зеркало из https://github.com/mozilla/pjs.git
532 строки
13 KiB
C
532 строки
13 KiB
C
/* ***** BEGIN LICENSE BLOCK *****
|
|
* Version: MPL 1.1/GPL 2.0/LGPL 2.1
|
|
*
|
|
* The contents of this file are subject to the Mozilla Public License Version
|
|
* 1.1 (the "License"); you may not use this file except in compliance with
|
|
* the License. You may obtain a copy of the License at
|
|
* http://www.mozilla.org/MPL/
|
|
*
|
|
* Software distributed under the License is distributed on an "AS IS" basis,
|
|
* WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
|
|
* for the specific language governing rights and limitations under the
|
|
* License.
|
|
*
|
|
* The Original Code is the Netscape security libraries.
|
|
*
|
|
* The Initial Developer of the Original Code is
|
|
* Netscape Communications Corporation.
|
|
* Portions created by the Initial Developer are Copyright (C) 1994-2000
|
|
* the Initial Developer. All Rights Reserved.
|
|
*
|
|
* Contributor(s):
|
|
*
|
|
* Alternatively, the contents of this file may be used under the terms of
|
|
* either the GNU General Public License Version 2 or later (the "GPL"), or
|
|
* the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
|
|
* in which case the provisions of the GPL or the LGPL are applicable instead
|
|
* of those above. If you wish to allow use of your version of this file only
|
|
* under the terms of either the GPL or the LGPL, and not to allow others to
|
|
* use your version of this file under the terms of the MPL, indicate your
|
|
* decision by deleting the provisions above and replace them with the notice
|
|
* and other provisions required by the GPL or the LGPL. If you do not delete
|
|
* the provisions above, a recipient may use your version of this file under
|
|
* the terms of any one of the MPL, the GPL or the LGPL.
|
|
*
|
|
* ***** END LICENSE BLOCK ***** */
|
|
|
|
/*
|
|
* Certificate Extensions handling code
|
|
*
|
|
*/
|
|
|
|
#include "cert.h"
|
|
#include "secitem.h"
|
|
#include "secoid.h"
|
|
#include "secder.h"
|
|
#include "secasn1.h"
|
|
#include "certxutl.h"
|
|
#include "secerr.h"
|
|
|
|
#ifdef OLD
|
|
#include "ocspti.h" /* XXX a better extensions interface would not
|
|
* require knowledge of data structures of callers */
|
|
#endif
|
|
|
|
static CERTCertExtension *
|
|
GetExtension (CERTCertExtension **extensions, SECItem *oid)
|
|
{
|
|
CERTCertExtension **exts;
|
|
CERTCertExtension *ext = NULL;
|
|
SECComparison comp;
|
|
|
|
exts = extensions;
|
|
|
|
if (exts) {
|
|
while ( *exts ) {
|
|
ext = *exts;
|
|
comp = SECITEM_CompareItem(oid, &ext->id);
|
|
if ( comp == SECEqual )
|
|
break;
|
|
|
|
exts++;
|
|
}
|
|
return (*exts ? ext : NULL);
|
|
}
|
|
return (NULL);
|
|
}
|
|
|
|
SECStatus
|
|
cert_FindExtensionByOID (CERTCertExtension **extensions, SECItem *oid, SECItem *value)
|
|
{
|
|
CERTCertExtension *ext;
|
|
SECStatus rv = SECSuccess;
|
|
|
|
ext = GetExtension (extensions, oid);
|
|
if (ext == NULL) {
|
|
PORT_SetError (SEC_ERROR_EXTENSION_NOT_FOUND);
|
|
return (SECFailure);
|
|
}
|
|
if (value)
|
|
rv = SECITEM_CopyItem(NULL, value, &ext->value);
|
|
return (rv);
|
|
}
|
|
|
|
|
|
SECStatus
|
|
CERT_GetExtenCriticality (CERTCertExtension **extensions, int tag, PRBool *isCritical)
|
|
{
|
|
CERTCertExtension *ext;
|
|
SECOidData *oid;
|
|
|
|
if (!isCritical)
|
|
return (SECSuccess);
|
|
|
|
/* find the extension in the extensions list */
|
|
oid = SECOID_FindOIDByTag((SECOidTag)tag);
|
|
if ( !oid ) {
|
|
return(SECFailure);
|
|
}
|
|
ext = GetExtension (extensions, &oid->oid);
|
|
if (ext == NULL) {
|
|
PORT_SetError (SEC_ERROR_EXTENSION_NOT_FOUND);
|
|
return (SECFailure);
|
|
}
|
|
|
|
/* If the criticality is omitted, then it is false by default.
|
|
ex->critical.data is NULL */
|
|
if (ext->critical.data == NULL)
|
|
*isCritical = PR_FALSE;
|
|
else
|
|
*isCritical = (ext->critical.data[0] == 0xff) ? PR_TRUE : PR_FALSE;
|
|
return (SECSuccess);
|
|
}
|
|
|
|
SECStatus
|
|
cert_FindExtension(CERTCertExtension **extensions, int tag, SECItem *value)
|
|
{
|
|
SECOidData *oid;
|
|
|
|
oid = SECOID_FindOIDByTag((SECOidTag)tag);
|
|
if ( !oid ) {
|
|
return(SECFailure);
|
|
}
|
|
|
|
return(cert_FindExtensionByOID(extensions, &oid->oid, value));
|
|
}
|
|
|
|
|
|
typedef struct _extNode {
|
|
struct _extNode *next;
|
|
CERTCertExtension *ext;
|
|
} extNode;
|
|
|
|
typedef struct {
|
|
void (*setExts)(void *object, CERTCertExtension **exts);
|
|
void *object;
|
|
PRArenaPool *ownerArena;
|
|
PRArenaPool *arena;
|
|
extNode *head;
|
|
int count;
|
|
}extRec;
|
|
|
|
/*
|
|
* cert_StartExtensions
|
|
*
|
|
* NOTE: This interface changed significantly to remove knowledge
|
|
* about callers data structures (owner objects)
|
|
*/
|
|
void *
|
|
cert_StartExtensions(void *owner, PRArenaPool *ownerArena,
|
|
void (*setExts)(void *object, CERTCertExtension **exts))
|
|
{
|
|
PRArenaPool *arena;
|
|
extRec *handle;
|
|
|
|
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
|
|
if ( !arena ) {
|
|
return(0);
|
|
}
|
|
|
|
handle = (extRec *)PORT_ArenaAlloc(arena, sizeof(extRec));
|
|
if ( !handle ) {
|
|
PORT_FreeArena(arena, PR_FALSE);
|
|
return(0);
|
|
}
|
|
|
|
handle->object = owner;
|
|
handle->ownerArena = ownerArena;
|
|
handle->setExts = setExts;
|
|
|
|
handle->arena = arena;
|
|
handle->head = 0;
|
|
handle->count = 0;
|
|
|
|
return(handle);
|
|
}
|
|
|
|
static unsigned char hextrue = 0xff;
|
|
|
|
/*
|
|
* Note - assumes that data pointed to by oid->data will not move
|
|
*/
|
|
SECStatus
|
|
CERT_AddExtensionByOID (void *exthandle, SECItem *oid, SECItem *value,
|
|
PRBool critical, PRBool copyData)
|
|
{
|
|
CERTCertExtension *ext;
|
|
SECStatus rv;
|
|
extNode *node;
|
|
extRec *handle;
|
|
|
|
handle = (extRec *)exthandle;
|
|
|
|
/* allocate space for extension and list node */
|
|
ext = (CERTCertExtension*)PORT_ArenaZAlloc(handle->ownerArena,
|
|
sizeof(CERTCertExtension));
|
|
if ( !ext ) {
|
|
return(SECFailure);
|
|
}
|
|
|
|
node = (extNode*)PORT_ArenaAlloc(handle->arena, sizeof(extNode));
|
|
if ( !node ) {
|
|
return(SECFailure);
|
|
}
|
|
|
|
/* add to list */
|
|
node->next = handle->head;
|
|
handle->head = node;
|
|
|
|
/* point to ext struct */
|
|
node->ext = ext;
|
|
|
|
/* the object ID of the extension */
|
|
ext->id = *oid;
|
|
|
|
/* set critical field */
|
|
if ( critical ) {
|
|
ext->critical.data = (unsigned char*)&hextrue;
|
|
ext->critical.len = 1;
|
|
}
|
|
|
|
/* set the value */
|
|
if ( copyData ) {
|
|
rv = SECITEM_CopyItem(handle->ownerArena, &ext->value, value);
|
|
if ( rv ) {
|
|
return(SECFailure);
|
|
}
|
|
} else {
|
|
ext->value = *value;
|
|
}
|
|
|
|
handle->count++;
|
|
|
|
return(SECSuccess);
|
|
|
|
}
|
|
|
|
SECStatus
|
|
CERT_AddExtension(void *exthandle, int idtag, SECItem *value,
|
|
PRBool critical, PRBool copyData)
|
|
{
|
|
SECOidData *oid;
|
|
|
|
oid = SECOID_FindOIDByTag((SECOidTag)idtag);
|
|
if ( !oid ) {
|
|
return(SECFailure);
|
|
}
|
|
|
|
return(CERT_AddExtensionByOID(exthandle, &oid->oid, value, critical, copyData));
|
|
}
|
|
|
|
SECStatus
|
|
CERT_EncodeAndAddExtension(void *exthandle, int idtag, void *value,
|
|
PRBool critical, const SEC_ASN1Template *atemplate)
|
|
{
|
|
extRec *handle;
|
|
SECItem *encitem;
|
|
|
|
handle = (extRec *)exthandle;
|
|
|
|
encitem = SEC_ASN1EncodeItem(handle->ownerArena, NULL, value, atemplate);
|
|
if ( encitem == NULL ) {
|
|
return(SECFailure);
|
|
}
|
|
|
|
return CERT_AddExtension(exthandle, idtag, encitem, critical, PR_FALSE);
|
|
}
|
|
|
|
void
|
|
PrepareBitStringForEncoding (SECItem *bitsmap, SECItem *value)
|
|
{
|
|
unsigned char onebyte;
|
|
unsigned int i, len = 0;
|
|
|
|
/* to prevent warning on some platform at compile time */
|
|
onebyte = '\0';
|
|
/* Get the position of the right-most turn-on bit */
|
|
for (i = 0; i < (value->len ) * 8; ++i) {
|
|
if (i % 8 == 0)
|
|
onebyte = value->data[i/8];
|
|
if (onebyte & 0x80)
|
|
len = i;
|
|
onebyte <<= 1;
|
|
|
|
}
|
|
bitsmap->data = value->data;
|
|
/* Add one here since we work with base 1 */
|
|
bitsmap->len = len + 1;
|
|
}
|
|
|
|
SECStatus
|
|
CERT_EncodeAndAddBitStrExtension (void *exthandle, int idtag,
|
|
SECItem *value, PRBool critical)
|
|
{
|
|
SECItem bitsmap;
|
|
|
|
PrepareBitStringForEncoding (&bitsmap, value);
|
|
return (CERT_EncodeAndAddExtension
|
|
(exthandle, idtag, &bitsmap, critical,
|
|
SEC_ASN1_GET(SEC_BitStringTemplate)));
|
|
}
|
|
|
|
SECStatus
|
|
CERT_FinishExtensions(void *exthandle)
|
|
{
|
|
extRec *handle;
|
|
extNode *node;
|
|
CERTCertExtension **exts;
|
|
SECStatus rv = SECFailure;
|
|
|
|
handle = (extRec *)exthandle;
|
|
|
|
/* allocate space for extensions array */
|
|
exts = PORT_ArenaNewArray(handle->ownerArena, CERTCertExtension *,
|
|
handle->count + 1);
|
|
if (exts == NULL) {
|
|
goto loser;
|
|
}
|
|
|
|
/* put extensions in owner object and update its version number */
|
|
|
|
#ifdef OLD
|
|
switch (handle->type) {
|
|
case CertificateExtensions:
|
|
handle->owner.cert->extensions = exts;
|
|
DER_SetUInteger (ownerArena, &(handle->owner.cert->version),
|
|
SEC_CERTIFICATE_VERSION_3);
|
|
break;
|
|
case CrlExtensions:
|
|
handle->owner.crl->extensions = exts;
|
|
DER_SetUInteger (ownerArena, &(handle->owner.crl->version),
|
|
SEC_CRL_VERSION_2);
|
|
break;
|
|
case OCSPRequestExtensions:
|
|
handle->owner.request->tbsRequest->requestExtensions = exts;
|
|
break;
|
|
case OCSPSingleRequestExtensions:
|
|
handle->owner.singleRequest->singleRequestExtensions = exts;
|
|
break;
|
|
case OCSPResponseSingleExtensions:
|
|
handle->owner.singleResponse->singleExtensions = exts;
|
|
break;
|
|
}
|
|
#endif
|
|
|
|
handle->setExts(handle->object, exts);
|
|
|
|
/* update the version number */
|
|
|
|
/* copy each extension pointer */
|
|
node = handle->head;
|
|
while ( node ) {
|
|
*exts = node->ext;
|
|
|
|
node = node->next;
|
|
exts++;
|
|
}
|
|
|
|
/* terminate the array of extensions */
|
|
*exts = 0;
|
|
|
|
rv = SECSuccess;
|
|
|
|
loser:
|
|
/* free working arena */
|
|
PORT_FreeArena(handle->arena, PR_FALSE);
|
|
return rv;
|
|
}
|
|
|
|
SECStatus
|
|
CERT_MergeExtensions(void *exthandle, CERTCertExtension **extensions)
|
|
{
|
|
CERTCertExtension *ext;
|
|
SECStatus rv = SECSuccess;
|
|
SECOidTag tag;
|
|
extNode *node;
|
|
extRec *handle = exthandle;
|
|
|
|
if (!exthandle || !extensions) {
|
|
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
|
return SECFailure;
|
|
}
|
|
while ((ext = *extensions++) != NULL) {
|
|
tag = SECOID_FindOIDTag(&ext->id);
|
|
for (node=handle->head; node != NULL; node=node->next) {
|
|
if (tag == 0) {
|
|
if (SECITEM_ItemsAreEqual(&ext->id, &node->ext->id))
|
|
break;
|
|
}
|
|
else {
|
|
if (SECOID_FindOIDTag(&node->ext->id) == tag) {
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
if (node == NULL) {
|
|
PRBool critical = (ext->critical.len != 0 &&
|
|
ext->critical.data[ext->critical.len - 1] != 0);
|
|
if (critical && tag == SEC_OID_UNKNOWN) {
|
|
PORT_SetError(SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION);
|
|
rv = SECFailure;
|
|
break;
|
|
}
|
|
/* add to list */
|
|
rv = CERT_AddExtensionByOID (exthandle, &ext->id, &ext->value,
|
|
critical, PR_TRUE);
|
|
if (rv != SECSuccess)
|
|
break;
|
|
}
|
|
}
|
|
return rv;
|
|
}
|
|
|
|
/*
|
|
* get the value of the Netscape Certificate Type Extension
|
|
*/
|
|
SECStatus
|
|
CERT_FindBitStringExtension (CERTCertExtension **extensions, int tag,
|
|
SECItem *retItem)
|
|
{
|
|
SECItem wrapperItem, tmpItem = {siBuffer,0};
|
|
SECStatus rv;
|
|
PRArenaPool *arena = NULL;
|
|
|
|
wrapperItem.data = NULL;
|
|
tmpItem.data = NULL;
|
|
|
|
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
|
|
|
|
if ( ! arena ) {
|
|
return(SECFailure);
|
|
}
|
|
|
|
rv = cert_FindExtension(extensions, tag, &wrapperItem);
|
|
if ( rv != SECSuccess ) {
|
|
goto loser;
|
|
}
|
|
|
|
rv = SEC_QuickDERDecodeItem(arena, &tmpItem,
|
|
SEC_ASN1_GET(SEC_BitStringTemplate),
|
|
&wrapperItem);
|
|
|
|
if ( rv != SECSuccess ) {
|
|
goto loser;
|
|
}
|
|
|
|
retItem->data = (unsigned char *)PORT_Alloc( ( tmpItem.len + 7 ) >> 3 );
|
|
if ( retItem->data == NULL ) {
|
|
goto loser;
|
|
}
|
|
|
|
PORT_Memcpy(retItem->data, tmpItem.data, ( tmpItem.len + 7 ) >> 3);
|
|
retItem->len = tmpItem.len;
|
|
|
|
rv = SECSuccess;
|
|
goto done;
|
|
|
|
loser:
|
|
rv = SECFailure;
|
|
|
|
done:
|
|
if ( arena ) {
|
|
PORT_FreeArena(arena, PR_FALSE);
|
|
}
|
|
|
|
if ( wrapperItem.data ) {
|
|
PORT_Free(wrapperItem.data);
|
|
}
|
|
|
|
return(rv);
|
|
}
|
|
|
|
PRBool
|
|
cert_HasCriticalExtension (CERTCertExtension **extensions)
|
|
{
|
|
CERTCertExtension **exts;
|
|
CERTCertExtension *ext = NULL;
|
|
PRBool hasCriticalExten = PR_FALSE;
|
|
|
|
exts = extensions;
|
|
|
|
if (exts) {
|
|
while ( *exts ) {
|
|
ext = *exts;
|
|
/* If the criticality is omitted, it's non-critical */
|
|
if (ext->critical.data && ext->critical.data[0] == 0xff) {
|
|
hasCriticalExten = PR_TRUE;
|
|
break;
|
|
}
|
|
exts++;
|
|
}
|
|
}
|
|
return (hasCriticalExten);
|
|
}
|
|
|
|
PRBool
|
|
cert_HasUnknownCriticalExten (CERTCertExtension **extensions)
|
|
{
|
|
CERTCertExtension **exts;
|
|
CERTCertExtension *ext = NULL;
|
|
PRBool hasUnknownCriticalExten = PR_FALSE;
|
|
|
|
exts = extensions;
|
|
|
|
if (exts) {
|
|
while ( *exts ) {
|
|
ext = *exts;
|
|
/* If the criticality is omitted, it's non-critical.
|
|
If an extension is critical, make sure that we know
|
|
how to process the extension.
|
|
*/
|
|
if (ext->critical.data && ext->critical.data[0] == 0xff) {
|
|
if (SECOID_KnownCertExtenOID (&ext->id) == PR_FALSE) {
|
|
hasUnknownCriticalExten = PR_TRUE;
|
|
break;
|
|
}
|
|
}
|
|
exts++;
|
|
}
|
|
}
|
|
return (hasUnknownCriticalExten);
|
|
}
|