/*
- * Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
#include "hx_locl.h"
#include <pkinit_asn1.h>
-RCSID("$Id: ca.c 22456 2008-01-15 20:22:53Z lha $");
/**
* @page page_ca Hx509 CA functions
hx509_name_free(&tbs->subject);
ret = hx509_cert_get_subject(cert, &tbs->subject);
if (ret) {
- hx509_set_error_string(context, 0, ret,
+ hx509_set_error_string(context, 0, ret,
"Failed to get subject from template");
return ret;
}
ret = hx509_cert_get_serialnumber(cert, &tbs->serial);
tbs->flags.serial = !ret;
if (ret) {
- hx509_set_error_string(context, 0, ret,
+ hx509_set_error_string(context, 0, ret,
"Failed to copy serial number");
return ret;
}
int ret;
memset(&dp, 0, sizeof(dp));
-
+
dp.distributionPoint = ecalloc(1, sizeof(*dp.distributionPoint));
{
gn.element = choice_GeneralName_uniformResourceIdentifier;
gn.u.uniformResourceIdentifier = rk_UNCONST(uri);
- ASN1_MALLOC_ENCODE(DistributionPointName,
- dp.distributionPoint->data,
+ ASN1_MALLOC_ENCODE(DistributionPointName,
+ dp.distributionPoint->data,
dp.distributionPoint->length,
&name, &size, ret);
if (ret) {
hx509_set_error_string(context, 0, EINVAL,
"CRLDistributionPoints.name.issuername not yet supported");
return EINVAL;
-#else
+#else
GeneralNames *crlissuer;
GeneralName gn;
Name n;
gn.element = choice_GeneralName_otherName;
gn.u.otherName.type_id = *oid;
gn.u.otherName.value = *os;
-
+
return add_GeneralNames(&tbs->san, &gn);
}
if(*str=='\\'){
if(str[1] == '\0' || str[1] == '@') {
ret = HX509_PARSING_NAME_FAILED;
- hx509_set_error_string(context, 0, ret,
+ hx509_set_error_string(context, 0, ret,
"trailing \\ in principal name");
goto out;
}
} else if(*str == '/')
n++;
}
- p.principalName.name_string.val =
+ p.principalName.name_string.val =
calloc(n, sizeof(*p.principalName.name_string.val));
if (p.principalName.name_string.val == NULL) {
ret = ENOMEM;
*q++ = '\0';
}
}
-
+
ASN1_MALLOC_ENCODE(KRB5PrincipalName, os.data, os.length, &p, &size, ret);
if (ret) {
hx509_set_error_string(context, 0, ret, "Out of memory");
}
if (size != os.length)
_hx509_abort("internal ASN.1 encoder error");
-
+
ret = hx509_ca_tbs_add_san_otherName(context,
tbs,
- oid_id_pkinit_san(),
+ &asn1_oid_id_pkinit_san,
&os);
free(os.data);
out:
free(s);
return ret;
}
-
+
/*
*
*/
const heim_oid *oid,
const char *string)
{
- const PKIXXmppAddr ustring = (const PKIXXmppAddr)string;
+ const PKIXXmppAddr ustring = string;
heim_octet_string os;
size_t size;
int ret;
}
if (size != os.length)
_hx509_abort("internal ASN.1 encoder error");
-
+
ret = hx509_ca_tbs_add_san_otherName(context,
tbs,
oid,
hx509_ca_tbs tbs,
const char *principal)
{
- return add_utf8_san(context, tbs, oid_id_pkinit_ms_san(), principal);
+ return add_utf8_san(context, tbs, &asn1_oid_id_pkinit_ms_san, principal);
}
/**
hx509_ca_tbs tbs,
const char *jid)
{
- return add_utf8_san(context, tbs, oid_id_pkix_on_xmppAddr(), jid);
+ return add_utf8_san(context, tbs, &asn1_oid_id_pkix_on_xmppAddr, jid);
}
memset(&gn, 0, sizeof(gn));
gn.element = choice_GeneralName_dNSName;
gn.u.dNSName = rk_UNCONST(dnsname);
-
+
return add_GeneralNames(&tbs->san, &gn);
}
memset(&gn, 0, sizeof(gn));
gn.element = choice_GeneralName_rfc822Name;
gn.u.rfc822Name = rk_UNCONST(rfc822Name);
-
+
return add_GeneralNames(&tbs->san, &gn);
}
return ENOMEM;
}
/* prefix with CN=<ts>,...*/
- ret = _hx509_name_modify(context, subject, 1, oid_id_at_commonName(), tstr);
+ ret = _hx509_name_modify(context, subject, 1, &asn1_oid_id_at_commonName, tstr);
free(tstr);
if (ret)
free_Name(subject);
return EINVAL;
}
if (hx509_name_is_null_p(tbs->subject) && tbs->san.len == 0) {
- hx509_set_error_string(context, 0, EINVAL,
+ hx509_set_error_string(context, 0, EINVAL,
"NULL subject and no SubjectAltNames");
return EINVAL;
}
}
if (tbs->flags.proxy) {
if (tbs->san.len > 0) {
- hx509_set_error_string(context, 0, EINVAL,
+ hx509_set_error_string(context, 0, EINVAL,
"Proxy certificate is not allowed "
"to have SubjectAltNames");
return EINVAL;
hx509_set_error_string(context, 0, ret, "Out of memory");
goto out;
}
-
+
/* Add the text BMP string Domaincontroller to the cert */
if (tbs->flags.domaincontroller) {
data.data = rk_UNCONST("\x1e\x20\x00\x44\x00\x6f\x00\x6d"
data.length = 34;
ret = add_extension(context, tbsc, 0,
- oid_id_ms_cert_enroll_domaincontroller(),
+ &asn1_oid_id_ms_cert_enroll_domaincontroller,
&data);
if (ret)
goto out;
if (size != data.length)
_hx509_abort("internal ASN.1 encoder error");
ret = add_extension(context, tbsc, 1,
- oid_id_x509_ce_keyUsage(), &data);
+ &asn1_oid_id_x509_ce_keyUsage, &data);
free(data.data);
if (ret)
goto out;
/* add ExtendedKeyUsage */
if (tbs->eku.len > 0) {
- ASN1_MALLOC_ENCODE(ExtKeyUsage, data.data, data.length,
+ ASN1_MALLOC_ENCODE(ExtKeyUsage, data.data, data.length,
&tbs->eku, &size, ret);
if (ret) {
hx509_set_error_string(context, 0, ret, "Out of memory");
if (size != data.length)
_hx509_abort("internal ASN.1 encoder error");
ret = add_extension(context, tbsc, 0,
- oid_id_x509_ce_extKeyUsage(), &data);
+ &asn1_oid_id_x509_ce_extKeyUsage, &data);
free(data.data);
if (ret)
goto out;
/* add Subject Alternative Name */
if (tbs->san.len > 0) {
- ASN1_MALLOC_ENCODE(GeneralNames, data.data, data.length,
+ ASN1_MALLOC_ENCODE(GeneralNames, data.data, data.length,
&tbs->san, &size, ret);
if (ret) {
hx509_set_error_string(context, 0, ret, "Out of memory");
if (size != data.length)
_hx509_abort("internal ASN.1 encoder error");
ret = add_extension(context, tbsc, 0,
- oid_id_x509_ce_subjectAltName(),
+ &asn1_oid_id_x509_ce_subjectAltName,
&data);
free(data.data);
if (ret)
/* Add Authority Key Identifier */
if (ai) {
- ASN1_MALLOC_ENCODE(AuthorityKeyIdentifier, data.data, data.length,
+ ASN1_MALLOC_ENCODE(AuthorityKeyIdentifier, data.data, data.length,
ai, &size, ret);
if (ret) {
hx509_set_error_string(context, 0, ret, "Out of memory");
if (size != data.length)
_hx509_abort("internal ASN.1 encoder error");
ret = add_extension(context, tbsc, 0,
- oid_id_x509_ce_authorityKeyIdentifier(),
+ &asn1_oid_id_x509_ce_authorityKeyIdentifier,
&data);
free(data.data);
if (ret)
{
SHA_CTX m;
-
+
SHA1_Init(&m);
SHA1_Update(&m, tbs->spki.subjectPublicKey.data,
tbs->spki.subjectPublicKey.length / 8);
si.data = hash;
si.length = sizeof(hash);
- ASN1_MALLOC_ENCODE(SubjectKeyIdentifier, data.data, data.length,
+ ASN1_MALLOC_ENCODE(SubjectKeyIdentifier, data.data, data.length,
&si, &size, ret);
if (ret) {
hx509_set_error_string(context, 0, ret, "Out of memory");
if (size != data.length)
_hx509_abort("internal ASN.1 encoder error");
ret = add_extension(context, tbsc, 0,
- oid_id_x509_ce_subjectKeyIdentifier(),
+ &asn1_oid_id_x509_ce_subjectKeyIdentifier,
&data);
free(data.data);
if (ret)
goto out;
}
- /* Add BasicConstraints */
+ /* Add BasicConstraints */
{
BasicConstraints bc;
int aCA = 1;
- uint32_t path;
+ unsigned int path;
memset(&bc, 0, sizeof(bc));
}
}
- ASN1_MALLOC_ENCODE(BasicConstraints, data.data, data.length,
+ ASN1_MALLOC_ENCODE(BasicConstraints, data.data, data.length,
&bc, &size, ret);
if (ret) {
hx509_set_error_string(context, 0, ret, "Out of memory");
_hx509_abort("internal ASN.1 encoder error");
/* Critical if this is a CA */
ret = add_extension(context, tbsc, tbs->flags.ca,
- oid_id_x509_ce_basicConstraints(),
+ &asn1_oid_id_x509_ce_basicConstraints,
&data);
free(data.data);
if (ret)
memset(&info, 0, sizeof(info));
if (tbs->pathLenConstraint >= 0) {
- info.pCPathLenConstraint =
+ info.pCPathLenConstraint =
malloc(sizeof(*info.pCPathLenConstraint));
if (info.pCPathLenConstraint == NULL) {
ret = ENOMEM;
*info.pCPathLenConstraint = tbs->pathLenConstraint;
}
- ret = der_copy_oid(oid_id_pkix_ppl_inheritAll(),
+ ret = der_copy_oid(&asn1_oid_id_pkix_ppl_inheritAll,
&info.proxyPolicy.policyLanguage);
if (ret) {
free_ProxyCertInfo(&info);
goto out;
}
- ASN1_MALLOC_ENCODE(ProxyCertInfo, data.data, data.length,
+ ASN1_MALLOC_ENCODE(ProxyCertInfo, data.data, data.length,
&info, &size, ret);
free_ProxyCertInfo(&info);
if (ret) {
if (size != data.length)
_hx509_abort("internal ASN.1 encoder error");
ret = add_extension(context, tbsc, 0,
- oid_id_pkix_pe_proxyCertInfo(),
+ &asn1_oid_id_pkix_pe_proxyCertInfo,
&data);
free(data.data);
if (ret)
if (size != data.length)
_hx509_abort("internal ASN.1 encoder error");
ret = add_extension(context, tbsc, FALSE,
- oid_id_x509_ce_cRLDistributionPoints(),
+ &asn1_oid_id_x509_ce_cRLDistributionPoints,
&data);
free(data.data);
if (ret)
memset(&gns, 0, sizeof(gns));
memset(&name, 0, sizeof(name));
- ai->authorityCertIssuer =
+ ai->authorityCertIssuer =
calloc(1, sizeof(*ai->authorityCertIssuer));
if (ai->authorityCertIssuer == NULL) {
ret = ENOMEM;
hx509_set_error_string(context, 0, ret, "Out of memory");
goto out;
}
- ai->authorityCertSerialNumber =
+ ai->authorityCertSerialNumber =
calloc(1, sizeof(*ai->authorityCertSerialNumber));
if (ai->authorityCertSerialNumber == NULL) {
ret = ENOMEM;
goto out;
}
- /*
+ /*
* XXX unbreak when asn1 compiler handle IMPLICIT
*
* This is so horrible.
*/
ret = copy_Name(&certificate->tbsCertificate.subject, &name);
- if (ai->authorityCertSerialNumber == NULL) {
- ret = ENOMEM;
+ if (ret) {
hx509_set_error_string(context, 0, ret, "Out of memory");
goto out;
}
memset(&gn, 0, sizeof(gn));
gn.element = choice_GeneralName_directoryName;
- gn.u.directoryName.element =
+ gn.u.directoryName.element =
choice_GeneralName_directoryName_rdnSequence;
gn.u.directoryName.u.rdnSequence = name.u.rdnSequence;
/**
- * Sign a to-be-signed certificate object with a issuer certificate.
+ * Sign a to-be-signed certificate object with a issuer certificate.
*
* The caller needs to at least have called the following functions on the
* to-be-signed certificate object:
goto out;
ret = ca_sign(context,
- tbs,
+ tbs,
_hx509_cert_private_key(signer),
&ai,
&signer_cert->tbsCertificate.subject,
hx509_cert *certificate)
{
return ca_sign(context,
- tbs,
+ tbs,
signer,
NULL,
NULL,