X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=crypto%2Fx509%2Fx509_cmp.c;h=5dfdcd41cb4ffe117604c6b3ab005a0f52e15a63;hp=f9d9510ac50762a0541030bc428ab0a8177950b3;hb=e6526fbf4dc894d71ae3517a1ba484475b79b402;hpb=58964a492275ca9a59a0cd9c8155cb2491b4b909 diff --git a/crypto/x509/x509_cmp.c b/crypto/x509/x509_cmp.c index f9d9510ac5..5dfdcd41cb 100644 --- a/crypto/x509/x509_cmp.c +++ b/crypto/x509/x509_cmp.c @@ -57,118 +57,230 @@ */ #include -#include -#include +#include #include "cryptlib.h" -#include "asn1.h" -#include "objects.h" -#include "x509.h" +#include +#include +#include +#include -int X509_issuer_and_serial_cmp(a,b) -X509 *a; -X509 *b; +int X509_issuer_and_serial_cmp(const X509 *a, const X509 *b) { int i; X509_CINF *ai,*bi; ai=a->cert_info; bi=b->cert_info; - i=ASN1_INTEGER_cmp(ai->serialNumber,bi->serialNumber); + i=M_ASN1_INTEGER_cmp(ai->serialNumber,bi->serialNumber); if (i) return(i); return(X509_NAME_cmp(ai->issuer,bi->issuer)); } -#ifndef NO_MD5 -unsigned long X509_issuer_and_serial_hash(a) -X509 *a; +#ifndef OPENSSL_NO_MD5 +unsigned long X509_issuer_and_serial_hash(X509 *a) { unsigned long ret=0; - MD5_CTX ctx; + EVP_MD_CTX ctx; unsigned char md[16]; - char str[256]; + char *f; - X509_NAME_oneline(a->cert_info->issuer,str,256); - ret=strlen(str); - MD5_Init(&ctx); - MD5_Update(&ctx,(unsigned char *)str,ret); - MD5_Update(&ctx,(unsigned char *)a->cert_info->serialNumber->data, + EVP_MD_CTX_init(&ctx); + f=X509_NAME_oneline(a->cert_info->issuer,NULL,0); + ret=strlen(f); + EVP_DigestInit_ex(&ctx, EVP_md5(), NULL); + EVP_DigestUpdate(&ctx,(unsigned char *)f,ret); + OPENSSL_free(f); + EVP_DigestUpdate(&ctx,(unsigned char *)a->cert_info->serialNumber->data, (unsigned long)a->cert_info->serialNumber->length); - MD5_Final(&(md[0]),&ctx); + EVP_DigestFinal_ex(&ctx,&(md[0]),NULL); ret=( ((unsigned long)md[0] )|((unsigned long)md[1]<<8L)| ((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L) )&0xffffffffL; + EVP_MD_CTX_cleanup(&ctx); return(ret); } #endif -int X509_issuer_name_cmp(a, b) -X509 *a; -X509 *b; +int X509_issuer_name_cmp(const X509 *a, const X509 *b) { return(X509_NAME_cmp(a->cert_info->issuer,b->cert_info->issuer)); } -int X509_subject_name_cmp(a, b) -X509 *a; -X509 *b; +int X509_subject_name_cmp(const X509 *a, const X509 *b) { return(X509_NAME_cmp(a->cert_info->subject,b->cert_info->subject)); } -int X509_CRL_cmp(a, b) -X509_CRL *a; -X509_CRL *b; +int X509_CRL_cmp(const X509_CRL *a, const X509_CRL *b) { return(X509_NAME_cmp(a->crl->issuer,b->crl->issuer)); } -X509_NAME *X509_get_issuer_name(a) -X509 *a; +X509_NAME *X509_get_issuer_name(X509 *a) { return(a->cert_info->issuer); } -unsigned long X509_issuer_name_hash(x) -X509 *x; +unsigned long X509_issuer_name_hash(X509 *x) { return(X509_NAME_hash(x->cert_info->issuer)); } -X509_NAME *X509_get_subject_name(a) -X509 *a; +X509_NAME *X509_get_subject_name(X509 *a) { return(a->cert_info->subject); } -ASN1_INTEGER *X509_get_serialNumber(a) -X509 *a; +ASN1_INTEGER *X509_get_serialNumber(X509 *a) { return(a->cert_info->serialNumber); } -unsigned long X509_subject_name_hash(x) -X509 *x; +unsigned long X509_subject_name_hash(X509 *x) { return(X509_NAME_hash(x->cert_info->subject)); } -int X509_NAME_cmp(a, b) -X509_NAME *a; -X509_NAME *b; +#ifndef OPENSSL_NO_SHA +/* Compare two certificates: they must be identical for + * this to work. NB: Although "cmp" operations are generally + * prototyped to take "const" arguments (eg. for use in + * STACKs), the way X509 handling is - these operations may + * involve ensuring the hashes are up-to-date and ensuring + * certain cert information is cached. So this is the point + * where the "depth-first" constification tree has to halt + * with an evil cast. + */ +int X509_cmp(const X509 *a, const X509 *b) +{ + /* ensure hash is valid */ + X509_check_purpose((X509 *)a, -1, 0); + X509_check_purpose((X509 *)b, -1, 0); + + return memcmp(a->sha1_hash, b->sha1_hash, SHA_DIGEST_LENGTH); +} +#endif + + +/* Case insensitive string comparision */ +static int nocase_cmp(const ASN1_STRING *a, const ASN1_STRING *b) +{ + int i; + + if (a->length != b->length) + return (a->length - b->length); + + for (i=0; ilength; i++) + { + int ca, cb; + + ca = tolower(a->data[i]); + cb = tolower(b->data[i]); + + if (ca != cb) + return(ca-cb); + } + return 0; +} + +/* Case insensitive string comparision with space normalization + * Space normalization - ignore leading, trailing spaces, + * multiple spaces between characters are replaced by single space + */ +static int nocase_spacenorm_cmp(const ASN1_STRING *a, const ASN1_STRING *b) +{ + unsigned char *pa = NULL, *pb = NULL; + int la, lb; + + la = a->length; + lb = b->length; + pa = a->data; + pb = b->data; + + /* skip leading spaces */ + while (la > 0 && isspace(*pa)) + { + la--; + pa++; + } + while (lb > 0 && isspace(*pb)) + { + lb--; + pb++; + } + + /* skip trailing spaces */ + while (la > 0 && isspace(pa[la-1])) + la--; + while (lb > 0 && isspace(pb[lb-1])) + lb--; + + /* compare strings with space normalization */ + while (la > 0 && lb > 0) + { + int ca, cb; + + /* compare character */ + ca = tolower(*pa); + cb = tolower(*pb); + if (ca != cb) + return (ca - cb); + + pa++; pb++; + la--; lb--; + + if (la <= 0 || lb <= 0) + break; + + /* is white space next character ? */ + if (isspace(*pa) && isspace(*pb)) + { + /* skip remaining white spaces */ + while (la > 0 && isspace(*pa)) + { + la--; + pa++; + } + while (lb > 0 && isspace(*pb)) + { + lb--; + pb++; + } + } + } + if (la > 0 || lb > 0) + return la - lb; + + return 0; +} + +int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b) { int i,j; X509_NAME_ENTRY *na,*nb; - if (sk_num(a->entries) != sk_num(b->entries)) - return(sk_num(a->entries)-sk_num(b->entries)); - for (i=sk_num(a->entries)-1; i>=0; i--) + if (sk_X509_NAME_ENTRY_num(a->entries) + != sk_X509_NAME_ENTRY_num(b->entries)) + return sk_X509_NAME_ENTRY_num(a->entries) + -sk_X509_NAME_ENTRY_num(b->entries); + for (i=sk_X509_NAME_ENTRY_num(a->entries)-1; i>=0; i--) { - na=(X509_NAME_ENTRY *)sk_value(a->entries,i); - nb=(X509_NAME_ENTRY *)sk_value(b->entries,i); - j=na->value->length-nb->value->length; + na=sk_X509_NAME_ENTRY_value(a->entries,i); + nb=sk_X509_NAME_ENTRY_value(b->entries,i); + j=na->value->type-nb->value->type; if (j) return(j); - j=memcmp(na->value->data,nb->value->data, - na->value->length); + if (na->value->type == V_ASN1_PRINTABLESTRING) + j=nocase_spacenorm_cmp(na->value, nb->value); + else if (na->value->type == V_ASN1_IA5STRING + && OBJ_obj2nid(na->object) == NID_pkcs9_emailAddress) + j=nocase_cmp(na->value, nb->value); + else + { + j=na->value->length-nb->value->length; + if (j) return(j); + j=memcmp(na->value->data,nb->value->data, + na->value->length); + } if (j) return(j); j=na->set-nb->set; if (j) return(j); @@ -177,37 +289,27 @@ X509_NAME *b; /* We will check the object types after checking the values * since the values will more often be different than the object * types. */ - for (i=sk_num(a->entries)-1; i>=0; i--) + for (i=sk_X509_NAME_ENTRY_num(a->entries)-1; i>=0; i--) { - na=(X509_NAME_ENTRY *)sk_value(a->entries,i); - nb=(X509_NAME_ENTRY *)sk_value(b->entries,i); + na=sk_X509_NAME_ENTRY_value(a->entries,i); + nb=sk_X509_NAME_ENTRY_value(b->entries,i); j=OBJ_cmp(na->object,nb->object); if (j) return(j); } return(0); } -#ifndef NO_MD5 +#ifndef OPENSSL_NO_MD5 /* I now DER encode the name and hash it. Since I cache the DER encoding, - * this is reasonably effiecent. */ -unsigned long X509_NAME_hash(x) -X509_NAME *x; + * this is reasonably efficient. */ +unsigned long X509_NAME_hash(X509_NAME *x) { unsigned long ret=0; unsigned char md[16]; - unsigned char str[256],*p,*pp; - int i; - - i=i2d_X509_NAME(x,NULL); - if (i > sizeof(str)) - p=Malloc(i); - else - p=str; - pp=p; - i2d_X509_NAME(x,&pp); - MD5((unsigned char *)p,i,&(md[0])); - if (p != str) Free(p); + /* Make sure X509_NAME structure contains valid cached encoding */ + i2d_X509_NAME(x,NULL); + EVP_Digest(x->bytes->data, x->bytes->length, md, NULL, EVP_md5(), NULL); ret=( ((unsigned long)md[0] )|((unsigned long)md[1]<<8L)| ((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L) @@ -217,41 +319,91 @@ X509_NAME *x; #endif /* Search a stack of X509 for a match */ -X509 *X509_find_by_issuer_and_serial(sk,name,serial) -STACK *sk; -X509_NAME *name; -ASN1_INTEGER *serial; +X509 *X509_find_by_issuer_and_serial(STACK_OF(X509) *sk, X509_NAME *name, + ASN1_INTEGER *serial) { int i; X509_CINF cinf; X509 x,*x509=NULL; + if(!sk) return NULL; + x.cert_info= &cinf; cinf.serialNumber=serial; cinf.issuer=name; - for (i=0; icert_info == NULL)) + return(NULL); + return(X509_PUBKEY_get(x->cert_info->key)); + } + +ASN1_BIT_STRING *X509_get0_pubkey_bitstr(const X509 *x) + { + if(!x) return NULL; + return x->cert_info->key->public_key; + } + +int X509_check_private_key(X509 *x, EVP_PKEY *k) + { + EVP_PKEY *xk=NULL; + int ok=0; + + xk=X509_get_pubkey(x); + switch (EVP_PKEY_cmp(xk, k)) + { + case 1: + ok=1; + break; + case 0: + X509err(X509_F_X509_CHECK_PRIVATE_KEY,X509_R_KEY_VALUES_MISMATCH); + break; + case -1: + X509err(X509_F_X509_CHECK_PRIVATE_KEY,X509_R_KEY_TYPE_MISMATCH); + break; + case -2: +#ifndef OPENSSL_NO_EC + if (k->type == EVP_PKEY_EC) + { + X509err(X509_F_X509_CHECK_PRIVATE_KEY, ERR_R_EC_LIB); + break; + } +#endif +#ifndef OPENSSL_NO_DH + if (k->type == EVP_PKEY_DH) + { + /* No idea */ + X509err(X509_F_X509_CHECK_PRIVATE_KEY,X509_R_CANT_CHECK_DH_KEY); + break; + } +#endif + X509err(X509_F_X509_CHECK_PRIVATE_KEY,X509_R_UNKNOWN_KEY_TYPE); + } + + EVP_PKEY_free(xk); + return(ok); + }