📄 x509v3.c

📁 WLAN无线网络管理的最新程序
💻 C
📖 第 1 页 / 共 3 页
字号:
		break;	default:		wpa_printf(MSG_DEBUG, "X509: Expected UTCTime or "			   "GeneralizedTime - found tag 0x%x", asn1_tag);		return -1;	}	if (sscanf(pos, "%02d", &month) != 1) {		wpa_hexdump_ascii(MSG_DEBUG, "X509: Failed to parse Time "				  "(month)", buf, len);		return -1;	}	pos += 2;	if (sscanf(pos, "%02d", &day) != 1) {		wpa_hexdump_ascii(MSG_DEBUG, "X509: Failed to parse Time "				  "(day)", buf, len);		return -1;	}	pos += 2;	if (sscanf(pos, "%02d", &hour) != 1) {		wpa_hexdump_ascii(MSG_DEBUG, "X509: Failed to parse Time "				  "(hour)", buf, len);		return -1;	}	pos += 2;	if (sscanf(pos, "%02d", &min) != 1) {		wpa_hexdump_ascii(MSG_DEBUG, "X509: Failed to parse Time "				  "(min)", buf, len);		return -1;	}	pos += 2;	if (sscanf(pos, "%02d", &sec) != 1) {		wpa_hexdump_ascii(MSG_DEBUG, "X509: Failed to parse Time "				  "(sec)", buf, len);		return -1;	}	if (os_mktime(year, month, day, hour, min, sec, val) < 0) {		wpa_hexdump_ascii(MSG_DEBUG, "X509: Failed to convert Time",				  buf, len);		if (year < 1970) {			/*			 * At least some test certificates have been configured			 * to use dates prior to 1970. Set the date to			 * beginning of 1970 to handle these case.			 */			wpa_printf(MSG_DEBUG, "X509: Year=%d before epoch - "				   "assume epoch as the time", year);			*val = 0;			return 0;		}		return -1;	}	return 0;}static int x509_parse_validity(const u8 *buf, size_t len,			       struct x509_certificate *cert, const u8 **next){	struct asn1_hdr hdr;	const u8 *pos;	size_t plen;	/*	 * Validity ::= SEQUENCE {	 *     notBefore      Time,	 *     notAfter       Time	 * }	 *	 * RFC 3280, 4.1.2.5:	 * CAs conforming to this profile MUST always encode certificate	 * validity dates through the year 2049 as UTCTime; certificate	 * validity dates in 2050 or later MUST be encoded as GeneralizedTime.	 */	if (asn1_get_next(buf, len, &hdr) < 0 ||	    hdr.class != ASN1_CLASS_UNIVERSAL ||	    hdr.tag != ASN1_TAG_SEQUENCE) {		wpa_printf(MSG_DEBUG, "X509: Expected SEQUENCE "			   "(Validity) - found class %d tag 0x%x",			   hdr.class, hdr.tag);		return -1;	}	pos = hdr.payload;	plen = hdr.length;	if (pos + plen > buf + len)		return -1;	*next = pos + plen;	if (asn1_get_next(pos, plen, &hdr) < 0 ||	    hdr.class != ASN1_CLASS_UNIVERSAL ||	    x509_parse_time(hdr.payload, hdr.length, hdr.tag,			    &cert->not_before) < 0) {		wpa_hexdump_ascii(MSG_DEBUG, "X509: Failed to parse notBefore "				  "Time", hdr.payload, hdr.length);		return -1;	}	pos = hdr.payload + hdr.length;	plen = *next - pos;	if (asn1_get_next(pos, plen, &hdr) < 0 ||	    hdr.class != ASN1_CLASS_UNIVERSAL ||	    x509_parse_time(hdr.payload, hdr.length, hdr.tag,			    &cert->not_after) < 0) {		wpa_hexdump_ascii(MSG_DEBUG, "X509: Failed to parse notAfter "				  "Time", hdr.payload, hdr.length);		return -1;	}	wpa_printf(MSG_MSGDUMP, "X509: Validity: notBefore: %lu notAfter: %lu",		   (unsigned long) cert->not_before,		   (unsigned long) cert->not_after);	return 0;}static int x509_id_ce_oid(struct asn1_oid *oid){	/* id-ce arc from X.509 for standard X.509v3 extensions */	return oid->len >= 4 &&		oid->oid[0] == 2 /* joint-iso-ccitt */ &&		oid->oid[1] == 5 /* ds */ &&		oid->oid[2] == 29 /* id-ce */;}static int x509_parse_ext_key_usage(struct x509_certificate *cert,				    const u8 *pos, size_t len){	struct asn1_hdr hdr;	/*	 * KeyUsage ::= BIT STRING {	 *     digitalSignature        (0),	 *     nonRepudiation          (1),	 *     keyEncipherment         (2),	 *     dataEncipherment        (3),	 *     keyAgreement            (4),	 *     keyCertSign             (5),	 *     cRLSign                 (6),	 *     encipherOnly            (7),	 *     decipherOnly            (8) }	 */	if (asn1_get_next(pos, len, &hdr) < 0 ||	    hdr.class != ASN1_CLASS_UNIVERSAL ||	    hdr.tag != ASN1_TAG_BITSTRING ||	    hdr.length < 1) {		wpa_printf(MSG_DEBUG, "X509: Expected BIT STRING in "			   "KeyUsage; found %d tag 0x%x len %d",			   hdr.class, hdr.tag, hdr.length);		return -1;	}	cert->extensions_present |= X509_EXT_KEY_USAGE;	cert->key_usage = asn1_bit_string_to_long(hdr.payload, hdr.length);	wpa_printf(MSG_DEBUG, "X509: KeyUsage 0x%lx", cert->key_usage);	return 0;}static int x509_parse_ext_basic_constraints(struct x509_certificate *cert,					    const u8 *pos, size_t len){	struct asn1_hdr hdr;	unsigned long value;	size_t left;	/*	 * BasicConstraints ::= SEQUENCE {	 * cA                      BOOLEAN DEFAULT FALSE,	 * pathLenConstraint       INTEGER (0..MAX) OPTIONAL }	 */	if (asn1_get_next(pos, len, &hdr) < 0 ||	    hdr.class != ASN1_CLASS_UNIVERSAL ||	    hdr.tag != ASN1_TAG_SEQUENCE) {		wpa_printf(MSG_DEBUG, "X509: Expected SEQUENCE in "			   "BasicConstraints; found %d tag 0x%x",			   hdr.class, hdr.tag);		return -1;	}	cert->extensions_present |= X509_EXT_BASIC_CONSTRAINTS;	if (hdr.length == 0)		return 0;	if (asn1_get_next(hdr.payload, hdr.length, &hdr) < 0 ||	    hdr.class != ASN1_CLASS_UNIVERSAL) {		wpa_printf(MSG_DEBUG, "X509: Failed to parse "			   "BasicConstraints");		return -1;	}	if (hdr.tag == ASN1_TAG_BOOLEAN) {		if (hdr.length != 1) {			wpa_printf(MSG_DEBUG, "X509: Unexpected "				   "Boolean length (%u) in BasicConstraints",				   hdr.length);			return -1;		}		cert->ca = hdr.payload[0];		if (hdr.payload + hdr.length == pos + len) {			wpa_printf(MSG_DEBUG, "X509: BasicConstraints - cA=%d",				   cert->ca);			return 0;		}		if (asn1_get_next(hdr.payload + hdr.length, len - hdr.length,				  &hdr) < 0 ||		    hdr.class != ASN1_CLASS_UNIVERSAL) {			wpa_printf(MSG_DEBUG, "X509: Failed to parse "				   "BasicConstraints");			return -1;		}	}	if (hdr.tag != ASN1_TAG_INTEGER) {		wpa_printf(MSG_DEBUG, "X509: Expected INTEGER in "			   "BasicConstraints; found class %d tag 0x%x",			   hdr.class, hdr.tag);		return -1;	}	pos = hdr.payload;	left = hdr.length;	value = 0;	while (left) {		value <<= 8;		value |= *pos++;		left--;	}	cert->path_len_constraint = value;	cert->extensions_present |= X509_EXT_PATH_LEN_CONSTRAINT;	wpa_printf(MSG_DEBUG, "X509: BasicConstraints - cA=%d "		   "pathLenConstraint=%lu",		   cert->ca, cert->path_len_constraint);	return 0;}static int x509_parse_extension_data(struct x509_certificate *cert,				     struct asn1_oid *oid,				     const u8 *pos, size_t len){	if (!x509_id_ce_oid(oid))		return 1;	/* TODO: add other extensions required by RFC 3280, Ch 4.2:	 * certificate policies (section 4.2.1.5)	 * the subject alternative name (section 4.2.1.7)	 * name constraints (section 4.2.1.11)	 * policy constraints (section 4.2.1.12)	 * extended key usage (section 4.2.1.13)	 * inhibit any-policy (section 4.2.1.15)	 */	switch (oid->oid[3]) {	case 15: /* id-ce-keyUsage */		return x509_parse_ext_key_usage(cert, pos, len);	case 19: /* id-ce-basicConstraints */		return x509_parse_ext_basic_constraints(cert, pos, len);	default:		return 1;	}}static int x509_parse_extension(struct x509_certificate *cert,				const u8 *pos, size_t len, const u8 **next){	const u8 *end;	struct asn1_hdr hdr;	struct asn1_oid oid;	int critical_ext = 0, res;	char buf[80];	/*	 * Extension  ::=  SEQUENCE  {	 *     extnID      OBJECT IDENTIFIER,	 *     critical    BOOLEAN DEFAULT FALSE,	 *     extnValue   OCTET STRING	 * }	 */	if (asn1_get_next(pos, len, &hdr) < 0 ||	    hdr.class != ASN1_CLASS_UNIVERSAL ||	    hdr.tag != ASN1_TAG_SEQUENCE) {		wpa_printf(MSG_DEBUG, "X509: Unexpected ASN.1 header in "			   "Extensions: class %d tag 0x%x; expected SEQUENCE",			   hdr.class, hdr.tag);		return -1;	}	pos = hdr.payload;	*next = end = pos + hdr.length;	if (asn1_get_oid(pos, end - pos, &oid, &pos) < 0) {		wpa_printf(MSG_DEBUG, "X509: Unexpected ASN.1 data for "			   "Extension (expected OID)");		return -1;	}	if (asn1_get_next(pos, end - pos, &hdr) < 0 ||	    hdr.class != ASN1_CLASS_UNIVERSAL ||	    (hdr.tag != ASN1_TAG_BOOLEAN &&	     hdr.tag != ASN1_TAG_OCTETSTRING)) {		wpa_printf(MSG_DEBUG, "X509: Unexpected ASN.1 header in "			   "Extensions: class %d tag 0x%x; expected BOOLEAN "			   "or OCTET STRING", hdr.class, hdr.tag);		return -1;	}	if (hdr.tag == ASN1_TAG_BOOLEAN) {		if (hdr.length != 1) {			wpa_printf(MSG_DEBUG, "X509: Unexpected "				   "Boolean length (%u)", hdr.length);			return -1;		}		critical_ext = hdr.payload[0];		pos = hdr.payload;		if (asn1_get_next(pos, end - pos, &hdr) < 0 ||		    (hdr.class != ASN1_CLASS_UNIVERSAL &&		     hdr.class != ASN1_CLASS_PRIVATE) ||		    hdr.tag != ASN1_TAG_OCTETSTRING) {			wpa_printf(MSG_DEBUG, "X509: Unexpected ASN.1 header "				   "in Extensions: class %d tag 0x%x; "				   "expected OCTET STRING",				   hdr.class, hdr.tag);			return -1;		}	}	asn1_oid_to_str(&oid, buf, sizeof(buf));	wpa_printf(MSG_DEBUG, "X509: Extension: extnID=%s critical=%d",		   buf, critical_ext);	wpa_hexdump(MSG_MSGDUMP, "X509: extnValue", hdr.payload, hdr.length);	res = x509_parse_extension_data(cert, &oid, hdr.payload, hdr.length);	if (res < 0)		return res;	if (res == 1 && critical_ext) {		wpa_printf(MSG_INFO, "X509: Unknown critical extension %s",			   buf);		return -1;	}	return 0;}static int x509_parse_extensions(struct x509_certificate *cert,				 const u8 *pos, size_t len){	const u8 *end;	struct asn1_hdr hdr;	/* Extensions  ::=  SEQUENCE SIZE (1..MAX) OF Extension */	if (asn1_get_next(pos, len, &hdr) < 0 ||	    hdr.class != ASN1_CLASS_UNIVERSAL ||	    hdr.tag != ASN1_TAG_SEQUENCE) {		wpa_printf(MSG_DEBUG, "X509: Unexpected ASN.1 data "			   "for Extensions: class %d tag 0x%x; "			   "expected SEQUENCE", hdr.class, hdr.tag);		return -1;	}	pos = hdr.payload;	end = pos + hdr.length;	while (pos < end) {		if (x509_parse_extension(cert, pos, end - pos, &pos)		    < 0)			return -1;	}	return 0;}static int x509_parse_tbs_certificate(const u8 *buf, size_t len,				      struct x509_certificate *cert,				      const u8 **next){	struct asn1_hdr hdr;	const u8 *pos, *end;	size_t left;	char sbuf[128];	unsigned long value;	/* tbsCertificate TBSCertificate ::= SEQUENCE */	if (asn1_get_next(buf, len, &hdr) < 0 ||	    hdr.class != ASN1_CLASS_UNIVERSAL ||	    hdr.tag != ASN1_TAG_SEQUENCE) {		wpa_printf(MSG_DEBUG, "X509: tbsCertificate did not start "			   "with a valid SEQUENCE - found class %d tag 0x%x",			   hdr.class, hdr.tag);		return -1;	}	pos = hdr.payload;	end = *next = pos + hdr.length;	/*	 * version [0]  EXPLICIT Version DEFAULT v1	 * Version  ::=  INTEGER  {  v1(0), v2(1), v3(2)  }	 */	if (asn1_get_next(pos, end - pos, &hdr) < 0)		return -1;	pos = hdr.payload;	if (hdr.class == ASN1_CLASS_CONTEXT_SPECIFIC) {		if (asn1_get_next(pos, end - pos, &hdr) < 0)			return -1;		if (hdr.class != ASN1_CLASS_UNIVERSAL ||		    hdr.tag != ASN1_TAG_INTEGER) {			wpa_printf(MSG_DEBUG, "X509: No INTEGER tag found for "				   "version field - found class %d tag 0x%x",				   hdr.class, hdr.tag);			return -1;		}		if (hdr.length != 1) {			wpa_printf(MSG_DEBUG, "X509: Unexpected version field "				   "length %u (expected 1)", hdr.length);			return -1;		}		pos = hdr.payload;		left = hdr.length;		value = 0;		while (left) {			value <<= 8;			value |= *pos++;			left--;		}		cert->version = value;		if (cert->version != X509_CERT_V1 &&		    cert->version != X509_CERT_V2 &&		    cert->version != X509_CERT_V3) {			wpa_printf(MSG_DEBUG, "X509: Unsupported version %d",				   cert->version + 1);			return -1;		}		if (asn1_get_next(pos, end - pos, &hdr) < 0)			return -1;	} else		cert->version = X509_CERT_V1;	wpa_printf(MSG_MSGDUMP, "X509: Version X.509v%d", cert->version + 1);	/* serialNumber CertificateSerialNumber ::= INTEGER */	if (hdr.class != ASN1_CLASS_UNIVERSAL ||	    hdr.tag != ASN1_TAG_INTEGER) {		wpa_printf(MSG_DEBUG, "X509: No INTEGER tag found for "			   "serialNumber; class=%d tag=0x%x",			   hdr.class, hdr.tag);		return -1;	}	pos = hdr.payload;	left = hdr.length;	while (left) {		cert->serial_number <<= 8;		cert->serial_number |= *pos++;		left--;	}	wpa_printf(MSG_MSGDUMP, "X509: serialNumber %lu", cert->serial_number);	/* signature AlgorithmIdentifier */	if (x509_parse_algorithm_identifier(pos, end - pos, &cert->signature,					    &pos))		return -1;	/* issuer Name */	if (x509_parse_name(pos, end - pos, &cert->issuer, &pos))		return -1;	x509_name_string(&cert->issuer, sbuf, sizeof(sbuf));	wpa_printf(MSG_MSGDUMP, "X509: issuer %s", sbuf);	/* validity Validity */	if (x509_parse_validity(pos, end - pos, cert, &pos))		return -1;	/* subject Name */	if (x509_parse_name(pos, end - pos, &cert->subject, &pos))		return -1;	x509_name_string(&cert->subject, sbuf, sizeof(sbuf));	wpa_printf(MSG_MSGDUMP, "X509: subject %s", sbuf);	/* subjectPublicKeyInfo SubjectPublicKeyInfo */	if (x509_parse_public_key(pos, end - pos, cert, &pos))		return -1;	if (pos == end)		return 0;	if (cert->version == X509_CERT_V1)		return 0;	if (asn1_get_next(pos, end - pos, &hdr) < 0 ||	    hdr.class != ASN1_CLASS_CONTEXT_SPECIFIC) {		wpa_printf(MSG_DEBUG, "X509: Expected Context-Specific"			   " tag to parse optional tbsCertificate "			   "field(s); parsed class %d tag 0x%x",			   hdr.class, hdr.tag);		return -1;	}	if (hdr.tag == 1) {		/* issuerUniqueID  [1]  IMPLICIT UniqueIdentifier OPTIONAL */		wpa_printf(MSG_DEBUG, "X509: issuerUniqueID");		/* TODO: parse UniqueIdentifier ::= BIT STRING */		if (hdr.payload + hdr.length == end)			return 0;		if (asn1_get_next(pos, end - pos, &hdr) < 0 ||		    hdr.class != ASN1_CLASS_CONTEXT_SPECIFIC) {			wpa_printf(MSG_DEBUG, "X509: Expected Context-Specific"				   " tag to parse optional tbsCertificate "				   "field(s); parsed class %d tag 0x%x",				   hdr.class, hdr.tag);			return -1;		}	}	if (hdr.tag == 2) {		/* subjectUniqueID [2]  IMPLICIT UniqueIdentifier OPTIONAL */		wpa_printf(MSG_DEBUG, "X509: subjectUniqueID");		/* TODO: parse UniqueIdentifier ::= BIT STRING */		if (hdr.payload + hdr.length == end)			return 0;		if (asn1_get_next(pos, end - pos, &hdr) < 0 ||		    hdr.class != ASN1_CLASS_CONTEXT_SPECIFIC) {			wpa_printf(MSG_DEBUG, "X509: Expected Context-Specific"				   " tag to parse optional tbsCertificate "				   "field(s); parsed class %d tag 0x%x",				   hdr.class, hdr.tag);			return -1;		}	}
⌨️ 快捷键说明

复制代码 Ctrl + C
搜索代码 Ctrl + F
全屏模式 F11
切换主题 Ctrl + Shift + D
显示快捷键 ?
增大字号 Ctrl + =
减小字号 Ctrl + -