LCOV - code coverage report
Current view: top level - src - certreq.c (source / functions) Hit Total Coverage
Test: coverage.info Lines: 0 568 0.0 %
Date: 2016-12-09 14:04:45 Functions: 0 18 0.0 %

          Line data    Source code
       1             : /* certreq.c - create pkcs-10 messages
       2             :  *      Copyright (C) 2002, 2011, 2012 g10 Code GmbH
       3             :  *
       4             :  * This file is part of KSBA.
       5             :  *
       6             :  * KSBA is free software; you can redistribute it and/or modify
       7             :  * it under the terms of either
       8             :  *
       9             :  *   - the GNU Lesser General Public License as published by the Free
      10             :  *     Software Foundation; either version 3 of the License, or (at
      11             :  *     your option) any later version.
      12             :  *
      13             :  * or
      14             :  *
      15             :  *   - the GNU General Public License as published by the Free
      16             :  *     Software Foundation; either version 2 of the License, or (at
      17             :  *     your option) any later version.
      18             :  *
      19             :  * or both in parallel, as here.
      20             :  *
      21             :  * KSBA is distributed in the hope that it will be useful, but WITHOUT
      22             :  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
      23             :  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public
      24             :  * License for more details.
      25             :  *
      26             :  * You should have received a copies of the GNU General Public License
      27             :  * and the GNU Lesser General Public License along with this program;
      28             :  * if not, see <http://www.gnu.org/licenses/>.
      29             :  */
      30             : 
      31             : #include <config.h>
      32             : #include <stdio.h>
      33             : #include <stdlib.h>
      34             : #include <string.h>
      35             : #include <assert.h>
      36             : #include <errno.h>
      37             : 
      38             : #include "util.h"
      39             : 
      40             : #include "cms.h"
      41             : #include "convert.h"
      42             : #include "keyinfo.h"
      43             : #include "der-encoder.h"
      44             : #include "ber-help.h"
      45             : #include "certreq.h"
      46             : 
      47             : static const char oidstr_subjectAltName[] = "2.5.29.17";
      48             : static const char oidstr_extensionReq[] = "1.2.840.113549.1.9.14";
      49             : 
      50             : 
      51             : 
      52             : /**
      53             :  * ksba_cms_new:
      54             :  *
      55             :  * Create a new and empty CMS object
      56             :  *
      57             :  * Return value: A CMS object or an error code.
      58             :  **/
      59             : gpg_error_t
      60           0 : ksba_certreq_new (ksba_certreq_t *r_cr)
      61             : {
      62           0 :   *r_cr = xtrycalloc (1, sizeof **r_cr);
      63           0 :   if (!*r_cr)
      64           0 :     return gpg_error_from_errno (errno);
      65             : 
      66           0 :   return 0;
      67             : }
      68             : 
      69             : /**
      70             :  * ksba_certreq_release:
      71             :  * @cms: A Certreq object
      72             :  *
      73             :  * Release a Certreq object.
      74             :  **/
      75             : void
      76           0 : ksba_certreq_release (ksba_certreq_t cr)
      77             : {
      78           0 :   if (!cr)
      79           0 :     return;
      80           0 :   xfree (cr->x509.serial.der);
      81           0 :   xfree (cr->x509.issuer.der);
      82           0 :   xfree (cr->x509.siginfo.der);
      83           0 :   xfree (cr->subject.der);
      84           0 :   xfree (cr->key.der);
      85           0 :   xfree (cr->cri.der);
      86           0 :   xfree (cr->sig_val.algo);
      87           0 :   xfree (cr->sig_val.value);
      88           0 :   while (cr->subject_alt_names)
      89             :     {
      90           0 :       struct general_names_s *tmp = cr->subject_alt_names->next;
      91           0 :       xfree (cr->subject_alt_names);
      92           0 :       cr->subject_alt_names = tmp;
      93             :     }
      94           0 :   while (cr->extn_list)
      95             :     {
      96           0 :       struct extn_list_s *e = cr->extn_list->next;
      97           0 :       xfree (cr->extn_list);
      98           0 :       cr->extn_list = e;
      99             :     }
     100             : 
     101           0 :   xfree (cr);
     102             : }
     103             : 
     104             : 
     105             : gpg_error_t
     106           0 : ksba_certreq_set_writer (ksba_certreq_t cr, ksba_writer_t w)
     107             : {
     108           0 :   if (!cr || !w)
     109           0 :     return gpg_error (GPG_ERR_INV_VALUE);
     110           0 :   cr->writer = w;
     111           0 :   return 0;
     112             : }
     113             : 
     114             : 
     115             : /* Provide a hash function so that we are able to hash the data */
     116             : void
     117           0 : ksba_certreq_set_hash_function (ksba_certreq_t cr,
     118             :                                 void (*hash_fnc)(void *, const void *, size_t),
     119             :                                 void *hash_fnc_arg)
     120             : {
     121           0 :   if (cr)
     122             :     {
     123           0 :       cr->hash_fnc = hash_fnc;
     124           0 :       cr->hash_fnc_arg = hash_fnc_arg;
     125             :     }
     126           0 : }
     127             : 
     128             : 
     129             : 
     130             : /* Store the serial number.  If this function is used, a real X.509
     131             :    certificate will be built instead of a pkcs#10 certificate signing
     132             :    request.  SN must be a simple canonical encoded s-expression with
     133             :    the serial number as its only item.  Note that this function allows
     134             :    to set a negative serial number, which is not forbidden but
     135             :    probably not a good idea.  */
     136             : gpg_error_t
     137           0 : ksba_certreq_set_serial (ksba_certreq_t cr, ksba_const_sexp_t sn)
     138             : {
     139           0 :   const char *p = (const char *)sn;
     140             :   unsigned long n;
     141             :   char *endp;
     142             : 
     143           0 :   if (!cr || !sn || !p || *p != '(')
     144           0 :     return gpg_error (GPG_ERR_INV_VALUE);
     145             : 
     146           0 :   p++;
     147           0 :   n = strtoul (p, &endp, 10);
     148           0 :   p = endp;
     149           0 :   if (*p++ != ':' || !n)
     150           0 :     return gpg_error (GPG_ERR_INV_VALUE);
     151             : 
     152             :   /* Remove invalid leading zero bytes.  */
     153           0 :   for (; n > 1 && !*p && !(p[1] & 0x80); n--, p++)
     154             :     ;
     155             : 
     156           0 :   if (cr->x509.serial.der)
     157           0 :     return gpg_error (GPG_ERR_CONFLICT); /* Already set */
     158           0 :   cr->x509.serial.der = xtrymalloc (n);
     159           0 :   if (!cr->x509.serial.der)
     160           0 :     return gpg_error_from_syserror ();
     161           0 :   memcpy (cr->x509.serial.der, p, n);
     162           0 :   cr->x509.serial.derlen = n;
     163             : 
     164           0 :   return 0;
     165             : }
     166             : 
     167             : 
     168             : /* Store the issuer's name.  NAME must be a valid RFC-2253 encoded DN
     169             :    name.  Only used for building an X.509 certificate.  */
     170             : gpg_error_t
     171           0 : ksba_certreq_set_issuer (ksba_certreq_t cr, const char *name)
     172             : {
     173           0 :   if (!cr || !name)
     174           0 :     return gpg_error (GPG_ERR_INV_VALUE);
     175           0 :   if (cr->x509.issuer.der)
     176           0 :     return gpg_error (GPG_ERR_CONFLICT); /* Already set */
     177           0 :   return _ksba_dn_from_str (name, &cr->x509.issuer.der,
     178             :                             &cr->x509.issuer.derlen);
     179             : }
     180             : 
     181             : /* Store validity information.  The time is in TIMEBUF.  A value of 0
     182             :    for WHAT stores the notBefore time, a value of 1 stores the
     183             :    notAfter time.  Only used for building an X.509 certificate.  */
     184             : gpg_error_t
     185           0 : ksba_certreq_set_validity (ksba_certreq_t cr, int what,
     186             :                            const ksba_isotime_t timebuf)
     187             : {
     188           0 :   if (!cr || what < 0 || what > 1
     189           0 :       || !timebuf || _ksba_assert_time_format (timebuf))
     190           0 :     return gpg_error (GPG_ERR_INV_VALUE);
     191             : 
     192           0 :   _ksba_copy_time (what?cr->x509.not_after:cr->x509.not_before, timebuf);
     193           0 :   return 0;
     194             : }
     195             : 
     196             : 
     197             : /* Store the signing key info.  This is used to extract the signing
     198             :    algorithm; the signing itself needs to be done by the caller as
     199             :    response to a stop code.  The expression SIGINFO is similar to a
     200             :    sig-val one, however most parameters are not required.  The
     201             :    expected structure of this canonical encoded s-expression is:
     202             : 
     203             :      (sig-val
     204             :        (<algo>
     205             :           (<param_name1> <value>)
     206             :           ...
     207             :           (<param_namen> <value>)))
     208             : 
     209             : */
     210             : gpg_error_t
     211           0 : ksba_certreq_set_siginfo (ksba_certreq_t cr, ksba_const_sexp_t siginfo)
     212             : {
     213           0 :   if (!cr || !siginfo)
     214           0 :     return gpg_error (GPG_ERR_INV_VALUE);
     215           0 :   xfree (cr->x509.siginfo.der);
     216           0 :   cr->x509.siginfo.der = NULL;
     217             : 
     218           0 :   return _ksba_algoinfo_from_sexp (siginfo, &cr->x509.siginfo.der,
     219             :                                    &cr->x509.siginfo.derlen);
     220             : }
     221             : 
     222             : 
     223             : 
     224             : /* Store the subject's name.  Does perform some syntactic checks on
     225             :    the name.  The first added subject is the real one, all subsequent
     226             :    calls add subjectAltNames.
     227             : 
     228             :    NAME must be a valid RFC-2253 encoded DN name for the first one or an
     229             :    email address enclosed in angle brackets for all further calls.
     230             :  */
     231             : gpg_error_t
     232           0 : ksba_certreq_add_subject (ksba_certreq_t cr, const char *name)
     233             : {
     234             :   unsigned long namelen;
     235             :   size_t n, n1;
     236             :   struct general_names_s *gn;
     237             :   unsigned char *der;
     238             :   int tag;
     239             :   const char *endp;
     240             : 
     241           0 :   if (!cr || !name)
     242           0 :     return gpg_error (GPG_ERR_INV_VALUE);
     243           0 :   if (!cr->subject.der)
     244           0 :     return _ksba_dn_from_str (name, &cr->subject.der, &cr->subject.derlen);
     245             :   /* This is assumed to be an subjectAltName. */
     246             : 
     247             :   /* Note that the way we pass the name should match what
     248             :      ksba_cert_get_subject() returns.  In particular we expect that it
     249             :      is a real string and thus a canonical S-expression is
     250             :      additionally terminated by a 0. */
     251           0 :   namelen = strlen (name);
     252           0 :   if (*name == '<' && name[namelen-1] == '>'
     253           0 :       && namelen >= 4 && strchr (name, '@'))
     254             :     {
     255           0 :       name++;
     256           0 :       namelen -= 2;
     257           0 :       tag = 1;  /* rfc822Name */
     258             :     }
     259           0 :   else if (!strncmp (name, "(8:dns-name", 11))
     260             :     {
     261           0 :       tag = 2; /* dNSName */
     262           0 :       namelen = strtoul (name+11, (char**)&endp, 10);
     263           0 :       name = endp;
     264           0 :       if (!namelen || *name != ':')
     265           0 :         return gpg_error (GPG_ERR_INV_SEXP);
     266           0 :       name++;
     267             :     }
     268           0 :   else if (!strncmp (name, "(3:uri", 6))
     269             :     {
     270           0 :       tag = 6; /* uRI */
     271           0 :       namelen = strtoul (name+6, (char**)&endp, 10);
     272           0 :       name = endp;
     273           0 :       if (!namelen || *name != ':')
     274           0 :         return gpg_error (GPG_ERR_INV_SEXP);
     275           0 :       name++;
     276             :     }
     277             :   else
     278           0 :     return gpg_error (GPG_ERR_INV_VALUE);
     279             : 
     280           0 :   n1  = _ksba_ber_count_tl (tag, CLASS_CONTEXT, 0, namelen);
     281           0 :   n1 += namelen;
     282             : 
     283           0 :   gn = xtrymalloc (sizeof *gn + n1 - 1);
     284           0 :   if (!gn)
     285           0 :     return gpg_error_from_errno (errno);
     286           0 :   gn->tag = tag;
     287           0 :   gn->datalen = n1;
     288           0 :   der = (unsigned char *)gn->data;
     289           0 :   n = _ksba_ber_encode_tl (der, tag, CLASS_CONTEXT, 0, namelen);
     290           0 :   if (!n)
     291           0 :     return gpg_error (GPG_ERR_BUG);
     292           0 :   der += n;
     293           0 :   memcpy (der, name, namelen);
     294           0 :   assert (der + namelen - (unsigned char*)gn->data == n1);
     295             : 
     296           0 :   gn->next = cr->subject_alt_names;
     297           0 :   cr->subject_alt_names = gn;
     298             : 
     299           0 :   return 0;
     300             : }
     301             : 
     302             : 
     303             : /* Add the GeneralNames object GNAMES to the list of extensions in CR.
     304             :    Use OID as object identifier for the extensions. */
     305             : static gpg_error_t
     306           0 : add_general_names_to_extn (ksba_certreq_t cr, struct general_names_s *gnames,
     307             :                            const char *oid)
     308             : {
     309             :   struct general_names_s *g;
     310             :   size_t n, n1, n2;
     311             :   struct extn_list_s *e;
     312             :   unsigned char *der;
     313             : 
     314             :   /* Calculate the required size. */
     315           0 :   n1 = 0;
     316           0 :   for (g=gnames; g; g = g->next)
     317           0 :     n1 += g->datalen;
     318             : 
     319           0 :   n2  = _ksba_ber_count_tl (TYPE_SEQUENCE, CLASS_UNIVERSAL, 1, n1);
     320           0 :   n2 += n1;
     321             : 
     322             :   /* Allocate memory and encode all. */
     323           0 :   e = xtrymalloc (sizeof *e + n2 - 1);
     324           0 :   if (!e)
     325           0 :     return gpg_error_from_errno (errno);
     326           0 :   e->oid = oid;
     327           0 :   e->critical = 0;
     328           0 :   e->derlen = n2;
     329           0 :   der = e->der;
     330           0 :   n = _ksba_ber_encode_tl (der, TYPE_SEQUENCE, CLASS_UNIVERSAL, 1, n1);
     331           0 :   if (!n)
     332           0 :     return gpg_error (GPG_ERR_BUG); /* (no need to cleanup after a bug) */
     333           0 :   der += n;
     334             : 
     335           0 :   for (g=gnames; g; g = g->next)
     336             :     {
     337           0 :       memcpy (der, g->data, g->datalen);
     338           0 :       der += g->datalen;
     339             :     }
     340           0 :   assert (der - e->der == n2);
     341             : 
     342           0 :   e->next = cr->extn_list;
     343           0 :   cr->extn_list = e;
     344           0 :   return 0;
     345             : }
     346             : 
     347             : /* Store the subject's publickey. */
     348             : gpg_error_t
     349           0 : ksba_certreq_set_public_key (ksba_certreq_t cr, ksba_const_sexp_t key)
     350             : {
     351           0 :   if (!cr)
     352           0 :     return gpg_error (GPG_ERR_INV_VALUE);
     353           0 :   xfree (cr->key.der);
     354           0 :   cr->key.der = NULL;
     355           0 :   return _ksba_keyinfo_from_sexp (key, &cr->key.der, &cr->key.derlen);
     356             : }
     357             : 
     358             : 
     359             : /* Generic function to add an extension to a certificate request.  The
     360             :    extension must be provided readily encoded in the buffer DER of
     361             :    length DERLEN bytes; the OID is to be given in OID and IS_CRIT
     362             :    should be set to true if that extension shall be marked
     363             :    critical. */
     364             : gpg_error_t
     365           0 : ksba_certreq_add_extension (ksba_certreq_t cr,
     366             :                             const char *oid, int is_crit,
     367             :                             const void *der, size_t derlen)
     368             : {
     369             :   size_t oidlen;
     370             :   struct extn_list_s *e;
     371             : 
     372           0 :   if (!cr || !oid|| !*oid || !der || !derlen)
     373           0 :     return gpg_error (GPG_ERR_INV_VALUE);
     374             : 
     375           0 :   oidlen = strlen (oid);
     376           0 :   e = xtrymalloc (sizeof *e + derlen + oidlen);
     377           0 :   if (!e)
     378           0 :     return gpg_error_from_errno (errno);
     379           0 :   e->critical = is_crit;
     380           0 :   e->derlen = derlen;
     381           0 :   memcpy (e->der, der, derlen);
     382           0 :   strcpy (e->der+derlen, oid);
     383           0 :   e->oid = e->der + derlen;
     384             : 
     385           0 :   e->next = cr->extn_list;
     386           0 :   cr->extn_list = e;
     387             : 
     388           0 :   return 0;
     389             : }
     390             : 
     391             : 
     392             : 
     393             : 
     394             : /*
     395             :  * r_sig  = (sig-val
     396             :  *            (<algo>
     397             :  *              (<param_name1> <mpi>)
     398             :  *              ...
     399             :  *              (<param_namen> <mpi>)
     400             :  *            ))
     401             :  * The sexp must be in canonical form.
     402             :  * Fixme:  The code is mostly duplicated from cms.c
     403             :  * Note, that <algo> must be given as a stringified OID or the special
     404             :  * string "rsa" which is translated to sha1WithRSAEncryption
     405             : */
     406             : gpg_error_t
     407           0 : ksba_certreq_set_sig_val (ksba_certreq_t cr, ksba_const_sexp_t sigval)
     408             : {
     409             :   const char *s, *endp;
     410             :   unsigned long n;
     411             : 
     412           0 :   if (!cr)
     413           0 :     return gpg_error (GPG_ERR_INV_VALUE);
     414             : 
     415           0 :   s = sigval;
     416           0 :   if (*s != '(')
     417           0 :     return gpg_error (GPG_ERR_INV_SEXP);
     418           0 :   s++;
     419             : 
     420           0 :   n = strtoul (s, (char**)&endp, 10);
     421           0 :   s = endp;
     422           0 :   if (!n || *s!=':')
     423           0 :     return gpg_error (GPG_ERR_INV_SEXP); /* we don't allow empty lengths */
     424           0 :   s++;
     425           0 :   if (n != 7 || memcmp (s, "sig-val", 7))
     426           0 :     return gpg_error (GPG_ERR_UNKNOWN_SEXP);
     427           0 :   s += 7;
     428           0 :   if (*s != '(')
     429           0 :     return gpg_error (digitp (s)? GPG_ERR_UNKNOWN_SEXP : GPG_ERR_INV_SEXP);
     430           0 :   s++;
     431             : 
     432             :   /* break out the algorithm ID */
     433           0 :   n = strtoul (s, (char**)&endp, 10);
     434           0 :   s = endp;
     435           0 :   if (!n || *s != ':')
     436           0 :     return gpg_error (GPG_ERR_INV_SEXP); /* we don't allow empty lengths */
     437           0 :   s++;
     438           0 :   xfree (cr->sig_val.algo);
     439           0 :   if (n==3 && s[0] == 'r' && s[1] == 's' && s[2] == 'a')
     440             :     { /* kludge to allow "rsa" to be passed as algorithm name */
     441           0 :       cr->sig_val.algo = xtrystrdup ("1.2.840.113549.1.1.5");
     442           0 :       if (!cr->sig_val.algo)
     443           0 :         return gpg_error (GPG_ERR_ENOMEM);
     444             :     }
     445             :   else
     446             :     {
     447           0 :       cr->sig_val.algo = xtrymalloc (n+1);
     448           0 :       if (!cr->sig_val.algo)
     449           0 :         return gpg_error (GPG_ERR_ENOMEM);
     450           0 :       memcpy (cr->sig_val.algo, s, n);
     451           0 :       cr->sig_val.algo[n] = 0;
     452             :     }
     453           0 :   s += n;
     454             : 
     455             :   /* And now the values - FIXME: For now we only support one */
     456             :   /* fixme: start loop */
     457           0 :   if (*s != '(')
     458           0 :     return gpg_error (digitp (s)? GPG_ERR_UNKNOWN_SEXP : GPG_ERR_INV_SEXP);
     459           0 :   s++;
     460           0 :   n = strtoul (s, (char**)&endp, 10);
     461           0 :   s = endp;
     462           0 :   if (!n || *s != ':')
     463           0 :     return gpg_error (GPG_ERR_INV_SEXP);
     464           0 :   s++;
     465           0 :   s += n; /* ignore the name of the parameter */
     466             : 
     467           0 :   if (!digitp(s))
     468           0 :     return gpg_error (GPG_ERR_UNKNOWN_SEXP); /* but may also be an invalid one */
     469           0 :   n = strtoul (s, (char**)&endp, 10);
     470           0 :   s = endp;
     471           0 :   if (!n || *s != ':')
     472           0 :     return gpg_error (GPG_ERR_INV_SEXP);
     473           0 :   s++;
     474           0 :   if (n > 1 && !*s)
     475             :     { /* We might have a leading zero due to the way we encode
     476             :          MPIs - this zero should not go into the BIT STRING.  */
     477           0 :       s++;
     478           0 :       n--;
     479             :     }
     480           0 :   xfree (cr->sig_val.value);
     481           0 :   cr->sig_val.value = xtrymalloc (n);
     482           0 :   if (!cr->sig_val.value)
     483           0 :     return gpg_error (GPG_ERR_ENOMEM);
     484           0 :   memcpy (cr->sig_val.value, s, n);
     485           0 :   cr->sig_val.valuelen = n;
     486           0 :   s += n;
     487           0 :   if ( *s != ')')
     488           0 :     return gpg_error (GPG_ERR_UNKNOWN_SEXP); /* but may also be an invalid one */
     489           0 :   s++;
     490             :   /* fixme: end loop over parameters */
     491             : 
     492             :   /* we need 2 closing parenthesis */
     493           0 :   if ( *s != ')' || s[1] != ')')
     494           0 :     return gpg_error (GPG_ERR_INV_SEXP);
     495             : 
     496           0 :   return 0;
     497             : }
     498             : 
     499             : 
     500             : 
     501             : /* Build the extension block and return it in R_DER and R_DERLEN.  IF
     502             :    CERTMODE is true build X.509 certificate extension instead.  */
     503             : static gpg_error_t
     504           0 : build_extensions (ksba_certreq_t cr, int certmode,
     505             :                   void **r_der, size_t *r_derlen)
     506             : {
     507             :   gpg_error_t err;
     508           0 :   ksba_writer_t writer, w=NULL;
     509             :   struct extn_list_s *e;
     510           0 :   unsigned char *value = NULL;
     511             :   size_t valuelen;
     512             :   unsigned char *p;
     513             :   size_t n;
     514             : 
     515           0 :   *r_der = NULL;
     516           0 :   *r_derlen = 0;
     517           0 :   err = ksba_writer_new (&writer);
     518           0 :   if (err)
     519           0 :     goto leave;
     520           0 :   err = ksba_writer_set_mem (writer, 2048);
     521           0 :   if (err)
     522           0 :     goto leave;
     523           0 :   err = ksba_writer_new (&w);
     524           0 :   if (err)
     525           0 :     goto leave;
     526             : 
     527           0 :   for (e=cr->extn_list; e; e = e->next)
     528             :     {
     529           0 :       err = ksba_writer_set_mem (w, e->derlen + 100);
     530           0 :       if (err)
     531           0 :         goto leave;
     532             : 
     533           0 :       err = ksba_oid_from_str (e->oid, &p, &n);
     534           0 :       if(err)
     535           0 :         goto leave;
     536           0 :       err = _ksba_ber_write_tl (w, TYPE_OBJECT_ID, CLASS_UNIVERSAL, 0, n);
     537           0 :       if (!err)
     538           0 :         err = ksba_writer_write (w, p, n);
     539           0 :       xfree (p);
     540             : 
     541           0 :       if (e->critical)
     542             :         {
     543           0 :           err = _ksba_ber_write_tl (w, TYPE_BOOLEAN, CLASS_UNIVERSAL, 0, 1);
     544           0 :           if (!err)
     545           0 :             err = ksba_writer_write (w, "\xff", 1);
     546           0 :           if(err)
     547           0 :             goto leave;
     548             :         }
     549             : 
     550           0 :       err = _ksba_ber_write_tl (w, TYPE_OCTET_STRING, CLASS_UNIVERSAL,
     551           0 :                                 0, e->derlen);
     552           0 :       if (!err)
     553           0 :         err = ksba_writer_write (w, e->der, e->derlen);
     554           0 :       if(err)
     555           0 :         goto leave;
     556             : 
     557           0 :       p = ksba_writer_snatch_mem (w, &n);
     558           0 :       if (!p)
     559             :         {
     560           0 :           err = gpg_error (GPG_ERR_ENOMEM);
     561           0 :           goto leave;
     562             :         }
     563           0 :       err = _ksba_ber_write_tl (writer, TYPE_SEQUENCE, CLASS_UNIVERSAL,
     564             :                                 1, n);
     565           0 :       if (!err)
     566           0 :         err = ksba_writer_write (writer, p, n);
     567           0 :       xfree (p); p = NULL;
     568           0 :       if (err)
     569           0 :         goto leave;
     570             :     }
     571             : 
     572             :   /* Embed all the sequences into another sequence */
     573           0 :   value = ksba_writer_snatch_mem (writer, &valuelen);
     574           0 :   if (!value)
     575             :     {
     576           0 :       err = gpg_error (GPG_ERR_ENOMEM);
     577           0 :       goto leave;
     578             :     }
     579           0 :   err = ksba_writer_set_mem (writer, valuelen+10);
     580           0 :   if (err)
     581           0 :     goto leave;
     582           0 :   err = _ksba_ber_write_tl (writer, TYPE_SEQUENCE, CLASS_UNIVERSAL,
     583             :                             1, valuelen);
     584           0 :   if (!err)
     585           0 :     err = ksba_writer_write (writer, value, valuelen);
     586           0 :   if (err)
     587           0 :     goto leave;
     588             : 
     589           0 :   xfree (value);
     590           0 :   value = ksba_writer_snatch_mem (writer, &valuelen);
     591           0 :   if (!value)
     592             :     {
     593           0 :       err = gpg_error (GPG_ERR_ENOMEM);
     594           0 :       goto leave;
     595             :     }
     596             : 
     597           0 :   if (!certmode)
     598             :     {
     599             :       /* Now create the extension request sequence content */
     600           0 :       err = ksba_writer_set_mem (writer, valuelen+100);
     601           0 :       if (err)
     602           0 :         goto leave;
     603           0 :       err = ksba_oid_from_str (oidstr_extensionReq, &p, &n);
     604           0 :       if(err)
     605           0 :         goto leave;
     606           0 :       err = _ksba_ber_write_tl (writer, TYPE_OBJECT_ID, CLASS_UNIVERSAL, 0, n);
     607           0 :       if (!err)
     608           0 :         err = ksba_writer_write (writer, p, n);
     609           0 :       xfree (p); p = NULL;
     610           0 :       if (err)
     611           0 :         return err;
     612           0 :       err = _ksba_ber_write_tl (writer, TYPE_SET, CLASS_UNIVERSAL, 1, valuelen);
     613           0 :       if (!err)
     614           0 :         err = ksba_writer_write (writer, value, valuelen);
     615             : 
     616             :       /* Put this all into a SEQUENCE */
     617           0 :       xfree (value);
     618           0 :       value = ksba_writer_snatch_mem (writer, &valuelen);
     619           0 :       if (!value)
     620             :         {
     621           0 :           err = gpg_error (GPG_ERR_ENOMEM);
     622           0 :           goto leave;
     623             :         }
     624           0 :       err = ksba_writer_set_mem (writer, valuelen+10);
     625           0 :       if (err)
     626           0 :         goto leave;
     627           0 :       err = _ksba_ber_write_tl (writer, TYPE_SEQUENCE, CLASS_UNIVERSAL,
     628             :                                 1, valuelen);
     629           0 :       if (!err)
     630           0 :         err = ksba_writer_write (writer, value, valuelen);
     631           0 :       if (err)
     632           0 :         goto leave;
     633             : 
     634           0 :       xfree (value);
     635           0 :       value = ksba_writer_snatch_mem (writer, &valuelen);
     636           0 :       if (!value)
     637             :         {
     638           0 :           err = gpg_error (GPG_ERR_ENOMEM);
     639           0 :           goto leave;
     640             :         }
     641             :     }
     642             : 
     643           0 :   *r_der = value;
     644           0 :   *r_derlen = valuelen;
     645           0 :   value = NULL;
     646             : 
     647             : 
     648             :  leave:
     649           0 :   ksba_writer_release (writer);
     650           0 :   ksba_writer_release (w);
     651           0 :   xfree (value);
     652           0 :   return err;
     653             : }
     654             : 
     655             : 
     656             : /* Build a value tree from the already stored values. */
     657             : static gpg_error_t
     658           0 : build_cri (ksba_certreq_t cr)
     659             : {
     660             :   gpg_error_t err;
     661             :   ksba_writer_t writer;
     662           0 :   void *value = NULL;
     663             :   size_t valuelen;
     664             :   int certmode;
     665             : 
     666             :   /* If a serial number has been set, we don't create a CSR but a
     667             :      proper certificate.  */
     668           0 :   certmode = !!cr->x509.serial.der;
     669             : 
     670           0 :   err = ksba_writer_new (&writer);
     671           0 :   if (err)
     672           0 :     goto leave;
     673           0 :   err = ksba_writer_set_mem (writer, 2048);
     674           0 :   if (err)
     675           0 :     goto leave;
     676             : 
     677           0 :   if (!cr->key.der)
     678             :     {
     679           0 :       err = gpg_error (GPG_ERR_MISSING_VALUE);
     680           0 :       goto leave;
     681             :     }
     682             : 
     683             :   /* We write all stuff out to a temporary writer object, then use
     684             :      this object to create the cri and store the cri image */
     685             : 
     686           0 :   if (certmode)
     687             :     {
     688             :       /* Store the version structure; version is 3 (encoded as 2):
     689             :          [0] { INTEGER 2 }  */
     690           0 :       err = ksba_writer_write (writer, "\xa0\x03\x02\x01\x02", 5);
     691             :     }
     692             :   else
     693             :     {
     694             :       /* Store version v1 (which is a 0).  */
     695           0 :       err = _ksba_ber_write_tl (writer, TYPE_INTEGER, CLASS_UNIVERSAL, 0, 1);
     696           0 :       if (!err)
     697           0 :         err = ksba_writer_write (writer, "", 1);
     698             :     }
     699           0 :   if (err)
     700           0 :     goto leave;
     701             : 
     702             :   /* For a certificate we need to store the s/n, the signature
     703             :      algorithm identifier, the issuer DN and the validity.  */
     704           0 :   if (certmode)
     705             :     {
     706             :       /* Store the serial number. */
     707           0 :       err = _ksba_ber_write_tl (writer, TYPE_INTEGER, CLASS_UNIVERSAL, 0,
     708             :                                 cr->x509.serial.derlen);
     709           0 :       if (!err)
     710           0 :         err = ksba_writer_write (writer,
     711           0 :                                  cr->x509.serial.der, cr->x509.serial.derlen);
     712           0 :       if (err)
     713           0 :         goto leave;
     714             : 
     715             :       /* Store the signature algorithm identifier.  */
     716           0 :       if (!cr->x509.siginfo.der)
     717           0 :         err = gpg_error (GPG_ERR_MISSING_VALUE);
     718             :       else
     719           0 :         err = ksba_writer_write (writer,
     720           0 :                                  cr->x509.siginfo.der, cr->x509.siginfo.derlen);
     721           0 :       if (err)
     722           0 :         goto leave;
     723             : 
     724             : 
     725             :       /* Store the issuer DN.  If no issuer DN has been set we use the
     726             :          subject DN.  */
     727           0 :       if (cr->x509.issuer.der)
     728           0 :         err = ksba_writer_write (writer,
     729           0 :                                  cr->x509.issuer.der, cr->x509.issuer.derlen);
     730           0 :       else if (cr->subject.der)
     731           0 :         err = ksba_writer_write (writer, cr->subject.der, cr->subject.derlen);
     732             :       else
     733           0 :         err = gpg_error (GPG_ERR_MISSING_VALUE);
     734           0 :       if (err)
     735           0 :         goto leave;
     736             : 
     737             :       /* Store the Validity.  */
     738             :       {
     739             :         unsigned char templ[36];
     740             :         unsigned char *tp;
     741             : 
     742           0 :         tp = templ;
     743           0 :         *tp++ = 0x30;
     744           0 :         *tp++ = 0x22;
     745             : 
     746           0 :         *tp++ = TYPE_GENERALIZED_TIME;
     747           0 :         *tp++ = 15;
     748           0 :         if (cr->x509.not_before[0])
     749             :           {
     750           0 :             if (_ksba_cmp_time (cr->x509.not_before, "20500101T000000") >= 0)
     751             :               {
     752           0 :                 memcpy (tp, cr->x509.not_before, 8);
     753           0 :                 tp += 8;
     754           0 :                 memcpy (tp, cr->x509.not_before+9, 6);
     755           0 :                 tp += 6;
     756             :               }
     757             :             else
     758             :               {
     759           0 :                 tp[-2] = TYPE_UTC_TIME;
     760           0 :                 tp[-1] = 13;
     761           0 :                 memcpy (tp, cr->x509.not_before+2, 6);
     762           0 :                 tp += 6;
     763           0 :                 memcpy (tp, cr->x509.not_before+9, 6);
     764           0 :                 tp += 6;
     765             :               }
     766             :           }
     767             :         else
     768             :           {
     769           0 :             tp[-2] = TYPE_UTC_TIME;
     770           0 :             tp[-1] = 13;
     771           0 :             memcpy (tp, "110101000000", 12);
     772           0 :             tp += 12;
     773             :           }
     774           0 :         *tp++ = 'Z';
     775             : 
     776           0 :         *tp++ = TYPE_GENERALIZED_TIME;
     777           0 :         *tp++ = 15;
     778           0 :         if (cr->x509.not_after[0])
     779             :           {
     780           0 :             if (_ksba_cmp_time (cr->x509.not_after, "20500101T000000") >= 0)
     781             :               {
     782           0 :                 memcpy (tp, cr->x509.not_after, 8);
     783           0 :                 tp += 8;
     784           0 :                 memcpy (tp, cr->x509.not_after+9, 6);
     785           0 :                 tp += 6;
     786             :               }
     787             :             else
     788             :               {
     789           0 :                 tp[-2] = TYPE_UTC_TIME;
     790           0 :                 tp[-1] = 13;
     791           0 :                 memcpy (tp, cr->x509.not_after+2, 6);
     792           0 :                 tp += 6;
     793           0 :                 memcpy (tp, cr->x509.not_after+9, 6);
     794           0 :                 tp += 6;
     795             :               }
     796             :           }
     797             :         else
     798             :           {
     799           0 :             memcpy (tp,"20630405170000", 14);
     800           0 :             tp += 14;
     801             :           }
     802           0 :         *tp++ = 'Z';
     803           0 :         assert (tp - templ <= 36);
     804           0 :         templ[1] = tp - templ - 2;  /* Fixup the sequence length.  */
     805             : 
     806           0 :         err = ksba_writer_write (writer, templ, tp - templ);
     807           0 :         if (err)
     808           0 :           goto leave;
     809             :       }
     810             :     }
     811             : 
     812             :   /* store the subject */
     813           0 :   if (!cr->subject.der)
     814             :     {
     815           0 :       err = gpg_error (GPG_ERR_MISSING_VALUE);
     816           0 :       goto leave;
     817             :     }
     818           0 :   err = ksba_writer_write (writer, cr->subject.der, cr->subject.derlen);
     819           0 :   if (err)
     820           0 :     goto leave;
     821             : 
     822             :   /* store the public key info */
     823           0 :   err = ksba_writer_write (writer, cr->key.der, cr->key.derlen);
     824           0 :   if (err)
     825           0 :     goto leave;
     826             : 
     827             :   /* Copy generalNames objects to the extension list. */
     828           0 :   if (cr->subject_alt_names)
     829             :     {
     830           0 :       err = add_general_names_to_extn (cr, cr->subject_alt_names,
     831             :                                        oidstr_subjectAltName);
     832           0 :       if (err)
     833           0 :         goto leave;
     834           0 :       while (cr->subject_alt_names)
     835             :         {
     836           0 :           struct general_names_s *tmp = cr->subject_alt_names->next;
     837           0 :           xfree (cr->subject_alt_names);
     838           0 :           cr->subject_alt_names = tmp;
     839             :         }
     840           0 :       cr->subject_alt_names = NULL;
     841             :     }
     842             : 
     843             : 
     844             :   /* Write the extensions.  Note that the implicit SET OF is REQUIRED */
     845           0 :   xfree (value); value = NULL;
     846           0 :   valuelen = 0;
     847           0 :   if (cr->extn_list)
     848             :     {
     849           0 :       err = build_extensions (cr, certmode, &value, &valuelen);
     850           0 :       if (err)
     851           0 :         goto leave;
     852           0 :       err = _ksba_ber_write_tl (writer, certmode? 3:0,
     853             :                                 CLASS_CONTEXT, 1, valuelen);
     854           0 :       if (!err)
     855           0 :         err = ksba_writer_write (writer, value, valuelen);
     856           0 :       if (err)
     857           0 :         goto leave;
     858             :     }
     859             :   else
     860             :     { /* We can't write an object of length zero using our ber_write
     861             :          function.  So we must open encode it. */
     862           0 :       err = ksba_writer_write (writer,
     863             :                                certmode? "\xa3\x02\x30":"\xa0\x02\x30", 4);
     864           0 :       if (err)
     865           0 :         goto leave;
     866             :     }
     867             : 
     868             : 
     869             :   /* pack it into the sequence */
     870           0 :   xfree (value);
     871           0 :   value = ksba_writer_snatch_mem (writer, &valuelen);
     872           0 :   if (!value)
     873             :     {
     874           0 :       err = gpg_error (GPG_ERR_ENOMEM);
     875           0 :       goto leave;
     876             :     }
     877             :   /* reinitialize the buffer to create the outer sequence */
     878           0 :   err = ksba_writer_set_mem (writer, valuelen+10);
     879           0 :   if (err)
     880           0 :     goto leave;
     881             :   /* write outer sequence */
     882           0 :   err = _ksba_ber_write_tl (writer, TYPE_SEQUENCE, CLASS_UNIVERSAL,
     883             :                             1, valuelen);
     884           0 :   if (!err)
     885           0 :     err = ksba_writer_write (writer, value, valuelen);
     886           0 :   if (err)
     887           0 :     goto leave;
     888             : 
     889             :   /* and store the final result */
     890           0 :   cr->cri.der = ksba_writer_snatch_mem (writer, &cr->cri.derlen);
     891           0 :   if (!cr->cri.der)
     892           0 :     err = gpg_error (GPG_ERR_ENOMEM);
     893             : 
     894             :  leave:
     895           0 :   ksba_writer_release (writer);
     896           0 :   xfree (value);
     897           0 :   return err;
     898             : }
     899             : 
     900             : static gpg_error_t
     901           0 : hash_cri (ksba_certreq_t cr)
     902             : {
     903           0 :   if (!cr->hash_fnc)
     904           0 :     return gpg_error (GPG_ERR_MISSING_ACTION);
     905           0 :   if (!cr->cri.der)
     906           0 :     return gpg_error (GPG_ERR_INV_STATE);
     907           0 :   cr->hash_fnc (cr->hash_fnc_arg, cr->cri.der, cr->cri.derlen);
     908           0 :   return 0;
     909             : }
     910             : 
     911             : 
     912             : /* The user has calculated the signatures and we can now write
     913             :    the signature */
     914             : static gpg_error_t
     915           0 : sign_and_write (ksba_certreq_t cr)
     916             : {
     917             :   gpg_error_t err;
     918             :   ksba_writer_t writer;
     919           0 :   void *value = NULL;
     920             :   size_t valuelen;
     921             : 
     922           0 :   err = ksba_writer_new (&writer);
     923           0 :   if (err)
     924           0 :     goto leave;
     925           0 :   err = ksba_writer_set_mem (writer, 2048);
     926           0 :   if (err)
     927           0 :     goto leave;
     928             : 
     929             :   /* store the cri */
     930           0 :   if (!cr->cri.der)
     931             :     {
     932           0 :       err = gpg_error (GPG_ERR_MISSING_VALUE);
     933           0 :       goto leave;
     934             :     }
     935           0 :   err = ksba_writer_write (writer, cr->cri.der, cr->cri.derlen);
     936           0 :   if (err)
     937           0 :     goto leave;
     938             : 
     939             :   /* store the signatureAlgorithm */
     940           0 :   if (!cr->sig_val.algo)
     941           0 :     return gpg_error (GPG_ERR_MISSING_VALUE);
     942           0 :   err = _ksba_der_write_algorithm_identifier (writer,
     943           0 :                                               cr->sig_val.algo, NULL, 0);
     944           0 :   if (err)
     945           0 :     goto leave;
     946             : 
     947             :   /* write the signature */
     948           0 :   err = _ksba_ber_write_tl (writer, TYPE_BIT_STRING, CLASS_UNIVERSAL, 0,
     949           0 :                             1 + cr->sig_val.valuelen);
     950           0 :   if (!err)
     951           0 :     err = ksba_writer_write (writer, "", 1);
     952           0 :   if (!err)
     953           0 :     err = ksba_writer_write (writer, cr->sig_val.value, cr->sig_val.valuelen);
     954           0 :   if (err)
     955           0 :     goto leave;
     956             : 
     957             :   /* pack it into the outer sequence */
     958           0 :   value = ksba_writer_snatch_mem (writer, &valuelen);
     959           0 :   if (!value)
     960             :     {
     961           0 :       err = gpg_error (GPG_ERR_ENOMEM);
     962           0 :       goto leave;
     963             :     }
     964           0 :   err = ksba_writer_set_mem (writer, valuelen+10);
     965           0 :   if (err)
     966           0 :     goto leave;
     967             :   /* write outer sequence */
     968           0 :   err = _ksba_ber_write_tl (writer, TYPE_SEQUENCE, CLASS_UNIVERSAL,
     969             :                             1, valuelen);
     970           0 :   if (!err)
     971           0 :     err = ksba_writer_write (writer, value, valuelen);
     972           0 :   if (err)
     973           0 :     goto leave;
     974             : 
     975             :   /* and finally write the result */
     976           0 :   xfree (value);
     977           0 :   value = ksba_writer_snatch_mem (writer, &valuelen);
     978           0 :   if (!value)
     979           0 :     err = gpg_error (GPG_ERR_ENOMEM);
     980           0 :   else if (!cr->writer)
     981           0 :     err = gpg_error (GPG_ERR_MISSING_ACTION);
     982             :   else
     983           0 :     err = ksba_writer_write (cr->writer, value, valuelen);
     984             : 
     985             :  leave:
     986           0 :   ksba_writer_release (writer);
     987           0 :   xfree (value);
     988           0 :   return err;
     989             : }
     990             : 
     991             : 
     992             : 
     993             : /* The main function to build a certificate request.  It used used in
     994             :    a loop so allow for interaction between the function and the caller */
     995             : gpg_error_t
     996           0 : ksba_certreq_build (ksba_certreq_t cr, ksba_stop_reason_t *r_stopreason)
     997             : {
     998             :   enum {
     999             :     sSTART,
    1000             :     sHASHING,
    1001             :     sGOTSIG,
    1002             :     sERROR
    1003           0 :   } state = sERROR;
    1004           0 :   gpg_error_t err = 0;
    1005             :   ksba_stop_reason_t stop_reason;
    1006             : 
    1007           0 :   if (!cr || !r_stopreason)
    1008           0 :     return gpg_error (GPG_ERR_INV_VALUE);
    1009             : 
    1010           0 :   if (!cr->any_build_done)
    1011             :     { /* first time initialization of the stop reason */
    1012           0 :       *r_stopreason = 0;
    1013           0 :       cr->any_build_done = 1;
    1014             :     }
    1015             : 
    1016             :   /* Calculate state from last reason */
    1017           0 :   stop_reason = *r_stopreason;
    1018           0 :   *r_stopreason = KSBA_SR_RUNNING;
    1019           0 :   switch (stop_reason)
    1020             :     {
    1021             :     case 0:
    1022           0 :       state = sSTART;
    1023           0 :       break;
    1024             :     case KSBA_SR_NEED_HASH:
    1025           0 :       state = sHASHING;
    1026           0 :       break;
    1027             :     case KSBA_SR_NEED_SIG:
    1028           0 :       if (!cr->sig_val.algo)
    1029           0 :         err = gpg_error (GPG_ERR_MISSING_ACTION);
    1030             :       else
    1031           0 :         state = sGOTSIG;
    1032           0 :       break;
    1033             :     case KSBA_SR_RUNNING:
    1034           0 :       err = gpg_error (GPG_ERR_INV_STATE);
    1035           0 :       break;
    1036             :     default:
    1037           0 :       err = gpg_error (GPG_ERR_BUG);
    1038           0 :       break;
    1039             :     }
    1040           0 :   if (err)
    1041           0 :     return err;
    1042             : 
    1043             :   /* Do the action */
    1044           0 :   switch (state)
    1045             :     {
    1046             :     case sSTART:
    1047           0 :       err = build_cri (cr);
    1048           0 :       break;
    1049             :     case sHASHING:
    1050           0 :       err = hash_cri (cr);
    1051           0 :       break;
    1052             :     case sGOTSIG:
    1053           0 :       err = sign_and_write (cr);
    1054           0 :       break;
    1055             :     default:
    1056           0 :       err = gpg_error (GPG_ERR_INV_STATE);
    1057           0 :       break;
    1058             :     }
    1059           0 :   if (err)
    1060           0 :     return err;
    1061             : 
    1062             :   /* Calculate new stop reason */
    1063           0 :   switch (state)
    1064             :     {
    1065             :     case sSTART:
    1066           0 :       stop_reason = KSBA_SR_NEED_HASH; /* caller should set the hash function*/
    1067           0 :       break;
    1068             :     case sHASHING:
    1069           0 :       stop_reason = KSBA_SR_NEED_SIG;
    1070           0 :       break;
    1071             :     case sGOTSIG:
    1072           0 :       stop_reason = KSBA_SR_READY;
    1073           0 :       break;
    1074             :     default:
    1075           0 :       break;
    1076             :     }
    1077             : 
    1078           0 :   *r_stopreason = stop_reason;
    1079           0 :   return 0;
    1080             : }

Generated by: LCOV version 1.12