x_name.c 16 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551
  1. /*
  2. * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the OpenSSL license (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include <stdio.h>
  10. #include "internal/ctype.h"
  11. #include "internal/cryptlib.h"
  12. #include <openssl/asn1t.h>
  13. #include <openssl/x509.h>
  14. #include "internal/x509_int.h"
  15. #include "internal/asn1_int.h"
  16. #include "x509_lcl.h"
  17. /*
  18. * Maximum length of X509_NAME: much larger than anything we should
  19. * ever see in practice.
  20. */
  21. #define X509_NAME_MAX (1024 * 1024)
  22. static int x509_name_ex_d2i(ASN1_VALUE **val,
  23. const unsigned char **in, long len,
  24. const ASN1_ITEM *it,
  25. int tag, int aclass, char opt, ASN1_TLC *ctx);
  26. static int x509_name_ex_i2d(ASN1_VALUE **val, unsigned char **out,
  27. const ASN1_ITEM *it, int tag, int aclass);
  28. static int x509_name_ex_new(ASN1_VALUE **val, const ASN1_ITEM *it);
  29. static void x509_name_ex_free(ASN1_VALUE **val, const ASN1_ITEM *it);
  30. static int x509_name_encode(X509_NAME *a);
  31. static int x509_name_canon(X509_NAME *a);
  32. static int asn1_string_canon(ASN1_STRING *out, const ASN1_STRING *in);
  33. static int i2d_name_canon(STACK_OF(STACK_OF_X509_NAME_ENTRY) * intname,
  34. unsigned char **in);
  35. static int x509_name_ex_print(BIO *out, ASN1_VALUE **pval,
  36. int indent,
  37. const char *fname, const ASN1_PCTX *pctx);
  38. ASN1_SEQUENCE(X509_NAME_ENTRY) = {
  39. ASN1_SIMPLE(X509_NAME_ENTRY, object, ASN1_OBJECT),
  40. ASN1_SIMPLE(X509_NAME_ENTRY, value, ASN1_PRINTABLE)
  41. } ASN1_SEQUENCE_END(X509_NAME_ENTRY)
  42. IMPLEMENT_ASN1_FUNCTIONS(X509_NAME_ENTRY)
  43. IMPLEMENT_ASN1_DUP_FUNCTION(X509_NAME_ENTRY)
  44. /*
  45. * For the "Name" type we need a SEQUENCE OF { SET OF X509_NAME_ENTRY } so
  46. * declare two template wrappers for this
  47. */
  48. ASN1_ITEM_TEMPLATE(X509_NAME_ENTRIES) =
  49. ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SET_OF, 0, RDNS, X509_NAME_ENTRY)
  50. static_ASN1_ITEM_TEMPLATE_END(X509_NAME_ENTRIES)
  51. ASN1_ITEM_TEMPLATE(X509_NAME_INTERNAL) =
  52. ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, Name, X509_NAME_ENTRIES)
  53. static_ASN1_ITEM_TEMPLATE_END(X509_NAME_INTERNAL)
  54. /*
  55. * Normally that's where it would end: we'd have two nested STACK structures
  56. * representing the ASN1. Unfortunately X509_NAME uses a completely different
  57. * form and caches encodings so we have to process the internal form and
  58. * convert to the external form.
  59. */
  60. static const ASN1_EXTERN_FUNCS x509_name_ff = {
  61. NULL,
  62. x509_name_ex_new,
  63. x509_name_ex_free,
  64. 0, /* Default clear behaviour is OK */
  65. x509_name_ex_d2i,
  66. x509_name_ex_i2d,
  67. x509_name_ex_print
  68. };
  69. IMPLEMENT_EXTERN_ASN1(X509_NAME, V_ASN1_SEQUENCE, x509_name_ff)
  70. IMPLEMENT_ASN1_FUNCTIONS(X509_NAME)
  71. IMPLEMENT_ASN1_DUP_FUNCTION(X509_NAME)
  72. static int x509_name_ex_new(ASN1_VALUE **val, const ASN1_ITEM *it)
  73. {
  74. X509_NAME *ret = OPENSSL_zalloc(sizeof(*ret));
  75. if (ret == NULL)
  76. goto memerr;
  77. if ((ret->entries = sk_X509_NAME_ENTRY_new_null()) == NULL)
  78. goto memerr;
  79. if ((ret->bytes = BUF_MEM_new()) == NULL)
  80. goto memerr;
  81. ret->modified = 1;
  82. *val = (ASN1_VALUE *)ret;
  83. return 1;
  84. memerr:
  85. ASN1err(ASN1_F_X509_NAME_EX_NEW, ERR_R_MALLOC_FAILURE);
  86. if (ret) {
  87. sk_X509_NAME_ENTRY_free(ret->entries);
  88. OPENSSL_free(ret);
  89. }
  90. return 0;
  91. }
  92. static void x509_name_ex_free(ASN1_VALUE **pval, const ASN1_ITEM *it)
  93. {
  94. X509_NAME *a;
  95. if (!pval || !*pval)
  96. return;
  97. a = (X509_NAME *)*pval;
  98. BUF_MEM_free(a->bytes);
  99. sk_X509_NAME_ENTRY_pop_free(a->entries, X509_NAME_ENTRY_free);
  100. OPENSSL_free(a->canon_enc);
  101. OPENSSL_free(a);
  102. *pval = NULL;
  103. }
  104. static void local_sk_X509_NAME_ENTRY_free(STACK_OF(X509_NAME_ENTRY) *ne)
  105. {
  106. sk_X509_NAME_ENTRY_free(ne);
  107. }
  108. static void local_sk_X509_NAME_ENTRY_pop_free(STACK_OF(X509_NAME_ENTRY) *ne)
  109. {
  110. sk_X509_NAME_ENTRY_pop_free(ne, X509_NAME_ENTRY_free);
  111. }
  112. static int x509_name_ex_d2i(ASN1_VALUE **val,
  113. const unsigned char **in, long len,
  114. const ASN1_ITEM *it, int tag, int aclass,
  115. char opt, ASN1_TLC *ctx)
  116. {
  117. const unsigned char *p = *in, *q;
  118. union {
  119. STACK_OF(STACK_OF_X509_NAME_ENTRY) *s;
  120. ASN1_VALUE *a;
  121. } intname = {
  122. NULL
  123. };
  124. union {
  125. X509_NAME *x;
  126. ASN1_VALUE *a;
  127. } nm = {
  128. NULL
  129. };
  130. int i, j, ret;
  131. STACK_OF(X509_NAME_ENTRY) *entries;
  132. X509_NAME_ENTRY *entry;
  133. if (len > X509_NAME_MAX)
  134. len = X509_NAME_MAX;
  135. q = p;
  136. /* Get internal representation of Name */
  137. ret = ASN1_item_ex_d2i(&intname.a,
  138. &p, len, ASN1_ITEM_rptr(X509_NAME_INTERNAL),
  139. tag, aclass, opt, ctx);
  140. if (ret <= 0)
  141. return ret;
  142. if (*val)
  143. x509_name_ex_free(val, NULL);
  144. if (!x509_name_ex_new(&nm.a, NULL))
  145. goto err;
  146. /* We've decoded it: now cache encoding */
  147. if (!BUF_MEM_grow(nm.x->bytes, p - q))
  148. goto err;
  149. memcpy(nm.x->bytes->data, q, p - q);
  150. /* Convert internal representation to X509_NAME structure */
  151. for (i = 0; i < sk_STACK_OF_X509_NAME_ENTRY_num(intname.s); i++) {
  152. entries = sk_STACK_OF_X509_NAME_ENTRY_value(intname.s, i);
  153. for (j = 0; j < sk_X509_NAME_ENTRY_num(entries); j++) {
  154. entry = sk_X509_NAME_ENTRY_value(entries, j);
  155. entry->set = i;
  156. if (!sk_X509_NAME_ENTRY_push(nm.x->entries, entry))
  157. goto err;
  158. sk_X509_NAME_ENTRY_set(entries, j, NULL);
  159. }
  160. }
  161. ret = x509_name_canon(nm.x);
  162. if (!ret)
  163. goto err;
  164. sk_STACK_OF_X509_NAME_ENTRY_pop_free(intname.s,
  165. local_sk_X509_NAME_ENTRY_free);
  166. nm.x->modified = 0;
  167. *val = nm.a;
  168. *in = p;
  169. return ret;
  170. err:
  171. if (nm.x != NULL)
  172. X509_NAME_free(nm.x);
  173. sk_STACK_OF_X509_NAME_ENTRY_pop_free(intname.s,
  174. local_sk_X509_NAME_ENTRY_pop_free);
  175. ASN1err(ASN1_F_X509_NAME_EX_D2I, ERR_R_NESTED_ASN1_ERROR);
  176. return 0;
  177. }
  178. static int x509_name_ex_i2d(ASN1_VALUE **val, unsigned char **out,
  179. const ASN1_ITEM *it, int tag, int aclass)
  180. {
  181. int ret;
  182. X509_NAME *a = (X509_NAME *)*val;
  183. if (a->modified) {
  184. ret = x509_name_encode(a);
  185. if (ret < 0)
  186. return ret;
  187. ret = x509_name_canon(a);
  188. if (ret < 0)
  189. return ret;
  190. }
  191. ret = a->bytes->length;
  192. if (out != NULL) {
  193. memcpy(*out, a->bytes->data, ret);
  194. *out += ret;
  195. }
  196. return ret;
  197. }
  198. static int x509_name_encode(X509_NAME *a)
  199. {
  200. union {
  201. STACK_OF(STACK_OF_X509_NAME_ENTRY) *s;
  202. ASN1_VALUE *a;
  203. } intname = {
  204. NULL
  205. };
  206. int len;
  207. unsigned char *p;
  208. STACK_OF(X509_NAME_ENTRY) *entries = NULL;
  209. X509_NAME_ENTRY *entry;
  210. int i, set = -1;
  211. intname.s = sk_STACK_OF_X509_NAME_ENTRY_new_null();
  212. if (!intname.s)
  213. goto memerr;
  214. for (i = 0; i < sk_X509_NAME_ENTRY_num(a->entries); i++) {
  215. entry = sk_X509_NAME_ENTRY_value(a->entries, i);
  216. if (entry->set != set) {
  217. entries = sk_X509_NAME_ENTRY_new_null();
  218. if (!entries)
  219. goto memerr;
  220. if (!sk_STACK_OF_X509_NAME_ENTRY_push(intname.s, entries)) {
  221. sk_X509_NAME_ENTRY_free(entries);
  222. goto memerr;
  223. }
  224. set = entry->set;
  225. }
  226. if (!sk_X509_NAME_ENTRY_push(entries, entry))
  227. goto memerr;
  228. }
  229. len = ASN1_item_ex_i2d(&intname.a, NULL,
  230. ASN1_ITEM_rptr(X509_NAME_INTERNAL), -1, -1);
  231. if (!BUF_MEM_grow(a->bytes, len))
  232. goto memerr;
  233. p = (unsigned char *)a->bytes->data;
  234. ASN1_item_ex_i2d(&intname.a,
  235. &p, ASN1_ITEM_rptr(X509_NAME_INTERNAL), -1, -1);
  236. sk_STACK_OF_X509_NAME_ENTRY_pop_free(intname.s,
  237. local_sk_X509_NAME_ENTRY_free);
  238. a->modified = 0;
  239. return len;
  240. memerr:
  241. sk_STACK_OF_X509_NAME_ENTRY_pop_free(intname.s,
  242. local_sk_X509_NAME_ENTRY_free);
  243. ASN1err(ASN1_F_X509_NAME_ENCODE, ERR_R_MALLOC_FAILURE);
  244. return -1;
  245. }
  246. static int x509_name_ex_print(BIO *out, ASN1_VALUE **pval,
  247. int indent,
  248. const char *fname, const ASN1_PCTX *pctx)
  249. {
  250. if (X509_NAME_print_ex(out, (const X509_NAME *)*pval,
  251. indent, pctx->nm_flags) <= 0)
  252. return 0;
  253. return 2;
  254. }
  255. /*
  256. * This function generates the canonical encoding of the Name structure. In
  257. * it all strings are converted to UTF8, leading, trailing and multiple
  258. * spaces collapsed, converted to lower case and the leading SEQUENCE header
  259. * removed. In future we could also normalize the UTF8 too. By doing this
  260. * comparison of Name structures can be rapidly performed by just using
  261. * memcmp() of the canonical encoding. By omitting the leading SEQUENCE name
  262. * constraints of type dirName can also be checked with a simple memcmp().
  263. */
  264. static int x509_name_canon(X509_NAME *a)
  265. {
  266. unsigned char *p;
  267. STACK_OF(STACK_OF_X509_NAME_ENTRY) *intname;
  268. STACK_OF(X509_NAME_ENTRY) *entries = NULL;
  269. X509_NAME_ENTRY *entry, *tmpentry = NULL;
  270. int i, set = -1, ret = 0, len;
  271. OPENSSL_free(a->canon_enc);
  272. a->canon_enc = NULL;
  273. /* Special case: empty X509_NAME => null encoding */
  274. if (sk_X509_NAME_ENTRY_num(a->entries) == 0) {
  275. a->canon_enclen = 0;
  276. return 1;
  277. }
  278. intname = sk_STACK_OF_X509_NAME_ENTRY_new_null();
  279. if (intname == NULL) {
  280. X509err(X509_F_X509_NAME_CANON, ERR_R_MALLOC_FAILURE);
  281. goto err;
  282. }
  283. for (i = 0; i < sk_X509_NAME_ENTRY_num(a->entries); i++) {
  284. entry = sk_X509_NAME_ENTRY_value(a->entries, i);
  285. if (entry->set != set) {
  286. entries = sk_X509_NAME_ENTRY_new_null();
  287. if (entries == NULL)
  288. goto err;
  289. if (!sk_STACK_OF_X509_NAME_ENTRY_push(intname, entries)) {
  290. sk_X509_NAME_ENTRY_free(entries);
  291. X509err(X509_F_X509_NAME_CANON, ERR_R_MALLOC_FAILURE);
  292. goto err;
  293. }
  294. set = entry->set;
  295. }
  296. tmpentry = X509_NAME_ENTRY_new();
  297. if (tmpentry == NULL) {
  298. X509err(X509_F_X509_NAME_CANON, ERR_R_MALLOC_FAILURE);
  299. goto err;
  300. }
  301. tmpentry->object = OBJ_dup(entry->object);
  302. if (tmpentry->object == NULL) {
  303. X509err(X509_F_X509_NAME_CANON, ERR_R_MALLOC_FAILURE);
  304. goto err;
  305. }
  306. if (!asn1_string_canon(tmpentry->value, entry->value))
  307. goto err;
  308. if (!sk_X509_NAME_ENTRY_push(entries, tmpentry)) {
  309. X509err(X509_F_X509_NAME_CANON, ERR_R_MALLOC_FAILURE);
  310. goto err;
  311. }
  312. tmpentry = NULL;
  313. }
  314. /* Finally generate encoding */
  315. len = i2d_name_canon(intname, NULL);
  316. if (len < 0)
  317. goto err;
  318. a->canon_enclen = len;
  319. p = OPENSSL_malloc(a->canon_enclen);
  320. if (p == NULL) {
  321. X509err(X509_F_X509_NAME_CANON, ERR_R_MALLOC_FAILURE);
  322. goto err;
  323. }
  324. a->canon_enc = p;
  325. i2d_name_canon(intname, &p);
  326. ret = 1;
  327. err:
  328. X509_NAME_ENTRY_free(tmpentry);
  329. sk_STACK_OF_X509_NAME_ENTRY_pop_free(intname,
  330. local_sk_X509_NAME_ENTRY_pop_free);
  331. return ret;
  332. }
  333. /* Bitmap of all the types of string that will be canonicalized. */
  334. #define ASN1_MASK_CANON \
  335. (B_ASN1_UTF8STRING | B_ASN1_BMPSTRING | B_ASN1_UNIVERSALSTRING \
  336. | B_ASN1_PRINTABLESTRING | B_ASN1_T61STRING | B_ASN1_IA5STRING \
  337. | B_ASN1_VISIBLESTRING)
  338. static int asn1_string_canon(ASN1_STRING *out, const ASN1_STRING *in)
  339. {
  340. unsigned char *to, *from;
  341. int len, i;
  342. /* If type not in bitmask just copy string across */
  343. if (!(ASN1_tag2bit(in->type) & ASN1_MASK_CANON)) {
  344. if (!ASN1_STRING_copy(out, in))
  345. return 0;
  346. return 1;
  347. }
  348. out->type = V_ASN1_UTF8STRING;
  349. out->length = ASN1_STRING_to_UTF8(&out->data, in);
  350. if (out->length == -1)
  351. return 0;
  352. to = out->data;
  353. from = to;
  354. len = out->length;
  355. /*
  356. * Convert string in place to canonical form. Ultimately we may need to
  357. * handle a wider range of characters but for now ignore anything with
  358. * MSB set and rely on the ossl_isspace() to fail on bad characters without
  359. * needing isascii or range checks as well.
  360. */
  361. /* Ignore leading spaces */
  362. while (len > 0 && ossl_isspace(*from)) {
  363. from++;
  364. len--;
  365. }
  366. to = from + len;
  367. /* Ignore trailing spaces */
  368. while (len > 0 && ossl_isspace(to[-1])) {
  369. to--;
  370. len--;
  371. }
  372. to = out->data;
  373. i = 0;
  374. while (i < len) {
  375. /* If not ASCII set just copy across */
  376. if (!ossl_isascii(*from)) {
  377. *to++ = *from++;
  378. i++;
  379. }
  380. /* Collapse multiple spaces */
  381. else if (ossl_isspace(*from)) {
  382. /* Copy one space across */
  383. *to++ = ' ';
  384. /*
  385. * Ignore subsequent spaces. Note: don't need to check len here
  386. * because we know the last character is a non-space so we can't
  387. * overflow.
  388. */
  389. do {
  390. from++;
  391. i++;
  392. }
  393. while (ossl_isspace(*from));
  394. } else {
  395. *to++ = ossl_tolower(*from);
  396. from++;
  397. i++;
  398. }
  399. }
  400. out->length = to - out->data;
  401. return 1;
  402. }
  403. static int i2d_name_canon(STACK_OF(STACK_OF_X509_NAME_ENTRY) * _intname,
  404. unsigned char **in)
  405. {
  406. int i, len, ltmp;
  407. ASN1_VALUE *v;
  408. STACK_OF(ASN1_VALUE) *intname = (STACK_OF(ASN1_VALUE) *)_intname;
  409. len = 0;
  410. for (i = 0; i < sk_ASN1_VALUE_num(intname); i++) {
  411. v = sk_ASN1_VALUE_value(intname, i);
  412. ltmp = ASN1_item_ex_i2d(&v, in,
  413. ASN1_ITEM_rptr(X509_NAME_ENTRIES), -1, -1);
  414. if (ltmp < 0)
  415. return ltmp;
  416. len += ltmp;
  417. }
  418. return len;
  419. }
  420. int X509_NAME_set(X509_NAME **xn, X509_NAME *name)
  421. {
  422. if (*xn == name)
  423. return *xn != NULL;
  424. if ((name = X509_NAME_dup(name)) == NULL)
  425. return 0;
  426. X509_NAME_free(*xn);
  427. *xn = name;
  428. return 1;
  429. }
  430. int X509_NAME_print(BIO *bp, const X509_NAME *name, int obase)
  431. {
  432. char *s, *c, *b;
  433. int l, i;
  434. l = 80 - 2 - obase;
  435. b = X509_NAME_oneline(name, NULL, 0);
  436. if (!b)
  437. return 0;
  438. if (!*b) {
  439. OPENSSL_free(b);
  440. return 1;
  441. }
  442. s = b + 1; /* skip the first slash */
  443. c = s;
  444. for (;;) {
  445. if (((*s == '/') &&
  446. (ossl_isupper(s[1]) && ((s[2] == '=') ||
  447. (ossl_isupper(s[2]) && (s[3] == '='))
  448. ))) || (*s == '\0'))
  449. {
  450. i = s - c;
  451. if (BIO_write(bp, c, i) != i)
  452. goto err;
  453. c = s + 1; /* skip following slash */
  454. if (*s != '\0') {
  455. if (BIO_write(bp, ", ", 2) != 2)
  456. goto err;
  457. }
  458. l--;
  459. }
  460. if (*s == '\0')
  461. break;
  462. s++;
  463. l--;
  464. }
  465. OPENSSL_free(b);
  466. return 1;
  467. err:
  468. X509err(X509_F_X509_NAME_PRINT, ERR_R_BUF_LIB);
  469. OPENSSL_free(b);
  470. return 0;
  471. }
  472. int X509_NAME_get0_der(X509_NAME *nm, const unsigned char **pder,
  473. size_t *pderlen)
  474. {
  475. /* Make sure encoding is valid */
  476. if (i2d_X509_NAME(nm, NULL) <= 0)
  477. return 0;
  478. if (pder != NULL)
  479. *pder = (unsigned char *)nm->bytes->data;
  480. if (pderlen != NULL)
  481. *pderlen = nm->bytes->length;
  482. return 1;
  483. }