1/*
2 * Copyright (c) 2003-2006,2008,2010-2012 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 *
23 * X509Templates.c - Common ASN1 templates for use with libNSSDer.
24 */
25
26#include "SecAsn1Templates.h"
27#include "X509Templates.h"
28#include "keyTemplates.h"
29#include <assert.h>
30#include <stddef.h>
31
32/*
33 * Validity
34 */
35/*
36 * NSS_Time Template chooser.
37 */
38static const NSS_TagChoice timeChoices[] = {
39	{ SEC_ASN1_GENERALIZED_TIME, kSecAsn1GeneralizedTimeTemplate} ,
40	{ SEC_ASN1_UTC_TIME, kSecAsn1UTCTimeTemplate },
41	{ 0, NULL}
42};
43
44static const SecAsn1Template * NSS_TimeChooser(
45	void *arg,
46	Boolean enc,
47	const char *buf,
48	void *dest)
49{
50	return SecAsn1TaggedTemplateChooser(arg, enc, buf, dest, timeChoices);
51}
52
53static const SecAsn1TemplateChooserPtr NSS_TimeChooserPtr = NSS_TimeChooser;
54
55const SecAsn1Template kSecAsn1ValidityTemplate[] = {
56    { SEC_ASN1_SEQUENCE,
57	  0, NULL, sizeof(NSS_Validity) },
58    { SEC_ASN1_INLINE | SEC_ASN1_DYNAMIC,
59	  offsetof(NSS_Validity,notBefore.item),
60	  &NSS_TimeChooserPtr },
61    { SEC_ASN1_INLINE | SEC_ASN1_DYNAMIC,
62	  offsetof(NSS_Validity,notAfter.item),
63	  &NSS_TimeChooserPtr },
64    { 0 }
65};
66
67/* X509 cert extension */
68const SecAsn1Template kSecAsn1CertExtensionTemplate[] = {
69    { SEC_ASN1_SEQUENCE,
70	  0, NULL, sizeof(NSS_CertExtension) },
71    { SEC_ASN1_OBJECT_ID,
72	  offsetof(NSS_CertExtension,extnId) },
73    { SEC_ASN1_OPTIONAL | SEC_ASN1_BOOLEAN,		/* XXX DER_DEFAULT */
74	  offsetof(NSS_CertExtension,critical) },
75    { SEC_ASN1_OCTET_STRING,
76	  offsetof(NSS_CertExtension,value) },
77    { 0, }
78};
79
80const SecAsn1Template kSecAsn1SequenceOfCertExtensionTemplate[] = {
81    { SEC_ASN1_SEQUENCE_OF, 0, kSecAsn1CertExtensionTemplate }
82};
83
84/* TBS Cert */
85const SecAsn1Template kSecAsn1TBSCertificateTemplate[] = {
86    { SEC_ASN1_SEQUENCE,
87      0, NULL, sizeof(NSS_TBSCertificate) },
88	/* optional version, explicit tag 0, default 0 */
89    { SEC_ASN1_EXPLICIT | SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED |
90	  SEC_ASN1_CONTEXT_SPECIFIC | 0, 		/* XXX DER_DEFAULT */
91	  offsetof(NSS_TBSCertificate,version),
92	  kSecAsn1IntegerTemplate },
93	/* serial number is SIGNED integer */
94    { SEC_ASN1_INTEGER | SEC_ASN1_SIGNED_INT,
95	  offsetof(NSS_TBSCertificate,serialNumber) },
96    { SEC_ASN1_INLINE,
97	  offsetof(NSS_TBSCertificate,signature),
98	  kSecAsn1AlgorithmIDTemplate },
99	{ SEC_ASN1_SAVE, offsetof(NSS_TBSCertificate,derIssuer) },
100    { SEC_ASN1_INLINE,
101	  offsetof(NSS_TBSCertificate,issuer),
102	  kSecAsn1NameTemplate },
103    { SEC_ASN1_INLINE,
104	  offsetof(NSS_TBSCertificate,validity),
105	  kSecAsn1ValidityTemplate },
106	{ SEC_ASN1_SAVE, offsetof(NSS_TBSCertificate,derSubject) },
107    { SEC_ASN1_INLINE,
108	  offsetof(NSS_TBSCertificate,subject),
109	  kSecAsn1NameTemplate },
110    { SEC_ASN1_INLINE,
111	  offsetof(NSS_TBSCertificate,subjectPublicKeyInfo),
112	  kSecAsn1SubjectPublicKeyInfoTemplate },
113    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1,
114	  offsetof(NSS_TBSCertificate,issuerID),
115	  kSecAsn1BitStringTemplate },
116    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 2,
117	  offsetof(NSS_TBSCertificate,subjectID),
118	  kSecAsn1BitStringTemplate },
119    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
120			SEC_ASN1_EXPLICIT | 3,
121	  offsetof(NSS_TBSCertificate,extensions),
122	  kSecAsn1SequenceOfCertExtensionTemplate },
123    { 0 }
124};
125
126/*
127 * For signing and verifying only, treating the TBS portion as an
128 * opaque ASN_ANY blob.
129 */
130const SecAsn1Template kSecAsn1SignedCertOrCRLTemplate[] =
131{
132    { SEC_ASN1_SEQUENCE,
133	  0, NULL, sizeof(NSS_SignedCertOrCRL) },
134    { SEC_ASN1_ANY,
135	  offsetof(NSS_SignedCertOrCRL,tbsBlob) },
136    { SEC_ASN1_ANY,
137	  offsetof(NSS_SignedCertOrCRL,signatureAlgorithm) },
138    { SEC_ASN1_BIT_STRING,
139	  offsetof(NSS_SignedCertOrCRL,signature) },
140    { 0 }
141};
142
143/* Fully specified signed certificate */
144const SecAsn1Template kSecAsn1SignedCertTemplate[] =
145{
146    { SEC_ASN1_SEQUENCE,
147	  0, NULL, sizeof(NSS_Certificate) },
148    { SEC_ASN1_INLINE,
149	  offsetof(NSS_Certificate,tbs),
150	  kSecAsn1TBSCertificateTemplate },
151    { SEC_ASN1_INLINE,
152	  offsetof(NSS_Certificate,signatureAlgorithm),
153	  kSecAsn1AlgorithmIDTemplate },
154    { SEC_ASN1_BIT_STRING,
155	  offsetof(NSS_Certificate,signature) },
156    { 0 }
157};
158
159/* Entry in CRL.revokedCerts */
160const SecAsn1Template kSecAsn1RevokedCertTemplate[] = {
161    { SEC_ASN1_SEQUENCE,
162	  0, NULL, sizeof(NSS_RevokedCert) },
163	  /* serial number - signed itneger, just like in the actual cert */
164    { SEC_ASN1_INTEGER | SEC_ASN1_SIGNED_INT,
165	  offsetof(NSS_RevokedCert,userCertificate) },
166    { SEC_ASN1_INLINE | SEC_ASN1_DYNAMIC,
167	  offsetof(NSS_RevokedCert,revocationDate.item),
168	  &NSS_TimeChooserPtr },
169    { SEC_ASN1_OPTIONAL | SEC_ASN1_SEQUENCE_OF,
170	  offsetof(NSS_RevokedCert,extensions),
171	  kSecAsn1CertExtensionTemplate },
172    { 0, }
173};
174
175const SecAsn1Template kSecAsn1SequenceOfRevokedCertTemplate[] = {
176    { SEC_ASN1_SEQUENCE_OF, 0, kSecAsn1RevokedCertTemplate }
177};
178
179/* NSS_TBSCrl (unsigned CRL) */
180const SecAsn1Template kSecAsn1TBSCrlTemplate[] = {
181    { SEC_ASN1_SEQUENCE,
182      0, NULL, sizeof(NSS_TBSCrl) },
183	/* optional version, default 0 */
184    { SEC_ASN1_INTEGER | SEC_ASN1_OPTIONAL, offsetof (NSS_TBSCrl, version) },
185    { SEC_ASN1_INLINE,
186	  offsetof(NSS_TBSCrl,signature),
187	  kSecAsn1AlgorithmIDTemplate },
188	{ SEC_ASN1_SAVE, offsetof(NSS_TBSCrl,derIssuer) },
189    { SEC_ASN1_INLINE,
190	  offsetof(NSS_TBSCrl,issuer),
191	  kSecAsn1NameTemplate },
192    { SEC_ASN1_INLINE | SEC_ASN1_DYNAMIC,
193	  offsetof(NSS_TBSCrl,thisUpdate.item),
194	  &NSS_TimeChooserPtr },
195    { SEC_ASN1_INLINE | SEC_ASN1_DYNAMIC | SEC_ASN1_OPTIONAL,
196	  offsetof(NSS_TBSCrl,nextUpdate),
197	  &NSS_TimeChooserPtr },
198    { SEC_ASN1_OPTIONAL | SEC_ASN1_SEQUENCE_OF,
199	  offsetof(NSS_TBSCrl,revokedCerts),
200	  kSecAsn1RevokedCertTemplate },
201    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
202			SEC_ASN1_EXPLICIT | 0,
203	  offsetof(NSS_TBSCrl,extensions),
204	  kSecAsn1SequenceOfCertExtensionTemplate },
205    { 0, }
206};
207
208/* Fully specified signed CRL */
209const SecAsn1Template kSecAsn1SignedCrlTemplate[] =
210{
211    { SEC_ASN1_SEQUENCE,
212	  0, NULL, sizeof(NSS_Crl) },
213    { SEC_ASN1_INLINE,
214	  offsetof(NSS_Crl,tbs),
215	  kSecAsn1TBSCrlTemplate },
216    { SEC_ASN1_INLINE,
217	  offsetof(NSS_Crl,signatureAlgorithm),
218	  kSecAsn1AlgorithmIDTemplate },
219    { SEC_ASN1_BIT_STRING,
220	  offsetof(NSS_Crl,signature) },
221    { 0 }
222};
223