1 // SPDX-License-Identifier: Apache-2.0 2 /* 3 * X.509 certificate parsing and verification 4 * 5 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved 6 * 7 * Licensed under the Apache License, Version 2.0 (the "License"); you may 8 * not use this file except in compliance with the License. 9 * You may obtain a copy of the License at 10 * 11 * http://www.apache.org/licenses/LICENSE-2.0 12 * 13 * Unless required by applicable law or agreed to in writing, software 14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 * See the License for the specific language governing permissions and 17 * limitations under the License. 18 * 19 * This file is part of mbed TLS (https://tls.mbed.org) 20 */ 21 /* 22 * The ITU-T X.509 standard defines a certificate format for PKI. 23 * 24 * http://www.ietf.org/rfc/rfc5280.txt (Certificates and CRLs) 25 * http://www.ietf.org/rfc/rfc3279.txt (Alg IDs for CRLs) 26 * http://www.ietf.org/rfc/rfc2986.txt (CSRs, aka PKCS#10) 27 * 28 * http://www.itu.int/ITU-T/studygroups/com17/languages/X.680-0207.pdf 29 * http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf 30 * 31 * [SIRO] https://cabforum.org/wp-content/uploads/Chunghwatelecom201503cabforumV4.pdf 32 */ 33 34 #if !defined(MBEDTLS_CONFIG_FILE) 35 #include "mbedtls/config.h" 36 #else 37 #include MBEDTLS_CONFIG_FILE 38 #endif 39 40 #if defined(MBEDTLS_X509_CRT_PARSE_C) 41 42 #include "mbedtls/x509_crt.h" 43 #include "mbedtls/error.h" 44 #include "mbedtls/oid.h" 45 #include "mbedtls/platform_util.h" 46 47 #include <string.h> 48 49 #if defined(MBEDTLS_PEM_PARSE_C) 50 #include "mbedtls/pem.h" 51 #endif 52 53 #if defined(MBEDTLS_USE_PSA_CRYPTO) 54 #include "psa/crypto.h" 55 #include "mbedtls/psa_util.h" 56 #endif 57 58 #if defined(MBEDTLS_PLATFORM_C) 59 #include "mbedtls/platform.h" 60 #else 61 #include <stdio.h> 62 #include <stdlib.h> 63 #define mbedtls_free free 64 #define mbedtls_calloc calloc 65 #define mbedtls_snprintf snprintf 66 #endif 67 68 #if defined(MBEDTLS_THREADING_C) 69 #include "mbedtls/threading.h" 70 #endif 71 72 #if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32) 73 #include <windows.h> 74 #else 75 #include <time.h> 76 #endif 77 78 #if defined(MBEDTLS_FS_IO) 79 #include <stdio.h> 80 #if !defined(_WIN32) || defined(EFIX64) || defined(EFI32) 81 #include <sys/types.h> 82 #include <sys/stat.h> 83 #include <dirent.h> 84 #endif /* !_WIN32 || EFIX64 || EFI32 */ 85 #endif 86 87 /* 88 * Item in a verification chain: cert and flags for it 89 */ 90 typedef struct { 91 mbedtls_x509_crt *crt; 92 uint32_t flags; 93 } x509_crt_verify_chain_item; 94 95 /* 96 * Max size of verification chain: end-entity + intermediates + trusted root 97 */ 98 #define X509_MAX_VERIFY_CHAIN_SIZE ( MBEDTLS_X509_MAX_INTERMEDIATE_CA + 2 ) 99 100 /* 101 * Default profile 102 */ 103 const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_default = 104 { 105 #if defined(MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES) 106 /* Allow SHA-1 (weak, but still safe in controlled environments) */ 107 MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA1 ) | 108 #endif 109 /* Only SHA-2 hashes */ 110 MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA224 ) | 111 MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA256 ) | 112 MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA384 ) | 113 MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA512 ), 114 0xFFFFFFF, /* Any PK alg */ 115 0xFFFFFFF, /* Any curve */ 116 2048, 117 }; 118 119 /* 120 * Next-default profile 121 */ 122 const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_next = 123 { 124 /* Hashes from SHA-256 and above */ 125 MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA256 ) | 126 MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA384 ) | 127 MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA512 ), 128 0xFFFFFFF, /* Any PK alg */ 129 #if defined(MBEDTLS_ECP_C) 130 /* Curves at or above 128-bit security level */ 131 MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_SECP256R1 ) | 132 MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_SECP384R1 ) | 133 MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_SECP521R1 ) | 134 MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_BP256R1 ) | 135 MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_BP384R1 ) | 136 MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_BP512R1 ) | 137 MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_SECP256K1 ), 138 #else 139 0, 140 #endif 141 2048, 142 }; 143 144 /* 145 * NSA Suite B Profile 146 */ 147 const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_suiteb = 148 { 149 /* Only SHA-256 and 384 */ 150 MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA256 ) | 151 MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA384 ), 152 /* Only ECDSA */ 153 MBEDTLS_X509_ID_FLAG( MBEDTLS_PK_ECDSA ) | 154 MBEDTLS_X509_ID_FLAG( MBEDTLS_PK_ECKEY ), 155 #if defined(MBEDTLS_ECP_C) 156 /* Only NIST P-256 and P-384 */ 157 MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_SECP256R1 ) | 158 MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_SECP384R1 ), 159 #else 160 0, 161 #endif 162 0, 163 }; 164 165 /* 166 * Check md_alg against profile 167 * Return 0 if md_alg is acceptable for this profile, -1 otherwise 168 */ 169 static int x509_profile_check_md_alg( const mbedtls_x509_crt_profile *profile, 170 mbedtls_md_type_t md_alg ) 171 { 172 if( md_alg == MBEDTLS_MD_NONE ) 173 return( -1 ); 174 175 if( ( profile->allowed_mds & MBEDTLS_X509_ID_FLAG( md_alg ) ) != 0 ) 176 return( 0 ); 177 178 return( -1 ); 179 } 180 181 /* 182 * Check pk_alg against profile 183 * Return 0 if pk_alg is acceptable for this profile, -1 otherwise 184 */ 185 static int x509_profile_check_pk_alg( const mbedtls_x509_crt_profile *profile, 186 mbedtls_pk_type_t pk_alg ) 187 { 188 if( pk_alg == MBEDTLS_PK_NONE ) 189 return( -1 ); 190 191 if( ( profile->allowed_pks & MBEDTLS_X509_ID_FLAG( pk_alg ) ) != 0 ) 192 return( 0 ); 193 194 return( -1 ); 195 } 196 197 /* 198 * Check key against profile 199 * Return 0 if pk is acceptable for this profile, -1 otherwise 200 */ 201 static int x509_profile_check_key( const mbedtls_x509_crt_profile *profile, 202 const mbedtls_pk_context *pk ) 203 { 204 const mbedtls_pk_type_t pk_alg = mbedtls_pk_get_type( pk ); 205 206 #if defined(MBEDTLS_RSA_C) 207 if( pk_alg == MBEDTLS_PK_RSA || pk_alg == MBEDTLS_PK_RSASSA_PSS ) 208 { 209 if( mbedtls_pk_get_bitlen( pk ) >= profile->rsa_min_bitlen ) 210 return( 0 ); 211 212 return( -1 ); 213 } 214 #endif 215 216 #if defined(MBEDTLS_ECP_C) 217 if( pk_alg == MBEDTLS_PK_ECDSA || 218 pk_alg == MBEDTLS_PK_ECKEY || 219 pk_alg == MBEDTLS_PK_ECKEY_DH ) 220 { 221 const mbedtls_ecp_group_id gid = mbedtls_pk_ec( *pk )->grp.id; 222 223 if( gid == MBEDTLS_ECP_DP_NONE ) 224 return( -1 ); 225 226 if( ( profile->allowed_curves & MBEDTLS_X509_ID_FLAG( gid ) ) != 0 ) 227 return( 0 ); 228 229 return( -1 ); 230 } 231 #endif 232 233 return( -1 ); 234 } 235 236 /* 237 * Like memcmp, but case-insensitive and always returns -1 if different 238 */ 239 static int x509_memcasecmp( const void *s1, const void *s2, size_t len ) 240 { 241 size_t i; 242 unsigned char diff; 243 const unsigned char *n1 = s1, *n2 = s2; 244 245 for( i = 0; i < len; i++ ) 246 { 247 diff = n1[i] ^ n2[i]; 248 249 if( diff == 0 ) 250 continue; 251 252 if( diff == 32 && 253 ( ( n1[i] >= 'a' && n1[i] <= 'z' ) || 254 ( n1[i] >= 'A' && n1[i] <= 'Z' ) ) ) 255 { 256 continue; 257 } 258 259 return( -1 ); 260 } 261 262 return( 0 ); 263 } 264 265 /* 266 * Return 0 if name matches wildcard, -1 otherwise 267 */ 268 static int x509_check_wildcard( const char *cn, const mbedtls_x509_buf *name ) 269 { 270 size_t i; 271 size_t cn_idx = 0, cn_len = strlen( cn ); 272 273 /* We can't have a match if there is no wildcard to match */ 274 if( name->len < 3 || name->p[0] != '*' || name->p[1] != '.' ) 275 return( -1 ); 276 277 for( i = 0; i < cn_len; ++i ) 278 { 279 if( cn[i] == '.' ) 280 { 281 cn_idx = i; 282 break; 283 } 284 } 285 286 if( cn_idx == 0 ) 287 return( -1 ); 288 289 if( cn_len - cn_idx == name->len - 1 && 290 x509_memcasecmp( name->p + 1, cn + cn_idx, name->len - 1 ) == 0 ) 291 { 292 return( 0 ); 293 } 294 295 return( -1 ); 296 } 297 298 /* 299 * Compare two X.509 strings, case-insensitive, and allowing for some encoding 300 * variations (but not all). 301 * 302 * Return 0 if equal, -1 otherwise. 303 */ 304 static int x509_string_cmp( const mbedtls_x509_buf *a, const mbedtls_x509_buf *b ) 305 { 306 if( a->tag == b->tag && 307 a->len == b->len && 308 memcmp( a->p, b->p, b->len ) == 0 ) 309 { 310 return( 0 ); 311 } 312 313 if( ( a->tag == MBEDTLS_ASN1_UTF8_STRING || a->tag == MBEDTLS_ASN1_PRINTABLE_STRING ) && 314 ( b->tag == MBEDTLS_ASN1_UTF8_STRING || b->tag == MBEDTLS_ASN1_PRINTABLE_STRING ) && 315 a->len == b->len && 316 x509_memcasecmp( a->p, b->p, b->len ) == 0 ) 317 { 318 return( 0 ); 319 } 320 321 return( -1 ); 322 } 323 324 /* 325 * Compare two X.509 Names (aka rdnSequence). 326 * 327 * See RFC 5280 section 7.1, though we don't implement the whole algorithm: 328 * we sometimes return unequal when the full algorithm would return equal, 329 * but never the other way. (In particular, we don't do Unicode normalisation 330 * or space folding.) 331 * 332 * Return 0 if equal, -1 otherwise. 333 */ 334 static int x509_name_cmp( const mbedtls_x509_name *a, const mbedtls_x509_name *b ) 335 { 336 /* Avoid recursion, it might not be optimised by the compiler */ 337 while( a != NULL || b != NULL ) 338 { 339 if( a == NULL || b == NULL ) 340 return( -1 ); 341 342 /* type */ 343 if( a->oid.tag != b->oid.tag || 344 a->oid.len != b->oid.len || 345 memcmp( a->oid.p, b->oid.p, b->oid.len ) != 0 ) 346 { 347 return( -1 ); 348 } 349 350 /* value */ 351 if( x509_string_cmp( &a->val, &b->val ) != 0 ) 352 return( -1 ); 353 354 /* structure of the list of sets */ 355 if( a->next_merged != b->next_merged ) 356 return( -1 ); 357 358 a = a->next; 359 b = b->next; 360 } 361 362 /* a == NULL == b */ 363 return( 0 ); 364 } 365 366 /* 367 * Reset (init or clear) a verify_chain 368 */ 369 static void x509_crt_verify_chain_reset( 370 mbedtls_x509_crt_verify_chain *ver_chain ) 371 { 372 size_t i; 373 374 for( i = 0; i < MBEDTLS_X509_MAX_VERIFY_CHAIN_SIZE; i++ ) 375 { 376 ver_chain->items[i].crt = NULL; 377 ver_chain->items[i].flags = (uint32_t) -1; 378 } 379 380 ver_chain->len = 0; 381 382 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK) 383 ver_chain->trust_ca_cb_result = NULL; 384 #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */ 385 } 386 387 /* 388 * Version ::= INTEGER { v1(0), v2(1), v3(2) } 389 */ 390 static int x509_get_version( unsigned char **p, 391 const unsigned char *end, 392 int *ver ) 393 { 394 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 395 size_t len; 396 397 if( ( ret = mbedtls_asn1_get_tag( p, end, &len, 398 MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | 0 ) ) != 0 ) 399 { 400 if( ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) 401 { 402 *ver = 0; 403 return( 0 ); 404 } 405 406 return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret ); 407 } 408 409 end = *p + len; 410 411 if( ( ret = mbedtls_asn1_get_int( p, end, ver ) ) != 0 ) 412 return( MBEDTLS_ERR_X509_INVALID_VERSION + ret ); 413 414 if( *p != end ) 415 return( MBEDTLS_ERR_X509_INVALID_VERSION + 416 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ); 417 418 return( 0 ); 419 } 420 421 /* 422 * Validity ::= SEQUENCE { 423 * notBefore Time, 424 * notAfter Time } 425 */ 426 static int x509_get_dates( unsigned char **p, 427 const unsigned char *end, 428 mbedtls_x509_time *from, 429 mbedtls_x509_time *to ) 430 { 431 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 432 size_t len; 433 434 if( ( ret = mbedtls_asn1_get_tag( p, end, &len, 435 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) 436 return( MBEDTLS_ERR_X509_INVALID_DATE + ret ); 437 438 end = *p + len; 439 440 if( ( ret = mbedtls_x509_get_time( p, end, from ) ) != 0 ) 441 return( ret ); 442 443 if( ( ret = mbedtls_x509_get_time( p, end, to ) ) != 0 ) 444 return( ret ); 445 446 if( *p != end ) 447 return( MBEDTLS_ERR_X509_INVALID_DATE + 448 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ); 449 450 return( 0 ); 451 } 452 453 /* 454 * X.509 v2/v3 unique identifier (not parsed) 455 */ 456 static int x509_get_uid( unsigned char **p, 457 const unsigned char *end, 458 mbedtls_x509_buf *uid, int n ) 459 { 460 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 461 462 if( *p == end ) 463 return( 0 ); 464 465 uid->tag = **p; 466 467 if( ( ret = mbedtls_asn1_get_tag( p, end, &uid->len, 468 MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | n ) ) != 0 ) 469 { 470 if( ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) 471 return( 0 ); 472 473 return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret ); 474 } 475 476 uid->p = *p; 477 *p += uid->len; 478 479 return( 0 ); 480 } 481 482 static int x509_get_basic_constraints( unsigned char **p, 483 const unsigned char *end, 484 int *ca_istrue, 485 int *max_pathlen ) 486 { 487 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 488 size_t len; 489 490 /* 491 * BasicConstraints ::= SEQUENCE { 492 * cA BOOLEAN DEFAULT FALSE, 493 * pathLenConstraint INTEGER (0..MAX) OPTIONAL } 494 */ 495 *ca_istrue = 0; /* DEFAULT FALSE */ 496 *max_pathlen = 0; /* endless */ 497 498 if( ( ret = mbedtls_asn1_get_tag( p, end, &len, 499 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) 500 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret ); 501 502 if( *p == end ) 503 return( 0 ); 504 505 if( ( ret = mbedtls_asn1_get_bool( p, end, ca_istrue ) ) != 0 ) 506 { 507 if( ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) 508 ret = mbedtls_asn1_get_int( p, end, ca_istrue ); 509 510 if( ret != 0 ) 511 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret ); 512 513 if( *ca_istrue != 0 ) 514 *ca_istrue = 1; 515 } 516 517 if( *p == end ) 518 return( 0 ); 519 520 if( ( ret = mbedtls_asn1_get_int( p, end, max_pathlen ) ) != 0 ) 521 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret ); 522 523 if( *p != end ) 524 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + 525 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ); 526 527 (*max_pathlen)++; 528 529 return( 0 ); 530 } 531 532 static int x509_get_ns_cert_type( unsigned char **p, 533 const unsigned char *end, 534 unsigned char *ns_cert_type) 535 { 536 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 537 mbedtls_x509_bitstring bs = { 0, 0, NULL }; 538 539 if( ( ret = mbedtls_asn1_get_bitstring( p, end, &bs ) ) != 0 ) 540 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret ); 541 542 if( bs.len != 1 ) 543 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + 544 MBEDTLS_ERR_ASN1_INVALID_LENGTH ); 545 546 /* Get actual bitstring */ 547 *ns_cert_type = *bs.p; 548 return( 0 ); 549 } 550 551 static int x509_get_key_usage( unsigned char **p, 552 const unsigned char *end, 553 unsigned int *key_usage) 554 { 555 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 556 size_t i; 557 mbedtls_x509_bitstring bs = { 0, 0, NULL }; 558 559 if( ( ret = mbedtls_asn1_get_bitstring( p, end, &bs ) ) != 0 ) 560 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret ); 561 562 if( bs.len < 1 ) 563 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + 564 MBEDTLS_ERR_ASN1_INVALID_LENGTH ); 565 566 /* Get actual bitstring */ 567 *key_usage = 0; 568 for( i = 0; i < bs.len && i < sizeof( unsigned int ); i++ ) 569 { 570 *key_usage |= (unsigned int) bs.p[i] << (8*i); 571 } 572 573 return( 0 ); 574 } 575 576 /* 577 * ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId 578 * 579 * KeyPurposeId ::= OBJECT IDENTIFIER 580 */ 581 static int x509_get_ext_key_usage( unsigned char **p, 582 const unsigned char *end, 583 mbedtls_x509_sequence *ext_key_usage) 584 { 585 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 586 587 if( ( ret = mbedtls_asn1_get_sequence_of( p, end, ext_key_usage, MBEDTLS_ASN1_OID ) ) != 0 ) 588 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret ); 589 590 /* Sequence length must be >= 1 */ 591 if( ext_key_usage->buf.p == NULL ) 592 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + 593 MBEDTLS_ERR_ASN1_INVALID_LENGTH ); 594 595 return( 0 ); 596 } 597 598 /* 599 * SubjectAltName ::= GeneralNames 600 * 601 * GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName 602 * 603 * GeneralName ::= CHOICE { 604 * otherName [0] OtherName, 605 * rfc822Name [1] IA5String, 606 * dNSName [2] IA5String, 607 * x400Address [3] ORAddress, 608 * directoryName [4] Name, 609 * ediPartyName [5] EDIPartyName, 610 * uniformResourceIdentifier [6] IA5String, 611 * iPAddress [7] OCTET STRING, 612 * registeredID [8] OBJECT IDENTIFIER } 613 * 614 * OtherName ::= SEQUENCE { 615 * type-id OBJECT IDENTIFIER, 616 * value [0] EXPLICIT ANY DEFINED BY type-id } 617 * 618 * EDIPartyName ::= SEQUENCE { 619 * nameAssigner [0] DirectoryString OPTIONAL, 620 * partyName [1] DirectoryString } 621 * 622 * NOTE: we list all types, but only use dNSName and otherName 623 * of type HwModuleName, as defined in RFC 4108, at this point. 624 */ 625 static int x509_get_subject_alt_name( unsigned char **p, 626 const unsigned char *end, 627 mbedtls_x509_sequence *subject_alt_name ) 628 { 629 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 630 size_t len, tag_len; 631 mbedtls_asn1_buf *buf; 632 unsigned char tag; 633 mbedtls_asn1_sequence *cur = subject_alt_name; 634 635 /* Get main sequence tag */ 636 if( ( ret = mbedtls_asn1_get_tag( p, end, &len, 637 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) 638 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret ); 639 640 if( *p + len != end ) 641 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + 642 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ); 643 644 while( *p < end ) 645 { 646 mbedtls_x509_subject_alternative_name dummy_san_buf; 647 memset( &dummy_san_buf, 0, sizeof( dummy_san_buf ) ); 648 649 if( ( end - *p ) < 1 ) 650 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + 651 MBEDTLS_ERR_ASN1_OUT_OF_DATA ); 652 653 tag = **p; 654 (*p)++; 655 if( ( ret = mbedtls_asn1_get_len( p, end, &tag_len ) ) != 0 ) 656 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret ); 657 658 if( ( tag & MBEDTLS_ASN1_TAG_CLASS_MASK ) != 659 MBEDTLS_ASN1_CONTEXT_SPECIFIC ) 660 { 661 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + 662 MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ); 663 } 664 665 /* 666 * Check that the SAN are structured correct. 667 */ 668 ret = mbedtls_x509_parse_subject_alt_name( &(cur->buf), &dummy_san_buf ); 669 /* 670 * In case the extension is malformed, return an error, 671 * and clear the allocated sequences. 672 */ 673 if( ret != 0 && ret != MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE ) 674 { 675 mbedtls_x509_sequence *seq_cur = subject_alt_name->next; 676 mbedtls_x509_sequence *seq_prv; 677 while( seq_cur != NULL ) 678 { 679 seq_prv = seq_cur; 680 seq_cur = seq_cur->next; 681 mbedtls_platform_zeroize( seq_prv, 682 sizeof( mbedtls_x509_sequence ) ); 683 mbedtls_free( seq_prv ); 684 } 685 subject_alt_name->next = NULL; 686 return( ret ); 687 } 688 689 /* Allocate and assign next pointer */ 690 if( cur->buf.p != NULL ) 691 { 692 if( cur->next != NULL ) 693 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS ); 694 695 cur->next = mbedtls_calloc( 1, sizeof( mbedtls_asn1_sequence ) ); 696 697 if( cur->next == NULL ) 698 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + 699 MBEDTLS_ERR_ASN1_ALLOC_FAILED ); 700 701 cur = cur->next; 702 } 703 704 buf = &(cur->buf); 705 buf->tag = tag; 706 buf->p = *p; 707 buf->len = tag_len; 708 *p += buf->len; 709 } 710 711 /* Set final sequence entry's next pointer to NULL */ 712 cur->next = NULL; 713 714 if( *p != end ) 715 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + 716 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ); 717 718 return( 0 ); 719 } 720 721 /* 722 * id-ce-certificatePolicies OBJECT IDENTIFIER ::= { id-ce 32 } 723 * 724 * anyPolicy OBJECT IDENTIFIER ::= { id-ce-certificatePolicies 0 } 725 * 726 * certificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation 727 * 728 * PolicyInformation ::= SEQUENCE { 729 * policyIdentifier CertPolicyId, 730 * policyQualifiers SEQUENCE SIZE (1..MAX) OF 731 * PolicyQualifierInfo OPTIONAL } 732 * 733 * CertPolicyId ::= OBJECT IDENTIFIER 734 * 735 * PolicyQualifierInfo ::= SEQUENCE { 736 * policyQualifierId PolicyQualifierId, 737 * qualifier ANY DEFINED BY policyQualifierId } 738 * 739 * -- policyQualifierIds for Internet policy qualifiers 740 * 741 * id-qt OBJECT IDENTIFIER ::= { id-pkix 2 } 742 * id-qt-cps OBJECT IDENTIFIER ::= { id-qt 1 } 743 * id-qt-unotice OBJECT IDENTIFIER ::= { id-qt 2 } 744 * 745 * PolicyQualifierId ::= OBJECT IDENTIFIER ( id-qt-cps | id-qt-unotice ) 746 * 747 * Qualifier ::= CHOICE { 748 * cPSuri CPSuri, 749 * userNotice UserNotice } 750 * 751 * CPSuri ::= IA5String 752 * 753 * UserNotice ::= SEQUENCE { 754 * noticeRef NoticeReference OPTIONAL, 755 * explicitText DisplayText OPTIONAL } 756 * 757 * NoticeReference ::= SEQUENCE { 758 * organization DisplayText, 759 * noticeNumbers SEQUENCE OF INTEGER } 760 * 761 * DisplayText ::= CHOICE { 762 * ia5String IA5String (SIZE (1..200)), 763 * visibleString VisibleString (SIZE (1..200)), 764 * bmpString BMPString (SIZE (1..200)), 765 * utf8String UTF8String (SIZE (1..200)) } 766 * 767 * NOTE: we only parse and use anyPolicy without qualifiers at this point 768 * as defined in RFC 5280. 769 */ 770 static int x509_get_certificate_policies( unsigned char **p, 771 const unsigned char *end, 772 mbedtls_x509_sequence *certificate_policies ) 773 { 774 int ret, parse_ret = 0; 775 size_t len; 776 mbedtls_asn1_buf *buf; 777 mbedtls_asn1_sequence *cur = certificate_policies; 778 779 /* Get main sequence tag */ 780 ret = mbedtls_asn1_get_tag( p, end, &len, 781 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ); 782 if( ret != 0 ) 783 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret ); 784 785 if( *p + len != end ) 786 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + 787 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ); 788 789 /* 790 * Cannot be an empty sequence. 791 */ 792 if( len == 0 ) 793 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + 794 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ); 795 796 while( *p < end ) 797 { 798 mbedtls_x509_buf policy_oid; 799 const unsigned char *policy_end; 800 801 /* 802 * Get the policy sequence 803 */ 804 if( ( ret = mbedtls_asn1_get_tag( p, end, &len, 805 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) 806 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret ); 807 808 policy_end = *p + len; 809 810 if( ( ret = mbedtls_asn1_get_tag( p, policy_end, &len, 811 MBEDTLS_ASN1_OID ) ) != 0 ) 812 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret ); 813 814 policy_oid.tag = MBEDTLS_ASN1_OID; 815 policy_oid.len = len; 816 policy_oid.p = *p; 817 818 /* 819 * Only AnyPolicy is currently supported when enforcing policy. 820 */ 821 if( MBEDTLS_OID_CMP( MBEDTLS_OID_ANY_POLICY, &policy_oid ) != 0 ) 822 { 823 /* 824 * Set the parsing return code but continue parsing, in case this 825 * extension is critical and MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION 826 * is configured. 827 */ 828 parse_ret = MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE; 829 } 830 831 /* Allocate and assign next pointer */ 832 if( cur->buf.p != NULL ) 833 { 834 if( cur->next != NULL ) 835 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS ); 836 837 cur->next = mbedtls_calloc( 1, sizeof( mbedtls_asn1_sequence ) ); 838 839 if( cur->next == NULL ) 840 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + 841 MBEDTLS_ERR_ASN1_ALLOC_FAILED ); 842 843 cur = cur->next; 844 } 845 846 buf = &( cur->buf ); 847 buf->tag = policy_oid.tag; 848 buf->p = policy_oid.p; 849 buf->len = policy_oid.len; 850 851 *p += len; 852 853 /* 854 * If there is an optional qualifier, then *p < policy_end 855 * Check the Qualifier len to verify it doesn't exceed policy_end. 856 */ 857 if( *p < policy_end ) 858 { 859 if( ( ret = mbedtls_asn1_get_tag( p, policy_end, &len, 860 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) 861 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret ); 862 /* 863 * Skip the optional policy qualifiers. 864 */ 865 *p += len; 866 } 867 868 if( *p != policy_end ) 869 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + 870 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ); 871 } 872 873 /* Set final sequence entry's next pointer to NULL */ 874 cur->next = NULL; 875 876 if( *p != end ) 877 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + 878 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ); 879 880 return( parse_ret ); 881 } 882 883 /* 884 * X.509 v3 extensions 885 * 886 */ 887 static int x509_get_crt_ext( unsigned char **p, 888 const unsigned char *end, 889 mbedtls_x509_crt *crt ) 890 { 891 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 892 size_t len; 893 unsigned char *end_ext_data, *end_ext_octet; 894 895 if( *p == end ) 896 return( 0 ); 897 898 if( ( ret = mbedtls_x509_get_ext( p, end, &crt->v3_ext, 3 ) ) != 0 ) 899 return( ret ); 900 901 end = crt->v3_ext.p + crt->v3_ext.len; 902 while( *p < end ) 903 { 904 /* 905 * Extension ::= SEQUENCE { 906 * extnID OBJECT IDENTIFIER, 907 * critical BOOLEAN DEFAULT FALSE, 908 * extnValue OCTET STRING } 909 */ 910 mbedtls_x509_buf extn_oid = {0, 0, NULL}; 911 int is_critical = 0; /* DEFAULT FALSE */ 912 int ext_type = 0; 913 914 if( ( ret = mbedtls_asn1_get_tag( p, end, &len, 915 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) 916 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret ); 917 918 end_ext_data = *p + len; 919 920 /* Get extension ID */ 921 if( ( ret = mbedtls_asn1_get_tag( p, end_ext_data, &extn_oid.len, 922 MBEDTLS_ASN1_OID ) ) != 0 ) 923 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret ); 924 925 extn_oid.tag = MBEDTLS_ASN1_OID; 926 extn_oid.p = *p; 927 *p += extn_oid.len; 928 929 /* Get optional critical */ 930 if( ( ret = mbedtls_asn1_get_bool( p, end_ext_data, &is_critical ) ) != 0 && 931 ( ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) ) 932 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret ); 933 934 /* Data should be octet string type */ 935 if( ( ret = mbedtls_asn1_get_tag( p, end_ext_data, &len, 936 MBEDTLS_ASN1_OCTET_STRING ) ) != 0 ) 937 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret ); 938 939 end_ext_octet = *p + len; 940 941 if( end_ext_octet != end_ext_data ) 942 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + 943 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ); 944 945 /* 946 * Detect supported extensions 947 */ 948 ret = mbedtls_oid_get_x509_ext_type( &extn_oid, &ext_type ); 949 950 if( ret != 0 ) 951 { 952 /* No parser found, skip extension */ 953 *p = end_ext_octet; 954 955 #if !defined(MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION) 956 if( is_critical ) 957 { 958 /* Data is marked as critical: fail */ 959 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + 960 MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ); 961 } 962 #endif 963 continue; 964 } 965 966 /* Forbid repeated extensions */ 967 if( ( crt->ext_types & ext_type ) != 0 ) 968 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS ); 969 970 crt->ext_types |= ext_type; 971 972 switch( ext_type ) 973 { 974 case MBEDTLS_X509_EXT_BASIC_CONSTRAINTS: 975 /* Parse basic constraints */ 976 if( ( ret = x509_get_basic_constraints( p, end_ext_octet, 977 &crt->ca_istrue, &crt->max_pathlen ) ) != 0 ) 978 return( ret ); 979 break; 980 981 case MBEDTLS_X509_EXT_KEY_USAGE: 982 /* Parse key usage */ 983 if( ( ret = x509_get_key_usage( p, end_ext_octet, 984 &crt->key_usage ) ) != 0 ) 985 return( ret ); 986 break; 987 988 case MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE: 989 /* Parse extended key usage */ 990 if( ( ret = x509_get_ext_key_usage( p, end_ext_octet, 991 &crt->ext_key_usage ) ) != 0 ) 992 return( ret ); 993 break; 994 995 case MBEDTLS_X509_EXT_SUBJECT_ALT_NAME: 996 /* Parse subject alt name */ 997 if( ( ret = x509_get_subject_alt_name( p, end_ext_octet, 998 &crt->subject_alt_names ) ) != 0 ) 999 return( ret ); 1000 break; 1001 1002 case MBEDTLS_X509_EXT_NS_CERT_TYPE: 1003 /* Parse netscape certificate type */ 1004 if( ( ret = x509_get_ns_cert_type( p, end_ext_octet, 1005 &crt->ns_cert_type ) ) != 0 ) 1006 return( ret ); 1007 break; 1008 1009 case MBEDTLS_OID_X509_EXT_CERTIFICATE_POLICIES: 1010 /* Parse certificate policies type */ 1011 if( ( ret = x509_get_certificate_policies( p, end_ext_octet, 1012 &crt->certificate_policies ) ) != 0 ) 1013 { 1014 #if !defined(MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION) 1015 if( is_critical ) 1016 return( ret ); 1017 else 1018 #endif 1019 /* 1020 * If MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE is returned, then we 1021 * cannot interpret or enforce the policy. However, it is up to 1022 * the user to choose how to enforce the policies, 1023 * unless the extension is critical. 1024 */ 1025 if( ret != MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE ) 1026 return( ret ); 1027 } 1028 break; 1029 1030 default: 1031 /* 1032 * If this is a non-critical extension, which the oid layer 1033 * supports, but there isn't an x509 parser for it, 1034 * skip the extension. 1035 */ 1036 #if !defined(MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION) 1037 if( is_critical ) 1038 return( MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE ); 1039 else 1040 #endif 1041 *p = end_ext_octet; 1042 } 1043 } 1044 1045 if( *p != end ) 1046 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + 1047 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ); 1048 1049 return( 0 ); 1050 } 1051 1052 /* 1053 * Parse and fill a single X.509 certificate in DER format 1054 */ 1055 static int x509_crt_parse_der_core( mbedtls_x509_crt *crt, 1056 const unsigned char *buf, 1057 size_t buflen, 1058 int make_copy ) 1059 { 1060 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1061 size_t len; 1062 unsigned char *p, *end, *crt_end; 1063 mbedtls_x509_buf sig_params1, sig_params2, sig_oid2; 1064 1065 memset( &sig_params1, 0, sizeof( mbedtls_x509_buf ) ); 1066 memset( &sig_params2, 0, sizeof( mbedtls_x509_buf ) ); 1067 memset( &sig_oid2, 0, sizeof( mbedtls_x509_buf ) ); 1068 1069 /* 1070 * Check for valid input 1071 */ 1072 if( crt == NULL || buf == NULL ) 1073 return( MBEDTLS_ERR_X509_BAD_INPUT_DATA ); 1074 1075 /* Use the original buffer until we figure out actual length. */ 1076 p = (unsigned char*) buf; 1077 len = buflen; 1078 end = p + len; 1079 1080 /* 1081 * Certificate ::= SEQUENCE { 1082 * tbsCertificate TBSCertificate, 1083 * signatureAlgorithm AlgorithmIdentifier, 1084 * signatureValue BIT STRING } 1085 */ 1086 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, 1087 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) 1088 { 1089 mbedtls_x509_crt_free( crt ); 1090 return( MBEDTLS_ERR_X509_INVALID_FORMAT ); 1091 } 1092 1093 end = crt_end = p + len; 1094 crt->raw.len = crt_end - buf; 1095 if( make_copy != 0 ) 1096 { 1097 /* Create and populate a new buffer for the raw field. */ 1098 crt->raw.p = p = mbedtls_calloc( 1, crt->raw.len ); 1099 if( crt->raw.p == NULL ) 1100 return( MBEDTLS_ERR_X509_ALLOC_FAILED ); 1101 1102 memcpy( crt->raw.p, buf, crt->raw.len ); 1103 crt->own_buffer = 1; 1104 1105 p += crt->raw.len - len; 1106 end = crt_end = p + len; 1107 } 1108 else 1109 { 1110 crt->raw.p = (unsigned char*) buf; 1111 crt->own_buffer = 0; 1112 } 1113 1114 /* 1115 * TBSCertificate ::= SEQUENCE { 1116 */ 1117 crt->tbs.p = p; 1118 1119 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, 1120 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) 1121 { 1122 mbedtls_x509_crt_free( crt ); 1123 return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret ); 1124 } 1125 1126 end = p + len; 1127 crt->tbs.len = end - crt->tbs.p; 1128 1129 /* 1130 * Version ::= INTEGER { v1(0), v2(1), v3(2) } 1131 * 1132 * CertificateSerialNumber ::= INTEGER 1133 * 1134 * signature AlgorithmIdentifier 1135 */ 1136 if( ( ret = x509_get_version( &p, end, &crt->version ) ) != 0 || 1137 ( ret = mbedtls_x509_get_serial( &p, end, &crt->serial ) ) != 0 || 1138 ( ret = mbedtls_x509_get_alg( &p, end, &crt->sig_oid, 1139 &sig_params1 ) ) != 0 ) 1140 { 1141 mbedtls_x509_crt_free( crt ); 1142 return( ret ); 1143 } 1144 1145 if( crt->version < 0 || crt->version > 2 ) 1146 { 1147 mbedtls_x509_crt_free( crt ); 1148 return( MBEDTLS_ERR_X509_UNKNOWN_VERSION ); 1149 } 1150 1151 crt->version++; 1152 1153 if( ( ret = mbedtls_x509_get_sig_alg( &crt->sig_oid, &sig_params1, 1154 &crt->sig_md, &crt->sig_pk, 1155 &crt->sig_opts ) ) != 0 ) 1156 { 1157 mbedtls_x509_crt_free( crt ); 1158 return( ret ); 1159 } 1160 1161 /* 1162 * issuer Name 1163 */ 1164 crt->issuer_raw.p = p; 1165 1166 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, 1167 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) 1168 { 1169 mbedtls_x509_crt_free( crt ); 1170 return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret ); 1171 } 1172 1173 if( ( ret = mbedtls_x509_get_name( &p, p + len, &crt->issuer ) ) != 0 ) 1174 { 1175 mbedtls_x509_crt_free( crt ); 1176 return( ret ); 1177 } 1178 1179 crt->issuer_raw.len = p - crt->issuer_raw.p; 1180 1181 /* 1182 * Validity ::= SEQUENCE { 1183 * notBefore Time, 1184 * notAfter Time } 1185 * 1186 */ 1187 if( ( ret = x509_get_dates( &p, end, &crt->valid_from, 1188 &crt->valid_to ) ) != 0 ) 1189 { 1190 mbedtls_x509_crt_free( crt ); 1191 return( ret ); 1192 } 1193 1194 /* 1195 * subject Name 1196 */ 1197 crt->subject_raw.p = p; 1198 1199 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, 1200 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) 1201 { 1202 mbedtls_x509_crt_free( crt ); 1203 return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret ); 1204 } 1205 1206 if( len && ( ret = mbedtls_x509_get_name( &p, p + len, &crt->subject ) ) != 0 ) 1207 { 1208 mbedtls_x509_crt_free( crt ); 1209 return( ret ); 1210 } 1211 1212 crt->subject_raw.len = p - crt->subject_raw.p; 1213 1214 /* 1215 * SubjectPublicKeyInfo 1216 */ 1217 crt->pk_raw.p = p; 1218 if( ( ret = mbedtls_pk_parse_subpubkey( &p, end, &crt->pk ) ) != 0 ) 1219 { 1220 mbedtls_x509_crt_free( crt ); 1221 return( ret ); 1222 } 1223 crt->pk_raw.len = p - crt->pk_raw.p; 1224 1225 /* 1226 * issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL, 1227 * -- If present, version shall be v2 or v3 1228 * subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL, 1229 * -- If present, version shall be v2 or v3 1230 * extensions [3] EXPLICIT Extensions OPTIONAL 1231 * -- If present, version shall be v3 1232 */ 1233 if( crt->version == 2 || crt->version == 3 ) 1234 { 1235 ret = x509_get_uid( &p, end, &crt->issuer_id, 1 ); 1236 if( ret != 0 ) 1237 { 1238 mbedtls_x509_crt_free( crt ); 1239 return( ret ); 1240 } 1241 } 1242 1243 if( crt->version == 2 || crt->version == 3 ) 1244 { 1245 ret = x509_get_uid( &p, end, &crt->subject_id, 2 ); 1246 if( ret != 0 ) 1247 { 1248 mbedtls_x509_crt_free( crt ); 1249 return( ret ); 1250 } 1251 } 1252 1253 #if !defined(MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3) 1254 if( crt->version == 3 ) 1255 #endif 1256 { 1257 ret = x509_get_crt_ext( &p, end, crt ); 1258 if( ret != 0 ) 1259 { 1260 mbedtls_x509_crt_free( crt ); 1261 return( ret ); 1262 } 1263 } 1264 1265 if( p != end ) 1266 { 1267 mbedtls_x509_crt_free( crt ); 1268 return( MBEDTLS_ERR_X509_INVALID_FORMAT + 1269 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ); 1270 } 1271 1272 end = crt_end; 1273 1274 /* 1275 * } 1276 * -- end of TBSCertificate 1277 * 1278 * signatureAlgorithm AlgorithmIdentifier, 1279 * signatureValue BIT STRING 1280 */ 1281 if( ( ret = mbedtls_x509_get_alg( &p, end, &sig_oid2, &sig_params2 ) ) != 0 ) 1282 { 1283 mbedtls_x509_crt_free( crt ); 1284 return( ret ); 1285 } 1286 1287 if( crt->sig_oid.len != sig_oid2.len || 1288 memcmp( crt->sig_oid.p, sig_oid2.p, crt->sig_oid.len ) != 0 || 1289 sig_params1.len != sig_params2.len || 1290 ( sig_params1.len != 0 && 1291 memcmp( sig_params1.p, sig_params2.p, sig_params1.len ) != 0 ) ) 1292 { 1293 mbedtls_x509_crt_free( crt ); 1294 return( MBEDTLS_ERR_X509_SIG_MISMATCH ); 1295 } 1296 1297 if( ( ret = mbedtls_x509_get_sig( &p, end, &crt->sig ) ) != 0 ) 1298 { 1299 mbedtls_x509_crt_free( crt ); 1300 return( ret ); 1301 } 1302 1303 if( p != end ) 1304 { 1305 mbedtls_x509_crt_free( crt ); 1306 return( MBEDTLS_ERR_X509_INVALID_FORMAT + 1307 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ); 1308 } 1309 1310 return( 0 ); 1311 } 1312 1313 /* 1314 * Parse one X.509 certificate in DER format from a buffer and add them to a 1315 * chained list 1316 */ 1317 static int mbedtls_x509_crt_parse_der_internal( mbedtls_x509_crt *chain, 1318 const unsigned char *buf, 1319 size_t buflen, 1320 int make_copy ) 1321 { 1322 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1323 mbedtls_x509_crt *crt = chain, *prev = NULL; 1324 1325 /* 1326 * Check for valid input 1327 */ 1328 if( crt == NULL || buf == NULL ) 1329 return( MBEDTLS_ERR_X509_BAD_INPUT_DATA ); 1330 1331 while( crt->version != 0 && crt->next != NULL ) 1332 { 1333 prev = crt; 1334 crt = crt->next; 1335 } 1336 1337 /* 1338 * Add new certificate on the end of the chain if needed. 1339 */ 1340 if( crt->version != 0 && crt->next == NULL ) 1341 { 1342 crt->next = mbedtls_calloc( 1, sizeof( mbedtls_x509_crt ) ); 1343 1344 if( crt->next == NULL ) 1345 return( MBEDTLS_ERR_X509_ALLOC_FAILED ); 1346 1347 prev = crt; 1348 mbedtls_x509_crt_init( crt->next ); 1349 crt = crt->next; 1350 } 1351 1352 if( ( ret = x509_crt_parse_der_core( crt, buf, buflen, make_copy ) ) != 0 ) 1353 { 1354 if( prev ) 1355 prev->next = NULL; 1356 1357 if( crt != chain ) 1358 mbedtls_free( crt ); 1359 1360 return( ret ); 1361 } 1362 1363 return( 0 ); 1364 } 1365 1366 int mbedtls_x509_crt_parse_der_nocopy( mbedtls_x509_crt *chain, 1367 const unsigned char *buf, 1368 size_t buflen ) 1369 { 1370 return( mbedtls_x509_crt_parse_der_internal( chain, buf, buflen, 0 ) ); 1371 } 1372 1373 int mbedtls_x509_crt_parse_der( mbedtls_x509_crt *chain, 1374 const unsigned char *buf, 1375 size_t buflen ) 1376 { 1377 return( mbedtls_x509_crt_parse_der_internal( chain, buf, buflen, 1 ) ); 1378 } 1379 1380 /* 1381 * Parse one or more PEM certificates from a buffer and add them to the chained 1382 * list 1383 */ 1384 int mbedtls_x509_crt_parse( mbedtls_x509_crt *chain, 1385 const unsigned char *buf, 1386 size_t buflen ) 1387 { 1388 #if defined(MBEDTLS_PEM_PARSE_C) 1389 int success = 0, first_error = 0, total_failed = 0; 1390 int buf_format = MBEDTLS_X509_FORMAT_DER; 1391 #endif 1392 1393 /* 1394 * Check for valid input 1395 */ 1396 if( chain == NULL || buf == NULL ) 1397 return( MBEDTLS_ERR_X509_BAD_INPUT_DATA ); 1398 1399 /* 1400 * Determine buffer content. Buffer contains either one DER certificate or 1401 * one or more PEM certificates. 1402 */ 1403 #if defined(MBEDTLS_PEM_PARSE_C) 1404 if( buflen != 0 && buf[buflen - 1] == '\0' && 1405 strstr( (const char *) buf, "-----BEGIN CERTIFICATE-----" ) != NULL ) 1406 { 1407 buf_format = MBEDTLS_X509_FORMAT_PEM; 1408 } 1409 1410 if( buf_format == MBEDTLS_X509_FORMAT_DER ) 1411 return mbedtls_x509_crt_parse_der( chain, buf, buflen ); 1412 #else 1413 return mbedtls_x509_crt_parse_der( chain, buf, buflen ); 1414 #endif 1415 1416 #if defined(MBEDTLS_PEM_PARSE_C) 1417 if( buf_format == MBEDTLS_X509_FORMAT_PEM ) 1418 { 1419 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1420 mbedtls_pem_context pem; 1421 1422 /* 1 rather than 0 since the terminating NULL byte is counted in */ 1423 while( buflen > 1 ) 1424 { 1425 size_t use_len; 1426 mbedtls_pem_init( &pem ); 1427 1428 /* If we get there, we know the string is null-terminated */ 1429 ret = mbedtls_pem_read_buffer( &pem, 1430 "-----BEGIN CERTIFICATE-----", 1431 "-----END CERTIFICATE-----", 1432 buf, NULL, 0, &use_len ); 1433 1434 if( ret == 0 ) 1435 { 1436 /* 1437 * Was PEM encoded 1438 */ 1439 buflen -= use_len; 1440 buf += use_len; 1441 } 1442 else if( ret == MBEDTLS_ERR_PEM_BAD_INPUT_DATA ) 1443 { 1444 return( ret ); 1445 } 1446 else if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT ) 1447 { 1448 mbedtls_pem_free( &pem ); 1449 1450 /* 1451 * PEM header and footer were found 1452 */ 1453 buflen -= use_len; 1454 buf += use_len; 1455 1456 if( first_error == 0 ) 1457 first_error = ret; 1458 1459 total_failed++; 1460 continue; 1461 } 1462 else 1463 break; 1464 1465 ret = mbedtls_x509_crt_parse_der( chain, pem.buf, pem.buflen ); 1466 1467 mbedtls_pem_free( &pem ); 1468 1469 if( ret != 0 ) 1470 { 1471 /* 1472 * Quit parsing on a memory error 1473 */ 1474 if( ret == MBEDTLS_ERR_X509_ALLOC_FAILED ) 1475 return( ret ); 1476 1477 if( first_error == 0 ) 1478 first_error = ret; 1479 1480 total_failed++; 1481 continue; 1482 } 1483 1484 success = 1; 1485 } 1486 } 1487 1488 if( success ) 1489 return( total_failed ); 1490 else if( first_error ) 1491 return( first_error ); 1492 else 1493 return( MBEDTLS_ERR_X509_CERT_UNKNOWN_FORMAT ); 1494 #endif /* MBEDTLS_PEM_PARSE_C */ 1495 } 1496 1497 #if defined(MBEDTLS_FS_IO) 1498 /* 1499 * Load one or more certificates and add them to the chained list 1500 */ 1501 int mbedtls_x509_crt_parse_file( mbedtls_x509_crt *chain, const char *path ) 1502 { 1503 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1504 size_t n; 1505 unsigned char *buf; 1506 1507 if( ( ret = mbedtls_pk_load_file( path, &buf, &n ) ) != 0 ) 1508 return( ret ); 1509 1510 ret = mbedtls_x509_crt_parse( chain, buf, n ); 1511 1512 mbedtls_platform_zeroize( buf, n ); 1513 mbedtls_free( buf ); 1514 1515 return( ret ); 1516 } 1517 1518 int mbedtls_x509_crt_parse_path( mbedtls_x509_crt *chain, const char *path ) 1519 { 1520 int ret = 0; 1521 #if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32) 1522 int w_ret; 1523 WCHAR szDir[MAX_PATH]; 1524 char filename[MAX_PATH]; 1525 char *p; 1526 size_t len = strlen( path ); 1527 1528 WIN32_FIND_DATAW file_data; 1529 HANDLE hFind; 1530 1531 if( len > MAX_PATH - 3 ) 1532 return( MBEDTLS_ERR_X509_BAD_INPUT_DATA ); 1533 1534 memset( szDir, 0, sizeof(szDir) ); 1535 memset( filename, 0, MAX_PATH ); 1536 memcpy( filename, path, len ); 1537 filename[len++] = '\\'; 1538 p = filename + len; 1539 filename[len++] = '*'; 1540 1541 w_ret = MultiByteToWideChar( CP_ACP, 0, filename, (int)len, szDir, 1542 MAX_PATH - 3 ); 1543 if( w_ret == 0 ) 1544 return( MBEDTLS_ERR_X509_BAD_INPUT_DATA ); 1545 1546 hFind = FindFirstFileW( szDir, &file_data ); 1547 if( hFind == INVALID_HANDLE_VALUE ) 1548 return( MBEDTLS_ERR_X509_FILE_IO_ERROR ); 1549 1550 len = MAX_PATH - len; 1551 do 1552 { 1553 memset( p, 0, len ); 1554 1555 if( file_data.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY ) 1556 continue; 1557 1558 w_ret = WideCharToMultiByte( CP_ACP, 0, file_data.cFileName, 1559 lstrlenW( file_data.cFileName ), 1560 p, (int) len - 1, 1561 NULL, NULL ); 1562 if( w_ret == 0 ) 1563 { 1564 ret = MBEDTLS_ERR_X509_FILE_IO_ERROR; 1565 goto cleanup; 1566 } 1567 1568 w_ret = mbedtls_x509_crt_parse_file( chain, filename ); 1569 if( w_ret < 0 ) 1570 ret++; 1571 else 1572 ret += w_ret; 1573 } 1574 while( FindNextFileW( hFind, &file_data ) != 0 ); 1575 1576 if( GetLastError() != ERROR_NO_MORE_FILES ) 1577 ret = MBEDTLS_ERR_X509_FILE_IO_ERROR; 1578 1579 cleanup: 1580 FindClose( hFind ); 1581 #else /* _WIN32 */ 1582 int t_ret; 1583 int snp_ret; 1584 struct stat sb; 1585 struct dirent *entry; 1586 char entry_name[MBEDTLS_X509_MAX_FILE_PATH_LEN]; 1587 DIR *dir = opendir( path ); 1588 1589 if( dir == NULL ) 1590 return( MBEDTLS_ERR_X509_FILE_IO_ERROR ); 1591 1592 #if defined(MBEDTLS_THREADING_C) 1593 if( ( ret = mbedtls_mutex_lock( &mbedtls_threading_readdir_mutex ) ) != 0 ) 1594 { 1595 closedir( dir ); 1596 return( ret ); 1597 } 1598 #endif /* MBEDTLS_THREADING_C */ 1599 1600 while( ( entry = readdir( dir ) ) != NULL ) 1601 { 1602 snp_ret = mbedtls_snprintf( entry_name, sizeof entry_name, 1603 "%s/%s", path, entry->d_name ); 1604 1605 if( snp_ret < 0 || (size_t)snp_ret >= sizeof entry_name ) 1606 { 1607 ret = MBEDTLS_ERR_X509_BUFFER_TOO_SMALL; 1608 goto cleanup; 1609 } 1610 else if( stat( entry_name, &sb ) == -1 ) 1611 { 1612 ret = MBEDTLS_ERR_X509_FILE_IO_ERROR; 1613 goto cleanup; 1614 } 1615 1616 if( !S_ISREG( sb.st_mode ) ) 1617 continue; 1618 1619 // Ignore parse errors 1620 // 1621 t_ret = mbedtls_x509_crt_parse_file( chain, entry_name ); 1622 if( t_ret < 0 ) 1623 ret++; 1624 else 1625 ret += t_ret; 1626 } 1627 1628 cleanup: 1629 closedir( dir ); 1630 1631 #if defined(MBEDTLS_THREADING_C) 1632 if( mbedtls_mutex_unlock( &mbedtls_threading_readdir_mutex ) != 0 ) 1633 ret = MBEDTLS_ERR_THREADING_MUTEX_ERROR; 1634 #endif /* MBEDTLS_THREADING_C */ 1635 1636 #endif /* _WIN32 */ 1637 1638 return( ret ); 1639 } 1640 #endif /* MBEDTLS_FS_IO */ 1641 1642 /* 1643 * OtherName ::= SEQUENCE { 1644 * type-id OBJECT IDENTIFIER, 1645 * value [0] EXPLICIT ANY DEFINED BY type-id } 1646 * 1647 * HardwareModuleName ::= SEQUENCE { 1648 * hwType OBJECT IDENTIFIER, 1649 * hwSerialNum OCTET STRING } 1650 * 1651 * NOTE: we currently only parse and use otherName of type HwModuleName, 1652 * as defined in RFC 4108. 1653 */ 1654 static int x509_get_other_name( const mbedtls_x509_buf *subject_alt_name, 1655 mbedtls_x509_san_other_name *other_name ) 1656 { 1657 int ret = 0; 1658 size_t len; 1659 unsigned char *p = subject_alt_name->p; 1660 const unsigned char *end = p + subject_alt_name->len; 1661 mbedtls_x509_buf cur_oid; 1662 1663 if( ( subject_alt_name->tag & 1664 ( MBEDTLS_ASN1_TAG_CLASS_MASK | MBEDTLS_ASN1_TAG_VALUE_MASK ) ) != 1665 ( MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_X509_SAN_OTHER_NAME ) ) 1666 { 1667 /* 1668 * The given subject alternative name is not of type "othername". 1669 */ 1670 return( MBEDTLS_ERR_X509_BAD_INPUT_DATA ); 1671 } 1672 1673 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, 1674 MBEDTLS_ASN1_OID ) ) != 0 ) 1675 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret ); 1676 1677 cur_oid.tag = MBEDTLS_ASN1_OID; 1678 cur_oid.p = p; 1679 cur_oid.len = len; 1680 1681 /* 1682 * Only HwModuleName is currently supported. 1683 */ 1684 if( MBEDTLS_OID_CMP( MBEDTLS_OID_ON_HW_MODULE_NAME, &cur_oid ) != 0 ) 1685 { 1686 return( MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE ); 1687 } 1688 1689 if( p + len >= end ) 1690 { 1691 mbedtls_platform_zeroize( other_name, sizeof( *other_name ) ); 1692 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + 1693 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ); 1694 } 1695 p += len; 1696 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, 1697 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_CONTEXT_SPECIFIC ) ) != 0 ) 1698 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret ); 1699 1700 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, 1701 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) 1702 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret ); 1703 1704 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, MBEDTLS_ASN1_OID ) ) != 0 ) 1705 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret ); 1706 1707 other_name->value.hardware_module_name.oid.tag = MBEDTLS_ASN1_OID; 1708 other_name->value.hardware_module_name.oid.p = p; 1709 other_name->value.hardware_module_name.oid.len = len; 1710 1711 if( p + len >= end ) 1712 { 1713 mbedtls_platform_zeroize( other_name, sizeof( *other_name ) ); 1714 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + 1715 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ); 1716 } 1717 p += len; 1718 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, 1719 MBEDTLS_ASN1_OCTET_STRING ) ) != 0 ) 1720 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret ); 1721 1722 other_name->value.hardware_module_name.val.tag = MBEDTLS_ASN1_OCTET_STRING; 1723 other_name->value.hardware_module_name.val.p = p; 1724 other_name->value.hardware_module_name.val.len = len; 1725 p += len; 1726 if( p != end ) 1727 { 1728 mbedtls_platform_zeroize( other_name, 1729 sizeof( *other_name ) ); 1730 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + 1731 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ); 1732 } 1733 return( 0 ); 1734 } 1735 1736 static int x509_info_subject_alt_name( char **buf, size_t *size, 1737 const mbedtls_x509_sequence 1738 *subject_alt_name, 1739 const char *prefix ) 1740 { 1741 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1742 size_t n = *size; 1743 char *p = *buf; 1744 const mbedtls_x509_sequence *cur = subject_alt_name; 1745 mbedtls_x509_subject_alternative_name san; 1746 int parse_ret; 1747 1748 while( cur != NULL ) 1749 { 1750 memset( &san, 0, sizeof( san ) ); 1751 parse_ret = mbedtls_x509_parse_subject_alt_name( &cur->buf, &san ); 1752 if( parse_ret != 0 ) 1753 { 1754 if( parse_ret == MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE ) 1755 { 1756 ret = mbedtls_snprintf( p, n, "\n%s <unsupported>", prefix ); 1757 MBEDTLS_X509_SAFE_SNPRINTF; 1758 } 1759 else 1760 { 1761 ret = mbedtls_snprintf( p, n, "\n%s <malformed>", prefix ); 1762 MBEDTLS_X509_SAFE_SNPRINTF; 1763 } 1764 cur = cur->next; 1765 continue; 1766 } 1767 1768 switch( san.type ) 1769 { 1770 /* 1771 * otherName 1772 */ 1773 case MBEDTLS_X509_SAN_OTHER_NAME: 1774 { 1775 mbedtls_x509_san_other_name *other_name = &san.san.other_name; 1776 1777 ret = mbedtls_snprintf( p, n, "\n%s otherName :", prefix ); 1778 MBEDTLS_X509_SAFE_SNPRINTF; 1779 1780 if( MBEDTLS_OID_CMP( MBEDTLS_OID_ON_HW_MODULE_NAME, 1781 &other_name->value.hardware_module_name.oid ) != 0 ) 1782 { 1783 ret = mbedtls_snprintf( p, n, "\n%s hardware module name :", prefix ); 1784 MBEDTLS_X509_SAFE_SNPRINTF; 1785 ret = mbedtls_snprintf( p, n, "\n%s hardware type : ", prefix ); 1786 MBEDTLS_X509_SAFE_SNPRINTF; 1787 1788 ret = mbedtls_oid_get_numeric_string( p, n, &other_name->value.hardware_module_name.oid ); 1789 MBEDTLS_X509_SAFE_SNPRINTF; 1790 1791 ret = mbedtls_snprintf( p, n, "\n%s hardware serial number : ", prefix ); 1792 MBEDTLS_X509_SAFE_SNPRINTF; 1793 1794 if( other_name->value.hardware_module_name.val.len >= n ) 1795 { 1796 *p = '\0'; 1797 return( MBEDTLS_ERR_X509_BUFFER_TOO_SMALL ); 1798 } 1799 1800 memcpy( p, other_name->value.hardware_module_name.val.p, 1801 other_name->value.hardware_module_name.val.len ); 1802 p += other_name->value.hardware_module_name.val.len; 1803 1804 n -= other_name->value.hardware_module_name.val.len; 1805 1806 }/* MBEDTLS_OID_ON_HW_MODULE_NAME */ 1807 } 1808 break; 1809 1810 /* 1811 * dNSName 1812 */ 1813 case MBEDTLS_X509_SAN_DNS_NAME: 1814 { 1815 ret = mbedtls_snprintf( p, n, "\n%s dNSName : ", prefix ); 1816 MBEDTLS_X509_SAFE_SNPRINTF; 1817 if( san.san.unstructured_name.len >= n ) 1818 { 1819 *p = '\0'; 1820 return( MBEDTLS_ERR_X509_BUFFER_TOO_SMALL ); 1821 } 1822 1823 memcpy( p, san.san.unstructured_name.p, san.san.unstructured_name.len ); 1824 p += san.san.unstructured_name.len; 1825 n -= san.san.unstructured_name.len; 1826 } 1827 break; 1828 1829 /* 1830 * Type not supported, skip item. 1831 */ 1832 default: 1833 ret = mbedtls_snprintf( p, n, "\n%s <unsupported>", prefix ); 1834 MBEDTLS_X509_SAFE_SNPRINTF; 1835 break; 1836 } 1837 1838 cur = cur->next; 1839 } 1840 1841 *p = '\0'; 1842 1843 *size = n; 1844 *buf = p; 1845 1846 return( 0 ); 1847 } 1848 1849 int mbedtls_x509_parse_subject_alt_name( const mbedtls_x509_buf *san_buf, 1850 mbedtls_x509_subject_alternative_name *san ) 1851 { 1852 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1853 switch( san_buf->tag & 1854 ( MBEDTLS_ASN1_TAG_CLASS_MASK | 1855 MBEDTLS_ASN1_TAG_VALUE_MASK ) ) 1856 { 1857 /* 1858 * otherName 1859 */ 1860 case( MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_X509_SAN_OTHER_NAME ): 1861 { 1862 mbedtls_x509_san_other_name other_name; 1863 1864 ret = x509_get_other_name( san_buf, &other_name ); 1865 if( ret != 0 ) 1866 return( ret ); 1867 1868 memset( san, 0, sizeof( mbedtls_x509_subject_alternative_name ) ); 1869 san->type = MBEDTLS_X509_SAN_OTHER_NAME; 1870 memcpy( &san->san.other_name, 1871 &other_name, sizeof( other_name ) ); 1872 1873 } 1874 break; 1875 1876 /* 1877 * dNSName 1878 */ 1879 case( MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_X509_SAN_DNS_NAME ): 1880 { 1881 memset( san, 0, sizeof( mbedtls_x509_subject_alternative_name ) ); 1882 san->type = MBEDTLS_X509_SAN_DNS_NAME; 1883 1884 memcpy( &san->san.unstructured_name, 1885 san_buf, sizeof( *san_buf ) ); 1886 1887 } 1888 break; 1889 1890 /* 1891 * Type not supported 1892 */ 1893 default: 1894 return( MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE ); 1895 } 1896 return( 0 ); 1897 } 1898 1899 #define PRINT_ITEM(i) \ 1900 { \ 1901 ret = mbedtls_snprintf( p, n, "%s" i, sep ); \ 1902 MBEDTLS_X509_SAFE_SNPRINTF; \ 1903 sep = ", "; \ 1904 } 1905 1906 #define CERT_TYPE(type,name) \ 1907 if( ns_cert_type & (type) ) \ 1908 PRINT_ITEM( name ); 1909 1910 static int x509_info_cert_type( char **buf, size_t *size, 1911 unsigned char ns_cert_type ) 1912 { 1913 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1914 size_t n = *size; 1915 char *p = *buf; 1916 const char *sep = ""; 1917 1918 CERT_TYPE( MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT, "SSL Client" ); 1919 CERT_TYPE( MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER, "SSL Server" ); 1920 CERT_TYPE( MBEDTLS_X509_NS_CERT_TYPE_EMAIL, "Email" ); 1921 CERT_TYPE( MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING, "Object Signing" ); 1922 CERT_TYPE( MBEDTLS_X509_NS_CERT_TYPE_RESERVED, "Reserved" ); 1923 CERT_TYPE( MBEDTLS_X509_NS_CERT_TYPE_SSL_CA, "SSL CA" ); 1924 CERT_TYPE( MBEDTLS_X509_NS_CERT_TYPE_EMAIL_CA, "Email CA" ); 1925 CERT_TYPE( MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING_CA, "Object Signing CA" ); 1926 1927 *size = n; 1928 *buf = p; 1929 1930 return( 0 ); 1931 } 1932 1933 #define KEY_USAGE(code,name) \ 1934 if( key_usage & (code) ) \ 1935 PRINT_ITEM( name ); 1936 1937 static int x509_info_key_usage( char **buf, size_t *size, 1938 unsigned int key_usage ) 1939 { 1940 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1941 size_t n = *size; 1942 char *p = *buf; 1943 const char *sep = ""; 1944 1945 KEY_USAGE( MBEDTLS_X509_KU_DIGITAL_SIGNATURE, "Digital Signature" ); 1946 KEY_USAGE( MBEDTLS_X509_KU_NON_REPUDIATION, "Non Repudiation" ); 1947 KEY_USAGE( MBEDTLS_X509_KU_KEY_ENCIPHERMENT, "Key Encipherment" ); 1948 KEY_USAGE( MBEDTLS_X509_KU_DATA_ENCIPHERMENT, "Data Encipherment" ); 1949 KEY_USAGE( MBEDTLS_X509_KU_KEY_AGREEMENT, "Key Agreement" ); 1950 KEY_USAGE( MBEDTLS_X509_KU_KEY_CERT_SIGN, "Key Cert Sign" ); 1951 KEY_USAGE( MBEDTLS_X509_KU_CRL_SIGN, "CRL Sign" ); 1952 KEY_USAGE( MBEDTLS_X509_KU_ENCIPHER_ONLY, "Encipher Only" ); 1953 KEY_USAGE( MBEDTLS_X509_KU_DECIPHER_ONLY, "Decipher Only" ); 1954 1955 *size = n; 1956 *buf = p; 1957 1958 return( 0 ); 1959 } 1960 1961 static int x509_info_ext_key_usage( char **buf, size_t *size, 1962 const mbedtls_x509_sequence *extended_key_usage ) 1963 { 1964 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1965 const char *desc; 1966 size_t n = *size; 1967 char *p = *buf; 1968 const mbedtls_x509_sequence *cur = extended_key_usage; 1969 const char *sep = ""; 1970 1971 while( cur != NULL ) 1972 { 1973 if( mbedtls_oid_get_extended_key_usage( &cur->buf, &desc ) != 0 ) 1974 desc = "???"; 1975 1976 ret = mbedtls_snprintf( p, n, "%s%s", sep, desc ); 1977 MBEDTLS_X509_SAFE_SNPRINTF; 1978 1979 sep = ", "; 1980 1981 cur = cur->next; 1982 } 1983 1984 *size = n; 1985 *buf = p; 1986 1987 return( 0 ); 1988 } 1989 1990 static int x509_info_cert_policies( char **buf, size_t *size, 1991 const mbedtls_x509_sequence *certificate_policies ) 1992 { 1993 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1994 const char *desc; 1995 size_t n = *size; 1996 char *p = *buf; 1997 const mbedtls_x509_sequence *cur = certificate_policies; 1998 const char *sep = ""; 1999 2000 while( cur != NULL ) 2001 { 2002 if( mbedtls_oid_get_certificate_policies( &cur->buf, &desc ) != 0 ) 2003 desc = "???"; 2004 2005 ret = mbedtls_snprintf( p, n, "%s%s", sep, desc ); 2006 MBEDTLS_X509_SAFE_SNPRINTF; 2007 2008 sep = ", "; 2009 2010 cur = cur->next; 2011 } 2012 2013 *size = n; 2014 *buf = p; 2015 2016 return( 0 ); 2017 } 2018 2019 /* 2020 * Return an informational string about the certificate. 2021 */ 2022 #define BEFORE_COLON 18 2023 #define BC "18" 2024 int mbedtls_x509_crt_info( char *buf, size_t size, const char *prefix, 2025 const mbedtls_x509_crt *crt ) 2026 { 2027 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 2028 size_t n; 2029 char *p; 2030 char key_size_str[BEFORE_COLON]; 2031 2032 p = buf; 2033 n = size; 2034 2035 if( NULL == crt ) 2036 { 2037 ret = mbedtls_snprintf( p, n, "\nCertificate is uninitialised!\n" ); 2038 MBEDTLS_X509_SAFE_SNPRINTF; 2039 2040 return( (int) ( size - n ) ); 2041 } 2042 2043 ret = mbedtls_snprintf( p, n, "%scert. version : %d\n", 2044 prefix, crt->version ); 2045 MBEDTLS_X509_SAFE_SNPRINTF; 2046 ret = mbedtls_snprintf( p, n, "%sserial number : ", 2047 prefix ); 2048 MBEDTLS_X509_SAFE_SNPRINTF; 2049 2050 ret = mbedtls_x509_serial_gets( p, n, &crt->serial ); 2051 MBEDTLS_X509_SAFE_SNPRINTF; 2052 2053 ret = mbedtls_snprintf( p, n, "\n%sissuer name : ", prefix ); 2054 MBEDTLS_X509_SAFE_SNPRINTF; 2055 ret = mbedtls_x509_dn_gets( p, n, &crt->issuer ); 2056 MBEDTLS_X509_SAFE_SNPRINTF; 2057 2058 ret = mbedtls_snprintf( p, n, "\n%ssubject name : ", prefix ); 2059 MBEDTLS_X509_SAFE_SNPRINTF; 2060 ret = mbedtls_x509_dn_gets( p, n, &crt->subject ); 2061 MBEDTLS_X509_SAFE_SNPRINTF; 2062 2063 ret = mbedtls_snprintf( p, n, "\n%sissued on : " \ 2064 "%04d-%02d-%02d %02d:%02d:%02d", prefix, 2065 crt->valid_from.year, crt->valid_from.mon, 2066 crt->valid_from.day, crt->valid_from.hour, 2067 crt->valid_from.min, crt->valid_from.sec ); 2068 MBEDTLS_X509_SAFE_SNPRINTF; 2069 2070 ret = mbedtls_snprintf( p, n, "\n%sexpires on : " \ 2071 "%04d-%02d-%02d %02d:%02d:%02d", prefix, 2072 crt->valid_to.year, crt->valid_to.mon, 2073 crt->valid_to.day, crt->valid_to.hour, 2074 crt->valid_to.min, crt->valid_to.sec ); 2075 MBEDTLS_X509_SAFE_SNPRINTF; 2076 2077 ret = mbedtls_snprintf( p, n, "\n%ssigned using : ", prefix ); 2078 MBEDTLS_X509_SAFE_SNPRINTF; 2079 2080 ret = mbedtls_x509_sig_alg_gets( p, n, &crt->sig_oid, crt->sig_pk, 2081 crt->sig_md, crt->sig_opts ); 2082 MBEDTLS_X509_SAFE_SNPRINTF; 2083 2084 /* Key size */ 2085 if( ( ret = mbedtls_x509_key_size_helper( key_size_str, BEFORE_COLON, 2086 mbedtls_pk_get_name( &crt->pk ) ) ) != 0 ) 2087 { 2088 return( ret ); 2089 } 2090 2091 ret = mbedtls_snprintf( p, n, "\n%s%-" BC "s: %d bits", prefix, key_size_str, 2092 (int) mbedtls_pk_get_bitlen( &crt->pk ) ); 2093 MBEDTLS_X509_SAFE_SNPRINTF; 2094 2095 /* 2096 * Optional extensions 2097 */ 2098 2099 if( crt->ext_types & MBEDTLS_X509_EXT_BASIC_CONSTRAINTS ) 2100 { 2101 ret = mbedtls_snprintf( p, n, "\n%sbasic constraints : CA=%s", prefix, 2102 crt->ca_istrue ? "true" : "false" ); 2103 MBEDTLS_X509_SAFE_SNPRINTF; 2104 2105 if( crt->max_pathlen > 0 ) 2106 { 2107 ret = mbedtls_snprintf( p, n, ", max_pathlen=%d", crt->max_pathlen - 1 ); 2108 MBEDTLS_X509_SAFE_SNPRINTF; 2109 } 2110 } 2111 2112 if( crt->ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME ) 2113 { 2114 ret = mbedtls_snprintf( p, n, "\n%ssubject alt name :", prefix ); 2115 MBEDTLS_X509_SAFE_SNPRINTF; 2116 2117 if( ( ret = x509_info_subject_alt_name( &p, &n, 2118 &crt->subject_alt_names, 2119 prefix ) ) != 0 ) 2120 return( ret ); 2121 } 2122 2123 if( crt->ext_types & MBEDTLS_X509_EXT_NS_CERT_TYPE ) 2124 { 2125 ret = mbedtls_snprintf( p, n, "\n%scert. type : ", prefix ); 2126 MBEDTLS_X509_SAFE_SNPRINTF; 2127 2128 if( ( ret = x509_info_cert_type( &p, &n, crt->ns_cert_type ) ) != 0 ) 2129 return( ret ); 2130 } 2131 2132 if( crt->ext_types & MBEDTLS_X509_EXT_KEY_USAGE ) 2133 { 2134 ret = mbedtls_snprintf( p, n, "\n%skey usage : ", prefix ); 2135 MBEDTLS_X509_SAFE_SNPRINTF; 2136 2137 if( ( ret = x509_info_key_usage( &p, &n, crt->key_usage ) ) != 0 ) 2138 return( ret ); 2139 } 2140 2141 if( crt->ext_types & MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE ) 2142 { 2143 ret = mbedtls_snprintf( p, n, "\n%sext key usage : ", prefix ); 2144 MBEDTLS_X509_SAFE_SNPRINTF; 2145 2146 if( ( ret = x509_info_ext_key_usage( &p, &n, 2147 &crt->ext_key_usage ) ) != 0 ) 2148 return( ret ); 2149 } 2150 2151 if( crt->ext_types & MBEDTLS_OID_X509_EXT_CERTIFICATE_POLICIES ) 2152 { 2153 ret = mbedtls_snprintf( p, n, "\n%scertificate policies : ", prefix ); 2154 MBEDTLS_X509_SAFE_SNPRINTF; 2155 2156 if( ( ret = x509_info_cert_policies( &p, &n, 2157 &crt->certificate_policies ) ) != 0 ) 2158 return( ret ); 2159 } 2160 2161 ret = mbedtls_snprintf( p, n, "\n" ); 2162 MBEDTLS_X509_SAFE_SNPRINTF; 2163 2164 return( (int) ( size - n ) ); 2165 } 2166 2167 struct x509_crt_verify_string { 2168 int code; 2169 const char *string; 2170 }; 2171 2172 static const struct x509_crt_verify_string x509_crt_verify_strings[] = { 2173 { MBEDTLS_X509_BADCERT_EXPIRED, "The certificate validity has expired" }, 2174 { MBEDTLS_X509_BADCERT_REVOKED, "The certificate has been revoked (is on a CRL)" }, 2175 { MBEDTLS_X509_BADCERT_CN_MISMATCH, "The certificate Common Name (CN) does not match with the expected CN" }, 2176 { MBEDTLS_X509_BADCERT_NOT_TRUSTED, "The certificate is not correctly signed by the trusted CA" }, 2177 { MBEDTLS_X509_BADCRL_NOT_TRUSTED, "The CRL is not correctly signed by the trusted CA" }, 2178 { MBEDTLS_X509_BADCRL_EXPIRED, "The CRL is expired" }, 2179 { MBEDTLS_X509_BADCERT_MISSING, "Certificate was missing" }, 2180 { MBEDTLS_X509_BADCERT_SKIP_VERIFY, "Certificate verification was skipped" }, 2181 { MBEDTLS_X509_BADCERT_OTHER, "Other reason (can be used by verify callback)" }, 2182 { MBEDTLS_X509_BADCERT_FUTURE, "The certificate validity starts in the future" }, 2183 { MBEDTLS_X509_BADCRL_FUTURE, "The CRL is from the future" }, 2184 { MBEDTLS_X509_BADCERT_KEY_USAGE, "Usage does not match the keyUsage extension" }, 2185 { MBEDTLS_X509_BADCERT_EXT_KEY_USAGE, "Usage does not match the extendedKeyUsage extension" }, 2186 { MBEDTLS_X509_BADCERT_NS_CERT_TYPE, "Usage does not match the nsCertType extension" }, 2187 { MBEDTLS_X509_BADCERT_BAD_MD, "The certificate is signed with an unacceptable hash." }, 2188 { MBEDTLS_X509_BADCERT_BAD_PK, "The certificate is signed with an unacceptable PK alg (eg RSA vs ECDSA)." }, 2189 { MBEDTLS_X509_BADCERT_BAD_KEY, "The certificate is signed with an unacceptable key (eg bad curve, RSA too short)." }, 2190 { MBEDTLS_X509_BADCRL_BAD_MD, "The CRL is signed with an unacceptable hash." }, 2191 { MBEDTLS_X509_BADCRL_BAD_PK, "The CRL is signed with an unacceptable PK alg (eg RSA vs ECDSA)." }, 2192 { MBEDTLS_X509_BADCRL_BAD_KEY, "The CRL is signed with an unacceptable key (eg bad curve, RSA too short)." }, 2193 { 0, NULL } 2194 }; 2195 2196 int mbedtls_x509_crt_verify_info( char *buf, size_t size, const char *prefix, 2197 uint32_t flags ) 2198 { 2199 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 2200 const struct x509_crt_verify_string *cur; 2201 char *p = buf; 2202 size_t n = size; 2203 2204 for( cur = x509_crt_verify_strings; cur->string != NULL ; cur++ ) 2205 { 2206 if( ( flags & cur->code ) == 0 ) 2207 continue; 2208 2209 ret = mbedtls_snprintf( p, n, "%s%s\n", prefix, cur->string ); 2210 MBEDTLS_X509_SAFE_SNPRINTF; 2211 flags ^= cur->code; 2212 } 2213 2214 if( flags != 0 ) 2215 { 2216 ret = mbedtls_snprintf( p, n, "%sUnknown reason " 2217 "(this should not happen)\n", prefix ); 2218 MBEDTLS_X509_SAFE_SNPRINTF; 2219 } 2220 2221 return( (int) ( size - n ) ); 2222 } 2223 2224 #if defined(MBEDTLS_X509_CHECK_KEY_USAGE) 2225 int mbedtls_x509_crt_check_key_usage( const mbedtls_x509_crt *crt, 2226 unsigned int usage ) 2227 { 2228 unsigned int usage_must, usage_may; 2229 unsigned int may_mask = MBEDTLS_X509_KU_ENCIPHER_ONLY 2230 | MBEDTLS_X509_KU_DECIPHER_ONLY; 2231 2232 if( ( crt->ext_types & MBEDTLS_X509_EXT_KEY_USAGE ) == 0 ) 2233 return( 0 ); 2234 2235 usage_must = usage & ~may_mask; 2236 2237 if( ( ( crt->key_usage & ~may_mask ) & usage_must ) != usage_must ) 2238 return( MBEDTLS_ERR_X509_BAD_INPUT_DATA ); 2239 2240 usage_may = usage & may_mask; 2241 2242 if( ( ( crt->key_usage & may_mask ) | usage_may ) != usage_may ) 2243 return( MBEDTLS_ERR_X509_BAD_INPUT_DATA ); 2244 2245 return( 0 ); 2246 } 2247 #endif 2248 2249 #if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE) 2250 int mbedtls_x509_crt_check_extended_key_usage( const mbedtls_x509_crt *crt, 2251 const char *usage_oid, 2252 size_t usage_len ) 2253 { 2254 const mbedtls_x509_sequence *cur; 2255 2256 /* Extension is not mandatory, absent means no restriction */ 2257 if( ( crt->ext_types & MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE ) == 0 ) 2258 return( 0 ); 2259 2260 /* 2261 * Look for the requested usage (or wildcard ANY) in our list 2262 */ 2263 for( cur = &crt->ext_key_usage; cur != NULL; cur = cur->next ) 2264 { 2265 const mbedtls_x509_buf *cur_oid = &cur->buf; 2266 2267 if( cur_oid->len == usage_len && 2268 memcmp( cur_oid->p, usage_oid, usage_len ) == 0 ) 2269 { 2270 return( 0 ); 2271 } 2272 2273 if( MBEDTLS_OID_CMP( MBEDTLS_OID_ANY_EXTENDED_KEY_USAGE, cur_oid ) == 0 ) 2274 return( 0 ); 2275 } 2276 2277 return( MBEDTLS_ERR_X509_BAD_INPUT_DATA ); 2278 } 2279 #endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE */ 2280 2281 #if defined(MBEDTLS_X509_CRL_PARSE_C) 2282 /* 2283 * Return 1 if the certificate is revoked, or 0 otherwise. 2284 */ 2285 int mbedtls_x509_crt_is_revoked( const mbedtls_x509_crt *crt, const mbedtls_x509_crl *crl ) 2286 { 2287 const mbedtls_x509_crl_entry *cur = &crl->entry; 2288 2289 while( cur != NULL && cur->serial.len != 0 ) 2290 { 2291 if( crt->serial.len == cur->serial.len && 2292 memcmp( crt->serial.p, cur->serial.p, crt->serial.len ) == 0 ) 2293 { 2294 if( mbedtls_x509_time_is_past( &cur->revocation_date ) ) 2295 return( 1 ); 2296 } 2297 2298 cur = cur->next; 2299 } 2300 2301 return( 0 ); 2302 } 2303 2304 /* 2305 * Check that the given certificate is not revoked according to the CRL. 2306 * Skip validation if no CRL for the given CA is present. 2307 */ 2308 static int x509_crt_verifycrl( mbedtls_x509_crt *crt, mbedtls_x509_crt *ca, 2309 mbedtls_x509_crl *crl_list, 2310 const mbedtls_x509_crt_profile *profile ) 2311 { 2312 int flags = 0; 2313 unsigned char hash[MBEDTLS_MD_MAX_SIZE]; 2314 const mbedtls_md_info_t *md_info; 2315 2316 if( ca == NULL ) 2317 return( flags ); 2318 2319 while( crl_list != NULL ) 2320 { 2321 if( crl_list->version == 0 || 2322 x509_name_cmp( &crl_list->issuer, &ca->subject ) != 0 ) 2323 { 2324 crl_list = crl_list->next; 2325 continue; 2326 } 2327 2328 /* 2329 * Check if the CA is configured to sign CRLs 2330 */ 2331 #if defined(MBEDTLS_X509_CHECK_KEY_USAGE) 2332 if( mbedtls_x509_crt_check_key_usage( ca, 2333 MBEDTLS_X509_KU_CRL_SIGN ) != 0 ) 2334 { 2335 flags |= MBEDTLS_X509_BADCRL_NOT_TRUSTED; 2336 break; 2337 } 2338 #endif 2339 2340 /* 2341 * Check if CRL is correctly signed by the trusted CA 2342 */ 2343 if( x509_profile_check_md_alg( profile, crl_list->sig_md ) != 0 ) 2344 flags |= MBEDTLS_X509_BADCRL_BAD_MD; 2345 2346 if( x509_profile_check_pk_alg( profile, crl_list->sig_pk ) != 0 ) 2347 flags |= MBEDTLS_X509_BADCRL_BAD_PK; 2348 2349 md_info = mbedtls_md_info_from_type( crl_list->sig_md ); 2350 if( mbedtls_md( md_info, crl_list->tbs.p, crl_list->tbs.len, hash ) != 0 ) 2351 { 2352 /* Note: this can't happen except after an internal error */ 2353 flags |= MBEDTLS_X509_BADCRL_NOT_TRUSTED; 2354 break; 2355 } 2356 2357 if( x509_profile_check_key( profile, &ca->pk ) != 0 ) 2358 flags |= MBEDTLS_X509_BADCERT_BAD_KEY; 2359 2360 if( mbedtls_pk_verify_ext( crl_list->sig_pk, crl_list->sig_opts, &ca->pk, 2361 crl_list->sig_md, hash, mbedtls_md_get_size( md_info ), 2362 crl_list->sig.p, crl_list->sig.len ) != 0 ) 2363 { 2364 flags |= MBEDTLS_X509_BADCRL_NOT_TRUSTED; 2365 break; 2366 } 2367 2368 /* 2369 * Check for validity of CRL (Do not drop out) 2370 */ 2371 if( mbedtls_x509_time_is_past( &crl_list->next_update ) ) 2372 flags |= MBEDTLS_X509_BADCRL_EXPIRED; 2373 2374 if( mbedtls_x509_time_is_future( &crl_list->this_update ) ) 2375 flags |= MBEDTLS_X509_BADCRL_FUTURE; 2376 2377 /* 2378 * Check if certificate is revoked 2379 */ 2380 if( mbedtls_x509_crt_is_revoked( crt, crl_list ) ) 2381 { 2382 flags |= MBEDTLS_X509_BADCERT_REVOKED; 2383 break; 2384 } 2385 2386 crl_list = crl_list->next; 2387 } 2388 2389 return( flags ); 2390 } 2391 #endif /* MBEDTLS_X509_CRL_PARSE_C */ 2392 2393 /* 2394 * Check the signature of a certificate by its parent 2395 */ 2396 static int x509_crt_check_signature( const mbedtls_x509_crt *child, 2397 mbedtls_x509_crt *parent, 2398 mbedtls_x509_crt_restart_ctx *rs_ctx ) 2399 { 2400 unsigned char hash[MBEDTLS_MD_MAX_SIZE]; 2401 size_t hash_len; 2402 #if !defined(MBEDTLS_USE_PSA_CRYPTO) 2403 const mbedtls_md_info_t *md_info; 2404 md_info = mbedtls_md_info_from_type( child->sig_md ); 2405 hash_len = mbedtls_md_get_size( md_info ); 2406 2407 /* Note: hash errors can happen only after an internal error */ 2408 if( mbedtls_md( md_info, child->tbs.p, child->tbs.len, hash ) != 0 ) 2409 return( -1 ); 2410 #else 2411 psa_hash_operation_t hash_operation = PSA_HASH_OPERATION_INIT; 2412 psa_algorithm_t hash_alg = mbedtls_psa_translate_md( child->sig_md ); 2413 2414 if( psa_hash_setup( &hash_operation, hash_alg ) != PSA_SUCCESS ) 2415 return( -1 ); 2416 2417 if( psa_hash_update( &hash_operation, child->tbs.p, child->tbs.len ) 2418 != PSA_SUCCESS ) 2419 { 2420 return( -1 ); 2421 } 2422 2423 if( psa_hash_finish( &hash_operation, hash, sizeof( hash ), &hash_len ) 2424 != PSA_SUCCESS ) 2425 { 2426 return( -1 ); 2427 } 2428 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 2429 /* Skip expensive computation on obvious mismatch */ 2430 if( ! mbedtls_pk_can_do( &parent->pk, child->sig_pk ) ) 2431 return( -1 ); 2432 2433 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) 2434 if( rs_ctx != NULL && child->sig_pk == MBEDTLS_PK_ECDSA ) 2435 { 2436 return( mbedtls_pk_verify_restartable( &parent->pk, 2437 child->sig_md, hash, hash_len, 2438 child->sig.p, child->sig.len, &rs_ctx->pk ) ); 2439 } 2440 #else 2441 (void) rs_ctx; 2442 #endif 2443 2444 return( mbedtls_pk_verify_ext( child->sig_pk, child->sig_opts, &parent->pk, 2445 child->sig_md, hash, hash_len, 2446 child->sig.p, child->sig.len ) ); 2447 } 2448 2449 /* 2450 * Check if 'parent' is a suitable parent (signing CA) for 'child'. 2451 * Return 0 if yes, -1 if not. 2452 * 2453 * top means parent is a locally-trusted certificate 2454 */ 2455 static int x509_crt_check_parent( const mbedtls_x509_crt *child, 2456 const mbedtls_x509_crt *parent, 2457 int top ) 2458 { 2459 int need_ca_bit; 2460 2461 /* Parent must be the issuer */ 2462 if( x509_name_cmp( &child->issuer, &parent->subject ) != 0 ) 2463 return( -1 ); 2464 2465 /* Parent must have the basicConstraints CA bit set as a general rule */ 2466 need_ca_bit = 1; 2467 2468 /* Exception: v1/v2 certificates that are locally trusted. */ 2469 if( top && parent->version < 3 ) 2470 need_ca_bit = 0; 2471 2472 if( need_ca_bit && ! parent->ca_istrue ) 2473 return( -1 ); 2474 2475 #if defined(MBEDTLS_X509_CHECK_KEY_USAGE) 2476 if( need_ca_bit && 2477 mbedtls_x509_crt_check_key_usage( parent, MBEDTLS_X509_KU_KEY_CERT_SIGN ) != 0 ) 2478 { 2479 return( -1 ); 2480 } 2481 #endif 2482 2483 return( 0 ); 2484 } 2485 2486 /* 2487 * Find a suitable parent for child in candidates, or return NULL. 2488 * 2489 * Here suitable is defined as: 2490 * 1. subject name matches child's issuer 2491 * 2. if necessary, the CA bit is set and key usage allows signing certs 2492 * 3. for trusted roots, the signature is correct 2493 * (for intermediates, the signature is checked and the result reported) 2494 * 4. pathlen constraints are satisfied 2495 * 2496 * If there's a suitable candidate which is also time-valid, return the first 2497 * such. Otherwise, return the first suitable candidate (or NULL if there is 2498 * none). 2499 * 2500 * The rationale for this rule is that someone could have a list of trusted 2501 * roots with two versions on the same root with different validity periods. 2502 * (At least one user reported having such a list and wanted it to just work.) 2503 * The reason we don't just require time-validity is that generally there is 2504 * only one version, and if it's expired we want the flags to state that 2505 * rather than NOT_TRUSTED, as would be the case if we required it here. 2506 * 2507 * The rationale for rule 3 (signature for trusted roots) is that users might 2508 * have two versions of the same CA with different keys in their list, and the 2509 * way we select the correct one is by checking the signature (as we don't 2510 * rely on key identifier extensions). (This is one way users might choose to 2511 * handle key rollover, another relies on self-issued certs, see [SIRO].) 2512 * 2513 * Arguments: 2514 * - [in] child: certificate for which we're looking for a parent 2515 * - [in] candidates: chained list of potential parents 2516 * - [out] r_parent: parent found (or NULL) 2517 * - [out] r_signature_is_good: 1 if child signature by parent is valid, or 0 2518 * - [in] top: 1 if candidates consists of trusted roots, ie we're at the top 2519 * of the chain, 0 otherwise 2520 * - [in] path_cnt: number of intermediates seen so far 2521 * - [in] self_cnt: number of self-signed intermediates seen so far 2522 * (will never be greater than path_cnt) 2523 * - [in-out] rs_ctx: context for restarting operations 2524 * 2525 * Return value: 2526 * - 0 on success 2527 * - MBEDTLS_ERR_ECP_IN_PROGRESS otherwise 2528 */ 2529 static int x509_crt_find_parent_in( 2530 mbedtls_x509_crt *child, 2531 mbedtls_x509_crt *candidates, 2532 mbedtls_x509_crt **r_parent, 2533 int *r_signature_is_good, 2534 int top, 2535 unsigned path_cnt, 2536 unsigned self_cnt, 2537 mbedtls_x509_crt_restart_ctx *rs_ctx ) 2538 { 2539 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 2540 mbedtls_x509_crt *parent, *fallback_parent; 2541 int signature_is_good = 0, fallback_signature_is_good; 2542 2543 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) 2544 /* did we have something in progress? */ 2545 if( rs_ctx != NULL && rs_ctx->parent != NULL ) 2546 { 2547 /* restore saved state */ 2548 parent = rs_ctx->parent; 2549 fallback_parent = rs_ctx->fallback_parent; 2550 fallback_signature_is_good = rs_ctx->fallback_signature_is_good; 2551 2552 /* clear saved state */ 2553 rs_ctx->parent = NULL; 2554 rs_ctx->fallback_parent = NULL; 2555 rs_ctx->fallback_signature_is_good = 0; 2556 2557 /* resume where we left */ 2558 goto check_signature; 2559 } 2560 #endif 2561 2562 fallback_parent = NULL; 2563 fallback_signature_is_good = 0; 2564 2565 for( parent = candidates; parent != NULL; parent = parent->next ) 2566 { 2567 /* basic parenting skills (name, CA bit, key usage) */ 2568 if( x509_crt_check_parent( child, parent, top ) != 0 ) 2569 continue; 2570 2571 /* +1 because stored max_pathlen is 1 higher that the actual value */ 2572 if( parent->max_pathlen > 0 && 2573 (size_t) parent->max_pathlen < 1 + path_cnt - self_cnt ) 2574 { 2575 continue; 2576 } 2577 2578 /* Signature */ 2579 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) 2580 check_signature: 2581 #endif 2582 ret = x509_crt_check_signature( child, parent, rs_ctx ); 2583 2584 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) 2585 if( rs_ctx != NULL && ret == MBEDTLS_ERR_ECP_IN_PROGRESS ) 2586 { 2587 /* save state */ 2588 rs_ctx->parent = parent; 2589 rs_ctx->fallback_parent = fallback_parent; 2590 rs_ctx->fallback_signature_is_good = fallback_signature_is_good; 2591 2592 return( ret ); 2593 } 2594 #else 2595 (void) ret; 2596 #endif 2597 2598 signature_is_good = ret == 0; 2599 if( top && ! signature_is_good ) 2600 continue; 2601 2602 /* optional time check */ 2603 if( mbedtls_x509_time_is_past( &parent->valid_to ) || 2604 mbedtls_x509_time_is_future( &parent->valid_from ) ) 2605 { 2606 if( fallback_parent == NULL ) 2607 { 2608 fallback_parent = parent; 2609 fallback_signature_is_good = signature_is_good; 2610 } 2611 2612 continue; 2613 } 2614 2615 *r_parent = parent; 2616 *r_signature_is_good = signature_is_good; 2617 2618 break; 2619 } 2620 2621 if( parent == NULL ) 2622 { 2623 *r_parent = fallback_parent; 2624 *r_signature_is_good = fallback_signature_is_good; 2625 } 2626 2627 return( 0 ); 2628 } 2629 2630 /* 2631 * Find a parent in trusted CAs or the provided chain, or return NULL. 2632 * 2633 * Searches in trusted CAs first, and return the first suitable parent found 2634 * (see find_parent_in() for definition of suitable). 2635 * 2636 * Arguments: 2637 * - [in] child: certificate for which we're looking for a parent, followed 2638 * by a chain of possible intermediates 2639 * - [in] trust_ca: list of locally trusted certificates 2640 * - [out] parent: parent found (or NULL) 2641 * - [out] parent_is_trusted: 1 if returned `parent` is trusted, or 0 2642 * - [out] signature_is_good: 1 if child signature by parent is valid, or 0 2643 * - [in] path_cnt: number of links in the chain so far (EE -> ... -> child) 2644 * - [in] self_cnt: number of self-signed certs in the chain so far 2645 * (will always be no greater than path_cnt) 2646 * - [in-out] rs_ctx: context for restarting operations 2647 * 2648 * Return value: 2649 * - 0 on success 2650 * - MBEDTLS_ERR_ECP_IN_PROGRESS otherwise 2651 */ 2652 static int x509_crt_find_parent( 2653 mbedtls_x509_crt *child, 2654 mbedtls_x509_crt *trust_ca, 2655 mbedtls_x509_crt **parent, 2656 int *parent_is_trusted, 2657 int *signature_is_good, 2658 unsigned path_cnt, 2659 unsigned self_cnt, 2660 mbedtls_x509_crt_restart_ctx *rs_ctx ) 2661 { 2662 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 2663 mbedtls_x509_crt *search_list; 2664 2665 *parent_is_trusted = 1; 2666 2667 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) 2668 /* restore then clear saved state if we have some stored */ 2669 if( rs_ctx != NULL && rs_ctx->parent_is_trusted != -1 ) 2670 { 2671 *parent_is_trusted = rs_ctx->parent_is_trusted; 2672 rs_ctx->parent_is_trusted = -1; 2673 } 2674 #endif 2675 2676 while( 1 ) { 2677 search_list = *parent_is_trusted ? trust_ca : child->next; 2678 2679 ret = x509_crt_find_parent_in( child, search_list, 2680 parent, signature_is_good, 2681 *parent_is_trusted, 2682 path_cnt, self_cnt, rs_ctx ); 2683 2684 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) 2685 if( rs_ctx != NULL && ret == MBEDTLS_ERR_ECP_IN_PROGRESS ) 2686 { 2687 /* save state */ 2688 rs_ctx->parent_is_trusted = *parent_is_trusted; 2689 return( ret ); 2690 } 2691 #else 2692 (void) ret; 2693 #endif 2694 2695 /* stop here if found or already in second iteration */ 2696 if( *parent != NULL || *parent_is_trusted == 0 ) 2697 break; 2698 2699 /* prepare second iteration */ 2700 *parent_is_trusted = 0; 2701 } 2702 2703 /* extra precaution against mistakes in the caller */ 2704 if( *parent == NULL ) 2705 { 2706 *parent_is_trusted = 0; 2707 *signature_is_good = 0; 2708 } 2709 2710 return( 0 ); 2711 } 2712 2713 /* 2714 * Check if an end-entity certificate is locally trusted 2715 * 2716 * Currently we require such certificates to be self-signed (actually only 2717 * check for self-issued as self-signatures are not checked) 2718 */ 2719 static int x509_crt_check_ee_locally_trusted( 2720 mbedtls_x509_crt *crt, 2721 mbedtls_x509_crt *trust_ca ) 2722 { 2723 mbedtls_x509_crt *cur; 2724 2725 /* must be self-issued */ 2726 if( x509_name_cmp( &crt->issuer, &crt->subject ) != 0 ) 2727 return( -1 ); 2728 2729 /* look for an exact match with trusted cert */ 2730 for( cur = trust_ca; cur != NULL; cur = cur->next ) 2731 { 2732 if( crt->raw.len == cur->raw.len && 2733 memcmp( crt->raw.p, cur->raw.p, crt->raw.len ) == 0 ) 2734 { 2735 return( 0 ); 2736 } 2737 } 2738 2739 /* too bad */ 2740 return( -1 ); 2741 } 2742 2743 /* 2744 * Build and verify a certificate chain 2745 * 2746 * Given a peer-provided list of certificates EE, C1, ..., Cn and 2747 * a list of trusted certs R1, ... Rp, try to build and verify a chain 2748 * EE, Ci1, ... Ciq [, Rj] 2749 * such that every cert in the chain is a child of the next one, 2750 * jumping to a trusted root as early as possible. 2751 * 2752 * Verify that chain and return it with flags for all issues found. 2753 * 2754 * Special cases: 2755 * - EE == Rj -> return a one-element list containing it 2756 * - EE, Ci1, ..., Ciq cannot be continued with a trusted root 2757 * -> return that chain with NOT_TRUSTED set on Ciq 2758 * 2759 * Tests for (aspects of) this function should include at least: 2760 * - trusted EE 2761 * - EE -> trusted root 2762 * - EE -> intermediate CA -> trusted root 2763 * - if relevant: EE untrusted 2764 * - if relevant: EE -> intermediate, untrusted 2765 * with the aspect under test checked at each relevant level (EE, int, root). 2766 * For some aspects longer chains are required, but usually length 2 is 2767 * enough (but length 1 is not in general). 2768 * 2769 * Arguments: 2770 * - [in] crt: the cert list EE, C1, ..., Cn 2771 * - [in] trust_ca: the trusted list R1, ..., Rp 2772 * - [in] ca_crl, profile: as in verify_with_profile() 2773 * - [out] ver_chain: the built and verified chain 2774 * Only valid when return value is 0, may contain garbage otherwise! 2775 * Restart note: need not be the same when calling again to resume. 2776 * - [in-out] rs_ctx: context for restarting operations 2777 * 2778 * Return value: 2779 * - non-zero if the chain could not be fully built and examined 2780 * - 0 is the chain was successfully built and examined, 2781 * even if it was found to be invalid 2782 */ 2783 static int x509_crt_verify_chain( 2784 mbedtls_x509_crt *crt, 2785 mbedtls_x509_crt *trust_ca, 2786 mbedtls_x509_crl *ca_crl, 2787 mbedtls_x509_crt_ca_cb_t f_ca_cb, 2788 void *p_ca_cb, 2789 const mbedtls_x509_crt_profile *profile, 2790 mbedtls_x509_crt_verify_chain *ver_chain, 2791 mbedtls_x509_crt_restart_ctx *rs_ctx ) 2792 { 2793 /* Don't initialize any of those variables here, so that the compiler can 2794 * catch potential issues with jumping ahead when restarting */ 2795 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 2796 uint32_t *flags; 2797 mbedtls_x509_crt_verify_chain_item *cur; 2798 mbedtls_x509_crt *child; 2799 mbedtls_x509_crt *parent; 2800 int parent_is_trusted; 2801 int child_is_trusted; 2802 int signature_is_good; 2803 unsigned self_cnt; 2804 mbedtls_x509_crt *cur_trust_ca = NULL; 2805 2806 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) 2807 /* resume if we had an operation in progress */ 2808 if( rs_ctx != NULL && rs_ctx->in_progress == x509_crt_rs_find_parent ) 2809 { 2810 /* restore saved state */ 2811 *ver_chain = rs_ctx->ver_chain; /* struct copy */ 2812 self_cnt = rs_ctx->self_cnt; 2813 2814 /* restore derived state */ 2815 cur = &ver_chain->items[ver_chain->len - 1]; 2816 child = cur->crt; 2817 flags = &cur->flags; 2818 2819 goto find_parent; 2820 } 2821 #endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */ 2822 2823 child = crt; 2824 self_cnt = 0; 2825 parent_is_trusted = 0; 2826 child_is_trusted = 0; 2827 2828 while( 1 ) { 2829 /* Add certificate to the verification chain */ 2830 cur = &ver_chain->items[ver_chain->len]; 2831 cur->crt = child; 2832 cur->flags = 0; 2833 ver_chain->len++; 2834 flags = &cur->flags; 2835 2836 /* Check time-validity (all certificates) */ 2837 if( mbedtls_x509_time_is_past( &child->valid_to ) ) 2838 *flags |= MBEDTLS_X509_BADCERT_EXPIRED; 2839 2840 if( mbedtls_x509_time_is_future( &child->valid_from ) ) 2841 *flags |= MBEDTLS_X509_BADCERT_FUTURE; 2842 2843 /* Stop here for trusted roots (but not for trusted EE certs) */ 2844 if( child_is_trusted ) 2845 return( 0 ); 2846 2847 /* Check signature algorithm: MD & PK algs */ 2848 if( x509_profile_check_md_alg( profile, child->sig_md ) != 0 ) 2849 *flags |= MBEDTLS_X509_BADCERT_BAD_MD; 2850 2851 if( x509_profile_check_pk_alg( profile, child->sig_pk ) != 0 ) 2852 *flags |= MBEDTLS_X509_BADCERT_BAD_PK; 2853 2854 /* Special case: EE certs that are locally trusted */ 2855 if( ver_chain->len == 1 && 2856 x509_crt_check_ee_locally_trusted( child, trust_ca ) == 0 ) 2857 { 2858 return( 0 ); 2859 } 2860 2861 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) 2862 find_parent: 2863 #endif 2864 2865 /* Obtain list of potential trusted signers from CA callback, 2866 * or use statically provided list. */ 2867 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK) 2868 if( f_ca_cb != NULL ) 2869 { 2870 mbedtls_x509_crt_free( ver_chain->trust_ca_cb_result ); 2871 mbedtls_free( ver_chain->trust_ca_cb_result ); 2872 ver_chain->trust_ca_cb_result = NULL; 2873 2874 ret = f_ca_cb( p_ca_cb, child, &ver_chain->trust_ca_cb_result ); 2875 if( ret != 0 ) 2876 return( MBEDTLS_ERR_X509_FATAL_ERROR ); 2877 2878 cur_trust_ca = ver_chain->trust_ca_cb_result; 2879 } 2880 else 2881 #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */ 2882 { 2883 ((void) f_ca_cb); 2884 ((void) p_ca_cb); 2885 cur_trust_ca = trust_ca; 2886 } 2887 2888 /* Look for a parent in trusted CAs or up the chain */ 2889 ret = x509_crt_find_parent( child, cur_trust_ca, &parent, 2890 &parent_is_trusted, &signature_is_good, 2891 ver_chain->len - 1, self_cnt, rs_ctx ); 2892 2893 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) 2894 if( rs_ctx != NULL && ret == MBEDTLS_ERR_ECP_IN_PROGRESS ) 2895 { 2896 /* save state */ 2897 rs_ctx->in_progress = x509_crt_rs_find_parent; 2898 rs_ctx->self_cnt = self_cnt; 2899 rs_ctx->ver_chain = *ver_chain; /* struct copy */ 2900 2901 return( ret ); 2902 } 2903 #else 2904 (void) ret; 2905 #endif 2906 2907 /* No parent? We're done here */ 2908 if( parent == NULL ) 2909 { 2910 *flags |= MBEDTLS_X509_BADCERT_NOT_TRUSTED; 2911 return( 0 ); 2912 } 2913 2914 /* Count intermediate self-issued (not necessarily self-signed) certs. 2915 * These can occur with some strategies for key rollover, see [SIRO], 2916 * and should be excluded from max_pathlen checks. */ 2917 if( ver_chain->len != 1 && 2918 x509_name_cmp( &child->issuer, &child->subject ) == 0 ) 2919 { 2920 self_cnt++; 2921 } 2922 2923 /* path_cnt is 0 for the first intermediate CA, 2924 * and if parent is trusted it's not an intermediate CA */ 2925 if( ! parent_is_trusted && 2926 ver_chain->len > MBEDTLS_X509_MAX_INTERMEDIATE_CA ) 2927 { 2928 /* return immediately to avoid overflow the chain array */ 2929 return( MBEDTLS_ERR_X509_FATAL_ERROR ); 2930 } 2931 2932 /* signature was checked while searching parent */ 2933 if( ! signature_is_good ) 2934 *flags |= MBEDTLS_X509_BADCERT_NOT_TRUSTED; 2935 2936 /* check size of signing key */ 2937 if( x509_profile_check_key( profile, &parent->pk ) != 0 ) 2938 *flags |= MBEDTLS_X509_BADCERT_BAD_KEY; 2939 2940 #if defined(MBEDTLS_X509_CRL_PARSE_C) 2941 /* Check trusted CA's CRL for the given crt */ 2942 *flags |= x509_crt_verifycrl( child, parent, ca_crl, profile ); 2943 #else 2944 (void) ca_crl; 2945 #endif 2946 2947 /* prepare for next iteration */ 2948 child = parent; 2949 parent = NULL; 2950 child_is_trusted = parent_is_trusted; 2951 signature_is_good = 0; 2952 } 2953 } 2954 2955 /* 2956 * Check for CN match 2957 */ 2958 static int x509_crt_check_cn( const mbedtls_x509_buf *name, 2959 const char *cn, size_t cn_len ) 2960 { 2961 /* try exact match */ 2962 if( name->len == cn_len && 2963 x509_memcasecmp( cn, name->p, cn_len ) == 0 ) 2964 { 2965 return( 0 ); 2966 } 2967 2968 /* try wildcard match */ 2969 if( x509_check_wildcard( cn, name ) == 0 ) 2970 { 2971 return( 0 ); 2972 } 2973 2974 return( -1 ); 2975 } 2976 2977 /* 2978 * Verify the requested CN - only call this if cn is not NULL! 2979 */ 2980 static void x509_crt_verify_name( const mbedtls_x509_crt *crt, 2981 const char *cn, 2982 uint32_t *flags ) 2983 { 2984 const mbedtls_x509_name *name; 2985 const mbedtls_x509_sequence *cur; 2986 size_t cn_len = strlen( cn ); 2987 2988 if( crt->ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME ) 2989 { 2990 for( cur = &crt->subject_alt_names; cur != NULL; cur = cur->next ) 2991 { 2992 if( x509_crt_check_cn( &cur->buf, cn, cn_len ) == 0 ) 2993 break; 2994 } 2995 2996 if( cur == NULL ) 2997 *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH; 2998 } 2999 else 3000 { 3001 for( name = &crt->subject; name != NULL; name = name->next ) 3002 { 3003 if( MBEDTLS_OID_CMP( MBEDTLS_OID_AT_CN, &name->oid ) == 0 && 3004 x509_crt_check_cn( &name->val, cn, cn_len ) == 0 ) 3005 { 3006 break; 3007 } 3008 } 3009 3010 if( name == NULL ) 3011 *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH; 3012 } 3013 } 3014 3015 /* 3016 * Merge the flags for all certs in the chain, after calling callback 3017 */ 3018 static int x509_crt_merge_flags_with_cb( 3019 uint32_t *flags, 3020 const mbedtls_x509_crt_verify_chain *ver_chain, 3021 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), 3022 void *p_vrfy ) 3023 { 3024 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 3025 unsigned i; 3026 uint32_t cur_flags; 3027 const mbedtls_x509_crt_verify_chain_item *cur; 3028 3029 for( i = ver_chain->len; i != 0; --i ) 3030 { 3031 cur = &ver_chain->items[i-1]; 3032 cur_flags = cur->flags; 3033 3034 if( NULL != f_vrfy ) 3035 if( ( ret = f_vrfy( p_vrfy, cur->crt, (int) i-1, &cur_flags ) ) != 0 ) 3036 return( ret ); 3037 3038 *flags |= cur_flags; 3039 } 3040 3041 return( 0 ); 3042 } 3043 3044 /* 3045 * Verify the certificate validity, with profile, restartable version 3046 * 3047 * This function: 3048 * - checks the requested CN (if any) 3049 * - checks the type and size of the EE cert's key, 3050 * as that isn't done as part of chain building/verification currently 3051 * - builds and verifies the chain 3052 * - then calls the callback and merges the flags 3053 * 3054 * The parameters pairs `trust_ca`, `ca_crl` and `f_ca_cb`, `p_ca_cb` 3055 * are mutually exclusive: If `f_ca_cb != NULL`, it will be used by the 3056 * verification routine to search for trusted signers, and CRLs will 3057 * be disabled. Otherwise, `trust_ca` will be used as the static list 3058 * of trusted signers, and `ca_crl` will be use as the static list 3059 * of CRLs. 3060 */ 3061 static int x509_crt_verify_restartable_ca_cb( mbedtls_x509_crt *crt, 3062 mbedtls_x509_crt *trust_ca, 3063 mbedtls_x509_crl *ca_crl, 3064 mbedtls_x509_crt_ca_cb_t f_ca_cb, 3065 void *p_ca_cb, 3066 const mbedtls_x509_crt_profile *profile, 3067 const char *cn, uint32_t *flags, 3068 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), 3069 void *p_vrfy, 3070 mbedtls_x509_crt_restart_ctx *rs_ctx ) 3071 { 3072 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 3073 mbedtls_pk_type_t pk_type; 3074 mbedtls_x509_crt_verify_chain ver_chain; 3075 uint32_t ee_flags; 3076 3077 *flags = 0; 3078 ee_flags = 0; 3079 x509_crt_verify_chain_reset( &ver_chain ); 3080 3081 if( profile == NULL ) 3082 { 3083 ret = MBEDTLS_ERR_X509_BAD_INPUT_DATA; 3084 goto exit; 3085 } 3086 3087 /* check name if requested */ 3088 if( cn != NULL ) 3089 x509_crt_verify_name( crt, cn, &ee_flags ); 3090 3091 /* Check the type and size of the key */ 3092 pk_type = mbedtls_pk_get_type( &crt->pk ); 3093 3094 if( x509_profile_check_pk_alg( profile, pk_type ) != 0 ) 3095 ee_flags |= MBEDTLS_X509_BADCERT_BAD_PK; 3096 3097 if( x509_profile_check_key( profile, &crt->pk ) != 0 ) 3098 ee_flags |= MBEDTLS_X509_BADCERT_BAD_KEY; 3099 3100 /* Check the chain */ 3101 ret = x509_crt_verify_chain( crt, trust_ca, ca_crl, 3102 f_ca_cb, p_ca_cb, profile, 3103 &ver_chain, rs_ctx ); 3104 3105 if( ret != 0 ) 3106 goto exit; 3107 3108 /* Merge end-entity flags */ 3109 ver_chain.items[0].flags |= ee_flags; 3110 3111 /* Build final flags, calling callback on the way if any */ 3112 ret = x509_crt_merge_flags_with_cb( flags, &ver_chain, f_vrfy, p_vrfy ); 3113 3114 exit: 3115 3116 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK) 3117 mbedtls_x509_crt_free( ver_chain.trust_ca_cb_result ); 3118 mbedtls_free( ver_chain.trust_ca_cb_result ); 3119 ver_chain.trust_ca_cb_result = NULL; 3120 #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */ 3121 3122 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) 3123 if( rs_ctx != NULL && ret != MBEDTLS_ERR_ECP_IN_PROGRESS ) 3124 mbedtls_x509_crt_restart_free( rs_ctx ); 3125 #endif 3126 3127 /* prevent misuse of the vrfy callback - VERIFY_FAILED would be ignored by 3128 * the SSL module for authmode optional, but non-zero return from the 3129 * callback means a fatal error so it shouldn't be ignored */ 3130 if( ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED ) 3131 ret = MBEDTLS_ERR_X509_FATAL_ERROR; 3132 3133 if( ret != 0 ) 3134 { 3135 *flags = (uint32_t) -1; 3136 return( ret ); 3137 } 3138 3139 if( *flags != 0 ) 3140 return( MBEDTLS_ERR_X509_CERT_VERIFY_FAILED ); 3141 3142 return( 0 ); 3143 } 3144 3145 3146 /* 3147 * Verify the certificate validity (default profile, not restartable) 3148 */ 3149 int mbedtls_x509_crt_verify( mbedtls_x509_crt *crt, 3150 mbedtls_x509_crt *trust_ca, 3151 mbedtls_x509_crl *ca_crl, 3152 const char *cn, uint32_t *flags, 3153 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), 3154 void *p_vrfy ) 3155 { 3156 return( x509_crt_verify_restartable_ca_cb( crt, trust_ca, ca_crl, 3157 NULL, NULL, 3158 &mbedtls_x509_crt_profile_default, 3159 cn, flags, 3160 f_vrfy, p_vrfy, NULL ) ); 3161 } 3162 3163 /* 3164 * Verify the certificate validity (user-chosen profile, not restartable) 3165 */ 3166 int mbedtls_x509_crt_verify_with_profile( mbedtls_x509_crt *crt, 3167 mbedtls_x509_crt *trust_ca, 3168 mbedtls_x509_crl *ca_crl, 3169 const mbedtls_x509_crt_profile *profile, 3170 const char *cn, uint32_t *flags, 3171 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), 3172 void *p_vrfy ) 3173 { 3174 return( x509_crt_verify_restartable_ca_cb( crt, trust_ca, ca_crl, 3175 NULL, NULL, 3176 profile, cn, flags, 3177 f_vrfy, p_vrfy, NULL ) ); 3178 } 3179 3180 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK) 3181 /* 3182 * Verify the certificate validity (user-chosen profile, CA callback, 3183 * not restartable). 3184 */ 3185 int mbedtls_x509_crt_verify_with_ca_cb( mbedtls_x509_crt *crt, 3186 mbedtls_x509_crt_ca_cb_t f_ca_cb, 3187 void *p_ca_cb, 3188 const mbedtls_x509_crt_profile *profile, 3189 const char *cn, uint32_t *flags, 3190 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), 3191 void *p_vrfy ) 3192 { 3193 return( x509_crt_verify_restartable_ca_cb( crt, NULL, NULL, 3194 f_ca_cb, p_ca_cb, 3195 profile, cn, flags, 3196 f_vrfy, p_vrfy, NULL ) ); 3197 } 3198 #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */ 3199 3200 int mbedtls_x509_crt_verify_restartable( mbedtls_x509_crt *crt, 3201 mbedtls_x509_crt *trust_ca, 3202 mbedtls_x509_crl *ca_crl, 3203 const mbedtls_x509_crt_profile *profile, 3204 const char *cn, uint32_t *flags, 3205 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), 3206 void *p_vrfy, 3207 mbedtls_x509_crt_restart_ctx *rs_ctx ) 3208 { 3209 return( x509_crt_verify_restartable_ca_cb( crt, trust_ca, ca_crl, 3210 NULL, NULL, 3211 profile, cn, flags, 3212 f_vrfy, p_vrfy, rs_ctx ) ); 3213 } 3214 3215 3216 /* 3217 * Initialize a certificate chain 3218 */ 3219 void mbedtls_x509_crt_init( mbedtls_x509_crt *crt ) 3220 { 3221 memset( crt, 0, sizeof(mbedtls_x509_crt) ); 3222 } 3223 3224 /* 3225 * Unallocate all certificate data 3226 */ 3227 void mbedtls_x509_crt_free( mbedtls_x509_crt *crt ) 3228 { 3229 mbedtls_x509_crt *cert_cur = crt; 3230 mbedtls_x509_crt *cert_prv; 3231 mbedtls_x509_name *name_cur; 3232 mbedtls_x509_name *name_prv; 3233 mbedtls_x509_sequence *seq_cur; 3234 mbedtls_x509_sequence *seq_prv; 3235 3236 if( crt == NULL ) 3237 return; 3238 3239 do 3240 { 3241 mbedtls_pk_free( &cert_cur->pk ); 3242 3243 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) 3244 mbedtls_free( cert_cur->sig_opts ); 3245 #endif 3246 3247 name_cur = cert_cur->issuer.next; 3248 while( name_cur != NULL ) 3249 { 3250 name_prv = name_cur; 3251 name_cur = name_cur->next; 3252 mbedtls_platform_zeroize( name_prv, sizeof( mbedtls_x509_name ) ); 3253 mbedtls_free( name_prv ); 3254 } 3255 3256 name_cur = cert_cur->subject.next; 3257 while( name_cur != NULL ) 3258 { 3259 name_prv = name_cur; 3260 name_cur = name_cur->next; 3261 mbedtls_platform_zeroize( name_prv, sizeof( mbedtls_x509_name ) ); 3262 mbedtls_free( name_prv ); 3263 } 3264 3265 seq_cur = cert_cur->ext_key_usage.next; 3266 while( seq_cur != NULL ) 3267 { 3268 seq_prv = seq_cur; 3269 seq_cur = seq_cur->next; 3270 mbedtls_platform_zeroize( seq_prv, 3271 sizeof( mbedtls_x509_sequence ) ); 3272 mbedtls_free( seq_prv ); 3273 } 3274 3275 seq_cur = cert_cur->subject_alt_names.next; 3276 while( seq_cur != NULL ) 3277 { 3278 seq_prv = seq_cur; 3279 seq_cur = seq_cur->next; 3280 mbedtls_platform_zeroize( seq_prv, 3281 sizeof( mbedtls_x509_sequence ) ); 3282 mbedtls_free( seq_prv ); 3283 } 3284 3285 seq_cur = cert_cur->certificate_policies.next; 3286 while( seq_cur != NULL ) 3287 { 3288 seq_prv = seq_cur; 3289 seq_cur = seq_cur->next; 3290 mbedtls_platform_zeroize( seq_prv, 3291 sizeof( mbedtls_x509_sequence ) ); 3292 mbedtls_free( seq_prv ); 3293 } 3294 3295 if( cert_cur->raw.p != NULL && cert_cur->own_buffer ) 3296 { 3297 mbedtls_platform_zeroize( cert_cur->raw.p, cert_cur->raw.len ); 3298 mbedtls_free( cert_cur->raw.p ); 3299 } 3300 3301 cert_cur = cert_cur->next; 3302 } 3303 while( cert_cur != NULL ); 3304 3305 cert_cur = crt; 3306 do 3307 { 3308 cert_prv = cert_cur; 3309 cert_cur = cert_cur->next; 3310 3311 mbedtls_platform_zeroize( cert_prv, sizeof( mbedtls_x509_crt ) ); 3312 if( cert_prv != crt ) 3313 mbedtls_free( cert_prv ); 3314 } 3315 while( cert_cur != NULL ); 3316 } 3317 3318 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) 3319 /* 3320 * Initialize a restart context 3321 */ 3322 void mbedtls_x509_crt_restart_init( mbedtls_x509_crt_restart_ctx *ctx ) 3323 { 3324 mbedtls_pk_restart_init( &ctx->pk ); 3325 3326 ctx->parent = NULL; 3327 ctx->fallback_parent = NULL; 3328 ctx->fallback_signature_is_good = 0; 3329 3330 ctx->parent_is_trusted = -1; 3331 3332 ctx->in_progress = x509_crt_rs_none; 3333 ctx->self_cnt = 0; 3334 x509_crt_verify_chain_reset( &ctx->ver_chain ); 3335 } 3336 3337 /* 3338 * Free the components of a restart context 3339 */ 3340 void mbedtls_x509_crt_restart_free( mbedtls_x509_crt_restart_ctx *ctx ) 3341 { 3342 if( ctx == NULL ) 3343 return; 3344 3345 mbedtls_pk_restart_free( &ctx->pk ); 3346 mbedtls_x509_crt_restart_init( ctx ); 3347 } 3348 #endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */ 3349 3350 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 3351