oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

Sprinkle setting error strings.

Browse Source 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@17399 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Love Hörnquist Åstrand
2006-05-01 15:24:51 +00:00
parent 0e0680efba
commit e6b5883e02
1 changed files with 119 additions and 42 deletions
Download Patch File Download Diff File Expand all files Collapse all files

161
lib/hx509/cert.c
View File

@@ -684,18 +684,19 @@ subject_null_p(const Certificate *c)
} }
static hx509_cert static int
find_parent(hx509_context context, find_parent(hx509_context context,
hx509_certs trust_anchors, hx509_certs trust_anchors,
hx509_path *path, hx509_path *path,
hx509_certs pool, hx509_certs pool,
hx509_cert current) hx509_cert current,
hx509_cert *parent)
{ {
AuthorityKeyIdentifier ai; AuthorityKeyIdentifier ai;
hx509_query q; hx509_query q;
hx509_cert c;
int ret; int ret;
*parent = NULL;
memset(&ai, 0, sizeof(ai)); memset(&ai, 0, sizeof(ai));
_hx509_query_clear(&q); _hx509_query_clear(&q);
@@ -705,12 +706,18 @@ find_parent(hx509_context context,
q.subject = _hx509_get_cert(current); q.subject = _hx509_get_cert(current);
} else { } else {
ret = find_extension_auth_key_id(current->data, &ai); ret = find_extension_auth_key_id(current->data, &ai);
if (ret) if (ret) {
return NULL; hx509_set_error_string(context, 0, HX509_CERTIFICATE_MALFORMED,
"Subjectless certificate missing AuthKeyID");
return HX509_CERTIFICATE_MALFORMED;
}
if (ai.keyIdentifier == NULL) { if (ai.keyIdentifier == NULL) {
free_AuthorityKeyIdentifier(&ai); free_AuthorityKeyIdentifier(&ai);
return NULL; hx509_set_error_string(context, 0, HX509_CERTIFICATE_MALFORMED,
"Subjectless certificate missing keyIdentifier "
"inside AuthKeyID");
return HX509_CERTIFICATE_MALFORMED;
} }
q.subject_id = ai.keyIdentifier; q.subject_id = ai.keyIdentifier;
@@ -721,10 +728,10 @@ find_parent(hx509_context context,
q.match |= HX509_QUERY_NO_MATCH_PATH; q.match |= HX509_QUERY_NO_MATCH_PATH;
if (pool) { if (pool) {
ret = hx509_certs_find(context, pool, &q, &c); ret = hx509_certs_find(context, pool, &q, parent);
if (ret == 0) { if (ret == 0) {
free_AuthorityKeyIdentifier(&ai); free_AuthorityKeyIdentifier(&ai);
return c; return 0;
} }
} }
@@ -733,14 +740,37 @@ find_parent(hx509_context context,
* KeyUsage.KeyCertSign * KeyUsage.KeyCertSign
*/ */
q.match |= HX509_QUERY_KU_KEYCERTSIGN; q.match |= HX509_QUERY_KU_KEYCERTSIGN;
ret = hx509_certs_find(context, trust_anchors, &q, &c); ret = hx509_certs_find(context, trust_anchors, &q, parent);
if (ret == 0) { if (ret == 0) {
free_AuthorityKeyIdentifier(&ai); free_AuthorityKeyIdentifier(&ai);
return c; return ret;
} }
free_AuthorityKeyIdentifier(&ai); free_AuthorityKeyIdentifier(&ai);
return NULL;
{
hx509_name name;
char *str;
int ret;
ret = hx509_cert_get_subject(current, &name);
if (ret) {
hx509_clear_error_string(context);
return HX509_ISSUER_NOT_FOUND;
}
ret = hx509_name_to_string(name, &str);
hx509_name_free(&name);
if (ret) {
hx509_clear_error_string(context);
return HX509_ISSUER_NOT_FOUND;
}
hx509_set_error_string(context, 0, HX509_ISSUER_NOT_FOUND,
"Failed to find issuer for"
"certificate with subject: %s", str);
free(str);
}
return HX509_ISSUER_NOT_FOUND;
} }
/* /*
@@ -748,7 +778,7 @@ find_parent(hx509_context context,
*/ */
static int static int
is_proxy_cert(const Certificate *cert, ProxyCertInfo *rinfo) is_proxy_cert(hx509_context context, const Certificate *cert, ProxyCertInfo *rinfo)
{ {
ProxyCertInfo info; ProxyCertInfo info;
const Extension *e; const Extension *e;
@@ -759,17 +789,22 @@ is_proxy_cert(const Certificate *cert, ProxyCertInfo *rinfo)
memset(rinfo, 0, sizeof(*rinfo)); memset(rinfo, 0, sizeof(*rinfo));
e = find_extension(cert, oid_id_pe_proxyCertInfo(), &i); e = find_extension(cert, oid_id_pe_proxyCertInfo(), &i);
if (e == NULL) if (e == NULL) {
hx509_clear_error_string(context);
return HX509_EXTENSION_NOT_FOUND; return HX509_EXTENSION_NOT_FOUND;
}
ret = decode_ProxyCertInfo(e->extnValue.data, ret = decode_ProxyCertInfo(e->extnValue.data,
e->extnValue.length, e->extnValue.length,
&info, &info,
&size); &size);
if (ret) if (ret) {
hx509_clear_error_string(context);
return ret; return ret;
}
if (size != e->extnValue.length) { if (size != e->extnValue.length) {
free_ProxyCertInfo(&info); free_ProxyCertInfo(&info);
hx509_clear_error_string(context);
return HX509_EXTRA_DATA_AFTER_STRUCTURE; return HX509_EXTRA_DATA_AFTER_STRUCTURE;
} }
if (rinfo) if (rinfo)
@@ -784,12 +819,14 @@ is_proxy_cert(const Certificate *cert, ProxyCertInfo *rinfo)
*/ */
int int
_hx509_path_append(hx509_path *path, hx509_cert cert) _hx509_path_append(hx509_context context, hx509_path *path, hx509_cert cert)
{ {
hx509_cert *val; hx509_cert *val;
val = realloc(path->val, (path->len + 1) * sizeof(path->val[0])); val = realloc(path->val, (path->len + 1) * sizeof(path->val[0]));
if (val == NULL) if (val == NULL) {
hx509_set_error_string(context, 0, ENOMEM, "out of memory");
return ENOMEM; return ENOMEM;
}
path->val = val; path->val = val;
path->val[path->len] = hx509_cert_ref(cert); path->val[path->len] = hx509_cert_ref(cert);
@@ -836,7 +873,7 @@ _hx509_calculate_path(hx509_context context,
if (max_depth == 0) if (max_depth == 0)
max_depth = HX509_VERIFY_MAX_DEPTH; max_depth = HX509_VERIFY_MAX_DEPTH;
ret = _hx509_path_append(path, cert); ret = _hx509_path_append(context, path, cert);
if (ret) if (ret)
return ret; return ret;
@@ -844,19 +881,22 @@ _hx509_calculate_path(hx509_context context,
while (!certificate_is_anchor(context, trust_anchors, current)) { while (!certificate_is_anchor(context, trust_anchors, current)) {
parent = find_parent(context, trust_anchors, path, pool, current); ret = find_parent(context, trust_anchors, path, pool, current, &parent);
hx509_cert_free(current); hx509_cert_free(current);
if (parent == NULL) if (ret)
return HX509_ISSUER_NOT_FOUND; return ret;
ret = _hx509_path_append(path, parent); ret = _hx509_path_append(context, path, parent);
if (ret) if (ret)
return ret; return ret;
current = parent; current = parent;
if (path->len > max_depth) if (path->len > max_depth) {
hx509_set_error_string(context, 0, HX509_PATH_TOO_LONG,
"Path too long while bulding certificate chain");
return HX509_PATH_TOO_LONG; return HX509_PATH_TOO_LONG;
} }
}
hx509_cert_free(current); hx509_cert_free(current);
return 0; return 0;
} }
@@ -922,7 +962,7 @@ hx509_cert_get_base_subject(hx509_context context, hx509_cert c, hx509_name *nam
{ {
if (c->basename) if (c->basename)
return hx509_name_copy(context, c->basename, name); return hx509_name_copy(context, c->basename, name);
if (is_proxy_cert(c->data, NULL) == 0) if (is_proxy_cert(context, c->data, NULL) == 0)
return EINVAL; /* XXX */ return EINVAL; /* XXX */
return _hx509_name_from_Name(&c->data->tbsCertificate.subject, name); return _hx509_name_from_Name(&c->data->tbsCertificate.subject, name);
} }
@@ -995,7 +1035,7 @@ init_name_constraints(hx509_name_constraints *nc)
} }
static int static int
add_name_constraints(const Certificate *c, int not_ca, add_name_constraints(hx509_context context, const Certificate *c, int not_ca,
hx509_name_constraints *nc) hx509_name_constraints *nc)
{ {
NameConstraints tnc; NameConstraints tnc;
@@ -1004,21 +1044,27 @@ add_name_constraints(const Certificate *c, int not_ca,
ret = find_extension_name_constraints(c, &tnc); ret = find_extension_name_constraints(c, &tnc);
if (ret == HX509_EXTENSION_NOT_FOUND) if (ret == HX509_EXTENSION_NOT_FOUND)
return 0; return 0;
else if (ret) else if (ret) {
hx509_set_error_string(context, 0, ret, "Failed getting NameConstraints");
return ret; return ret;
else if (not_ca) { } else if (not_ca) {
ret = HX509_VERIFY_CONSTRAINTS; ret = HX509_VERIFY_CONSTRAINTS;
hx509_set_error_string(context, 0, ret, "Not a CA and "
"have NameConstraints");
} else { } else {
NameConstraints *val; NameConstraints *val;
val = realloc(nc->val, sizeof(nc->val[0]) * (nc->len + 1)); val = realloc(nc->val, sizeof(nc->val[0]) * (nc->len + 1));
if (val == NULL) { if (val == NULL) {
hx509_clear_error_string(context);
ret = ENOMEM; ret = ENOMEM;
goto out; goto out;
} }
nc->val = val; nc->val = val;
ret = copy_NameConstraints(&tnc, &nc->val[nc->len]); ret = copy_NameConstraints(&tnc, &nc->val[nc->len]);
if (ret) if (ret) {
hx509_clear_error_string(context);
goto out; goto out;
}
nc->len += 1; nc->len += 1;
} }
out: out:
@@ -1219,7 +1265,8 @@ match_tree(const GeneralSubtrees *t, const Certificate *c, int *match)
} }
static int static int
check_name_constraints(const hx509_name_constraints *nc, check_name_constraints(hx509_context context,
const hx509_name_constraints *nc,
const Certificate *c) const Certificate *c)
{ {
int match, ret; int match, ret;
@@ -1231,21 +1278,29 @@ check_name_constraints(const hx509_name_constraints *nc,
if (nc->val[i].permittedSubtrees) { if (nc->val[i].permittedSubtrees) {
GeneralSubtrees_SET(&gs, nc->val[i].permittedSubtrees); GeneralSubtrees_SET(&gs, nc->val[i].permittedSubtrees);
ret = match_tree(&gs, c, &match); ret = match_tree(&gs, c, &match);
if (ret) if (ret) {
hx509_clear_error_string(context);
return ret; return ret;
}
/* allow null subjectNames, they wont matches anything */ /* allow null subjectNames, they wont matches anything */
if (match == 0 && !subject_null_p(c)) if (match == 0 && !subject_null_p(c)) {
hx509_clear_error_string(context);
return HX509_VERIFY_CONSTRAINTS; return HX509_VERIFY_CONSTRAINTS;
} }
}
if (nc->val[i].excludedSubtrees) { if (nc->val[i].excludedSubtrees) {
GeneralSubtrees_SET(&gs, nc->val[i].excludedSubtrees); GeneralSubtrees_SET(&gs, nc->val[i].excludedSubtrees);
ret = match_tree(&gs, c, &match); ret = match_tree(&gs, c, &match);
if (ret) if (ret) {
hx509_clear_error_string(context);
return ret; return ret;
if (match) }
if (match) {
hx509_clear_error_string(context);
return HX509_VERIFY_CONSTRAINTS; return HX509_VERIFY_CONSTRAINTS;
} }
} }
}
return 0; return 0;
} }
@@ -1334,7 +1389,7 @@ hx509_verify_path(hx509_context context,
case PROXY_CERT: { case PROXY_CERT: {
ProxyCertInfo info; ProxyCertInfo info;
if (is_proxy_cert(c, &info) == 0) { if (is_proxy_cert(context, c, &info) == 0) {
Name name; Name name;
int j; int j;
@@ -1342,6 +1397,7 @@ hx509_verify_path(hx509_context context,
*info.pCPathLenConstraint < i + 1) *info.pCPathLenConstraint < i + 1)
{ {
free_ProxyCertInfo(&info); free_ProxyCertInfo(&info);
hx509_clear_error_string(context);
ret = HX509_PATH_TOO_LONG; ret = HX509_PATH_TOO_LONG;
goto out; goto out;
} }
@@ -1349,6 +1405,7 @@ hx509_verify_path(hx509_context context,
j = 0; j = 0;
if (find_extension(c, oid_id_x509_ce_subjectAltName(), &j)) { if (find_extension(c, oid_id_x509_ce_subjectAltName(), &j)) {
free_ProxyCertInfo(&info); free_ProxyCertInfo(&info);
hx509_clear_error_string(context);
ret = HX509_PROXY_CERT_INVALID; ret = HX509_PROXY_CERT_INVALID;
goto out; goto out;
} }
@@ -1356,6 +1413,7 @@ hx509_verify_path(hx509_context context,
j = 0; j = 0;
if (find_extension(c, oid_id_x509_ce_issuerAltName(), &j)) { if (find_extension(c, oid_id_x509_ce_issuerAltName(), &j)) {
free_ProxyCertInfo(&info); free_ProxyCertInfo(&info);
hx509_clear_error_string(context);
ret = HX509_PROXY_CERT_INVALID; ret = HX509_PROXY_CERT_INVALID;
goto out; goto out;
} }
@@ -1369,6 +1427,7 @@ hx509_verify_path(hx509_context context,
ret = copy_Name(&c->tbsCertificate.subject, &name); ret = copy_Name(&c->tbsCertificate.subject, &name);
if (ret) { if (ret) {
hx509_clear_error_string(context);
free_ProxyCertInfo(&info); free_ProxyCertInfo(&info);
goto out; goto out;
} }
@@ -1380,6 +1439,7 @@ hx509_verify_path(hx509_context context,
oid_id_at_commonName())) oid_id_at_commonName()))
{ {
free_ProxyCertInfo(&info); free_ProxyCertInfo(&info);
hx509_clear_error_string(context);
ret = HX509_PROXY_CERT_NAME_WRONG; ret = HX509_PROXY_CERT_NAME_WRONG;
goto out; goto out;
} }
@@ -1392,6 +1452,7 @@ hx509_verify_path(hx509_context context,
free_Name(&name); free_Name(&name);
if (ret) { if (ret) {
free_ProxyCertInfo(&info); free_ProxyCertInfo(&info);
hx509_clear_error_string(context);
ret = HX509_PROXY_CERT_NAME_WRONG; ret = HX509_PROXY_CERT_NAME_WRONG;
goto out; goto out;
} }
@@ -1413,16 +1474,19 @@ hx509_verify_path(hx509_context context,
&c->tbsCertificate.subject); &c->tbsCertificate.subject);
if (ret) { if (ret) {
ret = HX509_PROXY_CERT_NAME_WRONG; ret = HX509_PROXY_CERT_NAME_WRONG;
hx509_clear_error_string(context);
goto out; goto out;
} }
if (cert->basename) if (cert->basename)
hx509_name_free(&cert->basename); hx509_name_free(&cert->basename);
ret = _hx509_name_from_Name(&proxy_issuer, &cert->basename); ret = _hx509_name_from_Name(&proxy_issuer, &cert->basename);
if (ret) if (ret) {
hx509_clear_error_string(context);
goto out; goto out;
} }
} }
}
type = EE_CERT; type = EE_CERT;
/* FALLTHOUGH */ /* FALLTHOUGH */
} }
@@ -1437,11 +1501,13 @@ hx509_verify_path(hx509_context context,
t = _hx509_Time2time_t(&c->tbsCertificate.validity.notBefore); t = _hx509_Time2time_t(&c->tbsCertificate.validity.notBefore);
if (t > ctx->time_now) { if (t > ctx->time_now) {
ret = HX509_CERT_USED_BEFORE_TIME; ret = HX509_CERT_USED_BEFORE_TIME;
hx509_clear_error_string(context);
goto out; goto out;
} }
t = _hx509_Time2time_t(&c->tbsCertificate.validity.notAfter); t = _hx509_Time2time_t(&c->tbsCertificate.validity.notAfter);
if (t < ctx->time_now) { if (t < ctx->time_now) {
ret = HX509_CERT_USED_AFTER_TIME; ret = HX509_CERT_USED_AFTER_TIME;
hx509_clear_error_string(context);
goto out; goto out;
} }
@@ -1466,6 +1532,7 @@ hx509_verify_path(hx509_context context,
/* XXX this is wrong */ /* XXX this is wrong */
ret = alg_cmp(&c->tbsCertificate.signature, alg_id); ret = alg_cmp(&c->tbsCertificate.signature, alg_id);
if (ret) { if (ret) {
hx509_clear_error_string(context);
ret = HX509_PATH_ALGORITHM_CHANGED; ret = HX509_PATH_ALGORITHM_CHANGED;
goto out; goto out;
} }
@@ -1473,11 +1540,12 @@ hx509_verify_path(hx509_context context,
/* verify name constraints, not for selfsigned and anchor */ /* verify name constraints, not for selfsigned and anchor */
if (!certificate_is_self_signed(c) || i == path.len - 1) { if (!certificate_is_self_signed(c) || i == path.len - 1) {
ret = check_name_constraints(&nc, c); ret = check_name_constraints(context, &nc, c);
if (ret) if (ret) {
goto out; goto out;
} }
ret = add_name_constraints(c, i == 0, &nc); }
ret = add_name_constraints(context, c, i == 0, &nc);
if (ret) if (ret)
goto out; goto out;
@@ -1561,7 +1629,9 @@ hx509_verify_path(hx509_context context,
&c->tbsCertificate._save, &c->tbsCertificate._save,
&c->signatureValue); &c->signatureValue);
if (ret) { if (ret) {
break; hx509_set_error_string(context, 0, ret,
"Failed to verify signature of certificate");
goto out;
} }
} }
@@ -1597,7 +1667,9 @@ hx509_verify_hostname(hx509_context context,
} }
int int
_hx509_set_cert_attribute(hx509_cert cert, const heim_oid *oid, _hx509_set_cert_attribute(hx509_context context,
hx509_cert cert,
const heim_oid *oid,
const heim_octet_string *attr) const heim_octet_string *attr)
{ {
hx509_cert_attribute a; hx509_cert_attribute a;
@@ -1608,8 +1680,10 @@ _hx509_set_cert_attribute(hx509_cert cert, const heim_oid *oid,
d = realloc(cert->attrs.val, d = realloc(cert->attrs.val,
sizeof(cert->attrs.val[0]) * (cert->attrs.len + 1)); sizeof(cert->attrs.val[0]) * (cert->attrs.len + 1));
if (d == NULL) if (d == NULL) {
hx509_clear_error_string(context);
return ENOMEM; return ENOMEM;
}
cert->attrs.val = d; cert->attrs.val = d;
a = malloc(sizeof(*a)); a = malloc(sizeof(*a));
@@ -1875,8 +1949,10 @@ hx509_cert_check_eku(hx509_context context, hx509_cert cert,
int ret, i; int ret, i;
ret = find_extension_eku(_hx509_get_cert(cert), &e); ret = find_extension_eku(_hx509_get_cert(cert), &e);
if (ret) if (ret) {
hx509_clear_error_string(context);
return ret; return ret;
}
for (i = 0; i < e.len; i++) { for (i = 0; i < e.len; i++) {
if (heim_oid_cmp(eku, &e.val[i]) == 0) { if (heim_oid_cmp(eku, &e.val[i]) == 0) {
@@ -1893,5 +1969,6 @@ hx509_cert_check_eku(hx509_context context, hx509_cert cert,
} }
} }
free_ExtKeyUsage(&e); free_ExtKeyUsage(&e);
return -1; hx509_clear_error_string(context);
return HX509_CERTIFICATE_MISSING_EKU;
} }