зеркало из https://github.com/mozilla/gecko-dev.git
332 строки
9.8 KiB
C
332 строки
9.8 KiB
C
/* This Source Code Form is subject to the terms of the Mozilla Public
|
|
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
|
|
|
#include "cert.h"
|
|
#include "certt.h"
|
|
#include "secder.h"
|
|
#include "key.h"
|
|
#include "secitem.h"
|
|
#include "secasn1.h"
|
|
#include "secerr.h"
|
|
|
|
SEC_ASN1_MKSUB(SEC_AnyTemplate)
|
|
|
|
const SEC_ASN1Template CERT_AttributeTemplate[] = {
|
|
{ SEC_ASN1_SEQUENCE,
|
|
0, NULL, sizeof(CERTAttribute) },
|
|
{ SEC_ASN1_OBJECT_ID, offsetof(CERTAttribute, attrType) },
|
|
{ SEC_ASN1_SET_OF | SEC_ASN1_XTRN, offsetof(CERTAttribute, attrValue),
|
|
SEC_ASN1_SUB(SEC_AnyTemplate) },
|
|
{ 0 }
|
|
};
|
|
|
|
const SEC_ASN1Template CERT_SetOfAttributeTemplate[] = {
|
|
{ SEC_ASN1_SET_OF, 0, CERT_AttributeTemplate },
|
|
};
|
|
|
|
const SEC_ASN1Template CERT_CertificateRequestTemplate[] = {
|
|
{ SEC_ASN1_SEQUENCE,
|
|
0, NULL, sizeof(CERTCertificateRequest) },
|
|
{ SEC_ASN1_INTEGER,
|
|
offsetof(CERTCertificateRequest, version) },
|
|
{ SEC_ASN1_INLINE,
|
|
offsetof(CERTCertificateRequest, subject),
|
|
CERT_NameTemplate },
|
|
{ SEC_ASN1_INLINE,
|
|
offsetof(CERTCertificateRequest, subjectPublicKeyInfo),
|
|
CERT_SubjectPublicKeyInfoTemplate },
|
|
{ SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
|
|
offsetof(CERTCertificateRequest, attributes),
|
|
CERT_SetOfAttributeTemplate },
|
|
{ 0 }
|
|
};
|
|
|
|
SEC_ASN1_CHOOSER_IMPLEMENT(CERT_CertificateRequestTemplate)
|
|
|
|
CERTCertificate *
|
|
CERT_CreateCertificate(unsigned long serialNumber,
|
|
CERTName *issuer,
|
|
CERTValidity *validity,
|
|
CERTCertificateRequest *req)
|
|
{
|
|
CERTCertificate *c;
|
|
int rv;
|
|
PLArenaPool *arena;
|
|
|
|
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
|
|
|
|
if (!arena) {
|
|
return (0);
|
|
}
|
|
|
|
c = (CERTCertificate *)PORT_ArenaZAlloc(arena, sizeof(CERTCertificate));
|
|
|
|
if (!c) {
|
|
PORT_FreeArena(arena, PR_FALSE);
|
|
return 0;
|
|
}
|
|
|
|
c->referenceCount = 1;
|
|
c->arena = arena;
|
|
|
|
/*
|
|
* Default is a plain version 1.
|
|
* If extensions are added, it will get changed as appropriate.
|
|
*/
|
|
rv = DER_SetUInteger(arena, &c->version, SEC_CERTIFICATE_VERSION_1);
|
|
if (rv)
|
|
goto loser;
|
|
|
|
rv = DER_SetUInteger(arena, &c->serialNumber, serialNumber);
|
|
if (rv)
|
|
goto loser;
|
|
|
|
rv = CERT_CopyName(arena, &c->issuer, issuer);
|
|
if (rv)
|
|
goto loser;
|
|
|
|
rv = CERT_CopyValidity(arena, &c->validity, validity);
|
|
if (rv)
|
|
goto loser;
|
|
|
|
rv = CERT_CopyName(arena, &c->subject, &req->subject);
|
|
if (rv)
|
|
goto loser;
|
|
rv = SECKEY_CopySubjectPublicKeyInfo(arena, &c->subjectPublicKeyInfo,
|
|
&req->subjectPublicKeyInfo);
|
|
if (rv)
|
|
goto loser;
|
|
|
|
return c;
|
|
|
|
loser:
|
|
CERT_DestroyCertificate(c);
|
|
return 0;
|
|
}
|
|
|
|
/************************************************************************/
|
|
/* It's clear from the comments that the original author of this
|
|
* function expected the template for certificate requests to treat
|
|
* the attributes as a SET OF ANY. This function expected to be
|
|
* passed an array of SECItems each of which contained an already encoded
|
|
* Attribute. But the cert request template does not treat the
|
|
* Attributes as a SET OF ANY, and AFAIK never has. Instead the template
|
|
* encodes attributes as a SET OF xxxxxxx. That is, it expects to encode
|
|
* each of the Attributes, not have them pre-encoded. Consequently an
|
|
* array of SECItems containing encoded Attributes is of no value to this
|
|
* function. But we cannot change the signature of this public function.
|
|
* It must continue to take SECItems.
|
|
*
|
|
* I have recoded this function so that each SECItem contains an
|
|
* encoded cert extension. The encoded cert extensions form the list for the
|
|
* single attribute of the cert request. In this implementation there is at most
|
|
* one attribute and it is always of type SEC_OID_PKCS9_EXTENSION_REQUEST.
|
|
*/
|
|
|
|
CERTCertificateRequest *
|
|
CERT_CreateCertificateRequest(CERTName *subject,
|
|
CERTSubjectPublicKeyInfo *spki,
|
|
SECItem **attributes)
|
|
{
|
|
CERTCertificateRequest *certreq;
|
|
PLArenaPool *arena;
|
|
CERTAttribute *attribute;
|
|
SECOidData *oidData;
|
|
SECStatus rv;
|
|
int i = 0;
|
|
|
|
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
|
|
if (arena == NULL) {
|
|
return NULL;
|
|
}
|
|
|
|
certreq = PORT_ArenaZNew(arena, CERTCertificateRequest);
|
|
if (!certreq) {
|
|
PORT_FreeArena(arena, PR_FALSE);
|
|
return NULL;
|
|
}
|
|
/* below here it is safe to goto loser */
|
|
|
|
certreq->arena = arena;
|
|
|
|
rv = DER_SetUInteger(arena, &certreq->version,
|
|
SEC_CERTIFICATE_REQUEST_VERSION);
|
|
if (rv != SECSuccess)
|
|
goto loser;
|
|
|
|
rv = CERT_CopyName(arena, &certreq->subject, subject);
|
|
if (rv != SECSuccess)
|
|
goto loser;
|
|
|
|
rv = SECKEY_CopySubjectPublicKeyInfo(arena,
|
|
&certreq->subjectPublicKeyInfo,
|
|
spki);
|
|
if (rv != SECSuccess)
|
|
goto loser;
|
|
|
|
certreq->attributes = PORT_ArenaZNewArray(arena, CERTAttribute *, 2);
|
|
if (!certreq->attributes)
|
|
goto loser;
|
|
|
|
/* Copy over attribute information */
|
|
if (!attributes || !attributes[0]) {
|
|
/*
|
|
** Invent empty attribute information. According to the
|
|
** pkcs#10 spec, attributes has this ASN.1 type:
|
|
**
|
|
** attributes [0] IMPLICIT Attributes
|
|
**
|
|
** Which means, we should create a NULL terminated list
|
|
** with the first entry being NULL;
|
|
*/
|
|
certreq->attributes[0] = NULL;
|
|
return certreq;
|
|
}
|
|
|
|
/* allocate space for attributes */
|
|
attribute = PORT_ArenaZNew(arena, CERTAttribute);
|
|
if (!attribute)
|
|
goto loser;
|
|
|
|
oidData = SECOID_FindOIDByTag(SEC_OID_PKCS9_EXTENSION_REQUEST);
|
|
PORT_Assert(oidData);
|
|
if (!oidData)
|
|
goto loser;
|
|
rv = SECITEM_CopyItem(arena, &attribute->attrType, &oidData->oid);
|
|
if (rv != SECSuccess)
|
|
goto loser;
|
|
|
|
for (i = 0; attributes[i] != NULL; i++)
|
|
;
|
|
attribute->attrValue = PORT_ArenaZNewArray(arena, SECItem *, i + 1);
|
|
if (!attribute->attrValue)
|
|
goto loser;
|
|
|
|
/* copy attributes */
|
|
for (i = 0; attributes[i]; i++) {
|
|
/*
|
|
** Attributes are a SetOf Attribute which implies
|
|
** lexigraphical ordering. It is assumes that the
|
|
** attributes are passed in sorted. If we need to
|
|
** add functionality to sort them, there is an
|
|
** example in the PKCS 7 code.
|
|
*/
|
|
attribute->attrValue[i] = SECITEM_ArenaDupItem(arena, attributes[i]);
|
|
if (!attribute->attrValue[i])
|
|
goto loser;
|
|
}
|
|
|
|
certreq->attributes[0] = attribute;
|
|
|
|
return certreq;
|
|
|
|
loser:
|
|
CERT_DestroyCertificateRequest(certreq);
|
|
return NULL;
|
|
}
|
|
|
|
void
|
|
CERT_DestroyCertificateRequest(CERTCertificateRequest *req)
|
|
{
|
|
if (req && req->arena) {
|
|
PORT_FreeArena(req->arena, PR_FALSE);
|
|
}
|
|
return;
|
|
}
|
|
|
|
static void
|
|
setCRExt(void *o, CERTCertExtension **exts)
|
|
{
|
|
((CERTCertificateRequest *)o)->attributes = (struct CERTAttributeStr **)exts;
|
|
}
|
|
|
|
/*
|
|
** Set up to start gathering cert extensions for a cert request.
|
|
** The list is created as CertExtensions and converted to an
|
|
** attribute list by CERT_FinishCRAttributes().
|
|
*/
|
|
extern void *cert_StartExtensions(void *owner, PLArenaPool *ownerArena,
|
|
void (*setExts)(void *object, CERTCertExtension **exts));
|
|
void *
|
|
CERT_StartCertificateRequestAttributes(CERTCertificateRequest *req)
|
|
{
|
|
return (cert_StartExtensions((void *)req, req->arena, setCRExt));
|
|
}
|
|
|
|
/*
|
|
** At entry req->attributes actually contains an list of cert extensions--
|
|
** req-attributes is overloaded until the list is DER encoded (the first
|
|
** ...EncodeItem() below).
|
|
** We turn this into an attribute list by encapsulating it
|
|
** in a PKCS 10 Attribute structure
|
|
*/
|
|
SECStatus
|
|
CERT_FinishCertificateRequestAttributes(CERTCertificateRequest *req)
|
|
{
|
|
SECItem *extlist;
|
|
SECOidData *oidrec;
|
|
CERTAttribute *attribute;
|
|
|
|
if (!req || !req->arena) {
|
|
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
|
return SECFailure;
|
|
}
|
|
if (req->attributes == NULL || req->attributes[0] == NULL)
|
|
return SECSuccess;
|
|
|
|
extlist = SEC_ASN1EncodeItem(req->arena, NULL, &req->attributes,
|
|
SEC_ASN1_GET(CERT_SequenceOfCertExtensionTemplate));
|
|
if (extlist == NULL)
|
|
return (SECFailure);
|
|
|
|
oidrec = SECOID_FindOIDByTag(SEC_OID_PKCS9_EXTENSION_REQUEST);
|
|
if (oidrec == NULL)
|
|
return SECFailure;
|
|
|
|
/* now change the list of cert extensions into a list of attributes
|
|
*/
|
|
req->attributes = PORT_ArenaZNewArray(req->arena, CERTAttribute *, 2);
|
|
|
|
attribute = PORT_ArenaZNew(req->arena, CERTAttribute);
|
|
|
|
if (req->attributes == NULL || attribute == NULL ||
|
|
SECITEM_CopyItem(req->arena, &attribute->attrType, &oidrec->oid) != 0) {
|
|
PORT_SetError(SEC_ERROR_NO_MEMORY);
|
|
return SECFailure;
|
|
}
|
|
attribute->attrValue = PORT_ArenaZNewArray(req->arena, SECItem *, 2);
|
|
|
|
if (attribute->attrValue == NULL)
|
|
return SECFailure;
|
|
|
|
attribute->attrValue[0] = extlist;
|
|
attribute->attrValue[1] = NULL;
|
|
req->attributes[0] = attribute;
|
|
req->attributes[1] = NULL;
|
|
|
|
return SECSuccess;
|
|
}
|
|
|
|
SECStatus
|
|
CERT_GetCertificateRequestExtensions(CERTCertificateRequest *req,
|
|
CERTCertExtension ***exts)
|
|
{
|
|
if (req == NULL || exts == NULL) {
|
|
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
|
return SECFailure;
|
|
}
|
|
|
|
if (req->attributes == NULL || *req->attributes == NULL)
|
|
return SECSuccess;
|
|
|
|
if ((*req->attributes)->attrValue == NULL) {
|
|
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
|
return SECFailure;
|
|
}
|
|
|
|
return (SEC_ASN1DecodeItem(req->arena, exts,
|
|
SEC_ASN1_GET(CERT_SequenceOfCertExtensionTemplate),
|
|
(*req->attributes)->attrValue[0]));
|
|
}
|