Commit graph

124 commits

Author SHA1 Message Date
Manuel Pégourié-Gonnard d4ec21dd47 Add a check for multiple curve specification 2013-07-08 17:32:26 +02:00
Manuel Pégourié-Gonnard 80300ad0d9 Add checks for pk_alg.
Used to be implicitly done by oid_get_pk_alg().
2013-07-08 17:32:26 +02:00
Manuel Pégourié-Gonnard 9c1cf459dd Implement x509parse_key_pkcs8_encrypted_der_ec() 2013-07-08 17:32:26 +02:00
Manuel Pégourié-Gonnard a5d9974423 Split up x509_parse_pkcs8_encrypted_der() 2013-07-08 17:32:26 +02:00
Manuel Pégourié-Gonnard 416fa8fde5 Implement x509parse_key_pkcs8_unencrypted_der_ec() 2013-07-08 17:32:26 +02:00
Manuel Pégourié-Gonnard e366342233 Implement x509parse_key_sec1_der() 2013-07-08 17:32:26 +02:00
Manuel Pégourié-Gonnard 15e8b82724 Fill in x509parse_key_ec using stub function 2013-07-08 17:32:26 +02:00
Manuel Pégourié-Gonnard 73c0cda346 Complete x509parse_public_key_ec()
Warning: due to a bug in oid_descriptor_from_buf(), keys associated to some
curves (secp224r1, secp384r1, secp521r1) are incorrectly rejected,
since their namedCurve OID contains a nul byte.
2013-07-08 17:32:26 +02:00
Manuel Pégourié-Gonnard f838eeda09 Add x509_get_ecparams() 2013-07-08 17:32:26 +02:00
Manuel Pégourié-Gonnard 444b42710a Optionally allow parameters in x509_get_tag() 2013-07-08 17:32:26 +02:00
Manuel Pégourié-Gonnard 26833c2fc6 Add stubs for x509parse_key_ec and co. 2013-07-08 15:31:19 +02:00
Manuel Pégourié-Gonnard 4250a1f818 Fix a comment and some whitespace 2013-07-08 15:31:18 +02:00
Manuel Pégourié-Gonnard ba4878aa64 Rename x509parse_key & co with _rsa suffix 2013-07-08 15:31:18 +02:00
Paul Bakker fa9b10050b Also compiles / runs without time-based functions in OS
Can now run without need of time() / localtime() and gettimeofday()
2013-07-03 17:22:32 +02:00
Paul Bakker 6e339b52e8 Memory-allocation abstraction layer and buffer-based allocator added 2013-07-03 17:22:31 +02:00
Paul Bakker e5bffc319d Removed redundant includes 2013-06-30 14:53:06 +02:00
Paul Bakker d2681d82e2 Renamed sha2.{c,h} to sha256.{c,h} and sha4.{c,h} to sha512.{c,h} 2013-06-30 14:49:12 +02:00
Paul Bakker 9e36f0475f SHA2 renamed to SHA256, SHA4 renamed to SHA512 and functions accordingly
The SHA4 name was not clear with regards to the new SHA-3 standard. So
SHA2 and SHA4 have been renamed to better represent what they are:
SHA256 and SHA512 modules.
2013-06-30 14:34:05 +02:00
Paul Bakker f8d018a274 Made asn1_get_alg() and asn1_get_alg_null() as generic functions
A generic function for retrieving the AlgorithmIdentifier structure with
its parameters and adapted X509, PKCS#5 and PKCS#12 to use them.
2013-06-29 18:35:40 +02:00
Paul Bakker 7749a22974 Moved PKCS#12 cipher layer based PBE detection to use OID database 2013-06-29 18:32:16 +02:00
Paul Bakker b6c5d2e1a6 Cleanup up non-prototyped functions (static) and const-correctness
More fixes based on the compiler directives -Wcast-qual -Wwrite-strings
-Wmissing-prototypes -Wmissing-declarations. Not everything with regards
to -Wcast-qual has been fixed as some have unwanted consequences for the
rest of the code.
2013-06-25 16:25:17 +02:00
Paul Bakker bda7cb76fa Fixed minor comment typo
(cherry picked from commit da7fdbd534)
2013-06-25 15:06:54 +02:00
Paul Bakker 38b50d73a1 Moved PKCS#12 PBE functions to cipher / md layer where possible
The 3-key and 2-key Triple DES PBE functions have been replaced with a
single pkcs12_pbe() function that handles both situations (and more).

In addition this allows for some PASSWORD_MISMATCH checking
(cherry picked from commit 14a222cef2)
2013-06-25 15:06:53 +02:00
Paul Bakker a4232a7ccb x509parse_crt() and x509parse_crt_der() return X509 password related codes
POLARSSL_ERR_X509_PASSWORD_MISMATCH is returned instead of
POLARSSL_ERR_PEM_PASSWORD_MISMATCH and
POLARSSL_ERR_X509_PASSWORD_REQUIRED instead of
POLARSSL_ERR_PEM_PASSWORD_REQUIRED

Rationale: For PKCS#8 encrypted keys the same are returned
(cherry picked from commit b495d3a2c7)
2013-06-25 15:06:53 +02:00
Paul Bakker 72823091c2 Removed redundant free()s
(cherry picked from commit 1fc7dfe2e2)
2013-06-25 15:06:53 +02:00
Paul Bakker 28144decef PKCS#5 v2 PBES2 support and use in PKCS#8 encrypted certificates
The error code POLARSSL_ERR_X509_PASSWORD_MISMATCH is now properly
returned in case of an encryption failure in the padding. The
POLARSSL_ERR_X509_PASSWORD_REQUIRED error code is only returned for PEM
formatted private keys as for DER formatted ones it is impossible to
distinguish if a DER blob is PKCS#8 encrypted or not.
(cherry picked from commit 1fd4321ba2)

Conflicts:
	include/polarssl/error.h
	scripts/generate_errors.pl
2013-06-25 15:06:52 +02:00
Paul Bakker 2c8cdd201f x509parse_crtpath() is now reentrant and uses more portable stat()
Moved from readdir() to readdir_r() and use stat instead of the less
portable d_type from struct dirent.
(cherry picked from commit cbfcaa9206)
2013-06-25 15:06:51 +02:00
Paul Bakker 42c6581110 Changed x509parse_crt_der() to support adding to chain.
Removed chain functionality from x509parse_crt() as x509parse_crt_der()
now handles that much cleaner.
(cherry picked from commit d6d4109adc)
2013-06-25 15:06:51 +02:00
Paul Bakker f1f21fe825 Parsing of PKCS#8 encrypted private key files added and PKCS#12 basis
PKCS#8 encrypted key file support has been added to x509parse_key() with
support for some PCKS#12 PBE functions (pbeWithSHAAnd128BitRC4,
pbeWithSHAAnd3-KeyTripleDES-CBC and pbeWithSHAAnd2-KeyTripleDES-CBC)
(cherry picked from commit cf6e95d9a8)

Conflicts:
	scripts/generate_errors.pl
2013-06-25 15:06:51 +02:00
Paul Bakker e2f5040876 Internally split up x509parse_key()
Split up x509parse_key() into a (PEM) handler function and specific
DER parser functions for the PKCS#1 (x509parse_key_pkcs1_der()) and
unencrypted PKCS#8 (x509parse_key_pkcs8_unencrypted_der()) private
key formats.
(cherry picked from commit 65a1909dc6)

Conflicts:
	library/x509parse.c
2013-06-25 15:06:50 +02:00
Paul Bakker 5ed3b34e22 x509parse_crt() now better handles PEM error situations
Because of new pem_read_buffer() handling of when it writes use_len,
x509parse_crt() is able to better handle situations where a PEM blob
results in an error but the other blobs can still be parsed.
(cherry picked from commit 6417186365)
2013-06-24 19:09:25 +02:00
Paul Bakker 00b2860e8d pem_read_buffer() already update use_len after header and footer are read
After header and footer are read, pem_read_buffer() is able to determine
the length of input data used. This allows calling functions to skip
this PEM bit if an error occurs during its parsing.
(cherry picked from commit 9255e8300e)
2013-06-24 19:09:25 +02:00
Paul Bakker 3c2122ff9d Fixed const correctness issues that have no impact on the ABI
(cherry picked from commit eae09db9e5)

Conflicts:
	library/gcm.c
2013-06-24 19:09:24 +02:00
Paul Bakker f6a19bd728 Possible resource leak on FILE* removed in X509 parse 2013-05-14 13:26:51 +02:00
Paul Bakker c70b982056 OID functionality moved to a separate module.
A new OID module has been created that contains the main OID searching
functionality based on type-dependent arrays. A base type is used to
contain the basic values (oid_descriptor_t) and that type is extended to
contain type specific information (like a pk_alg_t).

As a result the rsa sign and verify function prototypes have changed. They
now expect a md_type_t identifier instead of the removed RSA_SIG_XXX
defines.

All OID definitions have been moved to oid.h
All OID matching code is in the OID module.

The RSA PKCS#1 functions cleaned up as a result and adapted to use the
MD layer.

The SSL layer cleanup up as a result and adapted to use the MD layer.

The X509 parser cleaned up and matches OIDs in certificates with new
module and adapted to use the MD layer.

The X509 writer cleaned up and adapted to use the MD layer.

Apps and tests modified accordingly
2013-04-07 22:00:46 +02:00
Paul Bakker 2ca8ad10a1 Made x509parse.c also work with missing hash header files 2013-02-19 13:17:38 +01:00
Paul Bakker 3497d8c7bf Do not check sig on trust-ca (might not be top) 2012-11-24 11:53:17 +01:00
Paul Bakker 9a73632fd9 - Merged changesets 1399 up to and including 1415 into 1.2 branch 2012-11-14 12:39:52 +00:00
Paul Bakker 97872aceb6 - Merged 1397 in branch for 1.2 2012-11-02 12:53:26 +00:00
Paul Bakker 4a2bd0da0f - Merged fixes 1394 and 1395 from trunk to PolarSSL 1.2 branch 2012-11-02 11:06:08 +00:00
Paul Bakker 3338b792da - Fixed WIN32 version of x509parse_crtpath() 2012-10-01 21:13:10 +00:00
Paul Bakker 5c2364c2ba - Moved from unsigned long to uint32_t throughout code 2012-10-01 14:41:15 +00:00
Paul Bakker 915275ba78 - Revamped x509_verify() and the SSL f_vrfy callback implementations 2012-09-28 07:10:55 +00:00
Paul Bakker b00ca42f2a - Handle existence of OpenSSL Trust Extensions at end of X.509 DER blob 2012-09-25 12:10:00 +00:00
Paul Bakker 94a6796179 - Correctly handle MS certificate's key usage bits 2012-08-23 13:03:52 +00:00
Paul Bakker 535e97dbab - Better checking for reading over buffer boundaries
- Zeroize altSubjectName chain memory before use
2012-08-23 10:49:55 +00:00
Paul Bakker cefb396a77 - Handle empty certificate subject names 2012-06-27 11:51:09 +00:00
Paul Bakker e4791f3936 - Bugfix for Windows in cert path handling 2012-06-04 21:29:15 +00:00
Paul Bakker 8d914583f3 - Added X509 CA Path support 2012-06-04 12:46:42 +00:00
Paul Bakker 4d2c1243b1 - Changed certificate verify behaviour to comply with RFC 6125 section 6.3 to not match CN if subjectAltName extension is present. 2012-05-10 14:12:46 +00:00