2 * Copyright (c) 2004 - 2009 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
38 * @page page_name PKIX/X.509 Names
40 * There are several names in PKIX/X.509, GeneralName and Name.
42 * A Name consists of an ordered list of Relative Distinguished Names
43 * (RDN). Each RDN consists of an unordered list of typed strings. The
44 * types are defined by OID and have long and short description. For
45 * example id-at-commonName (2.5.4.3) have the long name CommonName
46 * and short name CN. The string itself can be of serveral encoding,
47 * UTF8, UTF16, Teltex string, etc. The type limit what encoding
50 * GeneralName is a broader nametype that can contains al kind of
51 * stuff like Name, IP addresses, partial Name, etc.
53 * Name is mapped into a hx509_name object.
55 * Parse and string name into a hx509_name object with hx509_parse_name(),
56 * make it back into string representation with hx509_name_to_string().
58 * Name string are defined rfc2253, rfc1779 and X.501.
60 * See the library functions here: @ref hx509_name
66 wind_profile_flags flags;
68 { "C", &asn1_oid_id_at_countryName },
69 { "CN", &asn1_oid_id_at_commonName },
70 { "DC", &asn1_oid_id_domainComponent },
71 { "L", &asn1_oid_id_at_localityName },
72 { "O", &asn1_oid_id_at_organizationName },
73 { "OU", &asn1_oid_id_at_organizationalUnitName },
74 { "S", &asn1_oid_id_at_stateOrProvinceName },
75 { "STREET", &asn1_oid_id_at_streetAddress },
76 { "UID", &asn1_oid_id_Userid },
77 { "emailAddress", &asn1_oid_id_pkcs9_emailAddress },
78 { "serialNumber", &asn1_oid_id_at_serialNumber }
82 quote_string(const char *f, size_t len, size_t *rlen)
93 for (i = 0, j = 0; i < len; i++) {
94 if (from[i] == ' ' && i + 1 < len)
96 else if (from[i] == ',' || from[i] == '=' || from[i] == '+' ||
97 from[i] == '<' || from[i] == '>' || from[i] == '#' ||
98 from[i] == ';' || from[i] == ' ')
102 } else if (((unsigned char)from[i]) >= 32 && ((unsigned char)from[i]) <= 127) {
105 int l = snprintf(&to[j], tolen - j - 1,
106 "#%02x", (unsigned char)from[i]);
118 append_string(char **str, size_t *total_len, const char *ss,
119 size_t len, int quote)
124 qs = quote_string(ss, len, &len);
128 s = realloc(*str, len + *total_len + 1);
130 _hx509_abort("allocation failure"); /* XXX */
131 memcpy(s + *total_len, qs, len);
134 s[*total_len + len] = '\0';
141 oidtostring(const heim_oid *type)
146 for (i = 0; i < sizeof(no)/sizeof(no[0]); i++) {
147 if (der_heim_oid_cmp(no[i].o, type) == 0)
148 return strdup(no[i].n);
150 if (der_print_heim_oid(type, '.', &s) != 0)
156 stringtooid(const char *name, size_t len, heim_oid *oid)
161 memset(oid, 0, sizeof(*oid));
163 for (i = 0; i < sizeof(no)/sizeof(no[0]); i++) {
164 if (strncasecmp(no[i].n, name, len) == 0)
165 return der_copy_oid(no[i].o, oid);
170 memcpy(s, name, len);
172 ret = der_parse_heim_oid(s, ".", oid);
178 * Convert the hx509 name object into a printable string.
179 * The resulting string should be freed with free().
181 * @param name name to print
182 * @param str the string to return
184 * @return An hx509 error code, see hx509_get_error_string().
186 * @ingroup hx509_name
190 hx509_name_to_string(const hx509_name name, char **str)
192 return _hx509_Name_to_string(&name->der_name, str);
196 _hx509_Name_to_string(const Name *n, char **str)
198 size_t total_len = 0;
205 for (i = n->u.rdnSequence.len - 1 ; i >= 0 ; i--) {
208 for (j = 0; j < n->u.rdnSequence.val[i].len; j++) {
209 DirectoryString *ds = &n->u.rdnSequence.val[i].val[j].value;
213 oidname = oidtostring(&n->u.rdnSequence.val[i].val[j].type);
215 switch(ds->element) {
216 case choice_DirectoryString_ia5String:
217 ss = ds->u.ia5String;
219 case choice_DirectoryString_printableString:
220 ss = ds->u.printableString;
222 case choice_DirectoryString_utf8String:
223 ss = ds->u.utf8String;
225 case choice_DirectoryString_bmpString: {
226 const uint16_t *bmp = ds->u.bmpString.data;
227 size_t bmplen = ds->u.bmpString.length;
230 ret = wind_ucs2utf8_length(bmp, bmplen, &k);
236 _hx509_abort("allocation failure"); /* XXX */
237 ret = wind_ucs2utf8(bmp, bmplen, ss, NULL);
245 case choice_DirectoryString_teletexString:
246 ss = malloc(ds->u.teletexString.length + 1);
248 _hx509_abort("allocation failure"); /* XXX */
249 memcpy(ss, ds->u.teletexString.data, ds->u.teletexString.length);
250 ss[ds->u.teletexString.length] = '\0';
252 case choice_DirectoryString_universalString: {
253 const uint32_t *uni = ds->u.universalString.data;
254 size_t unilen = ds->u.universalString.length;
257 ret = wind_ucs4utf8_length(uni, unilen, &k);
263 _hx509_abort("allocation failure"); /* XXX */
264 ret = wind_ucs4utf8(uni, unilen, ss, NULL);
273 _hx509_abort("unknown directory type: %d", ds->element);
276 append_string(str, &total_len, oidname, strlen(oidname), 0);
278 append_string(str, &total_len, "=", 1, 0);
280 append_string(str, &total_len, ss, len, 1);
281 if (ds->element == choice_DirectoryString_universalString ||
282 ds->element == choice_DirectoryString_bmpString ||
283 ds->element == choice_DirectoryString_teletexString)
287 if (j + 1 < n->u.rdnSequence.val[i].len)
288 append_string(str, &total_len, "+", 1, 0);
292 append_string(str, &total_len, ",", 1, 0);
297 #define COPYCHARARRAY(_ds,_el,_l,_n) \
298 (_l) = strlen(_ds->u._el); \
299 (_n) = malloc((_l) * sizeof((_n)[0])); \
302 for (i = 0; i < (_l); i++) \
303 (_n)[i] = _ds->u._el[i]
306 #define COPYVALARRAY(_ds,_el,_l,_n) \
307 (_l) = _ds->u._el.length; \
308 (_n) = malloc((_l) * sizeof((_n)[0])); \
311 for (i = 0; i < (_l); i++) \
312 (_n)[i] = _ds->u._el.data[i]
314 #define COPYVOIDARRAY(_ds,_el,_l,_n) \
315 (_l) = _ds->u._el.length; \
316 (_n) = malloc((_l) * sizeof((_n)[0])); \
319 for (i = 0; i < (_l); i++) \
320 (_n)[i] = ((unsigned char *)_ds->u._el.data)[i]
325 dsstringprep(const DirectoryString *ds, uint32_t **rname, size_t *rlen)
327 wind_profile_flags flags = 0;
335 switch(ds->element) {
336 case choice_DirectoryString_ia5String:
337 COPYCHARARRAY(ds, ia5String, len, name);
339 case choice_DirectoryString_printableString:
340 flags = WIND_PROFILE_LDAP_CASE_EXACT_ATTRIBUTE;
341 COPYCHARARRAY(ds, printableString, len, name);
343 case choice_DirectoryString_teletexString:
344 COPYVOIDARRAY(ds, teletexString, len, name);
346 case choice_DirectoryString_bmpString:
347 COPYVALARRAY(ds, bmpString, len, name);
349 case choice_DirectoryString_universalString:
350 COPYVALARRAY(ds, universalString, len, name);
352 case choice_DirectoryString_utf8String:
353 ret = wind_utf8ucs4_length(ds->u.utf8String, &len);
356 name = malloc(len * sizeof(name[0]));
359 ret = wind_utf8ucs4(ds->u.utf8String, name, &len);
366 _hx509_abort("unknown directory type: %d", ds->element);
370 /* try a couple of times to get the length right, XXX gross */
371 for (i = 0; i < 4; i++) {
373 *rname = malloc(*rlen * sizeof((*rname)[0]));
375 ret = wind_stringprep(name, len, *rname, rlen,
376 WIND_PROFILE_LDAP|flags);
377 if (ret == WIND_ERR_OVERRUN) {
397 _hx509_name_ds_cmp(const DirectoryString *ds1,
398 const DirectoryString *ds2,
401 uint32_t *ds1lp, *ds2lp;
402 size_t ds1len, ds2len, i;
405 ret = dsstringprep(ds1, &ds1lp, &ds1len);
408 ret = dsstringprep(ds2, &ds2lp, &ds2len);
414 if (ds1len != ds2len)
415 *diff = ds1len - ds2len;
417 for (i = 0; i < ds1len; i++) {
418 *diff = ds1lp[i] - ds2lp[i];
430 _hx509_name_cmp(const Name *n1, const Name *n2, int *c)
434 *c = n1->u.rdnSequence.len - n2->u.rdnSequence.len;
438 for (i = 0 ; i < n1->u.rdnSequence.len; i++) {
439 *c = n1->u.rdnSequence.val[i].len - n2->u.rdnSequence.val[i].len;
443 for (j = 0; j < n1->u.rdnSequence.val[i].len; j++) {
444 *c = der_heim_oid_cmp(&n1->u.rdnSequence.val[i].val[j].type,
445 &n1->u.rdnSequence.val[i].val[j].type);
449 ret = _hx509_name_ds_cmp(&n1->u.rdnSequence.val[i].val[j].value,
450 &n2->u.rdnSequence.val[i].val[j].value,
463 * Compare to hx509 name object, useful for sorting.
465 * @param n1 a hx509 name object.
466 * @param n2 a hx509 name object.
468 * @return 0 the objects are the same, returns > 0 is n2 is "larger"
469 * then n2, < 0 if n1 is "smaller" then n2.
471 * @ingroup hx509_name
475 hx509_name_cmp(hx509_name n1, hx509_name n2)
478 ret = _hx509_name_cmp(&n1->der_name, &n2->der_name, &diff);
486 _hx509_name_from_Name(const Name *n, hx509_name *name)
489 *name = calloc(1, sizeof(**name));
492 ret = copy_Name(n, &(*name)->der_name);
501 _hx509_name_modify(hx509_context context,
507 RelativeDistinguishedName *rdn;
511 ptr = realloc(name->u.rdnSequence.val,
512 sizeof(name->u.rdnSequence.val[0]) *
513 (name->u.rdnSequence.len + 1));
515 hx509_set_error_string(context, 0, ENOMEM, "Out of memory");
518 name->u.rdnSequence.val = ptr;
521 rdn = &name->u.rdnSequence.val[name->u.rdnSequence.len];
523 memmove(&name->u.rdnSequence.val[1],
524 &name->u.rdnSequence.val[0],
525 name->u.rdnSequence.len *
526 sizeof(name->u.rdnSequence.val[0]));
528 rdn = &name->u.rdnSequence.val[0];
530 rdn->val = malloc(sizeof(rdn->val[0]));
531 if (rdn->val == NULL)
534 ret = der_copy_oid(oid, &rdn->val[0].type);
537 rdn->val[0].value.element = choice_DirectoryString_utf8String;
538 rdn->val[0].value.u.utf8String = strdup(str);
539 if (rdn->val[0].value.u.utf8String == NULL)
541 name->u.rdnSequence.len += 1;
547 * Parse a string into a hx509 name object.
549 * @param context A hx509 context.
550 * @param str a string to parse.
551 * @param name the resulting object, NULL in case of error.
553 * @return An hx509 error code, see hx509_get_error_string().
555 * @ingroup hx509_name
559 hx509_parse_name(hx509_context context, const char *str, hx509_name *name)
568 n = calloc(1, sizeof(*n));
570 hx509_set_error_string(context, 0, ENOMEM, "out of memory");
574 n->der_name.element = choice_Name_rdnSequence;
578 while (p != NULL && *p != '\0') {
593 ret = HX509_PARSING_NAME_FAILED;
594 hx509_set_error_string(context, 0, ret, "missing = in %s", p);
598 ret = HX509_PARSING_NAME_FAILED;
599 hx509_set_error_string(context, 0, ret,
600 "missing name before = in %s", p);
605 ret = HX509_PARSING_NAME_FAILED;
606 hx509_set_error_string(context, 0, ret, " = after , in %s", p);
610 ret = stringtooid(p, q - p, &oid);
612 ret = HX509_PARSING_NAME_FAILED;
613 hx509_set_error_string(context, 0, ret,
614 "unknown type: %.*s", (int)(q - p), p);
619 size_t pstr_len = len - (q - p) - 1;
620 const char *pstr = p + (q - p) + 1;
623 r = malloc(pstr_len + 1);
627 hx509_set_error_string(context, 0, ret, "out of memory");
630 memcpy(r, pstr, pstr_len);
633 ret = _hx509_name_modify(context, &n->der_name, 0, &oid, r);
647 return HX509_NAME_MALFORMED;
651 * Copy a hx509 name object.
653 * @param context A hx509 cotext.
654 * @param from the name to copy from
655 * @param to the name to copy to
657 * @return An hx509 error code, see hx509_get_error_string().
659 * @ingroup hx509_name
663 hx509_name_copy(hx509_context context, const hx509_name from, hx509_name *to)
667 *to = calloc(1, sizeof(**to));
670 ret = copy_Name(&from->der_name, &(*to)->der_name);
680 * Convert a hx509_name into a Name.
682 * @param from the name to copy from
683 * @param to the name to copy to
685 * @return An hx509 error code, see hx509_get_error_string().
687 * @ingroup hx509_name
691 hx509_name_to_Name(const hx509_name from, Name *to)
693 return copy_Name(&from->der_name, to);
697 hx509_name_normalize(hx509_context context, hx509_name name)
703 * Expands variables in the name using env. Variables are on the form
704 * ${name}. Useful when dealing with certificate templates.
706 * @param context A hx509 cotext.
707 * @param name the name to expand.
708 * @param env environment variable to expand.
710 * @return An hx509 error code, see hx509_get_error_string().
712 * @ingroup hx509_name
716 hx509_name_expand(hx509_context context,
720 Name *n = &name->der_name;
726 if (n->element != choice_Name_rdnSequence) {
727 hx509_set_error_string(context, 0, EINVAL, "RDN not of supported type");
731 for (i = 0 ; i < n->u.rdnSequence.len; i++) {
732 for (j = 0; j < n->u.rdnSequence.val[i].len; j++) {
733 /** Only UTF8String rdnSequence names are allowed */
735 THIS SHOULD REALLY BE:
736 COMP = n->u.rdnSequence.val[i].val[j];
737 normalize COMP to utf8
738 check if there are variables
740 convert back to orignal format, store in COMP
741 free normalized utf8 string
743 DirectoryString *ds = &n->u.rdnSequence.val[i].val[j].value;
745 struct rk_strpool *strpool = NULL;
747 if (ds->element != choice_DirectoryString_utf8String) {
748 hx509_set_error_string(context, 0, EINVAL, "unsupported type");
751 p = strstr(ds->u.utf8String, "${");
753 strpool = rk_strpoolprintf(strpool, "%.*s",
754 (int)(p - ds->u.utf8String),
756 if (strpool == NULL) {
757 hx509_set_error_string(context, 0, ENOMEM, "out of memory");
762 /* expand variables */
766 hx509_set_error_string(context, 0, EINVAL, "missing }");
767 rk_strpoolfree(strpool);
771 value = hx509_env_lfind(context, env, p, p2 - p);
773 hx509_set_error_string(context, 0, EINVAL,
774 "variable %.*s missing",
776 rk_strpoolfree(strpool);
779 strpool = rk_strpoolprintf(strpool, "%s", value);
780 if (strpool == NULL) {
781 hx509_set_error_string(context, 0, ENOMEM, "out of memory");
786 p = strstr(p2, "${");
788 strpool = rk_strpoolprintf(strpool, "%.*s",
791 strpool = rk_strpoolprintf(strpool, "%s", p2);
792 if (strpool == NULL) {
793 hx509_set_error_string(context, 0, ENOMEM, "out of memory");
798 free(ds->u.utf8String);
799 ds->u.utf8String = rk_strpoolcollect(strpool);
800 if (ds->u.utf8String == NULL) {
801 hx509_set_error_string(context, 0, ENOMEM, "out of memory");
811 * Free a hx509 name object, upond return *name will be NULL.
813 * @param name a hx509 name object to be freed.
815 * @ingroup hx509_name
819 hx509_name_free(hx509_name *name)
821 free_Name(&(*name)->der_name);
822 memset(*name, 0, sizeof(**name));
828 * Convert a DER encoded name info a string.
830 * @param data data to a DER/BER encoded name
831 * @param length length of data
832 * @param str the resulting string, is NULL on failure.
834 * @return An hx509 error code, see hx509_get_error_string().
836 * @ingroup hx509_name
840 hx509_unparse_der_name(const void *data, size_t length, char **str)
847 ret = decode_Name(data, length, &name, NULL);
850 ret = _hx509_Name_to_string(&name, str);
856 * Convert a hx509_name object to DER encoded name.
858 * @param name name to concert
859 * @param os data to a DER encoded name, free the resulting octet
860 * string with hx509_xfree(os->data).
862 * @return An hx509 error code, see hx509_get_error_string().
864 * @ingroup hx509_name
868 hx509_name_binary(const hx509_name name, heim_octet_string *os)
873 ASN1_MALLOC_ENCODE(Name, os->data, os->length, &name->der_name, &size, ret);
876 if (os->length != size)
877 _hx509_abort("internal ASN.1 encoder error");
883 _hx509_unparse_Name(const Name *aname, char **str)
888 ret = _hx509_name_from_Name(aname, &name);
892 ret = hx509_name_to_string(name, str);
893 hx509_name_free(&name);
898 * Unparse the hx509 name in name into a string.
900 * @param name the name to check if its empty/null.
902 * @return non zero if the name is empty/null.
904 * @ingroup hx509_name
908 hx509_name_is_null_p(const hx509_name name)
910 return name->der_name.u.rdnSequence.len == 0;
914 * Unparse the hx509 name in name into a string.
916 * @param name the name to print
917 * @param str an allocated string returns the name in string form
919 * @return An hx509 error code, see hx509_get_error_string().
921 * @ingroup hx509_name
925 hx509_general_name_unparse(GeneralName *name, char **str)
927 struct rk_strpool *strpool = NULL;
931 switch (name->element) {
932 case choice_GeneralName_otherName: {
934 hx509_oid_sprint(&name->u.otherName.type_id, &str2);
937 strpool = rk_strpoolprintf(strpool, "otherName: %s", str2);
941 case choice_GeneralName_rfc822Name:
942 strpool = rk_strpoolprintf(strpool, "rfc822Name: %s\n",
945 case choice_GeneralName_dNSName:
946 strpool = rk_strpoolprintf(strpool, "dNSName: %s\n",
949 case choice_GeneralName_directoryName: {
953 memset(&dir, 0, sizeof(dir));
954 dir.element = name->u.directoryName.element;
955 dir.u.rdnSequence = name->u.directoryName.u.rdnSequence;
956 ret = _hx509_unparse_Name(&dir, &s);
959 strpool = rk_strpoolprintf(strpool, "directoryName: %s", s);
963 case choice_GeneralName_uniformResourceIdentifier:
964 strpool = rk_strpoolprintf(strpool, "URI: %s",
965 name->u.uniformResourceIdentifier);
967 case choice_GeneralName_iPAddress: {
968 unsigned char *a = name->u.iPAddress.data;
970 strpool = rk_strpoolprintf(strpool, "IPAddress: ");
973 if (name->u.iPAddress.length == 4)
974 strpool = rk_strpoolprintf(strpool, "%d.%d.%d.%d",
975 a[0], a[1], a[2], a[3]);
976 else if (name->u.iPAddress.length == 16)
977 strpool = rk_strpoolprintf(strpool,
978 "%02X:%02X:%02X:%02X:"
979 "%02X:%02X:%02X:%02X:"
980 "%02X:%02X:%02X:%02X:"
981 "%02X:%02X:%02X:%02X",
982 a[0], a[1], a[2], a[3],
983 a[4], a[5], a[6], a[7],
984 a[8], a[9], a[10], a[11],
985 a[12], a[13], a[14], a[15]);
987 strpool = rk_strpoolprintf(strpool,
988 "unknown IP address of length %lu",
989 (unsigned long)name->u.iPAddress.length);
992 case choice_GeneralName_registeredID: {
994 hx509_oid_sprint(&name->u.registeredID, &str2);
997 strpool = rk_strpoolprintf(strpool, "registeredID: %s", str2);
1004 if (strpool == NULL)
1007 *str = rk_strpoolcollect(strpool);