1 /* cert.c - main function for the certificate handling
2 * Copyright (C) 2001, 2002, 2003, 2004, 2005, 2012 g10 Code GmbH
4 * This file is part of KSBA.
6 * KSBA is free software; you can redistribute it and/or modify
7 * it under the terms of either
9 * - the GNU Lesser General Public License as published by the Free
10 * Software Foundation; either version 3 of the License, or (at
11 * your option) any later version.
15 * - the GNU General Public License as published by the Free
16 * Software Foundation; either version 2 of the License, or (at
17 * your option) any later version.
19 * or both in parallel, as here.
21 * KSBA is distributed in the hope that it will be useful, but WITHOUT
22 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
23 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
24 * License for more details.
26 * You should have received a copies of the GNU General Public License
27 * and the GNU Lesser General Public License along with this program;
28 * if not, see <http://www.gnu.org/licenses/>.
39 #include "ber-decoder.h"
43 #include "sexp-parse.h"
47 static const char oidstr_subjectKeyIdentifier[] = "2.5.29.14";
48 static const char oidstr_keyUsage[] = "2.5.29.15";
49 static const char oidstr_subjectAltName[] = "2.5.29.17";
50 static const char oidstr_issuerAltName[] = "2.5.29.18";
51 static const char oidstr_basicConstraints[] = "2.5.29.19";
52 static const char oidstr_crlDistributionPoints[] = "2.5.29.31";
53 static const char oidstr_certificatePolicies[] = "2.5.29.32";
54 static const char oidstr_authorityKeyIdentifier[] = "2.5.29.35";
55 static const char oidstr_extKeyUsage[] = "2.5.29.37";
56 static const char oidstr_authorityInfoAccess[] = "1.3.6.1.5.5.7.1.1";
57 static const char oidstr_subjectInfoAccess[] = "1.3.6.1.5.5.7.1.11";
63 * Create a new and empty certificate object
65 * Return value: 0 on success or error code. For a successful
66 * operation, ACERT is set to the new certifixate obbject, otherwise
70 ksba_cert_new (ksba_cert_t *acert)
72 *acert = xtrycalloc (1, sizeof **acert);
74 return gpg_error_from_errno (errno);
75 (*acert)->ref_count++;
81 ksba_cert_ref (ksba_cert_t cert)
84 fprintf (stderr, "BUG: ksba_cert_ref for NULL\n");
91 * @cert: A certificate object
93 * Release a certificate object.
96 ksba_cert_release (ksba_cert_t cert)
102 if (cert->ref_count < 1)
104 fprintf (stderr, "BUG: trying to release an already released cert\n");
107 if (--cert->ref_count)
112 struct cert_user_data *ud = cert->udata;
116 struct cert_user_data *ud2 = ud->next;
117 if (ud->data && ud->data != ud->databuf)
125 xfree (cert->cache.digest_algo);
126 if (cert->cache.extns_valid)
128 for (i=0; i < cert->cache.n_extns; i++)
129 xfree (cert->cache.extns[i].oid);
130 xfree (cert->cache.extns);
133 _ksba_asn_release_nodes (cert->root);
134 ksba_asn_tree_release (cert->asn_tree);
142 /* Store arbitrary data along with a certificate. The DATA of length
143 DATALEN will be stored under the string KEY. If some data is
144 already stored under this key it will be replaced by the new data.
145 Using NULL for DATA will effectivly delete the data.
147 On error (i.e. out or memory) an already existing data object
148 stored under KEY may get deleted.
150 This function is not thread safe because we don't employ any
153 ksba_cert_set_user_data (ksba_cert_t cert,
154 const char *key, const void *data, size_t datalen)
156 struct cert_user_data *ud;
158 if (!cert || !key || !*key)
159 return gpg_error (GPG_ERR_INV_VALUE);
161 for (ud=cert->udata; ud; ud = ud->next)
162 if (!strcmp (ud->key, key))
164 if (ud) /* Update the data stored under this key or reuse this item. */
166 if (ud->data && ud->data != ud->databuf)
169 if (data && datalen <= sizeof ud->databuf)
171 memcpy (ud->databuf, data, datalen);
172 ud->data = ud->databuf;
173 ud->datalen = datalen;
177 ud->data = xtrymalloc (datalen);
179 return gpg_error_from_errno (errno);
180 memcpy (ud->data, data, datalen);
181 ud->datalen = datalen;
184 else if (data) /* Insert as a new item. */
186 ud = xtrycalloc (1, sizeof *ud + strlen (key));
188 return gpg_error_from_errno (errno);
189 strcpy (ud->key, key);
190 if (datalen <= sizeof ud->databuf)
192 memcpy (ud->databuf, data, datalen);
193 ud->data = ud->databuf;
194 ud->datalen = datalen;
198 ud->data = xtrymalloc (datalen);
202 return gpg_error_from_errno (errno);
204 memcpy (ud->data, data, datalen);
205 ud->datalen = datalen;
207 ud->next = cert->udata;
216 /* Return user data for certificate CERT stored under the string
217 KEY. The caller needs to provide a suitable large BUFFER and pass
218 the usable length of the buffer in BUFFERLEN. If DATALEN is not
219 NULL, the length of the data stored at BUFFER will be stored there.
221 If BUFFER is NULL, BUFFERLEN will be ignored and the required
222 length of the buffer will be returned at DATALEN.
224 On success 0 is returned. If no data is stored under KEY
225 GPG_ERR_NOT_FOUND is returned. If the provided buffer is too
226 short, GPG_ERR_BUFFER_TOO_SHORT will be returned (note, that this
227 is not the case if BUFFER is NULL).
230 ksba_cert_get_user_data (ksba_cert_t cert, const char *key,
231 void *buffer, size_t bufferlen, size_t *datalen)
233 struct cert_user_data *ud;
235 if (!cert || !key || !*key)
236 return gpg_error (GPG_ERR_INV_VALUE);
238 for (ud=cert->udata; ud; ud = ud->next)
239 if (!strcmp (ud->key, key))
241 if (!ud || !ud->data)
242 return gpg_error (GPG_ERR_NOT_FOUND);
244 *datalen = ud->datalen;
247 if (ud->datalen > bufferlen)
248 return gpg_error (GPG_ERR_BUFFER_TOO_SHORT);
249 memcpy (buffer, ud->data, ud->datalen);
256 * ksba_cert_read_der:
257 * @cert: An unitialized certificate object
258 * @reader: A KSBA Reader object
260 * Read the next certificate from the reader and store it in the
261 * certificate object for future access. The certificate is parsed
262 * and rejected if it has any syntactical or semantical error
263 * (i.e. does not match the ASN.1 description).
265 * Return value: 0 on success or an error value
268 ksba_cert_read_der (ksba_cert_t cert, ksba_reader_t reader)
271 BerDecoder decoder = NULL;
273 if (!cert || !reader)
274 return gpg_error (GPG_ERR_INV_VALUE);
275 if (cert->initialized)
276 return gpg_error (GPG_ERR_CONFLICT); /* Fixme: should remove the old one */
278 _ksba_asn_release_nodes (cert->root);
279 ksba_asn_tree_release (cert->asn_tree);
281 cert->asn_tree = NULL;
283 err = ksba_asn_create_tree ("tmttv2", &cert->asn_tree);
287 decoder = _ksba_ber_decoder_new ();
290 err = gpg_error (GPG_ERR_ENOMEM);
294 err = _ksba_ber_decoder_set_reader (decoder, reader);
298 err = _ksba_ber_decoder_set_module (decoder, cert->asn_tree);
302 err = _ksba_ber_decoder_decode (decoder, "TMTTv2.Certificate", 0,
303 &cert->root, &cert->image, &cert->imagelen);
305 cert->initialized = 1;
308 _ksba_ber_decoder_release (decoder);
315 ksba_cert_init_from_mem (ksba_cert_t cert, const void *buffer, size_t length)
318 ksba_reader_t reader;
320 err = ksba_reader_new (&reader);
323 err = ksba_reader_set_mem (reader, buffer, length);
326 ksba_reader_release (reader);
329 err = ksba_cert_read_der (cert, reader);
330 ksba_reader_release (reader);
336 const unsigned char *
337 ksba_cert_get_image (ksba_cert_t cert, size_t *r_length )
343 if (!cert->initialized)
346 n = _ksba_asn_find_node (cert->root, "Certificate");
352 /* fputs ("ksba_cert_get_image problem at node:\n", stderr); */
353 /* _ksba_asn_node_dump_all (n, stderr); */
357 /* Due to minor problems in our parser we might hit the assertion
358 below. Thus we better return a error, proper. */
359 if ( !(n->nhdr + n->len + n->off <= cert->imagelen) )
361 fprintf (stderr,"\nOops, ksba_cert_get_image failed: "
362 "imagelen=%lu hdr=%d len=%d off=%d\n",
363 (unsigned long)cert->imagelen, n->nhdr, (int)n->len, n->off);
366 /*assert (n->nhdr + n->len + n->off <= cert->imagelen);*/
369 *r_length = n->nhdr + n->len;
370 return cert->image + n->off;
373 /* Check whether certificates A and B are identical and return o in
376 _ksba_cert_cmp (ksba_cert_t a, ksba_cert_t b)
378 const unsigned char *img_a, *img_b;
381 img_a = ksba_cert_get_image (a, &len_a);
384 img_b = ksba_cert_get_image (b, &len_b);
387 return !(len_a == len_b && !memcmp (img_a, img_b, len_a));
394 ksba_cert_hash (ksba_cert_t cert, int what,
395 void (*hasher)(void *, const void *, size_t length),
400 if (!cert /*|| !hasher*/)
401 return gpg_error (GPG_ERR_INV_VALUE);
402 if (!cert->initialized)
403 return gpg_error (GPG_ERR_NO_DATA);
405 n = _ksba_asn_find_node (cert->root,
406 what == 1? "Certificate.tbsCertificate"
409 return gpg_error (GPG_ERR_NO_VALUE); /* oops - should be there */
412 /* fputs ("ksba_cert_hash problem at node:\n", stderr); */
413 /* _ksba_asn_node_dump_all (n, stderr); */
414 return gpg_error (GPG_ERR_NO_VALUE);
417 hasher (hasher_arg, cert->image + n->off, n->nhdr + n->len);
426 * ksba_cert_get_digest_algo:
427 * @cert: Initialized certificate object
429 * Figure out the the digest algorithm used for the signature and
432 * This function is intended as a helper for the ksba_cert_hash().
434 * Return value: NULL for error otherwise a constant string with the OID.
435 * This string is valid as long the certificate object is valid.
438 ksba_cert_get_digest_algo (ksba_cert_t cert)
446 return NULL; /* Ooops (can't set cert->last_error :-(). */
448 if (!cert->initialized)
450 cert->last_error = gpg_error (GPG_ERR_NO_DATA);
454 if (cert->cache.digest_algo)
455 return cert->cache.digest_algo;
457 /* n = _ksba_asn_find_node (cert->root, */
458 /* "Certificate.signatureAlgorithm.algorithm"); */
459 /* algo = _ksba_oid_node_to_str (cert->image, n); */
461 /* cert->last_error = gpg_error (GPG_ERR_UNKNOWN_ALGORITHM); */
463 /* cert->cache.digest_algo = algo; */
465 n = _ksba_asn_find_node (cert->root, "Certificate.signatureAlgorithm");
466 if (!n || n->off == -1)
469 err = gpg_error (GPG_ERR_UNKNOWN_ALGORITHM);
472 err = _ksba_parse_algorithm_identifier (cert->image + n->off,
473 n->nhdr + n->len, &nread, &algo);
475 cert->last_error = err;
477 cert->cache.digest_algo = algo;
486 * ksba_cert_get_serial:
487 * @cert: certificate object
489 * This function returnes the serial number of the certificate. The
490 * serial number is an integer returned as an canonical encoded
491 * S-expression with just one element.
493 * Return value: An allocated S-Exp or NULL for no value.
496 ksba_cert_get_serial (ksba_cert_t cert)
503 if (!cert || !cert->initialized)
506 n = _ksba_asn_find_node (cert->root,
507 "Certificate.tbsCertificate.serialNumber");
509 return NULL; /* oops - should be there */
513 /* fputs ("get_serial problem at node:\n", stderr); */
514 /* _ksba_asn_node_dump_all (n, stderr); */
518 sprintf (numbuf,"(%u:", (unsigned int)n->len);
519 numbuflen = strlen (numbuf);
520 p = xtrymalloc (numbuflen + n->len + 2);
524 memcpy (p+numbuflen, cert->image + n->off + n->nhdr, n->len);
525 p[numbuflen + n->len] = ')';
526 p[numbuflen + n->len + 1] = 0;
531 /* Return a pointer to the DER encoding of the serial number in CERT in
532 PTR and the length of that field in LENGTH. */
534 _ksba_cert_get_serial_ptr (ksba_cert_t cert,
535 unsigned char const **ptr, size_t *length)
539 if (!cert || !cert->initialized || !ptr || !length)
540 return gpg_error (GPG_ERR_INV_VALUE);
541 n = _ksba_asn_find_node (cert->root,
542 "Certificate.tbsCertificate.serialNumber");
543 if (!n || n->off == -1)
544 return gpg_error (GPG_ERR_NO_VALUE);
546 *ptr = cert->image + n->off + n->nhdr;
553 /* Return a pointer to the DER encoding of the subject's DN in CERT in
554 PTR and the length of that object in LENGTH. */
556 _ksba_cert_get_subject_dn_ptr (ksba_cert_t cert,
557 unsigned char const **ptr, size_t *length)
561 if (!cert || !cert->initialized || !ptr || !length)
562 return gpg_error (GPG_ERR_INV_VALUE);
564 n = _ksba_asn_find_node (cert->root, "Certificate.tbsCertificate.subject");
566 return gpg_error (GPG_ERR_NO_VALUE); /* oops - should be there */
567 n = n->down; /* dereference the choice node */
569 return gpg_error (GPG_ERR_NO_VALUE);
570 *ptr = cert->image + n->off;
571 *length = n->nhdr + n->len;
577 /* Worker function for get_isssuer and get_subject. */
579 get_name (ksba_cert_t cert, int idx, int use_subject, char **result)
586 const unsigned char *der;
587 size_t off, derlen, seqlen;
589 if (!cert || !cert->initialized || !result)
590 return gpg_error (GPG_ERR_INV_VALUE);
592 return gpg_error (GPG_ERR_INV_INDEX);
596 { /* Get the required DN */
599 n = _ksba_asn_find_node (cert->root,
601 "Certificate.tbsCertificate.subject":
602 "Certificate.tbsCertificate.issuer") );
604 return gpg_error (GPG_ERR_NO_VALUE); /* oops - should be there */
605 n = n->down; /* dereference the choice node */
607 return gpg_error (GPG_ERR_NO_VALUE);
609 err = _ksba_dn_to_str (cert->image, n, &p);
616 /* get {issuer,subject}AltName */
617 for (i=0; !(err=ksba_cert_get_extension (cert, i, &oid, NULL,
618 &off, &derlen)); i++)
620 if (!strcmp (oid, (use_subject?
621 oidstr_subjectAltName:oidstr_issuerAltName)))
625 return err; /* no alt name or error*/
627 der = cert->image + off;
630 /* FIXME: We should use _ksba_name_new_from_der and ksba_name_enum here */
632 err = _ksba_ber_parse_tl (&der, &derlen, &ti);
635 if ( !(ti.class == CLASS_UNIVERSAL && ti.tag == TYPE_SEQUENCE
636 && ti.is_constructed) )
637 return gpg_error (GPG_ERR_INV_CERT_OBJ);
639 return gpg_error (GPG_ERR_NOT_DER_ENCODED);
642 return gpg_error (GPG_ERR_BAD_BER);
644 return gpg_error (GPG_ERR_INV_CERT_OBJ); /* empty sequence is not allowed */
648 err = _ksba_ber_parse_tl (&der, &derlen, &ti);
651 if (ti.class != CLASS_CONTEXT)
652 return gpg_error (GPG_ERR_INV_CERT_OBJ); /* we expected a tag */
654 return gpg_error (GPG_ERR_NOT_DER_ENCODED);
655 if (seqlen < ti.nhdr)
656 return gpg_error (GPG_ERR_BAD_BER);
658 if (seqlen < ti.length)
659 return gpg_error (GPG_ERR_BAD_BER);
661 if (derlen < ti.length)
662 return gpg_error (GPG_ERR_BAD_BER);
663 if (!(ti.tag == 1 || ti.tag == 2 || ti.tag == 6))
664 ; /* Not a supported tag: Do not change IDX. */
666 ; /* not yet at the desired index */
667 else if (ti.tag == 1)
668 { /* rfc822Name - this is an implicit IA5_STRING */
669 p = xtrymalloc (ti.length+3);
671 return gpg_error (GPG_ERR_ENOMEM);
673 memcpy (p+1, der, ti.length);
674 p[ti.length+1] = '>';
679 else if (ti.tag == 2 || ti.tag == 6)
680 { /* dNSName or URI - this are implicit IA5_STRINGs */
681 char numbuf[20], *numbufp;
684 numbufp = smklen (numbuf, DIM(numbuf), ti.length, &numbuflen);
685 p = xtrymalloc (11 + numbuflen + ti.length + 3);
687 return gpg_error (GPG_ERR_ENOMEM);
689 p = stpcpy (p, ti.tag == 2? "(8:dns-name" : "(3:uri");
690 p = stpcpy (p, numbufp);
691 memcpy (p, der, ti.length);
698 /* advance pointer */
703 return gpg_error (GPG_ERR_EOF);
709 * ksba_cert_get_issuer:
710 * @cert: certificate object
712 * With @idx == 0 this function returns the Distinguished Name (DN) of
713 * the certificate issuer which in most cases is a CA. The format of
714 * the returned string is in accordance with RFC-2253. NULL is
715 * returned if the DN is not available which is an error and should
716 * have been catched by the certificate reading function.
718 * With @idx > 0 the function may be used to enumerate alternate
719 * issuer names. The function returns NULL if there are no more
720 * alternate names. The function does only return alternate names
721 * which are recognized by libksba and ignores others. The format of
722 * the returned name is either a RFC-2253 formated one which can be
723 * detected by checking whether the first character is letter or
724 * digit. rfc-2822 conform email addresses are returned enclosed in
725 * angle brackets, the opening angle bracket should be used to
726 * indicate this. Other formats are returned as an S-Expression in
727 * canonical format, so a opening parenthesis may be used to detect
728 * this encoding, the name may include binary null characters, so
729 * strlen may return a length shorther than actually used, the real
730 * length is implictly given by the structure of the S-Exp, an extra
731 * null is appended for safety reasons.
733 * The caller must free the returned string using ksba_free() or the
734 * function he has registered as a replacement.
736 * Return value: An allocated string or NULL for error.
739 ksba_cert_get_issuer (ksba_cert_t cert, int idx)
744 err = get_name (cert, idx, 0, &name);
747 cert->last_error = err;
753 /* See ..get_issuer */
755 ksba_cert_get_subject (ksba_cert_t cert, int idx)
760 err = get_name (cert, idx, 1, &name);
763 cert->last_error = err;
772 * ksba_cert_get_valididy:
773 * @cert: certificate object
774 * @what: 0 for notBefore, 1 for notAfter
775 * @timebuf: Returns the time.
777 * Return the validity object from the certificate. If no value is
778 * available 0 is returned because we can safely assume that this is
781 * Return value: The time value an 0 or an error code.
784 ksba_cert_get_validity (ksba_cert_t cert, int what, ksba_isotime_t timebuf)
788 if (!cert || what < 0 || what > 1)
789 return gpg_error (GPG_ERR_INV_VALUE);
791 if (!cert->initialized)
792 return gpg_error (GPG_ERR_NO_DATA);
794 n = _ksba_asn_find_node (cert->root,
795 what == 0? "Certificate.tbsCertificate.validity.notBefore"
796 : "Certificate.tbsCertificate.validity.notAfter");
798 return 0; /* no value available */
800 /* Fixme: We should remove the choice node and don't use this ugly hack */
801 for (n2=n->down; n2; n2 = n2->right)
803 if ((n2->type == TYPE_UTC_TIME || n2->type == TYPE_GENERALIZED_TIME)
809 return 0; /* no value available */
811 return_val_if_fail (n->off != -1, gpg_error (GPG_ERR_BUG));
813 return _ksba_asntime_to_iso (cert->image + n->off + n->nhdr, n->len,
814 n->type == TYPE_UTC_TIME, timebuf);
820 ksba_cert_get_public_key (ksba_cert_t cert)
828 if (!cert->initialized)
831 n = _ksba_asn_find_node (cert->root,
833 ".tbsCertificate.subjectPublicKeyInfo");
836 cert->last_error = gpg_error (GPG_ERR_NO_VALUE);
840 err = _ksba_keyinfo_to_sexp (cert->image + n->off, n->nhdr + n->len,
844 cert->last_error = err;
851 /* Return a pointer to the DER encoding of the actual public key
852 (i.e. the bit string) in PTR and the length of that object in
855 _ksba_cert_get_public_key_ptr (ksba_cert_t cert,
856 unsigned char const **ptr, size_t *length)
860 if (!cert || !cert->initialized || !ptr || !length)
861 return gpg_error (GPG_ERR_INV_VALUE);
863 n = _ksba_asn_find_node (cert->root,
864 "Certificate.tbsCertificate.subjectPublicKeyInfo");
865 if (!n || !n->down || !n->down->right)
866 return gpg_error (GPG_ERR_NO_VALUE); /* oops - should be there */
869 return gpg_error (GPG_ERR_NO_VALUE);
870 *ptr = cert->image + n->off + n->nhdr;
872 /* Somehow we end up at the preceding NULL value, and not at a
873 sequence, we hack it way here. */
874 if (*length && !**ptr)
886 ksba_cert_get_sig_val (ksba_cert_t cert)
894 if (!cert->initialized)
897 n = _ksba_asn_find_node (cert->root,
898 "Certificate.signatureAlgorithm");
901 cert->last_error = gpg_error (GPG_ERR_NO_VALUE);
906 /* fputs ("ksba_cert_get_sig_val problem at node:\n", stderr); */
907 /* _ksba_asn_node_dump_all (n, stderr); */
908 cert->last_error = gpg_error (GPG_ERR_NO_VALUE);
913 err = _ksba_sigval_to_sexp (cert->image + n->off,
915 + ((!n2||n2->off == -1)? 0:(n2->nhdr+n2->len)),
919 cert->last_error = err;
927 /* Read all extensions into the cache */
929 read_extensions (ksba_cert_t cert)
934 assert (!cert->cache.extns_valid);
935 assert (!cert->cache.extns);
937 start = _ksba_asn_find_node (cert->root,
938 "Certificate.tbsCertificate.extensions..");
939 for (count=0, n=start; n; n = n->right)
943 cert->cache.n_extns = 0;
944 cert->cache.extns_valid = 1;
945 return 0; /* no extensions at all */
947 cert->cache.extns = xtrycalloc (count, sizeof *cert->cache.extns);
948 if (!cert->cache.extns)
949 return gpg_error (GPG_ERR_ENOMEM);
950 cert->cache.n_extns = count;
953 for (count=0; start; start = start->right, count++)
956 if (!n || n->type != TYPE_OBJECT_ID)
959 cert->cache.extns[count].oid = _ksba_oid_node_to_str (cert->image, n);
960 if (!cert->cache.extns[count].oid)
964 if (n && n->type == TYPE_BOOLEAN)
966 if (n->off != -1 && n->len && cert->image[n->off + n->nhdr])
967 cert->cache.extns[count].crit = 1;
971 if (!n || n->type != TYPE_OCTET_STRING || n->off == -1)
974 cert->cache.extns[count].off = n->off + n->nhdr;
975 cert->cache.extns[count].len = n->len;
978 assert (count == cert->cache.n_extns);
979 cert->cache.extns_valid = 1;
983 for (count=0; count < cert->cache.n_extns; count++)
984 xfree (cert->cache.extns[count].oid);
985 xfree (cert->cache.extns);
986 cert->cache.extns = NULL;
987 return gpg_error (GPG_ERR_NO_VALUE);
992 /* Return information about the IDX nth extension */
994 ksba_cert_get_extension (ksba_cert_t cert, int idx,
995 char const **r_oid, int *r_crit,
996 size_t *r_deroff, size_t *r_derlen)
1001 return gpg_error (GPG_ERR_INV_VALUE);
1002 if (!cert->initialized)
1003 return gpg_error (GPG_ERR_NO_DATA);
1005 if (!cert->cache.extns_valid)
1007 err = read_extensions (cert);
1010 assert (cert->cache.extns_valid);
1013 if (idx == cert->cache.n_extns)
1014 return gpg_error (GPG_ERR_EOF); /* No more extensions. */
1016 if (idx < 0 || idx >= cert->cache.n_extns)
1017 return gpg_error (GPG_ERR_INV_INDEX);
1020 *r_oid = cert->cache.extns[idx].oid;
1022 *r_crit = cert->cache.extns[idx].crit;
1024 *r_deroff = cert->cache.extns[idx].off;
1026 *r_derlen = cert->cache.extns[idx].len;
1032 /* Return information on the basicConstraint (2.5.19.19) of CERT.
1033 R_CA receives true if this is a CA and only in that case R_PATHLEN
1034 is set to the maximim certification path length or -1 if there is
1035 nosuch limitation */
1037 ksba_cert_is_ca (ksba_cert_t cert, int *r_ca, int *r_pathlen)
1042 size_t off, derlen, seqlen;
1043 const unsigned char *der;
1045 unsigned long value;
1047 /* set default values */
1052 for (idx=0; !(err=ksba_cert_get_extension (cert, idx, &oid, &crit,
1053 &off, &derlen)); idx++)
1055 if (!strcmp (oid, oidstr_basicConstraints))
1058 if (gpg_err_code (err) == GPG_ERR_EOF)
1059 return 0; /* no such constraint */
1063 /* check that there is only one */
1064 for (idx++; !(err=ksba_cert_get_extension (cert, idx, &oid, NULL,
1065 NULL, NULL)); idx++)
1067 if (!strcmp (oid, oidstr_basicConstraints))
1068 return gpg_error (GPG_ERR_DUP_VALUE);
1071 der = cert->image + off;
1073 err = _ksba_ber_parse_tl (&der, &derlen, &ti);
1076 if ( !(ti.class == CLASS_UNIVERSAL && ti.tag == TYPE_SEQUENCE
1077 && ti.is_constructed) )
1078 return gpg_error (GPG_ERR_INV_CERT_OBJ);
1080 return gpg_error (GPG_ERR_NOT_DER_ENCODED);
1082 if (seqlen > derlen)
1083 return gpg_error (GPG_ERR_BAD_BER);
1085 return 0; /* an empty sequence is allowed because both elements
1088 err = _ksba_ber_parse_tl (&der, &derlen, &ti);
1091 if (seqlen < ti.nhdr)
1092 return gpg_error (GPG_ERR_BAD_BER);
1094 if (seqlen < ti.length)
1095 return gpg_error (GPG_ERR_BAD_BER);
1096 seqlen -= ti.length;
1098 if (ti.class == CLASS_UNIVERSAL && ti.tag == TYPE_BOOLEAN)
1101 return gpg_error (GPG_ERR_ENCODING_PROBLEM);
1106 return 0; /* ready (no pathlength) */
1108 err = _ksba_ber_parse_tl (&der, &derlen, &ti);
1111 if (seqlen < ti.nhdr)
1112 return gpg_error (GPG_ERR_BAD_BER);
1114 if (seqlen < ti.length)
1115 return gpg_error (GPG_ERR_BAD_BER);
1116 seqlen -= ti.length;
1119 if (!(ti.class == CLASS_UNIVERSAL && ti.tag == TYPE_INTEGER))
1120 return gpg_error (GPG_ERR_INV_CERT_OBJ);
1122 for (value=0; ti.length; ti.length--)
1125 value |= (*der++) & 0xff;
1131 /* if the extension is marked as critical and any stuff is still
1132 left we better return an error */
1134 return gpg_error (GPG_ERR_INV_CERT_OBJ);
1141 /* Get the key usage flags. The function returns Ksba_No_Data if no
1142 key usage is specified. */
1144 ksba_cert_get_key_usage (ksba_cert_t cert, unsigned int *r_flags)
1150 const unsigned char *der;
1152 unsigned int bits, mask;
1153 int i, unused, full;
1156 return gpg_error (GPG_ERR_INV_VALUE);
1158 for (idx=0; !(err=ksba_cert_get_extension (cert, idx, &oid, &crit,
1159 &off, &derlen)); idx++)
1161 if (!strcmp (oid, oidstr_keyUsage))
1164 if (gpg_err_code (err) == GPG_ERR_EOF
1165 || gpg_err_code (err) == GPG_ERR_NO_VALUE)
1166 return gpg_error (GPG_ERR_NO_DATA); /* no key usage */
1170 /* check that there is only one */
1171 for (idx++; !(err=ksba_cert_get_extension (cert, idx, &oid, NULL,
1172 NULL, NULL)); idx++)
1174 if (!strcmp (oid, oidstr_keyUsage))
1175 return gpg_error (GPG_ERR_DUP_VALUE);
1178 der = cert->image + off;
1180 err = _ksba_ber_parse_tl (&der, &derlen, &ti);
1183 if ( !(ti.class == CLASS_UNIVERSAL && ti.tag == TYPE_BIT_STRING
1184 && !ti.is_constructed) )
1185 return gpg_error (GPG_ERR_INV_CERT_OBJ);
1187 return gpg_error (GPG_ERR_NOT_DER_ENCODED);
1188 if (!ti.length || ti.length > derlen)
1189 return gpg_error (GPG_ERR_ENCODING_PROBLEM); /* number of unused bits missing */
1190 unused = *der++; derlen--;
1192 if ((!ti.length && unused) || unused/8 > ti.length)
1193 return gpg_error (GPG_ERR_ENCODING_PROBLEM);
1195 full = ti.length - (unused+7)/8;
1198 for (i=1; unused; i <<= 1, unused--)
1201 /* the first octet */
1203 return 0; /* no bits set */
1204 bits = *der++; derlen--; ti.length--;
1212 *r_flags |= KSBA_KEYUSAGE_DIGITAL_SIGNATURE;
1214 *r_flags |= KSBA_KEYUSAGE_NON_REPUDIATION;
1216 *r_flags |= KSBA_KEYUSAGE_KEY_ENCIPHERMENT;
1218 *r_flags |= KSBA_KEYUSAGE_DATA_ENCIPHERMENT;
1220 *r_flags |= KSBA_KEYUSAGE_KEY_AGREEMENT;
1222 *r_flags |= KSBA_KEYUSAGE_KEY_CERT_SIGN;
1224 *r_flags |= KSBA_KEYUSAGE_CRL_SIGN;
1226 *r_flags |= KSBA_KEYUSAGE_ENCIPHER_ONLY;
1228 /* the second octet */
1230 return 0; /* no bits set */
1231 bits = *der++; derlen--; ti.length--;
1239 *r_flags |= KSBA_KEYUSAGE_DECIPHER_ONLY;
1246 /* Note, that this helper is also used for ext_key_usage. */
1248 append_cert_policy (char **policies, const char *oid, int crit)
1254 *policies = xtrymalloc (strlen (oid) + 4);
1256 return gpg_error (GPG_ERR_ENOMEM);
1261 char *tmp = xtryrealloc (*policies,
1262 strlen(*policies) + 1 + strlen (oid) + 4);
1264 return gpg_error (GPG_ERR_ENOMEM);
1266 p = stpcpy (tmp+strlen (tmp), "\n");;
1269 strcpy (stpcpy (p, oid), crit? ":C:": ":N:");
1274 /* Return a string with the certificatePolicies delimited by
1275 linefeeds. The return values may be extended to carry more
1276 information er line, so the caller should only use the first
1277 white-space delimited token per line. The function returns
1278 GPG_ERR_NO_DATA when this extension is not used. Caller must free
1279 the returned value. */
1281 ksba_cert_get_cert_policies (ksba_cert_t cert, char **r_policies)
1286 size_t off, derlen, seqlen;
1287 const unsigned char *der;
1290 if (!cert || !r_policies)
1291 return gpg_error (GPG_ERR_INV_VALUE);
1294 for (idx=0; !(err=ksba_cert_get_extension (cert, idx, &oid, &crit,
1295 &off, &derlen)); idx++)
1297 if (!strcmp (oid, oidstr_certificatePolicies))
1301 der = cert->image + off;
1303 err = _ksba_ber_parse_tl (&der, &derlen, &ti);
1306 if ( !(ti.class == CLASS_UNIVERSAL && ti.tag == TYPE_SEQUENCE
1307 && ti.is_constructed) )
1309 err = gpg_error (GPG_ERR_INV_CERT_OBJ);
1314 err = gpg_error (GPG_ERR_NOT_DER_ENCODED);
1318 if (seqlen > derlen)
1320 err = gpg_error (GPG_ERR_BAD_BER);
1327 err = _ksba_ber_parse_tl (&der, &derlen, &ti);
1330 if ( !(ti.class == CLASS_UNIVERSAL && ti.tag == TYPE_SEQUENCE
1331 && ti.is_constructed) )
1333 err = gpg_error (GPG_ERR_INV_CERT_OBJ);
1338 err = gpg_error (GPG_ERR_NOT_DER_ENCODED);
1341 if (ti.length > derlen)
1343 err = gpg_error (GPG_ERR_BAD_BER);
1348 /* We do not accept an empty inner SEQ */
1349 err = gpg_error (GPG_ERR_INV_CERT_OBJ);
1352 if (ti.nhdr+ti.length > seqlen)
1354 err = gpg_error (GPG_ERR_BAD_BER);
1357 seqlen -= ti.nhdr + ti.length;
1358 seqseqlen = ti.length;
1360 err = _ksba_ber_parse_tl (&der, &derlen, &ti);
1363 if ( !(ti.class == CLASS_UNIVERSAL && ti.tag == TYPE_OBJECT_ID))
1365 err = gpg_error (GPG_ERR_INV_CERT_OBJ);
1368 if (ti.length > derlen)
1370 err = gpg_error (GPG_ERR_BAD_BER);
1373 if (ti.nhdr+ti.length > seqseqlen)
1375 err = gpg_error (GPG_ERR_BAD_BER);
1378 seqseqlen -= ti.nhdr;
1380 suboid = ksba_oid_to_str (der, ti.length);
1383 err = gpg_error (GPG_ERR_ENOMEM);
1387 derlen -= ti.length;
1388 seqseqlen -= ti.length;
1390 err = append_cert_policy (r_policies, suboid, crit);
1395 /* skip the rest of the seq which is more or less optional */
1397 derlen -= seqseqlen;
1402 if (gpg_err_code (err) == GPG_ERR_EOF)
1404 if (!*r_policies || gpg_err_code (err) == GPG_ERR_NO_VALUE)
1405 err = gpg_error (GPG_ERR_NO_DATA);
1410 xfree (*r_policies);
1417 /* Return a string with the extendedKeyUsageOIDs delimited by
1418 linefeeds. The return values may be extended to carry more
1419 information per line, so the caller should only use the first
1420 white-space delimited token per line. The function returns
1421 GPG_ERR_NO_DATA when this extension is not used. Caller must free
1422 the returned value. */
1424 ksba_cert_get_ext_key_usages (ksba_cert_t cert, char **result)
1430 const unsigned char *der;
1433 if (!cert || !result)
1434 return gpg_error (GPG_ERR_INV_VALUE);
1437 for (idx=0; !(err=ksba_cert_get_extension (cert, idx, &oid, &crit,
1438 &off, &derlen)); idx++)
1440 if (!strcmp (oid, oidstr_extKeyUsage))
1444 der = cert->image + off;
1446 err = _ksba_ber_parse_tl (&der, &derlen, &ti);
1449 if ( !(ti.class == CLASS_UNIVERSAL && ti.tag == TYPE_SEQUENCE
1450 && ti.is_constructed) )
1452 err = gpg_error (GPG_ERR_INV_CERT_OBJ);
1457 err = gpg_error (GPG_ERR_NOT_DER_ENCODED);
1460 if (ti.length > derlen)
1462 err = gpg_error (GPG_ERR_BAD_BER);
1467 err = _ksba_ber_parse_tl (&der, &derlen, &ti);
1470 if ( !(ti.class == CLASS_UNIVERSAL && ti.tag == TYPE_OBJECT_ID))
1472 err = gpg_error (GPG_ERR_INV_CERT_OBJ);
1477 err = gpg_error (GPG_ERR_NOT_DER_ENCODED);
1480 if (ti.length > derlen)
1482 err = gpg_error (GPG_ERR_BAD_BER);
1486 suboid = ksba_oid_to_str (der, ti.length);
1489 err = gpg_error (GPG_ERR_ENOMEM);
1493 derlen -= ti.length;
1495 err = append_cert_policy (result, suboid, crit);
1503 if (gpg_err_code (err) == GPG_ERR_EOF)
1505 if (!*result || gpg_err_code (err) == GPG_ERR_NO_VALUE)
1506 err = gpg_error (GPG_ERR_NO_DATA);
1520 /* Helper function for ksba_cert_get_crl_dist_point */
1522 parse_distribution_point (const unsigned char *der, size_t derlen,
1523 ksba_name_t *distpoint, ksba_name_t *issuer,
1524 ksba_crl_reason_t *reason)
1529 err = _ksba_ber_parse_tl (&der, &derlen, &ti);
1532 if (ti.class != CLASS_CONTEXT)
1533 return gpg_error (GPG_ERR_INV_CERT_OBJ); /* we expected a tag */
1535 return gpg_error (GPG_ERR_NOT_DER_ENCODED);
1536 if (derlen < ti.length)
1537 return gpg_error (GPG_ERR_BAD_BER);
1539 if (ti.tag == 0 && derlen)
1540 { /* distributionPointName */
1541 err = _ksba_ber_parse_tl (&der, &derlen, &ti);
1544 if (ti.class != CLASS_CONTEXT)
1545 return gpg_error (GPG_ERR_INV_CERT_OBJ); /* we expected a tag */
1547 return gpg_error (GPG_ERR_NOT_DER_ENCODED);
1548 if (derlen < ti.nhdr)
1549 return gpg_error (GPG_ERR_BAD_BER);
1550 if (derlen < ti.length)
1551 return gpg_error (GPG_ERR_BAD_BER);
1557 err = _ksba_name_new_from_der (distpoint, der, ti.length);
1564 /* We don't support nameRelativeToCRLIssuer yet*/
1567 derlen -= ti.length;
1572 /* read the next optional element */
1573 err = _ksba_ber_parse_tl (&der, &derlen, &ti);
1576 if (ti.class != CLASS_CONTEXT)
1577 return gpg_error (GPG_ERR_INV_CERT_OBJ); /* we expected a tag */
1579 return gpg_error (GPG_ERR_NOT_DER_ENCODED);
1580 if (derlen < ti.length)
1581 return gpg_error (GPG_ERR_BAD_BER);
1584 if (ti.tag == 1 && derlen)
1586 unsigned int bits, mask;
1587 int i, unused, full;
1589 unused = *der++; derlen--;
1591 if ((!ti.length && unused) || unused/8 > ti.length)
1592 return gpg_error (GPG_ERR_ENCODING_PROBLEM);
1594 full = ti.length - (unused+7)/8;
1597 for (i=1; unused; i <<= 1, unused--)
1600 /* we are only required to look at the first octect */
1601 if (ti.length && reason)
1612 *reason |= KSBA_CRLREASON_UNSPECIFIED;
1614 *reason |= KSBA_CRLREASON_KEY_COMPROMISE;
1616 *reason |= KSBA_CRLREASON_CA_COMPROMISE;
1618 *reason |= KSBA_CRLREASON_AFFILIATION_CHANGED;
1620 *reason |= KSBA_CRLREASON_SUPERSEDED;
1622 *reason |= KSBA_CRLREASON_CESSATION_OF_OPERATION;
1624 *reason |= KSBA_CRLREASON_CERTIFICATE_HOLD;
1628 derlen -= ti.length;
1633 /* read the next optional element */
1634 err = _ksba_ber_parse_tl (&der, &derlen, &ti);
1637 if (ti.class != CLASS_CONTEXT)
1638 return gpg_error (GPG_ERR_INV_CERT_OBJ); /* we expected a tag */
1640 return gpg_error (GPG_ERR_NOT_DER_ENCODED);
1641 if (derlen < ti.length)
1642 return gpg_error (GPG_ERR_BAD_BER);
1645 if (ti.tag == 2 && derlen)
1649 err = _ksba_name_new_from_der (issuer, der, ti.length);
1655 derlen -= ti.length;
1659 return gpg_error (GPG_ERR_INV_CERT_OBJ);
1664 /* Return the CRLDistPoints given in the cert extension. IDX should
1665 be iterated started from 0 until the function returns -1.
1666 R_DISTPOINT returns a ksba_name_t object with the distribution point
1667 name(s) the return value may be NULL to indicate that this name is
1668 not available. R_ISSUER returns the CRL issuer; if the returned
1669 value is NULL the caller should assume that the CRL issuer is the
1670 same as the certificate issuer. R_REASON returns the reason for
1671 the CRL. This is a bit encoded value with no bit set if this has
1672 not been specified in the cert.
1674 The caller may pass NULL to any of the pointer arguments if he is
1675 not interested in this value. The return values for R_DISTPOINT
1676 and R_ISSUER must be released by the caller using
1677 ksba_name_release(). */
1680 ksba_cert_get_crl_dist_point (ksba_cert_t cert, int idx,
1681 ksba_name_t *r_distpoint,
1682 ksba_name_t *r_issuer,
1683 ksba_crl_reason_t *r_reason)
1691 *r_distpoint = NULL;
1697 for (myidx=0; !(err=ksba_cert_get_extension (cert, myidx, &oid, &crit,
1698 &off, &derlen)); myidx++)
1700 if (!strcmp (oid, oidstr_crlDistributionPoints))
1702 const unsigned char *der;
1706 der = cert->image + off;
1708 err = _ksba_ber_parse_tl (&der, &derlen, &ti);
1711 if ( !(ti.class == CLASS_UNIVERSAL && ti.tag == TYPE_SEQUENCE
1712 && ti.is_constructed) )
1713 return gpg_error (GPG_ERR_INV_CERT_OBJ);
1715 return gpg_error (GPG_ERR_NOT_DER_ENCODED);
1717 if (seqlen > derlen)
1718 return gpg_error (GPG_ERR_BAD_BER);
1720 /* Note: an empty sequence is actually not allowed but we
1721 better don't care */
1725 err = _ksba_ber_parse_tl (&der, &derlen, &ti);
1728 if ( !(ti.class == CLASS_UNIVERSAL && ti.tag == TYPE_SEQUENCE
1729 && ti.is_constructed) )
1730 return gpg_error (GPG_ERR_INV_CERT_OBJ);
1731 if (derlen < ti.length)
1732 return gpg_error (GPG_ERR_BAD_BER);
1733 if (seqlen < ti.nhdr)
1734 return gpg_error (GPG_ERR_BAD_BER);
1736 if (seqlen < ti.length)
1737 return gpg_error (GPG_ERR_BAD_BER);
1740 { /* skip because we are not yet at the desired index */
1742 derlen -= ti.length;
1743 seqlen -= ti.length;
1751 err = parse_distribution_point (der, ti.length,
1752 r_distpoint, r_issuer, r_reason);
1753 if (err && r_distpoint)
1755 ksba_name_release (*r_distpoint);
1756 *r_distpoint = NULL;
1758 if (err && r_issuer)
1760 ksba_name_release (*r_issuer);
1763 if (err && r_reason)
1775 /* Return the authorityKeyIdentifier in R_NAME and R_SERIAL or/and in
1776 R_KEYID. GPG_ERR_NO_DATA is returned if no authorityKeyIdentifier
1777 or only one using the keyIdentifier method is available and R_KEYID
1780 ksba_cert_get_auth_key_id (ksba_cert_t cert,
1781 ksba_sexp_t *r_keyid,
1782 ksba_name_t *r_name,
1783 ksba_sexp_t *r_serial)
1788 const unsigned char *der;
1789 const unsigned char *keyid_der = NULL;
1790 size_t keyid_derlen = 0;
1798 if (!r_name || !r_serial)
1799 return gpg_error (GPG_ERR_INV_VALUE);
1803 for (idx=0; !(err=ksba_cert_get_extension (cert, idx, &oid, &crit,
1804 &off, &derlen)); idx++)
1806 if (!strcmp (oid, oidstr_authorityKeyIdentifier))
1809 if (gpg_err_code (err) == GPG_ERR_EOF
1810 || gpg_err_code (err) == GPG_ERR_NO_VALUE)
1811 return gpg_error (GPG_ERR_NO_DATA); /* not available */
1815 /* check that there is only one */
1816 for (idx++; !(err=ksba_cert_get_extension (cert, idx, &oid, NULL,
1817 NULL, NULL)); idx++)
1819 if (!strcmp (oid, oidstr_authorityKeyIdentifier))
1820 return gpg_error (GPG_ERR_DUP_VALUE);
1823 der = cert->image + off;
1825 err = _ksba_ber_parse_tl (&der, &derlen, &ti);
1828 if ( !(ti.class == CLASS_UNIVERSAL && ti.tag == TYPE_SEQUENCE
1829 && ti.is_constructed) )
1830 return gpg_error (GPG_ERR_INV_CERT_OBJ);
1832 return gpg_error (GPG_ERR_NOT_DER_ENCODED);
1833 if (ti.length > derlen)
1834 return gpg_error (GPG_ERR_BAD_BER);
1836 err = _ksba_ber_parse_tl (&der, &derlen, &ti);
1839 if (ti.class != CLASS_CONTEXT)
1840 return gpg_error (GPG_ERR_INV_CERT_OBJ); /* we expected a tag */
1842 return gpg_error (GPG_ERR_NOT_DER_ENCODED);
1843 if (derlen < ti.length)
1844 return gpg_error (GPG_ERR_BAD_BER);
1847 { /* keyIdentifier: Save it away and skip over it. */
1849 keyid_derlen = ti.length;
1852 derlen -= ti.length;
1853 /* If the keyid has been requested but no other data follows, we
1854 directly jump to the end. */
1855 if (r_keyid && !derlen)
1858 return gpg_error (GPG_ERR_NO_DATA); /* not available */
1859 err = _ksba_ber_parse_tl (&der, &derlen, &ti);
1862 if (ti.class != CLASS_CONTEXT)
1863 return gpg_error (GPG_ERR_INV_CERT_OBJ); /* we expected a tag */
1865 return gpg_error (GPG_ERR_NOT_DER_ENCODED);
1866 if (derlen < ti.length)
1867 return gpg_error (GPG_ERR_BAD_BER);
1870 if (ti.tag != 1 || !derlen)
1871 return gpg_error (GPG_ERR_INV_CERT_OBJ);
1873 err = _ksba_name_new_from_der (r_name, der, ti.length);
1878 derlen -= ti.length;
1880 /* fixme: we should release r_name before returning on error */
1881 err = _ksba_ber_parse_tl (&der, &derlen, &ti);
1884 if (ti.class != CLASS_CONTEXT)
1885 return gpg_error (GPG_ERR_INV_CERT_OBJ); /* we expected a tag */
1887 return gpg_error (GPG_ERR_NOT_DER_ENCODED);
1888 if (derlen < ti.length)
1889 return gpg_error (GPG_ERR_BAD_BER);
1891 if (ti.tag != 2 || !derlen)
1892 return gpg_error (GPG_ERR_INV_CERT_OBJ);
1894 sprintf (numbuf,"(%u:", (unsigned int)ti.length);
1895 numbuflen = strlen (numbuf);
1896 *r_serial = xtrymalloc (numbuflen + ti.length + 2);
1898 return gpg_error (GPG_ERR_ENOMEM);
1899 strcpy (*r_serial, numbuf);
1900 memcpy (*r_serial+numbuflen, der, ti.length);
1901 (*r_serial)[numbuflen + ti.length] = ')';
1902 (*r_serial)[numbuflen + ti.length + 1] = 0;
1905 if (r_keyid && keyid_der && keyid_derlen)
1907 sprintf (numbuf,"(%u:", (unsigned int)keyid_derlen);
1908 numbuflen = strlen (numbuf);
1909 *r_keyid = xtrymalloc (numbuflen + keyid_derlen + 2);
1911 return gpg_error (GPG_ERR_ENOMEM);
1912 strcpy (*r_keyid, numbuf);
1913 memcpy (*r_keyid+numbuflen, keyid_der, keyid_derlen);
1914 (*r_keyid)[numbuflen + keyid_derlen] = ')';
1915 (*r_keyid)[numbuflen + keyid_derlen + 1] = 0;
1921 /* Return a simple octet string extension at the object identifier OID
1922 from certificate CERT. The data is return as a simple S-expression
1923 and stored at R_DATA. Returns 0 on success or an error code.
1924 common error codes are: GPG_ERR_NO_DATA if no such extension is
1925 available, GPG_ERR_DUP_VALUE if more than one is available. If
1926 R_CRIT is not NULL, the critical extension flag will be stored at
1929 get_simple_octet_string_ext (ksba_cert_t cert, const char *oid,
1930 int *r_crit, ksba_sexp_t *r_data)
1935 const unsigned char *der;
1942 return gpg_error (GPG_ERR_INV_VALUE);
1945 for (idx=0; !(err=ksba_cert_get_extension (cert, idx, &tmpoid, &crit,
1946 &off, &derlen)); idx++)
1948 if (!strcmp (tmpoid, oid))
1953 if (gpg_err_code (err) == GPG_ERR_EOF
1954 || gpg_err_code (err) == GPG_ERR_NO_VALUE)
1955 return gpg_error (GPG_ERR_NO_DATA);
1959 /* Check that there is only one */
1960 for (idx++; !(err=ksba_cert_get_extension (cert, idx, &tmpoid, NULL,
1961 NULL, NULL)); idx++)
1963 if (!strcmp (tmpoid, oid))
1964 return gpg_error (GPG_ERR_DUP_VALUE);
1967 der = cert->image + off;
1969 err = _ksba_ber_parse_tl (&der, &derlen, &ti);
1972 if ( !(ti.class == CLASS_UNIVERSAL && ti.tag == TYPE_OCTET_STRING
1973 && !ti.is_constructed) )
1974 return gpg_error (GPG_ERR_INV_CERT_OBJ);
1976 return gpg_error (GPG_ERR_NOT_DER_ENCODED);
1977 if (ti.length > derlen)
1978 return gpg_error (GPG_ERR_BAD_BER);
1979 if (ti.length != derlen)
1980 return gpg_error (GPG_ERR_INV_CERT_OBJ); /* Garbage follows. */
1982 sprintf (numbuf,"(%u:", (unsigned int)ti.length);
1983 numbuflen = strlen (numbuf);
1984 *r_data = xtrymalloc (numbuflen + ti.length + 2);
1986 return gpg_error (GPG_ERR_ENOMEM);
1987 strcpy (*r_data, numbuf);
1988 memcpy (*r_data+numbuflen, der, ti.length);
1989 (*r_data)[numbuflen + ti.length] = ')';
1990 (*r_data)[numbuflen + ti.length + 1] = 0;
1997 /* Return the subjectKeyIdentifier extension as a simple allocated
1998 S-expression at the address of R_KEYID. 0 is returned on success,
1999 GPG_ERR_NO_DATA if no such extension is available or any other
2000 error code. If R_CRIT is not passed as NULL, the criticla flag of
2001 this is extension is stored there. */
2003 ksba_cert_get_subj_key_id (ksba_cert_t cert, int *r_crit, ksba_sexp_t *r_keyid)
2005 return get_simple_octet_string_ext (cert, oidstr_subjectKeyIdentifier,
2011 /* MODE 0 := authorityInfoAccess
2012 1 := subjectInfoAccess
2014 Caller must release METHOD and LOCATION if the function returned
2015 with success; on error both variables will point to NULL.
2018 get_info_access (ksba_cert_t cert, int idx, int mode,
2019 char **method, ksba_name_t *location)
2029 if (!cert || !cert->initialized)
2030 return gpg_error (GPG_ERR_INV_VALUE);
2032 return gpg_error (GPG_ERR_INV_INDEX);
2034 for (myidx=0; !(err=ksba_cert_get_extension (cert, myidx, &oid, &crit,
2035 &off, &derlen)); myidx++)
2037 if (!strcmp (oid,(mode == 0)? oidstr_authorityInfoAccess
2038 : oidstr_subjectInfoAccess) )
2040 const unsigned char *der;
2044 der = cert->image + off;
2046 /* What we are going to parse is:
2048 * AuthorityInfoAccessSyntax ::=
2049 * SEQUENCE SIZE (1..MAX) OF AccessDescription
2051 * AccessDescription ::= SEQUENCE {
2052 * accessMethod OBJECT IDENTIFIER,
2053 * accessLocation GeneralName }
2055 err = _ksba_ber_parse_tl (&der, &derlen, &ti);
2058 if ( !(ti.class == CLASS_UNIVERSAL && ti.tag == TYPE_SEQUENCE
2059 && ti.is_constructed) )
2060 return gpg_error (GPG_ERR_INV_CERT_OBJ);
2062 return gpg_error (GPG_ERR_NOT_DER_ENCODED);
2064 if (seqlen > derlen)
2065 return gpg_error (GPG_ERR_BAD_BER);
2067 /* Note: an empty sequence is actually not allowed but we
2068 better don't care. */
2072 err = _ksba_ber_parse_tl (&der, &derlen, &ti);
2075 if ( !(ti.class == CLASS_UNIVERSAL && ti.tag == TYPE_SEQUENCE
2076 && ti.is_constructed) )
2077 return gpg_error (GPG_ERR_INV_CERT_OBJ);
2078 if (derlen < ti.length)
2079 return gpg_error (GPG_ERR_BAD_BER);
2080 if (seqlen < ti.nhdr)
2081 return gpg_error (GPG_ERR_BAD_BER);
2083 if (seqlen < ti.length)
2084 return gpg_error (GPG_ERR_BAD_BER);
2087 { /* Skip because we are not yet at the desired index. */
2089 derlen -= ti.length;
2090 seqlen -= ti.length;
2094 /* We only need the next object, thus we can (and
2095 actually need to) limit the DERLEN to the length of
2096 the current sequence. */
2099 return gpg_error (GPG_ERR_INV_CERT_OBJ);
2101 err = _ksba_ber_parse_tl (&der, &derlen, &ti);
2105 if ( !(ti.class == CLASS_UNIVERSAL && ti.tag == TYPE_OBJECT_ID
2106 && !ti.is_constructed))
2107 return gpg_error (GPG_ERR_INV_CERT_OBJ);
2109 return gpg_error (GPG_ERR_NOT_DER_ENCODED);
2110 if (derlen < ti.length)
2111 return gpg_error (GPG_ERR_BAD_BER);
2113 *method = ksba_oid_to_str (der, ti.length);
2115 return gpg_error (GPG_ERR_ENOMEM);
2117 derlen -= ti.length;
2119 err = _ksba_name_new_from_der (location, der, derlen);
2122 ksba_free (*method);
2135 /* Return the authorityInfoAccess attributes. IDX should be iterated
2136 starting from 0 until the function returns GPG_ERR_EOF. R_METHOD
2137 returns an allocated string with the OID of one item and R_LOCATION
2138 return the GeneralName for that OID. The return values for
2139 R_METHOD and R_LOCATION must be released by the caller unless the
2140 function returned an error; the function will however make sure
2141 that R_METHOD and R_LOCATION will point to NULL if the function
2142 returns an error. See RFC 2459, section 4.2.2.1 */
2144 ksba_cert_get_authority_info_access (ksba_cert_t cert, int idx,
2145 char **r_method, ksba_name_t *r_location)
2147 if (!r_method || !r_location)
2148 return gpg_error (GPG_ERR_INV_VALUE);
2149 return get_info_access (cert, idx, 0, r_method, r_location);
2152 /* Return the subjectInfoAccess attributes. IDX should be iterated
2153 starting from 0 until the function returns GPG_ERR_EOF. R_METHOD
2154 returns an allocated string with the OID of one item and R_LOCATION
2155 return the GeneralName for that OID. The return values for
2156 R_METHOD and R_LOCATION must be released by the caller unless the
2157 function returned an error; the function will however make sure
2158 that R_METHOD and R_LOCATION will point to NULL if the function
2159 returns an error. See RFC 2459, section 4.2.2.2 */
2161 ksba_cert_get_subject_info_access (ksba_cert_t cert, int idx,
2162 char **r_method, ksba_name_t *r_location)
2164 if (!r_method || !r_location)
2165 return gpg_error (GPG_ERR_INV_VALUE);
2166 return get_info_access (cert, idx, 1, r_method, r_location);