/* ***** BEGIN LICENSE BLOCK ***** * Version: MPL 1.1/GPL 2.0/LGPL 2.1 * * The contents of this file are subject to the Mozilla Public License Version * 1.1 (the "License"); you may not use this file except in compliance with * the License. You may obtain a copy of the License at * http://www.mozilla.org/MPL/ * * Software distributed under the License is distributed on an "AS IS" basis, * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License * for the specific language governing rights and limitations under the * License. * * The Original Code is the Netscape security libraries. * * The Initial Developer of the Original Code is * Netscape Communications Corporation. * Portions created by the Initial Developer are Copyright (C) 1994-2000 * the Initial Developer. All Rights Reserved. * * Contributor(s): * * Alternatively, the contents of this file may be used under the terms of * either the GNU General Public License Version 2 or later (the "GPL"), or * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), * in which case the provisions of the GPL or the LGPL are applicable instead * of those above. If you wish to allow use of your version of this file only * under the terms of either the GPL or the LGPL, and not to allow others to * use your version of this file under the terms of the MPL, indicate your * decision by deleting the provisions above and replace them with the notice * and other provisions required by the GPL or the LGPL. If you do not delete * the provisions above, a recipient may use your version of this file under * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ /* * Code for dealing with X509.V3 extensions. * * $Id: certv3.c,v 1.10 2007/10/12 01:44:40 julien.pierre.boogz%sun.com Exp $ */ #include "cert.h" #include "secitem.h" #include "secoid.h" #include "secder.h" #include "secasn1.h" #include "certxutl.h" #include "secerr.h" SECStatus CERT_FindCertExtensionByOID(CERTCertificate *cert, SECItem *oid, SECItem *value) { return (cert_FindExtensionByOID (cert->extensions, oid, value)); } SECStatus CERT_FindCertExtension(CERTCertificate *cert, int tag, SECItem *value) { return (cert_FindExtension (cert->extensions, tag, value)); } static void SetExts(void *object, CERTCertExtension **exts) { CERTCertificate *cert = (CERTCertificate *)object; cert->extensions = exts; DER_SetUInteger (cert->arena, &(cert->version), SEC_CERTIFICATE_VERSION_3); } void * CERT_StartCertExtensions(CERTCertificate *cert) { return (cert_StartExtensions ((void *)cert, cert->arena, SetExts)); } /* find the given extension in the certificate of the Issuer of 'cert' */ SECStatus CERT_FindIssuerCertExtension(CERTCertificate *cert, int tag, SECItem *value) { CERTCertificate *issuercert; SECStatus rv; issuercert = CERT_FindCertByName(cert->dbhandle, &cert->derIssuer); if ( issuercert ) { rv = cert_FindExtension(issuercert->extensions, tag, value); CERT_DestroyCertificate(issuercert); } else { rv = SECFailure; } return(rv); } /* find a URL extension in the cert or its CA * apply the base URL string if it exists */ char * CERT_FindCertURLExtension(CERTCertificate *cert, int tag, int catag) { SECStatus rv; SECItem urlitem = {siBuffer,0}; SECItem baseitem = {siBuffer,0}; SECItem urlstringitem = {siBuffer,0}; SECItem basestringitem = {siBuffer,0}; PRArenaPool *arena = NULL; PRBool hasbase; char *urlstring; char *str; int len; unsigned int i; urlstring = NULL; arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); if ( ! arena ) { goto loser; } hasbase = PR_FALSE; rv = cert_FindExtension(cert->extensions, tag, &urlitem); if ( rv == SECSuccess ) { rv = cert_FindExtension(cert->extensions, SEC_OID_NS_CERT_EXT_BASE_URL, &baseitem); if ( rv == SECSuccess ) { hasbase = PR_TRUE; } } else if ( catag ) { /* if the cert doesn't have the extensions, see if the issuer does */ rv = CERT_FindIssuerCertExtension(cert, catag, &urlitem); if ( rv != SECSuccess ) { goto loser; } rv = CERT_FindIssuerCertExtension(cert, SEC_OID_NS_CERT_EXT_BASE_URL, &baseitem); if ( rv == SECSuccess ) { hasbase = PR_TRUE; } } else { goto loser; } rv = SEC_QuickDERDecodeItem(arena, &urlstringitem, SEC_ASN1_GET(SEC_IA5StringTemplate), &urlitem); if ( rv != SECSuccess ) { goto loser; } if ( hasbase ) { rv = SEC_QuickDERDecodeItem(arena, &basestringitem, SEC_ASN1_GET(SEC_IA5StringTemplate), &baseitem); if ( rv != SECSuccess ) { goto loser; } } len = urlstringitem.len + ( hasbase ? basestringitem.len : 0 ) + 1; str = urlstring = (char *)PORT_Alloc(len); if ( urlstring == NULL ) { goto loser; } /* copy the URL base first */ if ( hasbase ) { /* if the urlstring has a : in it, then we assume it is an absolute * URL, and will not get the base string pre-pended */ for ( i = 0; i < urlstringitem.len; i++ ) { if ( urlstringitem.data[i] == ':' ) { goto nobase; } } PORT_Memcpy(str, basestringitem.data, basestringitem.len); str += basestringitem.len; } nobase: /* copy the rest (or all) of the URL */ PORT_Memcpy(str, urlstringitem.data, urlstringitem.len); str += urlstringitem.len; *str = '\0'; goto done; loser: if ( urlstring ) { PORT_Free(urlstring); } urlstring = NULL; done: if ( arena ) { PORT_FreeArena(arena, PR_FALSE); } if ( baseitem.data ) { PORT_Free(baseitem.data); } if ( urlitem.data ) { PORT_Free(urlitem.data); } return(urlstring); } /* * get the value of the Netscape Certificate Type Extension */ SECStatus CERT_FindNSCertTypeExtension(CERTCertificate *cert, SECItem *retItem) { return (CERT_FindBitStringExtension (cert->extensions, SEC_OID_NS_CERT_EXT_CERT_TYPE, retItem)); } /* * get the value of a string type extension */ char * CERT_FindNSStringExtension(CERTCertificate *cert, int oidtag) { SECItem wrapperItem, tmpItem = {siBuffer,0}; SECStatus rv; PRArenaPool *arena = NULL; char *retstring = NULL; wrapperItem.data = NULL; tmpItem.data = NULL; arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); if ( ! arena ) { goto loser; } rv = cert_FindExtension(cert->extensions, oidtag, &wrapperItem); if ( rv != SECSuccess ) { goto loser; } rv = SEC_QuickDERDecodeItem(arena, &tmpItem, SEC_ASN1_GET(SEC_IA5StringTemplate), &wrapperItem); if ( rv != SECSuccess ) { goto loser; } retstring = (char *)PORT_Alloc(tmpItem.len + 1 ); if ( retstring == NULL ) { goto loser; } PORT_Memcpy(retstring, tmpItem.data, tmpItem.len); retstring[tmpItem.len] = '\0'; loser: if ( arena ) { PORT_FreeArena(arena, PR_FALSE); } if ( wrapperItem.data ) { PORT_Free(wrapperItem.data); } return(retstring); } /* * get the value of the X.509 v3 Key Usage Extension */ SECStatus CERT_FindKeyUsageExtension(CERTCertificate *cert, SECItem *retItem) { return (CERT_FindBitStringExtension(cert->extensions, SEC_OID_X509_KEY_USAGE, retItem)); } /* * get the value of the X.509 v3 Key Usage Extension */ SECStatus CERT_FindSubjectKeyIDExtension(CERTCertificate *cert, SECItem *retItem) { SECStatus rv; SECItem encodedValue = {siBuffer, NULL, 0 }; SECItem decodedValue = {siBuffer, NULL, 0 }; rv = cert_FindExtension (cert->extensions, SEC_OID_X509_SUBJECT_KEY_ID, &encodedValue); if (rv == SECSuccess) { PLArenaPool * tmpArena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); if (tmpArena) { rv = SEC_QuickDERDecodeItem(tmpArena, &decodedValue, SEC_ASN1_GET(SEC_OctetStringTemplate), &encodedValue); if (rv == SECSuccess) { rv = SECITEM_CopyItem(NULL, retItem, &decodedValue); } PORT_FreeArena(tmpArena, PR_FALSE); } else { rv = SECFailure; } } SECITEM_FreeItem(&encodedValue, PR_FALSE); return rv; } SECStatus CERT_FindBasicConstraintExten(CERTCertificate *cert, CERTBasicConstraints *value) { SECItem encodedExtenValue; SECStatus rv; encodedExtenValue.data = NULL; encodedExtenValue.len = 0; rv = cert_FindExtension(cert->extensions, SEC_OID_X509_BASIC_CONSTRAINTS, &encodedExtenValue); if ( rv != SECSuccess ) { return (rv); } rv = CERT_DecodeBasicConstraintValue (value, &encodedExtenValue); /* free the raw extension data */ PORT_Free(encodedExtenValue.data); encodedExtenValue.data = NULL; return(rv); } CERTAuthKeyID * CERT_FindAuthKeyIDExten (PRArenaPool *arena, CERTCertificate *cert) { SECItem encodedExtenValue; SECStatus rv; CERTAuthKeyID *ret; encodedExtenValue.data = NULL; encodedExtenValue.len = 0; rv = cert_FindExtension(cert->extensions, SEC_OID_X509_AUTH_KEY_ID, &encodedExtenValue); if ( rv != SECSuccess ) { return (NULL); } ret = CERT_DecodeAuthKeyID (arena, &encodedExtenValue); PORT_Free(encodedExtenValue.data); encodedExtenValue.data = NULL; return(ret); } SECStatus CERT_CheckCertUsage(CERTCertificate *cert, unsigned char usage) { SECItem keyUsage; SECStatus rv; /* There is no extension, v1 or v2 certificate */ if (cert->extensions == NULL) { return (SECSuccess); } keyUsage.data = NULL; /* This code formerly ignored the Key Usage extension if it was ** marked non-critical. That was wrong. Since we do understand it, ** we are obligated to honor it, whether or not it is critical. */ rv = CERT_FindKeyUsageExtension(cert, &keyUsage); if (rv == SECFailure) { rv = (PORT_GetError () == SEC_ERROR_EXTENSION_NOT_FOUND) ? SECSuccess : SECFailure; } else if (!(keyUsage.data[0] & usage)) { PORT_SetError (SEC_ERROR_CERT_USAGES_INVALID); rv = SECFailure; } PORT_Free (keyUsage.data); return (rv); }