1
1
/* schema_init.c - init builtin schema */
2
/* $OpenLDAP: pkg/ldap/servers/slapd/schema_init.c,v 1.386.2.33 2009/05/08 00:27:00 quanah Exp $ */
2
/* $OpenLDAP: pkg/ldap/servers/slapd/schema_init.c,v 1.386.2.36 2009/08/13 00:35:54 quanah Exp $ */
3
3
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
5
5
* Copyright 1998-2009 The OpenLDAP Foundation.
275
275
/* X.509 certificate list validation */
277
checkTime( struct berval *in, struct berval *out );
277
280
certificateListValidate( Syntax *syntax, struct berval *in )
279
282
BerElementBuffer berbuf;
280
283
BerElement *ber = (BerElement *)&berbuf;
285
ber_len_t len, wrapper_len;
283
288
ber_int_t version = SLAP_X509_V1;
289
struct berval bvdn, bvtu;
285
291
ber_init2( ber, in, LBER_USE_DER );
286
tag = ber_skip_tag( ber, &len ); /* Signed wrapper */
292
tag = ber_skip_tag( ber, &wrapper_len ); /* Signed wrapper */
287
293
if ( tag != LBER_SEQUENCE ) return LDAP_INVALID_SYNTAX;
294
wrapper_start = ber->ber_ptr;
288
295
tag = ber_skip_tag( ber, &len ); /* Sequence */
289
296
if ( tag != LBER_SEQUENCE ) return LDAP_INVALID_SYNTAX;
290
297
tag = ber_peek_tag( ber, &len );
297
304
tag = ber_skip_tag( ber, &len ); /* Signature Algorithm */
298
305
if ( tag != LBER_SEQUENCE ) return LDAP_INVALID_SYNTAX;
299
306
ber_skip_data( ber, len );
300
tag = ber_skip_tag( ber, &len ); /* Issuer DN */
307
tag = ber_peek_tag( ber, &len ); /* Issuer DN */
301
308
if ( tag != LBER_SEQUENCE ) return LDAP_INVALID_SYNTAX;
309
len = ber_ptrlen( ber );
310
bvdn.bv_val = in->bv_val + len;
311
bvdn.bv_len = in->bv_len - len;
312
tag = ber_skip_tag( ber, &len );
302
313
ber_skip_data( ber, len );
303
314
tag = ber_skip_tag( ber, &len ); /* thisUpdate */
304
315
/* Time is a CHOICE { UTCTime, GeneralizedTime } */
305
316
if ( tag != SLAP_TAG_UTCTIME && tag != SLAP_TAG_GENERALIZEDTIME ) return LDAP_INVALID_SYNTAX;
317
bvtu.bv_val = (char *)ber->ber_ptr;
306
319
ber_skip_data( ber, len );
307
320
/* Optional nextUpdate */
308
321
tag = ber_skip_tag( ber, &len );
319
332
tag = ber_skip_tag( ber, &len );
322
/* Optional Extensions */
335
/* Optional Extensions - Sequence of Sequence */
323
336
if ( tag == SLAP_X509_OPT_CL_CRLEXTENSIONS ) { /* ? */
324
338
if ( version != SLAP_X509_V2 ) return LDAP_INVALID_SYNTAX;
325
tag = ber_skip_tag( ber, &len );
339
tag = ber_peek_tag( ber, &seqlen );
326
340
if ( tag != LBER_SEQUENCE ) return LDAP_INVALID_SYNTAX;
327
341
ber_skip_data( ber, len );
328
342
tag = ber_skip_tag( ber, &len );
335
349
if ( tag != LBER_BITSTRING ) return LDAP_INVALID_SYNTAX;
336
350
ber_skip_data( ber, len );
351
if ( ber->ber_ptr == wrapper_start + wrapper_len ) wrapper_ok = 1;
337
352
tag = ber_skip_tag( ber, &len );
338
353
/* Must be at end now */
339
if ( len || tag != LBER_DEFAULT ) return LDAP_INVALID_SYNTAX;
354
/* NOTE: OpenSSL tolerates CL with garbage past the end */
355
if ( len || tag != LBER_DEFAULT ) {
356
struct berval issuer_dn = BER_BVNULL, thisUpdate;
357
char tubuf[STRLENOF("YYYYmmddHHMMSSZ") + 1];
360
if ( ! wrapper_ok ) {
361
return LDAP_INVALID_SYNTAX;
364
rc = dnX509normalize( &bvdn, &issuer_dn );
365
if ( rc != LDAP_SUCCESS ) {
366
rc = LDAP_INVALID_SYNTAX;
370
thisUpdate.bv_val = tubuf;
371
thisUpdate.bv_len = sizeof(tubuf);
372
if ( checkTime( &bvtu, &thisUpdate ) ) {
373
rc = LDAP_INVALID_SYNTAX;
377
Debug( LDAP_DEBUG_ANY,
378
"certificateListValidate issuer=\"%s\", thisUpdate=%s: extra cruft past end of certificateList\n",
379
issuer_dn.bv_val, thisUpdate.bv_val, 0 );
382
if ( ! BER_BVISNULL( &issuer_dn ) ) {
383
ber_memfree( issuer_dn.bv_val );
340
389
return LDAP_SUCCESS;
388
437
if ( tag != LBER_SEQUENCE ) return LDAP_INVALID_SYNTAX;
389
438
ber_skip_data( ber, len );
391
ber_peek_tag( ber, &len );
440
tag = ber_peek_tag( ber, &len );
393
442
if ( tag == LBER_BITSTRING ) { /* issuerUniqueID */
394
443
tag = ber_skip_tag( ber, &len );
3617
3666
rc = generalizedTimeValidate( NULL, &bv );
3618
3667
if ( rc == LDAP_SUCCESS && out != NULL ) {
3668
if ( out->bv_len > bv.bv_len ) {
3669
out->bv_val[ bv.bv_len ] = '\0';
3619
3671
out->bv_len = bv.bv_len;
6626
6678
{"( 1.3.6.1.4.1.4203.666.11.2.3 NAME 'CSNOrderingMatch' "
6627
6679
"SYNTAX 1.3.6.1.4.1.4203.666.11.2.1 )",
6628
6680
SLAP_MR_HIDE | SLAP_MR_ORDERING | SLAP_MR_ORDERED_INDEX, NULL,
6629
NULL, NULL, csnOrderingMatch,
6681
NULL, csnNormalize, csnOrderingMatch,