1*1c60b9acSAndroid Build Coastguard Worker /*
2*1c60b9acSAndroid Build Coastguard Worker * libwebsockets - small server side websockets and web server implementation
3*1c60b9acSAndroid Build Coastguard Worker *
4*1c60b9acSAndroid Build Coastguard Worker * Copyright (C) 2010 - 2021 Andy Green <[email protected]>
5*1c60b9acSAndroid Build Coastguard Worker *
6*1c60b9acSAndroid Build Coastguard Worker * Permission is hereby granted, free of charge, to any person obtaining a copy
7*1c60b9acSAndroid Build Coastguard Worker * of this software and associated documentation files (the "Software"), to
8*1c60b9acSAndroid Build Coastguard Worker * deal in the Software without restriction, including without limitation the
9*1c60b9acSAndroid Build Coastguard Worker * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
10*1c60b9acSAndroid Build Coastguard Worker * sell copies of the Software, and to permit persons to whom the Software is
11*1c60b9acSAndroid Build Coastguard Worker * furnished to do so, subject to the following conditions:
12*1c60b9acSAndroid Build Coastguard Worker *
13*1c60b9acSAndroid Build Coastguard Worker * The above copyright notice and this permission notice shall be included in
14*1c60b9acSAndroid Build Coastguard Worker * all copies or substantial portions of the Software.
15*1c60b9acSAndroid Build Coastguard Worker *
16*1c60b9acSAndroid Build Coastguard Worker * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
17*1c60b9acSAndroid Build Coastguard Worker * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
18*1c60b9acSAndroid Build Coastguard Worker * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
19*1c60b9acSAndroid Build Coastguard Worker * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
20*1c60b9acSAndroid Build Coastguard Worker * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
21*1c60b9acSAndroid Build Coastguard Worker * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
22*1c60b9acSAndroid Build Coastguard Worker * IN THE SOFTWARE.
23*1c60b9acSAndroid Build Coastguard Worker *
24*1c60b9acSAndroid Build Coastguard Worker * These are additional apis that belong in mbedtls but do not yet exist there.
25*1c60b9acSAndroid Build Coastguard Worker * Alternaives are provided for lws to use that understand additional standard
26*1c60b9acSAndroid Build Coastguard Worker * v3 tls extensions. Error results are simplified to lws style.
27*1c60b9acSAndroid Build Coastguard Worker *
28*1c60b9acSAndroid Build Coastguard Worker * This file includes code taken from mbedtls and modified, and from an as of
29*1c60b9acSAndroid Build Coastguard Worker * 2021-06-11 unaccepted-upstream patch for mbedtls contributed by Gábor Tóth
30*1c60b9acSAndroid Build Coastguard Worker * <[email protected]>. Gabor has graciously allowed use of his patch with more
31*1c60b9acSAndroid Build Coastguard Worker * liberal terms but to not complicate matters I provide it here under the same
32*1c60b9acSAndroid Build Coastguard Worker * Apache 2.0 terms as the mbedtls pieces.
33*1c60b9acSAndroid Build Coastguard Worker *
34*1c60b9acSAndroid Build Coastguard Worker * Those original pieces are licensed Apache-2.0 as follows
35*1c60b9acSAndroid Build Coastguard Worker *
36*1c60b9acSAndroid Build Coastguard Worker * Copyright The Mbed TLS Contributors
37*1c60b9acSAndroid Build Coastguard Worker * SPDX-License-Identifier: Apache-2.0
38*1c60b9acSAndroid Build Coastguard Worker *
39*1c60b9acSAndroid Build Coastguard Worker * Licensed under the Apache License, Version 2.0 (the "License"); you may
40*1c60b9acSAndroid Build Coastguard Worker * not use this file except in compliance with the License.
41*1c60b9acSAndroid Build Coastguard Worker * You may obtain a copy of the License at
42*1c60b9acSAndroid Build Coastguard Worker *
43*1c60b9acSAndroid Build Coastguard Worker * http://www.apache.org/licenses/LICENSE-2.0
44*1c60b9acSAndroid Build Coastguard Worker *
45*1c60b9acSAndroid Build Coastguard Worker * Unless required by applicable law or agreed to in writing, software
46*1c60b9acSAndroid Build Coastguard Worker * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
47*1c60b9acSAndroid Build Coastguard Worker * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
48*1c60b9acSAndroid Build Coastguard Worker * See the License for the specific language governing permissions and
49*1c60b9acSAndroid Build Coastguard Worker * limitations under the License.
50*1c60b9acSAndroid Build Coastguard Worker */
51*1c60b9acSAndroid Build Coastguard Worker
52*1c60b9acSAndroid Build Coastguard Worker #include "private-lib-core.h"
53*1c60b9acSAndroid Build Coastguard Worker #include "private-lib-tls-mbedtls.h"
54*1c60b9acSAndroid Build Coastguard Worker #include <mbedtls/oid.h>
55*1c60b9acSAndroid Build Coastguard Worker #include <mbedtls/x509.h>
56*1c60b9acSAndroid Build Coastguard Worker
57*1c60b9acSAndroid Build Coastguard Worker /*
58*1c60b9acSAndroid Build Coastguard Worker * This section from mbedtls oid.c
59*1c60b9acSAndroid Build Coastguard Worker */
60*1c60b9acSAndroid Build Coastguard Worker
61*1c60b9acSAndroid Build Coastguard Worker typedef struct {
62*1c60b9acSAndroid Build Coastguard Worker mbedtls_oid_descriptor_t descriptor;
63*1c60b9acSAndroid Build Coastguard Worker int ext_type;
64*1c60b9acSAndroid Build Coastguard Worker } oid_x509_ext_t;
65*1c60b9acSAndroid Build Coastguard Worker
66*1c60b9acSAndroid Build Coastguard Worker #define ADD_LEN(s) s, MBEDTLS_OID_SIZE(s)
67*1c60b9acSAndroid Build Coastguard Worker
68*1c60b9acSAndroid Build Coastguard Worker #define LWS_MBEDTLS_OID_AUTHORITY_KEY_IDENTIFIER MBEDTLS_OID_ID_CE "\x23" /**< id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 35 } */
69*1c60b9acSAndroid Build Coastguard Worker #define LWS_MBEDTLS_OID_SUBJECT_KEY_IDENTIFIER MBEDTLS_OID_ID_CE "\x0E" /**< id-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 14 } */
70*1c60b9acSAndroid Build Coastguard Worker
71*1c60b9acSAndroid Build Coastguard Worker #define LWS_MBEDTLS_OID_X509_EXT_AUTHORITY_KEY_IDENTIFIER (1 << 0)
72*1c60b9acSAndroid Build Coastguard Worker #define LWS_MBEDTLS_OID_X509_EXT_SUBJECT_KEY_IDENTIFIER (1 << 1)
73*1c60b9acSAndroid Build Coastguard Worker
74*1c60b9acSAndroid Build Coastguard Worker #define LWS_MBEDTLS_X509_EXT_AUTHORITY_KEY_IDENTIFIER LWS_MBEDTLS_OID_X509_EXT_AUTHORITY_KEY_IDENTIFIER
75*1c60b9acSAndroid Build Coastguard Worker #define LWS_MBEDTLS_X509_EXT_SUBJECT_KEY_IDENTIFIER LWS_MBEDTLS_OID_X509_EXT_SUBJECT_KEY_IDENTIFIER
76*1c60b9acSAndroid Build Coastguard Worker
77*1c60b9acSAndroid Build Coastguard Worker #define LWS_MBEDTLS_X509_SAN_OTHER_NAME 0
78*1c60b9acSAndroid Build Coastguard Worker #define LWS_MBEDTLS_X509_SAN_RFC822_NAME 1
79*1c60b9acSAndroid Build Coastguard Worker #define LWS_MBEDTLS_X509_SAN_DNS_NAME 2
80*1c60b9acSAndroid Build Coastguard Worker
81*1c60b9acSAndroid Build Coastguard Worker #define LWS_MBEDTLS_ASN1_TAG_CLASS_MASK 0xC0
82*1c60b9acSAndroid Build Coastguard Worker #define LWS_MBEDTLS_ASN1_TAG_VALUE_MASK 0x1F
83*1c60b9acSAndroid Build Coastguard Worker
84*1c60b9acSAndroid Build Coastguard Worker static const oid_x509_ext_t oid_x509_ext[] = {
85*1c60b9acSAndroid Build Coastguard Worker { {ADD_LEN( LWS_MBEDTLS_OID_SUBJECT_KEY_IDENTIFIER ),
86*1c60b9acSAndroid Build Coastguard Worker "id-ce-subjectKeyIdentifier",
87*1c60b9acSAndroid Build Coastguard Worker "Subject Key Identifier" },
88*1c60b9acSAndroid Build Coastguard Worker LWS_MBEDTLS_OID_X509_EXT_SUBJECT_KEY_IDENTIFIER,
89*1c60b9acSAndroid Build Coastguard Worker },
90*1c60b9acSAndroid Build Coastguard Worker { {ADD_LEN( LWS_MBEDTLS_OID_AUTHORITY_KEY_IDENTIFIER ),
91*1c60b9acSAndroid Build Coastguard Worker "id-ce-authorityKeyIdentifier",
92*1c60b9acSAndroid Build Coastguard Worker "Authority Key Identifier" },
93*1c60b9acSAndroid Build Coastguard Worker LWS_MBEDTLS_OID_X509_EXT_AUTHORITY_KEY_IDENTIFIER,
94*1c60b9acSAndroid Build Coastguard Worker },
95*1c60b9acSAndroid Build Coastguard Worker { { NULL, 0, NULL, NULL }, 0 },
96*1c60b9acSAndroid Build Coastguard Worker };
97*1c60b9acSAndroid Build Coastguard Worker
98*1c60b9acSAndroid Build Coastguard Worker #define FN_OID_TYPED_FROM_ASN1( TYPE_T, NAME, LIST ) \
99*1c60b9acSAndroid Build Coastguard Worker static const TYPE_T * oid_ ## NAME ## _from_asn1( \
100*1c60b9acSAndroid Build Coastguard Worker const mbedtls_asn1_buf *oid ) \
101*1c60b9acSAndroid Build Coastguard Worker { \
102*1c60b9acSAndroid Build Coastguard Worker const TYPE_T *p = (LIST); \
103*1c60b9acSAndroid Build Coastguard Worker const mbedtls_oid_descriptor_t *cur = \
104*1c60b9acSAndroid Build Coastguard Worker (const mbedtls_oid_descriptor_t *) p; \
105*1c60b9acSAndroid Build Coastguard Worker if( p == NULL || oid == NULL ) return( NULL ); \
106*1c60b9acSAndroid Build Coastguard Worker while( cur->MBEDTLS_PRIVATE(asn1) != NULL ) { \
107*1c60b9acSAndroid Build Coastguard Worker if( cur->MBEDTLS_PRIVATE(asn1_len) == oid->MBEDTLS_PRIVATE(len) && \
108*1c60b9acSAndroid Build Coastguard Worker memcmp( cur->MBEDTLS_PRIVATE(asn1), oid->MBEDTLS_PRIVATE(p), oid->MBEDTLS_PRIVATE(len) ) == 0 ) { \
109*1c60b9acSAndroid Build Coastguard Worker return( p ); \
110*1c60b9acSAndroid Build Coastguard Worker } \
111*1c60b9acSAndroid Build Coastguard Worker p++; \
112*1c60b9acSAndroid Build Coastguard Worker cur = (const mbedtls_oid_descriptor_t *) p; \
113*1c60b9acSAndroid Build Coastguard Worker } \
114*1c60b9acSAndroid Build Coastguard Worker return( NULL ); \
115*1c60b9acSAndroid Build Coastguard Worker }
116*1c60b9acSAndroid Build Coastguard Worker
117*1c60b9acSAndroid Build Coastguard Worker
118*1c60b9acSAndroid Build Coastguard Worker #define FN_OID_GET_ATTR1(FN_NAME, TYPE_T, TYPE_NAME, ATTR1_TYPE, ATTR1) \
119*1c60b9acSAndroid Build Coastguard Worker int FN_NAME( const mbedtls_asn1_buf *oid, ATTR1_TYPE * ATTR1 ) \
120*1c60b9acSAndroid Build Coastguard Worker { \
121*1c60b9acSAndroid Build Coastguard Worker const TYPE_T *data = oid_ ## TYPE_NAME ## _from_asn1( oid ); \
122*1c60b9acSAndroid Build Coastguard Worker if (!data) return 1; \
123*1c60b9acSAndroid Build Coastguard Worker *ATTR1 = data->ATTR1; \
124*1c60b9acSAndroid Build Coastguard Worker return 0; \
125*1c60b9acSAndroid Build Coastguard Worker }
126*1c60b9acSAndroid Build Coastguard Worker
127*1c60b9acSAndroid Build Coastguard Worker FN_OID_TYPED_FROM_ASN1(oid_x509_ext_t, x509_ext, oid_x509_ext)
128*1c60b9acSAndroid Build Coastguard Worker FN_OID_GET_ATTR1(lws_mbedtls_oid_get_x509_ext_type,
129*1c60b9acSAndroid Build Coastguard Worker oid_x509_ext_t, x509_ext, int, ext_type)
130*1c60b9acSAndroid Build Coastguard Worker
131*1c60b9acSAndroid Build Coastguard Worker typedef struct lws_mbedtls_x509_san_other_name
132*1c60b9acSAndroid Build Coastguard Worker {
133*1c60b9acSAndroid Build Coastguard Worker /**
134*1c60b9acSAndroid Build Coastguard Worker * The type_id is an OID as deifned in RFC 5280.
135*1c60b9acSAndroid Build Coastguard Worker * To check the value of the type id, you should use
136*1c60b9acSAndroid Build Coastguard Worker * \p MBEDTLS_OID_CMP with a known OID mbedtls_x509_buf.
137*1c60b9acSAndroid Build Coastguard Worker */
138*1c60b9acSAndroid Build Coastguard Worker mbedtls_x509_buf type_id; /**< The type id. */
139*1c60b9acSAndroid Build Coastguard Worker union
140*1c60b9acSAndroid Build Coastguard Worker {
141*1c60b9acSAndroid Build Coastguard Worker /**
142*1c60b9acSAndroid Build Coastguard Worker * From RFC 4108 section 5:
143*1c60b9acSAndroid Build Coastguard Worker * HardwareModuleName ::= SEQUENCE {
144*1c60b9acSAndroid Build Coastguard Worker * hwType OBJECT IDENTIFIER,
145*1c60b9acSAndroid Build Coastguard Worker * hwSerialNum OCTET STRING }
146*1c60b9acSAndroid Build Coastguard Worker */
147*1c60b9acSAndroid Build Coastguard Worker struct
148*1c60b9acSAndroid Build Coastguard Worker {
149*1c60b9acSAndroid Build Coastguard Worker mbedtls_x509_buf oid; /**< The object identifier. */
150*1c60b9acSAndroid Build Coastguard Worker mbedtls_x509_buf val; /**< The named value. */
151*1c60b9acSAndroid Build Coastguard Worker }
152*1c60b9acSAndroid Build Coastguard Worker hardware_module_name;
153*1c60b9acSAndroid Build Coastguard Worker }
154*1c60b9acSAndroid Build Coastguard Worker value;
155*1c60b9acSAndroid Build Coastguard Worker }
156*1c60b9acSAndroid Build Coastguard Worker lws_mbedtls_x509_san_other_name;
157*1c60b9acSAndroid Build Coastguard Worker
158*1c60b9acSAndroid Build Coastguard Worker
159*1c60b9acSAndroid Build Coastguard Worker typedef struct lws_mbedtls_x509_subject_alternative_name
160*1c60b9acSAndroid Build Coastguard Worker {
161*1c60b9acSAndroid Build Coastguard Worker int type; /**< The SAN type, value of LWS_MBEDTLS_X509_SAN_XXX. */
162*1c60b9acSAndroid Build Coastguard Worker union {
163*1c60b9acSAndroid Build Coastguard Worker lws_mbedtls_x509_san_other_name other_name; /**< The otherName supported type. */
164*1c60b9acSAndroid Build Coastguard Worker mbedtls_x509_buf unstructured_name; /**< The buffer for the un constructed types. Only dnsName currently supported */
165*1c60b9acSAndroid Build Coastguard Worker }
166*1c60b9acSAndroid Build Coastguard Worker san; /**< A union of the supported SAN types */
167*1c60b9acSAndroid Build Coastguard Worker }
168*1c60b9acSAndroid Build Coastguard Worker lws_mbedtls_x509_subject_alternative_name;
169*1c60b9acSAndroid Build Coastguard Worker
170*1c60b9acSAndroid Build Coastguard Worker static int
x509_get_skid(uint8_t ** p,const uint8_t * end,mbedtls_x509_buf * skid)171*1c60b9acSAndroid Build Coastguard Worker x509_get_skid(uint8_t **p, const uint8_t *end, mbedtls_x509_buf *skid)
172*1c60b9acSAndroid Build Coastguard Worker {
173*1c60b9acSAndroid Build Coastguard Worker int ret = 1;
174*1c60b9acSAndroid Build Coastguard Worker size_t len = 0u;
175*1c60b9acSAndroid Build Coastguard Worker
176*1c60b9acSAndroid Build Coastguard Worker ret = mbedtls_asn1_get_tag(p, end, &len, MBEDTLS_ASN1_OCTET_STRING);
177*1c60b9acSAndroid Build Coastguard Worker if (ret)
178*1c60b9acSAndroid Build Coastguard Worker return ret;
179*1c60b9acSAndroid Build Coastguard Worker
180*1c60b9acSAndroid Build Coastguard Worker skid->MBEDTLS_PRIVATE(len) = len;
181*1c60b9acSAndroid Build Coastguard Worker skid->MBEDTLS_PRIVATE(tag) = MBEDTLS_ASN1_OCTET_STRING;
182*1c60b9acSAndroid Build Coastguard Worker skid->MBEDTLS_PRIVATE(p) = *p;
183*1c60b9acSAndroid Build Coastguard Worker *p += len;
184*1c60b9acSAndroid Build Coastguard Worker
185*1c60b9acSAndroid Build Coastguard Worker return *p != end;
186*1c60b9acSAndroid Build Coastguard Worker }
187*1c60b9acSAndroid Build Coastguard Worker
188*1c60b9acSAndroid Build Coastguard Worker /*
189*1c60b9acSAndroid Build Coastguard Worker * Names may have multiple allocated segments in a linked-list, when the mbedtls
190*1c60b9acSAndroid Build Coastguard Worker * api mbedtls_x509_get_name() fails, it doesn't clean up any already-allocated
191*1c60b9acSAndroid Build Coastguard Worker * segments, wrongly leaving it to the caller to handle. This helper takes care
192*1c60b9acSAndroid Build Coastguard Worker * of the missing cleaning for allocation error path.
193*1c60b9acSAndroid Build Coastguard Worker *
194*1c60b9acSAndroid Build Coastguard Worker * name.next must be set to NULL by user code before calling ...get_name(...,
195*1c60b9acSAndroid Build Coastguard Worker * &name), since not every error exit sets it and it will contain garbage if
196*1c60b9acSAndroid Build Coastguard Worker * defined on stack as is usual.
197*1c60b9acSAndroid Build Coastguard Worker */
198*1c60b9acSAndroid Build Coastguard Worker
199*1c60b9acSAndroid Build Coastguard Worker static void
lws_x509_clean_name(mbedtls_x509_name * name)200*1c60b9acSAndroid Build Coastguard Worker lws_x509_clean_name(mbedtls_x509_name *name)
201*1c60b9acSAndroid Build Coastguard Worker {
202*1c60b9acSAndroid Build Coastguard Worker mbedtls_x509_name *n1;
203*1c60b9acSAndroid Build Coastguard Worker
204*1c60b9acSAndroid Build Coastguard Worker if (!name)
205*1c60b9acSAndroid Build Coastguard Worker return;
206*1c60b9acSAndroid Build Coastguard Worker
207*1c60b9acSAndroid Build Coastguard Worker n1 = name->MBEDTLS_PRIVATE(next);
208*1c60b9acSAndroid Build Coastguard Worker
209*1c60b9acSAndroid Build Coastguard Worker while (n1) {
210*1c60b9acSAndroid Build Coastguard Worker name = n1->MBEDTLS_PRIVATE(next);
211*1c60b9acSAndroid Build Coastguard Worker free(n1);
212*1c60b9acSAndroid Build Coastguard Worker n1 = name;
213*1c60b9acSAndroid Build Coastguard Worker }
214*1c60b9acSAndroid Build Coastguard Worker }
215*1c60b9acSAndroid Build Coastguard Worker
216*1c60b9acSAndroid Build Coastguard Worker static int
lws_mbedtls_x509_parse_general_name(const mbedtls_x509_buf * name_buf,lws_mbedtls_x509_subject_alternative_name * name)217*1c60b9acSAndroid Build Coastguard Worker lws_mbedtls_x509_parse_general_name(const mbedtls_x509_buf *name_buf,
218*1c60b9acSAndroid Build Coastguard Worker lws_mbedtls_x509_subject_alternative_name *name)
219*1c60b9acSAndroid Build Coastguard Worker {
220*1c60b9acSAndroid Build Coastguard Worker // mbedtls_x509_name_other_name other_name;
221*1c60b9acSAndroid Build Coastguard Worker uint8_t *bufferPointer, **p, *end;
222*1c60b9acSAndroid Build Coastguard Worker mbedtls_x509_name rfc822Name;
223*1c60b9acSAndroid Build Coastguard Worker int ret;
224*1c60b9acSAndroid Build Coastguard Worker
225*1c60b9acSAndroid Build Coastguard Worker switch (name_buf->MBEDTLS_PRIVATE(tag) &
226*1c60b9acSAndroid Build Coastguard Worker (LWS_MBEDTLS_ASN1_TAG_CLASS_MASK |
227*1c60b9acSAndroid Build Coastguard Worker LWS_MBEDTLS_ASN1_TAG_VALUE_MASK)) {
228*1c60b9acSAndroid Build Coastguard Worker
229*1c60b9acSAndroid Build Coastguard Worker #if 0
230*1c60b9acSAndroid Build Coastguard Worker case MBEDTLS_ASN1_CONTEXT_SPECIFIC | LWS_MBEDTLS_X509_SAN_OTHER_NAME:
231*1c60b9acSAndroid Build Coastguard Worker ret = x509_get_other_name( name_buf, &other_name );
232*1c60b9acSAndroid Build Coastguard Worker if (ret)
233*1c60b9acSAndroid Build Coastguard Worker return ret;
234*1c60b9acSAndroid Build Coastguard Worker
235*1c60b9acSAndroid Build Coastguard Worker memset(name, 0, sizeof(*name));
236*1c60b9acSAndroid Build Coastguard Worker name->type = LWS_MBEDTLS_X509_SAN_OTHER_NAME;
237*1c60b9acSAndroid Build Coastguard Worker memcpy(&name->name.other_name, &other_name, sizeof(other_name));
238*1c60b9acSAndroid Build Coastguard Worker return 0;
239*1c60b9acSAndroid Build Coastguard Worker #endif
240*1c60b9acSAndroid Build Coastguard Worker case MBEDTLS_ASN1_SEQUENCE | LWS_MBEDTLS_X509_SAN_RFC822_NAME:
241*1c60b9acSAndroid Build Coastguard Worker
242*1c60b9acSAndroid Build Coastguard Worker bufferPointer = name_buf->MBEDTLS_PRIVATE(p);
243*1c60b9acSAndroid Build Coastguard Worker p = &bufferPointer;
244*1c60b9acSAndroid Build Coastguard Worker end = name_buf->MBEDTLS_PRIVATE(p) +
245*1c60b9acSAndroid Build Coastguard Worker name_buf->MBEDTLS_PRIVATE(len);
246*1c60b9acSAndroid Build Coastguard Worker
247*1c60b9acSAndroid Build Coastguard Worker /* The leading ASN1 tag and length has been processed.
248*1c60b9acSAndroid Build Coastguard Worker * Stepping back with 2 bytes, because mbedtls_x509_get_name
249*1c60b9acSAndroid Build Coastguard Worker * expects the beginning of the SET tag */
250*1c60b9acSAndroid Build Coastguard Worker *p = *p - 2;
251*1c60b9acSAndroid Build Coastguard Worker
252*1c60b9acSAndroid Build Coastguard Worker rfc822Name.MBEDTLS_PRIVATE(next) = NULL;
253*1c60b9acSAndroid Build Coastguard Worker ret = mbedtls_x509_get_name( p, end, &rfc822Name );
254*1c60b9acSAndroid Build Coastguard Worker if (ret) {
255*1c60b9acSAndroid Build Coastguard Worker lws_x509_clean_name(&rfc822Name);
256*1c60b9acSAndroid Build Coastguard Worker return ret;
257*1c60b9acSAndroid Build Coastguard Worker }
258*1c60b9acSAndroid Build Coastguard Worker
259*1c60b9acSAndroid Build Coastguard Worker memset(name, 0, sizeof(*name));
260*1c60b9acSAndroid Build Coastguard Worker name->type = LWS_MBEDTLS_X509_SAN_OTHER_NAME;
261*1c60b9acSAndroid Build Coastguard Worker memcpy(&name->san.other_name,
262*1c60b9acSAndroid Build Coastguard Worker &rfc822Name, sizeof(rfc822Name));
263*1c60b9acSAndroid Build Coastguard Worker return 0;
264*1c60b9acSAndroid Build Coastguard Worker
265*1c60b9acSAndroid Build Coastguard Worker case MBEDTLS_ASN1_CONTEXT_SPECIFIC | LWS_MBEDTLS_X509_SAN_DNS_NAME:
266*1c60b9acSAndroid Build Coastguard Worker memset(name, 0, sizeof(*name));
267*1c60b9acSAndroid Build Coastguard Worker name->type = LWS_MBEDTLS_X509_SAN_DNS_NAME;
268*1c60b9acSAndroid Build Coastguard Worker
269*1c60b9acSAndroid Build Coastguard Worker memcpy(&name->san.unstructured_name,
270*1c60b9acSAndroid Build Coastguard Worker name_buf, sizeof(*name_buf) );
271*1c60b9acSAndroid Build Coastguard Worker return 0;
272*1c60b9acSAndroid Build Coastguard Worker
273*1c60b9acSAndroid Build Coastguard Worker default:
274*1c60b9acSAndroid Build Coastguard Worker return 1;
275*1c60b9acSAndroid Build Coastguard Worker }
276*1c60b9acSAndroid Build Coastguard Worker
277*1c60b9acSAndroid Build Coastguard Worker return 1;
278*1c60b9acSAndroid Build Coastguard Worker }
279*1c60b9acSAndroid Build Coastguard Worker
280*1c60b9acSAndroid Build Coastguard Worker static int
lws_x509_get_general_names(uint8_t ** p,const uint8_t * end,mbedtls_x509_sequence * name)281*1c60b9acSAndroid Build Coastguard Worker lws_x509_get_general_names(uint8_t **p, const uint8_t *end,
282*1c60b9acSAndroid Build Coastguard Worker mbedtls_x509_sequence *name )
283*1c60b9acSAndroid Build Coastguard Worker {
284*1c60b9acSAndroid Build Coastguard Worker mbedtls_asn1_sequence *cur = name;
285*1c60b9acSAndroid Build Coastguard Worker mbedtls_asn1_buf *buf;
286*1c60b9acSAndroid Build Coastguard Worker size_t len, tag_len;
287*1c60b9acSAndroid Build Coastguard Worker unsigned char tag;
288*1c60b9acSAndroid Build Coastguard Worker int r;
289*1c60b9acSAndroid Build Coastguard Worker
290*1c60b9acSAndroid Build Coastguard Worker /* Get main sequence tag */
291*1c60b9acSAndroid Build Coastguard Worker r = mbedtls_asn1_get_tag(p, end, &len, MBEDTLS_ASN1_CONSTRUCTED |
292*1c60b9acSAndroid Build Coastguard Worker MBEDTLS_ASN1_SEQUENCE);
293*1c60b9acSAndroid Build Coastguard Worker if (r)
294*1c60b9acSAndroid Build Coastguard Worker return r;
295*1c60b9acSAndroid Build Coastguard Worker
296*1c60b9acSAndroid Build Coastguard Worker if (*p + len != end)
297*1c60b9acSAndroid Build Coastguard Worker return 1;
298*1c60b9acSAndroid Build Coastguard Worker
299*1c60b9acSAndroid Build Coastguard Worker while (*p < end) {
300*1c60b9acSAndroid Build Coastguard Worker lws_mbedtls_x509_subject_alternative_name dnb;
301*1c60b9acSAndroid Build Coastguard Worker memset(&dnb, 0, sizeof(dnb));
302*1c60b9acSAndroid Build Coastguard Worker
303*1c60b9acSAndroid Build Coastguard Worker tag = **p;
304*1c60b9acSAndroid Build Coastguard Worker (*p)++;
305*1c60b9acSAndroid Build Coastguard Worker
306*1c60b9acSAndroid Build Coastguard Worker r = mbedtls_asn1_get_len(p, end, &tag_len);
307*1c60b9acSAndroid Build Coastguard Worker if (r)
308*1c60b9acSAndroid Build Coastguard Worker return r;
309*1c60b9acSAndroid Build Coastguard Worker
310*1c60b9acSAndroid Build Coastguard Worker /* Tag shall be CONTEXT_SPECIFIC or SET */
311*1c60b9acSAndroid Build Coastguard Worker if ((tag & LWS_MBEDTLS_ASN1_TAG_CLASS_MASK) !=
312*1c60b9acSAndroid Build Coastguard Worker MBEDTLS_ASN1_CONTEXT_SPECIFIC &&
313*1c60b9acSAndroid Build Coastguard Worker (tag & (MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) !=
314*1c60b9acSAndroid Build Coastguard Worker (MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE))
315*1c60b9acSAndroid Build Coastguard Worker return 1;
316*1c60b9acSAndroid Build Coastguard Worker
317*1c60b9acSAndroid Build Coastguard Worker /*
318*1c60b9acSAndroid Build Coastguard Worker * Check that the name is structured correctly.
319*1c60b9acSAndroid Build Coastguard Worker */
320*1c60b9acSAndroid Build Coastguard Worker r = lws_mbedtls_x509_parse_general_name(
321*1c60b9acSAndroid Build Coastguard Worker &cur->MBEDTLS_PRIVATE(buf), &dnb);
322*1c60b9acSAndroid Build Coastguard Worker /*
323*1c60b9acSAndroid Build Coastguard Worker * In case the extension is malformed, return an error,
324*1c60b9acSAndroid Build Coastguard Worker * and clear the allocated sequences.
325*1c60b9acSAndroid Build Coastguard Worker */
326*1c60b9acSAndroid Build Coastguard Worker if (r && r != MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE) {
327*1c60b9acSAndroid Build Coastguard Worker mbedtls_x509_sequence *seq_cur = name->MBEDTLS_PRIVATE(next);
328*1c60b9acSAndroid Build Coastguard Worker mbedtls_x509_sequence *seq_prv;
329*1c60b9acSAndroid Build Coastguard Worker
330*1c60b9acSAndroid Build Coastguard Worker while( seq_cur != NULL ) {
331*1c60b9acSAndroid Build Coastguard Worker seq_prv = seq_cur;
332*1c60b9acSAndroid Build Coastguard Worker seq_cur = seq_cur->MBEDTLS_PRIVATE(next);
333*1c60b9acSAndroid Build Coastguard Worker lws_explicit_bzero(seq_prv, sizeof(*seq_cur));
334*1c60b9acSAndroid Build Coastguard Worker lws_free(seq_prv);
335*1c60b9acSAndroid Build Coastguard Worker }
336*1c60b9acSAndroid Build Coastguard Worker
337*1c60b9acSAndroid Build Coastguard Worker name->MBEDTLS_PRIVATE(next) = NULL;
338*1c60b9acSAndroid Build Coastguard Worker
339*1c60b9acSAndroid Build Coastguard Worker return r;
340*1c60b9acSAndroid Build Coastguard Worker }
341*1c60b9acSAndroid Build Coastguard Worker
342*1c60b9acSAndroid Build Coastguard Worker /* Allocate and assign next pointer */
343*1c60b9acSAndroid Build Coastguard Worker if (cur->MBEDTLS_PRIVATE(buf).MBEDTLS_PRIVATE(p)) {
344*1c60b9acSAndroid Build Coastguard Worker if (cur->MBEDTLS_PRIVATE(next))
345*1c60b9acSAndroid Build Coastguard Worker return 1;
346*1c60b9acSAndroid Build Coastguard Worker
347*1c60b9acSAndroid Build Coastguard Worker cur->MBEDTLS_PRIVATE(next) =
348*1c60b9acSAndroid Build Coastguard Worker lws_zalloc(sizeof(*cur), __func__);
349*1c60b9acSAndroid Build Coastguard Worker
350*1c60b9acSAndroid Build Coastguard Worker if (!cur->MBEDTLS_PRIVATE(next))
351*1c60b9acSAndroid Build Coastguard Worker return 1;
352*1c60b9acSAndroid Build Coastguard Worker
353*1c60b9acSAndroid Build Coastguard Worker cur = cur->MBEDTLS_PRIVATE(next);
354*1c60b9acSAndroid Build Coastguard Worker }
355*1c60b9acSAndroid Build Coastguard Worker
356*1c60b9acSAndroid Build Coastguard Worker buf = &(cur->MBEDTLS_PRIVATE(buf));
357*1c60b9acSAndroid Build Coastguard Worker buf->MBEDTLS_PRIVATE(tag) = tag;
358*1c60b9acSAndroid Build Coastguard Worker buf->MBEDTLS_PRIVATE(p) = *p;
359*1c60b9acSAndroid Build Coastguard Worker buf->MBEDTLS_PRIVATE(len) = tag_len;
360*1c60b9acSAndroid Build Coastguard Worker
361*1c60b9acSAndroid Build Coastguard Worker *p += buf->MBEDTLS_PRIVATE(len);
362*1c60b9acSAndroid Build Coastguard Worker }
363*1c60b9acSAndroid Build Coastguard Worker
364*1c60b9acSAndroid Build Coastguard Worker /* Set final sequence entry's next pointer to NULL */
365*1c60b9acSAndroid Build Coastguard Worker cur->MBEDTLS_PRIVATE(next) = NULL;
366*1c60b9acSAndroid Build Coastguard Worker
367*1c60b9acSAndroid Build Coastguard Worker return *p != end;
368*1c60b9acSAndroid Build Coastguard Worker }
369*1c60b9acSAndroid Build Coastguard Worker
370*1c60b9acSAndroid Build Coastguard Worker static int
x509_get_akid(uint8_t ** p,uint8_t * end,lws_mbedtls_x509_authority * akid)371*1c60b9acSAndroid Build Coastguard Worker x509_get_akid(uint8_t **p, uint8_t *end, lws_mbedtls_x509_authority *akid)
372*1c60b9acSAndroid Build Coastguard Worker {
373*1c60b9acSAndroid Build Coastguard Worker size_t len = 0u;
374*1c60b9acSAndroid Build Coastguard Worker int r;
375*1c60b9acSAndroid Build Coastguard Worker
376*1c60b9acSAndroid Build Coastguard Worker r = mbedtls_asn1_get_tag(p, end, &len, MBEDTLS_ASN1_CONSTRUCTED |
377*1c60b9acSAndroid Build Coastguard Worker MBEDTLS_ASN1_SEQUENCE);
378*1c60b9acSAndroid Build Coastguard Worker if (r)
379*1c60b9acSAndroid Build Coastguard Worker return r;
380*1c60b9acSAndroid Build Coastguard Worker
381*1c60b9acSAndroid Build Coastguard Worker r = mbedtls_asn1_get_tag(p, end, &len, MBEDTLS_ASN1_CONTEXT_SPECIFIC);
382*1c60b9acSAndroid Build Coastguard Worker if (!r) {
383*1c60b9acSAndroid Build Coastguard Worker akid->keyIdentifier.MBEDTLS_PRIVATE(len) = len;
384*1c60b9acSAndroid Build Coastguard Worker akid->keyIdentifier.MBEDTLS_PRIVATE(p) = *p;
385*1c60b9acSAndroid Build Coastguard Worker akid->keyIdentifier.MBEDTLS_PRIVATE(tag) = MBEDTLS_ASN1_OCTET_STRING;
386*1c60b9acSAndroid Build Coastguard Worker
387*1c60b9acSAndroid Build Coastguard Worker *p += len;
388*1c60b9acSAndroid Build Coastguard Worker }
389*1c60b9acSAndroid Build Coastguard Worker
390*1c60b9acSAndroid Build Coastguard Worker if (*p < end) {
391*1c60b9acSAndroid Build Coastguard Worker /* Getting authorityCertIssuer using the required specific
392*1c60b9acSAndroid Build Coastguard Worker * class tag [1] */
393*1c60b9acSAndroid Build Coastguard Worker r = mbedtls_asn1_get_tag(p, end, &len,
394*1c60b9acSAndroid Build Coastguard Worker MBEDTLS_ASN1_CONTEXT_SPECIFIC |
395*1c60b9acSAndroid Build Coastguard Worker MBEDTLS_ASN1_CONSTRUCTED | 1 );
396*1c60b9acSAndroid Build Coastguard Worker if (!r) {
397*1c60b9acSAndroid Build Coastguard Worker /* Getting directoryName using the required specific
398*1c60b9acSAndroid Build Coastguard Worker * class tag [4] */
399*1c60b9acSAndroid Build Coastguard Worker r = mbedtls_asn1_get_tag(p, end, &len,
400*1c60b9acSAndroid Build Coastguard Worker MBEDTLS_ASN1_CONTEXT_SPECIFIC |
401*1c60b9acSAndroid Build Coastguard Worker MBEDTLS_ASN1_CONSTRUCTED | 4);
402*1c60b9acSAndroid Build Coastguard Worker if (r)
403*1c60b9acSAndroid Build Coastguard Worker return(r);
404*1c60b9acSAndroid Build Coastguard Worker
405*1c60b9acSAndroid Build Coastguard Worker /* "end" also includes the CertSerialNumber field
406*1c60b9acSAndroid Build Coastguard Worker * so "len" shall be used */
407*1c60b9acSAndroid Build Coastguard Worker r = lws_x509_get_general_names(p, (*p + len),
408*1c60b9acSAndroid Build Coastguard Worker &akid->authorityCertIssuer);
409*1c60b9acSAndroid Build Coastguard Worker }
410*1c60b9acSAndroid Build Coastguard Worker }
411*1c60b9acSAndroid Build Coastguard Worker
412*1c60b9acSAndroid Build Coastguard Worker if (*p < end) {
413*1c60b9acSAndroid Build Coastguard Worker r = mbedtls_asn1_get_tag(p, end, &len,
414*1c60b9acSAndroid Build Coastguard Worker MBEDTLS_ASN1_CONTEXT_SPECIFIC |
415*1c60b9acSAndroid Build Coastguard Worker MBEDTLS_ASN1_INTEGER );
416*1c60b9acSAndroid Build Coastguard Worker if (r)
417*1c60b9acSAndroid Build Coastguard Worker return r;
418*1c60b9acSAndroid Build Coastguard Worker
419*1c60b9acSAndroid Build Coastguard Worker akid->authorityCertSerialNumber.MBEDTLS_PRIVATE(len) = len;
420*1c60b9acSAndroid Build Coastguard Worker akid->authorityCertSerialNumber.MBEDTLS_PRIVATE(p) = *p;
421*1c60b9acSAndroid Build Coastguard Worker akid->authorityCertSerialNumber.MBEDTLS_PRIVATE(tag) = MBEDTLS_ASN1_OCTET_STRING;
422*1c60b9acSAndroid Build Coastguard Worker *p += len;
423*1c60b9acSAndroid Build Coastguard Worker }
424*1c60b9acSAndroid Build Coastguard Worker
425*1c60b9acSAndroid Build Coastguard Worker return *p != end;
426*1c60b9acSAndroid Build Coastguard Worker }
427*1c60b9acSAndroid Build Coastguard Worker
428*1c60b9acSAndroid Build Coastguard Worker /*
429*1c60b9acSAndroid Build Coastguard Worker * Work around lack of this in mbedtls... we don't need to do sanity checks
430*1c60b9acSAndroid Build Coastguard Worker * sanity checks because they will be done at x509 validation time
431*1c60b9acSAndroid Build Coastguard Worker */
432*1c60b9acSAndroid Build Coastguard Worker
433*1c60b9acSAndroid Build Coastguard Worker int
lws_x509_get_crt_ext(mbedtls_x509_crt * crt,mbedtls_x509_buf * skid,lws_mbedtls_x509_authority * akid)434*1c60b9acSAndroid Build Coastguard Worker lws_x509_get_crt_ext(mbedtls_x509_crt *crt, mbedtls_x509_buf *skid,
435*1c60b9acSAndroid Build Coastguard Worker lws_mbedtls_x509_authority *akid)
436*1c60b9acSAndroid Build Coastguard Worker {
437*1c60b9acSAndroid Build Coastguard Worker uint8_t *p = crt->MBEDTLS_PRIVATE(v3_ext).MBEDTLS_PRIVATE(p),
438*1c60b9acSAndroid Build Coastguard Worker *end_ext_data, *end_ext_octet;
439*1c60b9acSAndroid Build Coastguard Worker const uint8_t *end = p + crt->MBEDTLS_PRIVATE(v3_ext).MBEDTLS_PRIVATE(len);
440*1c60b9acSAndroid Build Coastguard Worker size_t len;
441*1c60b9acSAndroid Build Coastguard Worker int r = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED |
442*1c60b9acSAndroid Build Coastguard Worker MBEDTLS_ASN1_SEQUENCE);
443*1c60b9acSAndroid Build Coastguard Worker if (r)
444*1c60b9acSAndroid Build Coastguard Worker return r;
445*1c60b9acSAndroid Build Coastguard Worker
446*1c60b9acSAndroid Build Coastguard Worker while (p < end) {
447*1c60b9acSAndroid Build Coastguard Worker mbedtls_x509_buf extn_oid = { 0, 0, NULL };
448*1c60b9acSAndroid Build Coastguard Worker int is_critical = 0; /* DEFAULT FALSE */
449*1c60b9acSAndroid Build Coastguard Worker int ext_type = 0;
450*1c60b9acSAndroid Build Coastguard Worker
451*1c60b9acSAndroid Build Coastguard Worker r = mbedtls_asn1_get_tag(&p, end, &len,
452*1c60b9acSAndroid Build Coastguard Worker MBEDTLS_ASN1_CONSTRUCTED |
453*1c60b9acSAndroid Build Coastguard Worker MBEDTLS_ASN1_SEQUENCE);
454*1c60b9acSAndroid Build Coastguard Worker if (r)
455*1c60b9acSAndroid Build Coastguard Worker return r;
456*1c60b9acSAndroid Build Coastguard Worker
457*1c60b9acSAndroid Build Coastguard Worker end_ext_data = p + len;
458*1c60b9acSAndroid Build Coastguard Worker
459*1c60b9acSAndroid Build Coastguard Worker /* Get extension ID */
460*1c60b9acSAndroid Build Coastguard Worker r = mbedtls_asn1_get_tag(&p, end_ext_data, &extn_oid.MBEDTLS_PRIVATE(len),
461*1c60b9acSAndroid Build Coastguard Worker MBEDTLS_ASN1_OID);
462*1c60b9acSAndroid Build Coastguard Worker if (r)
463*1c60b9acSAndroid Build Coastguard Worker return r;
464*1c60b9acSAndroid Build Coastguard Worker
465*1c60b9acSAndroid Build Coastguard Worker extn_oid.MBEDTLS_PRIVATE(tag) = MBEDTLS_ASN1_OID;
466*1c60b9acSAndroid Build Coastguard Worker extn_oid.MBEDTLS_PRIVATE(p) = p;
467*1c60b9acSAndroid Build Coastguard Worker p += extn_oid.MBEDTLS_PRIVATE(len);
468*1c60b9acSAndroid Build Coastguard Worker
469*1c60b9acSAndroid Build Coastguard Worker /* Get optional critical */
470*1c60b9acSAndroid Build Coastguard Worker r = mbedtls_asn1_get_bool(&p, end_ext_data, &is_critical);
471*1c60b9acSAndroid Build Coastguard Worker if (r && r != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG)
472*1c60b9acSAndroid Build Coastguard Worker return r;
473*1c60b9acSAndroid Build Coastguard Worker
474*1c60b9acSAndroid Build Coastguard Worker /* Data should be octet string type */
475*1c60b9acSAndroid Build Coastguard Worker r = mbedtls_asn1_get_tag(&p, end_ext_data, &len,
476*1c60b9acSAndroid Build Coastguard Worker MBEDTLS_ASN1_OCTET_STRING);
477*1c60b9acSAndroid Build Coastguard Worker if (r)
478*1c60b9acSAndroid Build Coastguard Worker return r;
479*1c60b9acSAndroid Build Coastguard Worker
480*1c60b9acSAndroid Build Coastguard Worker end_ext_octet = p + len;
481*1c60b9acSAndroid Build Coastguard Worker
482*1c60b9acSAndroid Build Coastguard Worker if (end_ext_octet != end_ext_data)
483*1c60b9acSAndroid Build Coastguard Worker return 1;
484*1c60b9acSAndroid Build Coastguard Worker
485*1c60b9acSAndroid Build Coastguard Worker r = lws_mbedtls_oid_get_x509_ext_type(&extn_oid, &ext_type);
486*1c60b9acSAndroid Build Coastguard Worker if (r) {
487*1c60b9acSAndroid Build Coastguard Worker p = end_ext_octet;
488*1c60b9acSAndroid Build Coastguard Worker continue;
489*1c60b9acSAndroid Build Coastguard Worker }
490*1c60b9acSAndroid Build Coastguard Worker
491*1c60b9acSAndroid Build Coastguard Worker switch (ext_type) {
492*1c60b9acSAndroid Build Coastguard Worker case LWS_MBEDTLS_X509_EXT_SUBJECT_KEY_IDENTIFIER:
493*1c60b9acSAndroid Build Coastguard Worker /* Parse subject key identifier */
494*1c60b9acSAndroid Build Coastguard Worker r = x509_get_skid(&p, end_ext_data, skid);
495*1c60b9acSAndroid Build Coastguard Worker if (r)
496*1c60b9acSAndroid Build Coastguard Worker return r;
497*1c60b9acSAndroid Build Coastguard Worker break;
498*1c60b9acSAndroid Build Coastguard Worker
499*1c60b9acSAndroid Build Coastguard Worker case LWS_MBEDTLS_X509_EXT_AUTHORITY_KEY_IDENTIFIER:
500*1c60b9acSAndroid Build Coastguard Worker /* Parse authority key identifier */
501*1c60b9acSAndroid Build Coastguard Worker r = x509_get_akid(&p, end_ext_octet, akid);
502*1c60b9acSAndroid Build Coastguard Worker if (r)
503*1c60b9acSAndroid Build Coastguard Worker return r;
504*1c60b9acSAndroid Build Coastguard Worker break;
505*1c60b9acSAndroid Build Coastguard Worker
506*1c60b9acSAndroid Build Coastguard Worker default:
507*1c60b9acSAndroid Build Coastguard Worker p = end_ext_octet;
508*1c60b9acSAndroid Build Coastguard Worker }
509*1c60b9acSAndroid Build Coastguard Worker }
510*1c60b9acSAndroid Build Coastguard Worker
511*1c60b9acSAndroid Build Coastguard Worker return 0;
512*1c60b9acSAndroid Build Coastguard Worker }
513