diff options
-rw-r--r-- | lib/includes/gnutls/x509.h | 27 | ||||
-rw-r--r-- | lib/libgnutls.map | 9 | ||||
-rw-r--r-- | lib/pkix.asn | 11 | ||||
-rw-r--r-- | lib/pkix_asn1_tab.c | 1014 | ||||
-rw-r--r-- | lib/x509/Makefile.am | 1 | ||||
-rw-r--r-- | lib/x509/extensions.c | 53 | ||||
-rw-r--r-- | lib/x509/name_constraints.c | 641 | ||||
-rw-r--r-- | lib/x509/output.c | 78 | ||||
-rw-r--r-- | lib/x509/x509.c | 21 | ||||
-rw-r--r-- | lib/x509/x509_int.h | 5 | ||||
-rw-r--r-- | tests/Makefile.am | 2 |
11 files changed, 1334 insertions, 528 deletions
diff --git a/lib/includes/gnutls/x509.h b/lib/includes/gnutls/x509.h index f67200805c..514d69f540 100644 --- a/lib/includes/gnutls/x509.h +++ b/lib/includes/gnutls/x509.h @@ -233,6 +233,33 @@ int gnutls_x509_crt_get_authority_info_access(gnutls_x509_crt_t data, unsigned int *critical); +typedef struct gnutls_name_constraints_st *gnutls_x509_name_constraints_t; + +unsigned gnutls_x509_name_constraints_check(gnutls_x509_name_constraints_t nc, + gnutls_x509_subject_alt_name_t type, + const gnutls_datum_t * name); + +int gnutls_x509_name_constraints_init(gnutls_x509_name_constraints_t *nc); +void gnutls_x509_name_constraints_deinit(gnutls_x509_name_constraints_t nc); +int gnutls_x509_crt_get_name_constraints(gnutls_x509_crt_t crt, + gnutls_x509_name_constraints_t nc, + unsigned int *critical); +int gnutls_x509_name_constraints_add_permitted(gnutls_x509_name_constraints_t nc, + gnutls_x509_subject_alt_name_t type, + const gnutls_datum_t * name); +int gnutls_x509_name_constraints_add_excluded(gnutls_x509_name_constraints_t nc, + gnutls_x509_subject_alt_name_t type, + const gnutls_datum_t * name); +int gnutls_x509_crt_set_name_constraints(gnutls_x509_crt_t crt, + gnutls_x509_name_constraints_t nc); +int gnutls_x509_name_constraints_get_permitted(gnutls_x509_name_constraints_t nc, + unsigned idx, + unsigned *type, gnutls_datum_t * name); +int gnutls_x509_name_constraints_get_excluded(gnutls_x509_name_constraints_t nc, + unsigned idx, + unsigned *type, gnutls_datum_t * name); + + #define GNUTLS_CRL_REASON_SUPERSEEDED GNUTLS_CRL_REASON_SUPERSEDED, /** * gnutls_x509_crl_reason_flags_t: diff --git a/lib/libgnutls.map b/lib/libgnutls.map index dc87f5cf88..b4cdd3c6ce 100644 --- a/lib/libgnutls.map +++ b/lib/libgnutls.map @@ -943,6 +943,15 @@ GNUTLS_3_1_0 { gnutls_privkey_verify_params; gnutls_pubkey_verify_params; gnutls_db_get_default_cache_expiration; + gnutls_x509_name_constraints_init; + gnutls_x509_name_constraints_deinit; + gnutls_x509_crt_get_name_constraints; + gnutls_x509_name_constraints_add_permitted; + gnutls_x509_name_constraints_add_excluded; + gnutls_x509_crt_set_name_constraints; + gnutls_x509_name_constraints_get_permitted; + gnutls_x509_name_constraints_get_excluded; + gnutls_x509_name_constraints_check; } GNUTLS_3_0_0; GNUTLS_PRIVATE { diff --git a/lib/pkix.asn b/lib/pkix.asn index c468dcea05..aa0c57492a 100644 --- a/lib/pkix.asn +++ b/lib/pkix.asn @@ -655,4 +655,15 @@ CRLReason ::= ENUMERATED { privilegeWithdrawn (9), aACompromise (10) } +NameConstraints ::= SEQUENCE { + permittedSubtrees [0] GeneralSubtrees OPTIONAL, + excludedSubtrees [1] GeneralSubtrees OPTIONAL } + +GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree + +GeneralSubtree ::= SEQUENCE { + base GeneralName, + minimum [0] INTEGER DEFAULT 0, + maximum [1] INTEGER OPTIONAL } + END diff --git a/lib/pkix_asn1_tab.c b/lib/pkix_asn1_tab.c index ec4943db8d..60dba1876c 100644 --- a/lib/pkix_asn1_tab.c +++ b/lib/pkix_asn1_tab.c @@ -1,510 +1,518 @@ #if HAVE_CONFIG_H -#include "config.h" +# include "config.h" #endif #include <libtasn1.h> const asn1_static_node pkix_asn1_tab[] = { - {"PKIX1", 536875024, NULL}, - {NULL, 1073741836, NULL}, - {"id-pkix", 1879048204, NULL}, - {"iso", 1073741825, "1"}, - {"identified-organization", 1073741825, "3"}, - {"dod", 1073741825, "6"}, - {"internet", 1073741825, "1"}, - {"security", 1073741825, "5"}, - {"mechanisms", 1073741825, "5"}, - {"pkix", 1, "7"}, - {"PrivateKeyUsagePeriod", 1610612741, NULL}, - {"notBefore", 1610637349, NULL}, - {NULL, 4104, "0"}, - {"notAfter", 536895525, NULL}, - {NULL, 4104, "1"}, - {"AuthorityKeyIdentifier", 1610612741, NULL}, - {"keyIdentifier", 1610637314, "KeyIdentifier"}, - {NULL, 4104, "0"}, - {"authorityCertIssuer", 1610637314, "GeneralNames"}, - {NULL, 4104, "1"}, - {"authorityCertSerialNumber", 536895490, - "CertificateSerialNumber"}, - {NULL, 4104, "2"}, - {"KeyIdentifier", 1073741831, NULL}, - {"SubjectKeyIdentifier", 1073741826, "KeyIdentifier"}, - {"KeyUsage", 1073741830, NULL}, - {"DirectoryString", 1610612754, NULL}, - {"teletexString", 1612709918, NULL}, - {"MAX", 524298, "1"}, - {"printableString", 1612709919, NULL}, - {"MAX", 524298, "1"}, - {"universalString", 1612709920, NULL}, - {"MAX", 524298, "1"}, - {"utf8String", 1612709922, NULL}, - {"MAX", 524298, "1"}, - {"bmpString", 1612709921, NULL}, - {"MAX", 524298, "1"}, - {"ia5String", 538968093, NULL}, - {"MAX", 524298, "1"}, - {"SubjectAltName", 1073741826, "GeneralNames"}, - {"GeneralNames", 1612709899, NULL}, - {"MAX", 1074266122, "1"}, - {NULL, 2, "GeneralName"}, - {"GeneralName", 1610612754, NULL}, - {"otherName", 1610620930, "AnotherName"}, - {NULL, 4104, "0"}, - {"rfc822Name", 1610620957, NULL}, - {NULL, 4104, "1"}, - {"dNSName", 1610620957, NULL}, - {NULL, 4104, "2"}, - {"x400Address", 1610620941, NULL}, - {NULL, 4104, "3"}, - {"directoryName", 1610620930, "RDNSequence"}, - {NULL, 2056, "4"}, - {"ediPartyName", 1610620941, NULL}, - {NULL, 4104, "5"}, - {"uniformResourceIdentifier", 1610620957, NULL}, - {NULL, 4104, "6"}, - {"iPAddress", 1610620935, NULL}, - {NULL, 4104, "7"}, - {"registeredID", 536879116, NULL}, - {NULL, 4104, "8"}, - {"AnotherName", 1610612741, NULL}, - {"type-id", 1073741836, NULL}, - {"value", 541073421, NULL}, - {NULL, 1073743880, "0"}, - {"type-id", 1, NULL}, - {"IssuerAltName", 1073741826, "GeneralNames"}, - {"BasicConstraints", 1610612741, NULL}, - {"cA", 1610645508, NULL}, - {NULL, 131081, NULL}, - {"pathLenConstraint", 537411587, NULL}, - {"0", 10, "MAX"}, - {"CRLDistributionPoints", 1612709899, NULL}, - {"MAX", 1074266122, "1"}, - {NULL, 2, "DistributionPoint"}, - {"DistributionPoint", 1610612741, NULL}, - {"distributionPoint", 1610637314, "DistributionPointName"}, - {NULL, 2056, "0"}, - {"reasons", 1610637314, "ReasonFlags"}, - {NULL, 4104, "1"}, - {"cRLIssuer", 536895490, "GeneralNames"}, - {NULL, 4104, "2"}, - {"DistributionPointName", 1610612754, NULL}, - {"fullName", 1610620930, "GeneralNames"}, - {NULL, 4104, "0"}, - {"nameRelativeToCRLIssuer", 536879106, - "RelativeDistinguishedName"}, - {NULL, 4104, "1"}, - {"ReasonFlags", 1073741830, NULL}, - {"ExtKeyUsageSyntax", 1612709899, NULL}, - {"MAX", 1074266122, "1"}, - {NULL, 2, "KeyPurposeId"}, - {"KeyPurposeId", 1073741836, NULL}, - {"AuthorityInfoAccessSyntax", 1612709899, NULL}, - {"MAX", 1074266122, "1"}, - {NULL, 2, "AccessDescription"}, - {"AccessDescription", 1610612741, NULL}, - {"accessMethod", 1073741836, NULL}, - {"accessLocation", 2, "GeneralName"}, - {"Attribute", 1610612741, NULL}, - {"type", 1073741826, "AttributeType"}, - {"values", 536870927, NULL}, - {NULL, 2, "AttributeValue"}, - {"AttributeType", 1073741836, NULL}, - {"AttributeValue", 1614807053, NULL}, - {"type", 1, NULL}, - {"AttributeTypeAndValue", 1610612741, NULL}, - {"type", 1073741826, "AttributeType"}, - {"value", 2, "AttributeValue"}, - {"id-at", 1879048204, NULL}, - {"joint-iso-ccitt", 1073741825, "2"}, - {"ds", 1073741825, "5"}, - {NULL, 1, "4"}, - {"emailAddress", 1880096780, "AttributeType"}, - {"iso", 1073741825, "1"}, - {"member-body", 1073741825, "2"}, - {"us", 1073741825, "840"}, - {"rsadsi", 1073741825, "113549"}, - {"pkcs", 1073741825, "1"}, - {NULL, 1073741825, "9"}, - {NULL, 1, "1"}, - {"Name", 1610612754, NULL}, - {"rdnSequence", 2, "RDNSequence"}, - {"RDNSequence", 1610612747, NULL}, - {NULL, 2, "RelativeDistinguishedName"}, - {"DistinguishedName", 1073741826, "RDNSequence"}, - {"RelativeDistinguishedName", 1612709903, NULL}, - {"MAX", 1074266122, "1"}, - {NULL, 2, "AttributeTypeAndValue"}, - {"Certificate", 1610612741, NULL}, - {"tbsCertificate", 1073741826, "TBSCertificate"}, - {"signatureAlgorithm", 1073741826, "AlgorithmIdentifier"}, - {"signature", 6, NULL}, - {"TBSCertificate", 1610612741, NULL}, - {"version", 1610653699, NULL}, - {NULL, 1073741833, "0"}, - {NULL, 2056, "0"}, - {"serialNumber", 1073741826, "CertificateSerialNumber"}, - {"signature", 1073741826, "AlgorithmIdentifier"}, - {"issuer", 1073741826, "Name"}, - {"validity", 1073741826, "Validity"}, - {"subject", 1073741826, "Name"}, - {"subjectPublicKeyInfo", 1073741826, "SubjectPublicKeyInfo"}, - {"issuerUniqueID", 1610637314, "UniqueIdentifier"}, - {NULL, 4104, "1"}, - {"subjectUniqueID", 1610637314, "UniqueIdentifier"}, - {NULL, 4104, "2"}, - {"extensions", 536895490, "Extensions"}, - {NULL, 2056, "3"}, - {"CertificateSerialNumber", 1073741827, NULL}, - {"Validity", 1610612741, NULL}, - {"notBefore", 1073741826, "Time"}, - {"notAfter", 2, "Time"}, - {"Time", 1610612754, NULL}, - {"utcTime", 1073741860, NULL}, - {"generalTime", 37, NULL}, - {"UniqueIdentifier", 1073741830, NULL}, - {"SubjectPublicKeyInfo", 1610612741, NULL}, - {"algorithm", 1073741826, "AlgorithmIdentifier"}, - {"subjectPublicKey", 6, NULL}, - {"Extensions", 1612709899, NULL}, - {"MAX", 1074266122, "1"}, - {NULL, 2, "Extension"}, - {"Extension", 1610612741, NULL}, - {"extnID", 1073741836, NULL}, - {"critical", 1610645508, NULL}, - {NULL, 131081, NULL}, - {"extnValue", 7, NULL}, - {"CertificateList", 1610612741, NULL}, - {"tbsCertList", 1073741826, "TBSCertList"}, - {"signatureAlgorithm", 1073741826, "AlgorithmIdentifier"}, - {"signature", 6, NULL}, - {"TBSCertList", 1610612741, NULL}, - {"version", 1073758211, NULL}, - {"signature", 1073741826, "AlgorithmIdentifier"}, - {"issuer", 1073741826, "Name"}, - {"thisUpdate", 1073741826, "Time"}, - {"nextUpdate", 1073758210, "Time"}, - {"revokedCertificates", 1610629131, NULL}, - {NULL, 536870917, NULL}, - {"userCertificate", 1073741826, "CertificateSerialNumber"}, - {"revocationDate", 1073741826, "Time"}, - {"crlEntryExtensions", 16386, "Extensions"}, - {"crlExtensions", 536895490, "Extensions"}, - {NULL, 2056, "0"}, - {"AlgorithmIdentifier", 1610612741, NULL}, - {"algorithm", 1073741836, NULL}, - {"parameters", 541081613, NULL}, - {"algorithm", 1, NULL}, - {"Dss-Sig-Value", 1610612741, NULL}, - {"r", 1073741827, NULL}, - {"s", 3, NULL}, - {"DomainParameters", 1610612741, NULL}, - {"p", 1073741827, NULL}, - {"g", 1073741827, NULL}, - {"q", 1073741827, NULL}, - {"j", 1073758211, NULL}, - {"validationParms", 16386, "ValidationParms"}, - {"ValidationParms", 1610612741, NULL}, - {"seed", 1073741830, NULL}, - {"pgenCounter", 3, NULL}, - {"Dss-Parms", 1610612741, NULL}, - {"p", 1073741827, NULL}, - {"q", 1073741827, NULL}, - {"g", 3, NULL}, - {"CountryName", 1610620946, NULL}, - {NULL, 1073746952, "1"}, - {"x121-dcc-code", 1612709916, NULL}, - {NULL, 1048586, "ub-country-name-numeric-length"}, - {"iso-3166-alpha2-code", 538968095, NULL}, - {NULL, 1048586, "ub-country-name-alpha-length"}, - {"OrganizationName", 1612709919, NULL}, - {"ub-organization-name-length", 524298, "1"}, - {"NumericUserIdentifier", 1612709916, NULL}, - {"ub-numeric-user-id-length", 524298, "1"}, - {"OrganizationalUnitNames", 1612709899, NULL}, - {"ub-organizational-units", 1074266122, "1"}, - {NULL, 2, "OrganizationalUnitName"}, - {"OrganizationalUnitName", 1612709919, NULL}, - {"ub-organizational-unit-name-length", 524298, "1"}, - {"CommonName", 1073741855, NULL}, - {"pkcs-7-ContentInfo", 1610612741, NULL}, - {"contentType", 1073741826, "pkcs-7-ContentType"}, - {"content", 541073421, NULL}, - {NULL, 1073743880, "0"}, - {"contentType", 1, NULL}, - {"pkcs-7-DigestInfo", 1610612741, NULL}, - {"digestAlgorithm", 1073741826, "AlgorithmIdentifier"}, - {"digest", 7, NULL}, - {"pkcs-7-ContentType", 1073741836, NULL}, - {"pkcs-7-SignedData", 1610612741, NULL}, - {"version", 1073741827, NULL}, - {"digestAlgorithms", 1073741826, - "pkcs-7-DigestAlgorithmIdentifiers"}, - {"encapContentInfo", 1073741826, "pkcs-7-EncapsulatedContentInfo"}, - {"certificates", 1610637314, "pkcs-7-CertificateSet"}, - {NULL, 4104, "0"}, - {"crls", 1610637314, "pkcs-7-CertificateRevocationLists"}, - {NULL, 4104, "1"}, - {"signerInfos", 2, "pkcs-7-SignerInfos"}, - {"pkcs-7-DigestAlgorithmIdentifiers", 1610612751, NULL}, - {NULL, 2, "AlgorithmIdentifier"}, - {"pkcs-7-EncapsulatedContentInfo", 1610612741, NULL}, - {"eContentType", 1073741826, "pkcs-7-ContentType"}, - {"eContent", 536895495, NULL}, - {NULL, 2056, "0"}, - {"pkcs-7-CertificateRevocationLists", 1610612751, NULL}, - {NULL, 13, NULL}, - {"pkcs-7-CertificateChoices", 1610612754, NULL}, - {"certificate", 13, NULL}, - {"pkcs-7-CertificateSet", 1610612751, NULL}, - {NULL, 2, "pkcs-7-CertificateChoices"}, - {"pkcs-7-SignerInfos", 1610612751, NULL}, - {NULL, 13, NULL}, - {"pkcs-10-CertificationRequestInfo", 1610612741, NULL}, - {"version", 1073741827, NULL}, - {"subject", 1073741826, "Name"}, - {"subjectPKInfo", 1073741826, "SubjectPublicKeyInfo"}, - {"attributes", 536879106, "Attributes"}, - {NULL, 4104, "0"}, - {"Attributes", 1610612751, NULL}, - {NULL, 2, "Attribute"}, - {"pkcs-10-CertificationRequest", 1610612741, NULL}, - {"certificationRequestInfo", 1073741826, - "pkcs-10-CertificationRequestInfo"}, - {"signatureAlgorithm", 1073741826, "AlgorithmIdentifier"}, - {"signature", 6, NULL}, - {"pkcs-9-at-challengePassword", 1879048204, NULL}, - {"iso", 1073741825, "1"}, - {"member-body", 1073741825, "2"}, - {"us", 1073741825, "840"}, - {"rsadsi", 1073741825, "113549"}, - {"pkcs", 1073741825, "1"}, - {NULL, 1073741825, "9"}, - {NULL, 1, "7"}, - {"pkcs-9-challengePassword", 1610612754, NULL}, - {"printableString", 1073741855, NULL}, - {"utf8String", 34, NULL}, - {"pkcs-9-localKeyId", 1073741831, NULL}, - {"pkcs-8-PrivateKeyInfo", 1610612741, NULL}, - {"version", 1073741827, NULL}, - {"privateKeyAlgorithm", 1073741826, "AlgorithmIdentifier"}, - {"privateKey", 1073741831, NULL}, - {"attributes", 536895490, "Attributes"}, - {NULL, 4104, "0"}, - {"pkcs-8-Attributes", 1610612751, NULL}, - {NULL, 2, "Attribute"}, - {"pkcs-8-EncryptedPrivateKeyInfo", 1610612741, NULL}, - {"encryptionAlgorithm", 1073741826, "AlgorithmIdentifier"}, - {"encryptedData", 2, "pkcs-8-EncryptedData"}, - {"pkcs-8-EncryptedData", 1073741831, NULL}, - {"pkcs-5-des-EDE3-CBC-params", 1612709895, NULL}, - {NULL, 1048586, "8"}, - {"pkcs-5-aes128-CBC-params", 1612709895, NULL}, - {NULL, 1048586, "16"}, - {"pkcs-5-aes192-CBC-params", 1612709895, NULL}, - {NULL, 1048586, "16"}, - {"pkcs-5-aes256-CBC-params", 1612709895, NULL}, - {NULL, 1048586, "16"}, - {"pkcs-5-PBES2-params", 1610612741, NULL}, - {"keyDerivationFunc", 1073741826, "AlgorithmIdentifier"}, - {"encryptionScheme", 2, "AlgorithmIdentifier"}, - {"pkcs-5-PBKDF2-params", 1610612741, NULL}, - {"salt", 1610612754, NULL}, - {"specified", 1073741831, NULL}, - {"otherSource", 2, "AlgorithmIdentifier"}, - {"iterationCount", 1611137027, NULL}, - {"1", 10, "MAX"}, - {"keyLength", 1611153411, NULL}, - {"1", 10, "MAX"}, - {"prf", 16386, "AlgorithmIdentifier"}, - {"pkcs-12-PFX", 1610612741, NULL}, - {"version", 1610874883, NULL}, - {"v3", 1, "3"}, - {"authSafe", 1073741826, "pkcs-7-ContentInfo"}, - {"macData", 16386, "pkcs-12-MacData"}, - {"pkcs-12-PbeParams", 1610612741, NULL}, - {"salt", 1073741831, NULL}, - {"iterations", 3, NULL}, - {"pkcs-12-MacData", 1610612741, NULL}, - {"mac", 1073741826, "pkcs-7-DigestInfo"}, - {"macSalt", 1073741831, NULL}, - {"iterations", 536903683, NULL}, - {NULL, 9, "1"}, - {"pkcs-12-AuthenticatedSafe", 1610612747, NULL}, - {NULL, 2, "pkcs-7-ContentInfo"}, - {"pkcs-12-SafeContents", 1610612747, NULL}, - {NULL, 2, "pkcs-12-SafeBag"}, - {"pkcs-12-SafeBag", 1610612741, NULL}, - {"bagId", 1073741836, NULL}, - {"bagValue", 1614815245, NULL}, - {NULL, 1073743880, "0"}, - {"badId", 1, NULL}, - {"bagAttributes", 536887311, NULL}, - {NULL, 2, "Attribute"}, - {"pkcs-12-CertBag", 1610612741, NULL}, - {"certId", 1073741836, NULL}, - {"certValue", 541073421, NULL}, - {NULL, 1073743880, "0"}, - {"certId", 1, NULL}, - {"pkcs-12-CRLBag", 1610612741, NULL}, - {"crlId", 1073741836, NULL}, - {"crlValue", 541073421, NULL}, - {NULL, 1073743880, "0"}, - {"crlId", 1, NULL}, - {"pkcs-12-SecretBag", 1610612741, NULL}, - {"secretTypeId", 1073741836, NULL}, - {"secretValue", 541073421, NULL}, - {NULL, 1073743880, "0"}, - {"secretTypeId", 1, NULL}, - {"pkcs-7-Data", 1073741831, NULL}, - {"pkcs-7-EncryptedData", 1610612741, NULL}, - {"version", 1073741827, NULL}, - {"encryptedContentInfo", 1073741826, - "pkcs-7-EncryptedContentInfo"}, - {"unprotectedAttrs", 536895490, "pkcs-7-UnprotectedAttributes"}, - {NULL, 4104, "1"}, - {"pkcs-7-EncryptedContentInfo", 1610612741, NULL}, - {"contentType", 1073741826, "pkcs-7-ContentType"}, - {"contentEncryptionAlgorithm", 1073741826, - "pkcs-7-ContentEncryptionAlgorithmIdentifier"}, - {"encryptedContent", 536895495, NULL}, - {NULL, 4104, "0"}, - {"pkcs-7-ContentEncryptionAlgorithmIdentifier", 1073741826, - "AlgorithmIdentifier"}, - {"pkcs-7-UnprotectedAttributes", 1612709903, NULL}, - {"MAX", 1074266122, "1"}, - {NULL, 2, "Attribute"}, - {"ProxyCertInfo", 1610612741, NULL}, - {"pCPathLenConstraint", 1611153411, NULL}, - {"0", 10, "MAX"}, - {"proxyPolicy", 2, "ProxyPolicy"}, - {"ProxyPolicy", 1610612741, NULL}, - {"policyLanguage", 1073741836, NULL}, - {"policy", 16391, NULL}, - {"certificatePolicies", 1612709899, NULL}, - {"MAX", 1074266122, "1"}, - {NULL, 2, "PolicyInformation"}, - {"PolicyInformation", 1610612741, NULL}, - {"policyIdentifier", 1073741836, NULL}, - {"policyQualifiers", 538984459, NULL}, - {"MAX", 1074266122, "1"}, - {NULL, 2, "PolicyQualifierInfo"}, - {"PolicyQualifierInfo", 1610612741, NULL}, - {"policyQualifierId", 1073741836, NULL}, - {"qualifier", 541065229, NULL}, - {"policyQualifierId", 1, NULL}, - {"CPSuri", 1073741853, NULL}, - {"UserNotice", 1610612741, NULL}, - {"noticeRef", 1073758210, "NoticeReference"}, - {"explicitText", 16386, "DisplayText"}, - {"NoticeReference", 1610612741, NULL}, - {"organization", 1073741826, "DisplayText"}, - {"noticeNumbers", 536870923, NULL}, - {NULL, 3, NULL}, - {"DisplayText", 1610612754, NULL}, - {"ia5String", 1612709917, NULL}, - {"200", 524298, "1"}, - {"visibleString", 1612709923, NULL}, - {"200", 524298, "1"}, - {"bmpString", 1612709921, NULL}, - {"200", 524298, "1"}, - {"utf8String", 538968098, NULL}, - {"200", 524298, "1"}, - {"OCSPRequest", 1610612741, NULL}, - {"tbsRequest", 1073741826, "TBSRequest"}, - {"optionalSignature", 536895490, "Signature"}, - {NULL, 2056, "0"}, - {"TBSRequest", 1610612741, NULL}, - {"version", 1610653699, NULL}, - {NULL, 1073741833, "0"}, - {NULL, 2056, "0"}, - {"requestorName", 1610637314, "GeneralName"}, - {NULL, 2056, "1"}, - {"requestList", 1610612747, NULL}, - {NULL, 2, "Request"}, - {"requestExtensions", 536895490, "Extensions"}, - {NULL, 2056, "2"}, - {"Signature", 1610612741, NULL}, - {"signatureAlgorithm", 1073741826, "AlgorithmIdentifier"}, - {"signature", 1073741830, NULL}, - {"certs", 536895499, NULL}, - {NULL, 1073743880, "0"}, - {NULL, 2, "Certificate"}, - {"Request", 1610612741, NULL}, - {"reqCert", 1073741826, "CertID"}, - {"singleRequestExtensions", 536895490, "Extensions"}, - {NULL, 2056, "0"}, - {"CertID", 1610612741, NULL}, - {"hashAlgorithm", 1073741826, "AlgorithmIdentifier"}, - {"issuerNameHash", 1073741831, NULL}, - {"issuerKeyHash", 1073741831, NULL}, - {"serialNumber", 2, "CertificateSerialNumber"}, - {"OCSPResponse", 1610612741, NULL}, - {"responseStatus", 1073741826, "OCSPResponseStatus"}, - {"responseBytes", 536895490, "ResponseBytes"}, - {NULL, 2056, "0"}, - {"OCSPResponseStatus", 1610874901, NULL}, - {"successful", 1073741825, "0"}, - {"malformedRequest", 1073741825, "1"}, - {"internalError", 1073741825, "2"}, - {"tryLater", 1073741825, "3"}, - {"sigRequired", 1073741825, "5"}, - {"unauthorized", 1, "6"}, - {"ResponseBytes", 1610612741, NULL}, - {"responseType", 1073741836, NULL}, - {"response", 7, NULL}, - {"BasicOCSPResponse", 1610612741, NULL}, - {"tbsResponseData", 1073741826, "ResponseData"}, - {"signatureAlgorithm", 1073741826, "AlgorithmIdentifier"}, - {"signature", 1073741830, NULL}, - {"certs", 536895499, NULL}, - {NULL, 1073743880, "0"}, - {NULL, 2, "Certificate"}, - {"ResponseData", 1610612741, NULL}, - {"version", 1610653699, NULL}, - {NULL, 1073741833, "0"}, - {NULL, 2056, "0"}, - {"responderID", 1073741826, "ResponderID"}, - {"producedAt", 1073741861, NULL}, - {"responses", 1610612747, NULL}, - {NULL, 2, "SingleResponse"}, - {"responseExtensions", 536895490, "Extensions"}, - {NULL, 2056, "1"}, - {"ResponderID", 1610612754, NULL}, - {"byName", 1610620930, "RDNSequence"}, - {NULL, 2056, "1"}, - {"byKey", 536879111, NULL}, - {NULL, 4104, "2"}, - {"SingleResponse", 1610612741, NULL}, - {"certID", 1073741826, "CertID"}, - {"certStatus", 1073741826, "CertStatus"}, - {"thisUpdate", 1073741861, NULL}, - {"nextUpdate", 1610637349, NULL}, - {NULL, 2056, "0"}, - {"singleExtensions", 536895490, "Extensions"}, - {NULL, 2056, "1"}, - {"CertStatus", 1610612754, NULL}, - {"good", 1610620948, NULL}, - {NULL, 4104, "0"}, - {"revoked", 1610620930, "RevokedInfo"}, - {NULL, 4104, "1"}, - {"unknown", 536879106, "UnknownInfo"}, - {NULL, 4104, "2"}, - {"RevokedInfo", 1610612741, NULL}, - {"revocationTime", 1073741861, NULL}, - {"revocationReason", 536895490, "CRLReason"}, - {NULL, 2056, "0"}, - {"UnknownInfo", 1073741844, NULL}, - {"CRLReason", 537133077, NULL}, - {"unspecified", 1073741825, "0"}, - {"keyCompromise", 1073741825, "1"}, - {"cACompromise", 1073741825, "2"}, - {"affiliationChanged", 1073741825, "3"}, - {"superseded", 1073741825, "4"}, - {"cessationOfOperation", 1073741825, "5"}, - {"certificateHold", 1073741825, "6"}, - {"removeFromCRL", 1073741825, "8"}, - {"privilegeWithdrawn", 1073741825, "9"}, - {"aACompromise", 1, "10"}, - {NULL, 0, NULL} + { "PKIX1", 536875024, NULL }, + { NULL, 1073741836, NULL }, + { "id-pkix", 1879048204, NULL }, + { "iso", 1073741825, "1"}, + { "identified-organization", 1073741825, "3"}, + { "dod", 1073741825, "6"}, + { "internet", 1073741825, "1"}, + { "security", 1073741825, "5"}, + { "mechanisms", 1073741825, "5"}, + { "pkix", 1, "7"}, + { "PrivateKeyUsagePeriod", 1610612741, NULL }, + { "notBefore", 1610637349, NULL }, + { NULL, 4104, "0"}, + { "notAfter", 536895525, NULL }, + { NULL, 4104, "1"}, + { "AuthorityKeyIdentifier", 1610612741, NULL }, + { "keyIdentifier", 1610637314, "KeyIdentifier"}, + { NULL, 4104, "0"}, + { "authorityCertIssuer", 1610637314, "GeneralNames"}, + { NULL, 4104, "1"}, + { "authorityCertSerialNumber", 536895490, "CertificateSerialNumber"}, + { NULL, 4104, "2"}, + { "KeyIdentifier", 1073741831, NULL }, + { "SubjectKeyIdentifier", 1073741826, "KeyIdentifier"}, + { "KeyUsage", 1073741830, NULL }, + { "DirectoryString", 1610612754, NULL }, + { "teletexString", 1612709918, NULL }, + { "MAX", 524298, "1"}, + { "printableString", 1612709919, NULL }, + { "MAX", 524298, "1"}, + { "universalString", 1612709920, NULL }, + { "MAX", 524298, "1"}, + { "utf8String", 1612709922, NULL }, + { "MAX", 524298, "1"}, + { "bmpString", 1612709921, NULL }, + { "MAX", 524298, "1"}, + { "ia5String", 538968093, NULL }, + { "MAX", 524298, "1"}, + { "SubjectAltName", 1073741826, "GeneralNames"}, + { "GeneralNames", 1612709899, NULL }, + { "MAX", 1074266122, "1"}, + { NULL, 2, "GeneralName"}, + { "GeneralName", 1610612754, NULL }, + { "otherName", 1610620930, "AnotherName"}, + { NULL, 4104, "0"}, + { "rfc822Name", 1610620957, NULL }, + { NULL, 4104, "1"}, + { "dNSName", 1610620957, NULL }, + { NULL, 4104, "2"}, + { "x400Address", 1610620941, NULL }, + { NULL, 4104, "3"}, + { "directoryName", 1610620930, "RDNSequence"}, + { NULL, 2056, "4"}, + { "ediPartyName", 1610620941, NULL }, + { NULL, 4104, "5"}, + { "uniformResourceIdentifier", 1610620957, NULL }, + { NULL, 4104, "6"}, + { "iPAddress", 1610620935, NULL }, + { NULL, 4104, "7"}, + { "registeredID", 536879116, NULL }, + { NULL, 4104, "8"}, + { "AnotherName", 1610612741, NULL }, + { "type-id", 1073741836, NULL }, + { "value", 541073421, NULL }, + { NULL, 1073743880, "0"}, + { "type-id", 1, NULL }, + { "IssuerAltName", 1073741826, "GeneralNames"}, + { "BasicConstraints", 1610612741, NULL }, + { "cA", 1610645508, NULL }, + { NULL, 131081, NULL }, + { "pathLenConstraint", 537411587, NULL }, + { "0", 10, "MAX"}, + { "CRLDistributionPoints", 1612709899, NULL }, + { "MAX", 1074266122, "1"}, + { NULL, 2, "DistributionPoint"}, + { "DistributionPoint", 1610612741, NULL }, + { "distributionPoint", 1610637314, "DistributionPointName"}, + { NULL, 2056, "0"}, + { "reasons", 1610637314, "ReasonFlags"}, + { NULL, 4104, "1"}, + { "cRLIssuer", 536895490, "GeneralNames"}, + { NULL, 4104, "2"}, + { "DistributionPointName", 1610612754, NULL }, + { "fullName", 1610620930, "GeneralNames"}, + { NULL, 4104, "0"}, + { "nameRelativeToCRLIssuer", 536879106, "RelativeDistinguishedName"}, + { NULL, 4104, "1"}, + { "ReasonFlags", 1073741830, NULL }, + { "ExtKeyUsageSyntax", 1612709899, NULL }, + { "MAX", 1074266122, "1"}, + { NULL, 2, "KeyPurposeId"}, + { "KeyPurposeId", 1073741836, NULL }, + { "AuthorityInfoAccessSyntax", 1612709899, NULL }, + { "MAX", 1074266122, "1"}, + { NULL, 2, "AccessDescription"}, + { "AccessDescription", 1610612741, NULL }, + { "accessMethod", 1073741836, NULL }, + { "accessLocation", 2, "GeneralName"}, + { "Attribute", 1610612741, NULL }, + { "type", 1073741826, "AttributeType"}, + { "values", 536870927, NULL }, + { NULL, 2, "AttributeValue"}, + { "AttributeType", 1073741836, NULL }, + { "AttributeValue", 1614807053, NULL }, + { "type", 1, NULL }, + { "AttributeTypeAndValue", 1610612741, NULL }, + { "type", 1073741826, "AttributeType"}, + { "value", 2, "AttributeValue"}, + { "id-at", 1879048204, NULL }, + { "joint-iso-ccitt", 1073741825, "2"}, + { "ds", 1073741825, "5"}, + { NULL, 1, "4"}, + { "emailAddress", 1880096780, "AttributeType"}, + { "iso", 1073741825, "1"}, + { "member-body", 1073741825, "2"}, + { "us", 1073741825, "840"}, + { "rsadsi", 1073741825, "113549"}, + { "pkcs", 1073741825, "1"}, + { NULL, 1073741825, "9"}, + { NULL, 1, "1"}, + { "Name", 1610612754, NULL }, + { "rdnSequence", 2, "RDNSequence"}, + { "RDNSequence", 1610612747, NULL }, + { NULL, 2, "RelativeDistinguishedName"}, + { "DistinguishedName", 1073741826, "RDNSequence"}, + { "RelativeDistinguishedName", 1612709903, NULL }, + { "MAX", 1074266122, "1"}, + { NULL, 2, "AttributeTypeAndValue"}, + { "Certificate", 1610612741, NULL }, + { "tbsCertificate", 1073741826, "TBSCertificate"}, + { "signatureAlgorithm", 1073741826, "AlgorithmIdentifier"}, + { "signature", 6, NULL }, + { "TBSCertificate", 1610612741, NULL }, + { "version", 1610653699, NULL }, + { NULL, 1073741833, "0"}, + { NULL, 2056, "0"}, + { "serialNumber", 1073741826, "CertificateSerialNumber"}, + { "signature", 1073741826, "AlgorithmIdentifier"}, + { "issuer", 1073741826, "Name"}, + { "validity", 1073741826, "Validity"}, + { "subject", 1073741826, "Name"}, + { "subjectPublicKeyInfo", 1073741826, "SubjectPublicKeyInfo"}, + { "issuerUniqueID", 1610637314, "UniqueIdentifier"}, + { NULL, 4104, "1"}, + { "subjectUniqueID", 1610637314, "UniqueIdentifier"}, + { NULL, 4104, "2"}, + { "extensions", 536895490, "Extensions"}, + { NULL, 2056, "3"}, + { "CertificateSerialNumber", 1073741827, NULL }, + { "Validity", 1610612741, NULL }, + { "notBefore", 1073741826, "Time"}, + { "notAfter", 2, "Time"}, + { "Time", 1610612754, NULL }, + { "utcTime", 1073741860, NULL }, + { "generalTime", 37, NULL }, + { "UniqueIdentifier", 1073741830, NULL }, + { "SubjectPublicKeyInfo", 1610612741, NULL }, + { "algorithm", 1073741826, "AlgorithmIdentifier"}, + { "subjectPublicKey", 6, NULL }, + { "Extensions", 1612709899, NULL }, + { "MAX", 1074266122, "1"}, + { NULL, 2, "Extension"}, + { "Extension", 1610612741, NULL }, + { "extnID", 1073741836, NULL }, + { "critical", 1610645508, NULL }, + { NULL, 131081, NULL }, + { "extnValue", 7, NULL }, + { "CertificateList", 1610612741, NULL }, + { "tbsCertList", 1073741826, "TBSCertList"}, + { "signatureAlgorithm", 1073741826, "AlgorithmIdentifier"}, + { "signature", 6, NULL }, + { "TBSCertList", 1610612741, NULL }, + { "version", 1073758211, NULL }, + { "signature", 1073741826, "AlgorithmIdentifier"}, + { "issuer", 1073741826, "Name"}, + { "thisUpdate", 1073741826, "Time"}, + { "nextUpdate", 1073758210, "Time"}, + { "revokedCertificates", 1610629131, NULL }, + { NULL, 536870917, NULL }, + { "userCertificate", 1073741826, "CertificateSerialNumber"}, + { "revocationDate", 1073741826, "Time"}, + { "crlEntryExtensions", 16386, "Extensions"}, + { "crlExtensions", 536895490, "Extensions"}, + { NULL, 2056, "0"}, + { "AlgorithmIdentifier", 1610612741, NULL }, + { "algorithm", 1073741836, NULL }, + { "parameters", 541081613, NULL }, + { "algorithm", 1, NULL }, + { "Dss-Sig-Value", 1610612741, NULL }, + { "r", 1073741827, NULL }, + { "s", 3, NULL }, + { "DomainParameters", 1610612741, NULL }, + { "p", 1073741827, NULL }, + { "g", 1073741827, NULL }, + { "q", 1073741827, NULL }, + { "j", 1073758211, NULL }, + { "validationParms", 16386, "ValidationParms"}, + { "ValidationParms", 1610612741, NULL }, + { "seed", 1073741830, NULL }, + { "pgenCounter", 3, NULL }, + { "Dss-Parms", 1610612741, NULL }, + { "p", 1073741827, NULL }, + { "q", 1073741827, NULL }, + { "g", 3, NULL }, + { "CountryName", 1610620946, NULL }, + { NULL, 1073746952, "1"}, + { "x121-dcc-code", 1612709916, NULL }, + { NULL, 1048586, "ub-country-name-numeric-length"}, + { "iso-3166-alpha2-code", 538968095, NULL }, + { NULL, 1048586, "ub-country-name-alpha-length"}, + { "OrganizationName", 1612709919, NULL }, + { "ub-organization-name-length", 524298, "1"}, + { "NumericUserIdentifier", 1612709916, NULL }, + { "ub-numeric-user-id-length", 524298, "1"}, + { "OrganizationalUnitNames", 1612709899, NULL }, + { "ub-organizational-units", 1074266122, "1"}, + { NULL, 2, "OrganizationalUnitName"}, + { "OrganizationalUnitName", 1612709919, NULL }, + { "ub-organizational-unit-name-length", 524298, "1"}, + { "CommonName", 1073741855, NULL }, + { "pkcs-7-ContentInfo", 1610612741, NULL }, + { "contentType", 1073741826, "pkcs-7-ContentType"}, + { "content", 541073421, NULL }, + { NULL, 1073743880, "0"}, + { "contentType", 1, NULL }, + { "pkcs-7-DigestInfo", 1610612741, NULL }, + { "digestAlgorithm", 1073741826, "AlgorithmIdentifier"}, + { "digest", 7, NULL }, + { "pkcs-7-ContentType", 1073741836, NULL }, + { "pkcs-7-SignedData", 1610612741, NULL }, + { "version", 1073741827, NULL }, + { "digestAlgorithms", 1073741826, "pkcs-7-DigestAlgorithmIdentifiers"}, + { "encapContentInfo", 1073741826, "pkcs-7-EncapsulatedContentInfo"}, + { "certificates", 1610637314, "pkcs-7-CertificateSet"}, + { NULL, 4104, "0"}, + { "crls", 1610637314, "pkcs-7-CertificateRevocationLists"}, + { NULL, 4104, "1"}, + { "signerInfos", 2, "pkcs-7-SignerInfos"}, + { "pkcs-7-DigestAlgorithmIdentifiers", 1610612751, NULL }, + { NULL, 2, "AlgorithmIdentifier"}, + { "pkcs-7-EncapsulatedContentInfo", 1610612741, NULL }, + { "eContentType", 1073741826, "pkcs-7-ContentType"}, + { "eContent", 536895495, NULL }, + { NULL, 2056, "0"}, + { "pkcs-7-CertificateRevocationLists", 1610612751, NULL }, + { NULL, 13, NULL }, + { "pkcs-7-CertificateChoices", 1610612754, NULL }, + { "certificate", 13, NULL }, + { "pkcs-7-CertificateSet", 1610612751, NULL }, + { NULL, 2, "pkcs-7-CertificateChoices"}, + { "pkcs-7-SignerInfos", 1610612751, NULL }, + { NULL, 13, NULL }, + { "pkcs-10-CertificationRequestInfo", 1610612741, NULL }, + { "version", 1073741827, NULL }, + { "subject", 1073741826, "Name"}, + { "subjectPKInfo", 1073741826, "SubjectPublicKeyInfo"}, + { "attributes", 536879106, "Attributes"}, + { NULL, 4104, "0"}, + { "Attributes", 1610612751, NULL }, + { NULL, 2, "Attribute"}, + { "pkcs-10-CertificationRequest", 1610612741, NULL }, + { "certificationRequestInfo", 1073741826, "pkcs-10-CertificationRequestInfo"}, + { "signatureAlgorithm", 1073741826, "AlgorithmIdentifier"}, + { "signature", 6, NULL }, + { "pkcs-9-at-challengePassword", 1879048204, NULL }, + { "iso", 1073741825, "1"}, + { "member-body", 1073741825, "2"}, + { "us", 1073741825, "840"}, + { "rsadsi", 1073741825, "113549"}, + { "pkcs", 1073741825, "1"}, + { NULL, 1073741825, "9"}, + { NULL, 1, "7"}, + { "pkcs-9-challengePassword", 1610612754, NULL }, + { "printableString", 1073741855, NULL }, + { "utf8String", 34, NULL }, + { "pkcs-9-localKeyId", 1073741831, NULL }, + { "pkcs-8-PrivateKeyInfo", 1610612741, NULL }, + { "version", 1073741827, NULL }, + { "privateKeyAlgorithm", 1073741826, "AlgorithmIdentifier"}, + { "privateKey", 1073741831, NULL }, + { "attributes", 536895490, "Attributes"}, + { NULL, 4104, "0"}, + { "pkcs-8-Attributes", 1610612751, NULL }, + { NULL, 2, "Attribute"}, + { "pkcs-8-EncryptedPrivateKeyInfo", 1610612741, NULL }, + { "encryptionAlgorithm", 1073741826, "AlgorithmIdentifier"}, + { "encryptedData", 2, "pkcs-8-EncryptedData"}, + { "pkcs-8-EncryptedData", 1073741831, NULL }, + { "pkcs-5-des-EDE3-CBC-params", 1612709895, NULL }, + { NULL, 1048586, "8"}, + { "pkcs-5-aes128-CBC-params", 1612709895, NULL }, + { NULL, 1048586, "16"}, + { "pkcs-5-aes192-CBC-params", 1612709895, NULL }, + { NULL, 1048586, "16"}, + { "pkcs-5-aes256-CBC-params", 1612709895, NULL }, + { NULL, 1048586, "16"}, + { "pkcs-5-PBES2-params", 1610612741, NULL }, + { "keyDerivationFunc", 1073741826, "AlgorithmIdentifier"}, + { "encryptionScheme", 2, "AlgorithmIdentifier"}, + { "pkcs-5-PBKDF2-params", 1610612741, NULL }, + { "salt", 1610612754, NULL }, + { "specified", 1073741831, NULL }, + { "otherSource", 2, "AlgorithmIdentifier"}, + { "iterationCount", 1611137027, NULL }, + { "1", 10, "MAX"}, + { "keyLength", 1611153411, NULL }, + { "1", 10, "MAX"}, + { "prf", 16386, "AlgorithmIdentifier"}, + { "pkcs-12-PFX", 1610612741, NULL }, + { "version", 1610874883, NULL }, + { "v3", 1, "3"}, + { "authSafe", 1073741826, "pkcs-7-ContentInfo"}, + { "macData", 16386, "pkcs-12-MacData"}, + { "pkcs-12-PbeParams", 1610612741, NULL }, + { "salt", 1073741831, NULL }, + { "iterations", 3, NULL }, + { "pkcs-12-MacData", 1610612741, NULL }, + { "mac", 1073741826, "pkcs-7-DigestInfo"}, + { "macSalt", 1073741831, NULL }, + { "iterations", 536903683, NULL }, + { NULL, 9, "1"}, + { "pkcs-12-AuthenticatedSafe", 1610612747, NULL }, + { NULL, 2, "pkcs-7-ContentInfo"}, + { "pkcs-12-SafeContents", 1610612747, NULL }, + { NULL, 2, "pkcs-12-SafeBag"}, + { "pkcs-12-SafeBag", 1610612741, NULL }, + { "bagId", 1073741836, NULL }, + { "bagValue", 1614815245, NULL }, + { NULL, 1073743880, "0"}, + { "badId", 1, NULL }, + { "bagAttributes", 536887311, NULL }, + { NULL, 2, "Attribute"}, + { "pkcs-12-CertBag", 1610612741, NULL }, + { "certId", 1073741836, NULL }, + { "certValue", 541073421, NULL }, + { NULL, 1073743880, "0"}, + { "certId", 1, NULL }, + { "pkcs-12-CRLBag", 1610612741, NULL }, + { "crlId", 1073741836, NULL }, + { "crlValue", 541073421, NULL }, + { NULL, 1073743880, "0"}, + { "crlId", 1, NULL }, + { "pkcs-12-SecretBag", 1610612741, NULL }, + { "secretTypeId", 1073741836, NULL }, + { "secretValue", 541073421, NULL }, + { NULL, 1073743880, "0"}, + { "secretTypeId", 1, NULL }, + { "pkcs-7-Data", 1073741831, NULL }, + { "pkcs-7-EncryptedData", 1610612741, NULL }, + { "version", 1073741827, NULL }, + { "encryptedContentInfo", 1073741826, "pkcs-7-EncryptedContentInfo"}, + { "unprotectedAttrs", 536895490, "pkcs-7-UnprotectedAttributes"}, + { NULL, 4104, "1"}, + { "pkcs-7-EncryptedContentInfo", 1610612741, NULL }, + { "contentType", 1073741826, "pkcs-7-ContentType"}, + { "contentEncryptionAlgorithm", 1073741826, "pkcs-7-ContentEncryptionAlgorithmIdentifier"}, + { "encryptedContent", 536895495, NULL }, + { NULL, 4104, "0"}, + { "pkcs-7-ContentEncryptionAlgorithmIdentifier", 1073741826, "AlgorithmIdentifier"}, + { "pkcs-7-UnprotectedAttributes", 1612709903, NULL }, + { "MAX", 1074266122, "1"}, + { NULL, 2, "Attribute"}, + { "ProxyCertInfo", 1610612741, NULL }, + { "pCPathLenConstraint", 1611153411, NULL }, + { "0", 10, "MAX"}, + { "proxyPolicy", 2, "ProxyPolicy"}, + { "ProxyPolicy", 1610612741, NULL }, + { "policyLanguage", 1073741836, NULL }, + { "policy", 16391, NULL }, + { "certificatePolicies", 1612709899, NULL }, + { "MAX", 1074266122, "1"}, + { NULL, 2, "PolicyInformation"}, + { "PolicyInformation", 1610612741, NULL }, + { "policyIdentifier", 1073741836, NULL }, + { "policyQualifiers", 538984459, NULL }, + { "MAX", 1074266122, "1"}, + { NULL, 2, "PolicyQualifierInfo"}, + { "PolicyQualifierInfo", 1610612741, NULL }, + { "policyQualifierId", 1073741836, NULL }, + { "qualifier", 541065229, NULL }, + { "policyQualifierId", 1, NULL }, + { "CPSuri", 1073741853, NULL }, + { "UserNotice", 1610612741, NULL }, + { "noticeRef", 1073758210, "NoticeReference"}, + { "explicitText", 16386, "DisplayText"}, + { "NoticeReference", 1610612741, NULL }, + { "organization", 1073741826, "DisplayText"}, + { "noticeNumbers", 536870923, NULL }, + { NULL, 3, NULL }, + { "DisplayText", 1610612754, NULL }, + { "ia5String", 1612709917, NULL }, + { "200", 524298, "1"}, + { "visibleString", 1612709923, NULL }, + { "200", 524298, "1"}, + { "bmpString", 1612709921, NULL }, + { "200", 524298, "1"}, + { "utf8String", 538968098, NULL }, + { "200", 524298, "1"}, + { "OCSPRequest", 1610612741, NULL }, + { "tbsRequest", 1073741826, "TBSRequest"}, + { "optionalSignature", 536895490, "Signature"}, + { NULL, 2056, "0"}, + { "TBSRequest", 1610612741, NULL }, + { "version", 1610653699, NULL }, + { NULL, 1073741833, "0"}, + { NULL, 2056, "0"}, + { "requestorName", 1610637314, "GeneralName"}, + { NULL, 2056, "1"}, + { "requestList", 1610612747, NULL }, + { NULL, 2, "Request"}, + { "requestExtensions", 536895490, "Extensions"}, + { NULL, 2056, "2"}, + { "Signature", 1610612741, NULL }, + { "signatureAlgorithm", 1073741826, "AlgorithmIdentifier"}, + { "signature", 1073741830, NULL }, + { "certs", 536895499, NULL }, + { NULL, 1073743880, "0"}, + { NULL, 2, "Certificate"}, + { "Request", 1610612741, NULL }, + { "reqCert", 1073741826, "CertID"}, + { "singleRequestExtensions", 536895490, "Extensions"}, + { NULL, 2056, "0"}, + { "CertID", 1610612741, NULL }, + { "hashAlgorithm", 1073741826, "AlgorithmIdentifier"}, + { "issuerNameHash", 1073741831, NULL }, + { "issuerKeyHash", 1073741831, NULL }, + { "serialNumber", 2, "CertificateSerialNumber"}, + { "OCSPResponse", 1610612741, NULL }, + { "responseStatus", 1073741826, "OCSPResponseStatus"}, + { "responseBytes", 536895490, "ResponseBytes"}, + { NULL, 2056, "0"}, + { "OCSPResponseStatus", 1610874901, NULL }, + { "successful", 1073741825, "0"}, + { "malformedRequest", 1073741825, "1"}, + { "internalError", 1073741825, "2"}, + { "tryLater", 1073741825, "3"}, + { "sigRequired", 1073741825, "5"}, + { "unauthorized", 1, "6"}, + { "ResponseBytes", 1610612741, NULL }, + { "responseType", 1073741836, NULL }, + { "response", 7, NULL }, + { "BasicOCSPResponse", 1610612741, NULL }, + { "tbsResponseData", 1073741826, "ResponseData"}, + { "signatureAlgorithm", 1073741826, "AlgorithmIdentifier"}, + { "signature", 1073741830, NULL }, + { "certs", 536895499, NULL }, + { NULL, 1073743880, "0"}, + { NULL, 2, "Certificate"}, + { "ResponseData", 1610612741, NULL }, + { "version", 1610653699, NULL }, + { NULL, 1073741833, "0"}, + { NULL, 2056, "0"}, + { "responderID", 1073741826, "ResponderID"}, + { "producedAt", 1073741861, NULL }, + { "responses", 1610612747, NULL }, + { NULL, 2, "SingleResponse"}, + { "responseExtensions", 536895490, "Extensions"}, + { NULL, 2056, "1"}, + { "ResponderID", 1610612754, NULL }, + { "byName", 1610620930, "RDNSequence"}, + { NULL, 2056, "1"}, + { "byKey", 536879111, NULL }, + { NULL, 4104, "2"}, + { "SingleResponse", 1610612741, NULL }, + { "certID", 1073741826, "CertID"}, + { "certStatus", 1073741826, "CertStatus"}, + { "thisUpdate", 1073741861, NULL }, + { "nextUpdate", 1610637349, NULL }, + { NULL, 2056, "0"}, + { "singleExtensions", 536895490, "Extensions"}, + { NULL, 2056, "1"}, + { "CertStatus", 1610612754, NULL }, + { "good", 1610620948, NULL }, + { NULL, 4104, "0"}, + { "revoked", 1610620930, "RevokedInfo"}, + { NULL, 4104, "1"}, + { "unknown", 536879106, "UnknownInfo"}, + { NULL, 4104, "2"}, + { "RevokedInfo", 1610612741, NULL }, + { "revocationTime", 1073741861, NULL }, + { "revocationReason", 536895490, "CRLReason"}, + { NULL, 2056, "0"}, + { "UnknownInfo", 1073741844, NULL }, + { "CRLReason", 1610874901, NULL }, + { "unspecified", 1073741825, "0"}, + { "keyCompromise", 1073741825, "1"}, + { "cACompromise", 1073741825, "2"}, + { "affiliationChanged", 1073741825, "3"}, + { "superseded", 1073741825, "4"}, + { "cessationOfOperation", 1073741825, "5"}, + { "certificateHold", 1073741825, "6"}, + { "removeFromCRL", 1073741825, "8"}, + { "privilegeWithdrawn", 1073741825, "9"}, + { "aACompromise", 1, "10"}, + { "NameConstraints", 1610612741, NULL }, + { "permittedSubtrees", 1610637314, "GeneralSubtrees"}, + { NULL, 4104, "0"}, + { "excludedSubtrees", 536895490, "GeneralSubtrees"}, + { NULL, 4104, "1"}, + { "GeneralSubtrees", 1612709899, NULL }, + { "MAX", 1074266122, "1"}, + { NULL, 2, "GeneralSubtree"}, + { "GeneralSubtree", 536870917, NULL }, + { "base", 1073741826, "GeneralName"}, + { "minimum", 1610653699, NULL }, + { NULL, 1073741833, "0"}, + { NULL, 4104, "0"}, + { "maximum", 536895491, NULL }, + { NULL, 4104, "1"}, + { NULL, 0, NULL } }; diff --git a/lib/x509/Makefile.am b/lib/x509/Makefile.am index 4fc657969b..b2e5a17a48 100644 --- a/lib/x509/Makefile.am +++ b/lib/x509/Makefile.am @@ -56,6 +56,7 @@ libgnutls_x509_la_SOURCES = \ x509.c x509_dn.c \ x509_int.h \ x509_write.c \ + name_constraints.c \ verify-high.c \ verify-high2.c \ verify-high.h diff --git a/lib/x509/extensions.c b/lib/x509/extensions.c index 4748421b68..5b2da0e38c 100644 --- a/lib/x509/extensions.c +++ b/lib/x509/extensions.c @@ -820,8 +820,8 @@ int _gnutls_x509_ext_gen_keyUsage(uint16_t usage, gnutls_datum_t * der_ext) return 0; } -static int -write_new_general_name(ASN1_TYPE ext, const char *ext_name, +int +_gnutls_write_general_name(ASN1_TYPE ext, const char *ext_name, gnutls_x509_subject_alt_name_t type, const void *data, unsigned int data_size) { @@ -829,12 +829,6 @@ write_new_general_name(ASN1_TYPE ext, const char *ext_name, int result; char name[128]; - result = asn1_write_value(ext, ext_name, "NEW", 1); - if (result != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - switch (type) { case GNUTLS_SAN_DNSNAME: str = "dNSName"; @@ -853,21 +847,13 @@ write_new_general_name(ASN1_TYPE ext, const char *ext_name, return GNUTLS_E_INTERNAL_ERROR; } - if (ext_name[0] == 0) { /* no dot */ - _gnutls_str_cpy(name, sizeof(name), "?LAST"); - } else { - _gnutls_str_cpy(name, sizeof(name), ext_name); - _gnutls_str_cat(name, sizeof(name), ".?LAST"); - } - - result = asn1_write_value(ext, name, str, 1); + result = asn1_write_value(ext, ext_name, str, 1); if (result != ASN1_SUCCESS) { gnutls_assert(); return _gnutls_asn2err(result); } - _gnutls_str_cat(name, sizeof(name), "."); - _gnutls_str_cat(name, sizeof(name), str); + snprintf(name, sizeof(name), "%s.%s", ext_name, str); result = asn1_write_value(ext, name, data, data_size); if (result != ASN1_SUCCESS) { @@ -879,6 +865,37 @@ write_new_general_name(ASN1_TYPE ext, const char *ext_name, return 0; } +static int +write_new_general_name(ASN1_TYPE ext, const char *ext_name, + gnutls_x509_subject_alt_name_t type, + const void *data, unsigned int data_size) +{ + int result; + char name[128]; + + result = asn1_write_value(ext, ext_name, "NEW", 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + if (ext_name[0] == 0) { /* no dot */ + _gnutls_str_cpy(name, sizeof(name), "?LAST"); + } else { + _gnutls_str_cpy(name, sizeof(name), ext_name); + _gnutls_str_cat(name, sizeof(name), ".?LAST"); + } + + result = _gnutls_write_general_name(ext, name, type, + data, data_size); + if (result < 0) { + gnutls_assert(); + return result; + } + + return 0; +} + /* Convert the given name to GeneralNames in a DER encoded extension. * This is the same as subject alternative name. */ diff --git a/lib/x509/name_constraints.c b/lib/x509/name_constraints.c new file mode 100644 index 0000000000..bdcfdefaf9 --- /dev/null +++ b/lib/x509/name_constraints.c @@ -0,0 +1,641 @@ +/* + * Copyright (C) 2014 Free Software Foundation, Inc. + * + * This file is part of GnuTLS. + * + * The GnuTLS is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public License + * as published by the Free Software Foundation; either version 2.1 of + * the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/> + * + */ + +/* Functions on X.509 Certificate parsing + */ + +#include <gnutls_int.h> +#include <gnutls_datum.h> +#include <gnutls_global.h> +#include <gnutls_errors.h> +#include <common.h> +#include <gnutls_x509.h> +#include <x509_b64.h> +#include <x509_int.h> +#include <libtasn1.h> + +/* Name constraints is limited to DNS names. + */ +typedef struct gnutls_name_constraints_st { + struct name_constraints_node_st * permitted; + struct name_constraints_node_st * excluded; +} gnutls_name_constraints_st; + +typedef struct name_constraints_node_st { + unsigned type; + gnutls_datum_t name; + struct name_constraints_node_st *next; +} name_constraints_node_st; + +static int extract_name_constraints(ASN1_TYPE c2, const char *vstr, + name_constraints_node_st ** _nc) +{ + int ret; + char tmpstr[128]; + unsigned indx = 0; + gnutls_datum_t tmp = { NULL, 0 }; + unsigned int type; + struct name_constraints_node_st *nc, *prev; + + nc = prev = *_nc; + + do { + indx++; + snprintf(tmpstr, sizeof(tmpstr), "%s.?%u.base", vstr, indx); + + ret = + _gnutls_parse_general_name2(c2, tmpstr, -1, &tmp, &type, 0); + + if (ret < 0) + break; + + if (type != GNUTLS_SAN_DNSNAME && type != GNUTLS_SAN_RFC822NAME + && type != GNUTLS_SAN_DN && type != GNUTLS_SAN_URI) { + gnutls_assert(); + ret = GNUTLS_E_ILLEGAL_PARAMETER; + goto cleanup; + } + + nc = gnutls_malloc(sizeof(struct name_constraints_node_st)); + if (nc == NULL) { + gnutls_assert(); + ret = GNUTLS_E_MEMORY_ERROR; + goto cleanup; + } + + memcpy(&nc->name, &tmp, sizeof(gnutls_datum_t)); + nc->type = type; + nc->next = NULL; + + if (prev == NULL) { + *_nc = prev = nc; + } else { + prev->next = nc; + prev = nc; + } + + tmp.data = NULL; + } while (ret >= 0); + + if (ret < 0 && ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { + gnutls_assert(); + goto cleanup; + } + + ret = 0; + cleanup: + if (ret < 0) { + nc = *_nc; + while (nc != NULL) { + prev = nc->next; + free(nc->name.data); + free(nc); + nc = prev; + } + *_nc = NULL; + } + gnutls_free(tmp.data); + return ret; +} + +/** + * gnutls_x509_crt_get_name_constraints: + * @crt: should contain a #gnutls_x509_crt_t structure + * @nc: The nameconstraints intermediate structure + * @critical: the extension status + * + * This function will return an intermediate structure containing + * the name constraints of the provided CA certificate. That + * structure can be used in combination with gnutls_x509_name_constraints_check() + * to verify whether a server's name is in accordance with the constraints. + * + * Note that @nc must be initialized prior to calling this function. + * + * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE + * if the extension is not present, otherwise a negative error value. + * + * Since: 3.3.0 + **/ +int gnutls_x509_crt_get_name_constraints(gnutls_x509_crt_t crt, + gnutls_x509_name_constraints_t nc, + unsigned int *critical) +{ + int result, ret; + gnutls_datum_t der = { NULL, 0 }; + ASN1_TYPE c2 = ASN1_TYPE_EMPTY; + + if (crt == NULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + ret = + _gnutls_x509_crt_get_extension(crt, "2.5.29.30", 0, &der, + critical); + if (ret < 0) + return gnutls_assert_val(ret); + + if (der.size == 0 || der.data == NULL) + return gnutls_assert_val(GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE); + + result = asn1_create_element + (_gnutls_get_pkix(), "PKIX1.NameConstraints", &c2); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + ret = _gnutls_asn2err(result); + goto cleanup; + } + + result = asn1_der_decoding(&c2, der.data, der.size, NULL); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + ret = _gnutls_asn2err(result); + goto cleanup; + } + + ret = extract_name_constraints(c2, "permittedSubtrees", &nc->permitted); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + + ret = extract_name_constraints(c2, "excludedSubtrees", &nc->excluded); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + + ret = 0; + + cleanup: + _gnutls_free_datum(&der); + asn1_delete_structure(&c2); + + return ret; + +} + +/** + * gnutls_x509_name_constraints_deinit: + * @nc: The nameconstraints structure + * + * This function will deinitialize a name constraints structure. + * + * Since: 3.3.0 + **/ +void gnutls_x509_name_constraints_deinit(gnutls_x509_name_constraints_t nc) +{ + name_constraints_node_st * next, *t; + + t = nc->permitted; + while (t != NULL) { + next = t->next; + free(t->name.data); + free(t); + t = next; + } + + t = nc->excluded; + while (t != NULL) { + next = t->next; + free(t->name.data); + free(t); + t = next; + } +} + +/** + * gnutls_x509_name_constraints_init: + * @nc: The nameconstraints structure + * + * This function will initialize a name constraints structure. + * + * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value. + * + * Since: 3.3.0 + **/ +int gnutls_x509_name_constraints_init(gnutls_x509_name_constraints_t *nc) +{ + *nc = gnutls_calloc(1, sizeof(struct gnutls_name_constraints_st)); + if (*nc == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + return 0; +} + +static +int name_constraints_add(gnutls_x509_name_constraints_t nc, + gnutls_x509_subject_alt_name_t type, + const gnutls_datum_t * name, + unsigned permitted) +{ + struct name_constraints_node_st * tmp, *prev = NULL; + int ret; + + if (type != GNUTLS_SAN_DNSNAME && type != GNUTLS_SAN_RFC822NAME && + type != GNUTLS_SAN_DN && type != GNUTLS_SAN_URI) + return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); + + if (type == GNUTLS_SAN_DNSNAME && name->size > 0 && name->data[0] == '.') { + _gnutls_debug_log("DNSNAME constraints cannot start with '.'. They must contain a domain name\n"); + return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); + } + + if (permitted != 0) + prev = tmp = nc->permitted; + else + prev = tmp = nc->excluded; + + while(tmp != NULL) { + tmp = tmp->next; + if (tmp != NULL) + prev = tmp; + } + + tmp = gnutls_malloc(sizeof(struct name_constraints_node_st)); + if (tmp == NULL) + return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); + + tmp->next = NULL; + tmp->type = type; + ret = _gnutls_set_datum(&tmp->name, name->data, name->size); + if (ret < 0) { + gnutls_assert(); + gnutls_free(tmp); + return ret; + } + + if (prev == NULL) { + if (permitted != 0) + nc->permitted = tmp; + else + nc->excluded = tmp; + } else + prev->next = tmp; + + return 0; +} + +/** + * gnutls_x509_name_constraints_add_permitted: + * @nc: The nameconstraints structure + * @type: The type of the constraints + * @name: The data of the constraints + * + * This function will add a name constraint to the list of permitted + * constraints. + * + * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value. + * + * Since: 3.3.0 + **/ +int gnutls_x509_name_constraints_add_permitted(gnutls_x509_name_constraints_t nc, + gnutls_x509_subject_alt_name_t type, + const gnutls_datum_t * name) +{ + return name_constraints_add(nc, type, name, 1); +} + +/** + * gnutls_x509_name_constraints_add_excluded: + * @nc: The nameconstraints structure + * @type: The type of the constraints + * @name: The data of the constraints + * + * This function will add a name constraint to the list of excluded + * constraints. + * + * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value. + * + * Since: 3.3.0 + **/ +int gnutls_x509_name_constraints_add_excluded(gnutls_x509_name_constraints_t nc, + gnutls_x509_subject_alt_name_t type, + const gnutls_datum_t * name) +{ + return name_constraints_add(nc, type, name, 0); +} + +/** + * gnutls_x509_crt_set_name_constraints: + * @crt: The certificate structure + * @nc: The nameconstraints structure + * + * This function will set the provided name constraints to + * the certificate extension list. This extension is always + * marked as critical. + * + * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value. + * + * Since: 3.3.0 + **/ +int gnutls_x509_crt_set_name_constraints(gnutls_x509_crt_t crt, + gnutls_x509_name_constraints_t nc) +{ +int ret, result; +gnutls_datum_t der_data; +uint8_t null = 0; +ASN1_TYPE c2 = ASN1_TYPE_EMPTY; +struct name_constraints_node_st * tmp; + + if (nc->permitted == NULL && nc->excluded == NULL) + return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); + + result = asn1_create_element + (_gnutls_get_pkix(), "PKIX1.NameConstraints", &c2); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + if (nc->permitted == NULL) { + asn1_write_value(c2, "permittedSubtrees", NULL, 0); + } else { + tmp = nc->permitted; + do { + result = asn1_write_value(c2, "permittedSubtrees", "NEW", 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + ret = _gnutls_asn2err(result); + goto cleanup; + } + + result = asn1_write_value(c2, "permittedSubtrees.?LAST.maximum", NULL, 0); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + ret = _gnutls_asn2err(result); + goto cleanup; + } + + result = asn1_write_value(c2, "permittedSubtrees.?LAST.minimum", &null, 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + ret = _gnutls_asn2err(result); + goto cleanup; + } + + ret = _gnutls_write_general_name(c2, "permittedSubtrees.?LAST.base", + tmp->type, tmp->name.data, tmp->name.size); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + tmp = tmp->next; + } while(tmp != NULL); + } + + if (nc->excluded == NULL) { + asn1_write_value(c2, "excludedSubtrees", NULL, 0); + } else { + tmp = nc->excluded; + do { + result = asn1_write_value(c2, "excludedSubtrees", "NEW", 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + ret = _gnutls_asn2err(result); + goto cleanup; + } + + result = asn1_write_value(c2, "excludedSubtrees.?LAST.maximum", NULL, 0); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + ret = _gnutls_asn2err(result); + goto cleanup; + } + + result = asn1_write_value(c2, "excludedSubtrees.?LAST.minimum", &null, 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + ret = _gnutls_asn2err(result); + goto cleanup; + } + + ret = _gnutls_write_general_name(c2, "excludedSubtrees.?LAST.base", + tmp->type, tmp->name.data, tmp->name.size); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + tmp = tmp->next; + } while(tmp != NULL); + + } + + ret = _gnutls_x509_der_encode(c2, "", &der_data, 0); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + + ret = + _gnutls_x509_crt_set_extension(crt, "2.5.29.30", &der_data, 1); + + _gnutls_free_datum(&der_data); + + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + + ret = 0; + crt->use_extensions = 1; + +cleanup: + asn1_delete_structure(&c2); + return ret; + +} + +static +unsigned ends_with(const gnutls_datum_t * str, const gnutls_datum_t * suffix) +{ + if (suffix->size >= str->size) + return 0; + + if (memcmp(str->data + str->size - suffix->size, suffix->data, suffix->size) == 0 && + str->data[str->size - suffix->size -1] == '.') + return 1; + + return 0; +} + +static unsigned dnsname_matches(const gnutls_datum_t *name, const gnutls_datum_t *suffix) +{ + _gnutls_hard_log("matching %.*s with constraint %.*s\n", name->size, name->data, + suffix->size, suffix->data); + + if (suffix->size == name->size && memcmp(suffix->data, name->data, suffix->size) == 0) + return 1; /* match */ + + return ends_with(name, suffix); +} + +/** + * gnutls_x509_name_constraints_check: + * @nc: the extracted name constraints structure + * @type: the type of the constraint to check (of type gnutls_x509_subject_alt_name_t) + * @name: the name to be checked + * + * This function will check the provided name against the constraints in + * @nc using the RFC5280 rules. Currently this function is limited to DNS + * names (of type %GNUTLS_SAN_DNSNAME). + * + * Returns: zero if the provided name is not acceptable, and non-zero otherwise. + * + * Since: 3.3.0 + **/ +unsigned gnutls_x509_name_constraints_check(gnutls_x509_name_constraints_t nc, + gnutls_x509_subject_alt_name_t type, + const gnutls_datum_t * name) +{ +unsigned i; +int ret; +unsigned rtype; +unsigned allowed_found = 0; +gnutls_datum_t rname; + + if (type != GNUTLS_SAN_DNSNAME) + return gnutls_assert_val(0); + + /* check restrictions */ + i = 0; + do { + ret = gnutls_x509_name_constraints_get_excluded(nc, i++, &rtype, &rname); + if (ret >= 0 && rtype != type) + continue; + + if (rname.size == 0) + continue; + + if (dnsname_matches(name, &rname) != 0) + return gnutls_assert_val(0); /* rejected */ + } while(ret == 0); + + /* check allowed */ + i = 0; + do { + ret = gnutls_x509_name_constraints_get_permitted(nc, i++, &rtype, &rname); + if (ret >= 0 && rtype != type) + continue; + + if (rname.size == 0) + continue; + + allowed_found = 1; + + if (dnsname_matches(name, &rname) != 0) + return 1; /* accepted */ + } while(ret == 0); + + if (allowed_found != 0) /* there are allowed directives but this host wasn't found */ + return gnutls_assert_val(0); + + return 1; +} + +/** + * gnutls_x509_name_constraints_get_permitted: + * @nc: the extracted name constraints structure + * @idx: the index of the constraint + * @type: the type of the constraint (of type gnutls_x509_subject_alt_name_t) + * @name: the name in the constraint (of the specific type) + * + * This function will return an intermediate structure containing + * the name constraints of the provided CA certificate. That + * structure can be used in combination with gnutls_x509_name_constraints_check() + * to verify whether a server's name is in accordance with the constraints. + * + * The name should be treated as constant and valid for the lifetime of @nc. + * + * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE + * if the extension is not present, otherwise a negative error value. + * + * Since: 3.3.0 + **/ +int gnutls_x509_name_constraints_get_permitted(gnutls_x509_name_constraints_t nc, + unsigned idx, + unsigned *type, gnutls_datum_t * name) +{ + unsigned int i; + struct name_constraints_node_st * tmp = nc->permitted; + + for (i = 0; i < idx; i++) { + if (tmp == NULL) + return + gnutls_assert_val + (GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE); + + tmp = tmp->next; + } + + if (tmp == NULL) + return gnutls_assert_val(GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE); + + *type = tmp->type; + *name = tmp->name; + + return 0; +} + +/** + * gnutls_x509_name_constraints_get_excluded: + * @nc: the extracted name constraints structure + * @idx: the index of the constraint + * @type: the type of the constraint (of type gnutls_x509_subject_alt_name_t) + * @name: the name in the constraint (of the specific type) + * + * This function will return an intermediate structure containing + * the name constraints of the provided CA certificate. That + * structure can be used in combination with gnutls_x509_name_constraints_check() + * to verify whether a server's name is in accordance with the constraints. + * + * The name should be treated as constant and valid for the lifetime of @nc. + * + * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE + * if the extension is not present, otherwise a negative error value. + * + * Since: 3.3.0 + **/ +int gnutls_x509_name_constraints_get_excluded(gnutls_x509_name_constraints_t nc, + unsigned idx, + unsigned *type, gnutls_datum_t * name) +{ + unsigned int i; + struct name_constraints_node_st * tmp = nc->excluded; + + for (i = 0; i < idx; i++) { + if (tmp == NULL) + return + gnutls_assert_val + (GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE); + + tmp = tmp->next; + } + + if (tmp == NULL) + return gnutls_assert_val(GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE); + + *type = tmp->type; + *name = tmp->name; + + return 0; +} diff --git a/lib/x509/output.c b/lib/x509/output.c index f88b1a802d..fd3fd1a72e 100644 --- a/lib/x509/output.c +++ b/lib/x509/output.c @@ -158,6 +158,69 @@ static void print_proxy(gnutls_buffer_st * str, gnutls_x509_crt_t cert) } } +static void print_nc(gnutls_buffer_st * str, const char* prefix, gnutls_x509_crt_t cert) +{ + gnutls_x509_name_constraints_t nc; + int ret; + unsigned critical, idx = 0; + gnutls_datum_t name; + unsigned type; + + ret = gnutls_x509_name_constraints_init(&nc); + if (ret < 0) + return; + + ret = gnutls_x509_crt_get_name_constraints(cert, nc, &critical); + if (ret < 0) + goto cleanup; + + do { + ret = gnutls_x509_name_constraints_get_permitted(nc, idx++, &type, &name); + + if (ret >= 0) { + if (idx == 1) + addf(str, _("%s\t\t\tPermitted:\n"), prefix); + + if (type == GNUTLS_SAN_DNSNAME) { + addf(str, _("%s\t\t\tDNSname:%s\n"), prefix, name.data); + } else if (type == GNUTLS_SAN_RFC822NAME) { + addf(str, _("%s\t\t\tRFC822Name:%s\n"), prefix, name.data); + } else if (type == GNUTLS_SAN_URI) { + addf(str, _("%s\t\t\tURI:%s\n"), prefix, name.data); + } else if (type == GNUTLS_SAN_DN) { + addf(str, _("%s\t\t\tdirectoryName:"), prefix); + _gnutls_buffer_hexprint(str, name.data, name.size); + adds(str, _(" \n")); + } + } + } while (ret == 0); + + idx = 0; + do { + ret = gnutls_x509_name_constraints_get_excluded(nc, idx++, &type, &name); + + if (ret >= 0) { + if (idx == 1) + addf(str, _("%s\t\t\tExcluded:\n"), prefix); + + if (type == GNUTLS_SAN_DNSNAME) { + addf(str, _("%s\t\t\tDNSname:%s\n"), prefix, name.data); + } else if (type == GNUTLS_SAN_RFC822NAME) { + addf(str, _("%s\t\t\tRFC822Name:%s\n"), prefix, name.data); + } else if (type == GNUTLS_SAN_URI) { + addf(str, _("%s\t\t\tURI:%s\n"), prefix, name.data); + } else if (type == GNUTLS_SAN_DN) { + addf(str, _("%s\t\t\tdirectoryName:"), prefix); + _gnutls_buffer_hexprint(str, name.data, name.size); + adds(str, _(" \n")); + } + } + } while (ret == 0); + +cleanup: + gnutls_x509_name_constraints_deinit(nc); +} + static void print_aia(gnutls_buffer_st * str, gnutls_x509_crt_t cert) { int err; @@ -982,7 +1045,7 @@ print_extensions(gnutls_buffer_st * str, const char *prefix, int type, int keyusage_idx = 0; int keypurpose_idx = 0; int ski_idx = 0; - int aki_idx = 0; + int aki_idx = 0, nc_idx = 0; int crldist_idx = 0, pkey_usage_period_idx = 0; char pfx[16]; @@ -1225,6 +1288,19 @@ print_extensions(gnutls_buffer_st * str, const char *prefix, int type, if (type == TYPE_CRT) print_aia(str, cert.crt); + } else if (strcmp(oid, "2.5.29.30") == 0) { + if (nc_idx) { + addf(str, + "error: more than one name constraints extension\n"); + continue; + } + nc_idx++; + + addf(str, _("%s\t\tName Constraints (%s):\n"), prefix, + critical ? _("critical") : _("not critical")); + + if (type == TYPE_CRT) + print_nc(str, prefix, cert.crt); } else { char *buffer; size_t extlen = 0; diff --git a/lib/x509/x509.c b/lib/x509/x509.c index cf9afa5554..24722cff2b 100644 --- a/lib/x509/x509.c +++ b/lib/x509/x509.c @@ -1108,6 +1108,13 @@ inline static int is_type_printable(int type) /* returns the type and the name on success. * Type is also returned as a parameter in case of an error. + * + * @seq: in case of GeneralNames it will return the corresponding name. + * in case of GeneralName, it must be -1 + * @dname: the name returned + * @ret_type: The type of the name + * @othername_oid: if the name is AnotherName return the OID + * */ int _gnutls_parse_general_name2(ASN1_TYPE src, const char *src_name, @@ -1121,12 +1128,16 @@ _gnutls_parse_general_name2(ASN1_TYPE src, const char *src_name, char choice_type[128]; gnutls_x509_subject_alt_name_t type; - seq++; /* 0->1, 1->2 etc */ + if (seq != -1) { + seq++; /* 0->1, 1->2 etc */ - if (src_name[0] != 0) - snprintf(nptr, sizeof(nptr), "%s.?%u", src_name, seq); - else - snprintf(nptr, sizeof(nptr), "?%u", seq); + if (src_name[0] != 0) + snprintf(nptr, sizeof(nptr), "%s.?%u", src_name, seq); + else + snprintf(nptr, sizeof(nptr), "?%u", seq); + } else { + snprintf(nptr, sizeof(nptr), "%s", src_name); + } len = sizeof(choice_type); result = asn1_read_value(src, nptr, choice_type, &len); diff --git a/lib/x509/x509_int.h b/lib/x509/x509_int.h index ae3871c779..0389de8133 100644 --- a/lib/x509/x509_int.h +++ b/lib/x509/x509_int.h @@ -215,6 +215,11 @@ _gnutls_x509_ext_gen_number(const uint8_t * nuber, size_t nr_size, gnutls_datum_t * der_ext); +int +_gnutls_write_general_name(ASN1_TYPE ext, const char *ext_name, + gnutls_x509_subject_alt_name_t type, + const void *data, unsigned int data_size); + int _gnutls_x509_ext_gen_basicConstraints(int CA, int pathLenConstraint, gnutls_datum_t * der_ext); int _gnutls_x509_ext_gen_keyUsage(uint16_t usage, diff --git a/tests/Makefile.am b/tests/Makefile.am index 07ba72cc12..8e9cdde20d 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -74,7 +74,7 @@ ctests = mini-record-2 simple gc set_pkcs12_cred certder certuniqueid \ mini-dtls-srtp mini-xssl rsa-encrypt-decrypt mini-loss-time \ mini-record mini-dtls-record mini-handshake-timeout mini-record-range \ mini-cert-status mini-rsa-psk global-init sec-params \ - fips-test mini-global-load + fips-test mini-global-load name-constraints if ENABLE_OCSP ctests += ocsp |