Source code

Revision control

Copy as Markdown

Other Tools

/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/*
* Code for dealing with X509.V3 extensions.
*/
#include "cert.h"
#include "secitem.h"
#include "secoid.h"
#include "secder.h"
#include "secasn1.h"
#include "certxutl.h"
#include "secerr.h"
SECStatus
CERT_FindCertExtensionByOID(CERTCertificate *cert, SECItem *oid, SECItem *value)
{
return (cert_FindExtensionByOID(cert->extensions, oid, value));
}
SECStatus
CERT_FindCertExtension(const CERTCertificate *cert, int tag, SECItem *value)
{
return (cert_FindExtension(cert->extensions, tag, value));
}
static void
SetExts(void *object, CERTCertExtension **exts)
{
CERTCertificate *cert = (CERTCertificate *)object;
cert->extensions = exts;
DER_SetUInteger(cert->arena, &(cert->version), SEC_CERTIFICATE_VERSION_3);
}
void *
CERT_StartCertExtensions(CERTCertificate *cert)
{
return (cert_StartExtensions((void *)cert, cert->arena, SetExts));
}
/*
* get the value of the Netscape Certificate Type Extension
*/
SECStatus
CERT_FindNSCertTypeExtension(CERTCertificate *cert, SECItem *retItem)
{
return (CERT_FindBitStringExtension(
cert->extensions, SEC_OID_NS_CERT_EXT_CERT_TYPE, retItem));
}
/*
* get the value of a string type extension
*/
char *
CERT_FindNSStringExtension(CERTCertificate *cert, int oidtag)
{
SECItem wrapperItem, tmpItem = { siBuffer, 0 };
SECStatus rv;
PLArenaPool *arena = NULL;
char *retstring = NULL;
wrapperItem.data = NULL;
tmpItem.data = NULL;
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
if (!arena) {
goto loser;
}
rv = cert_FindExtension(cert->extensions, oidtag, &wrapperItem);
if (rv != SECSuccess) {
goto loser;
}
rv = SEC_QuickDERDecodeItem(
arena, &tmpItem, SEC_ASN1_GET(SEC_IA5StringTemplate), &wrapperItem);
if (rv != SECSuccess) {
goto loser;
}
retstring = (char *)PORT_Alloc(tmpItem.len + 1);
if (retstring == NULL) {
goto loser;
}
PORT_Memcpy(retstring, tmpItem.data, tmpItem.len);
retstring[tmpItem.len] = '\0';
loser:
if (arena) {
PORT_FreeArena(arena, PR_FALSE);
}
if (wrapperItem.data) {
PORT_Free(wrapperItem.data);
}
return (retstring);
}
/*
* get the value of the X.509 v3 Key Usage Extension
*/
SECStatus
CERT_FindKeyUsageExtension(CERTCertificate *cert, SECItem *retItem)
{
return (CERT_FindBitStringExtension(cert->extensions,
SEC_OID_X509_KEY_USAGE, retItem));
}
/*
* get the value of the X.509 v3 Key Usage Extension
*/
SECStatus
CERT_FindSubjectKeyIDExtension(CERTCertificate *cert, SECItem *retItem)
{
SECStatus rv;
SECItem encodedValue = { siBuffer, NULL, 0 };
SECItem decodedValue = { siBuffer, NULL, 0 };
rv = cert_FindExtension(cert->extensions, SEC_OID_X509_SUBJECT_KEY_ID,
&encodedValue);
if (rv == SECSuccess) {
PORTCheapArenaPool tmpArena;
PORT_InitCheapArena(&tmpArena, DER_DEFAULT_CHUNKSIZE);
rv = SEC_QuickDERDecodeItem(&tmpArena.arena, &decodedValue,
SEC_ASN1_GET(SEC_OctetStringTemplate),
&encodedValue);
if (rv == SECSuccess) {
rv = SECITEM_CopyItem(NULL, retItem, &decodedValue);
}
PORT_DestroyCheapArena(&tmpArena);
}
SECITEM_FreeItem(&encodedValue, PR_FALSE);
return rv;
}
SECStatus
CERT_FindBasicConstraintExten(CERTCertificate *cert,
CERTBasicConstraints *value)
{
SECItem encodedExtenValue;
SECStatus rv;
encodedExtenValue.data = NULL;
encodedExtenValue.len = 0;
rv = cert_FindExtension(cert->extensions, SEC_OID_X509_BASIC_CONSTRAINTS,
&encodedExtenValue);
if (rv != SECSuccess) {
return (rv);
}
rv = CERT_DecodeBasicConstraintValue(value, &encodedExtenValue);
/* free the raw extension data */
PORT_Free(encodedExtenValue.data);
encodedExtenValue.data = NULL;
return (rv);
}
CERTAuthKeyID *
CERT_FindAuthKeyIDExten(PLArenaPool *arena, CERTCertificate *cert)
{
SECItem encodedExtenValue;
SECStatus rv;
CERTAuthKeyID *ret;
encodedExtenValue.data = NULL;
encodedExtenValue.len = 0;
rv = cert_FindExtension(cert->extensions, SEC_OID_X509_AUTH_KEY_ID,
&encodedExtenValue);
if (rv != SECSuccess) {
return (NULL);
}
ret = CERT_DecodeAuthKeyID(arena, &encodedExtenValue);
PORT_Free(encodedExtenValue.data);
encodedExtenValue.data = NULL;
return (ret);
}
SECStatus
CERT_CheckCertUsage(CERTCertificate *cert, unsigned char usage)
{
SECItem keyUsage;
SECStatus rv;
/* There is no extension, v1 or v2 certificate */
if (cert->extensions == NULL) {
return (SECSuccess);
}
keyUsage.data = NULL;
/* This code formerly ignored the Key Usage extension if it was
** marked non-critical. That was wrong. Since we do understand it,
** we are obligated to honor it, whether or not it is critical.
*/
rv = CERT_FindKeyUsageExtension(cert, &keyUsage);
if (rv == SECFailure) {
rv = (PORT_GetError() == SEC_ERROR_EXTENSION_NOT_FOUND) ? SECSuccess
: SECFailure;
} else if (!keyUsage.data || !keyUsage.len || !(keyUsage.data[0] & usage)) {
PORT_SetError(SEC_ERROR_CERT_USAGES_INVALID);
rv = SECFailure;
}
PORT_Free(keyUsage.data);
return (rv);
}