/* This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ #include "cert.h" #include "secoid.h" #include "secder.h" /* XXX remove this when remove the DERTemplates */ #include "secasn1.h" #include "secitem.h" #include #include "secerr.h" #include "certi.h" static const SEC_ASN1Template cert_AVATemplate[] = { { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CERTAVA) }, { SEC_ASN1_OBJECT_ID, offsetof(CERTAVA, type) }, { SEC_ASN1_ANY, offsetof(CERTAVA, value) }, { 0 } }; const SEC_ASN1Template CERT_RDNTemplate[] = { { SEC_ASN1_SET_OF, offsetof(CERTRDN, avas), cert_AVATemplate, sizeof(CERTRDN) } }; static int CountArray(void **array) { int count = 0; if (array) { while (*array++) { count++; } } return count; } static void ** AddToArray(PLArenaPool *arena, void **array, void *element) { unsigned count; void **ap; /* Count up number of slots already in use in the array */ count = 0; ap = array; if (ap) { while (*ap++) { count++; } } if (array) { array = (void **)PORT_ArenaGrow(arena, array, (count + 1) * sizeof(void *), (count + 2) * sizeof(void *)); } else { array = (void **)PORT_ArenaAlloc(arena, (count + 2) * sizeof(void *)); } if (array) { array[count] = element; array[count + 1] = 0; } return array; } SECOidTag CERT_GetAVATag(CERTAVA *ava) { SECOidData *oid; if (!ava->type.data) return (SECOidTag)-1; oid = SECOID_FindOID(&ava->type); if (oid) { return (oid->offset); } return (SECOidTag)-1; } static SECStatus SetupAVAType(PLArenaPool *arena, SECOidTag type, SECItem *it, unsigned *maxLenp) { unsigned char *oid; unsigned oidLen; unsigned char *cp; int maxLen; SECOidData *oidrec; oidrec = SECOID_FindOIDByTag(type); if (oidrec == NULL) return SECFailure; oid = oidrec->oid.data; oidLen = oidrec->oid.len; maxLen = cert_AVAOidTagToMaxLen(type); if (maxLen < 0) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } it->data = cp = (unsigned char *)PORT_ArenaAlloc(arena, oidLen); if (cp == NULL) { return SECFailure; } it->len = oidLen; PORT_Memcpy(cp, oid, oidLen); *maxLenp = (unsigned)maxLen; return SECSuccess; } static SECStatus SetupAVAValue(PLArenaPool *arena, int valueType, const SECItem *in, SECItem *out, unsigned maxLen) { PRUint8 *value, *cp, *ucs4Val; unsigned valueLen, valueLenLen, total; unsigned ucs4Len = 0, ucs4MaxLen; value = in->data; valueLen = in->len; switch (valueType) { case SEC_ASN1_PRINTABLE_STRING: case SEC_ASN1_IA5_STRING: case SEC_ASN1_T61_STRING: case SEC_ASN1_UTF8_STRING: /* no conversion required */ break; case SEC_ASN1_UNIVERSAL_STRING: ucs4MaxLen = valueLen * 6; ucs4Val = (PRUint8 *)PORT_ArenaZAlloc(arena, ucs4MaxLen); if (!ucs4Val || !PORT_UCS4_UTF8Conversion(PR_TRUE, value, valueLen, ucs4Val, ucs4MaxLen, &ucs4Len)) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } value = ucs4Val; valueLen = ucs4Len; maxLen *= 4; break; default: PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } if (valueLen > maxLen) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } valueLenLen = DER_LengthLength(valueLen); total = 1 + valueLenLen + valueLen; cp = (PRUint8 *)PORT_ArenaAlloc(arena, total); if (!cp) { return SECFailure; } out->data = cp; out->len = total; cp = (PRUint8 *)DER_StoreHeader(cp, valueType, valueLen); PORT_Memcpy(cp, value, valueLen); return SECSuccess; } CERTAVA * CERT_CreateAVAFromRaw(PLArenaPool *pool, const SECItem *OID, const SECItem *value) { CERTAVA *ava; int rv; ava = PORT_ArenaZNew(pool, CERTAVA); if (ava) { rv = SECITEM_CopyItem(pool, &ava->type, OID); if (rv) return NULL; rv = SECITEM_CopyItem(pool, &ava->value, value); if (rv) return NULL; } return ava; } CERTAVA * CERT_CreateAVAFromSECItem(PLArenaPool *arena, SECOidTag kind, int valueType, SECItem *value) { CERTAVA *ava; int rv; unsigned maxLen; ava = (CERTAVA *)PORT_ArenaZAlloc(arena, sizeof(CERTAVA)); if (ava) { rv = SetupAVAType(arena, kind, &ava->type, &maxLen); if (rv) { /* Illegal AVA type */ return NULL; } rv = SetupAVAValue(arena, valueType, value, &ava->value, maxLen); if (rv) { /* Illegal value type */ return NULL; } } return ava; } CERTAVA * CERT_CreateAVA(PLArenaPool *arena, SECOidTag kind, int valueType, char *value) { SECItem item = { siBuffer, NULL, 0 }; item.data = (PRUint8 *)value; item.len = PORT_Strlen(value); return CERT_CreateAVAFromSECItem(arena, kind, valueType, &item); } CERTAVA * CERT_CopyAVA(PLArenaPool *arena, CERTAVA *from) { CERTAVA *ava; int rv; ava = (CERTAVA *)PORT_ArenaZAlloc(arena, sizeof(CERTAVA)); if (ava) { rv = SECITEM_CopyItem(arena, &ava->type, &from->type); if (rv) goto loser; rv = SECITEM_CopyItem(arena, &ava->value, &from->value); if (rv) goto loser; } return ava; loser: return 0; } CERTRDN * CERT_CreateRDN(PLArenaPool *arena, CERTAVA *ava0, ...) { CERTAVA *ava; CERTRDN *rdn; va_list ap; unsigned count; CERTAVA **avap; rdn = (CERTRDN *)PORT_ArenaAlloc(arena, sizeof(CERTRDN)); if (rdn) { /* Count number of avas going into the rdn */ count = 0; if (ava0) { count++; va_start(ap, ava0); while ((ava = va_arg(ap, CERTAVA *)) != 0) { count++; } va_end(ap); } /* Now fill in the pointers */ rdn->avas = avap = (CERTAVA **)PORT_ArenaAlloc(arena, (count + 1) * sizeof(CERTAVA *)); if (!avap) { return 0; } if (ava0) { *avap++ = ava0; va_start(ap, ava0); while ((ava = va_arg(ap, CERTAVA *)) != 0) { *avap++ = ava; } va_end(ap); } *avap++ = 0; } return rdn; } SECStatus CERT_AddAVA(PLArenaPool *arena, CERTRDN *rdn, CERTAVA *ava) { rdn->avas = (CERTAVA **)AddToArray(arena, (void **)rdn->avas, ava); return rdn->avas ? SECSuccess : SECFailure; } SECStatus CERT_CopyRDN(PLArenaPool *arena, CERTRDN *to, CERTRDN *from) { CERTAVA **avas, *fava, *tava; SECStatus rv = SECSuccess; /* Copy each ava from from */ avas = from->avas; if (avas) { if (avas[0] == NULL) { rv = CERT_AddAVA(arena, to, NULL); return rv; } while ((fava = *avas++) != 0) { tava = CERT_CopyAVA(arena, fava); if (!tava) { rv = SECFailure; break; } rv = CERT_AddAVA(arena, to, tava); if (rv != SECSuccess) break; } } return rv; } /************************************************************************/ const SEC_ASN1Template CERT_NameTemplate[] = { { SEC_ASN1_SEQUENCE_OF, offsetof(CERTName, rdns), CERT_RDNTemplate, sizeof(CERTName) } }; SEC_ASN1_CHOOSER_IMPLEMENT(CERT_NameTemplate) CERTName * CERT_CreateName(CERTRDN *rdn0, ...) { CERTRDN *rdn; CERTName *name; va_list ap; unsigned count; CERTRDN **rdnp; PLArenaPool *arena; arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); if (!arena) { return (0); } name = (CERTName *)PORT_ArenaAlloc(arena, sizeof(CERTName)); if (name) { name->arena = arena; /* Count number of RDNs going into the Name */ if (!rdn0) { count = 0; } else { count = 1; va_start(ap, rdn0); while ((rdn = va_arg(ap, CERTRDN *)) != 0) { count++; } va_end(ap); } /* Allocate space (including space for terminal null ptr) */ name->rdns = rdnp = (CERTRDN **)PORT_ArenaAlloc(arena, (count + 1) * sizeof(CERTRDN *)); if (!name->rdns) { goto loser; } /* Now fill in the pointers */ if (count > 0) { *rdnp++ = rdn0; va_start(ap, rdn0); while ((rdn = va_arg(ap, CERTRDN *)) != 0) { *rdnp++ = rdn; } va_end(ap); } /* null terminate the list */ *rdnp++ = 0; } return name; loser: PORT_FreeArena(arena, PR_FALSE); return (0); } void CERT_DestroyName(CERTName *name) { if (name) { PLArenaPool *arena = name->arena; name->rdns = NULL; name->arena = NULL; if (arena) PORT_FreeArena(arena, PR_FALSE); } } SECStatus CERT_AddRDN(CERTName *name, CERTRDN *rdn) { name->rdns = (CERTRDN **)AddToArray(name->arena, (void **)name->rdns, rdn); return name->rdns ? SECSuccess : SECFailure; } SECStatus CERT_CopyName(PLArenaPool *arena, CERTName *to, const CERTName *from) { CERTRDN **rdns, *frdn, *trdn; SECStatus rv = SECSuccess; if (!to || !from) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } CERT_DestroyName(to); to->arena = arena; /* Copy each rdn from from */ rdns = from->rdns; if (rdns) { if (rdns[0] == NULL) { rv = CERT_AddRDN(to, NULL); return rv; } while ((frdn = *rdns++) != NULL) { trdn = CERT_CreateRDN(arena, NULL); if (!trdn) { rv = SECFailure; break; } rv = CERT_CopyRDN(arena, trdn, frdn); if (rv != SECSuccess) break; rv = CERT_AddRDN(to, trdn); if (rv != SECSuccess) break; } } return rv; } /************************************************************************/ static void canonicalize(SECItem *foo) { int ch, lastch, len, src, dest; /* strip trailing whitespace. */ len = foo->len; while (len > 0 && ((ch = foo->data[len - 1]) == ' ' || ch == '\t' || ch == '\r' || ch == '\n')) { len--; } src = 0; /* strip leading whitespace. */ while (src < len && ((ch = foo->data[src]) == ' ' || ch == '\t' || ch == '\r' || ch == '\n')) { src++; } dest = 0; lastch = ' '; while (src < len) { ch = foo->data[src++]; if (ch == ' ' || ch == '\t' || ch == '\r' || ch == '\n') { ch = ' '; if (ch == lastch) continue; } else if (ch >= 'A' && ch <= 'Z') { ch |= 0x20; /* downshift */ } foo->data[dest++] = lastch = ch; } foo->len = dest; } /* SECItems a and b contain DER-encoded printable strings. */ SECComparison CERT_CompareDERPrintableStrings(const SECItem *a, const SECItem *b) { SECComparison rv = SECLessThan; SECItem *aVal = CERT_DecodeAVAValue(a); SECItem *bVal = CERT_DecodeAVAValue(b); if (aVal && aVal->len && aVal->data && bVal && bVal->len && bVal->data) { canonicalize(aVal); canonicalize(bVal); rv = SECITEM_CompareItem(aVal, bVal); } SECITEM_FreeItem(aVal, PR_TRUE); SECITEM_FreeItem(bVal, PR_TRUE); return rv; } SECComparison CERT_CompareAVA(const CERTAVA *a, const CERTAVA *b) { SECComparison rv; rv = SECITEM_CompareItem(&a->type, &b->type); if (SECEqual != rv) return rv; /* Attribute types don't match. */ /* Let's be optimistic. Maybe the values will just compare equal. */ rv = SECITEM_CompareItem(&a->value, &b->value); if (SECEqual == rv) return rv; /* values compared exactly. */ if (a->value.len && a->value.data && b->value.len && b->value.data) { /* Here, the values did not match. ** If the values had different encodings, convert them to the same ** encoding and compare that way. */ if (a->value.data[0] != b->value.data[0]) { /* encodings differ. Convert both to UTF-8 and compare. */ SECItem *aVal = CERT_DecodeAVAValue(&a->value); SECItem *bVal = CERT_DecodeAVAValue(&b->value); if (aVal && aVal->len && aVal->data && bVal && bVal->len && bVal->data) { rv = SECITEM_CompareItem(aVal, bVal); } SECITEM_FreeItem(aVal, PR_TRUE); SECITEM_FreeItem(bVal, PR_TRUE); } else if (a->value.data[0] == 0x13) { /* both are printable strings. */ /* printable strings */ rv = CERT_CompareDERPrintableStrings(&a->value, &b->value); } } return rv; } SECComparison CERT_CompareRDN(const CERTRDN *a, const CERTRDN *b) { CERTAVA **aavas, *aava; CERTAVA **bavas, *bava; int ac, bc; SECComparison rv = SECEqual; aavas = a->avas; bavas = b->avas; /* ** Make sure array of ava's are the same length. If not, then we are ** not equal */ ac = CountArray((void **)aavas); bc = CountArray((void **)bavas); if (ac < bc) return SECLessThan; if (ac > bc) return SECGreaterThan; while (NULL != (aava = *aavas++)) { for (bavas = b->avas; NULL != (bava = *bavas++);) { rv = SECITEM_CompareItem(&aava->type, &bava->type); if (SECEqual == rv) { rv = CERT_CompareAVA(aava, bava); if (SECEqual != rv) return rv; break; } } if (!bava) /* didn't find a match */ return SECGreaterThan; } return rv; } SECComparison CERT_CompareName(const CERTName *a, const CERTName *b) { CERTRDN **ardns; CERTRDN **brdns; int ac, bc; SECComparison rv = SECEqual; ardns = a->rdns; brdns = b->rdns; /* ** Make sure array of rdn's are the same length. If not, then we are ** not equal */ ac = CountArray((void **)ardns); bc = CountArray((void **)brdns); if (ac < bc) return SECLessThan; if (ac > bc) return SECGreaterThan; while (rv == SECEqual && *ardns) { rv = CERT_CompareRDN(*ardns++, *brdns++); } return rv; } /* Moved from certhtml.c */ SECItem * CERT_DecodeAVAValue(const SECItem *derAVAValue) { SECItem *retItem; const SEC_ASN1Template *theTemplate = NULL; enum { conv_none, conv_ucs4, conv_ucs2, conv_iso88591 } convert = conv_none; SECItem avaValue = { siBuffer, 0 }; PORTCheapArenaPool tmpArena; if (!derAVAValue || !derAVAValue->len || !derAVAValue->data) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return NULL; } switch (derAVAValue->data[0]) { case SEC_ASN1_UNIVERSAL_STRING: convert = conv_ucs4; theTemplate = SEC_ASN1_GET(SEC_UniversalStringTemplate); break; case SEC_ASN1_IA5_STRING: theTemplate = SEC_ASN1_GET(SEC_IA5StringTemplate); break; case SEC_ASN1_PRINTABLE_STRING: theTemplate = SEC_ASN1_GET(SEC_PrintableStringTemplate); break; case SEC_ASN1_T61_STRING: /* * Per common practice, we're not decoding actual T.61, but instead * treating T61-labeled strings as containing ISO-8859-1. */ convert = conv_iso88591; theTemplate = SEC_ASN1_GET(SEC_T61StringTemplate); break; case SEC_ASN1_BMP_STRING: convert = conv_ucs2; theTemplate = SEC_ASN1_GET(SEC_BMPStringTemplate); break; case SEC_ASN1_UTF8_STRING: /* No conversion needed ! */ theTemplate = SEC_ASN1_GET(SEC_UTF8StringTemplate); break; default: PORT_SetError(SEC_ERROR_INVALID_AVA); return NULL; } PORT_Memset(&avaValue, 0, sizeof(SECItem)); PORT_InitCheapArena(&tmpArena, DER_DEFAULT_CHUNKSIZE); if (SEC_QuickDERDecodeItem(&tmpArena.arena, &avaValue, theTemplate, derAVAValue) != SECSuccess) { PORT_DestroyCheapArena(&tmpArena); return NULL; } if (convert != conv_none) { unsigned int utf8ValLen = avaValue.len * 3; unsigned char *utf8Val = (unsigned char *)PORT_ArenaZAlloc(&tmpArena.arena, utf8ValLen); switch (convert) { case conv_ucs4: if (avaValue.len % 4 != 0 || !PORT_UCS4_UTF8Conversion(PR_FALSE, avaValue.data, avaValue.len, utf8Val, utf8ValLen, &utf8ValLen)) { PORT_DestroyCheapArena(&tmpArena); PORT_SetError(SEC_ERROR_INVALID_AVA); return NULL; } break; case conv_ucs2: if (avaValue.len % 2 != 0 || !PORT_UCS2_UTF8Conversion(PR_FALSE, avaValue.data, avaValue.len, utf8Val, utf8ValLen, &utf8ValLen)) { PORT_DestroyCheapArena(&tmpArena); PORT_SetError(SEC_ERROR_INVALID_AVA); return NULL; } break; case conv_iso88591: if (!PORT_ISO88591_UTF8Conversion(avaValue.data, avaValue.len, utf8Val, utf8ValLen, &utf8ValLen)) { PORT_DestroyCheapArena(&tmpArena); PORT_SetError(SEC_ERROR_INVALID_AVA); return NULL; } break; case conv_none: PORT_Assert(0); /* not reached */ break; } avaValue.data = utf8Val; avaValue.len = utf8ValLen; } retItem = SECITEM_DupItem(&avaValue); PORT_DestroyCheapArena(&tmpArena); return retItem; }