The Tor Browser / file revision

 /* This Source Code Form is subject to the terms of the Mozilla Public

  * License, v. 2.0. If a copy of the MPL was not distributed with this

  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

 #include "cert.h"

 #include "certt.h"

 #include "secder.h"

 #include "key.h"

 #include "secitem.h"

 #include "secasn1.h"

 #include "secerr.h"

 SEC_ASN1_MKSUB(SEC_AnyTemplate)

 const SEC_ASN1Template CERT_AttributeTemplate[] = {

     { SEC_ASN1_SEQUENCE,

 	0, NULL, sizeof(CERTAttribute) },

     { SEC_ASN1_OBJECT_ID, offsetof(CERTAttribute, attrType) },

     { SEC_ASN1_SET_OF | SEC_ASN1_XTRN, offsetof(CERTAttribute, attrValue),

 	SEC_ASN1_SUB(SEC_AnyTemplate) },

     { 0 }

 };

 const SEC_ASN1Template CERT_SetOfAttributeTemplate[] = {

     { SEC_ASN1_SET_OF, 0, CERT_AttributeTemplate },

 };

 const SEC_ASN1Template CERT_CertificateRequestTemplate[] = {

     { SEC_ASN1_SEQUENCE,

 	  0, NULL, sizeof(CERTCertificateRequest) },

     { SEC_ASN1_INTEGER,

 	  offsetof(CERTCertificateRequest,version) },

     { SEC_ASN1_INLINE,

 	  offsetof(CERTCertificateRequest,subject),

 	  CERT_NameTemplate },

     { SEC_ASN1_INLINE,

 	  offsetof(CERTCertificateRequest,subjectPublicKeyInfo),

 	  CERT_SubjectPublicKeyInfoTemplate },

     { SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,

 	  offsetof(CERTCertificateRequest,attributes), 

 	  CERT_SetOfAttributeTemplate },

     { 0 }

 };

 SEC_ASN1_CHOOSER_IMPLEMENT(CERT_CertificateRequestTemplate)

 CERTCertificate *

 CERT_CreateCertificate(unsigned long serialNumber,

 		      CERTName *issuer,

 		      CERTValidity *validity,

 		      CERTCertificateRequest *req)

 {

     CERTCertificate *c;

     int rv;

     PLArenaPool *arena;

     arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);

     if ( !arena ) {

 	return(0);

     }

     c = (CERTCertificate *)PORT_ArenaZAlloc(arena, sizeof(CERTCertificate));

     if (!c) {

 	PORT_FreeArena(arena, PR_FALSE);

 	return 0;

     }

     c->referenceCount = 1;

     c->arena = arena;

     /*

      * Default is a plain version 1.

      * If extensions are added, it will get changed as appropriate.

      */

     rv = DER_SetUInteger(arena, &c->version, SEC_CERTIFICATE_VERSION_1);

     if (rv) goto loser;

     rv = DER_SetUInteger(arena, &c->serialNumber, serialNumber);

     if (rv) goto loser;

     rv = CERT_CopyName(arena, &c->issuer, issuer);

     if (rv) goto loser;

     rv = CERT_CopyValidity(arena, &c->validity, validity);

     if (rv) goto loser;

     rv = CERT_CopyName(arena, &c->subject, &req->subject);

     if (rv) goto loser;

     rv = SECKEY_CopySubjectPublicKeyInfo(arena, &c->subjectPublicKeyInfo,

 					 &req->subjectPublicKeyInfo);

     if (rv) goto loser;

     return c;

  loser:

     CERT_DestroyCertificate(c);

     return 0;

 }

 /************************************************************************/

 /* It's clear from the comments that the original author of this 

  * function expected the template for certificate requests to treat

  * the attributes as a SET OF ANY.  This function expected to be 

  * passed an array of SECItems each of which contained an already encoded

  * Attribute.  But the cert request template does not treat the 

  * Attributes as a SET OF ANY, and AFAIK never has.  Instead the template

  * encodes attributes as a SET OF xxxxxxx.  That is, it expects to encode

  * each of the Attributes, not have them pre-encoded.  Consequently an 

  * array of SECItems containing encoded Attributes is of no value to this 

  * function.  But we cannot change the signature of this public function.

  * It must continue to take SECItems.

  *

  * I have recoded this function so that each SECItem contains an 

  * encoded cert extension.  The encoded cert extensions form the list for the

  * single attribute of the cert request. In this implementation there is at most

  * one attribute and it is always of type SEC_OID_PKCS9_EXTENSION_REQUEST.

  */

 CERTCertificateRequest *

 CERT_CreateCertificateRequest(CERTName *subject,

 			     CERTSubjectPublicKeyInfo *spki,

 			     SECItem **attributes)

 {

     CERTCertificateRequest *certreq;

     PLArenaPool *arena;

     CERTAttribute * attribute;

     SECOidData * oidData;

     SECStatus rv;

     int i = 0;

     arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);

     if ( arena == NULL ) {

 	return NULL;

     }

     certreq = PORT_ArenaZNew(arena, CERTCertificateRequest);

     if (!certreq) {

 	PORT_FreeArena(arena, PR_FALSE);

 	return NULL;

     }

     /* below here it is safe to goto loser */

     certreq->arena = arena;

     rv = DER_SetUInteger(arena, &certreq->version,

 			 SEC_CERTIFICATE_REQUEST_VERSION);

     if (rv != SECSuccess)

 	goto loser;

     rv = CERT_CopyName(arena, &certreq->subject, subject);

     if (rv != SECSuccess)

 	goto loser;

     rv = SECKEY_CopySubjectPublicKeyInfo(arena,

 				      &certreq->subjectPublicKeyInfo,

 				      spki);

     if (rv != SECSuccess)

 	goto loser;

     certreq->attributes = PORT_ArenaZNewArray(arena, CERTAttribute*, 2);

     if(!certreq->attributes) 

 	goto loser;

     /* Copy over attribute information */

     if (!attributes || !attributes[0]) {

 	/*

 	 ** Invent empty attribute information. According to the

 	 ** pkcs#10 spec, attributes has this ASN.1 type:

 	 **

 	 ** attributes [0] IMPLICIT Attributes

 	 ** 

 	 ** Which means, we should create a NULL terminated list

 	 ** with the first entry being NULL;

 	 */

 	certreq->attributes[0] = NULL;

 	return certreq;

     }	

     /* allocate space for attributes */

     attribute = PORT_ArenaZNew(arena, CERTAttribute);

     if (!attribute) 

 	goto loser;

     oidData = SECOID_FindOIDByTag( SEC_OID_PKCS9_EXTENSION_REQUEST );

     PORT_Assert(oidData);

     if (!oidData)

 	goto loser;

     rv = SECITEM_CopyItem(arena, &attribute->attrType, &oidData->oid);

     if (rv != SECSuccess)

 	goto loser;

     for (i = 0; attributes[i] != NULL ; i++) 

 	;

     attribute->attrValue = PORT_ArenaZNewArray(arena, SECItem *, i+1);

     if (!attribute->attrValue) 

 	goto loser;

     /* copy attributes */

     for (i = 0; attributes[i]; i++) {

 	/*

 	** Attributes are a SetOf Attribute which implies

 	** lexigraphical ordering.  It is assumes that the

 	** attributes are passed in sorted.  If we need to

 	** add functionality to sort them, there is an

 	** example in the PKCS 7 code.

 	*/

 	attribute->attrValue[i] = SECITEM_ArenaDupItem(arena, attributes[i]);

 	if(!attribute->attrValue[i]) 

 	    goto loser;

     }

     certreq->attributes[0] = attribute;

     return certreq;

 loser:

     CERT_DestroyCertificateRequest(certreq);

     return NULL;

 }

 void

 CERT_DestroyCertificateRequest(CERTCertificateRequest *req)

 {

     if (req && req->arena) {

 	PORT_FreeArena(req->arena, PR_FALSE);

     }

     return;

 }

 static void

 setCRExt(void *o, CERTCertExtension **exts)

 {

     ((CERTCertificateRequest *)o)->attributes = (struct CERTAttributeStr **)exts;

 }

 /*

 ** Set up to start gathering cert extensions for a cert request.

 ** The list is created as CertExtensions and converted to an

 ** attribute list by CERT_FinishCRAttributes().

  */

 extern void *cert_StartExtensions(void *owner, PLArenaPool *ownerArena,

                        void (*setExts)(void *object, CERTCertExtension **exts));

 void *

 CERT_StartCertificateRequestAttributes(CERTCertificateRequest *req)

 {

     return (cert_StartExtensions ((void *)req, req->arena, setCRExt));

 }

 /*

 ** At entry req->attributes actually contains an list of cert extensions--

 ** req-attributes is overloaded until the list is DER encoded (the first

 ** ...EncodeItem() below).

 ** We turn this into an attribute list by encapsulating it

 ** in a PKCS 10 Attribute structure

  */

 SECStatus

 CERT_FinishCertificateRequestAttributes(CERTCertificateRequest *req)

 {   SECItem *extlist;

     SECOidData *oidrec;

     CERTAttribute *attribute;

     if (!req || !req->arena) {

 	PORT_SetError(SEC_ERROR_INVALID_ARGS);

         return SECFailure;

     }

     if (req->attributes == NULL || req->attributes[0] == NULL)

         return SECSuccess;

     extlist = SEC_ASN1EncodeItem(req->arena, NULL, &req->attributes,

                             SEC_ASN1_GET(CERT_SequenceOfCertExtensionTemplate));

     if (extlist == NULL)

         return(SECFailure);

     oidrec = SECOID_FindOIDByTag(SEC_OID_PKCS9_EXTENSION_REQUEST);

     if (oidrec == NULL)

 	return SECFailure;

     /* now change the list of cert extensions into a list of attributes

      */

     req->attributes = PORT_ArenaZNewArray(req->arena, CERTAttribute*, 2);

     attribute = PORT_ArenaZNew(req->arena, CERTAttribute);

     if (req->attributes == NULL || attribute == NULL ||

         SECITEM_CopyItem(req->arena, &attribute->attrType, &oidrec->oid) != 0) {

         PORT_SetError(SEC_ERROR_NO_MEMORY);

 	return SECFailure;

     }

     attribute->attrValue = PORT_ArenaZNewArray(req->arena, SECItem*, 2);

     if (attribute->attrValue == NULL)

         return SECFailure;

     attribute->attrValue[0] = extlist;

     attribute->attrValue[1] = NULL;

     req->attributes[0] = attribute;

     req->attributes[1] = NULL;

     return SECSuccess;

 }

 SECStatus

 CERT_GetCertificateRequestExtensions(CERTCertificateRequest *req,

                                         CERTCertExtension ***exts)

 {

     if (req == NULL || exts == NULL) {

 	PORT_SetError(SEC_ERROR_INVALID_ARGS);

         return SECFailure;

     }

     if (req->attributes == NULL || *req->attributes == NULL)

         return SECSuccess;

     if ((*req->attributes)->attrValue == NULL) {

 	PORT_SetError(SEC_ERROR_INVALID_ARGS);

         return SECFailure;

     }

     return(SEC_ASN1DecodeItem(req->arena, exts, 

             SEC_ASN1_GET(CERT_SequenceOfCertExtensionTemplate),

             (*req->attributes)->attrValue[0]));

 }