2 * Copyright (c) 2004 - 2009 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
39 * @page page_name PKIX/X.509 Names
41 * There are several names in PKIX/X.509, GeneralName and Name.
43 * A Name consists of an ordered list of Relative Distinguished Names
44 * (RDN). Each RDN consists of an unordered list of typed strings. The
45 * types are defined by OID and have long and short description. For
46 * example id-at-commonName (2.5.4.3) have the long name CommonName
47 * and short name CN. The string itself can be of several encoding,
48 * UTF8, UTF16, Teltex string, etc. The type limit what encoding
51 * GeneralName is a broader nametype that can contains al kind of
52 * stuff like Name, IP addresses, partial Name, etc.
54 * Name is mapped into a hx509_name object.
56 * Parse and string name into a hx509_name object with hx509_parse_name(),
57 * make it back into string representation with hx509_name_to_string().
59 * Name string are defined rfc2253, rfc1779 and X.501.
61 * See the library functions here: @ref hx509_name
67 wind_profile_flags flags;
69 { "C", &asn1_oid_id_at_countryName },
70 { "CN", &asn1_oid_id_at_commonName },
71 { "DC", &asn1_oid_id_domainComponent },
72 { "L", &asn1_oid_id_at_localityName },
73 { "O", &asn1_oid_id_at_organizationName },
74 { "OU", &asn1_oid_id_at_organizationalUnitName },
75 { "S", &asn1_oid_id_at_stateOrProvinceName },
76 { "STREET", &asn1_oid_id_at_streetAddress },
77 { "UID", &asn1_oid_id_Userid },
78 { "emailAddress", &asn1_oid_id_pkcs9_emailAddress },
79 { "serialNumber", &asn1_oid_id_at_serialNumber }
83 quote_string(const char *f, size_t len, int flags, size_t *rlen)
86 const unsigned char *from = (const unsigned char *)f;
94 for (i = 0, j = 0; i < len; i++) {
95 unsigned char map = char_map[from[i]] & flags;
96 if (i == 0 && (map & Q_RFC2253_QUOTE_FIRST)) {
99 } else if ((i + 1) == len && (map & Q_RFC2253_QUOTE_LAST)) {
103 } else if (map & Q_RFC2253_QUOTE) {
106 } else if (map & Q_RFC2253_HEX) {
107 int l = snprintf((char *)&to[j], tolen - j - 1,
108 "#%02x", (unsigned char)from[i]);
122 append_string(char **str, size_t *total_len, const char *ss,
123 size_t len, int quote)
128 qs = quote_string(ss, len, Q_RFC2253, &len);
132 s = realloc(*str, len + *total_len + 1);
134 _hx509_abort("allocation failure"); /* XXX */
135 memcpy(s + *total_len, qs, len);
138 s[*total_len + len] = '\0';
145 oidtostring(const heim_oid *type)
150 for (i = 0; i < sizeof(no)/sizeof(no[0]); i++) {
151 if (der_heim_oid_cmp(no[i].o, type) == 0)
152 return strdup(no[i].n);
154 if (der_print_heim_oid(type, '.', &s) != 0)
160 stringtooid(const char *name, size_t len, heim_oid *oid)
165 memset(oid, 0, sizeof(*oid));
167 for (i = 0; i < sizeof(no)/sizeof(no[0]); i++) {
168 if (strncasecmp(no[i].n, name, len) == 0)
169 return der_copy_oid(no[i].o, oid);
174 memcpy(s, name, len);
176 ret = der_parse_heim_oid(s, ".", oid);
182 * Convert the hx509 name object into a printable string.
183 * The resulting string should be freed with free().
185 * @param name name to print
186 * @param str the string to return
188 * @return An hx509 error code, see hx509_get_error_string().
190 * @ingroup hx509_name
194 hx509_name_to_string(const hx509_name name, char **str)
196 return _hx509_Name_to_string(&name->der_name, str);
200 _hx509_Name_to_string(const Name *n, char **str)
202 size_t total_len = 0;
209 for (i = n->u.rdnSequence.len - 1 ; i >= 0 ; i--) {
212 for (j = 0; j < n->u.rdnSequence.val[i].len; j++) {
213 DirectoryString *ds = &n->u.rdnSequence.val[i].val[j].value;
217 oidname = oidtostring(&n->u.rdnSequence.val[i].val[j].type);
219 switch(ds->element) {
220 case choice_DirectoryString_ia5String:
221 ss = ds->u.ia5String.data;
222 len = ds->u.ia5String.length;
224 case choice_DirectoryString_printableString:
225 ss = ds->u.printableString.data;
226 len = ds->u.printableString.length;
228 case choice_DirectoryString_utf8String:
229 ss = ds->u.utf8String;
232 case choice_DirectoryString_bmpString: {
233 const uint16_t *bmp = ds->u.bmpString.data;
234 size_t bmplen = ds->u.bmpString.length;
237 ret = wind_ucs2utf8_length(bmp, bmplen, &k);
243 _hx509_abort("allocation failure"); /* XXX */
244 ret = wind_ucs2utf8(bmp, bmplen, ss, NULL);
253 case choice_DirectoryString_teletexString:
254 ss = ds->u.teletexString;
257 case choice_DirectoryString_universalString: {
258 const uint32_t *uni = ds->u.universalString.data;
259 size_t unilen = ds->u.universalString.length;
262 ret = wind_ucs4utf8_length(uni, unilen, &k);
268 _hx509_abort("allocation failure"); /* XXX */
269 ret = wind_ucs4utf8(uni, unilen, ss, NULL);
279 _hx509_abort("unknown directory type: %d", ds->element);
282 append_string(str, &total_len, oidname, strlen(oidname), 0);
284 append_string(str, &total_len, "=", 1, 0);
285 append_string(str, &total_len, ss, len, 1);
286 if (ds->element == choice_DirectoryString_bmpString ||
287 ds->element == choice_DirectoryString_universalString)
291 if (j + 1 < n->u.rdnSequence.val[i].len)
292 append_string(str, &total_len, "+", 1, 0);
296 append_string(str, &total_len, ",", 1, 0);
301 #define COPYCHARARRAY(_ds,_el,_l,_n) \
302 (_l) = strlen(_ds->u._el); \
303 (_n) = malloc((_l) * sizeof((_n)[0])); \
306 for (i = 0; i < (_l); i++) \
307 (_n)[i] = _ds->u._el[i]
310 #define COPYVALARRAY(_ds,_el,_l,_n) \
311 (_l) = _ds->u._el.length; \
312 (_n) = malloc((_l) * sizeof((_n)[0])); \
315 for (i = 0; i < (_l); i++) \
316 (_n)[i] = _ds->u._el.data[i]
318 #define COPYVOIDARRAY(_ds,_el,_l,_n) \
319 (_l) = _ds->u._el.length; \
320 (_n) = malloc((_l) * sizeof((_n)[0])); \
323 for (i = 0; i < (_l); i++) \
324 (_n)[i] = ((unsigned char *)_ds->u._el.data)[i]
329 dsstringprep(const DirectoryString *ds, uint32_t **rname, size_t *rlen)
331 wind_profile_flags flags;
339 switch(ds->element) {
340 case choice_DirectoryString_ia5String:
341 flags = WIND_PROFILE_LDAP;
342 COPYVOIDARRAY(ds, ia5String, len, name);
344 case choice_DirectoryString_printableString:
345 flags = WIND_PROFILE_LDAP;
346 flags |= WIND_PROFILE_LDAP_CASE_EXACT_ATTRIBUTE;
347 COPYVOIDARRAY(ds, printableString, len, name);
349 case choice_DirectoryString_teletexString:
350 flags = WIND_PROFILE_LDAP_CASE;
351 COPYCHARARRAY(ds, teletexString, len, name);
353 case choice_DirectoryString_bmpString:
354 flags = WIND_PROFILE_LDAP;
355 COPYVALARRAY(ds, bmpString, len, name);
357 case choice_DirectoryString_universalString:
358 flags = WIND_PROFILE_LDAP;
359 COPYVALARRAY(ds, universalString, len, name);
361 case choice_DirectoryString_utf8String:
362 flags = WIND_PROFILE_LDAP;
363 ret = wind_utf8ucs4_length(ds->u.utf8String, &len);
366 name = malloc(len * sizeof(name[0]));
369 ret = wind_utf8ucs4(ds->u.utf8String, name, &len);
376 _hx509_abort("unknown directory type: %d", ds->element);
380 /* try a couple of times to get the length right, XXX gross */
381 for (i = 0; i < 4; i++) {
383 *rname = malloc(*rlen * sizeof((*rname)[0]));
385 ret = wind_stringprep(name, len, *rname, rlen, flags);
386 if (ret == WIND_ERR_OVERRUN) {
406 _hx509_name_ds_cmp(const DirectoryString *ds1,
407 const DirectoryString *ds2,
410 uint32_t *ds1lp, *ds2lp;
411 size_t ds1len, ds2len, i;
414 ret = dsstringprep(ds1, &ds1lp, &ds1len);
417 ret = dsstringprep(ds2, &ds2lp, &ds2len);
423 if (ds1len != ds2len)
424 *diff = ds1len - ds2len;
426 for (i = 0; i < ds1len; i++) {
427 *diff = ds1lp[i] - ds2lp[i];
439 _hx509_name_cmp(const Name *n1, const Name *n2, int *c)
443 *c = n1->u.rdnSequence.len - n2->u.rdnSequence.len;
447 for (i = 0 ; i < n1->u.rdnSequence.len; i++) {
448 *c = n1->u.rdnSequence.val[i].len - n2->u.rdnSequence.val[i].len;
452 for (j = 0; j < n1->u.rdnSequence.val[i].len; j++) {
453 *c = der_heim_oid_cmp(&n1->u.rdnSequence.val[i].val[j].type,
454 &n1->u.rdnSequence.val[i].val[j].type);
458 ret = _hx509_name_ds_cmp(&n1->u.rdnSequence.val[i].val[j].value,
459 &n2->u.rdnSequence.val[i].val[j].value,
472 * Compare to hx509 name object, useful for sorting.
474 * @param n1 a hx509 name object.
475 * @param n2 a hx509 name object.
477 * @return 0 the objects are the same, returns > 0 is n2 is "larger"
478 * then n2, < 0 if n1 is "smaller" then n2.
480 * @ingroup hx509_name
484 hx509_name_cmp(hx509_name n1, hx509_name n2)
487 ret = _hx509_name_cmp(&n1->der_name, &n2->der_name, &diff);
495 _hx509_name_from_Name(const Name *n, hx509_name *name)
498 *name = calloc(1, sizeof(**name));
501 ret = copy_Name(n, &(*name)->der_name);
510 _hx509_name_modify(hx509_context context,
516 RelativeDistinguishedName *rdn;
520 ptr = realloc(name->u.rdnSequence.val,
521 sizeof(name->u.rdnSequence.val[0]) *
522 (name->u.rdnSequence.len + 1));
524 hx509_set_error_string(context, 0, ENOMEM, "Out of memory");
527 name->u.rdnSequence.val = ptr;
530 rdn = &name->u.rdnSequence.val[name->u.rdnSequence.len];
532 memmove(&name->u.rdnSequence.val[1],
533 &name->u.rdnSequence.val[0],
534 name->u.rdnSequence.len *
535 sizeof(name->u.rdnSequence.val[0]));
537 rdn = &name->u.rdnSequence.val[0];
539 rdn->val = malloc(sizeof(rdn->val[0]));
540 if (rdn->val == NULL)
543 ret = der_copy_oid(oid, &rdn->val[0].type);
546 rdn->val[0].value.element = choice_DirectoryString_utf8String;
547 rdn->val[0].value.u.utf8String = strdup(str);
548 if (rdn->val[0].value.u.utf8String == NULL)
550 name->u.rdnSequence.len += 1;
556 * Parse a string into a hx509 name object.
558 * @param context A hx509 context.
559 * @param str a string to parse.
560 * @param name the resulting object, NULL in case of error.
562 * @return An hx509 error code, see hx509_get_error_string().
564 * @ingroup hx509_name
568 hx509_parse_name(hx509_context context, const char *str, hx509_name *name)
577 n = calloc(1, sizeof(*n));
579 hx509_set_error_string(context, 0, ENOMEM, "out of memory");
583 n->der_name.element = choice_Name_rdnSequence;
587 while (p != NULL && *p != '\0') {
602 ret = HX509_PARSING_NAME_FAILED;
603 hx509_set_error_string(context, 0, ret, "missing = in %s", p);
607 ret = HX509_PARSING_NAME_FAILED;
608 hx509_set_error_string(context, 0, ret,
609 "missing name before = in %s", p);
614 ret = HX509_PARSING_NAME_FAILED;
615 hx509_set_error_string(context, 0, ret, " = after , in %s", p);
619 ret = stringtooid(p, q - p, &oid);
621 ret = HX509_PARSING_NAME_FAILED;
622 hx509_set_error_string(context, 0, ret,
623 "unknown type: %.*s", (int)(q - p), p);
628 size_t pstr_len = len - (q - p) - 1;
629 const char *pstr = p + (q - p) + 1;
632 r = malloc(pstr_len + 1);
636 hx509_set_error_string(context, 0, ret, "out of memory");
639 memcpy(r, pstr, pstr_len);
642 ret = _hx509_name_modify(context, &n->der_name, 0, &oid, r);
656 return HX509_NAME_MALFORMED;
660 * Copy a hx509 name object.
662 * @param context A hx509 cotext.
663 * @param from the name to copy from
664 * @param to the name to copy to
666 * @return An hx509 error code, see hx509_get_error_string().
668 * @ingroup hx509_name
672 hx509_name_copy(hx509_context context, const hx509_name from, hx509_name *to)
676 *to = calloc(1, sizeof(**to));
679 ret = copy_Name(&from->der_name, &(*to)->der_name);
689 * Convert a hx509_name into a Name.
691 * @param from the name to copy from
692 * @param to the name to copy to
694 * @return An hx509 error code, see hx509_get_error_string().
696 * @ingroup hx509_name
700 hx509_name_to_Name(const hx509_name from, Name *to)
702 return copy_Name(&from->der_name, to);
706 hx509_name_normalize(hx509_context context, hx509_name name)
712 * Expands variables in the name using env. Variables are on the form
713 * ${name}. Useful when dealing with certificate templates.
715 * @param context A hx509 cotext.
716 * @param name the name to expand.
717 * @param env environment variable to expand.
719 * @return An hx509 error code, see hx509_get_error_string().
721 * @ingroup hx509_name
725 hx509_name_expand(hx509_context context,
729 Name *n = &name->der_name;
735 if (n->element != choice_Name_rdnSequence) {
736 hx509_set_error_string(context, 0, EINVAL, "RDN not of supported type");
740 for (i = 0 ; i < n->u.rdnSequence.len; i++) {
741 for (j = 0; j < n->u.rdnSequence.val[i].len; j++) {
742 /** Only UTF8String rdnSequence names are allowed */
744 THIS SHOULD REALLY BE:
745 COMP = n->u.rdnSequence.val[i].val[j];
746 normalize COMP to utf8
747 check if there are variables
749 convert back to orignal format, store in COMP
750 free normalized utf8 string
752 DirectoryString *ds = &n->u.rdnSequence.val[i].val[j].value;
754 struct rk_strpool *strpool = NULL;
756 if (ds->element != choice_DirectoryString_utf8String) {
757 hx509_set_error_string(context, 0, EINVAL, "unsupported type");
760 p = strstr(ds->u.utf8String, "${");
762 strpool = rk_strpoolprintf(strpool, "%.*s",
763 (int)(p - ds->u.utf8String),
765 if (strpool == NULL) {
766 hx509_set_error_string(context, 0, ENOMEM, "out of memory");
771 /* expand variables */
775 hx509_set_error_string(context, 0, EINVAL, "missing }");
776 rk_strpoolfree(strpool);
780 value = hx509_env_lfind(context, env, p, p2 - p);
782 hx509_set_error_string(context, 0, EINVAL,
783 "variable %.*s missing",
785 rk_strpoolfree(strpool);
788 strpool = rk_strpoolprintf(strpool, "%s", value);
789 if (strpool == NULL) {
790 hx509_set_error_string(context, 0, ENOMEM, "out of memory");
795 p = strstr(p2, "${");
797 strpool = rk_strpoolprintf(strpool, "%.*s",
800 strpool = rk_strpoolprintf(strpool, "%s", p2);
801 if (strpool == NULL) {
802 hx509_set_error_string(context, 0, ENOMEM, "out of memory");
807 free(ds->u.utf8String);
808 ds->u.utf8String = rk_strpoolcollect(strpool);
809 if (ds->u.utf8String == NULL) {
810 hx509_set_error_string(context, 0, ENOMEM, "out of memory");
820 * Free a hx509 name object, upond return *name will be NULL.
822 * @param name a hx509 name object to be freed.
824 * @ingroup hx509_name
828 hx509_name_free(hx509_name *name)
830 free_Name(&(*name)->der_name);
831 memset(*name, 0, sizeof(**name));
837 * Convert a DER encoded name info a string.
839 * @param data data to a DER/BER encoded name
840 * @param length length of data
841 * @param str the resulting string, is NULL on failure.
843 * @return An hx509 error code, see hx509_get_error_string().
845 * @ingroup hx509_name
849 hx509_unparse_der_name(const void *data, size_t length, char **str)
856 ret = decode_Name(data, length, &name, NULL);
859 ret = _hx509_Name_to_string(&name, str);
865 * Convert a hx509_name object to DER encoded name.
867 * @param name name to concert
868 * @param os data to a DER encoded name, free the resulting octet
869 * string with hx509_xfree(os->data).
871 * @return An hx509 error code, see hx509_get_error_string().
873 * @ingroup hx509_name
877 hx509_name_binary(const hx509_name name, heim_octet_string *os)
882 ASN1_MALLOC_ENCODE(Name, os->data, os->length, &name->der_name, &size, ret);
885 if (os->length != size)
886 _hx509_abort("internal ASN.1 encoder error");
892 _hx509_unparse_Name(const Name *aname, char **str)
897 ret = _hx509_name_from_Name(aname, &name);
901 ret = hx509_name_to_string(name, str);
902 hx509_name_free(&name);
907 * Unparse the hx509 name in name into a string.
909 * @param name the name to check if its empty/null.
911 * @return non zero if the name is empty/null.
913 * @ingroup hx509_name
917 hx509_name_is_null_p(const hx509_name name)
919 return name->der_name.u.rdnSequence.len == 0;
923 * Unparse the hx509 name in name into a string.
925 * @param name the name to print
926 * @param str an allocated string returns the name in string form
928 * @return An hx509 error code, see hx509_get_error_string().
930 * @ingroup hx509_name
934 hx509_general_name_unparse(GeneralName *name, char **str)
936 struct rk_strpool *strpool = NULL;
940 switch (name->element) {
941 case choice_GeneralName_otherName: {
943 hx509_oid_sprint(&name->u.otherName.type_id, &oid);
946 strpool = rk_strpoolprintf(strpool, "otherName: %s", oid);
950 case choice_GeneralName_rfc822Name:
951 strpool = rk_strpoolprintf(strpool, "rfc822Name: %.*s\n",
952 (int)name->u.rfc822Name.length,
953 (char *)name->u.rfc822Name.data);
955 case choice_GeneralName_dNSName:
956 strpool = rk_strpoolprintf(strpool, "dNSName: %.*s\n",
957 (int)name->u.dNSName.length,
958 (char *)name->u.dNSName.data);
960 case choice_GeneralName_directoryName: {
964 memset(&dir, 0, sizeof(dir));
965 dir.element = name->u.directoryName.element;
966 dir.u.rdnSequence = name->u.directoryName.u.rdnSequence;
967 ret = _hx509_unparse_Name(&dir, &s);
970 strpool = rk_strpoolprintf(strpool, "directoryName: %s", s);
974 case choice_GeneralName_uniformResourceIdentifier:
975 strpool = rk_strpoolprintf(strpool, "URI: %.*s",
976 (int)name->u.uniformResourceIdentifier.length,
977 (char *)name->u.uniformResourceIdentifier.data);
979 case choice_GeneralName_iPAddress: {
980 unsigned char *a = name->u.iPAddress.data;
982 strpool = rk_strpoolprintf(strpool, "IPAddress: ");
985 if (name->u.iPAddress.length == 4)
986 strpool = rk_strpoolprintf(strpool, "%d.%d.%d.%d",
987 a[0], a[1], a[2], a[3]);
988 else if (name->u.iPAddress.length == 16)
989 strpool = rk_strpoolprintf(strpool,
990 "%02X:%02X:%02X:%02X:"
991 "%02X:%02X:%02X:%02X:"
992 "%02X:%02X:%02X:%02X:"
993 "%02X:%02X:%02X:%02X",
994 a[0], a[1], a[2], a[3],
995 a[4], a[5], a[6], a[7],
996 a[8], a[9], a[10], a[11],
997 a[12], a[13], a[14], a[15]);
999 strpool = rk_strpoolprintf(strpool,
1000 "unknown IP address of length %lu",
1001 (unsigned long)name->u.iPAddress.length);
1004 case choice_GeneralName_registeredID: {
1006 hx509_oid_sprint(&name->u.registeredID, &oid);
1009 strpool = rk_strpoolprintf(strpool, "registeredID: %s", oid);
1016 if (strpool == NULL)
1019 *str = rk_strpoolcollect(strpool);
git.samba.org / samba.git / blob