1/*
2 * X.509 certificate parsing and verification
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 */
19/*
20 * The ITU-T X.509 standard defines a certificate format for PKI.
21 *
22 * http://www.ietf.org/rfc/rfc5280.txt (Certificates and CRLs)
23 * http://www.ietf.org/rfc/rfc3279.txt (Alg IDs for CRLs)
24 * http://www.ietf.org/rfc/rfc2986.txt (CSRs, aka PKCS#10)
25 *
26 * http://www.itu.int/ITU-T/studygroups/com17/languages/X.680-0207.pdf
27 * http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf
28 *
29 * [SIRO] https://cabforum.org/wp-content/uploads/Chunghwatelecom201503cabforumV4.pdf
30 */
31
32#include "common.h"
33
34#if defined(MBEDTLS_X509_CRT_PARSE_C)
35
36#include "mbedtls/x509_crt.h"
37#include "mbedtls/error.h"
38#include "mbedtls/oid.h"
39#include "mbedtls/platform_util.h"
40
41#include <string.h>
42
43#if defined(MBEDTLS_PEM_PARSE_C)
44#include "mbedtls/pem.h"
45#endif
46
47#if defined(MBEDTLS_USE_PSA_CRYPTO)
48#include "psa/crypto.h"
49#include "mbedtls/psa_util.h"
50#endif
51
52#include "mbedtls/platform.h"
53
54#if defined(MBEDTLS_THREADING_C)
55#include "mbedtls/threading.h"
56#endif
57
58#if defined(MBEDTLS_HAVE_TIME)
59#if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
60#include <windows.h>
61#else
62#include <time.h>
63#endif
64#endif
65
66#if defined(MBEDTLS_FS_IO)
67#include <stdio.h>
68#if !defined(_WIN32) || defined(EFIX64) || defined(EFI32)
69#include <sys/types.h>
70#include <sys/stat.h>
71#include <dirent.h>
72#include <errno.h>
73#endif /* !_WIN32 || EFIX64 || EFI32 */
74#endif
75
76/*
77 * Item in a verification chain: cert and flags for it
78 */
79typedef struct {
80 mbedtls_x509_crt *crt;
81 uint32_t flags;
82} x509_crt_verify_chain_item;
83
84/*
85 * Max size of verification chain: end-entity + intermediates + trusted root
86 */
87#define X509_MAX_VERIFY_CHAIN_SIZE (MBEDTLS_X509_MAX_INTERMEDIATE_CA + 2)
88
89/* Default profile. Do not remove items unless there are serious security
90 * concerns. */
91const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_default =
92{
93 /* Only SHA-2 hashes */
94 MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA224) |
95 MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA256) |
96 MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA384) |
97 MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA512),
98 0xFFFFFFF, /* Any PK alg */
99 0xFFFFFFF, /* Any curve */
100 2048,
101};
102
103/*
104 * Next-default profile
105 */
106const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_next =
107{
108 /* Hashes from SHA-256 and above */
109 MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA256) |
110 MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA384) |
111 MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA512),
112 0xFFFFFFF, /* Any PK alg */
113#if defined(MBEDTLS_ECP_C)
114 /* Curves at or above 128-bit security level */
115 MBEDTLS_X509_ID_FLAG(MBEDTLS_ECP_DP_SECP256R1) |
116 MBEDTLS_X509_ID_FLAG(MBEDTLS_ECP_DP_SECP384R1) |
117 MBEDTLS_X509_ID_FLAG(MBEDTLS_ECP_DP_SECP521R1) |
118 MBEDTLS_X509_ID_FLAG(MBEDTLS_ECP_DP_BP256R1) |
119 MBEDTLS_X509_ID_FLAG(MBEDTLS_ECP_DP_BP384R1) |
120 MBEDTLS_X509_ID_FLAG(MBEDTLS_ECP_DP_BP512R1) |
121 MBEDTLS_X509_ID_FLAG(MBEDTLS_ECP_DP_SECP256K1),
122#else
123 0,
124#endif
125 2048,
126};
127
128/*
129 * NSA Suite B Profile
130 */
131const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_suiteb =
132{
133 /* Only SHA-256 and 384 */
134 MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA256) |
135 MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA384),
136 /* Only ECDSA */
137 MBEDTLS_X509_ID_FLAG(MBEDTLS_PK_ECDSA) |
138 MBEDTLS_X509_ID_FLAG(MBEDTLS_PK_ECKEY),
139#if defined(MBEDTLS_ECP_C)
140 /* Only NIST P-256 and P-384 */
141 MBEDTLS_X509_ID_FLAG(MBEDTLS_ECP_DP_SECP256R1) |
142 MBEDTLS_X509_ID_FLAG(MBEDTLS_ECP_DP_SECP384R1),
143#else
144 0,
145#endif
146 0,
147};
148
149/*
150 * Check md_alg against profile
151 * Return 0 if md_alg is acceptable for this profile, -1 otherwise
152 */
153static int x509_profile_check_md_alg(const mbedtls_x509_crt_profile *profile,
154 mbedtls_md_type_t md_alg)
155{
156 if (md_alg == MBEDTLS_MD_NONE) {
157 return -1;
158 }
159
160 if ((profile->allowed_mds & MBEDTLS_X509_ID_FLAG(md_alg)) != 0) {
161 return 0;
162 }
163
164 return -1;
165}
166
167/*
168 * Check pk_alg against profile
169 * Return 0 if pk_alg is acceptable for this profile, -1 otherwise
170 */
171static int x509_profile_check_pk_alg(const mbedtls_x509_crt_profile *profile,
172 mbedtls_pk_type_t pk_alg)
173{
174 if (pk_alg == MBEDTLS_PK_NONE) {
175 return -1;
176 }
177
178 if ((profile->allowed_pks & MBEDTLS_X509_ID_FLAG(pk_alg)) != 0) {
179 return 0;
180 }
181
182 return -1;
183}
184
185/*
186 * Check key against profile
187 * Return 0 if pk is acceptable for this profile, -1 otherwise
188 */
189static int x509_profile_check_key(const mbedtls_x509_crt_profile *profile,
190 const mbedtls_pk_context *pk)
191{
192 const mbedtls_pk_type_t pk_alg = mbedtls_pk_get_type(pk);
193
194#if defined(MBEDTLS_RSA_C)
195 if (pk_alg == MBEDTLS_PK_RSA || pk_alg == MBEDTLS_PK_RSASSA_PSS) {
196 if (mbedtls_pk_get_bitlen(pk) >= profile->rsa_min_bitlen) {
197 return 0;
198 }
199
200 return -1;
201 }
202#endif
203
204#if defined(MBEDTLS_ECP_C)
205 if (pk_alg == MBEDTLS_PK_ECDSA ||
206 pk_alg == MBEDTLS_PK_ECKEY ||
207 pk_alg == MBEDTLS_PK_ECKEY_DH) {
208 const mbedtls_ecp_group_id gid = mbedtls_pk_ec(*pk)->grp.id;
209
210 if (gid == MBEDTLS_ECP_DP_NONE) {
211 return -1;
212 }
213
214 if ((profile->allowed_curves & MBEDTLS_X509_ID_FLAG(gid)) != 0) {
215 return 0;
216 }
217
218 return -1;
219 }
220#endif
221
222 return -1;
223}
224
225/*
226 * Like memcmp, but case-insensitive and always returns -1 if different
227 */
228static int x509_memcasecmp(const void *s1, const void *s2, size_t len)
229{
230 size_t i;
231 unsigned char diff;
232 const unsigned char *n1 = s1, *n2 = s2;
233
234 for (i = 0; i < len; i++) {
235 diff = n1[i] ^ n2[i];
236
237 if (diff == 0) {
238 continue;
239 }
240
241 if (diff == 32 &&
242 ((n1[i] >= 'a' && n1[i] <= 'z') ||
243 (n1[i] >= 'A' && n1[i] <= 'Z'))) {
244 continue;
245 }
246
247 return -1;
248 }
249
250 return 0;
251}
252
253/*
254 * Return 0 if name matches wildcard, -1 otherwise
255 */
256static int x509_check_wildcard(const char *cn, const mbedtls_x509_buf *name)
257{
258 size_t i;
259 size_t cn_idx = 0, cn_len = strlen(cn);
260
261 /* We can't have a match if there is no wildcard to match */
262 if (name->len < 3 || name->p[0] != '*' || name->p[1] != '.') {
263 return -1;
264 }
265
266 for (i = 0; i < cn_len; ++i) {
267 if (cn[i] == '.') {
268 cn_idx = i;
269 break;
270 }
271 }
272
273 if (cn_idx == 0) {
274 return -1;
275 }
276
277 if (cn_len - cn_idx == name->len - 1 &&
278 x509_memcasecmp(name->p + 1, cn + cn_idx, name->len - 1) == 0) {
279 return 0;
280 }
281
282 return -1;
283}
284
285/*
286 * Compare two X.509 strings, case-insensitive, and allowing for some encoding
287 * variations (but not all).
288 *
289 * Return 0 if equal, -1 otherwise.
290 */
291static int x509_string_cmp(const mbedtls_x509_buf *a, const mbedtls_x509_buf *b)
292{
293 if (a->tag == b->tag &&
294 a->len == b->len &&
295 memcmp(a->p, b->p, b->len) == 0) {
296 return 0;
297 }
298
299 if ((a->tag == MBEDTLS_ASN1_UTF8_STRING || a->tag == MBEDTLS_ASN1_PRINTABLE_STRING) &&
300 (b->tag == MBEDTLS_ASN1_UTF8_STRING || b->tag == MBEDTLS_ASN1_PRINTABLE_STRING) &&
301 a->len == b->len &&
302 x509_memcasecmp(a->p, b->p, b->len) == 0) {
303 return 0;
304 }
305
306 return -1;
307}
308
309/*
310 * Compare two X.509 Names (aka rdnSequence).
311 *
312 * See RFC 5280 section 7.1, though we don't implement the whole algorithm:
313 * we sometimes return unequal when the full algorithm would return equal,
314 * but never the other way. (In particular, we don't do Unicode normalisation
315 * or space folding.)
316 *
317 * Return 0 if equal, -1 otherwise.
318 */
319static int x509_name_cmp(const mbedtls_x509_name *a, const mbedtls_x509_name *b)
320{
321 /* Avoid recursion, it might not be optimised by the compiler */
322 while (a != NULL || b != NULL) {
323 if (a == NULL || b == NULL) {
324 return -1;
325 }
326
327 /* type */
328 if (a->oid.tag != b->oid.tag ||
329 a->oid.len != b->oid.len ||
330 memcmp(a->oid.p, b->oid.p, b->oid.len) != 0) {
331 return -1;
332 }
333
334 /* value */
335 if (x509_string_cmp(&a->val, &b->val) != 0) {
336 return -1;
337 }
338
339 /* structure of the list of sets */
340 if (a->next_merged != b->next_merged) {
341 return -1;
342 }
343
344 a = a->next;
345 b = b->next;
346 }
347
348 /* a == NULL == b */
349 return 0;
350}
351
352/*
353 * Reset (init or clear) a verify_chain
354 */
355static void x509_crt_verify_chain_reset(
356 mbedtls_x509_crt_verify_chain *ver_chain)
357{
358 size_t i;
359
360 for (i = 0; i < MBEDTLS_X509_MAX_VERIFY_CHAIN_SIZE; i++) {
361 ver_chain->items[i].crt = NULL;
362 ver_chain->items[i].flags = (uint32_t) -1;
363 }
364
365 ver_chain->len = 0;
366
367#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
368 ver_chain->trust_ca_cb_result = NULL;
369#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
370}
371
372/*
373 * Version ::= INTEGER { v1(0), v2(1), v3(2) }
374 */
375static int x509_get_version(unsigned char **p,
376 const unsigned char *end,
377 int *ver)
378{
379 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
380 size_t len;
381
382 if ((ret = mbedtls_asn1_get_tag(p, end, &len,
383 MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED |
384 0)) != 0) {
385 if (ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) {
386 *ver = 0;
387 return 0;
388 }
389
390 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_FORMAT, ret);
391 }
392
393 end = *p + len;
394
395 if ((ret = mbedtls_asn1_get_int(p, end, ver)) != 0) {
396 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_VERSION, ret);
397 }
398
399 if (*p != end) {
400 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_VERSION,
401 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
402 }
403
404 return 0;
405}
406
407/*
408 * Validity ::= SEQUENCE {
409 * notBefore Time,
410 * notAfter Time }
411 */
412static int x509_get_dates(unsigned char **p,
413 const unsigned char *end,
414 mbedtls_x509_time *from,
415 mbedtls_x509_time *to)
416{
417 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
418 size_t len;
419
420 if ((ret = mbedtls_asn1_get_tag(p, end, &len,
421 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
422 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_DATE, ret);
423 }
424
425 end = *p + len;
426
427 if ((ret = mbedtls_x509_get_time(p, end, from)) != 0) {
428 return ret;
429 }
430
431 if ((ret = mbedtls_x509_get_time(p, end, to)) != 0) {
432 return ret;
433 }
434
435 if (*p != end) {
436 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_DATE,
437 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
438 }
439
440 return 0;
441}
442
443/*
444 * X.509 v2/v3 unique identifier (not parsed)
445 */
446static int x509_get_uid(unsigned char **p,
447 const unsigned char *end,
448 mbedtls_x509_buf *uid, int n)
449{
450 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
451
452 if (*p == end) {
453 return 0;
454 }
455
456 uid->tag = **p;
457
458 if ((ret = mbedtls_asn1_get_tag(p, end, &uid->len,
459 MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED |
460 n)) != 0) {
461 if (ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) {
462 return 0;
463 }
464
465 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_FORMAT, ret);
466 }
467
468 uid->p = *p;
469 *p += uid->len;
470
471 return 0;
472}
473
474static int x509_get_basic_constraints(unsigned char **p,
475 const unsigned char *end,
476 int *ca_istrue,
477 int *max_pathlen)
478{
479 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
480 size_t len;
481
482 /*
483 * BasicConstraints ::= SEQUENCE {
484 * cA BOOLEAN DEFAULT FALSE,
485 * pathLenConstraint INTEGER (0..MAX) OPTIONAL }
486 */
487 *ca_istrue = 0; /* DEFAULT FALSE */
488 *max_pathlen = 0; /* endless */
489
490 if ((ret = mbedtls_asn1_get_tag(p, end, &len,
491 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
492 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
493 }
494
495 if (*p == end) {
496 return 0;
497 }
498
499 if ((ret = mbedtls_asn1_get_bool(p, end, ca_istrue)) != 0) {
500 if (ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) {
501 ret = mbedtls_asn1_get_int(p, end, ca_istrue);
502 }
503
504 if (ret != 0) {
505 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
506 }
507
508 if (*ca_istrue != 0) {
509 *ca_istrue = 1;
510 }
511 }
512
513 if (*p == end) {
514 return 0;
515 }
516
517 if ((ret = mbedtls_asn1_get_int(p, end, max_pathlen)) != 0) {
518 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
519 }
520
521 if (*p != end) {
522 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
523 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
524 }
525
526 /* Do not accept max_pathlen equal to INT_MAX to avoid a signed integer
527 * overflow, which is an undefined behavior. */
528 if (*max_pathlen == INT_MAX) {
529 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
530 MBEDTLS_ERR_ASN1_INVALID_LENGTH);
531 }
532
533 (*max_pathlen)++;
534
535 return 0;
536}
537
538static int x509_get_ns_cert_type(unsigned char **p,
539 const unsigned char *end,
540 unsigned char *ns_cert_type)
541{
542 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
543 mbedtls_x509_bitstring bs = { 0, 0, NULL };
544
545 if ((ret = mbedtls_asn1_get_bitstring(p, end, &bs)) != 0) {
546 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
547 }
548
549 if (bs.len != 1) {
550 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
551 MBEDTLS_ERR_ASN1_INVALID_LENGTH);
552 }
553
554 /* Get actual bitstring */
555 *ns_cert_type = *bs.p;
556 return 0;
557}
558
559static int x509_get_key_usage(unsigned char **p,
560 const unsigned char *end,
561 unsigned int *key_usage)
562{
563 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
564 size_t i;
565 mbedtls_x509_bitstring bs = { 0, 0, NULL };
566
567 if ((ret = mbedtls_asn1_get_bitstring(p, end, &bs)) != 0) {
568 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
569 }
570
571 if (bs.len < 1) {
572 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
573 MBEDTLS_ERR_ASN1_INVALID_LENGTH);
574 }
575
576 /* Get actual bitstring */
577 *key_usage = 0;
578 for (i = 0; i < bs.len && i < sizeof(unsigned int); i++) {
579 *key_usage |= (unsigned int) bs.p[i] << (8*i);
580 }
581
582 return 0;
583}
584
585/*
586 * ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
587 *
588 * KeyPurposeId ::= OBJECT IDENTIFIER
589 */
590static int x509_get_ext_key_usage(unsigned char **p,
591 const unsigned char *end,
592 mbedtls_x509_sequence *ext_key_usage)
593{
594 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
595
596 if ((ret = mbedtls_asn1_get_sequence_of(p, end, ext_key_usage, MBEDTLS_ASN1_OID)) != 0) {
597 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
598 }
599
600 /* Sequence length must be >= 1 */
601 if (ext_key_usage->buf.p == NULL) {
602 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
603 MBEDTLS_ERR_ASN1_INVALID_LENGTH);
604 }
605
606 return 0;
607}
608
609/*
610 * SubjectAltName ::= GeneralNames
611 *
612 * GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
613 *
614 * GeneralName ::= CHOICE {
615 * otherName [0] OtherName,
616 * rfc822Name [1] IA5String,
617 * dNSName [2] IA5String,
618 * x400Address [3] ORAddress,
619 * directoryName [4] Name,
620 * ediPartyName [5] EDIPartyName,
621 * uniformResourceIdentifier [6] IA5String,
622 * iPAddress [7] OCTET STRING,
623 * registeredID [8] OBJECT IDENTIFIER }
624 *
625 * OtherName ::= SEQUENCE {
626 * type-id OBJECT IDENTIFIER,
627 * value [0] EXPLICIT ANY DEFINED BY type-id }
628 *
629 * EDIPartyName ::= SEQUENCE {
630 * nameAssigner [0] DirectoryString OPTIONAL,
631 * partyName [1] DirectoryString }
632 *
633 * NOTE: we list all types, but only use dNSName and otherName
634 * of type HwModuleName, as defined in RFC 4108, at this point.
635 */
636static int x509_get_subject_alt_name(unsigned char **p,
637 const unsigned char *end,
638 mbedtls_x509_sequence *subject_alt_name)
639{
640 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
641 size_t len, tag_len;
642 mbedtls_asn1_sequence *cur = subject_alt_name;
643
644 /* Get main sequence tag */
645 if ((ret = mbedtls_asn1_get_tag(p, end, &len,
646 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
647 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
648 }
649
650 if (*p + len != end) {
651 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
652 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
653 }
654
655 while (*p < end) {
656 mbedtls_x509_subject_alternative_name dummy_san_buf;
657 mbedtls_x509_buf tmp_san_buf;
658 memset(&dummy_san_buf, 0, sizeof(dummy_san_buf));
659
660 tmp_san_buf.tag = **p;
661 (*p)++;
662
663 if ((ret = mbedtls_asn1_get_len(p, end, &tag_len)) != 0) {
664 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
665 }
666
667 tmp_san_buf.p = *p;
668 tmp_san_buf.len = tag_len;
669
670 if ((tmp_san_buf.tag & MBEDTLS_ASN1_TAG_CLASS_MASK) !=
671 MBEDTLS_ASN1_CONTEXT_SPECIFIC) {
672 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
673 MBEDTLS_ERR_ASN1_UNEXPECTED_TAG);
674 }
675
676 /*
677 * Check that the SAN is structured correctly.
678 */
679 ret = mbedtls_x509_parse_subject_alt_name(&tmp_san_buf, &dummy_san_buf);
680 /*
681 * In case the extension is malformed, return an error,
682 * and clear the allocated sequences.
683 */
684 if (ret != 0 && ret != MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE) {
685 mbedtls_x509_sequence *seq_cur = subject_alt_name->next;
686 mbedtls_x509_sequence *seq_prv;
687 while (seq_cur != NULL) {
688 seq_prv = seq_cur;
689 seq_cur = seq_cur->next;
690 mbedtls_platform_zeroize(seq_prv,
691 sizeof(mbedtls_x509_sequence));
692 mbedtls_free(seq_prv);
693 }
694 subject_alt_name->next = NULL;
695 return ret;
696 }
697
698 /* Allocate and assign next pointer */
699 if (cur->buf.p != NULL) {
700 if (cur->next != NULL) {
701 return MBEDTLS_ERR_X509_INVALID_EXTENSIONS;
702 }
703
704 cur->next = mbedtls_calloc(1, sizeof(mbedtls_asn1_sequence));
705
706 if (cur->next == NULL) {
707 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
708 MBEDTLS_ERR_ASN1_ALLOC_FAILED);
709 }
710
711 cur = cur->next;
712 }
713
714 cur->buf = tmp_san_buf;
715 *p += tmp_san_buf.len;
716 }
717
718 /* Set final sequence entry's next pointer to NULL */
719 cur->next = NULL;
720
721 if (*p != end) {
722 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
723 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
724 }
725
726 return 0;
727}
728
729/*
730 * id-ce-certificatePolicies OBJECT IDENTIFIER ::= { id-ce 32 }
731 *
732 * anyPolicy OBJECT IDENTIFIER ::= { id-ce-certificatePolicies 0 }
733 *
734 * certificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation
735 *
736 * PolicyInformation ::= SEQUENCE {
737 * policyIdentifier CertPolicyId,
738 * policyQualifiers SEQUENCE SIZE (1..MAX) OF
739 * PolicyQualifierInfo OPTIONAL }
740 *
741 * CertPolicyId ::= OBJECT IDENTIFIER
742 *
743 * PolicyQualifierInfo ::= SEQUENCE {
744 * policyQualifierId PolicyQualifierId,
745 * qualifier ANY DEFINED BY policyQualifierId }
746 *
747 * -- policyQualifierIds for Internet policy qualifiers
748 *
749 * id-qt OBJECT IDENTIFIER ::= { id-pkix 2 }
750 * id-qt-cps OBJECT IDENTIFIER ::= { id-qt 1 }
751 * id-qt-unotice OBJECT IDENTIFIER ::= { id-qt 2 }
752 *
753 * PolicyQualifierId ::= OBJECT IDENTIFIER ( id-qt-cps | id-qt-unotice )
754 *
755 * Qualifier ::= CHOICE {
756 * cPSuri CPSuri,
757 * userNotice UserNotice }
758 *
759 * CPSuri ::= IA5String
760 *
761 * UserNotice ::= SEQUENCE {
762 * noticeRef NoticeReference OPTIONAL,
763 * explicitText DisplayText OPTIONAL }
764 *
765 * NoticeReference ::= SEQUENCE {
766 * organization DisplayText,
767 * noticeNumbers SEQUENCE OF INTEGER }
768 *
769 * DisplayText ::= CHOICE {
770 * ia5String IA5String (SIZE (1..200)),
771 * visibleString VisibleString (SIZE (1..200)),
772 * bmpString BMPString (SIZE (1..200)),
773 * utf8String UTF8String (SIZE (1..200)) }
774 *
775 * NOTE: we only parse and use anyPolicy without qualifiers at this point
776 * as defined in RFC 5280.
777 */
778static int x509_get_certificate_policies(unsigned char **p,
779 const unsigned char *end,
780 mbedtls_x509_sequence *certificate_policies)
781{
782 int ret, parse_ret = 0;
783 size_t len;
784 mbedtls_asn1_buf *buf;
785 mbedtls_asn1_sequence *cur = certificate_policies;
786
787 /* Get main sequence tag */
788 ret = mbedtls_asn1_get_tag(p, end, &len,
789 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE);
790 if (ret != 0) {
791 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
792 }
793
794 if (*p + len != end) {
795 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
796 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
797 }
798
799 /*
800 * Cannot be an empty sequence.
801 */
802 if (len == 0) {
803 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
804 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
805 }
806
807 while (*p < end) {
808 mbedtls_x509_buf policy_oid;
809 const unsigned char *policy_end;
810
811 /*
812 * Get the policy sequence
813 */
814 if ((ret = mbedtls_asn1_get_tag(p, end, &len,
815 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
816 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
817 }
818
819 policy_end = *p + len;
820
821 if ((ret = mbedtls_asn1_get_tag(p, policy_end, &len,
822 MBEDTLS_ASN1_OID)) != 0) {
823 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
824 }
825
826 policy_oid.tag = MBEDTLS_ASN1_OID;
827 policy_oid.len = len;
828 policy_oid.p = *p;
829
830 /*
831 * Only AnyPolicy is currently supported when enforcing policy.
832 */
833 if (MBEDTLS_OID_CMP(MBEDTLS_OID_ANY_POLICY, &policy_oid) != 0) {
834 /*
835 * Set the parsing return code but continue parsing, in case this
836 * extension is critical and MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
837 * is configured.
838 */
839 parse_ret = MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE;
840 }
841
842 /* Allocate and assign next pointer */
843 if (cur->buf.p != NULL) {
844 if (cur->next != NULL) {
845 return MBEDTLS_ERR_X509_INVALID_EXTENSIONS;
846 }
847
848 cur->next = mbedtls_calloc(1, sizeof(mbedtls_asn1_sequence));
849
850 if (cur->next == NULL) {
851 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
852 MBEDTLS_ERR_ASN1_ALLOC_FAILED);
853 }
854
855 cur = cur->next;
856 }
857
858 buf = &(cur->buf);
859 buf->tag = policy_oid.tag;
860 buf->p = policy_oid.p;
861 buf->len = policy_oid.len;
862
863 *p += len;
864
865 /*
866 * If there is an optional qualifier, then *p < policy_end
867 * Check the Qualifier len to verify it doesn't exceed policy_end.
868 */
869 if (*p < policy_end) {
870 if ((ret = mbedtls_asn1_get_tag(p, policy_end, &len,
871 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) !=
872 0) {
873 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
874 }
875 /*
876 * Skip the optional policy qualifiers.
877 */
878 *p += len;
879 }
880
881 if (*p != policy_end) {
882 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
883 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
884 }
885 }
886
887 /* Set final sequence entry's next pointer to NULL */
888 cur->next = NULL;
889
890 if (*p != end) {
891 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
892 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
893 }
894
895 return parse_ret;
896}
897
898/*
899 * X.509 v3 extensions
900 *
901 */
902static int x509_get_crt_ext(unsigned char **p,
903 const unsigned char *end,
904 mbedtls_x509_crt *crt,
905 mbedtls_x509_crt_ext_cb_t cb,
906 void *p_ctx)
907{
908 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
909 size_t len;
910 unsigned char *end_ext_data, *start_ext_octet, *end_ext_octet;
911
912 if (*p == end) {
913 return 0;
914 }
915
916 if ((ret = mbedtls_x509_get_ext(p, end, &crt->v3_ext, 3)) != 0) {
917 return ret;
918 }
919
920 end = crt->v3_ext.p + crt->v3_ext.len;
921 while (*p < end) {
922 /*
923 * Extension ::= SEQUENCE {
924 * extnID OBJECT IDENTIFIER,
925 * critical BOOLEAN DEFAULT FALSE,
926 * extnValue OCTET STRING }
927 */
928 mbedtls_x509_buf extn_oid = { 0, 0, NULL };
929 int is_critical = 0; /* DEFAULT FALSE */
930 int ext_type = 0;
931
932 if ((ret = mbedtls_asn1_get_tag(p, end, &len,
933 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
934 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
935 }
936
937 end_ext_data = *p + len;
938
939 /* Get extension ID */
940 if ((ret = mbedtls_asn1_get_tag(p, end_ext_data, &extn_oid.len,
941 MBEDTLS_ASN1_OID)) != 0) {
942 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
943 }
944
945 extn_oid.tag = MBEDTLS_ASN1_OID;
946 extn_oid.p = *p;
947 *p += extn_oid.len;
948
949 /* Get optional critical */
950 if ((ret = mbedtls_asn1_get_bool(p, end_ext_data, &is_critical)) != 0 &&
951 (ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG)) {
952 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
953 }
954
955 /* Data should be octet string type */
956 if ((ret = mbedtls_asn1_get_tag(p, end_ext_data, &len,
957 MBEDTLS_ASN1_OCTET_STRING)) != 0) {
958 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
959 }
960
961 start_ext_octet = *p;
962 end_ext_octet = *p + len;
963
964 if (end_ext_octet != end_ext_data) {
965 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
966 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
967 }
968
969 /*
970 * Detect supported extensions
971 */
972 ret = mbedtls_oid_get_x509_ext_type(&extn_oid, &ext_type);
973
974 if (ret != 0) {
975 /* Give the callback (if any) a chance to handle the extension */
976 if (cb != NULL) {
977 ret = cb(p_ctx, crt, &extn_oid, is_critical, *p, end_ext_octet);
978 if (ret != 0 && is_critical) {
979 return ret;
980 }
981 *p = end_ext_octet;
982 continue;
983 }
984
985 /* No parser found, skip extension */
986 *p = end_ext_octet;
987
988#if !defined(MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION)
989 if (is_critical) {
990 /* Data is marked as critical: fail */
991 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
992 MBEDTLS_ERR_ASN1_UNEXPECTED_TAG);
993 }
994#endif
995 continue;
996 }
997
998 /* Forbid repeated extensions */
999 if ((crt->ext_types & ext_type) != 0) {
1000 return MBEDTLS_ERR_X509_INVALID_EXTENSIONS;
1001 }
1002
1003 crt->ext_types |= ext_type;
1004
1005 switch (ext_type) {
1006 case MBEDTLS_X509_EXT_BASIC_CONSTRAINTS:
1007 /* Parse basic constraints */
1008 if ((ret = x509_get_basic_constraints(p, end_ext_octet,
1009 &crt->ca_istrue, &crt->max_pathlen)) != 0) {
1010 return ret;
1011 }
1012 break;
1013
1014 case MBEDTLS_X509_EXT_KEY_USAGE:
1015 /* Parse key usage */
1016 if ((ret = x509_get_key_usage(p, end_ext_octet,
1017 &crt->key_usage)) != 0) {
1018 return ret;
1019 }
1020 break;
1021
1022 case MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE:
1023 /* Parse extended key usage */
1024 if ((ret = x509_get_ext_key_usage(p, end_ext_octet,
1025 &crt->ext_key_usage)) != 0) {
1026 return ret;
1027 }
1028 break;
1029
1030 case MBEDTLS_X509_EXT_SUBJECT_ALT_NAME:
1031 /* Parse subject alt name */
1032 if ((ret = x509_get_subject_alt_name(p, end_ext_octet,
1033 &crt->subject_alt_names)) != 0) {
1034 return ret;
1035 }
1036 break;
1037
1038 case MBEDTLS_X509_EXT_NS_CERT_TYPE:
1039 /* Parse netscape certificate type */
1040 if ((ret = x509_get_ns_cert_type(p, end_ext_octet,
1041 &crt->ns_cert_type)) != 0) {
1042 return ret;
1043 }
1044 break;
1045
1046 case MBEDTLS_OID_X509_EXT_CERTIFICATE_POLICIES:
1047 /* Parse certificate policies type */
1048 if ((ret = x509_get_certificate_policies(p, end_ext_octet,
1049 &crt->certificate_policies)) != 0) {
1050 /* Give the callback (if any) a chance to handle the extension
1051 * if it contains unsupported policies */
1052 if (ret == MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE && cb != NULL &&
1053 cb(p_ctx, crt, &extn_oid, is_critical,
1054 start_ext_octet, end_ext_octet) == 0) {
1055 break;
1056 }
1057
1058#if !defined(MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION)
1059 if (is_critical) {
1060 return ret;
1061 } else
1062#endif
1063 /*
1064 * If MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE is returned, then we
1065 * cannot interpret or enforce the policy. However, it is up to
1066 * the user to choose how to enforce the policies,
1067 * unless the extension is critical.
1068 */
1069 if (ret != MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE) {
1070 return ret;
1071 }
1072 }
1073 break;
1074
1075 default:
1076 /*
1077 * If this is a non-critical extension, which the oid layer
1078 * supports, but there isn't an x509 parser for it,
1079 * skip the extension.
1080 */
1081#if !defined(MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION)
1082 if (is_critical) {
1083 return MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE;
1084 } else
1085#endif
1086 *p = end_ext_octet;
1087 }
1088 }
1089
1090 if (*p != end) {
1091 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
1092 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
1093 }
1094
1095 return 0;
1096}
1097
1098/*
1099 * Parse and fill a single X.509 certificate in DER format
1100 */
1101static int x509_crt_parse_der_core(mbedtls_x509_crt *crt,
1102 const unsigned char *buf,
1103 size_t buflen,
1104 int make_copy,
1105 mbedtls_x509_crt_ext_cb_t cb,
1106 void *p_ctx)
1107{
1108 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1109 size_t len;
1110 unsigned char *p, *end, *crt_end;
1111 mbedtls_x509_buf sig_params1, sig_params2, sig_oid2;
1112
1113 memset(&sig_params1, 0, sizeof(mbedtls_x509_buf));
1114 memset(&sig_params2, 0, sizeof(mbedtls_x509_buf));
1115 memset(&sig_oid2, 0, sizeof(mbedtls_x509_buf));
1116
1117 /*
1118 * Check for valid input
1119 */
1120 if (crt == NULL || buf == NULL) {
1121 return MBEDTLS_ERR_X509_BAD_INPUT_DATA;
1122 }
1123
1124 /* Use the original buffer until we figure out actual length. */
1125 p = (unsigned char *) buf;
1126 len = buflen;
1127 end = p + len;
1128
1129 /*
1130 * Certificate ::= SEQUENCE {
1131 * tbsCertificate TBSCertificate,
1132 * signatureAlgorithm AlgorithmIdentifier,
1133 * signatureValue BIT STRING }
1134 */
1135 if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
1136 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
1137 mbedtls_x509_crt_free(crt);
1138 return MBEDTLS_ERR_X509_INVALID_FORMAT;
1139 }
1140
1141 end = crt_end = p + len;
1142 crt->raw.len = crt_end - buf;
1143 if (make_copy != 0) {
1144 /* Create and populate a new buffer for the raw field. */
1145 crt->raw.p = p = mbedtls_calloc(1, crt->raw.len);
1146 if (crt->raw.p == NULL) {
1147 return MBEDTLS_ERR_X509_ALLOC_FAILED;
1148 }
1149
1150 memcpy(crt->raw.p, buf, crt->raw.len);
1151 crt->own_buffer = 1;
1152
1153 p += crt->raw.len - len;
1154 end = crt_end = p + len;
1155 } else {
1156 crt->raw.p = (unsigned char *) buf;
1157 crt->own_buffer = 0;
1158 }
1159
1160 /*
1161 * TBSCertificate ::= SEQUENCE {
1162 */
1163 crt->tbs.p = p;
1164
1165 if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
1166 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
1167 mbedtls_x509_crt_free(crt);
1168 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_FORMAT, ret);
1169 }
1170
1171 end = p + len;
1172 crt->tbs.len = end - crt->tbs.p;
1173
1174 /*
1175 * Version ::= INTEGER { v1(0), v2(1), v3(2) }
1176 *
1177 * CertificateSerialNumber ::= INTEGER
1178 *
1179 * signature AlgorithmIdentifier
1180 */
1181 if ((ret = x509_get_version(&p, end, &crt->version)) != 0 ||
1182 (ret = mbedtls_x509_get_serial(&p, end, &crt->serial)) != 0 ||
1183 (ret = mbedtls_x509_get_alg(&p, end, &crt->sig_oid,
1184 &sig_params1)) != 0) {
1185 mbedtls_x509_crt_free(crt);
1186 return ret;
1187 }
1188
1189 if (crt->version < 0 || crt->version > 2) {
1190 mbedtls_x509_crt_free(crt);
1191 return MBEDTLS_ERR_X509_UNKNOWN_VERSION;
1192 }
1193
1194 crt->version++;
1195
1196 if ((ret = mbedtls_x509_get_sig_alg(&crt->sig_oid, &sig_params1,
1197 &crt->sig_md, &crt->sig_pk,
1198 &crt->sig_opts)) != 0) {
1199 mbedtls_x509_crt_free(crt);
1200 return ret;
1201 }
1202
1203 /*
1204 * issuer Name
1205 */
1206 crt->issuer_raw.p = p;
1207
1208 if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
1209 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
1210 mbedtls_x509_crt_free(crt);
1211 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_FORMAT, ret);
1212 }
1213
1214 if ((ret = mbedtls_x509_get_name(&p, p + len, &crt->issuer)) != 0) {
1215 mbedtls_x509_crt_free(crt);
1216 return ret;
1217 }
1218
1219 crt->issuer_raw.len = p - crt->issuer_raw.p;
1220
1221 /*
1222 * Validity ::= SEQUENCE {
1223 * notBefore Time,
1224 * notAfter Time }
1225 *
1226 */
1227 if ((ret = x509_get_dates(&p, end, &crt->valid_from,
1228 &crt->valid_to)) != 0) {
1229 mbedtls_x509_crt_free(crt);
1230 return ret;
1231 }
1232
1233 /*
1234 * subject Name
1235 */
1236 crt->subject_raw.p = p;
1237
1238 if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
1239 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
1240 mbedtls_x509_crt_free(crt);
1241 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_FORMAT, ret);
1242 }
1243
1244 if (len && (ret = mbedtls_x509_get_name(&p, p + len, &crt->subject)) != 0) {
1245 mbedtls_x509_crt_free(crt);
1246 return ret;
1247 }
1248
1249 crt->subject_raw.len = p - crt->subject_raw.p;
1250
1251 /*
1252 * SubjectPublicKeyInfo
1253 */
1254 crt->pk_raw.p = p;
1255 if ((ret = mbedtls_pk_parse_subpubkey(&p, end, &crt->pk)) != 0) {
1256 mbedtls_x509_crt_free(crt);
1257 return ret;
1258 }
1259 crt->pk_raw.len = p - crt->pk_raw.p;
1260
1261 /*
1262 * issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
1263 * -- If present, version shall be v2 or v3
1264 * subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
1265 * -- If present, version shall be v2 or v3
1266 * extensions [3] EXPLICIT Extensions OPTIONAL
1267 * -- If present, version shall be v3
1268 */
1269 if (crt->version == 2 || crt->version == 3) {
1270 ret = x509_get_uid(&p, end, &crt->issuer_id, 1);
1271 if (ret != 0) {
1272 mbedtls_x509_crt_free(crt);
1273 return ret;
1274 }
1275 }
1276
1277 if (crt->version == 2 || crt->version == 3) {
1278 ret = x509_get_uid(&p, end, &crt->subject_id, 2);
1279 if (ret != 0) {
1280 mbedtls_x509_crt_free(crt);
1281 return ret;
1282 }
1283 }
1284
1285 int extensions_allowed = 1;
1286#if !defined(MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3)
1287 if (crt->version != 3) {
1288 extensions_allowed = 0;
1289 }
1290#endif
1291 if (extensions_allowed) {
1292 ret = x509_get_crt_ext(&p, end, crt, cb, p_ctx);
1293 if (ret != 0) {
1294 mbedtls_x509_crt_free(crt);
1295 return ret;
1296 }
1297 }
1298
1299 if (p != end) {
1300 mbedtls_x509_crt_free(crt);
1301 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_FORMAT,
1302 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
1303 }
1304
1305 end = crt_end;
1306
1307 /*
1308 * }
1309 * -- end of TBSCertificate
1310 *
1311 * signatureAlgorithm AlgorithmIdentifier,
1312 * signatureValue BIT STRING
1313 */
1314 if ((ret = mbedtls_x509_get_alg(&p, end, &sig_oid2, &sig_params2)) != 0) {
1315 mbedtls_x509_crt_free(crt);
1316 return ret;
1317 }
1318
1319 if (crt->sig_oid.len != sig_oid2.len ||
1320 memcmp(crt->sig_oid.p, sig_oid2.p, crt->sig_oid.len) != 0 ||
1321 sig_params1.tag != sig_params2.tag ||
1322 sig_params1.len != sig_params2.len ||
1323 (sig_params1.len != 0 &&
1324 memcmp(sig_params1.p, sig_params2.p, sig_params1.len) != 0)) {
1325 mbedtls_x509_crt_free(crt);
1326 return MBEDTLS_ERR_X509_SIG_MISMATCH;
1327 }
1328
1329 if ((ret = mbedtls_x509_get_sig(&p, end, &crt->sig)) != 0) {
1330 mbedtls_x509_crt_free(crt);
1331 return ret;
1332 }
1333
1334 if (p != end) {
1335 mbedtls_x509_crt_free(crt);
1336 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_FORMAT,
1337 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
1338 }
1339
1340 return 0;
1341}
1342
1343/*
1344 * Parse one X.509 certificate in DER format from a buffer and add them to a
1345 * chained list
1346 */
1347static int mbedtls_x509_crt_parse_der_internal(mbedtls_x509_crt *chain,
1348 const unsigned char *buf,
1349 size_t buflen,
1350 int make_copy,
1351 mbedtls_x509_crt_ext_cb_t cb,
1352 void *p_ctx)
1353{
1354 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1355 mbedtls_x509_crt *crt = chain, *prev = NULL;
1356
1357 /*
1358 * Check for valid input
1359 */
1360 if (crt == NULL || buf == NULL) {
1361 return MBEDTLS_ERR_X509_BAD_INPUT_DATA;
1362 }
1363
1364 while (crt->version != 0 && crt->next != NULL) {
1365 prev = crt;
1366 crt = crt->next;
1367 }
1368
1369 /*
1370 * Add new certificate on the end of the chain if needed.
1371 */
1372 if (crt->version != 0 && crt->next == NULL) {
1373 crt->next = mbedtls_calloc(1, sizeof(mbedtls_x509_crt));
1374
1375 if (crt->next == NULL) {
1376 return MBEDTLS_ERR_X509_ALLOC_FAILED;
1377 }
1378
1379 prev = crt;
1380 mbedtls_x509_crt_init(crt->next);
1381 crt = crt->next;
1382 }
1383
1384 ret = x509_crt_parse_der_core(crt, buf, buflen, make_copy, cb, p_ctx);
1385 if (ret != 0) {
1386 if (prev) {
1387 prev->next = NULL;
1388 }
1389
1390 if (crt != chain) {
1391 mbedtls_free(crt);
1392 }
1393
1394 return ret;
1395 }
1396
1397 return 0;
1398}
1399
1400int mbedtls_x509_crt_parse_der_nocopy(mbedtls_x509_crt *chain,
1401 const unsigned char *buf,
1402 size_t buflen)
1403{
1404 return mbedtls_x509_crt_parse_der_internal(chain, buf, buflen, 0, NULL, NULL);
1405}
1406
1407int mbedtls_x509_crt_parse_der_with_ext_cb(mbedtls_x509_crt *chain,
1408 const unsigned char *buf,
1409 size_t buflen,
1410 int make_copy,
1411 mbedtls_x509_crt_ext_cb_t cb,
1412 void *p_ctx)
1413{
1414 return mbedtls_x509_crt_parse_der_internal(chain, buf, buflen, make_copy, cb, p_ctx);
1415}
1416
1417int mbedtls_x509_crt_parse_der(mbedtls_x509_crt *chain,
1418 const unsigned char *buf,
1419 size_t buflen)
1420{
1421 return mbedtls_x509_crt_parse_der_internal(chain, buf, buflen, 1, NULL, NULL);
1422}
1423
1424/*
1425 * Parse one or more PEM certificates from a buffer and add them to the chained
1426 * list
1427 */
1428int mbedtls_x509_crt_parse(mbedtls_x509_crt *chain,
1429 const unsigned char *buf,
1430 size_t buflen)
1431{
1432#if defined(MBEDTLS_PEM_PARSE_C)
1433 int success = 0, first_error = 0, total_failed = 0;
1434 int buf_format = MBEDTLS_X509_FORMAT_DER;
1435#endif
1436
1437 /*
1438 * Check for valid input
1439 */
1440 if (chain == NULL || buf == NULL) {
1441 return MBEDTLS_ERR_X509_BAD_INPUT_DATA;
1442 }
1443
1444 /*
1445 * Determine buffer content. Buffer contains either one DER certificate or
1446 * one or more PEM certificates.
1447 */
1448#if defined(MBEDTLS_PEM_PARSE_C)
1449 if (buflen != 0 && buf[buflen - 1] == '\0' &&
1450 strstr((const char *) buf, "-----BEGIN CERTIFICATE-----") != NULL) {
1451 buf_format = MBEDTLS_X509_FORMAT_PEM;
1452 }
1453
1454 if (buf_format == MBEDTLS_X509_FORMAT_DER) {
1455 return mbedtls_x509_crt_parse_der(chain, buf, buflen);
1456 }
1457#else
1458 return mbedtls_x509_crt_parse_der(chain, buf, buflen);
1459#endif
1460
1461#if defined(MBEDTLS_PEM_PARSE_C)
1462 if (buf_format == MBEDTLS_X509_FORMAT_PEM) {
1463 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1464 mbedtls_pem_context pem;
1465
1466 /* 1 rather than 0 since the terminating NULL byte is counted in */
1467 while (buflen > 1) {
1468 size_t use_len;
1469 mbedtls_pem_init(&pem);
1470
1471 /* If we get there, we know the string is null-terminated */
1472 ret = mbedtls_pem_read_buffer(&pem,
1473 "-----BEGIN CERTIFICATE-----",
1474 "-----END CERTIFICATE-----",
1475 buf, NULL, 0, &use_len);
1476
1477 if (ret == 0) {
1478 /*
1479 * Was PEM encoded
1480 */
1481 buflen -= use_len;
1482 buf += use_len;
1483 } else if (ret == MBEDTLS_ERR_PEM_BAD_INPUT_DATA) {
1484 return ret;
1485 } else if (ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT) {
1486 mbedtls_pem_free(&pem);
1487
1488 /*
1489 * PEM header and footer were found
1490 */
1491 buflen -= use_len;
1492 buf += use_len;
1493
1494 if (first_error == 0) {
1495 first_error = ret;
1496 }
1497
1498 total_failed++;
1499 continue;
1500 } else {
1501 break;
1502 }
1503
1504 ret = mbedtls_x509_crt_parse_der(chain, pem.buf, pem.buflen);
1505
1506 mbedtls_pem_free(&pem);
1507
1508 if (ret != 0) {
1509 /*
1510 * Quit parsing on a memory error
1511 */
1512 if (ret == MBEDTLS_ERR_X509_ALLOC_FAILED) {
1513 return ret;
1514 }
1515
1516 if (first_error == 0) {
1517 first_error = ret;
1518 }
1519
1520 total_failed++;
1521 continue;
1522 }
1523
1524 success = 1;
1525 }
1526 }
1527
1528 if (success) {
1529 return total_failed;
1530 } else if (first_error) {
1531 return first_error;
1532 } else {
1533 return MBEDTLS_ERR_X509_CERT_UNKNOWN_FORMAT;
1534 }
1535#endif /* MBEDTLS_PEM_PARSE_C */
1536}
1537
1538#if defined(MBEDTLS_FS_IO)
1539/*
1540 * Load one or more certificates and add them to the chained list
1541 */
1542int mbedtls_x509_crt_parse_file(mbedtls_x509_crt *chain, const char *path)
1543{
1544 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1545 size_t n;
1546 unsigned char *buf;
1547
1548 if ((ret = mbedtls_pk_load_file(path, &buf, &n)) != 0) {
1549 return ret;
1550 }
1551
1552 ret = mbedtls_x509_crt_parse(chain, buf, n);
1553
1554 mbedtls_platform_zeroize(buf, n);
1555 mbedtls_free(buf);
1556
1557 return ret;
1558}
1559
1560int mbedtls_x509_crt_parse_path(mbedtls_x509_crt *chain, const char *path)
1561{
1562 int ret = 0;
1563#if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
1564 int w_ret;
1565 WCHAR szDir[MAX_PATH];
1566 char filename[MAX_PATH];
1567 char *p;
1568 size_t len = strlen(path);
1569
1570 WIN32_FIND_DATAW file_data;
1571 HANDLE hFind;
1572
1573 if (len > MAX_PATH - 3) {
1574 return MBEDTLS_ERR_X509_BAD_INPUT_DATA;
1575 }
1576
1577 memset(szDir, 0, sizeof(szDir));
1578 memset(filename, 0, MAX_PATH);
1579 memcpy(filename, path, len);
1580 filename[len++] = '\\';
1581 p = filename + len;
1582 filename[len++] = '*';
1583
1584 w_ret = MultiByteToWideChar(CP_ACP, 0, filename, (int) len, szDir,
1585 MAX_PATH - 3);
1586 if (w_ret == 0) {
1587 return MBEDTLS_ERR_X509_BAD_INPUT_DATA;
1588 }
1589
1590 hFind = FindFirstFileW(szDir, &file_data);
1591 if (hFind == INVALID_HANDLE_VALUE) {
1592 return MBEDTLS_ERR_X509_FILE_IO_ERROR;
1593 }
1594
1595 len = MAX_PATH - len;
1596 do {
1597 memset(p, 0, len);
1598
1599 if (file_data.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) {
1600 continue;
1601 }
1602
1603 w_ret = WideCharToMultiByte(CP_ACP, 0, file_data.cFileName,
1604 -1,
1605 p, (int) len,
1606 NULL, NULL);
1607 if (w_ret == 0) {
1608 ret = MBEDTLS_ERR_X509_FILE_IO_ERROR;
1609 goto cleanup;
1610 }
1611
1612 w_ret = mbedtls_x509_crt_parse_file(chain, filename);
1613 if (w_ret < 0) {
1614 ret++;
1615 } else {
1616 ret += w_ret;
1617 }
1618 } while (FindNextFileW(hFind, &file_data) != 0);
1619
1620 if (GetLastError() != ERROR_NO_MORE_FILES) {
1621 ret = MBEDTLS_ERR_X509_FILE_IO_ERROR;
1622 }
1623
1624cleanup:
1625 FindClose(hFind);
1626#else /* _WIN32 */
1627 int t_ret;
1628 int snp_ret;
1629 struct stat sb;
1630 struct dirent *entry;
1631 char entry_name[MBEDTLS_X509_MAX_FILE_PATH_LEN];
1632 DIR *dir = opendir(path);
1633
1634 if (dir == NULL) {
1635 return MBEDTLS_ERR_X509_FILE_IO_ERROR;
1636 }
1637
1638#if defined(MBEDTLS_THREADING_C)
1639 if ((ret = mbedtls_mutex_lock(&mbedtls_threading_readdir_mutex)) != 0) {
1640 closedir(dir);
1641 return ret;
1642 }
1643#endif /* MBEDTLS_THREADING_C */
1644
1645 memset(&sb, 0, sizeof(sb));
1646
1647 while ((entry = readdir(dir)) != NULL) {
1648 snp_ret = mbedtls_snprintf(entry_name, sizeof(entry_name),
1649 "%s/%s", path, entry->d_name);
1650
1651 if (snp_ret < 0 || (size_t) snp_ret >= sizeof(entry_name)) {
1652 ret = MBEDTLS_ERR_X509_BUFFER_TOO_SMALL;
1653 goto cleanup;
1654 } else if (stat(entry_name, &sb) == -1) {
1655 if (errno == ENOENT) {
1656 /* Broken symbolic link - ignore this entry.
1657 stat(2) will return this error for either (a) a dangling
1658 symlink or (b) a missing file.
1659 Given that we have just obtained the filename from readdir,
1660 assume that it does exist and therefore treat this as a
1661 dangling symlink. */
1662 continue;
1663 } else {
1664 /* Some other file error; report the error. */
1665 ret = MBEDTLS_ERR_X509_FILE_IO_ERROR;
1666 goto cleanup;
1667 }
1668 }
1669
1670 if (!S_ISREG(sb.st_mode)) {
1671 continue;
1672 }
1673
1674 // Ignore parse errors
1675 //
1676 t_ret = mbedtls_x509_crt_parse_file(chain, entry_name);
1677 if (t_ret < 0) {
1678 ret++;
1679 } else {
1680 ret += t_ret;
1681 }
1682 }
1683
1684cleanup:
1685 closedir(dir);
1686
1687#if defined(MBEDTLS_THREADING_C)
1688 if (mbedtls_mutex_unlock(&mbedtls_threading_readdir_mutex) != 0) {
1689 ret = MBEDTLS_ERR_THREADING_MUTEX_ERROR;
1690 }
1691#endif /* MBEDTLS_THREADING_C */
1692
1693#endif /* _WIN32 */
1694
1695 return ret;
1696}
1697#endif /* MBEDTLS_FS_IO */
1698
1699/*
1700 * OtherName ::= SEQUENCE {
1701 * type-id OBJECT IDENTIFIER,
1702 * value [0] EXPLICIT ANY DEFINED BY type-id }
1703 *
1704 * HardwareModuleName ::= SEQUENCE {
1705 * hwType OBJECT IDENTIFIER,
1706 * hwSerialNum OCTET STRING }
1707 *
1708 * NOTE: we currently only parse and use otherName of type HwModuleName,
1709 * as defined in RFC 4108.
1710 */
1711static int x509_get_other_name(const mbedtls_x509_buf *subject_alt_name,
1712 mbedtls_x509_san_other_name *other_name)
1713{
1714 int ret = 0;
1715 size_t len;
1716 unsigned char *p = subject_alt_name->p;
1717 const unsigned char *end = p + subject_alt_name->len;
1718 mbedtls_x509_buf cur_oid;
1719
1720 if ((subject_alt_name->tag &
1721 (MBEDTLS_ASN1_TAG_CLASS_MASK | MBEDTLS_ASN1_TAG_VALUE_MASK)) !=
1722 (MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_X509_SAN_OTHER_NAME)) {
1723 /*
1724 * The given subject alternative name is not of type "othername".
1725 */
1726 return MBEDTLS_ERR_X509_BAD_INPUT_DATA;
1727 }
1728
1729 if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
1730 MBEDTLS_ASN1_OID)) != 0) {
1731 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
1732 }
1733
1734 cur_oid.tag = MBEDTLS_ASN1_OID;
1735 cur_oid.p = p;
1736 cur_oid.len = len;
1737
1738 /*
1739 * Only HwModuleName is currently supported.
1740 */
1741 if (MBEDTLS_OID_CMP(MBEDTLS_OID_ON_HW_MODULE_NAME, &cur_oid) != 0) {
1742 return MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE;
1743 }
1744
1745 p += len;
1746 if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
1747 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_CONTEXT_SPECIFIC)) !=
1748 0) {
1749 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
1750 }
1751
1752 if (end != p + len) {
1753 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
1754 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
1755 }
1756
1757 if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
1758 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
1759 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
1760 }
1761
1762 if (end != p + len) {
1763 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
1764 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
1765 }
1766
1767 if ((ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OID)) != 0) {
1768 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
1769 }
1770
1771 other_name->value.hardware_module_name.oid.tag = MBEDTLS_ASN1_OID;
1772 other_name->value.hardware_module_name.oid.p = p;
1773 other_name->value.hardware_module_name.oid.len = len;
1774
1775 p += len;
1776 if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
1777 MBEDTLS_ASN1_OCTET_STRING)) != 0) {
1778 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
1779 }
1780
1781 other_name->value.hardware_module_name.val.tag = MBEDTLS_ASN1_OCTET_STRING;
1782 other_name->value.hardware_module_name.val.p = p;
1783 other_name->value.hardware_module_name.val.len = len;
1784 p += len;
1785 if (p != end) {
1786 return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
1787 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
1788 }
1789 return 0;
1790}
1791
1792static int x509_info_subject_alt_name(char **buf, size_t *size,
1793 const mbedtls_x509_sequence
1794 *subject_alt_name,
1795 const char *prefix)
1796{
1797 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1798 size_t i;
1799 size_t n = *size;
1800 char *p = *buf;
1801 const mbedtls_x509_sequence *cur = subject_alt_name;
1802 mbedtls_x509_subject_alternative_name san;
1803 int parse_ret;
1804
1805 while (cur != NULL) {
1806 memset(&san, 0, sizeof(san));
1807 parse_ret = mbedtls_x509_parse_subject_alt_name(&cur->buf, &san);
1808 if (parse_ret != 0) {
1809 if (parse_ret == MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE) {
1810 ret = mbedtls_snprintf(p, n, "\n%s <unsupported>", prefix);
1811 MBEDTLS_X509_SAFE_SNPRINTF;
1812 } else {
1813 ret = mbedtls_snprintf(p, n, "\n%s <malformed>", prefix);
1814 MBEDTLS_X509_SAFE_SNPRINTF;
1815 }
1816 cur = cur->next;
1817 continue;
1818 }
1819
1820 switch (san.type) {
1821 /*
1822 * otherName
1823 */
1824 case MBEDTLS_X509_SAN_OTHER_NAME:
1825 {
1826 mbedtls_x509_san_other_name *other_name = &san.san.other_name;
1827
1828 ret = mbedtls_snprintf(p, n, "\n%s otherName :", prefix);
1829 MBEDTLS_X509_SAFE_SNPRINTF;
1830
1831 if (MBEDTLS_OID_CMP(MBEDTLS_OID_ON_HW_MODULE_NAME,
1832 &other_name->value.hardware_module_name.oid) != 0) {
1833 ret = mbedtls_snprintf(p, n, "\n%s hardware module name :", prefix);
1834 MBEDTLS_X509_SAFE_SNPRINTF;
1835 ret =
1836 mbedtls_snprintf(p, n, "\n%s hardware type : ", prefix);
1837 MBEDTLS_X509_SAFE_SNPRINTF;
1838
1839 ret = mbedtls_oid_get_numeric_string(p,
1840 n,
1841 &other_name->value.hardware_module_name.oid);
1842 MBEDTLS_X509_SAFE_SNPRINTF;
1843
1844 ret =
1845 mbedtls_snprintf(p, n, "\n%s hardware serial number : ", prefix);
1846 MBEDTLS_X509_SAFE_SNPRINTF;
1847
1848 for (i = 0; i < other_name->value.hardware_module_name.val.len; i++) {
1849 ret = mbedtls_snprintf(p,
1850 n,
1851 "%02X",
1852 other_name->value.hardware_module_name.val.p[i]);
1853 MBEDTLS_X509_SAFE_SNPRINTF;
1854 }
1855 }/* MBEDTLS_OID_ON_HW_MODULE_NAME */
1856 }
1857 break;
1858
1859 /*
1860 * dNSName
1861 */
1862 case MBEDTLS_X509_SAN_DNS_NAME:
1863 {
1864 ret = mbedtls_snprintf(p, n, "\n%s dNSName : ", prefix);
1865 MBEDTLS_X509_SAFE_SNPRINTF;
1866 if (san.san.unstructured_name.len >= n) {
1867 *p = '\0';
1868 return MBEDTLS_ERR_X509_BUFFER_TOO_SMALL;
1869 }
1870
1871 memcpy(p, san.san.unstructured_name.p, san.san.unstructured_name.len);
1872 p += san.san.unstructured_name.len;
1873 n -= san.san.unstructured_name.len;
1874 }
1875 break;
1876
1877 /*
1878 * Type not supported, skip item.
1879 */
1880 default:
1881 ret = mbedtls_snprintf(p, n, "\n%s <unsupported>", prefix);
1882 MBEDTLS_X509_SAFE_SNPRINTF;
1883 break;
1884 }
1885
1886 cur = cur->next;
1887 }
1888
1889 *p = '\0';
1890
1891 *size = n;
1892 *buf = p;
1893
1894 return 0;
1895}
1896
1897int mbedtls_x509_parse_subject_alt_name(const mbedtls_x509_buf *san_buf,
1898 mbedtls_x509_subject_alternative_name *san)
1899{
1900 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1901 switch (san_buf->tag &
1902 (MBEDTLS_ASN1_TAG_CLASS_MASK |
1903 MBEDTLS_ASN1_TAG_VALUE_MASK)) {
1904 /*
1905 * otherName
1906 */
1907 case (MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_X509_SAN_OTHER_NAME):
1908 {
1909 mbedtls_x509_san_other_name other_name;
1910
1911 ret = x509_get_other_name(san_buf, &other_name);
1912 if (ret != 0) {
1913 return ret;
1914 }
1915
1916 memset(san, 0, sizeof(mbedtls_x509_subject_alternative_name));
1917 san->type = MBEDTLS_X509_SAN_OTHER_NAME;
1918 memcpy(&san->san.other_name,
1919 &other_name, sizeof(other_name));
1920
1921 }
1922 break;
1923
1924 /*
1925 * dNSName
1926 */
1927 case (MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_X509_SAN_DNS_NAME):
1928 {
1929 memset(san, 0, sizeof(mbedtls_x509_subject_alternative_name));
1930 san->type = MBEDTLS_X509_SAN_DNS_NAME;
1931
1932 memcpy(&san->san.unstructured_name,
1933 san_buf, sizeof(*san_buf));
1934
1935 }
1936 break;
1937
1938 /*
1939 * Type not supported
1940 */
1941 default:
1942 return MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE;
1943 }
1944 return 0;
1945}
1946
1947#define PRINT_ITEM(i) \
1948 do { \
1949 ret = mbedtls_snprintf(p, n, "%s" i, sep); \
1950 MBEDTLS_X509_SAFE_SNPRINTF; \
1951 sep = ", "; \
1952 } while (0)
1953
1954#define CERT_TYPE(type, name) \
1955 do { \
1956 if (ns_cert_type & (type)) { \
1957 PRINT_ITEM(name); \
1958 } \
1959 } while (0)
1960
1961static int x509_info_cert_type(char **buf, size_t *size,
1962 unsigned char ns_cert_type)
1963{
1964 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1965 size_t n = *size;
1966 char *p = *buf;
1967 const char *sep = "";
1968
1969 CERT_TYPE(MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT, "SSL Client");
1970 CERT_TYPE(MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER, "SSL Server");
1971 CERT_TYPE(MBEDTLS_X509_NS_CERT_TYPE_EMAIL, "Email");
1972 CERT_TYPE(MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING, "Object Signing");
1973 CERT_TYPE(MBEDTLS_X509_NS_CERT_TYPE_RESERVED, "Reserved");
1974 CERT_TYPE(MBEDTLS_X509_NS_CERT_TYPE_SSL_CA, "SSL CA");
1975 CERT_TYPE(MBEDTLS_X509_NS_CERT_TYPE_EMAIL_CA, "Email CA");
1976 CERT_TYPE(MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING_CA, "Object Signing CA");
1977
1978 *size = n;
1979 *buf = p;
1980
1981 return 0;
1982}
1983
1984#define KEY_USAGE(code, name) \
1985 do { \
1986 if (key_usage & (code)) { \
1987 PRINT_ITEM(name); \
1988 } \
1989 } while (0)
1990
1991static int x509_info_key_usage(char **buf, size_t *size,
1992 unsigned int key_usage)
1993{
1994 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1995 size_t n = *size;
1996 char *p = *buf;
1997 const char *sep = "";
1998
1999 KEY_USAGE(MBEDTLS_X509_KU_DIGITAL_SIGNATURE, "Digital Signature");
2000 KEY_USAGE(MBEDTLS_X509_KU_NON_REPUDIATION, "Non Repudiation");
2001 KEY_USAGE(MBEDTLS_X509_KU_KEY_ENCIPHERMENT, "Key Encipherment");
2002 KEY_USAGE(MBEDTLS_X509_KU_DATA_ENCIPHERMENT, "Data Encipherment");
2003 KEY_USAGE(MBEDTLS_X509_KU_KEY_AGREEMENT, "Key Agreement");
2004 KEY_USAGE(MBEDTLS_X509_KU_KEY_CERT_SIGN, "Key Cert Sign");
2005 KEY_USAGE(MBEDTLS_X509_KU_CRL_SIGN, "CRL Sign");
2006 KEY_USAGE(MBEDTLS_X509_KU_ENCIPHER_ONLY, "Encipher Only");
2007 KEY_USAGE(MBEDTLS_X509_KU_DECIPHER_ONLY, "Decipher Only");
2008
2009 *size = n;
2010 *buf = p;
2011
2012 return 0;
2013}
2014
2015static int x509_info_ext_key_usage(char **buf, size_t *size,
2016 const mbedtls_x509_sequence *extended_key_usage)
2017{
2018 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2019 const char *desc;
2020 size_t n = *size;
2021 char *p = *buf;
2022 const mbedtls_x509_sequence *cur = extended_key_usage;
2023 const char *sep = "";
2024
2025 while (cur != NULL) {
2026 if (mbedtls_oid_get_extended_key_usage(&cur->buf, &desc) != 0) {
2027 desc = "???";
2028 }
2029
2030 ret = mbedtls_snprintf(p, n, "%s%s", sep, desc);
2031 MBEDTLS_X509_SAFE_SNPRINTF;
2032
2033 sep = ", ";
2034
2035 cur = cur->next;
2036 }
2037
2038 *size = n;
2039 *buf = p;
2040
2041 return 0;
2042}
2043
2044static int x509_info_cert_policies(char **buf, size_t *size,
2045 const mbedtls_x509_sequence *certificate_policies)
2046{
2047 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2048 const char *desc;
2049 size_t n = *size;
2050 char *p = *buf;
2051 const mbedtls_x509_sequence *cur = certificate_policies;
2052 const char *sep = "";
2053
2054 while (cur != NULL) {
2055 if (mbedtls_oid_get_certificate_policies(&cur->buf, &desc) != 0) {
2056 desc = "???";
2057 }
2058
2059 ret = mbedtls_snprintf(p, n, "%s%s", sep, desc);
2060 MBEDTLS_X509_SAFE_SNPRINTF;
2061
2062 sep = ", ";
2063
2064 cur = cur->next;
2065 }
2066
2067 *size = n;
2068 *buf = p;
2069
2070 return 0;
2071}
2072
2073/*
2074 * Return an informational string about the certificate.
2075 */
2076#define BEFORE_COLON 18
2077#define BC "18"
2078int mbedtls_x509_crt_info(char *buf, size_t size, const char *prefix,
2079 const mbedtls_x509_crt *crt)
2080{
2081 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2082 size_t n;
2083 char *p;
2084 char key_size_str[BEFORE_COLON];
2085
2086 p = buf;
2087 n = size;
2088
2089 if (NULL == crt) {
2090 ret = mbedtls_snprintf(p, n, "\nCertificate is uninitialised!\n");
2091 MBEDTLS_X509_SAFE_SNPRINTF;
2092
2093 return (int) (size - n);
2094 }
2095
2096 ret = mbedtls_snprintf(p, n, "%scert. version : %d\n",
2097 prefix, crt->version);
2098 MBEDTLS_X509_SAFE_SNPRINTF;
2099 ret = mbedtls_snprintf(p, n, "%sserial number : ",
2100 prefix);
2101 MBEDTLS_X509_SAFE_SNPRINTF;
2102
2103 ret = mbedtls_x509_serial_gets(p, n, &crt->serial);
2104 MBEDTLS_X509_SAFE_SNPRINTF;
2105
2106 ret = mbedtls_snprintf(p, n, "\n%sissuer name : ", prefix);
2107 MBEDTLS_X509_SAFE_SNPRINTF;
2108 ret = mbedtls_x509_dn_gets(p, n, &crt->issuer);
2109 MBEDTLS_X509_SAFE_SNPRINTF;
2110
2111 ret = mbedtls_snprintf(p, n, "\n%ssubject name : ", prefix);
2112 MBEDTLS_X509_SAFE_SNPRINTF;
2113 ret = mbedtls_x509_dn_gets(p, n, &crt->subject);
2114 MBEDTLS_X509_SAFE_SNPRINTF;
2115
2116 ret = mbedtls_snprintf(p, n, "\n%sissued on : " \
2117 "%04d-%02d-%02d %02d:%02d:%02d", prefix,
2118 crt->valid_from.year, crt->valid_from.mon,
2119 crt->valid_from.day, crt->valid_from.hour,
2120 crt->valid_from.min, crt->valid_from.sec);
2121 MBEDTLS_X509_SAFE_SNPRINTF;
2122
2123 ret = mbedtls_snprintf(p, n, "\n%sexpires on : " \
2124 "%04d-%02d-%02d %02d:%02d:%02d", prefix,
2125 crt->valid_to.year, crt->valid_to.mon,
2126 crt->valid_to.day, crt->valid_to.hour,
2127 crt->valid_to.min, crt->valid_to.sec);
2128 MBEDTLS_X509_SAFE_SNPRINTF;
2129
2130 ret = mbedtls_snprintf(p, n, "\n%ssigned using : ", prefix);
2131 MBEDTLS_X509_SAFE_SNPRINTF;
2132
2133 ret = mbedtls_x509_sig_alg_gets(p, n, &crt->sig_oid, crt->sig_pk,
2134 crt->sig_md, crt->sig_opts);
2135 MBEDTLS_X509_SAFE_SNPRINTF;
2136
2137 /* Key size */
2138 if ((ret = mbedtls_x509_key_size_helper(key_size_str, BEFORE_COLON,
2139 mbedtls_pk_get_name(&crt->pk))) != 0) {
2140 return ret;
2141 }
2142
2143 ret = mbedtls_snprintf(p, n, "\n%s%-" BC "s: %d bits", prefix, key_size_str,
2144 (int) mbedtls_pk_get_bitlen(&crt->pk));
2145 MBEDTLS_X509_SAFE_SNPRINTF;
2146
2147 /*
2148 * Optional extensions
2149 */
2150
2151 if (crt->ext_types & MBEDTLS_X509_EXT_BASIC_CONSTRAINTS) {
2152 ret = mbedtls_snprintf(p, n, "\n%sbasic constraints : CA=%s", prefix,
2153 crt->ca_istrue ? "true" : "false");
2154 MBEDTLS_X509_SAFE_SNPRINTF;
2155
2156 if (crt->max_pathlen > 0) {
2157 ret = mbedtls_snprintf(p, n, ", max_pathlen=%d", crt->max_pathlen - 1);
2158 MBEDTLS_X509_SAFE_SNPRINTF;
2159 }
2160 }
2161
2162 if (crt->ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME) {
2163 ret = mbedtls_snprintf(p, n, "\n%ssubject alt name :", prefix);
2164 MBEDTLS_X509_SAFE_SNPRINTF;
2165
2166 if ((ret = x509_info_subject_alt_name(&p, &n,
2167 &crt->subject_alt_names,
2168 prefix)) != 0) {
2169 return ret;
2170 }
2171 }
2172
2173 if (crt->ext_types & MBEDTLS_X509_EXT_NS_CERT_TYPE) {
2174 ret = mbedtls_snprintf(p, n, "\n%scert. type : ", prefix);
2175 MBEDTLS_X509_SAFE_SNPRINTF;
2176
2177 if ((ret = x509_info_cert_type(&p, &n, crt->ns_cert_type)) != 0) {
2178 return ret;
2179 }
2180 }
2181
2182 if (crt->ext_types & MBEDTLS_X509_EXT_KEY_USAGE) {
2183 ret = mbedtls_snprintf(p, n, "\n%skey usage : ", prefix);
2184 MBEDTLS_X509_SAFE_SNPRINTF;
2185
2186 if ((ret = x509_info_key_usage(&p, &n, crt->key_usage)) != 0) {
2187 return ret;
2188 }
2189 }
2190
2191 if (crt->ext_types & MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE) {
2192 ret = mbedtls_snprintf(p, n, "\n%sext key usage : ", prefix);
2193 MBEDTLS_X509_SAFE_SNPRINTF;
2194
2195 if ((ret = x509_info_ext_key_usage(&p, &n,
2196 &crt->ext_key_usage)) != 0) {
2197 return ret;
2198 }
2199 }
2200
2201 if (crt->ext_types & MBEDTLS_OID_X509_EXT_CERTIFICATE_POLICIES) {
2202 ret = mbedtls_snprintf(p, n, "\n%scertificate policies : ", prefix);
2203 MBEDTLS_X509_SAFE_SNPRINTF;
2204
2205 if ((ret = x509_info_cert_policies(&p, &n,
2206 &crt->certificate_policies)) != 0) {
2207 return ret;
2208 }
2209 }
2210
2211 ret = mbedtls_snprintf(p, n, "\n");
2212 MBEDTLS_X509_SAFE_SNPRINTF;
2213
2214 return (int) (size - n);
2215}
2216
2217struct x509_crt_verify_string {
2218 int code;
2219 const char *string;
2220};
2221
2222static const struct x509_crt_verify_string x509_crt_verify_strings[] = {
2223 { MBEDTLS_X509_BADCERT_EXPIRED, "The certificate validity has expired" },
2224 { MBEDTLS_X509_BADCERT_REVOKED, "The certificate has been revoked (is on a CRL)" },
2225 { MBEDTLS_X509_BADCERT_CN_MISMATCH,
2226 "The certificate Common Name (CN) does not match with the expected CN" },
2227 { MBEDTLS_X509_BADCERT_NOT_TRUSTED,
2228 "The certificate is not correctly signed by the trusted CA" },
2229 { MBEDTLS_X509_BADCRL_NOT_TRUSTED, "The CRL is not correctly signed by the trusted CA" },
2230 { MBEDTLS_X509_BADCRL_EXPIRED, "The CRL is expired" },
2231 { MBEDTLS_X509_BADCERT_MISSING, "Certificate was missing" },
2232 { MBEDTLS_X509_BADCERT_SKIP_VERIFY, "Certificate verification was skipped" },
2233 { MBEDTLS_X509_BADCERT_OTHER, "Other reason (can be used by verify callback)" },
2234 { MBEDTLS_X509_BADCERT_FUTURE, "The certificate validity starts in the future" },
2235 { MBEDTLS_X509_BADCRL_FUTURE, "The CRL is from the future" },
2236 { MBEDTLS_X509_BADCERT_KEY_USAGE, "Usage does not match the keyUsage extension" },
2237 { MBEDTLS_X509_BADCERT_EXT_KEY_USAGE, "Usage does not match the extendedKeyUsage extension" },
2238 { MBEDTLS_X509_BADCERT_NS_CERT_TYPE, "Usage does not match the nsCertType extension" },
2239 { MBEDTLS_X509_BADCERT_BAD_MD, "The certificate is signed with an unacceptable hash." },
2240 { MBEDTLS_X509_BADCERT_BAD_PK,
2241 "The certificate is signed with an unacceptable PK alg (eg RSA vs ECDSA)." },
2242 { MBEDTLS_X509_BADCERT_BAD_KEY,
2243 "The certificate is signed with an unacceptable key (eg bad curve, RSA too short)." },
2244 { MBEDTLS_X509_BADCRL_BAD_MD, "The CRL is signed with an unacceptable hash." },
2245 { MBEDTLS_X509_BADCRL_BAD_PK,
2246 "The CRL is signed with an unacceptable PK alg (eg RSA vs ECDSA)." },
2247 { MBEDTLS_X509_BADCRL_BAD_KEY,
2248 "The CRL is signed with an unacceptable key (eg bad curve, RSA too short)." },
2249 { 0, NULL }
2250};
2251
2252int mbedtls_x509_crt_verify_info(char *buf, size_t size, const char *prefix,
2253 uint32_t flags)
2254{
2255 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2256 const struct x509_crt_verify_string *cur;
2257 char *p = buf;
2258 size_t n = size;
2259
2260 for (cur = x509_crt_verify_strings; cur->string != NULL; cur++) {
2261 if ((flags & cur->code) == 0) {
2262 continue;
2263 }
2264
2265 ret = mbedtls_snprintf(p, n, "%s%s\n", prefix, cur->string);
2266 MBEDTLS_X509_SAFE_SNPRINTF;
2267 flags ^= cur->code;
2268 }
2269
2270 if (flags != 0) {
2271 ret = mbedtls_snprintf(p, n, "%sUnknown reason "
2272 "(this should not happen)\n", prefix);
2273 MBEDTLS_X509_SAFE_SNPRINTF;
2274 }
2275
2276 return (int) (size - n);
2277}
2278
2279#if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
2280int mbedtls_x509_crt_check_key_usage(const mbedtls_x509_crt *crt,
2281 unsigned int usage)
2282{
2283 unsigned int usage_must, usage_may;
2284 unsigned int may_mask = MBEDTLS_X509_KU_ENCIPHER_ONLY
2285 | MBEDTLS_X509_KU_DECIPHER_ONLY;
2286
2287 if ((crt->ext_types & MBEDTLS_X509_EXT_KEY_USAGE) == 0) {
2288 return 0;
2289 }
2290
2291 usage_must = usage & ~may_mask;
2292
2293 if (((crt->key_usage & ~may_mask) & usage_must) != usage_must) {
2294 return MBEDTLS_ERR_X509_BAD_INPUT_DATA;
2295 }
2296
2297 usage_may = usage & may_mask;
2298
2299 if (((crt->key_usage & may_mask) | usage_may) != usage_may) {
2300 return MBEDTLS_ERR_X509_BAD_INPUT_DATA;
2301 }
2302
2303 return 0;
2304}
2305#endif
2306
2307#if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
2308int mbedtls_x509_crt_check_extended_key_usage(const mbedtls_x509_crt *crt,
2309 const char *usage_oid,
2310 size_t usage_len)
2311{
2312 const mbedtls_x509_sequence *cur;
2313
2314 /* Extension is not mandatory, absent means no restriction */
2315 if ((crt->ext_types & MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE) == 0) {
2316 return 0;
2317 }
2318
2319 /*
2320 * Look for the requested usage (or wildcard ANY) in our list
2321 */
2322 for (cur = &crt->ext_key_usage; cur != NULL; cur = cur->next) {
2323 const mbedtls_x509_buf *cur_oid = &cur->buf;
2324
2325 if (cur_oid->len == usage_len &&
2326 memcmp(cur_oid->p, usage_oid, usage_len) == 0) {
2327 return 0;
2328 }
2329
2330 if (MBEDTLS_OID_CMP(MBEDTLS_OID_ANY_EXTENDED_KEY_USAGE, cur_oid) == 0) {
2331 return 0;
2332 }
2333 }
2334
2335 return MBEDTLS_ERR_X509_BAD_INPUT_DATA;
2336}
2337#endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE */
2338
2339#if defined(MBEDTLS_X509_CRL_PARSE_C)
2340/*
2341 * Return 1 if the certificate is revoked, or 0 otherwise.
2342 */
2343int mbedtls_x509_crt_is_revoked(const mbedtls_x509_crt *crt, const mbedtls_x509_crl *crl)
2344{
2345 const mbedtls_x509_crl_entry *cur = &crl->entry;
2346
2347 while (cur != NULL && cur->serial.len != 0) {
2348 if (crt->serial.len == cur->serial.len &&
2349 memcmp(crt->serial.p, cur->serial.p, crt->serial.len) == 0) {
2350 return 1;
2351 }
2352
2353 cur = cur->next;
2354 }
2355
2356 return 0;
2357}
2358
2359/*
2360 * Check that the given certificate is not revoked according to the CRL.
2361 * Skip validation if no CRL for the given CA is present.
2362 */
2363static int x509_crt_verifycrl(mbedtls_x509_crt *crt, mbedtls_x509_crt *ca,
2364 mbedtls_x509_crl *crl_list,
2365 const mbedtls_x509_crt_profile *profile)
2366{
2367 int flags = 0;
2368 unsigned char hash[MBEDTLS_MD_MAX_SIZE];
2369 const mbedtls_md_info_t *md_info;
2370
2371 if (ca == NULL) {
2372 return flags;
2373 }
2374
2375 while (crl_list != NULL) {
2376 if (crl_list->version == 0 ||
2377 x509_name_cmp(&crl_list->issuer, &ca->subject) != 0) {
2378 crl_list = crl_list->next;
2379 continue;
2380 }
2381
2382 /*
2383 * Check if the CA is configured to sign CRLs
2384 */
2385#if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
2386 if (mbedtls_x509_crt_check_key_usage(ca,
2387 MBEDTLS_X509_KU_CRL_SIGN) != 0) {
2388 flags |= MBEDTLS_X509_BADCRL_NOT_TRUSTED;
2389 break;
2390 }
2391#endif
2392
2393 /*
2394 * Check if CRL is correctly signed by the trusted CA
2395 */
2396 if (x509_profile_check_md_alg(profile, crl_list->sig_md) != 0) {
2397 flags |= MBEDTLS_X509_BADCRL_BAD_MD;
2398 }
2399
2400 if (x509_profile_check_pk_alg(profile, crl_list->sig_pk) != 0) {
2401 flags |= MBEDTLS_X509_BADCRL_BAD_PK;
2402 }
2403
2404 md_info = mbedtls_md_info_from_type(crl_list->sig_md);
2405 if (mbedtls_md(md_info, crl_list->tbs.p, crl_list->tbs.len, hash) != 0) {
2406 /* Note: this can't happen except after an internal error */
2407 flags |= MBEDTLS_X509_BADCRL_NOT_TRUSTED;
2408 break;
2409 }
2410
2411 if (x509_profile_check_key(profile, &ca->pk) != 0) {
2412 flags |= MBEDTLS_X509_BADCERT_BAD_KEY;
2413 }
2414
2415 if (mbedtls_pk_verify_ext(crl_list->sig_pk, crl_list->sig_opts, &ca->pk,
2416 crl_list->sig_md, hash, mbedtls_md_get_size(md_info),
2417 crl_list->sig.p, crl_list->sig.len) != 0) {
2418 flags |= MBEDTLS_X509_BADCRL_NOT_TRUSTED;
2419 break;
2420 }
2421
2422 /*
2423 * Check for validity of CRL (Do not drop out)
2424 */
2425 if (mbedtls_x509_time_is_past(&crl_list->next_update)) {
2426 flags |= MBEDTLS_X509_BADCRL_EXPIRED;
2427 }
2428
2429 if (mbedtls_x509_time_is_future(&crl_list->this_update)) {
2430 flags |= MBEDTLS_X509_BADCRL_FUTURE;
2431 }
2432
2433 /*
2434 * Check if certificate is revoked
2435 */
2436 if (mbedtls_x509_crt_is_revoked(crt, crl_list)) {
2437 flags |= MBEDTLS_X509_BADCERT_REVOKED;
2438 break;
2439 }
2440
2441 crl_list = crl_list->next;
2442 }
2443
2444 return flags;
2445}
2446#endif /* MBEDTLS_X509_CRL_PARSE_C */
2447
2448/*
2449 * Check the signature of a certificate by its parent
2450 */
2451static int x509_crt_check_signature(const mbedtls_x509_crt *child,
2452 mbedtls_x509_crt *parent,
2453 mbedtls_x509_crt_restart_ctx *rs_ctx)
2454{
2455 unsigned char hash[MBEDTLS_MD_MAX_SIZE];
2456 size_t hash_len;
2457#if !defined(MBEDTLS_USE_PSA_CRYPTO)
2458 const mbedtls_md_info_t *md_info;
2459 md_info = mbedtls_md_info_from_type(child->sig_md);
2460 hash_len = mbedtls_md_get_size(md_info);
2461
2462 /* Note: hash errors can happen only after an internal error */
2463 if (mbedtls_md(md_info, child->tbs.p, child->tbs.len, hash) != 0) {
2464 return -1;
2465 }
2466#else
2467 psa_hash_operation_t hash_operation = PSA_HASH_OPERATION_INIT;
2468 psa_algorithm_t hash_alg = mbedtls_psa_translate_md(child->sig_md);
2469
2470 if (psa_hash_setup(&hash_operation, hash_alg) != PSA_SUCCESS) {
2471 return -1;
2472 }
2473
2474 if (psa_hash_update(&hash_operation, child->tbs.p, child->tbs.len)
2475 != PSA_SUCCESS) {
2476 return -1;
2477 }
2478
2479 if (psa_hash_finish(&hash_operation, hash, sizeof(hash), &hash_len)
2480 != PSA_SUCCESS) {
2481 return -1;
2482 }
2483#endif /* MBEDTLS_USE_PSA_CRYPTO */
2484 /* Skip expensive computation on obvious mismatch */
2485 if (!mbedtls_pk_can_do(&parent->pk, child->sig_pk)) {
2486 return -1;
2487 }
2488
2489#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
2490 if (rs_ctx != NULL && child->sig_pk == MBEDTLS_PK_ECDSA) {
2491 return mbedtls_pk_verify_restartable(&parent->pk,
2492 child->sig_md, hash, hash_len,
2493 child->sig.p, child->sig.len, &rs_ctx->pk);
2494 }
2495#else
2496 (void) rs_ctx;
2497#endif
2498
2499 return mbedtls_pk_verify_ext(child->sig_pk, child->sig_opts, &parent->pk,
2500 child->sig_md, hash, hash_len,
2501 child->sig.p, child->sig.len);
2502}
2503
2504/*
2505 * Check if 'parent' is a suitable parent (signing CA) for 'child'.
2506 * Return 0 if yes, -1 if not.
2507 *
2508 * top means parent is a locally-trusted certificate
2509 */
2510static int x509_crt_check_parent(const mbedtls_x509_crt *child,
2511 const mbedtls_x509_crt *parent,
2512 int top)
2513{
2514 int need_ca_bit;
2515
2516 /* Parent must be the issuer */
2517 if (x509_name_cmp(&child->issuer, &parent->subject) != 0) {
2518 return -1;
2519 }
2520
2521 /* Parent must have the basicConstraints CA bit set as a general rule */
2522 need_ca_bit = 1;
2523
2524 /* Exception: v1/v2 certificates that are locally trusted. */
2525 if (top && parent->version < 3) {
2526 need_ca_bit = 0;
2527 }
2528
2529 if (need_ca_bit && !parent->ca_istrue) {
2530 return -1;
2531 }
2532
2533#if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
2534 if (need_ca_bit &&
2535 mbedtls_x509_crt_check_key_usage(parent, MBEDTLS_X509_KU_KEY_CERT_SIGN) != 0) {
2536 return -1;
2537 }
2538#endif
2539
2540 return 0;
2541}
2542
2543/*
2544 * Find a suitable parent for child in candidates, or return NULL.
2545 *
2546 * Here suitable is defined as:
2547 * 1. subject name matches child's issuer
2548 * 2. if necessary, the CA bit is set and key usage allows signing certs
2549 * 3. for trusted roots, the signature is correct
2550 * (for intermediates, the signature is checked and the result reported)
2551 * 4. pathlen constraints are satisfied
2552 *
2553 * If there's a suitable candidate which is also time-valid, return the first
2554 * such. Otherwise, return the first suitable candidate (or NULL if there is
2555 * none).
2556 *
2557 * The rationale for this rule is that someone could have a list of trusted
2558 * roots with two versions on the same root with different validity periods.
2559 * (At least one user reported having such a list and wanted it to just work.)
2560 * The reason we don't just require time-validity is that generally there is
2561 * only one version, and if it's expired we want the flags to state that
2562 * rather than NOT_TRUSTED, as would be the case if we required it here.
2563 *
2564 * The rationale for rule 3 (signature for trusted roots) is that users might
2565 * have two versions of the same CA with different keys in their list, and the
2566 * way we select the correct one is by checking the signature (as we don't
2567 * rely on key identifier extensions). (This is one way users might choose to
2568 * handle key rollover, another relies on self-issued certs, see [SIRO].)
2569 *
2570 * Arguments:
2571 * - [in] child: certificate for which we're looking for a parent
2572 * - [in] candidates: chained list of potential parents
2573 * - [out] r_parent: parent found (or NULL)
2574 * - [out] r_signature_is_good: 1 if child signature by parent is valid, or 0
2575 * - [in] top: 1 if candidates consists of trusted roots, ie we're at the top
2576 * of the chain, 0 otherwise
2577 * - [in] path_cnt: number of intermediates seen so far
2578 * - [in] self_cnt: number of self-signed intermediates seen so far
2579 * (will never be greater than path_cnt)
2580 * - [in-out] rs_ctx: context for restarting operations
2581 *
2582 * Return value:
2583 * - 0 on success
2584 * - MBEDTLS_ERR_ECP_IN_PROGRESS otherwise
2585 */
2586static int x509_crt_find_parent_in(
2587 mbedtls_x509_crt *child,
2588 mbedtls_x509_crt *candidates,
2589 mbedtls_x509_crt **r_parent,
2590 int *r_signature_is_good,
2591 int top,
2592 unsigned path_cnt,
2593 unsigned self_cnt,
2594 mbedtls_x509_crt_restart_ctx *rs_ctx)
2595{
2596 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2597 mbedtls_x509_crt *parent, *fallback_parent;
2598 int signature_is_good = 0, fallback_signature_is_good;
2599
2600#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
2601 /* did we have something in progress? */
2602 if (rs_ctx != NULL && rs_ctx->parent != NULL) {
2603 /* restore saved state */
2604 parent = rs_ctx->parent;
2605 fallback_parent = rs_ctx->fallback_parent;
2606 fallback_signature_is_good = rs_ctx->fallback_signature_is_good;
2607
2608 /* clear saved state */
2609 rs_ctx->parent = NULL;
2610 rs_ctx->fallback_parent = NULL;
2611 rs_ctx->fallback_signature_is_good = 0;
2612
2613 /* resume where we left */
2614 goto check_signature;
2615 }
2616#endif
2617
2618 fallback_parent = NULL;
2619 fallback_signature_is_good = 0;
2620
2621 for (parent = candidates; parent != NULL; parent = parent->next) {
2622 /* basic parenting skills (name, CA bit, key usage) */
2623 if (x509_crt_check_parent(child, parent, top) != 0) {
2624 continue;
2625 }
2626
2627 /* +1 because stored max_pathlen is 1 higher that the actual value */
2628 if (parent->max_pathlen > 0 &&
2629 (size_t) parent->max_pathlen < 1 + path_cnt - self_cnt) {
2630 continue;
2631 }
2632
2633 /* Signature */
2634#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
2635check_signature:
2636#endif
2637 ret = x509_crt_check_signature(child, parent, rs_ctx);
2638
2639#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
2640 if (rs_ctx != NULL && ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
2641 /* save state */
2642 rs_ctx->parent = parent;
2643 rs_ctx->fallback_parent = fallback_parent;
2644 rs_ctx->fallback_signature_is_good = fallback_signature_is_good;
2645
2646 return ret;
2647 }
2648#else
2649 (void) ret;
2650#endif
2651
2652 signature_is_good = ret == 0;
2653 if (top && !signature_is_good) {
2654 continue;
2655 }
2656
2657 /* optional time check */
2658 if (mbedtls_x509_time_is_past(&parent->valid_to) ||
2659 mbedtls_x509_time_is_future(&parent->valid_from)) {
2660 if (fallback_parent == NULL) {
2661 fallback_parent = parent;
2662 fallback_signature_is_good = signature_is_good;
2663 }
2664
2665 continue;
2666 }
2667
2668 *r_parent = parent;
2669 *r_signature_is_good = signature_is_good;
2670
2671 break;
2672 }
2673
2674 if (parent == NULL) {
2675 *r_parent = fallback_parent;
2676 *r_signature_is_good = fallback_signature_is_good;
2677 }
2678
2679 return 0;
2680}
2681
2682/*
2683 * Find a parent in trusted CAs or the provided chain, or return NULL.
2684 *
2685 * Searches in trusted CAs first, and return the first suitable parent found
2686 * (see find_parent_in() for definition of suitable).
2687 *
2688 * Arguments:
2689 * - [in] child: certificate for which we're looking for a parent, followed
2690 * by a chain of possible intermediates
2691 * - [in] trust_ca: list of locally trusted certificates
2692 * - [out] parent: parent found (or NULL)
2693 * - [out] parent_is_trusted: 1 if returned `parent` is trusted, or 0
2694 * - [out] signature_is_good: 1 if child signature by parent is valid, or 0
2695 * - [in] path_cnt: number of links in the chain so far (EE -> ... -> child)
2696 * - [in] self_cnt: number of self-signed certs in the chain so far
2697 * (will always be no greater than path_cnt)
2698 * - [in-out] rs_ctx: context for restarting operations
2699 *
2700 * Return value:
2701 * - 0 on success
2702 * - MBEDTLS_ERR_ECP_IN_PROGRESS otherwise
2703 */
2704static int x509_crt_find_parent(
2705 mbedtls_x509_crt *child,
2706 mbedtls_x509_crt *trust_ca,
2707 mbedtls_x509_crt **parent,
2708 int *parent_is_trusted,
2709 int *signature_is_good,
2710 unsigned path_cnt,
2711 unsigned self_cnt,
2712 mbedtls_x509_crt_restart_ctx *rs_ctx)
2713{
2714 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2715 mbedtls_x509_crt *search_list;
2716
2717 *parent_is_trusted = 1;
2718
2719#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
2720 /* restore then clear saved state if we have some stored */
2721 if (rs_ctx != NULL && rs_ctx->parent_is_trusted != -1) {
2722 *parent_is_trusted = rs_ctx->parent_is_trusted;
2723 rs_ctx->parent_is_trusted = -1;
2724 }
2725#endif
2726
2727 while (1) {
2728 search_list = *parent_is_trusted ? trust_ca : child->next;
2729
2730 ret = x509_crt_find_parent_in(child, search_list,
2731 parent, signature_is_good,
2732 *parent_is_trusted,
2733 path_cnt, self_cnt, rs_ctx);
2734
2735#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
2736 if (rs_ctx != NULL && ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
2737 /* save state */
2738 rs_ctx->parent_is_trusted = *parent_is_trusted;
2739 return ret;
2740 }
2741#else
2742 (void) ret;
2743#endif
2744
2745 /* stop here if found or already in second iteration */
2746 if (*parent != NULL || *parent_is_trusted == 0) {
2747 break;
2748 }
2749
2750 /* prepare second iteration */
2751 *parent_is_trusted = 0;
2752 }
2753
2754 /* extra precaution against mistakes in the caller */
2755 if (*parent == NULL) {
2756 *parent_is_trusted = 0;
2757 *signature_is_good = 0;
2758 }
2759
2760 return 0;
2761}
2762
2763/*
2764 * Check if an end-entity certificate is locally trusted
2765 *
2766 * Currently we require such certificates to be self-signed (actually only
2767 * check for self-issued as self-signatures are not checked)
2768 */
2769static int x509_crt_check_ee_locally_trusted(
2770 mbedtls_x509_crt *crt,
2771 mbedtls_x509_crt *trust_ca)
2772{
2773 mbedtls_x509_crt *cur;
2774
2775 /* must be self-issued */
2776 if (x509_name_cmp(&crt->issuer, &crt->subject) != 0) {
2777 return -1;
2778 }
2779
2780 /* look for an exact match with trusted cert */
2781 for (cur = trust_ca; cur != NULL; cur = cur->next) {
2782 if (crt->raw.len == cur->raw.len &&
2783 memcmp(crt->raw.p, cur->raw.p, crt->raw.len) == 0) {
2784 return 0;
2785 }
2786 }
2787
2788 /* too bad */
2789 return -1;
2790}
2791
2792/*
2793 * Build and verify a certificate chain
2794 *
2795 * Given a peer-provided list of certificates EE, C1, ..., Cn and
2796 * a list of trusted certs R1, ... Rp, try to build and verify a chain
2797 * EE, Ci1, ... Ciq [, Rj]
2798 * such that every cert in the chain is a child of the next one,
2799 * jumping to a trusted root as early as possible.
2800 *
2801 * Verify that chain and return it with flags for all issues found.
2802 *
2803 * Special cases:
2804 * - EE == Rj -> return a one-element list containing it
2805 * - EE, Ci1, ..., Ciq cannot be continued with a trusted root
2806 * -> return that chain with NOT_TRUSTED set on Ciq
2807 *
2808 * Tests for (aspects of) this function should include at least:
2809 * - trusted EE
2810 * - EE -> trusted root
2811 * - EE -> intermediate CA -> trusted root
2812 * - if relevant: EE untrusted
2813 * - if relevant: EE -> intermediate, untrusted
2814 * with the aspect under test checked at each relevant level (EE, int, root).
2815 * For some aspects longer chains are required, but usually length 2 is
2816 * enough (but length 1 is not in general).
2817 *
2818 * Arguments:
2819 * - [in] crt: the cert list EE, C1, ..., Cn
2820 * - [in] trust_ca: the trusted list R1, ..., Rp
2821 * - [in] ca_crl, profile: as in verify_with_profile()
2822 * - [out] ver_chain: the built and verified chain
2823 * Only valid when return value is 0, may contain garbage otherwise!
2824 * Restart note: need not be the same when calling again to resume.
2825 * - [in-out] rs_ctx: context for restarting operations
2826 *
2827 * Return value:
2828 * - non-zero if the chain could not be fully built and examined
2829 * - 0 is the chain was successfully built and examined,
2830 * even if it was found to be invalid
2831 */
2832static int x509_crt_verify_chain(
2833 mbedtls_x509_crt *crt,
2834 mbedtls_x509_crt *trust_ca,
2835 mbedtls_x509_crl *ca_crl,
2836 mbedtls_x509_crt_ca_cb_t f_ca_cb,
2837 void *p_ca_cb,
2838 const mbedtls_x509_crt_profile *profile,
2839 mbedtls_x509_crt_verify_chain *ver_chain,
2840 mbedtls_x509_crt_restart_ctx *rs_ctx)
2841{
2842 /* Don't initialize any of those variables here, so that the compiler can
2843 * catch potential issues with jumping ahead when restarting */
2844 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2845 uint32_t *flags;
2846 mbedtls_x509_crt_verify_chain_item *cur;
2847 mbedtls_x509_crt *child;
2848 mbedtls_x509_crt *parent;
2849 int parent_is_trusted;
2850 int child_is_trusted;
2851 int signature_is_good;
2852 unsigned self_cnt;
2853 mbedtls_x509_crt *cur_trust_ca = NULL;
2854
2855#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
2856 /* resume if we had an operation in progress */
2857 if (rs_ctx != NULL && rs_ctx->in_progress == x509_crt_rs_find_parent) {
2858 /* restore saved state */
2859 *ver_chain = rs_ctx->ver_chain; /* struct copy */
2860 self_cnt = rs_ctx->self_cnt;
2861
2862 /* restore derived state */
2863 cur = &ver_chain->items[ver_chain->len - 1];
2864 child = cur->crt;
2865 flags = &cur->flags;
2866
2867 goto find_parent;
2868 }
2869#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
2870
2871 child = crt;
2872 self_cnt = 0;
2873 parent_is_trusted = 0;
2874 child_is_trusted = 0;
2875
2876 while (1) {
2877 /* Add certificate to the verification chain */
2878 cur = &ver_chain->items[ver_chain->len];
2879 cur->crt = child;
2880 cur->flags = 0;
2881 ver_chain->len++;
2882 flags = &cur->flags;
2883
2884 /* Check time-validity (all certificates) */
2885 if (mbedtls_x509_time_is_past(&child->valid_to)) {
2886 *flags |= MBEDTLS_X509_BADCERT_EXPIRED;
2887 }
2888
2889 if (mbedtls_x509_time_is_future(&child->valid_from)) {
2890 *flags |= MBEDTLS_X509_BADCERT_FUTURE;
2891 }
2892
2893 /* Stop here for trusted roots (but not for trusted EE certs) */
2894 if (child_is_trusted) {
2895 return 0;
2896 }
2897
2898 /* Check signature algorithm: MD & PK algs */
2899 if (x509_profile_check_md_alg(profile, child->sig_md) != 0) {
2900 *flags |= MBEDTLS_X509_BADCERT_BAD_MD;
2901 }
2902
2903 if (x509_profile_check_pk_alg(profile, child->sig_pk) != 0) {
2904 *flags |= MBEDTLS_X509_BADCERT_BAD_PK;
2905 }
2906
2907 /* Special case: EE certs that are locally trusted */
2908 if (ver_chain->len == 1 &&
2909 x509_crt_check_ee_locally_trusted(child, trust_ca) == 0) {
2910 return 0;
2911 }
2912
2913#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
2914find_parent:
2915#endif
2916
2917 /* Obtain list of potential trusted signers from CA callback,
2918 * or use statically provided list. */
2919#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
2920 if (f_ca_cb != NULL) {
2921 mbedtls_x509_crt_free(ver_chain->trust_ca_cb_result);
2922 mbedtls_free(ver_chain->trust_ca_cb_result);
2923 ver_chain->trust_ca_cb_result = NULL;
2924
2925 ret = f_ca_cb(p_ca_cb, child, &ver_chain->trust_ca_cb_result);
2926 if (ret != 0) {
2927 return MBEDTLS_ERR_X509_FATAL_ERROR;
2928 }
2929
2930 cur_trust_ca = ver_chain->trust_ca_cb_result;
2931 } else
2932#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
2933 {
2934 ((void) f_ca_cb);
2935 ((void) p_ca_cb);
2936 cur_trust_ca = trust_ca;
2937 }
2938
2939 /* Look for a parent in trusted CAs or up the chain */
2940 ret = x509_crt_find_parent(child, cur_trust_ca, &parent,
2941 &parent_is_trusted, &signature_is_good,
2942 ver_chain->len - 1, self_cnt, rs_ctx);
2943
2944#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
2945 if (rs_ctx != NULL && ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
2946 /* save state */
2947 rs_ctx->in_progress = x509_crt_rs_find_parent;
2948 rs_ctx->self_cnt = self_cnt;
2949 rs_ctx->ver_chain = *ver_chain; /* struct copy */
2950
2951 return ret;
2952 }
2953#else
2954 (void) ret;
2955#endif
2956
2957 /* No parent? We're done here */
2958 if (parent == NULL) {
2959 *flags |= MBEDTLS_X509_BADCERT_NOT_TRUSTED;
2960 return 0;
2961 }
2962
2963 /* Count intermediate self-issued (not necessarily self-signed) certs.
2964 * These can occur with some strategies for key rollover, see [SIRO],
2965 * and should be excluded from max_pathlen checks. */
2966 if (ver_chain->len != 1 &&
2967 x509_name_cmp(&child->issuer, &child->subject) == 0) {
2968 self_cnt++;
2969 }
2970
2971 /* path_cnt is 0 for the first intermediate CA,
2972 * and if parent is trusted it's not an intermediate CA */
2973 if (!parent_is_trusted &&
2974 ver_chain->len > MBEDTLS_X509_MAX_INTERMEDIATE_CA) {
2975 /* return immediately to avoid overflow the chain array */
2976 return MBEDTLS_ERR_X509_FATAL_ERROR;
2977 }
2978
2979 /* signature was checked while searching parent */
2980 if (!signature_is_good) {
2981 *flags |= MBEDTLS_X509_BADCERT_NOT_TRUSTED;
2982 }
2983
2984 /* check size of signing key */
2985 if (x509_profile_check_key(profile, &parent->pk) != 0) {
2986 *flags |= MBEDTLS_X509_BADCERT_BAD_KEY;
2987 }
2988
2989#if defined(MBEDTLS_X509_CRL_PARSE_C)
2990 /* Check trusted CA's CRL for the given crt */
2991 *flags |= x509_crt_verifycrl(child, parent, ca_crl, profile);
2992#else
2993 (void) ca_crl;
2994#endif
2995
2996 /* prepare for next iteration */
2997 child = parent;
2998 parent = NULL;
2999 child_is_trusted = parent_is_trusted;
3000 signature_is_good = 0;
3001 }
3002}
3003
3004/*
3005 * Check for CN match
3006 */
3007static int x509_crt_check_cn(const mbedtls_x509_buf *name,
3008 const char *cn, size_t cn_len)
3009{
3010 /* try exact match */
3011 if (name->len == cn_len &&
3012 x509_memcasecmp(cn, name->p, cn_len) == 0) {
3013 return 0;
3014 }
3015
3016 /* try wildcard match */
3017 if (x509_check_wildcard(cn, name) == 0) {
3018 return 0;
3019 }
3020
3021 return -1;
3022}
3023
3024/*
3025 * Check for SAN match, see RFC 5280 Section 4.2.1.6
3026 */
3027static int x509_crt_check_san(const mbedtls_x509_buf *name,
3028 const char *cn, size_t cn_len)
3029{
3030 const unsigned char san_type = (unsigned char) name->tag &
3031 MBEDTLS_ASN1_TAG_VALUE_MASK;
3032
3033 /* dNSName */
3034 if (san_type == MBEDTLS_X509_SAN_DNS_NAME) {
3035 return x509_crt_check_cn(name, cn, cn_len);
3036 }
3037
3038 /* (We may handle other types here later.) */
3039
3040 /* Unrecognized type */
3041 return -1;
3042}
3043
3044/*
3045 * Verify the requested CN - only call this if cn is not NULL!
3046 */
3047static void x509_crt_verify_name(const mbedtls_x509_crt *crt,
3048 const char *cn,
3049 uint32_t *flags)
3050{
3051 const mbedtls_x509_name *name;
3052 const mbedtls_x509_sequence *cur;
3053 size_t cn_len = strlen(cn);
3054
3055 if (crt->ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME) {
3056 for (cur = &crt->subject_alt_names; cur != NULL; cur = cur->next) {
3057 if (x509_crt_check_san(&cur->buf, cn, cn_len) == 0) {
3058 break;
3059 }
3060 }
3061
3062 if (cur == NULL) {
3063 *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH;
3064 }
3065 } else {
3066 for (name = &crt->subject; name != NULL; name = name->next) {
3067 if (MBEDTLS_OID_CMP(MBEDTLS_OID_AT_CN, &name->oid) == 0 &&
3068 x509_crt_check_cn(&name->val, cn, cn_len) == 0) {
3069 break;
3070 }
3071 }
3072
3073 if (name == NULL) {
3074 *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH;
3075 }
3076 }
3077}
3078
3079/*
3080 * Merge the flags for all certs in the chain, after calling callback
3081 */
3082static int x509_crt_merge_flags_with_cb(
3083 uint32_t *flags,
3084 const mbedtls_x509_crt_verify_chain *ver_chain,
3085 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
3086 void *p_vrfy)
3087{
3088 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3089 unsigned i;
3090 uint32_t cur_flags;
3091 const mbedtls_x509_crt_verify_chain_item *cur;
3092
3093 for (i = ver_chain->len; i != 0; --i) {
3094 cur = &ver_chain->items[i-1];
3095 cur_flags = cur->flags;
3096
3097 if (NULL != f_vrfy) {
3098 if ((ret = f_vrfy(p_vrfy, cur->crt, (int) i-1, &cur_flags)) != 0) {
3099 return ret;
3100 }
3101 }
3102
3103 *flags |= cur_flags;
3104 }
3105
3106 return 0;
3107}
3108
3109/*
3110 * Verify the certificate validity, with profile, restartable version
3111 *
3112 * This function:
3113 * - checks the requested CN (if any)
3114 * - checks the type and size of the EE cert's key,
3115 * as that isn't done as part of chain building/verification currently
3116 * - builds and verifies the chain
3117 * - then calls the callback and merges the flags
3118 *
3119 * The parameters pairs `trust_ca`, `ca_crl` and `f_ca_cb`, `p_ca_cb`
3120 * are mutually exclusive: If `f_ca_cb != NULL`, it will be used by the
3121 * verification routine to search for trusted signers, and CRLs will
3122 * be disabled. Otherwise, `trust_ca` will be used as the static list
3123 * of trusted signers, and `ca_crl` will be use as the static list
3124 * of CRLs.
3125 */
3126static int x509_crt_verify_restartable_ca_cb(mbedtls_x509_crt *crt,
3127 mbedtls_x509_crt *trust_ca,
3128 mbedtls_x509_crl *ca_crl,
3129 mbedtls_x509_crt_ca_cb_t f_ca_cb,
3130 void *p_ca_cb,
3131 const mbedtls_x509_crt_profile *profile,
3132 const char *cn, uint32_t *flags,
3133 int (*f_vrfy)(void *,
3134 mbedtls_x509_crt *,
3135 int,
3136 uint32_t *),
3137 void *p_vrfy,
3138 mbedtls_x509_crt_restart_ctx *rs_ctx)
3139{
3140 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3141 mbedtls_pk_type_t pk_type;
3142 mbedtls_x509_crt_verify_chain ver_chain;
3143 uint32_t ee_flags;
3144
3145 *flags = 0;
3146 ee_flags = 0;
3147 x509_crt_verify_chain_reset(&ver_chain);
3148
3149 if (profile == NULL) {
3150 ret = MBEDTLS_ERR_X509_BAD_INPUT_DATA;
3151 goto exit;
3152 }
3153
3154 /* check name if requested */
3155 if (cn != NULL) {
3156 x509_crt_verify_name(crt, cn, &ee_flags);
3157 }
3158
3159 /* Check the type and size of the key */
3160 pk_type = mbedtls_pk_get_type(&crt->pk);
3161
3162 if (x509_profile_check_pk_alg(profile, pk_type) != 0) {
3163 ee_flags |= MBEDTLS_X509_BADCERT_BAD_PK;
3164 }
3165
3166 if (x509_profile_check_key(profile, &crt->pk) != 0) {
3167 ee_flags |= MBEDTLS_X509_BADCERT_BAD_KEY;
3168 }
3169
3170 /* Check the chain */
3171 ret = x509_crt_verify_chain(crt, trust_ca, ca_crl,
3172 f_ca_cb, p_ca_cb, profile,
3173 &ver_chain, rs_ctx);
3174
3175 if (ret != 0) {
3176 goto exit;
3177 }
3178
3179 /* Merge end-entity flags */
3180 ver_chain.items[0].flags |= ee_flags;
3181
3182 /* Build final flags, calling callback on the way if any */
3183 ret = x509_crt_merge_flags_with_cb(flags, &ver_chain, f_vrfy, p_vrfy);
3184
3185exit:
3186
3187#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
3188 mbedtls_x509_crt_free(ver_chain.trust_ca_cb_result);
3189 mbedtls_free(ver_chain.trust_ca_cb_result);
3190 ver_chain.trust_ca_cb_result = NULL;
3191#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
3192
3193#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
3194 if (rs_ctx != NULL && ret != MBEDTLS_ERR_ECP_IN_PROGRESS) {
3195 mbedtls_x509_crt_restart_free(rs_ctx);
3196 }
3197#endif
3198
3199 /* prevent misuse of the vrfy callback - VERIFY_FAILED would be ignored by
3200 * the SSL module for authmode optional, but non-zero return from the
3201 * callback means a fatal error so it shouldn't be ignored */
3202 if (ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED) {
3203 ret = MBEDTLS_ERR_X509_FATAL_ERROR;
3204 }
3205
3206 if (ret != 0) {
3207 *flags = (uint32_t) -1;
3208 return ret;
3209 }
3210
3211 if (*flags != 0) {
3212 return MBEDTLS_ERR_X509_CERT_VERIFY_FAILED;
3213 }
3214
3215 return 0;
3216}
3217
3218
3219/*
3220 * Verify the certificate validity (default profile, not restartable)
3221 */
3222int mbedtls_x509_crt_verify(mbedtls_x509_crt *crt,
3223 mbedtls_x509_crt *trust_ca,
3224 mbedtls_x509_crl *ca_crl,
3225 const char *cn, uint32_t *flags,
3226 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
3227 void *p_vrfy)
3228{
3229 return x509_crt_verify_restartable_ca_cb(crt, trust_ca, ca_crl,
3230 NULL, NULL,
3231 &mbedtls_x509_crt_profile_default,
3232 cn, flags,
3233 f_vrfy, p_vrfy, NULL);
3234}
3235
3236/*
3237 * Verify the certificate validity (user-chosen profile, not restartable)
3238 */
3239int mbedtls_x509_crt_verify_with_profile(mbedtls_x509_crt *crt,
3240 mbedtls_x509_crt *trust_ca,
3241 mbedtls_x509_crl *ca_crl,
3242 const mbedtls_x509_crt_profile *profile,
3243 const char *cn, uint32_t *flags,
3244 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
3245 void *p_vrfy)
3246{
3247 return x509_crt_verify_restartable_ca_cb(crt, trust_ca, ca_crl,
3248 NULL, NULL,
3249 profile, cn, flags,
3250 f_vrfy, p_vrfy, NULL);
3251}
3252
3253#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
3254/*
3255 * Verify the certificate validity (user-chosen profile, CA callback,
3256 * not restartable).
3257 */
3258int mbedtls_x509_crt_verify_with_ca_cb(mbedtls_x509_crt *crt,
3259 mbedtls_x509_crt_ca_cb_t f_ca_cb,
3260 void *p_ca_cb,
3261 const mbedtls_x509_crt_profile *profile,
3262 const char *cn, uint32_t *flags,
3263 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
3264 void *p_vrfy)
3265{
3266 return x509_crt_verify_restartable_ca_cb(crt, NULL, NULL,
3267 f_ca_cb, p_ca_cb,
3268 profile, cn, flags,
3269 f_vrfy, p_vrfy, NULL);
3270}
3271#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
3272
3273int mbedtls_x509_crt_verify_restartable(mbedtls_x509_crt *crt,
3274 mbedtls_x509_crt *trust_ca,
3275 mbedtls_x509_crl *ca_crl,
3276 const mbedtls_x509_crt_profile *profile,
3277 const char *cn, uint32_t *flags,
3278 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
3279 void *p_vrfy,
3280 mbedtls_x509_crt_restart_ctx *rs_ctx)
3281{
3282 return x509_crt_verify_restartable_ca_cb(crt, trust_ca, ca_crl,
3283 NULL, NULL,
3284 profile, cn, flags,
3285 f_vrfy, p_vrfy, rs_ctx);
3286}
3287
3288
3289/*
3290 * Initialize a certificate chain
3291 */
3292void mbedtls_x509_crt_init(mbedtls_x509_crt *crt)
3293{
3294 memset(crt, 0, sizeof(mbedtls_x509_crt));
3295}
3296
3297/*
3298 * Unallocate all certificate data
3299 */
3300void mbedtls_x509_crt_free(mbedtls_x509_crt *crt)
3301{
3302 mbedtls_x509_crt *cert_cur = crt;
3303 mbedtls_x509_crt *cert_prv;
3304 mbedtls_x509_name *name_cur;
3305 mbedtls_x509_name *name_prv;
3306 mbedtls_x509_sequence *seq_cur;
3307 mbedtls_x509_sequence *seq_prv;
3308
3309 if (crt == NULL) {
3310 return;
3311 }
3312
3313 do {
3314 mbedtls_pk_free(&cert_cur->pk);
3315
3316#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
3317 mbedtls_free(cert_cur->sig_opts);
3318#endif
3319
3320 name_cur = cert_cur->issuer.next;
3321 while (name_cur != NULL) {
3322 name_prv = name_cur;
3323 name_cur = name_cur->next;
3324 mbedtls_platform_zeroize(name_prv, sizeof(mbedtls_x509_name));
3325 mbedtls_free(name_prv);
3326 }
3327
3328 name_cur = cert_cur->subject.next;
3329 while (name_cur != NULL) {
3330 name_prv = name_cur;
3331 name_cur = name_cur->next;
3332 mbedtls_platform_zeroize(name_prv, sizeof(mbedtls_x509_name));
3333 mbedtls_free(name_prv);
3334 }
3335
3336 seq_cur = cert_cur->ext_key_usage.next;
3337 while (seq_cur != NULL) {
3338 seq_prv = seq_cur;
3339 seq_cur = seq_cur->next;
3340 mbedtls_platform_zeroize(seq_prv,
3341 sizeof(mbedtls_x509_sequence));
3342 mbedtls_free(seq_prv);
3343 }
3344
3345 seq_cur = cert_cur->subject_alt_names.next;
3346 while (seq_cur != NULL) {
3347 seq_prv = seq_cur;
3348 seq_cur = seq_cur->next;
3349 mbedtls_platform_zeroize(seq_prv,
3350 sizeof(mbedtls_x509_sequence));
3351 mbedtls_free(seq_prv);
3352 }
3353
3354 seq_cur = cert_cur->certificate_policies.next;
3355 while (seq_cur != NULL) {
3356 seq_prv = seq_cur;
3357 seq_cur = seq_cur->next;
3358 mbedtls_platform_zeroize(seq_prv,
3359 sizeof(mbedtls_x509_sequence));
3360 mbedtls_free(seq_prv);
3361 }
3362
3363 if (cert_cur->raw.p != NULL && cert_cur->own_buffer) {
3364 mbedtls_platform_zeroize(cert_cur->raw.p, cert_cur->raw.len);
3365 mbedtls_free(cert_cur->raw.p);
3366 }
3367
3368 cert_cur = cert_cur->next;
3369 } while (cert_cur != NULL);
3370
3371 cert_cur = crt;
3372 do {
3373 cert_prv = cert_cur;
3374 cert_cur = cert_cur->next;
3375
3376 mbedtls_platform_zeroize(cert_prv, sizeof(mbedtls_x509_crt));
3377 if (cert_prv != crt) {
3378 mbedtls_free(cert_prv);
3379 }
3380 } while (cert_cur != NULL);
3381}
3382
3383#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
3384/*
3385 * Initialize a restart context
3386 */
3387void mbedtls_x509_crt_restart_init(mbedtls_x509_crt_restart_ctx *ctx)
3388{
3389 mbedtls_pk_restart_init(&ctx->pk);
3390
3391 ctx->parent = NULL;
3392 ctx->fallback_parent = NULL;
3393 ctx->fallback_signature_is_good = 0;
3394
3395 ctx->parent_is_trusted = -1;
3396
3397 ctx->in_progress = x509_crt_rs_none;
3398 ctx->self_cnt = 0;
3399 x509_crt_verify_chain_reset(&ctx->ver_chain);
3400}
3401
3402/*
3403 * Free the components of a restart context
3404 */
3405void mbedtls_x509_crt_restart_free(mbedtls_x509_crt_restart_ctx *ctx)
3406{
3407 if (ctx == NULL) {
3408 return;
3409 }
3410
3411 mbedtls_pk_restart_free(&ctx->pk);
3412 mbedtls_x509_crt_restart_init(ctx);
3413}
3414#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
3415
3416#endif /* MBEDTLS_X509_CRT_PARSE_C */
3417