X-Git-Url: https://git.saurik.com/apple/security.git/blobdiff_plain/80e2389990082500d76eb566d4946be3e786c3ef..d8f41ccd20de16f8ebe2ccc84d47bf1cb2b26bbb:/Security/libsecurity_asn1/lib/X509Templates.c?ds=inline
diff --git a/Security/libsecurity_asn1/lib/X509Templates.c b/Security/libsecurity_asn1/lib/X509Templates.c
new file mode 100644
index 00000000..4677b4ee
--- /dev/null
+++ b/Security/libsecurity_asn1/lib/X509Templates.c
@@ -0,0 +1,222 @@
+/*
+ * Copyright (c) 2003-2006,2008,2010-2012 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ *
+ * X509Templates.c - Common ASN1 templates for use with libNSSDer.
+ */
+
+#include "SecAsn1Templates.h"
+#include "X509Templates.h"
+#include "keyTemplates.h"
+#include 
+#include 
+
+/*
+ * Validity
+ */
+/*
+ * NSS_Time Template chooser.
+ */
+static const NSS_TagChoice timeChoices[] = {
+ { SEC_ASN1_GENERALIZED_TIME, kSecAsn1GeneralizedTimeTemplate} ,
+ { SEC_ASN1_UTC_TIME, kSecAsn1UTCTimeTemplate },
+ { 0, NULL}
+};
+
+static const SecAsn1Template * NSS_TimeChooser(
+ void *arg,
+ Boolean enc,
+ const char *buf,
+ void *dest)
+{
+ return SecAsn1TaggedTemplateChooser(arg, enc, buf, dest, timeChoices);
+}
+
+static const SecAsn1TemplateChooserPtr NSS_TimeChooserPtr = NSS_TimeChooser;
+
+const SecAsn1Template kSecAsn1ValidityTemplate[] = {
+ { SEC_ASN1_SEQUENCE,
+ 0, NULL, sizeof(NSS_Validity) },
+ { SEC_ASN1_INLINE | SEC_ASN1_DYNAMIC,
+ offsetof(NSS_Validity,notBefore.item),
+ &NSS_TimeChooserPtr },
+ { SEC_ASN1_INLINE | SEC_ASN1_DYNAMIC,
+ offsetof(NSS_Validity,notAfter.item),
+ &NSS_TimeChooserPtr },
+ { 0 }
+};
+
+/* X509 cert extension */
+const SecAsn1Template kSecAsn1CertExtensionTemplate[] = {
+ { SEC_ASN1_SEQUENCE,
+ 0, NULL, sizeof(NSS_CertExtension) },
+ { SEC_ASN1_OBJECT_ID,
+ offsetof(NSS_CertExtension,extnId) },
+ { SEC_ASN1_OPTIONAL | SEC_ASN1_BOOLEAN, /* XXX DER_DEFAULT */
+ offsetof(NSS_CertExtension,critical) },
+ { SEC_ASN1_OCTET_STRING,
+ offsetof(NSS_CertExtension,value) },
+ { 0, }
+};
+
+const SecAsn1Template kSecAsn1SequenceOfCertExtensionTemplate[] = {
+ { SEC_ASN1_SEQUENCE_OF, 0, kSecAsn1CertExtensionTemplate }
+};
+
+/* TBS Cert */
+const SecAsn1Template kSecAsn1TBSCertificateTemplate[] = {
+ { SEC_ASN1_SEQUENCE,
+ 0, NULL, sizeof(NSS_TBSCertificate) },
+ /* optional version, explicit tag 0, default 0 */
+ { SEC_ASN1_EXPLICIT | SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED |
+ SEC_ASN1_CONTEXT_SPECIFIC | 0, /* XXX DER_DEFAULT */
+ offsetof(NSS_TBSCertificate,version),
+ kSecAsn1IntegerTemplate },
+ /* serial number is SIGNED integer */
+ { SEC_ASN1_INTEGER | SEC_ASN1_SIGNED_INT,
+ offsetof(NSS_TBSCertificate,serialNumber) },
+ { SEC_ASN1_INLINE,
+ offsetof(NSS_TBSCertificate,signature),
+ kSecAsn1AlgorithmIDTemplate },
+ { SEC_ASN1_SAVE, offsetof(NSS_TBSCertificate,derIssuer) },
+ { SEC_ASN1_INLINE,
+ offsetof(NSS_TBSCertificate,issuer),
+ kSecAsn1NameTemplate },
+ { SEC_ASN1_INLINE,
+ offsetof(NSS_TBSCertificate,validity),
+ kSecAsn1ValidityTemplate },
+ { SEC_ASN1_SAVE, offsetof(NSS_TBSCertificate,derSubject) },
+ { SEC_ASN1_INLINE,
+ offsetof(NSS_TBSCertificate,subject),
+ kSecAsn1NameTemplate },
+ { SEC_ASN1_INLINE,
+ offsetof(NSS_TBSCertificate,subjectPublicKeyInfo),
+ kSecAsn1SubjectPublicKeyInfoTemplate },
+ { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1,
+ offsetof(NSS_TBSCertificate,issuerID),
+ kSecAsn1BitStringTemplate },
+ { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 2,
+ offsetof(NSS_TBSCertificate,subjectID),
+ kSecAsn1BitStringTemplate },
+ { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
+ SEC_ASN1_EXPLICIT | 3,
+ offsetof(NSS_TBSCertificate,extensions),
+ kSecAsn1SequenceOfCertExtensionTemplate },
+ { 0 }
+};
+
+/*
+ * For signing and verifying only, treating the TBS portion as an
+ * opaque ASN_ANY blob.
+ */
+const SecAsn1Template kSecAsn1SignedCertOrCRLTemplate[] =
+{
+ { SEC_ASN1_SEQUENCE,
+ 0, NULL, sizeof(NSS_SignedCertOrCRL) },
+ { SEC_ASN1_ANY,
+ offsetof(NSS_SignedCertOrCRL,tbsBlob) },
+ { SEC_ASN1_ANY,
+ offsetof(NSS_SignedCertOrCRL,signatureAlgorithm) },
+ { SEC_ASN1_BIT_STRING,
+ offsetof(NSS_SignedCertOrCRL,signature) },
+ { 0 }
+};
+
+/* Fully specified signed certificate */
+const SecAsn1Template kSecAsn1SignedCertTemplate[] =
+{
+ { SEC_ASN1_SEQUENCE,
+ 0, NULL, sizeof(NSS_Certificate) },
+ { SEC_ASN1_INLINE,
+ offsetof(NSS_Certificate,tbs),
+ kSecAsn1TBSCertificateTemplate },
+ { SEC_ASN1_INLINE,
+ offsetof(NSS_Certificate,signatureAlgorithm),
+ kSecAsn1AlgorithmIDTemplate },
+ { SEC_ASN1_BIT_STRING,
+ offsetof(NSS_Certificate,signature) },
+ { 0 }
+};
+
+/* Entry in CRL.revokedCerts */
+const SecAsn1Template kSecAsn1RevokedCertTemplate[] = {
+ { SEC_ASN1_SEQUENCE,
+ 0, NULL, sizeof(NSS_RevokedCert) },
+ /* serial number - signed itneger, just like in the actual cert */
+ { SEC_ASN1_INTEGER | SEC_ASN1_SIGNED_INT,
+ offsetof(NSS_RevokedCert,userCertificate) },
+ { SEC_ASN1_INLINE | SEC_ASN1_DYNAMIC,
+ offsetof(NSS_RevokedCert,revocationDate.item),
+ &NSS_TimeChooserPtr },
+ { SEC_ASN1_OPTIONAL | SEC_ASN1_SEQUENCE_OF,
+ offsetof(NSS_RevokedCert,extensions),
+ kSecAsn1CertExtensionTemplate },
+ { 0, }
+};
+
+const SecAsn1Template kSecAsn1SequenceOfRevokedCertTemplate[] = {
+ { SEC_ASN1_SEQUENCE_OF, 0, kSecAsn1RevokedCertTemplate }
+};
+
+/* NSS_TBSCrl (unsigned CRL) */
+const SecAsn1Template kSecAsn1TBSCrlTemplate[] = {
+ { SEC_ASN1_SEQUENCE,
+ 0, NULL, sizeof(NSS_TBSCrl) },
+ /* optional version, default 0 */
+ { SEC_ASN1_INTEGER | SEC_ASN1_OPTIONAL, offsetof (NSS_TBSCrl, version) },
+ { SEC_ASN1_INLINE,
+ offsetof(NSS_TBSCrl,signature),
+ kSecAsn1AlgorithmIDTemplate },
+ { SEC_ASN1_SAVE, offsetof(NSS_TBSCrl,derIssuer) },
+ { SEC_ASN1_INLINE,
+ offsetof(NSS_TBSCrl,issuer),
+ kSecAsn1NameTemplate },
+ { SEC_ASN1_INLINE | SEC_ASN1_DYNAMIC,
+ offsetof(NSS_TBSCrl,thisUpdate.item),
+ &NSS_TimeChooserPtr },
+ { SEC_ASN1_INLINE | SEC_ASN1_DYNAMIC | SEC_ASN1_OPTIONAL,
+ offsetof(NSS_TBSCrl,nextUpdate),
+ &NSS_TimeChooserPtr },
+ { SEC_ASN1_OPTIONAL | SEC_ASN1_SEQUENCE_OF,
+ offsetof(NSS_TBSCrl,revokedCerts),
+ kSecAsn1RevokedCertTemplate },
+ { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
+ SEC_ASN1_EXPLICIT | 0,
+ offsetof(NSS_TBSCrl,extensions),
+ kSecAsn1SequenceOfCertExtensionTemplate },
+ { 0, }
+};
+
+/* Fully specified signed CRL */
+const SecAsn1Template kSecAsn1SignedCrlTemplate[] =
+{
+ { SEC_ASN1_SEQUENCE,
+ 0, NULL, sizeof(NSS_Crl) },
+ { SEC_ASN1_INLINE,
+ offsetof(NSS_Crl,tbs),
+ kSecAsn1TBSCrlTemplate },
+ { SEC_ASN1_INLINE,
+ offsetof(NSS_Crl,signatureAlgorithm),
+ kSecAsn1AlgorithmIDTemplate },
+ { SEC_ASN1_BIT_STRING,
+ offsetof(NSS_Crl,signature) },
+ { 0 }
+};
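Review bot: The `nextUpdate` entry in kSecAsn1TBSCrlTemplate uses `offsetof(NSS_TBSCrl,nextUpdate)` while every other SEC_ASN1_DYNAMIC time entry in this file (notBefore, notAfter, revocationDate, thisUpdate) targets `<field>.item`; if NSS_Time's item member sits at offset 0 this decodes into the right place only by accident of layout, so either write `offsetof(NSS_TBSCrl,nextUpdate.item),` for consistency or, should nextUpdate be declared as a pointer in X509Templates.h (not visible here), revisit the INLINE flag rather than the offset. The `critical` member of kSecAsn1CertExtensionTemplate and the TBS `version` are marked OPTIONAL with `/* XXX DER_DEFAULT */`, which means an explicitly encoded default value is accepted rather than rejected as non-DER; a short comment such as `/* NOTE: decoder is lenient here, an explicit default is not rejected as non-DER */` would tell callers that expect strict DER what they are getting. The comment above the revoked-cert serial number has a typo, `itneger` should read `integer`. The two bare `#include` lines after the project headers appear to have lost their targets in this rendering; confirm against the checked-in file.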