libksba  1.6.0
About: KSBA is a library to make the tasks of working with X.509 certificates, CMS data and related objects more easy.
  Fossies Dox: libksba-1.6.0.tar.bz2  ("unofficial" and yet experimental doxygen-generated source code documentation)  

cert.c
Go to the documentation of this file.
1 /* cert.c - main function for the certificate handling
2  * Copyright (C) 2001, 2002, 2003, 2004, 2005, 2012 g10 Code GmbH
3  *
4  * This file is part of KSBA.
5  *
6  * KSBA is free software; you can redistribute it and/or modify
7  * it under the terms of either
8  *
9  * - the GNU Lesser General Public License as published by the Free
10  * Software Foundation; either version 3 of the License, or (at
11  * your option) any later version.
12  *
13  * or
14  *
15  * - the GNU General Public License as published by the Free
16  * Software Foundation; either version 2 of the License, or (at
17  * your option) any later version.
18  *
19  * or both in parallel, as here.
20  *
21  * KSBA is distributed in the hope that it will be useful, but WITHOUT
22  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
23  * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
24  * License for more details.
25  *
26  * You should have received a copies of the GNU General Public License
27  * and the GNU Lesser General Public License along with this program;
28  * if not, see <http://www.gnu.org/licenses/>.
29  */
30 
31 #include <config.h>
32 #include <stdio.h>
33 #include <stdlib.h>
34 #include <string.h>
35 #include <assert.h>
36 #include <errno.h>
37 
38 #include "util.h"
39 #include "ber-decoder.h"
40 #include "ber-help.h"
41 #include "convert.h"
42 #include "keyinfo.h"
43 #include "sexp-parse.h"
44 #include "cert.h"
45 
46 
47 static const char oidstr_subjectKeyIdentifier[] = "2.5.29.14";
48 static const char oidstr_keyUsage[] = "2.5.29.15";
49 static const char oidstr_subjectAltName[] = "2.5.29.17";
50 static const char oidstr_issuerAltName[] = "2.5.29.18";
51 static const char oidstr_basicConstraints[] = "2.5.29.19";
52 static const char oidstr_crlDistributionPoints[] = "2.5.29.31";
53 static const char oidstr_certificatePolicies[] = "2.5.29.32";
54 static const char oidstr_authorityKeyIdentifier[] = "2.5.29.35";
55 static const char oidstr_extKeyUsage[] = "2.5.29.37";
56 static const char oidstr_authorityInfoAccess[] = "1.3.6.1.5.5.7.1.1";
57 static const char oidstr_subjectInfoAccess[] = "1.3.6.1.5.5.7.1.11";
58 
59 
60 /**
61  * ksba_cert_new:
62  *
63  * Create a new and empty certificate object
64  *
65  * Return value: 0 on success or error code. For a successful
66  * operation, ACERT is set to the new certifixate obbject, otherwise
67  * it is set to NULL.
68  **/
69 gpg_error_t
71 {
72  *acert = xtrycalloc (1, sizeof **acert);
73  if (!*acert)
74  return gpg_error_from_errno (errno);
75  (*acert)->ref_count++;
76 
77  return 0;
78 }
79 
80 void
82 {
83  if (!cert)
84  fprintf (stderr, "BUG: ksba_cert_ref for NULL\n");
85  else
86  ++cert->ref_count;
87 }
88 
89 /**
90  * ksba_cert_release:
91  * @cert: A certificate object
92  *
93  * Release a certificate object.
94  **/
95 void
97 {
98  int i;
99 
100  if (!cert)
101  return;
102  if (cert->ref_count < 1)
103  {
104  fprintf (stderr, "BUG: trying to release an already released cert\n");
105  return;
106  }
107  if (--cert->ref_count)
108  return;
109 
110  if (cert->udata)
111  {
112  struct cert_user_data *ud = cert->udata;
113  cert->udata = NULL;
114  do
115  {
116  struct cert_user_data *ud2 = ud->next;
117  if (ud->data && ud->data != ud->databuf)
118  xfree (ud->data);
119  xfree (ud);
120  ud = ud2;
121  }
122  while (ud);
123  }
124 
125  xfree (cert->cache.digest_algo);
126  if (cert->cache.extns_valid)
127  {
128  for (i=0; i < cert->cache.n_extns; i++)
129  xfree (cert->cache.extns[i].oid);
130  xfree (cert->cache.extns);
131  }
132 
135 
136  xfree (cert->image);
137 
138  xfree (cert);
139 }
140 
141 
142 /* Store arbitrary data along with a certificate. The DATA of length
143  DATALEN will be stored under the string KEY. If some data is
144  already stored under this key it will be replaced by the new data.
145  Using NULL for DATA will effectivly delete the data.
146 
147  On error (i.e. out or memory) an already existing data object
148  stored under KEY may get deleted.
149 
150  This function is not thread safe because we don't employ any
151  locking. */
152 gpg_error_t
154  const char *key, const void *data, size_t datalen)
155 {
156  struct cert_user_data *ud;
157 
158  if (!cert || !key || !*key)
159  return gpg_error (GPG_ERR_INV_VALUE);
160 
161  for (ud=cert->udata; ud; ud = ud->next)
162  if (!strcmp (ud->key, key))
163  break;
164  if (ud) /* Update the data stored under this key or reuse this item. */
165  {
166  if (ud->data && ud->data != ud->databuf)
167  xfree (ud->data);
168  ud->data = NULL;
169  if (data && datalen <= sizeof ud->databuf)
170  {
171  memcpy (ud->databuf, data, datalen);
172  ud->data = ud->databuf;
173  ud->datalen = datalen;
174  }
175  else if (data)
176  {
177  ud->data = xtrymalloc (datalen);
178  if (!ud->data)
179  return gpg_error_from_errno (errno);
180  memcpy (ud->data, data, datalen);
181  ud->datalen = datalen;
182  }
183  }
184  else if (data) /* Insert as a new item. */
185  {
186  ud = xtrycalloc (1, sizeof *ud + strlen (key));
187  if (!ud)
188  return gpg_error_from_errno (errno);
189  strcpy (ud->key, key);
190  if (datalen <= sizeof ud->databuf)
191  {
192  memcpy (ud->databuf, data, datalen);
193  ud->data = ud->databuf;
194  ud->datalen = datalen;
195  }
196  else
197  {
198  ud->data = xtrymalloc (datalen);
199  if (!ud->data)
200  {
201  xfree (ud);
202  return gpg_error_from_errno (errno);
203  }
204  memcpy (ud->data, data, datalen);
205  ud->datalen = datalen;
206  }
207  ud->next = cert->udata;
208  cert->udata = ud;
209  }
210 
211  return 0;
212 }
213 
214 
215 
216 /* Return user data for certificate CERT stored under the string
217  KEY. The caller needs to provide a suitable large BUFFER and pass
218  the usable length of the buffer in BUFFERLEN. If DATALEN is not
219  NULL, the length of the data stored at BUFFER will be stored there.
220 
221  If BUFFER is NULL, BUFFERLEN will be ignored and the required
222  length of the buffer will be returned at DATALEN.
223 
224  On success 0 is returned. If no data is stored under KEY
225  GPG_ERR_NOT_FOUND is returned. If the provided buffer is too
226  short, GPG_ERR_BUFFER_TOO_SHORT will be returned (note, that this
227  is not the case if BUFFER is NULL).
228 */
229 gpg_error_t
231  void *buffer, size_t bufferlen, size_t *datalen)
232 {
233  struct cert_user_data *ud;
234 
235  if (!cert || !key || !*key)
236  return gpg_error (GPG_ERR_INV_VALUE);
237 
238  for (ud=cert->udata; ud; ud = ud->next)
239  if (!strcmp (ud->key, key))
240  break;
241  if (!ud || !ud->data)
242  return gpg_error (GPG_ERR_NOT_FOUND);
243  if (datalen)
244  *datalen = ud->datalen;
245  if (buffer)
246  {
247  if (ud->datalen > bufferlen)
248  return gpg_error (GPG_ERR_BUFFER_TOO_SHORT);
249  memcpy (buffer, ud->data, ud->datalen);
250  }
251  return 0;
252 }
253 
254 
255 /**
256  * ksba_cert_read_der:
257  * @cert: An unitialized certificate object
258  * @reader: A KSBA Reader object
259  *
260  * Read the next certificate from the reader and store it in the
261  * certificate object for future access. The certificate is parsed
262  * and rejected if it has any syntactical or semantical error
263  * (i.e. does not match the ASN.1 description).
264  *
265  * Return value: 0 on success or an error value
266  **/
267 gpg_error_t
269 {
270  gpg_error_t err = 0;
271  BerDecoder decoder = NULL;
272 
273  if (!cert || !reader)
274  return gpg_error (GPG_ERR_INV_VALUE);
275  if (cert->initialized)
276  return gpg_error (GPG_ERR_CONFLICT); /* Fixme: should remove the old one */
277 
280  cert->root = NULL;
281  cert->asn_tree = NULL;
282 
283  err = ksba_asn_create_tree ("tmttv2", &cert->asn_tree);
284  if (err)
285  goto leave;
286 
287  decoder = _ksba_ber_decoder_new ();
288  if (!decoder)
289  {
290  err = gpg_error (GPG_ERR_ENOMEM);
291  goto leave;
292  }
293 
294  err = _ksba_ber_decoder_set_reader (decoder, reader);
295  if (err)
296  goto leave;
297 
298  err = _ksba_ber_decoder_set_module (decoder, cert->asn_tree);
299  if (err)
300  goto leave;
301 
302  err = _ksba_ber_decoder_decode (decoder, "TMTTv2.Certificate", 0,
303  &cert->root, &cert->image, &cert->imagelen);
304  if (!err)
305  cert->initialized = 1;
306 
307  leave:
308  _ksba_ber_decoder_release (decoder);
309 
310  return err;
311 }
312 
313 
314 gpg_error_t
315 ksba_cert_init_from_mem (ksba_cert_t cert, const void *buffer, size_t length)
316 {
317  gpg_error_t err;
318  ksba_reader_t reader;
319 
320  err = ksba_reader_new (&reader);
321  if (err)
322  return err;
323  err = ksba_reader_set_mem (reader, buffer, length);
324  if (err)
325  {
326  ksba_reader_release (reader);
327  return err;
328  }
329  err = ksba_cert_read_der (cert, reader);
330  ksba_reader_release (reader);
331  return err;
332 }
333 
334 
335 
336 const unsigned char *
337 ksba_cert_get_image (ksba_cert_t cert, size_t *r_length )
338 {
339  AsnNode n;
340 
341  if (!cert)
342  return NULL;
343  if (!cert->initialized)
344  return NULL;
345 
346  n = _ksba_asn_find_node (cert->root, "Certificate");
347  if (!n)
348  return NULL;
349 
350  if (n->off == -1)
351  {
352 /* fputs ("ksba_cert_get_image problem at node:\n", stderr); */
353 /* _ksba_asn_node_dump_all (n, stderr); */
354  return NULL;
355  }
356 
357  /* Due to minor problems in our parser we might hit the assertion
358  below. Thus we better return a error, proper. */
359  if ( !(n->nhdr + n->len + n->off <= cert->imagelen) )
360  {
361  fprintf (stderr,"\nOops, ksba_cert_get_image failed: "
362  "imagelen=%lu hdr=%d len=%d off=%d\n",
363  (unsigned long)cert->imagelen, n->nhdr, (int)n->len, n->off);
364  return NULL;
365  }
366  /*assert (n->nhdr + n->len + n->off <= cert->imagelen);*/
367 
368  if (r_length)
369  *r_length = n->nhdr + n->len;
370  return cert->image + n->off;
371 }
372 
373 /* Check whether certificates A and B are identical and return o in
374  this case. */
375 int
377 {
378  const unsigned char *img_a, *img_b;
379  size_t len_a, len_b;
380 
381  img_a = ksba_cert_get_image (a, &len_a);
382  if (!img_a)
383  return 1;
384  img_b = ksba_cert_get_image (b, &len_b);
385  if (!img_b)
386  return 1;
387  return !(len_a == len_b && !memcmp (img_a, img_b, len_a));
388 }
389 
390 
391 
392 
393 gpg_error_t
394 ksba_cert_hash (ksba_cert_t cert, int what,
395  void (*hasher)(void *, const void *, size_t length),
396  void *hasher_arg)
397 {
398  AsnNode n;
399 
400  if (!cert /*|| !hasher*/)
401  return gpg_error (GPG_ERR_INV_VALUE);
402  if (!cert->initialized)
403  return gpg_error (GPG_ERR_NO_DATA);
404 
405  n = _ksba_asn_find_node (cert->root,
406  what == 1? "Certificate.tbsCertificate"
407  : "Certificate");
408  if (!n)
409  return gpg_error (GPG_ERR_NO_VALUE); /* oops - should be there */
410  if (n->off == -1)
411  {
412 /* fputs ("ksba_cert_hash problem at node:\n", stderr); */
413 /* _ksba_asn_node_dump_all (n, stderr); */
414  return gpg_error (GPG_ERR_NO_VALUE);
415  }
416 
417  hasher (hasher_arg, cert->image + n->off, n->nhdr + n->len);
418 
419 
420  return 0;
421 }
422 
423 
424 
425 /**
426  * ksba_cert_get_digest_algo:
427  * @cert: Initialized certificate object
428  *
429  * Figure out the digest algorithm used for the signature and return
430  * its OID. Note that in the case of rsaPSS the returned value is the
431  * OID of rsaPSS (1.2.840.113549.1.1.10) and not the hash algorithm to
432  * use. The hash algorithm needs to be extracted from the S-expression
433  * returned by ksba_cert_get_sig_val.
434  *
435  * This function is intended as a helper for the ksba_cert_hash().
436  *
437  * Return value: NULL for error otherwise a constant string with the OID.
438  * This string is valid as long the certificate object is valid.
439  **/
440 const char *
442 {
443  gpg_error_t err;
444  AsnNode n;
445  char *algo;
446  size_t nread;
447 
448  if (!cert)
449  return NULL; /* Ooops (can't set cert->last_error :-(). */
450 
451  if (!cert->initialized)
452  {
453  cert->last_error = gpg_error (GPG_ERR_NO_DATA);
454  return NULL;
455  }
456 
457  if (cert->cache.digest_algo)
458  return cert->cache.digest_algo;
459 
460 /* n = _ksba_asn_find_node (cert->root, */
461 /* "Certificate.signatureAlgorithm.algorithm"); */
462 /* algo = _ksba_oid_node_to_str (cert->image, n); */
463 /* if (!algo) */
464 /* cert->last_error = gpg_error (GPG_ERR_UNKNOWN_ALGORITHM); */
465 /* else */
466 /* cert->cache.digest_algo = algo; */
467 
468  n = _ksba_asn_find_node (cert->root, "Certificate.signatureAlgorithm");
469  if (!n || n->off == -1)
470  {
471  algo = NULL;
472  err = gpg_error (GPG_ERR_UNKNOWN_ALGORITHM);
473  }
474  else
475  err = _ksba_parse_algorithm_identifier (cert->image + n->off,
476  n->nhdr + n->len, &nread, &algo);
477  if (err)
478  cert->last_error = err;
479  else
480  cert->cache.digest_algo = algo;
481 
482  return algo;
483 }
484 
485 
486 
487 
488 /**
489  * ksba_cert_get_serial:
490  * @cert: certificate object
491  *
492  * This function returnes the serial number of the certificate. The
493  * serial number is an integer returned as an canonical encoded
494  * S-expression with just one element.
495  *
496  * Return value: An allocated S-Exp or NULL for no value.
497  **/
500 {
501  AsnNode n;
502  char *p;
503  char numbuf[22];
504  int numbuflen;
505 
506  if (!cert || !cert->initialized)
507  return NULL;
508 
509  n = _ksba_asn_find_node (cert->root,
510  "Certificate.tbsCertificate.serialNumber");
511  if (!n)
512  return NULL; /* oops - should be there */
513 
514  if (n->off == -1)
515  {
516 /* fputs ("get_serial problem at node:\n", stderr); */
517 /* _ksba_asn_node_dump_all (n, stderr); */
518  return NULL;
519  }
520 
521  sprintf (numbuf,"(%u:", (unsigned int)n->len);
522  numbuflen = strlen (numbuf);
523  p = xtrymalloc (numbuflen + n->len + 2);
524  if (!p)
525  return NULL;
526  strcpy (p, numbuf);
527  memcpy (p+numbuflen, cert->image + n->off + n->nhdr, n->len);
528  p[numbuflen + n->len] = ')';
529  p[numbuflen + n->len + 1] = 0;
530  return p;
531 }
532 
533 
534 /* Return a pointer to the DER encoding of the serial number in CERT in
535  PTR and the length of that field in LENGTH. */
536 gpg_error_t
538  unsigned char const **ptr, size_t *length)
539 {
540  asn_node_t n;
541 
542  if (!cert || !cert->initialized || !ptr || !length)
543  return gpg_error (GPG_ERR_INV_VALUE);
544  n = _ksba_asn_find_node (cert->root,
545  "Certificate.tbsCertificate.serialNumber");
546  if (!n || n->off == -1)
547  return gpg_error (GPG_ERR_NO_VALUE);
548 
549  *ptr = cert->image + n->off;
550  *length = n->nhdr + n->len;
551  return 0;
552 }
553 
554 
555 
556 /* Return a pointer to the DER encoding of the issuer's DN in CERT in
557  PTR and the length of that object in LENGTH. */
558 gpg_error_t
560  unsigned char const **ptr, size_t *length)
561 {
562  asn_node_t n;
563 
564  if (!cert || !cert->initialized || !ptr || !length)
565  return gpg_error (GPG_ERR_INV_VALUE);
566 
567  n = _ksba_asn_find_node (cert->root, "Certificate.tbsCertificate.issuer");
568  if (!n || !n->down)
569  return gpg_error (GPG_ERR_NO_VALUE); /* oops - should be there */
570  n = n->down; /* dereference the choice node */
571  if (n->off == -1)
572  return gpg_error (GPG_ERR_NO_VALUE);
573  *ptr = cert->image + n->off;
574  *length = n->nhdr + n->len;
575  return 0;
576 }
577 
578 
579 
580 /* Return a pointer to the DER encoding of the subject's DN in CERT in
581  PTR and the length of that object in LENGTH. */
582 gpg_error_t
584  unsigned char const **ptr, size_t *length)
585 {
586  asn_node_t n;
587 
588  if (!cert || !cert->initialized || !ptr || !length)
589  return gpg_error (GPG_ERR_INV_VALUE);
590 
591  n = _ksba_asn_find_node (cert->root, "Certificate.tbsCertificate.subject");
592  if (!n || !n->down)
593  return gpg_error (GPG_ERR_NO_VALUE); /* oops - should be there */
594  n = n->down; /* dereference the choice node */
595  if (n->off == -1)
596  return gpg_error (GPG_ERR_NO_VALUE);
597  *ptr = cert->image + n->off;
598  *length = n->nhdr + n->len;
599  return 0;
600 }
601 
602 
603 
604 /* Worker function for get_isssuer and get_subject. */
605 static gpg_error_t
606 get_name (ksba_cert_t cert, int idx, int use_subject, char **result)
607 {
608  gpg_error_t err;
609  char *p;
610  int i;
611  const char *oid;
612  struct tag_info ti;
613  const unsigned char *der;
614  size_t off, derlen, seqlen;
615 
616  if (!cert || !cert->initialized || !result)
617  return gpg_error (GPG_ERR_INV_VALUE);
618  if (idx < 0)
619  return gpg_error (GPG_ERR_INV_INDEX);
620 
621  *result = NULL;
622  if (!idx)
623  { /* Get the required DN */
624  AsnNode n;
625 
626  n = _ksba_asn_find_node (cert->root,
627  (use_subject?
628  "Certificate.tbsCertificate.subject":
629  "Certificate.tbsCertificate.issuer") );
630  if (!n || !n->down)
631  return gpg_error (GPG_ERR_NO_VALUE); /* oops - should be there */
632  n = n->down; /* dereference the choice node */
633  if (n->off == -1)
634  return gpg_error (GPG_ERR_NO_VALUE);
635 
636  err = _ksba_dn_to_str (cert->image, n, &p);
637  if (err)
638  return err;
639  *result = p;
640  return 0;
641  }
642 
643  /* get {issuer,subject}AltName */
644  for (i=0; !(err=ksba_cert_get_extension (cert, i, &oid, NULL,
645  &off, &derlen)); i++)
646  {
647  if (!strcmp (oid, (use_subject?
649  break;
650  }
651  if (err)
652  return err; /* no alt name or error*/
653 
654  der = cert->image + off;
655 
656 
657  /* FIXME: We should use _ksba_name_new_from_der and ksba_name_enum here */
658 
659  err = _ksba_ber_parse_tl (&der, &derlen, &ti);
660  if (err)
661  return err;
662  if ( !(ti.class == CLASS_UNIVERSAL && ti.tag == TYPE_SEQUENCE
663  && ti.is_constructed) )
664  return gpg_error (GPG_ERR_INV_CERT_OBJ);
665  if (ti.ndef)
666  return gpg_error (GPG_ERR_NOT_DER_ENCODED);
667  seqlen = ti.length;
668  if (seqlen > derlen)
669  return gpg_error (GPG_ERR_BAD_BER);
670  if (!seqlen)
671  return gpg_error (GPG_ERR_INV_CERT_OBJ); /* empty sequence is not allowed */
672 
673  while (seqlen)
674  {
675  err = _ksba_ber_parse_tl (&der, &derlen, &ti);
676  if (err)
677  return err;
678  if (ti.class != CLASS_CONTEXT)
679  return gpg_error (GPG_ERR_INV_CERT_OBJ); /* we expected a tag */
680  if (ti.ndef)
681  return gpg_error (GPG_ERR_NOT_DER_ENCODED);
682  if (seqlen < ti.nhdr)
683  return gpg_error (GPG_ERR_BAD_BER);
684  seqlen -= ti.nhdr;
685  if (seqlen < ti.length)
686  return gpg_error (GPG_ERR_BAD_BER);
687  seqlen -= ti.length;
688  if (derlen < ti.length)
689  return gpg_error (GPG_ERR_BAD_BER);
690  if (!(ti.tag == 1 || ti.tag == 2 || ti.tag == 6))
691  ; /* Not a supported tag: Do not change IDX. */
692  else if (--idx)
693  ; /* not yet at the desired index */
694  else if (ti.tag == 1)
695  { /* rfc822Name - this is an implicit IA5_STRING */
696  p = xtrymalloc (ti.length+3);
697  if (!p)
698  return gpg_error (GPG_ERR_ENOMEM);
699  *p = '<';
700  memcpy (p+1, der, ti.length);
701  p[ti.length+1] = '>';
702  p[ti.length+2] = 0;
703  *result = p;
704  return 0;
705  }
706  else if (ti.tag == 2 || ti.tag == 6)
707  { /* dNSName or URI - this are implicit IA5_STRINGs */
708  char numbuf[20], *numbufp;
709  size_t numbuflen;
710 
711  numbufp = smklen (numbuf, DIM(numbuf), ti.length, &numbuflen);
712  p = xtrymalloc (11 + numbuflen + ti.length + 3);
713  if (!p)
714  return gpg_error (GPG_ERR_ENOMEM);
715  *result = p;
716  p = stpcpy (p, ti.tag == 2? "(8:dns-name" : "(3:uri");
717  p = stpcpy (p, numbufp);
718  memcpy (p, der, ti.length);
719  p += ti.length;
720  *p++ = ')';
721  *p = 0;
722  return 0;
723  }
724 
725  /* advance pointer */
726  der += ti.length;
727  derlen -= ti.length;
728  }
729 
730  return gpg_error (GPG_ERR_EOF);
731 }
732 
733 
734 
735 /**
736  * ksba_cert_get_issuer:
737  * @cert: certificate object
738  *
739  * With @idx == 0 this function returns the Distinguished Name (DN) of
740  * the certificate issuer which in most cases is a CA. The format of
741  * the returned string is in accordance with RFC-2253. NULL is
742  * returned if the DN is not available which is an error and should
743  * have been catched by the certificate reading function.
744  *
745  * With @idx > 0 the function may be used to enumerate alternate
746  * issuer names. The function returns NULL if there are no more
747  * alternate names. The function does only return alternate names
748  * which are recognized by libksba and ignores others. The format of
749  * the returned name is either a RFC-2253 formated one which can be
750  * detected by checking whether the first character is letter or
751  * digit. rfc-2822 conform email addresses are returned enclosed in
752  * angle brackets, the opening angle bracket should be used to
753  * indicate this. Other formats are returned as an S-Expression in
754  * canonical format, so a opening parenthesis may be used to detect
755  * this encoding, the name may include binary null characters, so
756  * strlen may return a length shorther than actually used, the real
757  * length is implictly given by the structure of the S-Exp, an extra
758  * null is appended for safety reasons.
759  *
760  * The caller must free the returned string using ksba_free() or the
761  * function he has registered as a replacement.
762  *
763  * Return value: An allocated string or NULL for error.
764  **/
765 char *
767 {
768  gpg_error_t err;
769  char *name;
770 
771  err = get_name (cert, idx, 0, &name);
772  if (err)
773  {
774  cert->last_error = err;
775  return NULL;
776  }
777  return name;
778 }
779 
780 /* See ..get_issuer */
781 char *
783 {
784  gpg_error_t err;
785  char *name;
786 
787  err = get_name (cert, idx, 1, &name);
788  if (err)
789  {
790  cert->last_error = err;
791  return NULL;
792  }
793  return name;
794 }
795 
796 
797 
798 /**
799  * ksba_cert_get_valididy:
800  * @cert: certificate object
801  * @what: 0 for notBefore, 1 for notAfter
802  * @timebuf: Returns the time.
803  *
804  * Return the validity object from the certificate. If no value is
805  * available 0 is returned because we can safely assume that this is
806  * not a valid date.
807  *
808  * Return value: The time value an 0 or an error code.
809  **/
810 gpg_error_t
812 {
813  AsnNode n, n2;
814 
815  if (!cert || what < 0 || what > 1)
816  return gpg_error (GPG_ERR_INV_VALUE);
817  *timebuf = 0;
818  if (!cert->initialized)
819  return gpg_error (GPG_ERR_NO_DATA);
820 
821  n = _ksba_asn_find_node (cert->root,
822  what == 0? "Certificate.tbsCertificate.validity.notBefore"
823  : "Certificate.tbsCertificate.validity.notAfter");
824  if (!n)
825  return 0; /* no value available */
826 
827  /* Fixme: We should remove the choice node and don't use this ugly hack */
828  for (n2=n->down; n2; n2 = n2->right)
829  {
830  if ((n2->type == TYPE_UTC_TIME || n2->type == TYPE_GENERALIZED_TIME)
831  && n2->off != -1)
832  break;
833  }
834  n = n2;
835  if (!n)
836  return 0; /* no value available */
837 
839 
840  return _ksba_asntime_to_iso (cert->image + n->off + n->nhdr, n->len,
841  n->type == TYPE_UTC_TIME, timebuf);
842 }
843 
844 
845 
848 {
849  AsnNode n;
850  gpg_error_t err;
851  ksba_sexp_t string;
852 
853  if (!cert)
854  return NULL;
855  if (!cert->initialized)
856  return NULL;
857 
858  n = _ksba_asn_find_node (cert->root,
859  "Certificate"
860  ".tbsCertificate.subjectPublicKeyInfo");
861  if (!n)
862  {
863  cert->last_error = gpg_error (GPG_ERR_NO_VALUE);
864  return NULL;
865  }
866 
867  err = _ksba_keyinfo_to_sexp (cert->image + n->off, n->nhdr + n->len,
868  &string);
869  if (err)
870  {
871  cert->last_error = err;
872  return NULL;
873  }
874 
875  return string;
876 }
877 
878 /* Return a pointer to the DER encoding of the actual public key
879  (i.e. the bit string) in PTR and the length of that object in
880  LENGTH. */
881 gpg_error_t
883  unsigned char const **ptr, size_t *length)
884 {
885  asn_node_t n;
886 
887  if (!cert || !cert->initialized || !ptr || !length)
888  return gpg_error (GPG_ERR_INV_VALUE);
889 
890  n = _ksba_asn_find_node (cert->root,
891  "Certificate.tbsCertificate.subjectPublicKeyInfo");
892  if (!n || !n->down || !n->down->right)
893  return gpg_error (GPG_ERR_NO_VALUE); /* oops - should be there */
894  n = n->down->right;
895  if (n->off == -1)
896  return gpg_error (GPG_ERR_NO_VALUE);
897  *ptr = cert->image + n->off + n->nhdr;
898  *length = n->len;
899  /* Somehow we end up at the preceding NULL value, and not at a
900  sequence, we hack it way here. */
901  if (*length && !**ptr)
902  {
903  (*length)--;
904  (*ptr)++;
905  }
906 
907  return 0;
908 }
909 
910 
911 
914 {
915  AsnNode n, n2;
916  gpg_error_t err;
917  ksba_sexp_t string;
918 
919  if (!cert)
920  return NULL;
921  if (!cert->initialized)
922  return NULL;
923 
924  n = _ksba_asn_find_node (cert->root,
925  "Certificate.signatureAlgorithm");
926  if (!n)
927  {
928  cert->last_error = gpg_error (GPG_ERR_NO_VALUE);
929  return NULL;
930  }
931  if (n->off == -1)
932  {
933 /* fputs ("ksba_cert_get_sig_val problem at node:\n", stderr); */
934 /* _ksba_asn_node_dump_all (n, stderr); */
935  cert->last_error = gpg_error (GPG_ERR_NO_VALUE);
936  return NULL;
937  }
938 
939  n2 = n->right;
940  err = _ksba_sigval_to_sexp (cert->image + n->off,
941  n->nhdr + n->len
942  + ((!n2||n2->off == -1)? 0:(n2->nhdr+n2->len)),
943  &string);
944  if (err)
945  {
946  cert->last_error = err;
947  return NULL;
948  }
949 
950  return string;
951 }
952 
953 ␌
954 /* Read all extensions into the cache */
955 static gpg_error_t
957 {
958  AsnNode start, n;
959  int count;
960 
961  assert (!cert->cache.extns_valid);
962  assert (!cert->cache.extns);
963 
964  start = _ksba_asn_find_node (cert->root,
965  "Certificate.tbsCertificate.extensions..");
966  for (count=0, n=start; n; n = n->right)
967  count++;
968  if (!count)
969  {
970  cert->cache.n_extns = 0;
971  cert->cache.extns_valid = 1;
972  return 0; /* no extensions at all */
973  }
974  cert->cache.extns = xtrycalloc (count, sizeof *cert->cache.extns);
975  if (!cert->cache.extns)
976  return gpg_error (GPG_ERR_ENOMEM);
977  cert->cache.n_extns = count;
978 
979  {
980  for (count=0; start; start = start->right, count++)
981  {
982  n = start->down;
983  if (!n || n->type != TYPE_OBJECT_ID)
984  goto no_value;
985 
986  cert->cache.extns[count].oid = _ksba_oid_node_to_str (cert->image, n);
987  if (!cert->cache.extns[count].oid)
988  goto no_value;
989 
990  n = n->right;
991  if (n && n->type == TYPE_BOOLEAN)
992  {
993  if (n->off != -1 && n->len && cert->image[n->off + n->nhdr])
994  cert->cache.extns[count].crit = 1;
995  n = n->right;
996  }
997 
998  if (!n || n->type != TYPE_OCTET_STRING || n->off == -1)
999  goto no_value;
1000 
1001  cert->cache.extns[count].off = n->off + n->nhdr;
1002  cert->cache.extns[count].len = n->len;
1003  }
1004 
1005  assert (count == cert->cache.n_extns);
1006  cert->cache.extns_valid = 1;
1007  return 0;
1008 
1009  no_value:
1010  for (count=0; count < cert->cache.n_extns; count++)
1011  xfree (cert->cache.extns[count].oid);
1012  xfree (cert->cache.extns);
1013  cert->cache.extns = NULL;
1014  return gpg_error (GPG_ERR_NO_VALUE);
1015  }
1016 }
1017 
1018 
1019 /* Return information about the IDX nth extension */
1020 gpg_error_t
1022  char const **r_oid, int *r_crit,
1023  size_t *r_deroff, size_t *r_derlen)
1024 {
1025  gpg_error_t err;
1026 
1027  if (!cert)
1028  return gpg_error (GPG_ERR_INV_VALUE);
1029  if (!cert->initialized)
1030  return gpg_error (GPG_ERR_NO_DATA);
1031 
1032  if (!cert->cache.extns_valid)
1033  {
1034  err = read_extensions (cert);
1035  if (err)
1036  return err;
1037  assert (cert->cache.extns_valid);
1038  }
1039 
1040  if (idx == cert->cache.n_extns)
1041  return gpg_error (GPG_ERR_EOF); /* No more extensions. */
1042 
1043  if (idx < 0 || idx >= cert->cache.n_extns)
1044  return gpg_error (GPG_ERR_INV_INDEX);
1045 
1046  if (r_oid)
1047  *r_oid = cert->cache.extns[idx].oid;
1048  if (r_crit)
1049  *r_crit = cert->cache.extns[idx].crit;
1050  if (r_deroff)
1051  *r_deroff = cert->cache.extns[idx].off;
1052  if (r_derlen)
1053  *r_derlen = cert->cache.extns[idx].len;
1054  return 0;
1055 }
1056 
1057 
1058 ␌
1059 /* Return information on the basicConstraint (2.5.19.19) of CERT.
1060  R_CA receives true if this is a CA and only in that case R_PATHLEN
1061  is set to the maximim certification path length or -1 if there is
1062  nosuch limitation */
1063 gpg_error_t
1064 ksba_cert_is_ca (ksba_cert_t cert, int *r_ca, int *r_pathlen)
1065 {
1066  gpg_error_t err;
1067  const char *oid;
1068  int idx, crit;
1069  size_t off, derlen, seqlen;
1070  const unsigned char *der;
1071  struct tag_info ti;
1072  unsigned long value;
1073 
1074  /* set default values */
1075  if (r_ca)
1076  *r_ca = 0;
1077  if (r_pathlen)
1078  *r_pathlen = -1;
1079  for (idx=0; !(err=ksba_cert_get_extension (cert, idx, &oid, &crit,
1080  &off, &derlen)); idx++)
1081  {
1082  if (!strcmp (oid, oidstr_basicConstraints))
1083  break;
1084  }
1085  if (gpg_err_code (err) == GPG_ERR_EOF)
1086  return 0; /* no such constraint */
1087  if (err)
1088  return err;
1089 
1090  /* check that there is only one */
1091  for (idx++; !(err=ksba_cert_get_extension (cert, idx, &oid, NULL,
1092  NULL, NULL)); idx++)
1093  {
1094  if (!strcmp (oid, oidstr_basicConstraints))
1095  return gpg_error (GPG_ERR_DUP_VALUE);
1096  }
1097 
1098  der = cert->image + off;
1099 
1100  err = _ksba_ber_parse_tl (&der, &derlen, &ti);
1101  if (err)
1102  return err;
1103  if ( !(ti.class == CLASS_UNIVERSAL && ti.tag == TYPE_SEQUENCE
1104  && ti.is_constructed) )
1105  return gpg_error (GPG_ERR_INV_CERT_OBJ);
1106  if (ti.ndef)
1107  return gpg_error (GPG_ERR_NOT_DER_ENCODED);
1108  seqlen = ti.length;
1109  if (seqlen > derlen)
1110  return gpg_error (GPG_ERR_BAD_BER);
1111  if (!seqlen)
1112  return 0; /* an empty sequence is allowed because both elements
1113  are optional */
1114 
1115  err = _ksba_ber_parse_tl (&der, &derlen, &ti);
1116  if (err)
1117  return err;
1118  if (seqlen < ti.nhdr)
1119  return gpg_error (GPG_ERR_BAD_BER);
1120  seqlen -= ti.nhdr;
1121  if (seqlen < ti.length)
1122  return gpg_error (GPG_ERR_BAD_BER);
1123  seqlen -= ti.length;
1124 
1125  if (ti.class == CLASS_UNIVERSAL && ti.tag == TYPE_BOOLEAN)
1126  {
1127  if (ti.length != 1)
1128  return gpg_error (GPG_ERR_ENCODING_PROBLEM);
1129  if (r_ca)
1130  *r_ca = !!*der;
1131  der++; derlen--;
1132  if (!seqlen)
1133  return 0; /* ready (no pathlength) */
1134 
1135  err = _ksba_ber_parse_tl (&der, &derlen, &ti);
1136  if (err)
1137  return err;
1138  if (seqlen < ti.nhdr)
1139  return gpg_error (GPG_ERR_BAD_BER);
1140  seqlen -= ti.nhdr;
1141  if (seqlen < ti.length)
1142  return gpg_error (GPG_ERR_BAD_BER);
1143  seqlen -= ti.length;
1144  }
1145 
1146  if (!(ti.class == CLASS_UNIVERSAL && ti.tag == TYPE_INTEGER))
1147  return gpg_error (GPG_ERR_INV_CERT_OBJ);
1148 
1149  for (value=0; ti.length; ti.length--)
1150  {
1151  value <<= 8;
1152  value |= (*der++) & 0xff;
1153  derlen--;
1154  }
1155  if (r_pathlen)
1156  *r_pathlen = value;
1157 
1158  /* if the extension is marked as critical and any stuff is still
1159  left we better return an error */
1160  if (crit && seqlen)
1161  return gpg_error (GPG_ERR_INV_CERT_OBJ);
1162 
1163  return 0;
1164 }
1165 
1166 
1167 ␌
1168 /* Get the key usage flags. The function returns Ksba_No_Data if no
1169  key usage is specified. */
1170 gpg_error_t
1171 ksba_cert_get_key_usage (ksba_cert_t cert, unsigned int *r_flags)
1172 {
1173  gpg_error_t err;
1174  const char *oid;
1175  int idx, crit;
1176  size_t off, derlen;
1177  const unsigned char *der;
1178  struct tag_info ti;
1179  unsigned int bits, mask;
1180  int i, unused, full;
1181 
1182  if (!r_flags)
1183  return gpg_error (GPG_ERR_INV_VALUE);
1184  *r_flags = 0;
1185  for (idx=0; !(err=ksba_cert_get_extension (cert, idx, &oid, &crit,
1186  &off, &derlen)); idx++)
1187  {
1188  if (!strcmp (oid, oidstr_keyUsage))
1189  break;
1190  }
1191  if (gpg_err_code (err) == GPG_ERR_EOF
1192  || gpg_err_code (err) == GPG_ERR_NO_VALUE)
1193  return gpg_error (GPG_ERR_NO_DATA); /* no key usage */
1194  if (err)
1195  return err;
1196 
1197  /* check that there is only one */
1198  for (idx++; !(err=ksba_cert_get_extension (cert, idx, &oid, NULL,
1199  NULL, NULL)); idx++)
1200  {
1201  if (!strcmp (oid, oidstr_keyUsage))
1202  return gpg_error (GPG_ERR_DUP_VALUE);
1203  }
1204 
1205  der = cert->image + off;
1206 
1207  err = _ksba_ber_parse_tl (&der, &derlen, &ti);
1208  if (err)
1209  return err;
1210  if ( !(ti.class == CLASS_UNIVERSAL && ti.tag == TYPE_BIT_STRING
1211  && !ti.is_constructed) )
1212  return gpg_error (GPG_ERR_INV_CERT_OBJ);
1213  if (ti.ndef)
1214  return gpg_error (GPG_ERR_NOT_DER_ENCODED);
1215  if (!ti.length || ti.length > derlen)
1216  return gpg_error (GPG_ERR_ENCODING_PROBLEM); /* number of unused bits missing */
1217  unused = *der++; derlen--;
1218  ti.length--;
1219  if ((!ti.length && unused) || unused/8 > ti.length)
1220  return gpg_error (GPG_ERR_ENCODING_PROBLEM);
1221 
1222  full = ti.length - (unused+7)/8;
1223  unused %= 8;
1224  mask = 0;
1225  for (i=1; unused; i <<= 1, unused--)
1226  mask |= i;
1227 
1228  /* the first octet */
1229  if (!ti.length)
1230  return 0; /* no bits set */
1231  bits = *der++; derlen--; ti.length--;
1232  if (full)
1233  full--;
1234  else {
1235  bits &= ~~mask;
1236  mask = 0;
1237  }
1238  if (bits & 0x80)
1239  *r_flags |= KSBA_KEYUSAGE_DIGITAL_SIGNATURE;
1240  if (bits & 0x40)
1241  *r_flags |= KSBA_KEYUSAGE_NON_REPUDIATION;
1242  if (bits & 0x20)
1243  *r_flags |= KSBA_KEYUSAGE_KEY_ENCIPHERMENT;
1244  if (bits & 0x10)
1245  *r_flags |= KSBA_KEYUSAGE_DATA_ENCIPHERMENT;
1246  if (bits & 0x08)
1247  *r_flags |= KSBA_KEYUSAGE_KEY_AGREEMENT;
1248  if (bits & 0x04)
1249  *r_flags |= KSBA_KEYUSAGE_KEY_CERT_SIGN;
1250  if (bits & 0x02)
1251  *r_flags |= KSBA_KEYUSAGE_CRL_SIGN;
1252  if (bits & 0x01)
1253  *r_flags |= KSBA_KEYUSAGE_ENCIPHER_ONLY;
1254 
1255  /* the second octet */
1256  if (!ti.length)
1257  return 0; /* no bits set */
1258  bits = *der++; derlen--; ti.length--;
1259  if (full)
1260  full--;
1261  else {
1262  bits &= mask;
1263  mask = ~0;
1264  }
1265  if (bits & 0x80)
1266  *r_flags |= KSBA_KEYUSAGE_DECIPHER_ONLY;
1267 
1268  return 0;
1269 }
1270 
1271 
1272 ␌
1273 /* Note, that this helper is also used for ext_key_usage. */
1274 static gpg_error_t
1275 append_cert_policy (char **policies, const char *oid, int crit)
1276 {
1277  char *p;
1278 
1279  if (!*policies)
1280  {
1281  *policies = xtrymalloc (strlen (oid) + 4);
1282  if (!*policies)
1283  return gpg_error (GPG_ERR_ENOMEM);
1284  p = *policies;
1285  }
1286  else
1287  {
1288  char *tmp = xtryrealloc (*policies,
1289  strlen(*policies) + 1 + strlen (oid) + 4);
1290  if (!tmp)
1291  return gpg_error (GPG_ERR_ENOMEM);
1292  *policies = tmp;
1293  p = stpcpy (tmp+strlen (tmp), "\n");;
1294  }
1295 
1296  strcpy (stpcpy (p, oid), crit? ":C:": ":N:");
1297  return 0;
1298 }
1299 
1300 
1301 /* Return a string with the certificatePolicies delimited by
1302  linefeeds. The return values may be extended to carry more
1303  information er line, so the caller should only use the first
1304  white-space delimited token per line. The function returns
1305  GPG_ERR_NO_DATA when this extension is not used. Caller must free
1306  the returned value. */
1307 gpg_error_t
1308 ksba_cert_get_cert_policies (ksba_cert_t cert, char **r_policies)
1309 {
1310  gpg_error_t err;
1311  const char *oid;
1312  int idx, crit;
1313  size_t off, derlen, seqlen;
1314  const unsigned char *der;
1315  struct tag_info ti;
1316 
1317  if (!cert || !r_policies)
1318  return gpg_error (GPG_ERR_INV_VALUE);
1319  *r_policies = NULL;
1320 
1321  for (idx=0; !(err=ksba_cert_get_extension (cert, idx, &oid, &crit,
1322  &off, &derlen)); idx++)
1323  {
1324  if (!strcmp (oid, oidstr_certificatePolicies))
1325  {
1326  char *suboid;
1327 
1328  der = cert->image + off;
1329 
1330  err = _ksba_ber_parse_tl (&der, &derlen, &ti);
1331  if (err)
1332  goto leave;
1333  if ( !(ti.class == CLASS_UNIVERSAL && ti.tag == TYPE_SEQUENCE
1334  && ti.is_constructed) )
1335  {
1336  err = gpg_error (GPG_ERR_INV_CERT_OBJ);
1337  goto leave;
1338  }
1339  if (ti.ndef)
1340  {
1341  err = gpg_error (GPG_ERR_NOT_DER_ENCODED);
1342  goto leave;
1343  }
1344  seqlen = ti.length;
1345  if (seqlen > derlen)
1346  {
1347  err = gpg_error (GPG_ERR_BAD_BER);
1348  goto leave;
1349  }
1350  while (seqlen)
1351  {
1352  size_t seqseqlen;
1353 
1354  err = _ksba_ber_parse_tl (&der, &derlen, &ti);
1355  if (err)
1356  goto leave;
1357  if ( !(ti.class == CLASS_UNIVERSAL && ti.tag == TYPE_SEQUENCE
1358  && ti.is_constructed) )
1359  {
1360  err = gpg_error (GPG_ERR_INV_CERT_OBJ);
1361  goto leave;
1362  }
1363  if (ti.ndef)
1364  {
1365  err = gpg_error (GPG_ERR_NOT_DER_ENCODED);
1366  goto leave;
1367  }
1368  if (ti.length > derlen)
1369  {
1370  err = gpg_error (GPG_ERR_BAD_BER);
1371  goto leave;
1372  }
1373  if (!ti.length)
1374  {
1375  /* We do not accept an empty inner SEQ */
1376  err = gpg_error (GPG_ERR_INV_CERT_OBJ);
1377  goto leave;
1378  }
1379  if (ti.nhdr+ti.length > seqlen)
1380  {
1381  err = gpg_error (GPG_ERR_BAD_BER);
1382  goto leave;
1383  }
1384  seqlen -= ti.nhdr + ti.length;
1385  seqseqlen = ti.length;
1386 
1387  err = _ksba_ber_parse_tl (&der, &derlen, &ti);
1388  if (err)
1389  goto leave;
1390  if ( !(ti.class == CLASS_UNIVERSAL && ti.tag == TYPE_OBJECT_ID))
1391  {
1392  err = gpg_error (GPG_ERR_INV_CERT_OBJ);
1393  goto leave;
1394  }
1395  if (ti.length > derlen)
1396  {
1397  err = gpg_error (GPG_ERR_BAD_BER);
1398  goto leave;
1399  }
1400  if (ti.nhdr+ti.length > seqseqlen)
1401  {
1402  err = gpg_error (GPG_ERR_BAD_BER);
1403  goto leave;
1404  }
1405  seqseqlen -= ti.nhdr;
1406 
1407  suboid = ksba_oid_to_str (der, ti.length);
1408  if (!suboid)
1409  {
1410  err = gpg_error (GPG_ERR_ENOMEM);
1411  goto leave;
1412  }
1413  der += ti.length;
1414  derlen -= ti.length;
1415  seqseqlen -= ti.length;
1416 
1417  err = append_cert_policy (r_policies, suboid, crit);
1418  xfree (suboid);
1419  if (err)
1420  goto leave;
1421 
1422  /* skip the rest of the seq which is more or less optional */
1423  der += seqseqlen;
1424  derlen -= seqseqlen;
1425  }
1426  }
1427  }
1428 
1429  if (gpg_err_code (err) == GPG_ERR_EOF)
1430  err = 0;
1431  if (!*r_policies || gpg_err_code (err) == GPG_ERR_NO_VALUE)
1432  err = gpg_error (GPG_ERR_NO_DATA);
1433 
1434  leave:
1435  if (err)
1436  {
1437  xfree (*r_policies);
1438  *r_policies = NULL;
1439  }
1440  return err;
1441 }
1442 
1443 
1444 /* Return a string with the extendedKeyUsageOIDs delimited by
1445  linefeeds. The return values may be extended to carry more
1446  information per line, so the caller should only use the first
1447  white-space delimited token per line. The function returns
1448  GPG_ERR_NO_DATA when this extension is not used. Caller must free
1449  the returned value. */
1450 gpg_error_t
1452 {
1453  gpg_error_t err;
1454  const char *oid;
1455  int idx, crit;
1456  size_t off, derlen;
1457  const unsigned char *der;
1458  struct tag_info ti;
1459 
1460  if (!cert || !result)
1461  return gpg_error (GPG_ERR_INV_VALUE);
1462  *result = NULL;
1463 
1464  for (idx=0; !(err=ksba_cert_get_extension (cert, idx, &oid, &crit,
1465  &off, &derlen)); idx++)
1466  {
1467  if (!strcmp (oid, oidstr_extKeyUsage))
1468  {
1469  char *suboid;
1470 
1471  der = cert->image + off;
1472 
1473  err = _ksba_ber_parse_tl (&der, &derlen, &ti);
1474  if (err)
1475  goto leave;
1476  if ( !(ti.class == CLASS_UNIVERSAL && ti.tag == TYPE_SEQUENCE
1477  && ti.is_constructed) )
1478  {
1479  err = gpg_error (GPG_ERR_INV_CERT_OBJ);
1480  goto leave;
1481  }
1482  if (ti.ndef)
1483  {
1484  err = gpg_error (GPG_ERR_NOT_DER_ENCODED);
1485  goto leave;
1486  }
1487  if (ti.length > derlen)
1488  {
1489  err = gpg_error (GPG_ERR_BAD_BER);
1490  goto leave;
1491  }
1492  while (derlen)
1493  {
1494  err = _ksba_ber_parse_tl (&der, &derlen, &ti);
1495  if (err)
1496  goto leave;
1497  if ( !(ti.class == CLASS_UNIVERSAL && ti.tag == TYPE_OBJECT_ID))
1498  {
1499  err = gpg_error (GPG_ERR_INV_CERT_OBJ);
1500  goto leave;
1501  }
1502  if (ti.ndef)
1503  {
1504  err = gpg_error (GPG_ERR_NOT_DER_ENCODED);
1505  goto leave;
1506  }
1507  if (ti.length > derlen)
1508  {
1509  err = gpg_error (GPG_ERR_BAD_BER);
1510  goto leave;
1511  }
1512 
1513  suboid = ksba_oid_to_str (der, ti.length);
1514  if (!suboid)
1515  {
1516  err = gpg_error (GPG_ERR_ENOMEM);
1517  goto leave;
1518  }
1519  der += ti.length;
1520  derlen -= ti.length;
1521 
1522  err = append_cert_policy (result, suboid, crit);
1523  xfree (suboid);
1524  if (err)
1525  goto leave;
1526  }
1527  }
1528  }
1529 
1530  if (gpg_err_code (err) == GPG_ERR_EOF)
1531  err = 0;
1532  if (!*result || gpg_err_code (err) == GPG_ERR_NO_VALUE)
1533  err = gpg_error (GPG_ERR_NO_DATA);
1534 
1535  leave:
1536  if (err)
1537  {
1538  xfree (*result);
1539  *result = NULL;
1540  }
1541  return err;
1542 }
1543 
1544 
1545 
1546 ␌
1547 /* Helper function for ksba_cert_get_crl_dist_point */
1548 static gpg_error_t
1549 parse_distribution_point (const unsigned char *der, size_t derlen,
1550  ksba_name_t *distpoint, ksba_name_t *issuer,
1551  ksba_crl_reason_t *reason)
1552 {
1553  gpg_error_t err;
1554  struct tag_info ti;
1555 
1556  err = _ksba_ber_parse_tl (&der, &derlen, &ti);
1557  if (err)
1558  return err;
1559  if (ti.class != CLASS_CONTEXT)
1560  return gpg_error (GPG_ERR_INV_CERT_OBJ); /* we expected a tag */
1561  if (ti.ndef)
1562  return gpg_error (GPG_ERR_NOT_DER_ENCODED);
1563  if (derlen < ti.length)
1564  return gpg_error (GPG_ERR_BAD_BER);
1565 
1566  if (ti.tag == 0 && derlen)
1567  { /* distributionPointName */
1568  err = _ksba_ber_parse_tl (&der, &derlen, &ti);
1569  if (err)
1570  return err;
1571  if (ti.class != CLASS_CONTEXT)
1572  return gpg_error (GPG_ERR_INV_CERT_OBJ); /* we expected a tag */
1573  if (ti.ndef)
1574  return gpg_error (GPG_ERR_NOT_DER_ENCODED);
1575  if (derlen < ti.nhdr)
1576  return gpg_error (GPG_ERR_BAD_BER);
1577  if (derlen < ti.length)
1578  return gpg_error (GPG_ERR_BAD_BER);
1579 
1580  if (ti.tag == 0)
1581  {
1582  if (distpoint)
1583  {
1584  err = _ksba_name_new_from_der (distpoint, der, ti.length);
1585  if (err)
1586  return err;
1587  }
1588  }
1589  else
1590  {
1591  /* We don't support nameRelativeToCRLIssuer yet*/
1592  }
1593  der += ti.length;
1594  derlen -= ti.length;
1595 
1596  if (!derlen)
1597  return 0;
1598 
1599  /* read the next optional element */
1600  err = _ksba_ber_parse_tl (&der, &derlen, &ti);
1601  if (err)
1602  return err;
1603  if (ti.class != CLASS_CONTEXT)
1604  return gpg_error (GPG_ERR_INV_CERT_OBJ); /* we expected a tag */
1605  if (ti.ndef)
1606  return gpg_error (GPG_ERR_NOT_DER_ENCODED);
1607  if (derlen < ti.length)
1608  return gpg_error (GPG_ERR_BAD_BER);
1609  }
1610 
1611  if (ti.tag == 1 && derlen)
1612  { /* reasonFlags */
1613  unsigned int bits, mask;
1614  int i, unused, full;
1615 
1616  if (!ti.length || ti.length > derlen)
1617  return gpg_error (GPG_ERR_ENCODING_PROBLEM);
1618  unused = *der++; derlen--;
1619  ti.length--;
1620  if ((!ti.length && unused) || unused/8 > ti.length)
1621  return gpg_error (GPG_ERR_ENCODING_PROBLEM);
1622 
1623  full = ti.length - (unused+7)/8;
1624  unused %= 8;
1625  mask = 0;
1626  for (i=1; unused; i <<= 1, unused--)
1627  mask |= i;
1628 
1629  /* we are only required to look at the first octect */
1630  if (ti.length && reason)
1631  {
1632  bits = *der;
1633  if (full)
1634  full--;
1635  else {
1636  bits &= ~~mask;
1637  mask = 0;
1638  }
1639 
1640  if (bits & 0x80)
1641  *reason |= KSBA_CRLREASON_UNSPECIFIED;
1642  if (bits & 0x40)
1643  *reason |= KSBA_CRLREASON_KEY_COMPROMISE;
1644  if (bits & 0x20)
1645  *reason |= KSBA_CRLREASON_CA_COMPROMISE;
1646  if (bits & 0x10)
1648  if (bits & 0x08)
1649  *reason |= KSBA_CRLREASON_SUPERSEDED;
1650  if (bits & 0x04)
1652  if (bits & 0x02)
1654  }
1655 
1656  der += ti.length;
1657  derlen -= ti.length;
1658 
1659  if (!derlen)
1660  return 0;
1661 
1662  /* read the next optional element */
1663  err = _ksba_ber_parse_tl (&der, &derlen, &ti);
1664  if (err)
1665  return err;
1666  if (ti.class != CLASS_CONTEXT)
1667  return gpg_error (GPG_ERR_INV_CERT_OBJ); /* we expected a tag */
1668  if (ti.ndef)
1669  return gpg_error (GPG_ERR_NOT_DER_ENCODED);
1670  if (derlen < ti.length)
1671  return gpg_error (GPG_ERR_BAD_BER);
1672  }
1673 
1674  if (ti.tag == 2 && derlen)
1675  { /* crlIssuer */
1676  if (issuer)
1677  {
1678  err = _ksba_name_new_from_der (issuer, der, ti.length);
1679  if (err)
1680  return err;
1681  }
1682 
1683  der += ti.length;
1684  derlen -= ti.length;
1685  }
1686 
1687  if (derlen)
1688  return gpg_error (GPG_ERR_INV_CERT_OBJ);
1689 
1690  return 0;
1691 }
1692 
1693 /* Return the CRLDistPoints given in the cert extension. IDX should
1694  be iterated started from 0 until the function returns -1.
1695  R_DISTPOINT returns a ksba_name_t object with the distribution point
1696  name(s) the return value may be NULL to indicate that this name is
1697  not available. R_ISSUER returns the CRL issuer; if the returned
1698  value is NULL the caller should assume that the CRL issuer is the
1699  same as the certificate issuer. R_REASON returns the reason for
1700  the CRL. This is a bit encoded value with no bit set if this has
1701  not been specified in the cert.
1702 
1703  The caller may pass NULL to any of the pointer arguments if he is
1704  not interested in this value. The return values for R_DISTPOINT
1705  and R_ISSUER must be released by the caller using
1706  ksba_name_release(). */
1707 
1708 gpg_error_t
1710  ksba_name_t *r_distpoint,
1711  ksba_name_t *r_issuer,
1712  ksba_crl_reason_t *r_reason)
1713 {
1714  gpg_error_t err;
1715  const char *oid;
1716  size_t off, derlen;
1717  int myidx, crit;
1718 
1719  if (r_distpoint)
1720  *r_distpoint = NULL;
1721  if (r_issuer)
1722  *r_issuer = NULL;
1723  if (r_reason)
1724  *r_reason = 0;
1725 
1726  for (myidx=0; !(err=ksba_cert_get_extension (cert, myidx, &oid, &crit,
1727  &off, &derlen)); myidx++)
1728  {
1729  if (!strcmp (oid, oidstr_crlDistributionPoints))
1730  {
1731  const unsigned char *der;
1732  struct tag_info ti;
1733  size_t seqlen;
1734 
1735  der = cert->image + off;
1736 
1737  err = _ksba_ber_parse_tl (&der, &derlen, &ti);
1738  if (err)
1739  return err;
1740  if ( !(ti.class == CLASS_UNIVERSAL && ti.tag == TYPE_SEQUENCE
1741  && ti.is_constructed) )
1742  return gpg_error (GPG_ERR_INV_CERT_OBJ);
1743  if (ti.ndef)
1744  return gpg_error (GPG_ERR_NOT_DER_ENCODED);
1745  seqlen = ti.length;
1746  if (seqlen > derlen)
1747  return gpg_error (GPG_ERR_BAD_BER);
1748 
1749  /* Note: an empty sequence is actually not allowed but we
1750  better don't care */
1751 
1752  while (seqlen)
1753  {
1754  err = _ksba_ber_parse_tl (&der, &derlen, &ti);
1755  if (err)
1756  return err;
1757  if ( !(ti.class == CLASS_UNIVERSAL && ti.tag == TYPE_SEQUENCE
1758  && ti.is_constructed) )
1759  return gpg_error (GPG_ERR_INV_CERT_OBJ);
1760  if (derlen < ti.length)
1761  return gpg_error (GPG_ERR_BAD_BER);
1762  if (seqlen < ti.nhdr)
1763  return gpg_error (GPG_ERR_BAD_BER);
1764  seqlen -= ti.nhdr;
1765  if (seqlen < ti.length)
1766  return gpg_error (GPG_ERR_BAD_BER);
1767 
1768  if (idx)
1769  { /* skip because we are not yet at the desired index */
1770  der += ti.length;
1771  derlen -= ti.length;
1772  seqlen -= ti.length;
1773  idx--;
1774  continue;
1775  }
1776 
1777  if (!ti.length)
1778  return 0;
1779 
1780  err = parse_distribution_point (der, ti.length,
1781  r_distpoint, r_issuer, r_reason);
1782  if (err && r_distpoint)
1783  {
1784  ksba_name_release (*r_distpoint);
1785  *r_distpoint = NULL;
1786  }
1787  if (err && r_issuer)
1788  {
1789  ksba_name_release (*r_issuer);
1790  *r_issuer = NULL;
1791  }
1792  if (err && r_reason)
1793  *r_reason = 0;
1794 
1795  return err;
1796  }
1797  }
1798  }
1799 
1800  return err;
1801 }
1802 
1803 ␌
1804 /* Return the authorityKeyIdentifier in R_NAME and R_SERIAL or/and in
1805  R_KEYID. GPG_ERR_NO_DATA is returned if no authorityKeyIdentifier
1806  or only one using the keyIdentifier method is available and R_KEYID
1807  is NULL. */
1808 gpg_error_t
1810  ksba_sexp_t *r_keyid,
1811  ksba_name_t *r_name,
1812  ksba_sexp_t *r_serial)
1813 {
1814  gpg_error_t err;
1815  const char *oid;
1816  size_t off, derlen;
1817  const unsigned char *der;
1818  const unsigned char *keyid_der = NULL;
1819  size_t keyid_derlen = 0;
1820  int idx, crit;
1821  struct tag_info ti;
1822  char numbuf[30];
1823  size_t numbuflen;
1824 
1825  if (r_keyid)
1826  *r_keyid = NULL;
1827  if (!r_name || !r_serial)
1828  return gpg_error (GPG_ERR_INV_VALUE);
1829  *r_name = NULL;
1830  *r_serial = NULL;
1831 
1832  for (idx=0; !(err=ksba_cert_get_extension (cert, idx, &oid, &crit,
1833  &off, &derlen)); idx++)
1834  {
1835  if (!strcmp (oid, oidstr_authorityKeyIdentifier))
1836  break;
1837  }
1838  if (gpg_err_code (err) == GPG_ERR_EOF
1839  || gpg_err_code (err) == GPG_ERR_NO_VALUE)
1840  return gpg_error (GPG_ERR_NO_DATA); /* not available */
1841  if (err)
1842  return err;
1843 
1844  /* check that there is only one */
1845  for (idx++; !(err=ksba_cert_get_extension (cert, idx, &oid, NULL,
1846  NULL, NULL)); idx++)
1847  {
1848  if (!strcmp (oid, oidstr_authorityKeyIdentifier))
1849  return gpg_error (GPG_ERR_DUP_VALUE);
1850  }
1851 
1852  der = cert->image + off;
1853 
1854  err = _ksba_ber_parse_tl (&der, &derlen, &ti);
1855  if (err)
1856  return err;
1857  if ( !(ti.class == CLASS_UNIVERSAL && ti.tag == TYPE_SEQUENCE
1858  && ti.is_constructed) )
1859  return gpg_error (GPG_ERR_INV_CERT_OBJ);
1860  if (ti.ndef)
1861  return gpg_error (GPG_ERR_NOT_DER_ENCODED);
1862  if (ti.length > derlen)
1863  return gpg_error (GPG_ERR_BAD_BER);
1864 
1865  err = _ksba_ber_parse_tl (&der, &derlen, &ti);
1866  if (err)
1867  return err;
1868  if (ti.class != CLASS_CONTEXT)
1869  return gpg_error (GPG_ERR_INV_CERT_OBJ); /* we expected a tag */
1870  if (ti.ndef)
1871  return gpg_error (GPG_ERR_NOT_DER_ENCODED);
1872  if (derlen < ti.length)
1873  return gpg_error (GPG_ERR_BAD_BER);
1874 
1875  if (ti.tag == 0)
1876  { /* keyIdentifier: Save it away and skip over it. */
1877  keyid_der = der;
1878  keyid_derlen = ti.length;
1879 
1880  der += ti.length;
1881  derlen -= ti.length;
1882  /* If the keyid has been requested but no other data follows, we
1883  directly jump to the end. */
1884  if (r_keyid && !derlen)
1885  goto build_keyid;
1886  if (!derlen)
1887  return gpg_error (GPG_ERR_NO_DATA); /* not available */
1888  err = _ksba_ber_parse_tl (&der, &derlen, &ti);
1889  if (err)
1890  return err;
1891  if (ti.class != CLASS_CONTEXT)
1892  return gpg_error (GPG_ERR_INV_CERT_OBJ); /* we expected a tag */
1893  if (ti.ndef)
1894  return gpg_error (GPG_ERR_NOT_DER_ENCODED);
1895  if (derlen < ti.length)
1896  return gpg_error (GPG_ERR_BAD_BER);
1897  }
1898 
1899  if (ti.tag != 1 || !derlen)
1900  return gpg_error (GPG_ERR_INV_CERT_OBJ);
1901 
1902  err = _ksba_name_new_from_der (r_name, der, ti.length);
1903  if (err)
1904  return err;
1905 
1906  der += ti.length;
1907  derlen -= ti.length;
1908 
1909  /* fixme: we should release r_name before returning on error */
1910  err = _ksba_ber_parse_tl (&der, &derlen, &ti);
1911  if (err)
1912  return err;
1913  if (ti.class != CLASS_CONTEXT)
1914  return gpg_error (GPG_ERR_INV_CERT_OBJ); /* we expected a tag */
1915  if (ti.ndef)
1916  return gpg_error (GPG_ERR_NOT_DER_ENCODED);
1917  if (derlen < ti.length)
1918  return gpg_error (GPG_ERR_BAD_BER);
1919 
1920  if (ti.tag != 2 || !derlen)
1921  return gpg_error (GPG_ERR_INV_CERT_OBJ);
1922 
1923  sprintf (numbuf,"(%u:", (unsigned int)ti.length);
1924  numbuflen = strlen (numbuf);
1925  *r_serial = xtrymalloc (numbuflen + ti.length + 2);
1926  if (!*r_serial)
1927  return gpg_error (GPG_ERR_ENOMEM);
1928  strcpy (*r_serial, numbuf);
1929  memcpy (*r_serial+numbuflen, der, ti.length);
1930  (*r_serial)[numbuflen + ti.length] = ')';
1931  (*r_serial)[numbuflen + ti.length + 1] = 0;
1932 
1933  build_keyid:
1934  if (r_keyid && keyid_der && keyid_derlen)
1935  {
1936  sprintf (numbuf,"(%u:", (unsigned int)keyid_derlen);
1937  numbuflen = strlen (numbuf);
1938  *r_keyid = xtrymalloc (numbuflen + keyid_derlen + 2);
1939  if (!*r_keyid)
1940  return gpg_error (GPG_ERR_ENOMEM);
1941  strcpy (*r_keyid, numbuf);
1942  memcpy (*r_keyid+numbuflen, keyid_der, keyid_derlen);
1943  (*r_keyid)[numbuflen + keyid_derlen] = ')';
1944  (*r_keyid)[numbuflen + keyid_derlen + 1] = 0;
1945  }
1946  return 0;
1947 }
1948 
1949 
1950 /* Return a simple octet string extension at the object identifier OID
1951  from certificate CERT. The data is return as a simple S-expression
1952  and stored at R_DATA. Returns 0 on success or an error code.
1953  common error codes are: GPG_ERR_NO_DATA if no such extension is
1954  available, GPG_ERR_DUP_VALUE if more than one is available. If
1955  R_CRIT is not NULL, the critical extension flag will be stored at
1956  that address. */
1957 static gpg_error_t
1959  int *r_crit, ksba_sexp_t *r_data)
1960 {
1961  gpg_error_t err;
1962  const char *tmpoid;
1963  size_t off, derlen;
1964  const unsigned char *der;
1965  int idx, crit;
1966  struct tag_info ti;
1967  char numbuf[30];
1968  size_t numbuflen;
1969 
1970  if (!r_data)
1971  return gpg_error (GPG_ERR_INV_VALUE);
1972  *r_data = NULL;
1973 
1974  for (idx=0; !(err=ksba_cert_get_extension (cert, idx, &tmpoid, &crit,
1975  &off, &derlen)); idx++)
1976  {
1977  if (!strcmp (tmpoid, oid))
1978  break;
1979  }
1980  if (err)
1981  {
1982  if (gpg_err_code (err) == GPG_ERR_EOF
1983  || gpg_err_code (err) == GPG_ERR_NO_VALUE)
1984  return gpg_error (GPG_ERR_NO_DATA);
1985  return err;
1986  }
1987 
1988  /* Check that there is only one */
1989  for (idx++; !(err=ksba_cert_get_extension (cert, idx, &tmpoid, NULL,
1990  NULL, NULL)); idx++)
1991  {
1992  if (!strcmp (tmpoid, oid))
1993  return gpg_error (GPG_ERR_DUP_VALUE);
1994  }
1995 
1996  der = cert->image + off;
1997 
1998  err = _ksba_ber_parse_tl (&der, &derlen, &ti);
1999  if (err)
2000  return err;
2001  if ( !(ti.class == CLASS_UNIVERSAL && ti.tag == TYPE_OCTET_STRING
2002  && !ti.is_constructed) )
2003  return gpg_error (GPG_ERR_INV_CERT_OBJ);
2004  if (ti.ndef)
2005  return gpg_error (GPG_ERR_NOT_DER_ENCODED);
2006  if (ti.length > derlen)
2007  return gpg_error (GPG_ERR_BAD_BER);
2008  if (ti.length != derlen)
2009  return gpg_error (GPG_ERR_INV_CERT_OBJ); /* Garbage follows. */
2010 
2011  sprintf (numbuf,"(%u:", (unsigned int)ti.length);
2012  numbuflen = strlen (numbuf);
2013  *r_data = xtrymalloc (numbuflen + ti.length + 2);
2014  if (!*r_data)
2015  return gpg_error (GPG_ERR_ENOMEM);
2016  strcpy (*r_data, numbuf);
2017  memcpy (*r_data+numbuflen, der, ti.length);
2018  (*r_data)[numbuflen + ti.length] = ')';
2019  (*r_data)[numbuflen + ti.length + 1] = 0;
2020  if (r_crit)
2021  *r_crit = crit;
2022  return 0;
2023 }
2024 
2025 
2026 /* Return the subjectKeyIdentifier extension as a simple allocated
2027  S-expression at the address of R_KEYID. 0 is returned on success,
2028  GPG_ERR_NO_DATA if no such extension is available or any other
2029  error code. If R_CRIT is not passed as NULL, the critical flag of
2030  this is extension is stored there. */
2031 gpg_error_t
2033 {
2035  r_crit, r_keyid);
2036 }
2037 
2038 
2039 ␌
2040 /* MODE 0 := authorityInfoAccess
2041  1 := subjectInfoAccess
2042 
2043  Caller must release METHOD and LOCATION if the function returned
2044  with success; on error both variables will point to NULL.
2045  */
2046 static gpg_error_t
2047 get_info_access (ksba_cert_t cert, int idx, int mode,
2048  char **method, ksba_name_t *location)
2049 {
2050  gpg_error_t err;
2051  const char *oid;
2052  size_t off, derlen;
2053  int myidx, crit;
2054 
2055  *method = NULL;
2056  *location = NULL;
2057 
2058  if (!cert || !cert->initialized)
2059  return gpg_error (GPG_ERR_INV_VALUE);
2060  if (idx < 0)
2061  return gpg_error (GPG_ERR_INV_INDEX);
2062 
2063  for (myidx=0; !(err=ksba_cert_get_extension (cert, myidx, &oid, &crit,
2064  &off, &derlen)); myidx++)
2065  {
2066  if (!strcmp (oid,(mode == 0)? oidstr_authorityInfoAccess
2068  {
2069  const unsigned char *der;
2070  struct tag_info ti;
2071  size_t seqlen;
2072 
2073  der = cert->image + off;
2074 
2075  /* What we are going to parse is:
2076  *
2077  * AuthorityInfoAccessSyntax ::=
2078  * SEQUENCE SIZE (1..MAX) OF AccessDescription
2079  *
2080  * AccessDescription ::= SEQUENCE {
2081  * accessMethod OBJECT IDENTIFIER,
2082  * accessLocation GeneralName }
2083  */
2084  err = _ksba_ber_parse_tl (&der, &derlen, &ti);
2085  if (err)
2086  return err;
2087  if ( !(ti.class == CLASS_UNIVERSAL && ti.tag == TYPE_SEQUENCE
2088  && ti.is_constructed) )
2089  return gpg_error (GPG_ERR_INV_CERT_OBJ);
2090  if (ti.ndef)
2091  return gpg_error (GPG_ERR_NOT_DER_ENCODED);
2092  seqlen = ti.length;
2093  if (seqlen > derlen)
2094  return gpg_error (GPG_ERR_BAD_BER);
2095 
2096  /* Note: an empty sequence is actually not allowed but we
2097  better don't care. */
2098 
2099  while (seqlen)
2100  {
2101  err = _ksba_ber_parse_tl (&der, &derlen, &ti);
2102  if (err)
2103  return err;
2104  if ( !(ti.class == CLASS_UNIVERSAL && ti.tag == TYPE_SEQUENCE
2105  && ti.is_constructed) )
2106  return gpg_error (GPG_ERR_INV_CERT_OBJ);
2107  if (derlen < ti.length)
2108  return gpg_error (GPG_ERR_BAD_BER);
2109  if (seqlen < ti.nhdr)
2110  return gpg_error (GPG_ERR_BAD_BER);
2111  seqlen -= ti.nhdr;
2112  if (seqlen < ti.length)
2113  return gpg_error (GPG_ERR_BAD_BER);
2114 
2115  if (idx)
2116  { /* Skip because we are not yet at the desired index. */
2117  der += ti.length;
2118  derlen -= ti.length;
2119  seqlen -= ti.length;
2120  idx--;
2121  continue;
2122  }
2123  /* We only need the next object, thus we can (and
2124  actually need to) limit the DERLEN to the length of
2125  the current sequence. */
2126  derlen = ti.length;
2127  if (!derlen)
2128  return gpg_error (GPG_ERR_INV_CERT_OBJ);
2129 
2130  err = _ksba_ber_parse_tl (&der, &derlen, &ti);
2131  if (err)
2132  return err;
2133 
2134  if ( !(ti.class == CLASS_UNIVERSAL && ti.tag == TYPE_OBJECT_ID
2135  && !ti.is_constructed))
2136  return gpg_error (GPG_ERR_INV_CERT_OBJ);
2137  if (ti.ndef)
2138  return gpg_error (GPG_ERR_NOT_DER_ENCODED);
2139  if (derlen < ti.length)
2140  return gpg_error (GPG_ERR_BAD_BER);
2141 
2142  *method = ksba_oid_to_str (der, ti.length);
2143  if (!*method)
2144  return gpg_error (GPG_ERR_ENOMEM);
2145  der += ti.length;
2146  derlen -= ti.length;
2147 
2148  err = _ksba_name_new_from_der (location, der, derlen);
2149  if (err)
2150  {
2151  ksba_free (*method);
2152  *method = NULL;
2153  return err;
2154  }
2155  return 0;
2156  }
2157  }
2158  }
2159 
2160  return err;
2161 }
2162 
2163 
2164 /* Return the authorityInfoAccess attributes. IDX should be iterated
2165  starting from 0 until the function returns GPG_ERR_EOF. R_METHOD
2166  returns an allocated string with the OID of one item and R_LOCATION
2167  return the GeneralName for that OID. The return values for
2168  R_METHOD and R_LOCATION must be released by the caller unless the
2169  function returned an error; the function will however make sure
2170  that R_METHOD and R_LOCATION will point to NULL if the function
2171  returns an error. See RFC 5280, section 4.2.2.1 */
2172 gpg_error_t
2174  char **r_method, ksba_name_t *r_location)
2175 {
2176  if (!r_method || !r_location)
2177  return gpg_error (GPG_ERR_INV_VALUE);
2178  return get_info_access (cert, idx, 0, r_method, r_location);
2179 }
2180 
2181 
2182 /* Return the subjectInfoAccess attributes. IDX should be iterated
2183  starting from 0 until the function returns GPG_ERR_EOF. R_METHOD
2184  returns an allocated string with the OID of one item and R_LOCATION
2185  return the GeneralName for that OID. The return values for
2186  R_METHOD and R_LOCATION must be released by the caller unless the
2187  function returned an error; the function will however make sure
2188  that R_METHOD and R_LOCATION will point to NULL if the function
2189  returns an error. See RFC 5280, section 4.2.2.2 */
2190 gpg_error_t
2192  char **r_method, ksba_name_t *r_location)
2193 {
2194  if (!r_method || !r_location)
2195  return gpg_error (GPG_ERR_INV_VALUE);
2196  return get_info_access (cert, idx, 1, r_method, r_location);
2197 }
@ TYPE_OCTET_STRING
@ TYPE_GENERALIZED_TIME
@ TYPE_OBJECT_ID
@ TYPE_BOOLEAN
@ TYPE_INTEGER
@ TYPE_SEQUENCE
@ TYPE_UTC_TIME
@ TYPE_BIT_STRING
@ CLASS_CONTEXT
@ CLASS_UNIVERSAL
AsnNode _ksba_asn_find_node(AsnNode root, const char *name)
Definition: asn1-func.c:383
void _ksba_asn_release_nodes(AsnNode node)
Definition: asn1-parse.c:2886
gpg_error_t _ksba_ber_decoder_decode(BerDecoder d, const char *start_name, unsigned int flags, AsnNode *r_root, unsigned char **r_image, size_t *r_imagelen)
Definition: ber-decoder.c:1203
gpg_error_t _ksba_ber_decoder_set_module(BerDecoder d, ksba_asn_tree_t module)
Definition: ber-decoder.c:373
BerDecoder _ksba_ber_decoder_new(void)
Definition: ber-decoder.c:344
void _ksba_ber_decoder_release(BerDecoder d)
Definition: ber-decoder.c:356
gpg_error_t _ksba_ber_decoder_set_reader(BerDecoder d, ksba_reader_t r)
Definition: ber-decoder.c:386
gpg_error_t _ksba_ber_parse_tl(unsigned char const **buffer, size_t *size, struct tag_info *ti)
Definition: ber-help.c:200
static gpg_error_t read_extensions(ksba_cert_t cert)
Definition: cert.c:956
static gpg_error_t parse_distribution_point(const unsigned char *der, size_t derlen, ksba_name_t *distpoint, ksba_name_t *issuer, ksba_crl_reason_t *reason)
Definition: cert.c:1549
static const char oidstr_crlDistributionPoints[]
Definition: cert.c:52
static gpg_error_t get_info_access(ksba_cert_t cert, int idx, int mode, char **method, ksba_name_t *location)
Definition: cert.c:2047
int _ksba_cert_cmp(ksba_cert_t a, ksba_cert_t b)
Definition: cert.c:376
gpg_error_t _ksba_cert_get_subject_dn_ptr(ksba_cert_t cert, unsigned char const **ptr, size_t *length)
Definition: cert.c:583
gpg_error_t _ksba_cert_get_public_key_ptr(ksba_cert_t cert, unsigned char const **ptr, size_t *length)
Definition: cert.c:882
gpg_error_t _ksba_cert_get_issuer_dn_ptr(ksba_cert_t cert, unsigned char const **ptr, size_t *length)
Definition: cert.c:559
static const char oidstr_authorityInfoAccess[]
Definition: cert.c:56
static const char oidstr_certificatePolicies[]
Definition: cert.c:53
static const char oidstr_subjectKeyIdentifier[]
Definition: cert.c:47
static const char oidstr_basicConstraints[]
Definition: cert.c:51
static const char oidstr_keyUsage[]
Definition: cert.c:48
gpg_error_t _ksba_cert_get_serial_ptr(ksba_cert_t cert, unsigned char const **ptr, size_t *length)
Definition: cert.c:537
static const char oidstr_subjectAltName[]
Definition: cert.c:49
static const char oidstr_subjectInfoAccess[]
Definition: cert.c:57
static gpg_error_t append_cert_policy(char **policies, const char *oid, int crit)
Definition: cert.c:1275
static const char oidstr_authorityKeyIdentifier[]
Definition: cert.c:54
static gpg_error_t get_simple_octet_string_ext(ksba_cert_t cert, const char *oid, int *r_crit, ksba_sexp_t *r_data)
Definition: cert.c:1958
static gpg_error_t get_name(ksba_cert_t cert, int idx, int use_subject, char **result)
Definition: cert.c:606
static const char oidstr_extKeyUsage[]
Definition: cert.c:55
static const char oidstr_issuerAltName[]
Definition: cert.c:50
const char * oid
Definition: cms.c:71
gpg_error_t _ksba_dn_to_str(const unsigned char *image, AsnNode node, char **r_string)
Definition: dn.c:551
char * _ksba_oid_node_to_str(const unsigned char *image, AsnNode node)
Definition: oid.c:133
gpg_error_t _ksba_name_new_from_der(ksba_name_t *r_name, const unsigned char *image, size_t imagelen)
Definition: name.c:100
gpg_error_t _ksba_asntime_to_iso(const char *buffer, size_t length, int is_utctime, ksba_isotime_t timebuf)
Definition: time.c:52
const char * name
Definition: dn.c:47
#define DIM(v)
Definition: gen-help.h:46
#define stpcpy(a, b)
Definition: gen-help.h:41
#define GPG_ERR_BUG
Definition: gen-help.h:83
#define GPG_ERR_INV_VALUE
Definition: gen-help.h:82
#define xtrymalloc(a)
Definition: gen-help.h:38
#define gpg_error(a)
Definition: gen-help.h:87
#define return_val_if_fail(expr, val)
Definition: gen-help.h:67
gpg_error_t _ksba_sigval_to_sexp(const unsigned char *der, size_t derlen, ksba_sexp_t *r_string)
Definition: keyinfo.c:1702
const unsigned char * der
Definition: keyinfo.c:367
unsigned int derlen
Definition: keyinfo.c:366
gpg_error_t _ksba_parse_algorithm_identifier(const unsigned char *der, size_t derlen, size_t *r_nread, char **r_oid)
Definition: keyinfo.c:679
gpg_error_t _ksba_keyinfo_to_sexp(const unsigned char *der, size_t derlen, ksba_sexp_t *r_string)
Definition: keyinfo.c:798
@ KSBA_KEYUSAGE_CRL_SIGN
Definition: ksba.h:204
@ KSBA_KEYUSAGE_KEY_ENCIPHERMENT
Definition: ksba.h:200
@ KSBA_KEYUSAGE_ENCIPHER_ONLY
Definition: ksba.h:205
@ KSBA_KEYUSAGE_DIGITAL_SIGNATURE
Definition: ksba.h:198
@ KSBA_KEYUSAGE_DATA_ENCIPHERMENT
Definition: ksba.h:201
@ KSBA_KEYUSAGE_NON_REPUDIATION
Definition: ksba.h:199
@ KSBA_KEYUSAGE_KEY_CERT_SIGN
Definition: ksba.h:203
@ KSBA_KEYUSAGE_DECIPHER_ONLY
Definition: ksba.h:206
@ KSBA_KEYUSAGE_KEY_AGREEMENT
Definition: ksba.h:202
gpg_error_t ksba_cert_hash(ksba_cert_t cert, int what, void(*hasher)(void *, const void *, size_t length), void *hasher_arg)
void ksba_reader_release(ksba_reader_t r)
gpg_error_t ksba_cert_init_from_mem(ksba_cert_t cert, const void *buffer, size_t length)
const char * ksba_cert_get_digest_algo(ksba_cert_t cert)
gpg_error_t ksba_cert_get_crl_dist_point(ksba_cert_t cert, int idx, ksba_name_t *r_distpoint, ksba_name_t *r_issuer, ksba_crl_reason_t *r_reason)
void ksba_cert_ref(ksba_cert_t cert)
ksba_crl_reason_t
Definition: ksba.h:156
@ KSBA_CRLREASON_CESSATION_OF_OPERATION
Definition: ksba.h:162
@ KSBA_CRLREASON_SUPERSEDED
Definition: ksba.h:161
@ KSBA_CRLREASON_CA_COMPROMISE
Definition: ksba.h:159
@ KSBA_CRLREASON_UNSPECIFIED
Definition: ksba.h:157
@ KSBA_CRLREASON_AFFILIATION_CHANGED
Definition: ksba.h:160
@ KSBA_CRLREASON_KEY_COMPROMISE
Definition: ksba.h:158
@ KSBA_CRLREASON_CERTIFICATE_HOLD
Definition: ksba.h:163
unsigned char * ksba_sexp_t
Definition: ksba.h:273
gpg_error_t ksba_cert_read_der(ksba_cert_t cert, ksba_reader_t reader)
gpg_error_t ksba_cert_get_authority_info_access(ksba_cert_t cert, int idx, char **r_method, ksba_name_t *r_location)
gpg_error_t ksba_cert_get_ext_key_usages(ksba_cert_t cert, char **result)
gpg_error_t ksba_cert_new(ksba_cert_t *acert)
char ksba_isotime_t[16]
Definition: ksba.h:212
gpg_error_t ksba_cert_is_ca(ksba_cert_t cert, int *r_ca, int *r_pathlen)
gpg_error_t ksba_reader_set_mem(ksba_reader_t r, const void *buffer, size_t length)
char * ksba_oid_to_str(const char *buffer, size_t length)
void ksba_name_release(ksba_name_t name)
gpg_error_t ksba_cert_get_subject_info_access(ksba_cert_t cert, int idx, char **r_method, ksba_name_t *r_location)
gpg_error_t ksba_cert_set_user_data(ksba_cert_t cert, const char *key, const void *data, size_t datalen)
gpg_error_t ksba_cert_get_extension(ksba_cert_t cert, int idx, char const **r_oid, int *r_crit, size_t *r_deroff, size_t *r_derlen)
gpg_error_t ksba_cert_get_subj_key_id(ksba_cert_t cert, int *r_crit, ksba_sexp_t *r_keyid)
const unsigned char * ksba_cert_get_image(ksba_cert_t cert, size_t *r_length)
gpg_error_t ksba_asn_create_tree(const char *mod_name, ksba_asn_tree_t *result)
gpg_error_t ksba_cert_get_cert_policies(ksba_cert_t cert, char **r_policies)
gpg_error_t ksba_cert_get_user_data(ksba_cert_t cert, const char *key, void *buffer, size_t bufferlen, size_t *datalen)
gpg_error_t ksba_cert_get_auth_key_id(ksba_cert_t cert, ksba_sexp_t *r_keyid, ksba_name_t *r_name, ksba_sexp_t *r_serial)
void ksba_free(void *a)
void ksba_cert_release(ksba_cert_t cert)
gpg_error_t ksba_cert_get_validity(ksba_cert_t cert, int what, ksba_isotime_t r_time)
ksba_sexp_t ksba_cert_get_sig_val(ksba_cert_t cert)
void ksba_asn_tree_release(ksba_asn_tree_t tree)
char * ksba_cert_get_issuer(ksba_cert_t cert, int idx)
char * ksba_cert_get_subject(ksba_cert_t cert, int idx)
gpg_error_t ksba_cert_get_key_usage(ksba_cert_t cert, unsigned int *r_flags)
ksba_sexp_t ksba_cert_get_public_key(ksba_cert_t cert)
gpg_error_t ksba_reader_new(ksba_reader_t *r_r)
ksba_sexp_t ksba_cert_get_serial(ksba_cert_t cert)
static char * smklen(char *help_buffer, size_t help_buflen, size_t value, size_t *length)
Definition: sexp-parse.h:119
AsnNode right
Definition: asn1-func.h:111
AsnNode down
Definition: asn1-func.h:110
node_type_t type
Definition: asn1-func.h:100
char * oid
Definition: cert.h:39
int off
Definition: cert.h:41
int len
Definition: cert.h:41
int crit
Definition: cert.h:40
char key[1]
Definition: cert.h:66
void * data
Definition: cert.h:58
size_t datalen
Definition: cert.h:53
struct cert_user_data * next
Definition: cert.h:50
char databuf[sizeof(int)]
Definition: cert.h:62
AsnNode root
Definition: cert.h:92
gpg_error_t last_error
Definition: cert.h:97
struct cert_user_data * udata
Definition: cert.h:78
size_t imagelen
Definition: cert.h:95
int initialized
Definition: cert.h:83
int n_extns
Definition: cert.h:101
int extns_valid
Definition: cert.h:100
unsigned char * image
Definition: cert.h:94
struct ksba_cert_s::@5 cache
int ref_count
Definition: cert.h:89
ksba_asn_tree_t asn_tree
Definition: cert.h:91
char * digest_algo
Definition: cert.h:99
struct cert_extn_info * extns
Definition: cert.h:102
unsigned long tag
Definition: ber-help.h:38
int is_constructed
Definition: ber-help.h:37
unsigned long length
Definition: ber-help.h:39
int ndef
Definition: ber-help.h:40
enum tag_class class
Definition: ber-help.h:36
size_t nhdr
Definition: ber-help.h:41
#define xfree(a)
Definition: util.h:58
#define xtryrealloc(a, b)
Definition: util.h:56
#define xtrycalloc(a, b)
Definition: util.h:55