summaryrefslogtreecommitdiffstats
path: root/thirdparty/mbedtls/library/x509_csr.c
diff options
context:
space:
mode:
Diffstat (limited to 'thirdparty/mbedtls/library/x509_csr.c')
-rw-r--r--thirdparty/mbedtls/library/x509_csr.c295
1 files changed, 277 insertions, 18 deletions
diff --git a/thirdparty/mbedtls/library/x509_csr.c b/thirdparty/mbedtls/library/x509_csr.c
index 095364e5e8..813d64466c 100644
--- a/thirdparty/mbedtls/library/x509_csr.c
+++ b/thirdparty/mbedtls/library/x509_csr.c
@@ -20,6 +20,7 @@
#if defined(MBEDTLS_X509_CSR_PARSE_C)
#include "mbedtls/x509_csr.h"
+#include "x509_internal.h"
#include "mbedtls/error.h"
#include "mbedtls/oid.h"
#include "mbedtls/platform_util.h"
@@ -58,10 +59,213 @@ static int x509_csr_get_version(unsigned char **p,
}
/*
+ * Parse CSR extension requests in DER format
+ */
+static int x509_csr_parse_extensions(mbedtls_x509_csr *csr,
+ unsigned char **p, const unsigned char *end,
+ mbedtls_x509_csr_ext_cb_t cb,
+ void *p_ctx)
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t len;
+ unsigned char *end_ext_data, *end_ext_octet;
+
+ while (*p < end) {
+ mbedtls_x509_buf extn_oid = { 0, 0, NULL };
+ int is_critical = 0; /* DEFAULT FALSE */
+ int ext_type = 0;
+
+ /* Read sequence tag */
+ if ((ret = mbedtls_asn1_get_tag(p, end, &len,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
+ }
+
+ end_ext_data = *p + len;
+
+ /* Get extension ID */
+ if ((ret = mbedtls_asn1_get_tag(p, end_ext_data, &extn_oid.len,
+ MBEDTLS_ASN1_OID)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
+ }
+
+ extn_oid.tag = MBEDTLS_ASN1_OID;
+ extn_oid.p = *p;
+ *p += extn_oid.len;
+
+ /* Get optional critical */
+ if ((ret = mbedtls_asn1_get_bool(p, end_ext_data, &is_critical)) != 0 &&
+ (ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG)) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
+ }
+
+ /* Data should be octet string type */
+ if ((ret = mbedtls_asn1_get_tag(p, end_ext_data, &len,
+ MBEDTLS_ASN1_OCTET_STRING)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
+ }
+
+ end_ext_octet = *p + len;
+
+ if (end_ext_octet != end_ext_data) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+ }
+
+ /*
+ * Detect supported extensions and skip unsupported extensions
+ */
+ ret = mbedtls_oid_get_x509_ext_type(&extn_oid, &ext_type);
+
+ if (ret != 0) {
+ /* Give the callback (if any) a chance to handle the extension */
+ if (cb != NULL) {
+ ret = cb(p_ctx, csr, &extn_oid, is_critical, *p, end_ext_octet);
+ if (ret != 0 && is_critical) {
+ return ret;
+ }
+ *p = end_ext_octet;
+ continue;
+ }
+
+ /* No parser found, skip extension */
+ *p = end_ext_octet;
+
+ if (is_critical) {
+ /* Data is marked as critical: fail */
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+ MBEDTLS_ERR_ASN1_UNEXPECTED_TAG);
+ }
+ continue;
+ }
+
+ /* Forbid repeated extensions */
+ if ((csr->ext_types & ext_type) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+ MBEDTLS_ERR_ASN1_INVALID_DATA);
+ }
+
+ csr->ext_types |= ext_type;
+
+ switch (ext_type) {
+ case MBEDTLS_X509_EXT_KEY_USAGE:
+ /* Parse key usage */
+ if ((ret = mbedtls_x509_get_key_usage(p, end_ext_data,
+ &csr->key_usage)) != 0) {
+ return ret;
+ }
+ break;
+
+ case MBEDTLS_X509_EXT_SUBJECT_ALT_NAME:
+ /* Parse subject alt name */
+ if ((ret = mbedtls_x509_get_subject_alt_name(p, end_ext_data,
+ &csr->subject_alt_names)) != 0) {
+ return ret;
+ }
+ break;
+
+ case MBEDTLS_X509_EXT_NS_CERT_TYPE:
+ /* Parse netscape certificate type */
+ if ((ret = mbedtls_x509_get_ns_cert_type(p, end_ext_data,
+ &csr->ns_cert_type)) != 0) {
+ return ret;
+ }
+ break;
+ default:
+ /*
+ * If this is a non-critical extension, which the oid layer
+ * supports, but there isn't an x509 parser for it,
+ * skip the extension.
+ */
+ if (is_critical) {
+ return MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE;
+ } else {
+ *p = end_ext_octet;
+ }
+ }
+ }
+
+ if (*p != end) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+ }
+
+ return 0;
+}
+
+/*
+ * Parse CSR attributes in DER format
+ */
+static int x509_csr_parse_attributes(mbedtls_x509_csr *csr,
+ const unsigned char *start, const unsigned char *end,
+ mbedtls_x509_csr_ext_cb_t cb,
+ void *p_ctx)
+{
+ int ret;
+ size_t len;
+ unsigned char *end_attr_data;
+ unsigned char **p = (unsigned char **) &start;
+
+ while (*p < end) {
+ mbedtls_x509_buf attr_oid = { 0, 0, NULL };
+
+ if ((ret = mbedtls_asn1_get_tag(p, end, &len,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
+ }
+ end_attr_data = *p + len;
+
+ /* Get attribute ID */
+ if ((ret = mbedtls_asn1_get_tag(p, end_attr_data, &attr_oid.len,
+ MBEDTLS_ASN1_OID)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
+ }
+
+ attr_oid.tag = MBEDTLS_ASN1_OID;
+ attr_oid.p = *p;
+ *p += attr_oid.len;
+
+ /* Check that this is an extension-request attribute */
+ if (MBEDTLS_OID_CMP(MBEDTLS_OID_PKCS9_CSR_EXT_REQ, &attr_oid) == 0) {
+ if ((ret = mbedtls_asn1_get_tag(p, end, &len,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SET)) != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
+ }
+
+ if ((ret = mbedtls_asn1_get_tag(p, end, &len,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) !=
+ 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
+ }
+
+ if ((ret = x509_csr_parse_extensions(csr, p, *p + len, cb, p_ctx)) != 0) {
+ return ret;
+ }
+
+ if (*p != end_attr_data) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+ }
+ }
+
+ *p = end_attr_data;
+ }
+
+ if (*p != end) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+ }
+
+ return 0;
+}
+
+/*
* Parse a CSR in DER format
*/
-int mbedtls_x509_csr_parse_der(mbedtls_x509_csr *csr,
- const unsigned char *buf, size_t buflen)
+static int mbedtls_x509_csr_parse_der_internal(mbedtls_x509_csr *csr,
+ const unsigned char *buf, size_t buflen,
+ mbedtls_x509_csr_ext_cb_t cb,
+ void *p_ctx)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t len;
@@ -125,7 +329,7 @@ int mbedtls_x509_csr_parse_der(mbedtls_x509_csr *csr,
}
end = p + len;
- csr->cri.len = end - csr->cri.p;
+ csr->cri.len = (size_t) (end - csr->cri.p);
/*
* Version ::= INTEGER { v1(0) }
@@ -158,7 +362,7 @@ int mbedtls_x509_csr_parse_der(mbedtls_x509_csr *csr,
return ret;
}
- csr->subject_raw.len = p - csr->subject_raw.p;
+ csr->subject_raw.len = (size_t) (p - csr->subject_raw.p);
/*
* subjectPKInfo SubjectPublicKeyInfo
@@ -185,6 +389,11 @@ int mbedtls_x509_csr_parse_der(mbedtls_x509_csr *csr,
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_FORMAT, ret);
}
+ if ((ret = x509_csr_parse_attributes(csr, p, p + len, cb, p_ctx)) != 0) {
+ mbedtls_x509_csr_free(csr);
+ return ret;
+ }
+
p += len;
end = csr->raw.p + csr->raw.len;
@@ -220,6 +429,26 @@ int mbedtls_x509_csr_parse_der(mbedtls_x509_csr *csr,
}
/*
+ * Parse a CSR in DER format
+ */
+int mbedtls_x509_csr_parse_der(mbedtls_x509_csr *csr,
+ const unsigned char *buf, size_t buflen)
+{
+ return mbedtls_x509_csr_parse_der_internal(csr, buf, buflen, NULL, NULL);
+}
+
+/*
+ * Parse a CSR in DER format with callback for unknown extensions
+ */
+int mbedtls_x509_csr_parse_der_with_ext_cb(mbedtls_x509_csr *csr,
+ const unsigned char *buf, size_t buflen,
+ mbedtls_x509_csr_ext_cb_t cb,
+ void *p_ctx)
+{
+ return mbedtls_x509_csr_parse_der_internal(csr, buf, buflen, cb, p_ctx);
+}
+
+/*
* Parse a CSR, allowing for PEM or raw DER encoding
*/
int mbedtls_x509_csr_parse(mbedtls_x509_csr *csr, const unsigned char *buf, size_t buflen)
@@ -284,13 +513,13 @@ int mbedtls_x509_csr_parse_file(mbedtls_x509_csr *csr, const char *path)
ret = mbedtls_x509_csr_parse(csr, buf, n);
- mbedtls_platform_zeroize(buf, n);
- mbedtls_free(buf);
+ mbedtls_zeroize_and_free(buf, n);
return ret;
}
#endif /* MBEDTLS_FS_IO */
+#if !defined(MBEDTLS_X509_REMOVE_INFO)
#define BEFORE_COLON 14
#define BC "14"
/*
@@ -332,8 +561,47 @@ int mbedtls_x509_csr_info(char *buf, size_t size, const char *prefix,
(int) mbedtls_pk_get_bitlen(&csr->pk));
MBEDTLS_X509_SAFE_SNPRINTF;
+ /*
+ * Optional extensions
+ */
+
+ if (csr->ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME) {
+ ret = mbedtls_snprintf(p, n, "\n%ssubject alt name :", prefix);
+ MBEDTLS_X509_SAFE_SNPRINTF;
+
+ if ((ret = mbedtls_x509_info_subject_alt_name(&p, &n,
+ &csr->subject_alt_names,
+ prefix)) != 0) {
+ return ret;
+ }
+ }
+
+ if (csr->ext_types & MBEDTLS_X509_EXT_NS_CERT_TYPE) {
+ ret = mbedtls_snprintf(p, n, "\n%scert. type : ", prefix);
+ MBEDTLS_X509_SAFE_SNPRINTF;
+
+ if ((ret = mbedtls_x509_info_cert_type(&p, &n, csr->ns_cert_type)) != 0) {
+ return ret;
+ }
+ }
+
+ if (csr->ext_types & MBEDTLS_X509_EXT_KEY_USAGE) {
+ ret = mbedtls_snprintf(p, n, "\n%skey usage : ", prefix);
+ MBEDTLS_X509_SAFE_SNPRINTF;
+
+ if ((ret = mbedtls_x509_info_key_usage(&p, &n, csr->key_usage)) != 0) {
+ return ret;
+ }
+ }
+
+ if (csr->ext_types != 0) {
+ ret = mbedtls_snprintf(p, n, "\n");
+ MBEDTLS_X509_SAFE_SNPRINTF;
+ }
+
return (int) (size - n);
}
+#endif /* MBEDTLS_X509_REMOVE_INFO */
/*
* Initialize a CSR
@@ -348,9 +616,6 @@ void mbedtls_x509_csr_init(mbedtls_x509_csr *csr)
*/
void mbedtls_x509_csr_free(mbedtls_x509_csr *csr)
{
- mbedtls_x509_name *name_cur;
- mbedtls_x509_name *name_prv;
-
if (csr == NULL) {
return;
}
@@ -361,17 +626,11 @@ void mbedtls_x509_csr_free(mbedtls_x509_csr *csr)
mbedtls_free(csr->sig_opts);
#endif
- name_cur = csr->subject.next;
- while (name_cur != NULL) {
- name_prv = name_cur;
- name_cur = name_cur->next;
- mbedtls_platform_zeroize(name_prv, sizeof(mbedtls_x509_name));
- mbedtls_free(name_prv);
- }
+ mbedtls_asn1_free_named_data_list_shallow(csr->subject.next);
+ mbedtls_asn1_sequence_free(csr->subject_alt_names.next);
if (csr->raw.p != NULL) {
- mbedtls_platform_zeroize(csr->raw.p, csr->raw.len);
- mbedtls_free(csr->raw.p);
+ mbedtls_zeroize_and_free(csr->raw.p, csr->raw.len);
}
mbedtls_platform_zeroize(csr, sizeof(mbedtls_x509_csr));