X-Git-Url: https://git.openssl.org/gitweb/?a=blobdiff_plain;f=crypto%2Fasn1%2Fx_name.c;h=c6658d7affac55c22589c146973842f9f85f865c;hb=5e4430e70df0020f5f1517249851696cb9ac4ad2;hp=15d9aa4ea00039aae32ee6d6c43ebdb491361637;hpb=ec577822f95a8bca0023c5c77cef1a4916822d4a;p=openssl.git diff --git a/crypto/asn1/x_name.c b/crypto/asn1/x_name.c index 15d9aa4ea0..c6658d7aff 100644 --- a/crypto/asn1/x_name.c +++ b/crypto/asn1/x_name.c @@ -57,222 +57,448 @@ */ #include +#include #include "cryptlib.h" -#include -#include - -/* - * ASN1err(ASN1_F_D2I_X509_NAME,ERR_R_ASN1_LENGTH_MISMATCH); - * ASN1err(ASN1_F_X509_NAME_NEW,ASN1_R_UNKNOWN_ATTRIBUTE_TYPE); - * ASN1err(ASN1_F_D2I_X509_NAME_ENTRY,ERR_R_ASN1_LENGTH_MISMATCH); - * ASN1err(ASN1_F_X509_NAME_ENTRY_NEW,ASN1_R_UNKNOWN_ATTRIBUTE_TYPE); +#include +#include +#include "asn1_locl.h" + +typedef STACK_OF(X509_NAME_ENTRY) STACK_OF_X509_NAME_ENTRY; +DECLARE_STACK_OF(STACK_OF_X509_NAME_ENTRY) + +static int x509_name_ex_d2i(ASN1_VALUE **val, + const unsigned char **in, long len, + const ASN1_ITEM *it, + int tag, int aclass, char opt, ASN1_TLC *ctx); + +static int x509_name_ex_i2d(ASN1_VALUE **val, unsigned char **out, + const ASN1_ITEM *it, int tag, int aclass); +static int x509_name_ex_new(ASN1_VALUE **val, const ASN1_ITEM *it); +static void x509_name_ex_free(ASN1_VALUE **val, const ASN1_ITEM *it); + +static int x509_name_encode(X509_NAME *a); +static int x509_name_canon(X509_NAME *a); +static int asn1_string_canon(ASN1_STRING *out, ASN1_STRING *in); +static int i2d_name_canon(STACK_OF(STACK_OF_X509_NAME_ENTRY) *intname, + unsigned char **in); + + +static int x509_name_ex_print(BIO *out, ASN1_VALUE **pval, + int indent, + const char *fname, + const ASN1_PCTX *pctx); + +ASN1_SEQUENCE(X509_NAME_ENTRY) = { + ASN1_SIMPLE(X509_NAME_ENTRY, object, ASN1_OBJECT), + ASN1_SIMPLE(X509_NAME_ENTRY, value, ASN1_PRINTABLE) +} ASN1_SEQUENCE_END(X509_NAME_ENTRY) + +IMPLEMENT_ASN1_FUNCTIONS(X509_NAME_ENTRY) +IMPLEMENT_ASN1_DUP_FUNCTION(X509_NAME_ENTRY) + +/* For the "Name" type we need a SEQUENCE OF { SET OF X509_NAME_ENTRY } + * so declare two template wrappers for this */ -#ifndef NOPROTO -static int i2d_X509_NAME_entries(X509_NAME *a); -#else -static int i2d_X509_NAME_entries(); -#endif +ASN1_ITEM_TEMPLATE(X509_NAME_ENTRIES) = + ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SET_OF, 0, RDNS, X509_NAME_ENTRY) +ASN1_ITEM_TEMPLATE_END(X509_NAME_ENTRIES) -int i2d_X509_NAME_ENTRY(X509_NAME_ENTRY *a, unsigned char **pp) - { - M_ASN1_I2D_vars(a); +ASN1_ITEM_TEMPLATE(X509_NAME_INTERNAL) = + ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, Name, X509_NAME_ENTRIES) +ASN1_ITEM_TEMPLATE_END(X509_NAME_INTERNAL) - M_ASN1_I2D_len(a->object,i2d_ASN1_OBJECT); - M_ASN1_I2D_len(a->value,i2d_ASN1_PRINTABLE); +/* Normally that's where it would end: we'd have two nested STACK structures + * representing the ASN1. Unfortunately X509_NAME uses a completely different + * form and caches encodings so we have to process the internal form and convert + * to the external form. + */ - M_ASN1_I2D_seq_total(); +const ASN1_EXTERN_FUNCS x509_name_ff = { + NULL, + x509_name_ex_new, + x509_name_ex_free, + 0, /* Default clear behaviour is OK */ + x509_name_ex_d2i, + x509_name_ex_i2d, + x509_name_ex_print +}; + +IMPLEMENT_EXTERN_ASN1(X509_NAME, V_ASN1_SEQUENCE, x509_name_ff) + +IMPLEMENT_ASN1_FUNCTIONS(X509_NAME) +IMPLEMENT_ASN1_DUP_FUNCTION(X509_NAME) + +static int x509_name_ex_new(ASN1_VALUE **val, const ASN1_ITEM *it) +{ + X509_NAME *ret = NULL; + ret = OPENSSL_malloc(sizeof(X509_NAME)); + if(!ret) goto memerr; + if ((ret->entries=sk_X509_NAME_ENTRY_new_null()) == NULL) + goto memerr; + if((ret->bytes = BUF_MEM_new()) == NULL) goto memerr; + ret->canon_enc = NULL; + ret->canon_enclen = 0; + ret->modified=1; + *val = (ASN1_VALUE *)ret; + return 1; - M_ASN1_I2D_put(a->object,i2d_ASN1_OBJECT); - M_ASN1_I2D_put(a->value,i2d_ASN1_PRINTABLE); + memerr: + ASN1err(ASN1_F_X509_NAME_EX_NEW, ERR_R_MALLOC_FAILURE); + if (ret) + { + if (ret->entries) + sk_X509_NAME_ENTRY_free(ret->entries); + OPENSSL_free(ret); + } + return 0; +} + +static void x509_name_ex_free(ASN1_VALUE **pval, const ASN1_ITEM *it) +{ + X509_NAME *a; + if(!pval || !*pval) + return; + a = (X509_NAME *)*pval; - M_ASN1_I2D_finish(); + BUF_MEM_free(a->bytes); + sk_X509_NAME_ENTRY_pop_free(a->entries,X509_NAME_ENTRY_free); + if (a->canon_enc) + OPENSSL_free(a->canon_enc); + OPENSSL_free(a); + *pval = NULL; +} + +static int x509_name_ex_d2i(ASN1_VALUE **val, + const unsigned char **in, long len, const ASN1_ITEM *it, + int tag, int aclass, char opt, ASN1_TLC *ctx) +{ + const unsigned char *p = *in, *q; + union { STACK_OF(STACK_OF_X509_NAME_ENTRY) *s; + ASN1_VALUE *a; } intname = {NULL}; + union { X509_NAME *x; ASN1_VALUE *a; } nm = {NULL}; + int i, j, ret; + STACK_OF(X509_NAME_ENTRY) *entries; + X509_NAME_ENTRY *entry; + q = p; + + /* Get internal representation of Name */ + ret = ASN1_item_ex_d2i(&intname.a, + &p, len, ASN1_ITEM_rptr(X509_NAME_INTERNAL), + tag, aclass, opt, ctx); + + if(ret <= 0) return ret; + + if(*val) x509_name_ex_free(val, NULL); + if(!x509_name_ex_new(&nm.a, NULL)) goto err; + /* We've decoded it: now cache encoding */ + if(!BUF_MEM_grow(nm.x->bytes, p - q)) goto err; + memcpy(nm.x->bytes->data, q, p - q); + + /* Convert internal representation to X509_NAME structure */ + for(i = 0; i < sk_STACK_OF_X509_NAME_ENTRY_num(intname.s); i++) { + entries = sk_STACK_OF_X509_NAME_ENTRY_value(intname.s, i); + for(j = 0; j < sk_X509_NAME_ENTRY_num(entries); j++) { + entry = sk_X509_NAME_ENTRY_value(entries, j); + entry->set = i; + if(!sk_X509_NAME_ENTRY_push(nm.x->entries, entry)) + goto err; + } + sk_X509_NAME_ENTRY_free(entries); + } + sk_STACK_OF_X509_NAME_ENTRY_free(intname.s); + ret = x509_name_canon(nm.x); + if (!ret) + goto err; + nm.x->modified = 0; + *val = nm.a; + *in = p; + return ret; + err: + ASN1err(ASN1_F_X509_NAME_EX_D2I, ERR_R_NESTED_ASN1_ERROR); + return 0; +} + +static int x509_name_ex_i2d(ASN1_VALUE **val, unsigned char **out, const ASN1_ITEM *it, int tag, int aclass) +{ + int ret; + X509_NAME *a = (X509_NAME *)*val; + if(a->modified) { + ret = x509_name_encode(a); + if(ret < 0) + return ret; + ret = x509_name_canon(a); + if(ret < 0) + return ret; } + ret = a->bytes->length; + if(out != NULL) { + memcpy(*out,a->bytes->data,ret); + *out+=ret; + } + return ret; +} -X509_NAME_ENTRY *d2i_X509_NAME_ENTRY(X509_NAME_ENTRY **a, unsigned char **pp, - long length) +static void local_sk_X509_NAME_ENTRY_free(STACK_OF(X509_NAME_ENTRY) *ne) { - M_ASN1_D2I_vars(a,X509_NAME_ENTRY *,X509_NAME_ENTRY_new); - - M_ASN1_D2I_Init(); - M_ASN1_D2I_start_sequence(); - M_ASN1_D2I_get(ret->object,d2i_ASN1_OBJECT); - M_ASN1_D2I_get(ret->value,d2i_ASN1_PRINTABLE); - ret->set=0; - M_ASN1_D2I_Finish(a,X509_NAME_ENTRY_free,ASN1_F_D2I_X509_NAME_ENTRY); + sk_X509_NAME_ENTRY_free(ne); } -int i2d_X509_NAME(X509_NAME *a, unsigned char **pp) +static void local_sk_X509_NAME_ENTRY_pop_free(STACK_OF(X509_NAME_ENTRY) *ne) { - int ret; - - if (a == NULL) return(0); - if (a->modified) - { - ret=i2d_X509_NAME_entries(a); - if (ret < 0) return(ret); - } + sk_X509_NAME_ENTRY_pop_free(ne, X509_NAME_ENTRY_free); + } - ret=a->bytes->length; - if (pp != NULL) - { - memcpy(*pp,a->bytes->data,ret); - *pp+=ret; +static int x509_name_encode(X509_NAME *a) +{ + union { STACK_OF(STACK_OF_X509_NAME_ENTRY) *s; + ASN1_VALUE *a; } intname = {NULL}; + int len; + unsigned char *p; + STACK_OF(X509_NAME_ENTRY) *entries = NULL; + X509_NAME_ENTRY *entry; + int i, set = -1; + intname.s = sk_STACK_OF_X509_NAME_ENTRY_new_null(); + if(!intname.s) goto memerr; + for(i = 0; i < sk_X509_NAME_ENTRY_num(a->entries); i++) { + entry = sk_X509_NAME_ENTRY_value(a->entries, i); + if(entry->set != set) { + entries = sk_X509_NAME_ENTRY_new_null(); + if(!entries) goto memerr; + if(!sk_STACK_OF_X509_NAME_ENTRY_push(intname.s, + entries)) + goto memerr; + set = entry->set; } - return(ret); + if(!sk_X509_NAME_ENTRY_push(entries, entry)) goto memerr; + } + len = ASN1_item_ex_i2d(&intname.a, NULL, + ASN1_ITEM_rptr(X509_NAME_INTERNAL), -1, -1); + if (!BUF_MEM_grow(a->bytes,len)) goto memerr; + p=(unsigned char *)a->bytes->data; + ASN1_item_ex_i2d(&intname.a, + &p, ASN1_ITEM_rptr(X509_NAME_INTERNAL), -1, -1); + sk_STACK_OF_X509_NAME_ENTRY_pop_free(intname.s, + local_sk_X509_NAME_ENTRY_free); + a->modified = 0; + return len; +memerr: + sk_STACK_OF_X509_NAME_ENTRY_pop_free(intname.s, + local_sk_X509_NAME_ENTRY_free); + ASN1err(ASN1_F_X509_NAME_ENCODE, ERR_R_MALLOC_FAILURE); + return -1; +} + +static int x509_name_ex_print(BIO *out, ASN1_VALUE **pval, + int indent, + const char *fname, + const ASN1_PCTX *pctx) + { + if (X509_NAME_print_ex(out, (X509_NAME *)*pval, + indent, pctx->nm_flags) <= 0) + return 0; + return 2; } -static int i2d_X509_NAME_entries(X509_NAME *a) +/* This function generates the canonical encoding of the Name structure. + * In it all strings are converted to UTF8, leading, trailing and + * multiple spaces collapsed, converted to lower case and the leading + * SEQUENCE header removed. + * + * In future we could also normalize the UTF8 too. + * + * By doing this comparison of Name structures can be rapidly + * perfomed by just using memcmp() of the canonical encoding. + * By omitting the leading SEQUENCE name constraints of type + * dirName can also be checked with a simple memcmp(). + */ + +static int x509_name_canon(X509_NAME *a) { - X509_NAME_ENTRY *ne,*fe=NULL; - STACK *sk; - BUF_MEM *buf=NULL; - int set=0,r,ret=0; - int i; unsigned char *p; - int size=0; + STACK_OF(STACK_OF_X509_NAME_ENTRY) *intname = NULL; + STACK_OF(X509_NAME_ENTRY) *entries = NULL; + X509_NAME_ENTRY *entry, *tmpentry = NULL; + int i, set = -1, ret = 0; - sk=a->entries; - for (i=0; icanon_enc) { - ne=(X509_NAME_ENTRY *)sk_value(sk,i); - if (fe == NULL) - { - fe=ne; - size=0; - } - - if (ne->set != set) + OPENSSL_free(a->canon_enc); + a->canon_enc = NULL; + } + /* Special case: empty X509_NAME => null encoding */ + if (sk_X509_NAME_ENTRY_num(a->entries) == 0) + { + a->canon_enclen = 0; + return 1; + } + intname = sk_STACK_OF_X509_NAME_ENTRY_new_null(); + if(!intname) + goto err; + for(i = 0; i < sk_X509_NAME_ENTRY_num(a->entries); i++) + { + entry = sk_X509_NAME_ENTRY_value(a->entries, i); + if(entry->set != set) { - ret+=ASN1_object_size(1,size,V_ASN1_SET); - fe->size=size; - fe=ne; - size=0; - set=ne->set; + entries = sk_X509_NAME_ENTRY_new_null(); + if(!entries) + goto err; + if(!sk_STACK_OF_X509_NAME_ENTRY_push(intname, entries)) + goto err; + set = entry->set; } - size+=i2d_X509_NAME_ENTRY(ne,NULL); + tmpentry = X509_NAME_ENTRY_new(); + tmpentry->object = OBJ_dup(entry->object); + if (!asn1_string_canon(tmpentry->value, entry->value)) + goto err; + if(!sk_X509_NAME_ENTRY_push(entries, tmpentry)) + goto err; + tmpentry = NULL; } - ret+=ASN1_object_size(1,size,V_ASN1_SET); - if (fe != NULL) - fe->size=size; + /* Finally generate encoding */ - r=ASN1_object_size(1,ret,V_ASN1_SEQUENCE); + a->canon_enclen = i2d_name_canon(intname, NULL); - buf=a->bytes; - if (!BUF_MEM_grow(buf,r)) goto err; - p=(unsigned char *)buf->data; + p = OPENSSL_malloc(a->canon_enclen); - ASN1_put_object(&p,1,ret,V_ASN1_SEQUENCE,V_ASN1_UNIVERSAL); + if (!p) + goto err; - set= -1; - for (i=0; iset) - { - set=ne->set; - ASN1_put_object(&p,1,ne->size, - V_ASN1_SET,V_ASN1_UNIVERSAL); - } - i2d_X509_NAME_ENTRY(ne,&p); - } - a->modified=0; - return(r); -err: - return(-1); + a->canon_enc = p; + + i2d_name_canon(intname, &p); + + ret = 1; + + err: + + if (tmpentry) + X509_NAME_ENTRY_free(tmpentry); + if (intname) + sk_STACK_OF_X509_NAME_ENTRY_pop_free(intname, + local_sk_X509_NAME_ENTRY_pop_free); + return ret; } -X509_NAME *d2i_X509_NAME(X509_NAME **a, unsigned char **pp, long length) +/* Bitmap of all the types of string that will be canonicalized. */ + +#define ASN1_MASK_CANON \ + (B_ASN1_UTF8STRING | B_ASN1_BMPSTRING | B_ASN1_UNIVERSALSTRING \ + | B_ASN1_PRINTABLESTRING | B_ASN1_T61STRING | B_ASN1_IA5STRING \ + | B_ASN1_VISIBLESTRING) + + +static int asn1_string_canon(ASN1_STRING *out, ASN1_STRING *in) { - int set=0,i; - int idx=0; - unsigned char *orig; - M_ASN1_D2I_vars(a,X509_NAME *,X509_NAME_new); + unsigned char *to, *from; + int len, i; - orig= *pp; - if (sk_num(ret->entries) > 0) + /* If type not in bitmask just copy string across */ + if (!(ASN1_tag2bit(in->type) & ASN1_MASK_CANON)) { - while (sk_num(ret->entries) > 0) - X509_NAME_ENTRY_free((X509_NAME_ENTRY *) - sk_pop(ret->entries)); + out->type = in->type; + if (!ASN1_STRING_set(out, in->data, in->length)) + return 0; } - M_ASN1_D2I_Init(); - M_ASN1_D2I_start_sequence(); - for (;;) + out->type = V_ASN1_UTF8STRING; + out->length = ASN1_STRING_to_UTF8(&out->data, in); + if (out->length == -1) + return 0; + + to = out->data; + from = to; + + len = out->length; + + /* Convert string in place to canonical form. + * Ultimately we may need to handle a wider range of characters + * but for now ignore anything with MSB set and rely on the + * isspace() and tolower() functions. + */ + + /* Ignore leading spaces */ + while((len > 0) && !(*from & 0x80) && isspace(*from)) { - if (M_ASN1_D2I_end_sequence()) break; - M_ASN1_D2I_get_set(ret->entries,d2i_X509_NAME_ENTRY, - X509_NAME_ENTRY_free); - for (; idx < sk_num(ret->entries); idx++) - { - ((X509_NAME_ENTRY *)sk_value(ret->entries,idx))->set= - set; - } - set++; + from++; + len--; } - i=(int)(c.p-orig); - if (!BUF_MEM_grow(ret->bytes,i)) goto err; - memcpy(ret->bytes->data,orig,i); - ret->bytes->length=i; - ret->modified=0; + to = from + len - 1; - M_ASN1_D2I_Finish(a,X509_NAME_free,ASN1_F_D2I_X509_NAME); - } + /* Ignore trailing spaces */ + while ((len > 0) && !(*to & 0x80) && isspace(*to)) + { + to--; + len--; + } -X509_NAME *X509_NAME_new(void) - { - X509_NAME *ret=NULL; - ASN1_CTX c; + to = out->data; - M_ASN1_New_Malloc(ret,X509_NAME); - if ((ret->entries=sk_new(NULL)) == NULL) - { c.line=__LINE__; goto err2; } - M_ASN1_New(ret->bytes,BUF_MEM_new); - ret->modified=1; - return(ret); - M_ASN1_New_Error(ASN1_F_X509_NAME_NEW); - } + i = 0; + while(i < len) + { + /* If MSB set just copy across */ + if (*from & 0x80) + { + *to++ = *from++; + i++; + } + /* Collapse multiple spaces */ + else if (isspace(*from)) + { + /* Copy one space across */ + *to++ = ' '; + /* Ignore subsequent spaces. Note: don't need to + * check len here because we know the last + * character is a non-space so we can't overflow. + */ + do + { + from++; + i++; + } + while(!(*from & 0x80) && isspace(*from)); + } + else + { + *to++ = tolower(*from++); + i++; + } + } -X509_NAME_ENTRY *X509_NAME_ENTRY_new(void) - { - X509_NAME_ENTRY *ret=NULL; - ASN1_CTX c; - - M_ASN1_New_Malloc(ret,X509_NAME_ENTRY); -/* M_ASN1_New(ret->object,ASN1_OBJECT_new);*/ - ret->object=NULL; - ret->set=0; - M_ASN1_New(ret->value,ASN1_STRING_new); - return(ret); - M_ASN1_New_Error(ASN1_F_X509_NAME_ENTRY_NEW); - } + out->length = to - out->data; -void X509_NAME_free(X509_NAME *a) - { - if(a == NULL) - return; + return 1; - BUF_MEM_free(a->bytes); - sk_pop_free(a->entries,X509_NAME_ENTRY_free); - Free((char *)a); } -void X509_NAME_ENTRY_free(X509_NAME_ENTRY *a) +static int i2d_name_canon(STACK_OF(STACK_OF_X509_NAME_ENTRY) *_intname, + unsigned char **in) { - if (a == NULL) return; - ASN1_OBJECT_free(a->object); - ASN1_BIT_STRING_free(a->value); - Free((char *)a); + int i, len, ltmp; + ASN1_VALUE *v; + STACK_OF(ASN1_VALUE) *intname = (STACK_OF(ASN1_VALUE) *)_intname; + + len = 0; + for (i = 0; i < sk_ASN1_VALUE_num(intname); i++) + { + v = sk_ASN1_VALUE_value(intname, i); + ltmp = ASN1_item_ex_i2d(&v, in, + ASN1_ITEM_rptr(X509_NAME_ENTRIES), -1, -1); + if (ltmp < 0) + return ltmp; + len += ltmp; + } + return len; } int X509_NAME_set(X509_NAME **xn, X509_NAME *name) { X509_NAME *in; - if (*xn == NULL) return(0); + if (!xn || !name) return(0); if (*xn != name) { @@ -286,3 +512,5 @@ int X509_NAME_set(X509_NAME **xn, X509_NAME *name) return(*xn != NULL); } +IMPLEMENT_STACK_OF(X509_NAME_ENTRY) +IMPLEMENT_ASN1_SET_OF(X509_NAME_ENTRY)