1/* 2 * Copyright (c) 2003-2006,2008,2010-2012 Apple Inc. All Rights Reserved. 3 * 4 * @APPLE_LICENSE_HEADER_START@ 5 * 6 * This file contains Original Code and/or Modifications of Original Code 7 * as defined in and that are subject to the Apple Public Source License 8 * Version 2.0 (the 'License'). You may not use this file except in 9 * compliance with the License. Please obtain a copy of the License at 10 * http://www.opensource.apple.com/apsl/ and read it before using this 11 * file. 12 * 13 * The Original Code and all software distributed under the License are 14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER 15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, 16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, 17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. 18 * Please see the License for the specific language governing rights and 19 * limitations under the License. 20 * 21 * @APPLE_LICENSE_HEADER_END@ 22 * 23 * X509Templates.c - Common ASN1 templates for use with libNSSDer. 24 */ 25 26#include "SecAsn1Templates.h" 27#include "X509Templates.h" 28#include "keyTemplates.h" 29#include <assert.h> 30#include <stddef.h> 31 32/* 33 * Validity 34 */ 35/* 36 * NSS_Time Template chooser. 
*/
/*
 * Tag-to-template table consulted by NSS_TimeChooser. An X.509 Time is
 * encoded as either GeneralizedTime or UTCTime; the entry whose tag matches
 * supplies the template. The { 0, NULL } row terminates the table.
 */
static const NSS_TagChoice timeChoices[] = {
    { SEC_ASN1_GENERALIZED_TIME, kSecAsn1GeneralizedTimeTemplate },
    { SEC_ASN1_UTC_TIME, kSecAsn1UTCTimeTemplate },
    { 0, NULL }
};

/*
 * Dynamic template chooser used by every SEC_ASN1_DYNAMIC Time entry in this
 * file. It simply forwards to SecAsn1TaggedTemplateChooser with timeChoices;
 * the selection logic (presumably keyed on the element's tag) lives there.
 *
 * @param arg   context passed through to the generic chooser unchanged
 * @param enc   presumably nonzero when encoding, zero when decoding — see
 *              SecAsn1TaggedTemplateChooser
 * @param buf   element bytes handed in by the template engine
 * @param dest  destination the engine will fill for this element
 * @return the GeneralizedTime or UTCTime template, as chosen from timeChoices
 */
static const SecAsn1Template *NSS_TimeChooser(
    void *arg,
    Boolean enc,
    const char *buf,
    void *dest)
{
    return SecAsn1TaggedTemplateChooser(arg, enc, buf, dest, timeChoices);
}

/*
 * SEC_ASN1_DYNAMIC template entries below store &NSS_TimeChooserPtr, i.e. the
 * address of this cell rather than the function itself, in their `sub` slot.
 */
static const SecAsn1TemplateChooserPtr NSS_TimeChooserPtr = NSS_TimeChooser;

/*
 * Validity ::= SEQUENCE { notBefore Time, notAfter Time }
 *
 * Both members are INLINE|DYNAMIC, so each Time value independently resolves
 * to GeneralizedTime or UTCTime via NSS_TimeChooser. The offsets target the
 * `.item` member of each NSS_Time.
 */
const SecAsn1Template kSecAsn1ValidityTemplate[] = {
    { SEC_ASN1_SEQUENCE,
      0, NULL, sizeof(NSS_Validity) },
    { SEC_ASN1_INLINE | SEC_ASN1_DYNAMIC,
      offsetof(NSS_Validity,notBefore.item),
      &NSS_TimeChooserPtr },
    { SEC_ASN1_INLINE | SEC_ASN1_DYNAMIC,
      offsetof(NSS_Validity,notAfter.item),
      &NSS_TimeChooserPtr },
    { 0 }
};

/*
 * X509 cert extension:
 *
 *   Extension ::= SEQUENCE {
 *       extnID    OBJECT IDENTIFIER,
 *       critical  BOOLEAN DEFAULT FALSE,
 *       extnValue OCTET STRING }
 *
 * `critical` is declared OPTIONAL here rather than DEFAULT FALSE (hence the
 * XXX DER_DEFAULT marker). Consequences for callers: an absent field must be
 * interpreted as "not critical", and an explicitly encoded FALSE — which
 * strict DER forbids — appears to be accepted on decode rather than
 * rejected. NOTE(review): confirm consumers treat an empty `critical` as
 * FALSE and that the leniency on decode is intended.
 */
const SecAsn1Template kSecAsn1CertExtensionTemplate[] = {
    { SEC_ASN1_SEQUENCE,
      0, NULL, sizeof(NSS_CertExtension) },
    { SEC_ASN1_OBJECT_ID,
      offsetof(NSS_CertExtension,extnId) },
    { SEC_ASN1_OPTIONAL | SEC_ASN1_BOOLEAN, /* XXX DER_DEFAULT */
      offsetof(NSS_CertExtension,critical) },
    { SEC_ASN1_OCTET_STRING,
      offsetof(NSS_CertExtension,value) },
    { 0, }
};

/* Extensions ::= SEQUENCE OF Extension (used inside EXPLICIT wrappers below) */
const SecAsn1Template kSecAsn1SequenceOfCertExtensionTemplate[] = {
    { SEC_ASN1_SEQUENCE_OF, 0, kSecAsn1CertExtensionTemplate }
};

/*
 * TBS Cert — TBSCertificate as laid out in RFC 5280 section 4.1.
 *
 * The two SEC_ASN1_SAVE entries capture the encoded bytes of the element that
 * follows them (the issuer and subject Name) into derIssuer/derSubject, so the
 * exact DER of each Name stays available alongside the parsed form. Nothing in
 * this template checks that tbs.signature agrees with the outer
 * signatureAlgorithm of the enclosing certificate; that comparison is the
 * verifier's job.
 */
const SecAsn1Template kSecAsn1TBSCertificateTemplate[] = {
    { SEC_ASN1_SEQUENCE,
      0, NULL, sizeof(NSS_TBSCertificate) },
    /* optional version, explicit tag 0, default 0 (v1). Modelled as OPTIONAL,
     * not DEFAULT — see the XXX DER_DEFAULT marker; an absent version means v1. */
    { SEC_ASN1_EXPLICIT | SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED |
      SEC_ASN1_CONTEXT_SPECIFIC | 0, /* XXX DER_DEFAULT */
      offsetof(NSS_TBSCertificate,version),
      kSecAsn1IntegerTemplate },
    /* serial number is SIGNED integer: the raw two's-complement bytes are
     * kept, so a leading 0x00 pad or a negative value survives a round trip */
    { SEC_ASN1_INTEGER | SEC_ASN1_SIGNED_INT,
      offsetof(NSS_TBSCertificate,serialNumber) },
    { SEC_ASN1_INLINE,
      offsetof(NSS_TBSCertificate,signature),
      kSecAsn1AlgorithmIDTemplate },
    /* raw DER of the issuer Name that follows */
    { SEC_ASN1_SAVE, offsetof(NSS_TBSCertificate,derIssuer) },
    { SEC_ASN1_INLINE,
      offsetof(NSS_TBSCertificate,issuer),
      kSecAsn1NameTemplate },
    { SEC_ASN1_INLINE,
      offsetof(NSS_TBSCertificate,validity),
      kSecAsn1ValidityTemplate },
    /* raw DER of the subject Name that follows */
    { SEC_ASN1_SAVE, offsetof(NSS_TBSCertificate,derSubject) },
    { SEC_ASN1_INLINE,
      offsetof(NSS_TBSCertificate,subject),
      kSecAsn1NameTemplate },
    { SEC_ASN1_INLINE,
      offsetof(NSS_TBSCertificate,subjectPublicKeyInfo),
      kSecAsn1SubjectPublicKeyInfoTemplate },
    /* issuerUniqueID [1] IMPLICIT BIT STRING OPTIONAL.
     * NOTE(review): the CONSTRUCTED bit on this and the [2] entry mirrors the
     * upstream NSS certificate template; confirm the decoder also accepts the
     * primitive [1]/[2] encoding that DER produces for an implicitly tagged
     * BIT STRING. */
    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1,
      offsetof(NSS_TBSCertificate,issuerID),
      kSecAsn1BitStringTemplate },
    /* subjectUniqueID [2] IMPLICIT BIT STRING OPTIONAL */
    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 2,
      offsetof(NSS_TBSCertificate,subjectID),
      kSecAsn1BitStringTemplate },
    /* extensions [3] EXPLICIT Extensions OPTIONAL */
    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
      SEC_ASN1_EXPLICIT | 3,
      offsetof(NSS_TBSCertificate,extensions),
      kSecAsn1SequenceOfCertExtensionTemplate },
    { 0 }
};

/*
 * For signing and verifying only, treating the TBS portion as an
 * opaque ASN_ANY blob. Keeping tbsBlob as the bytes actually received means
 * a signature is checked over what was transmitted, never over a re-encoding.
*/
/*
 * Outer SEQUENCE shared by Certificate and CertificateList:
 *
 *   SEQUENCE { tbs ANY, signatureAlgorithm ANY, signature BIT STRING }
 *
 * Only the outer framing is parsed. tbsBlob and signatureAlgorithm are left
 * as SEC_ASN1_ANY, so nothing here validates that tbsBlob is a well-formed
 * TBSCertificate or TBSCertList, or that the algorithm identifier is sane;
 * callers doing signature verification must hash exactly the tbsBlob bytes
 * and decode signatureAlgorithm themselves.
 */
const SecAsn1Template kSecAsn1SignedCertOrCRLTemplate[] =
{
    { SEC_ASN1_SEQUENCE,
      0, NULL, sizeof(NSS_SignedCertOrCRL) },
    { SEC_ASN1_ANY,
      offsetof(NSS_SignedCertOrCRL,tbsBlob) },
    { SEC_ASN1_ANY,
      offsetof(NSS_SignedCertOrCRL,signatureAlgorithm) },
    { SEC_ASN1_BIT_STRING,
      offsetof(NSS_SignedCertOrCRL,signature) },
    { 0 }
};

/*
 * Fully specified signed certificate:
 *
 *   Certificate ::= SEQUENCE {
 *       tbsCertificate     TBSCertificate,
 *       signatureAlgorithm AlgorithmIdentifier,
 *       signature          BIT STRING }
 *
 * Decodes both the outer signatureAlgorithm and tbs.signature; RFC 5280
 * requires the two to match, but a template cannot express that constraint,
 * so the comparison belongs in the verifier.
 */
const SecAsn1Template kSecAsn1SignedCertTemplate[] =
{
    { SEC_ASN1_SEQUENCE,
      0, NULL, sizeof(NSS_Certificate) },
    { SEC_ASN1_INLINE,
      offsetof(NSS_Certificate,tbs),
      kSecAsn1TBSCertificateTemplate },
    { SEC_ASN1_INLINE,
      offsetof(NSS_Certificate,signatureAlgorithm),
      kSecAsn1AlgorithmIDTemplate },
    { SEC_ASN1_BIT_STRING,
      offsetof(NSS_Certificate,signature) },
    { 0 }
};

/*
 * Entry in CRL.revokedCerts:
 *
 *   SEQUENCE {
 *       userCertificate    CertificateSerialNumber,
 *       revocationDate     Time,
 *       crlEntryExtensions Extensions OPTIONAL }
 *
 * The per-entry extensions are a bare SEQUENCE OF Extension (no context tag),
 * unlike the [0] EXPLICIT wrapper used for the CRL-level extensions below.
 */
const SecAsn1Template kSecAsn1RevokedCertTemplate[] = {
    { SEC_ASN1_SEQUENCE,
      0, NULL, sizeof(NSS_RevokedCert) },
    /* serial number - signed integer, just like in the actual cert; keeping
     * the raw signed bytes lets the value be compared byte-for-byte against
     * the serialNumber decoded from a certificate */
    { SEC_ASN1_INTEGER | SEC_ASN1_SIGNED_INT,
      offsetof(NSS_RevokedCert,userCertificate) },
    /* revocationDate: GeneralizedTime or UTCTime, chosen per value */
    { SEC_ASN1_INLINE | SEC_ASN1_DYNAMIC,
      offsetof(NSS_RevokedCert,revocationDate.item),
      &NSS_TimeChooserPtr },
    { SEC_ASN1_OPTIONAL | SEC_ASN1_SEQUENCE_OF,
      offsetof(NSS_RevokedCert,extensions),
      kSecAsn1CertExtensionTemplate },
    { 0, }
};

/* SEQUENCE OF revoked-certificate entries (standalone form of the above) */
const SecAsn1Template kSecAsn1SequenceOfRevokedCertTemplate[] = {
    { SEC_ASN1_SEQUENCE_OF, 0, kSecAsn1RevokedCertTemplate }
};

/*
 * NSS_TBSCrl (unsigned CRL) — TBSCertList per RFC 5280 section 5.1.
 *
 * Note the differences from TBSCertificate: version is a bare OPTIONAL
 * INTEGER (no [0] EXPLICIT tag), and the CRL-level extensions sit under
 * context tag [0] rather than [3]. As with the certificate template, the
 * SEC_ASN1_SAVE entry captures the raw DER of the issuer Name that follows.
 * The template accepts a present-but-empty revokedCertificates sequence even
 * though RFC 5280 says an empty list must be omitted; that strictness, if
 * wanted, has to be enforced by the caller.
 */
const SecAsn1Template kSecAsn1TBSCrlTemplate[] = {
    { SEC_ASN1_SEQUENCE,
      0, NULL, sizeof(NSS_TBSCrl) },
    /* optional version, default 0. Absent means v1; RFC 5280 requires v2
     * whenever any extension is present — a rule the template does not check. */
    { SEC_ASN1_INTEGER | SEC_ASN1_OPTIONAL, offsetof (NSS_TBSCrl, version) },
    { SEC_ASN1_INLINE,
      offsetof(NSS_TBSCrl,signature),
      kSecAsn1AlgorithmIDTemplate },
    /* raw DER of the issuer Name that follows */
    { SEC_ASN1_SAVE, offsetof(NSS_TBSCrl,derIssuer) },
    { SEC_ASN1_INLINE,
      offsetof(NSS_TBSCrl,issuer),
      kSecAsn1NameTemplate },
    { SEC_ASN1_INLINE | SEC_ASN1_DYNAMIC,
      offsetof(NSS_TBSCrl,thisUpdate.item),
      &NSS_TimeChooserPtr },
    /* nextUpdate Time OPTIONAL.
     * NOTE(review): this entry names `nextUpdate` where every sibling Time
     * entry in this file names `<field>.item`. The two offsets coincide only
     * if `item` is the first member of NSS_Time — confirm against the header
     * and consider using nextUpdate.item for consistency. */
    { SEC_ASN1_INLINE | SEC_ASN1_DYNAMIC | SEC_ASN1_OPTIONAL,
      offsetof(NSS_TBSCrl,nextUpdate),
      &NSS_TimeChooserPtr },
    /* revokedCertificates SEQUENCE OF ... OPTIONAL */
    { SEC_ASN1_OPTIONAL | SEC_ASN1_SEQUENCE_OF,
      offsetof(NSS_TBSCrl,revokedCerts),
      kSecAsn1RevokedCertTemplate },
    /* crlExtensions [0] EXPLICIT Extensions OPTIONAL */
    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
      SEC_ASN1_EXPLICIT | 0,
      offsetof(NSS_TBSCrl,extensions),
      kSecAsn1SequenceOfCertExtensionTemplate },
    { 0, }
};

/*
 * Fully specified signed CRL:
 *
 *   CertificateList ::= SEQUENCE {
 *       tbsCertList        TBSCertList,
 *       signatureAlgorithm AlgorithmIdentifier,
 *       signature          BIT STRING }
 *
 * Same shape as kSecAsn1SignedCertTemplate with the TBS replaced; the
 * outer/inner AlgorithmIdentifier match is likewise left to the verifier.
 */
const SecAsn1Template kSecAsn1SignedCrlTemplate[] =
{
    { SEC_ASN1_SEQUENCE,
      0, NULL, sizeof(NSS_Crl) },
    { SEC_ASN1_INLINE,
      offsetof(NSS_Crl,tbs),
      kSecAsn1TBSCrlTemplate },
    { SEC_ASN1_INLINE,
      offsetof(NSS_Crl,signatureAlgorithm),
      kSecAsn1AlgorithmIDTemplate },
    { SEC_ASN1_BIT_STRING,
      offsetof(NSS_Crl,signature) },
    { 0 }
};