2
* Copyright (c) 2004 - 2007 Kungliga Tekniska Högskolan
3
* (Royal Institute of Technology, Stockholm, Sweden).
6
* Redistribution and use in source and binary forms, with or without
7
* modification, are permitted provided that the following conditions
10
* 1. Redistributions of source code must retain the above copyright
11
* notice, this list of conditions and the following disclaimer.
13
* 2. Redistributions in binary form must reproduce the above copyright
14
* notice, this list of conditions and the following disclaimer in the
15
* documentation and/or other materials provided with the distribution.
17
* 3. Neither the name of the Institute nor the names of its contributors
18
* may be used to endorse or promote products derived from this software
19
* without specific prior written permission.
21
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
39
* @page page_name PKIX/X.509 Names
41
* There are several names in PKIX/X.509, GeneralName and Name.
43
* A Name consists of an ordered list of Relative Distinguished Names
44
* (RDN). Each RDN consists of an unordered list of typed strings. The
45
* types are defined by OID and have long and short description. For
46
* example id-at-commonName (2.5.4.3) have the long name CommonName
47
* and short name CN. The string itself can be of serveral encoding,
48
* UTF8, UTF16, Teltex string, etc. The type limit what encoding
51
* GeneralName is a broader nametype that can contains al kind of
52
* stuff like Name, IP addresses, partial Name, etc.
54
* Name is mapped into a hx509_name object.
56
* Parse and string name into a hx509_name object with hx509_parse_name(),
57
* make it back into string representation with hx509_name_to_string().
59
* Name string are defined rfc2253, rfc1779 and X.501.
61
* See the library functions here: @ref hx509_name
66
const heim_oid *(*o)(void);
67
wind_profile_flags flags;
69
{ "C", oid_id_at_countryName },
70
{ "CN", oid_id_at_commonName },
71
{ "DC", oid_id_domainComponent },
72
{ "L", oid_id_at_localityName },
73
{ "O", oid_id_at_organizationName },
74
{ "OU", oid_id_at_organizationalUnitName },
75
{ "S", oid_id_at_stateOrProvinceName },
76
{ "STREET", oid_id_at_streetAddress },
77
{ "UID", oid_id_Userid },
78
{ "emailAddress", oid_id_pkcs9_emailAddress },
79
{ "serialNumber", oid_id_at_serialNumber }
83
quote_string(const char *f, size_t len, size_t *rlen)
94
for (i = 0, j = 0; i < len; i++) {
95
if (from[i] == ' ' && i + 1 < len)
97
else if (from[i] == ',' || from[i] == '=' || from[i] == '+' ||
98
from[i] == '<' || from[i] == '>' || from[i] == '#' ||
99
from[i] == ';' || from[i] == ' ')
103
} else if (((unsigned char)from[i]) >= 32 && ((unsigned char)from[i]) <= 127) {
106
int l = snprintf(&to[j], tolen - j - 1,
107
"#%02x", (unsigned char)from[i]);
119
append_string(char **str, size_t *total_len, const char *ss,
120
size_t len, int quote)
125
qs = quote_string(ss, len, &len);
129
s = realloc(*str, len + *total_len + 1);
131
_hx509_abort("allocation failure"); /* XXX */
132
memcpy(s + *total_len, qs, len);
135
s[*total_len + len] = '\0';
142
oidtostring(const heim_oid *type)
147
for (i = 0; i < sizeof(no)/sizeof(no[0]); i++) {
148
if (der_heim_oid_cmp((*no[i].o)(), type) == 0)
149
return strdup(no[i].n);
151
if (der_print_heim_oid(type, '.', &s) != 0)
157
stringtooid(const char *name, size_t len, heim_oid *oid)
162
memset(oid, 0, sizeof(*oid));
164
for (i = 0; i < sizeof(no)/sizeof(no[0]); i++) {
165
if (strncasecmp(no[i].n, name, len) == 0)
166
return der_copy_oid((*no[i].o)(), oid);
171
memcpy(s, name, len);
173
ret = der_parse_heim_oid(s, ".", oid);
179
* Convert the hx509 name object into a printable string.
180
* The resulting string should be freed with free().
182
* @param name name to print
183
* @param str the string to return
185
* @return An hx509 error code, see hx509_get_error_string().
187
* @ingroup hx509_name
191
hx509_name_to_string(const hx509_name name, char **str)
193
return _hx509_Name_to_string(&name->der_name, str);
197
_hx509_Name_to_string(const Name *n, char **str)
199
size_t total_len = 0;
206
for (i = n->u.rdnSequence.len - 1 ; i >= 0 ; i--) {
209
for (j = 0; j < n->u.rdnSequence.val[i].len; j++) {
210
DirectoryString *ds = &n->u.rdnSequence.val[i].val[j].value;
214
oidname = oidtostring(&n->u.rdnSequence.val[i].val[j].type);
216
switch(ds->element) {
217
case choice_DirectoryString_ia5String:
218
ss = ds->u.ia5String;
220
case choice_DirectoryString_printableString:
221
ss = ds->u.printableString;
223
case choice_DirectoryString_utf8String:
224
ss = ds->u.utf8String;
226
case choice_DirectoryString_bmpString: {
227
uint16_t *bmp = ds->u.bmpString.data;
228
size_t bmplen = ds->u.bmpString.length;
231
ss = malloc(bmplen + 1);
233
_hx509_abort("allocation failure"); /* XXX */
234
for (k = 0; k < bmplen; k++)
235
ss[k] = bmp[k] & 0xff; /* XXX */
239
case choice_DirectoryString_teletexString:
240
ss = malloc(ds->u.teletexString.length + 1);
242
_hx509_abort("allocation failure"); /* XXX */
243
memcpy(ss, ds->u.teletexString.data, ds->u.teletexString.length);
244
ss[ds->u.teletexString.length] = '\0';
246
case choice_DirectoryString_universalString: {
247
uint32_t *uni = ds->u.universalString.data;
248
size_t unilen = ds->u.universalString.length;
251
ss = malloc(unilen + 1);
253
_hx509_abort("allocation failure"); /* XXX */
254
for (k = 0; k < unilen; k++)
255
ss[k] = uni[k] & 0xff; /* XXX */
260
_hx509_abort("unknown directory type: %d", ds->element);
263
append_string(str, &total_len, oidname, strlen(oidname), 0);
265
append_string(str, &total_len, "=", 1, 0);
267
append_string(str, &total_len, ss, len, 1);
268
if (ds->element == choice_DirectoryString_universalString ||
269
ds->element == choice_DirectoryString_bmpString ||
270
ds->element == choice_DirectoryString_teletexString)
274
if (j + 1 < n->u.rdnSequence.val[i].len)
275
append_string(str, &total_len, "+", 1, 0);
279
append_string(str, &total_len, ",", 1, 0);
284
#define COPYCHARARRAY(_ds,_el,_l,_n) \
285
(_l) = strlen(_ds->u._el); \
286
(_n) = malloc((_l) * sizeof((_n)[0])); \
289
for (i = 0; i < (_l); i++) \
290
(_n)[i] = _ds->u._el[i]
293
#define COPYVALARRAY(_ds,_el,_l,_n) \
294
(_l) = _ds->u._el.length; \
295
(_n) = malloc((_l) * sizeof((_n)[0])); \
298
for (i = 0; i < (_l); i++) \
299
(_n)[i] = _ds->u._el.data[i]
301
#define COPYVOIDARRAY(_ds,_el,_l,_n) \
302
(_l) = _ds->u._el.length; \
303
(_n) = malloc((_l) * sizeof((_n)[0])); \
306
for (i = 0; i < (_l); i++) \
307
(_n)[i] = ((unsigned char *)_ds->u._el.data)[i]
312
dsstringprep(const DirectoryString *ds, uint32_t **rname, size_t *rlen)
314
wind_profile_flags flags = 0;
322
switch(ds->element) {
323
case choice_DirectoryString_ia5String:
324
COPYCHARARRAY(ds, ia5String, len, name);
326
case choice_DirectoryString_printableString:
327
flags = WIND_PROFILE_LDAP_CASE_EXACT_ATTRIBUTE;
328
COPYCHARARRAY(ds, printableString, len, name);
330
case choice_DirectoryString_teletexString:
331
COPYVOIDARRAY(ds, teletexString, len, name);
333
case choice_DirectoryString_bmpString:
334
COPYVALARRAY(ds, bmpString, len, name);
336
case choice_DirectoryString_universalString:
337
COPYVALARRAY(ds, universalString, len, name);
339
case choice_DirectoryString_utf8String:
340
ret = wind_utf8ucs4_length(ds->u.utf8String, &len);
343
name = malloc(len * sizeof(name[0]));
346
ret = wind_utf8ucs4(ds->u.utf8String, name, &len);
351
_hx509_abort("unknown directory type: %d", ds->element);
355
/* try a couple of times to get the length right, XXX gross */
356
for (i = 0; i < 4; i++) {
358
*rname = malloc(*rlen * sizeof((*rname)[0]));
360
ret = wind_stringprep(name, len, *rname, rlen,
361
WIND_PROFILE_LDAP|flags);
362
if (ret == WIND_ERR_OVERRUN) {
382
_hx509_name_ds_cmp(const DirectoryString *ds1,
383
const DirectoryString *ds2,
386
uint32_t *ds1lp, *ds2lp;
387
size_t ds1len, ds2len;
390
ret = dsstringprep(ds1, &ds1lp, &ds1len);
393
ret = dsstringprep(ds2, &ds2lp, &ds2len);
399
if (ds1len != ds2len)
400
*diff = ds1len - ds2len;
402
*diff = memcmp(ds1lp, ds2lp, ds1len * sizeof(ds1lp[0]));
411
_hx509_name_cmp(const Name *n1, const Name *n2, int *c)
415
*c = n1->u.rdnSequence.len - n2->u.rdnSequence.len;
419
for (i = 0 ; i < n1->u.rdnSequence.len; i++) {
420
*c = n1->u.rdnSequence.val[i].len - n2->u.rdnSequence.val[i].len;
424
for (j = 0; j < n1->u.rdnSequence.val[i].len; j++) {
425
*c = der_heim_oid_cmp(&n1->u.rdnSequence.val[i].val[j].type,
426
&n1->u.rdnSequence.val[i].val[j].type);
430
ret = _hx509_name_ds_cmp(&n1->u.rdnSequence.val[i].val[j].value,
431
&n2->u.rdnSequence.val[i].val[j].value,
444
* Compare to hx509 name object, useful for sorting.
446
* @param n1 a hx509 name object.
447
* @param n2 a hx509 name object.
449
* @return 0 the objects are the same, returns > 0 is n2 is "larger"
450
* then n2, < 0 if n1 is "smaller" then n2.
452
* @ingroup hx509_name
456
hx509_name_cmp(hx509_name n1, hx509_name n2)
459
ret = _hx509_name_cmp(&n1->der_name, &n2->der_name, &diff);
467
_hx509_name_from_Name(const Name *n, hx509_name *name)
470
*name = calloc(1, sizeof(**name));
473
ret = copy_Name(n, &(*name)->der_name);
482
_hx509_name_modify(hx509_context context,
488
RelativeDistinguishedName *rdn;
492
ptr = realloc(name->u.rdnSequence.val,
493
sizeof(name->u.rdnSequence.val[0]) *
494
(name->u.rdnSequence.len + 1));
496
hx509_set_error_string(context, 0, ENOMEM, "Out of memory");
499
name->u.rdnSequence.val = ptr;
502
rdn = &name->u.rdnSequence.val[name->u.rdnSequence.len];
504
memmove(&name->u.rdnSequence.val[1],
505
&name->u.rdnSequence.val[0],
506
name->u.rdnSequence.len *
507
sizeof(name->u.rdnSequence.val[0]));
509
rdn = &name->u.rdnSequence.val[0];
511
rdn->val = malloc(sizeof(rdn->val[0]));
512
if (rdn->val == NULL)
515
ret = der_copy_oid(oid, &rdn->val[0].type);
518
rdn->val[0].value.element = choice_DirectoryString_utf8String;
519
rdn->val[0].value.u.utf8String = strdup(str);
520
if (rdn->val[0].value.u.utf8String == NULL)
522
name->u.rdnSequence.len += 1;
528
* Parse a string into a hx509 name object.
530
* @param context A hx509 context.
531
* @param str a string to parse.
532
* @param name the resulting object, NULL in case of error.
534
* @return An hx509 error code, see hx509_get_error_string().
536
* @ingroup hx509_name
540
hx509_parse_name(hx509_context context, const char *str, hx509_name *name)
549
n = calloc(1, sizeof(*n));
551
hx509_set_error_string(context, 0, ENOMEM, "out of memory");
555
n->der_name.element = choice_Name_rdnSequence;
559
while (p != NULL && *p != '\0') {
574
ret = HX509_PARSING_NAME_FAILED;
575
hx509_set_error_string(context, 0, ret, "missing = in %s", p);
579
ret = HX509_PARSING_NAME_FAILED;
580
hx509_set_error_string(context, 0, ret,
581
"missing name before = in %s", p);
586
ret = HX509_PARSING_NAME_FAILED;
587
hx509_set_error_string(context, 0, ret, " = after , in %s", p);
591
ret = stringtooid(p, q - p, &oid);
593
ret = HX509_PARSING_NAME_FAILED;
594
hx509_set_error_string(context, 0, ret,
595
"unknown type: %.*s", (int)(q - p), p);
600
size_t pstr_len = len - (q - p) - 1;
601
const char *pstr = p + (q - p) + 1;
604
r = malloc(pstr_len + 1);
608
hx509_set_error_string(context, 0, ret, "out of memory");
611
memcpy(r, pstr, pstr_len);
614
ret = _hx509_name_modify(context, &n->der_name, 0, &oid, r);
628
return HX509_NAME_MALFORMED;
632
* Copy a hx509 name object.
634
* @param context A hx509 cotext.
635
* @param from the name to copy from
636
* @param to the name to copy to
638
* @return An hx509 error code, see hx509_get_error_string().
640
* @ingroup hx509_name
644
hx509_name_copy(hx509_context context, const hx509_name from, hx509_name *to)
648
*to = calloc(1, sizeof(**to));
651
ret = copy_Name(&from->der_name, &(*to)->der_name);
661
* Convert a hx509_name into a Name.
663
* @param from the name to copy from
664
* @param to the name to copy to
666
* @return An hx509 error code, see hx509_get_error_string().
668
* @ingroup hx509_name
672
hx509_name_to_Name(const hx509_name from, Name *to)
674
return copy_Name(&from->der_name, to);
678
hx509_name_normalize(hx509_context context, hx509_name name)
684
* Expands variables in the name using env. Variables are on the form
685
* ${name}. Useful when dealing with certificate templates.
687
* @param context A hx509 cotext.
688
* @param name the name to expand.
689
* @param env environment variable to expand.
691
* @return An hx509 error code, see hx509_get_error_string().
693
* @ingroup hx509_name
697
hx509_name_expand(hx509_context context,
701
Name *n = &name->der_name;
707
if (n->element != choice_Name_rdnSequence) {
708
hx509_set_error_string(context, 0, EINVAL, "RDN not of supported type");
712
for (i = 0 ; i < n->u.rdnSequence.len; i++) {
713
for (j = 0; j < n->u.rdnSequence.val[i].len; j++) {
714
/** Only UTF8String rdnSequence names are allowed */
716
THIS SHOULD REALLY BE:
717
COMP = n->u.rdnSequence.val[i].val[j];
718
normalize COMP to utf8
719
check if there are variables
721
convert back to orignal format, store in COMP
722
free normalized utf8 string
724
DirectoryString *ds = &n->u.rdnSequence.val[i].val[j].value;
726
struct rk_strpool *strpool = NULL;
728
if (ds->element != choice_DirectoryString_utf8String) {
729
hx509_set_error_string(context, 0, EINVAL, "unsupported type");
732
p = strstr(ds->u.utf8String, "${");
734
strpool = rk_strpoolprintf(strpool, "%.*s",
735
(int)(p - ds->u.utf8String),
737
if (strpool == NULL) {
738
hx509_set_error_string(context, 0, ENOMEM, "out of memory");
743
/* expand variables */
747
hx509_set_error_string(context, 0, EINVAL, "missing }");
748
rk_strpoolfree(strpool);
752
value = hx509_env_lfind(context, env, p, p2 - p);
754
hx509_set_error_string(context, 0, EINVAL,
755
"variable %.*s missing",
757
rk_strpoolfree(strpool);
760
strpool = rk_strpoolprintf(strpool, "%s", value);
761
if (strpool == NULL) {
762
hx509_set_error_string(context, 0, ENOMEM, "out of memory");
767
p = strstr(p2, "${");
769
strpool = rk_strpoolprintf(strpool, "%.*s",
772
strpool = rk_strpoolprintf(strpool, "%s", p2);
773
if (strpool == NULL) {
774
hx509_set_error_string(context, 0, ENOMEM, "out of memory");
779
free(ds->u.utf8String);
780
ds->u.utf8String = rk_strpoolcollect(strpool);
781
if (ds->u.utf8String == NULL) {
782
hx509_set_error_string(context, 0, ENOMEM, "out of memory");
792
* Free a hx509 name object, upond return *name will be NULL.
794
* @param name a hx509 name object to be freed.
796
* @ingroup hx509_name
800
hx509_name_free(hx509_name *name)
802
free_Name(&(*name)->der_name);
803
memset(*name, 0, sizeof(**name));
809
* Convert a DER encoded name info a string.
811
* @param data data to a DER/BER encoded name
812
* @param length length of data
813
* @param str the resulting string, is NULL on failure.
815
* @return An hx509 error code, see hx509_get_error_string().
817
* @ingroup hx509_name
821
hx509_unparse_der_name(const void *data, size_t length, char **str)
828
ret = decode_Name(data, length, &name, NULL);
831
ret = _hx509_Name_to_string(&name, str);
837
* Convert a hx509_name object to DER encoded name.
839
* @param name name to concert
840
* @param os data to a DER encoded name, free the resulting octet
841
* string with hx509_xfree(os->data).
843
* @return An hx509 error code, see hx509_get_error_string().
845
* @ingroup hx509_name
849
hx509_name_binary(const hx509_name name, heim_octet_string *os)
854
ASN1_MALLOC_ENCODE(Name, os->data, os->length, &name->der_name, &size, ret);
857
if (os->length != size)
858
_hx509_abort("internal ASN.1 encoder error");
864
_hx509_unparse_Name(const Name *aname, char **str)
869
ret = _hx509_name_from_Name(aname, &name);
873
ret = hx509_name_to_string(name, str);
874
hx509_name_free(&name);
879
* Unparse the hx509 name in name into a string.
881
* @param name the name to check if its empty/null.
883
* @return non zero if the name is empty/null.
885
* @ingroup hx509_name
889
hx509_name_is_null_p(const hx509_name name)
891
return name->der_name.u.rdnSequence.len == 0;
895
* Unparse the hx509 name in name into a string.
897
* @param name the name to print
898
* @param str an allocated string returns the name in string form
900
* @return An hx509 error code, see hx509_get_error_string().
902
* @ingroup hx509_name
906
hx509_general_name_unparse(GeneralName *name, char **str)
908
struct rk_strpool *strpool = NULL;
912
switch (name->element) {
913
case choice_GeneralName_otherName: {
915
hx509_oid_sprint(&name->u.otherName.type_id, &str);
918
strpool = rk_strpoolprintf(strpool, "otherName: %s", str);
922
case choice_GeneralName_rfc822Name:
923
strpool = rk_strpoolprintf(strpool, "rfc822Name: %s\n",
926
case choice_GeneralName_dNSName:
927
strpool = rk_strpoolprintf(strpool, "dNSName: %s\n",
930
case choice_GeneralName_directoryName: {
934
memset(&dir, 0, sizeof(dir));
935
dir.element = name->u.directoryName.element;
936
dir.u.rdnSequence = name->u.directoryName.u.rdnSequence;
937
ret = _hx509_unparse_Name(&dir, &s);
940
strpool = rk_strpoolprintf(strpool, "directoryName: %s", s);
944
case choice_GeneralName_uniformResourceIdentifier:
945
strpool = rk_strpoolprintf(strpool, "URI: %s",
946
name->u.uniformResourceIdentifier);
948
case choice_GeneralName_iPAddress: {
949
unsigned char *a = name->u.iPAddress.data;
951
strpool = rk_strpoolprintf(strpool, "IPAddress: ");
954
if (name->u.iPAddress.length == 4)
955
strpool = rk_strpoolprintf(strpool, "%d.%d.%d.%d",
956
a[0], a[1], a[2], a[3]);
957
else if (name->u.iPAddress.length == 16)
958
strpool = rk_strpoolprintf(strpool,
959
"%02X:%02X:%02X:%02X:"
960
"%02X:%02X:%02X:%02X:"
961
"%02X:%02X:%02X:%02X:"
962
"%02X:%02X:%02X:%02X",
963
a[0], a[1], a[2], a[3],
964
a[4], a[5], a[6], a[7],
965
a[8], a[9], a[10], a[11],
966
a[12], a[13], a[14], a[15]);
968
strpool = rk_strpoolprintf(strpool,
969
"unknown IP address of length %lu",
970
(unsigned long)name->u.iPAddress.length);
973
case choice_GeneralName_registeredID: {
975
hx509_oid_sprint(&name->u.registeredID, &str);
978
strpool = rk_strpoolprintf(strpool, "registeredID: %s", str);
988
*str = rk_strpoolcollect(strpool);