_ Git - BearSSL/blob - tools/certs.c

   1 /*
   2  * Copyright (c) 2016 Thomas Pornin <pornin@bolet.org>
   3  *
   4  * Permission is hereby granted, free of charge, to any person obtaining
   5  * a copy of this software and associated documentation files (the
   6  * "Software"), to deal in the Software without restriction, including
   7  * without limitation the rights to use, copy, modify, merge, publish,
   8  * distribute, sublicense, and/or sell copies of the Software, and to
   9  * permit persons to whom the Software is furnished to do so, subject to
  10  * the following conditions:
  11  *
  12  * The above copyright notice and this permission notice shall be
  13  * included in all copies or substantial portions of the Software.
  14  *
  15  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
  16  * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
  17  * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
  18  * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
  19  * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
  20  * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
  21  * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
  22  * SOFTWARE.
  23  */
  24
  25 #include <stdio.h>
  26 #include <stdlib.h>
  27 #include <string.h>
  28 #include <stdint.h>
  29 #include <errno.h>
  30
  31 #include "brssl.h"
  32
  33 static void
  34 dn_append(void *ctx, const void *buf, size_t len)
  35 {
  36         VEC_ADDMANY(*(bvector *)ctx, buf, len);
  37 }
  38
  39 static int
  40 certificate_to_trust_anchor_inner(br_x509_trust_anchor *ta,
  41         br_x509_certificate *xc)
  42 {
  43         br_x509_decoder_context dc;
  44         bvector vdn = VEC_INIT;
  45         br_x509_pkey *pk;
  46
  47         br_x509_decoder_init(&dc, dn_append, &vdn);
  48         br_x509_decoder_push(&dc, xc->data, xc->data_len);
  49         pk = br_x509_decoder_get_pkey(&dc);
  50         if (pk == NULL) {
  51                 fprintf(stderr, "ERROR: CA decoding failed with error %d\n",
  52                         br_x509_decoder_last_error(&dc));
  53                 VEC_CLEAR(vdn);
  54                 return -1;
  55         }
  56         ta->dn = VEC_TOARRAY(vdn);
  57         ta->dn_len = VEC_LEN(vdn);
  58         VEC_CLEAR(vdn);
  59         ta->flags = 0;
  60         if (br_x509_decoder_isCA(&dc)) {
  61                 ta->flags |= BR_X509_TA_CA;
  62         }
  63         switch (pk->key_type) {
  64         case BR_KEYTYPE_RSA:
  65                 ta->pkey.key_type = BR_KEYTYPE_RSA;
  66                 ta->pkey.key.rsa.n = xblobdup(pk->key.rsa.n, pk->key.rsa.nlen);
  67                 ta->pkey.key.rsa.nlen = pk->key.rsa.nlen;
  68                 ta->pkey.key.rsa.e = xblobdup(pk->key.rsa.e, pk->key.rsa.elen);
  69                 ta->pkey.key.rsa.elen = pk->key.rsa.elen;
  70                 break;
  71         case BR_KEYTYPE_EC:
  72                 ta->pkey.key_type = BR_KEYTYPE_EC;
  73                 ta->pkey.key.ec.curve = pk->key.ec.curve;
  74                 ta->pkey.key.ec.q = xblobdup(pk->key.ec.q, pk->key.ec.qlen);
  75                 ta->pkey.key.ec.qlen = pk->key.ec.qlen;
  76                 break;
  77         default:
  78                 fprintf(stderr, "ERROR: unsupported public key type in CA\n");
  79                 xfree(ta->dn);
  80                 return -1;
  81         }
  82         return 0;
  83 }
  84
  85 /* see brssl.h */
  86 br_x509_trust_anchor *
  87 certificate_to_trust_anchor(br_x509_certificate *xc)
  88 {
  89         br_x509_trust_anchor ta;
  90
  91         if (certificate_to_trust_anchor_inner(&ta, xc) < 0) {
  92                 return NULL;
  93         } else {
  94                 return xblobdup(&ta, sizeof ta);
  95         }
  96 }
  97
  98 /* see brssl.h */
  99 void
 100 free_ta_contents(br_x509_trust_anchor *ta)
 101 {
 102         xfree(ta->dn);
 103         switch (ta->pkey.key_type) {
 104         case BR_KEYTYPE_RSA:
 105                 xfree(ta->pkey.key.rsa.n);
 106                 xfree(ta->pkey.key.rsa.e);
 107                 break;
 108         case BR_KEYTYPE_EC:
 109                 xfree(ta->pkey.key.ec.q);
 110                 break;
 111         }
 112 }
 113
 114 /* see brssl.h */
 115 size_t
 116 read_trust_anchors(anchor_list *dst, const char *fname)
 117 {
 118         br_x509_certificate *xcs;
 119         anchor_list tas = VEC_INIT;
 120         size_t u, num;
 121
 122         xcs = read_certificates(fname, &num);
 123         if (xcs == NULL) {
 124                 return 0;
 125         }
 126         for (u = 0; u < num; u ++) {
 127                 br_x509_trust_anchor ta;
 128
 129                 if (certificate_to_trust_anchor_inner(&ta, &xcs[u]) < 0) {
 130                         VEC_CLEAREXT(tas, free_ta_contents);
 131                         return 0;
 132                 }
 133                 VEC_ADD(tas, ta);
 134         }
 135         VEC_ADDMANY(*dst, &VEC_ELT(tas, 0), num);
 136         VEC_CLEAR(tas);
 137         return num;
 138 }
 139
 140 static void
 141 xwc_start_chain(const br_x509_class **ctx,
 142         unsigned expected_key_type, const char *server_name)
 143 {
 144         x509_noanchor_context *xwc;
 145
 146         xwc = (x509_noanchor_context *)ctx;
 147         (*xwc->inner)->start_chain(xwc->inner,
 148                 expected_key_type, server_name);
 149 }
 150
 151 static void
 152 xwc_start_cert(const br_x509_class **ctx, uint32_t length)
 153 {
 154         x509_noanchor_context *xwc;
 155
 156         xwc = (x509_noanchor_context *)ctx;
 157         (*xwc->inner)->start_cert(xwc->inner, length);
 158 }
 159
 160 static void
 161 xwc_append(const br_x509_class **ctx, const unsigned char *buf, size_t len)
 162 {
 163         x509_noanchor_context *xwc;
 164
 165         xwc = (x509_noanchor_context *)ctx;
 166         (*xwc->inner)->append(xwc->inner, buf, len);
 167 }
 168
 169 static void
 170 xwc_end_cert(const br_x509_class **ctx)
 171 {
 172         x509_noanchor_context *xwc;
 173
 174         xwc = (x509_noanchor_context *)ctx;
 175         (*xwc->inner)->end_cert(xwc->inner);
 176 }
 177
 178 static unsigned
 179 xwc_end_chain(const br_x509_class **ctx)
 180 {
 181         x509_noanchor_context *xwc;
 182         unsigned r;
 183
 184         xwc = (x509_noanchor_context *)ctx;
 185         r = (*xwc->inner)->end_chain(xwc->inner);
 186         if (r == BR_ERR_X509_NOT_TRUSTED) {
 187                 r = 0;
 188         }
 189         return r;
 190 }
 191
 192 static const br_x509_pkey *
 193 xwc_get_pkey(const br_x509_class *const *ctx)
 194 {
 195         x509_noanchor_context *xwc;
 196
 197         xwc = (x509_noanchor_context *)ctx;
 198         return (*xwc->inner)->get_pkey(xwc->inner);
 199 }
 200
 201 /* see brssl.h */
 202 const br_x509_class x509_noanchor_vtable = {
 203         sizeof(x509_noanchor_context),
 204         xwc_start_chain,
 205         xwc_start_cert,
 206         xwc_append,
 207         xwc_end_cert,
 208         xwc_end_chain,
 209         xwc_get_pkey
 210 };
 211
 212 /* see brssl.h */
 213 void
 214 x509_noanchor_init(x509_noanchor_context *xwc, const br_x509_class **inner)
 215 {
 216         xwc->vtable = &x509_noanchor_vtable;
 217         xwc->inner = inner;
 218 }