diff options
Diffstat (limited to '')
-rw-r--r-- | security/nss/lib/certdb/secname.c | 701 |
1 files changed, 701 insertions, 0 deletions
diff --git a/security/nss/lib/certdb/secname.c b/security/nss/lib/certdb/secname.c new file mode 100644 index 0000000000..654dfdf3f0 --- /dev/null +++ b/security/nss/lib/certdb/secname.c @@ -0,0 +1,701 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "cert.h" +#include "secoid.h" +#include "secder.h" /* XXX remove this when remove the DERTemplates */ +#include "secasn1.h" +#include "secitem.h" +#include <stdarg.h> +#include "secerr.h" +#include "certi.h" + +static const SEC_ASN1Template cert_AVATemplate[] = { + { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CERTAVA) }, + { SEC_ASN1_OBJECT_ID, offsetof(CERTAVA, type) }, + { SEC_ASN1_ANY, offsetof(CERTAVA, value) }, + { 0 } +}; + +const SEC_ASN1Template CERT_RDNTemplate[] = { + { SEC_ASN1_SET_OF, offsetof(CERTRDN, avas), cert_AVATemplate, + sizeof(CERTRDN) } +}; + +static int +CountArray(void **array) +{ + int count = 0; + if (array) { + while (*array++) { + count++; + } + } + return count; +} + +static void ** +AddToArray(PLArenaPool *arena, void **array, void *element) +{ + unsigned count; + void **ap; + + /* Count up number of slots already in use in the array */ + count = 0; + ap = array; + if (ap) { + while (*ap++) { + count++; + } + } + + if (array) { + array = + (void **)PORT_ArenaGrow(arena, array, (count + 1) * sizeof(void *), + (count + 2) * sizeof(void *)); + } else { + array = (void **)PORT_ArenaAlloc(arena, (count + 2) * sizeof(void *)); + } + if (array) { + array[count] = element; + array[count + 1] = 0; + } + return array; +} + +SECOidTag +CERT_GetAVATag(CERTAVA *ava) +{ + SECOidData *oid; + if (!ava->type.data) + return (SECOidTag)-1; + + oid = SECOID_FindOID(&ava->type); + + if (oid) { + return (oid->offset); + } + return (SECOidTag)-1; +} + +static SECStatus +SetupAVAType(PLArenaPool *arena, SECOidTag type, SECItem *it, unsigned *maxLenp) +{ + unsigned char *oid; + unsigned oidLen; + unsigned char *cp; + int maxLen; + SECOidData *oidrec; + + oidrec = SECOID_FindOIDByTag(type); + if (oidrec == NULL) + return SECFailure; + + oid = oidrec->oid.data; + oidLen = oidrec->oid.len; + + maxLen = cert_AVAOidTagToMaxLen(type); + if (maxLen < 0) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + + it->data = cp = (unsigned char *)PORT_ArenaAlloc(arena, oidLen); + if (cp == NULL) { + return SECFailure; + } + it->len = oidLen; + PORT_Memcpy(cp, oid, oidLen); + *maxLenp = (unsigned)maxLen; + return SECSuccess; +} + +static SECStatus +SetupAVAValue(PLArenaPool *arena, int valueType, const SECItem *in, + SECItem *out, unsigned maxLen) +{ + PRUint8 *value, *cp, *ucs4Val; + unsigned valueLen, valueLenLen, total; + unsigned ucs4Len = 0, ucs4MaxLen; + + value = in->data; + valueLen = in->len; + switch (valueType) { + case SEC_ASN1_PRINTABLE_STRING: + case SEC_ASN1_IA5_STRING: + case SEC_ASN1_T61_STRING: + case SEC_ASN1_UTF8_STRING: /* no conversion required */ + break; + case SEC_ASN1_UNIVERSAL_STRING: + ucs4MaxLen = valueLen * 6; + ucs4Val = (PRUint8 *)PORT_ArenaZAlloc(arena, ucs4MaxLen); + if (!ucs4Val || + !PORT_UCS4_UTF8Conversion(PR_TRUE, value, valueLen, ucs4Val, + ucs4MaxLen, &ucs4Len)) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + value = ucs4Val; + valueLen = ucs4Len; + maxLen *= 4; + break; + default: + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + + if (valueLen > maxLen) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + + valueLenLen = DER_LengthLength(valueLen); + total = 1 + valueLenLen + valueLen; + cp = (PRUint8 *)PORT_ArenaAlloc(arena, total); + if (!cp) { + return SECFailure; + } + out->data = cp; + out->len = total; + cp = (PRUint8 *)DER_StoreHeader(cp, valueType, valueLen); + PORT_Memcpy(cp, value, valueLen); + return SECSuccess; +} + +CERTAVA * +CERT_CreateAVAFromRaw(PLArenaPool *pool, const SECItem *OID, + const SECItem *value) +{ + CERTAVA *ava; + int rv; + + ava = PORT_ArenaZNew(pool, CERTAVA); + if (ava) { + rv = SECITEM_CopyItem(pool, &ava->type, OID); + if (rv) + return NULL; + + rv = SECITEM_CopyItem(pool, &ava->value, value); + if (rv) + return NULL; + } + return ava; +} + +CERTAVA * +CERT_CreateAVAFromSECItem(PLArenaPool *arena, SECOidTag kind, int valueType, + SECItem *value) +{ + CERTAVA *ava; + int rv; + unsigned maxLen; + + ava = (CERTAVA *)PORT_ArenaZAlloc(arena, sizeof(CERTAVA)); + if (ava) { + rv = SetupAVAType(arena, kind, &ava->type, &maxLen); + if (rv) { + /* Illegal AVA type */ + return NULL; + } + rv = SetupAVAValue(arena, valueType, value, &ava->value, maxLen); + if (rv) { + /* Illegal value type */ + return NULL; + } + } + return ava; +} + +CERTAVA * +CERT_CreateAVA(PLArenaPool *arena, SECOidTag kind, int valueType, char *value) +{ + SECItem item = { siBuffer, NULL, 0 }; + + item.data = (PRUint8 *)value; + item.len = PORT_Strlen(value); + + return CERT_CreateAVAFromSECItem(arena, kind, valueType, &item); +} + +CERTAVA * +CERT_CopyAVA(PLArenaPool *arena, CERTAVA *from) +{ + CERTAVA *ava; + int rv; + + ava = (CERTAVA *)PORT_ArenaZAlloc(arena, sizeof(CERTAVA)); + if (ava) { + rv = SECITEM_CopyItem(arena, &ava->type, &from->type); + if (rv) + goto loser; + rv = SECITEM_CopyItem(arena, &ava->value, &from->value); + if (rv) + goto loser; + } + return ava; + +loser: + return 0; +} + +CERTRDN * +CERT_CreateRDN(PLArenaPool *arena, CERTAVA *ava0, ...) +{ + CERTAVA *ava; + CERTRDN *rdn; + va_list ap; + unsigned count; + CERTAVA **avap; + + rdn = (CERTRDN *)PORT_ArenaAlloc(arena, sizeof(CERTRDN)); + if (rdn) { + /* Count number of avas going into the rdn */ + count = 0; + if (ava0) { + count++; + va_start(ap, ava0); + while ((ava = va_arg(ap, CERTAVA *)) != 0) { + count++; + } + va_end(ap); + } + + /* Now fill in the pointers */ + rdn->avas = avap = + (CERTAVA **)PORT_ArenaAlloc(arena, (count + 1) * sizeof(CERTAVA *)); + if (!avap) { + return 0; + } + if (ava0) { + *avap++ = ava0; + va_start(ap, ava0); + while ((ava = va_arg(ap, CERTAVA *)) != 0) { + *avap++ = ava; + } + va_end(ap); + } + *avap++ = 0; + } + return rdn; +} + +SECStatus +CERT_AddAVA(PLArenaPool *arena, CERTRDN *rdn, CERTAVA *ava) +{ + rdn->avas = (CERTAVA **)AddToArray(arena, (void **)rdn->avas, ava); + return rdn->avas ? SECSuccess : SECFailure; +} + +SECStatus +CERT_CopyRDN(PLArenaPool *arena, CERTRDN *to, CERTRDN *from) +{ + CERTAVA **avas, *fava, *tava; + SECStatus rv = SECSuccess; + + /* Copy each ava from from */ + avas = from->avas; + if (avas) { + if (avas[0] == NULL) { + rv = CERT_AddAVA(arena, to, NULL); + return rv; + } + while ((fava = *avas++) != 0) { + tava = CERT_CopyAVA(arena, fava); + if (!tava) { + rv = SECFailure; + break; + } + rv = CERT_AddAVA(arena, to, tava); + if (rv != SECSuccess) + break; + } + } + return rv; +} + +/************************************************************************/ + +const SEC_ASN1Template CERT_NameTemplate[] = { + { SEC_ASN1_SEQUENCE_OF, offsetof(CERTName, rdns), CERT_RDNTemplate, + sizeof(CERTName) } +}; + +SEC_ASN1_CHOOSER_IMPLEMENT(CERT_NameTemplate) + +CERTName * +CERT_CreateName(CERTRDN *rdn0, ...) +{ + CERTRDN *rdn; + CERTName *name; + va_list ap; + unsigned count; + CERTRDN **rdnp; + PLArenaPool *arena; + + arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + if (!arena) { + return (0); + } + + name = (CERTName *)PORT_ArenaAlloc(arena, sizeof(CERTName)); + if (name) { + name->arena = arena; + + /* Count number of RDNs going into the Name */ + if (!rdn0) { + count = 0; + } else { + count = 1; + va_start(ap, rdn0); + while ((rdn = va_arg(ap, CERTRDN *)) != 0) { + count++; + } + va_end(ap); + } + + /* Allocate space (including space for terminal null ptr) */ + name->rdns = rdnp = + (CERTRDN **)PORT_ArenaAlloc(arena, (count + 1) * sizeof(CERTRDN *)); + if (!name->rdns) { + goto loser; + } + + /* Now fill in the pointers */ + if (count > 0) { + *rdnp++ = rdn0; + va_start(ap, rdn0); + while ((rdn = va_arg(ap, CERTRDN *)) != 0) { + *rdnp++ = rdn; + } + va_end(ap); + } + + /* null terminate the list */ + *rdnp++ = 0; + } + return name; + +loser: + PORT_FreeArena(arena, PR_FALSE); + return (0); +} + +void +CERT_DestroyName(CERTName *name) +{ + if (name) { + PLArenaPool *arena = name->arena; + name->rdns = NULL; + name->arena = NULL; + if (arena) + PORT_FreeArena(arena, PR_FALSE); + } +} + +SECStatus +CERT_AddRDN(CERTName *name, CERTRDN *rdn) +{ + name->rdns = (CERTRDN **)AddToArray(name->arena, (void **)name->rdns, rdn); + return name->rdns ? SECSuccess : SECFailure; +} + +SECStatus +CERT_CopyName(PLArenaPool *arena, CERTName *to, const CERTName *from) +{ + CERTRDN **rdns, *frdn, *trdn; + SECStatus rv = SECSuccess; + + if (!to || !from) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + + CERT_DestroyName(to); + to->arena = arena; + + /* Copy each rdn from from */ + rdns = from->rdns; + if (rdns) { + if (rdns[0] == NULL) { + rv = CERT_AddRDN(to, NULL); + return rv; + } + while ((frdn = *rdns++) != NULL) { + trdn = CERT_CreateRDN(arena, NULL); + if (!trdn) { + rv = SECFailure; + break; + } + rv = CERT_CopyRDN(arena, trdn, frdn); + if (rv != SECSuccess) + break; + rv = CERT_AddRDN(to, trdn); + if (rv != SECSuccess) + break; + } + } + return rv; +} + +/************************************************************************/ + +static void +canonicalize(SECItem *foo) +{ + int ch, lastch, len, src, dest; + + /* strip trailing whitespace. */ + len = foo->len; + while (len > 0 && ((ch = foo->data[len - 1]) == ' ' || ch == '\t' || + ch == '\r' || ch == '\n')) { + len--; + } + + src = 0; + /* strip leading whitespace. */ + while (src < len && ((ch = foo->data[src]) == ' ' || ch == '\t' || + ch == '\r' || ch == '\n')) { + src++; + } + dest = 0; + lastch = ' '; + while (src < len) { + ch = foo->data[src++]; + if (ch == ' ' || ch == '\t' || ch == '\r' || ch == '\n') { + ch = ' '; + if (ch == lastch) + continue; + } else if (ch >= 'A' && ch <= 'Z') { + ch |= 0x20; /* downshift */ + } + foo->data[dest++] = lastch = ch; + } + foo->len = dest; +} + +/* SECItems a and b contain DER-encoded printable strings. */ +SECComparison +CERT_CompareDERPrintableStrings(const SECItem *a, const SECItem *b) +{ + SECComparison rv = SECLessThan; + SECItem *aVal = CERT_DecodeAVAValue(a); + SECItem *bVal = CERT_DecodeAVAValue(b); + + if (aVal && aVal->len && aVal->data && bVal && bVal->len && bVal->data) { + canonicalize(aVal); + canonicalize(bVal); + rv = SECITEM_CompareItem(aVal, bVal); + } + SECITEM_FreeItem(aVal, PR_TRUE); + SECITEM_FreeItem(bVal, PR_TRUE); + return rv; +} + +SECComparison +CERT_CompareAVA(const CERTAVA *a, const CERTAVA *b) +{ + SECComparison rv; + + rv = SECITEM_CompareItem(&a->type, &b->type); + if (SECEqual != rv) + return rv; /* Attribute types don't match. */ + /* Let's be optimistic. Maybe the values will just compare equal. */ + rv = SECITEM_CompareItem(&a->value, &b->value); + if (SECEqual == rv) + return rv; /* values compared exactly. */ + if (a->value.len && a->value.data && b->value.len && b->value.data) { + /* Here, the values did not match. + ** If the values had different encodings, convert them to the same + ** encoding and compare that way. + */ + if (a->value.data[0] != b->value.data[0]) { + /* encodings differ. Convert both to UTF-8 and compare. */ + SECItem *aVal = CERT_DecodeAVAValue(&a->value); + SECItem *bVal = CERT_DecodeAVAValue(&b->value); + if (aVal && aVal->len && aVal->data && bVal && bVal->len && + bVal->data) { + rv = SECITEM_CompareItem(aVal, bVal); + } + SECITEM_FreeItem(aVal, PR_TRUE); + SECITEM_FreeItem(bVal, PR_TRUE); + } else if (a->value.data[0] == 0x13) { /* both are printable strings. */ + /* printable strings */ + rv = CERT_CompareDERPrintableStrings(&a->value, &b->value); + } + } + return rv; +} + +SECComparison +CERT_CompareRDN(const CERTRDN *a, const CERTRDN *b) +{ + CERTAVA **aavas, *aava; + CERTAVA **bavas, *bava; + int ac, bc; + SECComparison rv = SECEqual; + + aavas = a->avas; + bavas = b->avas; + + /* + ** Make sure array of ava's are the same length. If not, then we are + ** not equal + */ + ac = CountArray((void **)aavas); + bc = CountArray((void **)bavas); + if (ac < bc) + return SECLessThan; + if (ac > bc) + return SECGreaterThan; + + while (NULL != (aava = *aavas++)) { + for (bavas = b->avas; NULL != (bava = *bavas++);) { + rv = SECITEM_CompareItem(&aava->type, &bava->type); + if (SECEqual == rv) { + rv = CERT_CompareAVA(aava, bava); + if (SECEqual != rv) + return rv; + break; + } + } + if (!bava) /* didn't find a match */ + return SECGreaterThan; + } + return rv; +} + +SECComparison +CERT_CompareName(const CERTName *a, const CERTName *b) +{ + CERTRDN **ardns; + CERTRDN **brdns; + int ac, bc; + SECComparison rv = SECEqual; + + ardns = a->rdns; + brdns = b->rdns; + + /* + ** Make sure array of rdn's are the same length. If not, then we are + ** not equal + */ + ac = CountArray((void **)ardns); + bc = CountArray((void **)brdns); + if (ac < bc) + return SECLessThan; + if (ac > bc) + return SECGreaterThan; + + while (rv == SECEqual && *ardns) { + rv = CERT_CompareRDN(*ardns++, *brdns++); + } + return rv; +} + +/* Moved from certhtml.c */ +SECItem * +CERT_DecodeAVAValue(const SECItem *derAVAValue) +{ + SECItem *retItem; + const SEC_ASN1Template *theTemplate = NULL; + enum { conv_none, + conv_ucs4, + conv_ucs2, + conv_iso88591 } convert = conv_none; + SECItem avaValue = { siBuffer, 0 }; + PORTCheapArenaPool tmpArena; + + if (!derAVAValue || !derAVAValue->len || !derAVAValue->data) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return NULL; + } + + switch (derAVAValue->data[0]) { + case SEC_ASN1_UNIVERSAL_STRING: + convert = conv_ucs4; + theTemplate = SEC_ASN1_GET(SEC_UniversalStringTemplate); + break; + case SEC_ASN1_IA5_STRING: + theTemplate = SEC_ASN1_GET(SEC_IA5StringTemplate); + break; + case SEC_ASN1_PRINTABLE_STRING: + theTemplate = SEC_ASN1_GET(SEC_PrintableStringTemplate); + break; + case SEC_ASN1_T61_STRING: + /* + * Per common practice, we're not decoding actual T.61, but instead + * treating T61-labeled strings as containing ISO-8859-1. + */ + convert = conv_iso88591; + theTemplate = SEC_ASN1_GET(SEC_T61StringTemplate); + break; + case SEC_ASN1_BMP_STRING: + convert = conv_ucs2; + theTemplate = SEC_ASN1_GET(SEC_BMPStringTemplate); + break; + case SEC_ASN1_UTF8_STRING: + /* No conversion needed ! */ + theTemplate = SEC_ASN1_GET(SEC_UTF8StringTemplate); + break; + default: + PORT_SetError(SEC_ERROR_INVALID_AVA); + return NULL; + } + + PORT_Memset(&avaValue, 0, sizeof(SECItem)); + PORT_InitCheapArena(&tmpArena, DER_DEFAULT_CHUNKSIZE); + if (SEC_QuickDERDecodeItem(&tmpArena.arena, &avaValue, theTemplate, + derAVAValue) != SECSuccess) { + PORT_DestroyCheapArena(&tmpArena); + return NULL; + } + + if (convert != conv_none) { + unsigned int utf8ValLen = avaValue.len * 3; + unsigned char *utf8Val = + (unsigned char *)PORT_ArenaZAlloc(&tmpArena.arena, utf8ValLen); + + switch (convert) { + case conv_ucs4: + if (avaValue.len % 4 != 0 || + !PORT_UCS4_UTF8Conversion(PR_FALSE, avaValue.data, + avaValue.len, utf8Val, utf8ValLen, + &utf8ValLen)) { + PORT_DestroyCheapArena(&tmpArena); + PORT_SetError(SEC_ERROR_INVALID_AVA); + return NULL; + } + break; + case conv_ucs2: + if (avaValue.len % 2 != 0 || + !PORT_UCS2_UTF8Conversion(PR_FALSE, avaValue.data, + avaValue.len, utf8Val, utf8ValLen, + &utf8ValLen)) { + PORT_DestroyCheapArena(&tmpArena); + PORT_SetError(SEC_ERROR_INVALID_AVA); + return NULL; + } + break; + case conv_iso88591: + if (!PORT_ISO88591_UTF8Conversion(avaValue.data, avaValue.len, + utf8Val, utf8ValLen, + &utf8ValLen)) { + PORT_DestroyCheapArena(&tmpArena); + PORT_SetError(SEC_ERROR_INVALID_AVA); + return NULL; + } + break; + case conv_none: + PORT_Assert(0); /* not reached */ + break; + } + + avaValue.data = utf8Val; + avaValue.len = utf8ValLen; + } + + retItem = SECITEM_DupItem(&avaValue); + PORT_DestroyCheapArena(&tmpArena); + return retItem; +} |