1.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
1.2 +++ b/os/ossrv/ssl/libcrypto/src/crypto/x509/x509_cmp.c Fri Jun 15 03:10:57 2012 +0200
1.3 @@ -0,0 +1,425 @@
1.4 +/* crypto/x509/x509_cmp.c */
1.5 +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
1.6 + * All rights reserved.
1.7 + *
1.8 + * This package is an SSL implementation written
1.9 + * by Eric Young (eay@cryptsoft.com).
1.10 + * The implementation was written so as to conform with Netscapes SSL.
1.11 + *
1.12 + * This library is free for commercial and non-commercial use as long as
1.13 + * the following conditions are aheared to. The following conditions
1.14 + * apply to all code found in this distribution, be it the RC4, RSA,
1.15 + * lhash, DES, etc., code; not just the SSL code. The SSL documentation
1.16 + * included with this distribution is covered by the same copyright terms
1.17 + * except that the holder is Tim Hudson (tjh@cryptsoft.com).
1.18 + *
1.19 + * Copyright remains Eric Young's, and as such any Copyright notices in
1.20 + * the code are not to be removed.
1.21 + * If this package is used in a product, Eric Young should be given attribution
1.22 + * as the author of the parts of the library used.
1.23 + * This can be in the form of a textual message at program startup or
1.24 + * in documentation (online or textual) provided with the package.
1.25 + *
1.26 + * Redistribution and use in source and binary forms, with or without
1.27 + * modification, are permitted provided that the following conditions
1.28 + * are met:
1.29 + * 1. Redistributions of source code must retain the copyright
1.30 + * notice, this list of conditions and the following disclaimer.
1.31 + * 2. Redistributions in binary form must reproduce the above copyright
1.32 + * notice, this list of conditions and the following disclaimer in the
1.33 + * documentation and/or other materials provided with the distribution.
1.34 + * 3. All advertising materials mentioning features or use of this software
1.35 + * must display the following acknowledgement:
1.36 + * "This product includes cryptographic software written by
1.37 + * Eric Young (eay@cryptsoft.com)"
1.38 + * The word 'cryptographic' can be left out if the rouines from the library
1.39 + * being used are not cryptographic related :-).
1.40 + * 4. If you include any Windows specific code (or a derivative thereof) from
1.41 + * the apps directory (application code) you must include an acknowledgement:
1.42 + * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
1.43 + *
1.44 + * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
1.45 + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
1.46 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
1.47 + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
1.48 + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
1.49 + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
1.50 + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
1.51 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
1.52 + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
1.53 + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
1.54 + * SUCH DAMAGE.
1.55 + *
1.56 + * The licence and distribution terms for any publically available version or
1.57 + * derivative of this code cannot be changed. i.e. this code cannot simply be
1.58 + * copied and put under another distribution licence
1.59 + * [including the GNU Public Licence.]
1.60 + */
1.61 +
1.62 +#include <stdio.h>
1.63 +#include <ctype.h>
1.64 +#include "cryptlib.h"
1.65 +#include <openssl/asn1.h>
1.66 +#include <openssl/objects.h>
1.67 +#include <openssl/x509.h>
1.68 +#include <openssl/x509v3.h>
1.69 +
1.70 +EXPORT_C int X509_issuer_and_serial_cmp(const X509 *a, const X509 *b)
1.71 + {
1.72 + int i;
1.73 + X509_CINF *ai,*bi;
1.74 +
1.75 + ai=a->cert_info;
1.76 + bi=b->cert_info;
1.77 + i=M_ASN1_INTEGER_cmp(ai->serialNumber,bi->serialNumber);
1.78 + if (i) return(i);
1.79 + return(X509_NAME_cmp(ai->issuer,bi->issuer));
1.80 + }
1.81 +
1.82 +#ifndef OPENSSL_NO_MD5
1.83 +EXPORT_C unsigned long X509_issuer_and_serial_hash(X509 *a)
1.84 + {
1.85 + unsigned long ret=0;
1.86 + EVP_MD_CTX ctx;
1.87 + unsigned char md[16];
1.88 + char *f;
1.89 +
1.90 + EVP_MD_CTX_init(&ctx);
1.91 + f=X509_NAME_oneline(a->cert_info->issuer,NULL,0);
1.92 + ret=strlen(f);
1.93 + EVP_DigestInit_ex(&ctx, EVP_md5(), NULL);
1.94 + EVP_DigestUpdate(&ctx,(unsigned char *)f,ret);
1.95 + OPENSSL_free(f);
1.96 + EVP_DigestUpdate(&ctx,(unsigned char *)a->cert_info->serialNumber->data,
1.97 + (unsigned long)a->cert_info->serialNumber->length);
1.98 + EVP_DigestFinal_ex(&ctx,&(md[0]),NULL);
1.99 + ret=( ((unsigned long)md[0] )|((unsigned long)md[1]<<8L)|
1.100 + ((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L)
1.101 + )&0xffffffffL;
1.102 + EVP_MD_CTX_cleanup(&ctx);
1.103 + return(ret);
1.104 + }
1.105 +#endif
1.106 +
1.107 +EXPORT_C int X509_issuer_name_cmp(const X509 *a, const X509 *b)
1.108 + {
1.109 + return(X509_NAME_cmp(a->cert_info->issuer,b->cert_info->issuer));
1.110 + }
1.111 +
1.112 +EXPORT_C int X509_subject_name_cmp(const X509 *a, const X509 *b)
1.113 + {
1.114 + return(X509_NAME_cmp(a->cert_info->subject,b->cert_info->subject));
1.115 + }
1.116 +
1.117 +EXPORT_C int X509_CRL_cmp(const X509_CRL *a, const X509_CRL *b)
1.118 + {
1.119 + return(X509_NAME_cmp(a->crl->issuer,b->crl->issuer));
1.120 + }
1.121 +
1.122 +EXPORT_C X509_NAME *X509_get_issuer_name(X509 *a)
1.123 + {
1.124 + return(a->cert_info->issuer);
1.125 + }
1.126 +
1.127 +EXPORT_C unsigned long X509_issuer_name_hash(X509 *x)
1.128 + {
1.129 + return(X509_NAME_hash(x->cert_info->issuer));
1.130 + }
1.131 +
1.132 +EXPORT_C X509_NAME *X509_get_subject_name(X509 *a)
1.133 + {
1.134 + return(a->cert_info->subject);
1.135 + }
1.136 +
1.137 +EXPORT_C ASN1_INTEGER *X509_get_serialNumber(X509 *a)
1.138 + {
1.139 + return(a->cert_info->serialNumber);
1.140 + }
1.141 +
1.142 +EXPORT_C unsigned long X509_subject_name_hash(X509 *x)
1.143 + {
1.144 + return(X509_NAME_hash(x->cert_info->subject));
1.145 + }
1.146 +
1.147 +#ifndef OPENSSL_NO_SHA
1.148 +/* Compare two certificates: they must be identical for
1.149 + * this to work. NB: Although "cmp" operations are generally
1.150 + * prototyped to take "const" arguments (eg. for use in
1.151 + * STACKs), the way X509 handling is - these operations may
1.152 + * involve ensuring the hashes are up-to-date and ensuring
1.153 + * certain cert information is cached. So this is the point
1.154 + * where the "depth-first" constification tree has to halt
1.155 + * with an evil cast.
1.156 + */
1.157 +EXPORT_C int X509_cmp(const X509 *a, const X509 *b)
1.158 +{
1.159 + /* ensure hash is valid */
1.160 + X509_check_purpose((X509 *)a, -1, 0);
1.161 + X509_check_purpose((X509 *)b, -1, 0);
1.162 +
1.163 + return memcmp(a->sha1_hash, b->sha1_hash, SHA_DIGEST_LENGTH);
1.164 +}
1.165 +#endif
1.166 +
1.167 +
1.168 +/* Case insensitive string comparision */
1.169 +static int nocase_cmp(const ASN1_STRING *a, const ASN1_STRING *b)
1.170 +{
1.171 + int i;
1.172 +
1.173 + if (a->length != b->length)
1.174 + return (a->length - b->length);
1.175 +
1.176 + for (i=0; i<a->length; i++)
1.177 + {
1.178 + int ca, cb;
1.179 +
1.180 + ca = tolower(a->data[i]);
1.181 + cb = tolower(b->data[i]);
1.182 +
1.183 + if (ca != cb)
1.184 + return(ca-cb);
1.185 + }
1.186 + return 0;
1.187 +}
1.188 +
1.189 +/* Case insensitive string comparision with space normalization
1.190 + * Space normalization - ignore leading, trailing spaces,
1.191 + * multiple spaces between characters are replaced by single space
1.192 + */
1.193 +static int nocase_spacenorm_cmp(const ASN1_STRING *a, const ASN1_STRING *b)
1.194 +{
1.195 + unsigned char *pa = NULL, *pb = NULL;
1.196 + int la, lb;
1.197 +
1.198 + la = a->length;
1.199 + lb = b->length;
1.200 + pa = a->data;
1.201 + pb = b->data;
1.202 +
1.203 + /* skip leading spaces */
1.204 + while (la > 0 && isspace(*pa))
1.205 + {
1.206 + la--;
1.207 + pa++;
1.208 + }
1.209 + while (lb > 0 && isspace(*pb))
1.210 + {
1.211 + lb--;
1.212 + pb++;
1.213 + }
1.214 +
1.215 + /* skip trailing spaces */
1.216 + while (la > 0 && isspace(pa[la-1]))
1.217 + la--;
1.218 + while (lb > 0 && isspace(pb[lb-1]))
1.219 + lb--;
1.220 +
1.221 + /* compare strings with space normalization */
1.222 + while (la > 0 && lb > 0)
1.223 + {
1.224 + int ca, cb;
1.225 +
1.226 + /* compare character */
1.227 + ca = tolower(*pa);
1.228 + cb = tolower(*pb);
1.229 + if (ca != cb)
1.230 + return (ca - cb);
1.231 +
1.232 + pa++; pb++;
1.233 + la--; lb--;
1.234 +
1.235 + if (la <= 0 || lb <= 0)
1.236 + break;
1.237 +
1.238 + /* is white space next character ? */
1.239 + if (isspace(*pa) && isspace(*pb))
1.240 + {
1.241 + /* skip remaining white spaces */
1.242 + while (la > 0 && isspace(*pa))
1.243 + {
1.244 + la--;
1.245 + pa++;
1.246 + }
1.247 + while (lb > 0 && isspace(*pb))
1.248 + {
1.249 + lb--;
1.250 + pb++;
1.251 + }
1.252 + }
1.253 + }
1.254 + if (la > 0 || lb > 0)
1.255 + return la - lb;
1.256 +
1.257 + return 0;
1.258 +}
1.259 +
1.260 +static int asn1_string_memcmp(ASN1_STRING *a, ASN1_STRING *b)
1.261 + {
1.262 + int j;
1.263 + j = a->length - b->length;
1.264 + if (j)
1.265 + return j;
1.266 + return memcmp(a->data, b->data, a->length);
1.267 + }
1.268 +
1.269 +#define STR_TYPE_CMP (B_ASN1_PRINTABLESTRING|B_ASN1_T61STRING|B_ASN1_UTF8STRING)
1.270 +
1.271 +EXPORT_C int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b)
1.272 + {
1.273 + int i,j;
1.274 + X509_NAME_ENTRY *na,*nb;
1.275 +
1.276 + unsigned long nabit, nbbit;
1.277 +
1.278 + j = sk_X509_NAME_ENTRY_num(a->entries)
1.279 + - sk_X509_NAME_ENTRY_num(b->entries);
1.280 + if (j)
1.281 + return j;
1.282 + for (i=sk_X509_NAME_ENTRY_num(a->entries)-1; i>=0; i--)
1.283 + {
1.284 + na=sk_X509_NAME_ENTRY_value(a->entries,i);
1.285 + nb=sk_X509_NAME_ENTRY_value(b->entries,i);
1.286 + j=na->value->type-nb->value->type;
1.287 + if (j)
1.288 + {
1.289 + nabit = ASN1_tag2bit(na->value->type);
1.290 + nbbit = ASN1_tag2bit(nb->value->type);
1.291 + if (!(nabit & STR_TYPE_CMP) ||
1.292 + !(nbbit & STR_TYPE_CMP))
1.293 + return j;
1.294 + j = asn1_string_memcmp(na->value, nb->value);
1.295 + }
1.296 + else if (na->value->type == V_ASN1_PRINTABLESTRING)
1.297 + j=nocase_spacenorm_cmp(na->value, nb->value);
1.298 + else if (na->value->type == V_ASN1_IA5STRING
1.299 + && OBJ_obj2nid(na->object) == NID_pkcs9_emailAddress)
1.300 + j=nocase_cmp(na->value, nb->value);
1.301 + else
1.302 + j = asn1_string_memcmp(na->value, nb->value);
1.303 + if (j) return(j);
1.304 + j=na->set-nb->set;
1.305 + if (j) return(j);
1.306 + }
1.307 +
1.308 + /* We will check the object types after checking the values
1.309 + * since the values will more often be different than the object
1.310 + * types. */
1.311 + for (i=sk_X509_NAME_ENTRY_num(a->entries)-1; i>=0; i--)
1.312 + {
1.313 + na=sk_X509_NAME_ENTRY_value(a->entries,i);
1.314 + nb=sk_X509_NAME_ENTRY_value(b->entries,i);
1.315 + j=OBJ_cmp(na->object,nb->object);
1.316 + if (j) return(j);
1.317 + }
1.318 + return(0);
1.319 + }
1.320 +
1.321 +#ifndef OPENSSL_NO_MD5
1.322 +/* I now DER encode the name and hash it. Since I cache the DER encoding,
1.323 + * this is reasonably efficient. */
1.324 +EXPORT_C unsigned long X509_NAME_hash(X509_NAME *x)
1.325 + {
1.326 + unsigned long ret=0;
1.327 + unsigned char md[16];
1.328 +
1.329 + /* Make sure X509_NAME structure contains valid cached encoding */
1.330 + i2d_X509_NAME(x,NULL);
1.331 + EVP_Digest(x->bytes->data, x->bytes->length, md, NULL, EVP_md5(), NULL);
1.332 +
1.333 + ret=( ((unsigned long)md[0] )|((unsigned long)md[1]<<8L)|
1.334 + ((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L)
1.335 + )&0xffffffffL;
1.336 + return(ret);
1.337 + }
1.338 +#endif
1.339 +
1.340 +/* Search a stack of X509 for a match */
1.341 +EXPORT_C X509 *X509_find_by_issuer_and_serial(STACK_OF(X509) *sk, X509_NAME *name,
1.342 + ASN1_INTEGER *serial)
1.343 + {
1.344 + int i;
1.345 + X509_CINF cinf;
1.346 + X509 x,*x509=NULL;
1.347 +
1.348 + if(!sk) return NULL;
1.349 +
1.350 + x.cert_info= &cinf;
1.351 + cinf.serialNumber=serial;
1.352 + cinf.issuer=name;
1.353 +
1.354 + for (i=0; i<sk_X509_num(sk); i++)
1.355 + {
1.356 + x509=sk_X509_value(sk,i);
1.357 + if (X509_issuer_and_serial_cmp(x509,&x) == 0)
1.358 + return(x509);
1.359 + }
1.360 + return(NULL);
1.361 + }
1.362 +
1.363 +EXPORT_C X509 *X509_find_by_subject(STACK_OF(X509) *sk, X509_NAME *name)
1.364 + {
1.365 + X509 *x509;
1.366 + int i;
1.367 +
1.368 + for (i=0; i<sk_X509_num(sk); i++)
1.369 + {
1.370 + x509=sk_X509_value(sk,i);
1.371 + if (X509_NAME_cmp(X509_get_subject_name(x509),name) == 0)
1.372 + return(x509);
1.373 + }
1.374 + return(NULL);
1.375 + }
1.376 +
1.377 +EXPORT_C EVP_PKEY *X509_get_pubkey(X509 *x)
1.378 + {
1.379 + if ((x == NULL) || (x->cert_info == NULL))
1.380 + return(NULL);
1.381 + return(X509_PUBKEY_get(x->cert_info->key));
1.382 + }
1.383 +
1.384 +EXPORT_C ASN1_BIT_STRING *X509_get0_pubkey_bitstr(const X509 *x)
1.385 + {
1.386 + if(!x) return NULL;
1.387 + return x->cert_info->key->public_key;
1.388 + }
1.389 +
1.390 +EXPORT_C int X509_check_private_key(X509 *x, EVP_PKEY *k)
1.391 + {
1.392 + EVP_PKEY *xk=NULL;
1.393 + int ok=0;
1.394 +
1.395 + xk=X509_get_pubkey(x);
1.396 + switch (EVP_PKEY_cmp(xk, k))
1.397 + {
1.398 + case 1:
1.399 + ok=1;
1.400 + break;
1.401 + case 0:
1.402 + X509err(X509_F_X509_CHECK_PRIVATE_KEY,X509_R_KEY_VALUES_MISMATCH);
1.403 + break;
1.404 + case -1:
1.405 + X509err(X509_F_X509_CHECK_PRIVATE_KEY,X509_R_KEY_TYPE_MISMATCH);
1.406 + break;
1.407 + case -2:
1.408 +#ifndef OPENSSL_NO_EC
1.409 + if (k->type == EVP_PKEY_EC)
1.410 + {
1.411 + X509err(X509_F_X509_CHECK_PRIVATE_KEY, ERR_R_EC_LIB);
1.412 + break;
1.413 + }
1.414 +#endif
1.415 +#ifndef OPENSSL_NO_DH
1.416 + if (k->type == EVP_PKEY_DH)
1.417 + {
1.418 + /* No idea */
1.419 + X509err(X509_F_X509_CHECK_PRIVATE_KEY,X509_R_CANT_CHECK_DH_KEY);
1.420 + break;
1.421 + }
1.422 +#endif
1.423 + X509err(X509_F_X509_CHECK_PRIVATE_KEY,X509_R_UNKNOWN_KEY_TYPE);
1.424 + }
1.425 +
1.426 + EVP_PKEY_free(xk);
1.427 + return(ok);
1.428 + }