mirror/openldap
2
0
Fork 0
mirror of https://git.openldap.org/openldap/openldap.git synced 2025-04-12 15:10:31 +08:00
Code Issues Packages Projects Releases Wiki Activity

Add support for GSER-encoded certificateExactAsssertion values

Browse Source
This commit is contained in:
Kurt Zeilenga 2006-03-03 04:54:49 +00:00
parent 0ccbce9d09
commit 4c64b8626d
3 changed files with 829 additions and 125 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

826
servers/slapd/schema_init.c
View File

@ -2101,7 +2101,8 @@ IA5StringNormalize(
void *ctx )
{
char *p, *q;
int casefold = !SLAP_MR_ASSOCIATED(mr, slap_schema.si_mr_caseExactIA5Match);
int casefold = !SLAP_MR_ASSOCIATED( mr,
slap_schema.si_mr_caseExactIA5Match );
assert( !BER_BVISEMPTY( val ) );
@ -2437,94 +2438,522 @@ serialNumberAndIssuerValidate(
int rc;
ber_len_t n;
struct berval sn, i;
Debug( LDAP_DEBUG_TRACE, ">>> serialNumberAndIssuerValidate: <%s>\n",
in->bv_val, 0, 0 );
if( in->bv_len < 3 ) return LDAP_INVALID_SYNTAX;
i.bv_val = ber_bvchr( in, '$' );
if( BER_BVISNULL( &i ) ) return LDAP_INVALID_SYNTAX;
if( in->bv_val[0] != '{' && in->bv_val[in->bv_len-1] != '}' ) {
/* Parse old format */
i.bv_val = ber_bvchr( in, '$' );
if( BER_BVISNULL( &i ) ) return LDAP_INVALID_SYNTAX;
sn.bv_val = in->bv_val;
sn.bv_len = i.bv_val - in->bv_val;
sn.bv_val = in->bv_val;
sn.bv_len = i.bv_val - in->bv_val;
i.bv_val++;
i.bv_len = in->bv_len - (sn.bv_len + 1);
i.bv_val++;
i.bv_len = in->bv_len - (sn.bv_len + 1);
/* validate serial number (strict for now) */
for( n=0; n < sn.bv_len; n++ ) {
if( !ASCII_DIGIT(sn.bv_val[n]) ) return LDAP_INVALID_SYNTAX;
/* eat leading zeros */
for( n=0; n < (sn.bv_len-1); n++ ) {
if( sn.bv_val[n] != '0' ) break;
}
sn.bv_val += n;
sn.bv_len -= n;
for( n=0; n < sn.bv_len; n++ ) {
if( !ASCII_DIGIT(sn.bv_val[n]) ) return LDAP_INVALID_SYNTAX;
}
} else {
/* Parse GSER format */
int havesn=0,haveissuer=0;
struct berval x = *in;
x.bv_val++;
x.bv_len-=2;
/* eat leading spaces */
for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) {
/* empty */;
}
if ( x.bv_len < STRLENOF("serialNumber 0,issuer \"\"")) {
return LDAP_INVALID_SYNTAX;
}
/* should be at issuer or serialNumber NamedValue */
if( strncasecmp( x.bv_val, "issuer", STRLENOF("issuer")) == 0 ) {
/* parse issuer */
x.bv_val += STRLENOF("issuer");
x.bv_len -= STRLENOF("issuer");
if( x.bv_val[0] != ' ' ) return LDAP_INVALID_SYNTAX;
x.bv_val++; x.bv_len--;
/* eat leading spaces */
for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) {
/* empty */;
}
if( x.bv_val[0] != '"' ) return LDAP_INVALID_SYNTAX;
x.bv_val++; x.bv_len--;
i.bv_val = x.bv_val;
i.bv_len = 0;
for( ; i.bv_len < x.bv_len; ) {
if ( i.bv_val[i.bv_len] != '"' ) {
i.bv_len++;
continue;
}
if ( i.bv_val[i.bv_len+1] == '"' ) {
/* double dquote */
i.bv_len+=2;
continue;
}
break;
}
x.bv_val += i.bv_len+1;
x.bv_len -= i.bv_len+1;
if ( x.bv_len < STRLENOF(",serialNumber 0")) {
return LDAP_INVALID_SYNTAX;
}
haveissuer++;
} else if( strncasecmp( x.bv_val, "serialNumber",
STRLENOF("serialNumber")) == 0 )
{
/* parse serialNumber */
int neg=0;
x.bv_val += STRLENOF("serialNumber");
x.bv_len -= STRLENOF("serialNumber");
if( x.bv_val[0] != ' ' ) return LDAP_INVALID_SYNTAX;
x.bv_val++; x.bv_len--;
/* eat leading spaces */
for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) {
/* empty */;
}
sn.bv_val = x.bv_val;
sn.bv_len = 0;
if( sn.bv_val[0] == '-' ) {
neg++;
sn.bv_len++;
}
for( ; sn.bv_len < x.bv_len; sn.bv_len++ ) {
if ( !ASCII_DIGIT( sn.bv_val[sn.bv_len] )) break;
}
if (!( sn.bv_len > neg )) return LDAP_INVALID_SYNTAX;
if (( sn.bv_len > 1+neg ) && ( sn.bv_val[neg] == '0' )) {
return LDAP_INVALID_SYNTAX;
}
x.bv_val += sn.bv_len; x.bv_len -= sn.bv_len;
if ( x.bv_len < STRLENOF( ",issuer \"\"" )) {
return LDAP_INVALID_SYNTAX;
}
havesn++;
} else return LDAP_INVALID_SYNTAX;
if( x.bv_val[0] != ',' ) return LDAP_INVALID_SYNTAX;
x.bv_val++; x.bv_len--;
/* eat spaces */
for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) {
/* empty */;
}
/* should be at remaining NamedValue */
if( !haveissuer && (strncasecmp( x.bv_val, "issuer",
STRLENOF("issuer" )) == 0 ))
{
/* parse issuer */
x.bv_val += STRLENOF("issuer");
x.bv_len -= STRLENOF("issuer");
if( x.bv_val[0] != ' ' ) return LDAP_INVALID_SYNTAX;
x.bv_val++; x.bv_len--;
/* eat leading spaces */
for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) {
/* empty */;
}
if( x.bv_val[0] != '"' ) return LDAP_INVALID_SYNTAX;
x.bv_val++; x.bv_len--;
i.bv_val = x.bv_val;
i.bv_len = 0;
for( ; i.bv_len < x.bv_len; ) {
if ( i.bv_val[i.bv_len] != '"' ) {
i.bv_len++;
continue;
}
if ( i.bv_val[i.bv_len+1] == '"' ) {
/* double dquote */
i.bv_len+=2;
continue;
}
break;
}
x.bv_val += i.bv_len+1;
x.bv_len -= i.bv_len+1;
} else if( !havesn && (strncasecmp( x.bv_val, "serialNumber",
STRLENOF("serialNumber")) == 0 ))
{
/* parse serialNumber */
int neg=0;
x.bv_val += STRLENOF("serialNumber");
x.bv_len -= STRLENOF("serialNumber");
if( x.bv_val[0] != ' ' ) return LDAP_INVALID_SYNTAX;
x.bv_val++; x.bv_len--;
/* eat leading spaces */
for( ; (x.bv_val[0] == ' ') && x.bv_len ; x.bv_val++, x.bv_len--) {
/* empty */;
}
if( x.bv_val[0] != ' ' ) return LDAP_INVALID_SYNTAX;
x.bv_val++; x.bv_len--;
sn.bv_val = x.bv_val;
sn.bv_len = 0;
if( sn.bv_val[0] == '-' ) {
neg++;
sn.bv_len++;
}
for( ; sn.bv_len < x.bv_len; sn.bv_len++ ) {
if ( !ASCII_DIGIT( sn.bv_val[sn.bv_len] )) break;
}
if (!( sn.bv_len > neg )) return LDAP_INVALID_SYNTAX;
if (( sn.bv_len > 1+neg ) && ( sn.bv_val[neg] == '0' )) {
return LDAP_INVALID_SYNTAX;
}
x.bv_val += sn.bv_len;
x.bv_len -= sn.bv_len;
} else return LDAP_INVALID_SYNTAX;
/* eat trailing spaces */
for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) {
/* empty */;
}
/* should have no characters left... */
if( x.bv_len ) return LDAP_INVALID_SYNTAX;
}
/* validate DN */
/* validate DN -- doesn't handle double dquote */
rc = dnValidate( NULL, &i );
if( rc ) return LDAP_INVALID_SYNTAX;
Debug( LDAP_DEBUG_TRACE, "<<< serialNumberAndIssuerValidate: OKAY\n",
in->bv_val, 0, 0 );
return LDAP_SUCCESS;
}
int
serialNumberAndIssuerPretty(
Syntax *syntax,
struct berval *val,
struct berval *in,
struct berval *out,
void *ctx )
{
int rc;
ber_len_t n;
struct berval sn, i, newi;
struct berval sn, i, ni;
assert( val != NULL );
assert( in != NULL );
assert( out != NULL );
Debug( LDAP_DEBUG_TRACE, ">>> serialNumberAndIssuerPretty: <%s>\n",
val->bv_val, 0, 0 );
in->bv_val, 0, 0 );
if( val->bv_len < 3 ) return LDAP_INVALID_SYNTAX;
if( in->bv_len < 3 ) return LDAP_INVALID_SYNTAX;
i.bv_val = ber_bvchr( val, '$' );
if( BER_BVISNULL( &i ) ) return LDAP_INVALID_SYNTAX;
if( in->bv_val[0] != '{' && in->bv_val[in->bv_len-1] != '}' ) {
/* Parse old format */
i.bv_val = ber_bvchr( in, '$' );
if( BER_BVISNULL( &i ) ) return LDAP_INVALID_SYNTAX;
sn.bv_val = val->bv_val;
sn.bv_len = i.bv_val - val->bv_val;
sn.bv_val = in->bv_val;
sn.bv_len = i.bv_val - in->bv_val;
i.bv_val++;
i.bv_len = val->bv_len - (sn.bv_len + 1);
i.bv_val++;
i.bv_len = in->bv_len - (sn.bv_len + 1);
/* eat leading zeros */
for( n=0; n < (sn.bv_len-1); n++ ) {
if( sn.bv_val[n] != '0' ) break;
}
sn.bv_val += n;
sn.bv_len -= n;
/* eat leading zeros */
for( n=0; n < (sn.bv_len-1); n++ ) {
if( sn.bv_val[n] != '0' ) break;
}
sn.bv_val += n;
sn.bv_len -= n;
for( n=0; n < sn.bv_len; n++ ) {
if( !ASCII_DIGIT(sn.bv_val[n]) ) return LDAP_INVALID_SYNTAX;
for( n=0; n < sn.bv_len; n++ ) {
if( !ASCII_DIGIT(sn.bv_val[n]) ) return LDAP_INVALID_SYNTAX;
}
} else {
/* Parse GSER format */
int havesn=0,haveissuer=0;
struct berval x = *in;
x.bv_val++;
x.bv_len-=2;
/* eat leading spaces */
for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) {
/* empty */;
}
if ( x.bv_len < STRLENOF("serialNumber 0,issuer \"\"")) {
return LDAP_INVALID_SYNTAX;
}
/* should be at issuer or serialNumber NamedValue */
if( strncasecmp( x.bv_val, "issuer", STRLENOF("issuer")) == 0 ) {
/* parse issuer */
x.bv_val += STRLENOF("issuer");
x.bv_len -= STRLENOF("issuer");
if( x.bv_val[0] != ' ' ) return LDAP_INVALID_SYNTAX;
x.bv_val++; x.bv_len--;
/* eat leading spaces */
for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) {
/* empty */;
}
if( x.bv_val[0] != '"' ) return LDAP_INVALID_SYNTAX;
x.bv_val++; x.bv_len--;
i.bv_val = x.bv_val;
i.bv_len = 0;
for( ; i.bv_len < x.bv_len; ) {
if ( i.bv_val[i.bv_len] != '"' ) {
i.bv_len++;
continue;
}
if ( i.bv_val[i.bv_len+1] == '"' ) {
/* double dquote */
i.bv_len+=2;
continue;
}
break;
}
x.bv_val += i.bv_len+1;
x.bv_len -= i.bv_len+1;
if ( x.bv_len < STRLENOF(",serialNumber 0")) {
return LDAP_INVALID_SYNTAX;
}
haveissuer++;
} else if( strncasecmp( x.bv_val, "serialNumber",
STRLENOF("serialNumber")) == 0 )
{
/* parse serialNumber */
int neg=0;
x.bv_val += STRLENOF("serialNumber");
x.bv_len -= STRLENOF("serialNumber");
if( x.bv_val[0] != ' ' ) return LDAP_INVALID_SYNTAX;
x.bv_val++; x.bv_len--;
/* eat leading spaces */
for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) {
/* empty */;
}
sn.bv_val = x.bv_val;
sn.bv_len = 0;
if( sn.bv_val[0] == '-' ) {
neg++;
sn.bv_len++;
}
for( ; sn.bv_len < x.bv_len; sn.bv_len++ ) {
if ( !ASCII_DIGIT( sn.bv_val[sn.bv_len] )) break;
}
if (!( sn.bv_len > neg )) return LDAP_INVALID_SYNTAX;
if (( sn.bv_len > 1+neg ) && ( sn.bv_val[neg] == '0' )) {
return LDAP_INVALID_SYNTAX;
}
x.bv_val += sn.bv_len; x.bv_len -= sn.bv_len;
if ( x.bv_len < STRLENOF( ",issuer \"\"" )) {
return LDAP_INVALID_SYNTAX;
}
havesn++;
} else return LDAP_INVALID_SYNTAX;
if( x.bv_val[0] != ',' ) return LDAP_INVALID_SYNTAX;
x.bv_val++; x.bv_len--;
/* eat spaces */
for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) {
/* empty */;
}
/* should be at remaining NamedValue */
if( !haveissuer && (strncasecmp( x.bv_val, "issuer",
STRLENOF("issuer" )) == 0 ))
{
/* parse issuer */
x.bv_val += STRLENOF("issuer");
x.bv_len -= STRLENOF("issuer");
if( x.bv_val[0] != ' ' ) return LDAP_INVALID_SYNTAX;
x.bv_val++; x.bv_len--;
/* eat leading spaces */
for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) {
/* empty */;
}
if( x.bv_val[0] != '"' ) return LDAP_INVALID_SYNTAX;
x.bv_val++; x.bv_len--;
i.bv_val = x.bv_val;
i.bv_len = 0;
for( ; i.bv_len < x.bv_len; ) {
if ( i.bv_val[i.bv_len] != '"' ) {
i.bv_len++;
continue;
}
if ( i.bv_val[i.bv_len+1] == '"' ) {
/* double dquote */
i.bv_len+=2;
continue;
}
break;
}
x.bv_val += i.bv_len+1;
x.bv_len -= i.bv_len+1;
} else if( !havesn && (strncasecmp( x.bv_val, "serialNumber",
STRLENOF("serialNumber")) == 0 ))
{
/* parse serialNumber */
int neg=0;
x.bv_val += STRLENOF("serialNumber");
x.bv_len -= STRLENOF("serialNumber");
if( x.bv_val[0] != ' ' ) return LDAP_INVALID_SYNTAX;
x.bv_val++; x.bv_len--;
/* eat leading spaces */
for( ; (x.bv_val[0] == ' ') && x.bv_len ; x.bv_val++, x.bv_len--) {
/* empty */;
}
sn.bv_val = x.bv_val;
sn.bv_len = 0;
if( sn.bv_val[0] == '-' ) {
neg++;
sn.bv_len++;
}
for( ; sn.bv_len < x.bv_len; sn.bv_len++ ) {
if ( !ASCII_DIGIT( sn.bv_val[sn.bv_len] )) break;
}
if (!( sn.bv_len > neg )) return LDAP_INVALID_SYNTAX;
if (( sn.bv_len > 1+neg ) && ( sn.bv_val[neg] == '0' )) {
return LDAP_INVALID_SYNTAX;
}
x.bv_val += sn.bv_len;
x.bv_len -= sn.bv_len;
} else return LDAP_INVALID_SYNTAX;
/* eat trailing spaces */
for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) {
/* empty */;
}
/* should have no characters left... */
if( x.bv_len ) return LDAP_INVALID_SYNTAX;
ber_dupbv_x( &ni, &i, ctx );
i = ni;
/* need to handle double dquotes here */
}
rc = dnPretty( syntax, &i, &ni, ctx );
if( in->bv_val[0] == '{' && in->bv_val[in->bv_len-1] == '}' ) {
slap_sl_free( i.bv_val, ctx );
}
/* pretty DN */
rc = dnPretty( syntax, &i, &newi, ctx );
if( rc ) return LDAP_INVALID_SYNTAX;
/* make room from sn + "$" */
out->bv_len = sn.bv_len + newi.bv_len + 1;
out->bv_val = slap_sl_realloc( newi.bv_val, out->bv_len + 1, ctx );
out->bv_len = STRLENOF("{ serialNumber , issuer \"\" }")
+ sn.bv_len + ni.bv_len;
out->bv_val = slap_sl_malloc( out->bv_len + 1, ctx );
if( out->bv_val == NULL ) {
out->bv_len = 0;
slap_sl_free( newi.bv_val, ctx );
slap_sl_free( ni.bv_val, ctx );
return LDAP_OTHER;
}
/* push issuer over */
AC_MEMCPY( &out->bv_val[sn.bv_len+1], out->bv_val, newi.bv_len );
/* insert sn and "$" */
AC_MEMCPY( out->bv_val, sn.bv_val, sn.bv_len );
out->bv_val[sn.bv_len] = '$';
/* terminate */
out->bv_val[out->bv_len] = '\0';
n = 0;
AC_MEMCPY( &out->bv_val[n], "{ serialNumber ",
STRLENOF("{ serialNumber "));
n = STRLENOF("{ serialNumber ");
AC_MEMCPY( &out->bv_val[n], sn.bv_val, sn.bv_len );
n += sn.bv_len;
AC_MEMCPY( &out->bv_val[n], ", issuer \"", STRLENOF(", issuer \""));
n += STRLENOF(", issuer \"");
AC_MEMCPY( &out->bv_val[n], ni.bv_val, ni.bv_len );
n += ni.bv_len;
AC_MEMCPY( &out->bv_val[n], "\" }", STRLENOF("\" }"));
n += STRLENOF("\" }");
out->bv_val[n] = '\0';
assert( n == out->bv_len );
Debug( LDAP_DEBUG_TRACE, "<<< serialNumberAndIssuerPretty: <%s>\n",
out->bv_val, 0, 0 );
return LDAP_SUCCESS;
slap_sl_free( ni.bv_val, ctx );
return LDAP_SUCCESS;
}
/*
@ -2538,70 +2967,287 @@ serialNumberAndIssuerNormalize(
slap_mask_t usage,
Syntax *syntax,
MatchingRule *mr,
struct berval *val,
struct berval *in,
struct berval *out,
void *ctx )
{
int rc;
ber_len_t n;
struct berval sn, i, newi;
struct berval sn, i, ni;
assert( val != NULL );
assert( in != NULL );
assert( out != NULL );
Debug( LDAP_DEBUG_TRACE, ">>> serialNumberAndIssuerNormalize: <%s>\n",
val->bv_val, 0, 0 );
in->bv_val, 0, 0 );
if( val->bv_len < 3 ) return LDAP_INVALID_SYNTAX;
if( in->bv_len < 3 ) return LDAP_INVALID_SYNTAX;
i.bv_val = ber_bvchr( val, '$' );
if( BER_BVISNULL( &i ) ) return LDAP_INVALID_SYNTAX;
if( in->bv_val[0] != '{' && in->bv_val[in->bv_len-1] != '}' ) {
/* Parse old format */
i.bv_val = ber_bvchr( in, '$' );
if( BER_BVISNULL( &i ) ) return LDAP_INVALID_SYNTAX;
sn.bv_val = val->bv_val;
sn.bv_len = i.bv_val - val->bv_val;
sn.bv_val = in->bv_val;
sn.bv_len = i.bv_val - in->bv_val;
i.bv_val++;
i.bv_len = val->bv_len - (sn.bv_len + 1);
i.bv_val++;
i.bv_len = in->bv_len - (sn.bv_len + 1);
/* eat leading zeros */
for( n=0; n < (sn.bv_len-1); n++ ) {
if( sn.bv_val[n] != '0' ) break;
}
sn.bv_val += n;
sn.bv_len -= n;
/* eat leading zeros */
for( n=0; n < (sn.bv_len-1); n++ ) {
if( sn.bv_val[n] != '0' ) break;
}
sn.bv_val += n;
sn.bv_len -= n;
for( n=0; n < sn.bv_len; n++ ) {
if( !ASCII_DIGIT(sn.bv_val[n]) ) {
for( n=0; n < sn.bv_len; n++ ) {
if( !ASCII_DIGIT(sn.bv_val[n]) ) return LDAP_INVALID_SYNTAX;
}
} else {
/* Parse GSER format */
int havesn=0,haveissuer=0;
struct berval x = *in;
x.bv_val++;
x.bv_len-=2;
/* eat leading spaces */
for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) {
/* empty */;
}
if ( x.bv_len < STRLENOF("serialNumber 0,issuer \"\"")) {
return LDAP_INVALID_SYNTAX;
}
/* should be at issuer or serialNumber NamedValue */
if( strncasecmp( x.bv_val, "issuer", STRLENOF("issuer")) == 0 ) {
/* parse issuer */
x.bv_val += STRLENOF("issuer");
x.bv_len -= STRLENOF("issuer");
if( x.bv_val[0] != ' ' ) return LDAP_INVALID_SYNTAX;
x.bv_val++; x.bv_len--;
/* eat leading spaces */
for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) {
/* empty */;
}
if( x.bv_val[0] != '"' ) return LDAP_INVALID_SYNTAX;
x.bv_val++; x.bv_len--;
i.bv_val = x.bv_val;
i.bv_len = 0;
for( ; i.bv_len < x.bv_len; ) {
if ( i.bv_val[i.bv_len] != '"' ) {
i.bv_len++;
continue;
}
if ( i.bv_val[i.bv_len+1] == '"' ) {
/* double dquote */
i.bv_len+=2;
continue;
}
break;
}
x.bv_val += i.bv_len+1;
x.bv_len -= i.bv_len+1;
if ( x.bv_len < STRLENOF(",serialNumber 0")) {
return LDAP_INVALID_SYNTAX;
}
haveissuer++;
} else if( strncasecmp( x.bv_val, "serialNumber",
STRLENOF("serialNumber")) == 0 )
{
/* parse serialNumber */
int neg=0;
x.bv_val += STRLENOF("serialNumber");
x.bv_len -= STRLENOF("serialNumber");
if( x.bv_val[0] != ' ' ) return LDAP_INVALID_SYNTAX;
x.bv_val++; x.bv_len--;
/* eat leading spaces */
for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) {
/* empty */;
}
sn.bv_val = x.bv_val;
sn.bv_len = 0;
if( sn.bv_val[0] == '-' ) {
neg++;
sn.bv_len++;
}
for( ; sn.bv_len < x.bv_len; sn.bv_len++ ) {
if ( !ASCII_DIGIT( sn.bv_val[sn.bv_len] )) break;
}
if (!( sn.bv_len > neg )) return LDAP_INVALID_SYNTAX;
if (( sn.bv_len > 1+neg ) && ( sn.bv_val[neg] == '0' )) {
return LDAP_INVALID_SYNTAX;
}
x.bv_val += sn.bv_len; x.bv_len -= sn.bv_len;
if ( x.bv_len < STRLENOF( ",issuer \"\"" )) {
return LDAP_INVALID_SYNTAX;
}
havesn++;
} else return LDAP_INVALID_SYNTAX;
if( x.bv_val[0] != ',' ) return LDAP_INVALID_SYNTAX;
x.bv_val++; x.bv_len--;
/* eat spaces */
for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) {
/* empty */;
}
/* should be at remaining NamedValue */
if( !haveissuer && (strncasecmp( x.bv_val, "issuer",
STRLENOF("issuer" )) == 0 ))
{
/* parse issuer */
x.bv_val += STRLENOF("issuer");
x.bv_len -= STRLENOF("issuer");
if( x.bv_val[0] != ' ' ) return LDAP_INVALID_SYNTAX;
x.bv_val++; x.bv_len--;
/* eat leading spaces */
for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) {
/* empty */;
}
if( x.bv_val[0] != '"' ) return LDAP_INVALID_SYNTAX;
x.bv_val++; x.bv_len--;
i.bv_val = x.bv_val;
i.bv_len = 0;
for( ; i.bv_len < x.bv_len; ) {
if ( i.bv_val[i.bv_len] != '"' ) {
i.bv_len++;
continue;
}
if ( i.bv_val[i.bv_len+1] == '"' ) {
/* double dquote */
i.bv_len+=2;
continue;
}
break;
}
x.bv_val += i.bv_len+1;
x.bv_len -= i.bv_len+1;
} else if( !havesn && (strncasecmp( x.bv_val, "serialNumber",
STRLENOF("serialNumber")) == 0 ))
{
/* parse serialNumber */
int neg=0;
x.bv_val += STRLENOF("serialNumber");
x.bv_len -= STRLENOF("serialNumber");
if( x.bv_val[0] != ' ' ) return LDAP_INVALID_SYNTAX;
x.bv_val++; x.bv_len--;
/* eat leading spaces */
for( ; (x.bv_val[0] == ' ') && x.bv_len ; x.bv_val++, x.bv_len--) {
/* empty */;
}
sn.bv_val = x.bv_val;
sn.bv_len = 0;
if( sn.bv_val[0] == '-' ) {
neg++;
sn.bv_len++;
}
for( ; sn.bv_len < x.bv_len; sn.bv_len++ ) {
if ( !ASCII_DIGIT( sn.bv_val[sn.bv_len] )) break;
}
if (!( sn.bv_len > neg )) return LDAP_INVALID_SYNTAX;
if (( sn.bv_len > 1+neg ) && ( sn.bv_val[neg] == '0' )) {
return LDAP_INVALID_SYNTAX;
}
x.bv_val += sn.bv_len;
x.bv_len -= sn.bv_len;
} else return LDAP_INVALID_SYNTAX;
/* eat trailing spaces */
for( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len--) {
/* empty */;
}
/* should have no characters left... */
if( x.bv_len ) return LDAP_INVALID_SYNTAX;
ber_dupbv_x( &ni, &i, ctx );
i = ni;
/* need to handle double dquotes here */
}
rc = dnNormalize( usage, syntax, mr, &i, &ni, ctx );
if( in->bv_val[0] == '{' && in->bv_val[in->bv_len-1] == '}' ) {
slap_sl_free( i.bv_val, ctx );
}
/* pretty DN */
rc = dnNormalize( usage, syntax, mr, &i, &newi, ctx );
if( rc ) return LDAP_INVALID_SYNTAX;
/* make room from sn + "$" */
out->bv_len = sn.bv_len + newi.bv_len + 1;
out->bv_val = slap_sl_realloc( newi.bv_val, out->bv_len + 1, ctx );
out->bv_len = STRLENOF( "{ serialNumber , issuer \"\" }" )
+ sn.bv_len + ni.bv_len;
out->bv_val = slap_sl_malloc( out->bv_len + 1, ctx );
if( out->bv_val == NULL ) {
out->bv_len = 0;
slap_sl_free( newi.bv_val, ctx );
slap_sl_free( ni.bv_val, ctx );
return LDAP_OTHER;
}
/* push issuer over */
AC_MEMCPY( &out->bv_val[sn.bv_len+1], out->bv_val, newi.bv_len );
/* insert sn and "$" */
AC_MEMCPY( out->bv_val, sn.bv_val, sn.bv_len );
out->bv_val[sn.bv_len] = '$';
/* terminate */
out->bv_val[out->bv_len] = '\0';
n = 0;
AC_MEMCPY( &out->bv_val[n], "{ serialNumber ",
STRLENOF( "{ serialNumber " ));
n = STRLENOF( "{ serialNumber " );
AC_MEMCPY( &out->bv_val[n], sn.bv_val, sn.bv_len );
n += sn.bv_len;
AC_MEMCPY( &out->bv_val[n], ", issuer \"", STRLENOF( ", issuer \"" ));
n += STRLENOF( ", issuer \"" );
AC_MEMCPY( &out->bv_val[n], ni.bv_val, ni.bv_len );
n += ni.bv_len;
AC_MEMCPY( &out->bv_val[n], "\" }", STRLENOF( "\" }" ));
n += STRLENOF( "\" }" );
out->bv_val[n] = '\0';
assert( n == out->bv_len );
Debug( LDAP_DEBUG_TRACE, "<<< serialNumberAndIssuerNormalize: <%s>\n",
out->bv_val, 0, 0 );
return rc;
slap_sl_free( ni.bv_val, ctx );
return LDAP_SUCCESS;
}
#ifdef HAVE_TLS
@ -2646,19 +3292,34 @@ certificateExactNormalize(
rc = dnX509normalize( name, &issuer_dn );
if( rc != LDAP_SUCCESS ) goto done;
normalized->bv_len = seriallen + issuer_dn.bv_len + 1;
normalized->bv_len = STRLENOF( "{ serialNumber , issuer \"\" }" )
+ seriallen + issuer_dn.bv_len;
normalized->bv_val = ch_malloc(normalized->bv_len+1);
p = (unsigned char *)normalized->bv_val;
AC_MEMCPY(p, "{ serialNumber ", STRLENOF( "{ serialNumber " ));
p += STRLENOF( "{ serialNumber " );
AC_MEMCPY(p, serial, seriallen);
p += seriallen;
*p++ = '$';
AC_MEMCPY(p, ", issuer \"", STRLENOF( ", issuer \"" ));
p += STRLENOF( ", issuer \"" );
AC_MEMCPY(p, issuer_dn.bv_val, issuer_dn.bv_len);
p += issuer_dn.bv_len;
AC_MEMCPY(p, "\" }", STRLENOF( "\" }" ));
p += STRLENOF( "\" }" );
*p = '\0';
Debug( LDAP_DEBUG_TRACE, "certificateExactNormalize: %s\n",
normalized->bv_val, NULL, NULL );
rc = LDAP_SUCCESS;
done:
if (xcert) X509_free(xcert);
if (serial) ch_free(serial);
@ -2918,7 +3579,7 @@ generalizedTimeNormalize(
return rc;
}
len = sizeof("YYYYmmddHHMMSSZ")-1 + fraction.bv_len;
len = STRLENOF("YYYYmmddHHMMSSZ") + fraction.bv_len;
normalized->bv_val = slap_sl_malloc( len + 1, ctx );
if ( BER_BVISNULL( normalized ) ) {
return LBER_ERROR_MEMORY;
@ -2928,9 +3589,9 @@ generalizedTimeNormalize(
parts[0], parts[1], parts[2] + 1, parts[3] + 1,
parts[4], parts[5], parts[6] );
if ( !BER_BVISEMPTY( &fraction ) ) {
memcpy( normalized->bv_val + sizeof("YYYYmmddHHMMSSZ")-2,
memcpy( normalized->bv_val + STRLENOF("YYYYmmddHHMMSSZ")-1,
fraction.bv_val, fraction.bv_len );
normalized->bv_val[sizeof("YYYYmmddHHMMSSZ")-2] = '.';
normalized->bv_val[STRLENOF("YYYYmmddHHMMSSZ")-1] = '.';
}
strcpy( normalized->bv_val + len-1, "Z" );
normalized->bv_len = len;
@ -3861,12 +4522,7 @@ static slap_mrule_defs_rec mrule_defs[] = {
{"( 2.5.13.35 NAME 'certificateMatch' "
"SYNTAX 1.3.6.1.4.1.1466.115.121.1.8 )",
SLAP_MR_EQUALITY | SLAP_MR_EXT, NULL,
#ifdef HAVE_TLS
NULL, NULL, octetStringMatch,
octetStringIndexer, octetStringFilter,
#else
NULL, NULL, NULL, NULL, NULL,
#endif
NULL },
{"( 1.3.6.1.4.1.1466.109.114.1 NAME 'caseExactIA5Match' "

103
tests/data/certificate.tls
View File

@ -71,7 +71,7 @@ dn: dc=example,dc=com
objectClass: top
objectClass: organization
objectClass: domainRelatedObject
objectclass: dcobject
objectClass: dcObject
objectClass: extensibleObject
dc: example
l: Anytown, Michigan
@ -133,6 +133,39 @@ userCertificate;binary:: MIIDazCCAtSgAwIBAgIBAjANBgkqhkiG9w0BAQQFADB3MQswCQYDV
05xpoXocZtKdNvBu3FNxB/jFkiOcLU2lX7Px1Ijnsjh60qVRy9HOsHCungIKlGcnXLKHmKu0y//5j
ds/HnaJsGcHI5JRG7CBJbW+wrwge3trJ1xHJI8prN
# (userCertificate={ serialNumber 2, issuer "EMAIL=ca@example.com,CN=Example CA,O=Openldap Example\5C, Ltd.,ST=California,C=US" })
dn: cn=Ursula Hampster,ou=Alumni Association,ou=People,dc=example,dc=com
objectClass: OpenLDAPperson
objectClass: strongAuthenticationUser
cn: Ursula Hampster
sn: Hampster
uid: uham
title: Secretary, UM Alumni Association
postalAddress: Alumni Association $ 111 Maple St $ Anytown, MI 48109
seeAlso: cn=All Staff,ou=Groups,dc=example,dc=com
homePostalAddress: 123 Anystreet $ Anytown, MI 48104
mail: uham@mail.alumni.example.com
homePhone: +1 313 555 8421
pager: +1 313 555 2844
facsimileTelephoneNumber: +1 313 555 9700
telephoneNumber: +1 313 555 5331
userCertificate;binary:: MIIDazCCAtSgAwIBAgIBAjANBgkqhkiG9w0BAQQFADB3MQswCQYDV
QQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEfMB0GA1UEChMWT3BlbkxEQVAgRXhhbXBsZSwgTH
RkLjETMBEGA1UEAxMKRXhhbXBsZSBDQTEdMBsGCSqGSIb3DQEJARYOY2FAZXhhbXBsZS5jb20wHhc
NMDMxMDE3MTYzMzE5WhcNMDQxMDE2MTYzMzE5WjB+MQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2Fs
aWZvcm5pYTEfMB0GA1UEChMWT3BlbkxEQVAgRXhhbXBsZSwgTHRkLjEYMBYGA1UEAxMPVXJzdWxhI
EhhbXBzdGVyMR8wHQYJKoZIhvcNAQkBFhB1aGFtQGV4YW1wbGUuY29tMIGfMA0GCSqGSIb3DQEBAQ
UAA4GNADCBiQKBgQDuxgp5ELV9LmhxWMpV7qc4028QQT3+zzFDXhruuXE7ji2n3S3ea8bOwDtJh+q
nsDe561DhHHHlgIjMKCiDEizYMpxvJPYEXmvp0huRkMgpKZgmel95BSkt6TYmJ0erS3aoimOHLEFi
mmnTLolNRMiWqNBvqwobx940PGwUWEePKQIDAQABo4H/MIH8MAkGA1UdEwQCMAAwLAYJYIZIAYb4Q
gENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBSjI94TbBmuDEeUUO
iC37EK0Uf0XjCBoQYDVR0jBIGZMIGWgBRLbyEaNiTSkPlDsFNHLX3hwOaYI6F7pHkwdzELMAkGA1U
EBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExHzAdBgNVBAoTFk9wZW5MREFQIEV4YW1wbGUsIEx0
ZC4xEzARBgNVBAMTCkV4YW1wbGUgQ0ExHTAbBgkqhkiG9w0BCQEWDmNhQGV4YW1wbGUuY29tggEAM
A0GCSqGSIb3DQEBBAUAA4GBAIgUcARb3OlWYNbmr1nmqESuxLn16uqI1Ot6WkcICvpkdQ+Bo+R9AP
05xpoXocZtKdNvBu3FNxB/jFkiOcLU2lX7Px1Ijnsjh60qVRy9HOsHCungIKlGcnXLKHmKu0y//5j
ds/HnaJsGcHI5JRG7CBJbW+wrwge3trJ1xHJI8prN
# (userCertificate:certificateExactMatch:=3$EMAIL=ca@example.com,CN=Example CA,O=Openldap Example\5C, Ltd.,ST=California,C=US)
dn: cn=Jennifer Smith,ou=Alumni Association,ou=People,dc=example,dc=com
objectClass: OpenLDAPperson
@ -169,37 +202,39 @@ userCertificate;binary:: MIIDjDCCAvWgAwIBAgIBAzANBgkqhkiG9w0BAQQFADB3MQswCQYDV
5akCr5tdFQhuBLUXXDk/tTHGpIWt7OAjEmpuMzsz3GUB8Zf9rioHOs1DMw+GpzWdnFITxXhAqEDc3
quqPrpxZ
dn: dc=example,dc=com
objectClass: top
objectClass: organization
objectClass: domainRelatedObject
objectclass: dcobject
objectClass: extensibleObject
dc: example
l: Anytown, Michigan
st: Michigan
o: Example, Inc.
o: EX
o: Ex.
description: The Example, Inc. at Anytown
postalAddress: Example, Inc. $ 535 W. William St. $ Anytown, MI 48109 $ US
telephoneNumber: +1 313 555 1817
associatedDomain: example.com
cACertificate;binary:: MIIDVDCCAr2gAwIBAgIBADANBgkqhkiG9w0BAQQFADB3MQswCQYDVQQ
GEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEfMB0GA1UEChMWT3BlbkxEQVAgRXhhbXBsZSwgTHRk
LjETMBEGA1UEAxMKRXhhbXBsZSBDQTEdMBsGCSqGSIb3DQEJARYOY2FAZXhhbXBsZS5jb20wHhcNM
DMxMDE3MTYzMDQxWhcNMDQxMDE2MTYzMDQxWjB3MQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaW
Zvcm5pYTEfMB0GA1UEChMWT3BlbkxEQVAgRXhhbXBsZSwgTHRkLjETMBEGA1UEAxMKRXhhbXBsZSB
DQTEdMBsGCSqGSIb3DQEJARYOY2FAZXhhbXBsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
AoGBANljUGxiisAzEiALukzt3Gj/24MRw1J0AZx6GncXLhpNJsAFyA0bYZdAzgvydKeq/uX0i5o/4
Byc3G71XAAcbJZxDPtrLwpDAdMNOBvKV2r67yTgnpatFLfGRt/FWazj5EbFYkorWWTe+4eEBd9VPz
ebHdIm+DPHipUfIAzRoNejAgMBAAGjge8wgewwHQYDVR0OBBYEFEtvIRo2JNKQ+UOwU0ctfeHA5pg
jMIGhBgNVHSMEgZkwgZaAFEtvIRo2JNKQ+UOwU0ctfeHA5pgjoXukeTB3MQswCQYDVQQGEwJVUzET
MBEGA1UECBMKQ2FsaWZvcm5pYTEfMB0GA1UEChMWT3BlbkxEQVAgRXhhbXBsZSwgTHRkLjETMBEGA
1UEAxMKRXhhbXBsZSBDQTEdMBsGCSqGSIb3DQEJARYOY2FAZXhhbXBsZS5jb22CAQAwDAYDVR0TBA
UwAwEB/zAZBgNVHREEEjAQgQ5jYUBleGFtcGxlLmNvbTANBgkqhkiG9w0BAQQFAAOBgQCgXD/+28E
l3GXi/uxMNEKqtnIhQdTnNU4il0fZ6pcmHPFC+61Bddow90ZZZh5Gbg5ZBxFRhDXN8K/fix3ewRSj
ASt40dGlEODkE+FsLMt04sYl6kX7RGKg9a46DkeG+uzZnN/3252uCgh+rjNMFAglueUTERv3EtUB1
iXEoU3GyA==
# (userCertificate:certificateExactMatch:={ issuer "EMAIL=ca@example.com,CN=Example CA,O=Openldap Example\5C, Ltd.,ST=California,C=US", serialNumber 3 })
dn: cn=Jennifer Smith,ou=Alumni Association,ou=People,dc=example,dc=com
objectClass: OpenLDAPperson
objectClass: strongAuthenticationUser
cn: Jennifer Smith
cn: Jen Smith
sn: Smith
uid: jen
postalAddress: Alumni Association $ 111 Maple St $ Anytown, MI 48109
seeAlso: cn=All Staff,ou=Groups,dc=example,dc=com
drink: Sam Adams
homePostalAddress: 1000 Maple #44 $ Anytown, MI 48103
title: Telemarketer, UM Alumni Association
mail: jen@mail.alumni.example.com
homePhone: +1 313 555 2333
pager: +1 313 555 6442
facsimileTelephoneNumber: +1 313 555 2756
telephoneNumber: +1 313 555 8232
userCertificate;binary:: MIIDjDCCAvWgAwIBAgIBAzANBgkqhkiG9w0BAQQFADB3MQswCQYDV
QQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEfMB0GA1UEChMWT3BlbkxEQVAgRXhhbXBsZSwgTH
RkLjETMBEGA1UEAxMKRXhhbXBsZSBDQTEdMBsGCSqGSIb3DQEJARYOY2FAZXhhbXBsZS5jb20wHhc
NMDMxMDE3MTYzNTM1WhcNMDQxMDE2MTYzNTM1WjCBnjELMAkGA1UEBhMCVVMxETAPBgNVBAgTCE1p
Y2hpZ2FuMR8wHQYDVQQKExZPcGVuTERBUCBFeGFtcGxlLCBMdGQuMRswGQYDVQQLExJBbHVtbmkgQ
XNzb2ljYXRpb24xEjAQBgNVBAMTCUplbiBTbWl0aDEqMCgGCSqGSIb3DQEJARYbamVuQG1haWwuYW
x1bW5pLmV4YW1wbGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDpnXWAL0VkROGO1Rg
8J3u6F4F7yMqQCbUMsV9rxQisYj45+pmqiHV5urogvT4MGD6eLNFZKBn+0KRni++uu7gbartzpmBa
HOlzRII9ZdVMFfrT2xYNgAlkne6pb6IZIN9UONuH/httENCDJ5WEpjZ48D1Lrml/HYO/W+SAMkpEq
QIDAQABo4H/MIH8MAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIE
NlcnRpZmljYXRlMB0GA1UdDgQWBBTB2saht/od/nis76b9m+pjxfhSPjCBoQYDVR0jBIGZMIGWgBR
LbyEaNiTSkPlDsFNHLX3hwOaYI6F7pHkwdzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3Ju
aWExHzAdBgNVBAoTFk9wZW5MREFQIEV4YW1wbGUsIEx0ZC4xEzARBgNVBAMTCkV4YW1wbGUgQ0ExH
TAbBgkqhkiG9w0BCQEWDmNhQGV4YW1wbGUuY29tggEAMA0GCSqGSIb3DQEBBAUAA4GBAIoGPc/AS0
cNkMRDNoMIzcFdF9lONMduKBiSuFvv+x8nCek+LUdXxF59V2NPKh2V5gFh5xbAchyv6FVBnpVtPdB
5akCr5tdFQhuBLUXXDk/tTHGpIWt7OAjEmpuMzsz3GUB8Zf9rioHOs1DMw+GpzWdnFITxXhAqEDc3
quqPrpxZ
# (cAcertificate;binary:certificateMatch:=\30\82\03\54\30\82\02\bd\a0\03\02\01\02\02\01\00\30\0d\06\09\2a\86\48\86\f7\0d\01\01\04\05\00\30\77\31\0b\30\09\06\03\55\04\06\13\02\55\53\31\13\30\11\06\03\55\04\08\13\0a\43\61\6c\69\66\6f\72\6e\69\61\31\1f\30\1d\06\03\55\04\0a\13\16\4f\70\65\6e\4c\44\41\50\20\45\78\61\6d\70\6c\65\2c\20\4c\74\64\2e\31\13\30\11\06\03\55\04\03\13\0a\45\78\61\6d\70\6c\65\20\43\41\31\1d\30\1b\06\09\2a\86\48\86\f7\0d\01\09\01\16\0e\63\61\40\65\78\61\6d\70\6c\65\2e\63\6f\6d\30\1e\17\0d\30\33\31\30\31\37\31\36\33\30\34\31\5a\17\0d\30\34\31\30\31\36\31\36\33\30\34\31\5a\30\77\31\0b\30\09\06\03\55\04\06\13\02\55\53\31\13\30\11\06\03\55\04\08\13\0a\43\61\6c\69\66\6f\72\6e\69\61\31\1f\30\1d\06\03\55\04\0a\13\16\4f\70\65\6e\4c\44\41\50\20\45\78\61\6d\70\6c\65\2c\20\4c\74\64\2e\31\13\30\11\06\03\55\04\03\13\0a\45\78\61\6d\70\6c\65\20\43\41\31\1d\30\1b\06\09\2a\86\48\86\f7\0d\01\09\01\16\0e\63\61\40\65\78\61\6d\70\6c\65\2e\63\6f\6d\30\81\9f\30\0d\06\09\2a\86\48\86\f7\0d\01\01\01\05\00\03\81\8d\00\30\81\89\02\81\81\00\d9\63\50\6c\62\8a\c0\33\12\20\0b\ba\4c\ed\dc\68\ff\db\83\11\c3\52\74\01\9c\7a\1a\77\17\2e\1a\4d\26\c0\05\c8\0d\1b\61\97\40\ce\0b\f2\74\a7\aa\fe\e5\f4\8b\9a\3f\e0\1c\9c\dc\6e\f5\5c\00\1c\6c\96\71\0c\fb\6b\2f\0a\43\01\d3\0d\38\1b\ca\57\6a\fa\ef\24\e0\9e\96\ad\14\b7\c6\46\df\c5\59\ac\e3\e4\46\c5\62\4a\2b\59\64\de\fb\87\84\05\df\55\3f\37\9b\1d\d2\26\f8\33\c7\8a\95\1f\20\0c\d1\a0\d7\a3\02\03\01\00\01\a3\81\ef\30\81\ec\30\1d\06\03\55\1d\0e\04\16\04\14\4b\6f\21\1a\36\24\d2\90\f9\43\b0\53\47\2d\7d\e1\c0\e6\98\23\30\81\a1\06\03\55\1d\23\04\81\99\30\81\96\80\14\4b\6f\21\1a\36\24\d2\90\f9\43\b0\53\47\2d\7d\e1\c0\e6\98\23\a1\7b\a4\79\30\77\31\0b\30\09\06\03\55\04\06\13\02\55\53\31\13\30\11\06\03\55\04\08\13\0a\43\61\6c\69\66\6f\72\6e\69\61\31\1f\30\1d\06\03\55\04\0a\13\16\4f\70\65\6e\4c\44\41\50\20\45\78\61\6d\70\6c\65\2c\20\4c\74\64\2e\31\13\30\11\06\03\55\04\03\13\0a\45\78\61\6d\70\6c\65\20\43\41\31\1d\30\1b\06\09\2a\86\48\86\f7\0d\01\09\01\16\0e\63\61\40\65\78\61\6d\70\6c\65\2e\63\6f\6d\82\01\00\30\0c\06\03\55\1d\13\04\05\30\03\01\01\ff\30\19\06\03\55\1d\11\04\12\30\10\81\0e\63\61\40\65\78\61\6d\70\6c\65\2e\63\6f\6d\30\0d\06\09\2a\86\48\86\f7\0d\01\01\04\05\00\03\81\81\00\a0\5c\3f\fe\db\c1\25\dc\65\e2\fe\ec\4c\34\42\aa\b6\72\21\41\d4\e7\35\4e\22\97\47\d9\ea\97\26\1c\f1\42\fb\ad\41\75\da\30\f7\46\59\66\1e\46\6e\0e\59\07\11\51\84\35\cd\f0\af\df\8b\1d\de\c1\14\a3\01\2b\78\d1\d1\a5\10\e0\e4\13\e1\6c\2c\cb\74\e2\c6\25\ea\45\fb\44\62\a0\f5\ae\3a\0e\47\86\fa\ec\d9\9c\df\f7\db\9d\ae\0a\08\7e\ae\33\4c\14\08\25\b9\e5\13\11\1b\f7\12\d5\01\d6\25\c4\a1\4d\c6\c8)

25
tests/scripts/test021-certificate
View File

@ -257,7 +257,20 @@ fi
SNAI='2$EMAIL=ca@example.com,CN=Example CA,O=Openldap Example\5C, Ltd.,ST=California,C=US'
echo 'Using ldapsearch to retrieve (userCertificate=serialNumberAndIssuer) ...'
echo 'Using ldapsearch to retrieve (userCertificate=serialNumberAndIssuer) [old format] ...'
echo "# (userCertificate=$SNAI)" >> $SEARCHOUT
$LDAPSEARCH -S "" -b "$BASEDN" -h $LOCALHOST -p $PORT1 \
"(userCertificate=$SNAI)" >> $SEARCHOUT 2>&1
RC=$?
if test $RC != 0 ; then
echo "ldapsearch failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
SNAI='{ serialNumber 2, issuer "EMAIL=ca@example.com,CN=Example CA,O=Openldap Example\5C, Ltd.,ST=California,C=US" }'
echo 'Using ldapsearch to retrieve (userCertificate=serialNumberAndIssuer) [new format] ...'
echo "# (userCertificate=$SNAI)" >> $SEARCHOUT
$LDAPSEARCH -S "" -b "$BASEDN" -h $LOCALHOST -p $PORT1 \
"(userCertificate=$SNAI)" >> $SEARCHOUT 2>&1
@ -270,7 +283,7 @@ fi
SNAI='3$EMAIL=ca@example.com,CN=Example CA,O=Openldap Example\5C, Ltd.,ST=California,C=US'
echo 'Using ldapsearch to retrieve (userCertificate:certificateExactMatch:=serialNumberAndIssuer) ...'
echo 'Using ldapsearch to retrieve (userCertificate:certificateExactMatch:=serialNumberAndIssuer) [old format] ...'
echo "# (userCertificate:certificateExactMatch:=$SNAI)" >> $SEARCHOUT
$LDAPSEARCH -S "" -b "$BASEDN" -h $LOCALHOST -p $PORT1 \
"(userCertificate:certificateExactMatch:=$SNAI)" >> $SEARCHOUT 2>&1
@ -281,12 +294,12 @@ if test $RC != 0 ; then
exit $RC
fi
CERT='\30\82\03\54\30\82\02\bd\a0\03\02\01\02\02\01\00\30\0d\06\09\2a\86\48\86\f7\0d\01\01\04\05\00\30\77\31\0b\30\09\06\03\55\04\06\13\02\55\53\31\13\30\11\06\03\55\04\08\13\0a\43\61\6c\69\66\6f\72\6e\69\61\31\1f\30\1d\06\03\55\04\0a\13\16\4f\70\65\6e\4c\44\41\50\20\45\78\61\6d\70\6c\65\2c\20\4c\74\64\2e\31\13\30\11\06\03\55\04\03\13\0a\45\78\61\6d\70\6c\65\20\43\41\31\1d\30\1b\06\09\2a\86\48\86\f7\0d\01\09\01\16\0e\63\61\40\65\78\61\6d\70\6c\65\2e\63\6f\6d\30\1e\17\0d\30\33\31\30\31\37\31\36\33\30\34\31\5a\17\0d\30\34\31\30\31\36\31\36\33\30\34\31\5a\30\77\31\0b\30\09\06\03\55\04\06\13\02\55\53\31\13\30\11\06\03\55\04\08\13\0a\43\61\6c\69\66\6f\72\6e\69\61\31\1f\30\1d\06\03\55\04\0a\13\16\4f\70\65\6e\4c\44\41\50\20\45\78\61\6d\70\6c\65\2c\20\4c\74\64\2e\31\13\30\11\06\03\55\04\03\13\0a\45\78\61\6d\70\6c\65\20\43\41\31\1d\30\1b\06\09\2a\86\48\86\f7\0d\01\09\01\16\0e\63\61\40\65\78\61\6d\70\6c\65\2e\63\6f\6d\30\81\9f\30\0d\06\09\2a\86\48\86\f7\0d\01\01\01\05\00\03\81\8d\00\30\81\89\02\81\81\00\d9\63\50\6c\62\8a\c0\33\12\20\0b\ba\4c\ed\dc\68\ff\db\83\11\c3\52\74\01\9c\7a\1a\77\17\2e\1a\4d\26\c0\05\c8\0d\1b\61\97\40\ce\0b\f2\74\a7\aa\fe\e5\f4\8b\9a\3f\e0\1c\9c\dc\6e\f5\5c\00\1c\6c\96\71\0c\fb\6b\2f\0a\43\01\d3\0d\38\1b\ca\57\6a\fa\ef\24\e0\9e\96\ad\14\b7\c6\46\df\c5\59\ac\e3\e4\46\c5\62\4a\2b\59\64\de\fb\87\84\05\df\55\3f\37\9b\1d\d2\26\f8\33\c7\8a\95\1f\20\0c\d1\a0\d7\a3\02\03\01\00\01\a3\81\ef\30\81\ec\30\1d\06\03\55\1d\0e\04\16\04\14\4b\6f\21\1a\36\24\d2\90\f9\43\b0\53\47\2d\7d\e1\c0\e6\98\23\30\81\a1\06\03\55\1d\23\04\81\99\30\81\96\80\14\4b\6f\21\1a\36\24\d2\90\f9\43\b0\53\47\2d\7d\e1\c0\e6\98\23\a1\7b\a4\79\30\77\31\0b\30\09\06\03\55\04\06\13\02\55\53\31\13\30\11\06\03\55\04\08\13\0a\43\61\6c\69\66\6f\72\6e\69\61\31\1f\30\1d\06\03\55\04\0a\13\16\4f\70\65\6e\4c\44\41\50\20\45\78\61\6d\70\6c\65\2c\20\4c\74\64\2e\31\13\30\11\06\03\55\04\03\13\0a\45\78\61\6d\70\6c\65\20\43\41\31\1d\30\1b\06\09\2a\86\48\86\f7\0d\01\09\01\16\0e\63\61\40\65\78\61\6d\70\6c\65\2e\63\6f\6d\82\01\00\30\0c\06\03\55\1d\13\04\05\30\03\01\01\ff\30\19\06\03\55\1d\11\04\12\30\10\81\0e\63\61\40\65\78\61\6d\70\6c\65\2e\63\6f\6d\30\0d\06\09\2a\86\48\86\f7\0d\01\01\04\05\00\03\81\81\00\a0\5c\3f\fe\db\c1\25\dc\65\e2\fe\ec\4c\34\42\aa\b6\72\21\41\d4\e7\35\4e\22\97\47\d9\ea\97\26\1c\f1\42\fb\ad\41\75\da\30\f7\46\59\66\1e\46\6e\0e\59\07\11\51\84\35\cd\f0\af\df\8b\1d\de\c1\14\a3\01\2b\78\d1\d1\a5\10\e0\e4\13\e1\6c\2c\cb\74\e2\c6\25\ea\45\fb\44\62\a0\f5\ae\3a\0e\47\86\fa\ec\d9\9c\df\f7\db\9d\ae\0a\08\7e\ae\33\4c\14\08\25\b9\e5\13\11\1b\f7\12\d5\01\d6\25\c4\a1\4d\c6\c8'
SNAI='{ issuer "EMAIL=ca@example.com,CN=Example CA,O=Openldap Example\5C, Ltd.,ST=California,C=US", serialNumber 3 }'
echo 'Using ldapsearch to retrieve (cAcertificate;binary:certificateMatch:=certificate) ...'
echo '# (cAcertificate;binary:certificateMatch:=--CERTIFICATE--)' >> $SEARCHOUT
echo 'Using ldapsearch to retrieve (userCertificate:certificateExactMatch:=serialNumberAndIssuer) [new format]...'
echo "# (userCertificate:certificateExactMatch:=$SNAI)" >> $SEARCHOUT
$LDAPSEARCH -S "" -b "$BASEDN" -h $LOCALHOST -p $PORT1 \
"(cAcertificate;binary:certificateMatch:=$CERT)" >> $SEARCHOUT 2>&1
"(userCertificate:certificateExactMatch:=$SNAI)" >> $SEARCHOUT 2>&1
RC=$?
if test $RC != 0 ; then
echo "ldapsearch failed ($RC)!"