ReactOS 0.4.16-dev-311-g9382aa2
x509.c
Go to the documentation of this file.
1/*
2 * X.509 common functions for parsing and verification
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6 *
7 * This file is provided under the Apache License 2.0, or the
8 * GNU General Public License v2.0 or later.
9 *
10 * **********
11 * Apache License 2.0:
12 *
13 * Licensed under the Apache License, Version 2.0 (the "License"); you may
14 * not use this file except in compliance with the License.
15 * You may obtain a copy of the License at
16 *
17 * http://www.apache.org/licenses/LICENSE-2.0
18 *
19 * Unless required by applicable law or agreed to in writing, software
20 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
21 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
22 * See the License for the specific language governing permissions and
23 * limitations under the License.
24 *
25 * **********
26 *
27 * **********
28 * GNU General Public License v2.0 or later:
29 *
30 * This program is free software; you can redistribute it and/or modify
31 * it under the terms of the GNU General Public License as published by
32 * the Free Software Foundation; either version 2 of the License, or
33 * (at your option) any later version.
34 *
35 * This program is distributed in the hope that it will be useful,
36 * but WITHOUT ANY WARRANTY; without even the implied warranty of
37 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
38 * GNU General Public License for more details.
39 *
40 * You should have received a copy of the GNU General Public License along
41 * with this program; if not, write to the Free Software Foundation, Inc.,
42 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
43 *
44 * **********
45 */
46/*
47 * The ITU-T X.509 standard defines a certificate format for PKI.
48 *
49 * http://www.ietf.org/rfc/rfc5280.txt (Certificates and CRLs)
50 * http://www.ietf.org/rfc/rfc3279.txt (Alg IDs for CRLs)
51 * http://www.ietf.org/rfc/rfc2986.txt (CSRs, aka PKCS#10)
52 *
53 * http://www.itu.int/ITU-T/studygroups/com17/languages/X.680-0207.pdf
54 * http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf
55 */
56
57#if !defined(MBEDTLS_CONFIG_FILE)
58#include "mbedtls/config.h"
59#else
60#include MBEDTLS_CONFIG_FILE
61#endif
62
63#if defined(MBEDTLS_X509_USE_C)
64
65#include "mbedtls/x509.h"
66#include "mbedtls/asn1.h"
67#include "mbedtls/oid.h"
68
69#include <stdio.h>
70#include <string.h>
71
72#if defined(MBEDTLS_PEM_PARSE_C)
73#include "mbedtls/pem.h"
74#endif
75
76#if defined(MBEDTLS_PLATFORM_C)
77#include "mbedtls/platform.h"
78#else
79#include <stdio.h>
80#include <stdlib.h>
81#define mbedtls_free free
82#define mbedtls_calloc calloc
83#define mbedtls_printf printf
84#define mbedtls_snprintf snprintf
85#endif
86
87#if defined(MBEDTLS_HAVE_TIME)
89#endif
90#if defined(MBEDTLS_HAVE_TIME_DATE)
92#include <time.h>
93#endif
94
95#define CHECK(code) if( ( ret = ( code ) ) != 0 ){ return( ret ); }
96#define CHECK_RANGE(min, max, val) \
97 do \
98 { \
99 if( ( val ) < ( min ) || ( val ) > ( max ) ) \
100 { \
101 return( ret ); \
102 } \
103 } while( 0 )
104
105/*
106 * CertificateSerialNumber ::= INTEGER
107 */
108int mbedtls_x509_get_serial( unsigned char **p, const unsigned char *end,
110{
111 int ret;
112
113 if( ( end - *p ) < 1 )
116
121
122 serial->tag = *(*p)++;
123
124 if( ( ret = mbedtls_asn1_get_len( p, end, &serial->len ) ) != 0 )
126
127 serial->p = *p;
128 *p += serial->len;
129
130 return( 0 );
131}
132
133/* Get an algorithm identifier without parameters (eg for signatures)
134 *
135 * AlgorithmIdentifier ::= SEQUENCE {
136 * algorithm OBJECT IDENTIFIER,
137 * parameters ANY DEFINED BY algorithm OPTIONAL }
138 */
139int mbedtls_x509_get_alg_null( unsigned char **p, const unsigned char *end,
140 mbedtls_x509_buf *alg )
141{
142 int ret;
143
144 if( ( ret = mbedtls_asn1_get_alg_null( p, end, alg ) ) != 0 )
146
147 return( 0 );
148}
149
150/*
151 * Parse an algorithm identifier with (optional) parameters
152 */
153int mbedtls_x509_get_alg( unsigned char **p, const unsigned char *end,
155{
156 int ret;
157
158 if( ( ret = mbedtls_asn1_get_alg( p, end, alg, params ) ) != 0 )
160
161 return( 0 );
162}
163
164#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
165/*
166 * HashAlgorithm ::= AlgorithmIdentifier
167 *
168 * AlgorithmIdentifier ::= SEQUENCE {
169 * algorithm OBJECT IDENTIFIER,
170 * parameters ANY DEFINED BY algorithm OPTIONAL }
171 *
172 * For HashAlgorithm, parameters MUST be NULL or absent.
173 */
174static int x509_get_hash_alg( const mbedtls_x509_buf *alg, mbedtls_md_type_t *md_alg )
175{
176 int ret;
177 unsigned char *p;
178 const unsigned char *end;
179 mbedtls_x509_buf md_oid;
180 size_t len;
181
182 /* Make sure we got a SEQUENCE and setup bounds */
186
187 p = (unsigned char *) alg->p;
188 end = p + alg->len;
189
190 if( p >= end )
193
194 /* Parse md_oid */
195 md_oid.tag = *p;
196
197 if( ( ret = mbedtls_asn1_get_tag( &p, end, &md_oid.len, MBEDTLS_ASN1_OID ) ) != 0 )
199
200 md_oid.p = p;
201 p += md_oid.len;
202
203 /* Get md_alg from md_oid */
204 if( ( ret = mbedtls_oid_get_md_alg( &md_oid, md_alg ) ) != 0 )
206
207 /* Make sure params is absent of NULL */
208 if( p == end )
209 return( 0 );
210
211 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, MBEDTLS_ASN1_NULL ) ) != 0 || len != 0 )
213
214 if( p != end )
217
218 return( 0 );
219}
220
221/*
222 * RSASSA-PSS-params ::= SEQUENCE {
223 * hashAlgorithm [0] HashAlgorithm DEFAULT sha1Identifier,
224 * maskGenAlgorithm [1] MaskGenAlgorithm DEFAULT mgf1SHA1Identifier,
225 * saltLength [2] INTEGER DEFAULT 20,
226 * trailerField [3] INTEGER DEFAULT 1 }
227 * -- Note that the tags in this Sequence are explicit.
228 *
229 * RFC 4055 (which defines use of RSASSA-PSS in PKIX) states that the value
230 * of trailerField MUST be 1, and PKCS#1 v2.2 doesn't even define any other
231 * option. Enfore this at parsing time.
232 */
234 mbedtls_md_type_t *md_alg, mbedtls_md_type_t *mgf_md,
235 int *salt_len )
236{
237 int ret;
238 unsigned char *p;
239 const unsigned char *end, *end2;
240 size_t len;
241 mbedtls_x509_buf alg_id, alg_params;
242
243 /* First set everything to defaults */
244 *md_alg = MBEDTLS_MD_SHA1;
245 *mgf_md = MBEDTLS_MD_SHA1;
246 *salt_len = 20;
247
248 /* Make sure params is a SEQUENCE and setup bounds */
252
253 p = (unsigned char *) params->p;
254 end = p + params->len;
255
256 if( p == end )
257 return( 0 );
258
259 /*
260 * HashAlgorithm
261 */
262 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
264 {
265 end2 = p + len;
266
267 /* HashAlgorithm ::= AlgorithmIdentifier (without parameters) */
268 if( ( ret = mbedtls_x509_get_alg_null( &p, end2, &alg_id ) ) != 0 )
269 return( ret );
270
271 if( ( ret = mbedtls_oid_get_md_alg( &alg_id, md_alg ) ) != 0 )
273
274 if( p != end2 )
277 }
280
281 if( p == end )
282 return( 0 );
283
284 /*
285 * MaskGenAlgorithm
286 */
287 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
289 {
290 end2 = p + len;
291
292 /* MaskGenAlgorithm ::= AlgorithmIdentifier (params = HashAlgorithm) */
293 if( ( ret = mbedtls_x509_get_alg( &p, end2, &alg_id, &alg_params ) ) != 0 )
294 return( ret );
295
296 /* Only MFG1 is recognised for now */
300
301 /* Parse HashAlgorithm */
302 if( ( ret = x509_get_hash_alg( &alg_params, mgf_md ) ) != 0 )
303 return( ret );
304
305 if( p != end2 )
308 }
311
312 if( p == end )
313 return( 0 );
314
315 /*
316 * salt_len
317 */
318 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
320 {
321 end2 = p + len;
322
323 if( ( ret = mbedtls_asn1_get_int( &p, end2, salt_len ) ) != 0 )
325
326 if( p != end2 )
329 }
332
333 if( p == end )
334 return( 0 );
335
336 /*
337 * trailer_field (if present, must be 1)
338 */
339 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
341 {
342 int trailer_field;
343
344 end2 = p + len;
345
346 if( ( ret = mbedtls_asn1_get_int( &p, end2, &trailer_field ) ) != 0 )
348
349 if( p != end2 )
352
353 if( trailer_field != 1 )
355 }
358
359 if( p != end )
362
363 return( 0 );
364}
365#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
366
367/*
368 * AttributeTypeAndValue ::= SEQUENCE {
369 * type AttributeType,
370 * value AttributeValue }
371 *
372 * AttributeType ::= OBJECT IDENTIFIER
373 *
374 * AttributeValue ::= ANY DEFINED BY AttributeType
375 */
376static int x509_get_attr_type_value( unsigned char **p,
377 const unsigned char *end,
379{
380 int ret;
381 size_t len;
382 mbedtls_x509_buf *oid;
384
385 if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
388
389 end = *p + len;
390
391 if( ( end - *p ) < 1 )
394
395 oid = &cur->oid;
396 oid->tag = **p;
397
398 if( ( ret = mbedtls_asn1_get_tag( p, end, &oid->len, MBEDTLS_ASN1_OID ) ) != 0 )
400
401 oid->p = *p;
402 *p += oid->len;
403
404 if( ( end - *p ) < 1 )
407
414
415 val = &cur->val;
416 val->tag = *(*p)++;
417
418 if( ( ret = mbedtls_asn1_get_len( p, end, &val->len ) ) != 0 )
420
421 val->p = *p;
422 *p += val->len;
423
424 if( *p != end )
425 {
428 }
429
430 cur->next = NULL;
431
432 return( 0 );
433}
434
435/*
436 * Name ::= CHOICE { -- only one possibility for now --
437 * rdnSequence RDNSequence }
438 *
439 * RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
440 *
441 * RelativeDistinguishedName ::=
442 * SET OF AttributeTypeAndValue
443 *
444 * AttributeTypeAndValue ::= SEQUENCE {
445 * type AttributeType,
446 * value AttributeValue }
447 *
448 * AttributeType ::= OBJECT IDENTIFIER
449 *
450 * AttributeValue ::= ANY DEFINED BY AttributeType
451 *
452 * The data structure is optimized for the common case where each RDN has only
453 * one element, which is represented as a list of AttributeTypeAndValue.
454 * For the general case we still use a flat list, but we mark elements of the
455 * same set so that they are "merged" together in the functions that consume
456 * this list, eg mbedtls_x509_dn_gets().
457 */
458int mbedtls_x509_get_name( unsigned char **p, const unsigned char *end,
460{
461 int ret;
462 size_t set_len;
463 const unsigned char *end_set;
464
465 /* don't use recursion, we'd risk stack overflow if not optimized */
466 while( 1 )
467 {
468 /*
469 * parse SET
470 */
471 if( ( ret = mbedtls_asn1_get_tag( p, end, &set_len,
474
475 end_set = *p + set_len;
476
477 while( 1 )
478 {
479 if( ( ret = x509_get_attr_type_value( p, end_set, cur ) ) != 0 )
480 return( ret );
481
482 if( *p == end_set )
483 break;
484
485 /* Mark this item as being no the only one in a set */
486 cur->next_merged = 1;
487
488 cur->next = mbedtls_calloc( 1, sizeof( mbedtls_x509_name ) );
489
490 if( cur->next == NULL )
492
493 cur = cur->next;
494 }
495
496 /*
497 * continue until end of SEQUENCE is reached
498 */
499 if( *p == end )
500 return( 0 );
501
502 cur->next = mbedtls_calloc( 1, sizeof( mbedtls_x509_name ) );
503
504 if( cur->next == NULL )
506
507 cur = cur->next;
508 }
509}
510
511static int x509_parse_int( unsigned char **p, size_t n, int *res )
512{
513 *res = 0;
514
515 for( ; n > 0; --n )
516 {
517 if( ( **p < '0') || ( **p > '9' ) )
519
520 *res *= 10;
521 *res += ( *(*p)++ - '0' );
522 }
523
524 return( 0 );
525}
526
527static int x509_date_is_valid(const mbedtls_x509_time *t )
528{
530 int month_len;
531
532 CHECK_RANGE( 0, 9999, t->year );
533 CHECK_RANGE( 0, 23, t->hour );
534 CHECK_RANGE( 0, 59, t->min );
535 CHECK_RANGE( 0, 59, t->sec );
536
537 switch( t->mon )
538 {
539 case 1: case 3: case 5: case 7: case 8: case 10: case 12:
540 month_len = 31;
541 break;
542 case 4: case 6: case 9: case 11:
543 month_len = 30;
544 break;
545 case 2:
546 if( ( !( t->year % 4 ) && t->year % 100 ) ||
547 !( t->year % 400 ) )
548 month_len = 29;
549 else
550 month_len = 28;
551 break;
552 default:
553 return( ret );
554 }
555 CHECK_RANGE( 1, month_len, t->day );
556
557 return( 0 );
558}
559
560/*
561 * Parse an ASN1_UTC_TIME (yearlen=2) or ASN1_GENERALIZED_TIME (yearlen=4)
562 * field.
563 */
564static int x509_parse_time( unsigned char **p, size_t len, size_t yearlen,
566{
567 int ret;
568
569 /*
570 * Minimum length is 10 or 12 depending on yearlen
571 */
572 if ( len < yearlen + 8 )
574 len -= yearlen + 8;
575
576 /*
577 * Parse year, month, day, hour, minute
578 */
579 CHECK( x509_parse_int( p, yearlen, &tm->year ) );
580 if ( 2 == yearlen )
581 {
582 if ( tm->year < 50 )
583 tm->year += 100;
584
585 tm->year += 1900;
586 }
587
588 CHECK( x509_parse_int( p, 2, &tm->mon ) );
589 CHECK( x509_parse_int( p, 2, &tm->day ) );
590 CHECK( x509_parse_int( p, 2, &tm->hour ) );
591 CHECK( x509_parse_int( p, 2, &tm->min ) );
592
593 /*
594 * Parse seconds if present
595 */
596 if ( len >= 2 )
597 {
598 CHECK( x509_parse_int( p, 2, &tm->sec ) );
599 len -= 2;
600 }
601 else
603
604 /*
605 * Parse trailing 'Z' if present
606 */
607 if ( 1 == len && 'Z' == **p )
608 {
609 (*p)++;
610 len--;
611 }
612
613 /*
614 * We should have parsed all characters at this point
615 */
616 if ( 0 != len )
618
619 CHECK( x509_date_is_valid( tm ) );
620
621 return ( 0 );
622}
623
624/*
625 * Time ::= CHOICE {
626 * utcTime UTCTime,
627 * generalTime GeneralizedTime }
628 */
629int mbedtls_x509_get_time( unsigned char **p, const unsigned char *end,
631{
632 int ret;
633 size_t len, year_len;
634 unsigned char tag;
635
636 if( ( end - *p ) < 1 )
639
640 tag = **p;
641
643 year_len = 2;
645 year_len = 4;
646 else
649
650 (*p)++;
652
653 if( ret != 0 )
655
656 return x509_parse_time( p, len, year_len, tm );
657}
658
659int mbedtls_x509_get_sig( unsigned char **p, const unsigned char *end, mbedtls_x509_buf *sig )
660{
661 int ret;
662 size_t len;
663 int tag_type;
664
665 if( ( end - *p ) < 1 )
668
669 tag_type = **p;
670
671 if( ( ret = mbedtls_asn1_get_bitstring_null( p, end, &len ) ) != 0 )
673
674 sig->tag = tag_type;
675 sig->len = len;
676 sig->p = *p;
677
678 *p += len;
679
680 return( 0 );
681}
682
683/*
684 * Get signature algorithm from alg OID and optional parameters
685 */
686int mbedtls_x509_get_sig_alg( const mbedtls_x509_buf *sig_oid, const mbedtls_x509_buf *sig_params,
687 mbedtls_md_type_t *md_alg, mbedtls_pk_type_t *pk_alg,
688 void **sig_opts )
689{
690 int ret;
691
692 if( *sig_opts != NULL )
694
695 if( ( ret = mbedtls_oid_get_sig_alg( sig_oid, md_alg, pk_alg ) ) != 0 )
697
698#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
699 if( *pk_alg == MBEDTLS_PK_RSASSA_PSS )
700 {
702
703 pss_opts = mbedtls_calloc( 1, sizeof( mbedtls_pk_rsassa_pss_options ) );
704 if( pss_opts == NULL )
706
708 md_alg,
709 &pss_opts->mgf1_hash_id,
710 &pss_opts->expected_salt_len );
711 if( ret != 0 )
712 {
713 mbedtls_free( pss_opts );
714 return( ret );
715 }
716
717 *sig_opts = (void *) pss_opts;
718 }
719 else
720#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
721 {
722 /* Make sure parameters are absent or NULL */
723 if( ( sig_params->tag != MBEDTLS_ASN1_NULL && sig_params->tag != 0 ) ||
724 sig_params->len != 0 )
726 }
727
728 return( 0 );
729}
730
731/*
732 * X.509 Extensions (No parsing of extensions, pointer should
733 * be either manually updated or extensions should be parsed!)
734 */
735int mbedtls_x509_get_ext( unsigned char **p, const unsigned char *end,
736 mbedtls_x509_buf *ext, int tag )
737{
738 int ret;
739 size_t len;
740
741 /* Extension structure use EXPLICIT tagging. That is, the actual
742 * `Extensions` structure is wrapped by a tag-length pair using
743 * the respective context-specific tag. */
744 ret = mbedtls_asn1_get_tag( p, end, &ext->len,
746 if( ret != 0 )
748
750 ext->p = *p;
751 end = *p + ext->len;
752
753 /*
754 * Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
755 */
756 if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
759
760 if( end != *p + len )
763
764 return( 0 );
765}
766
767/*
768 * Store the name in printable form into buf; no more
769 * than size characters will be written
770 */
771int mbedtls_x509_dn_gets( char *buf, size_t size, const mbedtls_x509_name *dn )
772{
773 int ret;
774 size_t i, n;
775 unsigned char c, merge = 0;
776 const mbedtls_x509_name *name;
777 const char *short_name = NULL;
779
780 memset( s, 0, sizeof( s ) );
781
782 name = dn;
783 p = buf;
784 n = size;
785
786 while( name != NULL )
787 {
788 if( !name->oid.p )
789 {
790 name = name->next;
791 continue;
792 }
793
794 if( name != dn )
795 {
796 ret = mbedtls_snprintf( p, n, merge ? " + " : ", " );
798 }
799
801
802 if( ret == 0 )
803 ret = mbedtls_snprintf( p, n, "%s=", short_name );
804 else
805 ret = mbedtls_snprintf( p, n, "\?\?=" );
807
808 for( i = 0; i < name->val.len; i++ )
809 {
810 if( i >= sizeof( s ) - 1 )
811 break;
812
813 c = name->val.p[i];
814 if( c < 32 || c == 127 || ( c > 128 && c < 160 ) )
815 s[i] = '?';
816 else s[i] = c;
817 }
818 s[i] = '\0';
819 ret = mbedtls_snprintf( p, n, "%s", s );
821
822 merge = name->next_merged;
823 name = name->next;
824 }
825
826 return( (int) ( size - n ) );
827}
828
829/*
830 * Store the serial in printable form into buf; no more
831 * than size characters will be written
832 */
833int mbedtls_x509_serial_gets( char *buf, size_t size, const mbedtls_x509_buf *serial )
834{
835 int ret;
836 size_t i, n, nr;
837 char *p;
838
839 p = buf;
840 n = size;
841
842 nr = ( serial->len <= 32 )
843 ? serial->len : 28;
844
845 for( i = 0; i < nr; i++ )
846 {
847 if( i == 0 && nr > 1 && serial->p[i] == 0x0 )
848 continue;
849
850 ret = mbedtls_snprintf( p, n, "%02X%s",
851 serial->p[i], ( i < nr - 1 ) ? ":" : "" );
853 }
854
855 if( nr != serial->len )
856 {
857 ret = mbedtls_snprintf( p, n, "...." );
859 }
860
861 return( (int) ( size - n ) );
862}
863
864/*
865 * Helper for writing signature algorithms
866 */
867int mbedtls_x509_sig_alg_gets( char *buf, size_t size, const mbedtls_x509_buf *sig_oid,
869 const void *sig_opts )
870{
871 int ret;
872 char *p = buf;
873 size_t n = size;
874 const char *desc = NULL;
875
877 if( ret != 0 )
878 ret = mbedtls_snprintf( p, n, "???" );
879 else
880 ret = mbedtls_snprintf( p, n, "%s", desc );
882
883#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
884 if( pk_alg == MBEDTLS_PK_RSASSA_PSS )
885 {
886 const mbedtls_pk_rsassa_pss_options *pss_opts;
887 const mbedtls_md_info_t *md_info, *mgf_md_info;
888
889 pss_opts = (const mbedtls_pk_rsassa_pss_options *) sig_opts;
890
891 md_info = mbedtls_md_info_from_type( md_alg );
892 mgf_md_info = mbedtls_md_info_from_type( pss_opts->mgf1_hash_id );
893
894 ret = mbedtls_snprintf( p, n, " (%s, MGF1-%s, 0x%02X)",
895 md_info ? mbedtls_md_get_name( md_info ) : "???",
896 mgf_md_info ? mbedtls_md_get_name( mgf_md_info ) : "???",
897 pss_opts->expected_salt_len );
899 }
900#else
901 ((void) pk_alg);
902 ((void) md_alg);
903 ((void) sig_opts);
904#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
905
906 return( (int)( size - n ) );
907}
908
909/*
910 * Helper for writing "RSA key size", "EC key size", etc
911 */
912int mbedtls_x509_key_size_helper( char *buf, size_t buf_size, const char *name )
913{
914 char *p = buf;
915 size_t n = buf_size;
916 int ret;
917
918 ret = mbedtls_snprintf( p, n, "%s key size", name );
920
921 return( 0 );
922}
923
924#if defined(MBEDTLS_HAVE_TIME_DATE)
925/*
926 * Set the time structure to the current time.
927 * Return 0 on success, non-zero on failure.
928 */
929static int x509_get_current_time( mbedtls_x509_time *now )
930{
931 struct tm *lt, tm_buf;
933 int ret = 0;
934
935 tt = mbedtls_time( NULL );
936 lt = mbedtls_platform_gmtime_r( &tt, &tm_buf );
937
938 if( lt == NULL )
939 ret = -1;
940 else
941 {
942 now->year = lt->tm_year + 1900;
943 now->mon = lt->tm_mon + 1;
944 now->day = lt->tm_mday;
945 now->hour = lt->tm_hour;
946 now->min = lt->tm_min;
947 now->sec = lt->tm_sec;
948 }
949
950 return( ret );
951}
952
953/*
954 * Return 0 if before <= after, 1 otherwise
955 */
956static int x509_check_time( const mbedtls_x509_time *before, const mbedtls_x509_time *after )
957{
958 if( before->year > after->year )
959 return( 1 );
960
961 if( before->year == after->year &&
962 before->mon > after->mon )
963 return( 1 );
964
965 if( before->year == after->year &&
966 before->mon == after->mon &&
967 before->day > after->day )
968 return( 1 );
969
970 if( before->year == after->year &&
971 before->mon == after->mon &&
972 before->day == after->day &&
973 before->hour > after->hour )
974 return( 1 );
975
976 if( before->year == after->year &&
977 before->mon == after->mon &&
978 before->day == after->day &&
979 before->hour == after->hour &&
980 before->min > after->min )
981 return( 1 );
982
983 if( before->year == after->year &&
984 before->mon == after->mon &&
985 before->day == after->day &&
986 before->hour == after->hour &&
987 before->min == after->min &&
988 before->sec > after->sec )
989 return( 1 );
990
991 return( 0 );
992}
993
995{
997
998 if( x509_get_current_time( &now ) != 0 )
999 return( 1 );
1000
1001 return( x509_check_time( &now, to ) );
1002}
1003
1005{
1007
1008 if( x509_get_current_time( &now ) != 0 )
1009 return( 1 );
1010
1011 return( x509_check_time( from, &now ) );
1012}
1013
1014#else /* MBEDTLS_HAVE_TIME_DATE */
1015
1017{
1018 ((void) to);
1019 return( 0 );
1020}
1021
1023{
1024 ((void) from);
1025 return( 0 );
1026}
1027#endif /* MBEDTLS_HAVE_TIME_DATE */
1028
1029#if defined(MBEDTLS_SELF_TEST)
1030
1031#include "mbedtls/x509_crt.h"
1032#include "mbedtls/certs.h"
1033
1034/*
1035 * Checkup routine
1036 */
1037int mbedtls_x509_self_test( int verbose )
1038{
1039 int ret = 0;
1040#if defined(MBEDTLS_CERTS_C) && defined(MBEDTLS_SHA256_C)
1042 mbedtls_x509_crt cacert;
1043 mbedtls_x509_crt clicert;
1044
1045 if( verbose != 0 )
1046 mbedtls_printf( " X.509 certificate load: " );
1047
1048 mbedtls_x509_crt_init( &cacert );
1049 mbedtls_x509_crt_init( &clicert );
1050
1051 ret = mbedtls_x509_crt_parse( &clicert, (const unsigned char *) mbedtls_test_cli_crt,
1053 if( ret != 0 )
1054 {
1055 if( verbose != 0 )
1056 mbedtls_printf( "failed\n" );
1057
1058 goto cleanup;
1059 }
1060
1061 ret = mbedtls_x509_crt_parse( &cacert, (const unsigned char *) mbedtls_test_ca_crt,
1063 if( ret != 0 )
1064 {
1065 if( verbose != 0 )
1066 mbedtls_printf( "failed\n" );
1067
1068 goto cleanup;
1069 }
1070
1071 if( verbose != 0 )
1072 mbedtls_printf( "passed\n X.509 signature verify: ");
1073
1074 ret = mbedtls_x509_crt_verify( &clicert, &cacert, NULL, NULL, &flags, NULL, NULL );
1075 if( ret != 0 )
1076 {
1077 if( verbose != 0 )
1078 mbedtls_printf( "failed\n" );
1079
1080 goto cleanup;
1081 }
1082
1083 if( verbose != 0 )
1084 mbedtls_printf( "passed\n\n");
1085
1086cleanup:
1087 mbedtls_x509_crt_free( &cacert );
1088 mbedtls_x509_crt_free( &clicert );
1089#else
1090 ((void) verbose);
1091#endif /* MBEDTLS_CERTS_C && MBEDTLS_SHA256_C */
1092 return( ret );
1093}
1094
1095#endif /* MBEDTLS_SELF_TEST */
1096
1097#endif /* MBEDTLS_X509_USE_C */
#define CHECK(hwndTarget)
_STLP_MOVE_TO_STD_NAMESPACE _OutputIter merge(_InputIter1 __first1, _InputIter1 __last1, _InputIter2 __first2, _InputIter2 __last2, _OutputIter __result)
Definition: _algo.c:1419
Generic ASN.1 parsing.
const WCHAR * short_name
Definition: reg.c:29
alg_id
Definition: bcrypt_main.c:263
Sample certificates and DHM parameters for testing.
const size_t mbedtls_test_cli_crt_len
const char * mbedtls_test_ca_crt
const size_t mbedtls_test_ca_crt_len
const char * mbedtls_test_cli_crt
#define NULL
Definition: types.h:112
UINT32 uint32_t
Definition: types.h:75
static const WCHAR *const ext[]
Definition: module.c:53
static void cleanup(void)
Definition: main.c:1335
time_t now
Definition: finger.c:65
uint32_t serial
Definition: fsck.fat.h:29
FxCollectionEntry * cur
GLdouble s
Definition: gl.h:2039
GLuint GLuint end
Definition: gl.h:1545
GLdouble GLdouble t
Definition: gl.h:2047
GLsizeiptr size
Definition: glext.h:5919
GLdouble n
Definition: glext.h:7729
GLuint res
Definition: glext.h:9613
const GLubyte * c
Definition: glext.h:8905
GLenum const GLfloat * params
Definition: glext.h:5645
GLenum GLuint GLenum GLsizei const GLchar * buf
Definition: glext.h:7751
GLbitfield flags
Definition: glext.h:7161
GLuint GLfloat * val
Definition: glext.h:7180
GLfloat GLfloat p
Definition: glext.h:8902
GLenum GLsizei len
Definition: glext.h:6722
GLsizei GLenum const GLvoid GLsizei GLenum GLbyte GLbyte GLbyte GLdouble GLdouble GLdouble GLfloat GLfloat GLfloat GLint GLint GLint GLshort GLshort GLshort GLubyte GLubyte GLubyte GLuint GLuint GLuint GLushort GLushort GLushort GLbyte GLbyte GLbyte GLbyte GLdouble GLdouble GLdouble GLdouble GLfloat GLfloat GLfloat GLfloat GLint GLint GLint GLint GLshort GLshort GLshort GLshort GLubyte GLubyte GLubyte GLubyte GLuint GLuint GLuint GLuint GLushort GLushort GLushort GLushort GLboolean const GLdouble const GLfloat const GLint const GLshort const GLbyte const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLdouble const GLfloat const GLfloat const GLint const GLint const GLshort const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort GLenum GLenum GLenum GLfloat GLenum GLint GLenum GLenum GLenum GLfloat GLenum GLenum GLint GLenum GLfloat GLenum GLint GLint GLushort GLenum GLenum GLfloat GLenum GLenum GLint GLfloat const GLubyte GLenum GLenum GLenum const GLfloat GLenum GLenum const GLint GLenum GLint GLint GLsizei GLsizei GLint GLenum GLenum const GLvoid GLenum GLenum const GLfloat GLenum GLenum const GLint GLenum GLenum const GLdouble GLenum GLenum const GLfloat GLenum GLenum const GLint GLsizei GLuint GLfloat GLuint GLbitfield GLfloat GLint GLuint GLboolean GLenum GLfloat GLenum GLbitfield GLenum GLfloat GLfloat GLint GLint const GLfloat GLenum GLfloat GLfloat GLint GLint GLfloat GLfloat GLint GLint const GLfloat GLint GLfloat GLfloat GLint GLfloat GLfloat GLint GLfloat GLfloat const GLdouble const GLfloat const GLdouble const GLfloat GLint i
Definition: glfuncs.h:248
size_t len
Definition: asn1.h:162
unsigned char * p
Definition: asn1.h:163
#define MBEDTLS_OID_CMP(oid_str, oid_buf)
Definition: asn1.h:143
int mbedtls_asn1_get_bitstring_null(unsigned char **p, const unsigned char *end, size_t *len)
Retrieve a bitstring ASN.1 tag without unused bits and its value. Updates the pointer to the beginnin...
#define MBEDTLS_ERR_ASN1_OUT_OF_DATA
Definition: asn1.h:76
#define MBEDTLS_ASN1_GENERALIZED_TIME
Definition: asn1.h:110
#define MBEDTLS_ASN1_IA5_STRING
Definition: asn1.h:108
#define MBEDTLS_ASN1_BMP_STRING
Definition: asn1.h:112
#define MBEDTLS_ASN1_PRINTABLE_STRING
Definition: asn1.h:106
#define MBEDTLS_ASN1_SEQUENCE
Definition: asn1.h:104
#define MBEDTLS_ASN1_SET
Definition: asn1.h:105
#define MBEDTLS_ASN1_INTEGER
Definition: asn1.h:98
int mbedtls_asn1_get_int(unsigned char **p, const unsigned char *end, int *val)
Retrieve an integer ASN.1 tag and its value. Updates the pointer to immediately behind the full tag.
#define MBEDTLS_ASN1_PRIMITIVE
Definition: asn1.h:113
#define MBEDTLS_ASN1_CONTEXT_SPECIFIC
Definition: asn1.h:115
#define MBEDTLS_ASN1_CONSTRUCTED
Definition: asn1.h:114
#define MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
Definition: asn1.h:77
#define MBEDTLS_ASN1_T61_STRING
Definition: asn1.h:107
#define MBEDTLS_ASN1_UTC_TIME
Definition: asn1.h:109
#define MBEDTLS_ASN1_UNIVERSAL_STRING
Definition: asn1.h:111
#define MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
Definition: asn1.h:79
int mbedtls_asn1_get_len(unsigned char **p, const unsigned char *end, size_t *len)
Get the length of an ASN.1 element. Updates the pointer to immediately behind the length.
#define MBEDTLS_ASN1_OID
Definition: asn1.h:102
int mbedtls_asn1_get_alg_null(unsigned char **p, const unsigned char *end, mbedtls_asn1_buf *alg)
Retrieve an AlgorithmIdentifier ASN.1 sequence with NULL or no params. Updates the pointer to immedia...
int mbedtls_asn1_get_alg(unsigned char **p, const unsigned char *end, mbedtls_asn1_buf *alg, mbedtls_asn1_buf *params)
Retrieve an AlgorithmIdentifier ASN.1 sequence. Updates the pointer to immediately behind the full Al...
#define MBEDTLS_ASN1_NULL
Definition: asn1.h:101
int mbedtls_asn1_get_tag(unsigned char **p, const unsigned char *end, size_t *len, int tag)
Get the tag and length of the tag. Check for the requested tag. Updates the pointer to immediately be...
#define MBEDTLS_ASN1_UTF8_STRING
Definition: asn1.h:103
#define MBEDTLS_ASN1_BIT_STRING
Definition: asn1.h:99
void mbedtls_x509_crt_init(mbedtls_x509_crt *crt)
Initialize a certificate (chain)
#define MBEDTLS_ERR_X509_INVALID_SIGNATURE
Definition: x509.h:94
int mbedtls_x509_crt_parse(mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen)
Parse one DER-encoded or one or more concatenated PEM-encoded certificates and add them to the chaine...
int mbedtls_x509_time_is_past(const mbedtls_x509_time *to)
Check a given mbedtls_x509_time against the system time and tell if it's in the past.
int mbedtls_x509_time_is_future(const mbedtls_x509_time *from)
Check a given mbedtls_x509_time against the system time and tell if it's in the future.
int mbedtls_x509_get_rsassa_pss_params(const mbedtls_x509_buf *params, mbedtls_md_type_t *md_alg, mbedtls_md_type_t *mgf_md, int *salt_len)
#define MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE
Definition: x509.h:86
int mbedtls_x509_get_name(unsigned char **p, const unsigned char *end, mbedtls_x509_name *cur)
#define MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG
Definition: x509.h:97
int mbedtls_x509_dn_gets(char *buf, size_t size, const mbedtls_x509_name *dn)
Store the certificate DN in printable form into buf; no more than size characters will be written.
int mbedtls_x509_get_alg_null(unsigned char **p, const unsigned char *end, mbedtls_x509_buf *alg)
#define MBEDTLS_ERR_X509_INVALID_SERIAL
Definition: x509.h:90
#define MBEDTLS_X509_SAFE_SNPRINTF
Definition: x509.h:349
int mbedtls_x509_get_sig_alg(const mbedtls_x509_buf *sig_oid, const mbedtls_x509_buf *sig_params, mbedtls_md_type_t *md_alg, mbedtls_pk_type_t *pk_alg, void **sig_opts)
#define MBEDTLS_ERR_X509_INVALID_NAME
Definition: x509.h:92
int mbedtls_x509_get_alg(unsigned char **p, const unsigned char *end, mbedtls_x509_buf *alg, mbedtls_x509_buf *params)
int mbedtls_x509_crt_verify(mbedtls_x509_crt *crt, mbedtls_x509_crt *trust_ca, mbedtls_x509_crl *ca_crl, const char *cn, uint32_t *flags, int(*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), void *p_vrfy)
Verify the certificate signature.
#define MBEDTLS_ERR_X509_INVALID_EXTENSIONS
Definition: x509.h:95
int mbedtls_x509_get_ext(unsigned char **p, const unsigned char *end, mbedtls_x509_buf *ext, int tag)
void mbedtls_x509_crt_free(mbedtls_x509_crt *crt)
Unallocate all certificate data.
int mbedtls_x509_key_size_helper(char *buf, size_t buf_size, const char *name)
#define MBEDTLS_ERR_X509_INVALID_DATE
Definition: x509.h:93
int mbedtls_x509_sig_alg_gets(char *buf, size_t size, const mbedtls_x509_buf *sig_oid, mbedtls_pk_type_t pk_alg, mbedtls_md_type_t md_alg, const void *sig_opts)
#define MBEDTLS_ERR_X509_ALLOC_FAILED
Definition: x509.h:102
int mbedtls_x509_get_serial(unsigned char **p, const unsigned char *end, mbedtls_x509_buf *serial)
int mbedtls_x509_get_sig(unsigned char **p, const unsigned char *end, mbedtls_x509_buf *sig)
int mbedtls_x509_get_time(unsigned char **p, const unsigned char *end, mbedtls_x509_time *t)
#define MBEDTLS_X509_MAX_DN_NAME_SIZE
Definition: x509.h:196
#define MBEDTLS_ERR_X509_INVALID_ALG
Definition: x509.h:91
#define MBEDTLS_ERR_X509_BAD_INPUT_DATA
Definition: x509.h:101
int mbedtls_x509_serial_gets(char *buf, size_t size, const mbedtls_x509_buf *serial)
Store the certificate serial in printable form into buf; no more than size characters will be written...
#define c
Definition: ke_i.h:80
mbedtls_md_type_t
Supported message digests.
Definition: md.h:83
@ MBEDTLS_MD_SHA1
Definition: md.h:88
const char * mbedtls_md_get_name(const mbedtls_md_info_t *md_info)
This function extracts the message-digest name from the message-digest information structure.
ULONG nr
Definition: thread.c:7
static const WCHAR desc[]
Definition: protectdata.c:36
#define CHECK_RANGE(range, expected_start, expected_end)
Definition: richole.c:3547
Object Identifier (OID) database.
int mbedtls_oid_get_attr_short_name(const mbedtls_asn1_buf *oid, const char **short_name)
Translate an X.509 attribute type OID into the short name (e.g. the OID for an X520 Common Name into ...
#define MBEDTLS_OID_MGF1
Definition: oid.h:240
#define MBEDTLS_ERR_OID_NOT_FOUND
Definition: oid.h:75
int mbedtls_oid_get_sig_alg(const mbedtls_asn1_buf *oid, mbedtls_md_type_t *md_alg, mbedtls_pk_type_t *pk_alg)
Translate SignatureAlgorithm OID into md_type and pk_type.
int mbedtls_oid_get_md_alg(const mbedtls_asn1_buf *oid, mbedtls_md_type_t *md_alg)
Translate hash algorithm OID into md_type.
int mbedtls_oid_get_sig_alg_desc(const mbedtls_asn1_buf *oid, const char **desc)
Translate SignatureAlgorithm OID into description.
Privacy Enhanced Mail (PEM) decoding.
mbedtls_pk_type_t
Public key types.
Definition: pk.h:103
@ MBEDTLS_PK_RSASSA_PSS
Definition: pk.h:110
mbed TLS Platform time abstraction
#define mbedtls_time
Definition: platform_time.h:99
time_t mbedtls_time_t
Definition: platform_time.h:78
Common and shared functions used by multiple modules in the Mbed TLS library.
#define verbose
Definition: rosglue.h:36
#define mbedtls_md_info_from_type
Configuration options (set of defines)
This file contains the definitions and functions of the Mbed TLS platform abstraction layer.
#define mbedtls_free
Definition: platform.h:168
#define mbedtls_snprintf
Definition: platform.h:254
#define mbedtls_calloc
Definition: platform.h:169
#define memset(x, y, z)
Definition: compat.h:39
CardRegion * from
Definition: spigame.cpp:19
Options for RSASSA-PSS signature verification. See mbedtls_rsa_rsassa_pss_verify_ext()
Definition: pk.h:118
mbedtls_md_type_t mgf1_hash_id
Definition: pk.h:119
Definition: name.c:39
Definition: ecma_167.h:138
Definition: time.h:68
int tm_mon
Definition: time.h:73
int tm_year
Definition: time.h:74
int tm_hour
Definition: time.h:71
int tm_sec
Definition: time.h:69
int tm_mday
Definition: time.h:72
int tm_min
Definition: time.h:70
__inline int before(__u32 seq1, __u32 seq2)
Definition: tcpcore.h:2390
__inline int after(__u32 seq1, __u32 seq2)
Definition: tcpcore.h:2395
#define mbedtls_printf
Definition: timing.c:57
int ret
X.509 generic defines and structures.
X.509 certificate parsing and writing.