Line data Source code
1 : /*
2 : * Copyright (C) 2014-2016 Free Software Foundation, Inc.
3 : * Copyright (C) 2016 Red Hat, Inc.
4 : *
5 : * This file is part of GnuTLS.
6 : *
7 : * The GnuTLS is free software; you can redistribute it and/or
8 : * modify it under the terms of the GNU Lesser General Public License
9 : * as published by the Free Software Foundation; either version 2.1 of
10 : * the License, or (at your option) any later version.
11 : *
12 : * This library is distributed in the hope that it will be useful, but
13 : * WITHOUT ANY WARRANTY; without even the implied warranty of
14 : * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 : * Lesser General Public License for more details.
16 : *
17 : * You should have received a copy of the GNU Lesser General Public License
18 : * along with this program. If not, see <https://www.gnu.org/licenses/>
19 : *
20 : */
21 :
22 : /* This file contains functions to handle X.509 certificate extensions (the x509-ext API)
23 : */
24 :
25 : #include "gnutls_int.h"
26 : #include <datum.h>
27 : #include "errors.h"
28 : #include <common.h>
29 : #include <x509.h>
30 : #include <x509_b64.h>
31 : #include "x509_ext_int.h"
32 : #include "virt-san.h"
33 : #include <gnutls/x509-ext.h>
34 :
35 : #define MAX_ENTRIES 64
36 : struct gnutls_subject_alt_names_st {
37 : struct name_st *names;
38 : unsigned int size;
39 : };
40 :
41 : /**
42 : * gnutls_subject_alt_names_init:
43 : * @sans: The alternative names
44 : *
45 : * This function will initialize an alternative names structure.
46 : *
47 : * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.
48 : *
49 : * Since: 3.3.0
50 : **/
51 63688 : int gnutls_subject_alt_names_init(gnutls_subject_alt_names_t * sans)
52 : {
53 63688 : *sans = gnutls_calloc(1, sizeof(struct gnutls_subject_alt_names_st));
54 63688 : if (*sans == NULL) {
55 0 : gnutls_assert();
56 0 : return GNUTLS_E_MEMORY_ERROR;
57 : }
58 :
59 : return 0;
60 : }
61 :
62 65918 : static void subject_alt_names_deinit(gnutls_subject_alt_names_t sans)
63 : {
64 65918 : unsigned int i;
65 :
66 97503 : for (i = 0; i < sans->size; i++) {
67 31585 : gnutls_free(sans->names[i].san.data);
68 31585 : gnutls_free(sans->names[i].othername_oid.data);
69 : }
70 65918 : gnutls_free(sans->names);
71 65918 : }
72 :
73 : /**
74 : * gnutls_subject_alt_names_deinit:
75 : * @sans: The alternative names
76 : *
77 : * This function will deinitialize an alternative names structure.
78 : *
79 : * Since: 3.3.0
80 : **/
81 61858 : void gnutls_subject_alt_names_deinit(gnutls_subject_alt_names_t sans)
82 : {
83 61858 : subject_alt_names_deinit(sans);
84 61858 : gnutls_free(sans);
85 61858 : }
86 :
87 : /**
88 : * gnutls_subject_alt_names_get:
89 : * @sans: The alternative names
90 : * @seq: The index of the name to get
91 : * @san_type: Will hold the type of the name (of %gnutls_subject_alt_names_t)
92 : * @san: The alternative name data (should be treated as constant)
93 : * @othername_oid: The object identifier if @san_type is %GNUTLS_SAN_OTHERNAME (should be treated as constant)
94 : *
95 : * This function will return a specific alternative name as stored in
96 : * the @sans type. The returned values should be treated as constant
97 : * and valid for the lifetime of @sans.
98 : *
99 : * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
100 : * if the index is out of bounds, otherwise a negative error value.
101 : *
102 : * Since: 3.3.0
103 : **/
104 24706 : int gnutls_subject_alt_names_get(gnutls_subject_alt_names_t sans,
105 : unsigned int seq, unsigned int *san_type,
106 : gnutls_datum_t * san,
107 : gnutls_datum_t * othername_oid)
108 : {
109 24706 : if (seq >= sans->size)
110 11969 : return gnutls_assert_val(GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE);
111 :
112 12755 : if (san) {
113 12755 : memcpy(san, &sans->names[seq].san, sizeof(gnutls_datum_t));
114 : }
115 :
116 12755 : if (san_type)
117 12755 : *san_type = sans->names[seq].type;
118 :
119 12755 : if (othername_oid != NULL && sans->names[seq].type == GNUTLS_SAN_OTHERNAME) {
120 398 : othername_oid->data = sans->names[seq].othername_oid.data;
121 398 : othername_oid->size = sans->names[seq].othername_oid.size;
122 : }
123 :
124 : return 0;
125 : }
126 :
127 : /* This is the same as gnutls_subject_alt_names_set() but will not
128 : * copy the strings. It expects all the provided input to be already
129 : * allocated by gnutls. */
130 : static
131 31629 : int subject_alt_names_set(struct name_st **names,
132 : unsigned int *size,
133 : unsigned int san_type,
134 : gnutls_datum_t * san, char *othername_oid,
135 : unsigned raw)
136 : {
137 31629 : void *tmp;
138 31629 : int ret;
139 :
140 31629 : tmp = gnutls_realloc(*names, (*size + 1) * sizeof((*names)[0]));
141 31629 : if (tmp == NULL) {
142 0 : return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
143 : }
144 31629 : *names = tmp;
145 :
146 31629 : ret = _gnutls_alt_name_assign_virt_type(&(*names)[*size], san_type, san, othername_oid, raw);
147 31629 : if (ret < 0)
148 3 : return gnutls_assert_val(ret);
149 :
150 31626 : (*size)++;
151 31626 : return 0;
152 : }
153 :
154 : /**
155 : * gnutls_subject_alt_names_set:
156 : * @sans: The alternative names
157 : * @san_type: The type of the name (of %gnutls_subject_alt_names_t)
158 : * @san: The alternative name data
159 : * @othername_oid: The object identifier if @san_type is %GNUTLS_SAN_OTHERNAME
160 : *
161 : * This function will store the specified alternative name in
162 : * the @sans.
163 : *
164 : * Since version 3.5.7 the %GNUTLS_SAN_RFC822NAME, %GNUTLS_SAN_DNSNAME, and
165 : * %GNUTLS_SAN_OTHERNAME_XMPP are converted to ACE format when necessary.
166 : *
167 : * Returns: On success, %GNUTLS_E_SUCCESS (0), otherwise a negative error value.
168 : *
169 : * Since: 3.3.0
170 : **/
171 376 : int gnutls_subject_alt_names_set(gnutls_subject_alt_names_t sans,
172 : unsigned int san_type,
173 : const gnutls_datum_t * san,
174 : const char *othername_oid)
175 : {
176 376 : int ret;
177 376 : gnutls_datum_t copy;
178 376 : char *ooc;
179 :
180 376 : ret = _gnutls_set_strdatum(©, san->data, san->size);
181 376 : if (ret < 0)
182 0 : return gnutls_assert_val(ret);
183 :
184 376 : if (othername_oid != NULL)
185 4 : ooc = gnutls_strdup(othername_oid);
186 : else
187 : ooc = NULL;
188 376 : ret = subject_alt_names_set(&sans->names, &sans->size,
189 : san_type, ©, ooc, 0);
190 376 : if (ret < 0) {
191 3 : gnutls_free(copy.data);
192 3 : return gnutls_assert_val(ret);
193 : }
194 :
195 : return 0;
196 : }
197 :
198 : /**
199 : * gnutls_x509_ext_import_subject_alt_names:
200 : * @ext: The DER-encoded extension data
201 : * @sans: The alternative names
202 : * @flags: should be zero
203 : *
204 : * This function will export the alternative names in the provided DER-encoded
205 : * SubjectAltName PKIX extension, to a %gnutls_subject_alt_names_t type. @sans
206 : * must be initialized.
207 : *
208 : * This function will succeed even if there no subject alternative names
209 : * in the structure.
210 : *
211 : * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.
212 : *
213 : * Since: 3.3.0
214 : **/
215 16382 : int gnutls_x509_ext_import_subject_alt_names(const gnutls_datum_t * ext,
216 : gnutls_subject_alt_names_t sans,
217 : unsigned int flags)
218 : {
219 16382 : ASN1_TYPE c2 = ASN1_TYPE_EMPTY;
220 16382 : int result, ret;
221 16382 : unsigned int i;
222 16382 : gnutls_datum_t san, othername_oid;
223 16382 : unsigned type;
224 :
225 16382 : result =
226 16382 : asn1_create_element(_gnutls_get_pkix(), "PKIX1.GeneralNames", &c2);
227 16382 : if (result != ASN1_SUCCESS) {
228 0 : gnutls_assert();
229 0 : return _gnutls_asn2err(result);
230 : }
231 :
232 16382 : result = _asn1_strict_der_decode(&c2, ext->data, ext->size, NULL);
233 16382 : if (result != ASN1_SUCCESS) {
234 15 : gnutls_assert();
235 15 : ret = _gnutls_asn2err(result);
236 15 : goto cleanup;
237 : }
238 :
239 31120 : for (i=0;;i++) {
240 47487 : san.data = NULL;
241 47487 : san.size = 0;
242 47487 : othername_oid.data = NULL;
243 :
244 47487 : ret = _gnutls_parse_general_name2(c2, "", i, &san, &type, 0);
245 47487 : if (ret < 0)
246 : break;
247 :
248 31129 : if (type == GNUTLS_SAN_OTHERNAME) {
249 1279 : ret =
250 1279 : _gnutls_parse_general_name2(c2, "", i,
251 : &othername_oid,
252 : NULL, 1);
253 1279 : if (ret < 0)
254 : break;
255 :
256 29850 : } else if (san.size == 0 || san.data == NULL) {
257 9 : ret = gnutls_assert_val(GNUTLS_E_X509_UNKNOWN_SAN);
258 : break;
259 : }
260 :
261 62240 : ret = subject_alt_names_set(&sans->names, &sans->size,
262 : type, &san,
263 31120 : (char *)othername_oid.data, 1);
264 31120 : if (ret < 0)
265 : break;
266 : }
267 :
268 16367 : sans->size = i;
269 16367 : if (ret < 0 && ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
270 21 : gnutls_free(san.data);
271 21 : gnutls_free(othername_oid.data);
272 21 : gnutls_assert();
273 21 : goto cleanup;
274 : }
275 :
276 : ret = 0;
277 16382 : cleanup:
278 16382 : asn1_delete_structure(&c2);
279 16382 : return ret;
280 : }
281 :
282 : /**
283 : * gnutls_x509_ext_export_subject_alt_names:
284 : * @sans: The alternative names
285 : * @ext: The DER-encoded extension data; must be freed using gnutls_free().
286 : *
287 : * This function will convert the provided alternative names structure to a
288 : * DER-encoded SubjectAltName PKIX extension. The output data in @ext will be allocated using
289 : * gnutls_malloc().
290 : *
291 : * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.
292 : *
293 : * Since: 3.3.0
294 : **/
295 373 : int gnutls_x509_ext_export_subject_alt_names(gnutls_subject_alt_names_t sans,
296 : gnutls_datum_t * ext)
297 : {
298 373 : ASN1_TYPE c2 = ASN1_TYPE_EMPTY;
299 373 : int result, ret;
300 373 : unsigned i;
301 :
302 373 : result =
303 373 : asn1_create_element(_gnutls_get_pkix(), "PKIX1.GeneralNames", &c2);
304 373 : if (result != ASN1_SUCCESS) {
305 0 : gnutls_assert();
306 0 : return _gnutls_asn2err(result);
307 : }
308 :
309 1649 : for (i = 0; i < sans->size; i++) {
310 1276 : if (sans->names[i].type == GNUTLS_SAN_OTHERNAME) {
311 63 : ret = _gnutls_write_new_othername(c2, "", (char*)sans->names[i].othername_oid.data,
312 63 : sans->names[i].san.data, sans->names[i].san.size);
313 : } else {
314 1213 : ret =
315 1213 : _gnutls_write_new_general_name(c2, "", sans->names[i].type,
316 1213 : sans->names[i].san.data,
317 : sans->names[i].san.size);
318 : }
319 :
320 1276 : if (ret < 0) {
321 0 : gnutls_assert();
322 0 : goto cleanup;
323 : }
324 : }
325 :
326 373 : ret = _gnutls_x509_der_encode(c2, "", ext, 0);
327 373 : if (ret < 0) {
328 0 : gnutls_assert();
329 0 : goto cleanup;
330 : }
331 :
332 : ret = 0;
333 :
334 373 : cleanup:
335 373 : asn1_delete_structure(&c2);
336 373 : return ret;
337 : }
338 :
339 : /**
340 : * gnutls_x509_ext_import_name_constraints:
341 : * @ext: a DER encoded extension
342 : * @nc: The nameconstraints
343 : * @flags: zero or %GNUTLS_NAME_CONSTRAINTS_FLAG_APPEND
344 : *
345 : * This function will return an intermediate type containing
346 : * the name constraints of the provided NameConstraints extension. That
347 : * can be used in combination with gnutls_x509_name_constraints_check()
348 : * to verify whether a server's name is in accordance with the constraints.
349 : *
350 : * When the @flags is set to %GNUTLS_NAME_CONSTRAINTS_FLAG_APPEND, then if
351 : * the @nc type is empty this function will behave identically as if the flag was not set.
352 : * Otherwise if there are elements in the @nc structure then the
353 : * constraints will be merged with the existing constraints following
354 : * RFC5280 p6.1.4 (excluded constraints will be appended, permitted
355 : * will be intersected).
356 : *
357 : * Note that @nc must be initialized prior to calling this function.
358 : *
359 : * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
360 : * if the extension is not present, otherwise a negative error value.
361 : *
362 : * Since: 3.3.0
363 : **/
364 116 : int gnutls_x509_ext_import_name_constraints(const gnutls_datum_t * ext,
365 : gnutls_x509_name_constraints_t nc,
366 : unsigned int flags)
367 : {
368 116 : int result, ret;
369 116 : ASN1_TYPE c2 = ASN1_TYPE_EMPTY;
370 116 : gnutls_x509_name_constraints_t nc2 = NULL;
371 :
372 116 : result = asn1_create_element
373 : (_gnutls_get_pkix(), "PKIX1.NameConstraints", &c2);
374 116 : if (result != ASN1_SUCCESS) {
375 0 : gnutls_assert();
376 0 : return _gnutls_asn2err(result);
377 : }
378 :
379 116 : result = _asn1_strict_der_decode(&c2, ext->data, ext->size, NULL);
380 116 : if (result != ASN1_SUCCESS) {
381 8 : gnutls_assert();
382 8 : ret = _gnutls_asn2err(result);
383 8 : goto cleanup;
384 : }
385 :
386 108 : if (flags & GNUTLS_NAME_CONSTRAINTS_FLAG_APPEND &&
387 52 : (nc->permitted != NULL || nc->excluded != NULL)) {
388 15 : ret = gnutls_x509_name_constraints_init (&nc2);
389 15 : if (ret < 0) {
390 0 : gnutls_assert();
391 0 : goto cleanup;
392 : }
393 :
394 15 : ret =
395 30 : _gnutls_extract_name_constraints(c2, "permittedSubtrees",
396 15 : &nc2->permitted);
397 15 : if (ret < 0) {
398 0 : gnutls_assert();
399 0 : goto cleanup;
400 : }
401 :
402 15 : ret =
403 30 : _gnutls_extract_name_constraints(c2, "excludedSubtrees",
404 15 : &nc2->excluded);
405 15 : if (ret < 0) {
406 0 : gnutls_assert();
407 0 : goto cleanup;
408 : }
409 :
410 15 : ret = _gnutls_x509_name_constraints_merge(nc, nc2);
411 15 : if (ret < 0) {
412 0 : gnutls_assert();
413 0 : goto cleanup;
414 : }
415 : } else {
416 93 : _gnutls_name_constraints_node_free(nc->permitted);
417 93 : _gnutls_name_constraints_node_free(nc->excluded);
418 :
419 93 : ret =
420 186 : _gnutls_extract_name_constraints(c2, "permittedSubtrees",
421 93 : &nc->permitted);
422 93 : if (ret < 0) {
423 9 : gnutls_assert();
424 9 : goto cleanup;
425 : }
426 :
427 84 : ret =
428 168 : _gnutls_extract_name_constraints(c2, "excludedSubtrees",
429 84 : &nc->excluded);
430 84 : if (ret < 0) {
431 4 : gnutls_assert();
432 4 : goto cleanup;
433 : }
434 : }
435 :
436 : ret = 0;
437 :
438 116 : cleanup:
439 116 : asn1_delete_structure(&c2);
440 116 : if (nc2)
441 15 : gnutls_x509_name_constraints_deinit (nc2);
442 :
443 : return ret;
444 : }
445 :
446 : /**
447 : * gnutls_x509_ext_export_name_constraints:
448 : * @nc: The nameconstraints
449 : * @ext: The DER-encoded extension data; must be freed using gnutls_free().
450 : *
451 : * This function will convert the provided name constraints type to a
452 : * DER-encoded PKIX NameConstraints (2.5.29.30) extension. The output data in
453 : * @ext will be allocated using gnutls_malloc().
454 : *
455 : * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.
456 : *
457 : * Since: 3.3.0
458 : **/
459 3 : int gnutls_x509_ext_export_name_constraints(gnutls_x509_name_constraints_t nc,
460 : gnutls_datum_t * ext)
461 : {
462 3 : int ret, result;
463 3 : uint8_t null = 0;
464 3 : ASN1_TYPE c2 = ASN1_TYPE_EMPTY;
465 3 : struct name_constraints_node_st *tmp;
466 :
467 3 : if (nc->permitted == NULL && nc->excluded == NULL)
468 0 : return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
469 :
470 3 : result = asn1_create_element
471 : (_gnutls_get_pkix(), "PKIX1.NameConstraints", &c2);
472 3 : if (result != ASN1_SUCCESS) {
473 0 : gnutls_assert();
474 0 : return _gnutls_asn2err(result);
475 : }
476 :
477 3 : if (nc->permitted == NULL) {
478 0 : (void)asn1_write_value(c2, "permittedSubtrees", NULL, 0);
479 : } else {
480 : tmp = nc->permitted;
481 13 : do {
482 13 : result =
483 13 : asn1_write_value(c2, "permittedSubtrees", "NEW", 1);
484 13 : if (result != ASN1_SUCCESS) {
485 0 : gnutls_assert();
486 0 : ret = _gnutls_asn2err(result);
487 0 : goto cleanup;
488 : }
489 :
490 13 : result =
491 13 : asn1_write_value(c2,
492 : "permittedSubtrees.?LAST.maximum",
493 : NULL, 0);
494 13 : if (result != ASN1_SUCCESS) {
495 0 : gnutls_assert();
496 0 : ret = _gnutls_asn2err(result);
497 0 : goto cleanup;
498 : }
499 :
500 13 : result =
501 13 : asn1_write_value(c2,
502 : "permittedSubtrees.?LAST.minimum",
503 : &null, 1);
504 13 : if (result != ASN1_SUCCESS) {
505 0 : gnutls_assert();
506 0 : ret = _gnutls_asn2err(result);
507 0 : goto cleanup;
508 : }
509 :
510 13 : ret =
511 26 : _gnutls_write_general_name(c2,
512 : "permittedSubtrees.?LAST.base",
513 13 : tmp->type,
514 13 : tmp->name.data,
515 : tmp->name.size);
516 13 : if (ret < 0) {
517 0 : gnutls_assert();
518 0 : goto cleanup;
519 : }
520 13 : tmp = tmp->next;
521 13 : } while (tmp != NULL);
522 : }
523 :
524 3 : if (nc->excluded == NULL) {
525 0 : (void)asn1_write_value(c2, "excludedSubtrees", NULL, 0);
526 : } else {
527 : tmp = nc->excluded;
528 14 : do {
529 14 : result =
530 14 : asn1_write_value(c2, "excludedSubtrees", "NEW", 1);
531 14 : if (result != ASN1_SUCCESS) {
532 0 : gnutls_assert();
533 0 : ret = _gnutls_asn2err(result);
534 0 : goto cleanup;
535 : }
536 :
537 14 : result =
538 14 : asn1_write_value(c2,
539 : "excludedSubtrees.?LAST.maximum",
540 : NULL, 0);
541 14 : if (result != ASN1_SUCCESS) {
542 0 : gnutls_assert();
543 0 : ret = _gnutls_asn2err(result);
544 0 : goto cleanup;
545 : }
546 :
547 14 : result =
548 14 : asn1_write_value(c2,
549 : "excludedSubtrees.?LAST.minimum",
550 : &null, 1);
551 14 : if (result != ASN1_SUCCESS) {
552 0 : gnutls_assert();
553 0 : ret = _gnutls_asn2err(result);
554 0 : goto cleanup;
555 : }
556 :
557 14 : ret =
558 28 : _gnutls_write_general_name(c2,
559 : "excludedSubtrees.?LAST.base",
560 14 : tmp->type,
561 14 : tmp->name.data,
562 : tmp->name.size);
563 14 : if (ret < 0) {
564 0 : gnutls_assert();
565 0 : goto cleanup;
566 : }
567 14 : tmp = tmp->next;
568 14 : } while (tmp != NULL);
569 :
570 : }
571 :
572 3 : ret = _gnutls_x509_der_encode(c2, "", ext, 0);
573 3 : if (ret < 0) {
574 0 : gnutls_assert();
575 0 : goto cleanup;
576 : }
577 :
578 : ret = 0;
579 :
580 3 : cleanup:
581 3 : asn1_delete_structure(&c2);
582 3 : return ret;
583 : }
584 :
585 : /**
586 : * gnutls_x509_ext_import_subject_key_id:
587 : * @ext: a DER encoded extension
588 : * @id: will contain the subject key ID
589 : *
590 : * This function will return the subject key ID stored in the provided
591 : * SubjectKeyIdentifier extension. The ID will be allocated using
592 : * gnutls_malloc().
593 : *
594 : * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
595 : * if the extension is not present, otherwise a negative error value.
596 : *
597 : * Since: 3.3.0
598 : **/
599 3927 : int gnutls_x509_ext_import_subject_key_id(const gnutls_datum_t * ext,
600 : gnutls_datum_t * id)
601 : {
602 3927 : int result, ret;
603 3927 : ASN1_TYPE c2 = ASN1_TYPE_EMPTY;
604 :
605 3927 : if (ext->size == 0 || ext->data == NULL) {
606 0 : gnutls_assert();
607 0 : return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
608 : }
609 :
610 3927 : result = asn1_create_element
611 : (_gnutls_get_pkix(), "PKIX1.SubjectKeyIdentifier", &c2);
612 3927 : if (result != ASN1_SUCCESS) {
613 0 : gnutls_assert();
614 0 : return _gnutls_asn2err(result);
615 : }
616 :
617 3927 : result = _asn1_strict_der_decode(&c2, ext->data, ext->size, NULL);
618 3927 : if (result != ASN1_SUCCESS) {
619 16 : gnutls_assert();
620 16 : ret = _gnutls_asn2err(result);
621 16 : goto cleanup;
622 : }
623 :
624 3911 : ret = _gnutls_x509_read_value(c2, "", id);
625 3911 : if (ret < 0) {
626 0 : gnutls_assert();
627 0 : goto cleanup;
628 : }
629 :
630 : ret = 0;
631 3927 : cleanup:
632 3927 : asn1_delete_structure(&c2);
633 :
634 3927 : return ret;
635 :
636 : }
637 :
638 : /**
639 : * gnutls_x509_ext_export_subject_key_id:
640 : * @id: The key identifier
641 : * @ext: The DER-encoded extension data; must be freed using gnutls_free().
642 : *
643 : * This function will convert the provided key identifier to a
644 : * DER-encoded PKIX SubjectKeyIdentifier extension.
645 : * The output data in @ext will be allocated using
646 : * gnutls_malloc().
647 : *
648 : * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.
649 : *
650 : * Since: 3.3.0
651 : **/
652 91 : int gnutls_x509_ext_export_subject_key_id(const gnutls_datum_t * id,
653 : gnutls_datum_t * ext)
654 : {
655 91 : ASN1_TYPE c2 = ASN1_TYPE_EMPTY;
656 91 : int ret, result;
657 :
658 91 : result =
659 91 : asn1_create_element(_gnutls_get_pkix(),
660 : "PKIX1.SubjectKeyIdentifier", &c2);
661 91 : if (result != ASN1_SUCCESS) {
662 0 : gnutls_assert();
663 0 : return _gnutls_asn2err(result);
664 : }
665 :
666 91 : result = asn1_write_value(c2, "", id->data, id->size);
667 91 : if (result != ASN1_SUCCESS) {
668 0 : gnutls_assert();
669 0 : ret = _gnutls_asn2err(result);
670 0 : goto cleanup;
671 : }
672 :
673 91 : ret = _gnutls_x509_der_encode(c2, "", ext, 0);
674 91 : if (ret < 0) {
675 0 : gnutls_assert();
676 0 : goto cleanup;
677 : }
678 :
679 : ret = 0;
680 91 : cleanup:
681 91 : asn1_delete_structure(&c2);
682 91 : return ret;
683 : }
684 :
685 : struct gnutls_x509_aki_st {
686 : gnutls_datum_t id;
687 : struct gnutls_subject_alt_names_st cert_issuer;
688 : gnutls_datum_t serial;
689 : };
690 :
691 : /**
692 : * gnutls_x509_aki_init:
693 : * @aki: The authority key ID type
694 : *
695 : * This function will initialize an authority key ID.
696 : *
697 : * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.
698 : *
699 : * Since: 3.3.0
700 : **/
701 4060 : int gnutls_x509_aki_init(gnutls_x509_aki_t * aki)
702 : {
703 4060 : *aki = gnutls_calloc(1, sizeof(struct gnutls_x509_aki_st));
704 4060 : if (*aki == NULL)
705 0 : return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
706 :
707 : return 0;
708 : }
709 :
710 : /**
711 : * gnutls_x509_aki_deinit:
712 : * @aki: The authority key identifier type
713 : *
714 : * This function will deinitialize an authority key identifier.
715 : *
716 : * Since: 3.3.0
717 : **/
718 4060 : void gnutls_x509_aki_deinit(gnutls_x509_aki_t aki)
719 : {
720 4060 : gnutls_free(aki->serial.data);
721 4060 : gnutls_free(aki->id.data);
722 4060 : subject_alt_names_deinit(&aki->cert_issuer);
723 4060 : gnutls_free(aki);
724 4060 : }
725 :
726 : /**
727 : * gnutls_x509_aki_get_id:
728 : * @aki: The authority key ID
729 : * @id: Will hold the identifier
730 : *
731 : * This function will return the key identifier as stored in
732 : * the @aki type. The identifier should be treated as constant.
733 : *
734 : * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
735 : * if the index is out of bounds, otherwise a negative error value.
736 : *
737 : * Since: 3.3.0
738 : **/
739 3983 : int gnutls_x509_aki_get_id(gnutls_x509_aki_t aki, gnutls_datum_t * id)
740 : {
741 3983 : if (aki->id.size == 0)
742 94 : return gnutls_assert_val(GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE);
743 :
744 3889 : memcpy(id, &aki->id, sizeof(gnutls_datum_t));
745 3889 : return 0;
746 : }
747 :
748 : /**
749 : * gnutls_x509_aki_set_id:
750 : * @aki: The authority key ID
751 : * @id: the key identifier
752 : *
753 : * This function will set the keyIdentifier to be stored in the @aki
754 : * type.
755 : *
756 : * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.
757 : *
758 : * Since: 3.3.0
759 : **/
760 47 : int gnutls_x509_aki_set_id(gnutls_x509_aki_t aki, const gnutls_datum_t * id)
761 : {
762 47 : return _gnutls_set_datum(&aki->id, id->data, id->size);
763 : }
764 :
765 : /**
766 : * gnutls_x509_aki_set_cert_issuer:
767 : * @aki: The authority key ID
768 : * @san_type: the type of the name (of %gnutls_subject_alt_names_t), may be null
769 : * @san: The alternative name data
770 : * @othername_oid: The object identifier if @san_type is %GNUTLS_SAN_OTHERNAME
771 : * @serial: The authorityCertSerialNumber number (may be null)
772 : *
773 : * This function will set the authorityCertIssuer name and the authorityCertSerialNumber
774 : * to be stored in the @aki type. When storing multiple names, the serial
775 : * should be set on the first call, and subsequent calls should use a %NULL serial.
776 : *
777 : * Since version 3.5.7 the %GNUTLS_SAN_RFC822NAME, %GNUTLS_SAN_DNSNAME, and
778 : * %GNUTLS_SAN_OTHERNAME_XMPP are converted to ACE format when necessary.
779 : *
780 : * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.
781 : *
782 : * Since: 3.3.0
783 : **/
784 0 : int gnutls_x509_aki_set_cert_issuer(gnutls_x509_aki_t aki,
785 : unsigned int san_type,
786 : const gnutls_datum_t *san,
787 : const char *othername_oid,
788 : const gnutls_datum_t *serial)
789 : {
790 0 : int ret;
791 0 : gnutls_datum_t t_san, t_othername_oid = { NULL, 0 };
792 :
793 0 : ret = _gnutls_set_datum(&aki->serial, serial->data, serial->size);
794 0 : if (ret < 0)
795 0 : return gnutls_assert_val(ret);
796 :
797 0 : aki->cert_issuer.names[aki->cert_issuer.size].type = san_type;
798 :
799 0 : ret = _gnutls_set_strdatum(&t_san, san->data, san->size);
800 0 : if (ret < 0)
801 0 : return gnutls_assert_val(ret);
802 :
803 0 : if (othername_oid) {
804 0 : t_othername_oid.data = (uint8_t *) gnutls_strdup(othername_oid);
805 0 : if (t_othername_oid.data == NULL) {
806 0 : gnutls_free(t_san.data);
807 0 : return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
808 : }
809 : t_othername_oid.size = strlen(othername_oid);
810 : }
811 :
812 0 : ret =
813 0 : subject_alt_names_set(&aki->cert_issuer.names,
814 : &aki->cert_issuer.size, san_type, &t_san,
815 0 : (char *)t_othername_oid.data, 0);
816 0 : if (ret < 0) {
817 0 : gnutls_assert();
818 0 : return ret;
819 : }
820 :
821 : return 0;
822 : }
823 :
824 : /**
825 : * gnutls_x509_aki_get_cert_issuer:
826 : * @aki: The authority key ID
827 : * @seq: The index of the name to get
828 : * @san_type: Will hold the type of the name (of %gnutls_subject_alt_names_t)
829 : * @san: The alternative name data
830 : * @othername_oid: The object identifier if @san_type is %GNUTLS_SAN_OTHERNAME
831 : * @serial: The authorityCertSerialNumber number
832 : *
833 : * This function will return a specific authorityCertIssuer name as stored in
834 : * the @aki type, as well as the authorityCertSerialNumber. All the returned
835 : * values should be treated as constant, and may be set to %NULL when are not required.
836 : *
837 : * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
838 : * if the index is out of bounds, otherwise a negative error value.
839 : *
840 : * Since: 3.3.0
841 : **/
842 871 : int gnutls_x509_aki_get_cert_issuer(gnutls_x509_aki_t aki, unsigned int seq,
843 : unsigned int *san_type,
844 : gnutls_datum_t *san,
845 : gnutls_datum_t *othername_oid,
846 : gnutls_datum_t *serial)
847 : {
848 871 : if (seq >= aki->cert_issuer.size)
849 841 : return gnutls_assert_val(GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE);
850 :
851 96 : if (aki->serial.size == 0)
852 7 : return gnutls_assert_val(GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE);
853 :
854 89 : if (serial)
855 89 : memcpy(serial, &aki->serial, sizeof(gnutls_datum_t));
856 :
857 89 : if (san) {
858 18 : memcpy(san, &aki->cert_issuer.names[seq].san,
859 : sizeof(gnutls_datum_t));
860 : }
861 :
862 89 : if (othername_oid != NULL
863 18 : && aki->cert_issuer.names[seq].type == GNUTLS_SAN_OTHERNAME) {
864 0 : othername_oid->data =
865 0 : aki->cert_issuer.names[seq].othername_oid.data;
866 0 : othername_oid->size =
867 0 : aki->cert_issuer.names[seq].othername_oid.size;
868 : }
869 :
870 89 : if (san_type)
871 18 : *san_type = aki->cert_issuer.names[seq].type;
872 :
873 : return 0;
874 :
875 : }
876 :
877 : /**
878 : * gnutls_x509_ext_import_authority_key_id:
879 : * @ext: a DER encoded extension
880 : * @aki: An initialized authority key identifier type
881 : * @flags: should be zero
882 : *
883 : * This function will return the subject key ID stored in the provided
884 : * AuthorityKeyIdentifier extension.
885 : *
886 : * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
887 : * if the extension is not present, otherwise a negative error value.
888 : *
889 : * Since: 3.3.0
890 : **/
891 4013 : int gnutls_x509_ext_import_authority_key_id(const gnutls_datum_t * ext,
892 : gnutls_x509_aki_t aki,
893 : unsigned int flags)
894 : {
895 4013 : int ret;
896 4013 : unsigned i;
897 4013 : ASN1_TYPE c2 = ASN1_TYPE_EMPTY;
898 4013 : gnutls_datum_t san, othername_oid;
899 4013 : unsigned type;
900 :
901 4013 : ret = asn1_create_element
902 : (_gnutls_get_pkix(), "PKIX1.AuthorityKeyIdentifier", &c2);
903 4013 : if (ret != ASN1_SUCCESS) {
904 0 : gnutls_assert();
905 0 : return _gnutls_asn2err(ret);
906 : }
907 :
908 4013 : ret = _asn1_strict_der_decode(&c2, ext->data, ext->size, NULL);
909 4013 : if (ret != ASN1_SUCCESS) {
910 28 : gnutls_assert();
911 28 : ret = _gnutls_asn2err(ret);
912 28 : goto cleanup;
913 : }
914 :
915 : /* Read authorityCertIssuer */
916 133 : for (i=0;;i++) {
917 4118 : san.data = NULL;
918 4118 : san.size = 0;
919 4118 : othername_oid.data = NULL;
920 :
921 4118 : ret = _gnutls_parse_general_name2(c2, "authorityCertIssuer", i,
922 : &san, &type, 0);
923 4118 : if (ret < 0)
924 : break;
925 :
926 133 : if (type == GNUTLS_SAN_OTHERNAME) {
927 0 : ret =
928 0 : _gnutls_parse_general_name2(c2,
929 : "authorityCertIssuer",
930 : i,
931 : &othername_oid,
932 : NULL, 1);
933 0 : if (ret < 0)
934 : break;
935 : }
936 :
937 266 : ret = subject_alt_names_set(&aki->cert_issuer.names,
938 : &aki->cert_issuer.size,
939 : type, &san,
940 133 : (char *)othername_oid.data, 1);
941 133 : if (ret < 0)
942 : break;
943 : }
944 :
945 3985 : aki->cert_issuer.size = i;
946 3985 : if (ret < 0 && ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
947 2 : && ret != GNUTLS_E_ASN1_ELEMENT_NOT_FOUND) {
948 1 : gnutls_assert();
949 1 : gnutls_free(san.data);
950 1 : gnutls_free(othername_oid.data);
951 1 : goto cleanup;
952 : }
953 :
954 : /* Read the serial number */
955 3984 : ret =
956 3984 : _gnutls_x509_read_value(c2, "authorityCertSerialNumber",
957 : &aki->serial);
958 3984 : if (ret < 0 && ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
959 3870 : && ret != GNUTLS_E_ASN1_ELEMENT_NOT_FOUND) {
960 1 : gnutls_assert();
961 1 : goto cleanup;
962 : }
963 :
964 : /* Read the key identifier */
965 3983 : ret = _gnutls_x509_read_value(c2, "keyIdentifier", &aki->id);
966 3983 : if (ret < 0 && ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
967 94 : && ret != GNUTLS_E_ASN1_ELEMENT_NOT_FOUND) {
968 0 : gnutls_assert();
969 0 : goto cleanup;
970 : }
971 :
972 : ret = 0;
973 :
974 4013 : cleanup:
975 4013 : asn1_delete_structure(&c2);
976 :
977 4013 : return ret;
978 : }
979 :
980 : /**
981 : * gnutls_x509_ext_export_authority_key_id:
982 : * @aki: An initialized authority key identifier
983 : * @ext: The DER-encoded extension data; must be freed using gnutls_free().
984 : *
985 : * This function will convert the provided key identifier to a
986 : * DER-encoded PKIX AuthorityKeyIdentifier extension.
987 : * The output data in @ext will be allocated using
988 : * gnutls_malloc().
989 : *
990 : * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.
991 : *
992 : * Since: 3.3.0
993 : **/
994 47 : int gnutls_x509_ext_export_authority_key_id(gnutls_x509_aki_t aki,
995 : gnutls_datum_t * ext)
996 : {
997 47 : ASN1_TYPE c2 = ASN1_TYPE_EMPTY;
998 47 : unsigned i;
999 47 : int result, ret;
1000 :
1001 47 : result =
1002 47 : asn1_create_element(_gnutls_get_pkix(),
1003 : "PKIX1.AuthorityKeyIdentifier", &c2);
1004 47 : if (result != ASN1_SUCCESS) {
1005 0 : gnutls_assert();
1006 0 : return _gnutls_asn2err(result);
1007 : }
1008 :
1009 47 : if (aki->id.data != NULL) {
1010 47 : result =
1011 94 : asn1_write_value(c2, "keyIdentifier", aki->id.data,
1012 47 : aki->id.size);
1013 47 : if (result != ASN1_SUCCESS) {
1014 0 : gnutls_assert();
1015 0 : ret = _gnutls_asn2err(result);
1016 0 : goto cleanup;
1017 : }
1018 : } else {
1019 0 : (void)asn1_write_value(c2, "keyIdentifier", NULL, 0);
1020 : }
1021 :
1022 47 : if (aki->serial.data != NULL) {
1023 0 : result =
1024 0 : asn1_write_value(c2, "authorityCertSerialNumber",
1025 0 : aki->serial.data, aki->serial.size);
1026 0 : if (result != ASN1_SUCCESS) {
1027 0 : gnutls_assert();
1028 0 : ret = _gnutls_asn2err(result);
1029 0 : goto cleanup;
1030 : }
1031 : } else {
1032 47 : (void)asn1_write_value(c2, "authorityCertSerialNumber", NULL, 0);
1033 : }
1034 :
1035 47 : if (aki->cert_issuer.size == 0) {
1036 47 : (void)asn1_write_value(c2, "authorityCertIssuer", NULL, 0);
1037 : } else {
1038 0 : for (i = 0; i < aki->cert_issuer.size; i++) {
1039 0 : ret =
1040 0 : _gnutls_write_new_general_name(c2,
1041 : "authorityCertIssuer",
1042 : aki->cert_issuer.
1043 0 : names[i].type,
1044 : aki->
1045 : cert_issuer.names[i].
1046 0 : san.data,
1047 0 : aki->cert_issuer.
1048 0 : names[i].san.size);
1049 0 : if (ret < 0) {
1050 0 : gnutls_assert();
1051 0 : goto cleanup;
1052 : }
1053 : }
1054 : }
1055 :
1056 47 : ret = _gnutls_x509_der_encode(c2, "", ext, 0);
1057 47 : if (ret < 0) {
1058 0 : gnutls_assert();
1059 0 : goto cleanup;
1060 : }
1061 :
1062 : ret = 0;
1063 47 : cleanup:
1064 47 : asn1_delete_structure(&c2);
1065 47 : return ret;
1066 :
1067 : }
1068 :
1069 : /**
1070 : * gnutls_x509_ext_import_key_usage:
1071 : * @ext: the DER encoded extension data
1072 : * @key_usage: where the key usage bits will be stored
1073 : *
1074 : * This function will return certificate's key usage, by reading the DER
1075 : * data of the keyUsage X.509 extension (2.5.29.15). The key usage value will ORed
1076 : * values of the: %GNUTLS_KEY_DIGITAL_SIGNATURE,
1077 : * %GNUTLS_KEY_NON_REPUDIATION, %GNUTLS_KEY_KEY_ENCIPHERMENT,
1078 : * %GNUTLS_KEY_DATA_ENCIPHERMENT, %GNUTLS_KEY_KEY_AGREEMENT,
1079 : * %GNUTLS_KEY_KEY_CERT_SIGN, %GNUTLS_KEY_CRL_SIGN,
1080 : * %GNUTLS_KEY_ENCIPHER_ONLY, %GNUTLS_KEY_DECIPHER_ONLY.
1081 : *
1082 : * Returns: the certificate key usage, or a negative error code in case of
1083 : * parsing error. If the certificate does not contain the keyUsage
1084 : * extension %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be
1085 : * returned.
1086 : *
1087 : * Since: 3.3.0
1088 : **/
1089 18888 : int gnutls_x509_ext_import_key_usage(const gnutls_datum_t * ext,
1090 : unsigned int *key_usage)
1091 : {
1092 18888 : ASN1_TYPE c2 = ASN1_TYPE_EMPTY;
1093 18888 : int len, result;
1094 18888 : uint8_t str[2];
1095 :
1096 18888 : str[0] = str[1] = 0;
1097 18888 : *key_usage = 0;
1098 :
1099 18888 : if ((result = asn1_create_element
1100 : (_gnutls_get_pkix(), "PKIX1.KeyUsage", &c2)) != ASN1_SUCCESS) {
1101 0 : gnutls_assert();
1102 0 : return _gnutls_asn2err(result);
1103 : }
1104 :
1105 18888 : result = _asn1_strict_der_decode(&c2, ext->data, ext->size, NULL);
1106 18888 : if (result != ASN1_SUCCESS) {
1107 62 : gnutls_assert();
1108 62 : asn1_delete_structure(&c2);
1109 62 : return _gnutls_asn2err(result);
1110 : }
1111 :
1112 18826 : len = sizeof(str);
1113 18826 : result = asn1_read_value(c2, "", str, &len);
1114 18826 : if (result != ASN1_SUCCESS) {
1115 15 : gnutls_assert();
1116 15 : asn1_delete_structure(&c2);
1117 15 : return 0;
1118 : }
1119 :
1120 18811 : *key_usage = str[0] | (str[1] << 8);
1121 :
1122 18811 : asn1_delete_structure(&c2);
1123 :
1124 18811 : return 0;
1125 : }
1126 :
1127 : /**
1128 : * gnutls_x509_ext_export_key_usage:
1129 : * @usage: an ORed sequence of the GNUTLS_KEY_* elements.
1130 : * @ext: The DER-encoded extension data; must be freed using gnutls_free().
1131 : *
1132 : * This function will convert the keyUsage bit string to a DER
1133 : * encoded PKIX extension. The @ext data will be allocated using
1134 : * gnutls_malloc().
1135 : *
1136 : * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
1137 : * negative error value.
1138 : *
1139 : * Since: 3.3.0
1140 : **/
1141 81 : int gnutls_x509_ext_export_key_usage(unsigned int usage, gnutls_datum_t * ext)
1142 : {
1143 81 : ASN1_TYPE c2 = ASN1_TYPE_EMPTY;
1144 81 : int result;
1145 81 : uint8_t str[2];
1146 :
1147 81 : result = asn1_create_element(_gnutls_get_pkix(), "PKIX1.KeyUsage", &c2);
1148 81 : if (result != ASN1_SUCCESS) {
1149 0 : gnutls_assert();
1150 0 : return _gnutls_asn2err(result);
1151 : }
1152 :
1153 81 : str[0] = usage & 0xff;
1154 81 : str[1] = usage >> 8;
1155 :
1156 : /* Since KeyUsage is a BIT STRING, the input to asn1_write_value
1157 : * is the number of bits to be read. */
1158 81 : result = asn1_write_value(c2, "", str, 9);
1159 81 : if (result != ASN1_SUCCESS) {
1160 0 : gnutls_assert();
1161 0 : asn1_delete_structure(&c2);
1162 0 : return _gnutls_asn2err(result);
1163 : }
1164 :
1165 81 : result = _gnutls_x509_der_encode(c2, "", ext, 0);
1166 :
1167 81 : asn1_delete_structure(&c2);
1168 :
1169 81 : if (result < 0) {
1170 0 : gnutls_assert();
1171 0 : return result;
1172 : }
1173 :
1174 : return 0;
1175 : }
1176 :
1177 : /**
1178 : * gnutls_x509_ext_import_inhibit_anypolicy:
1179 : * @ext: the DER encoded extension data
1180 : * @skipcerts: will hold the number of certificates after which anypolicy is no longer acceptable.
1181 : *
1182 : * This function will return certificate's value of SkipCerts,
1183 : * by reading the DER data of the Inhibit anyPolicy X.509 extension (2.5.29.54).
1184 : *
1185 : * The @skipcerts value is the number of additional certificates that
1186 : * may appear in the path before the anyPolicy (%GNUTLS_X509_OID_POLICY_ANY)
1187 : * is no longer acceptable.
1188 : *
1189 : * Returns: zero, or a negative error code in case of
1190 : * parsing error. If the certificate does not contain the Inhibit anyPolicy
1191 : * extension %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be
1192 : * returned.
1193 : *
1194 : * Since: 3.6.0
1195 : **/
1196 6 : int gnutls_x509_ext_import_inhibit_anypolicy(const gnutls_datum_t * ext,
1197 : unsigned int *skipcerts)
1198 : {
1199 6 : int ret;
1200 :
1201 6 : ret = _gnutls_x509_read_der_uint(ext->data, ext->size, skipcerts);
1202 6 : if (ret < 0) {
1203 3 : gnutls_assert();
1204 : }
1205 :
1206 6 : return ret;
1207 : }
1208 :
1209 : /**
1210 : * gnutls_x509_ext_export_inhibit_anypolicy:
1211 : * @skipcerts: number of certificates after which anypolicy is no longer acceptable.
1212 : * @ext: The DER-encoded extension data; must be freed using gnutls_free().
1213 : *
1214 : * This function will convert the @skipcerts value to a DER
1215 : * encoded Inhibit AnyPolicy PKIX extension. The @ext data will be allocated using
1216 : * gnutls_malloc().
1217 : *
1218 : * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
1219 : * negative error value.
1220 : *
1221 : * Since: 3.6.0
1222 : **/
1223 1 : int gnutls_x509_ext_export_inhibit_anypolicy(unsigned int skipcerts, gnutls_datum_t * ext)
1224 : {
1225 1 : ASN1_TYPE c2 = ASN1_TYPE_EMPTY;
1226 1 : int result, ret;
1227 :
1228 1 : result = asn1_create_element(_gnutls_get_gnutls_asn(), "GNUTLS.DSAPublicKey", &c2);
1229 1 : if (result != ASN1_SUCCESS) {
1230 0 : gnutls_assert();
1231 0 : return _gnutls_asn2err(result);
1232 : }
1233 :
1234 1 : ret = _gnutls_x509_write_uint32(c2, "", skipcerts);
1235 1 : if (ret < 0) {
1236 0 : gnutls_assert();
1237 0 : goto cleanup;
1238 : }
1239 :
1240 1 : ret = _gnutls_x509_der_encode(c2, "", ext, 0);
1241 1 : if (ret < 0) {
1242 0 : gnutls_assert();
1243 0 : goto cleanup;
1244 : }
1245 :
1246 : ret = 0;
1247 :
1248 1 : cleanup:
1249 1 : asn1_delete_structure(&c2);
1250 :
1251 1 : return ret;
1252 : }
1253 :
1254 : /**
1255 : * gnutls_x509_ext_import_private_key_usage_period:
1256 : * @ext: the DER encoded extension data
1257 : * @activation: Will hold the activation time
1258 : * @expiration: Will hold the expiration time
1259 : *
1260 : * This function will return the expiration and activation
1261 : * times of the private key as written in the
1262 : * PKIX extension 2.5.29.16.
1263 : *
1264 : * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
1265 : * negative error value.
1266 : *
1267 : * Since: 3.3.0
1268 : **/
1269 15 : int gnutls_x509_ext_import_private_key_usage_period(const gnutls_datum_t * ext,
1270 : time_t * activation,
1271 : time_t * expiration)
1272 : {
1273 15 : int result, ret;
1274 15 : ASN1_TYPE c2 = ASN1_TYPE_EMPTY;
1275 :
1276 15 : result = asn1_create_element
1277 : (_gnutls_get_pkix(), "PKIX1.PrivateKeyUsagePeriod", &c2);
1278 15 : if (result != ASN1_SUCCESS) {
1279 0 : gnutls_assert();
1280 0 : ret = _gnutls_asn2err(result);
1281 0 : goto cleanup;
1282 : }
1283 :
1284 15 : result = _asn1_strict_der_decode(&c2, ext->data, ext->size, NULL);
1285 15 : if (result != ASN1_SUCCESS) {
1286 7 : gnutls_assert();
1287 7 : ret = _gnutls_asn2err(result);
1288 7 : goto cleanup;
1289 : }
1290 :
1291 8 : if (activation)
1292 8 : *activation = _gnutls_x509_get_time(c2, "notBefore", 1);
1293 :
1294 8 : if (expiration)
1295 8 : *expiration = _gnutls_x509_get_time(c2, "notAfter", 1);
1296 :
1297 : ret = 0;
1298 :
1299 15 : cleanup:
1300 15 : asn1_delete_structure(&c2);
1301 :
1302 15 : return ret;
1303 : }
1304 :
1305 : /**
1306 : * gnutls_x509_ext_export_private_key_usage_period:
1307 : * @activation: The activation time
1308 : * @expiration: The expiration time
1309 : * @ext: The DER-encoded extension data; must be freed using gnutls_free().
1310 : *
1311 : * This function will convert the periods provided to a private key
1312 : * usage DER encoded extension (2.5.29.16).
1313 : (
1314 : * The @ext data will be allocated using
1315 : * gnutls_malloc().
1316 : *
1317 : * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
1318 : * negative error value.
1319 : *
1320 : * Since: 3.3.0
1321 : **/
1322 0 : int gnutls_x509_ext_export_private_key_usage_period(time_t activation,
1323 : time_t expiration,
1324 : gnutls_datum_t * ext)
1325 : {
1326 0 : int result;
1327 0 : ASN1_TYPE c2 = ASN1_TYPE_EMPTY;
1328 :
1329 0 : result =
1330 0 : asn1_create_element(_gnutls_get_pkix(),
1331 : "PKIX1.PrivateKeyUsagePeriod", &c2);
1332 0 : if (result != ASN1_SUCCESS) {
1333 0 : gnutls_assert();
1334 0 : return _gnutls_asn2err(result);
1335 : }
1336 :
1337 0 : result = _gnutls_x509_set_time(c2, "notBefore", activation, 1);
1338 0 : if (result < 0) {
1339 0 : gnutls_assert();
1340 0 : goto cleanup;
1341 : }
1342 :
1343 0 : result = _gnutls_x509_set_time(c2, "notAfter", expiration, 1);
1344 0 : if (result < 0) {
1345 0 : gnutls_assert();
1346 0 : goto cleanup;
1347 : }
1348 :
1349 0 : result = _gnutls_x509_der_encode(c2, "", ext, 0);
1350 0 : if (result < 0) {
1351 0 : gnutls_assert();
1352 0 : goto cleanup;
1353 : }
1354 :
1355 0 : cleanup:
1356 0 : asn1_delete_structure(&c2);
1357 :
1358 0 : return result;
1359 :
1360 : }
1361 :
1362 : /**
1363 : * gnutls_x509_ext_import_basic_constraints:
1364 : * @ext: the DER encoded extension data
1365 : * @ca: will be non zero if the CA status is true
1366 : * @pathlen: the path length constraint; will be set to -1 for no limit
1367 : *
1368 : * This function will return the CA status and path length constraint
1369 : * as written in the PKIX extension 2.5.29.19.
1370 : *
1371 : * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
1372 : * negative error value.
1373 : *
1374 : * Since: 3.3.0
1375 : **/
1376 6489 : int gnutls_x509_ext_import_basic_constraints(const gnutls_datum_t * ext,
1377 : unsigned int *ca, int *pathlen)
1378 : {
1379 6489 : ASN1_TYPE c2 = ASN1_TYPE_EMPTY;
1380 6489 : char str[128]="";
1381 6489 : int len, result;
1382 :
1383 6489 : if ((result = asn1_create_element
1384 : (_gnutls_get_pkix(), "PKIX1.BasicConstraints",
1385 : &c2)) != ASN1_SUCCESS) {
1386 0 : gnutls_assert();
1387 0 : return _gnutls_asn2err(result);
1388 : }
1389 :
1390 6489 : result = _asn1_strict_der_decode(&c2, ext->data, ext->size, NULL);
1391 6489 : if (result != ASN1_SUCCESS) {
1392 41 : gnutls_assert();
1393 41 : result = _gnutls_asn2err(result);
1394 41 : goto cleanup;
1395 : }
1396 :
1397 6448 : if (pathlen) {
1398 5922 : result = _gnutls_x509_read_uint(c2, "pathLenConstraint",
1399 : (unsigned int *)
1400 : pathlen);
1401 5922 : if (result == GNUTLS_E_ASN1_ELEMENT_NOT_FOUND)
1402 5534 : *pathlen = -1;
1403 388 : else if (result != GNUTLS_E_SUCCESS) {
1404 4 : gnutls_assert();
1405 4 : result = _gnutls_asn2err(result);
1406 4 : goto cleanup;
1407 : }
1408 : }
1409 :
1410 : /* the default value of cA is false.
1411 : */
1412 6444 : len = sizeof(str) - 1;
1413 6444 : result = asn1_read_value(c2, "cA", str, &len);
1414 6444 : if (result == ASN1_SUCCESS && strcmp(str, "TRUE") == 0)
1415 5851 : *ca = 1;
1416 : else
1417 593 : *ca = 0;
1418 :
1419 : result = 0;
1420 6489 : cleanup:
1421 6489 : asn1_delete_structure(&c2);
1422 :
1423 6489 : return result;
1424 :
1425 : }
1426 :
1427 : /**
1428 : * gnutls_x509_ext_export_basic_constraints:
1429 : * @ca: non-zero for a CA
1430 : * @pathlen: The path length constraint (set to -1 for no constraint)
1431 : * @ext: The DER-encoded extension data; must be freed using gnutls_free().
1432 : *
1433 : * This function will convert the parameters provided to a basic constraints
1434 : * DER encoded extension (2.5.29.19).
1435 : (
1436 : * The @ext data will be allocated using
1437 : * gnutls_malloc().
1438 : *
1439 : * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
1440 : * negative error value.
1441 : *
1442 : * Since: 3.3.0
1443 : **/
1444 105 : int gnutls_x509_ext_export_basic_constraints(unsigned int ca, int pathlen,
1445 : gnutls_datum_t * ext)
1446 : {
1447 105 : ASN1_TYPE c2 = ASN1_TYPE_EMPTY;
1448 105 : const char *str;
1449 105 : int result;
1450 :
1451 105 : if (ca == 0)
1452 : str = "FALSE";
1453 : else
1454 67 : str = "TRUE";
1455 :
1456 105 : result =
1457 105 : asn1_create_element(_gnutls_get_pkix(),
1458 : "PKIX1.BasicConstraints", &c2);
1459 105 : if (result != ASN1_SUCCESS) {
1460 0 : gnutls_assert();
1461 0 : result = _gnutls_asn2err(result);
1462 0 : goto cleanup;
1463 : }
1464 :
1465 105 : result = asn1_write_value(c2, "cA", str, 1);
1466 105 : if (result != ASN1_SUCCESS) {
1467 0 : gnutls_assert();
1468 0 : result = _gnutls_asn2err(result);
1469 0 : goto cleanup;
1470 : }
1471 :
1472 105 : if (pathlen < 0) {
1473 101 : result = asn1_write_value(c2, "pathLenConstraint", NULL, 0);
1474 101 : if (result < 0)
1475 0 : result = _gnutls_asn2err(result);
1476 : } else
1477 4 : result =
1478 4 : _gnutls_x509_write_uint32(c2, "pathLenConstraint", pathlen);
1479 105 : if (result < 0) {
1480 0 : gnutls_assert();
1481 0 : goto cleanup;
1482 : }
1483 :
1484 105 : result = _gnutls_x509_der_encode(c2, "", ext, 0);
1485 105 : if (result < 0) {
1486 0 : gnutls_assert();
1487 0 : goto cleanup;
1488 : }
1489 :
1490 : result = 0;
1491 :
1492 105 : cleanup:
1493 105 : asn1_delete_structure(&c2);
1494 105 : return result;
1495 :
1496 : }
1497 :
1498 : /**
1499 : * gnutls_x509_ext_import_proxy:
1500 : * @ext: the DER encoded extension data
1501 : * @pathlen: pointer to output integer indicating path length (may be
1502 : * NULL), non-negative error codes indicate a present pCPathLenConstraint
1503 : * field and the actual value, -1 indicate that the field is absent.
1504 : * @policyLanguage: output variable with OID of policy language
1505 : * @policy: output variable with policy data
1506 : * @sizeof_policy: output variable with size of policy data
1507 : *
1508 : * This function will return the information from a proxy certificate
1509 : * extension. It reads the ProxyCertInfo X.509 extension (1.3.6.1.5.5.7.1.14).
1510 : * The @policyLanguage and @policy values must be deinitialized using gnutls_free() after use.
1511 : *
1512 : * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
1513 : * negative error value.
1514 : *
1515 : * Since: 3.3.0
1516 : **/
1517 4 : int gnutls_x509_ext_import_proxy(const gnutls_datum_t *ext, int *pathlen,
1518 : char **policyLanguage, char **policy,
1519 : size_t *sizeof_policy)
1520 : {
1521 4 : ASN1_TYPE c2 = ASN1_TYPE_EMPTY;
1522 4 : int result;
1523 4 : gnutls_datum_t value1 = { NULL, 0 };
1524 4 : gnutls_datum_t value2 = { NULL, 0 };
1525 :
1526 4 : if ((result = asn1_create_element
1527 : (_gnutls_get_pkix(), "PKIX1.ProxyCertInfo",
1528 : &c2)) != ASN1_SUCCESS) {
1529 0 : gnutls_assert();
1530 0 : return _gnutls_asn2err(result);
1531 : }
1532 :
1533 4 : result = _asn1_strict_der_decode(&c2, ext->data, ext->size, NULL);
1534 4 : if (result != ASN1_SUCCESS) {
1535 0 : gnutls_assert();
1536 0 : result = _gnutls_asn2err(result);
1537 0 : goto cleanup;
1538 : }
1539 :
1540 4 : if (pathlen) {
1541 4 : result = _gnutls_x509_read_uint(c2, "pCPathLenConstraint",
1542 : (unsigned int *)
1543 : pathlen);
1544 4 : if (result == GNUTLS_E_ASN1_ELEMENT_NOT_FOUND)
1545 4 : *pathlen = -1;
1546 0 : else if (result != GNUTLS_E_SUCCESS) {
1547 0 : gnutls_assert();
1548 0 : result = _gnutls_asn2err(result);
1549 0 : goto cleanup;
1550 : }
1551 : }
1552 :
1553 4 : result = _gnutls_x509_read_value(c2, "proxyPolicy.policyLanguage",
1554 : &value1);
1555 4 : if (result < 0) {
1556 0 : gnutls_assert();
1557 0 : goto cleanup;
1558 : }
1559 :
1560 4 : result = _gnutls_x509_read_value(c2, "proxyPolicy.policy", &value2);
1561 4 : if (result == GNUTLS_E_ASN1_ELEMENT_NOT_FOUND) {
1562 2 : if (policy)
1563 2 : *policy = NULL;
1564 2 : if (sizeof_policy)
1565 2 : *sizeof_policy = 0;
1566 2 : } else if (result < 0) {
1567 0 : gnutls_assert();
1568 0 : goto cleanup;
1569 : } else {
1570 2 : if (policy) {
1571 2 : *policy = (char *)value2.data;
1572 2 : value2.data = NULL;
1573 : }
1574 2 : if (sizeof_policy)
1575 2 : *sizeof_policy = value2.size;
1576 : }
1577 :
1578 4 : if (policyLanguage) {
1579 4 : *policyLanguage = (char *)value1.data;
1580 4 : value1.data = NULL;
1581 : }
1582 :
1583 : result = 0;
1584 4 : cleanup:
1585 4 : gnutls_free(value1.data);
1586 4 : gnutls_free(value2.data);
1587 4 : asn1_delete_structure(&c2);
1588 :
1589 4 : return result;
1590 : }
1591 :
1592 : /**
1593 : * gnutls_x509_ext_export_proxy:
1594 : * @pathLenConstraint: A negative value will remove the path length constraint,
1595 : * while non-negative values will be set as the length of the pathLenConstraints field.
1596 : * @policyLanguage: OID describing the language of @policy.
1597 : * @policy: uint8_t byte array with policy language, can be %NULL
1598 : * @sizeof_policy: size of @policy.
1599 : * @ext: The DER-encoded extension data; must be freed using gnutls_free().
1600 : *
1601 : * This function will convert the parameters provided to a proxyCertInfo extension.
1602 : *
1603 : * The @ext data will be allocated using gnutls_malloc().
1604 : *
1605 : * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
1606 : * negative error value.
1607 : *
1608 : * Since: 3.3.0
1609 : **/
1610 0 : int gnutls_x509_ext_export_proxy(int pathLenConstraint, const char *policyLanguage,
1611 : const char *policy, size_t sizeof_policy,
1612 : gnutls_datum_t * ext)
1613 : {
1614 0 : ASN1_TYPE c2 = ASN1_TYPE_EMPTY;
1615 0 : int result;
1616 :
1617 0 : result = asn1_create_element(_gnutls_get_pkix(),
1618 : "PKIX1.ProxyCertInfo", &c2);
1619 0 : if (result != ASN1_SUCCESS) {
1620 0 : gnutls_assert();
1621 0 : return _gnutls_asn2err(result);
1622 : }
1623 :
1624 0 : if (pathLenConstraint < 0) {
1625 0 : result = asn1_write_value(c2, "pCPathLenConstraint", NULL, 0);
1626 0 : if (result != ASN1_SUCCESS) {
1627 0 : gnutls_assert();
1628 0 : result = _gnutls_asn2err(result);
1629 0 : goto cleanup;
1630 : }
1631 : } else {
1632 0 : result =
1633 0 : _gnutls_x509_write_uint32(c2, "pCPathLenConstraint",
1634 : pathLenConstraint);
1635 :
1636 0 : if (result < 0) {
1637 0 : gnutls_assert();
1638 0 : goto cleanup;
1639 : }
1640 : }
1641 :
1642 0 : result = asn1_write_value(c2, "proxyPolicy.policyLanguage",
1643 : policyLanguage, 1);
1644 0 : if (result < 0) {
1645 0 : gnutls_assert();
1646 0 : result = _gnutls_asn2err(result);
1647 0 : goto cleanup;
1648 : }
1649 :
1650 0 : result = asn1_write_value(c2, "proxyPolicy.policy",
1651 : policy, sizeof_policy);
1652 0 : if (result < 0) {
1653 0 : gnutls_assert();
1654 0 : result = _gnutls_asn2err(result);
1655 0 : goto cleanup;
1656 : }
1657 :
1658 0 : result = _gnutls_x509_der_encode(c2, "", ext, 0);
1659 0 : if (result < 0) {
1660 0 : gnutls_assert();
1661 0 : goto cleanup;
1662 : }
1663 :
1664 : result = 0;
1665 0 : cleanup:
1666 0 : asn1_delete_structure(&c2);
1667 0 : return result;
1668 :
1669 : }
1670 :
1671 90 : static int decode_user_notice(const void *data, size_t size,
1672 : gnutls_datum_t * txt)
1673 : {
1674 90 : ASN1_TYPE c2 = ASN1_TYPE_EMPTY;
1675 90 : int ret, len;
1676 90 : char choice_type[64];
1677 90 : char name[128];
1678 90 : gnutls_datum_t td = {NULL,0}, utd;
1679 :
1680 90 : ret = asn1_create_element(_gnutls_get_pkix(), "PKIX1.UserNotice", &c2);
1681 90 : if (ret != ASN1_SUCCESS) {
1682 0 : gnutls_assert();
1683 0 : ret = GNUTLS_E_PARSING_ERROR;
1684 0 : goto cleanup;
1685 : }
1686 :
1687 90 : ret = _asn1_strict_der_decode(&c2, data, size, NULL);
1688 90 : if (ret != ASN1_SUCCESS) {
1689 5 : gnutls_assert();
1690 5 : ret = GNUTLS_E_PARSING_ERROR;
1691 5 : goto cleanup;
1692 : }
1693 :
1694 85 : len = sizeof(choice_type);
1695 85 : ret = asn1_read_value(c2, "explicitText", choice_type, &len);
1696 85 : if (ret != ASN1_SUCCESS) {
1697 3 : gnutls_assert();
1698 3 : ret = GNUTLS_E_PARSING_ERROR;
1699 3 : goto cleanup;
1700 : }
1701 :
1702 82 : if (strcmp(choice_type, "utf8String") != 0
1703 63 : && strcmp(choice_type, "ia5String") != 0
1704 53 : && strcmp(choice_type, "bmpString") != 0
1705 36 : && strcmp(choice_type, "visibleString") != 0) {
1706 0 : gnutls_assert();
1707 0 : ret = GNUTLS_E_PARSING_ERROR;
1708 0 : goto cleanup;
1709 : }
1710 :
1711 82 : snprintf(name, sizeof(name), "explicitText.%s", choice_type);
1712 :
1713 82 : ret = _gnutls_x509_read_value(c2, name, &td);
1714 82 : if (ret < 0) {
1715 1 : gnutls_assert();
1716 1 : goto cleanup;
1717 : }
1718 :
1719 81 : if (strcmp(choice_type, "bmpString") == 0) { /* convert to UTF-8 */
1720 17 : ret = _gnutls_ucs2_to_utf8(td.data, td.size, &utd, 1);
1721 17 : _gnutls_free_datum(&td);
1722 17 : if (ret < 0) {
1723 2 : gnutls_assert();
1724 2 : goto cleanup;
1725 : }
1726 :
1727 15 : td.data = utd.data;
1728 15 : td.size = utd.size;
1729 : } else {
1730 : /* _gnutls_x509_read_value allows that */
1731 64 : td.data[td.size] = 0;
1732 : }
1733 :
1734 79 : txt->data = (void *)td.data;
1735 79 : txt->size = td.size;
1736 79 : ret = 0;
1737 :
1738 90 : cleanup:
1739 90 : asn1_delete_structure(&c2);
1740 90 : return ret;
1741 :
1742 : }
1743 :
1744 : struct gnutls_x509_policies_st {
1745 : struct gnutls_x509_policy_st policy[MAX_ENTRIES];
1746 : unsigned int size;
1747 : };
1748 :
1749 : /**
1750 : * gnutls_x509_policies_init:
1751 : * @policies: The authority key ID
1752 : *
1753 : * This function will initialize an authority key ID type.
1754 : *
1755 : * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.
1756 : *
1757 : * Since: 3.3.0
1758 : **/
1759 316 : int gnutls_x509_policies_init(gnutls_x509_policies_t * policies)
1760 : {
1761 316 : *policies = gnutls_calloc(1, sizeof(struct gnutls_x509_policies_st));
1762 316 : if (*policies == NULL)
1763 0 : return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
1764 :
1765 : return 0;
1766 : }
1767 :
1768 : /**
1769 : * gnutls_x509_policies_deinit:
1770 : * @policies: The authority key identifier
1771 : *
1772 : * This function will deinitialize an authority key identifier type.
1773 : *
1774 : * Since: 3.3.0
1775 : **/
1776 316 : void gnutls_x509_policies_deinit(gnutls_x509_policies_t policies)
1777 : {
1778 316 : unsigned i;
1779 :
1780 701 : for (i = 0; i < policies->size; i++) {
1781 385 : gnutls_x509_policy_release(&policies->policy[i]);
1782 : }
1783 316 : gnutls_free(policies);
1784 316 : }
1785 :
1786 : /**
1787 : * gnutls_x509_policies_get:
1788 : * @policies: The policies
1789 : * @seq: The index of the name to get
1790 : * @policy: Will hold the policy
1791 : *
1792 : * This function will return a specific policy as stored in
1793 : * the @policies type. The returned values should be treated as constant
1794 : * and valid for the lifetime of @policies.
1795 : *
1796 : * The any policy OID is available as the %GNUTLS_X509_OID_POLICY_ANY macro.
1797 : *
1798 : * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
1799 : * if the index is out of bounds, otherwise a negative error value.
1800 : *
1801 : * Since: 3.3.0
1802 : **/
1803 645 : int gnutls_x509_policies_get(gnutls_x509_policies_t policies,
1804 : unsigned int seq,
1805 : struct gnutls_x509_policy_st *policy)
1806 : {
1807 645 : if (seq >= policies->size)
1808 266 : return gnutls_assert_val(GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE);
1809 :
1810 379 : if (policy) {
1811 379 : memcpy(policy, &policies->policy[seq],
1812 : sizeof(struct gnutls_x509_policy_st));
1813 : }
1814 :
1815 : return 0;
1816 : }
1817 :
1818 0 : void _gnutls_x509_policies_erase(gnutls_x509_policies_t policies,
1819 : unsigned int seq)
1820 : {
1821 0 : if (seq >= policies->size)
1822 : return;
1823 :
1824 0 : memset(&policies->policy[seq], 0, sizeof(struct gnutls_x509_policy_st));
1825 : }
1826 :
1827 : /**
1828 : * gnutls_x509_policies_set:
1829 : * @policies: An initialized policies
1830 : * @seq: The index of the name to get
1831 : * @policy: Contains the policy to set
1832 : *
1833 : * This function will store the specified policy in
1834 : * the provided @policies.
1835 : *
1836 : * Returns: On success, %GNUTLS_E_SUCCESS (0), otherwise a negative error value.
1837 : *
1838 : * Since: 3.3.0
1839 : **/
1840 3 : int gnutls_x509_policies_set(gnutls_x509_policies_t policies,
1841 : const struct gnutls_x509_policy_st *policy)
1842 : {
1843 3 : unsigned i;
1844 :
1845 3 : if (policies->size + 1 > MAX_ENTRIES)
1846 0 : return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
1847 :
1848 3 : policies->policy[policies->size].oid = gnutls_strdup(policy->oid);
1849 3 : if (policies->policy[policies->size].oid == NULL)
1850 0 : return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
1851 :
1852 9 : for (i = 0; i < policy->qualifiers; i++) {
1853 6 : policies->policy[policies->size].qualifier[i].type =
1854 6 : policy->qualifier[i].type;
1855 6 : policies->policy[policies->size].qualifier[i].size =
1856 6 : policy->qualifier[i].size;
1857 12 : policies->policy[policies->size].qualifier[i].data =
1858 6 : gnutls_malloc(policy->qualifier[i].size + 1);
1859 6 : if (policies->policy[policies->size].qualifier[i].data == NULL)
1860 0 : return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
1861 6 : memcpy(policies->policy[policies->size].qualifier[i].data,
1862 6 : policy->qualifier[i].data, policy->qualifier[i].size);
1863 6 : policies->policy[policies->size].qualifier[i].data[policy->
1864 6 : qualifier[i].
1865 6 : size] = 0;
1866 : }
1867 :
1868 3 : policies->policy[policies->size].qualifiers = policy->qualifiers;
1869 3 : policies->size++;
1870 :
1871 3 : return 0;
1872 : }
1873 :
1874 : /**
1875 : * gnutls_x509_ext_import_policies:
1876 : * @ext: the DER encoded extension data
1877 : * @policies: A pointer to an initialized policies.
1878 : * @flags: should be zero
1879 : *
1880 : * This function will extract the certificate policy extension (2.5.29.32)
1881 : * and store it the provided policies.
1882 : *
1883 : * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.
1884 : *
1885 : * Since: 3.3.0
1886 : **/
1887 315 : int gnutls_x509_ext_import_policies(const gnutls_datum_t * ext,
1888 : gnutls_x509_policies_t policies,
1889 : unsigned int flags)
1890 : {
1891 315 : ASN1_TYPE c2 = ASN1_TYPE_EMPTY;
1892 315 : char tmpstr[128];
1893 315 : char tmpoid[MAX_OID_SIZE];
1894 315 : gnutls_datum_t tmpd = { NULL, 0 };
1895 315 : int ret, len;
1896 315 : unsigned i, j, current = 0;
1897 :
1898 315 : ret = asn1_create_element
1899 : (_gnutls_get_pkix(), "PKIX1.certificatePolicies", &c2);
1900 315 : if (ret != ASN1_SUCCESS) {
1901 0 : gnutls_assert();
1902 0 : ret = _gnutls_asn2err(ret);
1903 0 : goto cleanup;
1904 : }
1905 :
1906 315 : ret = _asn1_strict_der_decode(&c2, ext->data, ext->size, NULL);
1907 315 : if (ret != ASN1_SUCCESS) {
1908 31 : gnutls_assert();
1909 31 : ret = _gnutls_asn2err(ret);
1910 31 : goto cleanup;
1911 : }
1912 :
1913 : for (j = 0;; j++) {
1914 679 : if (j >= MAX_ENTRIES)
1915 : break;
1916 :
1917 679 : memset(&policies->policy[j], 0,
1918 : sizeof(struct gnutls_x509_policy_st));
1919 :
1920 : /* create a string like "?1"
1921 : */
1922 679 : snprintf(tmpstr, sizeof(tmpstr), "?%u.policyIdentifier", j + 1);
1923 679 : current = j+1;
1924 :
1925 679 : ret = _gnutls_x509_read_value(c2, tmpstr, &tmpd);
1926 679 : if (ret == GNUTLS_E_ASN1_ELEMENT_NOT_FOUND)
1927 : break;
1928 :
1929 411 : if (ret < 0) {
1930 0 : gnutls_assert();
1931 0 : goto full_cleanup;
1932 : }
1933 :
1934 411 : policies->policy[j].oid = (void *)tmpd.data;
1935 411 : tmpd.data = NULL;
1936 :
1937 606 : for (i = 0; i < GNUTLS_MAX_QUALIFIERS; i++) {
1938 606 : gnutls_datum_t td;
1939 :
1940 606 : snprintf(tmpstr, sizeof(tmpstr),
1941 : "?%u.policyQualifiers.?%u.policyQualifierId",
1942 : j + 1, i + 1);
1943 :
1944 606 : len = sizeof(tmpoid);
1945 606 : ret = asn1_read_value(c2, tmpstr, tmpoid, &len);
1946 :
1947 606 : if (ret == ASN1_ELEMENT_NOT_FOUND)
1948 : break; /* finished */
1949 :
1950 211 : if (ret != ASN1_SUCCESS) {
1951 0 : gnutls_assert();
1952 0 : ret = _gnutls_asn2err(ret);
1953 16 : goto full_cleanup;
1954 : }
1955 :
1956 211 : if (strcmp(tmpoid, "1.3.6.1.5.5.7.2.1") == 0) {
1957 99 : snprintf(tmpstr, sizeof(tmpstr),
1958 : "?%u.policyQualifiers.?%u.qualifier",
1959 : j + 1, i + 1);
1960 :
1961 99 : ret =
1962 99 : _gnutls_x509_read_string(c2, tmpstr, &td,
1963 : ASN1_ETYPE_IA5_STRING, 0);
1964 99 : if (ret < 0) {
1965 5 : gnutls_assert();
1966 5 : goto full_cleanup;
1967 : }
1968 :
1969 94 : policies->policy[j].qualifier[i].data =
1970 94 : (void *)td.data;
1971 94 : policies->policy[j].qualifier[i].size = td.size;
1972 94 : td.data = NULL;
1973 94 : policies->policy[j].qualifier[i].type =
1974 : GNUTLS_X509_QUALIFIER_URI;
1975 112 : } else if (strcmp(tmpoid, "1.3.6.1.5.5.7.2.2") == 0) {
1976 90 : gnutls_datum_t txt = {NULL, 0};
1977 :
1978 90 : snprintf(tmpstr, sizeof(tmpstr),
1979 : "?%u.policyQualifiers.?%u.qualifier",
1980 : j + 1, i + 1);
1981 :
1982 90 : ret = _gnutls_x509_read_value(c2, tmpstr, &td);
1983 90 : if (ret < 0) {
1984 0 : gnutls_assert();
1985 11 : goto full_cleanup;
1986 : }
1987 :
1988 90 : ret =
1989 90 : decode_user_notice(td.data, td.size, &txt);
1990 90 : gnutls_free(td.data);
1991 :
1992 90 : if (ret < 0) {
1993 11 : gnutls_assert();
1994 11 : goto full_cleanup;
1995 : }
1996 :
1997 79 : policies->policy[j].qualifier[i].data =
1998 79 : (void *)txt.data;
1999 79 : policies->policy[j].qualifier[i].size =
2000 79 : txt.size;
2001 79 : policies->policy[j].qualifier[i].type =
2002 : GNUTLS_X509_QUALIFIER_NOTICE;
2003 : } else
2004 22 : policies->policy[j].qualifier[i].type =
2005 : GNUTLS_X509_QUALIFIER_UNKNOWN;
2006 :
2007 195 : policies->policy[j].qualifiers++;
2008 : }
2009 :
2010 : }
2011 :
2012 268 : policies->size = j;
2013 :
2014 268 : ret = 0;
2015 268 : goto cleanup;
2016 :
2017 16 : full_cleanup:
2018 45 : for (j = 0; j < current; j++)
2019 29 : gnutls_x509_policy_release(&policies->policy[j]);
2020 :
2021 16 : cleanup:
2022 315 : _gnutls_free_datum(&tmpd);
2023 315 : asn1_delete_structure(&c2);
2024 315 : return ret;
2025 :
2026 : }
2027 :
2028 6 : static int encode_user_notice(const gnutls_datum_t * txt,
2029 : gnutls_datum_t * der_data)
2030 : {
2031 6 : int result;
2032 6 : ASN1_TYPE c2 = ASN1_TYPE_EMPTY;
2033 :
2034 12 : if ((result =
2035 6 : asn1_create_element(_gnutls_get_pkix(),
2036 : "PKIX1.UserNotice", &c2)) != ASN1_SUCCESS) {
2037 0 : gnutls_assert();
2038 0 : result = _gnutls_asn2err(result);
2039 0 : goto error;
2040 : }
2041 :
2042 : /* delete noticeRef */
2043 6 : result = asn1_write_value(c2, "noticeRef", NULL, 0);
2044 6 : if (result != ASN1_SUCCESS) {
2045 0 : gnutls_assert();
2046 0 : result = _gnutls_asn2err(result);
2047 0 : goto error;
2048 : }
2049 :
2050 6 : result = asn1_write_value(c2, "explicitText", "utf8String", 1);
2051 6 : if (result != ASN1_SUCCESS) {
2052 0 : gnutls_assert();
2053 0 : result = _gnutls_asn2err(result);
2054 0 : goto error;
2055 : }
2056 :
2057 6 : result =
2058 12 : asn1_write_value(c2, "explicitText.utf8String", txt->data,
2059 6 : txt->size);
2060 6 : if (result != ASN1_SUCCESS) {
2061 0 : gnutls_assert();
2062 0 : result = _gnutls_asn2err(result);
2063 0 : goto error;
2064 : }
2065 :
2066 6 : result = _gnutls_x509_der_encode(c2, "", der_data, 0);
2067 6 : if (result < 0) {
2068 0 : gnutls_assert();
2069 0 : goto error;
2070 : }
2071 :
2072 : result = 0;
2073 :
2074 6 : error:
2075 6 : asn1_delete_structure(&c2);
2076 6 : return result;
2077 :
2078 : }
2079 :
2080 : /**
2081 : * gnutls_x509_ext_export_policies:
2082 : * @policies: A pointer to an initialized policies.
2083 : * @ext: The DER-encoded extension data; must be freed using gnutls_free().
2084 : *
2085 : * This function will convert the provided policies, to a certificate policy
2086 : * DER encoded extension (2.5.29.32).
2087 : *
2088 : * The @ext data will be allocated using gnutls_malloc().
2089 : *
2090 : * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.
2091 : *
2092 : * Since: 3.3.0
2093 : **/
2094 3 : int gnutls_x509_ext_export_policies(gnutls_x509_policies_t policies,
2095 : gnutls_datum_t * ext)
2096 : {
2097 3 : int result;
2098 3 : unsigned i, j;
2099 3 : gnutls_datum_t der_data = {NULL, 0}, tmpd;
2100 3 : ASN1_TYPE c2 = ASN1_TYPE_EMPTY;
2101 3 : const char *oid;
2102 :
2103 3 : result =
2104 3 : asn1_create_element(_gnutls_get_pkix(),
2105 : "PKIX1.certificatePolicies", &c2);
2106 3 : if (result != ASN1_SUCCESS) {
2107 0 : gnutls_assert();
2108 0 : result = _gnutls_asn2err(result);
2109 0 : goto cleanup;
2110 : }
2111 :
2112 9 : for (j = 0; j < policies->size; j++) {
2113 : /* 1. write a new policy */
2114 6 : result = asn1_write_value(c2, "", "NEW", 1);
2115 6 : if (result != ASN1_SUCCESS) {
2116 0 : gnutls_assert();
2117 0 : result = _gnutls_asn2err(result);
2118 0 : goto cleanup;
2119 : }
2120 :
2121 : /* 2. Add the OID.
2122 : */
2123 6 : result =
2124 12 : asn1_write_value(c2, "?LAST.policyIdentifier",
2125 6 : policies->policy[j].oid, 1);
2126 6 : if (result != ASN1_SUCCESS) {
2127 0 : gnutls_assert();
2128 0 : result = _gnutls_asn2err(result);
2129 0 : goto cleanup;
2130 : }
2131 :
2132 18 : for (i = 0;
2133 18 : i < MIN(policies->policy[j].qualifiers,
2134 12 : GNUTLS_MAX_QUALIFIERS); i++) {
2135 12 : result =
2136 12 : asn1_write_value(c2, "?LAST.policyQualifiers",
2137 : "NEW", 1);
2138 12 : if (result != ASN1_SUCCESS) {
2139 0 : gnutls_assert();
2140 0 : result = _gnutls_asn2err(result);
2141 0 : goto cleanup;
2142 : }
2143 :
2144 12 : if (policies->policy[j].qualifier[i].type ==
2145 : GNUTLS_X509_QUALIFIER_URI)
2146 : oid = "1.3.6.1.5.5.7.2.1";
2147 6 : else if (policies->policy[j].qualifier[i].type ==
2148 : GNUTLS_X509_QUALIFIER_NOTICE)
2149 : oid = "1.3.6.1.5.5.7.2.2";
2150 : else {
2151 0 : result =
2152 0 : gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
2153 0 : goto cleanup;
2154 : }
2155 :
2156 12 : result =
2157 12 : asn1_write_value(c2,
2158 : "?LAST.policyQualifiers.?LAST.policyQualifierId",
2159 : oid, 1);
2160 12 : if (result != ASN1_SUCCESS) {
2161 0 : gnutls_assert();
2162 0 : result = _gnutls_asn2err(result);
2163 0 : goto cleanup;
2164 : }
2165 :
2166 12 : if (policies->policy[j].qualifier[i].type ==
2167 : GNUTLS_X509_QUALIFIER_URI) {
2168 6 : tmpd.data =
2169 6 : (void *)policies->policy[j].qualifier[i].
2170 : data;
2171 6 : tmpd.size =
2172 6 : policies->policy[j].qualifier[i].size;
2173 6 : result =
2174 6 : _gnutls_x509_write_string(c2,
2175 : "?LAST.policyQualifiers.?LAST.qualifier",
2176 : &tmpd,
2177 : ASN1_ETYPE_IA5_STRING);
2178 6 : if (result < 0) {
2179 0 : gnutls_assert();
2180 0 : goto cleanup;
2181 : }
2182 6 : } else if (policies->policy[j].qualifier[i].type ==
2183 : GNUTLS_X509_QUALIFIER_NOTICE) {
2184 6 : tmpd.data =
2185 6 : (void *)policies->policy[j].qualifier[i].
2186 : data;
2187 6 : tmpd.size =
2188 6 : policies->policy[j].qualifier[i].size;
2189 :
2190 6 : if (tmpd.size > 200) {
2191 0 : gnutls_assert();
2192 0 : result = GNUTLS_E_INVALID_REQUEST;
2193 0 : goto cleanup;
2194 : }
2195 :
2196 6 : result = encode_user_notice(&tmpd, &der_data);
2197 6 : if (result < 0) {
2198 0 : gnutls_assert();
2199 0 : goto cleanup;
2200 : }
2201 :
2202 6 : result =
2203 6 : _gnutls_x509_write_value(c2,
2204 : "?LAST.policyQualifiers.?LAST.qualifier",
2205 : &der_data);
2206 6 : _gnutls_free_datum(&der_data);
2207 6 : if (result < 0) {
2208 0 : gnutls_assert();
2209 0 : goto cleanup;
2210 : }
2211 : }
2212 : }
2213 : }
2214 :
2215 3 : result = _gnutls_x509_der_encode(c2, "", ext, 0);
2216 3 : if (result < 0) {
2217 0 : gnutls_assert();
2218 0 : goto cleanup;
2219 : }
2220 :
2221 3 : cleanup:
2222 3 : asn1_delete_structure(&c2);
2223 :
2224 3 : return result;
2225 : }
2226 :
2227 : struct crl_dist_point_st {
2228 : unsigned int type;
2229 : gnutls_datum_t san;
2230 : unsigned int reasons;
2231 : };
2232 :
2233 : struct gnutls_x509_crl_dist_points_st {
2234 : struct crl_dist_point_st *points;
2235 : unsigned int size;
2236 : };
2237 :
2238 : /**
2239 : * gnutls_x509_crl_dist_points_init:
2240 : * @cdp: The CRL distribution points
2241 : *
2242 : * This function will initialize a CRL distribution points type.
2243 : *
2244 : * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.
2245 : *
2246 : * Since: 3.3.0
2247 : **/
2248 331 : int gnutls_x509_crl_dist_points_init(gnutls_x509_crl_dist_points_t * cdp)
2249 : {
2250 331 : *cdp = gnutls_calloc(1, sizeof(struct gnutls_x509_crl_dist_points_st));
2251 331 : if (*cdp == NULL)
2252 0 : return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
2253 :
2254 : return 0;
2255 : }
2256 :
2257 : /**
2258 : * gnutls_x509_crl_dist_points_deinit:
2259 : * @cdp: The CRL distribution points
2260 : *
2261 : * This function will deinitialize a CRL distribution points type.
2262 : *
2263 : * Since: 3.3.0
2264 : **/
2265 331 : void gnutls_x509_crl_dist_points_deinit(gnutls_x509_crl_dist_points_t cdp)
2266 : {
2267 331 : unsigned i;
2268 :
2269 896 : for (i = 0; i < cdp->size; i++) {
2270 565 : gnutls_free(cdp->points[i].san.data);
2271 : }
2272 331 : gnutls_free(cdp->points);
2273 331 : gnutls_free(cdp);
2274 331 : }
2275 :
2276 : /**
2277 : * gnutls_x509_crl_dist_points_get:
2278 : * @cdp: The CRL distribution points
2279 : * @seq: specifies the sequence number of the distribution point (0 for the first one, 1 for the second etc.)
2280 : * @type: The name type of the corresponding name (gnutls_x509_subject_alt_name_t)
2281 : * @san: The distribution point names (to be treated as constant)
2282 : * @reasons: Revocation reasons. An ORed sequence of flags from %gnutls_x509_crl_reason_flags_t.
2283 : *
2284 : * This function retrieves the individual CRL distribution points (2.5.29.31),
2285 : * contained in provided type.
2286 : *
2287 : * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
2288 : * if the index is out of bounds, otherwise a negative error value.
2289 : **/
2290 :
2291 520 : int gnutls_x509_crl_dist_points_get(gnutls_x509_crl_dist_points_t cdp,
2292 : unsigned int seq, unsigned int *type,
2293 : gnutls_datum_t * san, unsigned int *reasons)
2294 : {
2295 520 : if (seq >= cdp->size)
2296 187 : return gnutls_assert_val(GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE);
2297 :
2298 333 : if (reasons)
2299 333 : *reasons = cdp->points[seq].reasons;
2300 :
2301 333 : if (type)
2302 333 : *type = cdp->points[seq].type;
2303 :
2304 333 : if (san) {
2305 333 : san->data = cdp->points[seq].san.data;
2306 333 : san->size = cdp->points[seq].san.size;
2307 : }
2308 :
2309 : return 0;
2310 : }
2311 :
2312 : static
2313 565 : int crl_dist_points_set(gnutls_x509_crl_dist_points_t cdp,
2314 : gnutls_x509_subject_alt_name_t type,
2315 : const gnutls_datum_t * san, unsigned int reasons)
2316 : {
2317 565 : void *tmp;
2318 :
2319 : /* new dist point */
2320 565 : tmp =
2321 1130 : gnutls_realloc(cdp->points,
2322 565 : (cdp->size + 1) * sizeof(cdp->points[0]));
2323 565 : if (tmp == NULL) {
2324 0 : return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
2325 : }
2326 565 : cdp->points = tmp;
2327 :
2328 565 : cdp->points[cdp->size].type = type;
2329 565 : cdp->points[cdp->size].san.data = san->data;
2330 565 : cdp->points[cdp->size].san.size = san->size;
2331 565 : cdp->points[cdp->size].reasons = reasons;
2332 :
2333 565 : cdp->size++;
2334 565 : return 0;
2335 :
2336 : }
2337 :
2338 : /**
2339 : * gnutls_x509_crl_dist_points_set:
2340 : * @cdp: The CRL distribution points
2341 : * @type: The type of the name (of %gnutls_subject_alt_names_t)
2342 : * @san: The point name data
2343 : * @reasons: Revocation reasons. An ORed sequence of flags from %gnutls_x509_crl_reason_flags_t.
2344 : *
2345 : * This function will store the specified CRL distribution point value
2346 : * the @cdp type.
2347 : *
2348 : * Returns: On success, %GNUTLS_E_SUCCESS (0), otherwise a negative error value.
2349 : *
2350 : * Since: 3.3.0
2351 : **/
2352 122 : int gnutls_x509_crl_dist_points_set(gnutls_x509_crl_dist_points_t cdp,
2353 : gnutls_x509_subject_alt_name_t type,
2354 : const gnutls_datum_t * san,
2355 : unsigned int reasons)
2356 : {
2357 122 : int ret;
2358 122 : gnutls_datum_t t_san;
2359 :
2360 122 : ret = _gnutls_set_datum(&t_san, san->data, san->size);
2361 122 : if (ret < 0)
2362 0 : return gnutls_assert_val(ret);
2363 :
2364 122 : ret = crl_dist_points_set(cdp, type, &t_san, reasons);
2365 122 : if (ret < 0) {
2366 0 : gnutls_free(t_san.data);
2367 0 : return gnutls_assert_val(ret);
2368 : }
2369 :
2370 : return 0;
2371 : }
2372 :
2373 : /**
2374 : * gnutls_x509_ext_import_crl_dist_points:
2375 : * @ext: the DER encoded extension data
2376 : * @cdp: A pointer to an initialized CRL distribution points.
2377 : * @flags: should be zero
2378 : *
2379 : * This function will extract the CRL distribution points extension (2.5.29.31)
2380 : * and store it into the provided type.
2381 : *
2382 : * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.
2383 : *
2384 : * Since: 3.3.0
2385 : **/
2386 281 : int gnutls_x509_ext_import_crl_dist_points(const gnutls_datum_t * ext,
2387 : gnutls_x509_crl_dist_points_t cdp,
2388 : unsigned int flags)
2389 : {
2390 281 : int result;
2391 281 : ASN1_TYPE c2 = ASN1_TYPE_EMPTY;
2392 281 : char name[MAX_NAME_SIZE];
2393 281 : int len, ret;
2394 281 : uint8_t reasons[2];
2395 281 : unsigned i, type, rflags, j;
2396 281 : gnutls_datum_t san = {NULL, 0};
2397 :
2398 281 : result = asn1_create_element
2399 : (_gnutls_get_pkix(), "PKIX1.CRLDistributionPoints", &c2);
2400 281 : if (result != ASN1_SUCCESS) {
2401 0 : gnutls_assert();
2402 0 : return _gnutls_asn2err(result);
2403 : }
2404 :
2405 281 : result = _asn1_strict_der_decode(&c2, ext->data, ext->size, NULL);
2406 :
2407 281 : if (result != ASN1_SUCCESS) {
2408 20 : gnutls_assert();
2409 20 : ret = _gnutls_asn2err(result);
2410 20 : goto cleanup;
2411 : }
2412 :
2413 : /* Return the different names from the first CRLDistr. point.
2414 : * The whole thing is a mess.
2415 : */
2416 :
2417 : i = 0;
2418 538 : do {
2419 538 : snprintf(name, sizeof(name), "?%u.reasons", (unsigned)i + 1);
2420 :
2421 538 : len = sizeof(reasons);
2422 538 : result = asn1_read_value(c2, name, reasons, &len);
2423 :
2424 538 : if (result != ASN1_VALUE_NOT_FOUND &&
2425 538 : result != ASN1_ELEMENT_NOT_FOUND &&
2426 : result != ASN1_SUCCESS) {
2427 1 : gnutls_assert();
2428 1 : ret = _gnutls_asn2err(result);
2429 1 : break;
2430 : }
2431 :
2432 537 : if (result == ASN1_VALUE_NOT_FOUND
2433 537 : || result == ASN1_ELEMENT_NOT_FOUND)
2434 : rflags = 0;
2435 : else
2436 3 : rflags = reasons[0] | (reasons[1] << 8);
2437 :
2438 537 : snprintf(name, sizeof(name),
2439 : "?%u.distributionPoint.fullName", (unsigned)i + 1);
2440 :
2441 537 : for (j=0;;j++) {
2442 980 : san.data = NULL;
2443 980 : san.size = 0;
2444 :
2445 980 : ret =
2446 980 : _gnutls_parse_general_name2(c2, name, j, &san,
2447 : &type, 0);
2448 980 : if (j > 0
2449 980 : && ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
2450 : ret = 0;
2451 : break;
2452 : }
2453 703 : if (ret < 0)
2454 : break;
2455 :
2456 443 : ret = crl_dist_points_set(cdp, type, &san, rflags);
2457 443 : if (ret < 0)
2458 : break;
2459 443 : san.data = NULL; /* it is now in cdp */
2460 : }
2461 :
2462 537 : i++;
2463 537 : } while (ret >= 0);
2464 :
2465 261 : if (ret < 0 && ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
2466 2 : gnutls_assert();
2467 2 : gnutls_free(san.data);
2468 2 : goto cleanup;
2469 : }
2470 :
2471 : ret = 0;
2472 281 : cleanup:
2473 281 : asn1_delete_structure(&c2);
2474 281 : return ret;
2475 : }
2476 :
2477 : /**
2478 : * gnutls_x509_ext_export_crl_dist_points:
2479 : * @cdp: A pointer to an initialized CRL distribution points.
2480 : * @ext: The DER-encoded extension data; must be freed using gnutls_free().
2481 : *
2482 : * This function will convert the provided policies, to a certificate policy
2483 : * DER encoded extension (2.5.29.31).
2484 : *
2485 : * The @ext data will be allocated using gnutls_malloc().
2486 : *
2487 : * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.
2488 : *
2489 : * Since: 3.3.0
2490 : **/
2491 122 : int gnutls_x509_ext_export_crl_dist_points(gnutls_x509_crl_dist_points_t cdp,
2492 : gnutls_datum_t * ext)
2493 : {
2494 122 : ASN1_TYPE c2 = ASN1_TYPE_EMPTY;
2495 122 : int result;
2496 122 : uint8_t reasons[2];
2497 122 : unsigned i;
2498 :
2499 122 : result =
2500 122 : asn1_create_element(_gnutls_get_pkix(),
2501 : "PKIX1.CRLDistributionPoints", &c2);
2502 122 : if (result != ASN1_SUCCESS) {
2503 0 : gnutls_assert();
2504 0 : result = _gnutls_asn2err(result);
2505 0 : goto cleanup;
2506 : }
2507 :
2508 352 : for (i = 0; i < cdp->size; i++) {
2509 :
2510 230 : if (i == 0
2511 108 : || cdp->points[i].reasons != cdp->points[i - 1].reasons) {
2512 122 : result = asn1_write_value(c2, "", "NEW", 1);
2513 122 : if (result != ASN1_SUCCESS) {
2514 0 : gnutls_assert();
2515 0 : result = _gnutls_asn2err(result);
2516 0 : goto cleanup;
2517 : }
2518 :
2519 122 : if (cdp->points[i].reasons) {
2520 0 : reasons[0] = cdp->points[i].reasons & 0xff;
2521 0 : reasons[1] = cdp->points[i].reasons >> 8;
2522 :
2523 0 : result =
2524 0 : asn1_write_value(c2, "?LAST.reasons",
2525 : reasons, 2);
2526 : } else {
2527 122 : result =
2528 122 : asn1_write_value(c2, "?LAST.reasons", NULL,
2529 : 0);
2530 : }
2531 :
2532 122 : if (result != ASN1_SUCCESS) {
2533 0 : gnutls_assert();
2534 0 : result = _gnutls_asn2err(result);
2535 0 : goto cleanup;
2536 : }
2537 :
2538 122 : result =
2539 122 : asn1_write_value(c2, "?LAST.cRLIssuer", NULL, 0);
2540 122 : if (result != ASN1_SUCCESS) {
2541 0 : gnutls_assert();
2542 0 : result = _gnutls_asn2err(result);
2543 0 : goto cleanup;
2544 : }
2545 : /* When used as type CHOICE.
2546 : */
2547 122 : result =
2548 122 : asn1_write_value(c2, "?LAST.distributionPoint",
2549 : "fullName", 1);
2550 122 : if (result != ASN1_SUCCESS) {
2551 0 : gnutls_assert();
2552 0 : result = _gnutls_asn2err(result);
2553 0 : goto cleanup;
2554 : }
2555 : }
2556 :
2557 230 : result =
2558 460 : _gnutls_write_new_general_name(c2,
2559 : "?LAST.distributionPoint.fullName",
2560 230 : cdp->points[i].type,
2561 230 : cdp->points[i].san.data,
2562 230 : cdp->points[i].san.size);
2563 230 : if (result < 0) {
2564 0 : gnutls_assert();
2565 0 : goto cleanup;
2566 : }
2567 : }
2568 :
2569 122 : result = _gnutls_x509_der_encode(c2, "", ext, 0);
2570 122 : if (result < 0) {
2571 0 : gnutls_assert();
2572 0 : goto cleanup;
2573 : }
2574 :
2575 : result = 0;
2576 :
2577 122 : cleanup:
2578 122 : asn1_delete_structure(&c2);
2579 :
2580 122 : return result;
2581 :
2582 : }
2583 :
2584 : struct gnutls_x509_aia_st {
2585 : struct {
2586 : gnutls_datum_t oid;
2587 : unsigned int san_type;
2588 : gnutls_datum_t san;
2589 : } *aia;
2590 : unsigned int size;
2591 : };
2592 :
2593 : /**
2594 : * gnutls_x509_aia_init:
2595 : * @aia: The authority info access
2596 : *
2597 : * This function will initialize an authority info access type.
2598 : *
2599 : * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.
2600 : *
2601 : * Since: 3.3.0
2602 : **/
2603 120 : int gnutls_x509_aia_init(gnutls_x509_aia_t * aia)
2604 : {
2605 120 : *aia = gnutls_calloc(1, sizeof(struct gnutls_x509_aia_st));
2606 120 : if (*aia == NULL)
2607 0 : return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
2608 :
2609 : return 0;
2610 : }
2611 :
2612 : /**
2613 : * gnutls_x509_aia_deinit:
2614 : * @aia: The authority info access
2615 : *
2616 : * This function will deinitialize an authority info access type.
2617 : *
2618 : * Since: 3.3.0
2619 : **/
2620 120 : void gnutls_x509_aia_deinit(gnutls_x509_aia_t aia)
2621 : {
2622 120 : unsigned i;
2623 :
2624 286 : for (i = 0; i < aia->size; i++) {
2625 166 : gnutls_free(aia->aia[i].san.data);
2626 166 : gnutls_free(aia->aia[i].oid.data);
2627 : }
2628 120 : gnutls_free(aia->aia);
2629 120 : gnutls_free(aia);
2630 120 : }
2631 :
2632 : /**
2633 : * gnutls_x509_aia_get:
2634 : * @aia: The authority info access
2635 : * @seq: specifies the sequence number of the access descriptor (0 for the first one, 1 for the second etc.)
2636 : * @oid: the type of available data; to be treated as constant.
2637 : * @san_type: Will hold the type of the name of %gnutls_subject_alt_names_t (may be null).
2638 : * @san: the access location name; to be treated as constant (may be null).
2639 : *
2640 : * This function reads from the Authority Information Access type.
2641 : *
2642 : * The @seq input parameter is used to indicate which member of the
2643 : * sequence the caller is interested in. The first member is 0, the
2644 : * second member 1 and so on. When the @seq value is out of bounds,
2645 : * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned.
2646 : *
2647 : * Typically @oid is %GNUTLS_OID_AD_CAISSUERS or %GNUTLS_OID_AD_OCSP.
2648 : *
2649 : * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.
2650 : *
2651 : * Since: 3.3.0
2652 : **/
2653 261 : int gnutls_x509_aia_get(gnutls_x509_aia_t aia, unsigned int seq,
2654 : gnutls_datum_t *oid,
2655 : unsigned *san_type,
2656 : gnutls_datum_t *san)
2657 : {
2658 261 : if (seq >= aia->size)
2659 99 : return gnutls_assert_val(GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE);
2660 :
2661 162 : if (san_type)
2662 162 : *san_type = aia->aia[seq].san_type;
2663 162 : if (san) {
2664 162 : san->data = aia->aia[seq].san.data;
2665 162 : san->size = aia->aia[seq].san.size;
2666 : }
2667 :
2668 162 : if (oid) {
2669 162 : oid->data = aia->aia[seq].oid.data;
2670 162 : oid->size = aia->aia[seq].oid.size;
2671 : }
2672 :
2673 : return 0;
2674 : }
2675 :
2676 31617 : int _gnutls_alt_name_process(gnutls_datum_t *out, unsigned type, const gnutls_datum_t *san, unsigned raw)
2677 : {
2678 31617 : int ret;
2679 31617 : if (type == GNUTLS_SAN_DNSNAME && !raw) {
2680 180 : ret = gnutls_idna_map((char*)san->data, san->size, out, 0);
2681 180 : if (ret < 0) {
2682 0 : return gnutls_assert_val(ret);
2683 : }
2684 31437 : } else if (type == GNUTLS_SAN_RFC822NAME && !raw) {
2685 114 : ret = _gnutls_idna_email_map((char*)san->data, san->size, out);
2686 114 : if (ret < 0) {
2687 1 : return gnutls_assert_val(ret);
2688 : }
2689 31323 : } else if (type == GNUTLS_SAN_URI && !raw) {
2690 8 : if (!_gnutls_str_is_print((char*)san->data, san->size)) {
2691 0 : _gnutls_debug_log("non-ASCII URIs are not supported\n");
2692 0 : return gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE);
2693 : } else {
2694 4 : ret = _gnutls_set_strdatum(out, san->data, san->size);
2695 4 : if (ret < 0)
2696 0 : return gnutls_assert_val(ret);
2697 : }
2698 : } else {
2699 31319 : ret = _gnutls_set_strdatum(out, san->data, san->size);
2700 31319 : if (ret < 0)
2701 0 : return gnutls_assert_val(ret);
2702 : }
2703 :
2704 : return 0;
2705 : }
2706 :
2707 : /**
2708 : * gnutls_x509_aia_set:
2709 : * @aia: The authority info access
2710 : * @oid: the type of data.
2711 : * @san_type: The type of the name (of %gnutls_subject_alt_names_t)
2712 : * @san: The alternative name data
2713 : * @othername_oid: The object identifier if @san_type is %GNUTLS_SAN_OTHERNAME
2714 : *
2715 : * This function will store the specified alternative name in
2716 : * the @aia type.
2717 : *
2718 : * Typically the value for @oid should be %GNUTLS_OID_AD_OCSP, or
2719 : * %GNUTLS_OID_AD_CAISSUERS.
2720 : *
2721 : * Since version 3.5.7 the %GNUTLS_SAN_RFC822NAME, and %GNUTLS_SAN_DNSNAME,
2722 : * are converted to ACE format when necessary.
2723 : *
2724 : * Returns: On success, %GNUTLS_E_SUCCESS (0), otherwise a negative error value.
2725 : *
2726 : * Since: 3.3.0
2727 : **/
2728 4 : int gnutls_x509_aia_set(gnutls_x509_aia_t aia,
2729 : const char *oid,
2730 : unsigned san_type,
2731 : const gnutls_datum_t * san)
2732 : {
2733 4 : int ret;
2734 4 : void *tmp;
2735 4 : unsigned indx;
2736 :
2737 4 : tmp = gnutls_realloc(aia->aia, (aia->size + 1) * sizeof(aia->aia[0]));
2738 4 : if (tmp == NULL) {
2739 0 : return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
2740 : }
2741 4 : aia->aia = tmp;
2742 4 : indx = aia->size;
2743 :
2744 4 : aia->aia[indx].san_type = san_type;
2745 4 : if (oid) {
2746 4 : aia->aia[indx].oid.data = (void*)gnutls_strdup(oid);
2747 4 : aia->aia[indx].oid.size = strlen(oid);
2748 : } else {
2749 0 : aia->aia[indx].oid.data = NULL;
2750 0 : aia->aia[indx].oid.size = 0;
2751 : }
2752 :
2753 4 : ret = _gnutls_alt_name_process(&aia->aia[indx].san, san_type, san, 0);
2754 4 : if (ret < 0)
2755 0 : return gnutls_assert_val(ret);
2756 :
2757 4 : aia->size++;
2758 :
2759 4 : return 0;
2760 : }
2761 :
2762 :
2763 99 : static int parse_aia(ASN1_TYPE c2, gnutls_x509_aia_t aia)
2764 : {
2765 99 : int len;
2766 99 : char nptr[MAX_NAME_SIZE];
2767 99 : int ret, result;
2768 99 : char tmpoid[MAX_OID_SIZE];
2769 99 : void * tmp;
2770 99 : unsigned i, indx;
2771 :
2772 261 : for (i = 1;; i++) {
2773 261 : snprintf(nptr, sizeof(nptr), "?%u.accessMethod", i);
2774 :
2775 261 : len = sizeof(tmpoid);
2776 261 : result = asn1_read_value(c2, nptr, tmpoid, &len);
2777 261 : if (result == ASN1_VALUE_NOT_FOUND
2778 261 : || result == ASN1_ELEMENT_NOT_FOUND) {
2779 : ret = GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
2780 : break;
2781 : }
2782 :
2783 162 : if (result != ASN1_SUCCESS) {
2784 0 : gnutls_assert();
2785 0 : return _gnutls_asn2err(result);
2786 : }
2787 :
2788 162 : indx = aia->size;
2789 162 : tmp = gnutls_realloc(aia->aia, (aia->size + 1) * sizeof(aia->aia[0]));
2790 162 : if (tmp == NULL) {
2791 0 : return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
2792 : }
2793 162 : aia->aia = tmp;
2794 :
2795 162 : snprintf(nptr, sizeof(nptr), "?%u.accessLocation", i);
2796 :
2797 :
2798 324 : ret = _gnutls_parse_general_name2(c2, nptr, -1, &aia->aia[indx].san,
2799 162 : &aia->aia[indx].san_type, 0);
2800 162 : if (ret < 0)
2801 : break;
2802 :
2803 : /* we do the strdup after parsing to avoid a memory leak */
2804 162 : aia->aia[indx].oid.data = (void*)gnutls_strdup(tmpoid);
2805 162 : aia->aia[indx].oid.size = strlen(tmpoid);
2806 :
2807 162 : aia->size++;
2808 :
2809 162 : if (aia->aia[indx].oid.data == NULL) {
2810 0 : gnutls_assert();
2811 0 : return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
2812 : }
2813 : }
2814 :
2815 99 : if (ret < 0 && ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
2816 0 : return ret;
2817 : }
2818 :
2819 : return 0;
2820 : }
2821 :
2822 : /**
2823 : * gnutls_x509_ext_import_aia:
2824 : * @ext: The DER-encoded extension data
2825 : * @aia: The authority info access
2826 : * @flags: should be zero
2827 : *
2828 : * This function extracts the Authority Information Access (AIA)
2829 : * extension from the provided DER-encoded data; see RFC 5280 section 4.2.2.1
2830 : * for more information on the extension. The
2831 : * AIA extension holds a sequence of AccessDescription (AD) data.
2832 : *
2833 : * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.
2834 : *
2835 : * Since: 3.3.0
2836 : **/
2837 116 : int gnutls_x509_ext_import_aia(const gnutls_datum_t * ext,
2838 : gnutls_x509_aia_t aia,
2839 : unsigned int flags)
2840 : {
2841 116 : int ret;
2842 116 : ASN1_TYPE c2 = ASN1_TYPE_EMPTY;
2843 :
2844 116 : if (ext->size == 0 || ext->data == NULL) {
2845 1 : gnutls_assert();
2846 1 : return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
2847 : }
2848 :
2849 115 : ret = asn1_create_element(_gnutls_get_pkix(),
2850 : "PKIX1.AuthorityInfoAccessSyntax", &c2);
2851 115 : if (ret != ASN1_SUCCESS) {
2852 0 : gnutls_assert();
2853 0 : return _gnutls_asn2err(ret);
2854 : }
2855 :
2856 115 : ret = _asn1_strict_der_decode(&c2, ext->data, ext->size, NULL);
2857 115 : if (ret != ASN1_SUCCESS) {
2858 16 : gnutls_assert();
2859 16 : ret = _gnutls_asn2err(ret);
2860 16 : goto cleanup;
2861 : }
2862 :
2863 99 : ret = parse_aia(c2, aia);
2864 99 : if (ret < 0) {
2865 0 : gnutls_assert();
2866 : }
2867 :
2868 99 : cleanup:
2869 115 : asn1_delete_structure(&c2);
2870 :
2871 115 : return ret;
2872 :
2873 : }
2874 :
2875 : /**
2876 : * gnutls_x509_ext_export_aia:
2877 : * @aia: The authority info access
2878 : * @ext: The DER-encoded extension data; must be freed using gnutls_free().
2879 : *
2880 : * This function will DER encode the Authority Information Access (AIA)
2881 : * extension; see RFC 5280 section 4.2.2.1 for more information on the
2882 : * extension.
2883 : *
2884 : * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
2885 : * negative error value.
2886 : *
2887 : * Since: 3.3.0
2888 : **/
2889 4 : int gnutls_x509_ext_export_aia(gnutls_x509_aia_t aia,
2890 : gnutls_datum_t * ext)
2891 : {
2892 4 : int ret, result;
2893 4 : ASN1_TYPE c2 = ASN1_TYPE_EMPTY;
2894 4 : unsigned int i;
2895 :
2896 4 : ret = asn1_create_element(_gnutls_get_pkix(),
2897 : "PKIX1.AuthorityInfoAccessSyntax", &c2);
2898 4 : if (ret != ASN1_SUCCESS) {
2899 0 : gnutls_assert();
2900 0 : return _gnutls_asn2err(ret);
2901 : }
2902 :
2903 : /* 1. create a new element.
2904 : */
2905 8 : for (i=0;i<aia->size;i++) {
2906 4 : result = asn1_write_value(c2, "", "NEW", 1);
2907 4 : if (result != ASN1_SUCCESS) {
2908 0 : gnutls_assert();
2909 0 : ret = _gnutls_asn2err(result);
2910 0 : goto cleanup;
2911 : }
2912 :
2913 : /* 2. Add the OID.
2914 : */
2915 4 : result = asn1_write_value(c2, "?LAST.accessMethod", aia->aia[i].oid.data, 1);
2916 4 : if (result != ASN1_SUCCESS) {
2917 0 : gnutls_assert();
2918 0 : ret = _gnutls_asn2err(result);
2919 0 : goto cleanup;
2920 : }
2921 :
2922 4 : ret =
2923 8 : _gnutls_write_general_name(c2,
2924 : "?LAST.accessLocation",
2925 4 : aia->aia[i].san_type,
2926 4 : aia->aia[i].san.data,
2927 4 : aia->aia[i].san.size);
2928 4 : if (ret < 0) {
2929 0 : gnutls_assert();
2930 0 : goto cleanup;
2931 : }
2932 : }
2933 :
2934 4 : ret = _gnutls_x509_der_encode(c2, "", ext, 0);
2935 4 : if (ret < 0) {
2936 0 : gnutls_assert();
2937 0 : goto cleanup;
2938 : }
2939 :
2940 4 : cleanup:
2941 4 : asn1_delete_structure(&c2);
2942 :
2943 4 : return ret;
2944 : }
2945 :
2946 :
2947 : struct gnutls_x509_key_purposes_st {
2948 : gnutls_datum_t oid[MAX_ENTRIES];
2949 : unsigned int size;
2950 : };
2951 :
2952 : /**
2953 : * gnutls_subject_alt_names_init:
2954 : * @p: The key purposes
2955 : *
2956 : * This function will initialize an alternative names type.
2957 : *
2958 : * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.
2959 : *
2960 : * Since: 3.3.0
2961 : **/
2962 711 : int gnutls_x509_key_purpose_init(gnutls_x509_key_purposes_t * p)
2963 : {
2964 711 : *p = gnutls_calloc(1, sizeof(struct gnutls_x509_key_purposes_st));
2965 711 : if (*p == NULL) {
2966 0 : gnutls_assert();
2967 0 : return GNUTLS_E_MEMORY_ERROR;
2968 : }
2969 :
2970 : return 0;
2971 : }
2972 :
2973 1341 : static void key_purposes_deinit(gnutls_x509_key_purposes_t p)
2974 : {
2975 1341 : unsigned int i;
2976 :
2977 2374 : for (i = 0; i < p->size; i++) {
2978 1033 : gnutls_free(p->oid[i].data);
2979 : }
2980 1341 : }
2981 :
2982 : /**
2983 : * gnutls_x509_key_purpose_deinit:
2984 : * @p: The key purposes
2985 : *
2986 : * This function will deinitialize a key purposes type.
2987 : *
2988 : * Since: 3.3.0
2989 : **/
2990 711 : void gnutls_x509_key_purpose_deinit(gnutls_x509_key_purposes_t p)
2991 : {
2992 711 : key_purposes_deinit(p);
2993 711 : gnutls_free(p);
2994 711 : }
2995 :
2996 : /**
2997 : * gnutls_x509_key_purpose_set:
2998 : * @p: The key purposes
2999 : * @oid: The object identifier of the key purpose
3000 : *
3001 : * This function will store the specified key purpose in the
3002 : * purposes.
3003 : *
3004 : * Returns: On success, %GNUTLS_E_SUCCESS (0), otherwise a negative error value.
3005 : *
3006 : * Since: 3.3.0
3007 : **/
3008 68 : int gnutls_x509_key_purpose_set(gnutls_x509_key_purposes_t p, const char *oid)
3009 : {
3010 68 : if (p->size + 1 > MAX_ENTRIES)
3011 0 : return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
3012 :
3013 68 : p->oid[p->size].data = (void*)gnutls_strdup(oid);
3014 68 : if (p->oid[p->size].data == NULL)
3015 0 : return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
3016 :
3017 68 : p->oid[p->size].size = strlen(oid);
3018 68 : p->size++;
3019 :
3020 68 : return 0;
3021 : }
3022 :
3023 : /**
3024 : * gnutls_x509_key_purpose_get:
3025 : * @p: The key purposes
3026 : * @idx: The index of the key purpose to retrieve
3027 : * @oid: Will hold the object identifier of the key purpose (to be treated as constant)
3028 : *
3029 : * This function will retrieve the specified by the index key purpose in the
3030 : * purposes type. The object identifier will be a null terminated string.
3031 : *
3032 : * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
3033 : * if the index is out of bounds, otherwise a negative error value.
3034 : *
3035 : * Since: 3.3.0
3036 : **/
3037 1179 : int gnutls_x509_key_purpose_get(gnutls_x509_key_purposes_t p, unsigned idx, gnutls_datum_t *oid)
3038 : {
3039 1179 : if (idx >= p->size)
3040 270 : return gnutls_assert_val(GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE);
3041 :
3042 910 : oid->data = p->oid[idx].data;
3043 910 : oid->size = p->oid[idx].size;
3044 :
3045 910 : return 0;
3046 : }
3047 :
3048 : /**
3049 : * gnutls_x509_ext_import_key_purposes:
3050 : * @ext: The DER-encoded extension data
3051 : * @p: The key purposes
3052 : * @flags: should be zero
3053 : *
3054 : * This function will extract the key purposes in the provided DER-encoded
3055 : * ExtKeyUsageSyntax PKIX extension, to a %gnutls_x509_key_purposes_t type.
3056 : * The data must be initialized.
3057 : *
3058 : * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.
3059 : *
3060 : * Since: 3.3.0
3061 : **/
3062 645 : int gnutls_x509_ext_import_key_purposes(const gnutls_datum_t * ext,
3063 : gnutls_x509_key_purposes_t p,
3064 : unsigned int flags)
3065 : {
3066 645 : char tmpstr[MAX_NAME_SIZE];
3067 645 : int result, ret;
3068 645 : ASN1_TYPE c2 = ASN1_TYPE_EMPTY;
3069 645 : gnutls_datum_t oid = {NULL, 0};
3070 645 : unsigned i;
3071 :
3072 645 : result = asn1_create_element
3073 : (_gnutls_get_pkix(), "PKIX1.ExtKeyUsageSyntax", &c2);
3074 645 : if (result != ASN1_SUCCESS) {
3075 0 : gnutls_assert();
3076 0 : return _gnutls_asn2err(result);
3077 : }
3078 :
3079 645 : result = _asn1_strict_der_decode(&c2, ext->data, ext->size, NULL);
3080 645 : if (result != ASN1_SUCCESS) {
3081 15 : gnutls_assert();
3082 15 : ret = _gnutls_asn2err(result);
3083 15 : goto cleanup;
3084 : }
3085 :
3086 630 : key_purposes_deinit(p);
3087 630 : i = 0;
3088 630 : p->size = 0;
3089 :
3090 1595 : for (;i<MAX_ENTRIES;i++) {
3091 : /* create a string like "?1"
3092 : */
3093 1595 : snprintf(tmpstr, sizeof(tmpstr), "?%u", i+1);
3094 :
3095 1595 : ret = _gnutls_x509_read_value(c2, tmpstr, &oid);
3096 1595 : if (ret == GNUTLS_E_ASN1_ELEMENT_NOT_FOUND) {
3097 : break;
3098 : }
3099 :
3100 965 : if (ret < 0) {
3101 0 : gnutls_assert();
3102 0 : goto cleanup;
3103 : }
3104 :
3105 965 : p->oid[i].data = oid.data;
3106 965 : p->oid[i].size = oid.size;
3107 :
3108 965 : oid.data = NULL;
3109 965 : oid.size = 0;
3110 965 : p->size++;
3111 : }
3112 :
3113 : ret = 0;
3114 645 : cleanup:
3115 645 : gnutls_free(oid.data);
3116 645 : asn1_delete_structure(&c2);
3117 :
3118 645 : return ret;
3119 :
3120 : }
3121 :
3122 : /**
3123 : * gnutls_x509_ext_export_key_purposes:
3124 : * @p: The key purposes
3125 : * @ext: The DER-encoded extension data; must be freed using gnutls_free().
3126 : *
3127 : * This function will convert the key purposes type to a
3128 : * DER-encoded PKIX ExtKeyUsageSyntax (2.5.29.37) extension. The output data in
3129 : * @ext will be allocated using gnutls_malloc().
3130 : *
3131 : * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.
3132 : *
3133 : * Since: 3.3.0
3134 : **/
3135 68 : int gnutls_x509_ext_export_key_purposes(gnutls_x509_key_purposes_t p,
3136 : gnutls_datum_t * ext)
3137 : {
3138 68 : int result, ret;
3139 68 : ASN1_TYPE c2 = ASN1_TYPE_EMPTY;
3140 68 : unsigned i;
3141 :
3142 68 : result = asn1_create_element
3143 : (_gnutls_get_pkix(), "PKIX1.ExtKeyUsageSyntax", &c2);
3144 68 : if (result != ASN1_SUCCESS) {
3145 0 : gnutls_assert();
3146 0 : return _gnutls_asn2err(result);
3147 : }
3148 :
3149 : /* generate the extension.
3150 : */
3151 138 : for (i=0;i<p->size;i++) {
3152 : /* 1. create a new element.
3153 : */
3154 70 : result = asn1_write_value(c2, "", "NEW", 1);
3155 70 : if (result != ASN1_SUCCESS) {
3156 0 : gnutls_assert();
3157 0 : ret = _gnutls_asn2err(result);
3158 0 : goto cleanup;
3159 : }
3160 :
3161 : /* 2. Add the OID.
3162 : */
3163 70 : result = asn1_write_value(c2, "?LAST", p->oid[i].data, 1);
3164 70 : if (result != ASN1_SUCCESS) {
3165 0 : gnutls_assert();
3166 0 : ret = _gnutls_asn2err(result);
3167 0 : goto cleanup;
3168 : }
3169 : }
3170 :
3171 68 : ret = _gnutls_x509_der_encode(c2, "", ext, 0);
3172 68 : if (ret < 0) {
3173 0 : gnutls_assert();
3174 0 : goto cleanup;
3175 : }
3176 :
3177 : ret = 0;
3178 :
3179 68 : cleanup:
3180 68 : asn1_delete_structure(&c2);
3181 68 : return ret;
3182 : }
3183 :
3184 : /**
3185 : * gnutls_ext_deinit:
3186 : * @ext: The extensions structure
3187 : *
3188 : * This function will deinitialize an extensions structure.
3189 : *
3190 : * Since: 3.3.8
3191 : **/
3192 9 : void gnutls_x509_ext_deinit(gnutls_x509_ext_st *ext)
3193 : {
3194 9 : gnutls_free(ext->oid);
3195 9 : gnutls_free(ext->data.data);
3196 9 : }
3197 :
3198 9 : int _gnutls_x509_decode_ext(const gnutls_datum_t *der, gnutls_x509_ext_st *out)
3199 : {
3200 9 : ASN1_TYPE c2 = ASN1_TYPE_EMPTY;
3201 9 : char str_critical[10];
3202 9 : char oid[MAX_OID_SIZE];
3203 9 : int result, len, ret;
3204 :
3205 9 : memset(out, 0, sizeof(*out));
3206 :
3207 : /* decode der */
3208 9 : result = asn1_create_element(_gnutls_get_pkix(), "PKIX1.Extension", &c2);
3209 9 : if (result != ASN1_SUCCESS) {
3210 0 : gnutls_assert();
3211 0 : return _gnutls_asn2err(result);
3212 : }
3213 :
3214 9 : result = _asn1_strict_der_decode(&c2, der->data, der->size, NULL);
3215 9 : if (result != ASN1_SUCCESS) {
3216 0 : gnutls_assert();
3217 0 : ret = _gnutls_asn2err(result);
3218 0 : goto cleanup;
3219 : }
3220 :
3221 9 : len = sizeof(oid)-1;
3222 9 : result = asn1_read_value(c2, "extnID", oid, &len);
3223 9 : if (result != ASN1_SUCCESS) {
3224 0 : gnutls_assert();
3225 0 : ret = _gnutls_asn2err(result);
3226 0 : goto cleanup;
3227 : }
3228 :
3229 9 : len = sizeof(str_critical)-1;
3230 9 : result = asn1_read_value(c2, "critical", str_critical, &len);
3231 9 : if (result != ASN1_SUCCESS) {
3232 0 : gnutls_assert();
3233 0 : ret = _gnutls_asn2err(result);
3234 0 : goto cleanup;
3235 : }
3236 :
3237 9 : if (str_critical[0] == 'T')
3238 8 : out->critical = 1;
3239 : else
3240 1 : out->critical = 0;
3241 :
3242 9 : ret = _gnutls_x509_read_value(c2, "extnValue", &out->data);
3243 9 : if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE || ret == GNUTLS_E_ASN1_ELEMENT_NOT_FOUND) {
3244 0 : out->data.data = NULL;
3245 0 : out->data.size = 0;
3246 9 : } else if (ret < 0) {
3247 0 : gnutls_assert();
3248 0 : goto fail;
3249 : }
3250 :
3251 9 : out->oid = gnutls_strdup(oid);
3252 9 : if (out->oid == NULL) {
3253 0 : ret = GNUTLS_E_MEMORY_ERROR;
3254 0 : goto fail;
3255 : }
3256 :
3257 9 : ret = 0;
3258 9 : goto cleanup;
3259 0 : fail:
3260 0 : memset(out, 0, sizeof(*out));
3261 9 : cleanup:
3262 9 : asn1_delete_structure(&c2);
3263 9 : return ret;
3264 :
3265 : }
3266 :
3267 : /* flags can be zero or GNUTLS_EXT_FLAG_APPEND
3268 : */
3269 73 : static int parse_tlsfeatures(ASN1_TYPE c2, gnutls_x509_tlsfeatures_t f, unsigned flags)
3270 : {
3271 73 : char nptr[MAX_NAME_SIZE];
3272 73 : int result;
3273 73 : unsigned i, indx, j;
3274 73 : unsigned int feature;
3275 :
3276 73 : if (!(flags & GNUTLS_EXT_FLAG_APPEND))
3277 46 : f->size = 0;
3278 :
3279 286 : for (i = 1;; i++) {
3280 359 : unsigned skip = 0;
3281 359 : snprintf(nptr, sizeof(nptr), "?%u", i);
3282 :
3283 359 : result = _gnutls_x509_read_uint(c2, nptr, &feature);
3284 :
3285 359 : if (result == GNUTLS_E_ASN1_ELEMENT_NOT_FOUND || result == GNUTLS_E_ASN1_VALUE_NOT_FOUND) {
3286 : break;
3287 : }
3288 287 : else if (result != GNUTLS_E_SUCCESS) {
3289 0 : gnutls_assert();
3290 0 : return _gnutls_asn2err(result);
3291 : }
3292 :
3293 287 : if (feature > UINT16_MAX) {
3294 0 : gnutls_assert();
3295 0 : return GNUTLS_E_CERTIFICATE_ERROR;
3296 : }
3297 :
3298 : /* skip duplicates */
3299 2675 : for (j=0;j<f->size;j++) {
3300 2424 : if (f->feature[j] == feature) {
3301 : skip = 1;
3302 : break;
3303 : }
3304 : }
3305 :
3306 287 : if (!skip) {
3307 251 : if (f->size >= sizeof(f->feature)/sizeof(f->feature[0])) {
3308 1 : gnutls_assert();
3309 1 : return GNUTLS_E_INTERNAL_ERROR;
3310 : }
3311 :
3312 250 : indx = f->size;
3313 250 : f->feature[indx] = feature;
3314 250 : f->size++;
3315 : }
3316 : }
3317 :
3318 : return 0;
3319 : }
3320 :
3321 : /**
3322 : * gnutls_x509_ext_import_tlsfeatures:
3323 : * @ext: The DER-encoded extension data
3324 : * @f: The features structure
3325 : * @flags: zero or %GNUTLS_EXT_FLAG_APPEND
3326 : *
3327 : * This function will export the features in the provided DER-encoded
3328 : * TLS Features PKIX extension, to a %gnutls_x509_tlsfeatures_t type. @f
3329 : * must be initialized.
3330 : *
3331 : * When the @flags is set to %GNUTLS_EXT_FLAG_APPEND,
3332 : * then if the @features structure is empty this function will behave
3333 : * identically as if the flag was not set. Otherwise if there are elements
3334 : * in the @features structure then they will be merged with.
3335 : *
3336 : * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.
3337 : *
3338 : * Since: 3.5.1
3339 : **/
3340 74 : int gnutls_x509_ext_import_tlsfeatures(const gnutls_datum_t * ext,
3341 : gnutls_x509_tlsfeatures_t f,
3342 : unsigned int flags)
3343 : {
3344 74 : int ret;
3345 74 : ASN1_TYPE c2 = ASN1_TYPE_EMPTY;
3346 :
3347 74 : if (ext->size == 0 || ext->data == NULL) {
3348 1 : gnutls_assert();
3349 1 : return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
3350 : }
3351 :
3352 73 : ret = asn1_create_element(_gnutls_get_pkix(),
3353 : "PKIX1.TlsFeatures", &c2);
3354 73 : if (ret != ASN1_SUCCESS) {
3355 0 : gnutls_assert();
3356 0 : return _gnutls_asn2err(ret);
3357 : }
3358 :
3359 73 : ret = _asn1_strict_der_decode(&c2, ext->data, ext->size, NULL);
3360 73 : if (ret != ASN1_SUCCESS) {
3361 0 : gnutls_assert();
3362 0 : ret = _gnutls_asn2err(ret);
3363 0 : goto cleanup;
3364 : }
3365 :
3366 73 : ret = parse_tlsfeatures(c2, f, flags);
3367 73 : if (ret < 0) {
3368 1 : gnutls_assert();
3369 : }
3370 :
3371 73 : cleanup:
3372 73 : asn1_delete_structure(&c2);
3373 :
3374 73 : return ret;
3375 : }
3376 :
3377 : /**
3378 : * gnutls_x509_ext_export_tlsfeatures:
3379 : * @f: The features structure
3380 : * @ext: The DER-encoded extension data; must be freed using gnutls_free().
3381 : *
3382 : * This function will convert the provided TLS features structure structure to a
3383 : * DER-encoded TLS features PKIX extension. The output data in @ext will be allocated using
3384 : * gnutls_malloc().
3385 : *
3386 : * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.
3387 : *
3388 : * Since: 3.5.1
3389 : **/
3390 6 : int gnutls_x509_ext_export_tlsfeatures(gnutls_x509_tlsfeatures_t f,
3391 : gnutls_datum_t * ext)
3392 : {
3393 6 : if (f == NULL) {
3394 0 : gnutls_assert();
3395 0 : return GNUTLS_E_INVALID_REQUEST;
3396 : }
3397 :
3398 6 : ASN1_TYPE c2 = ASN1_TYPE_EMPTY;
3399 6 : int ret;
3400 6 : unsigned i;
3401 :
3402 6 : ret = asn1_create_element(_gnutls_get_pkix(), "PKIX1.TlsFeatures", &c2);
3403 6 : if (ret != ASN1_SUCCESS) {
3404 0 : gnutls_assert();
3405 0 : return _gnutls_asn2err(ret);
3406 : }
3407 :
3408 18 : for (i = 0; i < f->size; ++i) {
3409 :
3410 12 : ret = asn1_write_value(c2, "", "NEW", 1);
3411 12 : if (ret != ASN1_SUCCESS) {
3412 0 : gnutls_assert();
3413 0 : ret = _gnutls_asn2err(ret);
3414 0 : goto cleanup;
3415 : }
3416 :
3417 12 : ret = _gnutls_x509_write_uint32(c2, "?LAST", f->feature[i]);
3418 12 : if (ret != GNUTLS_E_SUCCESS) {
3419 0 : gnutls_assert();
3420 0 : goto cleanup;
3421 : }
3422 : }
3423 :
3424 6 : ret = _gnutls_x509_der_encode(c2, "", ext, 0);
3425 6 : if (ret < 0) {
3426 0 : gnutls_assert();
3427 0 : goto cleanup;
3428 : }
3429 :
3430 : ret = 0;
3431 :
3432 6 : cleanup:
3433 6 : asn1_delete_structure(&c2);
3434 6 : return ret;
3435 : }
3436 :
3437 : /**
3438 : * gnutls_x509_tlsfeatures_add:
3439 : * @f: The TLS features
3440 : * @feature: The feature to add
3441 : *
3442 : * This function will append a feature to the X.509 TLS features
3443 : * extension structure.
3444 : *
3445 : * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
3446 : * otherwise a negative error value.
3447 : *
3448 : * Since: 3.5.1
3449 : **/
3450 143 : int gnutls_x509_tlsfeatures_add(gnutls_x509_tlsfeatures_t f, unsigned int feature)
3451 : {
3452 143 : if (f == NULL) {
3453 0 : gnutls_assert();
3454 0 : return GNUTLS_E_INVALID_REQUEST;
3455 : }
3456 :
3457 143 : if (feature > UINT16_MAX)
3458 0 : return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
3459 :
3460 143 : if (f->size >= sizeof(f->feature)/sizeof(f->feature[0]))
3461 64 : return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
3462 :
3463 79 : f->feature[f->size++] = feature;
3464 :
3465 79 : return 0;
3466 : }
|
