Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(585)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: mozilla/security/nss/lib/certdb/alg1485.c

Issue 14249009: Change the NSS and NSPR source tree to the new directory structure to be (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/deps/third_party/nss/
Patch Set: Created 7 years, 8 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
« no previous file with comments | « mozilla/security/nss/lib/base/tracker.c ('k') | mozilla/security/nss/lib/certdb/cert.h » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
(Empty)
1 /* alg1485.c - implementation of RFCs 1485, 1779 and 2253.
2 *
3 * This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
6
7 #include "prprf.h"
8 #include "cert.h"
9 #include "certi.h"
10 #include "xconst.h"
11 #include "genname.h"
12 #include "secitem.h"
13 #include "secerr.h"
14
15 typedef struct NameToKindStr {
16 const char * name;
17 unsigned int maxLen; /* max bytes in UTF8 encoded string value */
18 SECOidTag kind;
19 int valueType;
20 } NameToKind;
21
22 /* local type for directory string--could be printable_string or utf8 */
23 #define SEC_ASN1_DS SEC_ASN1_HIGH_TAG_NUMBER
24
25 /* Add new entries to this table, and maybe to function ParseRFC1485AVA */
26 static const NameToKind name2kinds[] = {
27 /* IANA registered type names
28 * (See: http://www.iana.org/assignments/ldap-parameters)
29 */
30 /* RFC 3280, 4630 MUST SUPPORT */
31 { "CN", 64, SEC_OID_AVA_COMMON_NAME, SEC_ASN1_DS},
32 { "ST", 128, SEC_OID_AVA_STATE_OR_PROVINCE,
33 SEC_ASN1_DS},
34 { "O", 64, SEC_OID_AVA_ORGANIZATION_NAME,
35 SEC_ASN1_DS},
36 { "OU", 64, SEC_OID_AVA_ORGANIZATIONAL_UNIT_NAME,
37 SEC_ASN1_DS},
38 { "dnQualifier", 32767, SEC_OID_AVA_DN_QUALIFIER, SEC_ASN1_PRINTABLE_STRING} ,
39 { "C", 2, SEC_OID_AVA_COUNTRY_NAME, SEC_ASN1_PRINTABLE_STRING} ,
40 { "serialNumber", 64, SEC_OID_AVA_SERIAL_NUMBER,SEC_ASN1_PRINTABLE_STRING} ,
41
42 /* RFC 3280, 4630 SHOULD SUPPORT */
43 { "L", 128, SEC_OID_AVA_LOCALITY, SEC_ASN1_DS},
44 { "title", 64, SEC_OID_AVA_TITLE, SEC_ASN1_DS},
45 { "SN", 64, SEC_OID_AVA_SURNAME, SEC_ASN1_DS},
46 { "givenName", 64, SEC_OID_AVA_GIVEN_NAME, SEC_ASN1_DS},
47 { "initials", 64, SEC_OID_AVA_INITIALS, SEC_ASN1_DS},
48 { "generationQualifier",
49 64, SEC_OID_AVA_GENERATION_QUALIFIER,
50 SEC_ASN1_DS},
51 /* RFC 3280, 4630 MAY SUPPORT */
52 { "DC", 128, SEC_OID_AVA_DC, SEC_ASN1_IA5_STRING},
53 { "MAIL", 256, SEC_OID_RFC1274_MAIL, SEC_ASN1_IA5_STRING},
54 { "UID", 256, SEC_OID_RFC1274_UID, SEC_ASN1_DS},
55
56 /* ------------------ "strict" boundary ---------------------------------
57 * In strict mode, cert_NameToAscii does not encode any of the attributes
58 * below this line. The first SECOidTag below this line must be used to
59 * conditionally define the "endKind" in function AppendAVA() below.
60 * Most new attribute names should be added below this line.
61 * Maybe this line should be up higher? Say, after the 3280 MUSTs and
62 * before the 3280 SHOULDs?
63 */
64
65 /* values from draft-ietf-ldapbis-user-schema-05 (not in RFC 3280) */
66 { "postalAddress", 128, SEC_OID_AVA_POSTAL_ADDRESS, SEC_ASN1_DS},
67 { "postalCode", 40, SEC_OID_AVA_POSTAL_CODE, SEC_ASN1_DS},
68 { "postOfficeBox", 40, SEC_OID_AVA_POST_OFFICE_BOX,SEC_ASN1_DS},
69 { "houseIdentifier",64, SEC_OID_AVA_HOUSE_IDENTIFIER,SEC_ASN1_DS},
70 /* end of IANA registered type names */
71
72 /* legacy keywords */
73 { "E", 128, SEC_OID_PKCS9_EMAIL_ADDRESS,SEC_ASN1_IA5_STRING},
74 { "STREET", 128, SEC_OID_AVA_STREET_ADDRESS, SEC_ASN1_DS},
75 { "pseudonym", 64, SEC_OID_AVA_PSEUDONYM, SEC_ASN1_DS},
76
77 /* values defined by the CAB Forum for EV */
78 { "incorporationLocality", 128, SEC_OID_EV_INCORPORATION_LOCALITY,
79 SEC_ASN1_DS},
80 { "incorporationState", 128, SEC_OID_EV_INCORPORATION_STATE,
81 SEC_ASN1_DS},
82 { "incorporationCountry", 2, SEC_OID_EV_INCORPORATION_COUNTRY,
83 SEC_ASN1_PRINTABLE_STRING},
84 { "businessCategory", 64, SEC_OID_BUSINESS_CATEGORY, SEC_ASN1_DS},
85
86 { 0, 256, SEC_OID_UNKNOWN, 0},
87 };
88
89 /* Table facilitates conversion of ASCII hex to binary. */
90 static const PRInt16 x2b[256] = {
91 /* #0x */ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
92 /* #1x */ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
93 /* #2x */ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
94 /* #3x */ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, -1, -1, -1, -1, -1, -1,
95 /* #4x */ -1, 10, 11, 12, 13, 14, 15, -1, -1, -1, -1, -1, -1, -1, -1, -1,
96 /* #5x */ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
97 /* #6x */ -1, 10, 11, 12, 13, 14, 15, -1, -1, -1, -1, -1, -1, -1, -1, -1,
98 /* #7x */ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
99 /* #8x */ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
100 /* #9x */ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
101 /* #ax */ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
102 /* #bx */ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
103 /* #cx */ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
104 /* #dx */ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
105 /* #ex */ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
106 /* #fx */ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1
107 };
108
109 #define IS_HEX(c) (x2b[(PRUint8)(c)] >= 0)
110
111 #define C_DOUBLE_QUOTE '\042'
112
113 #define C_BACKSLASH '\134'
114
115 #define C_EQUAL '='
116
117 #define OPTIONAL_SPACE(c) \
118 (((c) == ' ') || ((c) == '\r') || ((c) == '\n'))
119
120 #define SPECIAL_CHAR(c) \
121 (((c) == ',') || ((c) == '=') || ((c) == C_DOUBLE_QUOTE) || \
122 ((c) == '\r') || ((c) == '\n') || ((c) == '+') || \
123 ((c) == '<') || ((c) == '>') || ((c) == '#') || \
124 ((c) == ';') || ((c) == C_BACKSLASH))
125
126
127 #define IS_PRINTABLE(c) \
128 ((((c) >= 'a') && ((c) <= 'z')) || \
129 (((c) >= 'A') && ((c) <= 'Z')) || \
130 (((c) >= '0') && ((c) <= '9')) || \
131 ((c) == ' ') || \
132 ((c) == '\'') || \
133 ((c) == '\050') || /* ( */ \
134 ((c) == '\051') || /* ) */ \
135 (((c) >= '+') && ((c) <= '/')) || /* + , - . / */ \
136 ((c) == ':') || \
137 ((c) == '=') || \
138 ((c) == '?'))
139
140 /* RFC 2253 says we must escape ",+\"\\<>;=" EXCEPT inside a quoted string.
141 * Inside a quoted string, we only need to escape " and \
142 * We choose to quote strings containing any of those special characters,
143 * so we only need to escape " and \
144 */
145 #define NEEDS_ESCAPE(c) \
146 (c == C_DOUBLE_QUOTE || c == C_BACKSLASH)
147
148 #define NEEDS_HEX_ESCAPE(c) \
149 ((PRUint8)c < 0x20 || c == 0x7f)
150
151 int
152 cert_AVAOidTagToMaxLen(SECOidTag tag)
153 {
154 const NameToKind *n2k = name2kinds;
155
156 while (n2k->kind != tag && n2k->kind != SEC_OID_UNKNOWN) {
157 ++n2k;
158 }
159 return (n2k->kind != SEC_OID_UNKNOWN) ? n2k->maxLen : -1;
160 }
161
162 static PRBool
163 IsPrintable(unsigned char *data, unsigned len)
164 {
165 unsigned char ch, *end;
166
167 end = data + len;
168 while (data < end) {
169 ch = *data++;
170 if (!IS_PRINTABLE(ch)) {
171 return PR_FALSE;
172 }
173 }
174 return PR_TRUE;
175 }
176
177 static void
178 skipSpace(const char **pbp, const char *endptr)
179 {
180 const char *bp = *pbp;
181 while (bp < endptr && OPTIONAL_SPACE(*bp)) {
182 bp++;
183 }
184 *pbp = bp;
185 }
186
187 static SECStatus
188 scanTag(const char **pbp, const char *endptr, char *tagBuf, int tagBufSize)
189 {
190 const char *bp;
191 char *tagBufp;
192 int taglen;
193
194 PORT_Assert(tagBufSize > 0);
195
196 /* skip optional leading space */
197 skipSpace(pbp, endptr);
198 if (*pbp == endptr) {
199 /* nothing left */
200 return SECFailure;
201 }
202
203 /* fill tagBuf */
204 taglen = 0;
205 bp = *pbp;
206 tagBufp = tagBuf;
207 while (bp < endptr && !OPTIONAL_SPACE(*bp) && (*bp != C_EQUAL)) {
208 if (++taglen >= tagBufSize) {
209 *pbp = bp;
210 return SECFailure;
211 }
212 *tagBufp++ = *bp++;
213 }
214 /* null-terminate tagBuf -- guaranteed at least one space left */
215 *tagBufp++ = 0;
216 *pbp = bp;
217
218 /* skip trailing spaces till we hit something - should be an equal sign */
219 skipSpace(pbp, endptr);
220 if (*pbp == endptr) {
221 /* nothing left */
222 return SECFailure;
223 }
224 if (**pbp != C_EQUAL) {
225 /* should be an equal sign */
226 return SECFailure;
227 }
228 /* skip over the equal sign */
229 (*pbp)++;
230
231 return SECSuccess;
232 }
233
234 /* Returns the number of bytes in the value. 0 means failure. */
235 static int
236 scanVal(const char **pbp, const char *endptr, char *valBuf, int valBufSize)
237 {
238 const char *bp;
239 char *valBufp;
240 int vallen = 0;
241 PRBool isQuoted;
242
243 PORT_Assert(valBufSize > 0);
244
245 /* skip optional leading space */
246 skipSpace(pbp, endptr);
247 if(*pbp == endptr) {
248 /* nothing left */
249 return 0;
250 }
251
252 bp = *pbp;
253
254 /* quoted? */
255 if (*bp == C_DOUBLE_QUOTE) {
256 isQuoted = PR_TRUE;
257 /* skip over it */
258 bp++;
259 } else {
260 isQuoted = PR_FALSE;
261 }
262
263 valBufp = valBuf;
264 while (bp < endptr) {
265 char c = *bp;
266 if (c == C_BACKSLASH) {
267 /* escape character */
268 bp++;
269 if (bp >= endptr) {
270 /* escape charater must appear with paired char */
271 *pbp = bp;
272 return 0;
273 }
274 c = *bp;
275 if (IS_HEX(c) && (endptr - bp) >= 2 && IS_HEX(bp[1])) {
276 bp++;
277 c = (char)((x2b[(PRUint8)c] << 4) | x2b[(PRUint8)*bp]);
278 }
279 } else if (c == '#' && bp == *pbp) {
280 /* ignore leading #, quotation not required for it. */
281 } else if (!isQuoted && SPECIAL_CHAR(c)) {
282 /* unescaped special and not within quoted value */
283 break;
284 } else if (c == C_DOUBLE_QUOTE) {
285 /* reached unescaped double quote */
286 break;
287 }
288 /* append character */
289 vallen++;
290 if (vallen >= valBufSize) {
291 *pbp = bp;
292 return 0;
293 }
294 *valBufp++ = c;
295 bp++;
296 }
297
298 /* strip trailing spaces from unquoted values */
299 if (!isQuoted) {
300 while (valBufp > valBuf) {
301 char c = valBufp[-1];
302 if (! OPTIONAL_SPACE(c))
303 break;
304 --valBufp;
305 }
306 vallen = valBufp - valBuf;
307 }
308
309 if (isQuoted) {
310 /* insist that we stopped on a double quote */
311 if (*bp != C_DOUBLE_QUOTE) {
312 *pbp = bp;
313 return 0;
314 }
315 /* skip over the quote and skip optional space */
316 bp++;
317 skipSpace(&bp, endptr);
318 }
319
320 *pbp = bp;
321
322 /* null-terminate valBuf -- guaranteed at least one space left */
323 *valBufp = 0;
324
325 return vallen;
326 }
327
328 /* Caller must set error code upon failure */
329 static SECStatus
330 hexToBin(PLArenaPool *pool, SECItem * destItem, const char * src, int len)
331 {
332 PRUint8 * dest;
333
334 destItem->data = NULL;
335 if (len <= 0 || (len & 1)) {
336 goto loser;
337 }
338 len >>= 1;
339 if (!SECITEM_AllocItem(pool, destItem, len))
340 goto loser;
341 dest = destItem->data;
342 for (; len > 0; len--, src += 2) {
343 PRInt16 bin = (x2b[(PRUint8)src[0]] << 4) | x2b[(PRUint8)src[1]];
344 if (bin < 0)
345 goto loser;
346 *dest++ = (PRUint8)bin;
347 }
348 return SECSuccess;
349 loser:
350 if (!pool)
351 SECITEM_FreeItem(destItem, PR_FALSE);
352 return SECFailure;
353 }
354
355 /* Parses one AVA, starting at *pbp. Stops at endptr.
356 * Advances *pbp past parsed AVA and trailing separator (if present).
357 * On any error, returns NULL and *pbp is undefined.
358 * On success, returns CERTAVA allocated from arena, and (*pbp)[-1] was
359 * the last character parsed. *pbp is either equal to endptr or
360 * points to first character after separator.
361 */
362 static CERTAVA *
363 ParseRFC1485AVA(PRArenaPool *arena, const char **pbp, const char *endptr)
364 {
365 CERTAVA *a;
366 const NameToKind *n2k;
367 const char *bp;
368 int vt = -1;
369 int valLen;
370 SECOidTag kind = SEC_OID_UNKNOWN;
371 SECStatus rv = SECFailure;
372 SECItem derOid = { 0, NULL, 0 };
373 SECItem derVal = { 0, NULL, 0};
374 char sep = 0;
375
376 char tagBuf[32];
377 char valBuf[384];
378
379 PORT_Assert(arena);
380 if (SECSuccess != scanTag(pbp, endptr, tagBuf, sizeof tagBuf) ||
381 !(valLen = scanVal(pbp, endptr, valBuf, sizeof valBuf))) {
382 goto loser;
383 }
384
385 bp = *pbp;
386 if (bp < endptr) {
387 sep = *bp++; /* skip over separator */
388 }
389 *pbp = bp;
390 /* if we haven't finished, insist that we've stopped on a separator */
391 if (sep && sep != ',' && sep != ';' && sep != '+') {
392 goto loser;
393 }
394
395 /* is this a dotted decimal OID attribute type ? */
396 if (!PL_strncasecmp("oid.", tagBuf, 4)) {
397 rv = SEC_StringToOID(arena, &derOid, tagBuf, strlen(tagBuf));
398 } else {
399 for (n2k = name2kinds; n2k->name; n2k++) {
400 SECOidData *oidrec;
401 if (PORT_Strcasecmp(n2k->name, tagBuf) == 0) {
402 kind = n2k->kind;
403 vt = n2k->valueType;
404 oidrec = SECOID_FindOIDByTag(kind);
405 if (oidrec == NULL)
406 goto loser;
407 derOid = oidrec->oid;
408 break;
409 }
410 }
411 }
412 if (kind == SEC_OID_UNKNOWN && rv != SECSuccess)
413 goto loser;
414
415 /* Is this a hex encoding of a DER attribute value ? */
416 if ('#' == valBuf[0]) {
417 /* convert attribute value from hex to binary */
418 rv = hexToBin(arena, &derVal, valBuf + 1, valLen - 1);
419 if (rv)
420 goto loser;
421 a = CERT_CreateAVAFromRaw(arena, &derOid, &derVal);
422 } else {
423 if (kind == SEC_OID_UNKNOWN)
424 goto loser;
425 if (kind == SEC_OID_AVA_COUNTRY_NAME && valLen != 2)
426 goto loser;
427 if (vt == SEC_ASN1_PRINTABLE_STRING &&
428 !IsPrintable((unsigned char*) valBuf, valLen))
429 goto loser;
430 if (vt == SEC_ASN1_DS) {
431 /* RFC 4630: choose PrintableString or UTF8String */
432 if (IsPrintable((unsigned char*) valBuf, valLen))
433 vt = SEC_ASN1_PRINTABLE_STRING;
434 else
435 vt = SEC_ASN1_UTF8_STRING;
436 }
437
438 derVal.data = (unsigned char*) valBuf;
439 derVal.len = valLen;
440 a = CERT_CreateAVAFromSECItem(arena, kind, vt, &derVal);
441 }
442 return a;
443
444 loser:
445 /* matched no kind -- invalid tag */
446 PORT_SetError(SEC_ERROR_INVALID_AVA);
447 return 0;
448 }
449
450 static CERTName *
451 ParseRFC1485Name(const char *buf, int len)
452 {
453 SECStatus rv;
454 CERTName *name;
455 const char *bp, *e;
456 CERTAVA *ava;
457 CERTRDN *rdn = NULL;
458
459 name = CERT_CreateName(NULL);
460 if (name == NULL) {
461 return NULL;
462 }
463
464 e = buf + len;
465 bp = buf;
466 while (bp < e) {
467 ava = ParseRFC1485AVA(name->arena, &bp, e);
468 if (ava == 0)
469 goto loser;
470 if (!rdn) {
471 rdn = CERT_CreateRDN(name->arena, ava, (CERTAVA *)0);
472 if (rdn == 0)
473 goto loser;
474 rv = CERT_AddRDN(name, rdn);
475 } else {
476 rv = CERT_AddAVA(name->arena, rdn, ava);
477 }
478 if (rv)
479 goto loser;
480 if (bp[-1] != '+')
481 rdn = NULL; /* done with this RDN */
482 skipSpace(&bp, e);
483 }
484
485 if (name->rdns[0] == 0) {
486 /* empty name -- illegal */
487 goto loser;
488 }
489
490 /* Reverse order of RDNS to comply with RFC */
491 {
492 CERTRDN **firstRdn;
493 CERTRDN **lastRdn;
494 CERTRDN *tmp;
495
496 /* get first one */
497 firstRdn = name->rdns;
498
499 /* find last one */
500 lastRdn = name->rdns;
501 while (*lastRdn) lastRdn++;
502 lastRdn--;
503
504 /* reverse list */
505 for ( ; firstRdn < lastRdn; firstRdn++, lastRdn--) {
506 tmp = *firstRdn;
507 *firstRdn = *lastRdn;
508 *lastRdn = tmp;
509 }
510 }
511
512 /* return result */
513 return name;
514
515 loser:
516 CERT_DestroyName(name);
517 return NULL;
518 }
519
520 CERTName *
521 CERT_AsciiToName(const char *string)
522 {
523 CERTName *name;
524 name = ParseRFC1485Name(string, PORT_Strlen(string));
525 return name;
526 }
527
528 /************************************************************************/
529
530 typedef struct stringBufStr {
531 char *buffer;
532 unsigned offset;
533 unsigned size;
534 } stringBuf;
535
536 #define DEFAULT_BUFFER_SIZE 200
537
538 static SECStatus
539 AppendStr(stringBuf *bufp, char *str)
540 {
541 char *buf;
542 unsigned bufLen, bufSize, len;
543 int size = 0;
544
545 /* Figure out how much to grow buf by (add in the '\0') */
546 buf = bufp->buffer;
547 bufLen = bufp->offset;
548 len = PORT_Strlen(str);
549 bufSize = bufLen + len;
550 if (!buf) {
551 bufSize++;
552 size = PR_MAX(DEFAULT_BUFFER_SIZE,bufSize*2);
553 buf = (char *) PORT_Alloc(size);
554 bufp->size = size;
555 } else if (bufp->size < bufSize) {
556 size = bufSize*2;
557 buf =(char *) PORT_Realloc(buf,size);
558 bufp->size = size;
559 }
560 if (!buf) {
561 PORT_SetError(SEC_ERROR_NO_MEMORY);
562 return SECFailure;
563 }
564 bufp->buffer = buf;
565 bufp->offset = bufSize;
566
567 /* Concatenate str onto buf */
568 buf = buf + bufLen;
569 if (bufLen) buf--; /* stomp on old '\0' */
570 PORT_Memcpy(buf, str, len+1); /* put in new null */
571 return SECSuccess;
572 }
573
574 typedef enum {
575 minimalEscape = 0, /* only hex escapes, and " and \ */
576 minimalEscapeAndQuote, /* as above, plus quoting */
577 fullEscape /* no quoting, full escaping */
578 } EQMode;
579
580 /* Some characters must be escaped as a hex string, e.g. c -> \nn .
581 * Others must be escaped by preceding with a '\', e.g. c -> \c , but
582 * there are certain "special characters" that may be handled by either
583 * escaping them, or by enclosing the entire attribute value in quotes.
584 * A NULL value for pEQMode implies selecting minimalEscape mode.
585 * Some callers will do quoting when needed, others will not.
586 * If a caller selects minimalEscapeAndQuote, and the string does not
587 * need quoting, then this function changes it to minimalEscape.
588 */
589 static int
590 cert_RFC1485_GetRequiredLen(const char *src, int srclen, EQMode *pEQMode)
591 {
592 int i, reqLen=0;
593 EQMode mode = pEQMode ? *pEQMode : minimalEscape;
594 PRBool needsQuoting = PR_FALSE;
595 char lastC = 0;
596
597 /* need to make an initial pass to determine if quoting is needed */
598 for (i = 0; i < srclen; i++) {
599 char c = src[i];
600 reqLen++;
601 if (NEEDS_HEX_ESCAPE(c)) { /* c -> \xx */
602 reqLen += 2;
603 } else if (NEEDS_ESCAPE(c)) { /* c -> \c */
604 reqLen++;
605 } else if (SPECIAL_CHAR(c)) {
606 if (mode == minimalEscapeAndQuote) /* quoting is allowed */
607 needsQuoting = PR_TRUE; /* entirety will need quoting */
608 else if (mode == fullEscape)
609 reqLen++; /* MAY escape this character */
610 } else if (OPTIONAL_SPACE(c) && OPTIONAL_SPACE(lastC)) {
611 if (mode == minimalEscapeAndQuote) /* quoting is allowed */
612 needsQuoting = PR_TRUE; /* entirety will need quoting */
613 }
614 lastC = c;
615 }
616 /* if it begins or ends in optional space it needs quoting */
617 if (!needsQuoting && srclen > 0 && mode == minimalEscapeAndQuote &&
618 (OPTIONAL_SPACE(src[srclen-1]) || OPTIONAL_SPACE(src[0]))) {
619 needsQuoting = PR_TRUE;
620 }
621
622 if (needsQuoting)
623 reqLen += 2;
624 if (pEQMode && mode == minimalEscapeAndQuote && !needsQuoting)
625 *pEQMode = minimalEscape;
626 return reqLen;
627 }
628
629 static const char hexChars[16] = { "0123456789abcdef" };
630
631 static SECStatus
632 escapeAndQuote(char *dst, int dstlen, char *src, int srclen, EQMode *pEQMode)
633 {
634 int i, reqLen=0;
635 EQMode mode = pEQMode ? *pEQMode : minimalEscape;
636
637 /* space for terminal null */
638 reqLen = cert_RFC1485_GetRequiredLen(src, srclen, &mode) + 1;
639 if (reqLen > dstlen) {
640 PORT_SetError(SEC_ERROR_OUTPUT_LEN);
641 return SECFailure;
642 }
643
644 if (mode == minimalEscapeAndQuote)
645 *dst++ = C_DOUBLE_QUOTE;
646 for (i = 0; i < srclen; i++) {
647 char c = src[i];
648 if (NEEDS_HEX_ESCAPE(c)) {
649 *dst++ = C_BACKSLASH;
650 *dst++ = hexChars[ (c >> 4) & 0x0f ];
651 *dst++ = hexChars[ c & 0x0f ];
652 } else {
653 if (NEEDS_ESCAPE(c) || (SPECIAL_CHAR(c) && mode == fullEscape)) {
654 *dst++ = C_BACKSLASH;
655 }
656 *dst++ = c;
657 }
658 }
659 if (mode == minimalEscapeAndQuote)
660 *dst++ = C_DOUBLE_QUOTE;
661 *dst++ = 0;
662 if (pEQMode)
663 *pEQMode = mode;
664 return SECSuccess;
665 }
666
667 SECStatus
668 CERT_RFC1485_EscapeAndQuote(char *dst, int dstlen, char *src, int srclen)
669 {
670 EQMode mode = minimalEscapeAndQuote;
671 return escapeAndQuote(dst, dstlen, src, srclen, &mode);
672 }
673
674
675 /* convert an OID to dotted-decimal representation */
676 /* Returns a string that must be freed with PR_smprintf_free(), */
677 char *
678 CERT_GetOidString(const SECItem *oid)
679 {
680 PRUint8 *stop; /* points to first byte after OID string */
681 PRUint8 *first; /* byte of an OID component integer */
682 PRUint8 *last; /* byte of an OID component integer */
683 char *rvString = NULL;
684 char *prefix = NULL;
685
686 #define MAX_OID_LEN 1024 /* bytes */
687
688 if (oid->len > MAX_OID_LEN) {
689 PORT_SetError(SEC_ERROR_INPUT_LEN);
690 return NULL;
691 }
692
693 /* first will point to the next sequence of bytes to decode */
694 first = (PRUint8 *)oid->data;
695 /* stop points to one past the legitimate data */
696 stop = &first[ oid->len ];
697
698 /*
699 * Check for our pseudo-encoded single-digit OIDs
700 */
701 if ((*first == 0x80) && (2 == oid->len)) {
702 /* Funky encoding. The second byte is the number */
703 rvString = PR_smprintf("%lu", (PRUint32)first[1]);
704 if (!rvString) {
705 PORT_SetError(SEC_ERROR_NO_MEMORY);
706 }
707 return rvString;
708 }
709
710 for (; first < stop; first = last + 1) {
711 unsigned int bytesBeforeLast;
712
713 for (last = first; last < stop; last++) {
714 if (0 == (*last & 0x80)) {
715 break;
716 }
717 }
718 bytesBeforeLast = (unsigned int)(last - first);
719 if (bytesBeforeLast <= 3U) { /* 0-28 bit number */
720 PRUint32 n = 0;
721 PRUint32 c;
722
723 #define CGET(i, m) \
724 c = last[-i] & m; \
725 n |= c << (7 * i)
726
727 #define CASE(i, m) \
728 case i: \
729 CGET(i, m); \
730 if (!n) goto unsupported \
731 /* fall-through */
732
733 switch (bytesBeforeLast) {
734 CASE(3, 0x7f);
735 CASE(2, 0x7f);
736 CASE(1, 0x7f);
737 case 0: n |= last[0] & 0x7f;
738 break;
739 }
740 if (last[0] & 0x80)
741 goto unsupported;
742
743 if (!rvString) {
744 /* This is the first number.. decompose it */
745 PRUint32 one = PR_MIN(n/40, 2); /* never > 2 */
746 PRUint32 two = n - (one * 40);
747
748 rvString = PR_smprintf("OID.%lu.%lu", one, two);
749 } else {
750 prefix = rvString;
751 rvString = PR_smprintf("%s.%lu", prefix, n);
752 }
753 } else if (bytesBeforeLast <= 9U) { /* 29-64 bit number */
754 PRUint64 n = 0;
755 PRUint64 c;
756
757 switch (bytesBeforeLast) {
758 CASE(9, 0x01);
759 CASE(8, 0x7f);
760 CASE(7, 0x7f);
761 CASE(6, 0x7f);
762 CASE(5, 0x7f);
763 CASE(4, 0x7f);
764 CGET(3, 0x7f);
765 CGET(2, 0x7f);
766 CGET(1, 0x7f);
767 CGET(0, 0x7f);
768 break;
769 }
770 if (last[0] & 0x80)
771 goto unsupported;
772
773 if (!rvString) {
774 /* This is the first number.. decompose it */
775 PRUint64 one = PR_MIN(n/40, 2); /* never > 2 */
776 PRUint64 two = n - (one * 40);
777
778 rvString = PR_smprintf("OID.%llu.%llu", one, two);
779 } else {
780 prefix = rvString;
781 rvString = PR_smprintf("%s.%llu", prefix, n);
782 }
783 } else {
784 /* More than a 64-bit number, or not minimal encoding. */
785 unsupported:
786 if (!rvString)
787 rvString = PR_smprintf("OID.UNSUPPORTED");
788 else {
789 prefix = rvString;
790 rvString = PR_smprintf("%s.UNSUPPORTED", prefix);
791 }
792 }
793
794 if (prefix) {
795 PR_smprintf_free(prefix);
796 prefix = NULL;
797 }
798 if (!rvString) {
799 PORT_SetError(SEC_ERROR_NO_MEMORY);
800 break;
801 }
802 }
803 return rvString;
804 }
805
806 /* convert DER-encoded hex to a string */
807 static SECItem *
808 get_hex_string(SECItem *data)
809 {
810 SECItem *rv;
811 unsigned int i, j;
812 static const char hex[] = { "0123456789ABCDEF" };
813
814 /* '#' + 2 chars per octet + terminator */
815 rv = SECITEM_AllocItem(NULL, NULL, data->len*2 + 2);
816 if (!rv) {
817 return NULL;
818 }
819 rv->data[0] = '#';
820 rv->len = 1 + 2 * data->len;
821 for (i=0; i<data->len; i++) {
822 j = data->data[i];
823 rv->data[2*i+1] = hex[j >> 4];
824 rv->data[2*i+2] = hex[j & 15];
825 }
826 rv->data[rv->len] = 0;
827 return rv;
828 }
829
830 /* For compliance with RFC 2253, RFC 3280 and RFC 4630, we choose to
831 * use the NAME=STRING form, rather than the OID.N.N=#hexXXXX form,
832 * when both of these conditions are met:
833 * 1) The attribute name OID (kind) has a known name string that is
834 * defined in one of those RFCs, or in RFCs that they cite, AND
835 * 2) The attribute's value encoding is RFC compliant for the kind
836 * (e.g., the value's encoding tag is correct for the kind, and
837 * the value's length is in the range allowed for the kind, and
838 * the value's contents are appropriate for the encoding tag).
839 * Otherwise, we use the OID.N.N=#hexXXXX form.
840 *
841 * If the caller prefers maximum human readability to RFC compliance,
842 * then
843 * - We print the kind in NAME= string form if we know the name
844 * string for the attribute type OID, regardless of whether the
845 * value is correctly encoded or not. else we use the OID.N.N= form.
846 * - We use the non-hex STRING form for the attribute value if the
847 * value can be represented in such a form. Otherwise, we use
848 * the hex string form.
849 * This implies that, for maximum human readability, in addition to
850 * the two forms allowed by the RFC, we allow two other forms of output:
851 * - the OID.N.N=STRING form, and
852 * - the NAME=#hexXXXX form
853 * When the caller prefers maximum human readability, we do not allow
854 * the value of any attribute to exceed the length allowed by the RFC.
855 * If the attribute value exceeds the allowed length, we truncate it to
856 * the allowed length and append "...".
857 * Also in this case, we arbitrarily impose a limit on the length of the
858 * entire AVA encoding, regardless of the form, of 384 bytes per AVA.
859 * This limit includes the trailing NULL character. If the encoded
860 * AVA length exceeds that limit, this function reports failure to encode
861 * the AVA.
862 *
863 * An ASCII representation of an AVA is said to be "invertible" if
864 * conversion back to DER reproduces the original DER encoding exactly.
865 * The RFC 2253 rules do not ensure that all ASCII AVAs derived according
866 * to its rules are invertible. That is because the RFCs allow some
867 * attribute values to be encoded in any of a number of encodings,
868 * and the encoding type information is lost in the non-hex STRING form.
869 * This is particularly true of attributes of type DirectoryString.
870 * The encoding type information is always preserved in the hex string
871 * form, because the hex includes the entire DER encoding of the value.
872 *
873 * So, when the caller perfers maximum invertibility, we apply the
874 * RFC compliance rules stated above, and add a third required
875 * condition on the use of the NAME=STRING form.
876 * 3) The attribute's kind is not is allowed to be encoded in any of
877 * several different encodings, such as DirectoryStrings.
878 *
879 * The chief difference between CERT_N2A_STRICT and CERT_N2A_INVERTIBLE
880 * is that the latter forces DirectoryStrings to be hex encoded.
881 *
882 * As a simplification, we assume the value is correctly encoded for
883 * its encoding type. That is, we do not test that all the characters
884 * in a string encoded type are allowed by that type. We assume it.
885 */
886 static SECStatus
887 AppendAVA(stringBuf *bufp, CERTAVA *ava, CertStrictnessLevel strict)
888 {
889 #define TMPBUF_LEN 384
890 const NameToKind *pn2k = name2kinds;
891 SECItem *avaValue = NULL;
892 char *unknownTag = NULL;
893 char *encodedAVA = NULL;
894 PRBool useHex = PR_FALSE; /* use =#hexXXXX form */
895 PRBool truncateName = PR_FALSE;
896 PRBool truncateValue = PR_FALSE;
897 SECOidTag endKind;
898 SECStatus rv;
899 unsigned int len;
900 unsigned int nameLen, valueLen;
901 unsigned int maxName, maxValue;
902 EQMode mode = minimalEscapeAndQuote;
903 NameToKind n2k = { NULL, 32767, SEC_OID_UNKNOWN, SEC_ASN1_DS };
904 char tmpBuf[TMPBUF_LEN];
905
906 #define tagName n2k.name /* non-NULL means use NAME= form */
907 #define maxBytes n2k.maxLen
908 #define tag n2k.kind
909 #define vt n2k.valueType
910
911 /* READABLE mode recognizes more names from the name2kinds table
912 * than do STRICT or INVERTIBLE modes. This assignment chooses the
913 * point in the table where the attribute type name scanning stops.
914 */
915 endKind = (strict == CERT_N2A_READABLE) ? SEC_OID_UNKNOWN
916 : SEC_OID_AVA_POSTAL_ADDRESS;
917 tag = CERT_GetAVATag(ava);
918 while (pn2k->kind != tag && pn2k->kind != endKind) {
919 ++pn2k;
920 }
921
922 if (pn2k->kind != endKind ) {
923 n2k = *pn2k;
924 } else if (strict != CERT_N2A_READABLE) {
925 useHex = PR_TRUE;
926 }
927 /* For invertable form, force Directory Strings to use hex form. */
928 if (strict == CERT_N2A_INVERTIBLE && vt == SEC_ASN1_DS) {
929 tagName = NULL; /* must use OID.N form */
930 useHex = PR_TRUE; /* must use hex string */
931 }
932 if (!useHex) {
933 avaValue = CERT_DecodeAVAValue(&ava->value);
934 if (!avaValue) {
935 useHex = PR_TRUE;
936 if (strict != CERT_N2A_READABLE) {
937 tagName = NULL; /* must use OID.N form */
938 }
939 }
940 }
941 if (!tagName) {
942 /* handle unknown attribute types per RFC 2253 */
943 tagName = unknownTag = CERT_GetOidString(&ava->type);
944 if (!tagName) {
945 if (avaValue)
946 SECITEM_FreeItem(avaValue, PR_TRUE);
947 return SECFailure;
948 }
949 }
950 if (useHex) {
951 avaValue = get_hex_string(&ava->value);
952 if (!avaValue) {
953 if (unknownTag)
954 PR_smprintf_free(unknownTag);
955 return SECFailure;
956 }
957 }
958
959 nameLen = strlen(tagName);
960 valueLen = (useHex ? avaValue->len :
961 cert_RFC1485_GetRequiredLen((char *)avaValue->data, avaValue->le n,
962 &mode));
963 len = nameLen + valueLen + 2; /* Add 2 for '=' and trailing NUL */
964
965 maxName = nameLen;
966 maxValue = valueLen;
967 if (len <= sizeof(tmpBuf)) {
968 encodedAVA = tmpBuf;
969 } else if (strict != CERT_N2A_READABLE) {
970 encodedAVA = PORT_Alloc(len);
971 if (!encodedAVA) {
972 SECITEM_FreeItem(avaValue, PR_TRUE);
973 if (unknownTag)
974 PR_smprintf_free(unknownTag);
975 return SECFailure;
976 }
977 } else {
978 /* Must make output fit in tmpbuf */
979 unsigned int fair = (sizeof tmpBuf)/2 - 1; /* for = and \0 */
980
981 if (nameLen < fair) {
982 /* just truncate the value */
983 maxValue = (sizeof tmpBuf) - (nameLen + 6); /* for "=...\0",
984 and possibly '"' */
985 } else if (valueLen < fair) {
986 /* just truncate the name */
987 maxName = (sizeof tmpBuf) - (valueLen + 5); /* for "=...\0" */
988 } else {
989 /* truncate both */
990 maxName = maxValue = fair - 3; /* for "..." */
991 }
992 if (nameLen > maxName) {
993 PORT_Assert(unknownTag && unknownTag == tagName);
994 truncateName = PR_TRUE;
995 nameLen = maxName;
996 }
997 encodedAVA = tmpBuf;
998 }
999
1000 memcpy(encodedAVA, tagName, nameLen);
1001 if (truncateName) {
1002 /* If tag name is too long, we know it is an OID form that was
1003 * allocated from the heap, so we can modify it in place
1004 */
1005 encodedAVA[nameLen-1] = '.';
1006 encodedAVA[nameLen-2] = '.';
1007 encodedAVA[nameLen-3] = '.';
1008 }
1009 encodedAVA[nameLen++] = '=';
1010 if (unknownTag)
1011 PR_smprintf_free(unknownTag);
1012
1013 if (strict == CERT_N2A_READABLE && maxValue > maxBytes)
1014 maxValue = maxBytes;
1015 if (valueLen > maxValue) {
1016 valueLen = maxValue;
1017 truncateValue = PR_TRUE;
1018 }
1019 /* escape and quote as necessary - don't quote hex strings */
1020 if (useHex) {
1021 char * end = encodedAVA + nameLen + valueLen;
1022 memcpy(encodedAVA + nameLen, (char *)avaValue->data, valueLen);
1023 end[0] = '\0';
1024 if (truncateValue) {
1025 end[-1] = '.';
1026 end[-2] = '.';
1027 end[-3] = '.';
1028 }
1029 rv = SECSuccess;
1030 } else if (!truncateValue) {
1031 rv = escapeAndQuote(encodedAVA + nameLen, len - nameLen,
1032 (char *)avaValue->data, avaValue->len, &mode);
1033 } else {
1034 /* must truncate the escaped and quoted value */
1035 char bigTmpBuf[TMPBUF_LEN * 3 + 3];
1036 rv = escapeAndQuote(bigTmpBuf, sizeof bigTmpBuf,
1037 (char *)avaValue->data, valueLen, &mode);
1038
1039 bigTmpBuf[valueLen--] = '\0'; /* hard stop here */
1040 /* See if we're in the middle of a multi-byte UTF8 character */
1041 while (((bigTmpBuf[valueLen] & 0xc0) == 0x80) && valueLen > 0) {
1042 bigTmpBuf[valueLen--] = '\0';
1043 }
1044 /* add ellipsis to signify truncation. */
1045 bigTmpBuf[++valueLen] = '.';
1046 bigTmpBuf[++valueLen] = '.';
1047 bigTmpBuf[++valueLen] = '.';
1048 if (bigTmpBuf[0] == '"')
1049 bigTmpBuf[++valueLen] = '"';
1050 bigTmpBuf[++valueLen] = '\0';
1051 PORT_Assert(nameLen + valueLen <= (sizeof tmpBuf) - 1);
1052 memcpy(encodedAVA + nameLen, bigTmpBuf, valueLen+1);
1053 }
1054
1055 SECITEM_FreeItem(avaValue, PR_TRUE);
1056 if (rv == SECSuccess)
1057 rv = AppendStr(bufp, encodedAVA);
1058 if (encodedAVA != tmpBuf)
1059 PORT_Free(encodedAVA);
1060 return rv;
1061 }
1062
1063 #undef tagName
1064 #undef maxBytes
1065 #undef tag
1066 #undef vt
1067
1068 char *
1069 CERT_NameToAsciiInvertible(CERTName *name, CertStrictnessLevel strict)
1070 {
1071 CERTRDN** rdns;
1072 CERTRDN** lastRdn;
1073 CERTRDN** rdn;
1074 PRBool first = PR_TRUE;
1075 stringBuf strBuf = { NULL, 0, 0 };
1076
1077 rdns = name->rdns;
1078 if (rdns == NULL) {
1079 return NULL;
1080 }
1081
1082 /* find last RDN */
1083 lastRdn = rdns;
1084 while (*lastRdn) lastRdn++;
1085 lastRdn--;
1086
1087 /*
1088 * Loop over name contents in _reverse_ RDN order appending to string
1089 */
1090 for (rdn = lastRdn; rdn >= rdns; rdn--) {
1091 CERTAVA** avas = (*rdn)->avas;
1092 CERTAVA* ava;
1093 PRBool newRDN = PR_TRUE;
1094
1095 /*
1096 * XXX Do we need to traverse the AVAs in reverse order, too?
1097 */
1098 while (avas && (ava = *avas++) != NULL) {
1099 SECStatus rv;
1100 /* Put in comma or plus separator */
1101 if (!first) {
1102 /* Use of spaces is deprecated in RFC 2253. */
1103 rv = AppendStr(&strBuf, newRDN ? "," : "+");
1104 if (rv) goto loser;
1105 } else {
1106 first = PR_FALSE;
1107 }
1108
1109 /* Add in tag type plus value into strBuf */
1110 rv = AppendAVA(&strBuf, ava, strict);
1111 if (rv) goto loser;
1112 newRDN = PR_FALSE;
1113 }
1114 }
1115 return strBuf.buffer;
1116 loser:
1117 if (strBuf.buffer) {
1118 PORT_Free(strBuf.buffer);
1119 }
1120 return NULL;
1121 }
1122
1123 char *
1124 CERT_NameToAscii(CERTName *name)
1125 {
1126 return CERT_NameToAsciiInvertible(name, CERT_N2A_READABLE);
1127 }
1128
1129 /*
1130 * Return the string representation of a DER encoded distinguished name
1131 * "dername" - The DER encoded name to convert
1132 */
1133 char *
1134 CERT_DerNameToAscii(SECItem *dername)
1135 {
1136 int rv;
1137 PRArenaPool *arena = NULL;
1138 CERTName name;
1139 char *retstr = NULL;
1140
1141 arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
1142
1143 if ( arena == NULL) {
1144 goto loser;
1145 }
1146
1147 rv = SEC_QuickDERDecodeItem(arena, &name, CERT_NameTemplate, dername);
1148
1149 if ( rv != SECSuccess ) {
1150 goto loser;
1151 }
1152
1153 retstr = CERT_NameToAscii(&name);
1154
1155 loser:
1156 if ( arena != NULL ) {
1157 PORT_FreeArena(arena, PR_FALSE);
1158 }
1159
1160 return(retstr);
1161 }
1162
1163 static char *
1164 avaToString(PRArenaPool *arena, CERTAVA *ava)
1165 {
1166 char * buf = NULL;
1167 SECItem* avaValue;
1168 int valueLen;
1169
1170 avaValue = CERT_DecodeAVAValue(&ava->value);
1171 if(!avaValue) {
1172 return buf;
1173 }
1174 valueLen = cert_RFC1485_GetRequiredLen((char *)avaValue->data,
1175 avaValue->len, NULL) + 1;
1176 if (arena) {
1177 buf = (char *)PORT_ArenaZAlloc(arena, valueLen);
1178 } else {
1179 buf = (char *)PORT_ZAlloc(valueLen);
1180 }
1181 if (buf) {
1182 SECStatus rv = escapeAndQuote(buf, valueLen, (char *)avaValue->data,
1183 avaValue->len, NULL);
1184 if (rv != SECSuccess) {
1185 if (!arena)
1186 PORT_Free(buf);
1187 buf = NULL;
1188 }
1189 }
1190 SECITEM_FreeItem(avaValue, PR_TRUE);
1191 return buf;
1192 }
1193
1194 /* RDNs are sorted from most general to most specific.
1195 * This code returns the FIRST one found, the most general one found.
1196 */
1197 static char *
1198 CERT_GetNameElement(PRArenaPool *arena, CERTName *name, int wantedTag)
1199 {
1200 CERTRDN** rdns = name->rdns;
1201 CERTRDN* rdn;
1202 CERTAVA* ava = NULL;
1203
1204 while (rdns && (rdn = *rdns++) != 0) {
1205 CERTAVA** avas = rdn->avas;
1206 while (avas && (ava = *avas++) != 0) {
1207 int tag = CERT_GetAVATag(ava);
1208 if ( tag == wantedTag ) {
1209 avas = NULL;
1210 rdns = NULL; /* break out of all loops */
1211 }
1212 }
1213 }
1214 return ava ? avaToString(arena, ava) : NULL;
1215 }
1216
1217 /* RDNs are sorted from most general to most specific.
1218 * This code returns the LAST one found, the most specific one found.
1219 * This is particularly appropriate for Common Name. See RFC 2818.
1220 */
1221 static char *
1222 CERT_GetLastNameElement(PRArenaPool *arena, CERTName *name, int wantedTag)
1223 {
1224 CERTRDN** rdns = name->rdns;
1225 CERTRDN* rdn;
1226 CERTAVA* lastAva = NULL;
1227
1228 while (rdns && (rdn = *rdns++) != 0) {
1229 CERTAVA** avas = rdn->avas;
1230 CERTAVA* ava;
1231 while (avas && (ava = *avas++) != 0) {
1232 int tag = CERT_GetAVATag(ava);
1233 if ( tag == wantedTag ) {
1234 lastAva = ava;
1235 }
1236 }
1237 }
1238 return lastAva ? avaToString(arena, lastAva) : NULL;
1239 }
1240
1241 char *
1242 CERT_GetCertificateEmailAddress(CERTCertificate *cert)
1243 {
1244 char *rawEmailAddr = NULL;
1245 SECItem subAltName;
1246 SECStatus rv;
1247 CERTGeneralName *nameList = NULL;
1248 CERTGeneralName *current;
1249 PRArenaPool *arena = NULL;
1250 int i;
1251
1252 subAltName.data = NULL;
1253
1254 rawEmailAddr = CERT_GetNameElement(cert->arena, &(cert->subject),
1255 SEC_OID_PKCS9_EMAIL_ADDRESS);
1256 if ( rawEmailAddr == NULL ) {
1257 rawEmailAddr = CERT_GetNameElement(cert->arena, &(cert->subject),
1258 SEC_OID_RFC1274_MAIL);
1259 }
1260 if ( rawEmailAddr == NULL) {
1261
1262 rv = CERT_FindCertExtension(cert, SEC_OID_X509_SUBJECT_ALT_NAME,
1263 &subAltName);
1264 if (rv != SECSuccess) {
1265 goto finish;
1266 }
1267 arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
1268 if (!arena) {
1269 goto finish;
1270 }
1271 nameList = current = CERT_DecodeAltNameExtension(arena, &subAltName);
1272 if (!nameList ) {
1273 goto finish;
1274 }
1275 if (nameList != NULL) {
1276 do {
1277 if (current->type == certDirectoryName) {
1278 rawEmailAddr = CERT_GetNameElement(cert->arena,
1279 &(current->name.directoryName),
1280 SEC_OID_PKCS9_EMAIL_ADDRESS);
1281 if ( rawEmailAddr == NULL ) {
1282 rawEmailAddr = CERT_GetNameElement(cert->arena,
1283 &(current->name.directoryName), SEC_OID_RFC1274_MAIL);
1284 }
1285 } else if (current->type == certRFC822Name) {
1286 rawEmailAddr = (char*)PORT_ArenaZAlloc(cert->arena,
1287 current->name.other.len + 1);
1288 if (!rawEmailAddr) {
1289 goto finish;
1290 }
1291 PORT_Memcpy(rawEmailAddr, current->name.other.data,
1292 current->name.other.len);
1293 rawEmailAddr[current->name.other.len] = '\0';
1294 }
1295 if (rawEmailAddr) {
1296 break;
1297 }
1298 current = CERT_GetNextGeneralName(current);
1299 } while (current != nameList);
1300 }
1301 }
1302 if (rawEmailAddr) {
1303 for (i = 0; i <= (int) PORT_Strlen(rawEmailAddr); i++) {
1304 rawEmailAddr[i] = tolower(rawEmailAddr[i]);
1305 }
1306 }
1307
1308 finish:
1309
1310 /* Don't free nameList, it's part of the arena. */
1311
1312 if (arena) {
1313 PORT_FreeArena(arena, PR_FALSE);
1314 }
1315
1316 if ( subAltName.data ) {
1317 SECITEM_FreeItem(&subAltName, PR_FALSE);
1318 }
1319
1320 return(rawEmailAddr);
1321 }
1322
1323 static char *
1324 appendStringToBuf(char *dest, char *src, PRUint32 *pRemaining)
1325 {
1326 PRUint32 len;
1327 if (dest && src && src[0] && *pRemaining > (len = PL_strlen(src))) {
1328 PRUint32 i;
1329 for (i = 0; i < len; ++i)
1330 dest[i] = tolower(src[i]);
1331 dest[len] = 0;
1332 dest += len + 1;
1333 *pRemaining -= len + 1;
1334 }
1335 return dest;
1336 }
1337
1338 #undef NEEDS_HEX_ESCAPE
1339 #define NEEDS_HEX_ESCAPE(c) (c < 0x20)
1340
1341 static char *
1342 appendItemToBuf(char *dest, SECItem *src, PRUint32 *pRemaining)
1343 {
1344 if (dest && src && src->data && src->len && src->data[0]) {
1345 PRUint32 len = src->len;
1346 PRUint32 i;
1347 PRUint32 reqLen = len + 1;
1348 /* are there any embedded control characters ? */
1349 for (i = 0; i < len; i++) {
1350 if (NEEDS_HEX_ESCAPE(src->data[i]))
1351 reqLen += 2;
1352 }
1353 if (*pRemaining > reqLen) {
1354 for (i = 0; i < len; ++i) {
1355 PRUint8 c = src->data[i];
1356 if (NEEDS_HEX_ESCAPE(c)) {
1357 *dest++ = C_BACKSLASH;
1358 *dest++ = hexChars[ (c >> 4) & 0x0f ];
1359 *dest++ = hexChars[ c & 0x0f ];
1360 } else {
1361 *dest++ = tolower(c);
1362 }
1363 }
1364 *dest++ = '\0';
1365 *pRemaining -= reqLen;
1366 }
1367 }
1368 return dest;
1369 }
1370
1371 /* Returns a pointer to an environment-like string, a series of
1372 ** null-terminated strings, terminated by a zero-length string.
1373 ** This function is intended to be internal to NSS.
1374 */
1375 char *
1376 cert_GetCertificateEmailAddresses(CERTCertificate *cert)
1377 {
1378 char * rawEmailAddr = NULL;
1379 char * addrBuf = NULL;
1380 char * pBuf = NULL;
1381 PRArenaPool * tmpArena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
1382 PRUint32 maxLen = 0;
1383 PRInt32 finalLen = 0;
1384 SECStatus rv;
1385 SECItem subAltName;
1386
1387 if (!tmpArena)
1388 return addrBuf;
1389
1390 subAltName.data = NULL;
1391 maxLen = cert->derCert.len;
1392 PORT_Assert(maxLen);
1393 if (!maxLen)
1394 maxLen = 2000; /* a guess, should never happen */
1395
1396 pBuf = addrBuf = (char *)PORT_ArenaZAlloc(tmpArena, maxLen + 1);
1397 if (!addrBuf)
1398 goto loser;
1399
1400 rawEmailAddr = CERT_GetNameElement(tmpArena, &cert->subject,
1401 SEC_OID_PKCS9_EMAIL_ADDRESS);
1402 pBuf = appendStringToBuf(pBuf, rawEmailAddr, &maxLen);
1403
1404 rawEmailAddr = CERT_GetNameElement(tmpArena, &cert->subject,
1405 SEC_OID_RFC1274_MAIL);
1406 pBuf = appendStringToBuf(pBuf, rawEmailAddr, &maxLen);
1407
1408 rv = CERT_FindCertExtension(cert, SEC_OID_X509_SUBJECT_ALT_NAME,
1409 &subAltName);
1410 if (rv == SECSuccess && subAltName.data) {
1411 CERTGeneralName *nameList = NULL;
1412
1413 if (!!(nameList = CERT_DecodeAltNameExtension(tmpArena, &subAltName))) {
1414 CERTGeneralName *current = nameList;
1415 do {
1416 if (current->type == certDirectoryName) {
1417 rawEmailAddr = CERT_GetNameElement(tmpArena,
1418 &current->name.directoryName,
1419 SEC_OID_PKCS9_EMAIL_ADDRESS);
1420 pBuf = appendStringToBuf(pBuf, rawEmailAddr, &maxLen);
1421
1422 rawEmailAddr = CERT_GetNameElement(tmpArena,
1423 &current->name.directoryName,
1424 SEC_OID_RFC1274_MAIL);
1425 pBuf = appendStringToBuf(pBuf, rawEmailAddr, &maxLen);
1426 } else if (current->type == certRFC822Name) {
1427 pBuf = appendItemToBuf(pBuf, &current->name.other, &maxLen);
1428 }
1429 current = CERT_GetNextGeneralName(current);
1430 } while (current != nameList);
1431 }
1432 SECITEM_FreeItem(&subAltName, PR_FALSE);
1433 /* Don't free nameList, it's part of the tmpArena. */
1434 }
1435 /* now copy superstring to cert's arena */
1436 finalLen = (pBuf - addrBuf) + 1;
1437 pBuf = NULL;
1438 if (finalLen > 1) {
1439 pBuf = PORT_ArenaAlloc(cert->arena, finalLen);
1440 if (pBuf) {
1441 PORT_Memcpy(pBuf, addrBuf, finalLen);
1442 }
1443 }
1444 loser:
1445 if (tmpArena)
1446 PORT_FreeArena(tmpArena, PR_FALSE);
1447
1448 return pBuf;
1449 }
1450
1451 /* returns pointer to storage in cert's arena. Storage remains valid
1452 ** as long as cert's reference count doesn't go to zero.
1453 ** Caller should strdup or otherwise copy.
1454 */
1455 const char * /* const so caller won't muck with it. */
1456 CERT_GetFirstEmailAddress(CERTCertificate * cert)
1457 {
1458 if (cert && cert->emailAddr && cert->emailAddr[0])
1459 return (const char *)cert->emailAddr;
1460 return NULL;
1461 }
1462
1463 /* returns pointer to storage in cert's arena. Storage remains valid
1464 ** as long as cert's reference count doesn't go to zero.
1465 ** Caller should strdup or otherwise copy.
1466 */
1467 const char * /* const so caller won't muck with it. */
1468 CERT_GetNextEmailAddress(CERTCertificate * cert, const char * prev)
1469 {
1470 if (cert && prev && prev[0]) {
1471 PRUint32 len = PL_strlen(prev);
1472 prev += len + 1;
1473 if (prev && prev[0])
1474 return prev;
1475 }
1476 return NULL;
1477 }
1478
1479 /* This is seriously bogus, now that certs store their email addresses in
1480 ** subject Alternative Name extensions.
1481 ** Returns a string allocated by PORT_StrDup, which the caller must free.
1482 */
1483 char *
1484 CERT_GetCertEmailAddress(CERTName *name)
1485 {
1486 char *rawEmailAddr;
1487 char *emailAddr;
1488
1489
1490 rawEmailAddr = CERT_GetNameElement(NULL, name, SEC_OID_PKCS9_EMAIL_ADDRESS);
1491 if ( rawEmailAddr == NULL ) {
1492 rawEmailAddr = CERT_GetNameElement(NULL, name, SEC_OID_RFC1274_MAIL);
1493 }
1494 emailAddr = CERT_FixupEmailAddr(rawEmailAddr);
1495 if ( rawEmailAddr ) {
1496 PORT_Free(rawEmailAddr);
1497 }
1498 return(emailAddr);
1499 }
1500
1501 /* The return value must be freed with PORT_Free. */
1502 char *
1503 CERT_GetCommonName(CERTName *name)
1504 {
1505 return(CERT_GetLastNameElement(NULL, name, SEC_OID_AVA_COMMON_NAME));
1506 }
1507
1508 char *
1509 CERT_GetCountryName(CERTName *name)
1510 {
1511 return(CERT_GetNameElement(NULL, name, SEC_OID_AVA_COUNTRY_NAME));
1512 }
1513
1514 char *
1515 CERT_GetLocalityName(CERTName *name)
1516 {
1517 return(CERT_GetNameElement(NULL, name, SEC_OID_AVA_LOCALITY));
1518 }
1519
1520 char *
1521 CERT_GetStateName(CERTName *name)
1522 {
1523 return(CERT_GetNameElement(NULL, name, SEC_OID_AVA_STATE_OR_PROVINCE));
1524 }
1525
1526 char *
1527 CERT_GetOrgName(CERTName *name)
1528 {
1529 return(CERT_GetNameElement(NULL, name, SEC_OID_AVA_ORGANIZATION_NAME));
1530 }
1531
1532 char *
1533 CERT_GetDomainComponentName(CERTName *name)
1534 {
1535 return(CERT_GetNameElement(NULL, name, SEC_OID_AVA_DC));
1536 }
1537
1538 char *
1539 CERT_GetOrgUnitName(CERTName *name)
1540 {
1541 return(CERT_GetNameElement(NULL, name, SEC_OID_AVA_ORGANIZATIONAL_UNIT_NAME) );
1542 }
1543
1544 char *
1545 CERT_GetDnQualifier(CERTName *name)
1546 {
1547 return(CERT_GetNameElement(NULL, name, SEC_OID_AVA_DN_QUALIFIER));
1548 }
1549
1550 char *
1551 CERT_GetCertUid(CERTName *name)
1552 {
1553 return(CERT_GetNameElement(NULL, name, SEC_OID_RFC1274_UID));
1554 }
1555
OLDNEW
« no previous file with comments | « mozilla/security/nss/lib/base/tracker.c ('k') | mozilla/security/nss/lib/certdb/cert.h » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698