1 /* 2 * X.509 certificate parsing and verification 3 * 4 * Copyright The Mbed TLS Contributors 5 * SPDX-License-Identifier: Apache-2.0 6 * 7 * Licensed under the Apache License, Version 2.0 (the "License"); you may 8 * not use this file except in compliance with the License. 9 * You may obtain a copy of the License at 10 * 11 * http://www.apache.org/licenses/LICENSE-2.0 12 * 13 * Unless required by applicable law or agreed to in writing, software 14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 * See the License for the specific language governing permissions and 17 * limitations under the License. 18 */ 19 /* 20 * The ITU-T X.509 standard defines a certificate format for PKI. 21 * 22 * http://www.ietf.org/rfc/rfc5280.txt (Certificates and CRLs) 23 * http://www.ietf.org/rfc/rfc3279.txt (Alg IDs for CRLs) 24 * http://www.ietf.org/rfc/rfc2986.txt (CSRs, aka PKCS#10) 25 * 26 * http://www.itu.int/ITU-T/studygroups/com17/languages/X.680-0207.pdf 27 * http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf 28 * 29 * [SIRO] https://cabforum.org/wp-content/uploads/Chunghwatelecom201503cabforumV4.pdf 30 */ 31 32 #include "common.h" 33 34 #if defined(MBEDTLS_X509_CRT_PARSE_C) 35 36 #include "mbedtls/x509_crt.h" 37 #include "mbedtls/error.h" 38 #include "mbedtls/oid.h" 39 #include "mbedtls/platform_util.h" 40 41 #include <string.h> 42 43 #if defined(MBEDTLS_PEM_PARSE_C) 44 #include "mbedtls/pem.h" 45 #endif 46 47 #if defined(MBEDTLS_USE_PSA_CRYPTO) 48 #include "psa/crypto.h" 49 #include "mbedtls/psa_util.h" 50 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 51 #include "hash_info.h" 52 53 #include "mbedtls/platform.h" 54 55 #if defined(MBEDTLS_THREADING_C) 56 #include "mbedtls/threading.h" 57 #endif 58 59 #if defined(MBEDTLS_HAVE_TIME) 60 #if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32) 61 #include <windows.h> 62 #else 63 #include <time.h> 64 #endif 65 #endif 66 67 #if defined(MBEDTLS_FS_IO) 68 #include <stdio.h> 69 #if !defined(_WIN32) || defined(EFIX64) || defined(EFI32) 70 #include <sys/types.h> 71 #include <sys/stat.h> 72 #if defined(__MBED__) 73 #include <platform/mbed_retarget.h> 74 #else 75 #include <dirent.h> 76 #endif /* __MBED__ */ 77 #include <errno.h> 78 #endif /* !_WIN32 || EFIX64 || EFI32 */ 79 #endif 80 81 /* 82 * Item in a verification chain: cert and flags for it 83 */ 84 typedef struct { 85 mbedtls_x509_crt *crt; 86 uint32_t flags; 87 } x509_crt_verify_chain_item; 88 89 /* 90 * Max size of verification chain: end-entity + intermediates + trusted root 91 */ 92 #define X509_MAX_VERIFY_CHAIN_SIZE (MBEDTLS_X509_MAX_INTERMEDIATE_CA + 2) 93 94 /* Default profile. Do not remove items unless there are serious security 95 * concerns. */ 96 const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_default = 97 { 98 /* Hashes from SHA-256 and above. Note that this selection 99 * should be aligned with ssl_preset_default_hashes in ssl_tls.c. */ 100 MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA256) | 101 MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA384) | 102 MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA512), 103 0xFFFFFFF, /* Any PK alg */ 104 #if defined(MBEDTLS_ECP_C) 105 /* Curves at or above 128-bit security level. Note that this selection 106 * should be aligned with ssl_preset_default_curves in ssl_tls.c. */ 107 MBEDTLS_X509_ID_FLAG(MBEDTLS_ECP_DP_SECP256R1) | 108 MBEDTLS_X509_ID_FLAG(MBEDTLS_ECP_DP_SECP384R1) | 109 MBEDTLS_X509_ID_FLAG(MBEDTLS_ECP_DP_SECP521R1) | 110 MBEDTLS_X509_ID_FLAG(MBEDTLS_ECP_DP_BP256R1) | 111 MBEDTLS_X509_ID_FLAG(MBEDTLS_ECP_DP_BP384R1) | 112 MBEDTLS_X509_ID_FLAG(MBEDTLS_ECP_DP_BP512R1) | 113 0, 114 #else 115 0, 116 #endif 117 2048, 118 }; 119 120 /* Next-generation profile. Currently identical to the default, but may 121 * be tightened at any time. */ 122 const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_next = 123 { 124 /* Hashes from SHA-256 and above. */ 125 MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA256) | 126 MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA384) | 127 MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA512), 128 0xFFFFFFF, /* Any PK alg */ 129 #if defined(MBEDTLS_ECP_C) 130 /* Curves at or above 128-bit security level. */ 131 MBEDTLS_X509_ID_FLAG(MBEDTLS_ECP_DP_SECP256R1) | 132 MBEDTLS_X509_ID_FLAG(MBEDTLS_ECP_DP_SECP384R1) | 133 MBEDTLS_X509_ID_FLAG(MBEDTLS_ECP_DP_SECP521R1) | 134 MBEDTLS_X509_ID_FLAG(MBEDTLS_ECP_DP_BP256R1) | 135 MBEDTLS_X509_ID_FLAG(MBEDTLS_ECP_DP_BP384R1) | 136 MBEDTLS_X509_ID_FLAG(MBEDTLS_ECP_DP_BP512R1) | 137 MBEDTLS_X509_ID_FLAG(MBEDTLS_ECP_DP_SECP256K1), 138 #else 139 0, 140 #endif 141 2048, 142 }; 143 144 /* 145 * NSA Suite B Profile 146 */ 147 const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_suiteb = 148 { 149 /* Only SHA-256 and 384 */ 150 MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA256) | 151 MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA384), 152 /* Only ECDSA */ 153 MBEDTLS_X509_ID_FLAG(MBEDTLS_PK_ECDSA) | 154 MBEDTLS_X509_ID_FLAG(MBEDTLS_PK_ECKEY), 155 #if defined(MBEDTLS_ECP_C) 156 /* Only NIST P-256 and P-384 */ 157 MBEDTLS_X509_ID_FLAG(MBEDTLS_ECP_DP_SECP256R1) | 158 MBEDTLS_X509_ID_FLAG(MBEDTLS_ECP_DP_SECP384R1), 159 #else 160 0, 161 #endif 162 0, 163 }; 164 165 /* 166 * Empty / all-forbidden profile 167 */ 168 const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_none = 169 { 170 0, 171 0, 172 0, 173 (uint32_t) -1, 174 }; 175 176 /* 177 * Check md_alg against profile 178 * Return 0 if md_alg is acceptable for this profile, -1 otherwise 179 */ 180 static int x509_profile_check_md_alg(const mbedtls_x509_crt_profile *profile, 181 mbedtls_md_type_t md_alg) 182 { 183 if (md_alg == MBEDTLS_MD_NONE) { 184 return -1; 185 } 186 187 if ((profile->allowed_mds & MBEDTLS_X509_ID_FLAG(md_alg)) != 0) { 188 return 0; 189 } 190 191 return -1; 192 } 193 194 /* 195 * Check pk_alg against profile 196 * Return 0 if pk_alg is acceptable for this profile, -1 otherwise 197 */ 198 static int x509_profile_check_pk_alg(const mbedtls_x509_crt_profile *profile, 199 mbedtls_pk_type_t pk_alg) 200 { 201 if (pk_alg == MBEDTLS_PK_NONE) { 202 return -1; 203 } 204 205 if ((profile->allowed_pks & MBEDTLS_X509_ID_FLAG(pk_alg)) != 0) { 206 return 0; 207 } 208 209 return -1; 210 } 211 212 /* 213 * Check key against profile 214 * Return 0 if pk is acceptable for this profile, -1 otherwise 215 */ 216 static int x509_profile_check_key(const mbedtls_x509_crt_profile *profile, 217 const mbedtls_pk_context *pk) 218 { 219 const mbedtls_pk_type_t pk_alg = mbedtls_pk_get_type(pk); 220 221 #if defined(MBEDTLS_RSA_C) 222 if (pk_alg == MBEDTLS_PK_RSA || pk_alg == MBEDTLS_PK_RSASSA_PSS) { 223 if (mbedtls_pk_get_bitlen(pk) >= profile->rsa_min_bitlen) { 224 return 0; 225 } 226 227 return -1; 228 } 229 #endif 230 231 #if defined(MBEDTLS_ECP_C) 232 if (pk_alg == MBEDTLS_PK_ECDSA || 233 pk_alg == MBEDTLS_PK_ECKEY || 234 pk_alg == MBEDTLS_PK_ECKEY_DH) { 235 const mbedtls_ecp_group_id gid = mbedtls_pk_ec(*pk)->grp.id; 236 237 if (gid == MBEDTLS_ECP_DP_NONE) { 238 return -1; 239 } 240 241 if ((profile->allowed_curves & MBEDTLS_X509_ID_FLAG(gid)) != 0) { 242 return 0; 243 } 244 245 return -1; 246 } 247 #endif 248 249 return -1; 250 } 251 252 /* 253 * Like memcmp, but case-insensitive and always returns -1 if different 254 */ 255 static int x509_memcasecmp(const void *s1, const void *s2, size_t len) 256 { 257 size_t i; 258 unsigned char diff; 259 const unsigned char *n1 = s1, *n2 = s2; 260 261 for (i = 0; i < len; i++) { 262 diff = n1[i] ^ n2[i]; 263 264 if (diff == 0) { 265 continue; 266 } 267 268 if (diff == 32 && 269 ((n1[i] >= 'a' && n1[i] <= 'z') || 270 (n1[i] >= 'A' && n1[i] <= 'Z'))) { 271 continue; 272 } 273 274 return -1; 275 } 276 277 return 0; 278 } 279 280 /* 281 * Return 0 if name matches wildcard, -1 otherwise 282 */ 283 static int x509_check_wildcard(const char *cn, const mbedtls_x509_buf *name) 284 { 285 size_t i; 286 size_t cn_idx = 0, cn_len = strlen(cn); 287 288 /* We can't have a match if there is no wildcard to match */ 289 if (name->len < 3 || name->p[0] != '*' || name->p[1] != '.') { 290 return -1; 291 } 292 293 for (i = 0; i < cn_len; ++i) { 294 if (cn[i] == '.') { 295 cn_idx = i; 296 break; 297 } 298 } 299 300 if (cn_idx == 0) { 301 return -1; 302 } 303 304 if (cn_len - cn_idx == name->len - 1 && 305 x509_memcasecmp(name->p + 1, cn + cn_idx, name->len - 1) == 0) { 306 return 0; 307 } 308 309 return -1; 310 } 311 312 /* 313 * Compare two X.509 strings, case-insensitive, and allowing for some encoding 314 * variations (but not all). 315 * 316 * Return 0 if equal, -1 otherwise. 317 */ 318 static int x509_string_cmp(const mbedtls_x509_buf *a, const mbedtls_x509_buf *b) 319 { 320 if (a->tag == b->tag && 321 a->len == b->len && 322 memcmp(a->p, b->p, b->len) == 0) { 323 return 0; 324 } 325 326 if ((a->tag == MBEDTLS_ASN1_UTF8_STRING || a->tag == MBEDTLS_ASN1_PRINTABLE_STRING) && 327 (b->tag == MBEDTLS_ASN1_UTF8_STRING || b->tag == MBEDTLS_ASN1_PRINTABLE_STRING) && 328 a->len == b->len && 329 x509_memcasecmp(a->p, b->p, b->len) == 0) { 330 return 0; 331 } 332 333 return -1; 334 } 335 336 /* 337 * Compare two X.509 Names (aka rdnSequence). 338 * 339 * See RFC 5280 section 7.1, though we don't implement the whole algorithm: 340 * we sometimes return unequal when the full algorithm would return equal, 341 * but never the other way. (In particular, we don't do Unicode normalisation 342 * or space folding.) 343 * 344 * Return 0 if equal, -1 otherwise. 345 */ 346 static int x509_name_cmp(const mbedtls_x509_name *a, const mbedtls_x509_name *b) 347 { 348 /* Avoid recursion, it might not be optimised by the compiler */ 349 while (a != NULL || b != NULL) { 350 if (a == NULL || b == NULL) { 351 return -1; 352 } 353 354 /* type */ 355 if (a->oid.tag != b->oid.tag || 356 a->oid.len != b->oid.len || 357 memcmp(a->oid.p, b->oid.p, b->oid.len) != 0) { 358 return -1; 359 } 360 361 /* value */ 362 if (x509_string_cmp(&a->val, &b->val) != 0) { 363 return -1; 364 } 365 366 /* structure of the list of sets */ 367 if (a->next_merged != b->next_merged) { 368 return -1; 369 } 370 371 a = a->next; 372 b = b->next; 373 } 374 375 /* a == NULL == b */ 376 return 0; 377 } 378 379 /* 380 * Reset (init or clear) a verify_chain 381 */ 382 static void x509_crt_verify_chain_reset( 383 mbedtls_x509_crt_verify_chain *ver_chain) 384 { 385 size_t i; 386 387 for (i = 0; i < MBEDTLS_X509_MAX_VERIFY_CHAIN_SIZE; i++) { 388 ver_chain->items[i].crt = NULL; 389 ver_chain->items[i].flags = (uint32_t) -1; 390 } 391 392 ver_chain->len = 0; 393 394 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK) 395 ver_chain->trust_ca_cb_result = NULL; 396 #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */ 397 } 398 399 /* 400 * Version ::= INTEGER { v1(0), v2(1), v3(2) } 401 */ 402 static int x509_get_version(unsigned char **p, 403 const unsigned char *end, 404 int *ver) 405 { 406 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 407 size_t len; 408 409 if ((ret = mbedtls_asn1_get_tag(p, end, &len, 410 MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | 411 0)) != 0) { 412 if (ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) { 413 *ver = 0; 414 return 0; 415 } 416 417 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_FORMAT, ret); 418 } 419 420 end = *p + len; 421 422 if ((ret = mbedtls_asn1_get_int(p, end, ver)) != 0) { 423 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_VERSION, ret); 424 } 425 426 if (*p != end) { 427 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_VERSION, 428 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH); 429 } 430 431 return 0; 432 } 433 434 /* 435 * Validity ::= SEQUENCE { 436 * notBefore Time, 437 * notAfter Time } 438 */ 439 static int x509_get_dates(unsigned char **p, 440 const unsigned char *end, 441 mbedtls_x509_time *from, 442 mbedtls_x509_time *to) 443 { 444 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 445 size_t len; 446 447 if ((ret = mbedtls_asn1_get_tag(p, end, &len, 448 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) { 449 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_DATE, ret); 450 } 451 452 end = *p + len; 453 454 if ((ret = mbedtls_x509_get_time(p, end, from)) != 0) { 455 return ret; 456 } 457 458 if ((ret = mbedtls_x509_get_time(p, end, to)) != 0) { 459 return ret; 460 } 461 462 if (*p != end) { 463 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_DATE, 464 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH); 465 } 466 467 return 0; 468 } 469 470 /* 471 * X.509 v2/v3 unique identifier (not parsed) 472 */ 473 static int x509_get_uid(unsigned char **p, 474 const unsigned char *end, 475 mbedtls_x509_buf *uid, int n) 476 { 477 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 478 479 if (*p == end) { 480 return 0; 481 } 482 483 uid->tag = **p; 484 485 if ((ret = mbedtls_asn1_get_tag(p, end, &uid->len, 486 MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | 487 n)) != 0) { 488 if (ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) { 489 return 0; 490 } 491 492 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_FORMAT, ret); 493 } 494 495 uid->p = *p; 496 *p += uid->len; 497 498 return 0; 499 } 500 501 static int x509_get_basic_constraints(unsigned char **p, 502 const unsigned char *end, 503 int *ca_istrue, 504 int *max_pathlen) 505 { 506 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 507 size_t len; 508 509 /* 510 * BasicConstraints ::= SEQUENCE { 511 * cA BOOLEAN DEFAULT FALSE, 512 * pathLenConstraint INTEGER (0..MAX) OPTIONAL } 513 */ 514 *ca_istrue = 0; /* DEFAULT FALSE */ 515 *max_pathlen = 0; /* endless */ 516 517 if ((ret = mbedtls_asn1_get_tag(p, end, &len, 518 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) { 519 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret); 520 } 521 522 if (*p == end) { 523 return 0; 524 } 525 526 if ((ret = mbedtls_asn1_get_bool(p, end, ca_istrue)) != 0) { 527 if (ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) { 528 ret = mbedtls_asn1_get_int(p, end, ca_istrue); 529 } 530 531 if (ret != 0) { 532 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret); 533 } 534 535 if (*ca_istrue != 0) { 536 *ca_istrue = 1; 537 } 538 } 539 540 if (*p == end) { 541 return 0; 542 } 543 544 if ((ret = mbedtls_asn1_get_int(p, end, max_pathlen)) != 0) { 545 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret); 546 } 547 548 if (*p != end) { 549 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, 550 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH); 551 } 552 553 /* Do not accept max_pathlen equal to INT_MAX to avoid a signed integer 554 * overflow, which is an undefined behavior. */ 555 if (*max_pathlen == INT_MAX) { 556 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, 557 MBEDTLS_ERR_ASN1_INVALID_LENGTH); 558 } 559 560 (*max_pathlen)++; 561 562 return 0; 563 } 564 565 /* 566 * ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId 567 * 568 * KeyPurposeId ::= OBJECT IDENTIFIER 569 */ 570 static int x509_get_ext_key_usage(unsigned char **p, 571 const unsigned char *end, 572 mbedtls_x509_sequence *ext_key_usage) 573 { 574 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 575 576 if ((ret = mbedtls_asn1_get_sequence_of(p, end, ext_key_usage, MBEDTLS_ASN1_OID)) != 0) { 577 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret); 578 } 579 580 /* Sequence length must be >= 1 */ 581 if (ext_key_usage->buf.p == NULL) { 582 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, 583 MBEDTLS_ERR_ASN1_INVALID_LENGTH); 584 } 585 586 return 0; 587 } 588 589 /* 590 * id-ce-certificatePolicies OBJECT IDENTIFIER ::= { id-ce 32 } 591 * 592 * anyPolicy OBJECT IDENTIFIER ::= { id-ce-certificatePolicies 0 } 593 * 594 * certificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation 595 * 596 * PolicyInformation ::= SEQUENCE { 597 * policyIdentifier CertPolicyId, 598 * policyQualifiers SEQUENCE SIZE (1..MAX) OF 599 * PolicyQualifierInfo OPTIONAL } 600 * 601 * CertPolicyId ::= OBJECT IDENTIFIER 602 * 603 * PolicyQualifierInfo ::= SEQUENCE { 604 * policyQualifierId PolicyQualifierId, 605 * qualifier ANY DEFINED BY policyQualifierId } 606 * 607 * -- policyQualifierIds for Internet policy qualifiers 608 * 609 * id-qt OBJECT IDENTIFIER ::= { id-pkix 2 } 610 * id-qt-cps OBJECT IDENTIFIER ::= { id-qt 1 } 611 * id-qt-unotice OBJECT IDENTIFIER ::= { id-qt 2 } 612 * 613 * PolicyQualifierId ::= OBJECT IDENTIFIER ( id-qt-cps | id-qt-unotice ) 614 * 615 * Qualifier ::= CHOICE { 616 * cPSuri CPSuri, 617 * userNotice UserNotice } 618 * 619 * CPSuri ::= IA5String 620 * 621 * UserNotice ::= SEQUENCE { 622 * noticeRef NoticeReference OPTIONAL, 623 * explicitText DisplayText OPTIONAL } 624 * 625 * NoticeReference ::= SEQUENCE { 626 * organization DisplayText, 627 * noticeNumbers SEQUENCE OF INTEGER } 628 * 629 * DisplayText ::= CHOICE { 630 * ia5String IA5String (SIZE (1..200)), 631 * visibleString VisibleString (SIZE (1..200)), 632 * bmpString BMPString (SIZE (1..200)), 633 * utf8String UTF8String (SIZE (1..200)) } 634 * 635 * NOTE: we only parse and use anyPolicy without qualifiers at this point 636 * as defined in RFC 5280. 637 */ 638 static int x509_get_certificate_policies(unsigned char **p, 639 const unsigned char *end, 640 mbedtls_x509_sequence *certificate_policies) 641 { 642 int ret, parse_ret = 0; 643 size_t len; 644 mbedtls_asn1_buf *buf; 645 mbedtls_asn1_sequence *cur = certificate_policies; 646 647 /* Get main sequence tag */ 648 ret = mbedtls_asn1_get_tag(p, end, &len, 649 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE); 650 if (ret != 0) { 651 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret); 652 } 653 654 if (*p + len != end) { 655 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, 656 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH); 657 } 658 659 /* 660 * Cannot be an empty sequence. 661 */ 662 if (len == 0) { 663 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, 664 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH); 665 } 666 667 while (*p < end) { 668 mbedtls_x509_buf policy_oid; 669 const unsigned char *policy_end; 670 671 /* 672 * Get the policy sequence 673 */ 674 if ((ret = mbedtls_asn1_get_tag(p, end, &len, 675 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) { 676 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret); 677 } 678 679 policy_end = *p + len; 680 681 if ((ret = mbedtls_asn1_get_tag(p, policy_end, &len, 682 MBEDTLS_ASN1_OID)) != 0) { 683 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret); 684 } 685 686 policy_oid.tag = MBEDTLS_ASN1_OID; 687 policy_oid.len = len; 688 policy_oid.p = *p; 689 690 /* 691 * Only AnyPolicy is currently supported when enforcing policy. 692 */ 693 if (MBEDTLS_OID_CMP(MBEDTLS_OID_ANY_POLICY, &policy_oid) != 0) { 694 /* 695 * Set the parsing return code but continue parsing, in case this 696 * extension is critical. 697 */ 698 parse_ret = MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE; 699 } 700 701 /* Allocate and assign next pointer */ 702 if (cur->buf.p != NULL) { 703 if (cur->next != NULL) { 704 return MBEDTLS_ERR_X509_INVALID_EXTENSIONS; 705 } 706 707 cur->next = mbedtls_calloc(1, sizeof(mbedtls_asn1_sequence)); 708 709 if (cur->next == NULL) { 710 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, 711 MBEDTLS_ERR_ASN1_ALLOC_FAILED); 712 } 713 714 cur = cur->next; 715 } 716 717 buf = &(cur->buf); 718 buf->tag = policy_oid.tag; 719 buf->p = policy_oid.p; 720 buf->len = policy_oid.len; 721 722 *p += len; 723 724 /* 725 * If there is an optional qualifier, then *p < policy_end 726 * Check the Qualifier len to verify it doesn't exceed policy_end. 727 */ 728 if (*p < policy_end) { 729 if ((ret = mbedtls_asn1_get_tag(p, policy_end, &len, 730 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 731 0) { 732 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret); 733 } 734 /* 735 * Skip the optional policy qualifiers. 736 */ 737 *p += len; 738 } 739 740 if (*p != policy_end) { 741 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, 742 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH); 743 } 744 } 745 746 /* Set final sequence entry's next pointer to NULL */ 747 cur->next = NULL; 748 749 if (*p != end) { 750 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, 751 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH); 752 } 753 754 return parse_ret; 755 } 756 757 /* 758 * X.509 v3 extensions 759 * 760 */ 761 static int x509_get_crt_ext(unsigned char **p, 762 const unsigned char *end, 763 mbedtls_x509_crt *crt, 764 mbedtls_x509_crt_ext_cb_t cb, 765 void *p_ctx) 766 { 767 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 768 size_t len; 769 unsigned char *end_ext_data, *start_ext_octet, *end_ext_octet; 770 771 if (*p == end) { 772 return 0; 773 } 774 775 if ((ret = mbedtls_x509_get_ext(p, end, &crt->v3_ext, 3)) != 0) { 776 return ret; 777 } 778 779 end = crt->v3_ext.p + crt->v3_ext.len; 780 while (*p < end) { 781 /* 782 * Extension ::= SEQUENCE { 783 * extnID OBJECT IDENTIFIER, 784 * critical BOOLEAN DEFAULT FALSE, 785 * extnValue OCTET STRING } 786 */ 787 mbedtls_x509_buf extn_oid = { 0, 0, NULL }; 788 int is_critical = 0; /* DEFAULT FALSE */ 789 int ext_type = 0; 790 791 if ((ret = mbedtls_asn1_get_tag(p, end, &len, 792 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) { 793 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret); 794 } 795 796 end_ext_data = *p + len; 797 798 /* Get extension ID */ 799 if ((ret = mbedtls_asn1_get_tag(p, end_ext_data, &extn_oid.len, 800 MBEDTLS_ASN1_OID)) != 0) { 801 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret); 802 } 803 804 extn_oid.tag = MBEDTLS_ASN1_OID; 805 extn_oid.p = *p; 806 *p += extn_oid.len; 807 808 /* Get optional critical */ 809 if ((ret = mbedtls_asn1_get_bool(p, end_ext_data, &is_critical)) != 0 && 810 (ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG)) { 811 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret); 812 } 813 814 /* Data should be octet string type */ 815 if ((ret = mbedtls_asn1_get_tag(p, end_ext_data, &len, 816 MBEDTLS_ASN1_OCTET_STRING)) != 0) { 817 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret); 818 } 819 820 start_ext_octet = *p; 821 end_ext_octet = *p + len; 822 823 if (end_ext_octet != end_ext_data) { 824 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, 825 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH); 826 } 827 828 /* 829 * Detect supported extensions 830 */ 831 ret = mbedtls_oid_get_x509_ext_type(&extn_oid, &ext_type); 832 833 if (ret != 0) { 834 /* Give the callback (if any) a chance to handle the extension */ 835 if (cb != NULL) { 836 ret = cb(p_ctx, crt, &extn_oid, is_critical, *p, end_ext_octet); 837 if (ret != 0 && is_critical) { 838 return ret; 839 } 840 *p = end_ext_octet; 841 continue; 842 } 843 844 /* No parser found, skip extension */ 845 *p = end_ext_octet; 846 847 if (is_critical) { 848 /* Data is marked as critical: fail */ 849 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, 850 MBEDTLS_ERR_ASN1_UNEXPECTED_TAG); 851 } 852 continue; 853 } 854 855 /* Forbid repeated extensions */ 856 if ((crt->ext_types & ext_type) != 0) { 857 return MBEDTLS_ERR_X509_INVALID_EXTENSIONS; 858 } 859 860 crt->ext_types |= ext_type; 861 862 switch (ext_type) { 863 case MBEDTLS_X509_EXT_BASIC_CONSTRAINTS: 864 /* Parse basic constraints */ 865 if ((ret = x509_get_basic_constraints(p, end_ext_octet, 866 &crt->ca_istrue, &crt->max_pathlen)) != 0) { 867 return ret; 868 } 869 break; 870 871 case MBEDTLS_X509_EXT_KEY_USAGE: 872 /* Parse key usage */ 873 if ((ret = mbedtls_x509_get_key_usage(p, end_ext_octet, 874 &crt->key_usage)) != 0) { 875 return ret; 876 } 877 break; 878 879 case MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE: 880 /* Parse extended key usage */ 881 if ((ret = x509_get_ext_key_usage(p, end_ext_octet, 882 &crt->ext_key_usage)) != 0) { 883 return ret; 884 } 885 break; 886 887 case MBEDTLS_X509_EXT_SUBJECT_ALT_NAME: 888 /* Parse subject alt name */ 889 if ((ret = mbedtls_x509_get_subject_alt_name(p, end_ext_octet, 890 &crt->subject_alt_names)) != 0) { 891 return ret; 892 } 893 break; 894 895 case MBEDTLS_X509_EXT_NS_CERT_TYPE: 896 /* Parse netscape certificate type */ 897 if ((ret = mbedtls_x509_get_ns_cert_type(p, end_ext_octet, 898 &crt->ns_cert_type)) != 0) { 899 return ret; 900 } 901 break; 902 903 case MBEDTLS_OID_X509_EXT_CERTIFICATE_POLICIES: 904 /* Parse certificate policies type */ 905 if ((ret = x509_get_certificate_policies(p, end_ext_octet, 906 &crt->certificate_policies)) != 0) { 907 /* Give the callback (if any) a chance to handle the extension 908 * if it contains unsupported policies */ 909 if (ret == MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE && cb != NULL && 910 cb(p_ctx, crt, &extn_oid, is_critical, 911 start_ext_octet, end_ext_octet) == 0) { 912 break; 913 } 914 915 if (is_critical) { 916 return ret; 917 } else 918 /* 919 * If MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE is returned, then we 920 * cannot interpret or enforce the policy. However, it is up to 921 * the user to choose how to enforce the policies, 922 * unless the extension is critical. 923 */ 924 if (ret != MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE) { 925 return ret; 926 } 927 } 928 break; 929 930 default: 931 /* 932 * If this is a non-critical extension, which the oid layer 933 * supports, but there isn't an x509 parser for it, 934 * skip the extension. 935 */ 936 if (is_critical) { 937 return MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE; 938 } else { 939 *p = end_ext_octet; 940 } 941 } 942 } 943 944 if (*p != end) { 945 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, 946 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH); 947 } 948 949 return 0; 950 } 951 952 /* 953 * Parse and fill a single X.509 certificate in DER format 954 */ 955 static int x509_crt_parse_der_core(mbedtls_x509_crt *crt, 956 const unsigned char *buf, 957 size_t buflen, 958 int make_copy, 959 mbedtls_x509_crt_ext_cb_t cb, 960 void *p_ctx) 961 { 962 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 963 size_t len; 964 unsigned char *p, *end, *crt_end; 965 mbedtls_x509_buf sig_params1, sig_params2, sig_oid2; 966 967 memset(&sig_params1, 0, sizeof(mbedtls_x509_buf)); 968 memset(&sig_params2, 0, sizeof(mbedtls_x509_buf)); 969 memset(&sig_oid2, 0, sizeof(mbedtls_x509_buf)); 970 971 /* 972 * Check for valid input 973 */ 974 if (crt == NULL || buf == NULL) { 975 return MBEDTLS_ERR_X509_BAD_INPUT_DATA; 976 } 977 978 /* Use the original buffer until we figure out actual length. */ 979 p = (unsigned char *) buf; 980 len = buflen; 981 end = p + len; 982 983 /* 984 * Certificate ::= SEQUENCE { 985 * tbsCertificate TBSCertificate, 986 * signatureAlgorithm AlgorithmIdentifier, 987 * signatureValue BIT STRING } 988 */ 989 if ((ret = mbedtls_asn1_get_tag(&p, end, &len, 990 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) { 991 mbedtls_x509_crt_free(crt); 992 return MBEDTLS_ERR_X509_INVALID_FORMAT; 993 } 994 995 end = crt_end = p + len; 996 crt->raw.len = crt_end - buf; 997 if (make_copy != 0) { 998 /* Create and populate a new buffer for the raw field. */ 999 crt->raw.p = p = mbedtls_calloc(1, crt->raw.len); 1000 if (crt->raw.p == NULL) { 1001 return MBEDTLS_ERR_X509_ALLOC_FAILED; 1002 } 1003 1004 memcpy(crt->raw.p, buf, crt->raw.len); 1005 crt->own_buffer = 1; 1006 1007 p += crt->raw.len - len; 1008 end = crt_end = p + len; 1009 } else { 1010 crt->raw.p = (unsigned char *) buf; 1011 crt->own_buffer = 0; 1012 } 1013 1014 /* 1015 * TBSCertificate ::= SEQUENCE { 1016 */ 1017 crt->tbs.p = p; 1018 1019 if ((ret = mbedtls_asn1_get_tag(&p, end, &len, 1020 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) { 1021 mbedtls_x509_crt_free(crt); 1022 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_FORMAT, ret); 1023 } 1024 1025 end = p + len; 1026 crt->tbs.len = end - crt->tbs.p; 1027 1028 /* 1029 * Version ::= INTEGER { v1(0), v2(1), v3(2) } 1030 * 1031 * CertificateSerialNumber ::= INTEGER 1032 * 1033 * signature AlgorithmIdentifier 1034 */ 1035 if ((ret = x509_get_version(&p, end, &crt->version)) != 0 || 1036 (ret = mbedtls_x509_get_serial(&p, end, &crt->serial)) != 0 || 1037 (ret = mbedtls_x509_get_alg(&p, end, &crt->sig_oid, 1038 &sig_params1)) != 0) { 1039 mbedtls_x509_crt_free(crt); 1040 return ret; 1041 } 1042 1043 if (crt->version < 0 || crt->version > 2) { 1044 mbedtls_x509_crt_free(crt); 1045 return MBEDTLS_ERR_X509_UNKNOWN_VERSION; 1046 } 1047 1048 crt->version++; 1049 1050 if ((ret = mbedtls_x509_get_sig_alg(&crt->sig_oid, &sig_params1, 1051 &crt->sig_md, &crt->sig_pk, 1052 &crt->sig_opts)) != 0) { 1053 mbedtls_x509_crt_free(crt); 1054 return ret; 1055 } 1056 1057 /* 1058 * issuer Name 1059 */ 1060 crt->issuer_raw.p = p; 1061 1062 if ((ret = mbedtls_asn1_get_tag(&p, end, &len, 1063 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) { 1064 mbedtls_x509_crt_free(crt); 1065 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_FORMAT, ret); 1066 } 1067 1068 if ((ret = mbedtls_x509_get_name(&p, p + len, &crt->issuer)) != 0) { 1069 mbedtls_x509_crt_free(crt); 1070 return ret; 1071 } 1072 1073 crt->issuer_raw.len = p - crt->issuer_raw.p; 1074 1075 /* 1076 * Validity ::= SEQUENCE { 1077 * notBefore Time, 1078 * notAfter Time } 1079 * 1080 */ 1081 if ((ret = x509_get_dates(&p, end, &crt->valid_from, 1082 &crt->valid_to)) != 0) { 1083 mbedtls_x509_crt_free(crt); 1084 return ret; 1085 } 1086 1087 /* 1088 * subject Name 1089 */ 1090 crt->subject_raw.p = p; 1091 1092 if ((ret = mbedtls_asn1_get_tag(&p, end, &len, 1093 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) { 1094 mbedtls_x509_crt_free(crt); 1095 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_FORMAT, ret); 1096 } 1097 1098 if (len && (ret = mbedtls_x509_get_name(&p, p + len, &crt->subject)) != 0) { 1099 mbedtls_x509_crt_free(crt); 1100 return ret; 1101 } 1102 1103 crt->subject_raw.len = p - crt->subject_raw.p; 1104 1105 /* 1106 * SubjectPublicKeyInfo 1107 */ 1108 crt->pk_raw.p = p; 1109 if ((ret = mbedtls_pk_parse_subpubkey(&p, end, &crt->pk)) != 0) { 1110 mbedtls_x509_crt_free(crt); 1111 return ret; 1112 } 1113 crt->pk_raw.len = p - crt->pk_raw.p; 1114 1115 /* 1116 * issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL, 1117 * -- If present, version shall be v2 or v3 1118 * subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL, 1119 * -- If present, version shall be v2 or v3 1120 * extensions [3] EXPLICIT Extensions OPTIONAL 1121 * -- If present, version shall be v3 1122 */ 1123 if (crt->version == 2 || crt->version == 3) { 1124 ret = x509_get_uid(&p, end, &crt->issuer_id, 1); 1125 if (ret != 0) { 1126 mbedtls_x509_crt_free(crt); 1127 return ret; 1128 } 1129 } 1130 1131 if (crt->version == 2 || crt->version == 3) { 1132 ret = x509_get_uid(&p, end, &crt->subject_id, 2); 1133 if (ret != 0) { 1134 mbedtls_x509_crt_free(crt); 1135 return ret; 1136 } 1137 } 1138 1139 if (crt->version == 3) { 1140 ret = x509_get_crt_ext(&p, end, crt, cb, p_ctx); 1141 if (ret != 0) { 1142 mbedtls_x509_crt_free(crt); 1143 return ret; 1144 } 1145 } 1146 1147 if (p != end) { 1148 mbedtls_x509_crt_free(crt); 1149 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_FORMAT, 1150 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH); 1151 } 1152 1153 end = crt_end; 1154 1155 /* 1156 * } 1157 * -- end of TBSCertificate 1158 * 1159 * signatureAlgorithm AlgorithmIdentifier, 1160 * signatureValue BIT STRING 1161 */ 1162 if ((ret = mbedtls_x509_get_alg(&p, end, &sig_oid2, &sig_params2)) != 0) { 1163 mbedtls_x509_crt_free(crt); 1164 return ret; 1165 } 1166 1167 if (crt->sig_oid.len != sig_oid2.len || 1168 memcmp(crt->sig_oid.p, sig_oid2.p, crt->sig_oid.len) != 0 || 1169 sig_params1.tag != sig_params2.tag || 1170 sig_params1.len != sig_params2.len || 1171 (sig_params1.len != 0 && 1172 memcmp(sig_params1.p, sig_params2.p, sig_params1.len) != 0)) { 1173 mbedtls_x509_crt_free(crt); 1174 return MBEDTLS_ERR_X509_SIG_MISMATCH; 1175 } 1176 1177 if ((ret = mbedtls_x509_get_sig(&p, end, &crt->sig)) != 0) { 1178 mbedtls_x509_crt_free(crt); 1179 return ret; 1180 } 1181 1182 if (p != end) { 1183 mbedtls_x509_crt_free(crt); 1184 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_FORMAT, 1185 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH); 1186 } 1187 1188 return 0; 1189 } 1190 1191 /* 1192 * Parse one X.509 certificate in DER format from a buffer and add them to a 1193 * chained list 1194 */ 1195 static int mbedtls_x509_crt_parse_der_internal(mbedtls_x509_crt *chain, 1196 const unsigned char *buf, 1197 size_t buflen, 1198 int make_copy, 1199 mbedtls_x509_crt_ext_cb_t cb, 1200 void *p_ctx) 1201 { 1202 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1203 mbedtls_x509_crt *crt = chain, *prev = NULL; 1204 1205 /* 1206 * Check for valid input 1207 */ 1208 if (crt == NULL || buf == NULL) { 1209 return MBEDTLS_ERR_X509_BAD_INPUT_DATA; 1210 } 1211 1212 while (crt->version != 0 && crt->next != NULL) { 1213 prev = crt; 1214 crt = crt->next; 1215 } 1216 1217 /* 1218 * Add new certificate on the end of the chain if needed. 1219 */ 1220 if (crt->version != 0 && crt->next == NULL) { 1221 crt->next = mbedtls_calloc(1, sizeof(mbedtls_x509_crt)); 1222 1223 if (crt->next == NULL) { 1224 return MBEDTLS_ERR_X509_ALLOC_FAILED; 1225 } 1226 1227 prev = crt; 1228 mbedtls_x509_crt_init(crt->next); 1229 crt = crt->next; 1230 } 1231 1232 ret = x509_crt_parse_der_core(crt, buf, buflen, make_copy, cb, p_ctx); 1233 if (ret != 0) { 1234 if (prev) { 1235 prev->next = NULL; 1236 } 1237 1238 if (crt != chain) { 1239 mbedtls_free(crt); 1240 } 1241 1242 return ret; 1243 } 1244 1245 return 0; 1246 } 1247 1248 int mbedtls_x509_crt_parse_der_nocopy(mbedtls_x509_crt *chain, 1249 const unsigned char *buf, 1250 size_t buflen) 1251 { 1252 return mbedtls_x509_crt_parse_der_internal(chain, buf, buflen, 0, NULL, NULL); 1253 } 1254 1255 int mbedtls_x509_crt_parse_der_with_ext_cb(mbedtls_x509_crt *chain, 1256 const unsigned char *buf, 1257 size_t buflen, 1258 int make_copy, 1259 mbedtls_x509_crt_ext_cb_t cb, 1260 void *p_ctx) 1261 { 1262 return mbedtls_x509_crt_parse_der_internal(chain, buf, buflen, make_copy, cb, p_ctx); 1263 } 1264 1265 int mbedtls_x509_crt_parse_der(mbedtls_x509_crt *chain, 1266 const unsigned char *buf, 1267 size_t buflen) 1268 { 1269 return mbedtls_x509_crt_parse_der_internal(chain, buf, buflen, 1, NULL, NULL); 1270 } 1271 1272 /* 1273 * Parse one or more PEM certificates from a buffer and add them to the chained 1274 * list 1275 */ 1276 int mbedtls_x509_crt_parse(mbedtls_x509_crt *chain, 1277 const unsigned char *buf, 1278 size_t buflen) 1279 { 1280 #if defined(MBEDTLS_PEM_PARSE_C) 1281 int success = 0, first_error = 0, total_failed = 0; 1282 int buf_format = MBEDTLS_X509_FORMAT_DER; 1283 #endif 1284 1285 /* 1286 * Check for valid input 1287 */ 1288 if (chain == NULL || buf == NULL) { 1289 return MBEDTLS_ERR_X509_BAD_INPUT_DATA; 1290 } 1291 1292 /* 1293 * Determine buffer content. Buffer contains either one DER certificate or 1294 * one or more PEM certificates. 1295 */ 1296 #if defined(MBEDTLS_PEM_PARSE_C) 1297 if (buflen != 0 && buf[buflen - 1] == '\0' && 1298 strstr((const char *) buf, "-----BEGIN CERTIFICATE-----") != NULL) { 1299 buf_format = MBEDTLS_X509_FORMAT_PEM; 1300 } 1301 1302 if (buf_format == MBEDTLS_X509_FORMAT_DER) { 1303 return mbedtls_x509_crt_parse_der(chain, buf, buflen); 1304 } 1305 #else 1306 return mbedtls_x509_crt_parse_der(chain, buf, buflen); 1307 #endif 1308 1309 #if defined(MBEDTLS_PEM_PARSE_C) 1310 if (buf_format == MBEDTLS_X509_FORMAT_PEM) { 1311 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1312 mbedtls_pem_context pem; 1313 1314 /* 1 rather than 0 since the terminating NULL byte is counted in */ 1315 while (buflen > 1) { 1316 size_t use_len; 1317 mbedtls_pem_init(&pem); 1318 1319 /* If we get there, we know the string is null-terminated */ 1320 ret = mbedtls_pem_read_buffer(&pem, 1321 "-----BEGIN CERTIFICATE-----", 1322 "-----END CERTIFICATE-----", 1323 buf, NULL, 0, &use_len); 1324 1325 if (ret == 0) { 1326 /* 1327 * Was PEM encoded 1328 */ 1329 buflen -= use_len; 1330 buf += use_len; 1331 } else if (ret == MBEDTLS_ERR_PEM_BAD_INPUT_DATA) { 1332 return ret; 1333 } else if (ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT) { 1334 mbedtls_pem_free(&pem); 1335 1336 /* 1337 * PEM header and footer were found 1338 */ 1339 buflen -= use_len; 1340 buf += use_len; 1341 1342 if (first_error == 0) { 1343 first_error = ret; 1344 } 1345 1346 total_failed++; 1347 continue; 1348 } else { 1349 break; 1350 } 1351 1352 ret = mbedtls_x509_crt_parse_der(chain, pem.buf, pem.buflen); 1353 1354 mbedtls_pem_free(&pem); 1355 1356 if (ret != 0) { 1357 /* 1358 * Quit parsing on a memory error 1359 */ 1360 if (ret == MBEDTLS_ERR_X509_ALLOC_FAILED) { 1361 return ret; 1362 } 1363 1364 if (first_error == 0) { 1365 first_error = ret; 1366 } 1367 1368 total_failed++; 1369 continue; 1370 } 1371 1372 success = 1; 1373 } 1374 } 1375 1376 if (success) { 1377 return total_failed; 1378 } else if (first_error) { 1379 return first_error; 1380 } else { 1381 return MBEDTLS_ERR_X509_CERT_UNKNOWN_FORMAT; 1382 } 1383 #endif /* MBEDTLS_PEM_PARSE_C */ 1384 } 1385 1386 #if defined(MBEDTLS_FS_IO) 1387 /* 1388 * Load one or more certificates and add them to the chained list 1389 */ 1390 int mbedtls_x509_crt_parse_file(mbedtls_x509_crt *chain, const char *path) 1391 { 1392 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1393 size_t n; 1394 unsigned char *buf; 1395 1396 if ((ret = mbedtls_pk_load_file(path, &buf, &n)) != 0) { 1397 return ret; 1398 } 1399 1400 ret = mbedtls_x509_crt_parse(chain, buf, n); 1401 1402 mbedtls_platform_zeroize(buf, n); 1403 mbedtls_free(buf); 1404 1405 return ret; 1406 } 1407 1408 int mbedtls_x509_crt_parse_path(mbedtls_x509_crt *chain, const char *path) 1409 { 1410 int ret = 0; 1411 #if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32) 1412 int w_ret; 1413 WCHAR szDir[MAX_PATH]; 1414 char filename[MAX_PATH]; 1415 char *p; 1416 size_t len = strlen(path); 1417 1418 WIN32_FIND_DATAW file_data; 1419 HANDLE hFind; 1420 1421 if (len > MAX_PATH - 3) { 1422 return MBEDTLS_ERR_X509_BAD_INPUT_DATA; 1423 } 1424 1425 memset(szDir, 0, sizeof(szDir)); 1426 memset(filename, 0, MAX_PATH); 1427 memcpy(filename, path, len); 1428 filename[len++] = '\\'; 1429 p = filename + len; 1430 filename[len++] = '*'; 1431 1432 w_ret = MultiByteToWideChar(CP_ACP, 0, filename, (int) len, szDir, 1433 MAX_PATH - 3); 1434 if (w_ret == 0) { 1435 return MBEDTLS_ERR_X509_BAD_INPUT_DATA; 1436 } 1437 1438 hFind = FindFirstFileW(szDir, &file_data); 1439 if (hFind == INVALID_HANDLE_VALUE) { 1440 return MBEDTLS_ERR_X509_FILE_IO_ERROR; 1441 } 1442 1443 len = MAX_PATH - len; 1444 do { 1445 memset(p, 0, len); 1446 1447 if (file_data.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) { 1448 continue; 1449 } 1450 1451 w_ret = WideCharToMultiByte(CP_ACP, 0, file_data.cFileName, 1452 -1, 1453 p, (int) len, 1454 NULL, NULL); 1455 if (w_ret == 0) { 1456 ret = MBEDTLS_ERR_X509_FILE_IO_ERROR; 1457 goto cleanup; 1458 } 1459 1460 w_ret = mbedtls_x509_crt_parse_file(chain, filename); 1461 if (w_ret < 0) { 1462 ret++; 1463 } else { 1464 ret += w_ret; 1465 } 1466 } while (FindNextFileW(hFind, &file_data) != 0); 1467 1468 if (GetLastError() != ERROR_NO_MORE_FILES) { 1469 ret = MBEDTLS_ERR_X509_FILE_IO_ERROR; 1470 } 1471 1472 cleanup: 1473 FindClose(hFind); 1474 #else /* _WIN32 */ 1475 int t_ret; 1476 int snp_ret; 1477 struct stat sb; 1478 struct dirent *entry; 1479 char entry_name[MBEDTLS_X509_MAX_FILE_PATH_LEN]; 1480 DIR *dir = opendir(path); 1481 1482 if (dir == NULL) { 1483 return MBEDTLS_ERR_X509_FILE_IO_ERROR; 1484 } 1485 1486 #if defined(MBEDTLS_THREADING_C) 1487 if ((ret = mbedtls_mutex_lock(&mbedtls_threading_readdir_mutex)) != 0) { 1488 closedir(dir); 1489 return ret; 1490 } 1491 #endif /* MBEDTLS_THREADING_C */ 1492 1493 memset(&sb, 0, sizeof(sb)); 1494 1495 while ((entry = readdir(dir)) != NULL) { 1496 snp_ret = mbedtls_snprintf(entry_name, sizeof(entry_name), 1497 "%s/%s", path, entry->d_name); 1498 1499 if (snp_ret < 0 || (size_t) snp_ret >= sizeof(entry_name)) { 1500 ret = MBEDTLS_ERR_X509_BUFFER_TOO_SMALL; 1501 goto cleanup; 1502 } else if (stat(entry_name, &sb) == -1) { 1503 if (errno == ENOENT) { 1504 /* Broken symbolic link - ignore this entry. 1505 stat(2) will return this error for either (a) a dangling 1506 symlink or (b) a missing file. 1507 Given that we have just obtained the filename from readdir, 1508 assume that it does exist and therefore treat this as a 1509 dangling symlink. */ 1510 continue; 1511 } else { 1512 /* Some other file error; report the error. */ 1513 ret = MBEDTLS_ERR_X509_FILE_IO_ERROR; 1514 goto cleanup; 1515 } 1516 } 1517 1518 if (!S_ISREG(sb.st_mode)) { 1519 continue; 1520 } 1521 1522 // Ignore parse errors 1523 // 1524 t_ret = mbedtls_x509_crt_parse_file(chain, entry_name); 1525 if (t_ret < 0) { 1526 ret++; 1527 } else { 1528 ret += t_ret; 1529 } 1530 } 1531 1532 cleanup: 1533 closedir(dir); 1534 1535 #if defined(MBEDTLS_THREADING_C) 1536 if (mbedtls_mutex_unlock(&mbedtls_threading_readdir_mutex) != 0) { 1537 ret = MBEDTLS_ERR_THREADING_MUTEX_ERROR; 1538 } 1539 #endif /* MBEDTLS_THREADING_C */ 1540 1541 #endif /* _WIN32 */ 1542 1543 return ret; 1544 } 1545 #endif /* MBEDTLS_FS_IO */ 1546 1547 #if !defined(MBEDTLS_X509_REMOVE_INFO) 1548 static int x509_info_ext_key_usage(char **buf, size_t *size, 1549 const mbedtls_x509_sequence *extended_key_usage) 1550 { 1551 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1552 const char *desc; 1553 size_t n = *size; 1554 char *p = *buf; 1555 const mbedtls_x509_sequence *cur = extended_key_usage; 1556 const char *sep = ""; 1557 1558 while (cur != NULL) { 1559 if (mbedtls_oid_get_extended_key_usage(&cur->buf, &desc) != 0) { 1560 desc = "???"; 1561 } 1562 1563 ret = mbedtls_snprintf(p, n, "%s%s", sep, desc); 1564 MBEDTLS_X509_SAFE_SNPRINTF; 1565 1566 sep = ", "; 1567 1568 cur = cur->next; 1569 } 1570 1571 *size = n; 1572 *buf = p; 1573 1574 return 0; 1575 } 1576 1577 static int x509_info_cert_policies(char **buf, size_t *size, 1578 const mbedtls_x509_sequence *certificate_policies) 1579 { 1580 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1581 const char *desc; 1582 size_t n = *size; 1583 char *p = *buf; 1584 const mbedtls_x509_sequence *cur = certificate_policies; 1585 const char *sep = ""; 1586 1587 while (cur != NULL) { 1588 if (mbedtls_oid_get_certificate_policies(&cur->buf, &desc) != 0) { 1589 desc = "???"; 1590 } 1591 1592 ret = mbedtls_snprintf(p, n, "%s%s", sep, desc); 1593 MBEDTLS_X509_SAFE_SNPRINTF; 1594 1595 sep = ", "; 1596 1597 cur = cur->next; 1598 } 1599 1600 *size = n; 1601 *buf = p; 1602 1603 return 0; 1604 } 1605 1606 /* 1607 * Return an informational string about the certificate. 1608 */ 1609 #define BEFORE_COLON 18 1610 #define BC "18" 1611 int mbedtls_x509_crt_info(char *buf, size_t size, const char *prefix, 1612 const mbedtls_x509_crt *crt) 1613 { 1614 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1615 size_t n; 1616 char *p; 1617 char key_size_str[BEFORE_COLON]; 1618 1619 p = buf; 1620 n = size; 1621 1622 if (NULL == crt) { 1623 ret = mbedtls_snprintf(p, n, "\nCertificate is uninitialised!\n"); 1624 MBEDTLS_X509_SAFE_SNPRINTF; 1625 1626 return (int) (size - n); 1627 } 1628 1629 ret = mbedtls_snprintf(p, n, "%scert. version : %d\n", 1630 prefix, crt->version); 1631 MBEDTLS_X509_SAFE_SNPRINTF; 1632 ret = mbedtls_snprintf(p, n, "%sserial number : ", 1633 prefix); 1634 MBEDTLS_X509_SAFE_SNPRINTF; 1635 1636 ret = mbedtls_x509_serial_gets(p, n, &crt->serial); 1637 MBEDTLS_X509_SAFE_SNPRINTF; 1638 1639 ret = mbedtls_snprintf(p, n, "\n%sissuer name : ", prefix); 1640 MBEDTLS_X509_SAFE_SNPRINTF; 1641 ret = mbedtls_x509_dn_gets(p, n, &crt->issuer); 1642 MBEDTLS_X509_SAFE_SNPRINTF; 1643 1644 ret = mbedtls_snprintf(p, n, "\n%ssubject name : ", prefix); 1645 MBEDTLS_X509_SAFE_SNPRINTF; 1646 ret = mbedtls_x509_dn_gets(p, n, &crt->subject); 1647 MBEDTLS_X509_SAFE_SNPRINTF; 1648 1649 ret = mbedtls_snprintf(p, n, "\n%sissued on : " \ 1650 "%04d-%02d-%02d %02d:%02d:%02d", prefix, 1651 crt->valid_from.year, crt->valid_from.mon, 1652 crt->valid_from.day, crt->valid_from.hour, 1653 crt->valid_from.min, crt->valid_from.sec); 1654 MBEDTLS_X509_SAFE_SNPRINTF; 1655 1656 ret = mbedtls_snprintf(p, n, "\n%sexpires on : " \ 1657 "%04d-%02d-%02d %02d:%02d:%02d", prefix, 1658 crt->valid_to.year, crt->valid_to.mon, 1659 crt->valid_to.day, crt->valid_to.hour, 1660 crt->valid_to.min, crt->valid_to.sec); 1661 MBEDTLS_X509_SAFE_SNPRINTF; 1662 1663 ret = mbedtls_snprintf(p, n, "\n%ssigned using : ", prefix); 1664 MBEDTLS_X509_SAFE_SNPRINTF; 1665 1666 ret = mbedtls_x509_sig_alg_gets(p, n, &crt->sig_oid, crt->sig_pk, 1667 crt->sig_md, crt->sig_opts); 1668 MBEDTLS_X509_SAFE_SNPRINTF; 1669 1670 /* Key size */ 1671 if ((ret = mbedtls_x509_key_size_helper(key_size_str, BEFORE_COLON, 1672 mbedtls_pk_get_name(&crt->pk))) != 0) { 1673 return ret; 1674 } 1675 1676 ret = mbedtls_snprintf(p, n, "\n%s%-" BC "s: %d bits", prefix, key_size_str, 1677 (int) mbedtls_pk_get_bitlen(&crt->pk)); 1678 MBEDTLS_X509_SAFE_SNPRINTF; 1679 1680 /* 1681 * Optional extensions 1682 */ 1683 1684 if (crt->ext_types & MBEDTLS_X509_EXT_BASIC_CONSTRAINTS) { 1685 ret = mbedtls_snprintf(p, n, "\n%sbasic constraints : CA=%s", prefix, 1686 crt->ca_istrue ? "true" : "false"); 1687 MBEDTLS_X509_SAFE_SNPRINTF; 1688 1689 if (crt->max_pathlen > 0) { 1690 ret = mbedtls_snprintf(p, n, ", max_pathlen=%d", crt->max_pathlen - 1); 1691 MBEDTLS_X509_SAFE_SNPRINTF; 1692 } 1693 } 1694 1695 if (crt->ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME) { 1696 ret = mbedtls_snprintf(p, n, "\n%ssubject alt name :", prefix); 1697 MBEDTLS_X509_SAFE_SNPRINTF; 1698 1699 if ((ret = mbedtls_x509_info_subject_alt_name(&p, &n, 1700 &crt->subject_alt_names, 1701 prefix)) != 0) { 1702 return ret; 1703 } 1704 } 1705 1706 if (crt->ext_types & MBEDTLS_X509_EXT_NS_CERT_TYPE) { 1707 ret = mbedtls_snprintf(p, n, "\n%scert. type : ", prefix); 1708 MBEDTLS_X509_SAFE_SNPRINTF; 1709 1710 if ((ret = mbedtls_x509_info_cert_type(&p, &n, crt->ns_cert_type)) != 0) { 1711 return ret; 1712 } 1713 } 1714 1715 if (crt->ext_types & MBEDTLS_X509_EXT_KEY_USAGE) { 1716 ret = mbedtls_snprintf(p, n, "\n%skey usage : ", prefix); 1717 MBEDTLS_X509_SAFE_SNPRINTF; 1718 1719 if ((ret = mbedtls_x509_info_key_usage(&p, &n, crt->key_usage)) != 0) { 1720 return ret; 1721 } 1722 } 1723 1724 if (crt->ext_types & MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE) { 1725 ret = mbedtls_snprintf(p, n, "\n%sext key usage : ", prefix); 1726 MBEDTLS_X509_SAFE_SNPRINTF; 1727 1728 if ((ret = x509_info_ext_key_usage(&p, &n, 1729 &crt->ext_key_usage)) != 0) { 1730 return ret; 1731 } 1732 } 1733 1734 if (crt->ext_types & MBEDTLS_OID_X509_EXT_CERTIFICATE_POLICIES) { 1735 ret = mbedtls_snprintf(p, n, "\n%scertificate policies : ", prefix); 1736 MBEDTLS_X509_SAFE_SNPRINTF; 1737 1738 if ((ret = x509_info_cert_policies(&p, &n, 1739 &crt->certificate_policies)) != 0) { 1740 return ret; 1741 } 1742 } 1743 1744 ret = mbedtls_snprintf(p, n, "\n"); 1745 MBEDTLS_X509_SAFE_SNPRINTF; 1746 1747 return (int) (size - n); 1748 } 1749 1750 struct x509_crt_verify_string { 1751 int code; 1752 const char *string; 1753 }; 1754 1755 #define X509_CRT_ERROR_INFO(err, err_str, info) { err, info }, 1756 static const struct x509_crt_verify_string x509_crt_verify_strings[] = { 1757 MBEDTLS_X509_CRT_ERROR_INFO_LIST 1758 { 0, NULL } 1759 }; 1760 #undef X509_CRT_ERROR_INFO 1761 1762 int mbedtls_x509_crt_verify_info(char *buf, size_t size, const char *prefix, 1763 uint32_t flags) 1764 { 1765 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1766 const struct x509_crt_verify_string *cur; 1767 char *p = buf; 1768 size_t n = size; 1769 1770 for (cur = x509_crt_verify_strings; cur->string != NULL; cur++) { 1771 if ((flags & cur->code) == 0) { 1772 continue; 1773 } 1774 1775 ret = mbedtls_snprintf(p, n, "%s%s\n", prefix, cur->string); 1776 MBEDTLS_X509_SAFE_SNPRINTF; 1777 flags ^= cur->code; 1778 } 1779 1780 if (flags != 0) { 1781 ret = mbedtls_snprintf(p, n, "%sUnknown reason " 1782 "(this should not happen)\n", prefix); 1783 MBEDTLS_X509_SAFE_SNPRINTF; 1784 } 1785 1786 return (int) (size - n); 1787 } 1788 #endif /* MBEDTLS_X509_REMOVE_INFO */ 1789 1790 int mbedtls_x509_crt_check_key_usage(const mbedtls_x509_crt *crt, 1791 unsigned int usage) 1792 { 1793 unsigned int usage_must, usage_may; 1794 unsigned int may_mask = MBEDTLS_X509_KU_ENCIPHER_ONLY 1795 | MBEDTLS_X509_KU_DECIPHER_ONLY; 1796 1797 if ((crt->ext_types & MBEDTLS_X509_EXT_KEY_USAGE) == 0) { 1798 return 0; 1799 } 1800 1801 usage_must = usage & ~may_mask; 1802 1803 if (((crt->key_usage & ~may_mask) & usage_must) != usage_must) { 1804 return MBEDTLS_ERR_X509_BAD_INPUT_DATA; 1805 } 1806 1807 usage_may = usage & may_mask; 1808 1809 if (((crt->key_usage & may_mask) | usage_may) != usage_may) { 1810 return MBEDTLS_ERR_X509_BAD_INPUT_DATA; 1811 } 1812 1813 return 0; 1814 } 1815 1816 int mbedtls_x509_crt_check_extended_key_usage(const mbedtls_x509_crt *crt, 1817 const char *usage_oid, 1818 size_t usage_len) 1819 { 1820 const mbedtls_x509_sequence *cur; 1821 1822 /* Extension is not mandatory, absent means no restriction */ 1823 if ((crt->ext_types & MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE) == 0) { 1824 return 0; 1825 } 1826 1827 /* 1828 * Look for the requested usage (or wildcard ANY) in our list 1829 */ 1830 for (cur = &crt->ext_key_usage; cur != NULL; cur = cur->next) { 1831 const mbedtls_x509_buf *cur_oid = &cur->buf; 1832 1833 if (cur_oid->len == usage_len && 1834 memcmp(cur_oid->p, usage_oid, usage_len) == 0) { 1835 return 0; 1836 } 1837 1838 if (MBEDTLS_OID_CMP(MBEDTLS_OID_ANY_EXTENDED_KEY_USAGE, cur_oid) == 0) { 1839 return 0; 1840 } 1841 } 1842 1843 return MBEDTLS_ERR_X509_BAD_INPUT_DATA; 1844 } 1845 1846 #if defined(MBEDTLS_X509_CRL_PARSE_C) 1847 /* 1848 * Return 1 if the certificate is revoked, or 0 otherwise. 1849 */ 1850 int mbedtls_x509_crt_is_revoked(const mbedtls_x509_crt *crt, const mbedtls_x509_crl *crl) 1851 { 1852 const mbedtls_x509_crl_entry *cur = &crl->entry; 1853 1854 while (cur != NULL && cur->serial.len != 0) { 1855 if (crt->serial.len == cur->serial.len && 1856 memcmp(crt->serial.p, cur->serial.p, crt->serial.len) == 0) { 1857 return 1; 1858 } 1859 1860 cur = cur->next; 1861 } 1862 1863 return 0; 1864 } 1865 1866 /* 1867 * Check that the given certificate is not revoked according to the CRL. 1868 * Skip validation if no CRL for the given CA is present. 1869 */ 1870 static int x509_crt_verifycrl(mbedtls_x509_crt *crt, mbedtls_x509_crt *ca, 1871 mbedtls_x509_crl *crl_list, 1872 const mbedtls_x509_crt_profile *profile) 1873 { 1874 int flags = 0; 1875 unsigned char hash[MBEDTLS_HASH_MAX_SIZE]; 1876 #if defined(MBEDTLS_USE_PSA_CRYPTO) 1877 psa_algorithm_t psa_algorithm; 1878 #else 1879 const mbedtls_md_info_t *md_info; 1880 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 1881 size_t hash_length; 1882 1883 if (ca == NULL) { 1884 return flags; 1885 } 1886 1887 while (crl_list != NULL) { 1888 if (crl_list->version == 0 || 1889 x509_name_cmp(&crl_list->issuer, &ca->subject) != 0) { 1890 crl_list = crl_list->next; 1891 continue; 1892 } 1893 1894 /* 1895 * Check if the CA is configured to sign CRLs 1896 */ 1897 if (mbedtls_x509_crt_check_key_usage(ca, 1898 MBEDTLS_X509_KU_CRL_SIGN) != 0) { 1899 flags |= MBEDTLS_X509_BADCRL_NOT_TRUSTED; 1900 break; 1901 } 1902 1903 /* 1904 * Check if CRL is correctly signed by the trusted CA 1905 */ 1906 if (x509_profile_check_md_alg(profile, crl_list->sig_md) != 0) { 1907 flags |= MBEDTLS_X509_BADCRL_BAD_MD; 1908 } 1909 1910 if (x509_profile_check_pk_alg(profile, crl_list->sig_pk) != 0) { 1911 flags |= MBEDTLS_X509_BADCRL_BAD_PK; 1912 } 1913 1914 #if defined(MBEDTLS_USE_PSA_CRYPTO) 1915 psa_algorithm = mbedtls_hash_info_psa_from_md(crl_list->sig_md); 1916 if (psa_hash_compute(psa_algorithm, 1917 crl_list->tbs.p, 1918 crl_list->tbs.len, 1919 hash, 1920 sizeof(hash), 1921 &hash_length) != PSA_SUCCESS) { 1922 /* Note: this can't happen except after an internal error */ 1923 flags |= MBEDTLS_X509_BADCRL_NOT_TRUSTED; 1924 break; 1925 } 1926 #else 1927 md_info = mbedtls_md_info_from_type(crl_list->sig_md); 1928 hash_length = mbedtls_md_get_size(md_info); 1929 if (mbedtls_md(md_info, 1930 crl_list->tbs.p, 1931 crl_list->tbs.len, 1932 hash) != 0) { 1933 /* Note: this can't happen except after an internal error */ 1934 flags |= MBEDTLS_X509_BADCRL_NOT_TRUSTED; 1935 break; 1936 } 1937 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 1938 1939 if (x509_profile_check_key(profile, &ca->pk) != 0) { 1940 flags |= MBEDTLS_X509_BADCERT_BAD_KEY; 1941 } 1942 1943 if (mbedtls_pk_verify_ext(crl_list->sig_pk, crl_list->sig_opts, &ca->pk, 1944 crl_list->sig_md, hash, hash_length, 1945 crl_list->sig.p, crl_list->sig.len) != 0) { 1946 flags |= MBEDTLS_X509_BADCRL_NOT_TRUSTED; 1947 break; 1948 } 1949 1950 /* 1951 * Check for validity of CRL (Do not drop out) 1952 */ 1953 if (mbedtls_x509_time_is_past(&crl_list->next_update)) { 1954 flags |= MBEDTLS_X509_BADCRL_EXPIRED; 1955 } 1956 1957 if (mbedtls_x509_time_is_future(&crl_list->this_update)) { 1958 flags |= MBEDTLS_X509_BADCRL_FUTURE; 1959 } 1960 1961 /* 1962 * Check if certificate is revoked 1963 */ 1964 if (mbedtls_x509_crt_is_revoked(crt, crl_list)) { 1965 flags |= MBEDTLS_X509_BADCERT_REVOKED; 1966 break; 1967 } 1968 1969 crl_list = crl_list->next; 1970 } 1971 1972 return flags; 1973 } 1974 #endif /* MBEDTLS_X509_CRL_PARSE_C */ 1975 1976 /* 1977 * Check the signature of a certificate by its parent 1978 */ 1979 static int x509_crt_check_signature(const mbedtls_x509_crt *child, 1980 mbedtls_x509_crt *parent, 1981 mbedtls_x509_crt_restart_ctx *rs_ctx) 1982 { 1983 size_t hash_len; 1984 unsigned char hash[MBEDTLS_HASH_MAX_SIZE]; 1985 #if !defined(MBEDTLS_USE_PSA_CRYPTO) 1986 const mbedtls_md_info_t *md_info; 1987 md_info = mbedtls_md_info_from_type(child->sig_md); 1988 hash_len = mbedtls_md_get_size(md_info); 1989 1990 /* Note: hash errors can happen only after an internal error */ 1991 if (mbedtls_md(md_info, child->tbs.p, child->tbs.len, hash) != 0) { 1992 return -1; 1993 } 1994 #else 1995 psa_algorithm_t hash_alg = mbedtls_hash_info_psa_from_md(child->sig_md); 1996 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 1997 1998 status = psa_hash_compute(hash_alg, 1999 child->tbs.p, 2000 child->tbs.len, 2001 hash, 2002 sizeof(hash), 2003 &hash_len); 2004 if (status != PSA_SUCCESS) { 2005 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; 2006 } 2007 2008 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 2009 /* Skip expensive computation on obvious mismatch */ 2010 if (!mbedtls_pk_can_do(&parent->pk, child->sig_pk)) { 2011 return -1; 2012 } 2013 2014 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) 2015 if (rs_ctx != NULL && child->sig_pk == MBEDTLS_PK_ECDSA) { 2016 return mbedtls_pk_verify_restartable(&parent->pk, 2017 child->sig_md, hash, hash_len, 2018 child->sig.p, child->sig.len, &rs_ctx->pk); 2019 } 2020 #else 2021 (void) rs_ctx; 2022 #endif 2023 2024 return mbedtls_pk_verify_ext(child->sig_pk, child->sig_opts, &parent->pk, 2025 child->sig_md, hash, hash_len, 2026 child->sig.p, child->sig.len); 2027 } 2028 2029 /* 2030 * Check if 'parent' is a suitable parent (signing CA) for 'child'. 2031 * Return 0 if yes, -1 if not. 2032 * 2033 * top means parent is a locally-trusted certificate 2034 */ 2035 static int x509_crt_check_parent(const mbedtls_x509_crt *child, 2036 const mbedtls_x509_crt *parent, 2037 int top) 2038 { 2039 int need_ca_bit; 2040 2041 /* Parent must be the issuer */ 2042 if (x509_name_cmp(&child->issuer, &parent->subject) != 0) { 2043 return -1; 2044 } 2045 2046 /* Parent must have the basicConstraints CA bit set as a general rule */ 2047 need_ca_bit = 1; 2048 2049 /* Exception: v1/v2 certificates that are locally trusted. */ 2050 if (top && parent->version < 3) { 2051 need_ca_bit = 0; 2052 } 2053 2054 if (need_ca_bit && !parent->ca_istrue) { 2055 return -1; 2056 } 2057 2058 if (need_ca_bit && 2059 mbedtls_x509_crt_check_key_usage(parent, MBEDTLS_X509_KU_KEY_CERT_SIGN) != 0) { 2060 return -1; 2061 } 2062 2063 return 0; 2064 } 2065 2066 /* 2067 * Find a suitable parent for child in candidates, or return NULL. 2068 * 2069 * Here suitable is defined as: 2070 * 1. subject name matches child's issuer 2071 * 2. if necessary, the CA bit is set and key usage allows signing certs 2072 * 3. for trusted roots, the signature is correct 2073 * (for intermediates, the signature is checked and the result reported) 2074 * 4. pathlen constraints are satisfied 2075 * 2076 * If there's a suitable candidate which is also time-valid, return the first 2077 * such. Otherwise, return the first suitable candidate (or NULL if there is 2078 * none). 2079 * 2080 * The rationale for this rule is that someone could have a list of trusted 2081 * roots with two versions on the same root with different validity periods. 2082 * (At least one user reported having such a list and wanted it to just work.) 2083 * The reason we don't just require time-validity is that generally there is 2084 * only one version, and if it's expired we want the flags to state that 2085 * rather than NOT_TRUSTED, as would be the case if we required it here. 2086 * 2087 * The rationale for rule 3 (signature for trusted roots) is that users might 2088 * have two versions of the same CA with different keys in their list, and the 2089 * way we select the correct one is by checking the signature (as we don't 2090 * rely on key identifier extensions). (This is one way users might choose to 2091 * handle key rollover, another relies on self-issued certs, see [SIRO].) 2092 * 2093 * Arguments: 2094 * - [in] child: certificate for which we're looking for a parent 2095 * - [in] candidates: chained list of potential parents 2096 * - [out] r_parent: parent found (or NULL) 2097 * - [out] r_signature_is_good: 1 if child signature by parent is valid, or 0 2098 * - [in] top: 1 if candidates consists of trusted roots, ie we're at the top 2099 * of the chain, 0 otherwise 2100 * - [in] path_cnt: number of intermediates seen so far 2101 * - [in] self_cnt: number of self-signed intermediates seen so far 2102 * (will never be greater than path_cnt) 2103 * - [in-out] rs_ctx: context for restarting operations 2104 * 2105 * Return value: 2106 * - 0 on success 2107 * - MBEDTLS_ERR_ECP_IN_PROGRESS otherwise 2108 */ 2109 static int x509_crt_find_parent_in( 2110 mbedtls_x509_crt *child, 2111 mbedtls_x509_crt *candidates, 2112 mbedtls_x509_crt **r_parent, 2113 int *r_signature_is_good, 2114 int top, 2115 unsigned path_cnt, 2116 unsigned self_cnt, 2117 mbedtls_x509_crt_restart_ctx *rs_ctx) 2118 { 2119 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 2120 mbedtls_x509_crt *parent, *fallback_parent; 2121 int signature_is_good = 0, fallback_signature_is_good; 2122 2123 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) 2124 /* did we have something in progress? */ 2125 if (rs_ctx != NULL && rs_ctx->parent != NULL) { 2126 /* restore saved state */ 2127 parent = rs_ctx->parent; 2128 fallback_parent = rs_ctx->fallback_parent; 2129 fallback_signature_is_good = rs_ctx->fallback_signature_is_good; 2130 2131 /* clear saved state */ 2132 rs_ctx->parent = NULL; 2133 rs_ctx->fallback_parent = NULL; 2134 rs_ctx->fallback_signature_is_good = 0; 2135 2136 /* resume where we left */ 2137 goto check_signature; 2138 } 2139 #endif 2140 2141 fallback_parent = NULL; 2142 fallback_signature_is_good = 0; 2143 2144 for (parent = candidates; parent != NULL; parent = parent->next) { 2145 /* basic parenting skills (name, CA bit, key usage) */ 2146 if (x509_crt_check_parent(child, parent, top) != 0) { 2147 continue; 2148 } 2149 2150 /* +1 because stored max_pathlen is 1 higher that the actual value */ 2151 if (parent->max_pathlen > 0 && 2152 (size_t) parent->max_pathlen < 1 + path_cnt - self_cnt) { 2153 continue; 2154 } 2155 2156 /* Signature */ 2157 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) 2158 check_signature: 2159 #endif 2160 ret = x509_crt_check_signature(child, parent, rs_ctx); 2161 2162 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) 2163 if (rs_ctx != NULL && ret == MBEDTLS_ERR_ECP_IN_PROGRESS) { 2164 /* save state */ 2165 rs_ctx->parent = parent; 2166 rs_ctx->fallback_parent = fallback_parent; 2167 rs_ctx->fallback_signature_is_good = fallback_signature_is_good; 2168 2169 return ret; 2170 } 2171 #else 2172 (void) ret; 2173 #endif 2174 2175 signature_is_good = ret == 0; 2176 if (top && !signature_is_good) { 2177 continue; 2178 } 2179 2180 /* optional time check */ 2181 if (mbedtls_x509_time_is_past(&parent->valid_to) || 2182 mbedtls_x509_time_is_future(&parent->valid_from)) { 2183 if (fallback_parent == NULL) { 2184 fallback_parent = parent; 2185 fallback_signature_is_good = signature_is_good; 2186 } 2187 2188 continue; 2189 } 2190 2191 *r_parent = parent; 2192 *r_signature_is_good = signature_is_good; 2193 2194 break; 2195 } 2196 2197 if (parent == NULL) { 2198 *r_parent = fallback_parent; 2199 *r_signature_is_good = fallback_signature_is_good; 2200 } 2201 2202 return 0; 2203 } 2204 2205 /* 2206 * Find a parent in trusted CAs or the provided chain, or return NULL. 2207 * 2208 * Searches in trusted CAs first, and return the first suitable parent found 2209 * (see find_parent_in() for definition of suitable). 2210 * 2211 * Arguments: 2212 * - [in] child: certificate for which we're looking for a parent, followed 2213 * by a chain of possible intermediates 2214 * - [in] trust_ca: list of locally trusted certificates 2215 * - [out] parent: parent found (or NULL) 2216 * - [out] parent_is_trusted: 1 if returned `parent` is trusted, or 0 2217 * - [out] signature_is_good: 1 if child signature by parent is valid, or 0 2218 * - [in] path_cnt: number of links in the chain so far (EE -> ... -> child) 2219 * - [in] self_cnt: number of self-signed certs in the chain so far 2220 * (will always be no greater than path_cnt) 2221 * - [in-out] rs_ctx: context for restarting operations 2222 * 2223 * Return value: 2224 * - 0 on success 2225 * - MBEDTLS_ERR_ECP_IN_PROGRESS otherwise 2226 */ 2227 static int x509_crt_find_parent( 2228 mbedtls_x509_crt *child, 2229 mbedtls_x509_crt *trust_ca, 2230 mbedtls_x509_crt **parent, 2231 int *parent_is_trusted, 2232 int *signature_is_good, 2233 unsigned path_cnt, 2234 unsigned self_cnt, 2235 mbedtls_x509_crt_restart_ctx *rs_ctx) 2236 { 2237 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 2238 mbedtls_x509_crt *search_list; 2239 2240 *parent_is_trusted = 1; 2241 2242 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) 2243 /* restore then clear saved state if we have some stored */ 2244 if (rs_ctx != NULL && rs_ctx->parent_is_trusted != -1) { 2245 *parent_is_trusted = rs_ctx->parent_is_trusted; 2246 rs_ctx->parent_is_trusted = -1; 2247 } 2248 #endif 2249 2250 while (1) { 2251 search_list = *parent_is_trusted ? trust_ca : child->next; 2252 2253 ret = x509_crt_find_parent_in(child, search_list, 2254 parent, signature_is_good, 2255 *parent_is_trusted, 2256 path_cnt, self_cnt, rs_ctx); 2257 2258 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) 2259 if (rs_ctx != NULL && ret == MBEDTLS_ERR_ECP_IN_PROGRESS) { 2260 /* save state */ 2261 rs_ctx->parent_is_trusted = *parent_is_trusted; 2262 return ret; 2263 } 2264 #else 2265 (void) ret; 2266 #endif 2267 2268 /* stop here if found or already in second iteration */ 2269 if (*parent != NULL || *parent_is_trusted == 0) { 2270 break; 2271 } 2272 2273 /* prepare second iteration */ 2274 *parent_is_trusted = 0; 2275 } 2276 2277 /* extra precaution against mistakes in the caller */ 2278 if (*parent == NULL) { 2279 *parent_is_trusted = 0; 2280 *signature_is_good = 0; 2281 } 2282 2283 return 0; 2284 } 2285 2286 /* 2287 * Check if an end-entity certificate is locally trusted 2288 * 2289 * Currently we require such certificates to be self-signed (actually only 2290 * check for self-issued as self-signatures are not checked) 2291 */ 2292 static int x509_crt_check_ee_locally_trusted( 2293 mbedtls_x509_crt *crt, 2294 mbedtls_x509_crt *trust_ca) 2295 { 2296 mbedtls_x509_crt *cur; 2297 2298 /* must be self-issued */ 2299 if (x509_name_cmp(&crt->issuer, &crt->subject) != 0) { 2300 return -1; 2301 } 2302 2303 /* look for an exact match with trusted cert */ 2304 for (cur = trust_ca; cur != NULL; cur = cur->next) { 2305 if (crt->raw.len == cur->raw.len && 2306 memcmp(crt->raw.p, cur->raw.p, crt->raw.len) == 0) { 2307 return 0; 2308 } 2309 } 2310 2311 /* too bad */ 2312 return -1; 2313 } 2314 2315 /* 2316 * Build and verify a certificate chain 2317 * 2318 * Given a peer-provided list of certificates EE, C1, ..., Cn and 2319 * a list of trusted certs R1, ... Rp, try to build and verify a chain 2320 * EE, Ci1, ... Ciq [, Rj] 2321 * such that every cert in the chain is a child of the next one, 2322 * jumping to a trusted root as early as possible. 2323 * 2324 * Verify that chain and return it with flags for all issues found. 2325 * 2326 * Special cases: 2327 * - EE == Rj -> return a one-element list containing it 2328 * - EE, Ci1, ..., Ciq cannot be continued with a trusted root 2329 * -> return that chain with NOT_TRUSTED set on Ciq 2330 * 2331 * Tests for (aspects of) this function should include at least: 2332 * - trusted EE 2333 * - EE -> trusted root 2334 * - EE -> intermediate CA -> trusted root 2335 * - if relevant: EE untrusted 2336 * - if relevant: EE -> intermediate, untrusted 2337 * with the aspect under test checked at each relevant level (EE, int, root). 2338 * For some aspects longer chains are required, but usually length 2 is 2339 * enough (but length 1 is not in general). 2340 * 2341 * Arguments: 2342 * - [in] crt: the cert list EE, C1, ..., Cn 2343 * - [in] trust_ca: the trusted list R1, ..., Rp 2344 * - [in] ca_crl, profile: as in verify_with_profile() 2345 * - [out] ver_chain: the built and verified chain 2346 * Only valid when return value is 0, may contain garbage otherwise! 2347 * Restart note: need not be the same when calling again to resume. 2348 * - [in-out] rs_ctx: context for restarting operations 2349 * 2350 * Return value: 2351 * - non-zero if the chain could not be fully built and examined 2352 * - 0 is the chain was successfully built and examined, 2353 * even if it was found to be invalid 2354 */ 2355 static int x509_crt_verify_chain( 2356 mbedtls_x509_crt *crt, 2357 mbedtls_x509_crt *trust_ca, 2358 mbedtls_x509_crl *ca_crl, 2359 mbedtls_x509_crt_ca_cb_t f_ca_cb, 2360 void *p_ca_cb, 2361 const mbedtls_x509_crt_profile *profile, 2362 mbedtls_x509_crt_verify_chain *ver_chain, 2363 mbedtls_x509_crt_restart_ctx *rs_ctx) 2364 { 2365 /* Don't initialize any of those variables here, so that the compiler can 2366 * catch potential issues with jumping ahead when restarting */ 2367 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 2368 uint32_t *flags; 2369 mbedtls_x509_crt_verify_chain_item *cur; 2370 mbedtls_x509_crt *child; 2371 mbedtls_x509_crt *parent; 2372 int parent_is_trusted; 2373 int child_is_trusted; 2374 int signature_is_good; 2375 unsigned self_cnt; 2376 mbedtls_x509_crt *cur_trust_ca = NULL; 2377 2378 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) 2379 /* resume if we had an operation in progress */ 2380 if (rs_ctx != NULL && rs_ctx->in_progress == x509_crt_rs_find_parent) { 2381 /* restore saved state */ 2382 *ver_chain = rs_ctx->ver_chain; /* struct copy */ 2383 self_cnt = rs_ctx->self_cnt; 2384 2385 /* restore derived state */ 2386 cur = &ver_chain->items[ver_chain->len - 1]; 2387 child = cur->crt; 2388 flags = &cur->flags; 2389 2390 goto find_parent; 2391 } 2392 #endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */ 2393 2394 child = crt; 2395 self_cnt = 0; 2396 parent_is_trusted = 0; 2397 child_is_trusted = 0; 2398 2399 while (1) { 2400 /* Add certificate to the verification chain */ 2401 cur = &ver_chain->items[ver_chain->len]; 2402 cur->crt = child; 2403 cur->flags = 0; 2404 ver_chain->len++; 2405 flags = &cur->flags; 2406 2407 /* Check time-validity (all certificates) */ 2408 if (mbedtls_x509_time_is_past(&child->valid_to)) { 2409 *flags |= MBEDTLS_X509_BADCERT_EXPIRED; 2410 } 2411 2412 if (mbedtls_x509_time_is_future(&child->valid_from)) { 2413 *flags |= MBEDTLS_X509_BADCERT_FUTURE; 2414 } 2415 2416 /* Stop here for trusted roots (but not for trusted EE certs) */ 2417 if (child_is_trusted) { 2418 return 0; 2419 } 2420 2421 /* Check signature algorithm: MD & PK algs */ 2422 if (x509_profile_check_md_alg(profile, child->sig_md) != 0) { 2423 *flags |= MBEDTLS_X509_BADCERT_BAD_MD; 2424 } 2425 2426 if (x509_profile_check_pk_alg(profile, child->sig_pk) != 0) { 2427 *flags |= MBEDTLS_X509_BADCERT_BAD_PK; 2428 } 2429 2430 /* Special case: EE certs that are locally trusted */ 2431 if (ver_chain->len == 1 && 2432 x509_crt_check_ee_locally_trusted(child, trust_ca) == 0) { 2433 return 0; 2434 } 2435 2436 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) 2437 find_parent: 2438 #endif 2439 2440 /* Obtain list of potential trusted signers from CA callback, 2441 * or use statically provided list. */ 2442 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK) 2443 if (f_ca_cb != NULL) { 2444 mbedtls_x509_crt_free(ver_chain->trust_ca_cb_result); 2445 mbedtls_free(ver_chain->trust_ca_cb_result); 2446 ver_chain->trust_ca_cb_result = NULL; 2447 2448 ret = f_ca_cb(p_ca_cb, child, &ver_chain->trust_ca_cb_result); 2449 if (ret != 0) { 2450 return MBEDTLS_ERR_X509_FATAL_ERROR; 2451 } 2452 2453 cur_trust_ca = ver_chain->trust_ca_cb_result; 2454 } else 2455 #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */ 2456 { 2457 ((void) f_ca_cb); 2458 ((void) p_ca_cb); 2459 cur_trust_ca = trust_ca; 2460 } 2461 2462 /* Look for a parent in trusted CAs or up the chain */ 2463 ret = x509_crt_find_parent(child, cur_trust_ca, &parent, 2464 &parent_is_trusted, &signature_is_good, 2465 ver_chain->len - 1, self_cnt, rs_ctx); 2466 2467 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) 2468 if (rs_ctx != NULL && ret == MBEDTLS_ERR_ECP_IN_PROGRESS) { 2469 /* save state */ 2470 rs_ctx->in_progress = x509_crt_rs_find_parent; 2471 rs_ctx->self_cnt = self_cnt; 2472 rs_ctx->ver_chain = *ver_chain; /* struct copy */ 2473 2474 return ret; 2475 } 2476 #else 2477 (void) ret; 2478 #endif 2479 2480 /* No parent? We're done here */ 2481 if (parent == NULL) { 2482 *flags |= MBEDTLS_X509_BADCERT_NOT_TRUSTED; 2483 return 0; 2484 } 2485 2486 /* Count intermediate self-issued (not necessarily self-signed) certs. 2487 * These can occur with some strategies for key rollover, see [SIRO], 2488 * and should be excluded from max_pathlen checks. */ 2489 if (ver_chain->len != 1 && 2490 x509_name_cmp(&child->issuer, &child->subject) == 0) { 2491 self_cnt++; 2492 } 2493 2494 /* path_cnt is 0 for the first intermediate CA, 2495 * and if parent is trusted it's not an intermediate CA */ 2496 if (!parent_is_trusted && 2497 ver_chain->len > MBEDTLS_X509_MAX_INTERMEDIATE_CA) { 2498 /* return immediately to avoid overflow the chain array */ 2499 return MBEDTLS_ERR_X509_FATAL_ERROR; 2500 } 2501 2502 /* signature was checked while searching parent */ 2503 if (!signature_is_good) { 2504 *flags |= MBEDTLS_X509_BADCERT_NOT_TRUSTED; 2505 } 2506 2507 /* check size of signing key */ 2508 if (x509_profile_check_key(profile, &parent->pk) != 0) { 2509 *flags |= MBEDTLS_X509_BADCERT_BAD_KEY; 2510 } 2511 2512 #if defined(MBEDTLS_X509_CRL_PARSE_C) 2513 /* Check trusted CA's CRL for the given crt */ 2514 *flags |= x509_crt_verifycrl(child, parent, ca_crl, profile); 2515 #else 2516 (void) ca_crl; 2517 #endif 2518 2519 /* prepare for next iteration */ 2520 child = parent; 2521 parent = NULL; 2522 child_is_trusted = parent_is_trusted; 2523 signature_is_good = 0; 2524 } 2525 } 2526 2527 /* 2528 * Check for CN match 2529 */ 2530 static int x509_crt_check_cn(const mbedtls_x509_buf *name, 2531 const char *cn, size_t cn_len) 2532 { 2533 /* try exact match */ 2534 if (name->len == cn_len && 2535 x509_memcasecmp(cn, name->p, cn_len) == 0) { 2536 return 0; 2537 } 2538 2539 /* try wildcard match */ 2540 if (x509_check_wildcard(cn, name) == 0) { 2541 return 0; 2542 } 2543 2544 return -1; 2545 } 2546 2547 /* 2548 * Check for SAN match, see RFC 5280 Section 4.2.1.6 2549 */ 2550 static int x509_crt_check_san(const mbedtls_x509_buf *name, 2551 const char *cn, size_t cn_len) 2552 { 2553 const unsigned char san_type = (unsigned char) name->tag & 2554 MBEDTLS_ASN1_TAG_VALUE_MASK; 2555 2556 /* dNSName */ 2557 if (san_type == MBEDTLS_X509_SAN_DNS_NAME) { 2558 return x509_crt_check_cn(name, cn, cn_len); 2559 } 2560 2561 /* (We may handle other types here later.) */ 2562 2563 /* Unrecognized type */ 2564 return -1; 2565 } 2566 2567 /* 2568 * Verify the requested CN - only call this if cn is not NULL! 2569 */ 2570 static void x509_crt_verify_name(const mbedtls_x509_crt *crt, 2571 const char *cn, 2572 uint32_t *flags) 2573 { 2574 const mbedtls_x509_name *name; 2575 const mbedtls_x509_sequence *cur; 2576 size_t cn_len = strlen(cn); 2577 2578 if (crt->ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME) { 2579 for (cur = &crt->subject_alt_names; cur != NULL; cur = cur->next) { 2580 if (x509_crt_check_san(&cur->buf, cn, cn_len) == 0) { 2581 break; 2582 } 2583 } 2584 2585 if (cur == NULL) { 2586 *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH; 2587 } 2588 } else { 2589 for (name = &crt->subject; name != NULL; name = name->next) { 2590 if (MBEDTLS_OID_CMP(MBEDTLS_OID_AT_CN, &name->oid) == 0 && 2591 x509_crt_check_cn(&name->val, cn, cn_len) == 0) { 2592 break; 2593 } 2594 } 2595 2596 if (name == NULL) { 2597 *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH; 2598 } 2599 } 2600 } 2601 2602 /* 2603 * Merge the flags for all certs in the chain, after calling callback 2604 */ 2605 static int x509_crt_merge_flags_with_cb( 2606 uint32_t *flags, 2607 const mbedtls_x509_crt_verify_chain *ver_chain, 2608 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), 2609 void *p_vrfy) 2610 { 2611 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 2612 unsigned i; 2613 uint32_t cur_flags; 2614 const mbedtls_x509_crt_verify_chain_item *cur; 2615 2616 for (i = ver_chain->len; i != 0; --i) { 2617 cur = &ver_chain->items[i-1]; 2618 cur_flags = cur->flags; 2619 2620 if (NULL != f_vrfy) { 2621 if ((ret = f_vrfy(p_vrfy, cur->crt, (int) i-1, &cur_flags)) != 0) { 2622 return ret; 2623 } 2624 } 2625 2626 *flags |= cur_flags; 2627 } 2628 2629 return 0; 2630 } 2631 2632 /* 2633 * Verify the certificate validity, with profile, restartable version 2634 * 2635 * This function: 2636 * - checks the requested CN (if any) 2637 * - checks the type and size of the EE cert's key, 2638 * as that isn't done as part of chain building/verification currently 2639 * - builds and verifies the chain 2640 * - then calls the callback and merges the flags 2641 * 2642 * The parameters pairs `trust_ca`, `ca_crl` and `f_ca_cb`, `p_ca_cb` 2643 * are mutually exclusive: If `f_ca_cb != NULL`, it will be used by the 2644 * verification routine to search for trusted signers, and CRLs will 2645 * be disabled. Otherwise, `trust_ca` will be used as the static list 2646 * of trusted signers, and `ca_crl` will be use as the static list 2647 * of CRLs. 2648 */ 2649 static int x509_crt_verify_restartable_ca_cb(mbedtls_x509_crt *crt, 2650 mbedtls_x509_crt *trust_ca, 2651 mbedtls_x509_crl *ca_crl, 2652 mbedtls_x509_crt_ca_cb_t f_ca_cb, 2653 void *p_ca_cb, 2654 const mbedtls_x509_crt_profile *profile, 2655 const char *cn, uint32_t *flags, 2656 int (*f_vrfy)(void *, 2657 mbedtls_x509_crt *, 2658 int, 2659 uint32_t *), 2660 void *p_vrfy, 2661 mbedtls_x509_crt_restart_ctx *rs_ctx) 2662 { 2663 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 2664 mbedtls_pk_type_t pk_type; 2665 mbedtls_x509_crt_verify_chain ver_chain; 2666 uint32_t ee_flags; 2667 2668 *flags = 0; 2669 ee_flags = 0; 2670 x509_crt_verify_chain_reset(&ver_chain); 2671 2672 if (profile == NULL) { 2673 ret = MBEDTLS_ERR_X509_BAD_INPUT_DATA; 2674 goto exit; 2675 } 2676 2677 /* check name if requested */ 2678 if (cn != NULL) { 2679 x509_crt_verify_name(crt, cn, &ee_flags); 2680 } 2681 2682 /* Check the type and size of the key */ 2683 pk_type = mbedtls_pk_get_type(&crt->pk); 2684 2685 if (x509_profile_check_pk_alg(profile, pk_type) != 0) { 2686 ee_flags |= MBEDTLS_X509_BADCERT_BAD_PK; 2687 } 2688 2689 if (x509_profile_check_key(profile, &crt->pk) != 0) { 2690 ee_flags |= MBEDTLS_X509_BADCERT_BAD_KEY; 2691 } 2692 2693 /* Check the chain */ 2694 ret = x509_crt_verify_chain(crt, trust_ca, ca_crl, 2695 f_ca_cb, p_ca_cb, profile, 2696 &ver_chain, rs_ctx); 2697 2698 if (ret != 0) { 2699 goto exit; 2700 } 2701 2702 /* Merge end-entity flags */ 2703 ver_chain.items[0].flags |= ee_flags; 2704 2705 /* Build final flags, calling callback on the way if any */ 2706 ret = x509_crt_merge_flags_with_cb(flags, &ver_chain, f_vrfy, p_vrfy); 2707 2708 exit: 2709 2710 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK) 2711 mbedtls_x509_crt_free(ver_chain.trust_ca_cb_result); 2712 mbedtls_free(ver_chain.trust_ca_cb_result); 2713 ver_chain.trust_ca_cb_result = NULL; 2714 #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */ 2715 2716 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) 2717 if (rs_ctx != NULL && ret != MBEDTLS_ERR_ECP_IN_PROGRESS) { 2718 mbedtls_x509_crt_restart_free(rs_ctx); 2719 } 2720 #endif 2721 2722 /* prevent misuse of the vrfy callback - VERIFY_FAILED would be ignored by 2723 * the SSL module for authmode optional, but non-zero return from the 2724 * callback means a fatal error so it shouldn't be ignored */ 2725 if (ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED) { 2726 ret = MBEDTLS_ERR_X509_FATAL_ERROR; 2727 } 2728 2729 if (ret != 0) { 2730 *flags = (uint32_t) -1; 2731 return ret; 2732 } 2733 2734 if (*flags != 0) { 2735 return MBEDTLS_ERR_X509_CERT_VERIFY_FAILED; 2736 } 2737 2738 return 0; 2739 } 2740 2741 2742 /* 2743 * Verify the certificate validity (default profile, not restartable) 2744 */ 2745 int mbedtls_x509_crt_verify(mbedtls_x509_crt *crt, 2746 mbedtls_x509_crt *trust_ca, 2747 mbedtls_x509_crl *ca_crl, 2748 const char *cn, uint32_t *flags, 2749 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), 2750 void *p_vrfy) 2751 { 2752 return x509_crt_verify_restartable_ca_cb(crt, trust_ca, ca_crl, 2753 NULL, NULL, 2754 &mbedtls_x509_crt_profile_default, 2755 cn, flags, 2756 f_vrfy, p_vrfy, NULL); 2757 } 2758 2759 /* 2760 * Verify the certificate validity (user-chosen profile, not restartable) 2761 */ 2762 int mbedtls_x509_crt_verify_with_profile(mbedtls_x509_crt *crt, 2763 mbedtls_x509_crt *trust_ca, 2764 mbedtls_x509_crl *ca_crl, 2765 const mbedtls_x509_crt_profile *profile, 2766 const char *cn, uint32_t *flags, 2767 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), 2768 void *p_vrfy) 2769 { 2770 return x509_crt_verify_restartable_ca_cb(crt, trust_ca, ca_crl, 2771 NULL, NULL, 2772 profile, cn, flags, 2773 f_vrfy, p_vrfy, NULL); 2774 } 2775 2776 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK) 2777 /* 2778 * Verify the certificate validity (user-chosen profile, CA callback, 2779 * not restartable). 2780 */ 2781 int mbedtls_x509_crt_verify_with_ca_cb(mbedtls_x509_crt *crt, 2782 mbedtls_x509_crt_ca_cb_t f_ca_cb, 2783 void *p_ca_cb, 2784 const mbedtls_x509_crt_profile *profile, 2785 const char *cn, uint32_t *flags, 2786 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), 2787 void *p_vrfy) 2788 { 2789 return x509_crt_verify_restartable_ca_cb(crt, NULL, NULL, 2790 f_ca_cb, p_ca_cb, 2791 profile, cn, flags, 2792 f_vrfy, p_vrfy, NULL); 2793 } 2794 #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */ 2795 2796 int mbedtls_x509_crt_verify_restartable(mbedtls_x509_crt *crt, 2797 mbedtls_x509_crt *trust_ca, 2798 mbedtls_x509_crl *ca_crl, 2799 const mbedtls_x509_crt_profile *profile, 2800 const char *cn, uint32_t *flags, 2801 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), 2802 void *p_vrfy, 2803 mbedtls_x509_crt_restart_ctx *rs_ctx) 2804 { 2805 return x509_crt_verify_restartable_ca_cb(crt, trust_ca, ca_crl, 2806 NULL, NULL, 2807 profile, cn, flags, 2808 f_vrfy, p_vrfy, rs_ctx); 2809 } 2810 2811 2812 /* 2813 * Initialize a certificate chain 2814 */ 2815 void mbedtls_x509_crt_init(mbedtls_x509_crt *crt) 2816 { 2817 memset(crt, 0, sizeof(mbedtls_x509_crt)); 2818 } 2819 2820 /* 2821 * Unallocate all certificate data 2822 */ 2823 void mbedtls_x509_crt_free(mbedtls_x509_crt *crt) 2824 { 2825 mbedtls_x509_crt *cert_cur = crt; 2826 mbedtls_x509_crt *cert_prv; 2827 2828 while (cert_cur != NULL) { 2829 mbedtls_pk_free(&cert_cur->pk); 2830 2831 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) 2832 mbedtls_free(cert_cur->sig_opts); 2833 #endif 2834 2835 mbedtls_asn1_free_named_data_list_shallow(cert_cur->issuer.next); 2836 mbedtls_asn1_free_named_data_list_shallow(cert_cur->subject.next); 2837 mbedtls_asn1_sequence_free(cert_cur->ext_key_usage.next); 2838 mbedtls_asn1_sequence_free(cert_cur->subject_alt_names.next); 2839 mbedtls_asn1_sequence_free(cert_cur->certificate_policies.next); 2840 2841 if (cert_cur->raw.p != NULL && cert_cur->own_buffer) { 2842 mbedtls_platform_zeroize(cert_cur->raw.p, cert_cur->raw.len); 2843 mbedtls_free(cert_cur->raw.p); 2844 } 2845 2846 cert_prv = cert_cur; 2847 cert_cur = cert_cur->next; 2848 2849 mbedtls_platform_zeroize(cert_prv, sizeof(mbedtls_x509_crt)); 2850 if (cert_prv != crt) { 2851 mbedtls_free(cert_prv); 2852 } 2853 } 2854 } 2855 2856 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) 2857 /* 2858 * Initialize a restart context 2859 */ 2860 void mbedtls_x509_crt_restart_init(mbedtls_x509_crt_restart_ctx *ctx) 2861 { 2862 mbedtls_pk_restart_init(&ctx->pk); 2863 2864 ctx->parent = NULL; 2865 ctx->fallback_parent = NULL; 2866 ctx->fallback_signature_is_good = 0; 2867 2868 ctx->parent_is_trusted = -1; 2869 2870 ctx->in_progress = x509_crt_rs_none; 2871 ctx->self_cnt = 0; 2872 x509_crt_verify_chain_reset(&ctx->ver_chain); 2873 } 2874 2875 /* 2876 * Free the components of a restart context 2877 */ 2878 void mbedtls_x509_crt_restart_free(mbedtls_x509_crt_restart_ctx *ctx) 2879 { 2880 if (ctx == NULL) { 2881 return; 2882 } 2883 2884 mbedtls_pk_restart_free(&ctx->pk); 2885 mbedtls_x509_crt_restart_init(ctx); 2886 } 2887 #endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */ 2888 2889 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 2890