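Lines matching references to `cert`. Each entry gives the source line number, the matching line, and the enclosing function; lines that declare `cert` are tagged `argument` or `local`. Only lines that mention `cert` are listed, so checks on the intervening lines, such as length validation before a copy, do not appear in this view.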

45 void x509_certificate_free(struct x509_certificate *cert)  in x509_certificate_free()  argument
47 if (cert == NULL) in x509_certificate_free()
49 if (cert->next) { in x509_certificate_free()
52 cert, cert->next); in x509_certificate_free()
54 x509_free_name(&cert->issuer); in x509_certificate_free()
55 x509_free_name(&cert->subject); in x509_certificate_free()
56 os_free(cert->public_key); in x509_certificate_free()
57 os_free(cert->sign_value); in x509_certificate_free()
58 os_free(cert->subject_dn); in x509_certificate_free()
59 os_free(cert); in x509_certificate_free()
67 void x509_certificate_chain_free(struct x509_certificate *cert) in x509_certificate_chain_free() argument
71 while (cert) { in x509_certificate_chain_free()
72 next = cert->next; in x509_certificate_chain_free()
73 cert->next = NULL; in x509_certificate_chain_free()
74 x509_certificate_free(cert); in x509_certificate_chain_free()
75 cert = next; in x509_certificate_chain_free()
217 struct x509_certificate *cert, in x509_parse_public_key() argument
247 &cert->public_key_alg, &pos)) in x509_parse_public_key()
270 os_free(cert->public_key); in x509_parse_public_key()
271 cert->public_key = os_memdup(pos + 1, hdr.length - 1); in x509_parse_public_key()
272 if (cert->public_key == NULL) { in x509_parse_public_key()
277 cert->public_key_len = hdr.length - 1; in x509_parse_public_key()
279 cert->public_key, cert->public_key_len); in x509_parse_public_key()
687 struct x509_certificate *cert, const u8 **next) in x509_parse_validity() argument
720 &cert->not_before) < 0) { in x509_parse_validity()
732 &cert->not_after) < 0) { in x509_parse_validity()
739 (unsigned long) cert->not_before, in x509_parse_validity()
740 (unsigned long) cert->not_after); in x509_parse_validity()
765 static int x509_parse_ext_key_usage(struct x509_certificate *cert, in x509_parse_ext_key_usage() argument
789 cert->extensions_present |= X509_EXT_KEY_USAGE; in x509_parse_ext_key_usage()
790 cert->key_usage = asn1_bit_string_to_long(hdr.payload, hdr.length); in x509_parse_ext_key_usage()
792 wpa_printf(MSG_DEBUG, "X509: KeyUsage 0x%lx", cert->key_usage); in x509_parse_ext_key_usage()
798 static int x509_parse_ext_basic_constraints(struct x509_certificate *cert, in x509_parse_ext_basic_constraints() argument
818 cert->extensions_present |= X509_EXT_BASIC_CONSTRAINTS; in x509_parse_ext_basic_constraints()
831 cert->ca = hdr.payload[0]; in x509_parse_ext_basic_constraints()
837 cert->ca); in x509_parse_ext_basic_constraints()
862 cert->path_len_constraint = value; in x509_parse_ext_basic_constraints()
863 cert->extensions_present |= X509_EXT_PATH_LEN_CONSTRAINT; in x509_parse_ext_basic_constraints()
867 cert->ca, cert->path_len_constraint); in x509_parse_ext_basic_constraints()
1049 static int x509_parse_ext_subject_alt_name(struct x509_certificate *cert, in x509_parse_ext_subject_alt_name() argument
1063 cert->extensions_present |= X509_EXT_SUBJECT_ALT_NAME; in x509_parse_ext_subject_alt_name()
1068 return x509_parse_ext_alt_name(&cert->subject, hdr.payload, in x509_parse_ext_subject_alt_name()
1073 static int x509_parse_ext_issuer_alt_name(struct x509_certificate *cert, in x509_parse_ext_issuer_alt_name() argument
1087 cert->extensions_present |= X509_EXT_ISSUER_ALT_NAME; in x509_parse_ext_issuer_alt_name()
1092 return x509_parse_ext_alt_name(&cert->issuer, hdr.payload, in x509_parse_ext_issuer_alt_name()
1146 static int x509_parse_ext_certificate_policies(struct x509_certificate *cert, in x509_parse_ext_certificate_policies() argument
1197 cert->certificate_policy |= in x509_parse_ext_certificate_policies()
1201 cert->certificate_policy |= in x509_parse_ext_certificate_policies()
1205 cert->certificate_policy |= in x509_parse_ext_certificate_policies()
1215 cert->extensions_present |= X509_EXT_CERTIFICATE_POLICY; in x509_parse_ext_certificate_policies()
1270 static int x509_parse_ext_ext_key_usage(struct x509_certificate *cert, in x509_parse_ext_ext_key_usage() argument
1302 cert->ext_key_usage |= X509_EXT_KEY_USAGE_ANY; in x509_parse_ext_ext_key_usage()
1305 cert->ext_key_usage |= X509_EXT_KEY_USAGE_SERVER_AUTH; in x509_parse_ext_ext_key_usage()
1308 cert->ext_key_usage |= X509_EXT_KEY_USAGE_CLIENT_AUTH; in x509_parse_ext_ext_key_usage()
1311 cert->ext_key_usage |= X509_EXT_KEY_USAGE_OCSP; in x509_parse_ext_ext_key_usage()
1318 cert->extensions_present |= X509_EXT_EXT_KEY_USAGE; in x509_parse_ext_ext_key_usage()
1324 static int x509_parse_extension_data(struct x509_certificate *cert, in x509_parse_extension_data() argument
1338 return x509_parse_ext_key_usage(cert, pos, len); in x509_parse_extension_data()
1340 return x509_parse_ext_subject_alt_name(cert, pos, len); in x509_parse_extension_data()
1342 return x509_parse_ext_issuer_alt_name(cert, pos, len); in x509_parse_extension_data()
1344 return x509_parse_ext_basic_constraints(cert, pos, len); in x509_parse_extension_data()
1346 return x509_parse_ext_certificate_policies(cert, pos, len); in x509_parse_extension_data()
1348 return x509_parse_ext_ext_key_usage(cert, pos, len); in x509_parse_extension_data()
1355 static int x509_parse_extension(struct x509_certificate *cert, in x509_parse_extension() argument
1416 res = x509_parse_extension_data(cert, &oid, hdr.payload, hdr.length); in x509_parse_extension()
1429 static int x509_parse_extensions(struct x509_certificate *cert, in x509_parse_extensions() argument
1446 if (x509_parse_extension(cert, pos, end - pos, &pos) in x509_parse_extensions()
1456 struct x509_certificate *cert, in x509_parse_tbs_certificate() argument
1504 cert->version = value; in x509_parse_tbs_certificate()
1505 if (cert->version != X509_CERT_V1 && in x509_parse_tbs_certificate()
1506 cert->version != X509_CERT_V2 && in x509_parse_tbs_certificate()
1507 cert->version != X509_CERT_V3) { in x509_parse_tbs_certificate()
1509 cert->version + 1); in x509_parse_tbs_certificate()
1516 cert->version = X509_CERT_V1; in x509_parse_tbs_certificate()
1517 wpa_printf(MSG_MSGDUMP, "X509: Version X.509v%d", cert->version + 1); in x509_parse_tbs_certificate()
1532 os_memcpy(cert->serial_number, hdr.payload, hdr.length); in x509_parse_tbs_certificate()
1533 cert->serial_number_len = hdr.length; in x509_parse_tbs_certificate()
1534 wpa_hexdump(MSG_MSGDUMP, "X509: serialNumber", cert->serial_number, in x509_parse_tbs_certificate()
1535 cert->serial_number_len); in x509_parse_tbs_certificate()
1538 if (x509_parse_algorithm_identifier(pos, end - pos, &cert->signature, in x509_parse_tbs_certificate()
1543 if (x509_parse_name(pos, end - pos, &cert->issuer, &pos)) in x509_parse_tbs_certificate()
1545 x509_name_string(&cert->issuer, sbuf, sizeof(sbuf)); in x509_parse_tbs_certificate()
1549 if (x509_parse_validity(pos, end - pos, cert, &pos)) in x509_parse_tbs_certificate()
1554 if (x509_parse_name(pos, end - pos, &cert->subject, &pos)) in x509_parse_tbs_certificate()
1556 cert->subject_dn = os_malloc(pos - subject_dn); in x509_parse_tbs_certificate()
1557 if (!cert->subject_dn) in x509_parse_tbs_certificate()
1559 cert->subject_dn_len = pos - subject_dn; in x509_parse_tbs_certificate()
1560 os_memcpy(cert->subject_dn, subject_dn, cert->subject_dn_len); in x509_parse_tbs_certificate()
1561 x509_name_string(&cert->subject, sbuf, sizeof(sbuf)); in x509_parse_tbs_certificate()
1565 if (x509_parse_public_key(pos, end - pos, cert, &pos)) in x509_parse_tbs_certificate()
1571 if (cert->version == X509_CERT_V1) in x509_parse_tbs_certificate()
1624 if (cert->version != X509_CERT_V3) { in x509_parse_tbs_certificate()
1627 "version 3", cert->version + 1); in x509_parse_tbs_certificate()
1631 if (x509_parse_extensions(cert, hdr.payload, hdr.length) < 0) in x509_parse_tbs_certificate()
1731 struct x509_certificate *cert; in x509_certificate_parse() local
1733 cert = os_zalloc(sizeof(*cert) + len); in x509_certificate_parse()
1734 if (cert == NULL) in x509_certificate_parse()
1736 os_memcpy(cert + 1, buf, len); in x509_certificate_parse()
1737 cert->cert_start = (u8 *) (cert + 1); in x509_certificate_parse()
1738 cert->cert_len = len; in x509_certificate_parse()
1749 x509_certificate_free(cert); in x509_certificate_parse()
1755 x509_certificate_free(cert); in x509_certificate_parse()
1767 cert->tbs_cert_start = cert->cert_start + (hash_start - buf); in x509_certificate_parse()
1768 if (x509_parse_tbs_certificate(pos, end - pos, cert, &pos)) { in x509_certificate_parse()
1769 x509_certificate_free(cert); in x509_certificate_parse()
1772 cert->tbs_cert_len = pos - hash_start; in x509_certificate_parse()
1776 &cert->signature_alg, &pos)) { in x509_certificate_parse()
1777 x509_certificate_free(cert); in x509_certificate_parse()
1786 x509_certificate_free(cert); in x509_certificate_parse()
1790 x509_certificate_free(cert); in x509_certificate_parse()
1802 x509_certificate_free(cert); in x509_certificate_parse()
1805 os_free(cert->sign_value); in x509_certificate_parse()
1806 cert->sign_value = os_memdup(pos + 1, hdr.length - 1); in x509_certificate_parse()
1807 if (cert->sign_value == NULL) { in x509_certificate_parse()
1810 x509_certificate_free(cert); in x509_certificate_parse()
1813 cert->sign_value_len = hdr.length - 1; in x509_certificate_parse()
1815 cert->sign_value, cert->sign_value_len); in x509_certificate_parse()
1817 return cert; in x509_certificate_parse()
1829 struct x509_certificate *cert) in x509_certificate_check_signature() argument
1831 return x509_check_signature(issuer, &cert->signature, in x509_certificate_check_signature()
1832 cert->sign_value, cert->sign_value_len, in x509_certificate_check_signature()
1833 cert->tbs_cert_start, cert->tbs_cert_len); in x509_certificate_check_signature()
2103 static int x509_valid_issuer(const struct x509_certificate *cert) in x509_valid_issuer() argument
2105 if ((cert->extensions_present & X509_EXT_BASIC_CONSTRAINTS) && in x509_valid_issuer()
2106 !cert->ca) { in x509_valid_issuer()
2112 if (cert->version == X509_CERT_V3 && in x509_valid_issuer()
2113 !(cert->extensions_present & X509_EXT_BASIC_CONSTRAINTS)) { in x509_valid_issuer()
2119 if ((cert->extensions_present & X509_EXT_KEY_USAGE) && in x509_valid_issuer()
2120 !(cert->key_usage & X509_KEY_USAGE_KEY_CERT_SIGN)) { in x509_valid_issuer()
2144 struct x509_certificate *cert, *trust; in x509_certificate_chain_validate() local
2153 for (cert = chain, idx = 0; cert; cert = cert->next, idx++) { in x509_certificate_chain_validate()
2154 cert->issuer_trusted = 0; in x509_certificate_chain_validate()
2155 x509_name_string(&cert->subject, buf, sizeof(buf)); in x509_certificate_chain_validate()
2163 (unsigned long) cert->not_before || in x509_certificate_chain_validate()
2165 (unsigned long) cert->not_after)) { in x509_certificate_chain_validate()
2168 now.sec, cert->not_before, cert->not_after); in x509_certificate_chain_validate()
2173 if (cert->next) { in x509_certificate_chain_validate()
2174 if (x509_name_compare(&cert->issuer, in x509_certificate_chain_validate()
2175 &cert->next->subject) != 0) { in x509_certificate_chain_validate()
2178 x509_name_string(&cert->issuer, buf, in x509_certificate_chain_validate()
2182 x509_name_string(&cert->next->subject, buf, in x509_certificate_chain_validate()
2190 if (x509_valid_issuer(cert->next) < 0) { in x509_certificate_chain_validate()
2195 if ((cert->next->extensions_present & in x509_certificate_chain_validate()
2197 idx > cert->next->path_len_constraint) { in x509_certificate_chain_validate()
2201 cert->next->path_len_constraint); in x509_certificate_chain_validate()
2206 if (x509_certificate_check_signature(cert->next, cert) in x509_certificate_chain_validate()
2217 if (x509_name_compare(&cert->issuer, &trust->subject) in x509_certificate_chain_validate()
2230 if (x509_certificate_check_signature(trust, cert) < 0) in x509_certificate_chain_validate()
2240 cert->issuer_trusted = 1; in x509_certificate_chain_validate()
2273 struct x509_certificate *cert; in x509_certificate_get_subject() local
2275 for (cert = chain; cert; cert = cert->next) { in x509_certificate_get_subject()
2276 if (x509_name_compare(&cert->subject, name) == 0) in x509_certificate_get_subject()
2277 return cert; in x509_certificate_get_subject()
2288 int x509_certificate_self_signed(struct x509_certificate *cert) in x509_certificate_self_signed() argument
2290 return x509_name_compare(&cert->issuer, &cert->subject) == 0; in x509_certificate_self_signed()