43  * @cert: Certificate to be freed
45 void x509_certificate_free(struct x509_certificate *cert)
47 	if (cert == NULL)
49 	if (cert->next) {
52 			   cert, cert->next);
54 	x509_free_name(&cert->issuer);
55 	x509_free_name(&cert->subject);
56 	os_free(cert->public_key);
57 	os_free(cert->sign_value);
58 	os_free(cert->subject_dn);
59 	os_free(cert);
65  * @cert: Pointer to the first certificate in the chain
67 void x509_certificate_chain_free(struct x509_certificate *cert)
71 	while (cert) {
72 		next = cert->next;
73 		cert->next = NULL;
74 		x509_certificate_free(cert);
75 		cert = next;
220 				 struct x509_certificate *cert,
252 					    &cert->public_key_alg, &pos))
276 	os_free(cert->public_key);
277 	cert->public_key = os_memdup(pos + 1, hdr.length - 1);
278 	if (cert->public_key == NULL) {
283 	cert->public_key_len = hdr.length - 1;
285 		    cert->public_key, cert->public_key_len);
693 			       struct x509_certificate *cert, const u8 **next)
730 			    &cert->not_before) < 0) {
742 			    &cert->not_after) < 0) {
749 		   (unsigned long) cert->not_before,
750 		   (unsigned long) cert->not_after);
775 static int x509_parse_ext_key_usage(struct x509_certificate *cert,
803 	cert->extensions_present |= X509_EXT_KEY_USAGE;
804 	cert->key_usage = asn1_bit_string_to_long(hdr.payload, hdr.length);
806 	wpa_printf(MSG_DEBUG, "X509: KeyUsage 0x%lx", cert->key_usage);
812 static int x509_parse_ext_basic_constraints(struct x509_certificate *cert,
835 	cert->extensions_present |= X509_EXT_BASIC_CONSTRAINTS;
849 		cert->ca = hdr.payload[0];
855 				   cert->ca);
882 	cert->path_len_constraint = value;
883 	cert->extensions_present |= X509_EXT_PATH_LEN_CONSTRAINT;
887 		   cert->ca, cert->path_len_constraint);
1069 static int x509_parse_ext_subject_alt_name(struct x509_certificate *cert,
1086 	cert->extensions_present |= X509_EXT_SUBJECT_ALT_NAME;
1091 	return x509_parse_ext_alt_name(&cert->subject, hdr.payload,
1096 static int x509_parse_ext_issuer_alt_name(struct x509_certificate *cert,
1113 	cert->extensions_present |= X509_EXT_ISSUER_ALT_NAME;
1118 	return x509_parse_ext_alt_name(&cert->issuer, hdr.payload,
1172 static int x509_parse_ext_ext_key_usage(struct x509_certificate *cert,
1207 			cert->ext_key_usage |= X509_EXT_KEY_USAGE_ANY;
1210 			cert->ext_key_usage |= X509_EXT_KEY_USAGE_SERVER_AUTH;
1213 			cert->ext_key_usage |= X509_EXT_KEY_USAGE_CLIENT_AUTH;
1216 			cert->ext_key_usage |= X509_EXT_KEY_USAGE_OCSP;
1223 	cert->extensions_present |= X509_EXT_EXT_KEY_USAGE;
1229 static int x509_parse_extension_data(struct x509_certificate *cert,
1244 		return x509_parse_ext_key_usage(cert, pos, len);
1246 		return x509_parse_ext_subject_alt_name(cert, pos, len);
1248 		return x509_parse_ext_issuer_alt_name(cert, pos, len);
1250 		return x509_parse_ext_basic_constraints(cert, pos, len);
1252 		return x509_parse_ext_ext_key_usage(cert, pos, len);
1259 static int x509_parse_extension(struct x509_certificate *cert,
1323 	res = x509_parse_extension_data(cert, &oid, hdr.payload, hdr.length);
1336 static int x509_parse_extensions(struct x509_certificate *cert,
1357 		if (x509_parse_extension(cert, pos, end - pos, &pos)
1367 				      struct x509_certificate *cert,
1422 		cert->version = value;
1423 		if (cert->version != X509_CERT_V1 &&
1424 		    cert->version != X509_CERT_V2 &&
1425 		    cert->version != X509_CERT_V3) {
1427 				   cert->version + 1);
1434 		cert->version = X509_CERT_V1;
1435 	wpa_printf(MSG_MSGDUMP, "X509: Version X.509v%d", cert->version + 1);
1452 	os_memcpy(cert->serial_number, hdr.payload, hdr.length);
1453 	cert->serial_number_len = hdr.length;
1454 	wpa_hexdump(MSG_MSGDUMP, "X509: serialNumber", cert->serial_number,
1455 		    cert->serial_number_len);
1458 	if (x509_parse_algorithm_identifier(pos, end - pos, &cert->signature,
1463 	if (x509_parse_name(pos, end - pos, &cert->issuer, &pos))
1465 	x509_name_string(&cert->issuer, sbuf, sizeof(sbuf));
1469 	if (x509_parse_validity(pos, end - pos, cert, &pos))
1474 	if (x509_parse_name(pos, end - pos, &cert->subject, &pos))
1476 	cert->subject_dn = os_malloc(pos - subject_dn);
1477 	if (!cert->subject_dn)
1479 	cert->subject_dn_len = pos - subject_dn;
1480 	os_memcpy(cert->subject_dn, subject_dn, cert->subject_dn_len);
1481 	x509_name_string(&cert->subject, sbuf, sizeof(sbuf));
1485 	if (x509_parse_public_key(pos, end - pos, cert, &pos))
1491 	if (cert->version == X509_CERT_V1)
1550 	if (cert->version != X509_CERT_V3) {
1553 			   "version 3", cert->version + 1);
1557 	if (x509_parse_extensions(cert, hdr.payload, hdr.length) < 0)
1657 	struct x509_certificate *cert;
1659 	cert = os_zalloc(sizeof(*cert) + len);
1660 	if (cert == NULL)
1662 	os_memcpy(cert + 1, buf, len);
1663 	cert->cert_start = (u8 *) (cert + 1);
1664 	cert->cert_len = len;
1678 		x509_certificate_free(cert);
1684 		x509_certificate_free(cert);
1696 	cert->tbs_cert_start = cert->cert_start + (hash_start - buf);
1697 	if (x509_parse_tbs_certificate(pos, end - pos, cert, &pos)) {
1698 		x509_certificate_free(cert);
1701 	cert->tbs_cert_len = pos - hash_start;
1705 					    &cert->signature_alg, &pos)) {
1706 		x509_certificate_free(cert);
1717 		x509_certificate_free(cert);
1721 		x509_certificate_free(cert);
1732 		x509_certificate_free(cert);
1735 	os_free(cert->sign_value);
1736 	cert->sign_value = os_memdup(pos + 1, hdr.length - 1);
1737 	if (cert->sign_value == NULL) {
1740 		x509_certificate_free(cert);
1743 	cert->sign_value_len = hdr.length - 1;
1745 		    cert->sign_value, cert->sign_value_len);
1747 	return cert;
1754  * @cert: Certificate to be verified
1755  * Returns: 0 if cert has a valid signature that was signed by the issuer,
1759 				     struct x509_certificate *cert)
1761 	return x509_check_signature(issuer, &cert->signature,
1762 				    cert->sign_value, cert->sign_value_len,
1763 				    cert->tbs_cert_start, cert->tbs_cert_len);
2022 static int x509_valid_issuer(const struct x509_certificate *cert)
2024 	if ((cert->extensions_present & X509_EXT_BASIC_CONSTRAINTS) &&
2025 	    !cert->ca) {
2031 	if (cert->version == X509_CERT_V3 &&
2032 	    !(cert->extensions_present & X509_EXT_BASIC_CONSTRAINTS)) {
2038 	if ((cert->extensions_present & X509_EXT_KEY_USAGE) &&
2039 	    !(cert->key_usage & X509_KEY_USAGE_KEY_CERT_SIGN)) {
2063 	struct x509_certificate *cert, *trust;
2072 	for (cert = chain, idx = 0; cert; cert = cert->next, idx++) {
2073 		cert->issuer_trusted = 0;
2074 		x509_name_string(&cert->subject, buf, sizeof(buf));
2082 		     (unsigned long) cert->not_before ||
2084 		     (unsigned long) cert->not_after)) {
2087 				   now.sec, cert->not_before, cert->not_after);
2092 		if (cert->next) {
2093 			if (x509_name_compare(&cert->issuer,
2094 					      &cert->next->subject) != 0) {
2097 				x509_name_string(&cert->issuer, buf,
2099 				wpa_printf(MSG_DEBUG, "X509: cert issuer: %s",
2101 				x509_name_string(&cert->next->subject, buf,
2103 				wpa_printf(MSG_DEBUG, "X509: next cert "
2109 			if (x509_valid_issuer(cert->next) < 0) {
2114 			if ((cert->next->extensions_present &
2116 			    idx > cert->next->path_len_constraint) {
2120 					   cert->next->path_len_constraint);
2125 			if (x509_certificate_check_signature(cert->next, cert)
2136 			if (x509_name_compare(&cert->issuer, &trust->subject)
2149 			if (x509_certificate_check_signature(trust, cert) < 0)
2159 			cert->issuer_trusted = 1;
2192 	struct x509_certificate *cert;
2194 	for (cert = chain; cert; cert = cert->next) {
2195 		if (x509_name_compare(&cert->subject, name) == 0)
2196 			return cert;
2204  * @cert: Certificate
2207 int x509_certificate_self_signed(struct x509_certificate *cert)
2209 	return x509_name_compare(&cert->issuer, &cert->subject) == 0;

Indexes created Thu Jun 20 12:38:36 MDT 2024