];
972 int len = (int) strlen( path );
974 WIN32_FIND_DATAW file_data;
977 if( len > MAX_PATH - 3 )
980 memset( szDir, 0,
sizeof(szDir) );
981 memset( filename, 0, MAX_PATH );
982 memcpy( filename, path, len );
983 filename[len++] =
'\\';
985 filename[len++] =
'*';
987 w_ret = MultiByteToWideChar( CP_ACP, 0, filename, len, szDir,
990 hFind = FindFirstFileW( szDir, &file_data );
991 if( hFind == INVALID_HANDLE_VALUE )
994 len = MAX_PATH - len;
999 if( file_data.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY )
1002 w_ret = WideCharToMultiByte( CP_ACP, 0, file_data.cFileName,
1003 lstrlenW( file_data.cFileName ),
1013 while( FindNextFileW( hFind, &file_data ) != 0 );
1015 if( GetLastError() != ERROR_NO_MORE_FILES )
1022 struct dirent *entry;
1023 char entry_name[255];
1024 DIR *dir = opendir( path );
1029 #if defined(POLARSSL_THREADING_PTHREAD)
1034 while( ( entry = readdir( dir ) ) != NULL )
1036 snprintf( entry_name,
sizeof entry_name,
"%s/%s", path, entry->d_name );
1038 if( stat( entry_name, &sb ) == -1 )
1045 if( !S_ISREG( sb.st_mode ) )
1059 #if defined(POLARSSL_THREADING_PTHREAD)
1070 #if defined(_MSC_VER) && !defined snprintf && !defined(EFIX64) && \
1074 #if !defined vsnprintf
1075 #define vsnprintf _vsnprintf
1085 static int compat_snprintf(
char *str,
size_t size,
const char *format, ... )
1090 va_start( ap, format );
1092 res = vsnprintf( str, size, format, ap );
1098 return( (
int) size + 20 );
1103 #define snprintf compat_snprintf
1106 #define POLARSSL_ERR_DEBUG_BUF_TOO_SMALL -2
1108 #define SAFE_SNPRINTF() \
1113 if( (unsigned int) ret > n ) { \
1115 return( POLARSSL_ERR_DEBUG_BUF_TOO_SMALL ); \
1118 n -= (unsigned int) ret; \
1119 p += (unsigned int) ret; \
1122 static int x509_info_subject_alt_name(
char **buf,
size_t *size,
1129 const char *sep =
"";
1132 while( cur != NULL )
1134 if( cur->
buf.
len + sep_len >= n )
1137 return( POLARSSL_ERR_DEBUG_BUF_TOO_SMALL );
1140 n -= cur->
buf.
len + sep_len;
1141 for( i = 0; i < sep_len; i++ )
1143 for( i = 0; i < cur->
buf.
len; i++ )
1144 *p++ = cur->
buf.
p[i];
1160 #define PRINT_ITEM(i) \
1162 ret = snprintf( p, n, "%s" i, sep ); \
1167 #define CERT_TYPE(type,name) \
1168 if( ns_cert_type & type ) \
1171 static int x509_info_cert_type(
char **buf,
size_t *size,
1172 unsigned char ns_cert_type )
1177 const char *sep =
"";
1194 #define KEY_USAGE(code,name) \
1195 if( key_usage & code ) \
1198 static int x509_info_key_usage(
char **buf,
size_t *size,
1199 unsigned char key_usage )
1204 const char *sep =
"";
1220 static int x509_info_ext_key_usage(
char **buf,
size_t *size,
1228 const char *sep =
"";
1230 while( cur != NULL )
1235 ret = snprintf( p, n,
"%s%s", sep, desc );
1252 #define BEFORE_COLON 18
1254 int x509_crt_info(
char *buf,
size_t size,
const char *prefix,
1260 char key_size_str[BEFORE_COLON];
1265 ret = snprintf( p, n,
"%scert. version : %d\n",
1268 ret = snprintf( p, n,
"%sserial number : ",
1275 ret = snprintf( p, n,
"\n%sissuer name : ", prefix );
1280 ret = snprintf( p, n,
"\n%ssubject name : ", prefix );
1285 ret = snprintf( p, n,
"\n%sissued on : " \
1286 "%04d-%02d-%02d %02d:%02d:%02d", prefix,
1292 ret = snprintf( p, n,
"\n%sexpires on : " \
1293 "%04d-%02d-%02d %02d:%02d:%02d", prefix,
1299 ret = snprintf( p, n,
"\n%ssigned using : ", prefix );
1313 ret = snprintf( p, n,
"\n%s%-" BC
"s: %d bits", prefix, key_size_str,
1323 ret = snprintf( p, n,
"\n%sbasic constraints : CA=%s", prefix,
1329 ret = snprintf( p, n,
", max_pathlen=%d", crt->
max_pathlen - 1 );
1336 ret = snprintf( p, n,
"\n%ssubject alt name : ", prefix );
1339 if( ( ret = x509_info_subject_alt_name( &p, &n,
1346 ret = snprintf( p, n,
"\n%scert. type : ", prefix );
1349 if( ( ret = x509_info_cert_type( &p, &n, crt->
ns_cert_type ) ) != 0 )
1355 ret = snprintf( p, n,
"\n%skey usage : ", prefix );
1358 if( ( ret = x509_info_key_usage( &p, &n, crt->
key_usage ) ) != 0 )
1364 ret = snprintf( p, n,
"\n%sext key usage : ", prefix );
1367 if( ( ret = x509_info_ext_key_usage( &p, &n,
1372 ret = snprintf( p, n,
"\n" );
1375 return( (
int) ( size - n ) );
1378 #if defined(POLARSSL_X509_CHECK_KEY_USAGE)
1389 #if defined(POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE)
1391 const char *usage_oid,
1407 if( cur_oid->
len == usage_len &&
1408 memcmp( cur_oid->
p, usage_oid, usage_len ) == 0 )
1421 #if defined(POLARSSL_X509_CRL_PARSE_C)
1429 while( cur != NULL && cur->
serial.
len != 0 )
1463 while( crl_list != NULL )
1470 crl_list = crl_list->
next;
1477 #if defined(POLARSSL_X509_CHECK_KEY_USAGE)
1489 if( md_info == NULL )
1498 md( md_info, crl_list->
tbs.
p, crl_list->
tbs.
len, hash );
1526 crl_list = crl_list->
next;
1535 static int x509_memcasecmp(
const void *s1,
const void *s2,
size_t len )
1539 const unsigned char *n1 = s1, *n2 = s2;
1541 for( i = 0; i < len; i++ )
1543 diff = n1[i] ^ n2[i];
1549 ( ( n1[i] >=
'a' && n1[i] <=
'z' ) ||
1550 ( n1[i] >=
'A' && n1[i] <=
'Z' ) ) )
1565 static int x509_wildcard_verify(
const char *cn,
x509_buf *name )
1568 size_t cn_idx = 0, cn_len = strlen( cn );
1570 if( name->
len < 3 || name->
p[0] !=
'*' || name->
p[1] !=
'.' )
1573 for( i = 0; i < cn_len; ++i )
1585 if( cn_len - cn_idx == name->
len - 1 &&
1586 x509_memcasecmp( name->
p + 1, cn + cn_idx, name->
len - 1 ) == 0 )
1604 memcmp( a->
p, b->
p, b->
len ) == 0 )
1612 x509_memcasecmp( a->
p, b->
p, b->
len ) == 0 )
1632 if( a == NULL && b == NULL )
1635 if( a == NULL || b == NULL )
1647 if( x509_string_cmp( &a->
val, &b->
val ) != 0 )
1650 return( x509_name_cmp( a->
next, b->
next ) );
1660 static int x509_crt_check_parent(
const x509_crt *child,
1662 int top,
int bottom )
1667 if( x509_name_cmp( &child->
issuer, &parent->
subject ) != 0 )
1674 if( top && parent->
version < 3 )
1678 if( top && bottom &&
1685 if( need_ca_bit && ! parent->
ca_istrue )
1688 #if defined(POLARSSL_X509_CHECK_KEY_USAGE)
1699 static int x509_crt_verify_top(
1701 x509_crl *ca_crl,
int path_cnt,
int *flags,
1702 int (*f_vrfy)(
void *,
x509_crt *,
int,
int *),
1706 int ca_flags = 0, check_path_cnt = path_cnt + 1;
1722 if( md_info == NULL )
1732 for( ; trust_ca != NULL; trust_ca = trust_ca->
next )
1734 if( x509_crt_check_parent( child, trust_ca, 1, path_cnt == 0 ) != 0 )
1773 if( trust_ca != NULL &&
1778 #if defined(POLARSSL_X509_CRL_PARSE_C)
1780 *flags |= x509_crt_verifycrl( child, trust_ca, ca_crl );
1791 if( NULL != f_vrfy )
1793 if( ( ret = f_vrfy( p_vrfy, trust_ca, path_cnt + 1,
1794 &ca_flags ) ) != 0 )
1802 if( NULL != f_vrfy )
1804 if( ( ret = f_vrfy( p_vrfy, child, path_cnt, flags ) ) != 0 )
1813 static int x509_crt_verify_child(
1815 x509_crl *ca_crl,
int path_cnt,
int *flags,
1816 int (*f_vrfy)(
void *,
x509_crt *,
int,
int *),
1820 int parent_flags = 0;
1832 if( md_info == NULL )
1851 #if defined(POLARSSL_X509_CRL_PARSE_C)
1853 *flags |= x509_crt_verifycrl(child, parent, ca_crl);
1857 for( grandparent = parent->
next;
1858 grandparent != NULL;
1859 grandparent = grandparent->
next )
1861 if( x509_crt_check_parent( parent, grandparent,
1862 0, path_cnt == 0 ) == 0 )
1867 if( grandparent != NULL )
1869 ret = x509_crt_verify_child( parent, grandparent, trust_ca, ca_crl,
1870 path_cnt + 1, &parent_flags, f_vrfy, p_vrfy );
1876 ret = x509_crt_verify_top( parent, trust_ca, ca_crl,
1877 path_cnt + 1, &parent_flags, f_vrfy, p_vrfy );
1883 if( NULL != f_vrfy )
1884 if( ( ret = f_vrfy( p_vrfy, child, path_cnt, flags ) ) != 0 )
1887 *flags |= parent_flags;
1898 const char *cn,
int *flags,
1899 int (*f_vrfy)(
void *,
x509_crt *,
int,
int *),
1914 cn_len = strlen( cn );
1920 while( cur != NULL )
1922 if( cur->
buf.
len == cn_len &&
1923 x509_memcasecmp( cn, cur->
buf.
p, cn_len ) == 0 )
1927 memcmp( cur->
buf.
p,
"*.", 2 ) == 0 &&
1928 x509_wildcard_verify( cn, &cur->
buf ) )
1939 while( name != NULL )
1943 if( name->
val.
len == cn_len &&
1944 x509_memcasecmp( name->
val.
p, cn, cn_len ) == 0 )
1948 memcmp( name->
val.
p,
"*.", 2 ) == 0 &&
1949 x509_wildcard_verify( cn, &name->
val ) )
1962 for( parent = crt->
next; parent != NULL; parent = parent->
next )
1964 if( x509_crt_check_parent( crt, parent, 0, pathlen == 0 ) == 0 )
1969 if( parent != NULL )
1971 ret = x509_crt_verify_child( crt, parent, trust_ca, ca_crl,
1972 pathlen, flags, f_vrfy, p_vrfy );
1978 ret = x509_crt_verify_top( crt, trust_ca, ca_crl,
1979 pathlen, flags, f_vrfy, p_vrfy );
1995 memset( crt, 0,
sizeof(
x509_crt) );
2017 #if defined(POLARSSL_X509_RSASSA_PSS_SUPPORT)
2022 while( name_cur != NULL )
2024 name_prv = name_cur;
2025 name_cur = name_cur->
next;
2026 polarssl_zeroize( name_prv,
sizeof(
x509_name ) );
2031 while( name_cur != NULL )
2033 name_prv = name_cur;
2034 name_cur = name_cur->
next;
2035 polarssl_zeroize( name_prv,
sizeof(
x509_name ) );
2040 while( seq_cur != NULL )
2043 seq_cur = seq_cur->
next;
2049 while( seq_cur != NULL )
2052 seq_cur = seq_cur->
next;
2057 if( cert_cur->
raw.
p != NULL )
2059 polarssl_zeroize( cert_cur->
raw.
p, cert_cur->
raw.
len );
2063 cert_cur = cert_cur->
next;
2065 while( cert_cur != NULL );
2070 cert_prv = cert_cur;
2071 cert_cur = cert_cur->
next;
2073 polarssl_zeroize( cert_prv,
sizeof(
x509_crt ) );
2074 if( cert_prv != crt )
2077 while( cert_cur != NULL );