diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-10 20:34:10 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-10 20:34:10 +0000 |
commit | e4ba6dbc3f1e76890b22773807ea37fe8fa2b1bc (patch) | |
tree | 68cb5ef9081156392f1dd62a00c6ccc1451b93df /epan/dissectors/asn1/x509af | |
parent | Initial commit. (diff) | |
download | wireshark-e4ba6dbc3f1e76890b22773807ea37fe8fa2b1bc.tar.xz wireshark-e4ba6dbc3f1e76890b22773807ea37fe8fa2b1bc.zip |
Adding upstream version 4.2.2.upstream/4.2.2
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'epan/dissectors/asn1/x509af')
-rw-r--r-- | epan/dissectors/asn1/x509af/AuthenticationFramework.asn | 287 | ||||
-rw-r--r-- | epan/dissectors/asn1/x509af/CMakeLists.txt | 45 | ||||
-rw-r--r-- | epan/dissectors/asn1/x509af/packet-x509af-template.c | 194 | ||||
-rw-r--r-- | epan/dissectors/asn1/x509af/packet-x509af-template.h | 20 | ||||
-rw-r--r-- | epan/dissectors/asn1/x509af/x509af.cnf | 176 |
5 files changed, 722 insertions, 0 deletions
diff --git a/epan/dissectors/asn1/x509af/AuthenticationFramework.asn b/epan/dissectors/asn1/x509af/AuthenticationFramework.asn new file mode 100644 index 00000000..a978e122 --- /dev/null +++ b/epan/dissectors/asn1/x509af/AuthenticationFramework.asn @@ -0,0 +1,287 @@ +-- Module AuthenticationFramework (X.509:08/1997) + +AuthenticationFramework {joint-iso-itu-t ds(5) module(1) + authenticationFramework(7) 3} DEFINITIONS ::= +BEGIN + +-- EXPORTS All +-- The types and values defined in this module are exported for use in the other ASN.1 modules contained +-- within the Directory Specifications, and for the use of other applications which will use them to access +-- Directory services. Other applications may use them for their own purposes, but this will not constrain +-- extensions and modifications needed to maintain or improve the Directory service. +IMPORTS + id-at, id-mr, informationFramework, upperBounds, selectedAttributeTypes, + basicAccessControl, certificateExtensions + FROM UsefulDefinitions {joint-iso-itu-t ds(5) module(1) + usefulDefinitions(0) 3} + Name, ATTRIBUTE, AttributeType, MATCHING-RULE, Attribute, RDNSequence + FROM InformationFramework informationFramework + ub-user-password + FROM UpperBounds upperBounds + AuthenticationLevel + FROM BasicAccessControl basicAccessControl + UniqueIdentifier, octetStringMatch + FROM SelectedAttributeTypes selectedAttributeTypes + certificateExactMatch, certificatePairExactMatch, certificateListExactMatch, + GeneralNames + FROM CertificateExtensions certificateExtensions; + +-- basic certificate definition +Certificate ::= SEQUENCE { + signedCertificate SEQUENCE { + version [0] Version DEFAULT v1, + serialNumber CertificateSerialNumber, + signature AlgorithmIdentifier, + issuer Name, + validity Validity, + subject SubjectName, + subjectPublicKeyInfo SubjectPublicKeyInfo, + issuerUniqueIdentifier [1] IMPLICIT UniqueIdentifier OPTIONAL, + -- if present, version must be v2 or v3 + subjectUniqueIdentifier [2] IMPLICIT UniqueIdentifier OPTIONAL, + -- if present, version must be v2 or v3 + extensions [3] Extensions OPTIONAL + -- If present, version must be v3 -- }, + algorithmIdentifier AlgorithmIdentifier, + encrypted BIT STRING +} + +-- imported to allow labelling +SubjectName ::= CHOICE { + rdnSequence RDNSequence +} + +Version ::= INTEGER {v1(0), v2(1), v3(2)} + +CertificateSerialNumber ::= INTEGER + +AlgorithmIdentifier ::= SEQUENCE { + algorithmId OBJECT IDENTIFIER, + parameters ANY OPTIONAL +} + +-- Definition of the following information object set is deferred, perhaps to standardized +-- profiles or to protocol implementation conformance statements. The set is required to +-- specify a table constraint on the parameters component of AlgorithmIdentifier. +--SupportedAlgorithms ALGORITHM ::= +--{...} + +Validity ::= SEQUENCE {notBefore Time, + notAfter Time +} + +SubjectPublicKeyInfo ::= SEQUENCE { + algorithm AlgorithmIdentifier, + subjectPublicKey BIT STRING +} + +Time ::= CHOICE {utcTime UTCTime, + generalizedTime GeneralizedTime +} + +Extensions ::= SEQUENCE OF Extension + +-- For those extensions where ordering of individual extensions within the SEQUENCE is significant, the +-- specification of those individual extensions shall include the rules for the significance of the order therein +Extension ::= SEQUENCE { + extnId OBJECT IDENTIFIER, + critical BOOLEAN OPTIONAL, + extnValue OCTET STRING +-- contains a DER encoding of a value of type &ExtnType +-- for the extension object identified by extnId +} + +--ExtensionSet EXTENSION ::= +-- {...} + +EXTENSION ::= CLASS {&id OBJECT IDENTIFIER UNIQUE, + &ExtnType +}WITH SYNTAX {SYNTAX &ExtnType + IDENTIFIED BY &id +} + +-- other certificate constructs +Certificates ::= SEQUENCE { + userCertificate Certificate, + certificationPath ForwardCertificationPath OPTIONAL +} + +ForwardCertificationPath ::= SEQUENCE OF CrossCertificates + +CrossCertificates ::= SET OF Certificate + +CertificationPath ::= SEQUENCE { + userCertificate Certificate, + theCACertificates SEQUENCE OF CertificatePair OPTIONAL +} + +CertificatePair ::= SEQUENCE { + issuedByThisCA [0] Certificate OPTIONAL, + issuedToThisCA [1] Certificate OPTIONAL + -- at least one of the pair shall be present +} + +-- Certificate Revocation List (CRL) +CertificateList ::= SEQUENCE { + signedCertificateList SEQUENCE { + version Version OPTIONAL, + -- if present, version must be v2 + signature AlgorithmIdentifier, + issuer Name, + thisUpdate Time, + nextUpdate Time OPTIONAL, + revokedCertificates + SEQUENCE OF + SEQUENCE {userCertificate CertificateSerialNumber, + revocationDate Time, + crlEntryExtensions Extensions OPTIONAL} OPTIONAL, + crlExtensions [0] Extensions OPTIONAL}, + algorithmIdentifier AlgorithmIdentifier, + encrypted BIT STRING +} + +-- attribute certificate +AttributeCertificationPath ::= SEQUENCE { + attributeCertificate AttributeCertificate, + acPath SEQUENCE OF ACPathData OPTIONAL +} + +ACPathData ::= SEQUENCE { + certificate [0] Certificate OPTIONAL, + attributeCertificate [1] AttributeCertificate OPTIONAL +} + +--attributeCertificate ATTRIBUTE ::= { +-- WITH SYNTAX AttributeCertificate +-- EQUALITY MATCHING RULE attributeCertificateMatch +-- ID id-at-attributeCertificate +--} + +AttributeCertificate ::= SEQUENCE { + signedAttributeCertificateInfo AttributeCertificateInfo, + algorithmIdentifier AlgorithmIdentifier, + encrypted BIT STRING +} + +AttributeCertificateInfo ::= SEQUENCE { + version Version DEFAULT v1, + subject + CHOICE {baseCertificateID [0] IssuerSerial, + subjectName [1] GeneralNames + }, + issuer GeneralNames, + signature AlgorithmIdentifier, + serialNumber CertificateSerialNumber, + attCertValidityPeriod AttCertValidityPeriod, + attributes SEQUENCE OF Attribute, + issuerUniqueID UniqueIdentifier OPTIONAL, + extensions Extensions OPTIONAL +} + +IssuerSerial ::= SEQUENCE { + issuer GeneralNames, + serial CertificateSerialNumber, + issuerUID UniqueIdentifier OPTIONAL +} + +AttCertValidityPeriod ::= SEQUENCE { + notBeforeTime GeneralizedTime, + notAfterTime GeneralizedTime +} + +--attributeCertificateMatch MATCHING-RULE ::= { +-- SYNTAX AttributeCertificateAssertion +-- ID id-mr-attributeCertificateMatch +--} + +AttributeCertificateAssertion ::= SEQUENCE { + subject + [0] CHOICE {baseCertificateID [0] IssuerSerial, + subjectName [1] SubjectName} OPTIONAL, + issuer [1] Name OPTIONAL, + attCertValidity [2] GeneralizedTime OPTIONAL, + attType [3] SET OF AttributeType OPTIONAL +} + +-- At least one component of the sequence must be present +-- attribute types +--userPassword ATTRIBUTE ::= { +-- WITH SYNTAX OCTET STRING(SIZE (0..ub-user-password)) +-- EQUALITY MATCHING RULE octetStringMatch +-- ID id-at-userPassword +--} + +--userCertificate ATTRIBUTE ::= { +-- WITH SYNTAX Certificate +-- EQUALITY MATCHING RULE certificateExactMatch +-- ID id-at-userCertificate +--} + +--cACertificate ATTRIBUTE ::= { +-- WITH SYNTAX Certificate +-- EQUALITY MATCHING RULE certificateExactMatch +-- ID id-at-cAcertificate +--} + +--crossCertificatePair ATTRIBUTE ::= { +-- WITH SYNTAX CertificatePair +-- EQUALITY MATCHING RULE certificatePairExactMatch +-- ID id-at-crossCertificatePair +--} + +--authorityRevocationList ATTRIBUTE ::= { +-- WITH SYNTAX CertificateList +-- EQUALITY MATCHING RULE certificateListExactMatch +-- ID id-at-authorityRevocationList +--} + +--certificateRevocationList ATTRIBUTE ::= { +-- WITH SYNTAX CertificateList +-- EQUALITY MATCHING RULE certificateListExactMatch +-- ID id-at-certificateRevocationList +--} + +--attributeCertificateRevocationList ATTRIBUTE ::= { +-- WITH SYNTAX CertificateList +-- ID id-at-attributeCertificateRevocationList +--} + +-- information object classes +--ALGORITHM ::= TYPE-IDENTIFIER + +-- object identifier assignments +--id-at-userPassword OBJECT IDENTIFIER ::= +-- {id-at 35} + +id-at-userCertificate OBJECT IDENTIFIER ::= {id-at 36} + +id-at-cAcertificate OBJECT IDENTIFIER ::= {id-at 37} + +id-at-authorityRevocationList OBJECT IDENTIFIER ::= {id-at 38} + +id-at-certificateRevocationList OBJECT IDENTIFIER ::= {id-at 39} + +id-at-crossCertificatePair OBJECT IDENTIFIER ::= {id-at 40} + +id-at-attributeCertificate OBJECT IDENTIFIER ::= {id-at 58} + +id-at-attributeCertificateRevocationList OBJECT IDENTIFIER ::= {id-at 59} + +--id-mr-attributeCertificateMatch OBJECT IDENTIFIER ::= {id-mr 42} + +-- these are sneaked in from DSS - a separate dissector seems OTT + +DSS-Params ::= SEQUENCE { + p INTEGER, + q INTEGER, + g INTEGER +} +-- WS Add some stuff fytom RFC 1274 + +ub-user-identifier INTEGER ::= 256 +Userid ::= UTF8String (SIZE (1 .. ub-user-identifier)) + +END + +-- Generated by Asnp, the ASN.1 pretty-printer of France Telecom R&D + diff --git a/epan/dissectors/asn1/x509af/CMakeLists.txt b/epan/dissectors/asn1/x509af/CMakeLists.txt new file mode 100644 index 00000000..213294c9 --- /dev/null +++ b/epan/dissectors/asn1/x509af/CMakeLists.txt @@ -0,0 +1,45 @@ +# CMakeLists.txt +# +# Wireshark - Network traffic analyzer +# By Gerald Combs <gerald@wireshark.org> +# Copyright 1998 Gerald Combs +# +# SPDX-License-Identifier: GPL-2.0-or-later +# + +set( PROTOCOL_NAME x509af ) + +set( PROTO_OPT ) + +set( EXPORT_FILES + ${PROTOCOL_NAME}-exp.cnf +) + +set( EXT_ASN_FILE_LIST +) + +set( ASN_FILE_LIST + AuthenticationFramework.asn +) + +set( EXTRA_DIST + ${ASN_FILE_LIST} + packet-${PROTOCOL_NAME}-template.c + packet-${PROTOCOL_NAME}-template.h + ${PROTOCOL_NAME}.cnf +) + +set( SRC_FILES + ${EXTRA_DIST} + ${EXT_ASN_FILE_LIST} +) + +set( A2W_FLAGS -b ) + +set( EXTRA_CNF + "${CMAKE_CURRENT_BINARY_DIR}/../x509ce/x509ce-exp.cnf" + "${CMAKE_CURRENT_BINARY_DIR}/../x509if/x509if-exp.cnf" + "${CMAKE_CURRENT_BINARY_DIR}/../x509sat/x509sat-exp.cnf" +) + +ASN2WRS() diff --git a/epan/dissectors/asn1/x509af/packet-x509af-template.c b/epan/dissectors/asn1/x509af/packet-x509af-template.c new file mode 100644 index 00000000..314007f2 --- /dev/null +++ b/epan/dissectors/asn1/x509af/packet-x509af-template.c @@ -0,0 +1,194 @@ +/* packet-x509af.c + * Routines for X.509 Authentication Framework packet dissection + * Ronnie Sahlberg 2004 + * + * Wireshark - Network traffic analyzer + * By Gerald Combs <gerald@wireshark.org> + * Copyright 1998 Gerald Combs + * + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +#include "config.h" + +#include <epan/packet.h> +#include <epan/oids.h> +#include <epan/asn1.h> +#include <epan/strutil.h> + +#include "packet-ber.h" +#include "packet-x509af.h" +#include "packet-x509ce.h" +#include "packet-x509if.h" +#include "packet-x509sat.h" +#include "packet-ldap.h" +#include "packet-pkcs1.h" +#if defined(HAVE_LIBGNUTLS) +#include <gnutls/gnutls.h> +#endif + +#define PNAME "X.509 Authentication Framework" +#define PSNAME "X509AF" +#define PFNAME "x509af" + +void proto_register_x509af(void); +void proto_reg_handoff_x509af(void); + +static dissector_handle_t pkix_crl_handle; + +/* Initialize the protocol and registered fields */ +static int proto_x509af = -1; +static int hf_x509af_algorithm_id = -1; +static int hf_x509af_extension_id = -1; +#include "packet-x509af-hf.c" + +/* Initialize the subtree pointers */ +static gint ett_pkix_crl = -1; +#include "packet-x509af-ett.c" +static const char *algorithm_id = NULL; +static void +x509af_export_publickey(tvbuff_t *tvb, asn1_ctx_t *actx, int offset, int len); +#include "packet-x509af-fn.c" + +/* Exports the SubjectPublicKeyInfo structure as gnutls_datum_t. + * actx->private_data is assumed to be a gnutls_datum_t pointer which will be + * filled in if non-NULL. */ +static void +x509af_export_publickey(tvbuff_t *tvb _U_, asn1_ctx_t *actx _U_, int offset _U_, int len _U_) +{ +#if defined(HAVE_LIBGNUTLS) + gnutls_datum_t *subjectPublicKeyInfo = (gnutls_datum_t *)actx->private_data; + if (subjectPublicKeyInfo) { + subjectPublicKeyInfo->data = (guchar *) tvb_get_ptr(tvb, offset, len); + subjectPublicKeyInfo->size = len; + actx->private_data = NULL; + } +#endif +} + +const char *x509af_get_last_algorithm_id(void) { + return algorithm_id; +} + + +static int +dissect_pkix_crl(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, void *data _U_) +{ + proto_tree *tree; + asn1_ctx_t asn1_ctx; + asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, TRUE, pinfo); + + col_set_str(pinfo->cinfo, COL_PROTOCOL, "PKIX-CRL"); + + col_set_str(pinfo->cinfo, COL_INFO, "Certificate Revocation List"); + + + tree=proto_tree_add_subtree(parent_tree, tvb, 0, -1, ett_pkix_crl, NULL, "Certificate Revocation List"); + + return dissect_x509af_CertificateList(FALSE, tvb, 0, &asn1_ctx, tree, -1); +} + +static void +x509af_cleanup_protocol(void) +{ + algorithm_id = NULL; +} + +/*--- proto_register_x509af ----------------------------------------------*/ +void proto_register_x509af(void) { + + /* List of fields */ + static hf_register_info hf[] = { + { &hf_x509af_algorithm_id, + { "Algorithm Id", "x509af.algorithm.id", + FT_OID, BASE_NONE, NULL, 0, + NULL, HFILL }}, + { &hf_x509af_extension_id, + { "Extension Id", "x509af.extension.id", + FT_OID, BASE_NONE, NULL, 0, + NULL, HFILL }}, +#include "packet-x509af-hfarr.c" + }; + + /* List of subtrees */ + static gint *ett[] = { + &ett_pkix_crl, +#include "packet-x509af-ettarr.c" + }; + + /* Register protocol */ + proto_x509af = proto_register_protocol(PNAME, PSNAME, PFNAME); + + /* Register fields and subtrees */ + proto_register_field_array(proto_x509af, hf, array_length(hf)); + proto_register_subtree_array(ett, array_length(ett)); + + register_cleanup_routine(&x509af_cleanup_protocol); + + pkix_crl_handle = register_dissector(PFNAME, dissect_pkix_crl, proto_x509af); + + register_ber_syntax_dissector("Certificate", proto_x509af, dissect_x509af_Certificate_PDU); + register_ber_syntax_dissector("CertificateList", proto_x509af, dissect_CertificateList_PDU); + register_ber_syntax_dissector("CrossCertificatePair", proto_x509af, dissect_CertificatePair_PDU); + + register_ber_oid_syntax(".cer", NULL, "Certificate"); + register_ber_oid_syntax(".crt", NULL, "Certificate"); + register_ber_oid_syntax(".crl", NULL, "CertificateList"); +} + + +/*--- proto_reg_handoff_x509af -------------------------------------------*/ +void proto_reg_handoff_x509af(void) { + + dissector_add_string("media_type", "application/pkix-crl", pkix_crl_handle); + +#include "packet-x509af-dis-tab.c" + + /*XXX these should really go to a better place but since + I have not that ITU standard, I'll put it here for the time + being. + Only implemented those algorithms that take no parameters + for the time being, ronnie + */ + /* from http://www.alvestrand.no/objectid/1.3.14.3.2.html */ + register_ber_oid_dissector("1.3.14.3.2.2", dissect_ber_oid_NULL_callback, proto_x509af, "md4WithRSA"); + register_ber_oid_dissector("1.3.14.3.2.3", dissect_ber_oid_NULL_callback, proto_x509af, "md5WithRSA"); + register_ber_oid_dissector("1.3.14.3.2.4", dissect_ber_oid_NULL_callback, proto_x509af, "md4WithRSAEncryption"); + register_ber_oid_dissector("1.3.14.3.2.6", dissect_ber_oid_NULL_callback, proto_x509af, "desECB"); + register_ber_oid_dissector("1.3.14.3.2.11", dissect_ber_oid_NULL_callback, proto_x509af, "rsaSignature"); + register_ber_oid_dissector("1.3.14.3.2.14", dissect_ber_oid_NULL_callback, proto_x509af, "mdc2WithRSASignature"); + register_ber_oid_dissector("1.3.14.3.2.15", dissect_ber_oid_NULL_callback, proto_x509af, "shaWithRSASignature"); + register_ber_oid_dissector("1.3.14.3.2.16", dissect_ber_oid_NULL_callback, proto_x509af, "dhWithCommonModulus"); + register_ber_oid_dissector("1.3.14.3.2.17", dissect_ber_oid_NULL_callback, proto_x509af, "desEDE"); + register_ber_oid_dissector("1.3.14.3.2.18", dissect_ber_oid_NULL_callback, proto_x509af, "sha"); + register_ber_oid_dissector("1.3.14.3.2.19", dissect_ber_oid_NULL_callback, proto_x509af, "mdc-2"); + register_ber_oid_dissector("1.3.14.3.2.20", dissect_ber_oid_NULL_callback, proto_x509af, "dsaCommon"); + register_ber_oid_dissector("1.3.14.3.2.21", dissect_ber_oid_NULL_callback, proto_x509af, "dsaCommonWithSHA"); + register_ber_oid_dissector("1.3.14.3.2.22", dissect_ber_oid_NULL_callback, proto_x509af, "rsaKeyTransport"); + register_ber_oid_dissector("1.3.14.3.2.23", dissect_ber_oid_NULL_callback, proto_x509af, "keyed-hash-seal"); + register_ber_oid_dissector("1.3.14.3.2.24", dissect_ber_oid_NULL_callback, proto_x509af, "md2WithRSASignature"); + register_ber_oid_dissector("1.3.14.3.2.25", dissect_ber_oid_NULL_callback, proto_x509af, "md5WithRSASignature"); + register_ber_oid_dissector("1.3.14.3.2.26", dissect_ber_oid_NULL_callback, proto_x509af, "SHA-1"); + register_ber_oid_dissector("1.3.14.3.2.27", dissect_ber_oid_NULL_callback, proto_x509af, "dsaWithSHA1"); + register_ber_oid_dissector("1.3.14.3.2.28", dissect_ber_oid_NULL_callback, proto_x509af, "dsaWithCommonSHA1"); + register_ber_oid_dissector("1.3.14.3.2.29", dissect_ber_oid_NULL_callback, proto_x509af, "sha-1WithRSAEncryption"); + + /* these will generally be encoded as ";binary" in LDAP */ + + dissector_add_string("ldap.name", "cACertificate", create_dissector_handle(dissect_x509af_Certificate_PDU, proto_x509af)); + dissector_add_string("ldap.name", "userCertificate", create_dissector_handle(dissect_x509af_Certificate_PDU, proto_x509af)); + + dissector_add_string("ldap.name", "certificateRevocationList", create_dissector_handle(dissect_CertificateList_PDU, proto_x509af)); + dissector_add_string("ldap.name", "crl", create_dissector_handle(dissect_CertificateList_PDU, proto_x509af)); + + dissector_add_string("ldap.name", "authorityRevocationList", create_dissector_handle(dissect_CertificateList_PDU, proto_x509af)); + dissector_add_string("ldap.name", "arl", create_dissector_handle(dissect_CertificateList_PDU, proto_x509af)); + + dissector_add_string("ldap.name", "crossCertificatePair", create_dissector_handle(dissect_CertificatePair_PDU, proto_x509af)); + + /* RFC 7468 files */ + dissector_add_string("rfc7468.preeb_label", "CERTIFICATE", create_dissector_handle(dissect_x509af_Certificate_PDU, proto_x509af)); + dissector_add_string("rfc7468.preeb_label", "X509 CRL", create_dissector_handle(dissect_CertificateList_PDU, proto_x509af)); + dissector_add_string("rfc7468.preeb_label", "ATTRIBUTE CERTIFICATE", create_dissector_handle(dissect_AttributeCertificate_PDU, proto_x509af)); + dissector_add_string("rfc7468.preeb_label", "PUBLIC KEY", create_dissector_handle(dissect_SubjectPublicKeyInfo_PDU, proto_x509af)); +} diff --git a/epan/dissectors/asn1/x509af/packet-x509af-template.h b/epan/dissectors/asn1/x509af/packet-x509af-template.h new file mode 100644 index 00000000..7e4d971d --- /dev/null +++ b/epan/dissectors/asn1/x509af/packet-x509af-template.h @@ -0,0 +1,20 @@ +/* packet-x509af.h + * Routines for X.509 Authentication Framework packet dissection + * Ronnie Sahlberg 2004 + * + * Wireshark - Network traffic analyzer + * By Gerald Combs <gerald@wireshark.org> + * Copyright 1998 Gerald Combs + * + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +#ifndef PACKET_X509AF_H +#define PACKET_X509AF_H + +#include "packet-x509af-exp.h" + +extern const char* x509af_get_last_algorithm_id(void); + +#endif /* PACKET_X509AF_H */ + diff --git a/epan/dissectors/asn1/x509af/x509af.cnf b/epan/dissectors/asn1/x509af/x509af.cnf new file mode 100644 index 00000000..3061ed2c --- /dev/null +++ b/epan/dissectors/asn1/x509af/x509af.cnf @@ -0,0 +1,176 @@ +# x509.cnf +# X509 conformation file + +#.IMPORT ../x509ce/x509ce-exp.cnf +#.IMPORT ../x509if/x509if-exp.cnf +#.IMPORT ../x509sat/x509sat-exp.cnf + +#.MODULE_EXPORTS +EXTENSION +ACPathData +AlgorithmIdentifier +AttCertValidityPeriod +AttributeCertificate +AttributeCertificateAssertion +AttributeCertificateInfo +AttributeCertificationPath +Certificate +Certificate_PDU +Certificates +CertificateList +CertificatePair +CertificateSerialNumber +CertificationPath +CrossCertificates +Extension +Extensions +ForwardCertificationPath +IssuerSerial +SubjectPublicKeyInfo +Time +Validity +Version + +#.PDU +SubjectPublicKeyInfo + +#.REGISTER +Certificate B "2.5.4.36" "id-at-userCertificate" +Certificate B "2.5.4.37" "id-at-cAcertificate" +CertificateList B "2.5.4.38" "id-at-authorityRevocationList" +CertificateList B "2.5.4.39" "id-at-certificateRevocationList" +CertificatePair B "2.5.4.40" "id-at-crossCertificatePair" +CertificateList B "2.5.4.53" "id-at-deltaRevocationList" +AttributeCertificate B "2.5.4.58" "id-at-attributeCertificate" +CertificateList B "2.5.4.59" "id-at-attributeCertificateRevocationList" + +DSS-Params B "1.2.840.10040.4.1" "id-dsa" +# WS Implemet from RFC 1274 +Userid B "0.9.2342.19200300.100.1.1" "id-userid" + +#.TYPE_RENAME +AttributeCertificateInfo/subject InfoSubject +AttributeCertificateAssertion/subject AssertionSubject + +#.FIELD_RENAME +AttributeCertificateInfo/issuer issuerName +AttributeCertificateInfo/subject info_subject +AttributeCertificateAssertion/subject assertion_subject + +AttributeCertificateAssertion/issuer assertionIssuer + +AttributeCertificateInfo/subject/subjectName infoSubjectName +AttributeCertificateAssertion/subject/subjectName assertionSubjectName +IssuerSerial/issuer issuerName +CertificateList/signedCertificateList/revokedCertificates/_item/userCertificate revokedUserCertificate +#.END + +#.FN_PARS AlgorithmIdentifier/algorithmId + FN_VARIANT = _str HF_INDEX = hf_x509af_algorithm_id VAL_PTR = &actx->external.direct_reference + +#.FN_BODY AlgorithmIdentifier/algorithmId + const char *name; + + %(DEFAULT_BODY)s + + if (algorithm_id) { + wmem_free(wmem_file_scope(), (void*)algorithm_id); + } + + if(actx->external.direct_reference) { + algorithm_id = (const char *)wmem_strdup(wmem_file_scope(), actx->external.direct_reference); + + name = oid_resolved_from_string(actx->pinfo->pool, actx->external.direct_reference); + + proto_item_append_text(tree, " (%%s)", name ? name : actx->external.direct_reference); + } else { + algorithm_id = NULL; + } + +#.FN_BODY AlgorithmIdentifier/parameters + offset=call_ber_oid_callback(actx->external.direct_reference, tvb, offset, actx->pinfo, tree, NULL); + +#.FN_HDR SubjectPublicKeyInfo + int orig_offset = offset; +#.FN_FTR SubjectPublicKeyInfo + x509af_export_publickey(tvb, actx, orig_offset, offset - orig_offset); +#.END + +#.FN_BODY SubjectPublicKeyInfo/subjectPublicKey + tvbuff_t *bs_tvb = NULL; +# proto_tree *subtree; + + dissect_ber_bitstring(FALSE, actx, NULL, tvb, offset, + NULL, 0, hf_index, -1, &bs_tvb); + + /* See RFC 3279 for possible subjectPublicKey values given an Algorithm ID. + * The contents of subjectPublicKey are always explicitly tagged. */ + if (bs_tvb && !g_strcmp0(algorithm_id, "1.2.840.113549.1.1.1")) { /* id-rsa */ + offset += dissect_pkcs1_RSAPublicKey(FALSE, bs_tvb, 0, actx, tree, hf_index); + +# TODO: PKCS#1 only defines RSA; DH and DSA are from PKIX1Algorithms2008 +# } else if (bs_tvb && !g_strcmp0(algorithm_id, "1.2.840.10040.4.1")) { /* id-dsa */ +# subtree = proto_item_add_subtree(actx->created_item, ett_subjectpublickey); +# offset += dissect_DSAPublicKey(FALSE, bs_tvb, 0, actx, subtree, hf_dsa_y); +# +# } else if (bs_tvb && !g_strcmp0(algorithm_id, "1.2.840.10046.2.1")) { /* dhpublicnumber */ +# subtree = proto_item_add_subtree(actx->created_item, ett_subjectpublickey); +# offset += dissect_DHPublicKey(FALSE, bs_tvb, 0, actx, subtree, hf_dh_y); +# + } else { + offset = dissect_ber_bitstring(FALSE, actx, tree, tvb, offset, + NULL, 0, hf_index, -1, NULL); + } + +#.FN_PARS Extension/extnId + FN_VARIANT = _str HF_INDEX = hf_x509af_extension_id VAL_PTR = &actx->external.direct_reference + +#.FN_BODY Extension/extnId + const char *name; + + %(DEFAULT_BODY)s + + if(actx->external.direct_reference) { + name = oid_resolved_from_string(actx->pinfo->pool, actx->external.direct_reference); + + proto_item_append_text(tree, " (%%s)", name ? name : actx->external.direct_reference); + } + +#.FN_BODY Extension/extnValue + gint8 ber_class; + bool pc, ind; + gint32 tag; + guint32 len; + /* skip past the T and L */ + offset = dissect_ber_identifier(actx->pinfo, tree, tvb, offset, &ber_class, &pc, &tag); + offset = dissect_ber_length(actx->pinfo, tree, tvb, offset, &len, &ind); + offset=call_ber_oid_callback(actx->external.direct_reference, tvb, offset, actx->pinfo, tree, NULL); + +#.FN_BODY Time/utcTime + char *outstr, *newstr; + guint32 tvblen; + + /* the 2-digit year can only be in the range 1950..2049 https://tools.ietf.org/html/rfc5280#section-4.1.2.5.1 */ + offset = dissect_ber_UTCTime(implicit_tag, actx, tree, tvb, offset, hf_index, &outstr, &tvblen); + if (hf_index >= 0 && outstr) { + newstr = wmem_strconcat(actx->pinfo->pool, outstr[0] < '5' ? "20": "19", outstr, NULL); + proto_tree_add_string(tree, hf_index, tvb, offset - tvblen, tvblen, newstr); + } + +#.FN_BODY SubjectName + + const char* str; + %(DEFAULT_BODY)s + + str = x509if_get_last_dn(); + proto_item_append_text(proto_item_get_parent(tree), " (%%s)", str?str:""); + +#.TYPE_ATTR +CertificateSerialNumber TYPE = FT_BYTES DISPLAY = BASE_NONE +DSS-Params/p TYPE = FT_BYTES DISPLAY = BASE_NONE +DSS-Params/q TYPE = FT_BYTES DISPLAY = BASE_NONE +DSS-Params/g TYPE = FT_BYTES DISPLAY = BASE_NONE + +#.FN_PARS CertificateSerialNumber FN_VARIANT = 64 + +#.END |