1 : /*
2 : * Copyright (C) 2003-2012 Free Software Foundation, Inc.
3 : * Copyright (C) 2017 Red Hat, Inc.
4 : *
5 : * Author: Nikos Mavrogiannopoulos
6 : *
7 : * This file is part of GnuTLS.
8 : *
9 : * The GnuTLS is free software; you can redistribute it and/or
10 : * modify it under the terms of the GNU Lesser General Public License
11 : * as published by the Free Software Foundation; either version 2.1 of
12 : * the License, or (at your option) any later version.
13 : *
14 : * This library is distributed in the hope that it will be useful, but
15 : * WITHOUT ANY WARRANTY; without even the implied warranty of
16 : * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 : * Lesser General Public License for more details.
18 : *
19 : * You should have received a copy of the GNU Lesser General Public License
20 : * along with this program. If not, see <https://www.gnu.org/licenses/>
21 : *
22 : */
23 :
24 : #ifndef GNUTLS_LIB_X509_COMMON_H
25 : #define GNUTLS_LIB_X509_COMMON_H
26 :
27 : #include <algorithms.h>
28 : #include <abstract_int.h>
29 : #include <x509/x509_int.h>
30 : #include <fips.h>
31 :
32 : #define MAX_STRING_LEN 512
33 :
34 : #if defined(FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION)
35 : # define MAX_ITER_COUNT 10*1024
36 : #else
/* Set a maximum iteration count above which we refuse to
 * decode a file. This is to prevent DoS. */
39 : # define MAX_ITER_COUNT (10*1024*1024)
40 : #endif
41 :
42 : #define GNUTLS_XML_SHOW_ALL 1
43 :
44 : #define PEM_CRL "X509 CRL"
45 : #define PEM_X509_CERT "X509 CERTIFICATE"
46 : #define PEM_X509_CERT2 "CERTIFICATE"
47 : #define PEM_PKCS7 "PKCS7"
48 : #define PEM_PKCS12 "PKCS12"
49 : #define PEM_PK "PUBLIC KEY"
50 :
/* public key algorithm OIDs
 */
53 : #define PK_PKIX1_RSA_OID "1.2.840.113549.1.1.1"
54 : #define PK_PKIX1_RSA_PSS_OID "1.2.840.113549.1.1.10"
55 : #define PK_X509_RSA_OID "2.5.8.1.1"
56 : #define PK_DSA_OID "1.2.840.10040.4.1"
57 : #define PK_GOST_R3410_94_OID "1.2.643.2.2.20"
58 : #define PK_GOST_R3410_2001_OID "1.2.643.2.2.19"
59 : #define PK_GOST_R3410_2012_256_OID "1.2.643.7.1.1.1.1"
60 : #define PK_GOST_R3410_2012_512_OID "1.2.643.7.1.1.1.2"
61 :
62 : /* signature OIDs
63 : */
64 : #define SIG_DSA_SHA1_OID "1.2.840.10040.4.3"
65 : /* those two from draft-ietf-pkix-sha2-dsa-ecdsa-06 */
66 : #define SIG_DSA_SHA224_OID "2.16.840.1.101.3.4.3.1"
67 : #define SIG_DSA_SHA256_OID "2.16.840.1.101.3.4.3.2"
68 : #define SIG_DSA_SHA384_OID "2.16.840.1.101.3.4.3.3"
69 : #define SIG_DSA_SHA512_OID "2.16.840.1.101.3.4.3.4"
70 :
71 : #define SIG_RSA_MD5_OID "1.2.840.113549.1.1.4"
72 : #define SIG_RSA_MD2_OID "1.2.840.113549.1.1.2"
73 : #define SIG_RSA_SHA1_OID "1.2.840.113549.1.1.5"
74 : #define SIG_RSA_SHA224_OID "1.2.840.113549.1.1.14"
75 : #define SIG_RSA_SHA256_OID "1.2.840.113549.1.1.11"
76 : #define SIG_RSA_SHA384_OID "1.2.840.113549.1.1.12"
77 : #define SIG_RSA_SHA512_OID "1.2.840.113549.1.1.13"
78 : #define SIG_RSA_RMD160_OID "1.3.36.3.3.1.2"
79 : #define SIG_GOST_R3410_94_OID "1.2.643.2.2.4"
80 : #define SIG_GOST_R3410_2001_OID "1.2.643.2.2.3"
81 : #define SIG_GOST_R3410_2012_256_OID "1.2.643.7.1.1.3.2"
82 : #define SIG_GOST_R3410_2012_512_OID "1.2.643.7.1.1.3.3"
83 : #define ISO_SIG_RSA_SHA1_OID "1.3.14.3.2.29"
84 :
85 : #define SIG_DSA_SHA3_224_OID "2.16.840.1.101.3.4.3.5"
86 : #define SIG_DSA_SHA3_256_OID "2.16.840.1.101.3.4.3.6"
87 : #define SIG_DSA_SHA3_384_OID "2.16.840.1.101.3.4.3.7"
88 : #define SIG_DSA_SHA3_512_OID "2.16.840.1.101.3.4.3.8"
89 :
90 : #define SIG_ECDSA_SHA3_224_OID "2.16.840.1.101.3.4.3.9"
91 : #define SIG_ECDSA_SHA3_256_OID "2.16.840.1.101.3.4.3.10"
92 : #define SIG_ECDSA_SHA3_384_OID "2.16.840.1.101.3.4.3.11"
93 : #define SIG_ECDSA_SHA3_512_OID "2.16.840.1.101.3.4.3.12"
94 :
95 : #define SIG_RSA_SHA3_224_OID "2.16.840.1.101.3.4.3.13"
96 : #define SIG_RSA_SHA3_256_OID "2.16.840.1.101.3.4.3.14"
97 : #define SIG_RSA_SHA3_384_OID "2.16.840.1.101.3.4.3.15"
98 : #define SIG_RSA_SHA3_512_OID "2.16.840.1.101.3.4.3.16"
99 :
100 : #define SIG_EDDSA_SHA512_OID "1.3.101.112"
101 : #define SIG_ED448_OID "1.3.101.113"
102 :
103 : #define XMPP_OID "1.3.6.1.5.5.7.8.5"
104 : #define KRB5_PRINCIPAL_OID "1.3.6.1.5.2.2"
105 : #define PKIX1_RSA_PSS_MGF1_OID "1.2.840.113549.1.1.8"
106 :
107 : #define GOST28147_89_OID "1.2.643.2.2.21"
108 : #define GOST28147_89_TC26Z_OID "1.2.643.7.1.2.5.1.1"
109 : #define GOST28147_89_CPA_OID "1.2.643.2.2.31.1"
110 : #define GOST28147_89_CPB_OID "1.2.643.2.2.31.2"
111 : #define GOST28147_89_CPC_OID "1.2.643.2.2.31.3"
112 : #define GOST28147_89_CPD_OID "1.2.643.2.2.31.4"
113 :
114 : #define ASN1_NULL "\x05\x00"
115 : #define ASN1_NULL_SIZE 2
116 :
/* One entry of an OID table: maps a dotted-decimal OID to a printable name
 * and to the information needed to decode its value.  Entries are looked
 * up by OID through _gnutls_oid_get_entry(). */
struct oid_to_string {
	const char *oid;            /* dotted-decimal OID string */
	unsigned oid_size;          /* length of oid; presumably excluding the
				     * terminating NUL -- confirm against the
				     * table initializers */
	const char *name_desc;      /* printable name for this OID (presumably
				     * the form used in DN strings -- verify) */
	unsigned name_desc_size;    /* length of name_desc, same convention as
				     * oid_size */
	const char *asn_desc; /* description in the pkix file if complex type */
	unsigned int etype; /* the libtasn1 ASN1_ETYPE of the value, or
			     * ASN1_ETYPE_INVALID if it cannot be simply parsed */
};
126 :
127 : const struct oid_to_string *_gnutls_oid_get_entry(const struct oid_to_string *ots, const char *oid);
128 :
129 : int _gnutls_x509_set_time(ASN1_TYPE c2, const char *where, time_t tim,
130 : int force_general);
131 : int
132 : _gnutls_x509_set_raw_time(ASN1_TYPE c2, const char *where, time_t tim);
133 :
134 : int _gnutls_x509_decode_string(unsigned int etype,
135 : const uint8_t * der, size_t der_size,
136 : gnutls_datum_t * output,
137 : unsigned allow_ber);
138 :
139 : int _gnutls_x509_encode_string(unsigned int etype,
140 : const void *input_data, size_t input_size,
141 : gnutls_datum_t * output);
142 :
143 : int _gnutls_x509_dn_to_string(const char *OID, void *value,
144 : int value_size, gnutls_datum_t * out);
145 : const char *_gnutls_ldap_string_to_oid(const char *str, unsigned str_len);
146 :
147 : time_t _gnutls_x509_get_time(ASN1_TYPE c2, const char *when, int general);
148 :
149 : gnutls_x509_subject_alt_name_t _gnutls_x509_san_find_type(char *str_type);
150 :
151 : int _gnutls_x509_der_encode_and_copy(ASN1_TYPE src, const char *src_name,
152 : ASN1_TYPE dest, const char *dest_name,
153 : int str);
154 : int _gnutls_x509_der_encode(ASN1_TYPE src, const char *src_name,
155 : gnutls_datum_t * res, int str);
156 :
157 : #define _gnutls_x509_export_int(asn1, format, header, out, out_size) \
158 : _gnutls_x509_export_int_named(asn1, "", format, header, out, out_size)
159 :
160 : int _gnutls_x509_export_int_named(ASN1_TYPE asn1_data, const char *name,
161 : gnutls_x509_crt_fmt_t format,
162 : const char *pem_header,
163 : unsigned char *output_data,
164 : size_t * output_data_size);
165 :
166 : #define _gnutls_x509_export_int2(asn1, format, header, out) \
167 : _gnutls_x509_export_int_named2(asn1, "", format, header, out)
168 : int _gnutls_x509_export_int_named2(ASN1_TYPE asn1_data, const char *name,
169 : gnutls_x509_crt_fmt_t format,
170 : const char *pem_header,
171 : gnutls_datum_t * out);
172 :
173 : int _gnutls_x509_read_value(ASN1_TYPE c, const char *root,
174 : gnutls_datum_t * ret);
175 : int _gnutls_x509_read_null_value(ASN1_TYPE c, const char *root,
176 : gnutls_datum_t * ret);
177 : int _gnutls_x509_read_string(ASN1_TYPE c, const char *root,
178 : gnutls_datum_t * ret, unsigned int etype,
179 : unsigned allow_ber);
180 : int _gnutls_x509_write_value(ASN1_TYPE c, const char *root,
181 : const gnutls_datum_t * data);
182 :
183 : int _gnutls_x509_write_string(ASN1_TYPE c, const char *root,
184 : const gnutls_datum_t * data,
185 : unsigned int etype);
186 :
187 : int _gnutls_x509_encode_and_write_attribute(const char *given_oid,
188 : ASN1_TYPE asn1_struct,
189 : const char *where,
190 : const void *data,
191 : int sizeof_data, int multi);
192 : int _gnutls_x509_decode_and_read_attribute(ASN1_TYPE asn1_struct,
193 : const char *where, char *oid,
194 : int oid_size,
195 : gnutls_datum_t * value,
196 : int multi, int octet);
197 :
198 : int _gnutls_x509_get_pk_algorithm(ASN1_TYPE src, const char *src_name,
199 : gnutls_ecc_curve_t *curve,
200 : unsigned int *bits);
201 :
202 : int
203 : _gnutls_x509_get_signature_algorithm(ASN1_TYPE src, const char *src_name);
204 :
205 : int _gnutls_x509_encode_and_copy_PKI_params(ASN1_TYPE dst,
206 : const char *dst_name,
207 : const gnutls_pk_params_st * params);
208 : int _gnutls_x509_encode_PKI_params(gnutls_datum_t * der,
209 : const gnutls_pk_params_st * params);
210 : int _gnutls_asn1_copy_node(ASN1_TYPE * dst, const char *dst_name,
211 : ASN1_TYPE src, const char *src_name);
212 :
213 : int _gnutls_x509_get_signed_data(ASN1_TYPE src, const gnutls_datum_t *der,
214 : const char *src_name,
215 : gnutls_datum_t * signed_data);
216 : int _gnutls_x509_get_signature(ASN1_TYPE src, const char *src_name,
217 : gnutls_datum_t * signature);
218 :
219 :
220 : int _gnutls_get_asn_mpis(ASN1_TYPE asn, const char *root,
221 : gnutls_pk_params_st * params);
222 :
223 : int _gnutls_get_key_id(gnutls_pk_params_st *,
224 : unsigned char *output_data,
225 : size_t * output_data_size, unsigned flags);
226 :
227 : void _asnstr_append_name(char *name, size_t name_size, const char *part1,
228 : const char *part2);
229 :
/* Return in @out a newly allocated DER encoding of the field @whom of the
 * ASN.1 structure @c2.
 *
 * This is a thin wrapper around _gnutls_x509_der_encode() with its str
 * argument fixed to 0 (presumably the plain, non-string encoding path;
 * confirm against _gnutls_x509_der_encode).  Ownership of @out's buffer
 * passes to the caller on success.
 *
 * Returns the _gnutls_x509_der_encode() result: 0 on success or a
 * negative GnuTLS error code.
 */
static inline int
_gnutls_x509_get_raw_field(ASN1_TYPE c2, const char *whom, gnutls_datum_t *out)
{
	const int as_string = 0;
	int ret;

	ret = _gnutls_x509_der_encode(c2, whom, out, as_string);
	return ret;
}
236 :
237 : int
238 : _gnutls_x509_get_raw_field2(ASN1_TYPE c2, const gnutls_datum_t * raw,
239 : const char *whom, gnutls_datum_t * dn);
240 :
241 : unsigned
242 : _gnutls_check_if_same_key(gnutls_x509_crt_t cert1,
243 : gnutls_x509_crt_t cert2,
244 : unsigned is_ca);
245 :
246 : unsigned
247 : _gnutls_check_if_same_key2(gnutls_x509_crt_t cert1,
248 : gnutls_datum_t *cert2bin);
249 :
250 : unsigned
251 : _gnutls_check_valid_key_id(const gnutls_datum_t *key_id,
252 : gnutls_x509_crt_t cert, time_t now,
253 : unsigned *has_ski);
254 :
255 : unsigned _gnutls_check_key_purpose(gnutls_x509_crt_t cert, const char *purpose, unsigned no_any);
256 :
257 : time_t _gnutls_x509_generalTime2gtime(const char *ttime);
258 :
259 : int _gnutls_get_extension(ASN1_TYPE asn, const char *root,
260 : const char *extension_id, int indx,
261 : gnutls_datum_t * ret, unsigned int *_critical);
262 :
263 : int _gnutls_set_extension(ASN1_TYPE asn, const char *root,
264 : const char *ext_id,
265 : const gnutls_datum_t * ext_data, unsigned int critical);
266 :
267 : int _gnutls_strdatum_to_buf(gnutls_datum_t * d, void *buf,
268 : size_t * sizeof_buf);
269 :
270 : unsigned _gnutls_is_same_dn(gnutls_x509_crt_t cert1, gnutls_x509_crt_t cert2);
271 :
272 : int _gnutls_copy_string(const gnutls_datum_t* str, uint8_t *out, size_t *out_size);
273 : int _gnutls_copy_data(const gnutls_datum_t* str, uint8_t *out, size_t *out_size);
274 :
275 : int _gnutls_x509_decode_ext(const gnutls_datum_t *der, gnutls_x509_ext_st *out);
276 : int _gnutls_x509_raw_crt_to_raw_pubkey(const gnutls_datum_t * cert,
277 : gnutls_datum_t * rpubkey);
278 :
279 : int _gnutls_x509_get_version(ASN1_TYPE root, const char *name);
280 :
281 : int x509_crt_to_raw_pubkey(gnutls_x509_crt_t crt,
282 : gnutls_datum_t * rpubkey);
283 :
284 : typedef void (*gnutls_cert_vfunc)(gnutls_x509_crt_t);
285 :
286 : gnutls_x509_crt_t *_gnutls_sort_clist(gnutls_x509_crt_t
287 : sorted[DEFAULT_MAX_VERIFY_DEPTH],
288 : gnutls_x509_crt_t * clist,
289 : unsigned int *clist_size,
290 : gnutls_cert_vfunc func);
291 :
292 : int _gnutls_check_if_sorted(gnutls_x509_crt_t * crt, int nr);
293 :
/* Decode the DER buffer @ider (@len bytes) into @element using libtasn1's
 * strict DER rules.
 *
 * ASN1_DECODE_FLAG_STRICT_DER is always set.  Only when the build did not
 * request STRICT_DER_TIME and the libtasn1 in use provides
 * ASN1_DECODE_FLAG_ALLOW_INCORRECT_TIME are malformed time encodings
 * additionally tolerated; otherwise they are rejected like any other
 * DER violation.  @errorDescription receives libtasn1's diagnostic text
 * on failure.
 *
 * Returns the asn1_der_decoding2() result (ASN1_SUCCESS or an ASN1_*
 * error code).
 */
static inline int _asn1_strict_der_decode(asn1_node *element, const void *ider,
					  int len, char *errorDescription)
{
#if !defined(STRICT_DER_TIME) && defined(ASN1_DECODE_FLAG_ALLOW_INCORRECT_TIME)
# define _ASN1_DER_FLAGS (ASN1_DECODE_FLAG_ALLOW_INCORRECT_TIME|ASN1_DECODE_FLAG_STRICT_DER)
#else
# define _ASN1_DER_FLAGS ASN1_DECODE_FLAG_STRICT_DER
#endif
	/* asn1_der_decoding2() takes the length by pointer (and may update
	 * it); decode from a local copy so the parameter is left alone. */
	int remaining = len;

	return asn1_der_decoding2(element, ider, &remaining, _ASN1_DER_FLAGS,
				  errorDescription);
}
304 :
305 : #endif /* GNUTLS_LIB_X509_COMMON_H */