2 * Copyright (c) 2004 - 2007 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
35 RCSID("$Id: name.c 22432 2008-01-13 14:08:03Z lha $");
38 * @page page_name PKIX/X.509 Names
40 * There are several names in PKIX/X.509, GeneralName and Name.
42 * A Name consists of an ordered list of Relative Distinguished Names
43 * (RDN). Each RDN consists of an unordered list of typed strings. The
44 * types are defined by OID and have long and short description. For
45 * example id-at-commonName (2.5.4.3) have the long name CommonName
46 * and short name CN. The string itself can be of serveral encoding,
47 * UTF8, UTF16, Teltex string, etc. The type limit what encoding
50 * GeneralName is a broader nametype that can contains al kind of
51 * stuff like Name, IP addresses, partial Name, etc.
53 * Name is mapped into a hx509_name object.
55 * Parse and string name into a hx509_name object with hx509_parse_name(),
56 * make it back into string representation with hx509_name_to_string().
58 * Name string are defined rfc2253, rfc1779 and X.501.
60 * See the library functions here: @ref hx509_name
65 const heim_oid *(*o)(void);
67 { "C", oid_id_at_countryName },
68 { "CN", oid_id_at_commonName },
69 { "DC", oid_id_domainComponent },
70 { "L", oid_id_at_localityName },
71 { "O", oid_id_at_organizationName },
72 { "OU", oid_id_at_organizationalUnitName },
73 { "S", oid_id_at_stateOrProvinceName },
74 { "STREET", oid_id_at_streetAddress },
75 { "UID", oid_id_Userid },
76 { "emailAddress", oid_id_pkcs9_emailAddress },
77 { "serialNumber", oid_id_at_serialNumber }
81 quote_string(const char *f, size_t len, size_t *rlen)
92 for (i = 0, j = 0; i < len; i++) {
93 if (from[i] == ' ' && i + 1 < len)
95 else if (from[i] == ',' || from[i] == '=' || from[i] == '+' ||
96 from[i] == '<' || from[i] == '>' || from[i] == '#' ||
97 from[i] == ';' || from[i] == ' ')
101 } else if (((unsigned char)from[i]) >= 32 && ((unsigned char)from[i]) <= 127) {
104 int l = snprintf(&to[j], tolen - j - 1,
105 "#%02x", (unsigned char)from[i]);
117 append_string(char **str, size_t *total_len, const char *ss,
118 size_t len, int quote)
123 qs = quote_string(ss, len, &len);
127 s = realloc(*str, len + *total_len + 1);
129 _hx509_abort("allocation failure"); /* XXX */
130 memcpy(s + *total_len, qs, len);
133 s[*total_len + len] = '\0';
140 oidtostring(const heim_oid *type)
145 for (i = 0; i < sizeof(no)/sizeof(no[0]); i++) {
146 if (der_heim_oid_cmp((*no[i].o)(), type) == 0)
147 return strdup(no[i].n);
149 if (der_print_heim_oid(type, '.', &s) != 0)
155 stringtooid(const char *name, size_t len, heim_oid *oid)
160 memset(oid, 0, sizeof(*oid));
162 for (i = 0; i < sizeof(no)/sizeof(no[0]); i++) {
163 if (strncasecmp(no[i].n, name, len) == 0)
164 return der_copy_oid((*no[i].o)(), oid);
169 memcpy(s, name, len);
171 ret = der_parse_heim_oid(s, ".", oid);
177 * Convert the hx509 name object into a printable string.
178 * The resulting string should be freed with free().
180 * @param name name to print
181 * @param str the string to return
183 * @return An hx509 error code, see hx509_get_error_string().
185 * @ingroup hx509_name
189 hx509_name_to_string(const hx509_name name, char **str)
191 return _hx509_Name_to_string(&name->der_name, str);
195 _hx509_Name_to_string(const Name *n, char **str)
197 size_t total_len = 0;
204 for (i = n->u.rdnSequence.len - 1 ; i >= 0 ; i--) {
207 for (j = 0; j < n->u.rdnSequence.val[i].len; j++) {
208 DirectoryString *ds = &n->u.rdnSequence.val[i].val[j].value;
212 oidname = oidtostring(&n->u.rdnSequence.val[i].val[j].type);
214 switch(ds->element) {
215 case choice_DirectoryString_ia5String:
216 ss = ds->u.ia5String;
218 case choice_DirectoryString_printableString:
219 ss = ds->u.printableString;
221 case choice_DirectoryString_utf8String:
222 ss = ds->u.utf8String;
224 case choice_DirectoryString_bmpString: {
225 uint16_t *bmp = ds->u.bmpString.data;
226 size_t bmplen = ds->u.bmpString.length;
229 ss = malloc(bmplen + 1);
231 _hx509_abort("allocation failure"); /* XXX */
232 for (k = 0; k < bmplen; k++)
233 ss[k] = bmp[k] & 0xff; /* XXX */
237 case choice_DirectoryString_teletexString:
238 ss = malloc(ds->u.teletexString.length + 1);
240 _hx509_abort("allocation failure"); /* XXX */
241 memcpy(ss, ds->u.teletexString.data, ds->u.teletexString.length);
242 ss[ds->u.teletexString.length] = '\0';
244 case choice_DirectoryString_universalString: {
245 uint32_t *uni = ds->u.universalString.data;
246 size_t unilen = ds->u.universalString.length;
249 ss = malloc(unilen + 1);
251 _hx509_abort("allocation failure"); /* XXX */
252 for (k = 0; k < unilen; k++)
253 ss[k] = uni[k] & 0xff; /* XXX */
258 _hx509_abort("unknown directory type: %d", ds->element);
261 append_string(str, &total_len, oidname, strlen(oidname), 0);
263 append_string(str, &total_len, "=", 1, 0);
265 append_string(str, &total_len, ss, len, 1);
266 if (ds->element == choice_DirectoryString_universalString ||
267 ds->element == choice_DirectoryString_bmpString ||
268 ds->element == choice_DirectoryString_teletexString)
272 if (j + 1 < n->u.rdnSequence.val[i].len)
273 append_string(str, &total_len, "+", 1, 0);
277 append_string(str, &total_len, ",", 1, 0);
283 * XXX this function is broken, it needs to compare code points, not
288 prune_space(const unsigned char **s)
295 _hx509_name_ds_cmp(const DirectoryString *ds1, const DirectoryString *ds2)
299 c = ds1->element - ds2->element;
303 switch(ds1->element) {
304 case choice_DirectoryString_ia5String:
305 c = strcmp(ds1->u.ia5String, ds2->u.ia5String);
307 case choice_DirectoryString_teletexString:
308 c = der_heim_octet_string_cmp(&ds1->u.teletexString,
309 &ds2->u.teletexString);
311 case choice_DirectoryString_printableString: {
312 const unsigned char *s1 = (unsigned char*)ds1->u.printableString;
313 const unsigned char *s2 = (unsigned char*)ds2->u.printableString;
314 prune_space(&s1); prune_space(&s2);
316 if (toupper(*s1) != toupper(*s2)) {
317 c = toupper(*s1) - toupper(*s2);
320 if (*s1 == ' ') { prune_space(&s1); prune_space(&s2); }
323 prune_space(&s1); prune_space(&s2);
327 case choice_DirectoryString_utf8String:
328 c = strcmp(ds1->u.utf8String, ds2->u.utf8String);
330 case choice_DirectoryString_universalString:
331 c = der_heim_universal_string_cmp(&ds1->u.universalString,
332 &ds2->u.universalString);
334 case choice_DirectoryString_bmpString:
335 c = der_heim_bmp_string_cmp(&ds1->u.bmpString,
346 _hx509_name_cmp(const Name *n1, const Name *n2)
350 c = n1->u.rdnSequence.len - n2->u.rdnSequence.len;
354 for (i = 0 ; i < n1->u.rdnSequence.len; i++) {
355 c = n1->u.rdnSequence.val[i].len - n2->u.rdnSequence.val[i].len;
359 for (j = 0; j < n1->u.rdnSequence.val[i].len; j++) {
360 c = der_heim_oid_cmp(&n1->u.rdnSequence.val[i].val[j].type,
361 &n1->u.rdnSequence.val[i].val[j].type);
365 c = _hx509_name_ds_cmp(&n1->u.rdnSequence.val[i].val[j].value,
366 &n2->u.rdnSequence.val[i].val[j].value);
375 * Compare to hx509 name object, useful for sorting.
377 * @param n1 a hx509 name object.
378 * @param n2 a hx509 name object.
380 * @return 0 the objects are the same, returns > 0 is n2 is "larger"
381 * then n2, < 0 if n1 is "smaller" then n2.
383 * @ingroup hx509_name
387 hx509_name_cmp(hx509_name n1, hx509_name n2)
389 return _hx509_name_cmp(&n1->der_name, &n2->der_name);
394 _hx509_name_from_Name(const Name *n, hx509_name *name)
397 *name = calloc(1, sizeof(**name));
400 ret = copy_Name(n, &(*name)->der_name);
409 _hx509_name_modify(hx509_context context,
415 RelativeDistinguishedName *rdn;
419 ptr = realloc(name->u.rdnSequence.val,
420 sizeof(name->u.rdnSequence.val[0]) *
421 (name->u.rdnSequence.len + 1));
423 hx509_set_error_string(context, 0, ENOMEM, "Out of memory");
426 name->u.rdnSequence.val = ptr;
429 rdn = &name->u.rdnSequence.val[name->u.rdnSequence.len];
431 memmove(&name->u.rdnSequence.val[1],
432 &name->u.rdnSequence.val[0],
433 name->u.rdnSequence.len *
434 sizeof(name->u.rdnSequence.val[0]));
436 rdn = &name->u.rdnSequence.val[0];
438 rdn->val = malloc(sizeof(rdn->val[0]));
439 if (rdn->val == NULL)
442 ret = der_copy_oid(oid, &rdn->val[0].type);
445 rdn->val[0].value.element = choice_DirectoryString_utf8String;
446 rdn->val[0].value.u.utf8String = strdup(str);
447 if (rdn->val[0].value.u.utf8String == NULL)
449 name->u.rdnSequence.len += 1;
455 * Parse a string into a hx509 name object.
457 * @param context A hx509 context.
458 * @param str a string to parse.
459 * @param name the resulting object, NULL in case of error.
461 * @return An hx509 error code, see hx509_get_error_string().
463 * @ingroup hx509_name
467 hx509_parse_name(hx509_context context, const char *str, hx509_name *name)
476 n = calloc(1, sizeof(*n));
478 hx509_set_error_string(context, 0, ENOMEM, "out of memory");
482 n->der_name.element = choice_Name_rdnSequence;
486 while (p != NULL && *p != '\0') {
501 ret = HX509_PARSING_NAME_FAILED;
502 hx509_set_error_string(context, 0, ret, "missing = in %s", p);
506 ret = HX509_PARSING_NAME_FAILED;
507 hx509_set_error_string(context, 0, ret,
508 "missing name before = in %s", p);
513 ret = HX509_PARSING_NAME_FAILED;
514 hx509_set_error_string(context, 0, ret, " = after , in %s", p);
518 ret = stringtooid(p, q - p, &oid);
520 ret = HX509_PARSING_NAME_FAILED;
521 hx509_set_error_string(context, 0, ret,
522 "unknown type: %.*s", (int)(q - p), p);
527 size_t pstr_len = len - (q - p) - 1;
528 const char *pstr = p + (q - p) + 1;
531 r = malloc(pstr_len + 1);
535 hx509_set_error_string(context, 0, ret, "out of memory");
538 memcpy(r, pstr, pstr_len);
541 ret = _hx509_name_modify(context, &n->der_name, 0, &oid, r);
555 return HX509_NAME_MALFORMED;
559 * Copy a hx509 name object.
561 * @param context A hx509 cotext.
562 * @param from the name to copy from
563 * @param to the name to copy to
565 * @return An hx509 error code, see hx509_get_error_string().
567 * @ingroup hx509_name
571 hx509_name_copy(hx509_context context, const hx509_name from, hx509_name *to)
575 *to = calloc(1, sizeof(**to));
578 ret = copy_Name(&from->der_name, &(*to)->der_name);
588 * Convert a hx509_name into a Name.
590 * @param from the name to copy from
591 * @param to the name to copy to
593 * @return An hx509 error code, see hx509_get_error_string().
595 * @ingroup hx509_name
599 hx509_name_to_Name(const hx509_name from, Name *to)
601 return copy_Name(&from->der_name, to);
605 hx509_name_normalize(hx509_context context, hx509_name name)
611 * Expands variables in the name using env. Variables are on the form
612 * ${name}. Useful when dealing with certificate templates.
614 * @param context A hx509 cotext.
615 * @param name the name to expand.
616 * @param env environment variable to expand.
618 * @return An hx509 error code, see hx509_get_error_string().
620 * @ingroup hx509_name
624 hx509_name_expand(hx509_context context,
628 Name *n = &name->der_name;
634 if (n->element != choice_Name_rdnSequence) {
635 hx509_set_error_string(context, 0, EINVAL, "RDN not of supported type");
639 for (i = 0 ; i < n->u.rdnSequence.len; i++) {
640 for (j = 0; j < n->u.rdnSequence.val[i].len; j++) {
641 /** Only UTF8String rdnSequence names are allowed */
643 THIS SHOULD REALLY BE:
644 COMP = n->u.rdnSequence.val[i].val[j];
645 normalize COMP to utf8
646 check if there are variables
648 convert back to orignal format, store in COMP
649 free normalized utf8 string
651 DirectoryString *ds = &n->u.rdnSequence.val[i].val[j].value;
653 struct rk_strpool *strpool = NULL;
655 if (ds->element != choice_DirectoryString_utf8String) {
656 hx509_set_error_string(context, 0, EINVAL, "unsupported type");
659 p = strstr(ds->u.utf8String, "${");
661 strpool = rk_strpoolprintf(strpool, "%.*s",
662 (int)(p - ds->u.utf8String),
664 if (strpool == NULL) {
665 hx509_set_error_string(context, 0, ENOMEM, "out of memory");
670 /* expand variables */
674 hx509_set_error_string(context, 0, EINVAL, "missing }");
675 rk_strpoolfree(strpool);
679 value = hx509_env_lfind(context, env, p, p2 - p);
681 hx509_set_error_string(context, 0, EINVAL,
682 "variable %.*s missing",
684 rk_strpoolfree(strpool);
687 strpool = rk_strpoolprintf(strpool, "%s", value);
688 if (strpool == NULL) {
689 hx509_set_error_string(context, 0, ENOMEM, "out of memory");
694 p = strstr(p2, "${");
696 strpool = rk_strpoolprintf(strpool, "%.*s",
699 strpool = rk_strpoolprintf(strpool, "%s", p2);
700 if (strpool == NULL) {
701 hx509_set_error_string(context, 0, ENOMEM, "out of memory");
706 free(ds->u.utf8String);
707 ds->u.utf8String = rk_strpoolcollect(strpool);
708 if (ds->u.utf8String == NULL) {
709 hx509_set_error_string(context, 0, ENOMEM, "out of memory");
719 * Free a hx509 name object, upond return *name will be NULL.
721 * @param name a hx509 name object to be freed.
723 * @ingroup hx509_name
727 hx509_name_free(hx509_name *name)
729 free_Name(&(*name)->der_name);
730 memset(*name, 0, sizeof(**name));
736 * Convert a DER encoded name info a string.
738 * @param data data to a DER/BER encoded name
739 * @param length length of data
740 * @param str the resulting string, is NULL on failure.
742 * @return An hx509 error code, see hx509_get_error_string().
744 * @ingroup hx509_name
748 hx509_unparse_der_name(const void *data, size_t length, char **str)
755 ret = decode_Name(data, length, &name, NULL);
758 ret = _hx509_Name_to_string(&name, str);
764 * Convert a hx509_name object to DER encoded name.
766 * @param name name to concert
767 * @param os data to a DER encoded name, free the resulting octet
768 * string with hx509_xfree(os->data).
770 * @return An hx509 error code, see hx509_get_error_string().
772 * @ingroup hx509_name
776 hx509_name_binary(const hx509_name name, heim_octet_string *os)
781 ASN1_MALLOC_ENCODE(Name, os->data, os->length, &name->der_name, &size, ret);
784 if (os->length != size)
785 _hx509_abort("internal ASN.1 encoder error");
791 _hx509_unparse_Name(const Name *aname, char **str)
796 ret = _hx509_name_from_Name(aname, &name);
800 ret = hx509_name_to_string(name, str);
801 hx509_name_free(&name);
806 * Unparse the hx509 name in name into a string.
808 * @param name the name to check if its empty/null.
810 * @return non zero if the name is empty/null.
812 * @ingroup hx509_name
816 hx509_name_is_null_p(const hx509_name name)
818 return name->der_name.u.rdnSequence.len == 0;
822 * Unparse the hx509 name in name into a string.
824 * @param name the name to print
825 * @param str an allocated string returns the name in string form
827 * @return An hx509 error code, see krb5_get_error_string().
829 * @ingroup hx509_name
833 hx509_general_name_unparse(GeneralName *name, char **str)
835 struct rk_strpool *strpool = NULL;
839 switch (name->element) {
840 case choice_GeneralName_otherName: {
842 hx509_oid_sprint(&name->u.otherName.type_id, &str);
845 strpool = rk_strpoolprintf(strpool, "otherName: %s", str);
849 case choice_GeneralName_rfc822Name:
850 strpool = rk_strpoolprintf(strpool, "rfc822Name: %s\n",
853 case choice_GeneralName_dNSName:
854 strpool = rk_strpoolprintf(strpool, "dNSName: %s\n",
857 case choice_GeneralName_directoryName: {
861 memset(&dir, 0, sizeof(dir));
862 dir.element = name->u.directoryName.element;
863 dir.u.rdnSequence = name->u.directoryName.u.rdnSequence;
864 ret = _hx509_unparse_Name(&dir, &s);
867 strpool = rk_strpoolprintf(strpool, "directoryName: %s", s);
871 case choice_GeneralName_uniformResourceIdentifier:
872 strpool = rk_strpoolprintf(strpool, "URI: %s",
873 name->u.uniformResourceIdentifier);
875 case choice_GeneralName_iPAddress: {
876 unsigned char *a = name->u.iPAddress.data;
878 strpool = rk_strpoolprintf(strpool, "IPAddress: ");
881 if (name->u.iPAddress.length == 4)
882 strpool = rk_strpoolprintf(strpool, "%d.%d.%d.%d",
883 a[0], a[1], a[2], a[3]);
884 else if (name->u.iPAddress.length == 16)
885 strpool = rk_strpoolprintf(strpool,
886 "%02X:%02X:%02X:%02X:"
887 "%02X:%02X:%02X:%02X:"
888 "%02X:%02X:%02X:%02X:"
889 "%02X:%02X:%02X:%02X",
890 a[0], a[1], a[2], a[3],
891 a[4], a[5], a[6], a[7],
892 a[8], a[9], a[10], a[11],
893 a[12], a[13], a[14], a[15]);
895 strpool = rk_strpoolprintf(strpool,
896 "unknown IP address of length %lu",
897 (unsigned long)name->u.iPAddress.length);
900 case choice_GeneralName_registeredID: {
902 hx509_oid_sprint(&name->u.registeredID, &str);
905 strpool = rk_strpoolprintf(strpool, "registeredID: %s", str);
915 *str = rk_strpoolcollect(strpool);
projects / FreeBSD / releng / 9.2.git / blob