Annotation of embedaddon/axTLS/ssl/asn1.c, revision 1.1
1.1 ! misho 1: /*
! 2: * Copyright (c) 2007, Cameron Rich
! 3: *
! 4: * All rights reserved.
! 5: *
! 6: * Redistribution and use in source and binary forms, with or without
! 7: * modification, are permitted provided that the following conditions are met:
! 8: *
! 9: * * Redistributions of source code must retain the above copyright notice,
! 10: * this list of conditions and the following disclaimer.
! 11: * * Redistributions in binary form must reproduce the above copyright notice,
! 12: * this list of conditions and the following disclaimer in the documentation
! 13: * and/or other materials provided with the distribution.
! 14: * * Neither the name of the axTLS project nor the names of its contributors
! 15: * may be used to endorse or promote products derived from this software
! 16: * without specific prior written permission.
! 17: *
! 18: * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
! 19: * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
! 20: * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
! 21: * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
! 22: * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
! 23: * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
! 24: * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
! 25: * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
! 26: * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
! 27: * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
! 28: * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
! 29: */
! 30:
! 31: /**
! 32: * Some primitive asn methods for extraction ASN.1 data.
! 33: */
! 34:
! 35: #include <stdio.h>
! 36: #include <stdlib.h>
! 37: #include <string.h>
! 38: #include <time.h>
! 39: #include "os_port.h"
! 40: #include "crypto.h"
! 41: #include "crypto_misc.h"
! 42:
! 43: #define SIG_OID_PREFIX_SIZE 8
! 44: #define SIG_IIS6_OID_SIZE 5
! 45: #define SIG_SUBJECT_ALT_NAME_SIZE 3
! 46:
! 47: /* Must be an RSA algorithm with either SHA1 or MD5 for verifying to work */
! 48: static const uint8_t sig_oid_prefix[SIG_OID_PREFIX_SIZE] =
! 49: {
! 50: 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01
! 51: };
! 52:
! 53: static const uint8_t sig_sha1WithRSAEncrypt[SIG_IIS6_OID_SIZE] =
! 54: {
! 55: 0x2b, 0x0e, 0x03, 0x02, 0x1d
! 56: };
! 57:
! 58: static const uint8_t sig_subject_alt_name[SIG_SUBJECT_ALT_NAME_SIZE] =
! 59: {
! 60: 0x55, 0x1d, 0x11
! 61: };
! 62:
! 63: /* CN, O, OU */
! 64: static const uint8_t g_dn_types[] = { 3, 10, 11 };
! 65:
! 66: int get_asn1_length(const uint8_t *buf, int *offset)
! 67: {
! 68: int len, i;
! 69:
! 70: if (!(buf[*offset] & 0x80)) /* short form */
! 71: {
! 72: len = buf[(*offset)++];
! 73: }
! 74: else /* long form */
! 75: {
! 76: int length_bytes = buf[(*offset)++]&0x7f;
! 77: len = 0;
! 78: for (i = 0; i < length_bytes; i++)
! 79: {
! 80: len <<= 8;
! 81: len += buf[(*offset)++];
! 82: }
! 83: }
! 84:
! 85: return len;
! 86: }
! 87:
! 88: /**
! 89: * Skip the ASN1.1 object type and its length. Get ready to read the object's
! 90: * data.
! 91: */
! 92: int asn1_next_obj(const uint8_t *buf, int *offset, int obj_type)
! 93: {
! 94: if (buf[*offset] != obj_type)
! 95: return X509_NOT_OK;
! 96: (*offset)++;
! 97: return get_asn1_length(buf, offset);
! 98: }
! 99:
! 100: /**
! 101: * Skip over an ASN.1 object type completely. Get ready to read the next
! 102: * object.
! 103: */
! 104: int asn1_skip_obj(const uint8_t *buf, int *offset, int obj_type)
! 105: {
! 106: int len;
! 107:
! 108: if (buf[*offset] != obj_type)
! 109: return X509_NOT_OK;
! 110: (*offset)++;
! 111: len = get_asn1_length(buf, offset);
! 112: *offset += len;
! 113: return 0;
! 114: }
! 115:
! 116: /**
! 117: * Read an integer value for ASN.1 data
! 118: * Note: This function allocates memory which must be freed by the user.
! 119: */
! 120: int asn1_get_int(const uint8_t *buf, int *offset, uint8_t **object)
! 121: {
! 122: int len;
! 123:
! 124: if ((len = asn1_next_obj(buf, offset, ASN1_INTEGER)) < 0)
! 125: goto end_int_array;
! 126:
! 127: if (len > 1 && buf[*offset] == 0x00) /* ignore the negative byte */
! 128: {
! 129: len--;
! 130: (*offset)++;
! 131: }
! 132:
! 133: *object = (uint8_t *)malloc(len);
! 134: memcpy(*object, &buf[*offset], len);
! 135: *offset += len;
! 136:
! 137: end_int_array:
! 138: return len;
! 139: }
! 140:
! 141: /**
! 142: * Get all the RSA private key specifics from an ASN.1 encoded file
! 143: */
! 144: int asn1_get_private_key(const uint8_t *buf, int len, RSA_CTX **rsa_ctx)
! 145: {
! 146: int offset = 7;
! 147: uint8_t *modulus = NULL, *priv_exp = NULL, *pub_exp = NULL;
! 148: int mod_len, priv_len, pub_len;
! 149: #ifdef CONFIG_BIGINT_CRT
! 150: uint8_t *p = NULL, *q = NULL, *dP = NULL, *dQ = NULL, *qInv = NULL;
! 151: int p_len, q_len, dP_len, dQ_len, qInv_len;
! 152: #endif
! 153:
! 154: /* not in der format */
! 155: if (buf[0] != ASN1_SEQUENCE) /* basic sanity check */
! 156: {
! 157: #ifdef CONFIG_SSL_FULL_MODE
! 158: printf("Error: This is not a valid ASN.1 file\n");
! 159: #endif
! 160: return X509_INVALID_PRIV_KEY;
! 161: }
! 162:
! 163: /* Use the private key to mix up the RNG if possible. */
! 164: RNG_custom_init(buf, len);
! 165:
! 166: mod_len = asn1_get_int(buf, &offset, &modulus);
! 167: pub_len = asn1_get_int(buf, &offset, &pub_exp);
! 168: priv_len = asn1_get_int(buf, &offset, &priv_exp);
! 169:
! 170: if (mod_len <= 0 || pub_len <= 0 || priv_len <= 0)
! 171: return X509_INVALID_PRIV_KEY;
! 172:
! 173: #ifdef CONFIG_BIGINT_CRT
! 174: p_len = asn1_get_int(buf, &offset, &p);
! 175: q_len = asn1_get_int(buf, &offset, &q);
! 176: dP_len = asn1_get_int(buf, &offset, &dP);
! 177: dQ_len = asn1_get_int(buf, &offset, &dQ);
! 178: qInv_len = asn1_get_int(buf, &offset, &qInv);
! 179:
! 180: if (p_len <= 0 || q_len <= 0 || dP_len <= 0 || dQ_len <= 0 || qInv_len <= 0)
! 181: return X509_INVALID_PRIV_KEY;
! 182:
! 183: RSA_priv_key_new(rsa_ctx,
! 184: modulus, mod_len, pub_exp, pub_len, priv_exp, priv_len,
! 185: p, p_len, q, p_len, dP, dP_len, dQ, dQ_len, qInv, qInv_len);
! 186:
! 187: free(p);
! 188: free(q);
! 189: free(dP);
! 190: free(dQ);
! 191: free(qInv);
! 192: #else
! 193: RSA_priv_key_new(rsa_ctx,
! 194: modulus, mod_len, pub_exp, pub_len, priv_exp, priv_len);
! 195: #endif
! 196:
! 197: free(modulus);
! 198: free(priv_exp);
! 199: free(pub_exp);
! 200: return X509_OK;
! 201: }
! 202:
! 203: /**
! 204: * Get the time of a certificate. Ignore hours/minutes/seconds.
! 205: */
! 206: static int asn1_get_utc_time(const uint8_t *buf, int *offset, time_t *t)
! 207: {
! 208: int ret = X509_NOT_OK, len, t_offset;
! 209: struct tm tm;
! 210:
! 211: if (buf[(*offset)++] != ASN1_UTC_TIME)
! 212: goto end_utc_time;
! 213:
! 214: len = get_asn1_length(buf, offset);
! 215: t_offset = *offset;
! 216:
! 217: memset(&tm, 0, sizeof(struct tm));
! 218: tm.tm_year = (buf[t_offset] - '0')*10 + (buf[t_offset+1] - '0');
! 219:
! 220: if (tm.tm_year <= 50) /* 1951-2050 thing */
! 221: {
! 222: tm.tm_year += 100;
! 223: }
! 224:
! 225: tm.tm_mon = (buf[t_offset+2] - '0')*10 + (buf[t_offset+3] - '0') - 1;
! 226: tm.tm_mday = (buf[t_offset+4] - '0')*10 + (buf[t_offset+5] - '0');
! 227: *t = mktime(&tm);
! 228: *offset += len;
! 229: ret = X509_OK;
! 230:
! 231: end_utc_time:
! 232: return ret;
! 233: }
! 234:
! 235: /**
! 236: * Get the version type of a certificate (which we don't actually care about)
! 237: */
! 238: int asn1_version(const uint8_t *cert, int *offset, X509_CTX *x509_ctx)
! 239: {
! 240: int ret = X509_NOT_OK;
! 241:
! 242: (*offset) += 2; /* get past explicit tag */
! 243: if (asn1_skip_obj(cert, offset, ASN1_INTEGER))
! 244: goto end_version;
! 245:
! 246: ret = X509_OK;
! 247: end_version:
! 248: return ret;
! 249: }
! 250:
! 251: /**
! 252: * Retrieve the notbefore and notafter certificate times.
! 253: */
! 254: int asn1_validity(const uint8_t *cert, int *offset, X509_CTX *x509_ctx)
! 255: {
! 256: return (asn1_next_obj(cert, offset, ASN1_SEQUENCE) < 0 ||
! 257: asn1_get_utc_time(cert, offset, &x509_ctx->not_before) ||
! 258: asn1_get_utc_time(cert, offset, &x509_ctx->not_after));
! 259: }
! 260:
! 261: /**
! 262: * Get the components of a distinguished name
! 263: */
! 264: static int asn1_get_oid_x520(const uint8_t *buf, int *offset)
! 265: {
! 266: int dn_type = 0;
! 267: int len;
! 268:
! 269: if ((len = asn1_next_obj(buf, offset, ASN1_OID)) < 0)
! 270: goto end_oid;
! 271:
! 272: /* expect a sequence of 2.5.4.[x] where x is a one of distinguished name
! 273: components we are interested in. */
! 274: if (len == 3 && buf[(*offset)++] == 0x55 && buf[(*offset)++] == 0x04)
! 275: dn_type = buf[(*offset)++];
! 276: else
! 277: {
! 278: *offset += len; /* skip over it */
! 279: }
! 280:
! 281: end_oid:
! 282: return dn_type;
! 283: }
! 284:
! 285: /**
! 286: * Obtain an ASN.1 printable string type.
! 287: */
! 288: static int asn1_get_printable_str(const uint8_t *buf, int *offset, char **str)
! 289: {
! 290: int len = X509_NOT_OK;
! 291: int asn1_type = buf[*offset];
! 292:
! 293: /* some certs have this awful crud in them for some reason */
! 294: if (asn1_type != ASN1_PRINTABLE_STR &&
! 295: asn1_type != ASN1_PRINTABLE_STR2 &&
! 296: asn1_type != ASN1_TELETEX_STR &&
! 297: asn1_type != ASN1_IA5_STR &&
! 298: asn1_type != ASN1_UNICODE_STR)
! 299: goto end_pnt_str;
! 300:
! 301: (*offset)++;
! 302: len = get_asn1_length(buf, offset);
! 303:
! 304: if (asn1_type == ASN1_UNICODE_STR)
! 305: {
! 306: int i;
! 307: *str = (char *)malloc(len/2+1); /* allow for null */
! 308:
! 309: for (i = 0; i < len; i += 2)
! 310: (*str)[i/2] = buf[*offset + i + 1];
! 311:
! 312: (*str)[len/2] = 0; /* null terminate */
! 313: }
! 314: else
! 315: {
! 316: *str = (char *)malloc(len+1); /* allow for null */
! 317: memcpy(*str, &buf[*offset], len);
! 318: (*str)[len] = 0; /* null terminate */
! 319: }
! 320:
! 321: *offset += len;
! 322:
! 323: end_pnt_str:
! 324: return len;
! 325: }
! 326:
! 327: /**
! 328: * Get the subject name (or the issuer) of a certificate.
! 329: */
! 330: int asn1_name(const uint8_t *cert, int *offset, char *dn[])
! 331: {
! 332: int ret = X509_NOT_OK;
! 333: int dn_type;
! 334: char *tmp;
! 335:
! 336: if (asn1_next_obj(cert, offset, ASN1_SEQUENCE) < 0)
! 337: goto end_name;
! 338:
! 339: while (asn1_next_obj(cert, offset, ASN1_SET) >= 0)
! 340: {
! 341: int i, found = 0;
! 342:
! 343: if (asn1_next_obj(cert, offset, ASN1_SEQUENCE) < 0 ||
! 344: (dn_type = asn1_get_oid_x520(cert, offset)) < 0)
! 345: goto end_name;
! 346:
! 347: tmp = NULL;
! 348:
! 349: if (asn1_get_printable_str(cert, offset, &tmp) < 0)
! 350: {
! 351: free(tmp);
! 352: goto end_name;
! 353: }
! 354:
! 355: /* find the distinguished named type */
! 356: for (i = 0; i < X509_NUM_DN_TYPES; i++)
! 357: {
! 358: if (dn_type == g_dn_types[i])
! 359: {
! 360: if (dn[i] == NULL)
! 361: {
! 362: dn[i] = tmp;
! 363: found = 1;
! 364: break;
! 365: }
! 366: }
! 367: }
! 368:
! 369: if (found == 0) /* not found so get rid of it */
! 370: {
! 371: free(tmp);
! 372: }
! 373: }
! 374:
! 375: ret = X509_OK;
! 376: end_name:
! 377: return ret;
! 378: }
! 379:
! 380: /**
! 381: * Read the modulus and public exponent of a certificate.
! 382: */
! 383: int asn1_public_key(const uint8_t *cert, int *offset, X509_CTX *x509_ctx)
! 384: {
! 385: int ret = X509_NOT_OK, mod_len, pub_len;
! 386: uint8_t *modulus = NULL, *pub_exp = NULL;
! 387:
! 388: if (asn1_next_obj(cert, offset, ASN1_SEQUENCE) < 0 ||
! 389: asn1_skip_obj(cert, offset, ASN1_SEQUENCE) ||
! 390: asn1_next_obj(cert, offset, ASN1_BIT_STRING) < 0)
! 391: goto end_pub_key;
! 392:
! 393: (*offset)++; /* ignore the padding bit field */
! 394:
! 395: if (asn1_next_obj(cert, offset, ASN1_SEQUENCE) < 0)
! 396: goto end_pub_key;
! 397:
! 398: mod_len = asn1_get_int(cert, offset, &modulus);
! 399: pub_len = asn1_get_int(cert, offset, &pub_exp);
! 400:
! 401: RSA_pub_key_new(&x509_ctx->rsa_ctx, modulus, mod_len, pub_exp, pub_len);
! 402:
! 403: free(modulus);
! 404: free(pub_exp);
! 405: ret = X509_OK;
! 406:
! 407: end_pub_key:
! 408: return ret;
! 409: }
! 410:
! 411: #ifdef CONFIG_SSL_CERT_VERIFICATION
! 412: /**
! 413: * Read the signature of the certificate.
! 414: */
! 415: int asn1_signature(const uint8_t *cert, int *offset, X509_CTX *x509_ctx)
! 416: {
! 417: int ret = X509_NOT_OK;
! 418:
! 419: if (cert[(*offset)++] != ASN1_BIT_STRING)
! 420: goto end_sig;
! 421:
! 422: x509_ctx->sig_len = get_asn1_length(cert, offset)-1;
! 423: (*offset)++; /* ignore bit string padding bits */
! 424: x509_ctx->signature = (uint8_t *)malloc(x509_ctx->sig_len);
! 425: memcpy(x509_ctx->signature, &cert[*offset], x509_ctx->sig_len);
! 426: *offset += x509_ctx->sig_len;
! 427: ret = X509_OK;
! 428:
! 429: end_sig:
! 430: return ret;
! 431: }
! 432:
! 433: /*
! 434: * Compare 2 distinguished name components for equality
! 435: * @return 0 if a match
! 436: */
! 437: static int asn1_compare_dn_comp(const char *dn1, const char *dn2)
! 438: {
! 439: int ret;
! 440:
! 441: if (dn1 == NULL && dn2 == NULL)
! 442: ret = 0;
! 443: else
! 444: ret = (dn1 && dn2) ? strcmp(dn1, dn2) : 1;
! 445:
! 446: return ret;
! 447: }
! 448:
! 449: /**
! 450: * Clean up all of the CA certificates.
! 451: */
! 452: void remove_ca_certs(CA_CERT_CTX *ca_cert_ctx)
! 453: {
! 454: int i = 0;
! 455:
! 456: if (ca_cert_ctx == NULL)
! 457: return;
! 458:
! 459: while (i < CONFIG_X509_MAX_CA_CERTS && ca_cert_ctx->cert[i])
! 460: {
! 461: x509_free(ca_cert_ctx->cert[i]);
! 462: ca_cert_ctx->cert[i++] = NULL;
! 463: }
! 464:
! 465: free(ca_cert_ctx);
! 466: }
! 467:
! 468: /*
! 469: * Compare 2 distinguished names for equality
! 470: * @return 0 if a match
! 471: */
! 472: int asn1_compare_dn(char * const dn1[], char * const dn2[])
! 473: {
! 474: int i;
! 475:
! 476: for (i = 0; i < X509_NUM_DN_TYPES; i++)
! 477: {
! 478: if (asn1_compare_dn_comp(dn1[i], dn2[i]))
! 479: return 1;
! 480: }
! 481:
! 482: return 0; /* all good */
! 483: }
! 484:
! 485: int asn1_find_oid(const uint8_t* cert, int* offset,
! 486: const uint8_t* oid, int oid_length)
! 487: {
! 488: int seqlen;
! 489: if ((seqlen = asn1_next_obj(cert, offset, ASN1_SEQUENCE))> 0)
! 490: {
! 491: int end = *offset + seqlen;
! 492:
! 493: while (*offset < end)
! 494: {
! 495: int type = cert[(*offset)++];
! 496: int length = get_asn1_length(cert, offset);
! 497: int noffset = *offset + length;
! 498:
! 499: if (type == ASN1_SEQUENCE)
! 500: {
! 501: type = cert[(*offset)++];
! 502: length = get_asn1_length(cert, offset);
! 503:
! 504: if (type == ASN1_OID && length == oid_length &&
! 505: memcmp(cert + *offset, oid, oid_length) == 0)
! 506: {
! 507: *offset += oid_length;
! 508: return 1;
! 509: }
! 510: }
! 511:
! 512: *offset = noffset;
! 513: }
! 514: }
! 515:
! 516: return 0;
! 517: }
! 518:
! 519: int asn1_find_subjectaltname(const uint8_t* cert, int offset)
! 520: {
! 521: if (asn1_find_oid(cert, &offset, sig_subject_alt_name,
! 522: SIG_SUBJECT_ALT_NAME_SIZE))
! 523: {
! 524: return offset;
! 525: }
! 526:
! 527: return 0;
! 528: }
! 529:
! 530: #endif /* CONFIG_SSL_CERT_VERIFICATION */
! 531:
! 532: /**
! 533: * Read the signature type of the certificate. We only support RSA-MD5 and
! 534: * RSA-SHA1 signature types.
! 535: */
! 536: int asn1_signature_type(const uint8_t *cert,
! 537: int *offset, X509_CTX *x509_ctx)
! 538: {
! 539: int ret = X509_NOT_OK, len;
! 540:
! 541: if (cert[(*offset)++] != ASN1_OID)
! 542: goto end_check_sig;
! 543:
! 544: len = get_asn1_length(cert, offset);
! 545:
! 546: if (len == 5 && memcmp(sig_sha1WithRSAEncrypt, &cert[*offset],
! 547: SIG_IIS6_OID_SIZE) == 0)
! 548: {
! 549: x509_ctx->sig_type = SIG_TYPE_SHA1;
! 550: }
! 551: else
! 552: {
! 553: if (memcmp(sig_oid_prefix, &cert[*offset], SIG_OID_PREFIX_SIZE))
! 554: goto end_check_sig; /* unrecognised cert type */
! 555:
! 556: x509_ctx->sig_type = cert[*offset + SIG_OID_PREFIX_SIZE];
! 557: }
! 558:
! 559: *offset += len;
! 560: asn1_skip_obj(cert, offset, ASN1_NULL); /* if it's there */
! 561: ret = X509_OK;
! 562:
! 563: end_check_sig:
! 564: return ret;
! 565: }
! 566:
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to asn1.c CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / axTLS / ssl