2 * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 #include "crypto/ctype.h"
12 #include "internal/cryptlib.h"
13 #include <openssl/asn1t.h>
14 #include <openssl/x509.h>
15 #include "crypto/x509.h"
16 #include "crypto/asn1.h"
17 #include "x509_local.h"
19 DEFINE_STACK_OF(ASN1_VALUE
)
22 * Maximum length of X509_NAME: much larger than anything we should
23 * ever see in practice.
26 #define X509_NAME_MAX (1024 * 1024)
28 static int x509_name_ex_d2i(ASN1_VALUE
**val
,
29 const unsigned char **in
, long len
,
31 int tag
, int aclass
, char opt
, ASN1_TLC
*ctx
);
33 static int x509_name_ex_i2d(const ASN1_VALUE
**val
, unsigned char **out
,
34 const ASN1_ITEM
*it
, int tag
, int aclass
);
35 static int x509_name_ex_new(ASN1_VALUE
**val
, const ASN1_ITEM
*it
);
36 static void x509_name_ex_free(ASN1_VALUE
**val
, const ASN1_ITEM
*it
);
38 static int x509_name_encode(X509_NAME
*a
);
39 static int x509_name_canon(X509_NAME
*a
);
40 static int asn1_string_canon(ASN1_STRING
*out
, const ASN1_STRING
*in
);
41 static int i2d_name_canon(const STACK_OF(STACK_OF_X509_NAME_ENTRY
) * intname
,
44 static int x509_name_ex_print(BIO
*out
, const ASN1_VALUE
**pval
,
46 const char *fname
, const ASN1_PCTX
*pctx
);
48 ASN1_SEQUENCE(X509_NAME_ENTRY
) = {
49 ASN1_SIMPLE(X509_NAME_ENTRY
, object
, ASN1_OBJECT
),
50 ASN1_SIMPLE(X509_NAME_ENTRY
, value
, ASN1_PRINTABLE
)
51 } ASN1_SEQUENCE_END(X509_NAME_ENTRY
)
53 IMPLEMENT_ASN1_FUNCTIONS(X509_NAME_ENTRY
)
54 IMPLEMENT_ASN1_DUP_FUNCTION(X509_NAME_ENTRY
)
57 * For the "Name" type we need a SEQUENCE OF { SET OF X509_NAME_ENTRY } so
58 * declare two template wrappers for this
61 ASN1_ITEM_TEMPLATE(X509_NAME_ENTRIES
) =
62 ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SET_OF
, 0, RDNS
, X509_NAME_ENTRY
)
63 static_ASN1_ITEM_TEMPLATE_END(X509_NAME_ENTRIES
)
65 ASN1_ITEM_TEMPLATE(X509_NAME_INTERNAL
) =
66 ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF
, 0, Name
, X509_NAME_ENTRIES
)
67 static_ASN1_ITEM_TEMPLATE_END(X509_NAME_INTERNAL
)
70 * Normally that's where it would end: we'd have two nested STACK structures
71 * representing the ASN1. Unfortunately X509_NAME uses a completely different
72 * form and caches encodings so we have to process the internal form and
73 * convert to the external form.
76 static const ASN1_EXTERN_FUNCS x509_name_ff
= {
80 0, /* Default clear behaviour is OK */
86 IMPLEMENT_EXTERN_ASN1(X509_NAME
, V_ASN1_SEQUENCE
, x509_name_ff
)
88 IMPLEMENT_ASN1_FUNCTIONS(X509_NAME
)
90 IMPLEMENT_ASN1_DUP_FUNCTION(X509_NAME
)
92 static int x509_name_ex_new(ASN1_VALUE
**val
, const ASN1_ITEM
*it
)
94 X509_NAME
*ret
= OPENSSL_zalloc(sizeof(*ret
));
98 if ((ret
->entries
= sk_X509_NAME_ENTRY_new_null()) == NULL
)
100 if ((ret
->bytes
= BUF_MEM_new()) == NULL
)
103 *val
= (ASN1_VALUE
*)ret
;
107 ASN1err(ASN1_F_X509_NAME_EX_NEW
, ERR_R_MALLOC_FAILURE
);
109 sk_X509_NAME_ENTRY_free(ret
->entries
);
115 static void x509_name_ex_free(ASN1_VALUE
**pval
, const ASN1_ITEM
*it
)
119 if (pval
== NULL
|| *pval
== NULL
)
121 a
= (X509_NAME
*)*pval
;
123 BUF_MEM_free(a
->bytes
);
124 sk_X509_NAME_ENTRY_pop_free(a
->entries
, X509_NAME_ENTRY_free
);
125 OPENSSL_free(a
->canon_enc
);
130 static void local_sk_X509_NAME_ENTRY_free(STACK_OF(X509_NAME_ENTRY
) *ne
)
132 sk_X509_NAME_ENTRY_free(ne
);
135 static void local_sk_X509_NAME_ENTRY_pop_free(STACK_OF(X509_NAME_ENTRY
) *ne
)
137 sk_X509_NAME_ENTRY_pop_free(ne
, X509_NAME_ENTRY_free
);
140 static int x509_name_ex_d2i(ASN1_VALUE
**val
,
141 const unsigned char **in
, long len
,
142 const ASN1_ITEM
*it
, int tag
, int aclass
,
143 char opt
, ASN1_TLC
*ctx
)
145 const unsigned char *p
= *in
, *q
;
147 STACK_OF(STACK_OF_X509_NAME_ENTRY
) *s
;
159 STACK_OF(X509_NAME_ENTRY
) *entries
;
160 X509_NAME_ENTRY
*entry
;
162 if (len
> X509_NAME_MAX
)
166 /* Get internal representation of Name */
167 ret
= ASN1_item_ex_d2i(&intname
.a
,
168 &p
, len
, ASN1_ITEM_rptr(X509_NAME_INTERNAL
),
169 tag
, aclass
, opt
, ctx
);
175 x509_name_ex_free(val
, NULL
);
176 if (!x509_name_ex_new(&nm
.a
, NULL
))
178 /* We've decoded it: now cache encoding */
179 if (!BUF_MEM_grow(nm
.x
->bytes
, p
- q
))
181 memcpy(nm
.x
->bytes
->data
, q
, p
- q
);
183 /* Convert internal representation to X509_NAME structure */
184 for (i
= 0; i
< sk_STACK_OF_X509_NAME_ENTRY_num(intname
.s
); i
++) {
185 entries
= sk_STACK_OF_X509_NAME_ENTRY_value(intname
.s
, i
);
186 for (j
= 0; j
< sk_X509_NAME_ENTRY_num(entries
); j
++) {
187 entry
= sk_X509_NAME_ENTRY_value(entries
, j
);
189 if (!sk_X509_NAME_ENTRY_push(nm
.x
->entries
, entry
))
191 sk_X509_NAME_ENTRY_set(entries
, j
, NULL
);
194 ret
= x509_name_canon(nm
.x
);
197 sk_STACK_OF_X509_NAME_ENTRY_pop_free(intname
.s
,
198 local_sk_X509_NAME_ENTRY_free
);
206 X509_NAME_free(nm
.x
);
207 sk_STACK_OF_X509_NAME_ENTRY_pop_free(intname
.s
,
208 local_sk_X509_NAME_ENTRY_pop_free
);
209 ASN1err(ASN1_F_X509_NAME_EX_D2I
, ERR_R_NESTED_ASN1_ERROR
);
213 static int x509_name_ex_i2d(const ASN1_VALUE
**val
, unsigned char **out
,
214 const ASN1_ITEM
*it
, int tag
, int aclass
)
217 X509_NAME
*a
= (X509_NAME
*)*val
;
220 ret
= x509_name_encode(a
);
223 ret
= x509_name_canon(a
);
227 ret
= a
->bytes
->length
;
229 memcpy(*out
, a
->bytes
->data
, ret
);
235 static int x509_name_encode(X509_NAME
*a
)
238 STACK_OF(STACK_OF_X509_NAME_ENTRY
) *s
;
245 STACK_OF(X509_NAME_ENTRY
) *entries
= NULL
;
246 X509_NAME_ENTRY
*entry
;
249 intname
.s
= sk_STACK_OF_X509_NAME_ENTRY_new_null();
252 for (i
= 0; i
< sk_X509_NAME_ENTRY_num(a
->entries
); i
++) {
253 entry
= sk_X509_NAME_ENTRY_value(a
->entries
, i
);
254 if (entry
->set
!= set
) {
255 entries
= sk_X509_NAME_ENTRY_new_null();
258 if (!sk_STACK_OF_X509_NAME_ENTRY_push(intname
.s
, entries
)) {
259 sk_X509_NAME_ENTRY_free(entries
);
264 if (!sk_X509_NAME_ENTRY_push(entries
, entry
))
267 len
= ASN1_item_ex_i2d(&intname
.a
, NULL
,
268 ASN1_ITEM_rptr(X509_NAME_INTERNAL
), -1, -1);
269 if (!BUF_MEM_grow(a
->bytes
, len
))
271 p
= (unsigned char *)a
->bytes
->data
;
272 ASN1_item_ex_i2d(&intname
.a
,
273 &p
, ASN1_ITEM_rptr(X509_NAME_INTERNAL
), -1, -1);
274 sk_STACK_OF_X509_NAME_ENTRY_pop_free(intname
.s
,
275 local_sk_X509_NAME_ENTRY_free
);
279 sk_STACK_OF_X509_NAME_ENTRY_pop_free(intname
.s
,
280 local_sk_X509_NAME_ENTRY_free
);
281 ASN1err(ASN1_F_X509_NAME_ENCODE
, ERR_R_MALLOC_FAILURE
);
285 static int x509_name_ex_print(BIO
*out
, const ASN1_VALUE
**pval
,
287 const char *fname
, const ASN1_PCTX
*pctx
)
289 if (X509_NAME_print_ex(out
, (const X509_NAME
*)*pval
,
290 indent
, pctx
->nm_flags
) <= 0)
296 * This function generates the canonical encoding of the Name structure. In
297 * it all strings are converted to UTF8, leading, trailing and multiple
298 * spaces collapsed, converted to lower case and the leading SEQUENCE header
299 * removed. In future we could also normalize the UTF8 too. By doing this
300 * comparison of Name structures can be rapidly performed by just using
301 * memcmp() of the canonical encoding. By omitting the leading SEQUENCE name
302 * constraints of type dirName can also be checked with a simple memcmp().
305 static int x509_name_canon(X509_NAME
*a
)
308 STACK_OF(STACK_OF_X509_NAME_ENTRY
) *intname
;
309 STACK_OF(X509_NAME_ENTRY
) *entries
= NULL
;
310 X509_NAME_ENTRY
*entry
, *tmpentry
= NULL
;
311 int i
, set
= -1, ret
= 0, len
;
313 OPENSSL_free(a
->canon_enc
);
315 /* Special case: empty X509_NAME => null encoding */
316 if (sk_X509_NAME_ENTRY_num(a
->entries
) == 0) {
320 intname
= sk_STACK_OF_X509_NAME_ENTRY_new_null();
321 if (intname
== NULL
) {
322 X509err(X509_F_X509_NAME_CANON
, ERR_R_MALLOC_FAILURE
);
325 for (i
= 0; i
< sk_X509_NAME_ENTRY_num(a
->entries
); i
++) {
326 entry
= sk_X509_NAME_ENTRY_value(a
->entries
, i
);
327 if (entry
->set
!= set
) {
328 entries
= sk_X509_NAME_ENTRY_new_null();
331 if (!sk_STACK_OF_X509_NAME_ENTRY_push(intname
, entries
)) {
332 sk_X509_NAME_ENTRY_free(entries
);
333 X509err(X509_F_X509_NAME_CANON
, ERR_R_MALLOC_FAILURE
);
338 tmpentry
= X509_NAME_ENTRY_new();
339 if (tmpentry
== NULL
) {
340 X509err(X509_F_X509_NAME_CANON
, ERR_R_MALLOC_FAILURE
);
343 tmpentry
->object
= OBJ_dup(entry
->object
);
344 if (tmpentry
->object
== NULL
) {
345 X509err(X509_F_X509_NAME_CANON
, ERR_R_MALLOC_FAILURE
);
348 if (!asn1_string_canon(tmpentry
->value
, entry
->value
))
350 if (!sk_X509_NAME_ENTRY_push(entries
, tmpentry
)) {
351 X509err(X509_F_X509_NAME_CANON
, ERR_R_MALLOC_FAILURE
);
357 /* Finally generate encoding */
358 len
= i2d_name_canon(intname
, NULL
);
361 a
->canon_enclen
= len
;
363 p
= OPENSSL_malloc(a
->canon_enclen
);
365 X509err(X509_F_X509_NAME_CANON
, ERR_R_MALLOC_FAILURE
);
371 i2d_name_canon(intname
, &p
);
376 X509_NAME_ENTRY_free(tmpentry
);
377 sk_STACK_OF_X509_NAME_ENTRY_pop_free(intname
,
378 local_sk_X509_NAME_ENTRY_pop_free
);
382 /* Bitmap of all the types of string that will be canonicalized. */
384 #define ASN1_MASK_CANON \
385 (B_ASN1_UTF8STRING | B_ASN1_BMPSTRING | B_ASN1_UNIVERSALSTRING \
386 | B_ASN1_PRINTABLESTRING | B_ASN1_T61STRING | B_ASN1_IA5STRING \
387 | B_ASN1_VISIBLESTRING)
389 static int asn1_string_canon(ASN1_STRING
*out
, const ASN1_STRING
*in
)
391 unsigned char *to
, *from
;
394 /* If type not in bitmask just copy string across */
395 if (!(ASN1_tag2bit(in
->type
) & ASN1_MASK_CANON
)) {
396 if (!ASN1_STRING_copy(out
, in
))
401 out
->type
= V_ASN1_UTF8STRING
;
402 out
->length
= ASN1_STRING_to_UTF8(&out
->data
, in
);
403 if (out
->length
== -1)
412 * Convert string in place to canonical form. Ultimately we may need to
413 * handle a wider range of characters but for now ignore anything with
414 * MSB set and rely on the ossl_isspace() to fail on bad characters without
415 * needing isascii or range checks as well.
418 /* Ignore leading spaces */
419 while (len
> 0 && ossl_isspace(*from
)) {
426 /* Ignore trailing spaces */
427 while (len
> 0 && ossl_isspace(to
[-1])) {
436 /* If not ASCII set just copy across */
437 if (!ossl_isascii(*from
)) {
441 /* Collapse multiple spaces */
442 else if (ossl_isspace(*from
)) {
443 /* Copy one space across */
446 * Ignore subsequent spaces. Note: don't need to check len here
447 * because we know the last character is a non-space so we can't
454 while (ossl_isspace(*from
));
456 *to
++ = ossl_tolower(*from
);
462 out
->length
= to
- out
->data
;
468 static int i2d_name_canon(const STACK_OF(STACK_OF_X509_NAME_ENTRY
) * _intname
,
473 STACK_OF(ASN1_VALUE
) *intname
= (STACK_OF(ASN1_VALUE
) *)_intname
;
476 for (i
= 0; i
< sk_ASN1_VALUE_num(intname
); i
++) {
477 v
= sk_ASN1_VALUE_value(intname
, i
);
478 ltmp
= ASN1_item_ex_i2d(&v
, in
,
479 ASN1_ITEM_rptr(X509_NAME_ENTRIES
), -1, -1);
487 int X509_NAME_set(X509_NAME
**xn
, const X509_NAME
*name
)
489 X509_NAME
*name_copy
;
493 if ((name_copy
= X509_NAME_dup(name
)) == NULL
)
500 int X509_NAME_print(BIO
*bp
, const X509_NAME
*name
, int obase
)
507 b
= X509_NAME_oneline(name
, NULL
, 0);
514 s
= b
+ 1; /* skip the first slash */
519 (ossl_isupper(s
[1]) && ((s
[2] == '=') ||
520 (ossl_isupper(s
[2]) && (s
[3] == '='))
524 if (BIO_write(bp
, c
, i
) != i
)
526 c
= s
+ 1; /* skip following slash */
528 if (BIO_write(bp
, ", ", 2) != 2)
542 X509err(X509_F_X509_NAME_PRINT
, ERR_R_BUF_LIB
);
547 int X509_NAME_get0_der(const X509_NAME
*nm
, const unsigned char **pder
,
550 /* Make sure encoding is valid */
551 if (i2d_X509_NAME(nm
, NULL
) <= 0)
554 *pder
= (unsigned char *)nm
->bytes
->data
;
556 *pderlen
= nm
->bytes
->length
;