mirror of
https://git.openldap.org/openldap/openldap.git
synced 2024-12-21 03:10:25 +08:00
certificate handling cleanup
This commit is contained in:
parent
548a9f39ba
commit
14bd1744b7
@ -113,6 +113,12 @@ enum {
|
||||
SLAP_X509_V3 = 2
|
||||
};
|
||||
|
||||
enum {
|
||||
SLAP_TAG_UTCTIME = 0x17U,
|
||||
SLAP_TAG_GENERALIZEDTIME = 0x18U
|
||||
};
|
||||
|
||||
|
||||
#define SLAP_X509_OPTION (LBER_CLASS_CONTEXT|LBER_CONSTRUCTED)
|
||||
|
||||
enum {
|
||||
@ -127,7 +133,8 @@ enum {
|
||||
};
|
||||
|
||||
/* X.509 certificate validation */
|
||||
static int certificateValidate( Syntax *syntax, struct berval *in )
|
||||
static int
|
||||
certificateValidate( Syntax *syntax, struct berval *in )
|
||||
{
|
||||
BerElementBuffer berbuf;
|
||||
BerElement *ber = (BerElement *)&berbuf;
|
||||
@ -199,7 +206,8 @@ static int certificateValidate( Syntax *syntax, struct berval *in )
|
||||
}
|
||||
|
||||
/* X.509 certificate list validation */
|
||||
static int certificateListValidate( Syntax *syntax, struct berval *in )
|
||||
static int
|
||||
certificateListValidate( Syntax *syntax, struct berval *in )
|
||||
{
|
||||
BerElementBuffer berbuf;
|
||||
BerElement *ber = (BerElement *)&berbuf;
|
||||
@ -227,11 +235,11 @@ static int certificateListValidate( Syntax *syntax, struct berval *in )
|
||||
ber_skip_data( ber, len );
|
||||
tag = ber_skip_tag( ber, &len ); /* thisUpdate */
|
||||
/* Time is a CHOICE { UTCTime, GeneralizedTime } */
|
||||
if ( tag != 0x17U && tag != 0x18U ) return LDAP_INVALID_SYNTAX;
|
||||
if ( tag != SLAP_TAG_UTCTIME && tag != SLAP_TAG_GENERALIZEDTIME ) return LDAP_INVALID_SYNTAX;
|
||||
ber_skip_data( ber, len );
|
||||
/* Optional nextUpdate */
|
||||
tag = ber_skip_tag( ber, &len );
|
||||
if ( tag == 0x17U || tag == 0x18U ) {
|
||||
if ( tag == SLAP_TAG_UTCTIME || tag == SLAP_TAG_GENERALIZEDTIME ) {
|
||||
ber_skip_data( ber, len );
|
||||
tag = ber_skip_tag( ber, &len );
|
||||
}
|
||||
@ -851,8 +859,8 @@ bitStringValidate(
|
||||
}
|
||||
|
||||
/* RFC 4517 Section 3.3.2 Bit String:
|
||||
* BitString = SQUOTE *binary-digit SQUOTE "B"
|
||||
* binary-digit = "0" / "1"
|
||||
* BitString = SQUOTE *binary-digit SQUOTE "B"
|
||||
* binary-digit = "0" / "1"
|
||||
*
|
||||
* where SQUOTE [RFC4512] is
|
||||
* SQUOTE = %x27 ; single quote ("'")
|
||||
@ -1777,7 +1785,7 @@ approxMatch(
|
||||
}
|
||||
|
||||
/* Work through the asserted value's words, to see if at least some
|
||||
of the words are there, in the same order. */
|
||||
* of the words are there, in the same order. */
|
||||
len = 0;
|
||||
while ( (ber_len_t) nextchunk < assertv->bv_len ) {
|
||||
len = strcspn( assertv->bv_val + nextchunk, SLAPD_APPROX_DELIMITER);
|
||||
@ -2832,15 +2840,71 @@ integerBitOrMatch(
|
||||
return LDAP_SUCCESS;
|
||||
}
|
||||
|
||||
static int
|
||||
checkNum( struct berval *in, struct berval *out )
|
||||
{
|
||||
/* parse serialNumber */
|
||||
int neg = 0;
|
||||
char first = '\0';
|
||||
int extra = 0;
|
||||
|
||||
out->bv_val = in->bv_val;
|
||||
out->bv_len = 0;
|
||||
|
||||
if ( out->bv_val[0] == '-' ) {
|
||||
neg++;
|
||||
out->bv_len++;
|
||||
}
|
||||
|
||||
if ( strncasecmp( out->bv_val, "0x", STRLENOF("0x") ) == 0 ) {
|
||||
first = out->bv_val[2];
|
||||
extra = 2;
|
||||
|
||||
out->bv_len += STRLENOF("0x");
|
||||
for ( ; out->bv_len < in->bv_len; out->bv_len++ ) {
|
||||
if ( !ASCII_HEX( out->bv_val[out->bv_len] ) ) break;
|
||||
}
|
||||
|
||||
} else if ( out->bv_val[0] == '\'' ) {
|
||||
first = out->bv_val[1];
|
||||
extra = 3;
|
||||
|
||||
out->bv_len += STRLENOF("'");
|
||||
|
||||
for ( ; out->bv_len < in->bv_len; out->bv_len++ ) {
|
||||
if ( !ASCII_HEX( out->bv_val[out->bv_len] ) ) break;
|
||||
}
|
||||
if ( strncmp( &out->bv_val[out->bv_len], "'H", STRLENOF("'H") ) != 0 ) {
|
||||
return -1;
|
||||
}
|
||||
out->bv_len += STRLENOF("'H");
|
||||
|
||||
} else {
|
||||
first = out->bv_val[0];
|
||||
for ( ; out->bv_len < in->bv_len; out->bv_len++ ) {
|
||||
if ( !ASCII_DIGIT( out->bv_val[out->bv_len] ) ) break;
|
||||
}
|
||||
}
|
||||
|
||||
if ( !( out->bv_len > neg ) ) {
|
||||
return -1;
|
||||
}
|
||||
|
||||
if ( ( out->bv_len > extra + 1 + neg ) && ( first == '0' ) ) {
|
||||
return -1;
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int
|
||||
serialNumberAndIssuerCheck(
|
||||
struct berval *in,
|
||||
struct berval *sn,
|
||||
struct berval *is,
|
||||
void *ctx
|
||||
)
|
||||
void *ctx )
|
||||
{
|
||||
int is_hex = 0, n;
|
||||
int n;
|
||||
|
||||
if( in->bv_len < 3 ) return LDAP_INVALID_SYNTAX;
|
||||
|
||||
@ -2868,266 +2932,125 @@ serialNumberAndIssuerCheck(
|
||||
|
||||
} else {
|
||||
/* Parse GSER format */
|
||||
int havesn = 0, haveissuer = 0, numdquotes = 0;
|
||||
enum {
|
||||
HAVE_NONE = 0x0,
|
||||
HAVE_ISSUER = 0x1,
|
||||
HAVE_SN = 0x2,
|
||||
HAVE_ALL = ( HAVE_ISSUER | HAVE_SN )
|
||||
} have = HAVE_NONE;
|
||||
|
||||
int numdquotes = 0;
|
||||
struct berval x = *in;
|
||||
struct berval ni;
|
||||
x.bv_val++;
|
||||
x.bv_len-=2;
|
||||
|
||||
/* eat leading spaces */
|
||||
for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) {
|
||||
/* empty */;
|
||||
}
|
||||
|
||||
if ( x.bv_len < STRLENOF("serialNumber 0,issuer \"\"")) {
|
||||
return LDAP_INVALID_SYNTAX;
|
||||
}
|
||||
|
||||
/* should be at issuer or serialNumber NamedValue */
|
||||
if( strncasecmp( x.bv_val, "issuer", STRLENOF("issuer")) == 0 ) {
|
||||
/* parse issuer */
|
||||
x.bv_val += STRLENOF("issuer");
|
||||
x.bv_len -= STRLENOF("issuer");
|
||||
|
||||
if( x.bv_val[0] != ' ' ) return LDAP_INVALID_SYNTAX;
|
||||
x.bv_val++; x.bv_len--;
|
||||
x.bv_len -= 2;
|
||||
|
||||
do {
|
||||
/* eat leading spaces */
|
||||
for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) {
|
||||
for ( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len-- ) {
|
||||
/* empty */;
|
||||
}
|
||||
|
||||
/* For backward compatibility, this part is optional */
|
||||
if( !strncasecmp( x.bv_val, "rdnSequence:", STRLENOF("rdnSequence:"))) {
|
||||
x.bv_val += STRLENOF("rdnSequence:");
|
||||
x.bv_len -= STRLENOF("rdnSequence:");
|
||||
}
|
||||
/* should be at issuer or serialNumber NamedValue */
|
||||
if ( strncasecmp( x.bv_val, "issuer", STRLENOF("issuer") ) == 0 ) {
|
||||
if ( have & HAVE_ISSUER ) return LDAP_INVALID_SYNTAX;
|
||||
|
||||
if( x.bv_val[0] != '"' ) return LDAP_INVALID_SYNTAX;
|
||||
x.bv_val++; x.bv_len--;
|
||||
/* parse issuer */
|
||||
x.bv_val += STRLENOF("issuer");
|
||||
x.bv_len -= STRLENOF("issuer");
|
||||
|
||||
is->bv_val = x.bv_val;
|
||||
is->bv_len = 0;
|
||||
if ( x.bv_val[0] != ' ' ) return LDAP_INVALID_SYNTAX;
|
||||
x.bv_val++;
|
||||
x.bv_len--;
|
||||
|
||||
for( ; is->bv_len < x.bv_len; ) {
|
||||
if ( is->bv_val[is->bv_len] != '"' ) {
|
||||
is->bv_len++;
|
||||
continue;
|
||||
/* eat leading spaces */
|
||||
for ( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len-- ) {
|
||||
/* empty */;
|
||||
}
|
||||
if ( is->bv_val[is->bv_len+1] == '"' ) {
|
||||
/* double dquote */
|
||||
is->bv_len+=2;
|
||||
continue;
|
||||
|
||||
/* For backward compatibility, this part is optional */
|
||||
if ( strncasecmp( x.bv_val, "rdnSequence:", STRLENOF("rdnSequence:") ) == 0 ) {
|
||||
x.bv_val += STRLENOF("rdnSequence:");
|
||||
x.bv_len -= STRLENOF("rdnSequence:");
|
||||
}
|
||||
break;
|
||||
}
|
||||
x.bv_val += is->bv_len+1;
|
||||
x.bv_len -= is->bv_len+1;
|
||||
|
||||
if ( x.bv_len < STRLENOF(",serialNumber 0")) {
|
||||
return LDAP_INVALID_SYNTAX;
|
||||
}
|
||||
if ( x.bv_val[0] != '"' ) return LDAP_INVALID_SYNTAX;
|
||||
x.bv_val++;
|
||||
x.bv_len--;
|
||||
|
||||
haveissuer++;
|
||||
is->bv_val = x.bv_val;
|
||||
is->bv_len = 0;
|
||||
|
||||
} else if( strncasecmp( x.bv_val, "serialNumber",
|
||||
STRLENOF("serialNumber")) == 0 )
|
||||
{
|
||||
/* parse serialNumber */
|
||||
int neg = 0;
|
||||
char first = '\0';
|
||||
int extra = 0;
|
||||
for ( ; is->bv_len < x.bv_len; ) {
|
||||
if ( is->bv_val[is->bv_len] != '"' ) {
|
||||
is->bv_len++;
|
||||
continue;
|
||||
}
|
||||
if ( is->bv_val[is->bv_len+1] == '"' ) {
|
||||
/* double dquote */
|
||||
is->bv_len += 2;
|
||||
continue;
|
||||
}
|
||||
break;
|
||||
}
|
||||
x.bv_val += is->bv_len + 1;
|
||||
x.bv_len -= is->bv_len + 1;
|
||||
|
||||
x.bv_val += STRLENOF("serialNumber");
|
||||
x.bv_len -= STRLENOF("serialNumber");
|
||||
have |= HAVE_ISSUER;
|
||||
|
||||
if( x.bv_val[0] != ' ' ) return LDAP_INVALID_SYNTAX;
|
||||
x.bv_val++; x.bv_len--;
|
||||
|
||||
/* eat leading spaces */
|
||||
for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) {
|
||||
/* empty */;
|
||||
}
|
||||
|
||||
sn->bv_val = x.bv_val;
|
||||
sn->bv_len = 0;
|
||||
|
||||
if( sn->bv_val[0] == '-' ) {
|
||||
neg++;
|
||||
sn->bv_len++;
|
||||
}
|
||||
|
||||
if ( sn->bv_val[0] == '0' && ( sn->bv_val[1] == 'x' ||
|
||||
sn->bv_val[1] == 'X' ))
|
||||
} else if ( strncasecmp( x.bv_val, "serialNumber", STRLENOF("serialNumber") ) == 0 )
|
||||
{
|
||||
is_hex = 1;
|
||||
first = sn->bv_val[2];
|
||||
extra = 2;
|
||||
if ( have & HAVE_SN ) return LDAP_INVALID_SYNTAX;
|
||||
|
||||
sn->bv_len += STRLENOF("0x");
|
||||
for( ; sn->bv_len < x.bv_len; sn->bv_len++ ) {
|
||||
if ( !ASCII_HEX( sn->bv_val[sn->bv_len] )) break;
|
||||
/* parse serialNumber */
|
||||
x.bv_val += STRLENOF("serialNumber");
|
||||
x.bv_len -= STRLENOF("serialNumber");
|
||||
|
||||
if ( x.bv_val[0] != ' ' ) return LDAP_INVALID_SYNTAX;
|
||||
x.bv_val++;
|
||||
x.bv_len--;
|
||||
|
||||
/* eat leading spaces */
|
||||
for ( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len-- ) {
|
||||
/* empty */;
|
||||
}
|
||||
|
||||
} else if ( sn->bv_val[0] == '\'' ) {
|
||||
first = sn->bv_val[1];
|
||||
extra = 3;
|
||||
|
||||
sn->bv_len += STRLENOF("'");
|
||||
|
||||
for( ; sn->bv_len < x.bv_len; sn->bv_len++ ) {
|
||||
if ( !ASCII_HEX( sn->bv_val[sn->bv_len] )) break;
|
||||
}
|
||||
if ( sn->bv_val[sn->bv_len] == '\'' &&
|
||||
sn->bv_val[sn->bv_len + 1] == 'H' )
|
||||
{
|
||||
sn->bv_len += STRLENOF("'H");
|
||||
is_hex = 1;
|
||||
|
||||
} else {
|
||||
if ( checkNum( &x, sn ) ) {
|
||||
return LDAP_INVALID_SYNTAX;
|
||||
}
|
||||
|
||||
x.bv_val += sn->bv_len;
|
||||
x.bv_len -= sn->bv_len;
|
||||
|
||||
have |= HAVE_SN;
|
||||
|
||||
} else {
|
||||
first = sn->bv_val[0];
|
||||
for( ; sn->bv_len < x.bv_len; sn->bv_len++ ) {
|
||||
if ( !ASCII_DIGIT( sn->bv_val[sn->bv_len] )) break;
|
||||
}
|
||||
}
|
||||
|
||||
if (!( sn->bv_len > neg )) return LDAP_INVALID_SYNTAX;
|
||||
if (( sn->bv_len > extra+1+neg ) && ( first == '0' )) {
|
||||
return LDAP_INVALID_SYNTAX;
|
||||
}
|
||||
|
||||
x.bv_val += sn->bv_len; x.bv_len -= sn->bv_len;
|
||||
|
||||
if ( x.bv_len < STRLENOF( ",issuer \"\"" )) {
|
||||
return LDAP_INVALID_SYNTAX;
|
||||
}
|
||||
|
||||
havesn++;
|
||||
|
||||
} else return LDAP_INVALID_SYNTAX;
|
||||
|
||||
if( x.bv_val[0] != ',' ) return LDAP_INVALID_SYNTAX;
|
||||
x.bv_val++; x.bv_len--;
|
||||
|
||||
/* eat spaces */
|
||||
for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) {
|
||||
/* empty */;
|
||||
}
|
||||
|
||||
/* should be at remaining NamedValue */
|
||||
if( !haveissuer && (strncasecmp( x.bv_val, "issuer",
|
||||
STRLENOF("issuer" )) == 0 ))
|
||||
{
|
||||
/* parse issuer */
|
||||
x.bv_val += STRLENOF("issuer");
|
||||
x.bv_len -= STRLENOF("issuer");
|
||||
|
||||
if( x.bv_val[0] != ' ' ) return LDAP_INVALID_SYNTAX;
|
||||
x.bv_val++; x.bv_len--;
|
||||
|
||||
/* eat leading spaces */
|
||||
for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) {
|
||||
/* empty */;
|
||||
}
|
||||
|
||||
/* For backward compatibility, this part is optional */
|
||||
if( !strncasecmp( x.bv_val, "rdnSequence:", STRLENOF("rdnSequence:"))) {
|
||||
x.bv_val += STRLENOF("rdnSequence:");
|
||||
x.bv_len -= STRLENOF("rdnSequence:");
|
||||
}
|
||||
|
||||
if( x.bv_val[0] != '"' ) return LDAP_INVALID_SYNTAX;
|
||||
x.bv_val++; x.bv_len--;
|
||||
|
||||
is->bv_val = x.bv_val;
|
||||
is->bv_len = 0;
|
||||
|
||||
for( ; is->bv_len < x.bv_len; ) {
|
||||
if ( is->bv_val[is->bv_len] != '"' ) {
|
||||
is->bv_len++;
|
||||
continue;
|
||||
}
|
||||
if ( is->bv_val[is->bv_len+1] == '"' ) {
|
||||
/* double dquote */
|
||||
numdquotes++;
|
||||
is->bv_len+=2;
|
||||
continue;
|
||||
}
|
||||
break;
|
||||
}
|
||||
x.bv_val += is->bv_len+1;
|
||||
x.bv_len -= is->bv_len+1;
|
||||
|
||||
} else if( !havesn && (strncasecmp( x.bv_val, "serialNumber",
|
||||
STRLENOF("serialNumber")) == 0 ))
|
||||
{
|
||||
/* parse serialNumber */
|
||||
int neg=0;
|
||||
x.bv_val += STRLENOF("serialNumber");
|
||||
x.bv_len -= STRLENOF("serialNumber");
|
||||
|
||||
if( x.bv_val[0] != ' ' ) return LDAP_INVALID_SYNTAX;
|
||||
x.bv_val++; x.bv_len--;
|
||||
|
||||
/* eat leading spaces */
|
||||
for( ; (x.bv_val[0] == ' ') && x.bv_len ; x.bv_val++, x.bv_len--) {
|
||||
for ( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len-- ) {
|
||||
/* empty */;
|
||||
}
|
||||
|
||||
sn->bv_val = x.bv_val;
|
||||
sn->bv_len = 0;
|
||||
|
||||
if( sn->bv_val[0] == '-' ) {
|
||||
neg++;
|
||||
sn->bv_len++;
|
||||
if ( have == HAVE_ALL ) {
|
||||
break;
|
||||
}
|
||||
|
||||
if ( sn->bv_val[0] == '0' && ( sn->bv_val[1] == 'x' ||
|
||||
sn->bv_val[1] == 'X' )) {
|
||||
is_hex = 1;
|
||||
for( ; sn->bv_len < x.bv_len; sn->bv_len++ ) {
|
||||
if ( !ASCII_HEX( sn->bv_val[sn->bv_len] )) break;
|
||||
}
|
||||
} else if ( sn->bv_val[0] == '\'' ) {
|
||||
for( ; sn->bv_len < x.bv_len; sn->bv_len++ ) {
|
||||
if ( !ASCII_HEX( sn->bv_val[sn->bv_len] )) break;
|
||||
}
|
||||
if ( sn->bv_val[sn->bv_len] == '\'' &&
|
||||
sn->bv_val[sn->bv_len+1] == 'H' )
|
||||
is_hex = 1;
|
||||
else
|
||||
return LDAP_INVALID_SYNTAX;
|
||||
sn->bv_len += 2;
|
||||
} else {
|
||||
for( ; sn->bv_len < x.bv_len; sn->bv_len++ ) {
|
||||
if ( !ASCII_DIGIT( sn->bv_val[sn->bv_len] )) break;
|
||||
}
|
||||
}
|
||||
|
||||
if (!( sn->bv_len > neg )) return LDAP_INVALID_SYNTAX;
|
||||
if (( sn->bv_len > 1+neg ) && ( sn->bv_val[neg] == '0' )) {
|
||||
if ( x.bv_val[0] != ',' ) {
|
||||
return LDAP_INVALID_SYNTAX;
|
||||
}
|
||||
|
||||
x.bv_val += sn->bv_len;
|
||||
x.bv_len -= sn->bv_len;
|
||||
|
||||
} else return LDAP_INVALID_SYNTAX;
|
||||
|
||||
/* eat trailing spaces */
|
||||
for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) {
|
||||
/* empty */;
|
||||
}
|
||||
x.bv_val++;
|
||||
x.bv_len--;
|
||||
} while ( 1 );
|
||||
|
||||
/* should have no characters left... */
|
||||
if( x.bv_len ) return LDAP_INVALID_SYNTAX;
|
||||
if ( x.bv_len ) return LDAP_INVALID_SYNTAX;
|
||||
|
||||
if ( numdquotes == 0 ) {
|
||||
ber_dupbv_x( &ni, is, ctx );
|
||||
|
||||
} else {
|
||||
ber_int_t src, dst;
|
||||
|
||||
@ -3160,91 +3083,165 @@ serialNumberAndIssuerValidate(
|
||||
in->bv_val, 0, 0 );
|
||||
|
||||
rc = serialNumberAndIssuerCheck( in, &sn, &i, NULL );
|
||||
if ( rc )
|
||||
return rc;
|
||||
if ( rc ) {
|
||||
goto done;
|
||||
}
|
||||
|
||||
/* validate DN -- doesn't handle double dquote */
|
||||
rc = dnValidate( NULL, &i );
|
||||
if( rc )
|
||||
if ( rc ) {
|
||||
rc = LDAP_INVALID_SYNTAX;
|
||||
}
|
||||
|
||||
if( in->bv_val[0] == '{' && in->bv_val[in->bv_len-1] == '}' ) {
|
||||
if ( in->bv_val[0] == '{' && in->bv_val[in->bv_len-1] == '}' ) {
|
||||
slap_sl_free( i.bv_val, NULL );
|
||||
}
|
||||
|
||||
Debug( LDAP_DEBUG_TRACE, "<<< serialNumberAndIssuerValidate: OKAY\n",
|
||||
0, 0, 0 );
|
||||
Debug( LDAP_DEBUG_TRACE, "<<< serialNumberAndIssuerValidate: <%s> err=%d\n",
|
||||
in->bv_val, rc, 0 );
|
||||
|
||||
done:;
|
||||
return rc;
|
||||
}
|
||||
|
||||
int
|
||||
static int
|
||||
serialNumberAndIssuerPretty(
|
||||
Syntax *syntax,
|
||||
struct berval *in,
|
||||
struct berval *out,
|
||||
void *ctx )
|
||||
{
|
||||
int n, rc;
|
||||
struct berval sn, i, ni;
|
||||
int rc;
|
||||
struct berval sn, i, ni = BER_BVNULL;
|
||||
char *p;
|
||||
|
||||
assert( in != NULL );
|
||||
assert( out != NULL );
|
||||
|
||||
BER_BVZERO( out );
|
||||
|
||||
Debug( LDAP_DEBUG_TRACE, ">>> serialNumberAndIssuerPretty: <%s>\n",
|
||||
in->bv_val, 0, 0 );
|
||||
|
||||
rc = serialNumberAndIssuerCheck( in, &sn, &i, ctx );
|
||||
if ( rc )
|
||||
return rc;
|
||||
if ( rc ) {
|
||||
goto done;
|
||||
}
|
||||
|
||||
rc = dnPretty( syntax, &i, &ni, ctx );
|
||||
|
||||
if( in->bv_val[0] == '{' && in->bv_val[in->bv_len-1] == '}' ) {
|
||||
if ( in->bv_val[0] == '{' && in->bv_val[in->bv_len-1] == '}' ) {
|
||||
slap_sl_free( i.bv_val, ctx );
|
||||
}
|
||||
|
||||
if( rc ) return LDAP_INVALID_SYNTAX;
|
||||
if ( rc ) {
|
||||
rc = LDAP_INVALID_SYNTAX;
|
||||
goto done;
|
||||
}
|
||||
|
||||
/* make room from sn + "$" */
|
||||
out->bv_len = STRLENOF("{ serialNumber , issuer rdnSequence:\"\" }")
|
||||
+ sn.bv_len + ni.bv_len;
|
||||
out->bv_val = slap_sl_malloc( out->bv_len + 1, ctx );
|
||||
|
||||
if( out->bv_val == NULL ) {
|
||||
if ( out->bv_val == NULL ) {
|
||||
out->bv_len = 0;
|
||||
slap_sl_free( ni.bv_val, ctx );
|
||||
return LDAP_OTHER;
|
||||
rc = LDAP_OTHER;
|
||||
goto done;
|
||||
}
|
||||
|
||||
n = 0;
|
||||
AC_MEMCPY( &out->bv_val[n], "{ serialNumber ",
|
||||
STRLENOF("{ serialNumber "));
|
||||
n = STRLENOF("{ serialNumber ");
|
||||
p = out->bv_val;
|
||||
p = lutil_strcopy( p, "{ serialNumber " /*}*/ );
|
||||
p = lutil_strncopy( p, sn.bv_val, sn.bv_len );
|
||||
p = lutil_strcopy( p, ", issuer rdnSequence:\"" );
|
||||
p = lutil_strncopy( p, ni.bv_val, ni.bv_len );
|
||||
p = lutil_strcopy( p, /*{*/ "\" }" );
|
||||
|
||||
AC_MEMCPY( &out->bv_val[n], sn.bv_val, sn.bv_len );
|
||||
n += sn.bv_len;
|
||||
assert( p - out->bv_val == out->bv_len );
|
||||
|
||||
AC_MEMCPY( &out->bv_val[n], ", issuer rdnSequence:\"", STRLENOF(", issuer rdnSequence:\""));
|
||||
n += STRLENOF(", issuer rdnSequence:\"");
|
||||
|
||||
AC_MEMCPY( &out->bv_val[n], ni.bv_val, ni.bv_len );
|
||||
n += ni.bv_len;
|
||||
|
||||
AC_MEMCPY( &out->bv_val[n], "\" }", STRLENOF("\" }"));
|
||||
n += STRLENOF("\" }");
|
||||
|
||||
out->bv_val[n] = '\0';
|
||||
|
||||
assert( n == out->bv_len );
|
||||
|
||||
Debug( LDAP_DEBUG_TRACE, "<<< serialNumberAndIssuerPretty: <%s>\n",
|
||||
out->bv_val, 0, 0 );
|
||||
done:;
|
||||
Debug( LDAP_DEBUG_TRACE, "<<< serialNumberAndIssuerPretty: <%s> => <%s>\n",
|
||||
in->bv_val, rc == LDAP_SUCCESS ? out->bv_val : "(err)", 0 );
|
||||
|
||||
slap_sl_free( ni.bv_val, ctx );
|
||||
|
||||
return LDAP_SUCCESS;
|
||||
}
|
||||
|
||||
static int
|
||||
slap_bin2hex(
|
||||
struct berval *in,
|
||||
struct berval *out,
|
||||
void *ctx )
|
||||
|
||||
{
|
||||
/* Use hex format. '123456789abcdef'H */
|
||||
unsigned char *ptr, zero = '\0';
|
||||
char *sptr;
|
||||
int first;
|
||||
int i;
|
||||
ber_len_t len, nlen;
|
||||
|
||||
assert( in != NULL );
|
||||
assert( !BER_BVISNULL( in ) );
|
||||
assert( out != NULL );
|
||||
assert( !BER_BVISNULL( out ) );
|
||||
|
||||
ptr = (unsigned char *)in->bv_val;
|
||||
len = in->bv_len;
|
||||
|
||||
/* Check for minimal encodings */
|
||||
if ( len > 1 ) {
|
||||
if ( ptr[0] & 0x80 ) {
|
||||
if ( ( ptr[0] == 0xff ) && ( ptr[1] & 0x80 ) ) {
|
||||
return -1;
|
||||
}
|
||||
|
||||
} else if ( ptr[0] == 0 ) {
|
||||
if ( !( ptr[1] & 0x80 ) ) {
|
||||
return -1;
|
||||
}
|
||||
len--;
|
||||
ptr++;
|
||||
}
|
||||
|
||||
} else if ( len == 0 ) {
|
||||
/* FIXME: this should not be possible,
|
||||
* since a value of zero would have length 1 */
|
||||
len = 1;
|
||||
ptr = &zero;
|
||||
}
|
||||
|
||||
first = !( ptr[0] & 0xf0U );
|
||||
nlen = len * 2 - first + STRLENOF("''H"); /* quotes, H */
|
||||
if ( nlen >= out->bv_len ) {
|
||||
out->bv_val = slap_sl_malloc( nlen + 1, ctx );
|
||||
}
|
||||
sptr = out->bv_val;
|
||||
*sptr++ = '\'';
|
||||
i = 0;
|
||||
if ( first ) {
|
||||
sprintf( sptr, "%01X", ( ptr[0] & 0x0fU ) );
|
||||
sptr++;
|
||||
i = 1;
|
||||
}
|
||||
for ( ; i < len; i++ ) {
|
||||
sprintf( sptr, "%02X", ptr[i] );
|
||||
sptr += 2;
|
||||
}
|
||||
*sptr++ = '\'';
|
||||
*sptr++ = 'H';
|
||||
*sptr = '\0';
|
||||
|
||||
assert( sptr - out->bv_val == nlen );
|
||||
|
||||
out->bv_len = nlen;
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
#define SLAP_SN_BUFLEN (64)
|
||||
|
||||
/*
|
||||
* This routine is called by certificateExactNormalize when
|
||||
* certificateExactNormalize receives a search string instead of
|
||||
@ -3260,10 +3257,11 @@ serialNumberAndIssuerNormalize(
|
||||
struct berval *out,
|
||||
void *ctx )
|
||||
{
|
||||
struct berval sn, sn2, i, ni;
|
||||
char sbuf[64], *stmp = sbuf;
|
||||
struct berval sn, sn2, sn3, i, ni;
|
||||
char sbuf2[SLAP_SN_BUFLEN];
|
||||
char sbuf3[SLAP_SN_BUFLEN];
|
||||
char *p;
|
||||
int rc;
|
||||
ber_len_t n;
|
||||
|
||||
assert( in != NULL );
|
||||
assert( out != NULL );
|
||||
@ -3272,78 +3270,70 @@ serialNumberAndIssuerNormalize(
|
||||
in->bv_val, 0, 0 );
|
||||
|
||||
rc = serialNumberAndIssuerCheck( in, &sn, &i, ctx );
|
||||
if ( rc )
|
||||
if ( rc ) {
|
||||
return rc;
|
||||
}
|
||||
|
||||
rc = dnNormalize( usage, syntax, mr, &i, &ni, ctx );
|
||||
|
||||
if( in->bv_val[0] == '{' && in->bv_val[in->bv_len-1] == '}' ) {
|
||||
if ( in->bv_val[0] == '{' && in->bv_val[in->bv_len-1] == '}' ) {
|
||||
slap_sl_free( i.bv_val, ctx );
|
||||
}
|
||||
|
||||
if( rc ) return LDAP_INVALID_SYNTAX;
|
||||
if ( rc ) {
|
||||
return LDAP_INVALID_SYNTAX;
|
||||
}
|
||||
|
||||
/* Convert sn to canonical hex */
|
||||
if ( sn.bv_len > sizeof( sbuf )) {
|
||||
stmp = slap_sl_malloc( sn.bv_len, ctx );
|
||||
sn2.bv_val = sbuf2;
|
||||
if ( sn.bv_len > sizeof( sbuf2 ) ) {
|
||||
sn2.bv_val = slap_sl_malloc( sn.bv_len, ctx );
|
||||
}
|
||||
sn2.bv_val = stmp;
|
||||
sn2.bv_len = sn.bv_len;
|
||||
if ( lutil_str2bin( &sn, &sn2, ctx )) {
|
||||
rc = LDAP_INVALID_SYNTAX;
|
||||
goto func_leave;
|
||||
}
|
||||
|
||||
/* make room for sn + "$" */
|
||||
sn3.bv_val = sbuf3;
|
||||
sn3.bv_len = sizeof(sbuf3);
|
||||
if ( slap_bin2hex( &sn2, &sn3, ctx ) ) {
|
||||
rc = LDAP_INVALID_SYNTAX;
|
||||
goto func_leave;
|
||||
}
|
||||
|
||||
out->bv_len = STRLENOF( "{ serialNumber , issuer rdnSequence:\"\" }" )
|
||||
+ ( sn2.bv_len * 2 + 3 ) + ni.bv_len;
|
||||
+ sn3.bv_len + ni.bv_len;
|
||||
out->bv_val = slap_sl_malloc( out->bv_len + 1, ctx );
|
||||
|
||||
if( out->bv_val == NULL ) {
|
||||
if ( out->bv_val == NULL ) {
|
||||
out->bv_len = 0;
|
||||
slap_sl_free( ni.bv_val, ctx );
|
||||
rc = LDAP_OTHER;
|
||||
goto func_leave;
|
||||
}
|
||||
|
||||
n = 0;
|
||||
AC_MEMCPY( &out->bv_val[n], "{ serialNumber ",
|
||||
STRLENOF( "{ serialNumber " ));
|
||||
n = STRLENOF( "{ serialNumber " );
|
||||
p = out->bv_val;
|
||||
|
||||
AC_MEMCPY( &out->bv_val[n], sn.bv_val, sn.bv_len );
|
||||
{
|
||||
int j;
|
||||
unsigned char *v = (unsigned char *)sn2.bv_val;
|
||||
out->bv_val[n++] = '\'';
|
||||
for ( j = 0; j < sn2.bv_len; j++ ) {
|
||||
snprintf( &out->bv_val[n], out->bv_len - n + 1,
|
||||
"%02X", v[j] );
|
||||
n += 2;
|
||||
}
|
||||
out->bv_val[n++] = '\'';
|
||||
out->bv_val[n++] = 'H';
|
||||
}
|
||||
p = lutil_strcopy( p, "{ serialNumber " /*}*/ );
|
||||
p = lutil_strncopy( p, sn3.bv_val, sn3.bv_len );
|
||||
p = lutil_strcopy( p, ", issuer rdnSequence:\"" );
|
||||
p = lutil_strncopy( p, ni.bv_val, ni.bv_len );
|
||||
p = lutil_strcopy( p, /*{*/ "\" }" );
|
||||
|
||||
AC_MEMCPY( &out->bv_val[n], ", issuer rdnSequence:\"", STRLENOF( ", issuer rdnSequence:\"" ));
|
||||
n += STRLENOF( ", issuer rdnSequence:\"" );
|
||||
|
||||
AC_MEMCPY( &out->bv_val[n], ni.bv_val, ni.bv_len );
|
||||
n += ni.bv_len;
|
||||
|
||||
AC_MEMCPY( &out->bv_val[n], "\" }", STRLENOF( "\" }" ));
|
||||
n += STRLENOF( "\" }" );
|
||||
|
||||
out->bv_val[n] = '\0';
|
||||
|
||||
assert( n == out->bv_len );
|
||||
|
||||
Debug( LDAP_DEBUG_TRACE, "<<< serialNumberAndIssuerNormalize: <%s>\n",
|
||||
out->bv_val, 0, 0 );
|
||||
assert( p - out->bv_val == out->bv_len );
|
||||
|
||||
func_leave:
|
||||
if ( stmp != sbuf )
|
||||
slap_sl_free( stmp, ctx );
|
||||
Debug( LDAP_DEBUG_TRACE, "<<< serialNumberAndIssuerNormalize: <%s> => <%s>\n",
|
||||
in->bv_val, rc == LDAP_SUCCESS ? out->bv_val : "(err)", 0 );
|
||||
|
||||
if ( sn2.bv_val != sbuf2 ) {
|
||||
slap_sl_free( sn2.bv_val, ctx );
|
||||
}
|
||||
|
||||
if ( sn3.bv_val != sbuf3 ) {
|
||||
slap_sl_free( sn3.bv_val, ctx );
|
||||
}
|
||||
|
||||
slap_sl_free( ni.bv_val, ctx );
|
||||
|
||||
return rc;
|
||||
@ -3363,16 +3353,21 @@ certificateExactNormalize(
|
||||
ber_tag_t tag;
|
||||
ber_len_t len;
|
||||
ber_int_t i;
|
||||
char serialbuf[64], *serial = serialbuf;
|
||||
ber_len_t seriallen;
|
||||
char serialbuf2[SLAP_SN_BUFLEN];
|
||||
struct berval sn, sn2 = BER_BVNULL;
|
||||
struct berval issuer_dn = BER_BVNULL, bvdn;
|
||||
unsigned char *p;
|
||||
char *p;
|
||||
int rc = LDAP_INVALID_SYNTAX;
|
||||
|
||||
if( BER_BVISEMPTY( val ) ) goto done;
|
||||
assert( val != NULL );
|
||||
|
||||
if( SLAP_MR_IS_VALUE_OF_ASSERTION_SYNTAX(usage) ) {
|
||||
return serialNumberAndIssuerNormalize(0,NULL,NULL,val,normalized,ctx);
|
||||
Debug( LDAP_DEBUG_TRACE, ">>> certificateExactNormalize: <%p, %lu>\n",
|
||||
val->bv_val, val->bv_len, 0 );
|
||||
|
||||
if ( BER_BVISEMPTY( val ) ) goto done;
|
||||
|
||||
if ( SLAP_MR_IS_VALUE_OF_ASSERTION_SYNTAX(usage) ) {
|
||||
return serialNumberAndIssuerNormalize( 0, NULL, NULL, val, normalized, ctx );
|
||||
}
|
||||
|
||||
assert( SLAP_MR_IS_VALUE_OF_ATTRIBUTE_SYNTAX(usage) != 0 );
|
||||
@ -3389,42 +3384,17 @@ certificateExactNormalize(
|
||||
/* NOTE: move the test here from certificateValidate,
|
||||
* so that we can validate certs with serial longer
|
||||
* than sizeof(ber_int_t) */
|
||||
tag = ber_peek_tag( ber, &len ); /* serial */
|
||||
|
||||
/* Use hex format. '123456789abcdef'H
|
||||
*/
|
||||
{
|
||||
unsigned char *ptr;
|
||||
char *sptr;
|
||||
|
||||
tag = ber_skip_tag( ber, &len );
|
||||
ptr = (unsigned char *)ber->ber_ptr;
|
||||
ber_skip_data( ber, len );
|
||||
|
||||
/* Check for minimal encodings */
|
||||
if ( len > 1 ) {
|
||||
if ( ptr[0] & 0x80 ) {
|
||||
if (( ptr[0] == 0xff ) && ( ptr[1] & 0x80 ))
|
||||
return LDAP_INVALID_SYNTAX;
|
||||
} else if ( ptr[0] == 0 ) {
|
||||
if (!( ptr[1] & 0x80 ))
|
||||
return LDAP_INVALID_SYNTAX;
|
||||
}
|
||||
}
|
||||
|
||||
seriallen = len * 2 + 4; /* quotes, H, NUL */
|
||||
if ( seriallen > sizeof( serialbuf ))
|
||||
serial = slap_sl_malloc( seriallen, ctx );
|
||||
sptr = serial;
|
||||
*sptr++ = '\'';
|
||||
for ( i = 0; i<len; i++ ) {
|
||||
sprintf( sptr, "%02X", ptr[i] );
|
||||
sptr += 2;
|
||||
}
|
||||
*sptr++ = '\'';
|
||||
*sptr++ = 'H';
|
||||
seriallen--;
|
||||
tag = ber_skip_tag( ber, &len ); /* serial */
|
||||
sn.bv_len = len;
|
||||
sn.bv_val = (char *)ber->ber_ptr;
|
||||
sn2.bv_val = serialbuf2;
|
||||
sn2.bv_len = sizeof(serialbuf2);
|
||||
if ( slap_bin2hex( &sn, &sn2, ctx ) ) {
|
||||
rc = LDAP_INVALID_SYNTAX;
|
||||
goto done;
|
||||
}
|
||||
ber_skip_data( ber, len );
|
||||
|
||||
tag = ber_skip_tag( ber, &len ); /* SignatureAlg */
|
||||
ber_skip_data( ber, len );
|
||||
tag = ber_peek_tag( ber, &len ); /* IssuerDN */
|
||||
@ -3433,39 +3403,28 @@ certificateExactNormalize(
|
||||
bvdn.bv_len = val->bv_len - len;
|
||||
|
||||
rc = dnX509normalize( &bvdn, &issuer_dn );
|
||||
if( rc != LDAP_SUCCESS ) goto done;
|
||||
if ( rc != LDAP_SUCCESS ) goto done;
|
||||
|
||||
normalized->bv_len = STRLENOF( "{ serialNumber , issuer rdnSequence:\"\" }" )
|
||||
+ seriallen + issuer_dn.bv_len;
|
||||
normalized->bv_val = ch_malloc(normalized->bv_len+1);
|
||||
+ sn2.bv_len + issuer_dn.bv_len;
|
||||
normalized->bv_val = ch_malloc( normalized->bv_len + 1 );
|
||||
|
||||
p = (unsigned char *)normalized->bv_val;
|
||||
p = normalized->bv_val;
|
||||
|
||||
AC_MEMCPY(p, "{ serialNumber ", STRLENOF( "{ serialNumber " ));
|
||||
p += STRLENOF( "{ serialNumber " );
|
||||
|
||||
AC_MEMCPY(p, serial, seriallen);
|
||||
p += seriallen;
|
||||
|
||||
AC_MEMCPY(p, ", issuer rdnSequence:\"", STRLENOF( ", issuer rdnSequence:\"" ));
|
||||
p += STRLENOF( ", issuer rdnSequence:\"" );
|
||||
|
||||
AC_MEMCPY(p, issuer_dn.bv_val, issuer_dn.bv_len);
|
||||
p += issuer_dn.bv_len;
|
||||
|
||||
AC_MEMCPY(p, "\" }", STRLENOF( "\" }" ));
|
||||
p += STRLENOF( "\" }" );
|
||||
|
||||
*p = '\0';
|
||||
|
||||
Debug( LDAP_DEBUG_TRACE, "certificateExactNormalize: %s\n",
|
||||
normalized->bv_val, NULL, NULL );
|
||||
p = lutil_strcopy( p, "{ serialNumber " /*}*/ );
|
||||
p = lutil_strncopy( p, sn2.bv_val, sn2.bv_len );
|
||||
p = lutil_strcopy( p, ", issuer rdnSequence:\"" );
|
||||
p = lutil_strncopy( p, issuer_dn.bv_val, issuer_dn.bv_len );
|
||||
p = lutil_strcopy( p, /*{*/ "\" }" );
|
||||
|
||||
rc = LDAP_SUCCESS;
|
||||
|
||||
done:
|
||||
Debug( LDAP_DEBUG_TRACE, "<<< certificateExactNormalize: <%p, %lu> => <%s>\n",
|
||||
val->bv_val, val->bv_len, rc == LDAP_SUCCESS ? normalized->bv_val : "(err)" );
|
||||
|
||||
if ( issuer_dn.bv_val ) ber_memfree( issuer_dn.bv_val );
|
||||
if ( serial != serialbuf ) ber_memfree_x( serial, ctx );
|
||||
if ( sn2.bv_val != serialbuf2 ) ber_memfree_x( sn2.bv_val, ctx );
|
||||
|
||||
return rc;
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user