49  * @cert: Certificate to be freed
51 void x509_certificate_free(struct x509_certificate *cert)
53 	if (cert == NULL)
55 	if (cert->next) {
58 			   cert, cert->next);
60 	x509_free_name(&cert->issuer);
61 	x509_free_name(&cert->subject);
62 	os_free(cert->public_key);
63 	os_free(cert->sign_value);
64 	os_free(cert);
70  * @cert: Pointer to the first certificate in the chain
72 void x509_certificate_chain_free(struct x509_certificate *cert)
76 	while (cert) {
77 		next = cert->next;
78 		cert->next = NULL;
79 		x509_certificate_free(cert);
80 		cert = next;
226 				 struct x509_certificate *cert,
258 					    &cert->public_key_alg, &pos))
282 	os_free(cert->public_key);
283 	cert->public_key = os_malloc(hdr.length - 1);
284 	if (cert->public_key == NULL) {
289 	os_memcpy(cert->public_key, pos + 1, hdr.length - 1);
290 	cert->public_key_len = hdr.length - 1;
292 		    cert->public_key, cert->public_key_len);
658 			       struct x509_certificate *cert, const u8 **next)
695 			    &cert->not_before) < 0) {
707 			    &cert->not_after) < 0) {
714 		   (unsigned long) cert->not_before,
715 		   (unsigned long) cert->not_after);
731 static int x509_parse_ext_key_usage(struct x509_certificate *cert,
759 	cert->extensions_present |= X509_EXT_KEY_USAGE;
760 	cert->key_usage = asn1_bit_string_to_long(hdr.payload, hdr.length);
762 	wpa_printf(MSG_DEBUG, "X509: KeyUsage 0x%lx", cert->key_usage);
768 static int x509_parse_ext_basic_constraints(struct x509_certificate *cert,
790 	cert->extensions_present |= X509_EXT_BASIC_CONSTRAINTS;
809 		cert->ca = hdr.payload[0];
813 				   cert->ca);
842 	cert->path_len_constraint = value;
843 	cert->extensions_present |= X509_EXT_PATH_LEN_CONSTRAINT;
847 		   cert->ca, cert->path_len_constraint);
1030 static int x509_parse_ext_subject_alt_name(struct x509_certificate *cert,
1047 	cert->extensions_present |= X509_EXT_SUBJECT_ALT_NAME;
1052 	return x509_parse_ext_alt_name(&cert->subject, hdr.payload,
1057 static int x509_parse_ext_issuer_alt_name(struct x509_certificate *cert,
1074 	cert->extensions_present |= X509_EXT_ISSUER_ALT_NAME;
1079 	return x509_parse_ext_alt_name(&cert->issuer, hdr.payload,
1084 static int x509_parse_extension_data(struct x509_certificate *cert,
1100 		return x509_parse_ext_key_usage(cert, pos, len);
1102 		return x509_parse_ext_subject_alt_name(cert, pos, len);
1104 		return x509_parse_ext_issuer_alt_name(cert, pos, len);
1106 		return x509_parse_ext_basic_constraints(cert, pos, len);
1113 static int x509_parse_extension(struct x509_certificate *cert,
1182 	res = x509_parse_extension_data(cert, &oid, hdr.payload, hdr.length);
1195 static int x509_parse_extensions(struct x509_certificate *cert,
1216 		if (x509_parse_extension(cert, pos, end - pos, &pos)
1226 				      struct x509_certificate *cert,
1280 		cert->version = value;
1281 		if (cert->version != X509_CERT_V1 &&
1282 		    cert->version != X509_CERT_V2 &&
1283 		    cert->version != X509_CERT_V3) {
1285 				   cert->version + 1);
1292 		cert->version = X509_CERT_V1;
1293 	wpa_printf(MSG_MSGDUMP, "X509: Version X.509v%d", cert->version + 1);
1307 		cert->serial_number <<= 8;
1308 		cert->serial_number |= *pos++;
1311 	wpa_printf(MSG_MSGDUMP, "X509: serialNumber %lu", cert->serial_number);
1314 	if (x509_parse_algorithm_identifier(pos, end - pos, &cert->signature,
1319 	if (x509_parse_name(pos, end - pos, &cert->issuer, &pos))
1321 	x509_name_string(&cert->issuer, sbuf, sizeof(sbuf));
1325 	if (x509_parse_validity(pos, end - pos, cert, &pos))
1329 	if (x509_parse_name(pos, end - pos, &cert->subject, &pos))
1331 	x509_name_string(&cert->subject, sbuf, sizeof(sbuf));
1335 	if (x509_parse_public_key(pos, end - pos, cert, &pos))
1341 	if (cert->version == X509_CERT_V1)
1398 	if (cert->version != X509_CERT_V3) {
1401 			   "version 3", cert->version + 1);
1405 	if (x509_parse_extensions(cert, hdr.payload, hdr.length) < 0)
1485 	struct x509_certificate *cert;
1487 	cert = os_zalloc(sizeof(*cert) + len);
1488 	if (cert == NULL)
1490 	os_memcpy(cert + 1, buf, len);
1491 	cert->cert_start = (u8 *) (cert + 1);
1492 	cert->cert_len = len;
1506 		x509_certificate_free(cert);
1512 		x509_certificate_free(cert);
1524 	cert->tbs_cert_start = cert->cert_start + (hash_start - buf);
1525 	if (x509_parse_tbs_certificate(pos, end - pos, cert, &pos)) {
1526 		x509_certificate_free(cert);
1529 	cert->tbs_cert_len = pos - hash_start;
1533 					    &cert->signature_alg, &pos)) {
1534 		x509_certificate_free(cert);
1545 		x509_certificate_free(cert);
1549 		x509_certificate_free(cert);
1560 		x509_certificate_free(cert);
1563 	os_free(cert->sign_value);
1564 	cert->sign_value = os_malloc(hdr.length - 1);
1565 	if (cert->sign_value == NULL) {
1568 		x509_certificate_free(cert);
1571 	os_memcpy(cert->sign_value, pos + 1, hdr.length - 1);
1572 	cert->sign_value_len = hdr.length - 1;
1574 		    cert->sign_value, cert->sign_value_len);
1576 	return cert;
1583  * @cert: Certificate to be verified
1584  * Returns: 0 if cert has a valid signature that was signed by the issuer,
1588 				     struct x509_certificate *cert)
1599 	if (!x509_pkcs_oid(&cert->signature.oid) ||
1600 	    cert->signature.oid.len != 7 ||
1601 	    cert->signature.oid.oid[5] != 1 /* pkcs-1 */) {
1612 	data_len = cert->sign_value_len;
1619 	if (crypto_public_key_decrypt_pkcs1(pk, cert->sign_value,
1620 					    cert->sign_value_len, data,
1683 		if (cert->signature.oid.oid[6] !=
1688 				   cert->signature.oid.oid[6]);
1696 		if (cert->signature.oid.oid[6] !=
1701 				   cert->signature.oid.oid[6]);
1715 		if (cert->signature.oid.oid[6] != 4 /* md5WithRSAEncryption */)
1720 				   cert->signature.oid.oid[6]);
1751 	switch (cert->signature.oid.oid[6]) {
1753 		md5_vector(1, &cert->tbs_cert_start, &cert->tbs_cert_len,
1760 		sha1_vector(1, &cert->tbs_cert_start, &cert->tbs_cert_len,
1767 		sha256_vector(1, &cert->tbs_cert_start, &cert->tbs_cert_len,
1778 			   "algorithm (%lu)", cert->signature.oid.oid[6]);
1800 static int x509_valid_issuer(const struct x509_certificate *cert)
1802 	if ((cert->extensions_present & X509_EXT_BASIC_CONSTRAINTS) &&
1803 	    !cert->ca) {
1809 	if (cert->version == X509_CERT_V3 &&
1810 	    !(cert->extensions_present & X509_EXT_BASIC_CONSTRAINTS)) {
1816 	if ((cert->extensions_present & X509_EXT_KEY_USAGE) &&
1817 	    !(cert->key_usage & X509_KEY_USAGE_KEY_CERT_SIGN)) {
1841 	struct x509_certificate *cert, *trust;
1850 	for (cert = chain, idx = 0; cert; cert = cert->next, idx++) {
1851 		x509_name_string(&cert->subject, buf, sizeof(buf)); 
1858 		    (unsigned long) cert->not_before ||
1860 		    (unsigned long) cert->not_after) {
1863 				   now.sec, cert->not_before, cert->not_after);
1868 		if (cert->next) {
1869 			if (x509_name_compare(&cert->issuer,
1870 					      &cert->next->subject) != 0) {
1873 				x509_name_string(&cert->issuer, buf,
1875 				wpa_printf(MSG_DEBUG, "X509: cert issuer: %s",
1877 				x509_name_string(&cert->next->subject, buf,
1879 				wpa_printf(MSG_DEBUG, "X509: next cert "
1885 			if (x509_valid_issuer(cert->next) < 0) {
1890 			if ((cert->next->extensions_present &
1892 			    idx > cert->next->path_len_constraint) {
1896 					   cert->next->path_len_constraint);
1901 			if (x509_certificate_check_signature(cert->next, cert)
1912 			if (x509_name_compare(&cert->issuer, &trust->subject)
1925 			if (x509_certificate_check_signature(trust, cert) < 0)
1967 	struct x509_certificate *cert;
1969 	for (cert = chain; cert; cert = cert->next) {
1970 		if (x509_name_compare(&cert->subject, name) == 0)
1971 			return cert;
1979  * @cert: Certificate
1982 int x509_certificate_self_signed(struct x509_certificate *cert)
1984 	return x509_name_compare(&cert->issuer, &cert->subject) == 0;

Indexes created Wed Sep 11 23:09:49 MDT 2024