
Side by Side Diff: mozilla/security/nss/lib/pkcs7/certread.c

Issue 14249009: Change the NSS and NSPR source tree to the new directory structure to be (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/deps/third_party/nss/
Patch Set: Created 7 years, 8 months ago
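--- a/mozilla/security/nss/lib/pkcs7/certread.c
+++ b/mozilla/security/nss/lib/pkcs7/certread.c
@@ -0,0 +1,434 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+* License, v. 2.0. If a copy of the MPL was not distributed with this
+* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "cert.h"
+#include "secpkcs7.h"
+#include "base64.h"
+#include "secitem.h"
+#include "secder.h"
+#include "secasn1.h"
+#include "secoid.h"
+#include "secerr.h"
+
+SEC_ASN1_MKSUB(SEC_AnyTemplate)
+
+SECStatus
+SEC_ReadPKCS7Certs(SECItem *pkcs7Item, CERTImportCertificateFunc f, void *arg)
+{
+SEC_PKCS7ContentInfo *contentInfo = NULL;
+SECStatus rv;
+SECItem **certs;
+int count;
+
+contentInfo = SEC_PKCS7DecodeItem(pkcs7Item, NULL, NULL, NULL, NULL, NULL,
+NULL, NULL);
+if ( contentInfo == NULL ) {
+goto loser;
+}
+
+if ( SEC_PKCS7ContentType (contentInfo) != SEC_OID_PKCS7_SIGNED_DATA ) {
+goto loser;
+}
+
+certs = contentInfo->content.signedData->rawCerts;
+if ( certs ) {
+count = 0;
+
+while ( *certs ) {
+count++;
+certs++;
+}
+rv = (* f)(arg, contentInfo->content.signedData->rawCerts, count);
+}
+
+rv = SECSuccess;
+
+goto done;
+loser:
+rv = SECFailure;
+
+done:
+if ( contentInfo ) {
+SEC_PKCS7DestroyContentInfo(contentInfo);
+}
+
+return(rv);
+}
+
+const SEC_ASN1Template SEC_CertSequenceTemplate[] = {
+{ SEC_ASN1_SEQUENCE_OF | SEC_ASN1_XTRN, 0, SEC_ASN1_SUB(SEC_AnyTemplate) }
+};
+
+SECStatus
+SEC_ReadCertSequence(SECItem *certsItem, CERTImportCertificateFunc f, void *arg)
+{
+SECStatus rv;
+SECItem **certs;
+int count;
+SECItem **rawCerts = NULL;
+PRArenaPool *arena;
+SEC_PKCS7ContentInfo *contentInfo = NULL;
+
+arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+if (arena == NULL) {
+return SECFailure;
+}
+
+contentInfo = SEC_PKCS7DecodeItem(certsItem, NULL, NULL, NULL, NULL, NULL,
+NULL, NULL);
+if ( contentInfo == NULL ) {
+goto loser;
+}
+
+if ( SEC_PKCS7ContentType (contentInfo) != SEC_OID_NS_TYPE_CERT_SEQUENCE ) {
+goto loser;
+}
+
+
+rv = SEC_QuickDERDecodeItem(arena, &rawCerts, SEC_CertSequenceTemplate,
+contentInfo->content.data);
+
+if (rv != SECSuccess) {
+goto loser;
+}
+
+certs = rawCerts;
+if ( certs ) {
+count = 0;
+
+while ( *certs ) {
+count++;
+certs++;
+}
+rv = (* f)(arg, rawCerts, count);
+}
+
+rv = SECSuccess;
+
+goto done;
+loser:
+rv = SECFailure;
+
+done:
+if ( contentInfo ) {
+SEC_PKCS7DestroyContentInfo(contentInfo);
+}
+
+if ( arena ) {
+PORT_FreeArena(arena, PR_FALSE);
+}
+
+return(rv);
+}
+
+CERTCertificate *
+CERT_ConvertAndDecodeCertificate(char *certstr)
+{
+CERTCertificate *cert;
+SECStatus rv;
+SECItem der;
+
+rv = ATOB_ConvertAsciiToItem(&der, certstr);
+if (rv != SECSuccess)
+return NULL;
+
+cert = CERT_NewTempCertificate(CERT_GetDefaultCertDB(),
+&der, NULL, PR_FALSE, PR_TRUE);
+
+PORT_Free(der.data);
+return cert;
+}
+
+static const char NS_CERT_HEADER[] = "-----BEGIN CERTIFICATE-----";
+static const char NS_CERT_TRAILER[] = "-----END CERTIFICATE-----";
+#define NS_CERT_HEADER_LEN ((sizeof NS_CERT_HEADER) - 1)
+#define NS_CERT_TRAILER_LEN ((sizeof NS_CERT_TRAILER) - 1)
+
+/*
+* read an old style ascii or binary certificate chain
+*/
+SECStatus
+CERT_DecodeCertPackage(char *certbuf,
+int certlen,
+CERTImportCertificateFunc f,
+void *arg)
+{
+unsigned char *cp;
+unsigned char *bincert = NULL;
+char * ascCert = NULL;
+SECStatus rv;
+
+if ( certbuf == NULL ) {
+PORT_SetError(SEC_ERROR_INVALID_ARGS);
+return(SECFailure);
+}
+/*
+* Make sure certlen is long enough to handle the longest possible
+* reference in the code below:
+* 0x30 0x84 l1 l2 l3 l4 +
+* tag 9 o1 o2 o3 o4 o5 o6 o7 o8 o9
+* 6 + 11 = 17. 17 bytes is clearly too small to code any kind of
+* certificate (a 128 bit ECC certificate contains at least an 8 byte
+* key and a 16 byte signature, plus coding overhead). Typically a cert
+* is much larger. So it's safe to require certlen to be at least 17
+* bytes.
+*/
+if (certlen < 17) {
+PORT_SetError(SEC_ERROR_INPUT_LEN);
+return(SECFailure);
+}
+
+cp = (unsigned char *)certbuf;
+
+/* is a DER encoded certificate of some type? */
+if ( ( *cp & 0x1f ) == SEC_ASN1_SEQUENCE ) {
+SECItem certitem;
+SECItem *pcertitem = &certitem;
+int seqLen, seqLenLen;
+
+cp++;
+
+if ( *cp & 0x80) {
+/* Multibyte length */
+seqLenLen = cp[0] & 0x7f;
+
+switch (seqLenLen) {
+case 4:
+seqLen = ((unsigned long)cp[1]<<24) |
+((unsigned long)cp[2]<<16) | (cp[3]<<8) | cp[4];
+break;
+case 3:
+seqLen = ((unsigned long)cp[1]<<16) | (cp[2]<<8) | cp[3];
+break;
+case 2:
+seqLen = (cp[1]<<8) | cp[2];
+break;
+case 1:
+seqLen = cp[1];
+break;
+case 0:
+/* indefinite length */
+seqLen = 0;
+break;
+default:
+goto notder;
+}
+cp += ( seqLenLen + 1 );
+
+} else {
+seqLenLen = 0;
+seqLen = *cp;
+cp++;
+}
+
+/* check entire length if definite length */
+if ( seqLen || seqLenLen ) {
+if ( certlen != ( seqLen + seqLenLen + 2 ) ) {
+if (certlen > ( seqLen + seqLenLen + 2 ))
+PORT_SetError(SEC_ERROR_EXTRA_INPUT);
+else
+PORT_SetError(SEC_ERROR_INPUT_LEN);
+goto notder;
+}
+}
+
+/* check the type oid */
+if ( cp[0] == SEC_ASN1_OBJECT_ID ) {
+SECOidData *oiddata;
+SECItem oiditem;
+/* XXX - assume DER encoding of OID len!! */
+oiditem.len = cp[1];
+/* if we add an oid below that is longer than 9 bytes, then we
+* need to change the certlen check at the top of the function
+* to prevent a buffer overflow
+*/
+if ( oiditem.len > 9 ) {
+PORT_SetError(SEC_ERROR_UNRECOGNIZED_OID);
+return(SECFailure);
+}
+oiditem.data = (unsigned char *)&cp[2];
+oiddata = SECOID_FindOID(&oiditem);
+if ( oiddata == NULL ) {
+return(SECFailure);
+}
+
+certitem.data = (unsigned char*)certbuf;
+certitem.len = certlen;
+
+switch ( oiddata->offset ) {
+case SEC_OID_PKCS7_SIGNED_DATA:
+return(SEC_ReadPKCS7Certs(&certitem, f, arg));
+break;
+case SEC_OID_NS_TYPE_CERT_SEQUENCE:
+return(SEC_ReadCertSequence(&certitem, f, arg));
+break;
+default:
+break;
+}
+
+} else {
+/* it had better be a certificate by now!! */
+certitem.data = (unsigned char*)certbuf;
+certitem.len = certlen;
+
+rv = (* f)(arg, &pcertitem, 1);
+return(rv);
+}
+}
+
+/* now look for a netscape base64 ascii encoded cert */
+notder:
+{
+unsigned char *certbegin = NULL;
+unsigned char *certend = NULL;
+char *pc;
+int cl;
+
+/* Convert the ASCII data into a nul-terminated string */
+ascCert = (char *)PORT_Alloc(certlen + 1);
+if (!ascCert) {
+rv = SECFailure;
+goto loser;
+}
+
+PORT_Memcpy(ascCert, certbuf, certlen);
+ascCert[certlen] = '\0';
+
+pc = PORT_Strchr(ascCert, '\n'); /* find an EOL */
+if (!pc) { /* maybe this is a MAC file */
+pc = ascCert;
+while (*pc && NULL != (pc = PORT_Strchr(pc, '\r'))) {
+*pc++ = '\n';
+}
+}
+
+cp = (unsigned char *)ascCert;
+cl = certlen;
+
+/* find the beginning marker */
+while ( cl > NS_CERT_HEADER_LEN ) {
+int found = 0;
+if ( !PORT_Strncasecmp((char *)cp, NS_CERT_HEADER,
+NS_CERT_HEADER_LEN) ) {
+cl -= NS_CERT_HEADER_LEN;
+cp += NS_CERT_HEADER_LEN;
+found = 1;
+}
+
+/* skip to next eol */
+while ( cl && ( *cp != '\n' )) {
+cp++;
+cl--;
+}
+
+/* skip all blank lines */
+while ( cl && ( *cp == '\n' || *cp == '\r' )) {
+cp++;
+cl--;
+}
+if (cl && found) {
+certbegin = cp;
+break;
+}
+}
+
+if ( certbegin ) {
+/* find the ending marker */
+while ( cl >= NS_CERT_TRAILER_LEN ) {
+if ( !PORT_Strncasecmp((char *)cp, NS_CERT_TRAILER,
+NS_CERT_TRAILER_LEN) ) {
+certend = cp;
+break;
+}
+
+/* skip to next eol */
+while ( cl && ( *cp != '\n' )) {
+cp++;
+cl--;
+}
+
+/* skip all blank lines */
+while ( cl && ( *cp == '\n' || *cp == '\r' )) {
+cp++;
+cl--;
+}
+}
+}
+
+if ( certbegin && certend ) {
+unsigned int binLen;
+
+*certend = 0;
+/* convert to binary */
+bincert = ATOB_AsciiToData((char *)certbegin, &binLen);
+if (!bincert) {
+rv = SECFailure;
+goto loser;
+}
+
+/* now recurse to decode the binary */
+rv = CERT_DecodeCertPackage((char *)bincert, binLen, f, arg);
+
+} else {
+PORT_SetError(SEC_ERROR_BAD_DER);
+rv = SECFailure;
+}
+}
+
+loser:
+
+if ( bincert ) {
+PORT_Free(bincert);
+}
+
+if ( ascCert ) {
+PORT_Free(ascCert);
+}
+
+return(rv);
+}
+
+typedef struct {
+PRArenaPool *arena;
+SECItem cert;
+} collect_args;
+
+static SECStatus
+collect_certs(void *arg, SECItem **certs, int numcerts)
+{
+SECStatus rv;
+collect_args *collectArgs;
+
+collectArgs = (collect_args *)arg;
+
+rv = SECITEM_CopyItem(collectArgs->arena, &collectArgs->cert, *certs);
+
+return(rv);
+}
+
+
+/*
+* read an old style ascii or binary certificate
+*/
+CERTCertificate *
+CERT_DecodeCertFromPackage(char *certbuf, int certlen)
+{
+collect_args collectArgs;
+SECStatus rv;
+CERTCertificate *cert = NULL;
+
+collectArgs.arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+
+rv = CERT_DecodeCertPackage(certbuf, certlen, collect_certs,
+(void *)&collectArgs);
+if ( rv == SECSuccess ) {
+cert = CERT_NewTempCertificate(CERT_GetDefaultCertDB(),
+&collectArgs.cert, NULL,
+PR_FALSE, PR_TRUE);
+}
+
+PORT_FreeArena(collectArgs.arena, PR_FALSE);
+
+return(cert);
+}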
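Review bot: The import callback's status is lost in SEC_ReadPKCS7Certs and SEC_ReadCertSequence, because `rv = (* f)(arg, ...)` is followed unconditionally by `rv = SECSuccess;`, so a failed import, or a package whose cert list is NULL and never reaches the callback, is still reported as success. CERT_DecodeCertFromPackage then passes `&collectArgs.cert` to CERT_NewTempCertificate although nothing visible in this file has initialised it on those paths. Moving `rv = SECSuccess;` above the `if ( certs )` block in both readers keeps the callback result, and in CERT_DecodeCertFromPackage setting `collectArgs.cert.data = NULL; collectArgs.cert.len = 0;` before the decode and testing `if ( rv == SECSuccess && collectArgs.cert.data != NULL )` closes the uninitialised read. The PORT_NewArena result in that function is also used without a NULL check, unlike in SEC_ReadCertSequence.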