summaryrefslogtreecommitdiffstats
path: root/security/nss/lib/certdb/secname.c
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--security/nss/lib/certdb/secname.c701
1 files changed, 701 insertions, 0 deletions
diff --git a/security/nss/lib/certdb/secname.c b/security/nss/lib/certdb/secname.c
new file mode 100644
index 0000000000..654dfdf3f0
--- /dev/null
+++ b/security/nss/lib/certdb/secname.c
@@ -0,0 +1,701 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "cert.h"
+#include "secoid.h"
+#include "secder.h" /* XXX remove this when remove the DERTemplates */
+#include "secasn1.h"
+#include "secitem.h"
+#include <stdarg.h>
+#include "secerr.h"
+#include "certi.h"
+
+static const SEC_ASN1Template cert_AVATemplate[] = {
+ { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CERTAVA) },
+ { SEC_ASN1_OBJECT_ID, offsetof(CERTAVA, type) },
+ { SEC_ASN1_ANY, offsetof(CERTAVA, value) },
+ { 0 }
+};
+
+const SEC_ASN1Template CERT_RDNTemplate[] = {
+ { SEC_ASN1_SET_OF, offsetof(CERTRDN, avas), cert_AVATemplate,
+ sizeof(CERTRDN) }
+};
+
+static int
+CountArray(void **array)
+{
+ int count = 0;
+ if (array) {
+ while (*array++) {
+ count++;
+ }
+ }
+ return count;
+}
+
+static void **
+AddToArray(PLArenaPool *arena, void **array, void *element)
+{
+ unsigned count;
+ void **ap;
+
+ /* Count up number of slots already in use in the array */
+ count = 0;
+ ap = array;
+ if (ap) {
+ while (*ap++) {
+ count++;
+ }
+ }
+
+ if (array) {
+ array =
+ (void **)PORT_ArenaGrow(arena, array, (count + 1) * sizeof(void *),
+ (count + 2) * sizeof(void *));
+ } else {
+ array = (void **)PORT_ArenaAlloc(arena, (count + 2) * sizeof(void *));
+ }
+ if (array) {
+ array[count] = element;
+ array[count + 1] = 0;
+ }
+ return array;
+}
+
+SECOidTag
+CERT_GetAVATag(CERTAVA *ava)
+{
+ SECOidData *oid;
+ if (!ava->type.data)
+ return (SECOidTag)-1;
+
+ oid = SECOID_FindOID(&ava->type);
+
+ if (oid) {
+ return (oid->offset);
+ }
+ return (SECOidTag)-1;
+}
+
+static SECStatus
+SetupAVAType(PLArenaPool *arena, SECOidTag type, SECItem *it, unsigned *maxLenp)
+{
+ unsigned char *oid;
+ unsigned oidLen;
+ unsigned char *cp;
+ int maxLen;
+ SECOidData *oidrec;
+
+ oidrec = SECOID_FindOIDByTag(type);
+ if (oidrec == NULL)
+ return SECFailure;
+
+ oid = oidrec->oid.data;
+ oidLen = oidrec->oid.len;
+
+ maxLen = cert_AVAOidTagToMaxLen(type);
+ if (maxLen < 0) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return SECFailure;
+ }
+
+ it->data = cp = (unsigned char *)PORT_ArenaAlloc(arena, oidLen);
+ if (cp == NULL) {
+ return SECFailure;
+ }
+ it->len = oidLen;
+ PORT_Memcpy(cp, oid, oidLen);
+ *maxLenp = (unsigned)maxLen;
+ return SECSuccess;
+}
+
+static SECStatus
+SetupAVAValue(PLArenaPool *arena, int valueType, const SECItem *in,
+ SECItem *out, unsigned maxLen)
+{
+ PRUint8 *value, *cp, *ucs4Val;
+ unsigned valueLen, valueLenLen, total;
+ unsigned ucs4Len = 0, ucs4MaxLen;
+
+ value = in->data;
+ valueLen = in->len;
+ switch (valueType) {
+ case SEC_ASN1_PRINTABLE_STRING:
+ case SEC_ASN1_IA5_STRING:
+ case SEC_ASN1_T61_STRING:
+ case SEC_ASN1_UTF8_STRING: /* no conversion required */
+ break;
+ case SEC_ASN1_UNIVERSAL_STRING:
+ ucs4MaxLen = valueLen * 6;
+ ucs4Val = (PRUint8 *)PORT_ArenaZAlloc(arena, ucs4MaxLen);
+ if (!ucs4Val ||
+ !PORT_UCS4_UTF8Conversion(PR_TRUE, value, valueLen, ucs4Val,
+ ucs4MaxLen, &ucs4Len)) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return SECFailure;
+ }
+ value = ucs4Val;
+ valueLen = ucs4Len;
+ maxLen *= 4;
+ break;
+ default:
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return SECFailure;
+ }
+
+ if (valueLen > maxLen) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return SECFailure;
+ }
+
+ valueLenLen = DER_LengthLength(valueLen);
+ total = 1 + valueLenLen + valueLen;
+ cp = (PRUint8 *)PORT_ArenaAlloc(arena, total);
+ if (!cp) {
+ return SECFailure;
+ }
+ out->data = cp;
+ out->len = total;
+ cp = (PRUint8 *)DER_StoreHeader(cp, valueType, valueLen);
+ PORT_Memcpy(cp, value, valueLen);
+ return SECSuccess;
+}
+
+CERTAVA *
+CERT_CreateAVAFromRaw(PLArenaPool *pool, const SECItem *OID,
+ const SECItem *value)
+{
+ CERTAVA *ava;
+ int rv;
+
+ ava = PORT_ArenaZNew(pool, CERTAVA);
+ if (ava) {
+ rv = SECITEM_CopyItem(pool, &ava->type, OID);
+ if (rv)
+ return NULL;
+
+ rv = SECITEM_CopyItem(pool, &ava->value, value);
+ if (rv)
+ return NULL;
+ }
+ return ava;
+}
+
+CERTAVA *
+CERT_CreateAVAFromSECItem(PLArenaPool *arena, SECOidTag kind, int valueType,
+ SECItem *value)
+{
+ CERTAVA *ava;
+ int rv;
+ unsigned maxLen;
+
+ ava = (CERTAVA *)PORT_ArenaZAlloc(arena, sizeof(CERTAVA));
+ if (ava) {
+ rv = SetupAVAType(arena, kind, &ava->type, &maxLen);
+ if (rv) {
+ /* Illegal AVA type */
+ return NULL;
+ }
+ rv = SetupAVAValue(arena, valueType, value, &ava->value, maxLen);
+ if (rv) {
+ /* Illegal value type */
+ return NULL;
+ }
+ }
+ return ava;
+}
+
+CERTAVA *
+CERT_CreateAVA(PLArenaPool *arena, SECOidTag kind, int valueType, char *value)
+{
+ SECItem item = { siBuffer, NULL, 0 };
+
+ item.data = (PRUint8 *)value;
+ item.len = PORT_Strlen(value);
+
+ return CERT_CreateAVAFromSECItem(arena, kind, valueType, &item);
+}
+
+CERTAVA *
+CERT_CopyAVA(PLArenaPool *arena, CERTAVA *from)
+{
+ CERTAVA *ava;
+ int rv;
+
+ ava = (CERTAVA *)PORT_ArenaZAlloc(arena, sizeof(CERTAVA));
+ if (ava) {
+ rv = SECITEM_CopyItem(arena, &ava->type, &from->type);
+ if (rv)
+ goto loser;
+ rv = SECITEM_CopyItem(arena, &ava->value, &from->value);
+ if (rv)
+ goto loser;
+ }
+ return ava;
+
+loser:
+ return 0;
+}
+
+CERTRDN *
+CERT_CreateRDN(PLArenaPool *arena, CERTAVA *ava0, ...)
+{
+ CERTAVA *ava;
+ CERTRDN *rdn;
+ va_list ap;
+ unsigned count;
+ CERTAVA **avap;
+
+ rdn = (CERTRDN *)PORT_ArenaAlloc(arena, sizeof(CERTRDN));
+ if (rdn) {
+ /* Count number of avas going into the rdn */
+ count = 0;
+ if (ava0) {
+ count++;
+ va_start(ap, ava0);
+ while ((ava = va_arg(ap, CERTAVA *)) != 0) {
+ count++;
+ }
+ va_end(ap);
+ }
+
+ /* Now fill in the pointers */
+ rdn->avas = avap =
+ (CERTAVA **)PORT_ArenaAlloc(arena, (count + 1) * sizeof(CERTAVA *));
+ if (!avap) {
+ return 0;
+ }
+ if (ava0) {
+ *avap++ = ava0;
+ va_start(ap, ava0);
+ while ((ava = va_arg(ap, CERTAVA *)) != 0) {
+ *avap++ = ava;
+ }
+ va_end(ap);
+ }
+ *avap++ = 0;
+ }
+ return rdn;
+}
+
+SECStatus
+CERT_AddAVA(PLArenaPool *arena, CERTRDN *rdn, CERTAVA *ava)
+{
+ rdn->avas = (CERTAVA **)AddToArray(arena, (void **)rdn->avas, ava);
+ return rdn->avas ? SECSuccess : SECFailure;
+}
+
+SECStatus
+CERT_CopyRDN(PLArenaPool *arena, CERTRDN *to, CERTRDN *from)
+{
+ CERTAVA **avas, *fava, *tava;
+ SECStatus rv = SECSuccess;
+
+ /* Copy each ava from from */
+ avas = from->avas;
+ if (avas) {
+ if (avas[0] == NULL) {
+ rv = CERT_AddAVA(arena, to, NULL);
+ return rv;
+ }
+ while ((fava = *avas++) != 0) {
+ tava = CERT_CopyAVA(arena, fava);
+ if (!tava) {
+ rv = SECFailure;
+ break;
+ }
+ rv = CERT_AddAVA(arena, to, tava);
+ if (rv != SECSuccess)
+ break;
+ }
+ }
+ return rv;
+}
+
+/************************************************************************/
+
+const SEC_ASN1Template CERT_NameTemplate[] = {
+ { SEC_ASN1_SEQUENCE_OF, offsetof(CERTName, rdns), CERT_RDNTemplate,
+ sizeof(CERTName) }
+};
+
+SEC_ASN1_CHOOSER_IMPLEMENT(CERT_NameTemplate)
+
+CERTName *
+CERT_CreateName(CERTRDN *rdn0, ...)
+{
+ CERTRDN *rdn;
+ CERTName *name;
+ va_list ap;
+ unsigned count;
+ CERTRDN **rdnp;
+ PLArenaPool *arena;
+
+ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (!arena) {
+ return (0);
+ }
+
+ name = (CERTName *)PORT_ArenaAlloc(arena, sizeof(CERTName));
+ if (name) {
+ name->arena = arena;
+
+ /* Count number of RDNs going into the Name */
+ if (!rdn0) {
+ count = 0;
+ } else {
+ count = 1;
+ va_start(ap, rdn0);
+ while ((rdn = va_arg(ap, CERTRDN *)) != 0) {
+ count++;
+ }
+ va_end(ap);
+ }
+
+ /* Allocate space (including space for terminal null ptr) */
+ name->rdns = rdnp =
+ (CERTRDN **)PORT_ArenaAlloc(arena, (count + 1) * sizeof(CERTRDN *));
+ if (!name->rdns) {
+ goto loser;
+ }
+
+ /* Now fill in the pointers */
+ if (count > 0) {
+ *rdnp++ = rdn0;
+ va_start(ap, rdn0);
+ while ((rdn = va_arg(ap, CERTRDN *)) != 0) {
+ *rdnp++ = rdn;
+ }
+ va_end(ap);
+ }
+
+ /* null terminate the list */
+ *rdnp++ = 0;
+ }
+ return name;
+
+loser:
+ PORT_FreeArena(arena, PR_FALSE);
+ return (0);
+}
+
+void
+CERT_DestroyName(CERTName *name)
+{
+ if (name) {
+ PLArenaPool *arena = name->arena;
+ name->rdns = NULL;
+ name->arena = NULL;
+ if (arena)
+ PORT_FreeArena(arena, PR_FALSE);
+ }
+}
+
+SECStatus
+CERT_AddRDN(CERTName *name, CERTRDN *rdn)
+{
+ name->rdns = (CERTRDN **)AddToArray(name->arena, (void **)name->rdns, rdn);
+ return name->rdns ? SECSuccess : SECFailure;
+}
+
+SECStatus
+CERT_CopyName(PLArenaPool *arena, CERTName *to, const CERTName *from)
+{
+ CERTRDN **rdns, *frdn, *trdn;
+ SECStatus rv = SECSuccess;
+
+ if (!to || !from) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return SECFailure;
+ }
+
+ CERT_DestroyName(to);
+ to->arena = arena;
+
+ /* Copy each rdn from from */
+ rdns = from->rdns;
+ if (rdns) {
+ if (rdns[0] == NULL) {
+ rv = CERT_AddRDN(to, NULL);
+ return rv;
+ }
+ while ((frdn = *rdns++) != NULL) {
+ trdn = CERT_CreateRDN(arena, NULL);
+ if (!trdn) {
+ rv = SECFailure;
+ break;
+ }
+ rv = CERT_CopyRDN(arena, trdn, frdn);
+ if (rv != SECSuccess)
+ break;
+ rv = CERT_AddRDN(to, trdn);
+ if (rv != SECSuccess)
+ break;
+ }
+ }
+ return rv;
+}
+
+/************************************************************************/
+
+static void
+canonicalize(SECItem *foo)
+{
+ int ch, lastch, len, src, dest;
+
+ /* strip trailing whitespace. */
+ len = foo->len;
+ while (len > 0 && ((ch = foo->data[len - 1]) == ' ' || ch == '\t' ||
+ ch == '\r' || ch == '\n')) {
+ len--;
+ }
+
+ src = 0;
+ /* strip leading whitespace. */
+ while (src < len && ((ch = foo->data[src]) == ' ' || ch == '\t' ||
+ ch == '\r' || ch == '\n')) {
+ src++;
+ }
+ dest = 0;
+ lastch = ' ';
+ while (src < len) {
+ ch = foo->data[src++];
+ if (ch == ' ' || ch == '\t' || ch == '\r' || ch == '\n') {
+ ch = ' ';
+ if (ch == lastch)
+ continue;
+ } else if (ch >= 'A' && ch <= 'Z') {
+ ch |= 0x20; /* downshift */
+ }
+ foo->data[dest++] = lastch = ch;
+ }
+ foo->len = dest;
+}
+
+/* SECItems a and b contain DER-encoded printable strings. */
+SECComparison
+CERT_CompareDERPrintableStrings(const SECItem *a, const SECItem *b)
+{
+ SECComparison rv = SECLessThan;
+ SECItem *aVal = CERT_DecodeAVAValue(a);
+ SECItem *bVal = CERT_DecodeAVAValue(b);
+
+ if (aVal && aVal->len && aVal->data && bVal && bVal->len && bVal->data) {
+ canonicalize(aVal);
+ canonicalize(bVal);
+ rv = SECITEM_CompareItem(aVal, bVal);
+ }
+ SECITEM_FreeItem(aVal, PR_TRUE);
+ SECITEM_FreeItem(bVal, PR_TRUE);
+ return rv;
+}
+
+SECComparison
+CERT_CompareAVA(const CERTAVA *a, const CERTAVA *b)
+{
+ SECComparison rv;
+
+ rv = SECITEM_CompareItem(&a->type, &b->type);
+ if (SECEqual != rv)
+ return rv; /* Attribute types don't match. */
+ /* Let's be optimistic. Maybe the values will just compare equal. */
+ rv = SECITEM_CompareItem(&a->value, &b->value);
+ if (SECEqual == rv)
+ return rv; /* values compared exactly. */
+ if (a->value.len && a->value.data && b->value.len && b->value.data) {
+ /* Here, the values did not match.
+ ** If the values had different encodings, convert them to the same
+ ** encoding and compare that way.
+ */
+ if (a->value.data[0] != b->value.data[0]) {
+ /* encodings differ. Convert both to UTF-8 and compare. */
+ SECItem *aVal = CERT_DecodeAVAValue(&a->value);
+ SECItem *bVal = CERT_DecodeAVAValue(&b->value);
+ if (aVal && aVal->len && aVal->data && bVal && bVal->len &&
+ bVal->data) {
+ rv = SECITEM_CompareItem(aVal, bVal);
+ }
+ SECITEM_FreeItem(aVal, PR_TRUE);
+ SECITEM_FreeItem(bVal, PR_TRUE);
+ } else if (a->value.data[0] == 0x13) { /* both are printable strings. */
+ /* printable strings */
+ rv = CERT_CompareDERPrintableStrings(&a->value, &b->value);
+ }
+ }
+ return rv;
+}
+
+SECComparison
+CERT_CompareRDN(const CERTRDN *a, const CERTRDN *b)
+{
+ CERTAVA **aavas, *aava;
+ CERTAVA **bavas, *bava;
+ int ac, bc;
+ SECComparison rv = SECEqual;
+
+ aavas = a->avas;
+ bavas = b->avas;
+
+ /*
+ ** Make sure array of ava's are the same length. If not, then we are
+ ** not equal
+ */
+ ac = CountArray((void **)aavas);
+ bc = CountArray((void **)bavas);
+ if (ac < bc)
+ return SECLessThan;
+ if (ac > bc)
+ return SECGreaterThan;
+
+ while (NULL != (aava = *aavas++)) {
+ for (bavas = b->avas; NULL != (bava = *bavas++);) {
+ rv = SECITEM_CompareItem(&aava->type, &bava->type);
+ if (SECEqual == rv) {
+ rv = CERT_CompareAVA(aava, bava);
+ if (SECEqual != rv)
+ return rv;
+ break;
+ }
+ }
+ if (!bava) /* didn't find a match */
+ return SECGreaterThan;
+ }
+ return rv;
+}
+
+SECComparison
+CERT_CompareName(const CERTName *a, const CERTName *b)
+{
+ CERTRDN **ardns;
+ CERTRDN **brdns;
+ int ac, bc;
+ SECComparison rv = SECEqual;
+
+ ardns = a->rdns;
+ brdns = b->rdns;
+
+ /*
+ ** Make sure array of rdn's are the same length. If not, then we are
+ ** not equal
+ */
+ ac = CountArray((void **)ardns);
+ bc = CountArray((void **)brdns);
+ if (ac < bc)
+ return SECLessThan;
+ if (ac > bc)
+ return SECGreaterThan;
+
+ while (rv == SECEqual && *ardns) {
+ rv = CERT_CompareRDN(*ardns++, *brdns++);
+ }
+ return rv;
+}
+
+/* Moved from certhtml.c */
+SECItem *
+CERT_DecodeAVAValue(const SECItem *derAVAValue)
+{
+ SECItem *retItem;
+ const SEC_ASN1Template *theTemplate = NULL;
+ enum { conv_none,
+ conv_ucs4,
+ conv_ucs2,
+ conv_iso88591 } convert = conv_none;
+ SECItem avaValue = { siBuffer, 0 };
+ PORTCheapArenaPool tmpArena;
+
+ if (!derAVAValue || !derAVAValue->len || !derAVAValue->data) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return NULL;
+ }
+
+ switch (derAVAValue->data[0]) {
+ case SEC_ASN1_UNIVERSAL_STRING:
+ convert = conv_ucs4;
+ theTemplate = SEC_ASN1_GET(SEC_UniversalStringTemplate);
+ break;
+ case SEC_ASN1_IA5_STRING:
+ theTemplate = SEC_ASN1_GET(SEC_IA5StringTemplate);
+ break;
+ case SEC_ASN1_PRINTABLE_STRING:
+ theTemplate = SEC_ASN1_GET(SEC_PrintableStringTemplate);
+ break;
+ case SEC_ASN1_T61_STRING:
+ /*
+ * Per common practice, we're not decoding actual T.61, but instead
+ * treating T61-labeled strings as containing ISO-8859-1.
+ */
+ convert = conv_iso88591;
+ theTemplate = SEC_ASN1_GET(SEC_T61StringTemplate);
+ break;
+ case SEC_ASN1_BMP_STRING:
+ convert = conv_ucs2;
+ theTemplate = SEC_ASN1_GET(SEC_BMPStringTemplate);
+ break;
+ case SEC_ASN1_UTF8_STRING:
+ /* No conversion needed ! */
+ theTemplate = SEC_ASN1_GET(SEC_UTF8StringTemplate);
+ break;
+ default:
+ PORT_SetError(SEC_ERROR_INVALID_AVA);
+ return NULL;
+ }
+
+ PORT_Memset(&avaValue, 0, sizeof(SECItem));
+ PORT_InitCheapArena(&tmpArena, DER_DEFAULT_CHUNKSIZE);
+ if (SEC_QuickDERDecodeItem(&tmpArena.arena, &avaValue, theTemplate,
+ derAVAValue) != SECSuccess) {
+ PORT_DestroyCheapArena(&tmpArena);
+ return NULL;
+ }
+
+ if (convert != conv_none) {
+ unsigned int utf8ValLen = avaValue.len * 3;
+ unsigned char *utf8Val =
+ (unsigned char *)PORT_ArenaZAlloc(&tmpArena.arena, utf8ValLen);
+
+ switch (convert) {
+ case conv_ucs4:
+ if (avaValue.len % 4 != 0 ||
+ !PORT_UCS4_UTF8Conversion(PR_FALSE, avaValue.data,
+ avaValue.len, utf8Val, utf8ValLen,
+ &utf8ValLen)) {
+ PORT_DestroyCheapArena(&tmpArena);
+ PORT_SetError(SEC_ERROR_INVALID_AVA);
+ return NULL;
+ }
+ break;
+ case conv_ucs2:
+ if (avaValue.len % 2 != 0 ||
+ !PORT_UCS2_UTF8Conversion(PR_FALSE, avaValue.data,
+ avaValue.len, utf8Val, utf8ValLen,
+ &utf8ValLen)) {
+ PORT_DestroyCheapArena(&tmpArena);
+ PORT_SetError(SEC_ERROR_INVALID_AVA);
+ return NULL;
+ }
+ break;
+ case conv_iso88591:
+ if (!PORT_ISO88591_UTF8Conversion(avaValue.data, avaValue.len,
+ utf8Val, utf8ValLen,
+ &utf8ValLen)) {
+ PORT_DestroyCheapArena(&tmpArena);
+ PORT_SetError(SEC_ERROR_INVALID_AVA);
+ return NULL;
+ }
+ break;
+ case conv_none:
+ PORT_Assert(0); /* not reached */
+ break;
+ }
+
+ avaValue.data = utf8Val;
+ avaValue.len = utf8ValLen;
+ }
+
+ retItem = SECITEM_DupItem(&avaValue);
+ PORT_DestroyCheapArena(&tmpArena);
+ return retItem;
+}