• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  *  X.509 certificate parsing and verification
3  *
4  *  Copyright The Mbed TLS Contributors
5  *  SPDX-License-Identifier: Apache-2.0
6  *
7  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
8  *  not use this file except in compliance with the License.
9  *  You may obtain a copy of the License at
10  *
11  *  http://www.apache.org/licenses/LICENSE-2.0
12  *
13  *  Unless required by applicable law or agreed to in writing, software
14  *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  *  See the License for the specific language governing permissions and
17  *  limitations under the License.
18  */
19 /*
20  *  The ITU-T X.509 standard defines a certificate format for PKI.
21  *
22  *  http://www.ietf.org/rfc/rfc5280.txt (Certificates and CRLs)
23  *  http://www.ietf.org/rfc/rfc3279.txt (Alg IDs for CRLs)
24  *  http://www.ietf.org/rfc/rfc2986.txt (CSRs, aka PKCS#10)
25  *
26  *  http://www.itu.int/ITU-T/studygroups/com17/languages/X.680-0207.pdf
27  *  http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf
28  *
29  *  [SIRO] https://cabforum.org/wp-content/uploads/Chunghwatelecom201503cabforumV4.pdf
30  */
31 
32 #include "common.h"
33 
34 #if defined(MBEDTLS_X509_CRT_PARSE_C)
35 
36 #include "mbedtls/x509_crt.h"
37 #include "mbedtls/error.h"
38 #include "mbedtls/oid.h"
39 #include "mbedtls/platform_util.h"
40 
41 #include <string.h>
42 
43 #if defined(MBEDTLS_PEM_PARSE_C)
44 #include "mbedtls/pem.h"
45 #endif
46 
47 #if defined(MBEDTLS_USE_PSA_CRYPTO)
48 #include "psa/crypto.h"
49 #include "mbedtls/psa_util.h"
50 #endif /* MBEDTLS_USE_PSA_CRYPTO */
51 #include "hash_info.h"
52 
53 #include "mbedtls/platform.h"
54 
55 #if defined(MBEDTLS_THREADING_C)
56 #include "mbedtls/threading.h"
57 #endif
58 
59 #if defined(MBEDTLS_HAVE_TIME)
60 #if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
61 #include <windows.h>
62 #else
63 #include <time.h>
64 #endif
65 #endif
66 
67 #if defined(MBEDTLS_FS_IO)
68 #include <stdio.h>
69 #if !defined(_WIN32) || defined(EFIX64) || defined(EFI32)
70 #include <sys/types.h>
71 #include <sys/stat.h>
72 #if defined(__MBED__)
73 #include <platform/mbed_retarget.h>
74 #else
75 #include <dirent.h>
76 #endif /* __MBED__ */
77 #include <errno.h>
78 #endif /* !_WIN32 || EFIX64 || EFI32 */
79 #endif
80 
81 /*
82  * Item in a verification chain: cert and flags for it
83  */
84 typedef struct {
85     mbedtls_x509_crt *crt;
86     uint32_t flags;
87 } x509_crt_verify_chain_item;
88 
89 /*
90  * Max size of verification chain: end-entity + intermediates + trusted root
91  */
92 #define X509_MAX_VERIFY_CHAIN_SIZE    (MBEDTLS_X509_MAX_INTERMEDIATE_CA + 2)
93 
94 /* Default profile. Do not remove items unless there are serious security
95  * concerns. */
96 const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_default =
97 {
98     /* Hashes from SHA-256 and above. Note that this selection
99      * should be aligned with ssl_preset_default_hashes in ssl_tls.c. */
100     MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA256) |
101     MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA384) |
102     MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA512),
103     0xFFFFFFF, /* Any PK alg    */
104 #if defined(MBEDTLS_ECP_C)
105     /* Curves at or above 128-bit security level. Note that this selection
106      * should be aligned with ssl_preset_default_curves in ssl_tls.c. */
107     MBEDTLS_X509_ID_FLAG(MBEDTLS_ECP_DP_SECP256R1) |
108     MBEDTLS_X509_ID_FLAG(MBEDTLS_ECP_DP_SECP384R1) |
109     MBEDTLS_X509_ID_FLAG(MBEDTLS_ECP_DP_SECP521R1) |
110     MBEDTLS_X509_ID_FLAG(MBEDTLS_ECP_DP_BP256R1) |
111     MBEDTLS_X509_ID_FLAG(MBEDTLS_ECP_DP_BP384R1) |
112     MBEDTLS_X509_ID_FLAG(MBEDTLS_ECP_DP_BP512R1) |
113     0,
114 #else
115     0,
116 #endif
117     2048,
118 };
119 
120 /* Next-generation profile. Currently identical to the default, but may
121  * be tightened at any time. */
122 const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_next =
123 {
124     /* Hashes from SHA-256 and above. */
125     MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA256) |
126     MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA384) |
127     MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA512),
128     0xFFFFFFF, /* Any PK alg    */
129 #if defined(MBEDTLS_ECP_C)
130     /* Curves at or above 128-bit security level. */
131     MBEDTLS_X509_ID_FLAG(MBEDTLS_ECP_DP_SECP256R1) |
132     MBEDTLS_X509_ID_FLAG(MBEDTLS_ECP_DP_SECP384R1) |
133     MBEDTLS_X509_ID_FLAG(MBEDTLS_ECP_DP_SECP521R1) |
134     MBEDTLS_X509_ID_FLAG(MBEDTLS_ECP_DP_BP256R1) |
135     MBEDTLS_X509_ID_FLAG(MBEDTLS_ECP_DP_BP384R1) |
136     MBEDTLS_X509_ID_FLAG(MBEDTLS_ECP_DP_BP512R1) |
137     MBEDTLS_X509_ID_FLAG(MBEDTLS_ECP_DP_SECP256K1),
138 #else
139     0,
140 #endif
141     2048,
142 };
143 
144 /*
145  * NSA Suite B Profile
146  */
147 const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_suiteb =
148 {
149     /* Only SHA-256 and 384 */
150     MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA256) |
151     MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA384),
152     /* Only ECDSA */
153     MBEDTLS_X509_ID_FLAG(MBEDTLS_PK_ECDSA) |
154     MBEDTLS_X509_ID_FLAG(MBEDTLS_PK_ECKEY),
155 #if defined(MBEDTLS_ECP_C)
156     /* Only NIST P-256 and P-384 */
157     MBEDTLS_X509_ID_FLAG(MBEDTLS_ECP_DP_SECP256R1) |
158     MBEDTLS_X509_ID_FLAG(MBEDTLS_ECP_DP_SECP384R1),
159 #else
160     0,
161 #endif
162     0,
163 };
164 
165 /*
166  * Empty / all-forbidden profile
167  */
168 const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_none =
169 {
170     0,
171     0,
172     0,
173     (uint32_t) -1,
174 };
175 
176 /*
177  * Check md_alg against profile
178  * Return 0 if md_alg is acceptable for this profile, -1 otherwise
179  */
x509_profile_check_md_alg(const mbedtls_x509_crt_profile * profile,mbedtls_md_type_t md_alg)180 static int x509_profile_check_md_alg(const mbedtls_x509_crt_profile *profile,
181                                      mbedtls_md_type_t md_alg)
182 {
183     if (md_alg == MBEDTLS_MD_NONE) {
184         return -1;
185     }
186 
187     if ((profile->allowed_mds & MBEDTLS_X509_ID_FLAG(md_alg)) != 0) {
188         return 0;
189     }
190 
191     return -1;
192 }
193 
194 /*
195  * Check pk_alg against profile
196  * Return 0 if pk_alg is acceptable for this profile, -1 otherwise
197  */
x509_profile_check_pk_alg(const mbedtls_x509_crt_profile * profile,mbedtls_pk_type_t pk_alg)198 static int x509_profile_check_pk_alg(const mbedtls_x509_crt_profile *profile,
199                                      mbedtls_pk_type_t pk_alg)
200 {
201     if (pk_alg == MBEDTLS_PK_NONE) {
202         return -1;
203     }
204 
205     if ((profile->allowed_pks & MBEDTLS_X509_ID_FLAG(pk_alg)) != 0) {
206         return 0;
207     }
208 
209     return -1;
210 }
211 
212 /*
213  * Check key against profile
214  * Return 0 if pk is acceptable for this profile, -1 otherwise
215  */
x509_profile_check_key(const mbedtls_x509_crt_profile * profile,const mbedtls_pk_context * pk)216 static int x509_profile_check_key(const mbedtls_x509_crt_profile *profile,
217                                   const mbedtls_pk_context *pk)
218 {
219     const mbedtls_pk_type_t pk_alg = mbedtls_pk_get_type(pk);
220 
221 #if defined(MBEDTLS_RSA_C)
222     if (pk_alg == MBEDTLS_PK_RSA || pk_alg == MBEDTLS_PK_RSASSA_PSS) {
223         if (mbedtls_pk_get_bitlen(pk) >= profile->rsa_min_bitlen) {
224             return 0;
225         }
226 
227         return -1;
228     }
229 #endif
230 
231 #if defined(MBEDTLS_ECP_C)
232     if (pk_alg == MBEDTLS_PK_ECDSA ||
233         pk_alg == MBEDTLS_PK_ECKEY ||
234         pk_alg == MBEDTLS_PK_ECKEY_DH) {
235         const mbedtls_ecp_group_id gid = mbedtls_pk_ec(*pk)->grp.id;
236 
237         if (gid == MBEDTLS_ECP_DP_NONE) {
238             return -1;
239         }
240 
241         if ((profile->allowed_curves & MBEDTLS_X509_ID_FLAG(gid)) != 0) {
242             return 0;
243         }
244 
245         return -1;
246     }
247 #endif
248 
249     return -1;
250 }
251 
252 /*
253  * Like memcmp, but case-insensitive and always returns -1 if different
254  */
x509_memcasecmp(const void * s1,const void * s2,size_t len)255 static int x509_memcasecmp(const void *s1, const void *s2, size_t len)
256 {
257     size_t i;
258     unsigned char diff;
259     const unsigned char *n1 = s1, *n2 = s2;
260 
261     for (i = 0; i < len; i++) {
262         diff = n1[i] ^ n2[i];
263 
264         if (diff == 0) {
265             continue;
266         }
267 
268         if (diff == 32 &&
269             ((n1[i] >= 'a' && n1[i] <= 'z') ||
270              (n1[i] >= 'A' && n1[i] <= 'Z'))) {
271             continue;
272         }
273 
274         return -1;
275     }
276 
277     return 0;
278 }
279 
280 /*
281  * Return 0 if name matches wildcard, -1 otherwise
282  */
x509_check_wildcard(const char * cn,const mbedtls_x509_buf * name)283 static int x509_check_wildcard(const char *cn, const mbedtls_x509_buf *name)
284 {
285     size_t i;
286     size_t cn_idx = 0, cn_len = strlen(cn);
287 
288     /* We can't have a match if there is no wildcard to match */
289     if (name->len < 3 || name->p[0] != '*' || name->p[1] != '.') {
290         return -1;
291     }
292 
293     for (i = 0; i < cn_len; ++i) {
294         if (cn[i] == '.') {
295             cn_idx = i;
296             break;
297         }
298     }
299 
300     if (cn_idx == 0) {
301         return -1;
302     }
303 
304     if (cn_len - cn_idx == name->len - 1 &&
305         x509_memcasecmp(name->p + 1, cn + cn_idx, name->len - 1) == 0) {
306         return 0;
307     }
308 
309     return -1;
310 }
311 
312 /*
313  * Compare two X.509 strings, case-insensitive, and allowing for some encoding
314  * variations (but not all).
315  *
316  * Return 0 if equal, -1 otherwise.
317  */
x509_string_cmp(const mbedtls_x509_buf * a,const mbedtls_x509_buf * b)318 static int x509_string_cmp(const mbedtls_x509_buf *a, const mbedtls_x509_buf *b)
319 {
320     if (a->tag == b->tag &&
321         a->len == b->len &&
322         memcmp(a->p, b->p, b->len) == 0) {
323         return 0;
324     }
325 
326     if ((a->tag == MBEDTLS_ASN1_UTF8_STRING || a->tag == MBEDTLS_ASN1_PRINTABLE_STRING) &&
327         (b->tag == MBEDTLS_ASN1_UTF8_STRING || b->tag == MBEDTLS_ASN1_PRINTABLE_STRING) &&
328         a->len == b->len &&
329         x509_memcasecmp(a->p, b->p, b->len) == 0) {
330         return 0;
331     }
332 
333     return -1;
334 }
335 
336 /*
337  * Compare two X.509 Names (aka rdnSequence).
338  *
339  * See RFC 5280 section 7.1, though we don't implement the whole algorithm:
340  * we sometimes return unequal when the full algorithm would return equal,
341  * but never the other way. (In particular, we don't do Unicode normalisation
342  * or space folding.)
343  *
344  * Return 0 if equal, -1 otherwise.
345  */
x509_name_cmp(const mbedtls_x509_name * a,const mbedtls_x509_name * b)346 static int x509_name_cmp(const mbedtls_x509_name *a, const mbedtls_x509_name *b)
347 {
348     /* Avoid recursion, it might not be optimised by the compiler */
349     while (a != NULL || b != NULL) {
350         if (a == NULL || b == NULL) {
351             return -1;
352         }
353 
354         /* type */
355         if (a->oid.tag != b->oid.tag ||
356             a->oid.len != b->oid.len ||
357             memcmp(a->oid.p, b->oid.p, b->oid.len) != 0) {
358             return -1;
359         }
360 
361         /* value */
362         if (x509_string_cmp(&a->val, &b->val) != 0) {
363             return -1;
364         }
365 
366         /* structure of the list of sets */
367         if (a->next_merged != b->next_merged) {
368             return -1;
369         }
370 
371         a = a->next;
372         b = b->next;
373     }
374 
375     /* a == NULL == b */
376     return 0;
377 }
378 
379 /*
380  * Reset (init or clear) a verify_chain
381  */
x509_crt_verify_chain_reset(mbedtls_x509_crt_verify_chain * ver_chain)382 static void x509_crt_verify_chain_reset(
383     mbedtls_x509_crt_verify_chain *ver_chain)
384 {
385     size_t i;
386 
387     for (i = 0; i < MBEDTLS_X509_MAX_VERIFY_CHAIN_SIZE; i++) {
388         ver_chain->items[i].crt = NULL;
389         ver_chain->items[i].flags = (uint32_t) -1;
390     }
391 
392     ver_chain->len = 0;
393 
394 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
395     ver_chain->trust_ca_cb_result = NULL;
396 #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
397 }
398 
399 /*
400  *  Version  ::=  INTEGER  {  v1(0), v2(1), v3(2)  }
401  */
x509_get_version(unsigned char ** p,const unsigned char * end,int * ver)402 static int x509_get_version(unsigned char **p,
403                             const unsigned char *end,
404                             int *ver)
405 {
406     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
407     size_t len;
408 
409     if ((ret = mbedtls_asn1_get_tag(p, end, &len,
410                                     MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED |
411                                     0)) != 0) {
412         if (ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) {
413             *ver = 0;
414             return 0;
415         }
416 
417         return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_FORMAT, ret);
418     }
419 
420     end = *p + len;
421 
422     if ((ret = mbedtls_asn1_get_int(p, end, ver)) != 0) {
423         return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_VERSION, ret);
424     }
425 
426     if (*p != end) {
427         return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_VERSION,
428                                  MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
429     }
430 
431     return 0;
432 }
433 
434 /*
435  *  Validity ::= SEQUENCE {
436  *       notBefore      Time,
437  *       notAfter       Time }
438  */
x509_get_dates(unsigned char ** p,const unsigned char * end,mbedtls_x509_time * from,mbedtls_x509_time * to)439 static int x509_get_dates(unsigned char **p,
440                           const unsigned char *end,
441                           mbedtls_x509_time *from,
442                           mbedtls_x509_time *to)
443 {
444     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
445     size_t len;
446 
447     if ((ret = mbedtls_asn1_get_tag(p, end, &len,
448                                     MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
449         return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_DATE, ret);
450     }
451 
452     end = *p + len;
453 
454     if ((ret = mbedtls_x509_get_time(p, end, from)) != 0) {
455         return ret;
456     }
457 
458     if ((ret = mbedtls_x509_get_time(p, end, to)) != 0) {
459         return ret;
460     }
461 
462     if (*p != end) {
463         return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_DATE,
464                                  MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
465     }
466 
467     return 0;
468 }
469 
470 /*
471  * X.509 v2/v3 unique identifier (not parsed)
472  */
x509_get_uid(unsigned char ** p,const unsigned char * end,mbedtls_x509_buf * uid,int n)473 static int x509_get_uid(unsigned char **p,
474                         const unsigned char *end,
475                         mbedtls_x509_buf *uid, int n)
476 {
477     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
478 
479     if (*p == end) {
480         return 0;
481     }
482 
483     uid->tag = **p;
484 
485     if ((ret = mbedtls_asn1_get_tag(p, end, &uid->len,
486                                     MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED |
487                                     n)) != 0) {
488         if (ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) {
489             return 0;
490         }
491 
492         return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_FORMAT, ret);
493     }
494 
495     uid->p = *p;
496     *p += uid->len;
497 
498     return 0;
499 }
500 
x509_get_basic_constraints(unsigned char ** p,const unsigned char * end,int * ca_istrue,int * max_pathlen)501 static int x509_get_basic_constraints(unsigned char **p,
502                                       const unsigned char *end,
503                                       int *ca_istrue,
504                                       int *max_pathlen)
505 {
506     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
507     size_t len;
508 
509     /*
510      * BasicConstraints ::= SEQUENCE {
511      *      cA                      BOOLEAN DEFAULT FALSE,
512      *      pathLenConstraint       INTEGER (0..MAX) OPTIONAL }
513      */
514     *ca_istrue = 0; /* DEFAULT FALSE */
515     *max_pathlen = 0; /* endless */
516 
517     if ((ret = mbedtls_asn1_get_tag(p, end, &len,
518                                     MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
519         return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
520     }
521 
522     if (*p == end) {
523         return 0;
524     }
525 
526     if ((ret = mbedtls_asn1_get_bool(p, end, ca_istrue)) != 0) {
527         if (ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) {
528             ret = mbedtls_asn1_get_int(p, end, ca_istrue);
529         }
530 
531         if (ret != 0) {
532             return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
533         }
534 
535         if (*ca_istrue != 0) {
536             *ca_istrue = 1;
537         }
538     }
539 
540     if (*p == end) {
541         return 0;
542     }
543 
544     if ((ret = mbedtls_asn1_get_int(p, end, max_pathlen)) != 0) {
545         return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
546     }
547 
548     if (*p != end) {
549         return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
550                                  MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
551     }
552 
553     /* Do not accept max_pathlen equal to INT_MAX to avoid a signed integer
554      * overflow, which is an undefined behavior. */
555     if (*max_pathlen == INT_MAX) {
556         return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
557                                  MBEDTLS_ERR_ASN1_INVALID_LENGTH);
558     }
559 
560     (*max_pathlen)++;
561 
562     return 0;
563 }
564 
565 /*
566  * ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
567  *
568  * KeyPurposeId ::= OBJECT IDENTIFIER
569  */
x509_get_ext_key_usage(unsigned char ** p,const unsigned char * end,mbedtls_x509_sequence * ext_key_usage)570 static int x509_get_ext_key_usage(unsigned char **p,
571                                   const unsigned char *end,
572                                   mbedtls_x509_sequence *ext_key_usage)
573 {
574     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
575 
576     if ((ret = mbedtls_asn1_get_sequence_of(p, end, ext_key_usage, MBEDTLS_ASN1_OID)) != 0) {
577         return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
578     }
579 
580     /* Sequence length must be >= 1 */
581     if (ext_key_usage->buf.p == NULL) {
582         return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
583                                  MBEDTLS_ERR_ASN1_INVALID_LENGTH);
584     }
585 
586     return 0;
587 }
588 
589 /*
590  * id-ce-certificatePolicies OBJECT IDENTIFIER ::=  { id-ce 32 }
591  *
592  * anyPolicy OBJECT IDENTIFIER ::= { id-ce-certificatePolicies 0 }
593  *
594  * certificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation
595  *
596  * PolicyInformation ::= SEQUENCE {
597  *     policyIdentifier   CertPolicyId,
598  *     policyQualifiers   SEQUENCE SIZE (1..MAX) OF
599  *                             PolicyQualifierInfo OPTIONAL }
600  *
601  * CertPolicyId ::= OBJECT IDENTIFIER
602  *
603  * PolicyQualifierInfo ::= SEQUENCE {
604  *      policyQualifierId  PolicyQualifierId,
605  *      qualifier          ANY DEFINED BY policyQualifierId }
606  *
607  * -- policyQualifierIds for Internet policy qualifiers
608  *
609  * id-qt          OBJECT IDENTIFIER ::=  { id-pkix 2 }
610  * id-qt-cps      OBJECT IDENTIFIER ::=  { id-qt 1 }
611  * id-qt-unotice  OBJECT IDENTIFIER ::=  { id-qt 2 }
612  *
613  * PolicyQualifierId ::= OBJECT IDENTIFIER ( id-qt-cps | id-qt-unotice )
614  *
615  * Qualifier ::= CHOICE {
616  *      cPSuri           CPSuri,
617  *      userNotice       UserNotice }
618  *
619  * CPSuri ::= IA5String
620  *
621  * UserNotice ::= SEQUENCE {
622  *      noticeRef        NoticeReference OPTIONAL,
623  *      explicitText     DisplayText OPTIONAL }
624  *
625  * NoticeReference ::= SEQUENCE {
626  *      organization     DisplayText,
627  *      noticeNumbers    SEQUENCE OF INTEGER }
628  *
629  * DisplayText ::= CHOICE {
630  *      ia5String        IA5String      (SIZE (1..200)),
631  *      visibleString    VisibleString  (SIZE (1..200)),
632  *      bmpString        BMPString      (SIZE (1..200)),
633  *      utf8String       UTF8String     (SIZE (1..200)) }
634  *
635  * NOTE: we only parse and use anyPolicy without qualifiers at this point
636  * as defined in RFC 5280.
637  */
x509_get_certificate_policies(unsigned char ** p,const unsigned char * end,mbedtls_x509_sequence * certificate_policies)638 static int x509_get_certificate_policies(unsigned char **p,
639                                          const unsigned char *end,
640                                          mbedtls_x509_sequence *certificate_policies)
641 {
642     int ret, parse_ret = 0;
643     size_t len;
644     mbedtls_asn1_buf *buf;
645     mbedtls_asn1_sequence *cur = certificate_policies;
646 
647     /* Get main sequence tag */
648     ret = mbedtls_asn1_get_tag(p, end, &len,
649                                MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE);
650     if (ret != 0) {
651         return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
652     }
653 
654     if (*p + len != end) {
655         return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
656                                  MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
657     }
658 
659     /*
660      * Cannot be an empty sequence.
661      */
662     if (len == 0) {
663         return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
664                                  MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
665     }
666 
667     while (*p < end) {
668         mbedtls_x509_buf policy_oid;
669         const unsigned char *policy_end;
670 
671         /*
672          * Get the policy sequence
673          */
674         if ((ret = mbedtls_asn1_get_tag(p, end, &len,
675                                         MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
676             return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
677         }
678 
679         policy_end = *p + len;
680 
681         if ((ret = mbedtls_asn1_get_tag(p, policy_end, &len,
682                                         MBEDTLS_ASN1_OID)) != 0) {
683             return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
684         }
685 
686         policy_oid.tag = MBEDTLS_ASN1_OID;
687         policy_oid.len = len;
688         policy_oid.p = *p;
689 
690         /*
691          * Only AnyPolicy is currently supported when enforcing policy.
692          */
693         if (MBEDTLS_OID_CMP(MBEDTLS_OID_ANY_POLICY, &policy_oid) != 0) {
694             /*
695              * Set the parsing return code but continue parsing, in case this
696              * extension is critical.
697              */
698             parse_ret = MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE;
699         }
700 
701         /* Allocate and assign next pointer */
702         if (cur->buf.p != NULL) {
703             if (cur->next != NULL) {
704                 return MBEDTLS_ERR_X509_INVALID_EXTENSIONS;
705             }
706 
707             cur->next = mbedtls_calloc(1, sizeof(mbedtls_asn1_sequence));
708 
709             if (cur->next == NULL) {
710                 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
711                                          MBEDTLS_ERR_ASN1_ALLOC_FAILED);
712             }
713 
714             cur = cur->next;
715         }
716 
717         buf = &(cur->buf);
718         buf->tag = policy_oid.tag;
719         buf->p = policy_oid.p;
720         buf->len = policy_oid.len;
721 
722         *p += len;
723 
724         /*
725          * If there is an optional qualifier, then *p < policy_end
726          * Check the Qualifier len to verify it doesn't exceed policy_end.
727          */
728         if (*p < policy_end) {
729             if ((ret = mbedtls_asn1_get_tag(p, policy_end, &len,
730                                             MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) !=
731                 0) {
732                 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
733             }
734             /*
735              * Skip the optional policy qualifiers.
736              */
737             *p += len;
738         }
739 
740         if (*p != policy_end) {
741             return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
742                                      MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
743         }
744     }
745 
746     /* Set final sequence entry's next pointer to NULL */
747     cur->next = NULL;
748 
749     if (*p != end) {
750         return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
751                                  MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
752     }
753 
754     return parse_ret;
755 }
756 
757 /*
758  * X.509 v3 extensions
759  *
760  */
x509_get_crt_ext(unsigned char ** p,const unsigned char * end,mbedtls_x509_crt * crt,mbedtls_x509_crt_ext_cb_t cb,void * p_ctx)761 static int x509_get_crt_ext(unsigned char **p,
762                             const unsigned char *end,
763                             mbedtls_x509_crt *crt,
764                             mbedtls_x509_crt_ext_cb_t cb,
765                             void *p_ctx)
766 {
767     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
768     size_t len;
769     unsigned char *end_ext_data, *start_ext_octet, *end_ext_octet;
770 
771     if (*p == end) {
772         return 0;
773     }
774 
775     if ((ret = mbedtls_x509_get_ext(p, end, &crt->v3_ext, 3)) != 0) {
776         return ret;
777     }
778 
779     end = crt->v3_ext.p + crt->v3_ext.len;
780     while (*p < end) {
781         /*
782          * Extension  ::=  SEQUENCE  {
783          *      extnID      OBJECT IDENTIFIER,
784          *      critical    BOOLEAN DEFAULT FALSE,
785          *      extnValue   OCTET STRING  }
786          */
787         mbedtls_x509_buf extn_oid = { 0, 0, NULL };
788         int is_critical = 0; /* DEFAULT FALSE */
789         int ext_type = 0;
790 
791         if ((ret = mbedtls_asn1_get_tag(p, end, &len,
792                                         MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
793             return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
794         }
795 
796         end_ext_data = *p + len;
797 
798         /* Get extension ID */
799         if ((ret = mbedtls_asn1_get_tag(p, end_ext_data, &extn_oid.len,
800                                         MBEDTLS_ASN1_OID)) != 0) {
801             return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
802         }
803 
804         extn_oid.tag = MBEDTLS_ASN1_OID;
805         extn_oid.p = *p;
806         *p += extn_oid.len;
807 
808         /* Get optional critical */
809         if ((ret = mbedtls_asn1_get_bool(p, end_ext_data, &is_critical)) != 0 &&
810             (ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG)) {
811             return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
812         }
813 
814         /* Data should be octet string type */
815         if ((ret = mbedtls_asn1_get_tag(p, end_ext_data, &len,
816                                         MBEDTLS_ASN1_OCTET_STRING)) != 0) {
817             return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
818         }
819 
820         start_ext_octet = *p;
821         end_ext_octet = *p + len;
822 
823         if (end_ext_octet != end_ext_data) {
824             return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
825                                      MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
826         }
827 
828         /*
829          * Detect supported extensions
830          */
831         ret = mbedtls_oid_get_x509_ext_type(&extn_oid, &ext_type);
832 
833         if (ret != 0) {
834             /* Give the callback (if any) a chance to handle the extension */
835             if (cb != NULL) {
836                 ret = cb(p_ctx, crt, &extn_oid, is_critical, *p, end_ext_octet);
837                 if (ret != 0 && is_critical) {
838                     return ret;
839                 }
840                 *p = end_ext_octet;
841                 continue;
842             }
843 
844             /* No parser found, skip extension */
845             *p = end_ext_octet;
846 
847             if (is_critical) {
848                 /* Data is marked as critical: fail */
849                 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
850                                          MBEDTLS_ERR_ASN1_UNEXPECTED_TAG);
851             }
852             continue;
853         }
854 
855         /* Forbid repeated extensions */
856         if ((crt->ext_types & ext_type) != 0) {
857             return MBEDTLS_ERR_X509_INVALID_EXTENSIONS;
858         }
859 
860         crt->ext_types |= ext_type;
861 
862         switch (ext_type) {
863             case MBEDTLS_X509_EXT_BASIC_CONSTRAINTS:
864                 /* Parse basic constraints */
865                 if ((ret = x509_get_basic_constraints(p, end_ext_octet,
866                                                       &crt->ca_istrue, &crt->max_pathlen)) != 0) {
867                     return ret;
868                 }
869                 break;
870 
871             case MBEDTLS_X509_EXT_KEY_USAGE:
872                 /* Parse key usage */
873                 if ((ret = mbedtls_x509_get_key_usage(p, end_ext_octet,
874                                                       &crt->key_usage)) != 0) {
875                     return ret;
876                 }
877                 break;
878 
879             case MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE:
880                 /* Parse extended key usage */
881                 if ((ret = x509_get_ext_key_usage(p, end_ext_octet,
882                                                   &crt->ext_key_usage)) != 0) {
883                     return ret;
884                 }
885                 break;
886 
887             case MBEDTLS_X509_EXT_SUBJECT_ALT_NAME:
888                 /* Parse subject alt name */
889                 if ((ret = mbedtls_x509_get_subject_alt_name(p, end_ext_octet,
890                                                              &crt->subject_alt_names)) != 0) {
891                     return ret;
892                 }
893                 break;
894 
895             case MBEDTLS_X509_EXT_NS_CERT_TYPE:
896                 /* Parse netscape certificate type */
897                 if ((ret = mbedtls_x509_get_ns_cert_type(p, end_ext_octet,
898                                                          &crt->ns_cert_type)) != 0) {
899                     return ret;
900                 }
901                 break;
902 
903             case MBEDTLS_OID_X509_EXT_CERTIFICATE_POLICIES:
904                 /* Parse certificate policies type */
905                 if ((ret = x509_get_certificate_policies(p, end_ext_octet,
906                                                          &crt->certificate_policies)) != 0) {
907                     /* Give the callback (if any) a chance to handle the extension
908                      * if it contains unsupported policies */
909                     if (ret == MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE && cb != NULL &&
910                         cb(p_ctx, crt, &extn_oid, is_critical,
911                            start_ext_octet, end_ext_octet) == 0) {
912                         break;
913                     }
914 
915                     if (is_critical) {
916                         return ret;
917                     } else
918                     /*
919                      * If MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE is returned, then we
920                      * cannot interpret or enforce the policy. However, it is up to
921                      * the user to choose how to enforce the policies,
922                      * unless the extension is critical.
923                      */
924                     if (ret != MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE) {
925                         return ret;
926                     }
927                 }
928                 break;
929 
930             default:
931                 /*
932                  * If this is a non-critical extension, which the oid layer
933                  * supports, but there isn't an x509 parser for it,
934                  * skip the extension.
935                  */
936                 if (is_critical) {
937                     return MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE;
938                 } else {
939                     *p = end_ext_octet;
940                 }
941         }
942     }
943 
944     if (*p != end) {
945         return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
946                                  MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
947     }
948 
949     return 0;
950 }
951 
952 /*
953  * Parse and fill a single X.509 certificate in DER format
954  */
x509_crt_parse_der_core(mbedtls_x509_crt * crt,const unsigned char * buf,size_t buflen,int make_copy,mbedtls_x509_crt_ext_cb_t cb,void * p_ctx)955 static int x509_crt_parse_der_core(mbedtls_x509_crt *crt,
956                                    const unsigned char *buf,
957                                    size_t buflen,
958                                    int make_copy,
959                                    mbedtls_x509_crt_ext_cb_t cb,
960                                    void *p_ctx)
961 {
962     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
963     size_t len;
964     unsigned char *p, *end, *crt_end;
965     mbedtls_x509_buf sig_params1, sig_params2, sig_oid2;
966 
967     memset(&sig_params1, 0, sizeof(mbedtls_x509_buf));
968     memset(&sig_params2, 0, sizeof(mbedtls_x509_buf));
969     memset(&sig_oid2, 0, sizeof(mbedtls_x509_buf));
970 
971     /*
972      * Check for valid input
973      */
974     if (crt == NULL || buf == NULL) {
975         return MBEDTLS_ERR_X509_BAD_INPUT_DATA;
976     }
977 
978     /* Use the original buffer until we figure out actual length. */
979     p = (unsigned char *) buf;
980     len = buflen;
981     end = p + len;
982 
983     /*
984      * Certificate  ::=  SEQUENCE  {
985      *      tbsCertificate       TBSCertificate,
986      *      signatureAlgorithm   AlgorithmIdentifier,
987      *      signatureValue       BIT STRING  }
988      */
989     if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
990                                     MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
991         mbedtls_x509_crt_free(crt);
992         return MBEDTLS_ERR_X509_INVALID_FORMAT;
993     }
994 
995     end = crt_end = p + len;
996     crt->raw.len = crt_end - buf;
997     if (make_copy != 0) {
998         /* Create and populate a new buffer for the raw field. */
999         crt->raw.p = p = mbedtls_calloc(1, crt->raw.len);
1000         if (crt->raw.p == NULL) {
1001             return MBEDTLS_ERR_X509_ALLOC_FAILED;
1002         }
1003 
1004         memcpy(crt->raw.p, buf, crt->raw.len);
1005         crt->own_buffer = 1;
1006 
1007         p += crt->raw.len - len;
1008         end = crt_end = p + len;
1009     } else {
1010         crt->raw.p = (unsigned char *) buf;
1011         crt->own_buffer = 0;
1012     }
1013 
1014     /*
1015      * TBSCertificate  ::=  SEQUENCE  {
1016      */
1017     crt->tbs.p = p;
1018 
1019     if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
1020                                     MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
1021         mbedtls_x509_crt_free(crt);
1022         return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_FORMAT, ret);
1023     }
1024 
1025     end = p + len;
1026     crt->tbs.len = end - crt->tbs.p;
1027 
1028     /*
1029      * Version  ::=  INTEGER  {  v1(0), v2(1), v3(2)  }
1030      *
1031      * CertificateSerialNumber  ::=  INTEGER
1032      *
1033      * signature            AlgorithmIdentifier
1034      */
1035     if ((ret = x509_get_version(&p, end, &crt->version)) != 0 ||
1036         (ret = mbedtls_x509_get_serial(&p, end, &crt->serial)) != 0 ||
1037         (ret = mbedtls_x509_get_alg(&p, end, &crt->sig_oid,
1038                                     &sig_params1)) != 0) {
1039         mbedtls_x509_crt_free(crt);
1040         return ret;
1041     }
1042 
1043     if (crt->version < 0 || crt->version > 2) {
1044         mbedtls_x509_crt_free(crt);
1045         return MBEDTLS_ERR_X509_UNKNOWN_VERSION;
1046     }
1047 
1048     crt->version++;
1049 
1050     if ((ret = mbedtls_x509_get_sig_alg(&crt->sig_oid, &sig_params1,
1051                                         &crt->sig_md, &crt->sig_pk,
1052                                         &crt->sig_opts)) != 0) {
1053         mbedtls_x509_crt_free(crt);
1054         return ret;
1055     }
1056 
1057     /*
1058      * issuer               Name
1059      */
1060     crt->issuer_raw.p = p;
1061 
1062     if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
1063                                     MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
1064         mbedtls_x509_crt_free(crt);
1065         return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_FORMAT, ret);
1066     }
1067 
1068     if ((ret = mbedtls_x509_get_name(&p, p + len, &crt->issuer)) != 0) {
1069         mbedtls_x509_crt_free(crt);
1070         return ret;
1071     }
1072 
1073     crt->issuer_raw.len = p - crt->issuer_raw.p;
1074 
1075     /*
1076      * Validity ::= SEQUENCE {
1077      *      notBefore      Time,
1078      *      notAfter       Time }
1079      *
1080      */
1081     if ((ret = x509_get_dates(&p, end, &crt->valid_from,
1082                               &crt->valid_to)) != 0) {
1083         mbedtls_x509_crt_free(crt);
1084         return ret;
1085     }
1086 
1087     /*
1088      * subject              Name
1089      */
1090     crt->subject_raw.p = p;
1091 
1092     if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
1093                                     MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
1094         mbedtls_x509_crt_free(crt);
1095         return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_FORMAT, ret);
1096     }
1097 
1098     if (len && (ret = mbedtls_x509_get_name(&p, p + len, &crt->subject)) != 0) {
1099         mbedtls_x509_crt_free(crt);
1100         return ret;
1101     }
1102 
1103     crt->subject_raw.len = p - crt->subject_raw.p;
1104 
1105     /*
1106      * SubjectPublicKeyInfo
1107      */
1108     crt->pk_raw.p = p;
1109     if ((ret = mbedtls_pk_parse_subpubkey(&p, end, &crt->pk)) != 0) {
1110         mbedtls_x509_crt_free(crt);
1111         return ret;
1112     }
1113     crt->pk_raw.len = p - crt->pk_raw.p;
1114 
1115     /*
1116      *  issuerUniqueID  [1]  IMPLICIT UniqueIdentifier OPTIONAL,
1117      *                       -- If present, version shall be v2 or v3
1118      *  subjectUniqueID [2]  IMPLICIT UniqueIdentifier OPTIONAL,
1119      *                       -- If present, version shall be v2 or v3
1120      *  extensions      [3]  EXPLICIT Extensions OPTIONAL
1121      *                       -- If present, version shall be v3
1122      */
1123     if (crt->version == 2 || crt->version == 3) {
1124         ret = x509_get_uid(&p, end, &crt->issuer_id,  1);
1125         if (ret != 0) {
1126             mbedtls_x509_crt_free(crt);
1127             return ret;
1128         }
1129     }
1130 
1131     if (crt->version == 2 || crt->version == 3) {
1132         ret = x509_get_uid(&p, end, &crt->subject_id,  2);
1133         if (ret != 0) {
1134             mbedtls_x509_crt_free(crt);
1135             return ret;
1136         }
1137     }
1138 
1139     if (crt->version == 3) {
1140         ret = x509_get_crt_ext(&p, end, crt, cb, p_ctx);
1141         if (ret != 0) {
1142             mbedtls_x509_crt_free(crt);
1143             return ret;
1144         }
1145     }
1146 
1147     if (p != end) {
1148         mbedtls_x509_crt_free(crt);
1149         return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_FORMAT,
1150                                  MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
1151     }
1152 
1153     end = crt_end;
1154 
1155     /*
1156      *  }
1157      *  -- end of TBSCertificate
1158      *
1159      *  signatureAlgorithm   AlgorithmIdentifier,
1160      *  signatureValue       BIT STRING
1161      */
1162     if ((ret = mbedtls_x509_get_alg(&p, end, &sig_oid2, &sig_params2)) != 0) {
1163         mbedtls_x509_crt_free(crt);
1164         return ret;
1165     }
1166 
1167     if (crt->sig_oid.len != sig_oid2.len ||
1168         memcmp(crt->sig_oid.p, sig_oid2.p, crt->sig_oid.len) != 0 ||
1169         sig_params1.tag != sig_params2.tag ||
1170         sig_params1.len != sig_params2.len ||
1171         (sig_params1.len != 0 &&
1172          memcmp(sig_params1.p, sig_params2.p, sig_params1.len) != 0)) {
1173         mbedtls_x509_crt_free(crt);
1174         return MBEDTLS_ERR_X509_SIG_MISMATCH;
1175     }
1176 
1177     if ((ret = mbedtls_x509_get_sig(&p, end, &crt->sig)) != 0) {
1178         mbedtls_x509_crt_free(crt);
1179         return ret;
1180     }
1181 
1182     if (p != end) {
1183         mbedtls_x509_crt_free(crt);
1184         return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_FORMAT,
1185                                  MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
1186     }
1187 
1188     return 0;
1189 }
1190 
1191 /*
1192  * Parse one X.509 certificate in DER format from a buffer and add them to a
1193  * chained list
1194  */
mbedtls_x509_crt_parse_der_internal(mbedtls_x509_crt * chain,const unsigned char * buf,size_t buflen,int make_copy,mbedtls_x509_crt_ext_cb_t cb,void * p_ctx)1195 static int mbedtls_x509_crt_parse_der_internal(mbedtls_x509_crt *chain,
1196                                                const unsigned char *buf,
1197                                                size_t buflen,
1198                                                int make_copy,
1199                                                mbedtls_x509_crt_ext_cb_t cb,
1200                                                void *p_ctx)
1201 {
1202     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1203     mbedtls_x509_crt *crt = chain, *prev = NULL;
1204 
1205     /*
1206      * Check for valid input
1207      */
1208     if (crt == NULL || buf == NULL) {
1209         return MBEDTLS_ERR_X509_BAD_INPUT_DATA;
1210     }
1211 
1212     while (crt->version != 0 && crt->next != NULL) {
1213         prev = crt;
1214         crt = crt->next;
1215     }
1216 
1217     /*
1218      * Add new certificate on the end of the chain if needed.
1219      */
1220     if (crt->version != 0 && crt->next == NULL) {
1221         crt->next = mbedtls_calloc(1, sizeof(mbedtls_x509_crt));
1222 
1223         if (crt->next == NULL) {
1224             return MBEDTLS_ERR_X509_ALLOC_FAILED;
1225         }
1226 
1227         prev = crt;
1228         mbedtls_x509_crt_init(crt->next);
1229         crt = crt->next;
1230     }
1231 
1232     ret = x509_crt_parse_der_core(crt, buf, buflen, make_copy, cb, p_ctx);
1233     if (ret != 0) {
1234         if (prev) {
1235             prev->next = NULL;
1236         }
1237 
1238         if (crt != chain) {
1239             mbedtls_free(crt);
1240         }
1241 
1242         return ret;
1243     }
1244 
1245     return 0;
1246 }
1247 
mbedtls_x509_crt_parse_der_nocopy(mbedtls_x509_crt * chain,const unsigned char * buf,size_t buflen)1248 int mbedtls_x509_crt_parse_der_nocopy(mbedtls_x509_crt *chain,
1249                                       const unsigned char *buf,
1250                                       size_t buflen)
1251 {
1252     return mbedtls_x509_crt_parse_der_internal(chain, buf, buflen, 0, NULL, NULL);
1253 }
1254 
mbedtls_x509_crt_parse_der_with_ext_cb(mbedtls_x509_crt * chain,const unsigned char * buf,size_t buflen,int make_copy,mbedtls_x509_crt_ext_cb_t cb,void * p_ctx)1255 int mbedtls_x509_crt_parse_der_with_ext_cb(mbedtls_x509_crt *chain,
1256                                            const unsigned char *buf,
1257                                            size_t buflen,
1258                                            int make_copy,
1259                                            mbedtls_x509_crt_ext_cb_t cb,
1260                                            void *p_ctx)
1261 {
1262     return mbedtls_x509_crt_parse_der_internal(chain, buf, buflen, make_copy, cb, p_ctx);
1263 }
1264 
mbedtls_x509_crt_parse_der(mbedtls_x509_crt * chain,const unsigned char * buf,size_t buflen)1265 int mbedtls_x509_crt_parse_der(mbedtls_x509_crt *chain,
1266                                const unsigned char *buf,
1267                                size_t buflen)
1268 {
1269     return mbedtls_x509_crt_parse_der_internal(chain, buf, buflen, 1, NULL, NULL);
1270 }
1271 
1272 /*
1273  * Parse one or more PEM certificates from a buffer and add them to the chained
1274  * list
1275  */
mbedtls_x509_crt_parse(mbedtls_x509_crt * chain,const unsigned char * buf,size_t buflen)1276 int mbedtls_x509_crt_parse(mbedtls_x509_crt *chain,
1277                            const unsigned char *buf,
1278                            size_t buflen)
1279 {
1280 #if defined(MBEDTLS_PEM_PARSE_C)
1281     int success = 0, first_error = 0, total_failed = 0;
1282     int buf_format = MBEDTLS_X509_FORMAT_DER;
1283 #endif
1284 
1285     /*
1286      * Check for valid input
1287      */
1288     if (chain == NULL || buf == NULL) {
1289         return MBEDTLS_ERR_X509_BAD_INPUT_DATA;
1290     }
1291 
1292     /*
1293      * Determine buffer content. Buffer contains either one DER certificate or
1294      * one or more PEM certificates.
1295      */
1296 #if defined(MBEDTLS_PEM_PARSE_C)
1297     if (buflen != 0 && buf[buflen - 1] == '\0' &&
1298         strstr((const char *) buf, "-----BEGIN CERTIFICATE-----") != NULL) {
1299         buf_format = MBEDTLS_X509_FORMAT_PEM;
1300     }
1301 
1302     if (buf_format == MBEDTLS_X509_FORMAT_DER) {
1303         return mbedtls_x509_crt_parse_der(chain, buf, buflen);
1304     }
1305 #else
1306     return mbedtls_x509_crt_parse_der(chain, buf, buflen);
1307 #endif
1308 
1309 #if defined(MBEDTLS_PEM_PARSE_C)
1310     if (buf_format == MBEDTLS_X509_FORMAT_PEM) {
1311         int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1312         mbedtls_pem_context pem;
1313 
1314         /* 1 rather than 0 since the terminating NULL byte is counted in */
1315         while (buflen > 1) {
1316             size_t use_len;
1317             mbedtls_pem_init(&pem);
1318 
1319             /* If we get there, we know the string is null-terminated */
1320             ret = mbedtls_pem_read_buffer(&pem,
1321                                           "-----BEGIN CERTIFICATE-----",
1322                                           "-----END CERTIFICATE-----",
1323                                           buf, NULL, 0, &use_len);
1324 
1325             if (ret == 0) {
1326                 /*
1327                  * Was PEM encoded
1328                  */
1329                 buflen -= use_len;
1330                 buf += use_len;
1331             } else if (ret == MBEDTLS_ERR_PEM_BAD_INPUT_DATA) {
1332                 return ret;
1333             } else if (ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT) {
1334                 mbedtls_pem_free(&pem);
1335 
1336                 /*
1337                  * PEM header and footer were found
1338                  */
1339                 buflen -= use_len;
1340                 buf += use_len;
1341 
1342                 if (first_error == 0) {
1343                     first_error = ret;
1344                 }
1345 
1346                 total_failed++;
1347                 continue;
1348             } else {
1349                 break;
1350             }
1351 
1352             ret = mbedtls_x509_crt_parse_der(chain, pem.buf, pem.buflen);
1353 
1354             mbedtls_pem_free(&pem);
1355 
1356             if (ret != 0) {
1357                 /*
1358                  * Quit parsing on a memory error
1359                  */
1360                 if (ret == MBEDTLS_ERR_X509_ALLOC_FAILED) {
1361                     return ret;
1362                 }
1363 
1364                 if (first_error == 0) {
1365                     first_error = ret;
1366                 }
1367 
1368                 total_failed++;
1369                 continue;
1370             }
1371 
1372             success = 1;
1373         }
1374     }
1375 
1376     if (success) {
1377         return total_failed;
1378     } else if (first_error) {
1379         return first_error;
1380     } else {
1381         return MBEDTLS_ERR_X509_CERT_UNKNOWN_FORMAT;
1382     }
1383 #endif /* MBEDTLS_PEM_PARSE_C */
1384 }
1385 
1386 #if defined(MBEDTLS_FS_IO)
1387 /*
1388  * Load one or more certificates and add them to the chained list
1389  */
mbedtls_x509_crt_parse_file(mbedtls_x509_crt * chain,const char * path)1390 int mbedtls_x509_crt_parse_file(mbedtls_x509_crt *chain, const char *path)
1391 {
1392     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1393     size_t n;
1394     unsigned char *buf;
1395 
1396     if ((ret = mbedtls_pk_load_file(path, &buf, &n)) != 0) {
1397         return ret;
1398     }
1399 
1400     ret = mbedtls_x509_crt_parse(chain, buf, n);
1401 
1402     mbedtls_platform_zeroize(buf, n);
1403     mbedtls_free(buf);
1404 
1405     return ret;
1406 }
1407 
mbedtls_x509_crt_parse_path(mbedtls_x509_crt * chain,const char * path)1408 int mbedtls_x509_crt_parse_path(mbedtls_x509_crt *chain, const char *path)
1409 {
1410     int ret = 0;
1411 #if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
1412     int w_ret;
1413     WCHAR szDir[MAX_PATH];
1414     char filename[MAX_PATH];
1415     char *p;
1416     size_t len = strlen(path);
1417 
1418     WIN32_FIND_DATAW file_data;
1419     HANDLE hFind;
1420 
1421     if (len > MAX_PATH - 3) {
1422         return MBEDTLS_ERR_X509_BAD_INPUT_DATA;
1423     }
1424 
1425     memset(szDir, 0, sizeof(szDir));
1426     memset(filename, 0, MAX_PATH);
1427     memcpy(filename, path, len);
1428     filename[len++] = '\\';
1429     p = filename + len;
1430     filename[len++] = '*';
1431 
1432     w_ret = MultiByteToWideChar(CP_ACP, 0, filename, (int) len, szDir,
1433                                 MAX_PATH - 3);
1434     if (w_ret == 0) {
1435         return MBEDTLS_ERR_X509_BAD_INPUT_DATA;
1436     }
1437 
1438     hFind = FindFirstFileW(szDir, &file_data);
1439     if (hFind == INVALID_HANDLE_VALUE) {
1440         return MBEDTLS_ERR_X509_FILE_IO_ERROR;
1441     }
1442 
1443     len = MAX_PATH - len;
1444     do {
1445         memset(p, 0, len);
1446 
1447         if (file_data.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) {
1448             continue;
1449         }
1450 
1451         w_ret = WideCharToMultiByte(CP_ACP, 0, file_data.cFileName,
1452                                     -1,
1453                                     p, (int) len,
1454                                     NULL, NULL);
1455         if (w_ret == 0) {
1456             ret = MBEDTLS_ERR_X509_FILE_IO_ERROR;
1457             goto cleanup;
1458         }
1459 
1460         w_ret = mbedtls_x509_crt_parse_file(chain, filename);
1461         if (w_ret < 0) {
1462             ret++;
1463         } else {
1464             ret += w_ret;
1465         }
1466     } while (FindNextFileW(hFind, &file_data) != 0);
1467 
1468     if (GetLastError() != ERROR_NO_MORE_FILES) {
1469         ret = MBEDTLS_ERR_X509_FILE_IO_ERROR;
1470     }
1471 
1472 cleanup:
1473     FindClose(hFind);
1474 #else /* _WIN32 */
1475     int t_ret;
1476     int snp_ret;
1477     struct stat sb;
1478     struct dirent *entry;
1479     char entry_name[MBEDTLS_X509_MAX_FILE_PATH_LEN];
1480     DIR *dir = opendir(path);
1481 
1482     if (dir == NULL) {
1483         return MBEDTLS_ERR_X509_FILE_IO_ERROR;
1484     }
1485 
1486 #if defined(MBEDTLS_THREADING_C)
1487     if ((ret = mbedtls_mutex_lock(&mbedtls_threading_readdir_mutex)) != 0) {
1488         closedir(dir);
1489         return ret;
1490     }
1491 #endif /* MBEDTLS_THREADING_C */
1492 
1493     memset(&sb, 0, sizeof(sb));
1494 
1495     while ((entry = readdir(dir)) != NULL) {
1496         snp_ret = mbedtls_snprintf(entry_name, sizeof(entry_name),
1497                                    "%s/%s", path, entry->d_name);
1498 
1499         if (snp_ret < 0 || (size_t) snp_ret >= sizeof(entry_name)) {
1500             ret = MBEDTLS_ERR_X509_BUFFER_TOO_SMALL;
1501             goto cleanup;
1502         } else if (stat(entry_name, &sb) == -1) {
1503             if (errno == ENOENT) {
1504                 /* Broken symbolic link - ignore this entry.
1505                     stat(2) will return this error for either (a) a dangling
1506                     symlink or (b) a missing file.
1507                     Given that we have just obtained the filename from readdir,
1508                     assume that it does exist and therefore treat this as a
1509                     dangling symlink. */
1510                 continue;
1511             } else {
1512                 /* Some other file error; report the error. */
1513                 ret = MBEDTLS_ERR_X509_FILE_IO_ERROR;
1514                 goto cleanup;
1515             }
1516         }
1517 
1518         if (!S_ISREG(sb.st_mode)) {
1519             continue;
1520         }
1521 
1522         // Ignore parse errors
1523         //
1524         t_ret = mbedtls_x509_crt_parse_file(chain, entry_name);
1525         if (t_ret < 0) {
1526             ret++;
1527         } else {
1528             ret += t_ret;
1529         }
1530     }
1531 
1532 cleanup:
1533     closedir(dir);
1534 
1535 #if defined(MBEDTLS_THREADING_C)
1536     if (mbedtls_mutex_unlock(&mbedtls_threading_readdir_mutex) != 0) {
1537         ret = MBEDTLS_ERR_THREADING_MUTEX_ERROR;
1538     }
1539 #endif /* MBEDTLS_THREADING_C */
1540 
1541 #endif /* _WIN32 */
1542 
1543     return ret;
1544 }
1545 #endif /* MBEDTLS_FS_IO */
1546 
1547 #if !defined(MBEDTLS_X509_REMOVE_INFO)
x509_info_ext_key_usage(char ** buf,size_t * size,const mbedtls_x509_sequence * extended_key_usage)1548 static int x509_info_ext_key_usage(char **buf, size_t *size,
1549                                    const mbedtls_x509_sequence *extended_key_usage)
1550 {
1551     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1552     const char *desc;
1553     size_t n = *size;
1554     char *p = *buf;
1555     const mbedtls_x509_sequence *cur = extended_key_usage;
1556     const char *sep = "";
1557 
1558     while (cur != NULL) {
1559         if (mbedtls_oid_get_extended_key_usage(&cur->buf, &desc) != 0) {
1560             desc = "???";
1561         }
1562 
1563         ret = mbedtls_snprintf(p, n, "%s%s", sep, desc);
1564         MBEDTLS_X509_SAFE_SNPRINTF;
1565 
1566         sep = ", ";
1567 
1568         cur = cur->next;
1569     }
1570 
1571     *size = n;
1572     *buf = p;
1573 
1574     return 0;
1575 }
1576 
x509_info_cert_policies(char ** buf,size_t * size,const mbedtls_x509_sequence * certificate_policies)1577 static int x509_info_cert_policies(char **buf, size_t *size,
1578                                    const mbedtls_x509_sequence *certificate_policies)
1579 {
1580     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1581     const char *desc;
1582     size_t n = *size;
1583     char *p = *buf;
1584     const mbedtls_x509_sequence *cur = certificate_policies;
1585     const char *sep = "";
1586 
1587     while (cur != NULL) {
1588         if (mbedtls_oid_get_certificate_policies(&cur->buf, &desc) != 0) {
1589             desc = "???";
1590         }
1591 
1592         ret = mbedtls_snprintf(p, n, "%s%s", sep, desc);
1593         MBEDTLS_X509_SAFE_SNPRINTF;
1594 
1595         sep = ", ";
1596 
1597         cur = cur->next;
1598     }
1599 
1600     *size = n;
1601     *buf = p;
1602 
1603     return 0;
1604 }
1605 
1606 /*
1607  * Return an informational string about the certificate.
1608  */
1609 #define BEFORE_COLON    18
1610 #define BC              "18"
mbedtls_x509_crt_info(char * buf,size_t size,const char * prefix,const mbedtls_x509_crt * crt)1611 int mbedtls_x509_crt_info(char *buf, size_t size, const char *prefix,
1612                           const mbedtls_x509_crt *crt)
1613 {
1614     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1615     size_t n;
1616     char *p;
1617     char key_size_str[BEFORE_COLON];
1618 
1619     p = buf;
1620     n = size;
1621 
1622     if (NULL == crt) {
1623         ret = mbedtls_snprintf(p, n, "\nCertificate is uninitialised!\n");
1624         MBEDTLS_X509_SAFE_SNPRINTF;
1625 
1626         return (int) (size - n);
1627     }
1628 
1629     ret = mbedtls_snprintf(p, n, "%scert. version     : %d\n",
1630                            prefix, crt->version);
1631     MBEDTLS_X509_SAFE_SNPRINTF;
1632     ret = mbedtls_snprintf(p, n, "%sserial number     : ",
1633                            prefix);
1634     MBEDTLS_X509_SAFE_SNPRINTF;
1635 
1636     ret = mbedtls_x509_serial_gets(p, n, &crt->serial);
1637     MBEDTLS_X509_SAFE_SNPRINTF;
1638 
1639     ret = mbedtls_snprintf(p, n, "\n%sissuer name       : ", prefix);
1640     MBEDTLS_X509_SAFE_SNPRINTF;
1641     ret = mbedtls_x509_dn_gets(p, n, &crt->issuer);
1642     MBEDTLS_X509_SAFE_SNPRINTF;
1643 
1644     ret = mbedtls_snprintf(p, n, "\n%ssubject name      : ", prefix);
1645     MBEDTLS_X509_SAFE_SNPRINTF;
1646     ret = mbedtls_x509_dn_gets(p, n, &crt->subject);
1647     MBEDTLS_X509_SAFE_SNPRINTF;
1648 
1649     ret = mbedtls_snprintf(p, n, "\n%sissued  on        : " \
1650                                  "%04d-%02d-%02d %02d:%02d:%02d", prefix,
1651                            crt->valid_from.year, crt->valid_from.mon,
1652                            crt->valid_from.day,  crt->valid_from.hour,
1653                            crt->valid_from.min,  crt->valid_from.sec);
1654     MBEDTLS_X509_SAFE_SNPRINTF;
1655 
1656     ret = mbedtls_snprintf(p, n, "\n%sexpires on        : " \
1657                                  "%04d-%02d-%02d %02d:%02d:%02d", prefix,
1658                            crt->valid_to.year, crt->valid_to.mon,
1659                            crt->valid_to.day,  crt->valid_to.hour,
1660                            crt->valid_to.min,  crt->valid_to.sec);
1661     MBEDTLS_X509_SAFE_SNPRINTF;
1662 
1663     ret = mbedtls_snprintf(p, n, "\n%ssigned using      : ", prefix);
1664     MBEDTLS_X509_SAFE_SNPRINTF;
1665 
1666     ret = mbedtls_x509_sig_alg_gets(p, n, &crt->sig_oid, crt->sig_pk,
1667                                     crt->sig_md, crt->sig_opts);
1668     MBEDTLS_X509_SAFE_SNPRINTF;
1669 
1670     /* Key size */
1671     if ((ret = mbedtls_x509_key_size_helper(key_size_str, BEFORE_COLON,
1672                                             mbedtls_pk_get_name(&crt->pk))) != 0) {
1673         return ret;
1674     }
1675 
1676     ret = mbedtls_snprintf(p, n, "\n%s%-" BC "s: %d bits", prefix, key_size_str,
1677                            (int) mbedtls_pk_get_bitlen(&crt->pk));
1678     MBEDTLS_X509_SAFE_SNPRINTF;
1679 
1680     /*
1681      * Optional extensions
1682      */
1683 
1684     if (crt->ext_types & MBEDTLS_X509_EXT_BASIC_CONSTRAINTS) {
1685         ret = mbedtls_snprintf(p, n, "\n%sbasic constraints : CA=%s", prefix,
1686                                crt->ca_istrue ? "true" : "false");
1687         MBEDTLS_X509_SAFE_SNPRINTF;
1688 
1689         if (crt->max_pathlen > 0) {
1690             ret = mbedtls_snprintf(p, n, ", max_pathlen=%d", crt->max_pathlen - 1);
1691             MBEDTLS_X509_SAFE_SNPRINTF;
1692         }
1693     }
1694 
1695     if (crt->ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME) {
1696         ret = mbedtls_snprintf(p, n, "\n%ssubject alt name  :", prefix);
1697         MBEDTLS_X509_SAFE_SNPRINTF;
1698 
1699         if ((ret = mbedtls_x509_info_subject_alt_name(&p, &n,
1700                                                       &crt->subject_alt_names,
1701                                                       prefix)) != 0) {
1702             return ret;
1703         }
1704     }
1705 
1706     if (crt->ext_types & MBEDTLS_X509_EXT_NS_CERT_TYPE) {
1707         ret = mbedtls_snprintf(p, n, "\n%scert. type        : ", prefix);
1708         MBEDTLS_X509_SAFE_SNPRINTF;
1709 
1710         if ((ret = mbedtls_x509_info_cert_type(&p, &n, crt->ns_cert_type)) != 0) {
1711             return ret;
1712         }
1713     }
1714 
1715     if (crt->ext_types & MBEDTLS_X509_EXT_KEY_USAGE) {
1716         ret = mbedtls_snprintf(p, n, "\n%skey usage         : ", prefix);
1717         MBEDTLS_X509_SAFE_SNPRINTF;
1718 
1719         if ((ret = mbedtls_x509_info_key_usage(&p, &n, crt->key_usage)) != 0) {
1720             return ret;
1721         }
1722     }
1723 
1724     if (crt->ext_types & MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE) {
1725         ret = mbedtls_snprintf(p, n, "\n%sext key usage     : ", prefix);
1726         MBEDTLS_X509_SAFE_SNPRINTF;
1727 
1728         if ((ret = x509_info_ext_key_usage(&p, &n,
1729                                            &crt->ext_key_usage)) != 0) {
1730             return ret;
1731         }
1732     }
1733 
1734     if (crt->ext_types & MBEDTLS_OID_X509_EXT_CERTIFICATE_POLICIES) {
1735         ret = mbedtls_snprintf(p, n, "\n%scertificate policies : ", prefix);
1736         MBEDTLS_X509_SAFE_SNPRINTF;
1737 
1738         if ((ret = x509_info_cert_policies(&p, &n,
1739                                            &crt->certificate_policies)) != 0) {
1740             return ret;
1741         }
1742     }
1743 
1744     ret = mbedtls_snprintf(p, n, "\n");
1745     MBEDTLS_X509_SAFE_SNPRINTF;
1746 
1747     return (int) (size - n);
1748 }
1749 
1750 struct x509_crt_verify_string {
1751     int code;
1752     const char *string;
1753 };
1754 
1755 #define X509_CRT_ERROR_INFO(err, err_str, info) { err, info },
1756 static const struct x509_crt_verify_string x509_crt_verify_strings[] = {
1757     MBEDTLS_X509_CRT_ERROR_INFO_LIST
1758     { 0, NULL }
1759 };
1760 #undef X509_CRT_ERROR_INFO
1761 
mbedtls_x509_crt_verify_info(char * buf,size_t size,const char * prefix,uint32_t flags)1762 int mbedtls_x509_crt_verify_info(char *buf, size_t size, const char *prefix,
1763                                  uint32_t flags)
1764 {
1765     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1766     const struct x509_crt_verify_string *cur;
1767     char *p = buf;
1768     size_t n = size;
1769 
1770     for (cur = x509_crt_verify_strings; cur->string != NULL; cur++) {
1771         if ((flags & cur->code) == 0) {
1772             continue;
1773         }
1774 
1775         ret = mbedtls_snprintf(p, n, "%s%s\n", prefix, cur->string);
1776         MBEDTLS_X509_SAFE_SNPRINTF;
1777         flags ^= cur->code;
1778     }
1779 
1780     if (flags != 0) {
1781         ret = mbedtls_snprintf(p, n, "%sUnknown reason "
1782                                      "(this should not happen)\n", prefix);
1783         MBEDTLS_X509_SAFE_SNPRINTF;
1784     }
1785 
1786     return (int) (size - n);
1787 }
1788 #endif /* MBEDTLS_X509_REMOVE_INFO */
1789 
mbedtls_x509_crt_check_key_usage(const mbedtls_x509_crt * crt,unsigned int usage)1790 int mbedtls_x509_crt_check_key_usage(const mbedtls_x509_crt *crt,
1791                                      unsigned int usage)
1792 {
1793     unsigned int usage_must, usage_may;
1794     unsigned int may_mask = MBEDTLS_X509_KU_ENCIPHER_ONLY
1795                             | MBEDTLS_X509_KU_DECIPHER_ONLY;
1796 
1797     if ((crt->ext_types & MBEDTLS_X509_EXT_KEY_USAGE) == 0) {
1798         return 0;
1799     }
1800 
1801     usage_must = usage & ~may_mask;
1802 
1803     if (((crt->key_usage & ~may_mask) & usage_must) != usage_must) {
1804         return MBEDTLS_ERR_X509_BAD_INPUT_DATA;
1805     }
1806 
1807     usage_may = usage & may_mask;
1808 
1809     if (((crt->key_usage & may_mask) | usage_may) != usage_may) {
1810         return MBEDTLS_ERR_X509_BAD_INPUT_DATA;
1811     }
1812 
1813     return 0;
1814 }
1815 
mbedtls_x509_crt_check_extended_key_usage(const mbedtls_x509_crt * crt,const char * usage_oid,size_t usage_len)1816 int mbedtls_x509_crt_check_extended_key_usage(const mbedtls_x509_crt *crt,
1817                                               const char *usage_oid,
1818                                               size_t usage_len)
1819 {
1820     const mbedtls_x509_sequence *cur;
1821 
1822     /* Extension is not mandatory, absent means no restriction */
1823     if ((crt->ext_types & MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE) == 0) {
1824         return 0;
1825     }
1826 
1827     /*
1828      * Look for the requested usage (or wildcard ANY) in our list
1829      */
1830     for (cur = &crt->ext_key_usage; cur != NULL; cur = cur->next) {
1831         const mbedtls_x509_buf *cur_oid = &cur->buf;
1832 
1833         if (cur_oid->len == usage_len &&
1834             memcmp(cur_oid->p, usage_oid, usage_len) == 0) {
1835             return 0;
1836         }
1837 
1838         if (MBEDTLS_OID_CMP(MBEDTLS_OID_ANY_EXTENDED_KEY_USAGE, cur_oid) == 0) {
1839             return 0;
1840         }
1841     }
1842 
1843     return MBEDTLS_ERR_X509_BAD_INPUT_DATA;
1844 }
1845 
1846 #if defined(MBEDTLS_X509_CRL_PARSE_C)
1847 /*
1848  * Return 1 if the certificate is revoked, or 0 otherwise.
1849  */
mbedtls_x509_crt_is_revoked(const mbedtls_x509_crt * crt,const mbedtls_x509_crl * crl)1850 int mbedtls_x509_crt_is_revoked(const mbedtls_x509_crt *crt, const mbedtls_x509_crl *crl)
1851 {
1852     const mbedtls_x509_crl_entry *cur = &crl->entry;
1853 
1854     while (cur != NULL && cur->serial.len != 0) {
1855         if (crt->serial.len == cur->serial.len &&
1856             memcmp(crt->serial.p, cur->serial.p, crt->serial.len) == 0) {
1857             return 1;
1858         }
1859 
1860         cur = cur->next;
1861     }
1862 
1863     return 0;
1864 }
1865 
1866 /*
1867  * Check that the given certificate is not revoked according to the CRL.
1868  * Skip validation if no CRL for the given CA is present.
1869  */
x509_crt_verifycrl(mbedtls_x509_crt * crt,mbedtls_x509_crt * ca,mbedtls_x509_crl * crl_list,const mbedtls_x509_crt_profile * profile)1870 static int x509_crt_verifycrl(mbedtls_x509_crt *crt, mbedtls_x509_crt *ca,
1871                               mbedtls_x509_crl *crl_list,
1872                               const mbedtls_x509_crt_profile *profile)
1873 {
1874     int flags = 0;
1875     unsigned char hash[MBEDTLS_HASH_MAX_SIZE];
1876 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1877     psa_algorithm_t psa_algorithm;
1878 #else
1879     const mbedtls_md_info_t *md_info;
1880 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1881     size_t hash_length;
1882 
1883     if (ca == NULL) {
1884         return flags;
1885     }
1886 
1887     while (crl_list != NULL) {
1888         if (crl_list->version == 0 ||
1889             x509_name_cmp(&crl_list->issuer, &ca->subject) != 0) {
1890             crl_list = crl_list->next;
1891             continue;
1892         }
1893 
1894         /*
1895          * Check if the CA is configured to sign CRLs
1896          */
1897         if (mbedtls_x509_crt_check_key_usage(ca,
1898                                              MBEDTLS_X509_KU_CRL_SIGN) != 0) {
1899             flags |= MBEDTLS_X509_BADCRL_NOT_TRUSTED;
1900             break;
1901         }
1902 
1903         /*
1904          * Check if CRL is correctly signed by the trusted CA
1905          */
1906         if (x509_profile_check_md_alg(profile, crl_list->sig_md) != 0) {
1907             flags |= MBEDTLS_X509_BADCRL_BAD_MD;
1908         }
1909 
1910         if (x509_profile_check_pk_alg(profile, crl_list->sig_pk) != 0) {
1911             flags |= MBEDTLS_X509_BADCRL_BAD_PK;
1912         }
1913 
1914 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1915         psa_algorithm = mbedtls_hash_info_psa_from_md(crl_list->sig_md);
1916         if (psa_hash_compute(psa_algorithm,
1917                              crl_list->tbs.p,
1918                              crl_list->tbs.len,
1919                              hash,
1920                              sizeof(hash),
1921                              &hash_length) != PSA_SUCCESS) {
1922             /* Note: this can't happen except after an internal error */
1923             flags |= MBEDTLS_X509_BADCRL_NOT_TRUSTED;
1924             break;
1925         }
1926 #else
1927         md_info = mbedtls_md_info_from_type(crl_list->sig_md);
1928         hash_length = mbedtls_md_get_size(md_info);
1929         if (mbedtls_md(md_info,
1930                        crl_list->tbs.p,
1931                        crl_list->tbs.len,
1932                        hash) != 0) {
1933             /* Note: this can't happen except after an internal error */
1934             flags |= MBEDTLS_X509_BADCRL_NOT_TRUSTED;
1935             break;
1936         }
1937 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1938 
1939         if (x509_profile_check_key(profile, &ca->pk) != 0) {
1940             flags |= MBEDTLS_X509_BADCERT_BAD_KEY;
1941         }
1942 
1943         if (mbedtls_pk_verify_ext(crl_list->sig_pk, crl_list->sig_opts, &ca->pk,
1944                                   crl_list->sig_md, hash, hash_length,
1945                                   crl_list->sig.p, crl_list->sig.len) != 0) {
1946             flags |= MBEDTLS_X509_BADCRL_NOT_TRUSTED;
1947             break;
1948         }
1949 
1950         /*
1951          * Check for validity of CRL (Do not drop out)
1952          */
1953         if (mbedtls_x509_time_is_past(&crl_list->next_update)) {
1954             flags |= MBEDTLS_X509_BADCRL_EXPIRED;
1955         }
1956 
1957         if (mbedtls_x509_time_is_future(&crl_list->this_update)) {
1958             flags |= MBEDTLS_X509_BADCRL_FUTURE;
1959         }
1960 
1961         /*
1962          * Check if certificate is revoked
1963          */
1964         if (mbedtls_x509_crt_is_revoked(crt, crl_list)) {
1965             flags |= MBEDTLS_X509_BADCERT_REVOKED;
1966             break;
1967         }
1968 
1969         crl_list = crl_list->next;
1970     }
1971 
1972     return flags;
1973 }
1974 #endif /* MBEDTLS_X509_CRL_PARSE_C */
1975 
1976 /*
1977  * Check the signature of a certificate by its parent
1978  */
x509_crt_check_signature(const mbedtls_x509_crt * child,mbedtls_x509_crt * parent,mbedtls_x509_crt_restart_ctx * rs_ctx)1979 static int x509_crt_check_signature(const mbedtls_x509_crt *child,
1980                                     mbedtls_x509_crt *parent,
1981                                     mbedtls_x509_crt_restart_ctx *rs_ctx)
1982 {
1983     size_t hash_len;
1984     unsigned char hash[MBEDTLS_HASH_MAX_SIZE];
1985 #if !defined(MBEDTLS_USE_PSA_CRYPTO)
1986     const mbedtls_md_info_t *md_info;
1987     md_info = mbedtls_md_info_from_type(child->sig_md);
1988     hash_len = mbedtls_md_get_size(md_info);
1989 
1990     /* Note: hash errors can happen only after an internal error */
1991     if (mbedtls_md(md_info, child->tbs.p, child->tbs.len, hash) != 0) {
1992         return -1;
1993     }
1994 #else
1995     psa_algorithm_t hash_alg = mbedtls_hash_info_psa_from_md(child->sig_md);
1996     psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
1997 
1998     status = psa_hash_compute(hash_alg,
1999                               child->tbs.p,
2000                               child->tbs.len,
2001                               hash,
2002                               sizeof(hash),
2003                               &hash_len);
2004     if (status != PSA_SUCCESS) {
2005         return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
2006     }
2007 
2008 #endif /* MBEDTLS_USE_PSA_CRYPTO */
2009     /* Skip expensive computation on obvious mismatch */
2010     if (!mbedtls_pk_can_do(&parent->pk, child->sig_pk)) {
2011         return -1;
2012     }
2013 
2014 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
2015     if (rs_ctx != NULL && child->sig_pk == MBEDTLS_PK_ECDSA) {
2016         return mbedtls_pk_verify_restartable(&parent->pk,
2017                                              child->sig_md, hash, hash_len,
2018                                              child->sig.p, child->sig.len, &rs_ctx->pk);
2019     }
2020 #else
2021     (void) rs_ctx;
2022 #endif
2023 
2024     return mbedtls_pk_verify_ext(child->sig_pk, child->sig_opts, &parent->pk,
2025                                  child->sig_md, hash, hash_len,
2026                                  child->sig.p, child->sig.len);
2027 }
2028 
2029 /*
2030  * Check if 'parent' is a suitable parent (signing CA) for 'child'.
2031  * Return 0 if yes, -1 if not.
2032  *
2033  * top means parent is a locally-trusted certificate
2034  */
x509_crt_check_parent(const mbedtls_x509_crt * child,const mbedtls_x509_crt * parent,int top)2035 static int x509_crt_check_parent(const mbedtls_x509_crt *child,
2036                                  const mbedtls_x509_crt *parent,
2037                                  int top)
2038 {
2039     int need_ca_bit;
2040 
2041     /* Parent must be the issuer */
2042     if (x509_name_cmp(&child->issuer, &parent->subject) != 0) {
2043         return -1;
2044     }
2045 
2046     /* Parent must have the basicConstraints CA bit set as a general rule */
2047     need_ca_bit = 1;
2048 
2049     /* Exception: v1/v2 certificates that are locally trusted. */
2050     if (top && parent->version < 3) {
2051         need_ca_bit = 0;
2052     }
2053 
2054     if (need_ca_bit && !parent->ca_istrue) {
2055         return -1;
2056     }
2057 
2058     if (need_ca_bit &&
2059         mbedtls_x509_crt_check_key_usage(parent, MBEDTLS_X509_KU_KEY_CERT_SIGN) != 0) {
2060         return -1;
2061     }
2062 
2063     return 0;
2064 }
2065 
2066 /*
2067  * Find a suitable parent for child in candidates, or return NULL.
2068  *
2069  * Here suitable is defined as:
2070  *  1. subject name matches child's issuer
2071  *  2. if necessary, the CA bit is set and key usage allows signing certs
2072  *  3. for trusted roots, the signature is correct
2073  *     (for intermediates, the signature is checked and the result reported)
2074  *  4. pathlen constraints are satisfied
2075  *
2076  * If there's a suitable candidate which is also time-valid, return the first
2077  * such. Otherwise, return the first suitable candidate (or NULL if there is
2078  * none).
2079  *
2080  * The rationale for this rule is that someone could have a list of trusted
2081  * roots with two versions on the same root with different validity periods.
2082  * (At least one user reported having such a list and wanted it to just work.)
2083  * The reason we don't just require time-validity is that generally there is
2084  * only one version, and if it's expired we want the flags to state that
2085  * rather than NOT_TRUSTED, as would be the case if we required it here.
2086  *
2087  * The rationale for rule 3 (signature for trusted roots) is that users might
2088  * have two versions of the same CA with different keys in their list, and the
2089  * way we select the correct one is by checking the signature (as we don't
2090  * rely on key identifier extensions). (This is one way users might choose to
2091  * handle key rollover, another relies on self-issued certs, see [SIRO].)
2092  *
2093  * Arguments:
2094  *  - [in] child: certificate for which we're looking for a parent
2095  *  - [in] candidates: chained list of potential parents
2096  *  - [out] r_parent: parent found (or NULL)
2097  *  - [out] r_signature_is_good: 1 if child signature by parent is valid, or 0
2098  *  - [in] top: 1 if candidates consists of trusted roots, ie we're at the top
2099  *         of the chain, 0 otherwise
2100  *  - [in] path_cnt: number of intermediates seen so far
2101  *  - [in] self_cnt: number of self-signed intermediates seen so far
2102  *         (will never be greater than path_cnt)
2103  *  - [in-out] rs_ctx: context for restarting operations
2104  *
2105  * Return value:
2106  *  - 0 on success
2107  *  - MBEDTLS_ERR_ECP_IN_PROGRESS otherwise
2108  */
x509_crt_find_parent_in(mbedtls_x509_crt * child,mbedtls_x509_crt * candidates,mbedtls_x509_crt ** r_parent,int * r_signature_is_good,int top,unsigned path_cnt,unsigned self_cnt,mbedtls_x509_crt_restart_ctx * rs_ctx)2109 static int x509_crt_find_parent_in(
2110     mbedtls_x509_crt *child,
2111     mbedtls_x509_crt *candidates,
2112     mbedtls_x509_crt **r_parent,
2113     int *r_signature_is_good,
2114     int top,
2115     unsigned path_cnt,
2116     unsigned self_cnt,
2117     mbedtls_x509_crt_restart_ctx *rs_ctx)
2118 {
2119     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2120     mbedtls_x509_crt *parent, *fallback_parent;
2121     int signature_is_good = 0, fallback_signature_is_good;
2122 
2123 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
2124     /* did we have something in progress? */
2125     if (rs_ctx != NULL && rs_ctx->parent != NULL) {
2126         /* restore saved state */
2127         parent = rs_ctx->parent;
2128         fallback_parent = rs_ctx->fallback_parent;
2129         fallback_signature_is_good = rs_ctx->fallback_signature_is_good;
2130 
2131         /* clear saved state */
2132         rs_ctx->parent = NULL;
2133         rs_ctx->fallback_parent = NULL;
2134         rs_ctx->fallback_signature_is_good = 0;
2135 
2136         /* resume where we left */
2137         goto check_signature;
2138     }
2139 #endif
2140 
2141     fallback_parent = NULL;
2142     fallback_signature_is_good = 0;
2143 
2144     for (parent = candidates; parent != NULL; parent = parent->next) {
2145         /* basic parenting skills (name, CA bit, key usage) */
2146         if (x509_crt_check_parent(child, parent, top) != 0) {
2147             continue;
2148         }
2149 
2150         /* +1 because stored max_pathlen is 1 higher that the actual value */
2151         if (parent->max_pathlen > 0 &&
2152             (size_t) parent->max_pathlen < 1 + path_cnt - self_cnt) {
2153             continue;
2154         }
2155 
2156         /* Signature */
2157 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
2158 check_signature:
2159 #endif
2160         ret = x509_crt_check_signature(child, parent, rs_ctx);
2161 
2162 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
2163         if (rs_ctx != NULL && ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
2164             /* save state */
2165             rs_ctx->parent = parent;
2166             rs_ctx->fallback_parent = fallback_parent;
2167             rs_ctx->fallback_signature_is_good = fallback_signature_is_good;
2168 
2169             return ret;
2170         }
2171 #else
2172         (void) ret;
2173 #endif
2174 
2175         signature_is_good = ret == 0;
2176         if (top && !signature_is_good) {
2177             continue;
2178         }
2179 
2180         /* optional time check */
2181         if (mbedtls_x509_time_is_past(&parent->valid_to) ||
2182             mbedtls_x509_time_is_future(&parent->valid_from)) {
2183             if (fallback_parent == NULL) {
2184                 fallback_parent = parent;
2185                 fallback_signature_is_good = signature_is_good;
2186             }
2187 
2188             continue;
2189         }
2190 
2191         *r_parent = parent;
2192         *r_signature_is_good = signature_is_good;
2193 
2194         break;
2195     }
2196 
2197     if (parent == NULL) {
2198         *r_parent = fallback_parent;
2199         *r_signature_is_good = fallback_signature_is_good;
2200     }
2201 
2202     return 0;
2203 }
2204 
2205 /*
2206  * Find a parent in trusted CAs or the provided chain, or return NULL.
2207  *
2208  * Searches in trusted CAs first, and return the first suitable parent found
2209  * (see find_parent_in() for definition of suitable).
2210  *
2211  * Arguments:
2212  *  - [in] child: certificate for which we're looking for a parent, followed
2213  *         by a chain of possible intermediates
2214  *  - [in] trust_ca: list of locally trusted certificates
2215  *  - [out] parent: parent found (or NULL)
2216  *  - [out] parent_is_trusted: 1 if returned `parent` is trusted, or 0
2217  *  - [out] signature_is_good: 1 if child signature by parent is valid, or 0
2218  *  - [in] path_cnt: number of links in the chain so far (EE -> ... -> child)
2219  *  - [in] self_cnt: number of self-signed certs in the chain so far
2220  *         (will always be no greater than path_cnt)
2221  *  - [in-out] rs_ctx: context for restarting operations
2222  *
2223  * Return value:
2224  *  - 0 on success
2225  *  - MBEDTLS_ERR_ECP_IN_PROGRESS otherwise
2226  */
x509_crt_find_parent(mbedtls_x509_crt * child,mbedtls_x509_crt * trust_ca,mbedtls_x509_crt ** parent,int * parent_is_trusted,int * signature_is_good,unsigned path_cnt,unsigned self_cnt,mbedtls_x509_crt_restart_ctx * rs_ctx)2227 static int x509_crt_find_parent(
2228     mbedtls_x509_crt *child,
2229     mbedtls_x509_crt *trust_ca,
2230     mbedtls_x509_crt **parent,
2231     int *parent_is_trusted,
2232     int *signature_is_good,
2233     unsigned path_cnt,
2234     unsigned self_cnt,
2235     mbedtls_x509_crt_restart_ctx *rs_ctx)
2236 {
2237     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2238     mbedtls_x509_crt *search_list;
2239 
2240     *parent_is_trusted = 1;
2241 
2242 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
2243     /* restore then clear saved state if we have some stored */
2244     if (rs_ctx != NULL && rs_ctx->parent_is_trusted != -1) {
2245         *parent_is_trusted = rs_ctx->parent_is_trusted;
2246         rs_ctx->parent_is_trusted = -1;
2247     }
2248 #endif
2249 
2250     while (1) {
2251         search_list = *parent_is_trusted ? trust_ca : child->next;
2252 
2253         ret = x509_crt_find_parent_in(child, search_list,
2254                                       parent, signature_is_good,
2255                                       *parent_is_trusted,
2256                                       path_cnt, self_cnt, rs_ctx);
2257 
2258 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
2259         if (rs_ctx != NULL && ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
2260             /* save state */
2261             rs_ctx->parent_is_trusted = *parent_is_trusted;
2262             return ret;
2263         }
2264 #else
2265         (void) ret;
2266 #endif
2267 
2268         /* stop here if found or already in second iteration */
2269         if (*parent != NULL || *parent_is_trusted == 0) {
2270             break;
2271         }
2272 
2273         /* prepare second iteration */
2274         *parent_is_trusted = 0;
2275     }
2276 
2277     /* extra precaution against mistakes in the caller */
2278     if (*parent == NULL) {
2279         *parent_is_trusted = 0;
2280         *signature_is_good = 0;
2281     }
2282 
2283     return 0;
2284 }
2285 
2286 /*
2287  * Check if an end-entity certificate is locally trusted
2288  *
2289  * Currently we require such certificates to be self-signed (actually only
2290  * check for self-issued as self-signatures are not checked)
2291  */
x509_crt_check_ee_locally_trusted(mbedtls_x509_crt * crt,mbedtls_x509_crt * trust_ca)2292 static int x509_crt_check_ee_locally_trusted(
2293     mbedtls_x509_crt *crt,
2294     mbedtls_x509_crt *trust_ca)
2295 {
2296     mbedtls_x509_crt *cur;
2297 
2298     /* must be self-issued */
2299     if (x509_name_cmp(&crt->issuer, &crt->subject) != 0) {
2300         return -1;
2301     }
2302 
2303     /* look for an exact match with trusted cert */
2304     for (cur = trust_ca; cur != NULL; cur = cur->next) {
2305         if (crt->raw.len == cur->raw.len &&
2306             memcmp(crt->raw.p, cur->raw.p, crt->raw.len) == 0) {
2307             return 0;
2308         }
2309     }
2310 
2311     /* too bad */
2312     return -1;
2313 }
2314 
2315 /*
2316  * Build and verify a certificate chain
2317  *
2318  * Given a peer-provided list of certificates EE, C1, ..., Cn and
2319  * a list of trusted certs R1, ... Rp, try to build and verify a chain
2320  *      EE, Ci1, ... Ciq [, Rj]
2321  * such that every cert in the chain is a child of the next one,
2322  * jumping to a trusted root as early as possible.
2323  *
2324  * Verify that chain and return it with flags for all issues found.
2325  *
2326  * Special cases:
2327  * - EE == Rj -> return a one-element list containing it
2328  * - EE, Ci1, ..., Ciq cannot be continued with a trusted root
2329  *   -> return that chain with NOT_TRUSTED set on Ciq
2330  *
2331  * Tests for (aspects of) this function should include at least:
2332  * - trusted EE
2333  * - EE -> trusted root
2334  * - EE -> intermediate CA -> trusted root
2335  * - if relevant: EE untrusted
2336  * - if relevant: EE -> intermediate, untrusted
2337  * with the aspect under test checked at each relevant level (EE, int, root).
2338  * For some aspects longer chains are required, but usually length 2 is
2339  * enough (but length 1 is not in general).
2340  *
2341  * Arguments:
2342  *  - [in] crt: the cert list EE, C1, ..., Cn
2343  *  - [in] trust_ca: the trusted list R1, ..., Rp
2344  *  - [in] ca_crl, profile: as in verify_with_profile()
2345  *  - [out] ver_chain: the built and verified chain
2346  *      Only valid when return value is 0, may contain garbage otherwise!
2347  *      Restart note: need not be the same when calling again to resume.
2348  *  - [in-out] rs_ctx: context for restarting operations
2349  *
2350  * Return value:
2351  *  - non-zero if the chain could not be fully built and examined
2352  *  - 0 is the chain was successfully built and examined,
2353  *      even if it was found to be invalid
2354  */
x509_crt_verify_chain(mbedtls_x509_crt * crt,mbedtls_x509_crt * trust_ca,mbedtls_x509_crl * ca_crl,mbedtls_x509_crt_ca_cb_t f_ca_cb,void * p_ca_cb,const mbedtls_x509_crt_profile * profile,mbedtls_x509_crt_verify_chain * ver_chain,mbedtls_x509_crt_restart_ctx * rs_ctx)2355 static int x509_crt_verify_chain(
2356     mbedtls_x509_crt *crt,
2357     mbedtls_x509_crt *trust_ca,
2358     mbedtls_x509_crl *ca_crl,
2359     mbedtls_x509_crt_ca_cb_t f_ca_cb,
2360     void *p_ca_cb,
2361     const mbedtls_x509_crt_profile *profile,
2362     mbedtls_x509_crt_verify_chain *ver_chain,
2363     mbedtls_x509_crt_restart_ctx *rs_ctx)
2364 {
2365     /* Don't initialize any of those variables here, so that the compiler can
2366      * catch potential issues with jumping ahead when restarting */
2367     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2368     uint32_t *flags;
2369     mbedtls_x509_crt_verify_chain_item *cur;
2370     mbedtls_x509_crt *child;
2371     mbedtls_x509_crt *parent;
2372     int parent_is_trusted;
2373     int child_is_trusted;
2374     int signature_is_good;
2375     unsigned self_cnt;
2376     mbedtls_x509_crt *cur_trust_ca = NULL;
2377 
2378 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
2379     /* resume if we had an operation in progress */
2380     if (rs_ctx != NULL && rs_ctx->in_progress == x509_crt_rs_find_parent) {
2381         /* restore saved state */
2382         *ver_chain = rs_ctx->ver_chain; /* struct copy */
2383         self_cnt = rs_ctx->self_cnt;
2384 
2385         /* restore derived state */
2386         cur = &ver_chain->items[ver_chain->len - 1];
2387         child = cur->crt;
2388         flags = &cur->flags;
2389 
2390         goto find_parent;
2391     }
2392 #endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
2393 
2394     child = crt;
2395     self_cnt = 0;
2396     parent_is_trusted = 0;
2397     child_is_trusted = 0;
2398 
2399     while (1) {
2400         /* Add certificate to the verification chain */
2401         cur = &ver_chain->items[ver_chain->len];
2402         cur->crt = child;
2403         cur->flags = 0;
2404         ver_chain->len++;
2405         flags = &cur->flags;
2406 
2407         /* Check time-validity (all certificates) */
2408         if (mbedtls_x509_time_is_past(&child->valid_to)) {
2409             *flags |= MBEDTLS_X509_BADCERT_EXPIRED;
2410         }
2411 
2412         if (mbedtls_x509_time_is_future(&child->valid_from)) {
2413             *flags |= MBEDTLS_X509_BADCERT_FUTURE;
2414         }
2415 
2416         /* Stop here for trusted roots (but not for trusted EE certs) */
2417         if (child_is_trusted) {
2418             return 0;
2419         }
2420 
2421         /* Check signature algorithm: MD & PK algs */
2422         if (x509_profile_check_md_alg(profile, child->sig_md) != 0) {
2423             *flags |= MBEDTLS_X509_BADCERT_BAD_MD;
2424         }
2425 
2426         if (x509_profile_check_pk_alg(profile, child->sig_pk) != 0) {
2427             *flags |= MBEDTLS_X509_BADCERT_BAD_PK;
2428         }
2429 
2430         /* Special case: EE certs that are locally trusted */
2431         if (ver_chain->len == 1 &&
2432             x509_crt_check_ee_locally_trusted(child, trust_ca) == 0) {
2433             return 0;
2434         }
2435 
2436 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
2437 find_parent:
2438 #endif
2439 
2440         /* Obtain list of potential trusted signers from CA callback,
2441          * or use statically provided list. */
2442 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
2443         if (f_ca_cb != NULL) {
2444             mbedtls_x509_crt_free(ver_chain->trust_ca_cb_result);
2445             mbedtls_free(ver_chain->trust_ca_cb_result);
2446             ver_chain->trust_ca_cb_result = NULL;
2447 
2448             ret = f_ca_cb(p_ca_cb, child, &ver_chain->trust_ca_cb_result);
2449             if (ret != 0) {
2450                 return MBEDTLS_ERR_X509_FATAL_ERROR;
2451             }
2452 
2453             cur_trust_ca = ver_chain->trust_ca_cb_result;
2454         } else
2455 #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
2456         {
2457             ((void) f_ca_cb);
2458             ((void) p_ca_cb);
2459             cur_trust_ca = trust_ca;
2460         }
2461 
2462         /* Look for a parent in trusted CAs or up the chain */
2463         ret = x509_crt_find_parent(child, cur_trust_ca, &parent,
2464                                    &parent_is_trusted, &signature_is_good,
2465                                    ver_chain->len - 1, self_cnt, rs_ctx);
2466 
2467 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
2468         if (rs_ctx != NULL && ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
2469             /* save state */
2470             rs_ctx->in_progress = x509_crt_rs_find_parent;
2471             rs_ctx->self_cnt = self_cnt;
2472             rs_ctx->ver_chain = *ver_chain; /* struct copy */
2473 
2474             return ret;
2475         }
2476 #else
2477         (void) ret;
2478 #endif
2479 
2480         /* No parent? We're done here */
2481         if (parent == NULL) {
2482             *flags |= MBEDTLS_X509_BADCERT_NOT_TRUSTED;
2483             return 0;
2484         }
2485 
2486         /* Count intermediate self-issued (not necessarily self-signed) certs.
2487          * These can occur with some strategies for key rollover, see [SIRO],
2488          * and should be excluded from max_pathlen checks. */
2489         if (ver_chain->len != 1 &&
2490             x509_name_cmp(&child->issuer, &child->subject) == 0) {
2491             self_cnt++;
2492         }
2493 
2494         /* path_cnt is 0 for the first intermediate CA,
2495          * and if parent is trusted it's not an intermediate CA */
2496         if (!parent_is_trusted &&
2497             ver_chain->len > MBEDTLS_X509_MAX_INTERMEDIATE_CA) {
2498             /* return immediately to avoid overflow the chain array */
2499             return MBEDTLS_ERR_X509_FATAL_ERROR;
2500         }
2501 
2502         /* signature was checked while searching parent */
2503         if (!signature_is_good) {
2504             *flags |= MBEDTLS_X509_BADCERT_NOT_TRUSTED;
2505         }
2506 
2507         /* check size of signing key */
2508         if (x509_profile_check_key(profile, &parent->pk) != 0) {
2509             *flags |= MBEDTLS_X509_BADCERT_BAD_KEY;
2510         }
2511 
2512 #if defined(MBEDTLS_X509_CRL_PARSE_C)
2513         /* Check trusted CA's CRL for the given crt */
2514         *flags |= x509_crt_verifycrl(child, parent, ca_crl, profile);
2515 #else
2516         (void) ca_crl;
2517 #endif
2518 
2519         /* prepare for next iteration */
2520         child = parent;
2521         parent = NULL;
2522         child_is_trusted = parent_is_trusted;
2523         signature_is_good = 0;
2524     }
2525 }
2526 
2527 /*
2528  * Check for CN match
2529  */
x509_crt_check_cn(const mbedtls_x509_buf * name,const char * cn,size_t cn_len)2530 static int x509_crt_check_cn(const mbedtls_x509_buf *name,
2531                              const char *cn, size_t cn_len)
2532 {
2533     /* try exact match */
2534     if (name->len == cn_len &&
2535         x509_memcasecmp(cn, name->p, cn_len) == 0) {
2536         return 0;
2537     }
2538 
2539     /* try wildcard match */
2540     if (x509_check_wildcard(cn, name) == 0) {
2541         return 0;
2542     }
2543 
2544     return -1;
2545 }
2546 
2547 /*
2548  * Check for SAN match, see RFC 5280 Section 4.2.1.6
2549  */
x509_crt_check_san(const mbedtls_x509_buf * name,const char * cn,size_t cn_len)2550 static int x509_crt_check_san(const mbedtls_x509_buf *name,
2551                               const char *cn, size_t cn_len)
2552 {
2553     const unsigned char san_type = (unsigned char) name->tag &
2554                                    MBEDTLS_ASN1_TAG_VALUE_MASK;
2555 
2556     /* dNSName */
2557     if (san_type == MBEDTLS_X509_SAN_DNS_NAME) {
2558         return x509_crt_check_cn(name, cn, cn_len);
2559     }
2560 
2561     /* (We may handle other types here later.) */
2562 
2563     /* Unrecognized type */
2564     return -1;
2565 }
2566 
2567 /*
2568  * Verify the requested CN - only call this if cn is not NULL!
2569  */
x509_crt_verify_name(const mbedtls_x509_crt * crt,const char * cn,uint32_t * flags)2570 static void x509_crt_verify_name(const mbedtls_x509_crt *crt,
2571                                  const char *cn,
2572                                  uint32_t *flags)
2573 {
2574     const mbedtls_x509_name *name;
2575     const mbedtls_x509_sequence *cur;
2576     size_t cn_len = strlen(cn);
2577 
2578     if (crt->ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME) {
2579         for (cur = &crt->subject_alt_names; cur != NULL; cur = cur->next) {
2580             if (x509_crt_check_san(&cur->buf, cn, cn_len) == 0) {
2581                 break;
2582             }
2583         }
2584 
2585         if (cur == NULL) {
2586             *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH;
2587         }
2588     } else {
2589         for (name = &crt->subject; name != NULL; name = name->next) {
2590             if (MBEDTLS_OID_CMP(MBEDTLS_OID_AT_CN, &name->oid) == 0 &&
2591                 x509_crt_check_cn(&name->val, cn, cn_len) == 0) {
2592                 break;
2593             }
2594         }
2595 
2596         if (name == NULL) {
2597             *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH;
2598         }
2599     }
2600 }
2601 
2602 /*
2603  * Merge the flags for all certs in the chain, after calling callback
2604  */
x509_crt_merge_flags_with_cb(uint32_t * flags,const mbedtls_x509_crt_verify_chain * ver_chain,int (* f_vrfy)(void *,mbedtls_x509_crt *,int,uint32_t *),void * p_vrfy)2605 static int x509_crt_merge_flags_with_cb(
2606     uint32_t *flags,
2607     const mbedtls_x509_crt_verify_chain *ver_chain,
2608     int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
2609     void *p_vrfy)
2610 {
2611     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2612     unsigned i;
2613     uint32_t cur_flags;
2614     const mbedtls_x509_crt_verify_chain_item *cur;
2615 
2616     for (i = ver_chain->len; i != 0; --i) {
2617         cur = &ver_chain->items[i-1];
2618         cur_flags = cur->flags;
2619 
2620         if (NULL != f_vrfy) {
2621             if ((ret = f_vrfy(p_vrfy, cur->crt, (int) i-1, &cur_flags)) != 0) {
2622                 return ret;
2623             }
2624         }
2625 
2626         *flags |= cur_flags;
2627     }
2628 
2629     return 0;
2630 }
2631 
2632 /*
2633  * Verify the certificate validity, with profile, restartable version
2634  *
2635  * This function:
2636  *  - checks the requested CN (if any)
2637  *  - checks the type and size of the EE cert's key,
2638  *    as that isn't done as part of chain building/verification currently
2639  *  - builds and verifies the chain
2640  *  - then calls the callback and merges the flags
2641  *
2642  * The parameters pairs `trust_ca`, `ca_crl` and `f_ca_cb`, `p_ca_cb`
2643  * are mutually exclusive: If `f_ca_cb != NULL`, it will be used by the
2644  * verification routine to search for trusted signers, and CRLs will
2645  * be disabled. Otherwise, `trust_ca` will be used as the static list
2646  * of trusted signers, and `ca_crl` will be use as the static list
2647  * of CRLs.
2648  */
x509_crt_verify_restartable_ca_cb(mbedtls_x509_crt * crt,mbedtls_x509_crt * trust_ca,mbedtls_x509_crl * ca_crl,mbedtls_x509_crt_ca_cb_t f_ca_cb,void * p_ca_cb,const mbedtls_x509_crt_profile * profile,const char * cn,uint32_t * flags,int (* f_vrfy)(void *,mbedtls_x509_crt *,int,uint32_t *),void * p_vrfy,mbedtls_x509_crt_restart_ctx * rs_ctx)2649 static int x509_crt_verify_restartable_ca_cb(mbedtls_x509_crt *crt,
2650                                              mbedtls_x509_crt *trust_ca,
2651                                              mbedtls_x509_crl *ca_crl,
2652                                              mbedtls_x509_crt_ca_cb_t f_ca_cb,
2653                                              void *p_ca_cb,
2654                                              const mbedtls_x509_crt_profile *profile,
2655                                              const char *cn, uint32_t *flags,
2656                                              int (*f_vrfy)(void *,
2657                                                            mbedtls_x509_crt *,
2658                                                            int,
2659                                                            uint32_t *),
2660                                              void *p_vrfy,
2661                                              mbedtls_x509_crt_restart_ctx *rs_ctx)
2662 {
2663     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2664     mbedtls_pk_type_t pk_type;
2665     mbedtls_x509_crt_verify_chain ver_chain;
2666     uint32_t ee_flags;
2667 
2668     *flags = 0;
2669     ee_flags = 0;
2670     x509_crt_verify_chain_reset(&ver_chain);
2671 
2672     if (profile == NULL) {
2673         ret = MBEDTLS_ERR_X509_BAD_INPUT_DATA;
2674         goto exit;
2675     }
2676 
2677     /* check name if requested */
2678     if (cn != NULL) {
2679         x509_crt_verify_name(crt, cn, &ee_flags);
2680     }
2681 
2682     /* Check the type and size of the key */
2683     pk_type = mbedtls_pk_get_type(&crt->pk);
2684 
2685     if (x509_profile_check_pk_alg(profile, pk_type) != 0) {
2686         ee_flags |= MBEDTLS_X509_BADCERT_BAD_PK;
2687     }
2688 
2689     if (x509_profile_check_key(profile, &crt->pk) != 0) {
2690         ee_flags |= MBEDTLS_X509_BADCERT_BAD_KEY;
2691     }
2692 
2693     /* Check the chain */
2694     ret = x509_crt_verify_chain(crt, trust_ca, ca_crl,
2695                                 f_ca_cb, p_ca_cb, profile,
2696                                 &ver_chain, rs_ctx);
2697 
2698     if (ret != 0) {
2699         goto exit;
2700     }
2701 
2702     /* Merge end-entity flags */
2703     ver_chain.items[0].flags |= ee_flags;
2704 
2705     /* Build final flags, calling callback on the way if any */
2706     ret = x509_crt_merge_flags_with_cb(flags, &ver_chain, f_vrfy, p_vrfy);
2707 
2708 exit:
2709 
2710 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
2711     mbedtls_x509_crt_free(ver_chain.trust_ca_cb_result);
2712     mbedtls_free(ver_chain.trust_ca_cb_result);
2713     ver_chain.trust_ca_cb_result = NULL;
2714 #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
2715 
2716 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
2717     if (rs_ctx != NULL && ret != MBEDTLS_ERR_ECP_IN_PROGRESS) {
2718         mbedtls_x509_crt_restart_free(rs_ctx);
2719     }
2720 #endif
2721 
2722     /* prevent misuse of the vrfy callback - VERIFY_FAILED would be ignored by
2723      * the SSL module for authmode optional, but non-zero return from the
2724      * callback means a fatal error so it shouldn't be ignored */
2725     if (ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED) {
2726         ret = MBEDTLS_ERR_X509_FATAL_ERROR;
2727     }
2728 
2729     if (ret != 0) {
2730         *flags = (uint32_t) -1;
2731         return ret;
2732     }
2733 
2734     if (*flags != 0) {
2735         return MBEDTLS_ERR_X509_CERT_VERIFY_FAILED;
2736     }
2737 
2738     return 0;
2739 }
2740 
2741 
2742 /*
2743  * Verify the certificate validity (default profile, not restartable)
2744  */
mbedtls_x509_crt_verify(mbedtls_x509_crt * crt,mbedtls_x509_crt * trust_ca,mbedtls_x509_crl * ca_crl,const char * cn,uint32_t * flags,int (* f_vrfy)(void *,mbedtls_x509_crt *,int,uint32_t *),void * p_vrfy)2745 int mbedtls_x509_crt_verify(mbedtls_x509_crt *crt,
2746                             mbedtls_x509_crt *trust_ca,
2747                             mbedtls_x509_crl *ca_crl,
2748                             const char *cn, uint32_t *flags,
2749                             int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
2750                             void *p_vrfy)
2751 {
2752     return x509_crt_verify_restartable_ca_cb(crt, trust_ca, ca_crl,
2753                                              NULL, NULL,
2754                                              &mbedtls_x509_crt_profile_default,
2755                                              cn, flags,
2756                                              f_vrfy, p_vrfy, NULL);
2757 }
2758 
2759 /*
2760  * Verify the certificate validity (user-chosen profile, not restartable)
2761  */
mbedtls_x509_crt_verify_with_profile(mbedtls_x509_crt * crt,mbedtls_x509_crt * trust_ca,mbedtls_x509_crl * ca_crl,const mbedtls_x509_crt_profile * profile,const char * cn,uint32_t * flags,int (* f_vrfy)(void *,mbedtls_x509_crt *,int,uint32_t *),void * p_vrfy)2762 int mbedtls_x509_crt_verify_with_profile(mbedtls_x509_crt *crt,
2763                                          mbedtls_x509_crt *trust_ca,
2764                                          mbedtls_x509_crl *ca_crl,
2765                                          const mbedtls_x509_crt_profile *profile,
2766                                          const char *cn, uint32_t *flags,
2767                                          int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
2768                                          void *p_vrfy)
2769 {
2770     return x509_crt_verify_restartable_ca_cb(crt, trust_ca, ca_crl,
2771                                              NULL, NULL,
2772                                              profile, cn, flags,
2773                                              f_vrfy, p_vrfy, NULL);
2774 }
2775 
2776 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
2777 /*
2778  * Verify the certificate validity (user-chosen profile, CA callback,
2779  *                                  not restartable).
2780  */
mbedtls_x509_crt_verify_with_ca_cb(mbedtls_x509_crt * crt,mbedtls_x509_crt_ca_cb_t f_ca_cb,void * p_ca_cb,const mbedtls_x509_crt_profile * profile,const char * cn,uint32_t * flags,int (* f_vrfy)(void *,mbedtls_x509_crt *,int,uint32_t *),void * p_vrfy)2781 int mbedtls_x509_crt_verify_with_ca_cb(mbedtls_x509_crt *crt,
2782                                        mbedtls_x509_crt_ca_cb_t f_ca_cb,
2783                                        void *p_ca_cb,
2784                                        const mbedtls_x509_crt_profile *profile,
2785                                        const char *cn, uint32_t *flags,
2786                                        int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
2787                                        void *p_vrfy)
2788 {
2789     return x509_crt_verify_restartable_ca_cb(crt, NULL, NULL,
2790                                              f_ca_cb, p_ca_cb,
2791                                              profile, cn, flags,
2792                                              f_vrfy, p_vrfy, NULL);
2793 }
2794 #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
2795 
mbedtls_x509_crt_verify_restartable(mbedtls_x509_crt * crt,mbedtls_x509_crt * trust_ca,mbedtls_x509_crl * ca_crl,const mbedtls_x509_crt_profile * profile,const char * cn,uint32_t * flags,int (* f_vrfy)(void *,mbedtls_x509_crt *,int,uint32_t *),void * p_vrfy,mbedtls_x509_crt_restart_ctx * rs_ctx)2796 int mbedtls_x509_crt_verify_restartable(mbedtls_x509_crt *crt,
2797                                         mbedtls_x509_crt *trust_ca,
2798                                         mbedtls_x509_crl *ca_crl,
2799                                         const mbedtls_x509_crt_profile *profile,
2800                                         const char *cn, uint32_t *flags,
2801                                         int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
2802                                         void *p_vrfy,
2803                                         mbedtls_x509_crt_restart_ctx *rs_ctx)
2804 {
2805     return x509_crt_verify_restartable_ca_cb(crt, trust_ca, ca_crl,
2806                                              NULL, NULL,
2807                                              profile, cn, flags,
2808                                              f_vrfy, p_vrfy, rs_ctx);
2809 }
2810 
2811 
2812 /*
2813  * Initialize a certificate chain
2814  */
mbedtls_x509_crt_init(mbedtls_x509_crt * crt)2815 void mbedtls_x509_crt_init(mbedtls_x509_crt *crt)
2816 {
2817     memset(crt, 0, sizeof(mbedtls_x509_crt));
2818 }
2819 
2820 /*
2821  * Unallocate all certificate data
2822  */
mbedtls_x509_crt_free(mbedtls_x509_crt * crt)2823 void mbedtls_x509_crt_free(mbedtls_x509_crt *crt)
2824 {
2825     mbedtls_x509_crt *cert_cur = crt;
2826     mbedtls_x509_crt *cert_prv;
2827 
2828     while (cert_cur != NULL) {
2829         mbedtls_pk_free(&cert_cur->pk);
2830 
2831 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
2832         mbedtls_free(cert_cur->sig_opts);
2833 #endif
2834 
2835         mbedtls_asn1_free_named_data_list_shallow(cert_cur->issuer.next);
2836         mbedtls_asn1_free_named_data_list_shallow(cert_cur->subject.next);
2837         mbedtls_asn1_sequence_free(cert_cur->ext_key_usage.next);
2838         mbedtls_asn1_sequence_free(cert_cur->subject_alt_names.next);
2839         mbedtls_asn1_sequence_free(cert_cur->certificate_policies.next);
2840 
2841         if (cert_cur->raw.p != NULL && cert_cur->own_buffer) {
2842             mbedtls_platform_zeroize(cert_cur->raw.p, cert_cur->raw.len);
2843             mbedtls_free(cert_cur->raw.p);
2844         }
2845 
2846         cert_prv = cert_cur;
2847         cert_cur = cert_cur->next;
2848 
2849         mbedtls_platform_zeroize(cert_prv, sizeof(mbedtls_x509_crt));
2850         if (cert_prv != crt) {
2851             mbedtls_free(cert_prv);
2852         }
2853     }
2854 }
2855 
2856 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
2857 /*
2858  * Initialize a restart context
2859  */
mbedtls_x509_crt_restart_init(mbedtls_x509_crt_restart_ctx * ctx)2860 void mbedtls_x509_crt_restart_init(mbedtls_x509_crt_restart_ctx *ctx)
2861 {
2862     mbedtls_pk_restart_init(&ctx->pk);
2863 
2864     ctx->parent = NULL;
2865     ctx->fallback_parent = NULL;
2866     ctx->fallback_signature_is_good = 0;
2867 
2868     ctx->parent_is_trusted = -1;
2869 
2870     ctx->in_progress = x509_crt_rs_none;
2871     ctx->self_cnt = 0;
2872     x509_crt_verify_chain_reset(&ctx->ver_chain);
2873 }
2874 
2875 /*
2876  * Free the components of a restart context
2877  */
mbedtls_x509_crt_restart_free(mbedtls_x509_crt_restart_ctx * ctx)2878 void mbedtls_x509_crt_restart_free(mbedtls_x509_crt_restart_ctx *ctx)
2879 {
2880     if (ctx == NULL) {
2881         return;
2882     }
2883 
2884     mbedtls_pk_restart_free(&ctx->pk);
2885     mbedtls_x509_crt_restart_init(ctx);
2886 }
2887 #endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
2888 
2889 #endif /* MBEDTLS_X509_CRT_PARSE_C */
2890