]> git.ipfire.org Git - thirdparty/openssl.git/blob - crypto/x509/x_name.c
projects / thirdparty / openssl.git / blob
? search:


1a57b2232d20902605ad000173995ed8e88fedc3
[thirdparty/openssl.git] / crypto / x509 / x_name.c
1 /*
2 * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include <stdio.h>
11 #include "crypto/ctype.h"
12 #include "internal/cryptlib.h"
13 #include <openssl/asn1t.h>
14 #include <openssl/x509.h>
15 #include "crypto/x509.h"
16 #include "crypto/asn1.h"
17 #include "x509_local.h"
18
19 DEFINE_STACK_OF(ASN1_VALUE)
20
21 /*
22 * Maximum length of X509_NAME: much larger than anything we should
23 * ever see in practice.
24 */
25
26 #define X509_NAME_MAX (1024 * 1024)
27
28 static int x509_name_ex_d2i(ASN1_VALUE **val,
29 const unsigned char **in, long len,
30 const ASN1_ITEM *it,
31 int tag, int aclass, char opt, ASN1_TLC *ctx);
32
33 static int x509_name_ex_i2d(const ASN1_VALUE **val, unsigned char **out,
34 const ASN1_ITEM *it, int tag, int aclass);
35 static int x509_name_ex_new(ASN1_VALUE **val, const ASN1_ITEM *it);
36 static void x509_name_ex_free(ASN1_VALUE **val, const ASN1_ITEM *it);
37
38 static int x509_name_encode(X509_NAME *a);
39 static int x509_name_canon(X509_NAME *a);
40 static int asn1_string_canon(ASN1_STRING *out, const ASN1_STRING *in);
41 static int i2d_name_canon(const STACK_OF(STACK_OF_X509_NAME_ENTRY) * intname,
42 unsigned char **in);
43
44 static int x509_name_ex_print(BIO *out, const ASN1_VALUE **pval,
45 int indent,
46 const char *fname, const ASN1_PCTX *pctx);
47
48 ASN1_SEQUENCE(X509_NAME_ENTRY) = {
49 ASN1_SIMPLE(X509_NAME_ENTRY, object, ASN1_OBJECT),
50 ASN1_SIMPLE(X509_NAME_ENTRY, value, ASN1_PRINTABLE)
51 } ASN1_SEQUENCE_END(X509_NAME_ENTRY)
52
53 IMPLEMENT_ASN1_FUNCTIONS(X509_NAME_ENTRY)
54 IMPLEMENT_ASN1_DUP_FUNCTION(X509_NAME_ENTRY)
55
56 /*
57 * For the "Name" type we need a SEQUENCE OF { SET OF X509_NAME_ENTRY } so
58 * declare two template wrappers for this
59 */
60
61 ASN1_ITEM_TEMPLATE(X509_NAME_ENTRIES) =
62 ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SET_OF, 0, RDNS, X509_NAME_ENTRY)
63 static_ASN1_ITEM_TEMPLATE_END(X509_NAME_ENTRIES)
64
65 ASN1_ITEM_TEMPLATE(X509_NAME_INTERNAL) =
66 ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, Name, X509_NAME_ENTRIES)
67 static_ASN1_ITEM_TEMPLATE_END(X509_NAME_INTERNAL)
68
69 /*
70 * Normally that's where it would end: we'd have two nested STACK structures
71 * representing the ASN1. Unfortunately X509_NAME uses a completely different
72 * form and caches encodings so we have to process the internal form and
73 * convert to the external form.
74 */
75
76 static const ASN1_EXTERN_FUNCS x509_name_ff = {
77 NULL,
78 x509_name_ex_new,
79 x509_name_ex_free,
80 0, /* Default clear behaviour is OK */
81 x509_name_ex_d2i,
82 x509_name_ex_i2d,
83 x509_name_ex_print
84 };
85
86 IMPLEMENT_EXTERN_ASN1(X509_NAME, V_ASN1_SEQUENCE, x509_name_ff)
87
88 IMPLEMENT_ASN1_FUNCTIONS(X509_NAME)
89
90 IMPLEMENT_ASN1_DUP_FUNCTION(X509_NAME)
91
92 static int x509_name_ex_new(ASN1_VALUE **val, const ASN1_ITEM *it)
93 {
94 X509_NAME *ret = OPENSSL_zalloc(sizeof(*ret));
95
96 if (ret == NULL)
97 goto memerr;
98 if ((ret->entries = sk_X509_NAME_ENTRY_new_null()) == NULL)
99 goto memerr;
100 if ((ret->bytes = BUF_MEM_new()) == NULL)
101 goto memerr;
102 ret->modified = 1;
103 *val = (ASN1_VALUE *)ret;
104 return 1;
105
106 memerr:
107 ASN1err(ASN1_F_X509_NAME_EX_NEW, ERR_R_MALLOC_FAILURE);
108 if (ret) {
109 sk_X509_NAME_ENTRY_free(ret->entries);
110 OPENSSL_free(ret);
111 }
112 return 0;
113 }
114
115 static void x509_name_ex_free(ASN1_VALUE **pval, const ASN1_ITEM *it)
116 {
117 X509_NAME *a;
118
119 if (pval == NULL || *pval == NULL)
120 return;
121 a = (X509_NAME *)*pval;
122
123 BUF_MEM_free(a->bytes);
124 sk_X509_NAME_ENTRY_pop_free(a->entries, X509_NAME_ENTRY_free);
125 OPENSSL_free(a->canon_enc);
126 OPENSSL_free(a);
127 *pval = NULL;
128 }
129
130 static void local_sk_X509_NAME_ENTRY_free(STACK_OF(X509_NAME_ENTRY) *ne)
131 {
132 sk_X509_NAME_ENTRY_free(ne);
133 }
134
135 static void local_sk_X509_NAME_ENTRY_pop_free(STACK_OF(X509_NAME_ENTRY) *ne)
136 {
137 sk_X509_NAME_ENTRY_pop_free(ne, X509_NAME_ENTRY_free);
138 }
139
140 static int x509_name_ex_d2i(ASN1_VALUE **val,
141 const unsigned char **in, long len,
142 const ASN1_ITEM *it, int tag, int aclass,
143 char opt, ASN1_TLC *ctx)
144 {
145 const unsigned char *p = *in, *q;
146 union {
147 STACK_OF(STACK_OF_X509_NAME_ENTRY) *s;
148 ASN1_VALUE *a;
149 } intname = {
150 NULL
151 };
152 union {
153 X509_NAME *x;
154 ASN1_VALUE *a;
155 } nm = {
156 NULL
157 };
158 int i, j, ret;
159 STACK_OF(X509_NAME_ENTRY) *entries;
160 X509_NAME_ENTRY *entry;
161
162 if (len > X509_NAME_MAX)
163 len = X509_NAME_MAX;
164 q = p;
165
166 /* Get internal representation of Name */
167 ret = ASN1_item_ex_d2i(&intname.a,
168 &p, len, ASN1_ITEM_rptr(X509_NAME_INTERNAL),
169 tag, aclass, opt, ctx);
170
171 if (ret <= 0)
172 return ret;
173
174 if (*val)
175 x509_name_ex_free(val, NULL);
176 if (!x509_name_ex_new(&nm.a, NULL))
177 goto err;
178 /* We've decoded it: now cache encoding */
179 if (!BUF_MEM_grow(nm.x->bytes, p - q))
180 goto err;
181 memcpy(nm.x->bytes->data, q, p - q);
182
183 /* Convert internal representation to X509_NAME structure */
184 for (i = 0; i < sk_STACK_OF_X509_NAME_ENTRY_num(intname.s); i++) {
185 entries = sk_STACK_OF_X509_NAME_ENTRY_value(intname.s, i);
186 for (j = 0; j < sk_X509_NAME_ENTRY_num(entries); j++) {
187 entry = sk_X509_NAME_ENTRY_value(entries, j);
188 entry->set = i;
189 if (!sk_X509_NAME_ENTRY_push(nm.x->entries, entry))
190 goto err;
191 sk_X509_NAME_ENTRY_set(entries, j, NULL);
192 }
193 }
194 ret = x509_name_canon(nm.x);
195 if (!ret)
196 goto err;
197 sk_STACK_OF_X509_NAME_ENTRY_pop_free(intname.s,
198 local_sk_X509_NAME_ENTRY_free);
199 nm.x->modified = 0;
200 *val = nm.a;
201 *in = p;
202 return ret;
203
204 err:
205 if (nm.x != NULL)
206 X509_NAME_free(nm.x);
207 sk_STACK_OF_X509_NAME_ENTRY_pop_free(intname.s,
208 local_sk_X509_NAME_ENTRY_pop_free);
209 ASN1err(ASN1_F_X509_NAME_EX_D2I, ERR_R_NESTED_ASN1_ERROR);
210 return 0;
211 }
212
213 static int x509_name_ex_i2d(const ASN1_VALUE **val, unsigned char **out,
214 const ASN1_ITEM *it, int tag, int aclass)
215 {
216 int ret;
217 X509_NAME *a = (X509_NAME *)*val;
218
219 if (a->modified) {
220 ret = x509_name_encode(a);
221 if (ret < 0)
222 return ret;
223 ret = x509_name_canon(a);
224 if (ret < 0)
225 return ret;
226 }
227 ret = a->bytes->length;
228 if (out != NULL) {
229 memcpy(*out, a->bytes->data, ret);
230 *out += ret;
231 }
232 return ret;
233 }
234
235 static int x509_name_encode(X509_NAME *a)
236 {
237 union {
238 STACK_OF(STACK_OF_X509_NAME_ENTRY) *s;
239 const ASN1_VALUE *a;
240 } intname = {
241 NULL
242 };
243 int len;
244 unsigned char *p;
245 STACK_OF(X509_NAME_ENTRY) *entries = NULL;
246 X509_NAME_ENTRY *entry;
247 int i, set = -1;
248
249 intname.s = sk_STACK_OF_X509_NAME_ENTRY_new_null();
250 if (!intname.s)
251 goto memerr;
252 for (i = 0; i < sk_X509_NAME_ENTRY_num(a->entries); i++) {
253 entry = sk_X509_NAME_ENTRY_value(a->entries, i);
254 if (entry->set != set) {
255 entries = sk_X509_NAME_ENTRY_new_null();
256 if (!entries)
257 goto memerr;
258 if (!sk_STACK_OF_X509_NAME_ENTRY_push(intname.s, entries)) {
259 sk_X509_NAME_ENTRY_free(entries);
260 goto memerr;
261 }
262 set = entry->set;
263 }
264 if (!sk_X509_NAME_ENTRY_push(entries, entry))
265 goto memerr;
266 }
267 len = ASN1_item_ex_i2d(&intname.a, NULL,
268 ASN1_ITEM_rptr(X509_NAME_INTERNAL), -1, -1);
269 if (!BUF_MEM_grow(a->bytes, len))
270 goto memerr;
271 p = (unsigned char *)a->bytes->data;
272 ASN1_item_ex_i2d(&intname.a,
273 &p, ASN1_ITEM_rptr(X509_NAME_INTERNAL), -1, -1);
274 sk_STACK_OF_X509_NAME_ENTRY_pop_free(intname.s,
275 local_sk_X509_NAME_ENTRY_free);
276 a->modified = 0;
277 return len;
278 memerr:
279 sk_STACK_OF_X509_NAME_ENTRY_pop_free(intname.s,
280 local_sk_X509_NAME_ENTRY_free);
281 ASN1err(ASN1_F_X509_NAME_ENCODE, ERR_R_MALLOC_FAILURE);
282 return -1;
283 }
284
285 static int x509_name_ex_print(BIO *out, const ASN1_VALUE **pval,
286 int indent,
287 const char *fname, const ASN1_PCTX *pctx)
288 {
289 if (X509_NAME_print_ex(out, (const X509_NAME *)*pval,
290 indent, pctx->nm_flags) <= 0)
291 return 0;
292 return 2;
293 }
294
295 /*
296 * This function generates the canonical encoding of the Name structure. In
297 * it all strings are converted to UTF8, leading, trailing and multiple
298 * spaces collapsed, converted to lower case and the leading SEQUENCE header
299 * removed. In future we could also normalize the UTF8 too. By doing this
300 * comparison of Name structures can be rapidly performed by just using
301 * memcmp() of the canonical encoding. By omitting the leading SEQUENCE name
302 * constraints of type dirName can also be checked with a simple memcmp().
303 */
304
305 static int x509_name_canon(X509_NAME *a)
306 {
307 unsigned char *p;
308 STACK_OF(STACK_OF_X509_NAME_ENTRY) *intname;
309 STACK_OF(X509_NAME_ENTRY) *entries = NULL;
310 X509_NAME_ENTRY *entry, *tmpentry = NULL;
311 int i, set = -1, ret = 0, len;
312
313 OPENSSL_free(a->canon_enc);
314 a->canon_enc = NULL;
315 /* Special case: empty X509_NAME => null encoding */
316 if (sk_X509_NAME_ENTRY_num(a->entries) == 0) {
317 a->canon_enclen = 0;
318 return 1;
319 }
320 intname = sk_STACK_OF_X509_NAME_ENTRY_new_null();
321 if (intname == NULL) {
322 X509err(X509_F_X509_NAME_CANON, ERR_R_MALLOC_FAILURE);
323 goto err;
324 }
325 for (i = 0; i < sk_X509_NAME_ENTRY_num(a->entries); i++) {
326 entry = sk_X509_NAME_ENTRY_value(a->entries, i);
327 if (entry->set != set) {
328 entries = sk_X509_NAME_ENTRY_new_null();
329 if (entries == NULL)
330 goto err;
331 if (!sk_STACK_OF_X509_NAME_ENTRY_push(intname, entries)) {
332 sk_X509_NAME_ENTRY_free(entries);
333 X509err(X509_F_X509_NAME_CANON, ERR_R_MALLOC_FAILURE);
334 goto err;
335 }
336 set = entry->set;
337 }
338 tmpentry = X509_NAME_ENTRY_new();
339 if (tmpentry == NULL) {
340 X509err(X509_F_X509_NAME_CANON, ERR_R_MALLOC_FAILURE);
341 goto err;
342 }
343 tmpentry->object = OBJ_dup(entry->object);
344 if (tmpentry->object == NULL) {
345 X509err(X509_F_X509_NAME_CANON, ERR_R_MALLOC_FAILURE);
346 goto err;
347 }
348 if (!asn1_string_canon(tmpentry->value, entry->value))
349 goto err;
350 if (!sk_X509_NAME_ENTRY_push(entries, tmpentry)) {
351 X509err(X509_F_X509_NAME_CANON, ERR_R_MALLOC_FAILURE);
352 goto err;
353 }
354 tmpentry = NULL;
355 }
356
357 /* Finally generate encoding */
358 len = i2d_name_canon(intname, NULL);
359 if (len < 0)
360 goto err;
361 a->canon_enclen = len;
362
363 p = OPENSSL_malloc(a->canon_enclen);
364 if (p == NULL) {
365 X509err(X509_F_X509_NAME_CANON, ERR_R_MALLOC_FAILURE);
366 goto err;
367 }
368
369 a->canon_enc = p;
370
371 i2d_name_canon(intname, &p);
372
373 ret = 1;
374
375 err:
376 X509_NAME_ENTRY_free(tmpentry);
377 sk_STACK_OF_X509_NAME_ENTRY_pop_free(intname,
378 local_sk_X509_NAME_ENTRY_pop_free);
379 return ret;
380 }
381
382 /* Bitmap of all the types of string that will be canonicalized. */
383
384 #define ASN1_MASK_CANON \
385 (B_ASN1_UTF8STRING | B_ASN1_BMPSTRING | B_ASN1_UNIVERSALSTRING \
386 | B_ASN1_PRINTABLESTRING | B_ASN1_T61STRING | B_ASN1_IA5STRING \
387 | B_ASN1_VISIBLESTRING)
388
389 static int asn1_string_canon(ASN1_STRING *out, const ASN1_STRING *in)
390 {
391 unsigned char *to, *from;
392 int len, i;
393
394 /* If type not in bitmask just copy string across */
395 if (!(ASN1_tag2bit(in->type) & ASN1_MASK_CANON)) {
396 if (!ASN1_STRING_copy(out, in))
397 return 0;
398 return 1;
399 }
400
401 out->type = V_ASN1_UTF8STRING;
402 out->length = ASN1_STRING_to_UTF8(&out->data, in);
403 if (out->length == -1)
404 return 0;
405
406 to = out->data;
407 from = to;
408
409 len = out->length;
410
411 /*
412 * Convert string in place to canonical form. Ultimately we may need to
413 * handle a wider range of characters but for now ignore anything with
414 * MSB set and rely on the ossl_isspace() to fail on bad characters without
415 * needing isascii or range checks as well.
416 */
417
418 /* Ignore leading spaces */
419 while (len > 0 && ossl_isspace(*from)) {
420 from++;
421 len--;
422 }
423
424 to = from + len;
425
426 /* Ignore trailing spaces */
427 while (len > 0 && ossl_isspace(to[-1])) {
428 to--;
429 len--;
430 }
431
432 to = out->data;
433
434 i = 0;
435 while (i < len) {
436 /* If not ASCII set just copy across */
437 if (!ossl_isascii(*from)) {
438 *to++ = *from++;
439 i++;
440 }
441 /* Collapse multiple spaces */
442 else if (ossl_isspace(*from)) {
443 /* Copy one space across */
444 *to++ = ' ';
445 /*
446 * Ignore subsequent spaces. Note: don't need to check len here
447 * because we know the last character is a non-space so we can't
448 * overflow.
449 */
450 do {
451 from++;
452 i++;
453 }
454 while (ossl_isspace(*from));
455 } else {
456 *to++ = ossl_tolower(*from);
457 from++;
458 i++;
459 }
460 }
461
462 out->length = to - out->data;
463
464 return 1;
465
466 }
467
468 static int i2d_name_canon(const STACK_OF(STACK_OF_X509_NAME_ENTRY) * _intname,
469 unsigned char **in)
470 {
471 int i, len, ltmp;
472 const ASN1_VALUE *v;
473 STACK_OF(ASN1_VALUE) *intname = (STACK_OF(ASN1_VALUE) *)_intname;
474
475 len = 0;
476 for (i = 0; i < sk_ASN1_VALUE_num(intname); i++) {
477 v = sk_ASN1_VALUE_value(intname, i);
478 ltmp = ASN1_item_ex_i2d(&v, in,
479 ASN1_ITEM_rptr(X509_NAME_ENTRIES), -1, -1);
480 if (ltmp < 0)
481 return ltmp;
482 len += ltmp;
483 }
484 return len;
485 }
486
487 int X509_NAME_set(X509_NAME **xn, const X509_NAME *name)
488 {
489 X509_NAME *name_copy;
490
491 if (*xn == name)
492 return *xn != NULL;
493 if ((name_copy = X509_NAME_dup(name)) == NULL)
494 return 0;
495 X509_NAME_free(*xn);
496 *xn = name_copy;
497 return 1;
498 }
499
500 int X509_NAME_print(BIO *bp, const X509_NAME *name, int obase)
501 {
502 char *s, *c, *b;
503 int l, i;
504
505 l = 80 - 2 - obase;
506
507 b = X509_NAME_oneline(name, NULL, 0);
508 if (b == NULL)
509 return 0;
510 if (*b == '\0') {
511 OPENSSL_free(b);
512 return 1;
513 }
514 s = b + 1; /* skip the first slash */
515
516 c = s;
517 for (;;) {
518 if (((*s == '/') &&
519 (ossl_isupper(s[1]) && ((s[2] == '=') ||
520 (ossl_isupper(s[2]) && (s[3] == '='))
521 ))) || (*s == '\0'))
522 {
523 i = s - c;
524 if (BIO_write(bp, c, i) != i)
525 goto err;
526 c = s + 1; /* skip following slash */
527 if (*s != '\0') {
528 if (BIO_write(bp, ", ", 2) != 2)
529 goto err;
530 }
531 l--;
532 }
533 if (*s == '\0')
534 break;
535 s++;
536 l--;
537 }
538
539 OPENSSL_free(b);
540 return 1;
541 err:
542 X509err(X509_F_X509_NAME_PRINT, ERR_R_BUF_LIB);
543 OPENSSL_free(b);
544 return 0;
545 }
546
547 int X509_NAME_get0_der(const X509_NAME *nm, const unsigned char **pder,
548 size_t *pderlen)
549 {
550 /* Make sure encoding is valid */
551 if (i2d_X509_NAME(nm, NULL) <= 0)
552 return 0;
553 if (pder != NULL)
554 *pder = (unsigned char *)nm->bytes->data;
555 if (pderlen != NULL)
556 *pderlen = nm->bytes->length;
557 return 1;
558 }
A mirror of the official openssl repository