1 /*
2 * X.509 certificate parsing and verification
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6 *
7 * This file is provided under the Apache License 2.0, or the
8 * GNU General Public License v2.0 or later.
9 *
10 * **********
11 * Apache License 2.0:
12 *
13 * Licensed under the Apache License, Version 2.0 (the "License"); you may
14 * not use this file except in compliance with the License.
15 * You may obtain a copy of the License at
16 *
17 * http://www.apache.org/licenses/LICENSE-2.0
18 *
19 * Unless required by applicable law or agreed to in writing, software
20 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
21 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
22 * See the License for the specific language governing permissions and
23 * limitations under the License.
24 *
25 * **********
26 *
27 * **********
28 * GNU General Public License v2.0 or later:
29 *
30 * This program is free software; you can redistribute it and/or modify
31 * it under the terms of the GNU General Public License as published by
32 * the Free Software Foundation; either version 2 of the License, or
33 * (at your option) any later version.
34 *
35 * This program is distributed in the hope that it will be useful,
36 * but WITHOUT ANY WARRANTY; without even the implied warranty of
37 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
38 * GNU General Public License for more details.
39 *
40 * You should have received a copy of the GNU General Public License along
41 * with this program; if not, write to the Free Software Foundation, Inc.,
42 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
43 *
44 * **********
45 */
46 /*
47 * The ITU-T X.509 standard defines a certificate format for PKI.
48 *
49 * http://www.ietf.org/rfc/rfc5280.txt (Certificates and CRLs)
50 * http://www.ietf.org/rfc/rfc3279.txt (Alg IDs for CRLs)
51 * http://www.ietf.org/rfc/rfc2986.txt (CSRs, aka PKCS#10)
52 *
53 * http://www.itu.int/ITU-T/studygroups/com17/languages/X.680-0207.pdf
54 * http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf
55 *
56 * [SIRO] https://cabforum.org/wp-content/uploads/Chunghwatelecom201503cabforumV4.pdf
57 */
58
59 #if !defined(MBEDTLS_CONFIG_FILE)
60 #include "mbedtls/config.h"
61 #else
62 #include MBEDTLS_CONFIG_FILE
63 #endif
64
65 #if defined(MBEDTLS_X509_CRT_PARSE_C)
66
67 #include "mbedtls/x509_crt.h"
68 #include "mbedtls/oid.h"
69 #include "mbedtls/platform_util.h"
70
71 #include <string.h>
72
73 #if defined(MBEDTLS_PEM_PARSE_C)
74 #include "mbedtls/pem.h"
75 #endif
76
77 #if defined(MBEDTLS_PLATFORM_C)
78 #include "mbedtls/platform.h"
79 #else
80 #include <stdio.h>
81 #include <stdlib.h>
82 #define mbedtls_free free
83 #define mbedtls_calloc calloc
84 #define mbedtls_snprintf snprintf
85 #endif
86
87 #if defined(MBEDTLS_THREADING_C)
88 #include "mbedtls/threading.h"
89 #endif
90
91 #if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
92 #include <windows.h>
93 #else
94 #include <time.h>
95 #endif
96
97 #if defined(MBEDTLS_FS_IO)
98 #include <stdio.h>
99 #if !defined(_WIN32) || defined(EFIX64) || defined(EFI32)
100 #include <sys/types.h>
101 #include <sys/stat.h>
102 #include <dirent.h>
103 #endif /* !_WIN32 || EFIX64 || EFI32 */
104 #endif
105
106 /*
107 * Item in a verification chain: cert and flags for it
108 */
109 typedef struct {
110 mbedtls_x509_crt *crt;
111 uint32_t flags;
112 } x509_crt_verify_chain_item;
113
114 /*
115 * Max size of verification chain: end-entity + intermediates + trusted root
116 */
117 #define X509_MAX_VERIFY_CHAIN_SIZE ( MBEDTLS_X509_MAX_INTERMEDIATE_CA + 2 )
118
119 /*
120 * Default profile
121 */
122 const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_default =
123 {
124 #if defined(MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES)
125 /* Allow SHA-1 (weak, but still safe in controlled environments) */
126 MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA1 ) |
127 #endif
128 /* Only SHA-2 hashes */
129 MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA224 ) |
130 MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA256 ) |
131 MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA384 ) |
132 MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA512 ),
133 0xFFFFFFF, /* Any PK alg */
134 0xFFFFFFF, /* Any curve */
135 2048,
136 };
137
138 /*
139 * Next-default profile
140 */
141 const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_next =
142 {
143 /* Hashes from SHA-256 and above */
144 MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA256 ) |
145 MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA384 ) |
146 MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA512 ),
147 0xFFFFFFF, /* Any PK alg */
148 #if defined(MBEDTLS_ECP_C)
149 /* Curves at or above 128-bit security level */
150 MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_SECP256R1 ) |
151 MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_SECP384R1 ) |
152 MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_SECP521R1 ) |
153 MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_BP256R1 ) |
154 MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_BP384R1 ) |
155 MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_BP512R1 ) |
156 MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_SECP256K1 ),
157 #else
158 0,
159 #endif
160 2048,
161 };
162
163 /*
164 * NSA Suite B Profile
165 */
166 const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_suiteb =
167 {
168 /* Only SHA-256 and 384 */
169 MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA256 ) |
170 MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA384 ),
171 /* Only ECDSA */
172 MBEDTLS_X509_ID_FLAG( MBEDTLS_PK_ECDSA ) |
173 MBEDTLS_X509_ID_FLAG( MBEDTLS_PK_ECKEY ),
174 #if defined(MBEDTLS_ECP_C)
175 /* Only NIST P-256 and P-384 */
176 MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_SECP256R1 ) |
177 MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_SECP384R1 ),
178 #else
179 0,
180 #endif
181 0,
182 };
183
184 /*
185 * Check md_alg against profile
186 * Return 0 if md_alg is acceptable for this profile, -1 otherwise
187 */
x509_profile_check_md_alg(const mbedtls_x509_crt_profile * profile,mbedtls_md_type_t md_alg)188 static int x509_profile_check_md_alg( const mbedtls_x509_crt_profile *profile,
189 mbedtls_md_type_t md_alg )
190 {
191 if( md_alg == MBEDTLS_MD_NONE )
192 return( -1 );
193
194 if( ( profile->allowed_mds & MBEDTLS_X509_ID_FLAG( md_alg ) ) != 0 )
195 return( 0 );
196
197 return( -1 );
198 }
199
200 /*
201 * Check pk_alg against profile
202 * Return 0 if pk_alg is acceptable for this profile, -1 otherwise
203 */
x509_profile_check_pk_alg(const mbedtls_x509_crt_profile * profile,mbedtls_pk_type_t pk_alg)204 static int x509_profile_check_pk_alg( const mbedtls_x509_crt_profile *profile,
205 mbedtls_pk_type_t pk_alg )
206 {
207 if( pk_alg == MBEDTLS_PK_NONE )
208 return( -1 );
209
210 if( ( profile->allowed_pks & MBEDTLS_X509_ID_FLAG( pk_alg ) ) != 0 )
211 return( 0 );
212
213 return( -1 );
214 }
215
216 /*
217 * Check key against profile
218 * Return 0 if pk is acceptable for this profile, -1 otherwise
219 */
x509_profile_check_key(const mbedtls_x509_crt_profile * profile,const mbedtls_pk_context * pk)220 static int x509_profile_check_key( const mbedtls_x509_crt_profile *profile,
221 const mbedtls_pk_context *pk )
222 {
223 const mbedtls_pk_type_t pk_alg = mbedtls_pk_get_type( pk );
224
225 #if defined(MBEDTLS_RSA_C)
226 if( pk_alg == MBEDTLS_PK_RSA || pk_alg == MBEDTLS_PK_RSASSA_PSS )
227 {
228 if( mbedtls_pk_get_bitlen( pk ) >= profile->rsa_min_bitlen )
229 return( 0 );
230
231 return( -1 );
232 }
233 #endif
234
235 #if defined(MBEDTLS_ECP_C)
236 if( pk_alg == MBEDTLS_PK_ECDSA ||
237 pk_alg == MBEDTLS_PK_ECKEY ||
238 pk_alg == MBEDTLS_PK_ECKEY_DH )
239 {
240 const mbedtls_ecp_group_id gid = mbedtls_pk_ec( *pk )->grp.id;
241
242 if( gid == MBEDTLS_ECP_DP_NONE )
243 return( -1 );
244
245 if( ( profile->allowed_curves & MBEDTLS_X509_ID_FLAG( gid ) ) != 0 )
246 return( 0 );
247
248 return( -1 );
249 }
250 #endif
251
252 return( -1 );
253 }
254
255 /*
256 * Like memcmp, but case-insensitive and always returns -1 if different
257 */
x509_memcasecmp(const void * s1,const void * s2,size_t len)258 static int x509_memcasecmp( const void *s1, const void *s2, size_t len )
259 {
260 size_t i;
261 unsigned char diff;
262 const unsigned char *n1 = s1, *n2 = s2;
263
264 for( i = 0; i < len; i++ )
265 {
266 diff = n1[i] ^ n2[i];
267
268 if( diff == 0 )
269 continue;
270
271 if( diff == 32 &&
272 ( ( n1[i] >= 'a' && n1[i] <= 'z' ) ||
273 ( n1[i] >= 'A' && n1[i] <= 'Z' ) ) )
274 {
275 continue;
276 }
277
278 return( -1 );
279 }
280
281 return( 0 );
282 }
283
284 /*
285 * Return 0 if name matches wildcard, -1 otherwise
286 */
x509_check_wildcard(const char * cn,const mbedtls_x509_buf * name)287 static int x509_check_wildcard( const char *cn, const mbedtls_x509_buf *name )
288 {
289 size_t i;
290 size_t cn_idx = 0, cn_len = strlen( cn );
291
292 /* We can't have a match if there is no wildcard to match */
293 if( name->len < 3 || name->p[0] != '*' || name->p[1] != '.' )
294 return( -1 );
295
296 for( i = 0; i < cn_len; ++i )
297 {
298 if( cn[i] == '.' )
299 {
300 cn_idx = i;
301 break;
302 }
303 }
304
305 if( cn_idx == 0 )
306 return( -1 );
307
308 if( cn_len - cn_idx == name->len - 1 &&
309 x509_memcasecmp( name->p + 1, cn + cn_idx, name->len - 1 ) == 0 )
310 {
311 return( 0 );
312 }
313
314 return( -1 );
315 }
316
317 /*
318 * Compare two X.509 strings, case-insensitive, and allowing for some encoding
319 * variations (but not all).
320 *
321 * Return 0 if equal, -1 otherwise.
322 */
x509_string_cmp(const mbedtls_x509_buf * a,const mbedtls_x509_buf * b)323 static int x509_string_cmp( const mbedtls_x509_buf *a, const mbedtls_x509_buf *b )
324 {
325 if( a->tag == b->tag &&
326 a->len == b->len &&
327 memcmp( a->p, b->p, b->len ) == 0 )
328 {
329 return( 0 );
330 }
331
332 if( ( a->tag == MBEDTLS_ASN1_UTF8_STRING || a->tag == MBEDTLS_ASN1_PRINTABLE_STRING ) &&
333 ( b->tag == MBEDTLS_ASN1_UTF8_STRING || b->tag == MBEDTLS_ASN1_PRINTABLE_STRING ) &&
334 a->len == b->len &&
335 x509_memcasecmp( a->p, b->p, b->len ) == 0 )
336 {
337 return( 0 );
338 }
339
340 return( -1 );
341 }
342
343 /*
344 * Compare two X.509 Names (aka rdnSequence).
345 *
346 * See RFC 5280 section 7.1, though we don't implement the whole algorithm:
347 * we sometimes return unequal when the full algorithm would return equal,
348 * but never the other way. (In particular, we don't do Unicode normalisation
349 * or space folding.)
350 *
351 * Return 0 if equal, -1 otherwise.
352 */
x509_name_cmp(const mbedtls_x509_name * a,const mbedtls_x509_name * b)353 static int x509_name_cmp( const mbedtls_x509_name *a, const mbedtls_x509_name *b )
354 {
355 /* Avoid recursion, it might not be optimised by the compiler */
356 while( a != NULL || b != NULL )
357 {
358 if( a == NULL || b == NULL )
359 return( -1 );
360
361 /* type */
362 if( a->oid.tag != b->oid.tag ||
363 a->oid.len != b->oid.len ||
364 memcmp( a->oid.p, b->oid.p, b->oid.len ) != 0 )
365 {
366 return( -1 );
367 }
368
369 /* value */
370 if( x509_string_cmp( &a->val, &b->val ) != 0 )
371 return( -1 );
372
373 /* structure of the list of sets */
374 if( a->next_merged != b->next_merged )
375 return( -1 );
376
377 a = a->next;
378 b = b->next;
379 }
380
381 /* a == NULL == b */
382 return( 0 );
383 }
384
385 /*
386 * Reset (init or clear) a verify_chain
387 */
x509_crt_verify_chain_reset(mbedtls_x509_crt_verify_chain * ver_chain)388 static void x509_crt_verify_chain_reset(
389 mbedtls_x509_crt_verify_chain *ver_chain )
390 {
391 size_t i;
392
393 for( i = 0; i < MBEDTLS_X509_MAX_VERIFY_CHAIN_SIZE; i++ )
394 {
395 ver_chain->items[i].crt = NULL;
396 ver_chain->items[i].flags = (uint32_t) -1;
397 }
398
399 ver_chain->len = 0;
400 }
401
402 /*
403 * Version ::= INTEGER { v1(0), v2(1), v3(2) }
404 */
x509_get_version(unsigned char ** p,const unsigned char * end,int * ver)405 static int x509_get_version( unsigned char **p,
406 const unsigned char *end,
407 int *ver )
408 {
409 int ret;
410 size_t len;
411
412 if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
413 MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | 0 ) ) != 0 )
414 {
415 if( ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
416 {
417 *ver = 0;
418 return( 0 );
419 }
420
421 return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret );
422 }
423
424 end = *p + len;
425
426 if( ( ret = mbedtls_asn1_get_int( p, end, ver ) ) != 0 )
427 return( MBEDTLS_ERR_X509_INVALID_VERSION + ret );
428
429 if( *p != end )
430 return( MBEDTLS_ERR_X509_INVALID_VERSION +
431 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
432
433 return( 0 );
434 }
435
436 /*
437 * Validity ::= SEQUENCE {
438 * notBefore Time,
439 * notAfter Time }
440 */
x509_get_dates(unsigned char ** p,const unsigned char * end,mbedtls_x509_time * from,mbedtls_x509_time * to)441 static int x509_get_dates( unsigned char **p,
442 const unsigned char *end,
443 mbedtls_x509_time *from,
444 mbedtls_x509_time *to )
445 {
446 int ret;
447 size_t len;
448
449 if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
450 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
451 return( MBEDTLS_ERR_X509_INVALID_DATE + ret );
452
453 end = *p + len;
454
455 if( ( ret = mbedtls_x509_get_time( p, end, from ) ) != 0 )
456 return( ret );
457
458 if( ( ret = mbedtls_x509_get_time( p, end, to ) ) != 0 )
459 return( ret );
460
461 if( *p != end )
462 return( MBEDTLS_ERR_X509_INVALID_DATE +
463 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
464
465 return( 0 );
466 }
467
468 /*
469 * X.509 v2/v3 unique identifier (not parsed)
470 */
x509_get_uid(unsigned char ** p,const unsigned char * end,mbedtls_x509_buf * uid,int n)471 static int x509_get_uid( unsigned char **p,
472 const unsigned char *end,
473 mbedtls_x509_buf *uid, int n )
474 {
475 int ret;
476
477 if( *p == end )
478 return( 0 );
479
480 uid->tag = **p;
481
482 if( ( ret = mbedtls_asn1_get_tag( p, end, &uid->len,
483 MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | n ) ) != 0 )
484 {
485 if( ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
486 return( 0 );
487
488 return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret );
489 }
490
491 uid->p = *p;
492 *p += uid->len;
493
494 return( 0 );
495 }
496
x509_get_basic_constraints(unsigned char ** p,const unsigned char * end,int * ca_istrue,int * max_pathlen)497 static int x509_get_basic_constraints( unsigned char **p,
498 const unsigned char *end,
499 int *ca_istrue,
500 int *max_pathlen )
501 {
502 int ret;
503 size_t len;
504
505 /*
506 * BasicConstraints ::= SEQUENCE {
507 * cA BOOLEAN DEFAULT FALSE,
508 * pathLenConstraint INTEGER (0..MAX) OPTIONAL }
509 */
510 *ca_istrue = 0; /* DEFAULT FALSE */
511 *max_pathlen = 0; /* endless */
512
513 if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
514 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
515 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
516
517 if( *p == end )
518 return( 0 );
519
520 if( ( ret = mbedtls_asn1_get_bool( p, end, ca_istrue ) ) != 0 )
521 {
522 if( ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
523 ret = mbedtls_asn1_get_int( p, end, ca_istrue );
524
525 if( ret != 0 )
526 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
527
528 if( *ca_istrue != 0 )
529 *ca_istrue = 1;
530 }
531
532 if( *p == end )
533 return( 0 );
534
535 if( ( ret = mbedtls_asn1_get_int( p, end, max_pathlen ) ) != 0 )
536 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
537
538 if( *p != end )
539 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
540 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
541
542 /* Do not accept max_pathlen equal to INT_MAX to avoid a signed integer
543 * overflow, which is an undefined behavior. */
544 if( *max_pathlen == INT_MAX )
545 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
546 MBEDTLS_ERR_ASN1_INVALID_LENGTH );
547
548 (*max_pathlen)++;
549
550 return( 0 );
551 }
552
x509_get_ns_cert_type(unsigned char ** p,const unsigned char * end,unsigned char * ns_cert_type)553 static int x509_get_ns_cert_type( unsigned char **p,
554 const unsigned char *end,
555 unsigned char *ns_cert_type)
556 {
557 int ret;
558 mbedtls_x509_bitstring bs = { 0, 0, NULL };
559
560 if( ( ret = mbedtls_asn1_get_bitstring( p, end, &bs ) ) != 0 )
561 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
562
563 if( bs.len != 1 )
564 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
565 MBEDTLS_ERR_ASN1_INVALID_LENGTH );
566
567 /* Get actual bitstring */
568 *ns_cert_type = *bs.p;
569 return( 0 );
570 }
571
x509_get_key_usage(unsigned char ** p,const unsigned char * end,unsigned int * key_usage)572 static int x509_get_key_usage( unsigned char **p,
573 const unsigned char *end,
574 unsigned int *key_usage)
575 {
576 int ret;
577 size_t i;
578 mbedtls_x509_bitstring bs = { 0, 0, NULL };
579
580 if( ( ret = mbedtls_asn1_get_bitstring( p, end, &bs ) ) != 0 )
581 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
582
583 if( bs.len < 1 )
584 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
585 MBEDTLS_ERR_ASN1_INVALID_LENGTH );
586
587 /* Get actual bitstring */
588 *key_usage = 0;
589 for( i = 0; i < bs.len && i < sizeof( unsigned int ); i++ )
590 {
591 *key_usage |= (unsigned int) bs.p[i] << (8*i);
592 }
593
594 return( 0 );
595 }
596
597 /*
598 * ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
599 *
600 * KeyPurposeId ::= OBJECT IDENTIFIER
601 */
x509_get_ext_key_usage(unsigned char ** p,const unsigned char * end,mbedtls_x509_sequence * ext_key_usage)602 static int x509_get_ext_key_usage( unsigned char **p,
603 const unsigned char *end,
604 mbedtls_x509_sequence *ext_key_usage)
605 {
606 int ret;
607
608 if( ( ret = mbedtls_asn1_get_sequence_of( p, end, ext_key_usage, MBEDTLS_ASN1_OID ) ) != 0 )
609 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
610
611 /* Sequence length must be >= 1 */
612 if( ext_key_usage->buf.p == NULL )
613 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
614 MBEDTLS_ERR_ASN1_INVALID_LENGTH );
615
616 return( 0 );
617 }
618
619 /*
620 * SubjectAltName ::= GeneralNames
621 *
622 * GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
623 *
624 * GeneralName ::= CHOICE {
625 * otherName [0] OtherName,
626 * rfc822Name [1] IA5String,
627 * dNSName [2] IA5String,
628 * x400Address [3] ORAddress,
629 * directoryName [4] Name,
630 * ediPartyName [5] EDIPartyName,
631 * uniformResourceIdentifier [6] IA5String,
632 * iPAddress [7] OCTET STRING,
633 * registeredID [8] OBJECT IDENTIFIER }
634 *
635 * OtherName ::= SEQUENCE {
636 * type-id OBJECT IDENTIFIER,
637 * value [0] EXPLICIT ANY DEFINED BY type-id }
638 *
639 * EDIPartyName ::= SEQUENCE {
640 * nameAssigner [0] DirectoryString OPTIONAL,
641 * partyName [1] DirectoryString }
642 *
643 * NOTE: we only parse and use dNSName at this point.
644 */
x509_get_subject_alt_name(unsigned char ** p,const unsigned char * end,mbedtls_x509_sequence * subject_alt_name)645 static int x509_get_subject_alt_name( unsigned char **p,
646 const unsigned char *end,
647 mbedtls_x509_sequence *subject_alt_name )
648 {
649 int ret;
650 size_t len, tag_len;
651 mbedtls_asn1_buf *buf;
652 unsigned char tag;
653 mbedtls_asn1_sequence *cur = subject_alt_name;
654
655 /* Get main sequence tag */
656 if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
657 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
658 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
659
660 if( *p + len != end )
661 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
662 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
663
664 while( *p < end )
665 {
666 if( ( end - *p ) < 1 )
667 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
668 MBEDTLS_ERR_ASN1_OUT_OF_DATA );
669
670 tag = **p;
671 (*p)++;
672 if( ( ret = mbedtls_asn1_get_len( p, end, &tag_len ) ) != 0 )
673 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
674
675 if( ( tag & MBEDTLS_ASN1_TAG_CLASS_MASK ) !=
676 MBEDTLS_ASN1_CONTEXT_SPECIFIC )
677 {
678 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
679 MBEDTLS_ERR_ASN1_UNEXPECTED_TAG );
680 }
681
682 /* Skip everything but DNS name */
683 if( tag != ( MBEDTLS_ASN1_CONTEXT_SPECIFIC | 2 ) )
684 {
685 *p += tag_len;
686 continue;
687 }
688
689 /* Allocate and assign next pointer */
690 if( cur->buf.p != NULL )
691 {
692 if( cur->next != NULL )
693 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS );
694
695 cur->next = mbedtls_calloc( 1, sizeof( mbedtls_asn1_sequence ) );
696
697 if( cur->next == NULL )
698 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
699 MBEDTLS_ERR_ASN1_ALLOC_FAILED );
700
701 cur = cur->next;
702 }
703
704 buf = &(cur->buf);
705 buf->tag = tag;
706 buf->p = *p;
707 buf->len = tag_len;
708 *p += buf->len;
709 }
710
711 /* Set final sequence entry's next pointer to NULL */
712 cur->next = NULL;
713
714 if( *p != end )
715 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
716 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
717
718 return( 0 );
719 }
720
721 /*
722 * X.509 v3 extensions
723 *
724 */
x509_get_crt_ext(unsigned char ** p,const unsigned char * end,mbedtls_x509_crt * crt)725 static int x509_get_crt_ext( unsigned char **p,
726 const unsigned char *end,
727 mbedtls_x509_crt *crt )
728 {
729 int ret;
730 size_t len;
731 unsigned char *end_ext_data, *end_ext_octet;
732
733 if( *p == end )
734 return( 0 );
735
736 if( ( ret = mbedtls_x509_get_ext( p, end, &crt->v3_ext, 3 ) ) != 0 )
737 return( ret );
738
739 end = crt->v3_ext.p + crt->v3_ext.len;
740 while( *p < end )
741 {
742 /*
743 * Extension ::= SEQUENCE {
744 * extnID OBJECT IDENTIFIER,
745 * critical BOOLEAN DEFAULT FALSE,
746 * extnValue OCTET STRING }
747 */
748 mbedtls_x509_buf extn_oid = {0, 0, NULL};
749 int is_critical = 0; /* DEFAULT FALSE */
750 int ext_type = 0;
751
752 if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
753 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
754 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
755
756 end_ext_data = *p + len;
757
758 /* Get extension ID */
759 if( ( ret = mbedtls_asn1_get_tag( p, end_ext_data, &extn_oid.len,
760 MBEDTLS_ASN1_OID ) ) != 0 )
761 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
762
763 extn_oid.tag = MBEDTLS_ASN1_OID;
764 extn_oid.p = *p;
765 *p += extn_oid.len;
766
767 /* Get optional critical */
768 if( ( ret = mbedtls_asn1_get_bool( p, end_ext_data, &is_critical ) ) != 0 &&
769 ( ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) )
770 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
771
772 /* Data should be octet string type */
773 if( ( ret = mbedtls_asn1_get_tag( p, end_ext_data, &len,
774 MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )
775 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
776
777 end_ext_octet = *p + len;
778
779 if( end_ext_octet != end_ext_data )
780 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
781 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
782
783 /*
784 * Detect supported extensions
785 */
786 ret = mbedtls_oid_get_x509_ext_type( &extn_oid, &ext_type );
787
788 if( ret != 0 )
789 {
790 /* No parser found, skip extension */
791 *p = end_ext_octet;
792
793 #if !defined(MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION)
794 if( is_critical )
795 {
796 /* Data is marked as critical: fail */
797 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
798 MBEDTLS_ERR_ASN1_UNEXPECTED_TAG );
799 }
800 #endif
801 continue;
802 }
803
804 /* Forbid repeated extensions */
805 if( ( crt->ext_types & ext_type ) != 0 )
806 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS );
807
808 crt->ext_types |= ext_type;
809
810 switch( ext_type )
811 {
812 case MBEDTLS_X509_EXT_BASIC_CONSTRAINTS:
813 /* Parse basic constraints */
814 if( ( ret = x509_get_basic_constraints( p, end_ext_octet,
815 &crt->ca_istrue, &crt->max_pathlen ) ) != 0 )
816 return( ret );
817 break;
818
819 case MBEDTLS_X509_EXT_KEY_USAGE:
820 /* Parse key usage */
821 if( ( ret = x509_get_key_usage( p, end_ext_octet,
822 &crt->key_usage ) ) != 0 )
823 return( ret );
824 break;
825
826 case MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE:
827 /* Parse extended key usage */
828 if( ( ret = x509_get_ext_key_usage( p, end_ext_octet,
829 &crt->ext_key_usage ) ) != 0 )
830 return( ret );
831 break;
832
833 case MBEDTLS_X509_EXT_SUBJECT_ALT_NAME:
834 /* Parse subject alt name */
835 if( ( ret = x509_get_subject_alt_name( p, end_ext_octet,
836 &crt->subject_alt_names ) ) != 0 )
837 return( ret );
838 break;
839
840 case MBEDTLS_X509_EXT_NS_CERT_TYPE:
841 /* Parse netscape certificate type */
842 if( ( ret = x509_get_ns_cert_type( p, end_ext_octet,
843 &crt->ns_cert_type ) ) != 0 )
844 return( ret );
845 break;
846
847 default:
848 return( MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE );
849 }
850 }
851
852 if( *p != end )
853 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
854 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
855
856 return( 0 );
857 }
858
859 /*
860 * Parse and fill a single X.509 certificate in DER format
861 */
x509_crt_parse_der_core(mbedtls_x509_crt * crt,const unsigned char * buf,size_t buflen)862 static int x509_crt_parse_der_core( mbedtls_x509_crt *crt, const unsigned char *buf,
863 size_t buflen )
864 {
865 int ret;
866 size_t len;
867 unsigned char *p, *end, *crt_end;
868 mbedtls_x509_buf sig_params1, sig_params2, sig_oid2;
869
870 memset( &sig_params1, 0, sizeof( mbedtls_x509_buf ) );
871 memset( &sig_params2, 0, sizeof( mbedtls_x509_buf ) );
872 memset( &sig_oid2, 0, sizeof( mbedtls_x509_buf ) );
873
874 /*
875 * Check for valid input
876 */
877 if( crt == NULL || buf == NULL )
878 return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
879
880 // Use the original buffer until we figure out actual length
881 p = (unsigned char*) buf;
882 len = buflen;
883 end = p + len;
884
885 /*
886 * Certificate ::= SEQUENCE {
887 * tbsCertificate TBSCertificate,
888 * signatureAlgorithm AlgorithmIdentifier,
889 * signatureValue BIT STRING }
890 */
891 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
892 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
893 {
894 mbedtls_x509_crt_free( crt );
895 return( MBEDTLS_ERR_X509_INVALID_FORMAT );
896 }
897
898 if( len > (size_t) ( end - p ) )
899 {
900 mbedtls_x509_crt_free( crt );
901 return( MBEDTLS_ERR_X509_INVALID_FORMAT +
902 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
903 }
904 crt_end = p + len;
905
906 // Create and populate a new buffer for the raw field
907 crt->raw.len = crt_end - buf;
908 crt->raw.p = p = mbedtls_calloc( 1, crt->raw.len );
909 if( p == NULL )
910 return( MBEDTLS_ERR_X509_ALLOC_FAILED );
911
912 memcpy( p, buf, crt->raw.len );
913
914 // Direct pointers to the new buffer
915 p += crt->raw.len - len;
916 end = crt_end = p + len;
917
918 /*
919 * TBSCertificate ::= SEQUENCE {
920 */
921 crt->tbs.p = p;
922
923 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
924 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
925 {
926 mbedtls_x509_crt_free( crt );
927 return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret );
928 }
929
930 end = p + len;
931 crt->tbs.len = end - crt->tbs.p;
932
933 /*
934 * Version ::= INTEGER { v1(0), v2(1), v3(2) }
935 *
936 * CertificateSerialNumber ::= INTEGER
937 *
938 * signature AlgorithmIdentifier
939 */
940 if( ( ret = x509_get_version( &p, end, &crt->version ) ) != 0 ||
941 ( ret = mbedtls_x509_get_serial( &p, end, &crt->serial ) ) != 0 ||
942 ( ret = mbedtls_x509_get_alg( &p, end, &crt->sig_oid,
943 &sig_params1 ) ) != 0 )
944 {
945 mbedtls_x509_crt_free( crt );
946 return( ret );
947 }
948
949 if( crt->version < 0 || crt->version > 2 )
950 {
951 mbedtls_x509_crt_free( crt );
952 return( MBEDTLS_ERR_X509_UNKNOWN_VERSION );
953 }
954
955 crt->version++;
956
957 if( ( ret = mbedtls_x509_get_sig_alg( &crt->sig_oid, &sig_params1,
958 &crt->sig_md, &crt->sig_pk,
959 &crt->sig_opts ) ) != 0 )
960 {
961 mbedtls_x509_crt_free( crt );
962 return( ret );
963 }
964
965 /*
966 * issuer Name
967 */
968 crt->issuer_raw.p = p;
969
970 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
971 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
972 {
973 mbedtls_x509_crt_free( crt );
974 return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret );
975 }
976
977 if( ( ret = mbedtls_x509_get_name( &p, p + len, &crt->issuer ) ) != 0 )
978 {
979 mbedtls_x509_crt_free( crt );
980 return( ret );
981 }
982
983 crt->issuer_raw.len = p - crt->issuer_raw.p;
984
985 /*
986 * Validity ::= SEQUENCE {
987 * notBefore Time,
988 * notAfter Time }
989 *
990 */
991 if( ( ret = x509_get_dates( &p, end, &crt->valid_from,
992 &crt->valid_to ) ) != 0 )
993 {
994 mbedtls_x509_crt_free( crt );
995 return( ret );
996 }
997
998 /*
999 * subject Name
1000 */
1001 crt->subject_raw.p = p;
1002
1003 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
1004 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
1005 {
1006 mbedtls_x509_crt_free( crt );
1007 return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret );
1008 }
1009
1010 if( len && ( ret = mbedtls_x509_get_name( &p, p + len, &crt->subject ) ) != 0 )
1011 {
1012 mbedtls_x509_crt_free( crt );
1013 return( ret );
1014 }
1015
1016 crt->subject_raw.len = p - crt->subject_raw.p;
1017
1018 /*
1019 * SubjectPublicKeyInfo
1020 */
1021 if( ( ret = mbedtls_pk_parse_subpubkey( &p, end, &crt->pk ) ) != 0 )
1022 {
1023 mbedtls_x509_crt_free( crt );
1024 return( ret );
1025 }
1026
1027 /*
1028 * issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
1029 * -- If present, version shall be v2 or v3
1030 * subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
1031 * -- If present, version shall be v2 or v3
1032 * extensions [3] EXPLICIT Extensions OPTIONAL
1033 * -- If present, version shall be v3
1034 */
1035 if( crt->version == 2 || crt->version == 3 )
1036 {
1037 ret = x509_get_uid( &p, end, &crt->issuer_id, 1 );
1038 if( ret != 0 )
1039 {
1040 mbedtls_x509_crt_free( crt );
1041 return( ret );
1042 }
1043 }
1044
1045 if( crt->version == 2 || crt->version == 3 )
1046 {
1047 ret = x509_get_uid( &p, end, &crt->subject_id, 2 );
1048 if( ret != 0 )
1049 {
1050 mbedtls_x509_crt_free( crt );
1051 return( ret );
1052 }
1053 }
1054
1055 #if !defined(MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3)
1056 if( crt->version == 3 )
1057 #endif
1058 {
1059 ret = x509_get_crt_ext( &p, end, crt );
1060 if( ret != 0 )
1061 {
1062 mbedtls_x509_crt_free( crt );
1063 return( ret );
1064 }
1065 }
1066
1067 if( p != end )
1068 {
1069 mbedtls_x509_crt_free( crt );
1070 return( MBEDTLS_ERR_X509_INVALID_FORMAT +
1071 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
1072 }
1073
1074 end = crt_end;
1075
1076 /*
1077 * }
1078 * -- end of TBSCertificate
1079 *
1080 * signatureAlgorithm AlgorithmIdentifier,
1081 * signatureValue BIT STRING
1082 */
1083 if( ( ret = mbedtls_x509_get_alg( &p, end, &sig_oid2, &sig_params2 ) ) != 0 )
1084 {
1085 mbedtls_x509_crt_free( crt );
1086 return( ret );
1087 }
1088
1089 if( crt->sig_oid.len != sig_oid2.len ||
1090 memcmp( crt->sig_oid.p, sig_oid2.p, crt->sig_oid.len ) != 0 ||
1091 sig_params1.tag != sig_params2.tag ||
1092 sig_params1.len != sig_params2.len ||
1093 ( sig_params1.len != 0 &&
1094 memcmp( sig_params1.p, sig_params2.p, sig_params1.len ) != 0 ) )
1095 {
1096 mbedtls_x509_crt_free( crt );
1097 return( MBEDTLS_ERR_X509_SIG_MISMATCH );
1098 }
1099
1100 if( ( ret = mbedtls_x509_get_sig( &p, end, &crt->sig ) ) != 0 )
1101 {
1102 mbedtls_x509_crt_free( crt );
1103 return( ret );
1104 }
1105
1106 if( p != end )
1107 {
1108 mbedtls_x509_crt_free( crt );
1109 return( MBEDTLS_ERR_X509_INVALID_FORMAT +
1110 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
1111 }
1112
1113 return( 0 );
1114 }
1115
1116 /*
1117 * Parse one X.509 certificate in DER format from a buffer and add them to a
1118 * chained list
1119 */
mbedtls_x509_crt_parse_der(mbedtls_x509_crt * chain,const unsigned char * buf,size_t buflen)1120 int mbedtls_x509_crt_parse_der( mbedtls_x509_crt *chain, const unsigned char *buf,
1121 size_t buflen )
1122 {
1123 int ret;
1124 mbedtls_x509_crt *crt = chain, *prev = NULL;
1125
1126 /*
1127 * Check for valid input
1128 */
1129 if( crt == NULL || buf == NULL )
1130 return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
1131
1132 while( crt->version != 0 && crt->next != NULL )
1133 {
1134 prev = crt;
1135 crt = crt->next;
1136 }
1137
1138 /*
1139 * Add new certificate on the end of the chain if needed.
1140 */
1141 if( crt->version != 0 && crt->next == NULL )
1142 {
1143 crt->next = mbedtls_calloc( 1, sizeof( mbedtls_x509_crt ) );
1144
1145 if( crt->next == NULL )
1146 return( MBEDTLS_ERR_X509_ALLOC_FAILED );
1147
1148 prev = crt;
1149 mbedtls_x509_crt_init( crt->next );
1150 crt = crt->next;
1151 }
1152
1153 if( ( ret = x509_crt_parse_der_core( crt, buf, buflen ) ) != 0 )
1154 {
1155 if( prev )
1156 prev->next = NULL;
1157
1158 if( crt != chain )
1159 mbedtls_free( crt );
1160
1161 return( ret );
1162 }
1163
1164 return( 0 );
1165 }
1166
1167 /*
1168 * Parse one or more PEM certificates from a buffer and add them to the chained
1169 * list
1170 */
mbedtls_x509_crt_parse(mbedtls_x509_crt * chain,const unsigned char * buf,size_t buflen)1171 int mbedtls_x509_crt_parse( mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen )
1172 {
1173 #if defined(MBEDTLS_PEM_PARSE_C)
1174 int success = 0, first_error = 0, total_failed = 0;
1175 int buf_format = MBEDTLS_X509_FORMAT_DER;
1176 #endif
1177
1178 /*
1179 * Check for valid input
1180 */
1181 if( chain == NULL || buf == NULL )
1182 return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
1183
1184 /*
1185 * Determine buffer content. Buffer contains either one DER certificate or
1186 * one or more PEM certificates.
1187 */
1188 #if defined(MBEDTLS_PEM_PARSE_C)
1189 if( buflen != 0 && buf[buflen - 1] == '\0' &&
1190 strstr( (const char *) buf, "-----BEGIN CERTIFICATE-----" ) != NULL )
1191 {
1192 buf_format = MBEDTLS_X509_FORMAT_PEM;
1193 }
1194
1195 if( buf_format == MBEDTLS_X509_FORMAT_DER )
1196 return mbedtls_x509_crt_parse_der( chain, buf, buflen );
1197 #else
1198 return mbedtls_x509_crt_parse_der( chain, buf, buflen );
1199 #endif
1200
1201 #if defined(MBEDTLS_PEM_PARSE_C)
1202 if( buf_format == MBEDTLS_X509_FORMAT_PEM )
1203 {
1204 int ret;
1205 mbedtls_pem_context pem;
1206
1207 /* 1 rather than 0 since the terminating NULL byte is counted in */
1208 while( buflen > 1 )
1209 {
1210 size_t use_len;
1211 mbedtls_pem_init( &pem );
1212
1213 /* If we get there, we know the string is null-terminated */
1214 ret = mbedtls_pem_read_buffer( &pem,
1215 "-----BEGIN CERTIFICATE-----",
1216 "-----END CERTIFICATE-----",
1217 buf, NULL, 0, &use_len );
1218
1219 if( ret == 0 )
1220 {
1221 /*
1222 * Was PEM encoded
1223 */
1224 buflen -= use_len;
1225 buf += use_len;
1226 }
1227 else if( ret == MBEDTLS_ERR_PEM_BAD_INPUT_DATA )
1228 {
1229 return( ret );
1230 }
1231 else if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
1232 {
1233 mbedtls_pem_free( &pem );
1234
1235 /*
1236 * PEM header and footer were found
1237 */
1238 buflen -= use_len;
1239 buf += use_len;
1240
1241 if( first_error == 0 )
1242 first_error = ret;
1243
1244 total_failed++;
1245 continue;
1246 }
1247 else
1248 break;
1249
1250 ret = mbedtls_x509_crt_parse_der( chain, pem.buf, pem.buflen );
1251
1252 mbedtls_pem_free( &pem );
1253
1254 if( ret != 0 )
1255 {
1256 /*
1257 * Quit parsing on a memory error
1258 */
1259 if( ret == MBEDTLS_ERR_X509_ALLOC_FAILED )
1260 return( ret );
1261
1262 if( first_error == 0 )
1263 first_error = ret;
1264
1265 total_failed++;
1266 continue;
1267 }
1268
1269 success = 1;
1270 }
1271 }
1272
1273 if( success )
1274 return( total_failed );
1275 else if( first_error )
1276 return( first_error );
1277 else
1278 return( MBEDTLS_ERR_X509_CERT_UNKNOWN_FORMAT );
1279 #endif /* MBEDTLS_PEM_PARSE_C */
1280 }
1281
1282 #if defined(MBEDTLS_FS_IO)
1283 /*
1284 * Load one or more certificates and add them to the chained list
1285 */
mbedtls_x509_crt_parse_file(mbedtls_x509_crt * chain,const char * path)1286 int mbedtls_x509_crt_parse_file( mbedtls_x509_crt *chain, const char *path )
1287 {
1288 int ret;
1289 size_t n;
1290 unsigned char *buf;
1291
1292 if( ( ret = mbedtls_pk_load_file( path, &buf, &n ) ) != 0 )
1293 return( ret );
1294
1295 ret = mbedtls_x509_crt_parse( chain, buf, n );
1296
1297 mbedtls_platform_zeroize( buf, n );
1298 mbedtls_free( buf );
1299
1300 return( ret );
1301 }
1302
mbedtls_x509_crt_parse_path(mbedtls_x509_crt * chain,const char * path)1303 int mbedtls_x509_crt_parse_path( mbedtls_x509_crt *chain, const char *path )
1304 {
1305 int ret = 0;
1306 #if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
1307 int w_ret;
1308 WCHAR szDir[MAX_PATH];
1309 char filename[MAX_PATH];
1310 char *p;
1311 size_t len = strlen( path );
1312
1313 WIN32_FIND_DATAW file_data;
1314 HANDLE hFind;
1315
1316 if( len > MAX_PATH - 3 )
1317 return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
1318
1319 memset( szDir, 0, sizeof(szDir) );
1320 memset( filename, 0, MAX_PATH );
1321 memcpy( filename, path, len );
1322 filename[len++] = '\\';
1323 p = filename + len;
1324 filename[len++] = '*';
1325
1326 w_ret = MultiByteToWideChar( CP_ACP, 0, filename, (int)len, szDir,
1327 MAX_PATH - 3 );
1328 if( w_ret == 0 )
1329 return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
1330
1331 hFind = FindFirstFileW( szDir, &file_data );
1332 if( hFind == INVALID_HANDLE_VALUE )
1333 return( MBEDTLS_ERR_X509_FILE_IO_ERROR );
1334
1335 len = MAX_PATH - len;
1336 do
1337 {
1338 memset( p, 0, len );
1339
1340 if( file_data.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY )
1341 continue;
1342
1343 w_ret = WideCharToMultiByte( CP_ACP, 0, file_data.cFileName,
1344 lstrlenW( file_data.cFileName ),
1345 p, (int) len - 1,
1346 NULL, NULL );
1347 if( w_ret == 0 )
1348 {
1349 ret = MBEDTLS_ERR_X509_FILE_IO_ERROR;
1350 goto cleanup;
1351 }
1352
1353 w_ret = mbedtls_x509_crt_parse_file( chain, filename );
1354 if( w_ret < 0 )
1355 ret++;
1356 else
1357 ret += w_ret;
1358 }
1359 while( FindNextFileW( hFind, &file_data ) != 0 );
1360
1361 if( GetLastError() != ERROR_NO_MORE_FILES )
1362 ret = MBEDTLS_ERR_X509_FILE_IO_ERROR;
1363
1364 cleanup:
1365 FindClose( hFind );
1366 #else /* _WIN32 */
1367 int t_ret;
1368 int snp_ret;
1369 struct stat sb;
1370 struct dirent *entry;
1371 char entry_name[MBEDTLS_X509_MAX_FILE_PATH_LEN];
1372 DIR *dir = opendir( path );
1373
1374 if( dir == NULL )
1375 return( MBEDTLS_ERR_X509_FILE_IO_ERROR );
1376
1377 #if defined(MBEDTLS_THREADING_C)
1378 if( ( ret = mbedtls_mutex_lock( &mbedtls_threading_readdir_mutex ) ) != 0 )
1379 {
1380 closedir( dir );
1381 return( ret );
1382 }
1383 #endif /* MBEDTLS_THREADING_C */
1384
1385 while( ( entry = readdir( dir ) ) != NULL )
1386 {
1387 snp_ret = mbedtls_snprintf( entry_name, sizeof entry_name,
1388 "%s/%s", path, entry->d_name );
1389
1390 if( snp_ret < 0 || (size_t)snp_ret >= sizeof entry_name )
1391 {
1392 ret = MBEDTLS_ERR_X509_BUFFER_TOO_SMALL;
1393 goto cleanup;
1394 }
1395 else if( stat( entry_name, &sb ) == -1 )
1396 {
1397 ret = MBEDTLS_ERR_X509_FILE_IO_ERROR;
1398 goto cleanup;
1399 }
1400
1401 if( !S_ISREG( sb.st_mode ) )
1402 continue;
1403
1404 // Ignore parse errors
1405 //
1406 t_ret = mbedtls_x509_crt_parse_file( chain, entry_name );
1407 if( t_ret < 0 )
1408 ret++;
1409 else
1410 ret += t_ret;
1411 }
1412
1413 cleanup:
1414 closedir( dir );
1415
1416 #if defined(MBEDTLS_THREADING_C)
1417 if( mbedtls_mutex_unlock( &mbedtls_threading_readdir_mutex ) != 0 )
1418 ret = MBEDTLS_ERR_THREADING_MUTEX_ERROR;
1419 #endif /* MBEDTLS_THREADING_C */
1420
1421 #endif /* _WIN32 */
1422
1423 return( ret );
1424 }
1425 #endif /* MBEDTLS_FS_IO */
1426
x509_info_subject_alt_name(char ** buf,size_t * size,const mbedtls_x509_sequence * subject_alt_name)1427 static int x509_info_subject_alt_name( char **buf, size_t *size,
1428 const mbedtls_x509_sequence *subject_alt_name )
1429 {
1430 size_t i;
1431 size_t n = *size;
1432 char *p = *buf;
1433 const mbedtls_x509_sequence *cur = subject_alt_name;
1434 const char *sep = "";
1435 size_t sep_len = 0;
1436
1437 while( cur != NULL )
1438 {
1439 if( cur->buf.len + sep_len >= n )
1440 {
1441 *p = '\0';
1442 return( MBEDTLS_ERR_X509_BUFFER_TOO_SMALL );
1443 }
1444
1445 n -= cur->buf.len + sep_len;
1446 for( i = 0; i < sep_len; i++ )
1447 *p++ = sep[i];
1448 for( i = 0; i < cur->buf.len; i++ )
1449 *p++ = cur->buf.p[i];
1450
1451 sep = ", ";
1452 sep_len = 2;
1453
1454 cur = cur->next;
1455 }
1456
1457 *p = '\0';
1458
1459 *size = n;
1460 *buf = p;
1461
1462 return( 0 );
1463 }
1464
1465 #define PRINT_ITEM(i) \
1466 { \
1467 ret = mbedtls_snprintf( p, n, "%s" i, sep ); \
1468 MBEDTLS_X509_SAFE_SNPRINTF; \
1469 sep = ", "; \
1470 }
1471
1472 #define CERT_TYPE(type,name) \
1473 if( ns_cert_type & (type) ) \
1474 PRINT_ITEM( name );
1475
x509_info_cert_type(char ** buf,size_t * size,unsigned char ns_cert_type)1476 static int x509_info_cert_type( char **buf, size_t *size,
1477 unsigned char ns_cert_type )
1478 {
1479 int ret;
1480 size_t n = *size;
1481 char *p = *buf;
1482 const char *sep = "";
1483
1484 CERT_TYPE( MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT, "SSL Client" );
1485 CERT_TYPE( MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER, "SSL Server" );
1486 CERT_TYPE( MBEDTLS_X509_NS_CERT_TYPE_EMAIL, "Email" );
1487 CERT_TYPE( MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING, "Object Signing" );
1488 CERT_TYPE( MBEDTLS_X509_NS_CERT_TYPE_RESERVED, "Reserved" );
1489 CERT_TYPE( MBEDTLS_X509_NS_CERT_TYPE_SSL_CA, "SSL CA" );
1490 CERT_TYPE( MBEDTLS_X509_NS_CERT_TYPE_EMAIL_CA, "Email CA" );
1491 CERT_TYPE( MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING_CA, "Object Signing CA" );
1492
1493 *size = n;
1494 *buf = p;
1495
1496 return( 0 );
1497 }
1498
1499 #define KEY_USAGE(code,name) \
1500 if( key_usage & (code) ) \
1501 PRINT_ITEM( name );
1502
x509_info_key_usage(char ** buf,size_t * size,unsigned int key_usage)1503 static int x509_info_key_usage( char **buf, size_t *size,
1504 unsigned int key_usage )
1505 {
1506 int ret;
1507 size_t n = *size;
1508 char *p = *buf;
1509 const char *sep = "";
1510
1511 KEY_USAGE( MBEDTLS_X509_KU_DIGITAL_SIGNATURE, "Digital Signature" );
1512 KEY_USAGE( MBEDTLS_X509_KU_NON_REPUDIATION, "Non Repudiation" );
1513 KEY_USAGE( MBEDTLS_X509_KU_KEY_ENCIPHERMENT, "Key Encipherment" );
1514 KEY_USAGE( MBEDTLS_X509_KU_DATA_ENCIPHERMENT, "Data Encipherment" );
1515 KEY_USAGE( MBEDTLS_X509_KU_KEY_AGREEMENT, "Key Agreement" );
1516 KEY_USAGE( MBEDTLS_X509_KU_KEY_CERT_SIGN, "Key Cert Sign" );
1517 KEY_USAGE( MBEDTLS_X509_KU_CRL_SIGN, "CRL Sign" );
1518 KEY_USAGE( MBEDTLS_X509_KU_ENCIPHER_ONLY, "Encipher Only" );
1519 KEY_USAGE( MBEDTLS_X509_KU_DECIPHER_ONLY, "Decipher Only" );
1520
1521 *size = n;
1522 *buf = p;
1523
1524 return( 0 );
1525 }
1526
x509_info_ext_key_usage(char ** buf,size_t * size,const mbedtls_x509_sequence * extended_key_usage)1527 static int x509_info_ext_key_usage( char **buf, size_t *size,
1528 const mbedtls_x509_sequence *extended_key_usage )
1529 {
1530 int ret;
1531 const char *desc;
1532 size_t n = *size;
1533 char *p = *buf;
1534 const mbedtls_x509_sequence *cur = extended_key_usage;
1535 const char *sep = "";
1536
1537 while( cur != NULL )
1538 {
1539 if( mbedtls_oid_get_extended_key_usage( &cur->buf, &desc ) != 0 )
1540 desc = "???";
1541
1542 ret = mbedtls_snprintf( p, n, "%s%s", sep, desc );
1543 MBEDTLS_X509_SAFE_SNPRINTF;
1544
1545 sep = ", ";
1546
1547 cur = cur->next;
1548 }
1549
1550 *size = n;
1551 *buf = p;
1552
1553 return( 0 );
1554 }
1555
1556 /*
1557 * Return an informational string about the certificate.
1558 */
1559 #define BEFORE_COLON 18
1560 #define BC "18"
mbedtls_x509_crt_info(char * buf,size_t size,const char * prefix,const mbedtls_x509_crt * crt)1561 int mbedtls_x509_crt_info( char *buf, size_t size, const char *prefix,
1562 const mbedtls_x509_crt *crt )
1563 {
1564 int ret;
1565 size_t n;
1566 char *p;
1567 char key_size_str[BEFORE_COLON];
1568
1569 p = buf;
1570 n = size;
1571
1572 if( NULL == crt )
1573 {
1574 ret = mbedtls_snprintf( p, n, "\nCertificate is uninitialised!\n" );
1575 MBEDTLS_X509_SAFE_SNPRINTF;
1576
1577 return( (int) ( size - n ) );
1578 }
1579
1580 ret = mbedtls_snprintf( p, n, "%scert. version : %d\n",
1581 prefix, crt->version );
1582 MBEDTLS_X509_SAFE_SNPRINTF;
1583 ret = mbedtls_snprintf( p, n, "%sserial number : ",
1584 prefix );
1585 MBEDTLS_X509_SAFE_SNPRINTF;
1586
1587 ret = mbedtls_x509_serial_gets( p, n, &crt->serial );
1588 MBEDTLS_X509_SAFE_SNPRINTF;
1589
1590 ret = mbedtls_snprintf( p, n, "\n%sissuer name : ", prefix );
1591 MBEDTLS_X509_SAFE_SNPRINTF;
1592 ret = mbedtls_x509_dn_gets( p, n, &crt->issuer );
1593 MBEDTLS_X509_SAFE_SNPRINTF;
1594
1595 ret = mbedtls_snprintf( p, n, "\n%ssubject name : ", prefix );
1596 MBEDTLS_X509_SAFE_SNPRINTF;
1597 ret = mbedtls_x509_dn_gets( p, n, &crt->subject );
1598 MBEDTLS_X509_SAFE_SNPRINTF;
1599
1600 ret = mbedtls_snprintf( p, n, "\n%sissued on : " \
1601 "%04d-%02d-%02d %02d:%02d:%02d", prefix,
1602 crt->valid_from.year, crt->valid_from.mon,
1603 crt->valid_from.day, crt->valid_from.hour,
1604 crt->valid_from.min, crt->valid_from.sec );
1605 MBEDTLS_X509_SAFE_SNPRINTF;
1606
1607 ret = mbedtls_snprintf( p, n, "\n%sexpires on : " \
1608 "%04d-%02d-%02d %02d:%02d:%02d", prefix,
1609 crt->valid_to.year, crt->valid_to.mon,
1610 crt->valid_to.day, crt->valid_to.hour,
1611 crt->valid_to.min, crt->valid_to.sec );
1612 MBEDTLS_X509_SAFE_SNPRINTF;
1613
1614 ret = mbedtls_snprintf( p, n, "\n%ssigned using : ", prefix );
1615 MBEDTLS_X509_SAFE_SNPRINTF;
1616
1617 ret = mbedtls_x509_sig_alg_gets( p, n, &crt->sig_oid, crt->sig_pk,
1618 crt->sig_md, crt->sig_opts );
1619 MBEDTLS_X509_SAFE_SNPRINTF;
1620
1621 /* Key size */
1622 if( ( ret = mbedtls_x509_key_size_helper( key_size_str, BEFORE_COLON,
1623 mbedtls_pk_get_name( &crt->pk ) ) ) != 0 )
1624 {
1625 return( ret );
1626 }
1627
1628 ret = mbedtls_snprintf( p, n, "\n%s%-" BC "s: %d bits", prefix, key_size_str,
1629 (int) mbedtls_pk_get_bitlen( &crt->pk ) );
1630 MBEDTLS_X509_SAFE_SNPRINTF;
1631
1632 /*
1633 * Optional extensions
1634 */
1635
1636 if( crt->ext_types & MBEDTLS_X509_EXT_BASIC_CONSTRAINTS )
1637 {
1638 ret = mbedtls_snprintf( p, n, "\n%sbasic constraints : CA=%s", prefix,
1639 crt->ca_istrue ? "true" : "false" );
1640 MBEDTLS_X509_SAFE_SNPRINTF;
1641
1642 if( crt->max_pathlen > 0 )
1643 {
1644 ret = mbedtls_snprintf( p, n, ", max_pathlen=%d", crt->max_pathlen - 1 );
1645 MBEDTLS_X509_SAFE_SNPRINTF;
1646 }
1647 }
1648
1649 if( crt->ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME )
1650 {
1651 ret = mbedtls_snprintf( p, n, "\n%ssubject alt name : ", prefix );
1652 MBEDTLS_X509_SAFE_SNPRINTF;
1653
1654 if( ( ret = x509_info_subject_alt_name( &p, &n,
1655 &crt->subject_alt_names ) ) != 0 )
1656 return( ret );
1657 }
1658
1659 if( crt->ext_types & MBEDTLS_X509_EXT_NS_CERT_TYPE )
1660 {
1661 ret = mbedtls_snprintf( p, n, "\n%scert. type : ", prefix );
1662 MBEDTLS_X509_SAFE_SNPRINTF;
1663
1664 if( ( ret = x509_info_cert_type( &p, &n, crt->ns_cert_type ) ) != 0 )
1665 return( ret );
1666 }
1667
1668 if( crt->ext_types & MBEDTLS_X509_EXT_KEY_USAGE )
1669 {
1670 ret = mbedtls_snprintf( p, n, "\n%skey usage : ", prefix );
1671 MBEDTLS_X509_SAFE_SNPRINTF;
1672
1673 if( ( ret = x509_info_key_usage( &p, &n, crt->key_usage ) ) != 0 )
1674 return( ret );
1675 }
1676
1677 if( crt->ext_types & MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE )
1678 {
1679 ret = mbedtls_snprintf( p, n, "\n%sext key usage : ", prefix );
1680 MBEDTLS_X509_SAFE_SNPRINTF;
1681
1682 if( ( ret = x509_info_ext_key_usage( &p, &n,
1683 &crt->ext_key_usage ) ) != 0 )
1684 return( ret );
1685 }
1686
1687 ret = mbedtls_snprintf( p, n, "\n" );
1688 MBEDTLS_X509_SAFE_SNPRINTF;
1689
1690 return( (int) ( size - n ) );
1691 }
1692
1693 struct x509_crt_verify_string {
1694 int code;
1695 const char *string;
1696 };
1697
1698 static const struct x509_crt_verify_string x509_crt_verify_strings[] = {
1699 { MBEDTLS_X509_BADCERT_EXPIRED, "The certificate validity has expired" },
1700 { MBEDTLS_X509_BADCERT_REVOKED, "The certificate has been revoked (is on a CRL)" },
1701 { MBEDTLS_X509_BADCERT_CN_MISMATCH, "The certificate Common Name (CN) does not match with the expected CN" },
1702 { MBEDTLS_X509_BADCERT_NOT_TRUSTED, "The certificate is not correctly signed by the trusted CA" },
1703 { MBEDTLS_X509_BADCRL_NOT_TRUSTED, "The CRL is not correctly signed by the trusted CA" },
1704 { MBEDTLS_X509_BADCRL_EXPIRED, "The CRL is expired" },
1705 { MBEDTLS_X509_BADCERT_MISSING, "Certificate was missing" },
1706 { MBEDTLS_X509_BADCERT_SKIP_VERIFY, "Certificate verification was skipped" },
1707 { MBEDTLS_X509_BADCERT_OTHER, "Other reason (can be used by verify callback)" },
1708 { MBEDTLS_X509_BADCERT_FUTURE, "The certificate validity starts in the future" },
1709 { MBEDTLS_X509_BADCRL_FUTURE, "The CRL is from the future" },
1710 { MBEDTLS_X509_BADCERT_KEY_USAGE, "Usage does not match the keyUsage extension" },
1711 { MBEDTLS_X509_BADCERT_EXT_KEY_USAGE, "Usage does not match the extendedKeyUsage extension" },
1712 { MBEDTLS_X509_BADCERT_NS_CERT_TYPE, "Usage does not match the nsCertType extension" },
1713 { MBEDTLS_X509_BADCERT_BAD_MD, "The certificate is signed with an unacceptable hash." },
1714 { MBEDTLS_X509_BADCERT_BAD_PK, "The certificate is signed with an unacceptable PK alg (eg RSA vs ECDSA)." },
1715 { MBEDTLS_X509_BADCERT_BAD_KEY, "The certificate is signed with an unacceptable key (eg bad curve, RSA too short)." },
1716 { MBEDTLS_X509_BADCRL_BAD_MD, "The CRL is signed with an unacceptable hash." },
1717 { MBEDTLS_X509_BADCRL_BAD_PK, "The CRL is signed with an unacceptable PK alg (eg RSA vs ECDSA)." },
1718 { MBEDTLS_X509_BADCRL_BAD_KEY, "The CRL is signed with an unacceptable key (eg bad curve, RSA too short)." },
1719 { 0, NULL }
1720 };
1721
mbedtls_x509_crt_verify_info(char * buf,size_t size,const char * prefix,uint32_t flags)1722 int mbedtls_x509_crt_verify_info( char *buf, size_t size, const char *prefix,
1723 uint32_t flags )
1724 {
1725 int ret;
1726 const struct x509_crt_verify_string *cur;
1727 char *p = buf;
1728 size_t n = size;
1729
1730 for( cur = x509_crt_verify_strings; cur->string != NULL ; cur++ )
1731 {
1732 if( ( flags & cur->code ) == 0 )
1733 continue;
1734
1735 ret = mbedtls_snprintf( p, n, "%s%s\n", prefix, cur->string );
1736 MBEDTLS_X509_SAFE_SNPRINTF;
1737 flags ^= cur->code;
1738 }
1739
1740 if( flags != 0 )
1741 {
1742 ret = mbedtls_snprintf( p, n, "%sUnknown reason "
1743 "(this should not happen)\n", prefix );
1744 MBEDTLS_X509_SAFE_SNPRINTF;
1745 }
1746
1747 return( (int) ( size - n ) );
1748 }
1749
1750 #if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
mbedtls_x509_crt_check_key_usage(const mbedtls_x509_crt * crt,unsigned int usage)1751 int mbedtls_x509_crt_check_key_usage( const mbedtls_x509_crt *crt,
1752 unsigned int usage )
1753 {
1754 unsigned int usage_must, usage_may;
1755 unsigned int may_mask = MBEDTLS_X509_KU_ENCIPHER_ONLY
1756 | MBEDTLS_X509_KU_DECIPHER_ONLY;
1757
1758 if( ( crt->ext_types & MBEDTLS_X509_EXT_KEY_USAGE ) == 0 )
1759 return( 0 );
1760
1761 usage_must = usage & ~may_mask;
1762
1763 if( ( ( crt->key_usage & ~may_mask ) & usage_must ) != usage_must )
1764 return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
1765
1766 usage_may = usage & may_mask;
1767
1768 if( ( ( crt->key_usage & may_mask ) | usage_may ) != usage_may )
1769 return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
1770
1771 return( 0 );
1772 }
1773 #endif
1774
1775 #if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
mbedtls_x509_crt_check_extended_key_usage(const mbedtls_x509_crt * crt,const char * usage_oid,size_t usage_len)1776 int mbedtls_x509_crt_check_extended_key_usage( const mbedtls_x509_crt *crt,
1777 const char *usage_oid,
1778 size_t usage_len )
1779 {
1780 const mbedtls_x509_sequence *cur;
1781
1782 /* Extension is not mandatory, absent means no restriction */
1783 if( ( crt->ext_types & MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE ) == 0 )
1784 return( 0 );
1785
1786 /*
1787 * Look for the requested usage (or wildcard ANY) in our list
1788 */
1789 for( cur = &crt->ext_key_usage; cur != NULL; cur = cur->next )
1790 {
1791 const mbedtls_x509_buf *cur_oid = &cur->buf;
1792
1793 if( cur_oid->len == usage_len &&
1794 memcmp( cur_oid->p, usage_oid, usage_len ) == 0 )
1795 {
1796 return( 0 );
1797 }
1798
1799 if( MBEDTLS_OID_CMP( MBEDTLS_OID_ANY_EXTENDED_KEY_USAGE, cur_oid ) == 0 )
1800 return( 0 );
1801 }
1802
1803 return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
1804 }
1805 #endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE */
1806
1807 #if defined(MBEDTLS_X509_CRL_PARSE_C)
1808 /*
1809 * Return 1 if the certificate is revoked, or 0 otherwise.
1810 */
mbedtls_x509_crt_is_revoked(const mbedtls_x509_crt * crt,const mbedtls_x509_crl * crl)1811 int mbedtls_x509_crt_is_revoked( const mbedtls_x509_crt *crt, const mbedtls_x509_crl *crl )
1812 {
1813 const mbedtls_x509_crl_entry *cur = &crl->entry;
1814
1815 while( cur != NULL && cur->serial.len != 0 )
1816 {
1817 if( crt->serial.len == cur->serial.len &&
1818 memcmp( crt->serial.p, cur->serial.p, crt->serial.len ) == 0 )
1819 {
1820 return( 1 );
1821 }
1822
1823 cur = cur->next;
1824 }
1825
1826 return( 0 );
1827 }
1828
1829 /*
1830 * Check that the given certificate is not revoked according to the CRL.
1831 * Skip validation if no CRL for the given CA is present.
1832 */
x509_crt_verifycrl(mbedtls_x509_crt * crt,mbedtls_x509_crt * ca,mbedtls_x509_crl * crl_list,const mbedtls_x509_crt_profile * profile)1833 static int x509_crt_verifycrl( mbedtls_x509_crt *crt, mbedtls_x509_crt *ca,
1834 mbedtls_x509_crl *crl_list,
1835 const mbedtls_x509_crt_profile *profile )
1836 {
1837 int flags = 0;
1838 unsigned char hash[MBEDTLS_MD_MAX_SIZE];
1839 const mbedtls_md_info_t *md_info;
1840
1841 if( ca == NULL )
1842 return( flags );
1843
1844 while( crl_list != NULL )
1845 {
1846 if( crl_list->version == 0 ||
1847 x509_name_cmp( &crl_list->issuer, &ca->subject ) != 0 )
1848 {
1849 crl_list = crl_list->next;
1850 continue;
1851 }
1852
1853 /*
1854 * Check if the CA is configured to sign CRLs
1855 */
1856 #if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
1857 if( mbedtls_x509_crt_check_key_usage( ca,
1858 MBEDTLS_X509_KU_CRL_SIGN ) != 0 )
1859 {
1860 flags |= MBEDTLS_X509_BADCRL_NOT_TRUSTED;
1861 break;
1862 }
1863 #endif
1864
1865 /*
1866 * Check if CRL is correctly signed by the trusted CA
1867 */
1868 if( x509_profile_check_md_alg( profile, crl_list->sig_md ) != 0 )
1869 flags |= MBEDTLS_X509_BADCRL_BAD_MD;
1870
1871 if( x509_profile_check_pk_alg( profile, crl_list->sig_pk ) != 0 )
1872 flags |= MBEDTLS_X509_BADCRL_BAD_PK;
1873
1874 md_info = mbedtls_md_info_from_type( crl_list->sig_md );
1875 if( mbedtls_md( md_info, crl_list->tbs.p, crl_list->tbs.len, hash ) != 0 )
1876 {
1877 /* Note: this can't happen except after an internal error */
1878 flags |= MBEDTLS_X509_BADCRL_NOT_TRUSTED;
1879 break;
1880 }
1881
1882 if( x509_profile_check_key( profile, &ca->pk ) != 0 )
1883 flags |= MBEDTLS_X509_BADCERT_BAD_KEY;
1884
1885 if( mbedtls_pk_verify_ext( crl_list->sig_pk, crl_list->sig_opts, &ca->pk,
1886 crl_list->sig_md, hash, mbedtls_md_get_size( md_info ),
1887 crl_list->sig.p, crl_list->sig.len ) != 0 )
1888 {
1889 flags |= MBEDTLS_X509_BADCRL_NOT_TRUSTED;
1890 break;
1891 }
1892
1893 /*
1894 * Check for validity of CRL (Do not drop out)
1895 */
1896 if( mbedtls_x509_time_is_past( &crl_list->next_update ) )
1897 flags |= MBEDTLS_X509_BADCRL_EXPIRED;
1898
1899 if( mbedtls_x509_time_is_future( &crl_list->this_update ) )
1900 flags |= MBEDTLS_X509_BADCRL_FUTURE;
1901
1902 /*
1903 * Check if certificate is revoked
1904 */
1905 if( mbedtls_x509_crt_is_revoked( crt, crl_list ) )
1906 {
1907 flags |= MBEDTLS_X509_BADCERT_REVOKED;
1908 break;
1909 }
1910
1911 crl_list = crl_list->next;
1912 }
1913
1914 return( flags );
1915 }
1916 #endif /* MBEDTLS_X509_CRL_PARSE_C */
1917
1918 /*
1919 * Check the signature of a certificate by its parent
1920 */
x509_crt_check_signature(const mbedtls_x509_crt * child,mbedtls_x509_crt * parent,mbedtls_x509_crt_restart_ctx * rs_ctx)1921 static int x509_crt_check_signature( const mbedtls_x509_crt *child,
1922 mbedtls_x509_crt *parent,
1923 mbedtls_x509_crt_restart_ctx *rs_ctx )
1924 {
1925 const mbedtls_md_info_t *md_info;
1926 unsigned char hash[MBEDTLS_MD_MAX_SIZE];
1927
1928 md_info = mbedtls_md_info_from_type( child->sig_md );
1929 if( mbedtls_md( md_info, child->tbs.p, child->tbs.len, hash ) != 0 )
1930 {
1931 /* Note: this can't happen except after an internal error */
1932 return( -1 );
1933 }
1934
1935 /* Skip expensive computation on obvious mismatch */
1936 if( ! mbedtls_pk_can_do( &parent->pk, child->sig_pk ) )
1937 return( -1 );
1938
1939 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
1940 if( rs_ctx != NULL && child->sig_pk == MBEDTLS_PK_ECDSA )
1941 {
1942 return( mbedtls_pk_verify_restartable( &parent->pk,
1943 child->sig_md, hash, mbedtls_md_get_size( md_info ),
1944 child->sig.p, child->sig.len, &rs_ctx->pk ) );
1945 }
1946 #else
1947 (void) rs_ctx;
1948 #endif
1949
1950 return( mbedtls_pk_verify_ext( child->sig_pk, child->sig_opts, &parent->pk,
1951 child->sig_md, hash, mbedtls_md_get_size( md_info ),
1952 child->sig.p, child->sig.len ) );
1953 }
1954
1955 /*
1956 * Check if 'parent' is a suitable parent (signing CA) for 'child'.
1957 * Return 0 if yes, -1 if not.
1958 *
1959 * top means parent is a locally-trusted certificate
1960 */
x509_crt_check_parent(const mbedtls_x509_crt * child,const mbedtls_x509_crt * parent,int top)1961 static int x509_crt_check_parent( const mbedtls_x509_crt *child,
1962 const mbedtls_x509_crt *parent,
1963 int top )
1964 {
1965 int need_ca_bit;
1966
1967 /* Parent must be the issuer */
1968 if( x509_name_cmp( &child->issuer, &parent->subject ) != 0 )
1969 return( -1 );
1970
1971 /* Parent must have the basicConstraints CA bit set as a general rule */
1972 need_ca_bit = 1;
1973
1974 /* Exception: v1/v2 certificates that are locally trusted. */
1975 if( top && parent->version < 3 )
1976 need_ca_bit = 0;
1977
1978 if( need_ca_bit && ! parent->ca_istrue )
1979 return( -1 );
1980
1981 #if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
1982 if( need_ca_bit &&
1983 mbedtls_x509_crt_check_key_usage( parent, MBEDTLS_X509_KU_KEY_CERT_SIGN ) != 0 )
1984 {
1985 return( -1 );
1986 }
1987 #endif
1988
1989 return( 0 );
1990 }
1991
1992 /*
1993 * Find a suitable parent for child in candidates, or return NULL.
1994 *
1995 * Here suitable is defined as:
1996 * 1. subject name matches child's issuer
1997 * 2. if necessary, the CA bit is set and key usage allows signing certs
1998 * 3. for trusted roots, the signature is correct
1999 * (for intermediates, the signature is checked and the result reported)
2000 * 4. pathlen constraints are satisfied
2001 *
2002 * If there's a suitable candidate which is also time-valid, return the first
2003 * such. Otherwise, return the first suitable candidate (or NULL if there is
2004 * none).
2005 *
2006 * The rationale for this rule is that someone could have a list of trusted
2007 * roots with two versions on the same root with different validity periods.
2008 * (At least one user reported having such a list and wanted it to just work.)
2009 * The reason we don't just require time-validity is that generally there is
2010 * only one version, and if it's expired we want the flags to state that
2011 * rather than NOT_TRUSTED, as would be the case if we required it here.
2012 *
2013 * The rationale for rule 3 (signature for trusted roots) is that users might
2014 * have two versions of the same CA with different keys in their list, and the
2015 * way we select the correct one is by checking the signature (as we don't
2016 * rely on key identifier extensions). (This is one way users might choose to
2017 * handle key rollover, another relies on self-issued certs, see [SIRO].)
2018 *
2019 * Arguments:
2020 * - [in] child: certificate for which we're looking for a parent
2021 * - [in] candidates: chained list of potential parents
2022 * - [out] r_parent: parent found (or NULL)
2023 * - [out] r_signature_is_good: 1 if child signature by parent is valid, or 0
2024 * - [in] top: 1 if candidates consists of trusted roots, ie we're at the top
2025 * of the chain, 0 otherwise
2026 * - [in] path_cnt: number of intermediates seen so far
2027 * - [in] self_cnt: number of self-signed intermediates seen so far
2028 * (will never be greater than path_cnt)
2029 * - [in-out] rs_ctx: context for restarting operations
2030 *
2031 * Return value:
2032 * - 0 on success
2033 * - MBEDTLS_ERR_ECP_IN_PROGRESS otherwise
2034 */
x509_crt_find_parent_in(mbedtls_x509_crt * child,mbedtls_x509_crt * candidates,mbedtls_x509_crt ** r_parent,int * r_signature_is_good,int top,unsigned path_cnt,unsigned self_cnt,mbedtls_x509_crt_restart_ctx * rs_ctx)2035 static int x509_crt_find_parent_in(
2036 mbedtls_x509_crt *child,
2037 mbedtls_x509_crt *candidates,
2038 mbedtls_x509_crt **r_parent,
2039 int *r_signature_is_good,
2040 int top,
2041 unsigned path_cnt,
2042 unsigned self_cnt,
2043 mbedtls_x509_crt_restart_ctx *rs_ctx )
2044 {
2045 int ret;
2046 mbedtls_x509_crt *parent, *fallback_parent;
2047 int signature_is_good, fallback_signature_is_good;
2048
2049 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
2050 /* did we have something in progress? */
2051 if( rs_ctx != NULL && rs_ctx->parent != NULL )
2052 {
2053 /* restore saved state */
2054 parent = rs_ctx->parent;
2055 fallback_parent = rs_ctx->fallback_parent;
2056 fallback_signature_is_good = rs_ctx->fallback_signature_is_good;
2057
2058 /* clear saved state */
2059 rs_ctx->parent = NULL;
2060 rs_ctx->fallback_parent = NULL;
2061 rs_ctx->fallback_signature_is_good = 0;
2062
2063 /* resume where we left */
2064 goto check_signature;
2065 }
2066 #endif
2067
2068 fallback_parent = NULL;
2069 fallback_signature_is_good = 0;
2070
2071 for( parent = candidates; parent != NULL; parent = parent->next )
2072 {
2073 /* basic parenting skills (name, CA bit, key usage) */
2074 if( x509_crt_check_parent( child, parent, top ) != 0 )
2075 continue;
2076
2077 /* +1 because stored max_pathlen is 1 higher that the actual value */
2078 if( parent->max_pathlen > 0 &&
2079 (size_t) parent->max_pathlen < 1 + path_cnt - self_cnt )
2080 {
2081 continue;
2082 }
2083
2084 /* Signature */
2085 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
2086 check_signature:
2087 #endif
2088 ret = x509_crt_check_signature( child, parent, rs_ctx );
2089
2090 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
2091 if( rs_ctx != NULL && ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
2092 {
2093 /* save state */
2094 rs_ctx->parent = parent;
2095 rs_ctx->fallback_parent = fallback_parent;
2096 rs_ctx->fallback_signature_is_good = fallback_signature_is_good;
2097
2098 return( ret );
2099 }
2100 #else
2101 (void) ret;
2102 #endif
2103
2104 signature_is_good = ret == 0;
2105 if( top && ! signature_is_good )
2106 continue;
2107
2108 /* optional time check */
2109 if( mbedtls_x509_time_is_past( &parent->valid_to ) ||
2110 mbedtls_x509_time_is_future( &parent->valid_from ) )
2111 {
2112 if( fallback_parent == NULL )
2113 {
2114 fallback_parent = parent;
2115 fallback_signature_is_good = signature_is_good;
2116 }
2117
2118 continue;
2119 }
2120
2121 *r_parent = parent;
2122 *r_signature_is_good = signature_is_good;
2123
2124 break;
2125 }
2126
2127 if( parent == NULL )
2128 {
2129 *r_parent = fallback_parent;
2130 *r_signature_is_good = fallback_signature_is_good;
2131 }
2132
2133 return( 0 );
2134 }
2135
2136 /*
2137 * Find a parent in trusted CAs or the provided chain, or return NULL.
2138 *
2139 * Searches in trusted CAs first, and return the first suitable parent found
2140 * (see find_parent_in() for definition of suitable).
2141 *
2142 * Arguments:
2143 * - [in] child: certificate for which we're looking for a parent, followed
2144 * by a chain of possible intermediates
2145 * - [in] trust_ca: list of locally trusted certificates
2146 * - [out] parent: parent found (or NULL)
2147 * - [out] parent_is_trusted: 1 if returned `parent` is trusted, or 0
2148 * - [out] signature_is_good: 1 if child signature by parent is valid, or 0
2149 * - [in] path_cnt: number of links in the chain so far (EE -> ... -> child)
2150 * - [in] self_cnt: number of self-signed certs in the chain so far
2151 * (will always be no greater than path_cnt)
2152 * - [in-out] rs_ctx: context for restarting operations
2153 *
2154 * Return value:
2155 * - 0 on success
2156 * - MBEDTLS_ERR_ECP_IN_PROGRESS otherwise
2157 */
x509_crt_find_parent(mbedtls_x509_crt * child,mbedtls_x509_crt * trust_ca,mbedtls_x509_crt ** parent,int * parent_is_trusted,int * signature_is_good,unsigned path_cnt,unsigned self_cnt,mbedtls_x509_crt_restart_ctx * rs_ctx)2158 static int x509_crt_find_parent(
2159 mbedtls_x509_crt *child,
2160 mbedtls_x509_crt *trust_ca,
2161 mbedtls_x509_crt **parent,
2162 int *parent_is_trusted,
2163 int *signature_is_good,
2164 unsigned path_cnt,
2165 unsigned self_cnt,
2166 mbedtls_x509_crt_restart_ctx *rs_ctx )
2167 {
2168 int ret;
2169 mbedtls_x509_crt *search_list;
2170
2171 *parent_is_trusted = 1;
2172
2173 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
2174 /* restore then clear saved state if we have some stored */
2175 if( rs_ctx != NULL && rs_ctx->parent_is_trusted != -1 )
2176 {
2177 *parent_is_trusted = rs_ctx->parent_is_trusted;
2178 rs_ctx->parent_is_trusted = -1;
2179 }
2180 #endif
2181
2182 while( 1 ) {
2183 search_list = *parent_is_trusted ? trust_ca : child->next;
2184
2185 ret = x509_crt_find_parent_in( child, search_list,
2186 parent, signature_is_good,
2187 *parent_is_trusted,
2188 path_cnt, self_cnt, rs_ctx );
2189
2190 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
2191 if( rs_ctx != NULL && ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
2192 {
2193 /* save state */
2194 rs_ctx->parent_is_trusted = *parent_is_trusted;
2195 return( ret );
2196 }
2197 #else
2198 (void) ret;
2199 #endif
2200
2201 /* stop here if found or already in second iteration */
2202 if( *parent != NULL || *parent_is_trusted == 0 )
2203 break;
2204
2205 /* prepare second iteration */
2206 *parent_is_trusted = 0;
2207 }
2208
2209 /* extra precaution against mistakes in the caller */
2210 if( *parent == NULL )
2211 {
2212 *parent_is_trusted = 0;
2213 *signature_is_good = 0;
2214 }
2215
2216 return( 0 );
2217 }
2218
2219 /*
2220 * Check if an end-entity certificate is locally trusted
2221 *
2222 * Currently we require such certificates to be self-signed (actually only
2223 * check for self-issued as self-signatures are not checked)
2224 */
x509_crt_check_ee_locally_trusted(mbedtls_x509_crt * crt,mbedtls_x509_crt * trust_ca)2225 static int x509_crt_check_ee_locally_trusted(
2226 mbedtls_x509_crt *crt,
2227 mbedtls_x509_crt *trust_ca )
2228 {
2229 mbedtls_x509_crt *cur;
2230
2231 /* must be self-issued */
2232 if( x509_name_cmp( &crt->issuer, &crt->subject ) != 0 )
2233 return( -1 );
2234
2235 /* look for an exact match with trusted cert */
2236 for( cur = trust_ca; cur != NULL; cur = cur->next )
2237 {
2238 if( crt->raw.len == cur->raw.len &&
2239 memcmp( crt->raw.p, cur->raw.p, crt->raw.len ) == 0 )
2240 {
2241 return( 0 );
2242 }
2243 }
2244
2245 /* too bad */
2246 return( -1 );
2247 }
2248
2249 /*
2250 * Build and verify a certificate chain
2251 *
2252 * Given a peer-provided list of certificates EE, C1, ..., Cn and
2253 * a list of trusted certs R1, ... Rp, try to build and verify a chain
2254 * EE, Ci1, ... Ciq [, Rj]
2255 * such that every cert in the chain is a child of the next one,
2256 * jumping to a trusted root as early as possible.
2257 *
2258 * Verify that chain and return it with flags for all issues found.
2259 *
2260 * Special cases:
2261 * - EE == Rj -> return a one-element list containing it
2262 * - EE, Ci1, ..., Ciq cannot be continued with a trusted root
2263 * -> return that chain with NOT_TRUSTED set on Ciq
2264 *
2265 * Tests for (aspects of) this function should include at least:
2266 * - trusted EE
2267 * - EE -> trusted root
2268 * - EE -> intermediate CA -> trusted root
2269 * - if relevant: EE untrusted
2270 * - if relevant: EE -> intermediate, untrusted
2271 * with the aspect under test checked at each relevant level (EE, int, root).
2272 * For some aspects longer chains are required, but usually length 2 is
2273 * enough (but length 1 is not in general).
2274 *
2275 * Arguments:
2276 * - [in] crt: the cert list EE, C1, ..., Cn
2277 * - [in] trust_ca: the trusted list R1, ..., Rp
2278 * - [in] ca_crl, profile: as in verify_with_profile()
2279 * - [out] ver_chain: the built and verified chain
2280 * Only valid when return value is 0, may contain garbage otherwise!
2281 * Restart note: need not be the same when calling again to resume.
2282 * - [in-out] rs_ctx: context for restarting operations
2283 *
2284 * Return value:
2285 * - non-zero if the chain could not be fully built and examined
2286 * - 0 is the chain was successfully built and examined,
2287 * even if it was found to be invalid
2288 */
x509_crt_verify_chain(mbedtls_x509_crt * crt,mbedtls_x509_crt * trust_ca,mbedtls_x509_crl * ca_crl,const mbedtls_x509_crt_profile * profile,mbedtls_x509_crt_verify_chain * ver_chain,mbedtls_x509_crt_restart_ctx * rs_ctx)2289 static int x509_crt_verify_chain(
2290 mbedtls_x509_crt *crt,
2291 mbedtls_x509_crt *trust_ca,
2292 mbedtls_x509_crl *ca_crl,
2293 const mbedtls_x509_crt_profile *profile,
2294 mbedtls_x509_crt_verify_chain *ver_chain,
2295 mbedtls_x509_crt_restart_ctx *rs_ctx )
2296 {
2297 /* Don't initialize any of those variables here, so that the compiler can
2298 * catch potential issues with jumping ahead when restarting */
2299 int ret;
2300 uint32_t *flags;
2301 mbedtls_x509_crt_verify_chain_item *cur;
2302 mbedtls_x509_crt *child;
2303 mbedtls_x509_crt *parent;
2304 int parent_is_trusted;
2305 int child_is_trusted;
2306 int signature_is_good;
2307 unsigned self_cnt;
2308
2309 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
2310 /* resume if we had an operation in progress */
2311 if( rs_ctx != NULL && rs_ctx->in_progress == x509_crt_rs_find_parent )
2312 {
2313 /* restore saved state */
2314 *ver_chain = rs_ctx->ver_chain; /* struct copy */
2315 self_cnt = rs_ctx->self_cnt;
2316
2317 /* restore derived state */
2318 cur = &ver_chain->items[ver_chain->len - 1];
2319 child = cur->crt;
2320 flags = &cur->flags;
2321
2322 goto find_parent;
2323 }
2324 #endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
2325
2326 child = crt;
2327 self_cnt = 0;
2328 parent_is_trusted = 0;
2329 child_is_trusted = 0;
2330
2331 while( 1 ) {
2332 /* Add certificate to the verification chain */
2333 cur = &ver_chain->items[ver_chain->len];
2334 cur->crt = child;
2335 cur->flags = 0;
2336 ver_chain->len++;
2337 flags = &cur->flags;
2338
2339 /* Check time-validity (all certificates) */
2340 if( mbedtls_x509_time_is_past( &child->valid_to ) )
2341 *flags |= MBEDTLS_X509_BADCERT_EXPIRED;
2342
2343 if( mbedtls_x509_time_is_future( &child->valid_from ) )
2344 *flags |= MBEDTLS_X509_BADCERT_FUTURE;
2345
2346 /* Stop here for trusted roots (but not for trusted EE certs) */
2347 if( child_is_trusted )
2348 return( 0 );
2349
2350 /* Check signature algorithm: MD & PK algs */
2351 if( x509_profile_check_md_alg( profile, child->sig_md ) != 0 )
2352 *flags |= MBEDTLS_X509_BADCERT_BAD_MD;
2353
2354 if( x509_profile_check_pk_alg( profile, child->sig_pk ) != 0 )
2355 *flags |= MBEDTLS_X509_BADCERT_BAD_PK;
2356
2357 /* Special case: EE certs that are locally trusted */
2358 if( ver_chain->len == 1 &&
2359 x509_crt_check_ee_locally_trusted( child, trust_ca ) == 0 )
2360 {
2361 return( 0 );
2362 }
2363
2364 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
2365 find_parent:
2366 #endif
2367 /* Look for a parent in trusted CAs or up the chain */
2368 ret = x509_crt_find_parent( child, trust_ca, &parent,
2369 &parent_is_trusted, &signature_is_good,
2370 ver_chain->len - 1, self_cnt, rs_ctx );
2371
2372 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
2373 if( rs_ctx != NULL && ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
2374 {
2375 /* save state */
2376 rs_ctx->in_progress = x509_crt_rs_find_parent;
2377 rs_ctx->self_cnt = self_cnt;
2378 rs_ctx->ver_chain = *ver_chain; /* struct copy */
2379
2380 return( ret );
2381 }
2382 #else
2383 (void) ret;
2384 #endif
2385
2386 /* No parent? We're done here */
2387 if( parent == NULL )
2388 {
2389 *flags |= MBEDTLS_X509_BADCERT_NOT_TRUSTED;
2390 return( 0 );
2391 }
2392
2393 /* Count intermediate self-issued (not necessarily self-signed) certs.
2394 * These can occur with some strategies for key rollover, see [SIRO],
2395 * and should be excluded from max_pathlen checks. */
2396 if( ver_chain->len != 1 &&
2397 x509_name_cmp( &child->issuer, &child->subject ) == 0 )
2398 {
2399 self_cnt++;
2400 }
2401
2402 /* path_cnt is 0 for the first intermediate CA,
2403 * and if parent is trusted it's not an intermediate CA */
2404 if( ! parent_is_trusted &&
2405 ver_chain->len > MBEDTLS_X509_MAX_INTERMEDIATE_CA )
2406 {
2407 /* return immediately to avoid overflow the chain array */
2408 return( MBEDTLS_ERR_X509_FATAL_ERROR );
2409 }
2410
2411 /* signature was checked while searching parent */
2412 if( ! signature_is_good )
2413 *flags |= MBEDTLS_X509_BADCERT_NOT_TRUSTED;
2414
2415 /* check size of signing key */
2416 if( x509_profile_check_key( profile, &parent->pk ) != 0 )
2417 *flags |= MBEDTLS_X509_BADCERT_BAD_KEY;
2418
2419 #if defined(MBEDTLS_X509_CRL_PARSE_C)
2420 /* Check trusted CA's CRL for the given crt */
2421 *flags |= x509_crt_verifycrl( child, parent, ca_crl, profile );
2422 #else
2423 (void) ca_crl;
2424 #endif
2425
2426 /* prepare for next iteration */
2427 child = parent;
2428 parent = NULL;
2429 child_is_trusted = parent_is_trusted;
2430 signature_is_good = 0;
2431 }
2432 }
2433
2434 /*
2435 * Check for CN match
2436 */
x509_crt_check_cn(const mbedtls_x509_buf * name,const char * cn,size_t cn_len)2437 static int x509_crt_check_cn( const mbedtls_x509_buf *name,
2438 const char *cn, size_t cn_len )
2439 {
2440 /* try exact match */
2441 if( name->len == cn_len &&
2442 x509_memcasecmp( cn, name->p, cn_len ) == 0 )
2443 {
2444 return( 0 );
2445 }
2446
2447 /* try wildcard match */
2448 if( x509_check_wildcard( cn, name ) == 0 )
2449 {
2450 return( 0 );
2451 }
2452
2453 return( -1 );
2454 }
2455
2456 /*
2457 * Verify the requested CN - only call this if cn is not NULL!
2458 */
x509_crt_verify_name(const mbedtls_x509_crt * crt,const char * cn,uint32_t * flags)2459 static void x509_crt_verify_name( const mbedtls_x509_crt *crt,
2460 const char *cn,
2461 uint32_t *flags )
2462 {
2463 const mbedtls_x509_name *name;
2464 const mbedtls_x509_sequence *cur;
2465 size_t cn_len = strlen( cn );
2466
2467 if( crt->ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME )
2468 {
2469 for( cur = &crt->subject_alt_names; cur != NULL; cur = cur->next )
2470 {
2471 if( x509_crt_check_cn( &cur->buf, cn, cn_len ) == 0 )
2472 break;
2473 }
2474
2475 if( cur == NULL )
2476 *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH;
2477 }
2478 else
2479 {
2480 for( name = &crt->subject; name != NULL; name = name->next )
2481 {
2482 if( MBEDTLS_OID_CMP( MBEDTLS_OID_AT_CN, &name->oid ) == 0 &&
2483 x509_crt_check_cn( &name->val, cn, cn_len ) == 0 )
2484 {
2485 break;
2486 }
2487 }
2488
2489 if( name == NULL )
2490 *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH;
2491 }
2492 }
2493
2494 /*
2495 * Merge the flags for all certs in the chain, after calling callback
2496 */
x509_crt_merge_flags_with_cb(uint32_t * flags,const mbedtls_x509_crt_verify_chain * ver_chain,int (* f_vrfy)(void *,mbedtls_x509_crt *,int,uint32_t *),void * p_vrfy)2497 static int x509_crt_merge_flags_with_cb(
2498 uint32_t *flags,
2499 const mbedtls_x509_crt_verify_chain *ver_chain,
2500 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
2501 void *p_vrfy )
2502 {
2503 int ret;
2504 unsigned i;
2505 uint32_t cur_flags;
2506 const mbedtls_x509_crt_verify_chain_item *cur;
2507
2508 for( i = ver_chain->len; i != 0; --i )
2509 {
2510 cur = &ver_chain->items[i-1];
2511 cur_flags = cur->flags;
2512
2513 if( NULL != f_vrfy )
2514 if( ( ret = f_vrfy( p_vrfy, cur->crt, (int) i-1, &cur_flags ) ) != 0 )
2515 return( ret );
2516
2517 *flags |= cur_flags;
2518 }
2519
2520 return( 0 );
2521 }
2522
2523 /*
2524 * Verify the certificate validity (default profile, not restartable)
2525 */
mbedtls_x509_crt_verify(mbedtls_x509_crt * crt,mbedtls_x509_crt * trust_ca,mbedtls_x509_crl * ca_crl,const char * cn,uint32_t * flags,int (* f_vrfy)(void *,mbedtls_x509_crt *,int,uint32_t *),void * p_vrfy)2526 int mbedtls_x509_crt_verify( mbedtls_x509_crt *crt,
2527 mbedtls_x509_crt *trust_ca,
2528 mbedtls_x509_crl *ca_crl,
2529 const char *cn, uint32_t *flags,
2530 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
2531 void *p_vrfy )
2532 {
2533 return( mbedtls_x509_crt_verify_restartable( crt, trust_ca, ca_crl,
2534 &mbedtls_x509_crt_profile_default, cn, flags,
2535 f_vrfy, p_vrfy, NULL ) );
2536 }
2537
2538 /*
2539 * Verify the certificate validity (user-chosen profile, not restartable)
2540 */
mbedtls_x509_crt_verify_with_profile(mbedtls_x509_crt * crt,mbedtls_x509_crt * trust_ca,mbedtls_x509_crl * ca_crl,const mbedtls_x509_crt_profile * profile,const char * cn,uint32_t * flags,int (* f_vrfy)(void *,mbedtls_x509_crt *,int,uint32_t *),void * p_vrfy)2541 int mbedtls_x509_crt_verify_with_profile( mbedtls_x509_crt *crt,
2542 mbedtls_x509_crt *trust_ca,
2543 mbedtls_x509_crl *ca_crl,
2544 const mbedtls_x509_crt_profile *profile,
2545 const char *cn, uint32_t *flags,
2546 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
2547 void *p_vrfy )
2548 {
2549 return( mbedtls_x509_crt_verify_restartable( crt, trust_ca, ca_crl,
2550 profile, cn, flags, f_vrfy, p_vrfy, NULL ) );
2551 }
2552
2553 /*
2554 * Verify the certificate validity, with profile, restartable version
2555 *
2556 * This function:
2557 * - checks the requested CN (if any)
2558 * - checks the type and size of the EE cert's key,
2559 * as that isn't done as part of chain building/verification currently
2560 * - builds and verifies the chain
2561 * - then calls the callback and merges the flags
2562 */
mbedtls_x509_crt_verify_restartable(mbedtls_x509_crt * crt,mbedtls_x509_crt * trust_ca,mbedtls_x509_crl * ca_crl,const mbedtls_x509_crt_profile * profile,const char * cn,uint32_t * flags,int (* f_vrfy)(void *,mbedtls_x509_crt *,int,uint32_t *),void * p_vrfy,mbedtls_x509_crt_restart_ctx * rs_ctx)2563 int mbedtls_x509_crt_verify_restartable( mbedtls_x509_crt *crt,
2564 mbedtls_x509_crt *trust_ca,
2565 mbedtls_x509_crl *ca_crl,
2566 const mbedtls_x509_crt_profile *profile,
2567 const char *cn, uint32_t *flags,
2568 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
2569 void *p_vrfy,
2570 mbedtls_x509_crt_restart_ctx *rs_ctx )
2571 {
2572 int ret;
2573 mbedtls_pk_type_t pk_type;
2574 mbedtls_x509_crt_verify_chain ver_chain;
2575 uint32_t ee_flags;
2576
2577 *flags = 0;
2578 ee_flags = 0;
2579 x509_crt_verify_chain_reset( &ver_chain );
2580
2581 if( profile == NULL )
2582 {
2583 ret = MBEDTLS_ERR_X509_BAD_INPUT_DATA;
2584 goto exit;
2585 }
2586
2587 /* check name if requested */
2588 if( cn != NULL )
2589 x509_crt_verify_name( crt, cn, &ee_flags );
2590
2591 /* Check the type and size of the key */
2592 pk_type = mbedtls_pk_get_type( &crt->pk );
2593
2594 if( x509_profile_check_pk_alg( profile, pk_type ) != 0 )
2595 ee_flags |= MBEDTLS_X509_BADCERT_BAD_PK;
2596
2597 if( x509_profile_check_key( profile, &crt->pk ) != 0 )
2598 ee_flags |= MBEDTLS_X509_BADCERT_BAD_KEY;
2599
2600 /* Check the chain */
2601 ret = x509_crt_verify_chain( crt, trust_ca, ca_crl, profile,
2602 &ver_chain, rs_ctx );
2603
2604 if( ret != 0 )
2605 goto exit;
2606
2607 /* Merge end-entity flags */
2608 ver_chain.items[0].flags |= ee_flags;
2609
2610 /* Build final flags, calling callback on the way if any */
2611 ret = x509_crt_merge_flags_with_cb( flags, &ver_chain, f_vrfy, p_vrfy );
2612
2613 exit:
2614 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
2615 if( rs_ctx != NULL && ret != MBEDTLS_ERR_ECP_IN_PROGRESS )
2616 mbedtls_x509_crt_restart_free( rs_ctx );
2617 #endif
2618
2619 /* prevent misuse of the vrfy callback - VERIFY_FAILED would be ignored by
2620 * the SSL module for authmode optional, but non-zero return from the
2621 * callback means a fatal error so it shouldn't be ignored */
2622 if( ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED )
2623 ret = MBEDTLS_ERR_X509_FATAL_ERROR;
2624
2625 if( ret != 0 )
2626 {
2627 *flags = (uint32_t) -1;
2628 return( ret );
2629 }
2630
2631 if( *flags != 0 )
2632 return( MBEDTLS_ERR_X509_CERT_VERIFY_FAILED );
2633
2634 return( 0 );
2635 }
2636
2637 /*
2638 * Initialize a certificate chain
2639 */
mbedtls_x509_crt_init(mbedtls_x509_crt * crt)2640 void mbedtls_x509_crt_init( mbedtls_x509_crt *crt )
2641 {
2642 memset( crt, 0, sizeof(mbedtls_x509_crt) );
2643 }
2644
2645 /*
2646 * Unallocate all certificate data
2647 */
mbedtls_x509_crt_free(mbedtls_x509_crt * crt)2648 void mbedtls_x509_crt_free( mbedtls_x509_crt *crt )
2649 {
2650 mbedtls_x509_crt *cert_cur = crt;
2651 mbedtls_x509_crt *cert_prv;
2652 mbedtls_x509_name *name_cur;
2653 mbedtls_x509_name *name_prv;
2654 mbedtls_x509_sequence *seq_cur;
2655 mbedtls_x509_sequence *seq_prv;
2656
2657 if( crt == NULL )
2658 return;
2659
2660 do
2661 {
2662 mbedtls_pk_free( &cert_cur->pk );
2663
2664 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
2665 mbedtls_free( cert_cur->sig_opts );
2666 #endif
2667
2668 name_cur = cert_cur->issuer.next;
2669 while( name_cur != NULL )
2670 {
2671 name_prv = name_cur;
2672 name_cur = name_cur->next;
2673 mbedtls_platform_zeroize( name_prv, sizeof( mbedtls_x509_name ) );
2674 mbedtls_free( name_prv );
2675 }
2676
2677 name_cur = cert_cur->subject.next;
2678 while( name_cur != NULL )
2679 {
2680 name_prv = name_cur;
2681 name_cur = name_cur->next;
2682 mbedtls_platform_zeroize( name_prv, sizeof( mbedtls_x509_name ) );
2683 mbedtls_free( name_prv );
2684 }
2685
2686 seq_cur = cert_cur->ext_key_usage.next;
2687 while( seq_cur != NULL )
2688 {
2689 seq_prv = seq_cur;
2690 seq_cur = seq_cur->next;
2691 mbedtls_platform_zeroize( seq_prv,
2692 sizeof( mbedtls_x509_sequence ) );
2693 mbedtls_free( seq_prv );
2694 }
2695
2696 seq_cur = cert_cur->subject_alt_names.next;
2697 while( seq_cur != NULL )
2698 {
2699 seq_prv = seq_cur;
2700 seq_cur = seq_cur->next;
2701 mbedtls_platform_zeroize( seq_prv,
2702 sizeof( mbedtls_x509_sequence ) );
2703 mbedtls_free( seq_prv );
2704 }
2705
2706 if( cert_cur->raw.p != NULL )
2707 {
2708 mbedtls_platform_zeroize( cert_cur->raw.p, cert_cur->raw.len );
2709 mbedtls_free( cert_cur->raw.p );
2710 }
2711
2712 cert_cur = cert_cur->next;
2713 }
2714 while( cert_cur != NULL );
2715
2716 cert_cur = crt;
2717 do
2718 {
2719 cert_prv = cert_cur;
2720 cert_cur = cert_cur->next;
2721
2722 mbedtls_platform_zeroize( cert_prv, sizeof( mbedtls_x509_crt ) );
2723 if( cert_prv != crt )
2724 mbedtls_free( cert_prv );
2725 }
2726 while( cert_cur != NULL );
2727 }
2728
2729 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
2730 /*
2731 * Initialize a restart context
2732 */
mbedtls_x509_crt_restart_init(mbedtls_x509_crt_restart_ctx * ctx)2733 void mbedtls_x509_crt_restart_init( mbedtls_x509_crt_restart_ctx *ctx )
2734 {
2735 mbedtls_pk_restart_init( &ctx->pk );
2736
2737 ctx->parent = NULL;
2738 ctx->fallback_parent = NULL;
2739 ctx->fallback_signature_is_good = 0;
2740
2741 ctx->parent_is_trusted = -1;
2742
2743 ctx->in_progress = x509_crt_rs_none;
2744 ctx->self_cnt = 0;
2745 x509_crt_verify_chain_reset( &ctx->ver_chain );
2746 }
2747
2748 /*
2749 * Free the components of a restart context
2750 */
mbedtls_x509_crt_restart_free(mbedtls_x509_crt_restart_ctx * ctx)2751 void mbedtls_x509_crt_restart_free( mbedtls_x509_crt_restart_ctx *ctx )
2752 {
2753 if( ctx == NULL )
2754 return;
2755
2756 mbedtls_pk_restart_free( &ctx->pk );
2757 mbedtls_x509_crt_restart_init( ctx );
2758 }
2759 #endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
2760
2761 #endif /* MBEDTLS_X509_CRT_PARSE_C */
2762